CompTIA Security+ (SY0-601) Practice Exam

(Sample Simulation - On the real exam for this type of question, you would have to rearrange the ports into the proper order by dragging and dropping them into place.) 1701 ____ RDP 3389 ____ L2TP 88 ____ LDAP 389 ____ Kerberos Using the image provided, place the port numbers in the correct order with their associated protocols: 1701, 3389, 88. 389 3389, 1701, 389, 88 88, 389, 3389, 1701 389, 88, 1701, 3389

3389, 1701, 389, 88 Explanation OBJ-3.1: For the exam, you need to know your ports and protocols. The Remote Desktop Protocol (RDP) operates over port 3389. Layer 2 Tunneling Protocol (L2TP) operates over port 1701. The Lightweight Directory Access Protocol (LDAP) operates over port 389. Kerberos operates over port 88.

You suspect that your server has been the victim of a web-based attack. Which of the following ports should most likely be seen in the logs to indicate the attack's target? A. 21 B. 389 C. 443 D. 3389

443 Explanation OBJ-1.6: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).

A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS. What should the network administrator implement? A. MAC address filtering with IP filtering B. 802.1x using EAP with MSCHAPv2 C. WPA2 with a complex shared key D. PKI with user authentication

802.1x using EAP with MSCHAPv2 Explanation OBJ-3.4: Since the backend uses a RADIUS server for back-end authentication, the network administrator can install 802.1x using EAP with MSCHAPv2 for authentication. The Extensible Authentication Protocol (EAP) is a framework in a series of protocols that allows for numerous different mechanisms of authentication, including things like simple passwords, digital certificates, and public key infrastructure. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based authentication protocol that is widely used as an authentication method in PPTP-based (Point to Point Tunneling Protocol) VPNs and can be used with EAP.

Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of a database server is $120,000. Based on her analysis, she believes that a data breach to this server will occur once every four years and has a risk factor is 30%. What is the ALE for a data breach within Jamie's organization? A. $9,000 B. $90,000 C. $360,000 D. $36,000

A. $9,000 Explanation OBJ-5.4: The single loss expectancy (SLE) is the amount that would be lost in a single occurrence (AV) times the exposure factor (EF). The annual loss expectancy (ALE) is the total cost of a risk to an organization annually. This is determined by multiplying the SLE by the annual rate of occurrence (ARO). SLE = AV x RF = $120,000 x 30% = $36,000 ALE = SLE x ARO = $36,000 x 0.25 = $9,000

A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output: *reference image* Which of the following statements is true based on this output? A. 10.0.19.121 is a client that is accessing an SSH server over port 52497 B. 11.154.12.121 is a client that is accessing an SSH server over port 52497 C. 11.154.12.121 is under attack from a host at 10.0.19.121 D. 10.0.19.121 is under attack from a host at 11.154.12.121

A. 10.0.19.121 is a client that is accessing an SSH server over port 52497 Explanation OBJ-4.1: This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) runs an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is no evidence of an attack against either the server or the client based on this output since we can only see the headers and not the content being sent between the client and server.

While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source? A. 192.186.1.100 B. 192.168.1.100 C. 10.15.1.100 D. 172.16.1.100

A. 192.186.1.100 Explanation OBJ-1.7: This question tests your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). During your CompTIA A+, Network+, and Security+ studies, you should have learned that private IP addresses are either 10.x.x.x, 172.16-31.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100 since it is not a private IP address.

Which of the following cryptographic algorithms is classified as symmetric? A. 3DES B. PGP C. ECC D. RSA

A. 3DES Explanation OBJ-2.8: Triple DES (3DES) is a symmetric-key block cipher that applies the DES cipher algorithm three times to each data block to increase its security over DES. RSA, PGP, and ECC are all asymmetric algorithms.

Dion Training just installed a new webserver within a screened subnet. You have been asked to open up the port for secure web browsing on the firewall. Which port should you set as open to allow users to access this new server? A. 443 B. 21 C. 143 D. 80

A. 443 Explanation OBJ-3.1: The hypertext transfer protocol secure (HTTPS) is a secure protocol used to provide web content to browsers using SSL/TLS encryption over port 443. The hypertext transfer protocol (HTTP) is a protocol used to provide web content to browsers using port 80. The hypertext transfer protocol (HTTP) is a protocol used to provide web content to browsers using port 80. The file transfer protocol (FTP) is the protocol used to transfer files across the internet over ports 20 and 21.

Which of the following tools could be used to detect unexpected output from an application being managed or monitored? A. A behavior-based analysis tool B. Manual analysis C. A log analysis tool D. A signature-based detection tool

A. A behavior-based analysis tool Explanation OBJ-3.3: A behavior-based analysis tool can capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to set up properly, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.

Which of the following cryptographic algorithms is classified as symmetric? A. AES B. Diffie-Hellman C. RSA D. ECC

A. AES Explanation OBJ-2.8: The Advanced Encryption Standard (AES) is a symmetric-key algorithm for encrypting digital data. It was established as an electronic data encryption standard by NIST in 2001. AES can use a 128-bit, 192-bit, or 256-bit key, and uses a 128-bit block size.

Which of the following types of attackers are sophisticated and highly organized people or teams typically sponsored by a nation-state? A. Advanced Persistent Threat B. Script kiddies C. Ethical hacker D. Hacktivists

A. Advanced Persistent Threat Explanation OBJ-1.5: Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government. An APT is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware. A hacktivist is an attacker that is motivated by a social issue or political cause. A script kiddie has little skill or sophistication and uses publicly available tools and techniques. An ethical hacker specializes in penetration testing and in other testing methodologies that ensure the security of an organization's information systems. An ethical hacker is also known as an authorized hacker.

After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company's network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company's information security team. How would you best classify this threat? A. Advanced persistent threat (APT) B. Spear phishing C. Insider threat D. Privilege escalation

A. Advanced persistent threat (APT) Explanation OBJ-1.5: An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. An APT attack intends to steal data rather than to cause damage to the network or organization. An APT refers to an adversary's ongoing ability to compromise network security, obtain and maintain access, and use various tools and techniques. They are often supported and funded by nation-states or work directly for a nation-states' government. Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. While an APT may use spear phishing, privilege escalation, or an insider threat to gain access to the system, the scenario presented in this question doesn't specify what method was used. Therefore, APT is the best answer to select.

A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization's proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent? A. An infected workstation is attempting to reach a command and control server B. A malicious insider is trying to exfiltrate information to a remote network C. An attacker is performing reconnaissance of the organization's workstations D. Malware is running on a company workstation or server

A. An infected workstation is attempting to reach a command and control server Explanation OBJ-1.2: A call home message is an indicator of compromise known as beaconing. Beaconing usually occurs after a stage 1 malware program has been implanted on an organization's workstation or server, but that isn't the most correct answer to this question. Instead, beaconing indicates that a workstation or server is infected and tries to communicate with the attacker's command and control server. This beaconing will continue until the infected system (workstation or server) is found and cleared of the malware or until the botnet gives the infected host further instructions to perform (such as to attack). "Malware is running on a company workstation or server" is incorrect because we do not have positive verification of that based on this scenario. A beacon does not have to be malware. For example, it can simply be a single ping packet or DNS request being sent out every day at a certain time using the Windows task scheduler. Be careful on the exam to answer the question being asked and choose the "most" accurate answer. Since the call home signal is coming from the internal network and attempting to connect to an external server, it cannot be evidence of an attacker performing reconnaissance on your workstations. Also, nothing in the question is indicative of an insider threat trying to exfiltrate information since a call home message is generally minimal in size and not large enough to exfiltrate data.

Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST? A. Application allow list B. Host-based firewall C. Intrusion detection system D. Anti-malware solution

A. Application allow list Explanation OBJ-4.4: Application allow list will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus. An intrusion detection system might detect the anomalous activity created by a piece of malware, but it will only log or alert based on the activity, not prevent it. A host-based firewall may prevent a piece of malware from establishing a network connection with a remote server. Still, again, it wouldn't prevent infection or prevent it from executing. An anti-malware solution is a good investment towards improving your security. Since the threat is a zero-day virus, an anti-malware solution will not detect it using its signature database.

What type of malware is designed to be difficult for malware analysts to reverse engineer? A. Armored virus B. Trojan C. Logic bomb D. Rootkit

A. Armored virus Explanation OBJ-1.2: Armored viruses are a type of virus that use various techniques to protect it from being reverse engineered. This includes changing its code during execution and encrypting its payloads.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and drag and drop them into place next to the correct term.) *reference image* How would you appropriately categorize the authentication method displayed here? A. Biometric authentication B. Multifactor authentication C. One-time password authentication D. PAP authentication

A. Biometric authentication Explanation OBJ-2.4: For the exam, you need to know the different authentication categories and what type of authentication methods belong to each category. A fingerprint scan is a type of biometric authentication. Biometric authentications include any authentication system that relies on a person's physical characteristics for authentication.

Your smartphone begins to receive unsolicited messages while eating lunch at the restaurant across the street from your office. What might cause this to occur? A. Bluejacking B. Geotagging C. Packet sniffing D. Bluesnarfing

A. Bluejacking Explanation OBJ-1.4: Bluejacking sends unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. On the other hand, Bluesnarfing involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a limited range, so the attacker is likely within 10 meters of the victimized device. Geotagging involves embedding the geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output: *reference image* What type of attack was most likely being attempted by the attacker? A. Brute force B. Credential stuffing C. Impersonation D. Password spraying

A. Brute force Explanation OBJ-1.2: This is an example of a brute force attack. Unlike password spraying that focuses on attempting only one or two passwords per user, a brute force attack focuses on trying multiple passwords for a single user. The goal of this attack is to crack the user's password and gain access to their account. Password spraying, instead, refers to the attack method that takes a large number of usernames and loops them with a single password. We can use multiple iterations using several different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraudulent purposes. Credential stuffing is the automated injection of breached username/password pairs to gain user accounts access fraudulently. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack the account for their purposes.

Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont's discovery, what type of attack might occur? A. Buffer overflow B. Cross-site scripting C. SQL injection D. Malicious logic

A. Buffer overflow Explanation OBJ-1.3: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can cause an overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Programs should use the variable size validation before writing the data to memory to ensure that the variable can fit into the buffer to prevent this type of attack.

Due to a worldwide pandemic in 2020 caused by the COVID-19 virus, Dion Training Solutions instituted teleworking for all of its employees. This was part of a preplanned response so that the company's students could continue to learn and receive support throughout the pandemic. Which of the following plans should contain the company's pandemic response plan? A. Business continuity plan B. Incident response plan C. Rollback plan D. Disaster recovery plan

A. Business continuity plan Explanation OBJ-4.2: The business continuity plan (BCP) contains a collection of processes that enable an organization to maintain normal business operations in the face of some adverse event. This event could be natural or man-made; as long as it affects the business operations, then the BCP should be activated. The development of the BCP is often referred to as continuity of operations planning (COOP). A disaster recovery plan focuses on procedures and steps to follow to recover a system or site to a working state. For example, if a power failure or a fire occurred, the site would have to be recovered to a working state again. In the pandemic example, the facility did not have a disaster to recover from. Still, the business operations were affected and needed to be modified to continue operations under the BCP.

Which of the following is required for evidence to be admissible in a court of law? A. Chain of custody B. Right to audit C. Order of volatility D. Legal hold

A. Chain of custody Explanation OBJ-4.4: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization's procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. A legal hold is a process that an organization uses to preserve all forms of potentially relevant information when litigation is pending or reasonably anticipated. A right to audit is a clause in a contract or service agreement that allows a company the authority to audit the systems and information processed. Order of volatility refers to the order in which you should collect evidence.

A hacker successfully modified the sale price of items purchased through your company's website. During the investigation that followed, the security analyst has verified the web server, and the Oracle database was not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items' sale price? A. Changing hidden form values B. Cross-site scripting C. SQL injection D. Buffer overflow attack

A. Changing hidden form values Explanation OBJ-3.2: Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items' price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.

What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes? A. Clear B. Degauss C. Purge D. Destroy

A. Clear Explanation OBJ-2.7: Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.

You work for a bank interested in moving some of its operations to the cloud, but it is worried about security. You recently discovered an organization called CloudBank that was formed by 15 local banks as a way for them to build a secure cloud-based environment that can be accessed by the 15 member banks. Which cloud model BEST describes the cloud created by CloudBank? A. Community cloud B. Private cloud C. Public cloud D. Hybrid cloud

A. Community cloud Explanation OBJ-2.2: Community Cloud is another type of cloud computing in which the cloud setup is shared manually among different organizations that belong to the same community or area. A multi-tenant setup is developed using the cloud among different organizations belonging to a particular community or group with similar computing concerns. For joint business organizations, ventures, research organizations, and tenders, a community cloud is an appropriate solution. Based on the description of 15 member banks coming together to create the CloudBank organization and its cloud computing environment, a community cloud model is most likely described. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.

James, a programmer at Apple Computers, is surfing the internet on his lunch break. He comes across a rumor site focused on providing details of the upcoming iPhone being released in a few months. James knows that Apple likes to keep its product details a secret until it is publicly announced. As James is looking over the website, he sees a blog post with an embedded picture of a PDF containing detailed specifications for the next iPhone and labeled "Proprietary Information - Internal Use Only." The new iPhone is still several months away from release. What should James do next? A. Contact the service desk or incident response team to determine what to do next B. Contact his team lead and ask what he should do next C. Contact the website's owner and request they take down the PDF D. Reply to the blog post and deny the accuracy of the specifications

A. Contact the service desk or incident response team to determine what to do next Explanation OBJ-5.5: This is an example of either a data leak or a data breach. James is not sure how the website got the details of the product's specifications. Therefore, he should follow his organizational procedures for notification that internal company information has been leaked to the internet. In most organizations, the service desk acts as the single point of contact for all IT issues (even possible data breaches), and they can refer James to the incident response team (if one is currently stood up). Since James works as a programmer, it is unlikely that his team lead is responsible for handling a data leak or data breach, so it is better to contact the service desk first. James should not contact the website directly nor reply to the blog post. Instead, he should leave the response actions to the security team and the incident response team.

You are conducting an incident response and have traced the attack source to some compromised user credentials. After performing log analysis, you discover that the attack was successfully authenticated from an unauthorized foreign country. Your management is now asking for you to implement a solution to help mitigate this type of attack from occurring again. Which of the following should you implement? A. Context-based authentication B. Single sign-on C. Password complexity D. Self-service password reset

A. Context-based authentication Explanation OBJ-3.7: Context-based authentication can consider several factors before permitting access to a user, including their location (e.g., country, GPS location, etc.), the time of day, and other key factors to minimize the threat of compromised credentials from being utilized by an attacker. A self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor and repair their problem without calling the help desk. While helpful, this alone would not help prevent an attacker from using the compromised credentials. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems. Again, this is helpful since it will minimize the number of usernames and passwords that a user must remember. Still, if their credentials are stolen, then the attacker can now access every system the user had access to, extending the problem. Password complexity is also a good thing to use, but it won't address the challenge presented in how to prevent the use of compromised credentials. If the password complexity is increased, this will prevent a brute force credential compromise. However, if the credentials are compromised any other way, the attacker could still log in to our systems and cause trouble.

Which of the following describes the overall accuracy of a biometric authentication system? A. Crossover error rate B. False acceptance rate C. False positive rate D. False rejection rate

A. Crossover error rate Explanation OBJ-2.4: The Crossover Error Rate (CER) describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.

Your company recently suffered a small data breach caused by an employee emailing themselves a copy of the current customer's names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data? A. DLP B. Strong passwords C. MDM D. Firewall

A. DLP Explanation OBJ-2.1: Data loss prevention software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in-motion (network traffic), and at rest (data storage). Since the user was an authorized user (employee), changing your password policy, reconfiguring the firewall, or setting up an MDM solution would not solve this problem. Instead, a DLP solution must be implemented.

When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training? A. Data minimization B. Data masking C. Tokenization D. Anonymization

A. Data minimization Explanation OBJ-5.5: Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Since we only need your name and email to deliver the voucher and your credit card to receive payment for the voucher, we do not collect any additional information, such as your home address or phone number. Data masking can mean that all or part of a field's contents are redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

Which of the following is NOT a means of improving data validation and trust? A. Decrypting data at rest B. Using MD5 checksums for files C. Encrypting data in transi D. Implementing Tripwire

A. Decrypting data at rest Explanation OBJ-2.1: Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation, or trust since the data at rest could be modified when decrypted.

Dion Training's offices utilize an open concept floor plan. They are concerned that a visitor might attempt to steal an external hard drive and carry it out of the building. To mitigate this risk, the security department has recommended installing security cameras clearly visible to both employees and visitors. What type of security control do these cameras represent? A. Deterrent B. Administrative C. Corrective D. Compensating

A. Deterrent Explanation OBJ-5.1: A deterrent control is designed to discourage the violation of a security policy. Since the cameras are clearly visible, they are acting as a deterrent control. Corrective control is one that is used to fix or eliminate a vulnerability. A compensating control is used to minimize a vulnerability when it is deemed too difficult or impractical to correct the vulnerability fully. Administrative control is used to create a policy or procedure to minimize or eliminate a vulnerability.

Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence? A. FTK Imager B. Memdump C. Autopsy D. dd

A. FTK Imager Explanation OBJ-4.1: FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including copying the slack, unallocated, and free space on a given drive. The dd tool can also create forensic images, but it is not a proprietary tool since it is open-source. Memdump is used to collect the content within RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite.

A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation? A. False positive B. True negative C. False negative D. True positive

A. False positive Explanation OBJ-1.7: A false positive occurs when a scanner detects a vulnerability, but the vulnerability does not exist on the scanned system. A true positive occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system. A true negative occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system. A false negative occurs when a scanner does not detect a vulnerability, but the vulnerability exists on the scanned system.

Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks? A. Faulty input validation B. Output encoding C. File inclusions D. Directory traversals

A. Faulty input validation Explanation OBJ-3.2: A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory. In a file inclusion attack, the attacker adds a file to a web app or website's running process. The file is either constructed to be malicious or manipulated to serve the attacker's malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker's site.

Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext? A. Full packet capture B. Software design documentation review C. SIEM event log monitoring D. Net flow capture

A. Full packet capture Explanation OBJ-4.3: Full packet capture records the complete payload of every packet crossing the network. The other methods will not provide sufficient information to detect a cleartext password being sent. A net flow analysis will determine where communications occurred, by what protocol, to which devices, and how much content was sent. Still, it will not reveal anything about the content itself since it only analyzes the metadata for each packet crossing the network. A SIEM event log being monitored might detect that an authentication event has occurred. Still, it will not necessarily reveal if the password was sent in cleartext, as a hash value, or in the ciphertext. A software design documentation may also reveal the designer's intentions for authentication when they created the application, but this only provides an 'as designed' approach for a given software and does not provide whether the 'as-built' configuration was implemented securely.

Your company is expanding its operations in the European Union and is concerned about additional governmental regulations that may apply. Which of the following regulations applies when processing personal data within the European Union? A. GDPR B. PCI C. PHI D. PII

A. GDPR Explanation OBJ-5.5: The General Data Protection Regulation (GDPR) is a regulation created in the European Union that creates provisions and requirements to protect the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements. Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. The peripheral component interconnect (PCI) bus is used to provide low-speed connectivity to expansion cards but has been mostly replaced by the faster PCIe bus. The Payment Card Industry Data Security Standard (PCI-DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to securely host your data and follow PCI compliance requirements.

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected? A. HIPAA B. GLBA C. COSO D. SOX

A. HIPAA Explanation OBJ-5.2: The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be followed in the United States. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) guides governance-related topics, including fraud, controls, finance, and ethics. COSO's ERM-integrated framework defines risk, and related common terminology lists key components of risk management strategies and supplies direction and criteria for enhancing risk management practices.

Tierra works as a cybersecurity analyst for a large multi-national oil and gas company. She responds to an incident at her company in which their public-facing web server has been defaced with the words, "Killers of the Arctic." She believes this was done in response to her company's latest oil drilling project in the Arctic Circle. Which threat actor is most likely to blame for the website defacement? A. Hacktivist B. Script kiddie C. Organized crime D. APT

A. Hacktivist Explanation OBJ-1.5: It appears this hack was motivated by a pro-environmentalist agenda based on the message of the website defacement. This is an example of hacktivism. In 2012, five top multi-national oil companies were targeted by members of Anonymous as a form of digital protest against drilling in the Arctic, a practice that these hacktivists believe has contributed to the melting of the ice caps in that region.

When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis? A. Hardware write blocker B. Forensic drive duplicator C. Software write blocker D. Degausser

A. Hardware write blocker Explanation OBJ-2.7: Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive's contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker's primary purpose is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device. A forensic drive duplicator copies a drive and validates that it matches the original drive but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the hard drive contents.

Barbara received a phone call from a colleague asking why she sent him an email with lewd and unusual content. Barbara doesn't remember sending the email to the colleague. What is Barbara MOST likely the victim of? A. Hijacked email B. Ransomware C. Spear phishing D. Phishing

A. Hijacked email Explanation OBJ-1.1: Barbara is MOST likely the victim of hijacked email. Hijacked email occurs when someone takes over your email account and sends out messages on your behalf. Hijacked email can occur after a system is taken over by an attacker. The victim usually finds out about it when someone asks about an email the victim sent them, or the victim sees an automated out-of-office reply from one of the recipients of the victim's emails. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people. Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received.

You are trying to select the best device to install to detect an outside attacker trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select? A. IDS B. IPS C. Proxy server D. Authentication server

A. IDS Explanation OBJ-3.3: An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can stop malicious activity or policy violations, an IDS can only log these issues and not stop them. An intrusion prevention system (IPS) conducts the same functions as an IDS but can also block or take actions against malicious events. An authentication, authorization, and accounting (AAA) server is a server used to identify (authenticate), approve (authorize), and keep track of (account for) users and their actions. AAA servers can also be classified based on the protocol they use, such as a RADIUS server or TACACS+ server. A proxy server is a server that acts as an intermediary between a client requesting a resource and the server that provides that resource. A proxy server can be used to filter content and websites from reaching a user.

An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future? A. Implement a VLAN to separate the HVAC control system from the open wireless network B. Enable NAC on the open wireless network C. Enable WPA2 security on the open wireless network D. Install an IDS to protect the HVAC system

A. Implement a VLAN to separate the HVAC control system from the open wireless network Explanation OBJ-1.5: A VLAN is useful to segment out network traffic to various parts of the network and stop someone from the open wireless network from logging to the HVAC controls. By utilizing NAC, each machine connected to the open wireless network could be checked for compliance and determine if it is a 'known' machine, but they would still be given access to the entire network. Also, since this is a publicly usable network, using NAC could prevent users from accessing all the network features. An IDS would be a good solution to detect the attempted logins, but it won't prevent them. Instead, an IPS would be required to prevent logins.

You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests to block certain content types before it leaves the network based on operational priorities. Which of the following solution should you recommend to meet these requirements? A. Install a NIPS on the internal interface and a firewall on the external interface of the router B. Configure IP filtering on the internal and external interfaces of the router C. Install a firewall on the router's internal interface and a NIDS on the router's external interface D. Installation of a NIPS on both the internal and external interfaces of the router

A. Install a NIPS on the internal interface and a firewall on the external interface of the router Explanation OBJ-3.3: Due to the requirements provided, you should install a NIPS on the gateway router's internal interface and a firewall on the external interface of the gateway router. The firewall on the external interface will allow the bulk of the malicious inbound traffic to be filtered before reaching the network. Then, the NIPS can be used to inspect the traffic entering the network and provide protection for the network using signature-based or behavior-based analysis. A NIPS is less powerful than a firewall and could easily "fail open" if it is overcome with traffic by being placed on the external interface. The NIPS installed on the internal interface would also allow various content types to be quickly blocked using custom signatures developed by the security team. We wouldn't want to place the NIPS on the external interface in the correct choice for the same reasons. We also wouldn't choose to install a NIPS on both the internal and external connections. IP filtering on both interfaces of the router will not provide the ability to monitor the traffic or to block traffic based on content type. Finally, we would not want to rely on a NIDS on the external interface alone since it can only monitor and not provide the content blocking capabilities needed.

You have just received an email that claims to be from the Federal Bureau of Investigation (FBI). The email claims that your computer was identified as part of a botnet being used to distribute pirated copies of a new movie. The email states that you must click the link below and pay a fine of $1000 within 24 hours, or federal agents will be sent to your home to arrest you for copyright infringement. What social engineering principle is this email relying on using? A. Intimidation B. Trust C. Familiarity D. Consensus

A. Intimidation Explanation OBJ-1.1: Intimidation is a commonly used technique during a social engineering campaign. It relies on trying to scare or frighten a person into clicking a link. Often, these emails will claim to be from the FBI, IRS, or other government agencies.

A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not related to actual vulnerabilities, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive? A. Items classified by the system as Low or as For Informational Purposes Only B. An HTTPS entry that indicates the web page is securely encrypted C. A finding that shows the scanner compliance plug-ins are not up-to-date D. A scan result that shows a version that is different from the automated asset inventory

A. Items classified by the system as Low or as For Informational Purposes Only Explanation OBJ-1.7: When conducting a vulnerability scan, it is common for the report to include some findings that are classified as "low" priority or "for informational purposes only." These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. "An HTTPS entry that indicates the web page is securely encrypted" is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.

You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first? A. L3 cache B. Backup tapes C. ARP cache D. Image of the server's SSD

A. L3 cache Explanation OBJ-4.5: When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin collecting the CPU registers and cache memory (L1/L2/L3/GPU). The contents of system memory (RAM), including a routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Next, you would move on to the collection of data storage devices like hard drives, SSDs, and flash memory devices. After that, you would move onto less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.

Which of the following technologies is NOT a shared authentication protocol? A. LDAP B. OpenID Connect C. Facebook Connect D. OAuth

A. LDAP Explanation OBJ-3.8: LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.

Which protocol relies on mutual authentication of the client and the server for its security? A. LDAPS B. CHAP C. RADIUS D. Two-factor authentication

A. LDAPS Explanation OBJ-3.1: The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable access to a directory of resources (workstations, users, information, etc.). TLS provides mutual authentication between clients and servers. Since Secure LDAP (LDAPS) uses TLS, it provides mutual authentication.

A new corporate policy dictates that all access to network resources will be controlled based on the user's job functions and tasks within the organization. For example, only people working in Human Resources can access employee records, and only the people working in finance can access customer payment histories. Which of the following security concepts is BEST described by this new policy? A. Least privilege B. Permission creep C. Directory permissions D. Blocklists

A. Least privilege Explanation OBJ-5.3: Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. Privilege itself refers to the authorization to bypass certain security restraints. Permissions Creep, also known as privilege creep, is what happens when an employee moves between roles in an organization and keeps the access or permissions of the previous role. Directory permissions are used to determine which users can access, read, write, and delete files or directories within a given directory. A blocklist is a list of IP addresses, ports, or applications that are not allowed to be run or used on a given system.

Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic? A. Machine learning B. Generative adversarial network C. Artificial intelligence D. Deep learning

A. Machine learning Explanation OBJ-1.2: A machine learning (ML) system uses a computer to accomplish a task without being explicitly programmed. In the context of cybersecurity, ML generally works by analyzing example data sets to create its own ability to classify future items presented. If the system was presented with large datasets of malicious and benign traffic, it will learn which is malicious and categorize future traffic presented to it. Artificial Intelligence is the science of creating machines to develop problem-solving and analysis strategies without significant human direction or intervention. AI goes beyond ML and can make a more complicated decision than just the classifications made by ML. A deep learning system can determine what is malicious traffic without having the prior benefit of being told what is benign/malicious. A generative adversarial network is an underlying strategy used to accomplish deep learning but is not specific to the scenario described.

You have discovered that an employee has been conducting illegal activities using his workplace computer. You have taken possession of the employee's laptop according to your company's procedures and are waiting to give it to law enforcement authorities. What should you do when turning over the laptop to the police? A. Maintain the chain of custody B. Quarantine the system C. Preserve the evidence D. Document the changes

A. Maintain the chain of custody Explanation OBJ-4.5: The chain of custody is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence. The chain of custody must be maintained from when you arrived at the laptop until you turn it over to law enforcement officials. As first responders, our job is to collect the evidence and maintain the chain of custody.

Dion Training conducts weekly vulnerability scanning of their network and patches any identified issues within 24 hours. Which of the following best describes the company's risk response strategy? A. Mitigation B. Transference C. Acceptance D. Avoidance

A. Mitigation Explanation OBJ-5.4: Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing an activity that is risk-bearing. Acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

Dave's company utilizes Google's G-Suite environment for file sharing and office productivity, Slack for internal messaging, and AWS for hosting their web servers. Which of the following cloud models type of cloud deployment models is being used? A. Multi-cloud B. Private C. Public D. Community

A. Multi-cloud Explanation OBJ-2.2: Multi-cloud is a cloud deployment model where the cloud consumer uses multiple public cloud services. In this example, Dave is using the Google Cloud, Amazon's AWS, and Slack's cloud-based SaaS product simultaneously. A private cloud is a cloud that is deployed for use by a single entity. A public cloud is a cloud that is deployed for shared use by multiple independent tenants. A community cloud is a cloud that is deployed for shared use by cooperating tenants.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) *reference image* How would you appropriately categorize the authentication method being displayed here? A. Multifactor authentication B. Biometric authentication C. PAP authentication D. One-time password authentication

A. Multifactor authentication Explanation OBJ-2.4: For the exam, you need to know the different authentication categories and what type of authentication methods belong to each category. This is an example of multifactor authentication because you are using both a username/password combination with an SMS code. This provides a knowledge factor (username/password) and a possession factor (your smartphone) to provide two factors of authentication, making this the best option.

Dion Training utilizes a wired network throughout the building to provide network connectivity. Jason is concerned that a visitor might plug their laptop into a CAT 5e wall jack in the lobby and access the corporate network. What technology should be utilized to prevent users from gaining access to network resources if they can plug their laptops into the network? A. NAC B. DMZ C. VPN D. UTM

A. NAC Explanation OBJ-3.3: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology, the user or system authentication, and network security enforcement. NAC restricts the data that each particular user can access and implements anti-threat applications such as firewalls, anti-virus software, and spyware detection programs. NAC also regulates and restricts the things individual subscribers or users can do once they are connected. If a user is unknown, the NAC can quarantine the device from the network upon connection. A DMZ (demilitarized zone), a type of screened subnet, is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network such as the Internet. A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Unified threat management (UTM) provides multiple security features (anti-virus, anti-spam, content filtering, and web filtering) in a single device or network appliance.

What is a legal contract outlining the confidential material or information that will be shared by the pentester and the organization during an assessment? A. NDA B. SLA C. SOW D. MSA

A. NDA Explanation OBJ-5.3: This is the definition of a non-disclosure agreement (NDA). There may be two NDAs in use: One from the organization to the pentester and another from the pentester to the organization. The Statement of Work (SOW) is a formal document stating what will and will not be performed during a penetration test. It should also contain the assessment's size and scope and a list of the assessment's objectives. A master service agreement (MSA) is a contract reached between parties, in which the parties agree to most of the terms that will govern future transactions or future agreements. The MSA is used when a pentester will be on retainer for a multi-year contract, and an individual SOW will be issued for each assessment to define the individual scopes for each one. A service level agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including reasons the contract may be terminated.

What tool can be used to scan a network to perform vulnerability checks and compliance auditing? A. Nessus B. Nmap C. BeEF D. Metasploit

A. Nessus Explanation OBJ-4.1: Nessus is a popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

You just received an email from Bob, your investment banker, stating that he completed the wire transfer of $10,000 to your bank account in Vietnam. The problem is, you do not have a bank account in Vietnam, so you immediately call Bob to ask what happened. Bob explains that he received an email from you requesting the transfer. You insist you never sent that email to Bob initiating this wire transfer. What aspect of PKI could be used to BEST ensure that a sender sent a particular email message and avoid this type of situation? A. Non-repudiation B. Recovery agents C. CRL D. Trust models

A. Non-repudiation Explanation OBJ-2.8: Non-repudiation occurs when a sender cannot claim they didn't send an email when they did. A digital signature should be attached to each email sent to achieve non-repudiation. This digital signature is comprised of a digital hash of the email's contents, and then encrypting that digital hash using the sender's private key. The receiver can then unencrypt the digital hash using the sender's public key to verify the message's integrity.

Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts? A. Notification to your credit card processor B. Notification to local law enforcement C. Notification to federal law enforcement D. Notification to Visa and Mastercard

A. Notification to your credit card processor Explanation OBJ-4.5: Any organization that processes a credit card will be required to work with their credit card processor instead of working directly with the card issuers (Visa and Mastercard). Conducting notification to your bank or credit card processor is one of the first steps in the incident response effort for a breach of this type of data. Typically, law enforcement does not have to be notified of a data breach at a commercial organization.

You are applying for a job at a cybersecurity firm. The application requests you enter your social security number, date of birth, and email address to conduct a background check as part of the hiring process. Which of the following types of information have you been asked to provide? A. PII B. CUI C. PHI D. IP

A. PII Explanation OBJ-5.5: Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. Proprietary information or intellectual property (IP) is information created and owned by the company, typically about the products or services that they make or perform. Controlled Unclassified Information (CUI) is federal non-classified information that must be safeguarded by implementing a uniform set of requirements and information security controls to secure sensitive government information.

An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system? A. Pass the hash B. Pivoting C. Golden ticket D. Lateral movement

A. Pass the hash Explanation OBJ-1.3: Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.

Which type of monitoring would utilize a network tap? A. Passive B. SNMP C. Router-based D. Active

A. Passive Explanation OBJ-3.3: Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. Active monitoring relies on scanning targeted systems, not a network tap. Router-based monitoring would involve looking over the router's logs and configuration files. SNMP is used to monitor network devices but is considered active monitoring and doesn't rely on network taps.

What technique is an attacker using if they review data and publicly available information to gather intelligence about the target organization without scanning or other technical information-gathering activities? A. Passive reconnaissance B. Vulnerability scanning C. Patch management D. Active scanning

A. Passive reconnaissance Explanation OBJ-1.8: Passive reconnaissance combines publicly available data from various sources about an organization and does not use active scanning or data gathering methods. Vulnerability scanning is an inspection of the potential points of exploitation on a computer or network to identify security holes. A vulnerability scan is usually conducted to detect and classify system weaknesses in computers, networks, and communications equipment and predict the effectiveness of countermeasures. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices' data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives? A. Perform a cryptographic erase (CE) on the storage devices B. Incinerate and replace the storage devices C. Use a secure erase (SE) utility on the storage devices D. Conduct zero-fill on the storage devices

A. Perform a cryptographic erase (CE) on the storage devices Explanation OBJ-2.7: Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case, the hard drives already used data at rest. Therefore, the most efficient method would be to choose CE. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives, and it takes much longer than the CE method. The final option is to conduct physical destruction, but since the scenario states that the storage device will be reused, this is not a valid technique. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.

Tim, a help desk technician, receives a call from a frantic executive who states that their company-issued smartphone was stolen during their lunch meeting with a rival company's executive. Tim quickly checks the MDM administration tool and identifies that the user's smartphone is still communicating with the MDM, and displays its location on a map. What should Tim do next to ensure the stolen device's data remains confidential and inaccessible to the thief? A. Perform a remote wipe of the device B. Remotely encrypt the device C. Identify the IP address of the smartphone D. Reset the device's password

A. Perform a remote wipe of the device Explanation OBJ-3.5: To ensure the data remains confidential and is not accessed by the thief, Tim should perform a remote wipe of the device from the MDM. This will ensure any corporate data is erased before anyone accesses it. Additionally, Tim could reset the device's password, but if the thief could guess or crack the password, they would have access to the data. Identifying the smartphone's IP address is not a useful step in protecting the data on the device. Additionally, devices should be encrypted BEFORE they are lost or stolen, not after. Therefore, the option to remotely encrypt the device is provided as a wrong answer and a distractor.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Which of the following types of attacks occurs when an attacker attempts to obtain personal or private information through domain spoofing or poisoning a DNS server? A. Pharming B. Spear phishing C. Hoax D. Vishing E. Spamming

A. Pharming Explanation OBJ-1.1: Pharming is the fraudulent practice of directing Internet users to a bogus website that mimics the appearance of a legitimate one to obtain personal information such as user passwords, account numbers, and other confidential data.

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses older unencrypted SSDs as part of their default configuration, and the manufacturer does not provide a SE utility for the devices. The storage devices contained top-secret data that would bankrupt the company if it fell into a competitor's hands. After safely extracting the device's data and saving it to a new self-encrypting drive, you have been asked to dispose of the SSDs securely. Which of the following methods should you use? A. Physically destroy the storage devices B. Use a secure erase (SE) utility on the storage devices C. Conduct zero-fill on the storage devices D. Perform a cryptographic erase (CE) on the storage devices

A. Physically destroy the storage devices Explanation OBJ-2.7: Physical destruction is the only option that will meet the requirements of this scenario. Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this scenario, the SSDs were not self-encrypting drives (SED) and did not have a SE utility available, so the CE or SE methods cannot be used. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives. The best option is to conduct physical destruction since the scenario states that the storage device was already replaced with a new self-encrypting drive (SED). The old SSD contained top-secret data crucial to maintaining a corporate advantage over the company's competitors. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.

Which type of media sanitization would you classify degaussing as? A. Purging B. Clearing C. Erasing D. Destruction

A. Purging Explanation OBJ-2.7: Degaussing is classified as a form of purging. Purging eliminates information from being feasibly recovered even in a laboratory environment. Purging includes degaussing, encryption of the data with the destruction of its encryption key, and other non-destructive techniques. Some generic magnetic storage devices can be reused after the degaussing process has finished, such as VHS tapes and some older backup tapes. For this reason, though, the technique of degaussing is classified as purging and not destruction, even though hard drives are rendered unusable after being degaussed. Clearing data prevents data from being retrieved without the use of state-of-the-art laboratory techniques. Clearing often involves overwriting data one or more times with repetitive or randomized data. Destroying data is designed not merely to render the information unrecoverable but also to hinder any reuse of the media itself. Destruction is a physical process that may involve shredding media to pieces, disintegrating it into parts, pulverizing it to powder, or incinerating it to ash. Erasing or deleting is considered a normal operation of a computer, which erases the data file's pointer on a storage device. Erasing and deleting are easily reversed, and the data can be recovered with commercially available or open-source tools.

Which of the following access control methods utilizes a set of organizational roles in which users are assigned to gain permissions and access rights? A. RBAC B. ABAC C. DAC D. MAC

A. RBAC Explanation OBJ-3.8: Role-based access control (RBAC) is a modification of DAC that provides a set of organizational roles that users may be assigned to gain access rights. The system is non-discretionary since the individual users cannot modify the ACL of a resource. Users gain their access rights implicitly based on the groups to which they are assigned as members.

Which of the following cryptographic algorithms is classified as symmetric? A. RC4 B. ECC C. Diffie-Hellman D. RSA

A. RC4 Explanation OBJ-2.8: RC4, or Rivest Cipher 4, is a symmetric stream cipher used in WEP and TLS. ECC, RSA, and Diffie-Hellman are all asymmetric algorithms.

Which of the following hashing algorithms results in a 160-bit fixed output? A. RIPEMD B. MD-5 C. NTLM D. SHA-2

A. RIPEMD Explanation OBJ-2.8: RIPEMD creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

Which party in a federation provides services to members of the federation? A. RP B. SSO C. SAML D. IdP

A. RP Explanation OBJ-2.4: Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties between an identity provider and a service provider (SP) or a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.

Which of the following terms is used to describe the timeframe following a disaster that an individual IT system may remain offline? A. RTO B. MTTR C. MTBF D. RPO

A. RTO Explanation OBJ-5.4: Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired. Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation.

Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption? A. Randomized one-time use pad B. AES with a 256-bit key C. DES with a 56-bit key D. ECC with a 256-bit key

A. Randomized one-time use pad Explanation OBJ-2.8: The only truly unbreakable encryption is one that uses a one-time use pad. This ensures that every message is encrypted with a different shared key that only the two owners of the one-time use pad would know. This technique ensures that there is no pattern in the key for an attacker to guess or find. Even if one of the messages could be broken, all of the other messages would remain secure since they use different keys to encrypt them. Unfortunately, one-time use pads require that two identical copies of the pad are produced and distributed securely before they can be used. DES and AES both rely on a single shared secret key, making it vulnerable to attack. DES has already been broken, while AES remains unbroken (today). With enough time and computing power, though, an AES key could be discovered. RSA is also vulnerable to attack with enough time and computing power.

You have been hired as a consultant by Dion Training to review their current disaster recovery plans. The CEO has requested that the plans ensure that the company can limit downtime in the event of a disaster. Still, due to staffing concerns, he cannot approve the budget to implement or maintain a fully redundant offsite location to ensure 99.999% availability. Based on that limitation, what should you recommend to the CEO? A. Redundant hardware be maintained at the offsite location and configured to be ready for the recovery of the company's backup data when needed B. Retain all hardware at their office building but ship their backups to an offsite facility for storage C. Install a set of redundant servers to another part of the company's office building D. Retain their backups in their office building but install redundant services in a collocated data center within a different company

A. Redundant hardware be maintained at the offsite location and configured to be ready for the recovery of the company's backup data when needed Explanation OBJ-2.1: A warm site provides some of a hot site's capabilities, but it requires the customer to do more work to become operational. Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations. For most organizations, a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement. By placing your redundant hardware at the offsite location and configuring it to be ready for recovery when needed, the company can have a higher availability level than a cold site but not have the full personnel costs involved with a hot site. A hot site would ensure that the offsite location has all the hardware, equipment, personnel, and data installed and ready to provide services at all times. Maintaining a hot site is much more expensive than a warm site. It is not recommended that your redundant servers are located within the same building since a fire, flood, or other disaster could destroy your primary and redundant capabilities. Retaining the hardware at the office building but shipping the backups offsite is more in line with a cold site description. This would also not provide high availability levels since the systems would need to be set up, configured, and made ready for use.

Dion Training is concerned with the possibility of employees accessing another user's workstation in secured areas without their permission. Which of the following would BEST be able to prevent this from happening? A. Require biometric identification for user logins B. Enforce a policy that requires passwords to be changed every 30 days C. Require a username and a password for user logins D. Install security cameras in secure areas to monitor logins

A. Require biometric identification for user logins Explanation OBJ-2.4: The BEST choice is to implement biometric identification for user logins, such as a fingerprint reader or a retina scanner. This would ensure that even if an employee could discover another employee's username and password, they would be prevented from logging into the workstation without the employee's finger or eye to scan. Enforcing short password retention can limit the possible damage when a password is disclosed, but it won't prevent a login during the valid period. Security cameras may act as a deterrent or detective control, but they cannot prevent an employee from logging into the workstation as another employee. Security cameras could be used to determine who logged in after the fact, though.

You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the criticality of a system to the organization's operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system? A. Review the asset inventory and BCP B. Conduct a nmap scan of the network to determine the OS of each system C. Scope the scan based on IP subnets D. Ask the CEO for a list of the critical systems

A. Review the asset inventory and BCP Explanation OBJ-4.2: To best understand a system's criticality, you should review the asset inventory and the BCP. Most organizations classify each asset in its inventory based on its criticality to the organization's operations. This helps to determine how many spare parts to have, the warranty requirements, service agreements, and other key factors to help keep these assets online and running at all times. Additionally, you can review the business continuity plan (BCP) since this will provide the organization's plan for continuing business operations in the event of a disaster or other outage. Generally, the systems or operations listed in a BCP are the most critical ones to support business operations. While the CEO may be able to provide a list of the most critical systems in a large organization, it isn't easy to get them to take the time to do it, even if they did know the answer. Worse, in most large organizations, the CEO isn't going to know what systems he relies on, but instead just the business functions they serve, again making this a bad choice. While conducting a nmap scan may help you determine what OS is being run on each system, this information doesn't help you determine criticality to operations. The same is true of using IP subnets since a list of subnets by itself doesn't provide criticality or prioritization of the assets.

During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? A. SMS messages may be accessible to attackers via VoIP or other systems B. SMS should be paired with a third factor C. SMS is a costly method of providing a second factor of authentication D. SMS should be encrypted to be secure

A. SMS messages may be accessible to attackers via VoIP or other systems Explanation OBJ-2.4: NIST's SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS is unable to be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor. SMS is not a costly method since it can be deployed for less than $20/month at scale.

Which security tool is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment? A. SOAR B. DLP C. SIEM D. MDM

A. SOAR Explanation OBJ-4.4: A security orchestration, automation, and response (SOAR) is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment. A SOAR may be implemented as a standalone technology or integrated within a SIEM as a next-gen SIEM. A SOAR can scan the organization's store of security and threat intelligence, analyze it using machine/deep learning techniques, and then use that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting.

Which cloud computing concept is BEST described as focusing on the replacement of applications and programs on a customer's workstation with cloud-based resources? A. SaaS B. IaaS C. DaaS D. PaaS

A. SaaS Explanation OBJ-2.2: Software as a Service (SaaS) is ca loud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses focused on increasing their security and minimizing their operational expenses.

What is a major security risk that could occur when you comingle hosts/servers with different security requirements in a single network? A. Security policy violations B. Zombie attacks C. Password compromises D. Privilege creep

A. Security policy violations Explanation OBJ-5.3: A network is only as strong as its weakest link (or host/server). When you comingle hosts/servers, there is a large risk that security policy violations could occur. This is because users may be used to following a less stringent security policy for one set of machines and carry over those procedures to a machine that should have had stronger security policies.

Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set so that a single person can not add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario? A. Separation of duties B. Security through obscurity C. Least privilege D. Dual control authentication

A. Separation of duties Explanation OBJ-5.3: Separation of duties is the concept of having more than one person required to complete a task. In business, the separation by sharing more than one individual in a single task is an internal control intended to prevent fraud and error. In this case, one person can transfer money in, while another must transfer money out. Dual control authentication is used when performing a sensitive action and requires two different users to log in. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities. Security through obscurity is the reliance on security engineering in design or implementation by using secrecy as the main method of providing security to a system or component.

You are analyzing the logs of a forensic analysts workstation and see the following: *reference image* What does the bs=1M signify in the command list above? A. Sets the block size B. Sends output to a blank sector C. Sets the beginning sector D. Removes error messages and other incorrect data

A. Sets the block size Explanation OBJ-4.1: The dd command is used in forensic data acquisition to forensically create a bit by bit copy of a hard drive to a disk image. The bs operator sets the block size when using the Linux dd command. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Which attack method is MOST likely to be used by a malicious employee or insider trying to obtain another user's passwords? A. Shoulder surfing B. Phishing C. Tailgating D. On-path attack

A. Shoulder surfing Explanation OBJ-1.1: While a malicious employee or insider could use all of the methods listed to obtain another user's passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Since a malicious employee or insider can work close to their victims (other users), they could easily use this technique to collect the victimized users' passwords. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. The attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection. The attacker will intercept all relevant messages passing between the two victims and inject new ones. Tailgating is a social engineering technique to gain access to a building by following someone unaware of their presence. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people.

What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network? A. Social engineering B. Vulnerability scanning C. Application security testing D. Network sniffing

A. Social engineering Explanation OBJ-5.3: Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, utilizing social engineering techniques such as phishing or pharming can help you determine if additional end-user security training should be included in the organization. The other three options focus solely on technical controls. Therefore adding end-user training would not affect these technology options.

Which of the following is not considered an authentication factor? A. Something you want B. Something you have C. Something you know D. Something you are

A. Something you want Explanation OBJ-2.4: The five factors of authentication are knowledge, possession, biometric, action, and location. This is also known as 'something you know,' 'something you have,' 'something you are,' 'something you do,' and 'somewhere you are.'

An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development? A. Static code analysis B. Manual Peer Review C. Pair programming D. Dynamic code analysis

A. Static code analysis Explanation OBJ-3.4: Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. DevSecOps methodology would also improve the likelihood of detecting such an error but still rely on human-to-human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.

You are conducting a routine vulnerability scan of a server when you find a vulnerability. You locate a patch for the vulnerability on the software vendor's website. What should you do next? A. Submit a Request for Change using the change management process B. Download and install the patch immediately C. Start the incident response process D. Establish continuous monitoring

A. Submit a Request for Change using the change management process Explanation OBJ-5.3: Before any change to a baseline occurs, a Request for Change should be submitted. This submission will start the change management process within your organization. Once approved, the patch should be tested in a staging environment, installed on the production server, and then the server should be rescanned to ensure the vulnerability no longer exists. In this scenario, no incident response is being performed since this vulnerability is found during a routine vulnerability scan.

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why? A. Syslog B. Firewall logs C. NIDS D. Network mapping

A. Syslog Explanation OBJ-4.3: The Syslog server is a centralized log management solution. By looking through the Syslog server's logs, the technician could determine which service failed on which server since all the logs are retained on the Syslog server from all the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could help determine which server was offline, but not what caused the interruption. Firewall logs would only help determine why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.

Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually, through a token-based key fob or smartphone app, that automatically expires after a short period of time (for example, 60 seconds)? A. TOTP B. HOTP C. EAP D. Smart card

A. TOTP Explanation OBJ-2.4: The Time-based One-time Password Algorithm (TOTP) is a refinement of the HOTP. One issue with HOTP is that tokens can be allowed to persist unexpired, raising the risk that an attacker might obtain one and decrypt data in the future. In TOTP, the HMAC is built from the shared secret plus a value derived from the device's and server's local timestamps. TOTP automatically expires each token after a short window (60 seconds, for instance).

An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the building's main lobby until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building? A. Tailgating B. Spoofing C. Shoulder surfing D. Social engineering

A. Tailgating Explanation OBJ-1.1: Based on the description, the ethical hacker conducted a very specialized type of social engineering attack known as tailgating. Sometimes on a certification exam, there are two correct answers, but one is more correct. This question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area. Social engineering uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source.

Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as? A. Technical controls B. Compensating controls C. Administrative controls D. Physical controls

A. Technical controls Explanation OBJ-5.1: Firewalls, intrusion detection systems, and a RADIUS server are all examples of technical controls. Technical controls are implemented as a system of hardware, software, or firmware. Administrative controls involve processes and procedures. Physical controls include locks, fences, and other controls over physical access. Compensating controls are controls that are put in place to cover any gaps and reduce the risk remaining after using other controls.

You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing? A. The backup is a differential backup B. The backup is encrypted C. The backup was interrupted D. The backup is stored in iCloud.

A. The backup is a differential backup Explanation OBJ-2.5: iPhone/iPad backups can be created as full or differential backups. In this scenario, the backup being analyzed is likely a differential backup containing the information that has changed since the last full backup. If the backup were encrypted, you would be unable to read any of the contents. If the backup were interrupted, the backup file would be in an unusable state. If the backup were stored in iCloud, you would need access to their iCloud account to retrieve and access the file. Normally, during an investigation, you will not have access to the user's iCloud account.

Which of the following cryptographic algorithms is classified as symmetric? A. Twofish B. ECC C. Diffie-Hellman D. RSA

A. Twofish Explanation OBJ-2.8: Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. ECC, RSA, and Diffie-Hellman are all asymmetric algorithms.

You have been investigating how a malicious actor could exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that a rootkit's installation had modified the web server's BIOS. After removing the rootkit and reflashing the BIOS to a known good image, what should you do to prevent the malicious actor from affecting the BIOS again? A. Utilize secure boot B. Install an anti-malware application C. Utilize file integrity monitoring D. Install a host-based IDS

A. Utilize secure boot Explanation OBJ-3.2: Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that the OS vendor has digitally signed it. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.

C. A customer brought in a computer that has been infected with a virus. Since the infection, the computer began redirecting all three of the system's web browsers to a series of malicious websites whenever a valid website is requested. You quarantined the system, disabled the system restore, and then perform the remediation to remove the malware. You have scanned the machine with several anti-virus and anti-malware programs and determined it is now cleaned of all malware. You attempt to test the web browsers again, but a small number of valid websites are still being redirected to a malicious website. Luckily, the updated anti-virus you installed blocked any new malware from infecting the system. Which of the following actions should you perform NEXT to fix the redirection issue with the browsers? A. Verify the hosts file has not been maliciously modified B. Perform a System Restore to an earlier date before the i

A. Verify the hosts file has not been maliciously modified Explanation OBJ-1.4: Browser redirection usually occurs if the browser's proxy is modified or the hosts.ini file is modified. If the redirection occurs only for a small number of sites or occurs in all web browsers on a system, it is most likely a maliciously modified hosts.ini file. The hosts.ini file is a local file that allows a user to specify specific domain names to map to particular addresses. It works as an elementary DNS server and can redirect a system's internet connection. For example, if your children are overusing YouTube, you can change YouTube.com to resolve to YourSchool.edu for just your child's laptop.

Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated? A. WAF B. Encryption C. IPS D. Vulnerability scanning

A. WAF Explanation OBJ-3.3: WAF (web application firewall) is the best option since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue. Therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping an SQL injection. An intrusion prevention system (IPS) is designed to protect network devices based on ports, protocols, and signatures. It would not be effective against an SQL injection and is not considered a compensating control for this vulnerability.

What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system? A. You should accept the risk if the residual risk is low enough B. You should ignore any remaining risk C. You should continue to apply additional controls until there is zero risk D. You should remove the current controls since they are not completely effective

A. You should accept the risk if the residual risk is low enough Explanation OBJ-5.4: In most cases, you will be unable to remove all risks. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.

Which command is used in the Linux terminal to change the permissions of a file? A. chmod B. chown C. pwd D. sudo

A. chmod Explanation OBJ-4.1: The chmod command sets the permissions of files or directories on a Linux system. A set of flags associated with each file determines who can access that file and how they can access it. These flags are called file permissions or modes. The command name chmod stands for change mode and it restricts the way a file can be accessed. The chown command is used to change the owner of the file, directory, or link in Linux. The pwd command displays the present working directory (current directory) path to the terminal or display. If you are working on a Linux system and are unsure of where you are in the directory structure, type "pwd" and hit enter to display the path to the screen. The sudo command allows programs to be executed as a superuser (known as the root user) or another user. The command's name is an abbreviation of the phrase "superuser do" and works on all Unix-based operating systems.

Your team is developing an update to a piece of code that allows customers to update their billing and shipping addresses in the web application. The shipping address field used in the database was designed with a limit of 75 characters. Your team's web programmer has brought you some algorithms that may help prevent an attacker from trying to conduct a buffer overflow attack by submitting invalid input to the shipping address field. Which pseudo-code represents the best solution to prevent this issue? A. if (shippingAddress <= 75) {update field} else exit B. if (shippingAddress != 75) {update field} else exit C. if (shippingAddress = 75) {update field} else exit D. if (shippingAddress >= 75) {update field} else exit

A. if (shippingAddress <= 75) {update field} else exit Explanation OBJ-3.2: To ensure that the field is not overrun by an input that is too long, input validation must occur. Checking if the shipping address is less than or equal to 75 characters before updating the field will prevent a buffer overflow from occurring in this program. If the input is 76 characters or more, then the field will not be updated, and the algorithm will exit the function.

You are troubleshooting an issue with a Windows desktop and need to display the machine's active TCP connections. Which of the following commands should you use? A. netstat B. ipconfig C. net use D. ping

A. netstat Explanation OBJ-4.1: The netstat command is used to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols) on a Windows machine. This is a useful command when determining if any malware has been installed on the system and maybe maintaining a remote connection with a command and control server. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The ping command is used to test a host's reachability on an Internet Protocol network. The net use command is used to connect to, remove, and configure connections to shared resources such as mapped drives and network printers.

During a penetration test of your company's network, the assessor came across a spreadsheet with the passwords being used for several servers. Four of the passwords recovered are listed below. Which one is the weakest password and should be changed FIRST to increase the password's complexity? A. pa55word B. P@$$W0RD C. P@$$w0rd D. Pa55w0rd

A. pa55word Explanation OBJ-3.7: Password policies often enforce a mixture of standard character types, including uppercase letters, lowercase letters, numbers, and symbols. The option 'pa55word' is the weakest choice since it only includes lowercase letters and numbers. The option 'Pa55w0rd' is slightly more complex since it includes uppercase letters, lowercase letters, and numbers. The option 'P@$$W0RD is also similar in complexity since it includes uppercase letters, numbers, and special characters. The most secure option is 'P@5$w0rd' since it includes a mixture of uppercase letters, lowercase letters, numbers, and special characters.

You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems? A. tracert B. ipconfig C. nbtstat D. netstat

A. tracert Explanation OBJ-4.1: The tracert (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, tracert uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer. The ICMP "Time Exceeded" messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.

A system on your network was accessed during working hours and some sensitive information was viewed by an unintended user. Which actions will help prevent this issue from occurring in the future? (Choose TWO.) Answers A. Implement onboarding/offboarding policies B. Perform usage auditing and review C. Perform permission auditing and review D. Set time-of-day restrictions

B. Perform usage auditing and review C. Perform permission auditing and review A big part of access control is ensuring that users do not have more permissions than they need to perform their job. To ensure that users have the proper level of privileges, you should regularly perform permission auditing and reviews. In addition, you will want to perform regular usage audits and reviews. This will allow you to see which users are gaining access to the system and what actions they have performed. This will allow you to prevent unintended users from accessing sensitive information.Setting time-of-day restrictions is typically used to prevent users from accessing resources outside of their working hours. While implementing onboarding and offboarding will provide users with awareness of security policies, it will not prevent them from accidentally viewing sensitive information.

Dion Training has a $15,000 server that has frequently been crashing. Over the past 12 months, the server has crashed 10 times, requiring the server to be rebooted to recover from the crash. Each time, this has resulted in a 5% loss of functionality or data. Based on this information, what is the Annual Loss Expectancy (ALE) for this server? A. $2,500 B. $7,500 C. $15,000 D. $1,500

B. $7,500 Explanation OBJ-5.4: To calculate the ALE, you need to multiple the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). The SLE is calculated by multiplying the Exposure Factor (EF) by the Asset Value (AV). Therefore, SLE = EF x AV, and ALE = SLE x ARO. For this scenario, the asset value is $15,000, the annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To calculate the SLE, SLE = 0.05 x $15,000 = $750. Therefore, the ALE = SLE x ARO = $750 x 10 = $7,500.

Your coworker is creating a script to run on a Windows server using PowerShell. Which of the following file formats should the script use? A. .bat B. .ps1 C. .sh D. .py

B. .ps1 Explanation OBJ-4.1: Windows PowerShell enables you to perform management and administrative tasks in Windows 7 and later. It is fully integrated with the operating system and supports both remote execution and scripting. Microsoft provides the Windows PowerShell Integrated Scripting Environment (ISE) to help create and manage your Windows PowerShell scripts. If you want to save a series of PowerShell commands in a file to rerun them later, you effectively create a PowerShell script by creating a text file with a .ps1 extension. The file can contain a series of PowerShell commands, with each command appearing on a separate line. Python is a general-purpose programming language that can develop many different kinds of applications. It is designed to be easy to read, and the programs use fewer lines of code compared to other programming languages. The code runs in an interpreter. Python is preinstalled on many Linux distributions and can be installed on Windows. Python scripts are saved using the .py extension. Batch scripts run on the Windows operating system and, in their simplest form, contain a list of several commands that are executed in a sequence. A .bat file is used for a batch script. You can run the file by calling its name from the command line or double-clicking the file in File Explorer. Generally, batch file scripts run from end to end and are limited in branching and user input. A shell script is a file that contains a list of commands to be read and executed by the shell in Linux and macOS. A .sh file is used for a shell script and its first line always begins with #!/bin/bash that designates the interpreter. This line instructs the operating system to execute the script. Shell scripts allow you to perform various functions. These functions include automation of commands and tasks of system admi

Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring? A. 80 B. 22 C. 143 D. 21

B. 22 Explanation OBJ-3.1: Secure shell (SSH) is the protocol used for remote administration and file copying using TCP port 22. SSH is considered secure since it uses authenticated and encrypted sessions for communication. The file transfer protocol (FTP) is the protocol used to transfer files across the internet over ports 20 and 21. The hypertext transfer protocol (HTTP) is a protocol used to provide web content to browsers using port 80. The internet message access protocol (IMAP) is a TCP/IP application protocol that provides a means for a client to access email messages stored in a mailbox on a remote server using TCP port number 143. Unlike POP3, messages persist on the server after the client has downloaded them. IMAP also supports mailbox management functions, such as creating subfolders and access to the same mailbox by more than one client at the same time.

(Sample Simulation - On the real exam for this type of question, you would have to rearrange the ports into the proper order by dragging and dropping them into place.) *reference image* Using the image provided, place the port numbers in the correct order with their associated protocols: A. 161, 22, 110, 23 B. 22, 110, 161, 23 C. 110, 161, 23, 22 D. 23, 110, 22, 161

B. 22, 110, 161, 23 Explanation OBJ-3.1: For the exam, you need to know your ports and protocols. The Secure Copy (SCP) operates over port 22. Telnet operates over port 23. The Simple Network Management Protocol (SNMP) operates over port 161. The Post Office Protocol 3 (POP3) operates over port 110.

Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring? A. 25 B. 23 C. 110 D. 443

B. 23 Explanation OBJ-3.1: Telnet is the protocol used for remote command-line administration of a host using TCP port 23. Telnet is considered insecure since it is unauthenticated and unencrypted. The simple mail transfer protocol (SMTP) is the protocol used to send mail between hosts on the Internet using TCP port 25. The post office protocol (POP3) is a TCP/IP application protocol providing a means for a client to access email messages stored in a mailbox on a remote server over port 110. The server usually deletes messages once the client has downloaded them. The hypertext transfer protocol secure (HTTPS) is a secure protocol used to provide web content to browsers using SSL/TLS encryption over port 443.

Your firewall is blocking outbound email traffic that is attempting to be sent. Which port should you verify is set to ALLOW in the firewall to ensure your emails are being sent? A. 143 B. 25 C. 80 D. 22

B. 25 Explanation OBJ-3.1: The simple mail transfer protocol (SMTP) is the protocol used to send mail between hosts on the Internet using TCP port 25. Port 25 must be set to OPEN or ALLOW in the firewall for SMTP (Sendmail transfer protocol) to function properly. Secure shell (SSH) is the protocol used for remote administration and file copying using TCP port 22. SSH is considered secure since it uses authenticated and encrypted sessions for communication. Secure shell (SSH) is the protocol used for remote administration and file copying using TCP port 22. SSH is considered secure since it uses authenticated and encrypted sessions for communication. The internet message access protocol (IMAP) is a TCP/IP application protocol that provides a means for a client to access email messages stored in a mailbox on a remote server using TCP port number 143. Unlike POP3, messages persist on the server after the client has downloaded them. IMAP also supports mailbox management functions, such as creating subfolders and access to the same mailbox by more than one client at the same time.

What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+? A. 802.1q B. 802.1x C. 802.3af D. 802.11ac

B. 802.1x Explanation OBJ-3.8: If you are using RADIUS/TACACS+ with the switch, you will need to use 802.1x for the protocol. The IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. This defines port security. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server.

If an administrator cannot fully remediate a vulnerability, which of the following should they implement? A. A policy B. A compensating control C. An engineering tradeoff D. Access requirements

B. A compensating control Explanation OBJ-5.1: Based on the question's wording, a compensating control would be most accurate for the given scenario. Compensating controls may be considered when an entity cannot meet a requirement explicitly, as stated due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement by implementing other controls. Access requirements are a form of logical controls that can be implemented to protect a system and could be a form of compensating control if used appropriately. A policy is a statement of intent and is implemented as a procedure or protocol within an organization. An engineering tradeoff is a situational decision that involves diminishing or losing one quality, quantity, or property of a set or design in return for gains in other aspects. Often, an engineering tradeoff occurs when we trade security requirements for operational requirements or vice versa.

Based on some old SIEM alerts, you have been asked to perform a forensic analysis on a given host. You have noticed that some SSL network connections are occurring over ports other than port 443. The SIEM alerts indicate that copies of svchost.exe and cmd.exe have been found in the host's %TEMP% folder. The logs indicate that RDP connections have previously connected with an IP address that is external to the corporate intranet, as well. What threat might you have uncovered during your analysis? A. DDoS B. APT C. Ransomware D. Software vulnerability

B. APT Explanation OBJ-1.2: The provided indicators of compromise appear to be from an Advanced Persistent Threat (APT). These attacks tend to go undetected for several weeks or months and utilize secure communication to external IPs and Remote Desktop Protocol connections to provide the attackers with access to the infected host. While an APT might use a software vulnerability to gain their initial access, the full description provided in the question that includes the files being copied and executed from the %TEMP% folder and the use of SSL/RDP connections indicates longer-term exploitation, such as one caused by an APT.

What type of threat actor is highly funded and often backed by nation-states? A. Insider Threat B. APT C. Script Kiddies D. Hacktivist

B. APT Explanation OBJ-1.5: Advanced Persistent Threats are a group of hackers with great capability and intent. Nation-states and other large organizations often fund them to conduct highly covert hacks over a long period of time for political or economic gain. Script kiddies are people who use existing computer scripts or code to hack into computers, lacking the expertise to write their own. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. A hacktivist is someone who uses hacking to bring about political and social change.

Every new employee at Dion Training must sign a document to show they understand the proper rules for using the company's computers. This document states that the new employee has read the policy that dictates what can and cannot be done from the corporate workstations. Which of the following documents BEST describes this policy? A. SOW B. AUP C. MOU D. SLA

B. AUP Explanation OBJ-5.3: An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the internet. For example, an AUP may state that they must not attempt to break any computer network security, hack other users, or visit pornographic websites from their work computer. A service level agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including reasons the contract may be terminated. A statement of work (SOW), or a scope of work, is a document that outlines all the work that is to be performed, as well as the agreed-upon deliverables and timelines. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange.

What tool is used to collect wireless packet data? A. Netcat B. Aircrack-ng C. Nessus D. John the Ripper

B. Aircrack-ng Explanation OBJ-3.4: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file. John the Ripper is a password cracking software tool. Nessus is a vulnerability scanner. Netcat is used to create a reverse shell from a victimized machine back to an attacker.

A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store's public webserver. The analyst opens up the terminal on his Kali Linux workstation and uses netcat to gather some information. *reference image* What type of action did the analyst perform, based on the command and response above? A. Querying the Whois database B. Banner grabbing C. SQL injection D. Cross-site scripting

B. Banner grabbing Explanation OBJ-1.8: The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command "nc test.diontraining.com 80" was used to establish a connection to a target web server using netcat, then send an HTTP request (HEAD / HTTP/1.1). The response contains information about the service running on the webserver. In this example, the server software version (Apache 2.0.46) and the operating system (Red Hat Linux). Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications where malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A query to the WHOIS database would return information on the website owner, not the server's operating system.

What technology is NOT PKI x.509 compliant and cannot be used in various secure functions? A. SSL/TLS B. Blowfish C. AES D. PKCS

B. Blowfish Explanation OBJ-3.9: AES, PKCS, and SSL/TLS are all compatible with x.509 and can be used in a wide variety of functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature algorithm. SSL/TLS is used for secure key exchange.

Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on? A. Red team B. Blue team C. White team D. Yellow team

B. Blue team Explanation OBJ-1.8: Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play "war game" exercises in which the security personnel split into teams: red, blue, and white. The red team acts as the adversary. The blue team acts as the defenders. The white team acts as the referees and sets the parameters for the exercise. The yellow team is responsible for building tools and architectures in which the exercise will be performed.

Your company's Security Operations Center (SOC) is currently detecting an ongoing DDoS attack against your network's file server. A cybersecurity analyst has identified forty internal workstations on the network conducting the attack against your network's file server. The cybersecurity analyst believes these internal workstations are infected with malware and places them into a quarantined network area. The analyst then submits a service desk ticket to have the workstations scanned and cleaned of the infection. What type of malware was the workstation likely a victim of based on the scenario provided? A. Ransomware B. Botnet C. Rootkit D. Spyware

B. Botnet Explanation OBJ-1.2: A botnet is many internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. A zombie (also known as a bot) is a computer or workstation that a remote attacker has accessed and set up to forward transmissions (including spam and viruses) to other computers on the internet. Spyware is software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user. Ransomware is a type of malware that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid. A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence.

Dion Training has set up a lab consisting of 12 laptops for students to use outside of normal classroom hours. The instructor is worried that a student may try to steal one of the laptops. Which of the following physical security measures should be used to ensure the laptop is not stolen or moved out of the lab environment? A. Key fob B. Cable locks C. USB lock D. Biometric locks

B. Cable locks Explanation OBJ-2.7: The Kensington lock is a small hole found on almost every portable computer or laptop made after 2000. It allows a cable lock to be attached to a portable computer or laptop to lock it to a desk and prevent theft. These locks often use a combination lock or padlock type of locking system. These locks do not affect the user's ability to use the laptop or device. It only prevents them from moving the laptop from the area. A biometric lock is any lock that can be activated by biometric features, such as a fingerprint, voiceprint, or retina scan. Biometric locks make it more difficult for someone to counterfeit the key used to open the lock or a user's account. A smart card is a form of hardware token. A key fob generates a random number code synchronized to a code on the server. The code changes every 60 seconds or so. This is an example of a one-time password. A SecureID token is an example of a key fob that is produced by RSA. USB lock prevents unauthorized data transfer through USB ports, reducing the risk of data leakage, data theft, computer viruses, and malware by physically locking and blocking the USB Ports.

Which of the following elements is LEAST likely to be included in an organization's data retention policy? A. Description of information that needs to be retained B. Classification of information C. Minimum retention period D. Maximum retention period

B. Classification of information Explanation OBJ-4.2: Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization's data classification policy.

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first? A. Hardening the DEV_SERVER7 server B. Conduct a data criticality and prioritization analysis C. Conduct a Nessus scan of the FIREFLY server D. Logically isolate the PAYROLL_DB server from the production network

B. Conduct a data criticality and prioritization analysis Explanation OBJ-5.4: While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and DION, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn't contain their credit card processing systems that would be a more lucrative target for APT 38 than the PAYROLL_DB. The suggestions of hardening, logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don't know which data they should focus on protecting or where the attacker is currently.

Fail to Pass Systems has just become the latest victim in a large-scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Fail to Pass Systems in handling this data breach? A. Provide a statement to the press that minimizes the scope of the breach B. Conduct notification to all affected customers within 72 hours of the discovery of the breach C. Conduct a 'hack-back' of the attacker to retrieve the stolen information D. Purchase a cyber insurance policy, alter the date of the incident in the log files, and file an insurance claim

B. Conduct notification to all affected customers within 72 hours of the discovery of the breach Explanation OBJ-1.6: Generally speaking, most laws require notification within 72 hours, such as the GDPR. All other options are either unethical, constitute insurance fraud, or are illegal. Conducting a hack-back is considered illegal, and once data has been taken, it is nearly impossible to steal it back as the attacker probably has a backup of it. Providing an incorrect statement to the press is unethical, and if your company is caught lying about the extent of the breach, it could further hurt your reputation. Purchasing a cyber insurance policy and altering the log file dates to make it look like the attack occurred after buying the policy would be insurance fraud. This is unethical and illegal.

Your company is adopting a new BYOD policy for tablets and smartphones. Which of the following would allow the company to secure the sensitive information on personally owned devices and the ability to remote wipe corporate information without the user's affecting personal data? A. Face ID B. Containerization C. Long and complex passwords D. Touch ID

B. Containerization Explanation OBJ-3.5: Containerization is the logical isolation of enterprise data from personal data while co-existing in the same device. The major benefit of containerization is that administrators can only control work profiles that are kept separate from the user's personal accounts, apps, and data. This technology creates a secure vault for your corporate information. Highly targeted remote wiping is supported with most container-based solutions.

Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly? A. Continuous monitoring B. Continuous deployment C. Continuous integration D. Continuous delivery

B. Continuous deployment Explanation OBJ-2.3: Continuous deployment is a software development method in which app and platform updates are committed to production rapidly. Continuous delivery is a software development method in which app and platform requirements are frequently tested and validated for immediate availability. Continuous integration is a software development method in which code updates are tested and committed to development or build server/code repositories rapidly. Continuous monitoring is the technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon. While continuous deployment and continuous delivery sound very similar, there is one key difference. In continuous delivery, a human is still required to approve the release into the production environment. In continuous deployment, the test and release process into the production environment is automated, making the changes available for immediate release once the code is committed.

Which of the following cryptographic algorithms is classified as symmetric? A. DSA B. DES C. GPG D. ECC

B. DES Explanation OBJ-2.8: The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for applications, it was the standard used from 1977 until the early 2000s. GPG, ECC, and DSA are all asymmetric algorithms.

You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as? A. Introduction of new accounts B. Data exfiltration C. Unauthorized privilege D. Beaconing

B. Data exfiltration Explanation OBJ-1.6: If attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request. For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB. Therefore, this scenario is an example of a data exfiltration indicator of compromise. Based on the scenario, there is no evidence that a user is conducting a privilege escalation or using unauthorized privileges. There is also no evidence of a new account having been created or beaconing occurring over the network.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred? A. XML injection B. Directory traversal C. Buffer overflow D. SQL injection

B. Directory traversal Explanation OBJ-1.3: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input.

Which of the following cryptographic algorithms is classified as asymmetric? A. DES B. ECC C. RC4 D. Twofish

B. ECC Explanation OBJ-2.8: Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. As a public-key cryptosystem, it relies on an asymmetric algorithm. Twofish, RC4, and DES are all symmetric algorithms.

What is used as a measure of biometric performance to rate the system's ability to correctly authenticate an authorized user by measuring the rate that an unauthorized user is mistakenly permitted access? A. False rejection rate B. False acceptance rate C. Crossover error rate D. Failure to capture

B. False acceptance rate Explanation OBJ-2.4: False acceptance rate (FAR), or Type II, is the measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user. The false rejection rate is calculated based upon the number of times an authorized user is denied access to the system.

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices? A. HIPS B. GPO C. Anti-malware D. Patch management

B. GPO Explanation OBJ-4.4: Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. A Group Policy is the primary administrative tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization. In an active directory environment, Group Policy is applied to users or computers based on their membership in sites, domains, or organizational units. A host-based intrusion detection system (HIDS) is a device or software application that monitors a system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Anti-malware software is a program that scans a device or network for known viruses, Trojans, worms, and other malicious software. Patch management is the process of distributing and applying updates to the software to prevent vulnerabilities from being exploited by an attacker or malware. Proper patch management is a technical control that would prevent future outbreaks.

What should administrators perform to reduce a system's attack surface and remove unnecessary software, services, and insecure configuration settings? A. Stealthing B. Hardening C. Harvesting D. Windowing

B. Hardening Explanation OBJ-3.2: Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, removing unnecessary software, unnecessary usernames or logins, and disabling or removing unnecessary services. Windows is the use of windows for the simultaneous display of more than one item on a screen. Harvesting is the process of gathering data, normally user credentials. Stealthing is a made-up term in this question.

You have been hired as a consultant to help Dion Training develop a new disaster recovery plan. Dion Training has recently grown in the number of employees and information systems infrastructure used to support its employees. Unfortunately, Dion Training does not currently have any documentation, policies, or procedures for its student and faculty networks. What is the first action you should take to assist them in developing a disaster recovery plan? A. Develop a data retention policy B. Identify the organization's assets C. Conduct a vulnerability scan D. Conduct a risk assessment

B. Identify the organization's assets Explanation OBJ-4.2: The first step to developing an effective disaster recovery plan is to identify the assets. The organization must understand exactly what assets they own and operate. Once identified, you can then determine what assets and services are essential to business operations, what risks are facing them, and how best to recovery in the event of a disaster. To best understand the organization's risks, they will undertake an organization-wide risk assessment and conduct a vulnerability scan of its assets.

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft's regular patch. Which of the following options would be best to ensure the system remains protected and are compliant with the rules outlined by the PCI DSS? A. Build a custom OS image that includes the patch B. Identify, implement, and document compensating controls C. Remove the POS terminals from the network until the vendor releases a patch D. Replace the Windows POS terminals with standard Windows systems

B. Identify, implement, and document compensating controls Explanation OBJ-5.1: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.

In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of? A. Insufficient logging and monitoring B. Improper error handling C. Insecure object reference D. Use of insecure functions

B. Improper error handling Explanation OBJ-1.3: This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail and allow the attacker to execute code or perform an injection attack. One famous example of an improper error handling vulnerability is Apple's GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266. Insecure object reference refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. Insufficient logging and monitoring allow attackers to achieve their goals without being detected due to the lack of monitoring and timely response by defenders. The use of insecure functions occurs in the C language when legacy functions like strcpy() are used. These insecure functions can lead to buffer overflow and other exploits being successful against a program.

Which of the following utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise? A. Software-Defined Networking (SDN) B. Infrastructure as Code (IaC) C. Infrastructure as a Service (IaaS) D. Software as a Service (SaaS)

B. Infrastructure as Code (IaC) Explanation OBJ-2.2: Infrastructure as Code (IaC) is designed with the idea that a well-coded description of the server/network operating environment will produce consistent results across an enterprise and significantly reduce IT overhead costs through automation while precluding the existence of security vulnerabilities. SDN uses software to define networking boundaries but does not necessarily handle server architecture in the same way that IaC can. Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services.

You work for Dion Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first? A. Install CCTV to monitor the entrance B. Install an access control vestibule at the entrance C. Install an RFID badge reader at the entrance D. Require all employees to wear security badges when entering the building

B. Install an access control vestibule at the entrance Explanation OBJ-2.7: An access control vestibule, or mantrap, is a device that only allows a single person to enter per authentication. This authentication can be done by RFID, a PIN, or other methods. Once verified, the mantrap lets a single person enter through a system, such as a turnstile or rotating door. CCTV will not stop piggybacking, but it could be used as a detective control after an occurrence. Wearing security badges is useful, but it won't stop piggybacking by a skilled social engineer. RFID badges may be used as part of your entry requirements, but it won't stop a determined piggyback who follows an employee into the building after their authenticated RFID access has been performed.

A corporate workstation was recently infected with malware. The malware was able to access the workstation's credential store and steal all the usernames and passwords from the machine. Then, the malware began to infect other workstations on the network using the usernames and passwords it stole from the first workstation. The IT Director has directed its IT staff to develop a plan to prevent this issue from occurring again. Which of the following would BEST prevent this from reoccurring? A. Install a host-based intrusion detection system on all of the corporate workstations B. Install an anti-virus or anti-malware solution that uses heuristic analysis C. Install a Unified Threat Management system on the network to monitor for suspicious traffic D. Monitor all workstations for failed login attempts and forward them to a centralized SYSLOG server

B. Install an anti-virus or anti-malware solution that uses heuristic analysis Explanation OBJ-3.3: The only solution that could stop this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis. The other options might be able to monitor and detect the issue but not stop it from spreading. Heuristic analysis is a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses and new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should detect the issue and stop it from spreading throughout the network. A host-based intrusion detection system (HIDS) is a device or software application that monitors a system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. The UTM is also acting as an IDS in this scenario based on the option presented.

You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario? A. Airgap B. Jumpbox C. Bastion hosts D. Physical

B. Jumpbox Explanation OBJ-3.3: Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox only runs the necessary administrative port and protocol (typically SSH). Administrators connect to the jumpbox then use the jumpbox to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the jumpbox) and denies any other hosts' connection attempts. A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application. For example, a proxy server and all other services are removed or limited to reduce the threat to the computer. An airgap system is a network or single host computer with unique security requirements that may physically be separated from any other network. Physical separation would prevent a system from accessing the remote administration interface directly and require an airgap system to reach the private cloud.

The paparazzi have found copies of pictures of a celebrity's new baby online. The celebrity states they were never publicly released but were uploaded to their cloud provider's automated photo backup. Which of the following threats was the celebrity MOST likely a victim of? A. Unauthorized root access B. Leaked personal files C. Unauthorized camera activation D. Unintended Bluetooth pairing

B. Leaked personal files Explanation OBJ-2.5: When authorized users access devices through unintended connections or unauthorized users get their hands on absconded devices, they can access data on the device(s) that they were never intended to see. Every firm should have a policy for protecting data (encryption) and dealing with leaks when they occur.

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement? A. Forensic analysis report B. Lessons learned report C. Chain of custody report D. Trends analysis report

B. Lessons learned report Explanation OBJ-4.2: The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details. A trend analysis report describes whether behaviors have increased, decreased, or stayed the same over time. The chain of custody report is the chronological documentation or paper trail that records the custody, control, transfer, analysis, and disposition of physical or electronic evidence.

Dion Training is building a new data center. The group designing the facility has decided to provide additional HVAC capacity to ensure the data center maintains a consistently low temperature. Which of the following is the most likely benefit that will be achieved by increasing the designed HVAC capacity? A. Higher data integrity due to more efficient SSD cooling B. Longer MTBF of hardware due to lower operating temperatures C. Increase the availability of network services due to higher throughput D. Longer UPS run time due to increased airflow

B. Longer MTBF of hardware due to lower operating temperatures Explanation OBJ-5.4: The mean time between failure (MTBF) is the measure of the anticipated rate of failure for a system or component. This is effectively a measurement of the component's expected lifespan. If the HVAC capacity is increased, the server room can maintain a cooler temperature range. Datacenters produce a lot of heat from the equipment being operated. Excessive heat can damage components and cause premature hardware failure. Therefore, increasing the HVAC capacity and airflow can lead to longer lifespans for servers and networking equipment.

Dion Training is in early discussions with a large university to license its cybersecurity courses as part of their upcoming semester. Both organizations have decided to enter into an exploratory agreement while negotiating the detailed terms of the upcoming contract. Which of the following documents would best serve this purpose? A. SLA B. MOU C. NDA D. ISA

B. MOU Explanation OBJ-5.3: A Memorandum of understanding (MOU) is used as a preliminary or exploratory agreement to express their intent for the two companies to work together. A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which a service is provided. The interconnection security agreement (ISA) governs the relationship between any federal agency and a third party interconnecting their systems. A non-disclosure agreement (NDA) is the legal basis for protecting information assets.

You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? A. Unauthorized sessions B. Malicious processes C. Off-hours usage D. Failed logins

B. Malicious processes Explanation OBJ-4.3: A malicious process is any process running on a system that is outside the norm. This is a host-based indicator of compromise (IOC) and not directly associated with an account-based IOC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IOC. Off-hours usage occurs when an account is observed to log in during periods outside of normal business hours. An attacker often uses this to avoid detection during business hours. Unauthorized sessions occur when a device or service is accessed without authorization. For example, if a limited privilege user is signed into a domain controlled. A failed login might be normal if a user forgets or incorrectly types their password, but repeated failures for one account could also be an indication of an attack attempting to crack a user's password.

You have been asked to write a new security policy to reduce the risk of employees working together to steal information from the Dion Training corporate network. Which of the following policies should you create to counter this threat? A. Privacy policy B. Mandatory vacation policy C. Least privilege policy D. Acceptable use policy

B. Mandatory vacation policy Explanation OBJ-5.3: A mandatory vacation policy requires that all users take time away from work to enjoy a break from their day to day routine of their jobs. But, there is a major side benefit to mandatory vacations regarding your company's security posture. It will require the company to have another employee fill in for the vacationing employee's normal roles and responsibilities by requiring mandatory vacations. The employee who is filling in might come across fraud, abuse, or theft that the vacationing employee is a part of. The concept of least privilege may not stop this theft from occurring since two employees could work together to steal information that they have access to as part of their job. Also, acceptable use outlines the types of activities allowed and not allowed; it won't prevent theft from occurring. A privacy policy discusses how information should be properly stored and secured, but this won't stop an employee from stealing information or detecting the stolen information.

When you are managing a risk, what is considered an acceptable option? A. Reject B. Mitigate C. Deny D. Initiate

B. Mitigate Explanation OBJ-5.4: Mitigating a risk makes the effect of a risk a little less unpleasant, harmful, or serious. The majority of risk management is focused on mitigating risks down to an acceptable level of loss or risk. The risk response actions are accept, avoid, mitigate, or transfer.

Which security control would prevent unauthorized users from connecting to a company's wireless network? A. IPS B. NAC C. Firewall D. Segmentation

B. NAC Explanation OBJ-3.3: Network Access Control (NAC) prevents unauthorized users from connecting to a network. Firewalls and intrusion prevention systems (IPS) are meant to restrict access from external sources and block known attacks. They would not keep out an intruder who is already in range of the wireless network. Network segmentation would limit the access that an intruder has to network resources but would not block the connection itself.

A new smartphone supports users' ability to transfer a photograph by simply placing their phones near each other and "tapping" the two phones together. What type of technology does this most likely rely on? A. RF B. NFC C. IR D. BT

B. NFC Explanation OBJ-1.4: Near-field communication (NFC) is a set of communication protocols that enable two electronic devices, one of which is usually a portable device such as a smartphone, to establish communication by bringing them within 4 cm of each other. This is commonly used for contactless payment systems, transferring contacts, or transferring a file from one device to another. Bluetooth (BT) is a wireless technology standard used for exchanging data between fixed and mobile devices over short distances using UHF radio waves in the industrial, scientific, and medical radio bands from 2.402 GHz to 2.480 GHz and building a personal area network (PAN). Bluetooth is commonly used when connecting wireless devices like mice, trackpads, headphones, and other devices. Infrared (IR) was a wireless networking standard supporting speeds up to about 4 Mbps with a direct line of sight for communications. Infrared sensors are used in mobile devices and with IR blasters to control appliances. While infrared (IR) used to be commonly used to connect wireless mice and keyboards to a laptop in the 1990s, it has fallen out of favor in the last 10-15 years since Bluetooth is more reliable and does not require a direct line of sight between the device and the laptop. Radio frequency (RF) is the propagation of radio waves at different frequencies and wavelengths. For example, Wi-Fi network products use a frequency of either 2.4 GHz or 5 GHz.

A penetration tester has issued the following command on a victimized host: nc -l -p 8080 | nc 192.168.1.76 443. What will occur based on this command? A. Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76 B. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443 C. Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080 D. Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080

B. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443 Explanation OBJ-4.1: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to execute during a single command's execution. Next, netcat sends the data to the given IP (192.168.1.76) over port 443. This is a common technique to bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel).

During your review of the firewall logs, you notice that an IP address from within your company's server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident? A. Raw financial information about the company was accessed B. PII of company employees and customers was exfiltrated C. Forensic review of the server required fallback to a less efficient service D. IP addresses and other network-related configurations were exfiltrated

B. PII of company employees and customers was exfiltrated Explanation OBJ-5.5: If the PII (Personally Identifiable Information) of the company's employees or customers were exfiltrated or stolen during the compromise, this would increase the incident's impact assessment. Loss of PII is a big issue for corporations and one that might garner media attention. While all of the options presented here are bad things that could increase the impact of the assessment, loss of PII is considered the MOST likely to increase the impact dramatically. Depending on the company's size or organization, there may also be mandatory reporting requirements, fines, or restitution that must be paid.

You want to create a new mobile application and develop it in the cloud. You just signed up for a cloud-based service provider's offering to allow you to develop it using their programming environment. Which of the following best describes which type of service you have just purchased? A. SaaS B. PaaS C. IaaS D. DaaS

B. PaaS Explanation OBJ-2.2: Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center. Software as a Service (SaaS) is ca loud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses focused on increasing their security and minimizing their operational expenses.

Which of the following password policies defines the types of alphanumeric characters required to be utilized in a user's password? A. Password expiration B. Password complexity C. Password length D. Password history

B. Password complexity Explanation OBJ-3.7: The Passwords must meet complexity requirements. The policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Enabling this policy setting requires passwords to meet more complicated password requirements. This includes using uppercase, lowercase, numeric, and special characters.

Which of the following password policies defines the number of previous passwords that cannot be reused when resetting a user's password? A. Password complexity B. Password history C. Password expiration D. Password length

B. Password history Explanation OBJ-3.7: Password history is used to determine the number of unique passwords a user must use before using an old password again. This prevents password reuse and also helps protect authentication services from brute force attacks. A password expiration control in the policy would force users to change their passwords at specific time intervals. The passwords must meet the complexity requirements which determines whether passwords must meet a series of guidelines that are considered important for a strong password. Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack.

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output: *reference image* What type of attack was most likely being attempted by the attacker? A. Credential stuffing B. Password spraying C. Impersonation D. Session hijacking

B. Password spraying Explanation OBJ-1.2: Password spraying refers to the attack method that takes many usernames and loops them with a single password. We can use multiple iterations using many different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraud. Credential stuffing is the automated injection of breached username/password pairs to gain user accounts access fraudulently. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack the account for their purposes. Session hijacking exploits a valid computer session to gain unauthorized access to information or services in a computer system.

What type of weakness is John the Ripper used to test during a technical assessment? A. Firewall rulesets B. Passwords C. File permissions D. Usernames

B. Passwords Explanation OBJ-4.1: John the Ripper is a free, open-source password cracking software tool. It tests the strength of passwords during a technical assessment. John the Ripper supports both dictionary and brute force attacks.

A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability? A. Perform an unauthenticated vulnerability scan on all servers in the environment B. Perform a scan for the specific vulnerability on all web servers C. Perform an authenticated scan on all web servers in the environment D. Perform a web vulnerability scan on all servers in the environment

B. Perform a scan for the specific vulnerability on all web servers Explanation OBJ-1.7: Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers are chosen because Apache is a web server application. While performing an authenticated scan of all web servers or performing a web vulnerability scan of all servers would also find these vulnerabilities, it is a much larger scope. It would waste time and processing power by conducting these scans instead of properly scoping the scans based on your needs. Performing unauthenticated vulnerability scans on all servers is also too large in scope (all servers) while also being less effective (unauthenticated scan).

You are working as a security administrator and need to respond to an ongoing spearphishing campaign against your organization. Which of the following should be used as a checklist of actions to perform to detect and respond to this particular incident? A. Disaster recovery plan B. Playbook C. Runbook D. Incident response plan

B. Playbook Explanation OBJ-4.4: A playbook is a checklist of actions to perform to detect and respond to a specific type of incident. Your organization will have playbooks for phishing attempts, privilege escalation, and other specific types of incidents. A runbook is an automated version of a playbook used by a SOAR to have the system conduct as many steps as possible. DRP is a disaster recovery plan focused on the response to a natural or man-made disaster, not an incident. An incident response plan is a generic document for the overall steps of incident response. Therefore, it doesn't apply to a specific type of incident. This is a hard question because all four terms are very closely related to incidents and disasters.

What type of malware changes its binary pattern in its code on specific dates or times to avoid detection by antimalware software? A. Trojan B. Polymorphic virus C. Ransomware D. Logic bomb

B. Polymorphic virus Explanation OBJ-1.2: A polymorphic virus alters its binary code to avoid detection by antimalware scanners that rely on signature-based detection. By changing its signature, the virus can avoid detection.

You are reviewing the logs in your HIDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred? A. SYN flood B. Port scan C. UDP probe D. The remote host cannot find the right service port

B. Port scan Explanation OBJ-4.1: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create an SYN scan across every port in the range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service. An SYN flood normally sends many SYNs to a single system. Still, it doesn't send them to unused ports, and a UDP probe will not send SYN packets.

During which phase of the incident response process does an organization assemble an incident response toolkit? A. Post-incident activity B. Preparation C. Containment, eradication, and recovery D. Detection and analysis

B. Preparation Explanation OBJ-4.2: During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. During the containment, eradication, and recovery phase of an incident response, an analyst must preserve forensic and incident information for future needs, prevent future attacks or bring up an attacker on criminal charges. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.

A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred? A. Integrity breach B. Privacy breach C. Proprietary breach D. Financial breach

B. Privacy breach Explanation OBJ-4.5: A data breach is an incident where information is stolen or taken from a system without the system's owner's knowledge or authorization. If sensitive personally identifiable information (PII) was accessed or exfiltrated, then a privacy breach has occurred. If information like trade secrets were accessed or exfiltrated, then a proprietary breach has occurred. If any data is modified or altered, then an integrity breach has occurred. If any information related to payroll, tax returns, banking, or investments is accessed or exfiltrated, then a financial breach has occurred.

In which type of attack does the attacker begin with a normal user account and then seek additional access rights? A. Remote code exploitation B. Privilege escalation C. Spear phishing D. Cross-site scripting

B. Privilege escalation Explanation OBJ-1.8: Privilege escalation attacks seek to increase the access level that an attacker has to a target system. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Remote code execution is the ability an attacker has to access someone else's computing device and make changes, no matter where the device is geographically located.

You are in the recovery steps of an incident response. Throughout the incident, your team never successfully determined the root cause of the network compromise. Which of the following options would you LEAST likely perform as part of your recovery and remediation actions? A. Restrict host access to peripheral protocols like USB or Bluetooth B. Proactively sanitize and reimage all of your routers and switches C. Review and enhance patch management policies D. Disable unused user accounts

B. Proactively sanitize and reimage all of your routers and switches Explanation OBJ-4.4: Since your team could not determine the root cause of the compromise, you would most likely conduct system and network hardening actions as part of the recovery and remediation. The only option that is not considered a hardening action is proactively sanitizing and reimaging your routers and switches. If you performed this action, you could have unwanted disruptive effects on the company. Instead, it would be more beneficial to increase monitoring of the devices to ensure they are not compromised. Proactively sanitizing and reimaging all of the routers and switches would be a large undertaking. Without evidence suggesting that such an approach is warranted, you would be wasting a lot of time and money. The other options presented are the best security practices to prevent future compromises. Reimaging the network devices without knowing the root cause will likely be ineffective in securing the network.

Your company has decided to move all of its data into the cloud. Your company is small and has decided to purchase some on-demand cloud storage resources from a commercial provider (such as Google Drive) as its primary cloud storage solution. Which of the following types of clouds is your company using? A. Community B. Public C. Hybrid D. Private

B. Public Explanation OBJ-2.2: The public cloud is defined as computing services offered by third-party providers over the public internet, making them available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. Amazon Web Services, Microsoft Azure, and Google Cloud are three popular public cloud platforms. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.

You have been asked to develop a solution for one of your customers. The customer is a software development company, and they need to be able to test a wide variety of operating systems to test the software applications their company is developing internally. The company doesn't want to buy a bunch of computers to install all of these operating systems for testing. Which of the following solutions would BEST meet the company's requirements? A. Purchase multiple workstations, install a VM on each one, then install one operating system that will be used to test the applications being developed in each VM B. Purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed C. Purchase multiple inexpensive workstations and install one operating system that will be used to test the

B. Purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed Explanation OBJ-2.2: Since the company's main goal was to minimize the amount of hardware required, the BEST solution is to purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed. This allows a single machine to run multiple operating systems for testing with the least amount of hardware.

Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process? A. The drives must be destroyed to ensure no data loss B. Purge, validate, and document the sanitization of the drives C. Clear, validate, and document the sanitization of the drives D. Clear the drives

B. Purge, validate, and document the sanitization of the drives Explanation OBJ-2.7: Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the drives' data without harming the drives themselves. Clearing them leaves the possibility that some tools would allow data recovery. Since the scenario indicates that these were leased drives that must be returned at the end of a lease, they cannot be destroyed.

After completing an assessment, you create a chart listing the associated risks based on the vulnerabilities identified with your organization's privacy policy. The chart contains listings such as high, medium, and low. It also utilizes red, yellow, and green colors based on the likelihood and impact of a given incident. Which of the following types of assessments did you just complete? A. Quantitative risk assessment B. Qualitative risk assessment C. Supply chain assessment D. Privacy assessment

B. Qualitative risk assessment Explanation OBJ-5.4: This describes a qualitative risk assessment since it categorizes things based on the likelihood and impact of a given incident using non-numerical terms, such as high, medium, and low. If the risk assessment provided exact numbers or percentages of risk, then it would be a quantitative risk assessment.

Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the following is the MOST likely cause of the issue? A. WPA2 security key B. RADIUS C. SSL certificates D. CSMA/CA

B. RADIUS Explanation OBJ-3.8: Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication. The IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. This defines port security. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server. The Remote Authentication Dial-in User Service (RADIUS) is used to manage remote and wireless authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The client device then passes the authentication data to an AAA (Authentication, Authorization, and Accounting) server that processes the request. Secure Sockets Layer (SSL) is a security protocol developed by Netscape to provide privacy and authentication over the Internet. SSL is application independent that works at layer 5 [Session] and can be used with a variety of protocols, such as HTTP or FTP. Client and server set up a secure connection through PKI (X.509) certificates. Carrier-sense multiple access with collision avoidance (CSMA/CA) is a network multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by beginning transmission only after the channel is sensed to be idle. CSMA/CA occurs in the background when communicating with a wireless access point and would not prevent the user from authenticating to the captive portal. A WPA2 security key is a preshared password used to authenticate and connect to a wireless access point. If the user connected to the SSID, then the WPA2 security key was valid.

(Sample Simulation - On the real exam for this type of question, you may receive a list of different RAID types and be asked to visually display which hard drives in the RAID are used for redundant data storage as either a stripe or a mirror. You will then have to identify which RAID type is most appropriate for each type of server shown.) You are configuring a RAID drive for a Media Streaming Server. Your primary concern is the speed of delivery of the data. This server has two hard disks installed. What type of RAID should you install, and what type of data will be stored on Disk 1 and Disk 2? A. RAID 1 - Disk 1 (Mirror) and Disk 2 (Mirror) B. RAID 0 - Disk 1 (Stripe) and Disk 2 (Stripe) C. RAID 1 - Disk 1 (Stripe) and Disk 2 (Stripe) D. RAID 0 - Disk 1 (Mirror) and Disk 2 (Mirror)

B. RAID 0 - Disk 1 (Stripe) and Disk 2 (Stripe) Explanation OBJ-2.5: Since this is a Media Streaming Server, you should implement a RAID 0, which provides disk stripping across both drives. This will increase the speed of the data delivery but provides no redundancy. If you were concerned with redundancy, then you should choose a RAID 1, which uses a mirror of the data on both hard disks. You cannot use a RAID 5 since it requires a minimum of 3 disk drives and stripes the data across the hard disks. You also can not use a RAID 6 since this requires at least 4 hard disks with dual parity and disk stripping. A RAID 10 also requires 4 hard disks and is a mirror of striped drives (combining the benefits of RAID 1 and RAID 0).

(This is a simulated performance-based question.)You are working as a help desk technician and received a call from a user who complains about their computer's performance has slowed down over the last week since they installed a new free video game on the computer. As part of your troubleshooting efforts, you enter the command prompt in Windows and run the following command: *reference image* Based on the output provided, what type of malware may have been installed on this user's computer? A. Worm B. RAT C. Keylogger D. Spam

B. RAT Explanation OBJ-1.2: Based on the scenario and the output provided, the best choice is a RAT. A RAT is a Remote Access Trojan, and it is usually installed accidentally by a user when they install free software on their machine that has a RAT embedded into it. The first two output lines show that ports 135 and 445 are open and listening for an inbound connection (typical of a RAT). This is not an example of a worm because the user admitted to installing a free program, and worms can install themselves and continue to send data outbound across the network to continue to spread. There is no indication in the scenario that a keylogger is being used, nor that spam (unsolicited emails) has been received.

Dion Training performed an assessment as part of its disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 60 minutes worth of data loss in the event of a disaster. Therefore, the organization has implemented a system of database snapshots that are backed up every hour. Which of the following metrics would best represent this timeframe? A. RTO B. RPO C. MTTR D. MTBF

B. RPO Explanation OBJ-5.4: Recovery point objective (RPO) describes the timeframe in which an enterprise's operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster, or communications failure. RPO is about how much data you afford to lose before it impacts business operations. For example, at Dion Training, if 1 hour of data loss occurred, that means that any student progress within the last hour would be lost once the organization restored a server from a known good backup.

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reading the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit? A. Sensitive data exposure B. Race condition C. Dereferencing D. Broken authentication

B. Race condition Explanation OBJ-1.6: Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker's exploit is racing to modify the configuration file before the application reads the number of lives from it. Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls. Broken authentication refers to an app that fails to deny access to malicious actors. Dereferencing attempts to access a pointer that references an object at a particular memory location.

Which of the following type of threats did the Stuxnet attack rely on to cross an air gap between a business and an industrial control system network? A. Directory traversal B. Removable media C. Cross-site scripting D. Session hijacking

B. Removable media Explanation OBJ-2.7: Air gaps are designed to remove connections between two networks to create physical segmentation between them. The only way to cross an air gap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside the web server's root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an air gap.

Dion Training wants to require students to log on using multifactor authentication to increase the security of the authorization and authentication process. Currently, students log in to diontraining.com using a username and password. What proposed solution would best meet the goal of enabling multifactor authentication for the student login process? A. Require students to create a unique pin that is entered after their username and password are accepted B. Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password C. Require students to enter a cognitive password requirement (such as 'What is your dog's name?') D. Require students to choose an image to serve as a secondary password after logon

B. Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password Explanation OBJ-2.4: All of the options presented are knowledge factors (something you know) except the six-digit number sent by SMS to your smartphone. This SMS sent number is an example of a possession factor or something you have. In this case, it verifies you have your smartphone. By combining this possession factor with the already in use knowledge factor (username and password), you can establish multifactor security for the login process.

Recently, you discovered an unauthorized device during a search of your corporate network. The device provides nearby wireless hosts to access the corporate network's resources. What type of attack is being utilized? A. Bluesnarfing B. Rogue access point C. Bluejacking D. IV attack

B. Rogue access point Explanation OBJ-1.4: A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker. The question describes the unauthorized device, indicating it is a rogue device. An access point performs the ability to connect wireless hosts to the corporate network. Therefore, the unauthorized device in this question would be considered a rogue access point.

A macOS user is browsing the internet in Google Chrome when they see a notification that says, "Windows Enterprise Defender: Your computer is infected with a virus, please click here to remove it!" What type of threat is this user experiencing? A. Pharming B. Rogue anti-virus C. Phishing D. Worm

B. Rogue anti-virus Explanation OBJ-1.1: Rogue anti-virus is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and to pay money for a fake malware removal tool (that actually introduces malware to the computer). It is a form of scareware that manipulates users through fear and a form of ransomware. Since the alert is being displayed on a macOS system but appears to be meant for a Windows system, it is obviously a scam or fake alert and most likely a rogue anti-virus attempting to infect the system. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people. A worm is a standalone malware computer program that replicates itself to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. A worm can spread on its own, whereas a virus needs a host program or user interaction to propagate itself. Pharming is a type of social engineering attack that redirects a request for a website, typically an e-commerce site, to a similar-looking, but fake, website. The attacker uses DNS spoofing to redirect the user to the fake site.

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? A. MIB B. SNMP C. SMTP D. NetFlow

B. SNMP Explanation OBJ-3.1: Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, and many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.

Which of the following categories would contain information about a French citizen's race or ethnic origin? A. PHI B. SPI C. PII D. DLP

B. SPI Explanation OBJ-5.5: According to the GDPR, information about an individual's race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject's opinions, beliefs, and nature afforded specially protected status by privacy legislation. As it cannot be used to identify somebody or make any relevant assertions about health uniquely, it is neither PII nor PHI. Data loss prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

Dion Training requires that the staff simulate their response to a potential data breach. During this simulation, the staff gathers in the conference room and discusses each action they would take as part of their response. This information is then analyzed to ensure the company's data breach response playbook is up to date and would work properly when needed. Which of the following best describes what the staff did? A. Disaster recovery planning B. Tabletop exercise C. Business impact analysis D. Incident response

B. Tabletop exercise Explanation OBJ-4.2: A tabletop exercise involves gathering the key staff of an organization and discussing their actions during a potential unwanted event. The staff could further be divided into a blue team and a red team, with half playing the role of defenders and the other half playing the adversary's role. Tabletop exercises are less expensive to conduct than a full-scale red team event or penetration test. Tabletop exercises are a great way to exercise existing procedures and response plans to identify any weaknesses within them.

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts? A. All log files are stored within the VM disk image, therefore, they are lost B. The attack widely fragmented the image across the host file system C. You will need to roll back to an early snapshot and then merge any checkpoints to the main image D. File formats used by some hypervisors cannot be analyzed with traditional forensic tools

B. The attack widely fragmented the image across the host file system Explanation OBJ-4.5: Due to the VM disk image's deletion, you will now have to conduct file carving or other data recovery techniques to recover and remediate the virtualized server. If the server's host uses a proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools. The attacker may have widely fragmented the image across the host file system when they deleted the disk image. VM instances are most useful when they are elastic (meaning they optimally spin up when needed) and then destroyed without preserving any local data when security has performed the task, but this can lead to the potential of lost system logs. To prevent this, most VMs also save their logs to an external Syslog server or file. Virtual machine file formats are image-based and written to a mass storage device. Depending on the configuration and VM state, security must merge any checkpoints to the main image, using a hypervisor tool, not recovery from an old snapshot, and then roll forward. It is possible to load VM data into a memory analysis tool, such as Volatility. However, some hypervisors' file formats require conversion first, or they may not support the analysis tool.

You just received a notification that your company's email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? A. The SMTP audit log from his company's email server B. The full email header from one of the spam messages C. Firewall logs showing the SMTP connections D. Network flows for the DMZ containing the email servers

B. The full email header from one of the spam messages Explanation OBJ-1.1: You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, you will need to conduct more research to determine the best method to solve the underlying problem.

You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization? A. The depreciated hardware cost of the system B. The type of data processed by the system C. The cost of hardware replacement of the system D. The cost of acquisition of the system

B. The type of data processed by the system Explanation OBJ-5.4: The data's asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value. The cost of acquisition, cost of hardware replacement, and depreciated costs refer to the financial value of the hardware or system itself. This can be significantly different from the value of the information and data that the system stores and processes.

An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store's IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions? A. There are no new risks due to the install and the company has a stronger physical security posture B. These devices should be isolated from the rest of the enterprise network C. These devices should be scanned for viruses before installation D. These devices are insecure and should be isolated from the internet

B. These devices should be isolated from the rest of the enterprise network Explanation OBJ-2.6: While the physical security posture of the company has been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store's network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don't necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and lock on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn't protect them long-term.

The Pass Certs Fast corporation has recently been embarrassed by several high-profile data breaches. The CIO proposes improving the company's cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach? A. This approach assumes that the on-site administrators will provide better security than the cloud provider B. This approach only changes the location of the network and not the network's attack surface C. The company has already paid for the physical servers and will not fully realize their ROI on them due to the migration D. This is a reasonable approach that will increase the security of the servers and infrastructure

B. This approach only changes the location of the network and not the network's attack surface Explanation OBJ-3.6: A poorly implemented security model at a physical location will still be a poorly implemented security model in a virtual location. Unless the fundamental causes of the security issues that caused the previous data breaches have been understood, mitigated, and remediated, then migrating the current images into the cloud will change where the processing occurs without improving the network's security. While the statement concerning unrealized ROI may be accurate, it simply demonstrates the sunk cost argument's fallacy. These servers were already purchased, and the money was spent. Regardless of whether we maintain the physical servers or migrate to the cloud, that money is gone. Those servers could also be repurposed, reused, or possibly resold to recoup some of the capital invested. While the company's physical security will potentially improve in some regards, the physical security of the endpoints on-premises is still a concern that cannot be solved by this cloud migration. Additionally, the scenario never stated that physical security was an issue that required being addressed, so it is more likely that the data breach occurred due to a data exfiltration over the network. As a cybersecurity analyst, you must consider the business case and the technical accuracy of a proposed approach or plan to add the most value to your organization.

What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system called? A. Penetration testing B. Threat hunting C. Incident response D. Information assurance

B. Threat hunting Explanation OBJ-1.7: Threat hunting is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system. Penetration testing uses active tools and security utilities to evaluate security by simulating an attack on a system. A penetration test verifies that a threat exists, actively tests and bypasses security controls, and finally exploits vulnerabilities on the system. Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation to limit damage and reduce recovery time and costs.

Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database? A. Data minimization B. Tokenization C. Anonymization D. Data masking

B. Tokenization Explanation OBJ-5.5: Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with x, for example. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

Assuming that Dion Training trusts Thor Teaches, and Thor Teaches trusts Udemy, then we can assume Dion Training also trusts Udemy. What concept of IAM does the previous statement represent? A. Public key trust B. Transitive trust C. Certificate authority trust D. Domain level trust

B. Transitive trust Explanation OBJ-2.4: Transitive trust occurs when X trusts Y, and Y trusts Z; therefore, X trusts Z. This is because the trust flows from the first part (Dion Training) through the second party (Thor Teaches) to the third party (Udemy).

Your organization has recently been the target of a spearphishing campaign. You have identified the website associated with the link in the spearphishing emails and want to deny access to it. Which of the following techniques would be the MOST effective in this situation? A. Containment B. URL filter C. Quarantine D. Application blocklist

B. URL filter Explanation OBJ-4.4: A URL filter can be used to block a website based on its website address or universal resource locator (URL). This is not a containment technique but a blocking and filtering technique. Quarantine would be used against an infected machine, and it would not be effective against trying to block access to a given website across the entire organization. An application blocklist is used to prevent an application from running, so this cannot be used to block a single malicious or suspicious website or URL.

Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? A. VM sprawl B. VM escape C. VM data remnant D. VM migration

B. VM escape Explanation OBJ-2.2: Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker can access a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines. Data remnant is the residual representation of digital data that remains even after attempts have been made to remove or erase it. Virtualization sprawl is a phenomenon that occurs when the number of virtual machines on a network reaches a point where the administrator can no longer manage them effectively. Virtual machine migration is the task of moving a virtual machine from one physical hardware environment to another.

Which of the following is not normally part of an endpoint security suite? A. Anti-virus B. VPN C. Software firewall D. IPS

B. VPN Explanation OBJ-3.2: Endpoint security includes software host-based firewalls, host-based intrusion protection systems (HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is a network security tool.

Which of the following must be combined with a threat to create risk? A. Mitigation B. Vulnerability C. Exploit D. Malicious actor

B. Vulnerability Explanation OBJ-1.6: A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization's security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization's security goals. A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for threats and vulnerabilities since their goals lie outside your organization's security goals.

A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? A. Configuration management B. Vulnerability scanning C. Scan and patch the device D. Automatic updates

B. Vulnerability scanning Explanation OBJ-3.3: The best option here is vulnerability scanning as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could normally be possible solutions, but these are not viable options without gaining administrative access to the appliance. Therefore, the analyst should continue to conduct vulnerability scanning of the device to understand the risks associated with it and then make recommendations to add additional compensating controls like firewall configurations, adding a WAF, providing segmentation, and other configurations outside the appliance that could minimize the vulnerabilities it presents.

You are installing a new wireless network in your office building and want to ensure it is secure. Which of the following configurations would create the MOST secure wireless network? A. WPA2 and RC4 B. WPA2 and AES C. WPA and MAC filtering D. WEP and TKIP

B. WPA2 and AES Explanation OBJ-3.4: The most secure wireless network configuration utilizes WPA2 with AES encryption. WPA2 is the most secure wireless encryption standard listed as an option and has replaced both WPA and WEP. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that could probably break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. MAC filtering is the application of an access control list to a switch or access point so that only clients with approved MAC addresses connect.

Which of the following is the MOST secure wireless security and encryption protocol? A. WEP B. WPA3 C. WPA2 D. WPA

B. WPA3 Explanation OBJ-3.4: Wi-Fi protected access version 3 (WPA3) has replaced WPA2 as the most secure wireless encryption method. WPA3 uses the simultaneous authentication of equals (SAE) to increase the security of preshared keys. WPA3 provides the enhanced open mode that encrypts transmissions from a client to the access point when using an open network. WPA3 Enterprise mode supports the use of AES with the Galois/counter mode protocol (GCMP-256) for the highest levels of encryption. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key.

You are working as a penetration tester and have discovered a new method of exploiting a vulnerability within the Windows 10 operating system. You conduct some research online and discover that a security patch against this particular vulnerability doesn't exist yet. Which type of threat would this BEST be categorized as? A. Spoofing B. Zero-day C. Brute force D. DDOS

B. Zero-day Explanation OBJ-1.6: A zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited, and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability, hence the term zero-day. A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. A brute-force attack consists of an attacker systematically trying all possible password and passphrase combinations until the correct one is found. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source.

Ted, a file server administrator at Dion Training, has noticed that many sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted looks up the IP address and determines that it is located in a foreign country. Ted contacts his company's security analyst, verifying that the workstation's anti-malware solution is up-to-date and the network's firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation? A. Impersonation B. Zero-day C. MAC spoofing D. Session hijacking

B. Zero-day Explanation OBJ-1.6: Since the firewall is properly configured and the anti-malware solution is up-to-date, this signifies that a zero-day vulnerability may have been exploited. A zero-day vulnerability is an unknown vulnerability, so a patch or virus definition has not been released yet. A zero-day vulnerability refers to a hole in software that is unknown to the vendor. Hackers then exploit this security hole before the vendor becomes aware and hurries to fix it. This exploit is therefore called a zero-day attack. Zero-day attacks include infiltrating malware, spyware, or allowing unwanted access to user information. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. Impersonation is the act of pretending to be someone or something else. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the webserver.

What command should a forensic analyst use to make a forensic disk image of a hard drive? A. touch B. dd C. rm D. wget

B. dd Explanation OBJ-4.1: The dd tool is used to make bit by bit copies of a disk, drive, or partition. Once the image is created using dd, a hash of the file should be made and placed into evidence to validate the integrity of the disk image that was created. This will ensure that no modification occurs between the collection and analysis of the disk image. The wget command is a command-line utility for downloading files from the Internet. The touch command is a standard command used in the UNIX/Linux operating system used to create, change, and modify timestamps of a file. The rm command is used to delete one or more files or directories.

Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them? A. Wireshark B. nmap C. netstat D. ping

B. nmap Explanation OBJ-4.1: Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. Also, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems. The netstat (network statistics) tool is a command-line utility that displays network connections for incoming and outgoing TCP packets, routing tables, and some network interface and network protocol statistics. Still, it cannot identify open ports and services on a host with their version numbers. The ping tool is used to query another computer on a network to determine whether there is a valid connection. Wireshark is an open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.

What popular open-source port scanning tool is commonly used for host discovery and service identification? A. services.msc B. nmap C. dd D. Nessus

B. nmap Explanation OBJ-4.1: The world's most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services. The dd tool is used to copy files, disks, and partitions, and it can also be used to create forensic disk images. Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.

Which mobile device strategy is most likely to introduce vulnerable devices to a corporate network? A. CYOD B. BYOD C. MDM D. COPE

BYOD Explanation OBJ-3.5: The BYOD (bring your own device) strategy opens a network to many vulnerabilities. People can bring their personal devices to the corporate network, and their devices may contain vulnerabilities that could be allowed to roam free on a corporate network. COPE (company-owned/personally enabled) means that the company provides the users with a smartphone primarily for work use, but basic functions such as voice calls, messaging, and personal applications are allowed, with some controls on usage and flexibility. With CYOD, the user can choose which device they wish to use from a small selection of devices approved by the company. The company then buys, procures, and secures the device for the user. The MDM is a mobile device management system that gives centralized control over COPE company-owned personally enabled devices.

(This is a simulated performance-based question.) *reference image* Review the network diagram provided. Which of the following ACL entries should be added to the firewall to allow only the Human Resources (HR) computer to have SMB access to the file server (Files)? (Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.) A. 172.16.1.12/24, 192.168.1.3/24, 445, TCP, ALLOW B. 172.16.1.3, 192.168.1.12, ANY, TCP, ALLOW C. 172.16.1.3, 192.168.1.12, 445, TCP, ALLOW D. 192.168.1.12, 172.16.1.3, 445, UDP, DENY

C. 172.16.1.3, 192.168.1.12, 445, TCP, ALLOW Explanation OBJ-3.3: The ACL should be created with 172.16.1.3 as the Source IP, 192.168.1.12 as the Destination IP, 445 as the port number operating over TCP, and the ALLOW condition set. This is the most restrictive option presented (only the HR and Files server are used), and the minimal number of ports are opened to accomplish our goal (only port 445 for the SMB service).

You have just finished running a Nmap scan on a server are see the following output: ___________________________________________________________________________________ # nmap diontraining.com Starting Nmap ( http://nmap.org ) Nmap scan report for diontraining.com (63.13.134.52) Not shown: 996 filtered ports PORTS. STATE 22/tcp open 23/tcp open 53/tcp open 443/tcp open Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds ___________________________________________________________________________________ Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network? A. 22 B. 53 C. 23 D. 44

C. 23 Explanation OBJ-3.1: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet be disabled and blocked from use. The other open ports are SSH (port 22), DNS (port 53), and HTTPS (port 443).

You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, the CIO starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you don't have the answers to the CIO's questions, yet. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved? A. A robust method of incident detection B. An offline incident response jump bag or kit C. A call list/escalation list D. An established incident response form for all em

C. A call list/escalation list Explanation OBJ-4.2: To maintain a disciplined approach to incident response, the organization needs to document and follow procedures developed during the preparation phase. The SOC should have a call list or an escalation list as part of those procedures. This list should detail who should be called, what order, and how high up the organizational leadership chart a particular issue would reach. In almost every case, the incident response team lead should be contacted before the CEO or CIO is notified of the incident. When companies go "right to the top" of the leadership chart, the CEO and CIO will be acting on half-true or unverified information during the start of an incident response process. Instead, an established form for incident detail collection should be performed, the right technical leads should be notified of the incident, and the incident response team should be called in to analyze the information and provide a quick "stand up" report to leadership on what the issue is, what has already been done, and what they recommend doing from here to resolve the incident. All of the other options are best practices to consider and develop in the preparation phase. Still, they would not have solved the issue in this scenario of senior leadership being notified before the incident response team lead.

Which of the following access control methods provides the most detailed and explicit type of access control over a resource? A. DAC B. RBAC C. ABAC D. MAC

C. ABAC Explanation OBJ-3.8: Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes. Information such as the group membership, the OS being used by the user, and even the machine's IP address could be considered when granting or denying access.

Which of the following policies should contain the requirements for removing a user's access when an employee is terminated? A. Data retention policy B. Data ownership policy C. Account management policy D. Data classification policy

C. Account management policy Explanation OBJ-3.7: Account management policies describe the account life cycle from creation through decommissioning. Data ownership policies describe how ownership information is created and used. Data classification policies describe the classification structure of the data in use by an organization. Retention policies describe what data will be maintained and for how long it will be retained.

Susan, a help desk technician at Dion Training, has received several trouble tickets today related to employees receiving the same email as part of a phishing campaign. She has determined that the email's malicious link is not being blocked by the company's security suite when a user clicks the link. Susan asked you what action can be performed to prevent a user from reaching the website associated with the phishing email's malicious link. What action do you recommend she utilize? A. Block the IP address of the malicious domain in your firewall's ACL B. Enable TLS on your organization's mail server C. Add the malicious domain name to your content filter and web proxy's block list D. Forward this phishing email to all employees with a warning not to click on the embedded links

C. Add the malicious domain name to your content filter and web proxy's block list Explanation OBJ-3.3: To prevent a user from accessing the malicious website when the link is clicked, the malicious domain name should be added to the blocklist of the company's content filter and web proxy. This will ensure that no devices on the network can reach the malicious domain name. While blocking the IP address associated with the domain name might help for a short period of time, the malicious domain's owner could quickly redirect the DNS to point to a different IP. Then the users would still be able to access the malicious domain and its contents. Enabling TLS on the mail server will only encrypt the connection between the email server and its clients. Still, it will not prevent the users from clicking on the malicious link and accessing the malicious content. While informing the users that there is an active attempt at phishing being conducted against the organization is a good idea, forwarding the phishing email with the malicious link will generally cause more users to accidentally click on the malicious link, which further exacerbates the issue.

Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation? A. Passive network monitoring B. Non-credentialed scanning C. Agent-based scanning D. Server-based scanning

C. Agent-based scanning Explanation OBJ-1.7: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization's network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring require a continuous network connection to collect the devices' configurations accurately.

As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results? A. The scanner was not compatible with the devices on your network B. The network has an exceptionally strong security posture C. An uncredentialed scan of the network was performed D. The scanner failed to connect with the majority of workstations

C. An uncredentialed scan of the network was performed Explanation OBJ-1.7: Uncredentialed scans are generally unable to detect many vulnerabilities on a device. When conducting an internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately determine the network's vulnerability posture. In most enterprise networks, if a vulnerability exists on one machine, it also exists on most other workstations since they use a common baseline or image. If the scanner failed to connect to the workstations, an error would have been generated in the report.

What information should be recorded on a chain of custody form during a forensic investigation? A. The list of individuals who made contact with files leading to the investigation B. The list of former owners/operators of the workstation involved in the investigation C. Any individual who worked with evidence during the investigation D. The law enforcement agent who was first on the scene

C. Any individual who worked with evidence during the investigation Explanation OBJ-4.5: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization's procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn't collect the evidence). The other options presented by the question are all good pieces of information to record in your notes, but it is not required to be on the chain of custody form.

Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company's computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement? A. Application hardening B. Disable removable media C. Application block list D. Application allow list

C. Application block list Explanation OBJ-3.2: You should create and implement an application block list that includes the Solitaire game on it. This will prevent the application from being able to be run on any corporate workstation. Application allow lists will allow only authorized applications to be run, while application block lists will prevent any application listed from being run. Application hardening involves updating and patching your software (not applicable to this question). Disabling removable media is a good practice, but it won't prevent the game that was already installed from being run from the hard drive. Application allow lists and block lists can be deployed to hosts on the network using a GPO update.

Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company's computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement? A. Application hardening B. Disable removable media C. Application block list D. Application allow list

C. Application block list Explanation OBJ-4.4: You should create and implement an application block list that includes the Solitaire game on it. This will prevent the application from being able to be run on any corporate workstation. Application allow lists will allow only authorized applications to be run, while application block lists will prevent any application listed from being run. Application hardening involves updating and patching your software (not applicable to this question). Disabling removable media is a good practice, but it won't prevent the game that was already installed from being run from the hard drive. Application allow lists and block lists can be deployed to hosts on the network using a GPO update.

What process is used to conduct an inventory of critical systems, components, and devices within an organization? A. Vulnerability management B. Patch management C. Asset management D. Change management

C. Asset management Explanation OBJ-5.3: An asset management process takes inventory of and tracks all the organization's critical systems, components, devices, and other valuable objects. It also involves collecting and analyzing information about these assets so that personnel can make more informed changes or otherwise work with assets to achieve business goals. Many software suites and associated hardware solutions are available for tracking and managing assets (or inventory).

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? A. Trend B. Heuristic C. Behavior D. Anomaly

C. Behavior Explanation OBJ-1.7: This is an example of behavior-based detection. Behavior-based detection (or statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device. Anything that deviates from this baseline (outside a defined level of tolerance) generates an alert. The heuristic analysis determines whether several observed data points constitute an indicator and whether related indicators make up an incident depending on a good understanding of the relationship between the observed indicators. Human analysts are typically good at interpreting context but work painfully slowly, in computer terms, and cannot hope to cope with the sheer volume of data and traffic generated by a typical network. Anomaly analysis is the process of defining an expected outcome or pattern to events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules. Trend analysis is not used for detection but instead to better understand capacity and the system's normal baseline. Behavioral-based detection differs from anomaly-based detection. Behavioral-based detection records expected patterns concerning the entity being monitored (in this case, user logins). Anomaly-based detection prescribes the baseline for expected patterns based on its observation of what normal looks like.

(This is a simulated performance-based question.)You have been asked to help conduct a known environment penetration test. As part of your preparations, you have been given the source code for the organization's custom web application. *reference image* Which type of vulnerability might be able to exploit the code shown in this image? A. Remote code execution B. SQL injection C. Buffer overflow D. JavaScript injection

C. Buffer overflow Explanation OBJ-1.2: The function DionCode may be subject to a buffer overflow as the user enters something over 20 characters as their input. In defining the char (character) type array, the programmer only allocated 20 characters worth of memory storage. To solve this problem, the programmer should create proper input validation to ensure that the input is less than 20 characters before passing the user_input variable to the strcpy (string copy) function.

The incident response team leader has asked you to perform a forensic examination on a workstation suspected of being infected with malware. You remember from your training that you must collect digital evidence in the proper order to protect it from being changed during your evidence collection efforts. Which of the following describes the correct sequence to collect the data from the workstation? A. RAM, CPU cache, Swap, Hard drive B. Swap, RAML, CPU cache, Hard drive C. CPU cache, RAM, Swap, Hard drive D. Hard drive, Swap, CPU cache, RAM

C. CPU cache, RAM, Swap, Hard drive Explanation OBJ-4.5: The order of volatility states that you should collect the most volatile (least persistent) data first and the least volatile (most persistent) data last. The most volatile data resides in the CPU Cache since this small memory cache is overwritten quickly during computer operations. Next, you should collect the data in the system memory (RAM) since it will be erased if the workstation is shut down or the power is lost. Third, you should collect the Swap file, a form of temporary memory located on the hard disk. These files are also overwritten frequently during operations. Finally, you should collect the data from the hard disk, as it is the least volatile and remains on the hard disk until a command is given to delete it. Data on a hard disk remains even when power is removed from the workstation.

The digital certificate on the Dion Training web server is about to expire. Which of the following should Jason submit to the CA to renew the server's certificate? A. CRL B. OCSP C. CSR D. Key escrow

C. CSR Explanation OBJ-3.9: A CSR (certificate signing request) is what is submitted to the CA (certificate authority) to request a digital certificate. Key escrow stores keys, CRL is a list of revoked certificates, and the OCSP is a status of certificates that provide validity such as good, revoked, or unknown.

The public library has had a recent issue with their laptops being stolen from their computer lab.Since this is a public library, it is not a high-security area and is fully accessible by patrons during the day. What is the best way to prevent the theft of laptops? A. Mobile Device Management B. CCTV C. Cable Locks D. Motion Sensorsx

C. Cable Locks Explanation OBJ-2.7: Cable locks are the best solution to allow the laptops to be connected physically to the desks and prevent theft. CCTV is a deterrent or detective control but will require someone to monitor it to detect the theft. Mobile device management focuses on tablets or phones, not laptops. Motion sensors are not useful during the library's open hours since authorized patrons are allowed into the lab during the day. If laptop theft occurs during the day, motion sensors will be useless to stop them.

During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords? A. Birthday attack B. Brute force attack C. Cognitive password attack D. Rainbow table attack

C. Cognitive password attack Explanation OBJ-1.2: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this password type can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin's email account was hacked because a high schooler used the "reset my password" feature on Yahoo's email service to reset her password using the information that was publically available about Sarah Palin (like her birthday, high school, and other such information).

During a vulnerability scan of your network, you identified a vulnerability on an appliance installed by a vendor on your network under an ongoing service contract. You do not have access to the appliance's operating system as the device was installed under a support agreement with the vendor. What is your best course of action to remediate or mitigate this vulnerability? A. Try to gain access to the underlying operating system and install the patch B. Mark the identified vulnerability as a false positive C. Contact the vendor to provide an update or to remediate the vulnerability D. Wait 30 days, run the scan again, and determine if the vendor corrected the vulnerability

C. Contact the vendor to provide an update or to remediate the vulnerability Explanation OBJ-1.6: You should contact the vendor to determine if a patch is available for installation. Since this is a vendor-supported appliance installed under a service contract, the vendor is responsible for the appliance's management and security. You should not attempt to gain access to the underlying operating system to patch the vulnerability yourself, as this could void your warranty and void your service contract. Based on the information provided, there is no reason to believe that this is a false positive, either. You should not simply wait 30 days and rerun the scan, as this is a non-action. Instead, you should contact the vendor to fix this vulnerability. Then, you could rerun the scan to validate they have completed the mitigations and remediations.

During which incident response phase is the preservation of evidence performed? A. Post-incident activity B. Preparation C. Containment, eradication, and recovery D. Detection and analysis

C. Containment, eradication, and recovery Explanation OBJ-4.2: A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, prevent future attacks or bring up an attacker on criminal charges. Restoration and recovery are often prioritized over analysis by business operations personnel, but taking time to create a forensic image is crucial to preserve the evidence for further analysis and investigation. During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.

Last week, your organization was the victim of a cyber attack. The attack's root cause was investigated and found to be due to a missing patch on your Windows 2016 server for the EternalBlue exploit. The organization's vulnerability management team has rescanned the network and identified all the machines missing this critical patch. These systems were then patched, and the network was rescanned to verify the patch was installed properly. Which of the following types of controls would you classify the installation of this patch as? A. Detective B. Deterrent C. Corrective D. Compensating

C. Corrective Explanation OBJ-5.1: A corrective control is one that responds to and fixes an incident. A corrective control can also help to prevent the incident's reoccurrence. A compensating control fixes the root cause of an attack but instead adds additional layers of protection if the root cause cannot be fixed to mitigate the risk. Detective control is used to identify and record any attempted or successful intrusion, not prevent or deter access. A deterrent control is used to discourage an attacker from attempting an intrusion psychologically.

While conducting a penetration test of an organization's web applications, you attempt to insert the following script into the search form on the company's website: *reference image* Then, you clicked the search button, and a pop-up box appears on your screen showing the following text, "This site is vulnerable to an attack!" Based on this response, what vulnerability have you uncovered in the web application? A. Distributed denial of service B. Cross-site request forgery C. Cross-site scripting D. Buffer overflow

C. Cross-site scripting Explanation OBJ-1.3: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer.

An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application's search form and introduced the following code in the search input field: *Reference image* When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application? A. Cross-site request forgery B. SQL injection C. Cross-site scripting D. Command injection

C. Cross-site scripting Explanation OBJ-1.3: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

A financial services company wants to donate some old hard drives from their servers to a local charity. The hard drives used in the servers are self-encrypting drives. Still, they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use? A. Secure erase B. Overwrite C. Cryptographic erase D. Zero-fill

C. Cryptographic erase Explanation OBJ-3.2: In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Cryptographic erase can be used with hard drives, as well. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill-based methods might not be reliable because the device uses wear-leveling routines in the drive controller to communicate which locations are available for use to any software process accessing the device. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device. The most secure option would be a cryptographic erase (CE) for the question's scenario.

During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team? A. SSL B. MDM C. DLP D. UTM

C. DLP Explanation OBJ-2.1: Data loss prevention (DLP) software detects potential data breaches/ data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. This can be configured to detect and alert on future occurrences of this issue. Secure Socket Layer (SSL) is a distraction in this question since the questions ask about information being sent unencrypted. The connection between the client and the email server could be encrypted using SSL. However, the information is still sent to an employee's personal email account, which equates to a loss of control over the company's confidential data. Mobile Device Management (MDM) software is used for the configuration and securing of mobile devices like smartphones and tablets. Unified Threat Management (UTM) is a device that combines the functions of a firewall, anti-malware solution, and IDS into a single piece of hardware. Some UTM's may provide a DLP functionality, but DLP is a better answer to this question.

You want to play computer-based video games from anywhere in the world using your laptop or tablet. You heard about a new product called a Shadow PC that is a virtualized Windows 10 Home gaming PC in the cloud. Which of the following best describes this type of service? A. SaaS B. IaaS C. DaaS D. PaaS

C. DaaS Explanation OBJ-2.2: Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses focused on increasing their security and minimizing their operational expenses. Shadow PC (shadow.tech) provides a version of DaaS for home users who want to have a gaming PC without all the upfront costs. Software as a Service (SaaS) is ca loud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Officer 365 are both word processing SaaS solutions. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center.

Dion Training is currently undergoing an audit of its information systems. The auditor wants to understand better how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview? A. Data controller B. Data owner C. Data protection officer D. Data steward

C. Data protection officer Explanation OBJ-5.5: The primary role of the data protection officer (DPO) is to ensure that her organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. They must understand how any privacy information is used within business operations. Therefore, they are the best person for the auditor to interview to get a complete picture of the data usage.

Which authentication mechanism does 802.1x usually rely upon? A. RSA B. HOTP C. EAP D. TOTP

C. EAP Explanation OBJ-3.8: The IEEE 802.1X Port-based Network Access Control framework establishes several ways for devices and users to be securely authenticated before they are permitted full network access. The actual authentication mechanism will be some variant of the Extensible Authentication Protocol (EAP). EAP allows lots of different authentication methods, but many use a digital certificate on the server and/or client machines. This allows the machines to establish a trust relationship and create a secure tunnel to transmit the user authentication credential.

What type of scan will measure the size or distance of a person's external features with a digital video camera? A. Retinal scan B. Iris scan C. Facial recognition scan D. Signature kinetics scan

C. Facial recognition scan Explanation OBJ-2.4: A face recognition system is a computer application capable of identifying or verifying a person from a digital image or a video frame from a video source. One way to do this is by comparing selected facial features from the image and a face database. By measuring the external facial features, such as the distance between your eyes and nose, you can uniquely identify the user. A retinal scan is a biometric technique that uses unique patterns on a person's retina blood vessels. Iris recognition or iris scanning is the process of using visible and near-infrared light to take a high-contrast photograph of a person's iris. A signature kinetics scan measures a user's action when signing their name and compares it against a known-good example or baseline.

You are working in a doctor's office and have been asked to set up a kiosk to allow customers to check in for their appointments. The kiosk should be secured, and only customers to access a single application used for the check-in process. You must also ensure that the computer will automatically log in whenever the system is powered on or rebooted. Which of the following types of accounts should you configure for this kiosk? A. Remote Desktop User B. Power User C. Guest D. Administrator

C. Guest Explanation OBJ-3.7: A Windows guest account will let other people use your computer without being able to change PC settings, install apps, or access your private files. A Guest account is a Microsoft Windows user account with limited capabilities, no privacy, and is disabled by default. An administrator account is a Microsoft Windows user account that can perform all tasks on the computer, including installing and uninstalling apps, setting up other users, and configuring hardware and software.

Jack is assessing the likelihood of reconnaissance activities being performed against his organization. Which of the following would best classify the likelihood of a port scan being conducted against his DMZ? A. Medium B. None C. High D. Low

C. High Explanation OBJ-5.4: Since Jack's DMZ would contain systems and servers exposed to the Internet, there is a high likelihood that they are constantly being scanned by potential attackers performing reconnaissance.

(Sample Simulation - On the real exam for this type of question, you would have to fill in the blanks by dragging and dropping them into place.) *reference image* Using the image provided, select four security features that you should use with a workstation or laptop within your organization? A. Cable lock, Network sniffer, Host-based firewall, Remote wipe B. CAT5e STP, Location tracking, Host-based firewall, Remote wipe C. Host-based firewall, Network sniffer, Cable lock, CAT5e STP D. Remote wipe, Location tracking, Host-based firewall, Cable lock

C. Host-based firewall, Network sniffer, Cable lock, CAT5e STP Explanation OBJ-3.5: Host-based firewall, Network sniffer, a Cable lock, and CAT5e STP cables are appropriate security features to use with a corporate workstation or laptop. Using a host-based firewall (such as Windows Firewall), you can configure the workstation or laptop to block incoming or outgoing data from the device's network connection. If you install a network sniffer, you will be able to capture any network traffic used on the network for later analysis. If you use a cable lock, it will lock the workstation or laptop to a desk and prevent theft of the device. If you use a CAT 5e STP cable for your network connection, you will minimize EMI risk and reduce data emanations.

Your company has decided to begin moving some of its data into the cloud. Currently, your company's network consists of both on-premise storage and some cloud-based storage. Which of the following types of clouds is your company currently using? A. Community B. Public C. Hybrid D. Private

C. Hybrid Explanation OBJ-2.2: A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public.

Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed: *reference image* Based on the output, what type of password cracking method does Jason's new tool utilize? A. Brute force attack B. Rainbow attack C. Hybrid attack D. Dictionary attack

C. Hybrid attack Explanation OBJ-1.2: Based on the passwords found in the example, Jason's new password cracker is most likely using a hybrid approach. All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason's password of rover123 is made up of the dictionary word "rover" and the number 123. The cracker likely attempted to use a dictionary word (like rover) and the attempted variations on it using brute force (such as adding 000, 001, 002, ...122, 123) to the end of the password until found. Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.

You are trying to select the best device to install to proactively stop outside attackers from reaching your internal network. Which of the following devices would be the BEST for you to select? A. IDS B. Proxy server C. IPS D. Syslog server

C. IPS Explanation OBJ-3.3: An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents, and capturing information about them. An IPS can block malicious network traffic, unlike an IDS, which can only log them. A proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. System Logging Protocol (Syslog) uses port 514 and is a way network devices can use a standard message format to communicate with a logging server. It was designed specifically to make it easy to monitor network devices. Devices can use a Syslog agent to send out notification messages under a wide range of specific conditions.

A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? A. Require 2FA (two-factor authentication) on the laptops B. Increase the encryption level of VPN used by the laptops C. Implement a jumpbox system D. Scan the laptops for vulnerabilities and patch them

C. Implement a jumpbox system Explanation OBJ-3.3: A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an air gap, or using a jumpbox.

Which of the following would a virtual private cloud (VPC) infrastructure be classified as? A. Function as a Service B. Platform as a Service C. Infrastructure as a Service D. Software as a Service

C. Infrastructure as a Service Explanation OBJ-2.2: Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization may provision virtual servers in a cloud-hosted network. The service consumer is still responsible for maintaining the IP address space and routing internally to the cloud. Platform as a Service (PaaS) is a computing method that uses the cloud to provide any platform-type services. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services. Function as a Service (FaaS) is a cloud service model that supports serverless software architecture by provisioning runtime containers to execute code in a particular programming language.

Which of the following secure coding best practices ensures special characters like <, >, /, and ' are not accepted from the user via a web form? A. Output encoding B. Session management C. Input validation D. Error handling

C. Input validation Explanation OBJ-3.2: Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs: *reference image* What type of vulnerability does this website have? A. Weak or default configurations B. Improper error handling C. Insecure direct object reference D. Race condition

C. Insecure direct object reference Explanation OBJ-1.3: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user's profile page in this scenario. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system's potential flaws.

You are conducting a code review of a program and observe the following calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program? A. Impersonation B. Password spraying C. Integer overflow attack D. SQL injection

C. Integer overflow attack Explanation OBJ-1.3: Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation results in a large number to be stored in the space allocated for it. Integers are stored in 32 bits on the x86 architecture; therefore, if an integer operation results in a number greater than 0xffffffff, an integer overflow occurs, as was the case in this example. SQL injection is an attack that injects a database query into the input data directed at a server by accessing the application's client-side. Password spraying is a type of brute force attack in which multiple user accounts are tested with a dictionary of common passwords. Impersonation is the act of pretending to be another person or system for fraud.

The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems? A. Automated patch deployment B. Anti-virus software C. Intrusion prevention system D. Log consolidation

C. Intrusion prevention system Explanation OBJ-2.6: Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment and to prevent malicious activity. You could set up strict IPS rules to prevent unknown types of actions from being allowed to occur. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before conducting any patches. Often, patches will break ICS/SCADA functionality. Antivirus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems often do not rely on standard operating systems like Windows.

Which of the following biometric authentication factors relies on matching patterns on the eye's surface using near-infrared imaging? A. Facial recognition B. Retinal scan C. Iris scan D. Pupil dilation

C. Iris scan Explanation OBJ-2.4: Iris scans rely on the matching of patterns on the surface of the eye using near-infrared imaging, and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance) and much quicker. Iris scanners offer a similar level of accuracy as retinal scanners but are much less likely to be affected by diseases. Iris scanning is the technology most likely to be rolled out for high-volume applications, such as airport security. There is a chance that an iris scanner could be fooled by a high-resolution photo of someone's eye.

Which of the following is NOT considered part of the Internet of Things? A. SCADA B. ICS C. Laptop D. Smart television

C. Laptop Explanation OBJ-2.6: Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other things examples of devices classified as the Internet of Things (IoT). A laptop would be better classified as a computer or host than part of the Internet of Things. The Internet of things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs), and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach? A. A VM escape exploit could allow an attacker to gain access to the SIEM B. The company will have less control over the SIEM C. Legal and regulatory issues may prevent data migration to the cloud D. The company will be dependent on the cloud provider's backup capabilities

C. Legal and regulatory issues may prevent data migration to the cloud Explanation OBJ-2.2: If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud. The other options presented are all low risk and can be overcome with proper planning and mitigations. Most cloud providers have degrees of redundancy far above what any individual on-premises provider will be able to generate, making the concern over backups a minimal risk. If the SIEM is moved to a cloud-based server, it could still be operated and controlled in the same manner as the previous on-premise solution using a virtualized cloud-based server. While a VM or hypervisor escape is possible, they are rare and can be mitigated with additional controls.

Which analysis framework makes no allowance for an adversary retreat in its analysis? A. AlienVault (AT&T Cybersecurity) Cyber Kill Chain B. MITRE ATT&CK framework C. Lockheed Martin cyber kill chain D. Diamond Model of Intrusion Analysis

C. Lockheed Martin cyber kill chain Explanation OBJ-4.2: The Lockheed Martin cyber kill chain implicitly assumes a unidirectional workflow. Therefore, it fails to consider that an adversary may retreat during an attack. MITRE and Diamond's models are more dynamic systems that allow for a broader range of adversary behaviors. AlienVault was specifically designed to avoid the rigidity of the Lockheed Martin cyber kill chain.

The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, "You will regret firing me; just wait until Christmas!" He suspects the message came from a disgruntled former employee who may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could negatively affect Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for? A.Trojan B. Worm C. Logic bomb D. Adware

C. Logic bomb Explanation OBJ-1.2: A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. The director is concerned that a logic bomb may have been created and installed on his system or across the network before the analyst was fired.

Dion Training has an open wireless network called "InstructorDemos" for its instructors to use during class, but they do not want any students connecting to this wireless network. The instructors need the "InstructorDemos" network to remain open since some of their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the following configuration settings should you use to satisfy the instructor's requirements and prevent students from using the "InstructorDemos" network? A. QoS B. Signal strength C. MAC filtering D. NAT

C. MAC filtering Explanation OBJ-3.4: Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same devices to connect to the network, it would be relatively easy to implement a MAC filtering based on the list of devices that are allowed to use the open network and reject any other devices not listed by the instructors (like the student's laptops or phones). Reducing the signal strength would not solve this issue since students and instructors are in the same classrooms. Using Network Address Translation and Quality of Service will not prevent the students from accessing or using the open network.

Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place? A. Separation of duties B. Dual control C. Mandatory vacations D. Least privilege

C. Mandatory vacations Explanation OBJ-5.3: Mandatory vacation policies require employees to take time away from their job and help to detect fraud or malicious activities. Even if other controls such as separation of duties, least privilege, and dual control are used, an employee could collude with others to conduct fraud. By utilizing mandatory vacation policies, this fraud can often be discovered since a new person will be conducting the duties assigned to the person on vacation. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities.

Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the operating system can load itself? A. Master Boot Record analytics B. Startup Control C. Measured boot D. Advanced anti-malware

C. Measured boot Explanation OBJ-3.2: Measured boot is a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server. Master boot record analysis is used to capture the hard disk's required information to support a forensic investigation. It would not detect malware during the system's boot-up process. Startup control would be used to determine which programs will be loaded when the operating system is initially booted, but this would be too late to detect malware loaded during the pre-startup and boot process. Advanced anti-malware solutions are programs that are loaded within the operating system. Therefore, they are loaded too late in the startup process to be effective against malicious boot sector viruses and other BIOS/UEFI malware variants.

Which of the following tools is useful for capturing Windows memory data for forensic analysis? A. Wireshark B. dd C. Memdump D. Nessus

C. Memdump Explanation OBJ-4.1: The Memdump, Volatility framework, DumpIt, and EnCase are examples of Windows memory capture tools for forensic use. The dd tool is used to conduct forensic disk images. Wireshark is used for packet capture and analysis. Nessus is a commonly used vulnerability scanner.

What tool can be used as an exploitation framework during your penetration tests? A. Autopsy B. Nmap C. Metasploit D. Nessus

C. Metasploit Explanation OBJ-4.1: The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. Autopsy is used in digital forensic investigations.

Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords? A. CRLF injection B. Cross-site scripting C. Missing patches D. SQL injection

C. Missing patches Explanation OBJ-3.2: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server's data can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user's workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL is commonly used against databases, but they are not useful when attacking file servers.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) *reference image* How would you appropriately categorize the authentication method being displayed here? (Note: the hardware token is being by itself used for authentication.) A. PAP authentication B. Multifactor authentication C. One-time password authentication D. Biometric authentication

C. One-time password authentication Explanation OBJ-2.4: For the exam, you need to know the different categories of authentication and what type of authentication methods belong to each category. A hardware security token like the one displayed creates a one-time use password by presenting the user with a random string of numbers that changes every 30-60 seconds. When used by itself, it is considered a one-time password authentication method. If combined with a username and password, it would become a multi-factor authentication scheme.

Which of the following cryptographic algorithms is classified as asymmetric? A. 3DES B. RC4 C. PGP D. AES

C. PGP Explanation OBJ-2.8: Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions and to increase the security of email communications. PGP is a public-key cryptosystem and relies on an asymmetric algorithm. AES, RC4, and 3DES are all symmetric algorithms.

Which of the following is considered a form of regulated data? A. AUP B. DRM C. PII D. DMCA

C. PII Explanation OBJ-5.5: The four forms of regulated data covered by the exam are PII (Personally Identifiable Information), PCI (Payment Card Industry), GDPR (General Data Protection Regulation), and PHI (Protected Health Information). Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the Internet. While some items in the AUP might help prevent a malware infection (such as not allowing users to download and run programs from the internet), it is considered an administrative control, and choosing a technical control like patch management would better protect the network. Digital rights management (DRM) is a copyright protection technology for digital media. DRM solutions usually try to restrict the number of devices allowed for playback of a licensed digital file, such as a music track or ebook. The Digital Millennium Copyright Act (DMCA) is a 1998 United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization that criminalizes production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works.

Marta's organization is concerned with the vulnerability of a user's account being vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability? A. Password complexity B. Password history C. Password expiration D. Minimum password length

C. Password expiration Explanation OBJ-3.7: A password expiration control in the policy would force users to change their passwords at specific time intervals. This will then lock out a user who types in the incorrect password or create an alter that the user's account has been potentially compromised. While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario. It states the issue is based on time. Password history is used to determine the number of unique passwords a user must use before using an old password again. The Passwords must meet complexity requirements. The policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack.

Which of the following would NOT be useful in defending against a zero-day threat? A. Threat intelligence B. Allow listing C. Patching D. Segmentation

C. Patching Explanation OBJ-1.6: While patching is a great way to combat threats and protect your systems, it is not effective against zero-day threats. By definition, a zero-day threat is a flaw in the software, hardware, or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. This attack has no time (or days) between the time the vulnerability is discovered and the first attack, and therefore no patch would be available to combat it. Using segmentation, allow listing, and threat intelligence, a cybersecurity analyst, can put additional mitigations in place to protect the network even if a zero-day attack was successful.

What problem can you solve by using Wireshark? A. Validating the creation dates of web pages on a server B. Tracking source code version changes C. Performing packet capture and analysis on a network D. Resetting the administrator password on three different server

C. Performing packet capture and analysis on a network Explanation OBJ-4.1: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It cannot perform any of the other three options.

What is the lowest layer (bottom layer) of a bare-metal virtualization environment? A. Guest operating system B. Hypervisor C. Physical hardware D. Host operating system

C. Physical hardware Explanation OBJ-2.2: The bottom layer is physical hardware in this environment. It is what sits beneath the hypervisor and controls access to guest operating systems. The bare-metal approach doesn't have a host operating system. A hypervisor is a program used to run and manage one or more virtual machines on a computer. A host operating system is an operating system that is running the hypervisor. A host operating system is an operating system that is running the hypervisor.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) *reference image* Based on the image provided, what type of attack is occurring? A. DDoS B. SYN flood C. Ping flood D. Smurf attack

C. Ping flood Explanation OBJ-1.4: A Ping flood occurs when an attacker attempts to flood the server by sending too many ICMP echo request packets (known as pings). This image is a graphical depiction of this type of attack.

(Sample Simulation - On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.) What is the correct order of the Incident Response process? A. Identification, Containment, Eradication, Preparation, Recovery, and Lessons Learned B. Containment, Eradication, Identification, Lessons learned, Preparation, and Recovery C. Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned D. Lessons Learned, Recovery, Preparation, Identification, Containment, and Eradication

C. Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned Explanation OBJ-4.2: The proper order of the Incident Response process is Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Concepts with lists of steps are common questions asked as an ordering or a drag and drop question on the exam. For example, the steps of incident response, the order of volatility, or the strength of encryption schemes could be asked using this question format.

A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the webserver, what is their next step to pivot to a protected system outside of the screened subnet? A. Installing additional tools B. Vulnerability scanning C. Privilege escalation D. Patching

C. Privilege escalation Explanation OBJ-1.8: Apache web servers are run as a limited user by default, not as an administrative or root account. To be efficient and effective, the penetration tester should attempt to conduct a privilege escalation before pivoting into the screened subnet. As a penetration tester, they would not likely patch the system, conduct a vulnerability scan, or install additional tools. This does not help them achieve their goal of pivoting out of the screened subnet.

Question 38: Correct (Sample Simulation - On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.) Swap File -> 1. __________ Processor Cache -> 2. __________ Hard Drive or USB drive -> 3. __________ Random Access Memory -> 4. __________ You are working as part of a cyber incident response team. An ongoing attack has been identified on your webserver. Your company wants to take legal action against the criminals who have hacked your server, so they have brought a forensic analyst from the FBI to collect the evidence from the server. In what order should the digital evidence be collected based on the order of volatility? A. Swap File, Processor Cache, Random Access Memory, Hard Drive or USB Drive B. Processor Cache, Swap File, Random Access Memory, Hard Drive or USB Drive C. Processor Cache, Random Access Memory, Swap Fil

C. Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive Explanation OBJ-4.5: The correct order for evidence collection based on the order of volatility is the Processor Cache, Random Access Memory, Swap File, and then the Hard Drive or USB Drive. Since the Processor Cache is the most volatile and changes the most frequently, it should be captured first. Random Access Memory (RAM) is temporary storage on a computer. It can quickly change or be overwritten, and the information stored in RAM is lost when power is removed from the computer, so it should be collected second. Swap files are temporary files on a hard disk used as virtual memory, and therefore, they should be collected third. The files on a hard disk or USB drive are the least volatile of the four options presented since they are used for long-term storage of data and are not lost when the computer loses power.

Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach? A. Trade secret information B. Credit card information C. Protected health information D. Personally identifiable information

C. Protected health information Explanation OBJ-4.5: Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPAA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.

Which of the following is a common attack model of an APT attack? A. Holds an organization's data hostage using encryption B. Relies on worms to spread laterally C. Quietly gathers information from compromised systems D. Involves sophisticated DDoS attacks

C. Quietly gathers information from compromised systems Explanation OBJ-1.5: An APT refers to an adversary's ongoing ability to compromise network security by using various tools and techniques to obtain and maintain access. An APT is usually a highly sophisticated nation-state threat actor that quietly gathers information from compromised systems and can lay in waiting for several months during an ongoing attack. In general, an APT is primarily focused on espionage and strategic advantage, but some target companies purely for commercial gain. An APT is unlikely to conduct a DDoS attack, use worms to spread throughout the network, or use ransomware as part of their covert attacks.

Which of the following cryptographic algorithms is classified as asymmetric? A. AES B. DES C. RSA D. RC4

C. RSA Explanation OBJ-2.8: RSA (Rivest-Shamir-Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm. AES, RC4, and DES are all symmetric algorithms.

Dion Training has just completed an assessment as part of its disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 30 minutes of downtime for their public-facing webserver. Which of the following metrics would best represent this period of time? A. MTTR B. MTBF C. RTO D. RPO

C. RTO Explanation OBJ-5.4: The Recovery Time Objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) to avoid unacceptable consequences associated with a break in business continuity. In this example, 30 minutes would be the RTO.

On your lunch break, you walked down to the coffee shop on the corner. You open your laptop and connect to their wireless network. After a few minutes of surfing the Internet, a pop-up is displayed on your screen. You close the pop-up, finish your lunch break, shut down the laptop, and put it back into your backpack. When you get back to the office, you take out the laptop and turn it on, but instead of your normal desktop background, you are greeted by a full-screen image with a padlock and a message stating you have to pay 0.1 BTC to regain access to your personal files. What type of malware has infected your laptop? A. Rootkit B. Trojan C. Ransomware D. Spyware

C. Ransomware Explanation OBJ-1.2: This scenario is describing a ransomware attack. Your personal files are being held hostage and will not be released unless you pay a ransom (in this case, 0.1 BTC). Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received. A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enabled administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system. Spyware is a program that monitors user activity and sends the information to someone else. It may be installed with or without the user's knowledge. It invades the device, steals sensitive information and internet usage data, and relays it to advertisers, data firms, or external users. A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system.

You have been asked to install a computer in a public workspace. Only an authorized user should use the computer. Which of the following security requirements should you implement to prevent unauthorized users from accessing the network with this computer? A. Remove the guest account from the administrator group B. Issue the same strong and complex password for all users C. Require authentication on wake-up D. Disable single sign-on

C. Require authentication on wake-up Explanation OBJ-3.8: To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever the computer is woken up. Therefore, if an authorized user walks away from the computer and goes to sleep when another person tries to use the computer, it will ask for a username and password before granting them access to the network. A screen lock can secure the desktop with a password while leaving programs running if a user walks away, as well. Single sign-on (SSO) is a type of mutual authentication for multiple services that can accept the credential from one domain or service as authentication for other services. A guest account is a Microsoft Windows user account with limited capabilities, no privacy, and is disabled by default. Using the same password for all users is considered extremely poor security and should not be done.

Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach? A. Require data masking for any information stored in the database B. Require all new employees to sign an NDA C. Require data at rest encryption on all endpoints D. Require a VPN to be utilized for all telework employees

C. Require data at rest encryption on all endpoints Explanation OBJ-2.1: The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen. While requiring a VPN for all telework employees is a good idea, it would not have prevented this data breach since the laptop's loss caused it. Even if a VPN had been used, the same data breach would still have occurred if the employee copied the database to the machine. Remember on exam day that many options are good security practices, but you must select the option that solves the issue or problem in the question being asked. Similarly, data masking and NDAs are useful techniques, but they would not have solved this particular data breach.

Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? A. OpenID Connect B. ADFS C. SAML D. Kerberos

C. SAML Explanation OBJ-2.4: OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Which of the following hashing algorithms results in a 256-bit fixed output? A. NTLM B. SHA-1 C. SHA-2 D. MD-5

C. SHA-2 Explanation OBJ-2.8: SHA-2 creates a 256-bit fixed output. SHA-1 creates a 160-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database? A. Buffer overflow B. Cross-site scripting C. SQL injection D. Denial of service

C. SQL injection Explanation OBJ-1.3: A SQL injection poses the most direct and more impactful threat to an organization's database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to sensitive information disclosure. A buffer overflow attack attempts to overwrite the memory buffer to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn't intended to disclose information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow for other malicious code running. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack typically is focused on the user, not the server or database.

A security analyst is conducting a log review of the company's web server and found two suspicious entries: *reference top image* The analyst contacts the web developer and asks for a copy of the source code to the logon.php script. The script is as follows: *reference bottom image* Based on source code analysis, which type of vulnerability is this web server vulnerable to? A. Directory traversal B. LDAP injection C. SQL injection D. Command injection

C. SQL injection Explanation OBJ-1.3: Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (') used in the log. A connection to the MySQL database is being used in the script, which could be exploited since no input validation is being performed. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory.

You are reviewing the IDS logs and notice the following log entry: *reference image* What type of attack is being performed? A. Cross-site scripting B. Header manipulation C. SQL injection D. XML injection

C. SQL injection Explanation OBJ-1.3: SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common SQL injection technique is to insert an always true statement, such as 1 == 1, or in this example, 7 == 7. Header manipulation is the insertion of malicious data, which has not been validated, into an HTTP response header. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. The injection of unintended XML content and/or structures into an XML message can alter the application's intended logic. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.

An analyst just completed a port scan and received the following results of open ports: *reference image* Based on these scan results, which of the following services are NOT currently operating? A. RDP B. Web C. SSH D. Database

C. SSH Explanation OBJ-4.3: Based on the port numbers shown as open in the nmap scan results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389.

Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization's data center? A. Schedule scans to be conducted evenly throughout the day B. Schedule scans to run during peak times to simulate performance under load C. Schedule scans to run during periods of low activity D. Schedule scans to begin at the same time every day

C. Schedule scans to run during periods of low activity Explanation OBJ-1.7: For the best results, the scans should be scheduled during periods of low activity. This will help to reduce the negative impact of scanning on business operations. The other three options all carry a higher risk of causing disruptions to the network or its business operations.

An analyst reviews a triple-homed firewall configuration that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall? A. Data zone B. Staging environment C. Screened subnet D. Availability zone

C. Screened subnet Explanation OBJ-3.3: A triple-homed firewall connects to three networks internal (private), external (internet/public), and a screened subnet (formerly called a demilitarized zone or DMZ). The screened subnet is used to host systems that require access from external hosts. Data zones describe the state and location of data to help isolate and protect it from unauthorized/inappropriate use-for example, as data transitions from raw storage, processing, production, and analytical use. Data zones are associated with data lakes and designed to help manage big data used by analysts and scientists for data exploration and discovery tasks. An availability zone is an individual data center within a region of a cloud service provider's network. A staging environment is a pre-production enclave used for testing and development.

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders? A. Dual control B. Mandatory vacation C. Separation of duties D. Background checks

C. Separation of duties Explanation OBJ-5.3: This organization uses separation of duties to ensure that neither Kirsten nor Bob can exploit the organization's ordering processes for their gain. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Mandatory vacation policies require employees to take time away from their job and detect fraud or malicious activities. A background check is a process a person or company uses to verify that a person is who they claim to be and provides an opportunity for someone to check a person's criminal record, education, employment history, and other past activities to confirm their validity.

A web developer wants to protect their new web application from an on-path attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies? A. Hashing the cookie value B. Forcing the use of SSL for the web application C. Setting the secure attribute on the cookie D. Forcing the use of TLS for the web application

C. Setting the secure attribute on the cookie Explanation OBJ-3.2: When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still need to set the cookie's Secure attribute. Hashing the cookie provides the cookie's integrity, not confidentiality; therefore, it will not solve the issue presented by this question.

You are performing a web application security test, notice that the site is dynamic, and must be using a back-end database. You decide you want to determine if the site is susceptible to an SQL injection. What is the first character that you should attempt to use in breaking a valid SQL request? A. Exclamation mark B. Double quote C. Single quote D. Semicolon

C. Single quote Explanation OBJ-1.3: The single quote character (') is the character limiter in SQL. With a single quote,' you delimit strings, and therefore you can test whether the programmer has properly escaped the strings in the targeted application. If not escaped directly, you can end any string supplied to the application and add other SQL code after it. This is a common technique for SQL injections. A semicolon is a commonly used character at the end of a line of code or command in many programming languages. An exclamation mark comments a line of code in several languages. Double quotes contain a string that is passed to a variable.

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system? A. Fingerprint and retinal scan B. Username and password C. Smartcard and PIN D. Password and security question

C. Smartcard and PIN Explanation OBJ-2.4: Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inheritance factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inheritance). Choosing a username, password, and security question would also be only using one factor (knowledge). For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inheritance, location, or action.

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? A. CHAP B. Kerberos C. TACACS+ D. RADIUS

C. TACACS+ Explanation OBJ-3.8: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.

While working as a security analyst, you have been asked to monitor the SIEM. You observed network traffic going from an external IP to an internal host's IP within your organization's network over port 443. Which of the following protocols would you expect to be in use? A. TFTP B. HTTP C. TLS D. SSH

C. TLS Explanation OBJ-3.1: Transport Layer Security (TLS) is used to secure web connections over port 443. Since port 443 was in use, you should expect either HTTPS, SSL, or TLS to be used as the protocol. If not, this would be suspicious activity and should be investigated. In fact, since this was a connection from the external IP to an internal host over port 443, this is suspicious and could be indicative of a remote access trojan on your host.

Which of the following protocols is considered insecure and should never be used in your networks? A. SSH B. HTTPS C. Telnet D. SFTP

C. Telnet Explanation OBJ-3.1: Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. It is considered insecure and should never be used in secure networks because it transmits everything in clear text, including your authentication credentials. Telnet should be replaced with a more secure option, such as the secure shell (SSH) protocol. SSH performs the same functions as telnet but uses an encrypted tunnel to maintain the data's confidentiality before being sent over it. SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP used for secure communication over a computer network by encrypting data being transferred over it with either TLS or SSL.

An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue? A. The email is a form of spam and should be deleted B. The user doesn't have a PDF reader installed on their computer C. The attachment is using a double file extension to mask its identity D. The file contains an embedded link to a malicious website

C. The attachment is using a double file extension to mask its identity Explanation OBJ-1.1: The message contains a file attachment hoping that the user will execute or open it. The attachment's nature might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black popup window that appears and then disappeared, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.

You are conducting threat hunting on your organization's network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it? A. The host might be offline and conducted backups locally -- you should contact a system administrator to have it analyzed B. The host might be used as a command and control node for a botnet -- you should immediately disconnect the host from the network C. The host might use as a staging area for data exfiltration -- you should conduc

C. The host might use as a staging area for data exfiltration -- you should conduct volume-based trend analysis on the host's storage device Explanation OBJ-1.6: Based on your previous experience, you know that most workstations only store 40 GB of data. Since client workstations don't usually need to store data locally, and you noticed that a host's disk capacity has suddenly diminished, you believe it could indicate that it is used to stage data for exfiltration. To validate this hypothesis, you should configure monitoring and conduct volume-based trend analysis to see how much data is added over the next few hours or days. If you suspect the machine is the victim of a remote access trojan, you should not reimage it immediately. By reimaging the host, you would lose any evidence or the ability to confirm your hypothesis. Based on the scenario, you have no evidence that the system is offline or conducting backups locally. If you did suspect this, you could confirm this by checking the network connectivity or analyzing the files stored on the system. If you suspect the host used as a command and control (C2) node for a botnet, you should conduct network monitoring to validate your hypothesis before disconnecting the host from the network. If the host were a C2 node, that would not explain the excessive use of disk space observed.

Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works at the marketing department in the company's German headquarters, just emailed all their customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any? A. There was no privacy violation since the customers were emailed securely through the customer relationship management tool B. There was no privacy violation because only corporate employees had access to their email addresses C. There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receive marketing emails D. There was a privacy violation since data minimization policies were not followed properly

C. There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receive marketing emails Explanation OBJ-5.2: According to the European Union's General Data Protection Regulation (GDPR), personal data collected can only be used for the exact purpose in which explicit consent was obtained. To use email addresses for marketing purposes, separate explicit consent should have been obtained. Since the company operates in Germany, it must follow the GDPR privacy standard. Even if a company doesn't operate within the European Union, its customers might be European Union citizens, and therefore the company should still optional follow the GDPR guidelines. While data minimization is a good internal policy to utilize, not following it doesn't equate to a privacy violation or breach. Data minimization is the principle that data should only be processed and stored, if necessary, to perform the purpose for which it is collected. The option concerning the customer relationship management (CRM) tool is a distractor since the issue is using the data in ways that were not consented to by the customer, not which system the email was sent through. A privacy violation can occur when corporate employees view data if those employees do not have a need to know, a valid business requirement to use the data, or consent from the customer to use the data for a specific purpose (as was the case in this scenario).

Karen lives in an area that is prone to hurricanes and other extreme weather conditions. She asks you to recommend an electrical conditioning device that will prevent her files from being corrupted if the building's power is unstable or lost. Additionally, she would like the computer to maintain power for up to an hour of uptime to allow for a graceful shutdown of her programs and computer. Which of the following should you recommend? A. Line conditioner B. Power distribution unit C. Uninterruptible power supply D. Surge protector

C. Uninterruptible power supply Explanation OBJ-2.5: An uninterruptible power supply or uninterruptible power source (UPS) is an electrical apparatus that provides emergency power to a load when the input power source becomes too low or the main power fails. A UPS provides near-instantaneous protection from input power interruptions by using a battery backup. The on-battery run-time of most uninterruptible power sources is usually short (less than 60 minutes) but sufficient to properly shut down a computer system. A line conditioner is a device that adjusts voltages in under-voltage and overvoltage conditions to maintain a 120 V output. Line conditioners raise a sag or under-voltage event back to normal levels, but they cannot protect the line from a complete power failure or power outage. A surge protector defends against possible voltage spikes that could damage your electronics, appliances, or equipment. A power strip will not protect against voltage spikes. A UPS or line conditioner could protect against voltage spikes, but they cost much more than a surge protector. A power distribution unit (PDU) is a device designed to provide power to devices that require power, and may or may not support remote monitoring and access.

Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? A. Use data masking B. Span multiple virtual disks to fragment data C. Use full-disk encryption D. Zero-wipe drives before moving systems

C. Use full-disk encryption Explanation OBJ-2.2: To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider. Using a zero wipe is typically impossible because VM systems may move without user intervention during scaling and elasticity operations. Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with "x," for example. Data masking will not prevent your corporate data from being exposed by data remanence. Spanning multiple disks will leave the data accessible, even though it would be fragmented, and would make the data remanence problem worse overall.

Which of the following functions is not provided by a TPM? A. Remote attestation B. Random number generation C. User authentication D. Sealing E. Secure generation of cryptographic keys F. Binding

C. User authentication Explanation OBJ-3.2: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.

You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal? A. MAC filtering B. WPA2 C. VLAN D. VPN

C. VLAN Explanation OBJ-3.3: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevent communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and separates the two virtual network's data. A virtual private network (VPN) is a remote access capability to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.

Which of the following is the LEAST secure wireless security and encryption protocol? A. WPA3 B. WPA C. WEP D. WPA2

C. WEP Explanation OBJ-3.4: Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications that was designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access version 3 (WPA3) has replaced WPA2 as the most secure wireless encryption method. WPA3 uses the simultaneous authentication of equals (SAE) to increase the security of preshared keys. WPA3 provides the enhanced open mode that encrypts transmissions from a client to the access point when using an open network. WPA3 Enterprise mode supports the use of AES with the Galois/counter mode protocol (GCMP-256) for the highest levels of encryption.

Which of the following vulnerabilities is the greatest threat to data confidentiality? A. SSL Server with SSLv3 enabled vulnerability B. HTTP TRACE/TRACK methods enabled C. Web application SQL injection vulnerability D. phpinfo information disclosure vulnerability

C. Web application SQL injection vulnerability Explanation OBJ-5.4: Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice everything that had been changed, thereby also affecting our data integrity. The HTTP TRACE/TRACK methods are normally used to return the full HTTP request to the requesting client for proxy-debugging purposes and allow the attacker to access sensitive information in the HTTP headers. Since this only exposes information in the headers, it minimizes the risk to our system's data confidentiality. An SSL server with SSLv3 enabled is not ideal since this is an older encryption type, but it still provides some confidentiality. The phpinfo information disclosure vulnerability prints out detailed information on both the system and the PHP configuration. This information by itself doesn't disclose any information about the data stored within the system, though, so it isn't a great threat to our data's confidentiality.

What type of malicious application does not require user intervention or another application to act as a host to replicate? A. Trojan B. Macro C. Worm D. Virus

C. Worm Explanation OBJ-1.2: A worm is a self-replicating type of malware that does not require user intervention or another application to act as a host for it to replicate. Viruses and Macros require user intervention to spread, and Trojans are hosted within another application that appears harmless.

What kind of security vulnerability would a newly discovered flaw in a software application be considered? A. Time-to-check to time-to-use flaw B. Input validation flaw C. Zero-day vulnerability D. HTTP header injection vulnerability

C. Zero-day vulnerability Explanation OBJ-1.6: A zero-day vulnerability refers to a hole in software unknown to the vendor and newly discovered. This security hole can become exploited by hackers before the vendor becomes aware of it and can fix it. An input validation attack is any malicious action against a computer system that involves manually entering strange information into a normal user input field that is successful due to an input validation flaw. HTTP header injection vulnerabilities occur when user input is insecurely included within server response headers. The time of check to time of use is a class of software bug caused by changes in a system between checking a condition (such as a security credential) and using the check's results and the difference in time passed. This is an example of a race condition.

An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only the name servers? A. locate type=ns B. transfer type=ns C. set type=ns D. request type=ns

C. set type=ns Explanation OBJ-4.1: The nslookup command is used to query the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records. The "set type=ns" tells nslookup only reports information on name servers. If you used "set type=mx" instead, you would receive information only about mail exchange servers.

An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker located several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use? A. Netcat B. Nessus C. Cain and Abel D. Nmap

Cain and Abel Explanation OBJ-4.1: Cain and Abel (often abbreviated to Cain) is a popular password cracking tool. It can recover many password types using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force, and cryptanalysis attacks. It also includes a module to conduct Cisco VPN Client Password Decoding too. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access.

(Sample Simulation - On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company's network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts? A. Immediately remove the data

Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody Explanation OBJ-4.3: Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won't affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server's hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.

*reference image* Review the network diagram provided. Which of the following ACL entries should be added to the firewall to allow only the system administrator's computer (IT) to have SSH access to the FTP, Email, and Web servers in the DMZ? ((Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.) A. 192.168.0.0/24, 172.16.1.4, 22, TCP, ALLOW B. 172.16.1.0/24, 192.168.0.0/24, ANY, TCP, ALLOW C. 192.168.0.3/24, 172.16.1.4, ANY, TCP, ALLOW D. 172.16.1.4, 192.168.0.0/24, 22, TCP, ALLOW

D. 172.16.1.4, 192.168.0.0/24, 22, TCP, ALLOW Explanation OBJ-3.3: Since the scenario requires you to set up SSH access from the IT computer to all three servers in the DMZ, you will need to use a /24 subnet to set up the ACL rule correctly (or have 3 separate ACL entries). Since you can only select one in this example, you will have to use the /24 for the destination network. This means that the Source IP is 172.16.1.4 (IT computer), the Destination IP is 192.168.0.0/24 (the entire DMZ), the port is 22 for SSH and operates over TCP, and the condition is set to ALLOW.

(Sample Simulation - On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.) *reference image* Using the image provided, place the port numbers in the correct order with their associated protocols. A. 80, 53, 69, 25 B. 53, 69, 25, 80 C. 25, 80, 53, 69 D. 69, 25, 80, 53

D. 69, 25, 80, 53 Explanation OBJ-3.1: For the exam, you need to know your ports and protocols. The Trivial File Transfer Protocol (TFTP) uses port 69. The Simple Mail Transfer Protocol (SMTP) uses port 25. The Hypertext Transfer Protocol (HTTP) uses port 80. The Domain Name Service (DNS) protocol uses port 53.

A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation? A. An HTTP response that reveals an internal IP address B. A cryptographically weak encryption cipher C. A website utilizing a self-signed SSL certificate D. A buffer overflow that is known to allow remote code execution

D. A buffer overflow that is known to allow remote code execution Explanation OBJ-1.3: The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively. While the other issues should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.

An internet marketing company decided that they didn't want to follow the rules for GDPR because it would create too much work for them. They wanted to buy insurance, but no insurance company would write them a policy to cover any fines received. They considered how much the fines might be and decided to ignore the regulation and its requirements. Which of the following risk strategies did the company choose? A. Transference B. Mitigation C. Avoidance D. Acceptance

D. Acceptance Explanation OBJ-5.4: The internet marketing company initially tried to transfer the risk (buy insurance) but then decided to accept the risk. To avoid the risk, the company would have changed how it did business or would prevent European customers from signing up on their mailing list using geolocation blocks.

A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements? A. Combination of cloud-based and server-based scanning engines B. Passive scanning engine located at the core of the network infrastructure C. Combination of server-based and agent-based scanning engines D. Active scanning engine installed on the enterprise console

D. Active scanning engine installed on the enterprise console Explanation OBJ-1.7: Since the college wants to ensure a centrally-managed enterprise console, an active scanning engine installed on the enterprise console would best meet these requirements. The college's cybersecurity analysts could then perform scans on any devices connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the agents' installation onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.

What role does the red team perform during a tabletop exercise (TTX)? A. Network defender B. System administrator C. Cybersecurity analyst D. Adversary

D. Adversary Explanation OBJ-1.8: The red team acts as the adversary, attempting to penetrate the network or exploit it as a rogue internal attacker. The red team might select members of in-house security staff, a third-party company, or a consultant contracted to perform the role. The blue team operates the security system with a focus on detecting and repelling the red team. The blue team usually consists of system administrators, cybersecurity analysts, and network defenders.

You are configuring the ACL for the network perimeter firewall. You have just finished adding all the proper allow and deny rules. What should you place at the end of your ACL rules? A. A SNMP deny string B. A time of day restriction C. An implicit allow statement D. An implicit deny statement

D. An implicit deny statement Explanation OBJ-3.3: According to the best practices of firewall configurations, you should include an implicit deny at the end of your ACL rules. This will ensure that anything not specifically allowed in the rules above is blocked. Using an implicit allow is a bad security practice since it will allow anything into the network that is not specifically denied. While the time of day restrictions can be useful, they are not required for all network implementations.

Michelle has just finished installing a new database application on her server. She then proceeds to uninstall the sample configuration files, properly configure the application settings, and update the software to the latest version according to her company's policy. What best describes the actions Michelle just took? A. Input validation B. Patch management C. Vulnerability scanning D. Application hardening

D. Application hardening Explanation OBJ-3.2: Application hardening involves taking actions to best secure the application from attack. This involves removing any default or sample configurations, properly configuring settings, and updating the application to the latest and more secure version. Patch management is incorrect because only updating the software falls under patch management, not the configuration portions of her actions. Vulnerability scanning involves scanning a device for known vulnerabilities to update the device and prevent a future attack. Input validation is a technique to verify user-provided data meets the expected length and type before allowing a program to utilize it.

You are helping to set up a backup plan for your organization. The current plan states that all of the organization's Linux servers must have a daily backup conducted. These backups are then saved to a local NAS device. You have been asked to recommend a method to ensure the backups will work when needed for restoration. Which of the following should you recommend? A. Frequently restore the server from backup files to test them B. Create an additional copy of the backups in an off-site datacenter C. Set up scripts to automatically reattempt any failed backup jobs D. Attempt to restore to a test server from one of the backup files to verify them

D. Attempt to restore to a test server from one of the backup files to verify them Explanation OBJ-2.5: The only way to fully ensure that a backup will work when needed is to restore the files from the backups. To do that, it is best to restore them to a test server since this will not affect your production environment.

A small business recently experienced a catastrophic data loss due to flooding from a recent hurricane. The customer had no backups, and flooding destroyed all of the hardware associated with the small business. As part of the rebuilding process, the small business contracts with your company to help create a disaster recovery plan to ensure this never reoccurs again. Which of the following recommendations should you include as part of the disaster recovery plan? A. Local backups should be verified weekly to ensure no data loss occurs B. Purchase waterproof devices to prevent data loss C. Local backups should be conducted D. Backups should be conducted to a cloud-based storage solution

D. Backups should be conducted to a cloud-based storage solution Explanation OBJ-4.2: While losing the hardware is a problem for the business, their insurance will replace the hardware if flooding destroyed it. The data involved is more of a concern. Therefore, backups should be the primary concern. Local backups are risky since a flood might also destroy them; therefore, using a cloud-based storage solution would be ideal and prevent future data loss.

You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server? A. Protocol analysis B. Vulnerability scan C. Passive scan D. Banner grabbing

D. Banner grabbing Explanation OBJ-1.7: Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server's response. This banner usually contains the server's operating system and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time-consuming and not fully accurate methods to determine the version being run.

Which of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization's headquarters? A. Access control vestibule B. Intrusion alarm C. Security guards D. Bollards

D. Bollards Explanation OBJ-2.7: Bollards are a physical security control that is designed to prevent a vehicle-ramming attack. Bollards are typically designed as sturdy, short, vertical posts. Some organizations have installed more decorative bollards created out of cement and are large enough to plant flowers or trees inside. Access control vestibules are designed to prevent individuals from tailgating into the building. Security guards and intrusion alarms could detect this from occurring but not truly prevent them.

Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent? A. Privilege escalation B. Spoofing C. On-path attack D. Brute force attack

D. Brute force attack Explanation OBJ-1.2: Since the policy will lock out the student for 15 minutes between attempts, it is a valid mitigation technique against a brute force attack. By extending the waiting period, the attacker's brute force attempts are less effective. A brute force attack is a type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords. An on-path attack is an attack where the threat actor makes an independent connection between two victims and can read, and possibly modify traffic. A privilege escalation is a practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application. Spoofing is a type of attack that disguises a communication from an unknown source as being from a known, trusted source. Spoofing can occur using different methods, such as MAC spoofing, IP spoofing, call spoofing, and others.

Dion Training has recently opened an Internet café for students to use during their lunch break. Unfortunately, Dion Training doesn't have any wireless networks in their building, so they have placed three laptops in the Internet café. What protection should be installed to best prevent the laptops from being stolen? A. CCTV B. Safe C. Proximity badge D. Cable locks

D. Cable locks Explanation OBJ-2.7: The best option is to use a cable lock for each laptop to ensure that they won't get stolen from the Internet café. CCTV is useful as a detective control and could be used to find out who stole the laptops after they were taken, but a cable lock is a preventative control that would stop the theft from occurring in the first place. Proximity badges are a poor choice because students would likely not have a proximity badge, and the Internet café is an area with open access for students and instructors. Similarly, a safe may be useful to lock up the laptops at night, but during the day, the laptops would need to be available at the Internet café, so the cable locks are still a better choice.

(Sample Simulation - On the real exam for this type of question, you would have to fill in the blanks by dragging and dropping them into place.) *reference image* Using the image provided, select four security features that you should use with a smartphone provided through a COPE policy in your organization? A. MDM, Location tracking, Host-based firewall, Remote wipe B. Remote wipe, Location tracking, Host-based firewall, Cable lock C. Cable lock, Network sniffer, Cellular data, Remote wipe D. Cellular data, Remote wipe, Location tracking, MDM

D. Cellular data, Remote wipe, Location tracking, MDM Explanation OBJ-3.5: Cellular data, Remote wipe, Location tracking, and MDM are all appropriate security features to use with a company-provided laptop. By using cellular data, your users will be able to avoid connecting to WiFi networks for connectivity. Remote wipe enables the organization to remotely erase the device's contents if it is lost or stolen. Location tracking uses the smart phone's GPS coordinates for certain apps, location-based authentication, and to track down a device if it is lost or stolen. Mobile device management (MDM) programs enable the administrators to remotely push software updates, security policies, and other security features to the device from a centralized server.

You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port to 636 wherever possible. What should you do? A. Conduct remediation actions to update encryption keys on each server to match port 636 B. Change all devices and servers that support it to port 636 since port 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks C. Mark this as a false positive in your audit report since the services that typically run on ports 389 and 636 are identical D. Change all devices and servers that support it to port 636 since encrypted services run by default on port 636

D. Change all devices and servers that support it to port 636 since encrypted services run by default on port 636 Explanation OBJ-3.1: LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP but typically runs unencrypted LDAP services over this port. Instead, you should change all devices and servers that can technically support the change to port 636 since LDAP services over port 636 are encrypted by default.

Following a root cause analysis of an edge router's unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue? A. Increase network vulnerability scan frequency B. Verify that all routers are patched to the latest release C. Ensure all anti-virus signatures are up to date D. Conduct secure supply chain management training

D. Conduct secure supply chain management training Explanation OBJ-5.3: Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization's supply chain. Training on detection methodologies (i.e., simple visual inspections) and training for acquisition personnel will better prevent recurrences.

Jason has installed multiple virtual machines on a single physical server. He needs to ensure that the traffic is logically separated between each virtual machine. How can Jason best implement this requirement? A. Create a virtual router and disable the spanning tree protocol B. Install a virtual firewall and establish an access control list C. Conduct system partitioning on the physical server to ensure the virtual disk images are on different partitions D. Configure a virtual switch on the physical server and create VLANs

D. Configure a virtual switch on the physical server and create VLANs Explanation OBJ-3.3: A virtual switch is a software application that allows communication between virtual machines. A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. This solution provides a logical separation of each virtual machine through the use of VLANs on the virtual switch.

Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation? A. Encrypt the source drive to ensure an attacker cannot modify its contents B. Digitally sign the image file to provide non-repudiation of the collection C. Encrypt the image file to ensure it maintains data integrity D. Create a hash digest of the source drive and the image file to ensure they match

D. Create a hash digest of the source drive and the image file to ensure they match Explanation OBJ-4.5: The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from it. When comparing hash values, you need to use the same algorithm used to create the reference value. While encrypting the image files is a good security practice to maintain the data's confidentiality, it does not provide data integrity like a hash digest does. Once imaged, the source drive should not be altered or encrypted. Digitally signing the image file could serve the function of non-repudiation, but it is an uncommon practice and not required to be performed.

Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct? A. External scan B. Non-credentialed scan C. Internal scan D. Credentialed scan

D. Credentialed scan Explanation OBJ-1.7: Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results. A non-credentialed scan relies on external resources for configuration settings that can be altered or incorrect. The scanner's network location does not directly impact the ability to read the configuration information, so it would not make a difference if you conducted an external or internal scan.

You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it? A. Data recovery B. Data retention C. Data sanitization D. Data correlation

D. Data correlation Explanation OBJ-4.3: Data correlation is the first step in making sense of data from across numerous sensors. This will ensure the data is placed concerning other pieces of data within the system. For example, if your IDS detected an incident, host logs were collected, and your packet capture system collected the network traffic, the SIEM could be used to correlate all three pieces of information from these different systems to allow an analyst to understand the event better. By conducting data correlation, it allows an analyst to identify a pattern more clearly and take action. Data correlation should be performed as soon as the SIEM indexes the data.

When your credit card data is written to the customer invoicing system at Dion Training, the first 12 digits are replaced with an x before storing the data. Which of the following privacy methods is being used? A. Anonymization B. Tokenization C. Data minimization D. Data masking

D. Data masking Explanation OBJ-5.5: Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from a data set so that the people whom the data describe remain anonymous.

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system? A. Privacy officer B. Data steward C. Data custodian D. Data owner

D. Data owner Explanation OBJ-5.5: A data owner is responsible for the confidentiality, integrity, availability, and privacy of information assets. They are usually senior executives and somebody with authority and responsibility. A data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls. The data owner typically selects the data steward and data custodian and has the authority to direct their actions, budgets, and resource allocations. The data steward is primarily responsible for data quality. This involves ensuring data are labeled and identified with appropriate metadata. That data is collected and stored in a format and with values that comply with applicable laws and regulations. The data custodian is the role that handles managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures. The privacy officer is responsible for oversight of any PII/SPI/PHI assets managed by the company.

You have been asked to provide some training to Dion Training's system administrators about the importance of proper patching of a system before deployment. To demonstrate the effects of deploying a new system without patching it first, you ask the system administrators to provide you with an image of a brand-new server they plan to deploy. How should you deploy the image to demonstrate the vulnerabilities exposed while maintaining the security of the corporate network? A. Utilize a server with multiple virtual machine snapshots installed to it, restore from a known compromised image, then scan it for vulnerabilities B. Deploy the image to a brand new physical server, connect it to the corporate network, then conduct a vulnerability scan to demonstrate how many vulnerabilities are now on the network C. Deploy the vulnerable image to a virtual machine on a physical server, create an ACL to restrict all incoming con

D. Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities Explanation OBJ-3.2: To ensure your corporate network's safety, any vulnerable image you deploy should be done within a sandboxed environment. This will ensure that an outside attacker cannot exploit the vulnerabilities but will still allow you to show the vulnerabilities found during a scan to demonstrate how important patching is to the security of the server.

You are working as part of a penetration testing team during an assessment of Dion Training's headquarters. Your boss has requested that you search the company's recycling bins for any information that might be valuable during the reconnaissance phase of your attack. What type of social engineering method are you performing? A. Impersonation B. Whaling C. Phishing D. Dumpster diving

D. Dumpster diving Explanation OBJ-1.1: Dumpster diving involves searching through publicly accessible garbage cans or recycling bins to find discarded paper, manuals, or other valuable types of information from a targeted company. This is often done as part of the reconnaissance phase before an attack is performed. Whaling is an email-based or web-based form of phishing that targets senior executives or wealthy individuals. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Impersonation is the act of pretending to be someone or something else. Malicious actors often couple pretexting and impersonation to craft a believable scenario and impersonate people in authority during a social engineering attack.

What regulation protects the privacy of student educational records? A. GLBA B. SOX C. HIPAA D. FERPA

D. FERPA Explanation OBJ-5.2: The Family Educational Rights and Privacy Act (FERPA) requires that educational institutions implement security and privacy controls for student educational records. Gramm-Leach-Bliley Act (GLBA) institutes requirements that help protect the privacy of an individual's financial information held by financial institutions and others, such as tax preparation companies. The privacy standards and rules created as part of GLBA safeguard private information and set penalties in the event of a violation. Sarbanes-Oxley Act (SOX) dictates requirements for storing and retaining documents relating to an organization's financial and business operations, including the type of documents to be stored and their retention periods. It is relevant for any publicly-traded company with a market value of at least $75 million. The Health Insurance Portability and Accountability Act (HIPAA) establishes several rules and regulations regarding healthcare in the United States. With the rise of electronic medical records, HIPAA standards have been implemented to protect patient medical information privacy through restricted access to medical records and regulations for sharing medical records.

(Sample Simulation - On the real exam for this type of question, you would have to fill in the blanks by dragging and dropping them into place.) *reference image* Using the image provided, select four security features that you should use to best protect your servers in the data center. This can include physical, logical, or administrative protections. A. GPS tracking, Biometrics, Proximity badges, Remote wipe B. Strong passwords, Biometrics, Mantrap, Cable lock C. Antivirus, Mantrap, Cable lock, GPS tracking D. FM-200, Biometric locks, Mantrap, Antivirus

D. FM-200, Biometric locks, Mantrap, Antivirus (Correct) Explanation OBJ-2.7: The best option based on your choices is FM-200, Biometric locks, Mantrap, and Antivirus. FM-200 is a fire extinguishing system commonly used in data centers and server rooms to protect the servers from fire. Biometric locks are often used in high-security areas as a lock on the access door. Additionally, biometric authentication could be used for a server by using a USB fingerprint reader. Mantraps often are used as part of securing a data center as well. This area creates a boundary between a lower security area (such as the offices) and the higher security area (the server room). Antivirus should be installed on servers since they can use signature-based scans to ensure files are safe before being executed.

Your intrusion detection system has produced an alert based on its review of a series of network packets. After analysis, it is determined that the network packets did not contain any malicious activity. How should you classify this alert? A. True negative B. True positive C. False negative D. False positive

D. False positive Explanation OBJ-1.7: A false positive occurs when an alert is triggered (the system believes malicious activity occurred) when there is no malicious activity involved. A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected.

You have just finished running a vulnerability scan of the network and are reviewing the results. The first result in the report shows the following vulnerability: *reference image* You log into the MySQL server and verify that you are currently running version 3.5.3. Based on the item shown on the image, what best describes how you should categorize this finding? A. True negative B. False negative C. True positive D. False positive

D. False positive Explanation OBJ-1.7: You should categorize the results as a false positive. Based on the scenario and output, your server is not vulnerable to a remote code execution for the identified vulnerability. You are already running MySQL v3.5.3 that is greater than v3.3.x or above. This indicates that the vulnerability scanner falsely identified your MySQL version as an earlier and more vulnerable version. The system incorrectly identified a vulnerability, but the vulnerability doesn't exist on your system. Therefore this is a false positive.

Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next? A. Wait to perform any additional scanning until the current list of vulnerabilities have been remediated fully B. Place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities C. Attempt to identify all the false positives and exceptions, then resolve any remaining items D. Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first

D. Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first Explanation OBJ-5.5: PHI is an abbreviation for Personal Health Information. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, those critical assets to the secure handling or storage of PHI are of the highest risk should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not identify all the false positives and exceptions and then resolve any remaining items since they won't be prioritized for remediation. You should also not wait to perform additional scanning because a scan is only a snapshot of your current status. If it takes 30 days to remediate all the vulnerabilities and do not scan, new vulnerabilities may have been introduced. Placing all the PHI assets into a sandbox will not work either because you have removed them from the production environment and can no longer serve their critical business functions.

A software assurance test analyst performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing? A. Sequential data sets B. Static code analysis C. Known bad data injection D. Fuzzing

D. Fuzzing Explanation OBJ-3.2: Fuzzing is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), failing built-in code assertions, or finding potential memory leaks. Static code analysis is a method of debugging by examining source code before a program is run. Known bad data injection is a technique where data known to cause an exception or fault is entered as part of the testing / assessment with known bad data injections. You would not use randomly generated data sets, though.

A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them to cause an error or failure condition. Which of the following is the laboratory performing? A. Security regression testing B. Stress testing C. User acceptance testing D. Fuzzing

D. Fuzzing Explanation OBJ-3.2: Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security, are therefore of high significance, and the interest in such approaches has steadily increased. Stress testing verifies the system's stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions.

Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually through a token-based key fob or smartphone app, that does not expire? A. Smart card B. EAP C. TOTP D. HOTP

D. HOTP Explanation OBJ-2.4: HMAC-based One-time Password Algorithm (HOTP) is an algorithm for token-based authentication. The authentication server and client token are configured with the same shared secret. The token could be a fob-type device or implemented as a smartphone app. The token does not have an expiration under HOTP, but an improved version known as TOTP does include token expirations.

Which of the protocols listed is NOT likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)? A. SSLv3 B. SSLv2 C. PPTP D. IPsec

D. IPsec Explanation OBJ-3.3: IPsec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.

To improve the Dion Training corporate network's security, a security administrator wants to update the configuration of their wireless network to have IPSec built into the protocol by default. Additionally, the security administrator would like for NAT to no longer be required for extending the number of IP addresses available. What protocol should the administrator implement on the wireless network to achieve their goals? A. WEP B. IPv4 C. WPA2 D. IPv6

D. IPv6 Explanation OBJ-3.1: IPv6 includes IPsec built into the protocol by default. Additionally, IPv6 also provides an extended IP address range for networks, eliminating the need for using NAT. IPv4 does not include IPsec or extended IP address ranges by default. WPA2 is the most modern and secure version of wireless encryption for WiFi networks, but it doesn't include IPsec or extended IP address ranges by default. WEP is an older version of wireless encryption for WiFi networks and doesn't provide these features by default, either.

Which cloud computing concept is BEST described as focusing on the replacement of physical hardware at a customer's location with cloud-based resources? A. PaaS B. SaaS C. SECaaS D. IaaS

D. IaaS Explanation OBJ-2.2: Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center. If you purchase a server in the cloud and then install and manage the operating system and software, this is Iaas. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Security as a service is a business model in which a service provider integrates their security services into a corporate infrastructure on a subscription basis more cost-effectively than most individuals or corporations can provide on their own when the total cost of ownership is considered.

You want to create a website for your new technical support business. You decide to purchase an on-demand cloud-based server and install Linux, Apache, and WordPress on it to run your website. Which of the following best describes which type of service you have just purchased? A. SaaS B. PaaS C. DaaS D. IaaS

D. IaaS Explanation OBJ-2.2: Infrastructure as a Service (Iaas) is focused on moving your servers and computers into the cloud. If you purchase a server in the cloud and then install and manage the operating system and software on it, this is Iaas. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Software as a Service (SaaS) is ca loud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses focused on increasing their security and minimizing their operational expenses.

Which role validates the user's identity when using SAML for authentication? A. User agent B. RP C. SP D. IdP

D. IdP Explanation OBJ-3.8: The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if any of the Dion Training employees use the same Ethernet port in the conference room, they should access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements? A. Create an ACL to allow access B. Configure a SIEM C. MAC filtering D. Implement NAC

D. Implement NAC Explanation OBJ-3.3: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets and provide them with access to the secure internal network. NAC could also determine unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them on a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define what ports, protocols, or IP addresses the ethernet port could be utilized. Still, it would be unable to distinguish between a Dion Training employee's laptop and a CompTIA employee's laptop like a NAC implementation could.

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? A. MAC filtering B. VPN C. Intrusion Detection System D. Implement an allow list

D. Implement an allow list Explanation OBJ-3.2: By implementing an allow list of the authorized IP addresses for the five largest vendors, they will be the only ones who can access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the scenario's description, it appears like the system is under some form of denial of service attack. Still, by implementing an allow list at the edge of the network and sinkholing any traffic from IP addresses that are not allow listed, the server will no longer be overwhelmed or perform slowly to respond to legitimate requests. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve it (whereas an IPS could).

Julie was just hired to conduct a security assessment of Dion Training's security policies. During her assessment, she noticed that many users were sharing group accounts to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company? A. More efficient baseline management B. More routing auditing C. Increase password security D. Increase individual accountability

D. Increase individual accountability Explanation OBJ-5.3: To adequately provide accountability, the use of shared or group accounts should be disabled. This allows you to log and track individual user actions based on individual user accounts. This enables the organization to hold users accountable for their actions, too.

During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found? A. SQL injection B. XSRF C. Botnet D. Indicator of compromise

D. Indicator of compromise Explanation OBJ-1.2: An indicator of compromise is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers' domain names. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. A botnet consists of many Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.

While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. The IT department never deactivated the employee's account upon their termination. Which of the following categories would this breach be classified as? A. Advanced persistent threat B. Known threat C. Zero-day D. Insider Threat

D. Insider Threat Explanation OBJ-1.5: An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems. Based on the details provided in the question, it appears the employee's legitimate credentials were used to conduct the breach. This would be classified as an insider threat. A zero-day is a vulnerability in software unpatched by the developer or an attack that exploits such a vulnerability. A known threat is a threat that can be identified using a basic signature or pattern matching. An advanced persistent threat (APT) is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware.

Which type of threat actor can accidentally or inadvertently cause a security incident in your organization? A. Organized Crime B. APT C. Hacktivist D. Insider threat

D. Insider threat Explanation OBJ-1.5: An insider threat is a type of threat actor assigned privileges on the system that cause an intentional or unintentional incident. Insider threats can be used as unwitting pawns of external organizations or make crucial mistakes that can open up exploitable security vulnerabilities. Hacktivists, Organized Crimes, and advanced persistent threats (APT) entities do not accidentally or unwittingly target organizations. Instead, their actions are deliberate. A hacktivist is an attacker that is motivated by a social issue or political cause. Organized crime is a type of threat actor that uses hacking and computer fraud for commercial gain. An advanced persistent threat (APT) is a type of threat actor that can obtain, maintain, and diversify access to network systems using exploits and malware.

What containment technique is the strongest possible response to an incident? A. Isolating the attacker B. Enumeration C. Segmentation D. Isolating affected systems

D. Isolating affected systems Explanation OBJ-4.4: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. Enumeration is defined as the process of extracting usernames, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.

What is the biggest disadvantage of using single sign-on (SSO) for authentication? A. Users need to authenticate with each server as they log on B. The identity provider issues the authorization C. Systems must be configured to utilize the federation D. It introduces a single point of failure

D. It introduces a single point of failure Explanation OBJ-5.4: Single sign-on is convenient for users since they only need to remember one set of credentials. Unfortunately, single sign-on also introduces a single point of failure. If the identity provider is offline, then the user cannot log in to any of the resources they may wish to utilize across the web. Additionally, if the single sign-on is compromised, the attacker now has access to every site that the user would have access to using the single set of credentials.

Dion Training has added a salt and cryptographic hash to their passwords to increase the security before storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called? A. Collision resistance B. Rainbow table C. Salting D. Key stretching

D. Key stretching Explanation OBJ-2.8: In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. The question describes one such key stretching technique.

You have been asked to help design a new architecture for Dion Training's website. The current architecture involves a single server that hosts the website in its entirety. The company's newest course has been creating a lot of interest on social media. The CIO is concerned that the single server will not be able to handle the increased demand that could result from this increased publicity. What technology should you implement in the new architecture to allow multiple web servers to serve up the courses and meet this expected increase in demand from new students? A. DLP B. VPN concentrator C. RAID D. Load balancer

D. Load balancer Explanation OBJ-3.3: A load balancer allows for high availability and the ability to serve increased demand by splitting the workload across multiple servers. RAID is a high availability technology that allows for multiple hard disks to act logically as one to handle more throughput, but this will not solve the higher demand on the server's limited processing power as a load balancer would. A VPN concentrator is a networking device that provides the secure creation of VPN connections and the delivery of messages between VPN nodes. A data loss prevention (DLP) system is focused on ensuring that intellectual property theft does not occur. Therefore, a DLP will not help meet the increased demand from new students.

Which of the following types of access control provides the strongest level of protection? A. DAC B. RBAC C. ABAC D. MAC

D. MAC Explanation OBJ-3.8: Mandatory Access Control (MAC) requires all access to be predefined based on system classification, configuration, and authentication. MAC is commonly used in highly centralized environments and usually relies on a series of labels, such as classification levels of the data.

Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat? A. OpenIOC B. Diamond Model of Intrusion Analysis C. Lockheed Martin cyber kill chain D. MITRE ATT&CK framework

D. MITRE ATT&CK framework Explanation OBJ-4.2: The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Diamond Model provides an excellent methodology for communicating cyber events and allowing an analyst to implicitly derive mitigation strategies. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate them. OpenIOC contains a depth of research on APTs but does not integrate the detection and mitigation strategy.

You have been asked to assist with an investigation into a malicious user's activities. Unfortunately, your organization did not have full packet capture available for the time period of the suspected activities. Instead, you have received netflow data that contains statistics and information about the network traffic during that time period. Which of the following best represents the type of data you can obtain from this netflow data to support the investigation? A. Email messages B. Application logs C. File contents D. Metadata

D. Metadata Explanation OBJ-4.3: Netflow is a flow analysis tool. Netflow does not capture the full packet capture of data as it crosses the network sensor but instead captures metadata and statistics about the network traffic. This metadata can highlight trends and patterns in the traffic generated by the malicious user, such as the volume of data sent and received. This could indicate data exfiltration if a large amount of data was sent in a short period of time. File contents and email messages could be retrieved from a full packet capture, but unfortunately, that was not provided in this scenario. Application logs are stored locally on a host or a centralized server, but those would not be captured in the netflow data.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) *reference image* How would you appropriately categorize the authentication method being displayed here? A. Biometric authentication B. Multifactor authentication C. One-time password authentication D. PAP authentication

D. PAP authentication Explanation OBJ-2.4: For the exam, you need to know the different authentication categories and what type of authentication methods belong to each category. A username and password are used as part of the Password Authentication Protocol (PAP) authentication system. A username and password are also considered a knowledge factor in an authentication system.

Which cloud computing concept is BEST described as focusing on replacing the hardware and software required when creating and testing new applications and programs from a customer's environment with cloud-based resources? A. SaaS B. SECaaS C. IaaS D. PaaS

D. PaaS Explanation OBJ-2.2: Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center. Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Security as a service is a business model in which a service provider integrates their security services into a corporate infrastructure on a subscription basis more cost-effectively than most individuals or corporations can provide on their own when the total cost of ownership is considered.

Samantha works in the human resource department in an open floorplan office. She is concerned about the possibility of someone conducting shoulder surfing to read sensitive information from employee files while accessing them on her computer. Which of the following physical security measures should she implement to protect against this threat? A. Badge reader B. Biometric lock C. Hardware token D. Privacy screen

D. Privacy screen Explanation OBJ-1.1: A privacy screen is a filter placed on a monitor to decrease the viewing angle of a monitor. This prevents the monitor from being viewed from the side and can help prevent shoulder surfing. The standard type of anti-glare filter consists of a coating that reduces the reflection from a glass or plastic surface. A biometric lock is any lock that can be activated by biometric features, such as a fingerprint, voiceprint, or retina scan. Biometric locks make it more difficult for someone to counterfeit the key used to open the lock or a user's account. A smart card is a form of hardware token. A smart card, chip card, or integrated circuit card is a physical, electronic authorization device used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit chip. In high-security environments, employee badges may contain a smart card embedded chip that must be inserted into a smart card reader to log in or access information on the system. A badge reader is used to read an employee's identification badge using a magnetic stripe, barcode, or embedded RFID chip.

*reference image* Dion Training is concerned with students entering the server room without permission. To prevent this from occurring, the organization wants to purchase and install an access control system that will allow each instructor to have access using an RFID device. Which of the following authentication mechanisms should Dion Training use to meet this requirement? A. CCTV B. Biometric reader C. Access control vestibule D. Proximity badge

D. Proximity badge Explanation OBJ-2.7: The best option is to use a proximity badge. This type of badge embeds an RFID chip into the card or badge. When an authorized user swipes their card or badge over the reader, it sends an RF signal that uniquely identifies the card's holder or badge. While some of the other options presented could be used for authentication (such as biometrics), these options do not use an RFID as stated in the requirements. Closed-circuit television is a type of video surveillance where video cameras transmit a signal to a specific place using a limited set of monitors. An access control vestibule is a physical security access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens. Biometrics are identifying features stored as digital data that can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition. This requires a relevant scanning device, such as a fingerprint reader, and a database of biometric information for authentication to occur.

Which type of authentication method is commonly used with physical access control systems and relies upon RFID devices embedded into a token? A. TOTP B. HOTP C. Smart cards D. Proximity cards

D. Proximity cards Explanation OBJ-2.7: A proximity card is a contactless card that usually utilizes RFID to communicate with the reader on a physical access system. These are commonly used to access secured rooms (such as server rooms) or even a building itself (such as at an access control vestibule). Some smart cards contain proximity cards within them, but the best answer to this question is proximity cards since that is the function of the smart card would be the device used to meet this scenario's requirements. An HMAC-based one-time password (HOTP) is a one-time password algorithm based on hash-based message authentication codes. A Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password that uses the current time as a source of uniqueness.

Your company wants to provide a secure SSO solution for accessing both the corporate wireless network and its network resources. Which of the following technologies should be used? A. WPS B. WEP C. WPA2 D. RADIUS

D. RADIUS Explanation OBJ-3.4: With RADIUS and SSO configured, users on the network can provide their user credentials one time when they initially connect to the wireless access point or another RADIUS client and are then automatically authenticated to all of the network's resources. The Remote Authentication Dial-in User Service (RADIUS) is used to manage remote and wireless authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The client device then passes the authentication data to an AAA (Authentication, Authorization, and Accounting) server that processes the request. The Terminal Access Controller Access Control System (TACACS+) is a proprietary alternative to RADIUS developed by Cisco for handling authentication. The Wi-Fi Protected Setup (WPS) is a mechanism for auto-configuring a WLAN securely for home users. On compatible equipment, users push a button on the access point and connect adapters to associate them securely. WPS is subject to brute force attacks against the PIN used to secure them, making them vulnerable to attack. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption.

Dion Training uses an authentication protocol to connect a network client to a networked file server by providing its authentication credentials. The file server then uses the authentication credentials to issue an authentication request to the server running this protocol. The server can then exchange authentication messages with the file server on behalf of the client. Throughout this process, a shared secret is used to protect the communication. Which of the following technologies relies upon the shared secret? A. PKI B. Kerberos C. LDAP D. RADIUS

D. RADIUS Explanation OBJ-3.8: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol operating on port 1812 that provides centralized Authentication, Authorization, and Accounting (AAA or Triple-A) management for users who connect and use a network service. The RADIUS protocol utilizes an obfuscated password created from the shared secret and creates an MD5 hash of the authentication request to protect the communications.

Which of the following cryptographic algorithms is classified as asymmetric? A. AES B. RC4 C. DES D. RSA

D. RSA Explanation OBJ-2.8: RSA (Rivest-Shamir-Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm. AES, RC4, and DES are all symmetric algorithms.

You are working as part of the server team for an online retail store. Due to the upcoming holidays, your boss is worried that the current servers may not be able to handle the increased demand during a big sale. Which of the following cloud computing concepts can quickly allow services to scale upward during busy periods and scale down during slower periods based on the changing user demand? A. Resource pooling B. On-demand C. Metered services D.Rapid elasticity

D. Rapid elasticity Explanation OBJ-2.3: Rapid elasticity is used to describe scalable provisioning or the capability to provide scalable cloud computing services. Rapid elasticity is very critical to meet the fluctuating demands of cloud users. The downside of rapid elasticity implementations is that they can cause significant loading of the system due to the high resource number of allocation and deallocation requests. Resource pooling refers to the concept that allows a virtual environment to allocate memory and processing capacity for a VMs use. On-demand refers to the fact that a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider. Metered services are pre-paid, a-la-carte, pay-per-use, or committed offerings. A metered service like a database may charge its users based on the actual usage of the service resources on an hourly or monthly basis. For example, Dion Training used the AWS Lambda serverless product in some of our automation. This service charges us $0.20 for every 1 million requests processed.

Which of the following biometric authentication factors uses an infrared light shone into the eye to identify the pattern of blood vessels? A. Iris scan B. Pupil dilation C. Facial recognition D. Retinal scan

D. Retinal scan Explanation OBJ-2.4: Retinal scans utilize an infrared light shone into the eye to identify the pattern of blood vessels. The arrangement of these blood vessels is highly complex and typically does not change from birth to death, except in the event of certain diseases or injuries. Retinal scanning is, therefore, one of the most accurate forms of biometrics. Retinal patterns are very secure, but the equipment required is expensive, and the process is relatively intrusive and complex. False negatives can be produced by disease, such as cataracts.

Which type of method is used to collect information during the passive reconnaissance? A. API requests and responses B. Network traffic sniffing C. Social engineering D. Reviewing public repositories

D. Reviewing public repositories Explanation OBJ-1.8: Passive reconnaissance focuses on collecting information that is widely and openly available from publicly available sources. While network traffic sniffing is considered passive, gaining access to the network to place a sniffer in a good network tap location would not be considered passive. Of the choices provided, publicly accessible sources are the best answer to choose. Collecting API requests and responses would involve a penetration tester sending data to a given server and analyzing the responses received, which is considered an active reconnaissance method. Social engineering is also an active reconnaissance technique that uses deception to trick a user into providing information to an attacker or penetration tester.

What is the term for the amount of risk that an organization is willing to accept or tolerate? A. Risk avoidance B. Risk transference C. Risk deterrence D. Risk appetite

D. Risk appetite Explanation OBJ-5.4: An organization's willingness to tolerate risk is known as its risk appetite. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan less it frequently, for example. If you have a low-risk appetite, you will place a higher amount of resources towards defending and mitigating your systems. Risk avoidance is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk deterrence is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk transference moves or shares the responsibility of risk to another entity.

What term describes the amount of risk an organization is willing to accept? A. Risk mitigation B. Risk acceptance C. Risk avoidance D. Risk appetite

D. Risk appetite Explanation OBJ-5.4: Risk appetite describes how much risk an organization is willing to accept. This is a crucial factor both in designing the assessment and determining the recommended mitigations. Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a data center. Risk mitigation refers to applying security controls to reduce the risk of a known vulnerability. Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization's assets. Risk acceptance is the act of accepting the identified risk and not taking additional actions to reduce the risk because the risk is low enough. Risk acceptance should only be done once an organization's risk tolerance is defined and communicated amongst the decision-makers.

Which of the following protocols could be used inside a virtual system to manage and monitor the network? A. EIGRP B. SMTP C. BGP D. SNMP

D. SNMP Explanation OBJ-3.1: SNMP is used to monitor and manage networks, both physical and virtual. SMTP is used for email. BGP and EIGRP are used for routing network data.

You have signed up for a web-based appointment scheduling application to help you manage your new IT technical support business. What type of solution would this be categorized as? A. IaaS B. DaaS C. PaaS D. SaaS

D. SaaS Explanation OBJ-2.2: Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center.

Your organization has been receiving many phishing emails recently, and you are trying to determine why they are effective in getting your users to click on their links. The latest email consists of what looks like an advertisement that is offering an exclusive early access opportunity to buy a new iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social engineering principle is being exploited here? A. Familiarity B. Intimidation C. Trust D. Scarcity

D. Scarcity Explanation OBJ-1.1: Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as "supplies are limited," "only available for the next 4 hours", and other such artificial limitations being used. Familiarity is a social engineering technique that relies on assuming a widely known organization's persona. For example, in the United States, nearly 25% of Americans have a Bank of America account. For this reason, phishing campaigns often include emails pretending to be from Bank of America since 1 in 4 people who receive the email in the United States are likely to have an account. This makes them familiar with the bank name and is more likely to click on the email link.

Which of the following does a User-Agent request a resource from when conducting a SAML transaction? A. Single sign-on (SSO) B. Relying party (RP) C. Identity provider (IdP) D. Service provider (SP)

D. Service provider (SP) Explanation OBJ-3.8: Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

You are working for a government contractor who requires all users to use a PIV device when sending digitally signed and encrypted emails. Which of the following physical security measures is being implemented? A. Biometric reader B. Cable lock C. Key fob D. Smart card

D. Smart card Explanation OBJ-3.7: A smart card is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government, and corporate identification cards, documents such as electronic passports and visas, and financial payment cards. Often, smart cards are used as part of a multifactor authentication system in which the smart card and a PIN need to be entered for system authentication to occur. Biometrics are identifying features stored as digital data that can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition. This requires a relevant scanning device, such as a fingerprint reader, and a database of biometric information for authentication to occur. The Kensington lock is a small hole found on almost every portable computer or laptop made after 2000. It allows a cable lock to be attached to a portable computer or laptop to lock it to a desk and prevent theft. These locks often use a combination lock or padlock type of locking system. These locks do not affect the user's ability to use the laptop or device. It only prevents them from moving the laptop from the area. A key fob generates a random number code synchronized to a code on the server. The code changes every 60 seconds or so. This is an example of a one-time password. A SecureID token is an example of a key fob that is produced by RSA.

Which of the following identity and access management controls relies upon using a certificate-based authentication mechanism? A. TOTP B. Proximity card C. HOTP D. Smart card

D. Smart card Explanation OBJ-3.7: Smart cards, PIV, and CAC devices are used as an identity and access management control. These devices contain a digital certificate embedded within the smart card (PIV/CAC) presented to the system when it is inserted into the smart card reader. When combined with a PIN, the smart card can be used as a multi-factor authentication mechanism. The PIN unlocks the card and allows the digital certificate to be presented to the system.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Which of the following types of attacks occurs when an attacker sends unsolicited messages over Facebook messenger? A. Spear phishing B. Spamming C. Pharming D. Spimming E. Phishing

D. Spimming Explanation OBJ-1.1: Spim is a type of spam targeting users of instant messaging (IM) services, SMS, or private messages within websites and social media. If the unsolicited messages were sent by email, they would have instead been classified as Spam.

DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as? A. Decompiler B. Fault injector C. Fuzzer D. Static code analyzer

D. Static code analyzer Explanation OBJ-3.2: DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program to be run during testing and analysis.

Which of the following types of remote access technologies should NOT be used in a network due to its lack of security? A. SSH B. RDP C. VPN D. Telnet

D. Telnet Explanation OBJ-3.1: Telnet should not be used in a network due to its weak security posture. Telnet transmits all of the data in plain text (without encryption), including usernames, passwords, commands, and data files. For this reason, it should never be used in production networks and has been replaced by SSH in most corporate networks. Remote Desktop Protocol (RDP) is a Microsoft protocol designed to facilitate application data transfer security and encryption between client user devices and a virtual network server. It enables a remote user to add a graphical interface to the desktop of another computer. SSH (Secure Shell) is used to remotely connect to a network's switches and routers to configure them securely. SSH is typically used for logging into a remote machine and executing commands, but it also supports tunneling, forwarding TCP ports, and X11 connections; it can transfer files using the associated SSH file transfer (SFTP) or secure copy (SCP) protocols. SSH uses the client-server model. A remote-access VPN connection allows an individual user to connect to a private network from a remote location using a laptop or desktop computer connected to the internet. A remote-access VPN allows individual users to establish secure connections with a remote computer network. Once established, the remote user can access the corporate network and its capabilities as if they were accessing the network from their own office spaces.

You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on the network? A. The beaconing interval B. The removal of known traffic C. The beacon's persistence D. The beacon's protocol

D. The beacon's protocol Explanation OBJ-1.8: The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely. Other factors like the beacon's persistence (if it remains after a reboot of the system) and the beacon's interval (how much time elapses between beaconing)are much better indicators for fingerprinting a malicious beacon. The removal of known traffic by the script can also minimize the amount of data the cybersecurity analyst needs to analyze, making it easier to detect the malicious beacon without wasting their time reviewing non-malicious traffic.

You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark: *reference image* Based on your review, what does this scan indicate? A. 192.168.3.145 might be infected with malware B. 173.12.15.23 might be infected with malware C. 173.12.15.23 might be infected and beaconing to a C2 server D. This appears to be normal network traffic E. 192.168.3.145 might be infected and beaconing to a C2 server

D. This appears to be normal network traffic Explanation OBJ-4.1: This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host's firewall since it is not running those services on the host. None of this network traffic appears to be suspicious.

Jennifer decided that the licensing cost for a piece of video editing software was too expensive. Instead, she decided to download a keygen program to generate a license key and install a pirated version of the editing software. After she runs the keygen, a license key is created, but her system performance becomes very sluggish, and her antimalware suite begins to display numerous alerts. Which type of malware might her computer be infected with? A. Worm B. Adware C. Logic bomb D. Trojan

D. Trojan Explanation OBJ-1.2: A trojan is a program in which malicious or harmful code is contained inside a harmless program. In this example, the harmless program is the key generator (which does create a license key). It also has malicious code inside it causing the additional alerts from the antimalware solution. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system. A worm is a standalone malware computer program that replicates itself to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. A worm can spread on its own, whereas a virus needs a host program or user interaction to propagate itself. A logic bomb is a malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed, or on a specific date. Adware is software that displays unwanted advertisements on your computer.

A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have? A. Keylogger B. Ransomware C. Rootkit D. Trojan

D. Trojan Explanation OBJ-1.2: A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system. Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received. A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enabled administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system. A keylogger actively attempts to steal confidential information by capturing the data when entered into the computer by the user. This is done by recording keystrokes entered into a web browser or other application. A software keylogger can be run in the background on a victim's computer. A hardware keylogger may be placed between the USB port and the wired keyboard.

Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted? A. VPC B. VPN C. UEBA D. VDI

D. VDI Explanation OBJ-3.5: Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from a user's physical computer. Virtual private cloud (VPC) is a private network segment made available to a single cloud consumer on a public cloud. A virtual private network (VPN) is a secure tunnel created between two endpoints connected via an insecure network, typically the internet. User and entity behavior analytics (UEBA) is a system that can provide automated identification of suspicious activity by user accounts and computer hosts.

Your company has an office in Boston and is worried that its employees may not reach the office during periods of heavy snowfall. You have been asked to select a technology that would allow employees to work remotely from their homes during poor weather conditions. Which of the following should you select? A. VLAN B. NAT C. IDS D. VPN

D. VPN Explanation OBJ-3.3: A remote-access VPN connection allows an individual user to connect to a private network from a remote location using a laptop or desktop computer connected to the internet. A remote-access VPN allows individual users to establish secure connections with a remote computer network. Once established, the remote user can access the corporate network and its capabilities as if they were accessing the network from their own office spaces. Network address translation (NAT) is a network service provided by a router or proxy server to map private local addresses to one or more publicly accessible IP addresses. NAT can use static mappings but is commonly implemented as network port address translation (PAT) or NAT overloading, where a few public IP addresses are mapped to multiple LAN hosts using port allocations. A Virtual LAN (VLAN) is a logically separate network that is created using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate. An intrusion detection system (IDS) is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can stop malicious activity or policy violations, an IDS can only log these issues and not stop them.

You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment? A. Purchase additional workstations B. Bypass testing and deploy patches directly into the production environment C. Sandboxing D. Virtualization

D. Virtualization Explanation OBJ-3.2: When you have a limited amount of hardware resources to utilize but have a requirement to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system before deployment. You should never deploy patches directly into production without testing them first in the lab. Virtualization will allow the organization to create a lab environment without significant costs. Purchasing additional workstations would be costly and more time-consuming to configure.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Which of the following types of attacks occurs when an attacker calls up people over the phone and attempts to trick them into providing their credit card information? A. Pharming B. Phishing C. Hoax D. Vishing E. Spear phishing

D. Vishing Explanation OBJ-1.1: Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers.

You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device? A. MAC validation B. Site surveys C. Port scanning D. War walking

D. War walking Explanation OBJ-1.8: War walking is conducted by walking around a build while locating wireless networks and devices. War walking will not help find a wired rogue device. Checking valid MAC addresses against a known list, scanning for new systems or devices, and physically surveying for unexpected systems can be used to find rogue devices on a wired network.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) *reference image* Which of the following types of attacks occurs when an attacker specifically targets the CEO, CFO, CIO, and other board members during their attack? A. Smishing B. Vishing C. Phishing D. Whaling F. Spear phishing

D. Whaling Explanation OBJ-1.1: Whaling occurs when the attacker targets the C-level executives (CEO, CFO, CIO, etc.), board members, and other senior executives within the organization.

Dion Training wants to reduce the management and administrative costs of using multiple digital certificates for all of their subdomains of diontraining.com. Which of the following solutions would allow the company to use one digital certificate for all of its subdomains? A. Key escrow B. OCSP C. CRL D. Wildcards

D. Wildcards Explanation OBJ-3.9: Wildcards are certificates that allow your company unlimited subdomains on a parent domain. Object identifiers identify an object. Key escrow is for key storage. OCSP is a protocol used to query CA about the revocation status of a certificate.

Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company's owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donating them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computer's hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend? A. Shredding B. Purging C. Degaussing D. Wiping

D. Wiping Explanation OBJ-2.7: Data wiping or clearing occurs by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media. Data wiping may be performed with a 1x, 7x, or 35x overwriting, with a higher number of times being more secure. This allows the hard drive to remain functional and allows for hardware reuse. Degaussing a hard drive involves demagnetizing a hard drive to erase its stored data. You cannot reuse a hard drive once it has been degaussed. Therefore, it is a bad solution for this scenario. Purging involves removing sensitive data from a hard drive using the device's internal electronics or an outside source such as a degausser, or by using a cryptographic erase function if the drive supports one. Shredding involves the physical destruction of the hard drive. This is a secure method of destruction but doesn't allow for device reuse.

You are analyzing the SIEM for your company's e-commerce server when you notice the following URL in the logs of your SIEM: *reference image* Based on this line, what type of attack do you expect has been attempted? A. SQL injection B. Buffer overflow C. Session hijacking D. XML injection

D. XML injection Explanation OBJ-1.3: This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application's intended logic. XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server's XML structure. The original XML structure would be: <addToCart> <item id="5" perItemPrice="50.00" quantity="1" /> </addToCart>. By using the URL above, this would be modified to the following: <addToCart> <item id="5" perItemPrice="0.00" quantity="10" /> <item id="5" perItemPrice="50.00" quantity="0" /> </addToCart>. The result would be that a new line was added in the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store's add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, shown by the bracketed data.

You have been asked to scan your company's website using the OWASP ZAP tool. When you perform the scan, you received the following warning: "The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved." You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below: *reference image* Based on your analysis, which of the following actions should you take? A. You recommend that the system administrator pushes out a GPO update to reconfigure the web browsers security settings B. You recommend that the system administrator disables SSL on the server and implements TLS instead C. This is a false positive and you should implement a scanner exception to ensure you don't receive this again during your next scan D. You tell the developer to review their code and implement a bug/code fix

D. You tell the developer to review their code and implement a bug/code fix Explanation OBJ-2.3: Since your company owns the website, you can require the developer to implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE function to work on this website. The code change to perform is quite simple, simply adding "autocomplete=off" to the code's first line. The resulting code would be <form action="authenticate.php" autocomplete="off">.

You are analyzing the following network utilization report because you suspect one of the servers has been compromised. *reference image* Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further? A. webdev02 B. web01 C. marketing01 D. dbsvr01

D. dbsvr01 Explanation OBJ-1.6: Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.

Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3? A. ip.proto==tcp B. ip.dst==10.1.2.3 C. http.request.method=="POST" D. http.request.method=="POST" && ip.dst==10.1.2.3

D. http.request.method=="POST" && ip.dst==10.1.2.3 Explanation OBJ-4.1: Filtering the available PCAP with just the http "post" methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both of these can minimize the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto==tcp filter would display all TCP traffic on a network, regardless of the port, IP address, or protocol being used. It would simply produce too much information to analyze.

Which command would be used to display the network address and subnet mask for the wired network connection on a Linux system? A. netstat B. nslookup C. ipconfig D. ip

D. ip Explanation OBJ-4.1: The ip command is used to display information about the current wired network connection on a Linux system, including its IP address, subnet mask, and MAC address. The nslookup command is used to display and troubleshoot DNS records. The netstat command is used to display the network statistics. The ipconfig tool displays all current TCP/IP network configuration values on a Windows system.

During a penetration test of your company's network, the assessor came across a spreadsheet with the passwords being used for several servers. Four of the passwords recovered are listed below. Which one is the weakest password and should be changed FIRST to increase the password's complexity? A. P@$$w0rd B. Pa55w0rd C. P@$$W0RD D. pa55word

D. pa55word Explanation OBJ-3.7: Password policies often enforce a mixture of standard character types, including uppercase letters, lowercase letters, numbers, and symbols. The option 'pa55word' is the weakest choice since it only includes lowercase letters and numbers. The option 'Pa55w0rd' is slightly more complex since it includes uppercase letters, lowercase letters, and numbers. The option 'P@$$W0RD is also similar in complexity since it includes uppercase letters, numbers, and special characters. The most secure option is 'P@5$w0rd' since it includes a mixture of uppercase letters, lowercase letters, numbers, and special characters.

Which of the following access control models is the most flexible and allows the resource owner to control the access permissions? A. DAC B. ABAC C. RBAC D. MAC

DAC Explanation OBJ-3.8: Discretionary access control (DAC) stresses the importance of the owner. The original creator of the resource is considered the owner and can then assign permissions and ownership to others. The owner has full control over the resource and can modify its ACL to grant rights to others. This is the most flexible model and is currently implemented widely in Windows, Unix, Linux, and macOS systems.

Which of the following cryptographic algorithms is classified as asymmetric? A. RC4 B. AES C. DES D. DSA

DSA Explanation OBJ-2.8: The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures. The algorithm uses a key pair consisting of a public key and a private key. AES, RC4, and DES are all symmetric algorithms.

Which of the following cryptographic algorithms is classified as asymmetric? A. RC4 B. AES C. Blowfish D. Diffie-Hellman

Diffie-Hellman Explanation OBJ-2.8: The Diffie-Hellman (DH) is used to exchange cryptographic keys over a public channel securely and was one of the first public-key protocols. As a public-key protocol, it relies on an asymmetric algorithm. AES, RC4, and Blowfish are all symmetric algorithms.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) *reference image* Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization? A. Hoax B. Pharming C. Phishing D. Vishing E. Spear phishing

E. Spear phishing Explanation OBJ-1.1: Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. The key to answering this question is that the attack was focused on a targeted set of people, not just an indiscriminate large group of random people.

You recently had issues with unauthorized access to your computer from the Internet. Which tool can be used to block these connections to your computer? Answers A. Host-based intrusion detection system B. Network-based intrusion detection system C. Antivirus D. Host-based firewall

Host-based firewalls are software that monitors traffic and can block or allow network connections. Software firewall applications can also watch for suspicious outbound activity and block or allow programs from accessing the Internet. Everyone that has a home computer should have a software firewall in place.A host-based intrusion detection system (HIDS) runs as software and is used to detect and alert of intrusions on single devices. A network-based intrusion detection system (NIDS) is configured at a strategic area on the network to allow it to monitor traffic from all devices to detect intrusions. An HIDS and NIDS cannot be used to block unauthorized access.Antivirus software automatically detects these malicious programs by comparing file signatures with a database of known viruses. Antivirus software is not used to block unauthorized access.

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that their file server has crashed twice in the last two years. The most recent time was in August, and the time before that was 15 months before. Which of the following metrics would best represent this 15 month time period? A. RTO B. RPO C. MTTR D. MTBF

MTBF Explanation OBJ-5.4: Mean time between failures (MTBF) is the average time between system breakdowns. MTBF is a crucial maintenance metric to measure performance, safety, and equipment design, especially for critical or complex assets, like generators or airplanes. It is also used to determine the reliability of an asset.

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization's RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period? A. RTO B. MTBF C. MTTR D. RPO

MTTR Explanation OBJ-5.4: Mean time to repair (MTTR) is a basic measure of the maintainability of repairable items. It represents the average time required to repair a failed component or device.

Which of the following terms is used to describe the period of the time taken to correct a fault so that the system is restored to full operations after a failure or incident? A. MTTR B. RTO C. RPO D. MTBF

MTTR Explanation OBJ-5.4: Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation. MTTR is often used to describe the average time to replace or recover a system or product. Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired.

(Sample Simulation - On the real exam for this type of question, you would drag and drop the authentication factor into the spot for the correct category.) How would you appropriately categorize the authentication method displayed here? PIN. ____ Something you know GPS Coordinates. ____ Something you have Fingerprint. ____ Something you are Signature. ____ Something you do Smart Card. ____ Somewhere you are A. Fingerprint, PIN, GPS Coordinates, Smart Card, Signature B. PIN, Smart Card, Fingerprint, Signature, GPS Coordinates C. PIN, Signature, Fingerprint, Smart Card, GPS Coordinates D. Smart card, Signature, GPS Coordinates, PIN, Fingerprint

PIN, Smart Card, Fingerprint, Signature, GPS Coordinates Explanation OBJ-2.4: For the exam, you need to know the different factors of authentication. If you use two or more of these factors, you are using multi-factor authentication. The five factors are something you know (knowledge), something you have (possession), something you are (biometrics), something you do (action), and somewhere you are (location).

Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place? A. Phishing B. Social engineering C. Privilege escalation D. Session hijacking

Privilege escalation Explanation OBJ-1.3: The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question's details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.

David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal? A. LDAP B. MySQL C. RDP D. IMAP

RDP Explanation OBJ-3.1: Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn't supposed to be opened, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.

You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery? Scan the network for additional instances of this vulnerability and patch the affected assets Restrict shell commands by user or host to ensure least privilege is followed Disable unused user account and reset the administrator credentials Restrict host access to peripheral protocols like USB and Bluetooth

Scan the network for additional instances of this vulnerability and patch the affected assets Explanation OBJ-4.2: All of the options listed are the best security practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as an insecure configuration), that same vulnerability could exist on many other assets across the network. During your recovery, you must identify if any other network systems share the same vulnerability and mitigate them. If you don't, the attacker could quickly reinfect your network by simply attacking another machine using the same techniques used during this intrusion. The other options listed are all examples of additional device hardening that should be conducted during recovery after you have identified the exploited vulnerability across the rest of the network.

Which of the following best describes the type of attack shown? A. Ping of death B. Smurf C. Man in the Middle D. XMAS tree attack

Smurf Explanation OBJ-1.4: A smurf attack uses a single ping with a spoofed source address sent to the broadcast address of a network. This causes every device within the network to receive a single ping, which appears to come from the device with the spoofed source address. Each network device then responds to the spoofed address, causing the victim (whose address was spoofed) to be overwhelmed with the responses to the initial ping.

Which of the following types of attacks are usually used as part of an on-path attack? A. DDOS B. Spoofing C. Brute force D. Tailgating

Spoofing Explanation OBJ-1.4: Spoofing is often used to inject the attacker into the conversation path between the two parties. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. The attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection. The attacker will intercept all relevant messages passing between the two victims and inject new ones. A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Tailgating is a social engineering technique to gain access to a building by following someone unaware of their presence. A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.

You are a member of the security team for a federal government agency. You would like to share cyber threat indicators and defensive measures with others using Automated Indicator Sharing (AIS).When configuring your software to participate in this sharing you receive an error indicated that you cannot perform predictive analysis because the exchange of information is not configured correctly.What is most likely the source of this error? A. STIX B. Your code repository C. TAXII D. Your threat maps

Structured Threat Information eXchange(STIX) is the standard language of AIS whereas Trusted Automated eXchange of Indicator Information (TAXII) is the standardized platform for communicating this data. Once this TAXII data is in place organizations can view threat maps that show where common attacks have occurred and perform predictive analysis on likely future threats. The file/code repository is used to store inert copies of the live files that are used in threat analysis.

Why would a company want to utilize a wildcard certificate for their servers? A. To secure the certificate's private key B. To secure the certificate's private key To reduce the certificate management burden C. To extend the renewal date of the certificate D. To increase the certificate's encryption key length

To secure the certificate's private key To reduce the certificate management burden Explanation OBJ-3.9: A wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain. This saves money and reduces the management burden of managing multiple certificates, one for each subdomain. A single wildcard certificate for *.diontraining.com will secure all these domains (www.diontraining.com, mail.diontraining.com, ftp.diontraining.com, etc.). The other options provided are not solved by using a wildcard certificate.

Which of the following is exploited by an SQL injection to give the attacker access to the database? A. Web application B. Operating system C. Firewall D. Database server

Web application Explanation OBJ-1.3: SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. These vulnerabilities being exploited are most often found in web applications. The database server or operating system would normally be exploited by a remote code execution, a buffer overflow, or another type of server-side attack. The firewall would not be subject to an SQL injection.

Which type of threat will patches NOT effectively combat as a security control? A. Discovered software bugs B. Zero-day attacks C. Malware with defined indicators of compromise D. Known vulnerabilities

Zero-day attacks Explanation OBJ-3.2: Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, a patch or mitigation is normally available. If a piece of malware has well-defined indicators of compromise. a patch or signature can be created to defend against it. as well.

(Sample Simulation - On the real exam for this type of question, you might receive a list of attack vectors and targets. Based on these, you would select the type of attack that occurred.) (1) An attacker has been collecting credit card details by calling victims and using false pretexts to trick them. (2) An attacker sends out to 100,000 random email addresses. In the email the attacker sent, it claims that "Your Bank of America account is locked out. Please click here to reset your password." What types of attacks have occurred in (1) and (2)? A. (1) Pharming and (2) Phishing B. (1) Spearphishing and (2) Pharming C. (1) Hoax and (2) Spearphishing D. (1) Vishing and (2) Phishing

(1) Vishing and (2) Phishing Explanation OBJ-1.1: Vishing uses a phone call to conduct information gathering and phishing type of actions. Spearphishing involves targeting specific individuals using well-crafted emails to gather information from a victim. Phishing relies on sending out a large volume of email to a broad set of recipients in the hopes of collecting the desired action or information. A hoax involves tricking a user into performing an action (such as virus remediation actions) when no infection has occurred. Pharming involves domain spoofing in an attempt to gather the desired information from a victim.

You are reviewing a rule within your organization's IDS. You see the following output: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any msg: "BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; flow: to_client, established; file data; content: "recordset"; offset:14; depth:9; content:". CacheSize"; distance:0; within:100; pcre: "/CacheSize\s*=\s*/"; byte_test:10,>,0x3ffffffe,0,relative, string; max-detect-ips drop, service http; reference:cve, 2016-8077; classtype: attempted-user; sid:65535; rev:1; Based on this rule, which of the following malicious packets would this IDS alert on? A. Any malicious inbound packets B. A malicious outbound TCP packet C. A malicious inbound TCP packet D. Any malicious outbound packets

A malicious inbound TCP packet Explanation OBJ-3.3: The rule header is set to alert only on TCP packets based on this IDS rule's first line. The flow condition is set as "to_client, established," which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port to be analyzed, and the direction of flow.

Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards? A. FISMA B. HIPAA C. COPPA D. SOX

A. FISMA Explanation OBJ-5.2: The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or human-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children's Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

Your organization is updating its Acceptable User Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement? A. All guests must provide valid identification when registering their wireless devices for use on the network B. Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters C. Open authentication standards should be implemented on all wireless infrastructure Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server (Incorrect)

All guests must provide valid identification when registering their wireless devices for use on the network Explanation OBJ-5.3: Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest's need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question's sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.

Dion Training wants to ensure that none of its computers can run a peer-to-peer file-sharing program on its office computers. Which of the following practices should be implemented to achieve this? A. Application allow listing B. MAC filtering C. Enable NAC D. Application blocklisting

Application blocklisting Explanation OBJ-4.4: Application blocklisting is the most appropriate practice to implement to block a limited number of known programs. Application allow listing could be used to achieve this purpose, but it would require much more work and block every program not specifically allowed by the allow list or approve list policy.

Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica sold in the general marketplace? A. Capitalism B. Counterfeiting C. Recycling D. Entrepreneurship

B. Counterfeiting Explanation OBJ-5.3: While the unauthorized third-party may assemble a component that was legitimately made from OEM parts, the fact remains that those parts were never intended for distribution under the manufacturer's legitimate label. Therefore, this is considered counterfeiting. As a cybersecurity analyst, you need to be concerned with your organization's supply chain management. There have been documented cases of counterfeit hardware (like switches and routers) being sold with malware or lower mean time between failures, both of which affect your network's security.

If you cannot ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to elicit a response from a host using TCP, what tool would you use? A. Traceroute B. Hping C. Ptunnel D. Broadcast ping

B. Hping Explanation OBJ-4.1: Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command but offered far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. Hping also allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols. Hping does not support IPv6, though, so the NMAP creators have created Nping to fill this gap and serve as an updated variant of Hping. Traceroute and tracert are computer network diagnostic commands for displaying the route and measuring packets' transit delays across an Internet Protocol network. Traceroute uses ICMP and not TCP. Broadcast ping is simply pinging the subnet's broadcast IP using the ping command, but if a regular ping does not work, neither will a broadcast ping. Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. Ptunnel is used as a covert channel, not to elicit a response from a host using TCP.

You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? A. Scan the files using a local anti-virus/anti-malware engine B. Submit the files to an open-source intelligence provider like VirusTotal C. Disassemble the files and conduct static analysis on them using IDA Pro D. Run the Strings tool against each file to identify common malware identifiers

B. Submit the files to an open-source intelligence provider like VirusTotal Explanation OBJ-1.5: The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community, as well. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded in a specific way within the malware, but you have to know what you are looking for, such as a malware signature. You should never scan the files using a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised because the scanner may also be compromised.

Dion Training has contracted a software development firm to create a bulk file upload utility for its website. During a requirements planning meeting, the developers asked what type of encryption is required for the project. After some discussion, Jason decides that the file upload tool should use a cipher capable of encrypting 64 bits of data at a time before transmitting the files from the web developer's workstation to the webserver. What of the following should be selected to meet this security requirement? A. Stream cipher B. Hashing algorithm C. CRC D. Block cipher

Block cipher Explanation OBJ-2.8: A block cipher is used to encrypt multiple bits at a time before moving to the next set of data. Block ciphers generally have a fixed-length block (8-bit, 16-bit, 32-bit, 64-bit, etc.). Stream ciphers encrypt a single bit (or byte) at a time during their encryption process. Hashing algorithms would not meet the requirement because the data would be encrypted using a one-way hash algorithm and be unusable once on the webserver. A cyclic redundancy check (CRC) is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to raw data. Blocks of data entering these systems get a short check value attached, based on the remainder of their contents' polynomial division.

Which of the following cryptographic algorithms is classified as symmetric? A. ECC B. PGP C. RSA D. Blowfish

Blowfish Explanation OBJ-2.8: Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products, ECC, PGP, and RSA are all asymmetric algorithms.

A cybersecurity analyst notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002 and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker? A. Hybrid B. Rainbow table C. Brute-force D. Dictionary

Brute-force Explanation OBJ-1.2: A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. In a traditional brute-force attack, the passcode or password is incrementally increased by one letter/number each time until the right passcode/password is found. A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. A rainbow table is a precomputed list of possible hashes used when trying to speed up the process of password cracking. A hybrid password cracking attack combines the use of a brute-force attack with a dictionary attack by using words from the dictionary's list as the basis for the brute-force attack. For example, if the diction had the word Jason in it, the hybrid attack might try Jason123, Jason!@#, and J@$0n as possible combinations based on the word Jason.

Which of the following types of digital forensic investigations is the most challenging due to the on-demand nature of the analyzed assets? A. Mobile devices B. Employee workstations C. Cloud services D. On-premise servers

Cloud services Explanation OBJ-3.6: The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Cloud providers can mitigate this to some extent by using extensive logging and monitoring options. A CSP might also provide an option to generate a file system and memory snapshots from containers and VMs in response to an alert condition generated by a SIEM. Employee workstations are often the easiest to conduct forensics on since they are a single-user environment for the most part. Mobile devices have some unique challenges due to their operating systems, but good forensic tool suites are available to ease the forensic acquisition and analysis of mobile devices. On-premise servers are more challenging than a workstation to analyze, but they do not suffer from the same issues as cloud-based services and servers.

A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this? A. Utilize formal methods of verification against the application processing the PHI B. Conduct tokenization of the PHI data before ingesting it into the big data application C. Utilize a SaaS model to process the PHI data instead of an on-premise solution D. Use DevSecOps to build the application that processes the PHI

Conduct tokenization of the PHI data before ingesting it into the big data application Explanation OBJ-2.1: The university should utilize a tokenization approach to prevent an inadvertent release of the PHI data. In a tokenization approach, all or part of data in a field is replaced with a randomly generated token. That token is then stored with the original value on a token server or token vault, separate from the production database. This is an example of a deidentification control and should be used since the personally identifiable medical data is not needed to be retained after ingesting it for the research project; only the medical data itself is needed. While using DevSecOps can improve the overall security posture of the applications being developed in this project, it does not explicitly define a solution to prevent this specific issue making it a less ideal answer choice for the exam. Formal verification methods can be used to prove that none of the AI/ML techniques that process the PHI data could inadvertently leak. Still, the cost and time associated with using these methods make them inappropriate for a system used to conduct research. A formal method uses a mathematical model of a system's inputs and outputs to prove that the system works as specified in all cases. It is difficult for manual analysis and testing to capture every possible use case scenario in a sufficiently complex system. Formal methods are mostly used with critical systems such as aircraft flight control systems, self-driving car software, and nuclear reactors, not big data research projects. The option provided that recommends utilizing a SaaS model is not realistic. There is unlikely to be a SaaS provider with a product suited to the big data research being done. SaaS products tend to be commoditized software products that are hosted

Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24 hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements? A. Configure replication of the data to a set of servers located at a hot site B. Conduct full backups daily to tape C. Create a daily incremental backup to tape D. Create disk-to-disk snapshots of the server every hour

Create a daily incremental backup to tape Explanation OBJ-5.4: Since the RPO must be within 24 hours, daily or hourly backups must be conducted. Since the requirement is for backups to be conducted at a specific time each week, hourly snapshots would not meet this requirement and are not easily transported since they are being conducted as disk-to-disk backup. Replication to a hot site environment also doesn't allow for transportation of the data to an off-site facility for storage, and replication would continuously occur throughout the day. Therefore, a daily incremental backup should be conducted since it will require the least amount of time to conduct. The tapes could be easily transported for storage and restored incrementally from tape since the last full backup was conducted.

You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program? A. HIPAA B. FERPA C. SOX D. GLBA

D. GLBA Explanation OBJ-5.2: The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.

A competitor recently bought Dion Training's ITIL 4 Foundation training course, transcribed the video captions into a document, re-recorded the course exactly word for word as an audiobook, then published this newly recorded audiobook for sale on Audible. From Dion Training's perspective, how would you BEST classify this situation? A. Data breach B. Mission essential function C. Identity theft D. IP theft

D. IP theft Explanation OBJ-5.5: This is an example of intellectual property (IP) theft and it happened in 2019 to our company. The competitor wasn't even smart enough to change the examples we used throughout our course from our website (diontraining.com) to their website and re-recorded our entire 8-hour course word-for-word to sell as an audiobook. This is not identity theft because they didn't pretend to be Jason Dion or Dion Training. This is not a data breach because they did not compromise our systems to steal the course. Instead, they went to our website and purchased it. The risk is not a mission-essential function. A mission essential function is something that your organization must do to maintain its operations. For example, at Dion Training, our mission essential functions are (1) recording and editing training videos and (2) writing and publishing practice exams.

A security analyst conducts a Nmap scan of a server and found that port 25 is open. What risk might this server be exposed to? A. Clear text authentication B. Open file/print sharing C. Web portal data leak D. Open mail relay

D. Open mail relay Explanation OBJ-1.5: Port 25 is the default port for SMTP (Simple Message Transfer Protocol), which is used for sending an email. An active mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send email through it, not just mail originating from your known and trusted users. Spammers can exploit this type of vulnerability to use your email server for their benefit. File/print sharing usually operates over ports 135, 139, and 445 on a Windows server. Web portals run on ports 80 and 443. Clear text authentication could occur using an unencrypted service, such as telnet (23), FTP (20/21), or the web (80).

A firewall administrator has configured a new screened subnet to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (Screened Subnet) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the screened subnet for the Chief Security Officer to work from his home office after hours. The CSO's home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall? A. Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389 B. Permit 143.27.43.0/24 161.212.71.14 RDP 3389 C. Permit 143.27.43.32 161.212.71.0/24 RDP 3389 D. Permit 143.27.43.32 161.212.71.14 RDP 3389

D. Permit 143.27.43.32 161.212.71.14 RDP 3389 Explanation OBJ-3.3: Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ (screened subnet), so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only "permit 143.27.43.32 161.212.71.14 RDP 3389" could be correct.

You have run a vulnerability scan and received the following output: _________________________________________________________________________ CVE-2011-3389 QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability Check with: openssl s_client -connect login.diontraining.com:443 - tls -cipher "AES:CAMELLISA:SEED:3DES:DES" _________________________________________________________________________ Which of the following categories should this be classified as? A. PKI transfer vulnerability B. VPN tunnel vulnerability C. Active Directory encryption vulnerability D. Web application cryptography vulnerability

D. Web application cryptography vulnerability Explanation OBJ-4.3: This vulnerability should be categories as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger protocol should be used, such as forcing the use of AES.

Review the following packet captured at your NIDS: After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host? A. DENY IP HOST 86.18.10.3 EQ 3389 B. DENY TCP ANY HOST 71.168.10.45 EQ 3389 C. DENY IP HOST 71.168.10.45 ANY EQ 25 D. DENY TCP ANY HOST 86.18.10.3 EQ 25

DENY TCP ANY HOST 71.168.10.45 EQ 3389 Explanation OBJ-4.4: Since the question asks you to prevent unauthorized service access, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the Remote Desktop Protocol service that is unauthorized (port 3389).

Your organization requires the use of TLS or IPsec for all communications with an organization's network. Which of the following is this an example of? A. Data in transit B. DLP C. Data in use D. Data at rest

Data in transit Explanation OBJ-2.1: Data in transit (or data in motion) occurs whenever data is transmitted over a network. Examples of types of data in transit include website traffic, remote access traffic, data being synchronized between cloud repositories, and more. In this state, data can be protected by a transport encryption protocol, such as TLS or IPsec. Data at rest means that the data is in persistent storage media using whole disk encryption, database encryption, and file- or folder-level encryption. Data in use is when data is present in volatile memory, such as system RAM or CPU registers and cache. Secure processing mechanisms such as Intel Software Guard Extensions can encrypt data as it exists in memory so that an untrusted process cannot decode the information. This uses a secure enclave and requires a hardware root of trust. Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without proper authorization. DLP is a generic term that may include data at rest, data in transit, or data in use to function.

Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customer's data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario? A. Data limitation B. Data minimization C. Data sovereignty D. Data enrichment

Data sovereignty Explanation OBJ-2.1: While the fictitious Westeros may have no privacy laws or regulations, the laws of the countries where the company's customers reside may still retain sovereignty over the data obtained from those regions during the company's business there. This is called Data Sovereignty. Data sovereignty refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service. Fail to Pass Systems will likely face steep fines from different regions if they go through with their plan to sell all of their customers' data to the highest bidders. Fail to Pass Systems may even be blocked from communicating with individual regions. Although data minimization and data limitation policies may be violated depending on the company's internal policies, these policies are not legally binding like the provisions of GDPR are. Data enrichment means that the machine analytics behind the view of a particular alert can deliver more correlating and contextual information with a higher degree of confidence, both from within the local network's data points and from external threat intelligence.

A user reports that every time they try to access https://www.diontraining.com, they receive an error stating "Invalid or Expired Security Certificate." The technician attempts to connect to the same site from other computers on the network, and no errors or issues are observed. Which of the following settings needs to be changed on the user's workstation to fix the "Invalid or Expired Security Certificate" error? A. Date and time B. Logon times C. UEFI boot mode D. User access control

Date and time Explanation OBJ-4.4: There are two causes of the "Invalid or Expired Security Certificate." The first is a problem with your computer, and the second occurs when the certificate itself has an issue. Since the technician can successfully connect to the website from other computers, it shows that the error is on the user's computer. One of the common causes of an Invalid or Expired Security Certificate error is the clock on the user's computer being wrong. The website security certificates are issued to be valid within a given date range. If the certificate's date is too far outside the date on the computer, the web browser will give you an invalid security certificate error because the browser thinks something is wrong. To fix this, set the computer's clock to the correct date and time.

You have recently been hired as a security analyst at Dion Training. On your first day, your supervisor begins to explain the way their network is configured, showing you the physical and logical placement of each firewall, IDS sensor, host-based IPS installations, the networked spam filter, and the DMZ. What best describes how these various devices are placed into the network for the highest level of security? A. Defense in depth B. UTM C. Load balancer D. Network segmentation

Defense in depth Explanation OBJ-2.1: Defense in depth is the concept of layering various network appliances and configurations to create a more secure and defensible architecture. Dion Training appears to be using various host-based and network-based devices to ensure there are multiple security layers in the network.

Your organization has recently suffered a data breach due to a server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement? A. Utilize the key escrow process B. Revoke the digital certificate C. Deploy a new group policy D. Create a new security group

Deploy a new group policy Explanation OBJ-3.7: A group policy is used to manage Windows systems in a Windows network domain environment utilizing a Group Policy Object (GPO). GPOs can include many settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings. You can force a reset of the default administrator account password by using a group policy update.

You just moved into a new house, and you are worried about a burglar breaking into the home and stealing your laptop. Unfortunately, the security alarm company cannot get to your home to install the security system you just purchased for another 3 weeks. In the meantime, they have sent you a little sign that says, "Protected by Security Inc." for you to place in front of your house. Once installed, which of the following control types is this sign? A. Deterrent B. Detective C. Preventative D. Corrective

Deterrent Explanation OBJ-5.1: A deterrent control may not physically or logically prevent access, but it serves to discourage an attacker from attempting an intrusion. In this example, the sign is a visual indicator that the home is protected by a security system, which is attempting to convince the burglar that they should break into a less protected home. Whether there is a security system or not is that the question here, just that the sign has been installed, acts as the deterrent.

Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain? A. OpenIOC B. Lockheed Martin cyber kill chain C. MITRE ATT&CK framework D. Diamond Model of Intrusion Analysis

Diamond Model of Intrusion Analysis Explanation OBJ-4.2: The Diamond Model provides an excellent methodology for communicating cyber events and allowing analysts to derive mitigation strategies implicitly. The Diamond Model is constructed around a graphical representation of an attacker's behavior. The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate them. OpenIOC contains a depth of research on APTs but does not integrate the detection and mitigation strategy.

What is a reverse proxy commonly used for? A. To obfuscate the origin of a user within a network B. Allowing access to a virtual private cloud C. To prevent the unauthorized use of cloud services from the local network D. Directing traffic to internal services if the contents of the traffic comply with the policy

Directing traffic to internal services if the contents of the traffic comply with the policy Explanation OBJ-2.1: A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users' devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server's response back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output: What type of attack was most likely being attempted by the attacker? A. SQL injection B. Password spaying C. Directory traversal D. XML injection

Directory traversal Explanation OBJ-1.3: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configurations and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML applications or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users' passwords by attempting a compromised password against multiple user accounts.

Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of "connected clients" and see that "Bob's Laptop" is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the proper WPA3 password? A. Enable WEP B. Disable WPA3 C. Disable SSID broadcast D. Disable WPS

Disable WPS Explanation OBJ-3.4: WPS was created to ease the setup and configuration of new wireless devices by allowing the router to automatically configure them after a short eight-digit PIN was entered. Unfortunately, WPS is vulnerable to a brute-force attack and is easily compromised. Therefore, WPS should be disabled on all wireless networks. If Bob could enter your apartment and press the WPS button, he could have configured his laptop to use your wireless network without your WPA3 password. While disabling the SSID broadcast could help prevent someone from seeing your network, the issue was someone connecting to your network without having the password. Disabling the SSID broadcast would not solve this issue.

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? A. Enable NetFlow compression B. Enable sampling of the data C. Enable full packet capture D. Enable QoS

Enable sampling of the data Explanation OBJ-3.3: The organization should enable sampling of the data collected. Sampling can help them capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provides useful information. Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to run high-priority applications and traffic dependably, but that does not help in this situation. Compressing NetFlow data helps save disk space, but it does not increase the capacity of the bottleneck of 2 Gbps during collection. Enabling full packet capture would take even more resources to process and store and not minimize the bottleneck of 2 Gbps during collection.

You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company's manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat? A. Demand that the manufacturer of the component release a patch immediately and deploy the patch as soon as possible B. Replace the affected SCADA/ICS components with more secure models from a different manufacturer C. Logically or physically isolate the SCADA/ICS component from the enterprise network D. Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface

Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface Explanation OBJ-2.6: The most immediate protection against this emergent threat would be to block the web interface from being accessible over the network. Before doing this, you must evaluate whether the interface needs to remain open for the system to function properly. If it is not needed, you should block it to minimize the SCADA/ICS component's attack surface. Ideally, your SCADA/ICS components should already be logically or physically isolated from the enterprise network. Since the question doesn't mention the networks as an area of concern, we can assume they are already following the industry best practice of logical or physical segmentation between the SCADA/ICS network and the enterprise network. On the exam, make sure you focus on the question being asked. In this case, the question focuses on the web interface. Developing a patch can be a time-consuming process, therefore waiting for the manufacturer to provide a patch will not provide immediate protection to your components. The same is true for replacing the affected components. Even if you could get the company to authorize the funding for such a purchase, it would take time to order, ship, receive, and install the new components. Additionally, you would cause unwanted downtime in the factory during the installation of the components, making it an ineffective option when simply blocking the web interface is free, quick, and effective.

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? A. Exact data match B. Classification C. Statistical matching D. Document matching

Exact data match Explanation OBJ-4.4: An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers. But, since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match the numbers' fingerprints instead based on their format or sequence. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses machine learning to analyze various data sources using artificial intelligence or machine learning. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification-based DLP to search for any files labeled as secret or top secret.

Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to "click here" to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following social engineering principles is being utilized as a part of this phishing campaign? A. Urgency B. Familiarity C. Intimidation D. Consensus

Familiarity Explanation OBJ-1.1: Familiarity is a social engineering technique that relies on assuming a widely known organization's persona. For example, in the United States, nearly 25% of Americans have a Bank of America account. For this reason, phishing campaigns often include emails pretending to be from Bank of America since 1 in 4 people who receive the email in the United States are likely to have an account. This makes them familiar with the bank name and is more likely to click on the email link. This email appears to be untargeted since it was sent to both customers and non-customers of this particular bank; it is best classified as phishing. Spear phishing requires the attack to be more targeted and less widespread. Urgency is focused on the element of time. An attacker encourages the victim to act quickly, which often leads to them making security mistakes. Urgency is related to scarcity, and the two are often effectively used together. Social proof and consensus rely on the fact that people want to fit in and conform. If a victim sees or believes others are performing some action, they will believe it is okay for them to do it.

Your organization is updating its incident response communications plan. A business analyst in the working group recommends that if the company discovers they are the victims of a data breach, they should only notify the affected parties to minimize media attention and bad publicity. Which of the following recommendations do you provide in response to the business analyst's statement? A. The first responder should contact law enforcement upon confirmation of a security incident for a forensic team to preserve the chain of custody B. The Human Resources department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so the company cannot be held liable for customer data that is viewed during an investigation C. An externally hosted website should be prepared in advance to ensure that when an incident occurs, victims have timely access to not

Guidance from laws and regulations should be considered when deciding who must be notified to avoid fines and judgments from non-compliance Explanation OBJ-5.5: Guidance from various laws and regulations must be considered when deciding who must be notified to avoid fines and judgments. The requirements for different types of data breaches are set out in laws/regulations. The requirements indicate who must be notified. Other than the regulator itself, this could include law enforcement, individuals and third-party companies affected by the breach, and public notification through the press or social media channels. For example, the Health Insurance Portability and Accountability Act (HIPAA) sets out reporting requirements in legislation, requiring breach notification to the affected individuals, the Secretary of the US Department of Health and Human Services, and, if more than 500 individuals are affected, to the media.

Chris just downloaded a new third-party email client for his smartphone. When Chris attempts to log in to his email with his username and password, the email client generates an error messaging stating that "Invalid credentials" were entered. Chris assumes he must have forgotten his password, so he resets his email username and password and then reenters them into the email client. Again, Chris receives an "Invalid credentials" error. What is MOST likely causing the "Invalid credentials" error regarding Chris's email client? A. His email account requires multi-factor authentication B. His email account requires a strong password to be used C. His email account is locked out D. His smartphone has full device encryption enabled

His email account requires multi-factor authentication Explanation OBJ-3.7: If a user or system has configured their email accounts to require two-factor authentication (2FA) or multifactor authentication, then even if they enter their username and password correctly in the third-party email client, they will receive the "Invalid credentials" error message. Some email servers will allow the user to create an application-specific password to bypass the multifactor authentication requirement to overcome this. If not, then the user will have to use an email client that supports multifactor authentication. His email account is not locked out or requiring a stronger password, otherwise, those issues would have been solved when he reset the password. Full device encryption on the smartphone would not affect the use of the email client since the device is unencrypted once a user enters their PIN, password, TouchID, or FaceID as authentication.

You are installing Windows 2019 on a rack-mounted server and hosting multiple virtual machines within the physical server. You just finished the installation and now want to begin creating and provisioning the virtual machines. Which of the following should you utilize to allow you to create and provision virtual machines? A. Hypervisor B. Device manager C. Terminal services D. Disk management

Hypervisor Explanation OBJ-2.2: A hypervisor, also known as a virtual machine monitor, is a process that creates and runs virtual machines (VMs). A hypervisor allows one host computer to support multiple guest VMs by virtually sharing its resources, like memory and processing. To create and provision virtual machines within the Windows 2019 operating system, you can use a Type II hypervisor like VM Ware or VirtualBox. Disk Management is a system utility in Windows that enables you to perform advanced storage tasks. Device Manager is a component of the Microsoft Windows operating system that allows users to view and control the hardware attached to the computer. Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to take control of a remote computer or virtual machine over a network connection.

The email client on a desktop workstation is acting strangely. Every time the user opens an email with an image embedded within it, the image is not displayed on their screen. Which of the following is the MOST likely cause of this issue? A. Incorrect security settings in the email client B. Incorrect settings in the host-based firewall C. Incorrect settings in your web browser's trusted site configuration D. Incorrect email settings in the anti-virus software E. Incorrect settings in your email proxy server

Incorrect security settings in the email client Explanation OBJ-3.1: This is a security setting in the mail client to prevent malicious malware and viruses from entering your environment. If the images are not downloaded on a received email, they will display as a red X within the reply email. If the email was forwarded, then the images will be displayed as a white box with a black border. This can be seen in the source code as 'Image Removed by Sender' next to where the images should appear in the email client. For example, in the Microsoft Outlook email client, the security settings for hosted images can be changed within the mail client's Trust Center (Outlook Options -> Trust Center -> Trust Center Settings).

What control provides the best protection against both SQL injection and cross-site scripting attacks? A. Hypervisors B. Network layer firewalls C. CSRF D. Input validation

Input validation Explanation OBJ-3.2: Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks. A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use. Cross-site request forgery (CSRF) is another attack type. A hypervisor controls access between virtual machines.

You are notified by an external organization that an IP address associated with your company's email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor's email account was only used from one workstation. You analyze Connor's workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario? A. Request disciplinary action for Connor for causing this incident B. Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department C. Isolate the workstation computer by disabling the switch port and resetting Connor's username/password D. Unplug the wor

Isolate the workstation computer by disabling the switch port and resetting Connor's username/password Explanation OBJ-4.4: Isolation of Connor's computer by deactivating the port on the switch should be performed instead of just unplugging the computer. This would guarantee that Connor won't just plug the computer back into the network as soon as you leave his desk. While Connor won't be able to work without his workstation, it is essential to isolate the issue quickly to prevent future attempts at lateral movement from occurring and protect the company's data needed for continued business operations. While we are unsure of the issue's initial root cause, we know it is currently isolated to Connor's machine. He should receive remedial cybersecurity training, his workstation's hard drive forensically imaged for later analysis, and then his workstation should be remediated or reimaged. It is better to isolate just Connor's machine instead of the entire network segment in this scenario. Isolating the network segment, without evidence indicating the need to do so, would have been overkill and overly disruptive to the business. Reimaging Connor's device may destroy data that could have otherwise been recovered and led to a successful root cause analysis. There is also insufficient evidence in this scenario to warrant disciplinary action against Connor, as he may have clicked on a malicious link by mistake.

What type of wireless security measure can easily be defeated by a hacker by spoofing their network interface card's hardware address? A. WEP B. WPS C. MAC filtering D. Disable SSID broadcast

MAC filtering Explanation OBJ-3.3: Wireless access points can utilize MAC filtering to ensure only known network interface cards are allowed to connect to the network. If the hacker changes their MAC address to a trusted MAC address, they can easily bypass this security mechanism. MAC filtering is considered a good security practice as part of a larger defense-in-depth strategy, but it won't stop a skilled hacker for long. MAC addresses are permanently burned into the network interface card by the manufacturer and serve as the device's physical address. WEP is the Wired Equivalent Privacy encryption standard, which is considered obsolete in modern wireless networks. WEP can be broken using a brute force attack within just a few minutes by an attacker. Another security technique is to disable the SSID broadcast of an access point. While this prevents the SSID broadcast, a skilled attacker can still find the SSID using discovery scanning techniques. WPS is the WiFi Protected Setup. WPS is used to connect and configure wireless devices to an access point easily.

Which of the following hashing algorithms results in a 128-bit fixed output? A. SHA-2 B. MD-5 C. RIPEMD D. SHA-1

MD-5 Explanation OBJ-2.8: MD-5 creates a 128-bit fixed output. SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. RIPEMD creates a 160-bit fixed output.

Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role? A. IaaS B. MSSP C. PaaS D. SaaS

MSSP Explanation OBJ-2.2: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the exam scope. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Janet, a defense contractor for the military, performs an analysis of their enterprise network to identify what type of work the Army would be unable to perform if the network were down for more than a few days. Which of the following was Janet trying to identify A. Critical systems B. Missions essential function C. Single point of failure D. Backup and restorations plan

Mission essential function Explanation OBJ-5.4: Mission essential functions are things that must be performed by an organization to meets its mission. For example, the Army being able to deploy its soldiers is a mission-essential function. If they couldn't do that because a network server is offline, then that system would be considered a critical system and should be prioritized for higher security and better defenses.

You received an incident response report indicating a piece of malware was introduced into the company's through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? A. SPF B. NAC C. ACL D. MAC filtering

NAC Explanation OBJ-3.3: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company's networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issues. MAC Filtering refers to security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during email delivery.

Which type of agreement between companies and employees is used as a legal basis for protecting information assets? A. ISA B. MOU C. SLA D. NDA

NDA Explanation OBJ-5.3: A non-disclosure agreement (NDA) is the legal basis for protecting information assets. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express intent for two companies to work together. A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which a service is provided. The interconnection security agreement (ISA) governs the relationship between any federal agency and a third party interconnecting their systems.

Which of the following agreements is used between companies and employees, between companies and contractors, and between two companies to protect information assets? A. ISA B. SLA C. DSUA D. NDA

NDA Explanation OBJ-5.3: Non-disclosure agreement (NDA) is the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and shares such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employee places in them. An interconnection security agreement (ISA) is defined by NIST's SP800-4 and is used by any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. A service level agreement (SLA) is a contractual agreement that sets out the detailed terms under which a service is provided. A data sharing and use agreement (DSUA) states that personal data can only be collected for a specific purpose. A DSUA can specify how a dataset can be analyzed and proscribe the use of reidentification techniques.

What kind of attack is an example of IP spoofing? A. Cross-site scripting B. On-path attack C. SQL injections D. ARP poisoning

On-path attack Explanation OBJ-1.4: An on-path attack (formerly known as a man-in-the-middle attack) intercepts communications between two systems. For example, in an HTTP transaction, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attack. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. ARP Poisoning, also known as ARP Spoofing, is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN to change the pairings in its IP to MAC address table. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.

Your company is setting up a system to accept credit cards in their retail and online locations. Which of the following compliance types should you be MOST concerned with dealing with credit cards? A. GDPR B. PCI-DSS C. PHI D. PII

PCI-DSS Explanation OBJ-5.2: The Payment Card Industry Data Security Standard (PCI-DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to securely host your data and follow PCI compliance requirements. The General Data Protection Regulation (GDPR) is a regulation created in the European Union that creates provisions and requirements to protect the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements. Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results.

You have been asked to classify a hospital's medical records as a form of regulated data. Which of the following would BEST classify this type of data? A. PII B. PHI C. PCI D. GDPR

PHI Explanation OBJ-5.5: Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. The General Data Protection Regulation (GDPR) is a regulation created in the European Union that creates provisions and requirements to protect the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements. The peripheral component interconnect (PCI) bus is used to provide low-speed connectivity to expansion cards but has been mostly replaced by the faster PCIe bus. The Payment Card Industry Data Security Standard (PCI-DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to securely host your data and follow PCI compliance requirements.

A penetration tester hired by a bank began searching for the bank's IP ranges by performing lookups on the bank's DNS servers, reading news articles online about the bank, monitoring what times the bank's employees came into and left work, searching job postings (with a special focus on the bank's information technology jobs), and even searching the corporate office of the bank's dumpster. Based on this description, what portion of the penetration test is being conducted? A. Information reporting B. Active information gathering C. Passive information gathering D. Vulnerability assessment

Passive information gathering Explanation OBJ-1.8: Passive information gathering consists of numerous activities where the penetration tester gathers open-source or publicly available information without the organization under investigation being aware that the information has been accessed. Instead, active information gathering starts to probe the organization using DNS Enumeration, Port Scanning, and OS Fingerprinting techniques. Vulnerability assessments are another form of active information gathering. Information reporting occurs after the penetration test is complete, and it involves writing a final report with the results, vulnerabilities, and lessons learned during the assessment.

Which of the following would NOT be included in a company's password policy? A. Password history B. Password style C. Password age D. Password complexity requirements

Password style Explanation OBJ-3.7: A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. It contains items like password complexity, password age, and password history requirements.

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6. BEGIN LOG _____________ Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:24 Port: 135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:26 Port: 443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol: TCP Time: Jun 12, 2020 09:24:26 Port: 445 Source: 10.10.3.2 Destination:10.10.3.6

Port scan targeting 10.10.3.6 Explanation OBJ-4.1: Port Scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making "Port scan targeting 10.10.3.6" the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overbears a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions.

Your company has decided to move all of its data into the cloud. Your company is concerned about the privacy of its data due to some recent data breaches that have been in the news. Therefore, they have decided to purchase cloud storage resources that will be dedicated solely for their use. Which of the following types of clouds is your company using? A. Public B. Community C. Hybrid D. Private

Private Explanation OBJ-2.2: A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A private cloud is usually managed via internal resources. The terms private cloud and virtual private cloud (VPC) are often used interchangeably. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally.

Dion Consulting Group has recently been awarded a contract to provide cybersecuirty services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital's enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital's elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend? A. Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack B. Recommend immediate disconnections of the elevator's control system from the enterprise network C. Recommend isolation of the elevator control system from the rest of the production network through the change control process D. Conduc

Recommend isolation of the elevator control system from the rest of the production network through the change control process Explanation OBJ-4.4: The best recommendation is to conduct the elevator control system's logical or physical isolation from the rest of the production network and the internet. This should be done through the change control process that brings the appropriate stakeholders together to discuss the best way to mitigate the vulnerability to the elevator control system that defines the business impact and risk of the decision. Sudden disconnection of the PLCs from the rest of the network might have disastrous results (i.e., sick and injured trapped in an elevator) if there were resources that the PLCs were depended on in the rest of the network. Replacement of the elevators may be prohibitively expensive, time-consuming, and likely something that the hospital would not be able to justify to mitigate this vulnerability. Attempting further exploitations of the buffer overflow vulnerability might inadvertently trap somebody in an elevator or cause damage to the elevators themselves.

A computer is infected with malware that has infected the Windows kernel to hide. Which type of malware MOST likely infected this computer? A. Trojan B. Rootkit C. Ransomware D. Botnet

Rootkit Explanation OBJ-1.2: A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enabled administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system. A botnet is many internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system. Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received.

The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network? A. Reviewing a central administration tool like an endpoint manager B. Router and switch-based MAC address reporting C. A discovery scan using a port scanner D A physical survey

Router and switch-based MAC address reporting Explanation OBJ-1.4: The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.

Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company's biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server's hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy's data integrity matches that of the original web server's hard disk? A. RSA B. AES C. 3DES D. SHA-256

SHA-256 Explanation OBJ-4.5: SHA-256 is the Secure Hash Algorithm with a 256-bit length output. This is one of the most common hash algorithms in use and is employed in many applications and protocols. SHA-256 and other hashing algorithms are used to ensure the data integrity of a file has not been altered. RSA, 3DES, AES are all encryption algorithms. The algorithms can ensure confidentiality but not integrity.

Which of the following describes the security method used when users enter their username and password only once and can access multiple applications? A. Permission propagation B. Multifactor authentication C. Inheritance D. SSO

SSO Explanation OBJ-3.8: Single sign-on (SSO) is an authentication process that allows users to access multiple applications with one set of login credentials. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN). Permission propagation occurs when a technician sets permissions on a folder or a drive, and the folder properties apply those permissions to all of the folders under that folder in the tree. Permissions propagation secures your data by limiting access to the users specified in the top folder. Multifactor authentication is an authentication scheme that works based on something you know, something you have, something you are, something you do, or somewhere you are. These schemes can be made stronger by combining them (for example, protecting the use of a smart card certification [something you have] with a PIN [something you know]). Inheritance or inherited permissions are permissions that are given to an object because it is a child of a parent object. Inheritance occurs due to permissions propagation.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Based on the image provided, what type of attack is occurring? A. DDoS B. SYN flood C. Ping flood D. Smurf attack

SYN flood Explanation OBJ-1.4: A SYN flood is a variant of a Denial of Service (DOS) attack where the attacker initiates multiple TCP sessions but never completes the 3-way handshake. This uses up resources on the server since it cannot complete the handshake and keeps resources reserved for the attacker's computer while it awaits the handshake's completion. This image is a graphical depiction of this type of attack.

Dion Training wants to install a new accounting system and is considering moving to a cloud-based solution to reduce cost, reduce the information technology overhead costs, improve reliability, and improve availability. Your Chief Information Officer is supportive of this move since it will be more fiscally responsible. Still, the Chief Risk Officer is concerned with housing all of the company's confidential financial data in a cloud provider's network that might be shared with other companies. Since the Chief Information Officer is determined to move to the cloud, what type of cloud-based solution would you recommend to account for the Chief Risk Officer's concerns? A. SaaS in a private cloud B. SaaS in a public cloud C. PaaS in a hybrid cloud D. PaaS in a community cloud

SaaS in a private cloud Explanation OBJ-2.2: A SaaS (Software as a Service) solution best describes an accounting system or software used as part of a cloud service. This meets the CIO's requirements. To mitigate the concerns of the Chief Risk Officer, you should use a private cloud solution. This type of solution ensures that the cloud provider does not comingle your data with other customers' data and providers dedicated servers and resources for your company's use only.

You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company's databases, routing all externally sourced network traffic to it, and gradually updating with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network and restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize? A. Isolation-based containment by removing the affected database from production B. Isolation-based containment by disconnecting the APT from the affected network C. Segmentation-based containment that deceives the attack into believing their attack was successful D. Segmentation-based containment dis

Segmentation-based containment that deceives the attack into believing their attack was successful Explanation OBJ-2.1: There are two types of containment: segmentation and isolation. This is an example of a segmentation-based containment strategy that utilizes deception. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. As opposed to completely isolating the hosts, you might configure the protected segment to deceive him or her into thinking the attack is progressing successfully, such as in the database modification example. The scenario is not a hack-back approach since the APT is not directly attacked, only deceived. Isolation-based containment involves removing an affected component from whatever larger environment it is a part of. In this scenario, the original database was never isolated from the network, nor were any other affected assets during the deception.

Aymen is creating a procedure for the remediation of vulnerabilities discovered within his organization. He wants to ensure that any vendor patches are tested before deploying them into the production environment. What type of environment should his organization establish? A. Staging B. Honeynet C. Honeypot D. Development

Staging Explanation OBJ-2.3: Deploying changes in a staging or sandbox environment provides the organization with a safe, isolated place for testing changes without interfering with production systems. Staging environments can mimic the actual production environment, leading to a realistic test environment that minimizes the risk of failure during a push to the production environment. Honeypots/Honeynets are not considered a testing environment. Instead, they are designed to attract attackers. The organization should not use the development environment to test the patches since a development environment does not mimic the real production environment.

William would like to use full-disk encryption on his laptop. He is worried about slow performance, though, so he has requested that the laptop have an onboard hardware-based cryptographic processor. Based on this requirement, what should William ensure the laptop contains? A. PAM B. TPM C. FDE D. AES

TPM Explanation OBJ-3.2: This question is asking if you know what each acronym means. Trusted Platform Module (TPM) is a hardware-based cryptographic processing component that is a part of the motherboard. A Pluggable Authentication Module (PAM) is a device that looks like a USB thumb drive and is used as a software key in cryptography. Full Disk Encryption (FDE) can be hardware or software-based. Therefore, it isn't the right answer. The Advanced Encryption System (AES) is a cryptographic algorithm. Therefore, it isn't a hardware solution.

Which of the following features is supported by Kerberos but not by RADIUS? A. Single sign-on capability B. Tickets used to identify authenticated users C. Services for authentication D. XML for cross-platform interoperability

Tickets used to identify authenticated users Explanation OBJ-3.8: Whether you learned the in-depth details of each of these protocols during your studies or not, you should be able to answer this question by remembering that Kerberos is all about 'tickets.' Kerberos uses a system of tickets to allow nodes to communicate over a non-secure network and securely prove their identity. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Kerberos is used in Windows Active Directory domains for authentication. Single sign-on (SSO) is a type of mutual authentication for multiple services that can accept the credential from one domain or service as authentication for other services. The Remote Authentication Dial-in User Service (RADIUS) is used to manage remote and wireless authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The client device then passes the authentication data to an AAA (Authentication, Authorization, and Accounting) server that processes the request.

You have just received a phishing email disguised to look like it came from [email protected] asking you to send your username and password because your account has been locked out due to inactivity. Which of the following social engineering principles is being used in this email? A. Trust B. Intimidation C. Consensus D. Urgency

Trust Explanation OBJ-1.1: Trust is a commonly used social engineering technique during a social engineering campaign. It relies on making the email appear to have come from a trusted source, such as your IT support department or a company you frequently utilize. Often, the "display name" of the email is set to something like [email protected] or [email protected] to trick you into replying. Trust can also be used by pretending to be someone you know and trust in real life, such as a coworker or family member.

Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered? A. Semi-trusted environment testing B. Partially known environment testing C. Known environment testing D. Unknown environment testing

Unknown environment testing Explanation OBJ-1.8: An unknown environment penetration test requires no previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior information about the target system or network in an unknown environment penetration test. These tests provide a realistic scenario for testing the defenses, but they can be costlier and more time-consuming to conduct as the tester is examining a system from an outsider's perspective. A partially known environment tester has the user's access and knowledge levels, potentially with elevated privileges on a system. These partially known environment penetration testers typically have some knowledge of a network's internals, potentially including design and architecture documentation and an account internal to the network. A known environment test is known by several different names, including clear-box, open-box, auxiliary, or logic-driven testing. It falls on the opposite end of the spectrum from an unknown environment test because the penetration testers have full access to source code, architecture documentation, and so forth. A known environment penetration tester can also perform static code analysis, so familiarity with source code analyzers, debuggers, and similar tools are necessary for this type of testing. A semi-trusted environment test is made up term and is used as a distractor in this question.

Ryan needs to verify the installation of a critical Windows patch on his organization's workstations. Which method would be the most efficient to validate the current patch status for all of the organization's Windows 10 workstations? A. Conduct a registry scan of each workstation to validate the patch was installed B. Use an endpoint manager to validate patch status for each machine on the domain C. Check the Update History manually D. Create and run a PowerShell script to search for the specific patch in question

Use an endpoint manager to validate patch status for each machine on the domain Explanation OBJ-3.2: The Microsoft Endpoint Configuration Manager (MECM) provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. In an Azure environment, you can also use the Update Compliance tool to monitor your device's Windows updates, Windows Defender anti-virus status, and the up-to-date patching status across all of your Windows 10 workstations. In previous Windows versions, you could use the Microsoft Baseline Analyzer (MSBA), but that is no longer supported when Windows 10 was introduced. A PowerShell script may be a reasonable option, but it would take a knowledgeable analyst to create the script and scan the network, whereas using SCCM is easier and quicker. Manually checking the Update History or registry of each system could also work, but that is very time-consuming and inefficient, especially if Ryan is supporting a large network.

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst? A. Network vulnerability scan B. Database vulnerability scan C. Port scan D. Web application vulnerability scan

Web application vulnerability scan Explanation OBJ-1.7: Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn't contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.

An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise? A. Blue team B. Purple team C. Red team D. White team

White team Explanation OBJ-1.8: Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission. A red team is a group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. A blue team is a group of people responsible for defending an enterprise's use of information systems by maintaining its security posture against a group of mock attackers. The purple team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.

You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any infection signs. Which of the following has MOST likely occurred? A. Directory traversal B. Password spraying C. Zero-day attack D. Session hijacking

Zero-day attack Explanation OBJ-1.6: Since you scanned the system with the latest anti-virus signatures and did not find any signs of infection, it would most likely be evidence of a zero-day attack. A zero-day attack has a clear sign of compromise (the web tunnel being established to a known malicious server). The anti-virus doesn't have a signature yet for this particular malware variant. Password spraying occurs when an attacker tries to log in to multiple different user accounts with the same compromised password credentials. Session hijacking is exploiting a valid computer session to gain unauthorized access to information or services in a computer system. Based on the scenario, it doesn't appear to be session hijacking since the user would not normally attempt to connect to a malicious server. Directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory. A directory traversal is usually indicated by a dot dot slash (../) in the URL being attempted.

A salesperson's laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario? A. RAT B. PII exfiltration C. Zero-day malware D. Ping of death

Zero-day malware Explanation OBJ-1.6: Based on the scenario provided, it appears that the laptop has become the victim of a zero-day attack. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. This means that there will not be a signature available in the IDS or anti-virus definition file. Therefore, it cannot be combated with traditional signature-based detection methods. PII (personally identifiable information) exfiltration is the unauthorized copying, transfer, or retrieval of PII data from a computer or server. A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. Based on the scenario's information, we do not have any indications that a ping packet was sent, that PII has been exfiltrated, or that the attack now has remote control of the laptop. Since neither the IDS nor anti-virus alerted on the PDF, it is most likely a form of a zero-day attack.

A cybersecurity analyst from BigCorp contacts your company to notify them that several of your computer were seen attempting to create a denial of service condition against their servers. They believe your company has become infected with malware, and those machine were part of a larger botnet. Which of the following BEST describes your company's infected computer? A. Bugs B. Monsters C. Zero-day D. Zombie

Zombie Explanation OBJ-1.2: A zombie is a computer connected to the internet that has been compromised

You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) A. journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo B. journalctl _UID=1003 | grep -e 1003 | grep sudo C. journalctl _UID=1003 | grep sudo D. journalctl _UID=1003 | grep -e [Tt]erri | grep sudo

journalctl _UID=1003 | grep sudo Explanation OBJ-4.3: journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd's log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter of _UID=1003, you will only receive entries made under the authorities of the user with ID (UID) 1003. In this case, that is Terri. Using the piping function, we can send that list of entries into the grep command as an input and then filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep using the -e flag. Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep filter as the only results for UID 1003 (terri) will already be shown. So, while all four of these would produce the same results, the most efficient option to accomplish this is by entering "journalctl _UID=1003 | grep sudo" in the terminal. Don't get afraid when you see questions like this; walk through each part of the command step by step and determine the differences. In this question, you may not have known what journalctl is, but you didn't need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one.