CompTIA Security+ (SY0-601) Practice Exam #1


(Sample Simulation - On the real exam for this type of question, you might receive a list of attack vectors and targets. Based on these, you would select the type of attack that occurred.) (1) An attacker has been collecting credit card details by calling victims and using false pretexts to trick them. (2) An attacker sends out an email to 100,000 random email addresses. In the email the attacker sent, it claims that "Your Bank of America account is locked out. Please click here to reset your password." What types of attacks have occurred in (1) and (2)? A. (1) Pharming and (2) Phishing B. (1) Spearphishing and (2) Pharming C. (1) Hoax and (2) Spearphishing D. (1) Vishing and (2) Phishing

(1) Vishing and (2) Phishing Explanation OBJ-1.1: Vishing uses a phone call to conduct information gathering and phishing type of actions. Spearphishing involves targeting specific individuals using well-crafted emails to gather information from a victim. Phishing relies on sending out a large volume of email to a broad set of recipients in the hopes of collecting the desired action or information. A hoax involves tricking a user into performing an action (such as virus remediation actions) when no infection has occurred. Pharming involves domain spoofing in an attempt to gather the desired information from a victim.

(Sample Simulation - On the real exam for this type of question, you would have to rearrange the ports into the proper order by dragging and dropping them into place.) Using the image provided, place the port numbers in the correct order with their associated protocols:
Available ports: 1701, 3389, 88, 389
____ RDP
____ L2TP
____ LDAP
____ Kerberos
A. 1701, 3389, 88, 389 B. 3389, 1701, 389, 88 C. 88, 389, 3389, 1701 D. 389, 88, 1701, 3389

3389, 1701, 389, 88 Explanation OBJ-3.1: For the exam, you need to know your ports and protocols. The Remote Desktop Protocol (RDP) operates over port 3389. Layer 2 Tunneling Protocol (L2TP) operates over port 1701. The Lightweight Directory Access Protocol (LDAP) operates over port 389. Kerberos operates over port 88.

You suspect that your server has been the victim of a web-based attack. Which of the following ports should most likely be seen in the logs to indicate the attack's target? A. 21 B. 389 C. 443 D. 3389

443 Explanation OBJ-1.6: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).

A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS. What should the network administrator implement? A. MAC address filtering with IP filtering B. 802.1x using EAP with MSCHAPv2 C. WPA2 with a complex shared key D. PKI with user authentication

802.1x using EAP with MSCHAPv2 Explanation OBJ-3.4: Since the backend uses a RADIUS server for back-end authentication, the network administrator can install 802.1x using EAP with MSCHAPv2 for authentication. The Extensible Authentication Protocol (EAP) is a framework in a series of protocols that allows for numerous different mechanisms of authentication, including things like simple passwords, digital certificates, and public key infrastructure. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based authentication protocol that is widely used as an authentication method in PPTP-based (Point to Point Tunneling Protocol) VPNs and can be used with EAP.

You are reviewing a rule within your organization's IDS. You see the following output:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; flow:to_client,established; file_data; content:"recordset"; offset:14; depth:9; content:".CacheSize"; distance:0; within:100; pcre:"/CacheSize\s*=\s*/"; byte_test:10,>,0x3ffffffe,0,relative,string; metadata:policy max-detect-ips drop, service http; reference:cve,2016-8077; classtype:attempted-user; sid:65535; rev:1;)
Based on this rule, which of the following malicious packets would this IDS alert on? A. Any malicious inbound packets B. A malicious outbound TCP packet C. A malicious inbound TCP packet D. Any malicious outbound packets

A malicious inbound TCP packet Explanation OBJ-3.3: The rule header is set to alert only on TCP packets based on this IDS rule's first line. The flow condition is set as "to_client, established," which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port to be analyzed, and the direction of flow.

Your organization is updating its Acceptable User Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement? A. All guests must provide valid identification when registering their wireless devices for use on the network B. Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters C. Open authentication standards should be implemented on all wireless infrastructure D. Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server

All guests must provide valid identification when registering their wireless devices for use on the network Explanation OBJ-5.3: Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest's need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question's sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.

Dion Training wants to ensure that none of its computers can run a peer-to-peer file-sharing program on its office computers. Which of the following practices should be implemented to achieve this? A. Application allow listing B. MAC filtering C. Enable NAC D. Application blocklisting

Application blocklisting Explanation OBJ-4.4: Application blocklisting is the most appropriate practice to implement to block a limited number of known programs. Application allow listing could be used to achieve this purpose, but it would require much more work and block every program not specifically allowed by the allow list or approve list policy.

Which mobile device strategy is most likely to introduce vulnerable devices to a corporate network? A. CYOD B. BYOD C. MDM D. COPE

BYOD Explanation OBJ-3.5: The BYOD (bring your own device) strategy opens a network to many vulnerabilities. People can bring their personal devices to the corporate network, and their devices may contain vulnerabilities that could be allowed to roam free on a corporate network. COPE (company-owned/personally enabled) means that the company provides the users with a smartphone primarily for work use, but basic functions such as voice calls, messaging, and personal applications are allowed, with some controls on usage and flexibility. With CYOD, the user can choose which device they wish to use from a small selection of devices approved by the company. The company then buys, procures, and secures the device for the user. MDM (mobile device management) is a system that gives centralized control over COPE (company-owned, personally enabled) devices.

Dion Training has contracted a software development firm to create a bulk file upload utility for its website. During a requirements planning meeting, the developers asked what type of encryption is required for the project. After some discussion, Jason decides that the file upload tool should use a cipher capable of encrypting 64 bits of data at a time before transmitting the files from the web developer's workstation to the webserver. Which of the following should be selected to meet this security requirement? A. Stream cipher B. Hashing algorithm C. CRC D. Block cipher

Block cipher Explanation OBJ-2.8: A block cipher is used to encrypt multiple bits at a time before moving to the next set of data. Block ciphers generally have a fixed-length block (8-bit, 16-bit, 32-bit, 64-bit, etc.). Stream ciphers encrypt a single bit (or byte) at a time during their encryption process. Hashing algorithms would not meet the requirement because the data would be encrypted using a one-way hash algorithm and be unusable once on the webserver. A cyclic redundancy check (CRC) is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to raw data. Blocks of data entering these systems get a short check value attached, based on the remainder of their contents' polynomial division.

Which of the following cryptographic algorithms is classified as symmetric? A. ECC B. PGP C. RSA D. Blowfish

Blowfish Explanation OBJ-2.8: Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. ECC, PGP, and RSA are all asymmetric algorithms.

An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker located several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use? A. Netcat B. Nessus C. Cain and Abel D. Nmap

Cain and Abel Explanation OBJ-4.1: Cain and Abel (often abbreviated to Cain) is a popular password cracking tool. It can recover many password types using methods such as network packet sniffing and cracking various password hashes using dictionary attacks, brute force, and cryptanalysis attacks. It also includes a module to conduct Cisco VPN Client password decoding. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access.

(Sample Simulation - On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company's network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts? A. Immediately remove the database server from the network, create an image of its hard disk, and maintain the chain of custody B. Isolate the affected server from the network immediately, format the database server, reinstall from a known good backup C. Conduct a system restore of the database server, image the hard drive, and maintain the chain of custody D. Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody

Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody Explanation OBJ-4.3: Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won't affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server's hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.

Which of the following types of digital forensic investigations is the most challenging due to the on-demand nature of the analyzed assets? A. Mobile devices B. Employee workstations C. Cloud services D. On-premise servers

Cloud services Explanation OBJ-3.6: The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Cloud providers can mitigate this to some extent by using extensive logging and monitoring options. A CSP might also provide an option to generate a file system and memory snapshots from containers and VMs in response to an alert condition generated by a SIEM. Employee workstations are often the easiest to conduct forensics on since they are a single-user environment for the most part. Mobile devices have some unique challenges due to their operating systems, but good forensic tool suites are available to ease the forensic acquisition and analysis of mobile devices. On-premise servers are more challenging than a workstation to analyze, but they do not suffer from the same issues as cloud-based services and servers.

A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this? A. Utilize formal methods of verification against the application processing the PHI B. Conduct tokenization of the PHI data before ingesting it into the big data application C. Utilize a SaaS model to process the PHI data instead of an on-premise solution D. Use DevSecOps to build the application that processes the PHI

Conduct tokenization of the PHI data before ingesting it into the big data application Explanation OBJ-2.1: The university should utilize a tokenization approach to prevent an inadvertent release of the PHI data. In a tokenization approach, all or part of the data in a field is replaced with a randomly generated token. That token is then stored with the original value on a token server or token vault, separate from the production database. This is an example of a deidentification control and should be used since the personally identifiable medical data does not need to be retained after ingesting it for the research project; only the medical data itself is needed. While using DevSecOps can improve the overall security posture of the applications being developed in this project, it does not explicitly define a solution to prevent this specific issue, making it a less ideal answer choice for the exam. Formal verification methods can be used to prove that none of the AI/ML techniques that process the PHI data could inadvertently leak it. Still, the cost and time associated with using these methods make them inappropriate for a system used to conduct research. A formal method uses a mathematical model of a system's inputs and outputs to prove that the system works as specified in all cases. It is difficult for manual analysis and testing to capture every possible use case scenario in a sufficiently complex system. Formal methods are mostly used with critical systems such as aircraft flight control systems, self-driving car software, and nuclear reactors, not big data research projects. The option provided that recommends utilizing a SaaS model is not realistic. There is unlikely to be a SaaS provider with a product suited to the big data research being done. SaaS products tend to be commoditized software products that are hosted in the cloud. The idea of migrating to a SaaS is a distractor on this exam, which is trying to get you to think about shifting the responsibility for the PHI to the service provider and away from the university, but due to the research nature of the project, this is unlikely to be a valid option in the real world and may not be legally allowed due to the PHI being processed.

Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24-hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements? A. Configure replication of the data to a set of servers located at a hot site B. Conduct full backups daily to tape C. Create a daily incremental backup to tape D. Create disk-to-disk snapshots of the server every hour

Create a daily incremental backup to tape Explanation OBJ-5.4: Since the RPO must be within 24 hours, daily or hourly backups must be conducted. Since the requirement is for backups to be conducted at a specific time each week, hourly snapshots would not meet this requirement and are not easily transported since they are being conducted as disk-to-disk backup. Replication to a hot site environment also doesn't allow for transportation of the data to an off-site facility for storage, and replication would continuously occur throughout the day. Therefore, a daily incremental backup should be conducted since it will require the least amount of time to conduct. The tapes could be easily transported for storage and restored incrementally from tape since the last full backup was conducted.

Which of the following access control models is the most flexible and allows the resource owner to control the access permissions? A. DAC B. ABAC C. RBAC D. MAC

DAC Explanation OBJ-3.8: Discretionary access control (DAC) stresses the importance of the owner. The original creator of the resource is considered the owner and can then assign permissions and ownership to others. The owner has full control over the resource and can modify its ACL to grant rights to others. This is the most flexible model and is currently implemented widely in Windows, Unix, Linux, and macOS systems.

Review the following packet captured at your NIDS: After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host? A. DENY IP HOST 86.18.10.3 EQ 3389 B. DENY TCP ANY HOST 71.168.10.45 EQ 3389 C. DENY IP HOST 71.168.10.45 ANY EQ 25 D. DENY TCP ANY HOST 86.18.10.3 EQ 25

DENY TCP ANY HOST 71.168.10.45 EQ 3389 Explanation OBJ-4.4: Since the question asks you to prevent unauthorized service access, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the Remote Desktop Protocol service that is unauthorized (port 3389).

Your organization requires the use of TLS or IPsec for all communications with an organization's network. Which of the following is this an example of? A. Data in transit B. DLP C. Data in use D. Data at rest

Data in transit Explanation OBJ-2.1: Data in transit (or data in motion) occurs whenever data is transmitted over a network. Examples of types of data in transit include website traffic, remote access traffic, data being synchronized between cloud repositories, and more. In this state, data can be protected by a transport encryption protocol, such as TLS or IPsec. Data at rest means that the data is in persistent storage media using whole disk encryption, database encryption, and file- or folder-level encryption. Data in use is when data is present in volatile memory, such as system RAM or CPU registers and cache. Secure processing mechanisms such as Intel Software Guard Extensions can encrypt data as it exists in memory so that an untrusted process cannot decode the information. This uses a secure enclave and requires a hardware root of trust. Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without proper authorization. DLP is a generic term that may include data at rest, data in transit, or data in use to function.

Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customer's data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario? A. Data limitation B. Data minimization C. Data sovereignty D. Data enrichment

Data sovereignty Explanation OBJ-2.1: While the fictitious Westeros may have no privacy laws or regulations, the laws of the countries where the company's customers reside may still retain sovereignty over the data obtained from those regions during the company's business there. This is called Data Sovereignty. Data sovereignty refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service. Fail to Pass Systems will likely face steep fines from different regions if they go through with their plan to sell all of their customers' data to the highest bidders. Fail to Pass Systems may even be blocked from communicating with individual regions. Although data minimization and data limitation policies may be violated depending on the company's internal policies, these policies are not legally binding like the provisions of GDPR are. Data enrichment means that the machine analytics behind the view of a particular alert can deliver more correlating and contextual information with a higher degree of confidence, both from within the local network's data points and from external threat intelligence.

A user reports that every time they try to access https://www.diontraining.com, they receive an error stating "Invalid or Expired Security Certificate." The technician attempts to connect to the same site from other computers on the network, and no errors or issues are observed. Which of the following settings needs to be changed on the user's workstation to fix the "Invalid or Expired Security Certificate" error? A. Date and time B. Logon times C. UEFI boot mode D. User access control

Date and time Explanation OBJ-4.4: There are two causes of the "Invalid or Expired Security Certificate." The first is a problem with your computer, and the second occurs when the certificate itself has an issue. Since the technician can successfully connect to the website from other computers, it shows that the error is on the user's computer. One of the common causes of an Invalid or Expired Security Certificate error is the clock on the user's computer being wrong. The website security certificates are issued to be valid within a given date range. If the certificate's date is too far outside the date on the computer, the web browser will give you an invalid security certificate error because the browser thinks something is wrong. To fix this, set the computer's clock to the correct date and time.

You have recently been hired as a security analyst at Dion Training. On your first day, your supervisor begins to explain the way their network is configured, showing you the physical and logical placement of each firewall, IDS sensor, host-based IPS installations, the networked spam filter, and the DMZ. What best describes how these various devices are placed into the network for the highest level of security? A. Defense in depth B. UTM C. Load balancer D. Network segmentation

Defense in depth Explanation OBJ-2.1: Defense in depth is the concept of layering various network appliances and configurations to create a more secure and defensible architecture. Dion Training appears to be using various host-based and network-based devices to ensure there are multiple security layers in the network.

You just moved into a new house, and you are worried about a burglar breaking into the home and stealing your laptop. Unfortunately, the security alarm company cannot get to your home to install the security system you just purchased for another 3 weeks. In the meantime, they have sent you a little sign that says, "Protected by Security Inc." for you to place in front of your house. Once installed, which of the following control types is this sign? A. Deterrent B. Detective C. Preventative D. Corrective

Deterrent Explanation OBJ-5.1: A deterrent control may not physically or logically prevent access, but it serves to discourage an attacker from attempting an intrusion. In this example, the sign is a visual indicator that the home is protected by a security system, which is attempting to convince the burglar that they should break into a less protected home. Whether there is actually a security system or not is not the question here; the fact that the sign has been installed is what acts as the deterrent.

Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain? A. OpenIOC B. Lockheed Martin cyber kill chain C. MITRE ATT&CK framework D. Diamond Model of Intrusion Analysis

Diamond Model of Intrusion Analysis Explanation OBJ-4.2: The Diamond Model provides an excellent methodology for communicating cyber events and allowing analysts to derive mitigation strategies implicitly. The Diamond Model is constructed around a graphical representation of an attacker's behavior. The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate them. OpenIOC contains a depth of research on APTs but does not integrate the detection and mitigation strategy.

Which of the following cryptographic algorithms is classified as asymmetric? A. RC4 B. AES C. Blowfish D. Diffie-Hellman

Diffie-Hellman Explanation OBJ-2.8: Diffie-Hellman (DH) is used to exchange cryptographic keys over a public channel securely and was one of the first public-key protocols. As a public-key protocol, it relies on an asymmetric algorithm. AES, RC4, and Blowfish are all symmetric algorithms.

What is a reverse proxy commonly used for? A. To obfuscate the origin of a user within a network B. Allowing access to a virtual private cloud C. To prevent the unauthorized use of cloud services from the local network D. Directing traffic to internal services if the contents of the traffic comply with the policy

Directing traffic to internal services if the contents of the traffic comply with the policy Explanation OBJ-2.1: A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users' devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server's response back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output: What type of attack was most likely being attempted by the attacker? A. SQL injection B. Password spraying C. Directory traversal D. XML injection

Directory traversal Explanation OBJ-1.3: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configurations and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML injection is an attack technique used to manipulate or compromise the logic of an XML application or service. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users' passwords by attempting a compromised password against multiple user accounts.

Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of "connected clients" and see that "Bob's Laptop" is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the proper WPA3 password? A. Enable WEP B. Disable WPA3 C. Disable SSID broadcast D. Disable WPS

Disable WPS Explanation OBJ-3.4: WPS was created to ease the setup and configuration of new wireless devices by allowing the router to automatically configure them after a short eight-digit PIN was entered. Unfortunately, WPS is vulnerable to a brute-force attack and is easily compromised. Therefore, WPS should be disabled on all wireless networks. If Bob could enter your apartment and press the WPS button, he could have configured his laptop to use your wireless network without your WPA3 password. While disabling the SSID broadcast could help prevent someone from seeing your network, the issue was someone connecting to your network without having the password. Disabling the SSID broadcast would not solve this issue.

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? A. Enable NetFlow compression B. Enable sampling of the data C. Enable full packet capture D. Enable QoS

Enable sampling of the data Explanation OBJ-3.3: The organization should enable sampling of the data collected. Sampling can help them capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provides useful information. Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to run high-priority applications and traffic dependably, but that does not help in this situation. Compressing NetFlow data helps save disk space, but it does not increase the capacity of the bottleneck of 2 Gbps during collection. Enabling full packet capture would take even more resources to process and store and not minimize the bottleneck of 2 Gbps during collection.

You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company's manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat? A. Demand that the manufacturer of the component release a patch immediately and deploy the patch as soon as possible B. Replace the affected SCADA/ICS components with more secure models from a different manufacturer C. Logically or physically isolate the SCADA/ICS component from the enterprise network D. Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface

Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface Explanation OBJ-2.6: The most immediate protection against this emergent threat would be to block the web interface from being accessible over the network. Before doing this, you must evaluate whether the interface needs to remain open for the system to function properly. If it is not needed, you should block it to minimize the SCADA/ICS component's attack surface. Ideally, your SCADA/ICS components should already be logically or physically isolated from the enterprise network. Since the question doesn't mention the networks as an area of concern, we can assume they are already following the industry best practice of logical or physical segmentation between the SCADA/ICS network and the enterprise network. On the exam, make sure you focus on the question being asked. In this case, the question focuses on the web interface. Developing a patch can be a time-consuming process; therefore, waiting for the manufacturer to provide a patch will not provide immediate protection to your components. The same is true for replacing the affected components. Even if you could get the company to authorize the funding for such a purchase, it would take time to order, ship, receive, and install the new components. Additionally, you would cause unwanted downtime in the factory during the installation of the components, making it an ineffective option when simply blocking the web interface is free, quick, and effective.

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? A. Exact data match B. Classification C. Statistical matching D. Document matching

Exact data match Explanation OBJ-4.4: An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers. But, since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match the numbers' fingerprints instead based on their format or sequence. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses artificial intelligence or machine learning to analyze various data sources. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification-based DLP to search for any files labeled as secret or top secret.

Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to "click here" to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following social engineering principles is being utilized as a part of this phishing campaign? A. Urgency B. Familiarity C. Intimidation D. Consensus

Familiarity Explanation OBJ-1.1: Familiarity is a social engineering technique that relies on assuming a widely known organization's persona. For example, in the United States, nearly 25% of Americans have a Bank of America account. For this reason, phishing campaigns often include emails pretending to be from Bank of America since 1 in 4 people who receive the email in the United States are likely to have an account. This makes them familiar with the bank name and more likely to click on the email link. This email appears to be untargeted since it was sent to both customers and non-customers of this particular bank; it is best classified as phishing. Spear phishing requires the attack to be more targeted and less widespread. Urgency is focused on the element of time. An attacker encourages the victim to act quickly, which often leads to them making security mistakes. Urgency is related to scarcity, and the two are often effectively used together. Social proof and consensus rely on the fact that people want to fit in and conform. If a victim sees or believes others are performing some action, they will believe it is okay for them to do it.

Your organization is updating its incident response communications plan. A business analyst in the working group recommends that if the company discovers they are the victims of a data breach, they should only notify the affected parties to minimize media attention and bad publicity. Which of the following recommendations do you provide in response to the business analyst's statement? A. The first responder should contact law enforcement upon confirmation of a security incident for a forensic team to preserve the chain of custody B. The Human Resources department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so the company cannot be held liable for customer data that is viewed during an investigation C. An externally hosted website should be prepared in advance to ensure that when an incident occurs, victims have timely access to notifications from a non-compromised resource D. Guidance from laws and regulations should be considered when deciding who must be notified to avoid fines and judgments from non-compliance

Guidance from laws and regulations should be considered when deciding who must be notified to avoid fines and judgments from non-compliance Explanation OBJ-5.5: Guidance from various laws and regulations must be considered when deciding who must be notified to avoid fines and judgments. The requirements for different types of data breaches are set out in laws/regulations. The requirements indicate who must be notified. Other than the regulator itself, this could include law enforcement, individuals and third-party companies affected by the breach, and public notification through the press or social media channels. For example, the Health Insurance Portability and Accountability Act (HIPAA) sets out reporting requirements in legislation, requiring breach notification to the affected individuals, the Secretary of the US Department of Health and Human Services, and, if more than 500 individuals are affected, to the media.

Chris just downloaded a new third-party email client for his smartphone. When Chris attempts to log in to his email with his username and password, the email client generates an error message stating that "Invalid credentials" were entered. Chris assumes he must have forgotten his password, so he resets his email username and password and then reenters them into the email client. Again, Chris receives an "Invalid credentials" error. What is MOST likely causing the "Invalid credentials" error regarding Chris's email client? A. His email account requires multi-factor authentication B. His email account requires a strong password to be used C. His email account is locked out D. His smartphone has full device encryption enabled

His email account requires multi-factor authentication Explanation OBJ-3.7: If a user or system has configured their email accounts to require two-factor authentication (2FA) or multifactor authentication, then even if they enter their username and password correctly in the third-party email client, they will receive the "Invalid credentials" error message. Some email servers will allow the user to create an application-specific password to bypass the multifactor authentication requirement to overcome this. If not, then the user will have to use an email client that supports multifactor authentication. His email account is not locked out or requiring a stronger password; otherwise, those issues would have been solved when he reset the password. Full device encryption on the smartphone would not affect the use of the email client since the device is unencrypted once a user enters their PIN, password, TouchID, or FaceID as authentication.

You are installing Windows 2019 on a rack-mounted server and hosting multiple virtual machines within the physical server. You just finished the installation and now want to begin creating and provisioning the virtual machines. Which of the following should you utilize to allow you to create and provision virtual machines? A. Hypervisor B. Device manager C. Terminal services D. Disk management

Hypervisor Explanation OBJ-2.2: A hypervisor, also known as a virtual machine monitor, is a process that creates and runs virtual machines (VMs). A hypervisor allows one host computer to support multiple guest VMs by virtually sharing its resources, like memory and processing. To create and provision virtual machines within the Windows 2019 operating system, you can use a Type II hypervisor like VMware or VirtualBox. Disk Management is a system utility in Windows that enables you to perform advanced storage tasks. Device Manager is a component of the Microsoft Windows operating system that allows users to view and control the hardware attached to the computer. Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allows a user to take control of a remote computer or virtual machine over a network connection.

The email client on a desktop workstation is acting strangely. Every time the user opens an email with an image embedded within it, the image is not displayed on their screen. Which of the following is the MOST likely cause of this issue? A. Incorrect security settings in the email client B. Incorrect settings in the host-based firewall C. Incorrect settings in your web browser's trusted site configuration D. Incorrect email settings in the anti-virus software E. Incorrect settings in your email proxy server

Incorrect security settings in the email client Explanation OBJ-3.1: This is a security setting in the mail client to prevent malware and viruses from entering your environment. If the images are not downloaded on a received email, they will display as a red X within the reply email. If the email was forwarded, then the images will be displayed as a white box with a black border. This can be seen in the source code as 'Image Removed by Sender' next to where the images should appear in the email client. For example, in the Microsoft Outlook email client, the security settings for hosted images can be changed within the mail client's Trust Center (Outlook Options -> Trust Center -> Trust Center Settings).

What control provides the best protection against both SQL injection and cross-site scripting attacks? A. Hypervisors B. Network layer firewalls C. CSRF D. Input validation

Input validation Explanation OBJ-3.2: Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks. A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use. Cross-site request forgery (CSRF) is another attack type. A hypervisor controls access between virtual machines.

You are notified by an external organization that an IP address associated with your company's email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor's email account was only used from one workstation. You analyze Connor's workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario? A. Request disciplinary action for Connor for causing this incident B. Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department C. Isolate the workstation computer by disabling the switch port and resetting Connor's username/password D. Unplug the workstation's network cable and conduct a complete reimaging of the workstation

Isolate the workstation computer by disabling the switch port and resetting Connor's username/password Explanation OBJ-4.4: Isolation of Connor's computer by deactivating the port on the switch should be performed instead of just unplugging the computer. This would guarantee that Connor won't just plug the computer back into the network as soon as you leave his desk. While Connor won't be able to work without his workstation, it is essential to isolate the issue quickly to prevent future attempts at lateral movement from occurring and protect the company's data needed for continued business operations. While we are unsure of the issue's initial root cause, we know it is currently isolated to Connor's machine. He should receive remedial cybersecurity training, his workstation's hard drive should be forensically imaged for later analysis, and then his workstation should be remediated or reimaged. It is better to isolate just Connor's machine instead of the entire network segment in this scenario. Isolating the network segment, without evidence indicating the need to do so, would have been overkill and overly disruptive to the business. Reimaging Connor's device may destroy data that could have otherwise been recovered and led to a successful root cause analysis. There is also insufficient evidence in this scenario to warrant disciplinary action against Connor, as he may have clicked on a malicious link by mistake.

What type of wireless security measure can easily be defeated by a hacker by spoofing their network interface card's hardware address? A. WEP B. WPS C. MAC filtering D. Disable SSID broadcast

MAC filtering Explanation OBJ-3.3: Wireless access points can utilize MAC filtering to ensure only known network interface cards are allowed to connect to the network. If the hacker changes their MAC address to a trusted MAC address, they can easily bypass this security mechanism. MAC filtering is considered a good security practice as part of a larger defense-in-depth strategy, but it won't stop a skilled hacker for long. MAC addresses are permanently burned into the network interface card by the manufacturer and serve as the device's physical address. WEP is the Wired Equivalent Privacy encryption standard, which is considered obsolete in modern wireless networks. WEP can be broken using a brute force attack within just a few minutes by an attacker. Another security technique is to disable the SSID broadcast of an access point. While this prevents the SSID broadcast, a skilled attacker can still find the SSID using discovery scanning techniques. WPS is the WiFi Protected Setup. WPS is used to connect and configure wireless devices to an access point easily.

Which of the following hashing algorithms results in a 128-bit fixed output? A. SHA-2 B. MD-5 C. RIPEMD D. SHA-1

MD-5 Explanation OBJ-2.8: MD-5 creates a 128-bit fixed output. SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. RIPEMD creates a 160-bit fixed output.

Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role? A. IaaS B. MSSP C. PaaS D. SaaS

MSSP Explanation OBJ-2.2: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the exam scope. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that their file server has crashed twice in the last two years. The most recent time was in August, and the time before that was 15 months before. Which of the following metrics would best represent this 15-month time period? A. RTO B. RPO C. MTTR D. MTBF

MTBF Explanation OBJ-5.4: Mean time between failures (MTBF) is the average time between system breakdowns. MTBF is a crucial maintenance metric to measure performance, safety, and equipment design, especially for critical or complex assets, like generators or airplanes. It is also used to determine the reliability of an asset.

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization's RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period? A. RTO B. MTBF C. MTTR D. RPO

MTTR Explanation OBJ-5.4: Mean time to repair (MTTR) is a basic measure of the maintainability of repairable items. It represents the average time required to repair a failed component or device.

Which of the following terms is used to describe the period of time taken to correct a fault so that the system is restored to full operations after a failure or incident? A. MTTR B. RTO C. RPO D. MTBF

MTTR Explanation OBJ-5.4: Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation. MTTR is often used to describe the average time to replace or recover a system or product. Recovery time objective (RTO) is the length of time an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired.

Janet, a defense contractor for the military, performs an analysis of their enterprise network to identify what type of work the Army would be unable to perform if the network were down for more than a few days. Which of the following was Janet trying to identify? A. Critical systems B. Mission essential function C. Single point of failure D. Backup and restoration plan

Mission essential function Explanation OBJ-5.4: Mission essential functions are things that must be performed by an organization to meet its mission. For example, the Army being able to deploy its soldiers is a mission-essential function. If they couldn't do that because a network server is offline, then that system would be considered a critical system and should be prioritized for higher security and better defenses.

You received an incident response report indicating a piece of malware was introduced into the company's network through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? A. SPF B. NAC C. ACL D. MAC filtering

NAC Explanation OBJ-3.3: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then, based on the results of those scans, either connect it to the company's networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during email delivery.

Which type of agreement between companies and employees is used as a legal basis for protecting information assets? A. ISA B. MOU C. SLA D. NDA

NDA Explanation OBJ-5.3: A non-disclosure agreement (NDA) is the legal basis for protecting information assets. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express intent for two companies to work together. A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which a service is provided. The interconnection security agreement (ISA) governs the relationship between any federal agency and a third party interconnecting their systems.

Which of the following agreements is used between companies and employees, between companies and contractors, and between two companies to protect information assets? A. ISA B. SLA C. DSUA D. NDA

NDA Explanation OBJ-5.3: A non-disclosure agreement (NDA) is the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and shares such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employer places in them. An interconnection security agreement (ISA) is defined by NIST's SP800-4; any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. A service level agreement (SLA) is a contractual agreement that sets out the detailed terms under which a service is provided. A data sharing and use agreement (DSUA) states that personal data can only be collected for a specific purpose. A DSUA can specify how a dataset can be analyzed and proscribe the use of reidentification techniques.

What kind of attack is an example of IP spoofing? A. Cross-site scripting B. On-path attack C. SQL injections D. ARP poisoning

On-path attack Explanation OBJ-1.4: An on-path attack (formerly known as a man-in-the-middle attack) intercepts communications between two systems. For example, in an HTTP transaction, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attacker. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. ARP Poisoning, also known as ARP Spoofing, is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN to change the pairings in its IP to MAC address table. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser-side script, to a different end-user.

Your company is setting up a system to accept credit cards in their retail and online locations. Which of the following compliance types should you be MOST concerned with dealing with credit cards? A. GDPR B. PCI-DSS C. PHI D. PII

PCI-DSS Explanation OBJ-5.2: The Payment Card Industry Data Security Standard (PCI-DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to securely host your data and follow PCI compliance requirements. The General Data Protection Regulation (GDPR) is a regulation created in the European Union that creates provisions and requirements to protect the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements. Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results.

You have been asked to classify a hospital's medical records as a form of regulated data. Which of the following would BEST classify this type of data? A. PII B. PHI C. PCI D. GDPR

PHI Explanation OBJ-5.5: Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. The General Data Protection Regulation (GDPR) is a regulation created in the European Union that creates provisions and requirements to protect the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements. The peripheral component interconnect (PCI) bus is used to provide low-speed connectivity to expansion cards but has been mostly replaced by the faster PCIe bus. The Payment Card Industry Data Security Standard (PCI-DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to securely host your data and follow PCI compliance requirements.

(Sample Simulation - On the real exam for this type of question, you would drag and drop the authentication factor into the spot for the correct category.) How would you appropriately categorize the authentication method displayed here? PIN. ____ Something you know GPS Coordinates. ____ Something you have Fingerprint. ____ Something you are Signature. ____ Something you do Smart Card. ____ Somewhere you are A. Fingerprint, PIN, GPS Coordinates, Smart Card, Signature B. PIN, Smart Card, Fingerprint, Signature, GPS Coordinates C. PIN, Signature, Fingerprint, Smart Card, GPS Coordinates D. Smart card, Signature, GPS Coordinates, PIN, Fingerprint

PIN, Smart Card, Fingerprint, Signature, GPS Coordinates Explanation OBJ-2.4: For the exam, you need to know the different factors of authentication. If you use two or more of these factors, you are using multi-factor authentication. The five factors are something you know (knowledge), something you have (possession), something you are (biometrics), something you do (action), and somewhere you are (location).

A penetration tester hired by a bank began searching for the bank's IP ranges by performing lookups on the bank's DNS servers, reading news articles online about the bank, monitoring what times the bank's employees came into and left work, searching job postings (with a special focus on the bank's information technology jobs), and even searching the dumpster at the bank's corporate office. Based on this description, what portion of the penetration test is being conducted? A. Information reporting B. Active information gathering C. Passive information gathering D. Vulnerability assessment

Passive information gathering Explanation OBJ-1.8: Passive information gathering consists of numerous activities where the penetration tester gathers open-source or publicly available information without the organization under investigation being aware that the information has been accessed. In contrast, active information gathering starts to probe the organization using DNS enumeration, port scanning, and OS fingerprinting techniques. Vulnerability assessments are another form of active information gathering. Information reporting occurs after the penetration test is complete, and it involves writing a final report with the results, vulnerabilities, and lessons learned during the assessment.

Which of the following would NOT be included in a company's password policy? A. Password history B. Password style C. Password age D. Password complexity requirements

Password style Explanation OBJ-3.7: A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. It contains items like password complexity, password age, and password history requirements.

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6.

BEGIN LOG
_____________
Time: Jun 12, 2020 09:24:12 Port: 20 Source: 10.10.3.2 Destination: 10.10.3.6 Protocol: TCP
Time: Jun 12, 2020 09:24:14 Port: 21 Source: 10.10.3.2 Destination: 10.10.3.6 Protocol: TCP
Time: Jun 12, 2020 09:24:16 Port: 22 Source: 10.10.3.2 Destination: 10.10.3.6 Protocol: TCP
Time: Jun 12, 2020 09:24:18 Port: 23 Source: 10.10.3.2 Destination: 10.10.3.6 Protocol: TCP
Time: Jun 12, 2020 09:24:20 Port: 25 Source: 10.10.3.2 Destination: 10.10.3.6 Protocol: TCP
Time: Jun 12, 2020 09:24:22 Port: 80 Source: 10.10.3.2 Destination: 10.10.3.6 Protocol: TCP
Time: Jun 12, 2020 09:24:24 Port: 135 Source: 10.10.3.2 Destination: 10.10.3.6 Protocol: TCP
Time: Jun 12, 2020 09:24:26 Port: 443 Source: 10.10.3.2 Destination: 10.10.3.6 Protocol: TCP
Time: Jun 12, 2020 09:24:26 Port: 445 Source: 10.10.3.2 Destination: 10.10.3.6 Protocol: TCP
_____________
END LOG

What type of activity occurred based on the output above? A. Port scan targeting 10.10.3.2 B. Denial of service attack targeting 10.10.3.6 C. Port scan targeting 10.10.3.6 D. Fragmentation attack targeting 10.10.3.6

Port scan targeting 10.10.3.6 Explanation OBJ-4.1: Port scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making "Port scan targeting 10.10.3.6" the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overwhelms a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions.

Your company has decided to move all of its data into the cloud. Your company is concerned about the privacy of its data due to some recent data breaches that have been in the news. Therefore, they have decided to purchase cloud storage resources that will be dedicated solely for their use. Which of the following types of clouds is your company using? A. Public B. Community C. Hybrid D. Private

Private Explanation OBJ-2.2: A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A private cloud is usually managed via internal resources. The terms private cloud and virtual private cloud (VPC) are often used interchangeably. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally.

Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place? A. Phishing B. Social engineering C. Privilege escalation D. Session hijacking

Privilege escalation Explanation OBJ-1.3: The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question's details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.

David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal? A. LDAP B. MySQL C. RDP D. IMAP

RDP Explanation OBJ-3.1: Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn't supposed to be open, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital's enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital's elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend? A. Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack B. Recommend immediate disconnection of the elevator's control system from the enterprise network C. Recommend isolation of the elevator control system from the rest of the production network through the change control process D. Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists

Recommend isolation of the elevator control system from the rest of the production network through the change control process Explanation OBJ-4.4: The best recommendation is to conduct the elevator control system's logical or physical isolation from the rest of the production network and the internet. This should be done through the change control process, which brings the appropriate stakeholders together to discuss the best way to mitigate the vulnerability in the elevator control system and defines the business impact and risk of the decision. Sudden disconnection of the PLCs from the rest of the network might have disastrous results (e.g., sick and injured people trapped in an elevator) if there were resources elsewhere in the network that the PLCs depended on. Replacement of the elevators may be prohibitively expensive, time-consuming, and likely something that the hospital would not be able to justify to mitigate this vulnerability. Attempting further exploitation of the buffer overflow vulnerability might inadvertently trap somebody in an elevator or cause damage to the elevators themselves.

A computer is infected with malware that has infected the Windows kernel to hide. Which type of malware MOST likely infected this computer? A. Trojan B. Rootkit C. Ransomware D. Botnet

Rootkit Explanation OBJ-1.2: A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enables administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system. A botnet is a group of many internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. A trojan is a type of malware that looks legitimate but can take control of your computer. A trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system. Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received.

The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network? A. Reviewing a central administration tool like an endpoint manager B. Router and switch-based MAC address reporting C. A discovery scan using a port scanner D. A physical survey

Router and switch-based MAC address reporting Explanation OBJ-1.4: The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.

Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company's biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server's hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy's data integrity matches that of the original web server's hard disk? A. RSA B. AES C. 3DES D. SHA-256

SHA-256 Explanation OBJ-4.5: SHA-256 is the Secure Hash Algorithm with a 256-bit length output. This is one of the most common hash algorithms in use and is employed in many applications and protocols. SHA-256 and other hashing algorithms are used to ensure the data integrity of a file, that is, to verify that it has not been altered. RSA, 3DES, and AES are all encryption algorithms. Those algorithms can ensure confidentiality but not integrity.

Which of the following describes the security method used when users enter their username and password only once and can access multiple applications? A. Permission propagation B. Multifactor authentication C. Inheritance D. SSO

SSO Explanation OBJ-3.8: Single sign-on (SSO) is an authentication process that allows users to access multiple applications with one set of login credentials. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN). Permission propagation occurs when a technician sets permissions on a folder or a drive, and the folder properties apply those permissions to all of the folders under that folder in the tree. Permissions propagation secures your data by limiting access to the users specified in the top folder. Multifactor authentication is an authentication scheme that works based on something you know, something you have, something you are, something you do, or somewhere you are. These schemes can be made stronger by combining them (for example, protecting the use of a smart card certification [something you have] with a PIN [something you know]). Inheritance or inherited permissions are permissions that are given to an object because it is a child of a parent object. Inheritance occurs due to permissions propagation.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Based on the image provided, what type of attack is occurring? A. DDoS B. SYN flood C. Ping flood D. Smurf attack

SYN flood Explanation OBJ-1.4: A SYN flood is a variant of a Denial of Service (DoS) attack where the attacker initiates multiple TCP sessions but never completes the 3-way handshake. This uses up resources on the server since it cannot complete the handshake and keeps resources reserved for the attacker's computer while it awaits the handshake's completion. This image is a graphical depiction of this type of attack.

Dion Training wants to install a new accounting system and is considering moving to a cloud-based solution to reduce cost, reduce the information technology overhead costs, improve reliability, and improve availability. Your Chief Information Officer is supportive of this move since it will be more fiscally responsible. Still, the Chief Risk Officer is concerned with housing all of the company's confidential financial data in a cloud provider's network that might be shared with other companies. Since the Chief Information Officer is determined to move to the cloud, what type of cloud-based solution would you recommend to account for the Chief Risk Officer's concerns? A. SaaS in a private cloud B. SaaS in a public cloud C. PaaS in a hybrid cloud D. PaaS in a community cloud

SaaS in a private cloud Explanation OBJ-2.2: A SaaS (Software as a Service) solution best describes an accounting system or software used as part of a cloud service. This meets the CIO's requirements. To mitigate the concerns of the Chief Risk Officer, you should use a private cloud solution. This type of solution ensures that the cloud provider does not commingle your data with other customers' data and provides dedicated servers and resources for your company's use only.

You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company's databases, routing all externally sourced network traffic to it, and gradually updating with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network and restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize? A. Isolation-based containment by removing the affected database from production B. Isolation-based containment by disconnecting the APT from the affected network C. Segmentation-based containment that deceives the attack into believing their attack was successful D. Segmentation-based containment disrupts the APT by using a hack-back approach

Segmentation-based containment that deceives the attack into believing their attack was successful Explanation OBJ-2.1: There are two types of containment: segmentation and isolation. This is an example of a segmentation-based containment strategy that utilizes deception. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. As opposed to completely isolating the hosts, you might configure the protected segment to deceive the attacker into thinking the attack is progressing successfully, such as in the database modification example. The scenario is not a hack-back approach since the APT is not directly attacked, only deceived. Isolation-based containment involves removing an affected component from whatever larger environment it is a part of. In this scenario, the original database was never isolated from the network, nor were any other affected assets during the deception.

Which of the following best describes the type of attack shown? A. Ping of death B. Smurf C. Man in the Middle D. XMAS tree attack

Smurf Explanation OBJ-1.4: A smurf attack uses a single ping with a spoofed source address sent to the broadcast address of a network. This causes every device within the network to receive a single ping, which appears to come from the device with the spoofed source address. Each network device then responds to the spoofed address, causing the victim (whose address was spoofed) to be overwhelmed with the responses to the initial ping.

Which of the following types of attacks are usually used as part of an on-path attack? A. DDoS B. Spoofing C. Brute force D. Tailgating

Spoofing Explanation OBJ-1.4: Spoofing is often used to inject the attacker into the conversation path between the two parties. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. The attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection. The attacker will intercept all relevant messages passing between the two victims and inject new ones. A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Tailgating is a social engineering technique to gain access to a building by following someone who is unaware of the attacker's presence. A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.

Aymen is creating a procedure for the remediation of vulnerabilities discovered within his organization. He wants to ensure that any vendor patches are tested before deploying them into the production environment. What type of environment should his organization establish? A. Staging B. Honeynet C. Honeypot D. Development

Staging Explanation OBJ-2.3: Deploying changes in a staging or sandbox environment provides the organization with a safe, isolated place for testing changes without interfering with production systems. Staging environments can mimic the actual production environment, leading to a realistic test environment that minimizes the risk of failure during a push to the production environment. Honeypots/Honeynets are not considered a testing environment. Instead, they are designed to attract attackers. The organization should not use the development environment to test the patches since a development environment does not mimic the real production environment.

Which of the following features is supported by Kerberos but not by RADIUS? A. Single sign-on capability B. Tickets used to identify authenticated users C. Services for authentication D. XML for cross-platform interoperability

Tickets used to identify authenticated users Explanation OBJ-3.8: Whether you learned the in-depth details of each of these protocols during your studies or not, you should be able to answer this question by remembering that Kerberos is all about 'tickets.' Kerberos uses a system of tickets to allow nodes to communicate over a non-secure network and securely prove their identity. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Kerberos is used in Windows Active Directory domains for authentication. Single sign-on (SSO) is a type of mutual authentication for multiple services that can accept the credential from one domain or service as authentication for other services. The Remote Authentication Dial-in User Service (RADIUS) is used to manage remote and wireless authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The client device then passes the authentication data to an AAA (Authentication, Authorization, and Accounting) server that processes the request.

Why would a company want to utilize a wildcard certificate for their servers? A. To secure the certificate's private key B. To reduce the certificate management burden C. To extend the renewal date of the certificate D. To increase the certificate's encryption key length

To reduce the certificate management burden Explanation OBJ-3.9: A wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain. This saves money and reduces the burden of managing multiple certificates, one for each subdomain. A single wildcard certificate for *.diontraining.com will secure all these domains (www.diontraining.com, mail.diontraining.com, ftp.diontraining.com, etc.). The other options provided are not solved by using a wildcard certificate.

You have just received a phishing email disguised to look like it came from [email protected] asking you to send your username and password because your account has been locked out due to inactivity. Which of the following social engineering principles is being used in this email? A. Trust B. Intimidation C. Consensus D. Urgency

Trust Explanation OBJ-1.1: Trust is a commonly used social engineering technique during a social engineering campaign. It relies on making the email appear to have come from a trusted source, such as your IT support department or a company you frequently utilize. Often, the "display name" of the email is set to something like [email protected] or [email protected] to trick you into replying. Trust can also be used by pretending to be someone you know and trust in real life, such as a coworker or family member.

Ryan needs to verify the installation of a critical Windows patch on his organization's workstations. Which method would be the most efficient to validate the current patch status for all of the organization's Windows 10 workstations? A. Conduct a registry scan of each workstation to validate the patch was installed B. Use an endpoint manager to validate patch status for each machine on the domain C. Check the Update History manually D. Create and run a PowerShell script to search for the specific patch in question

Use an endpoint manager to validate patch status for each machine on the domain Explanation OBJ-3.2: The Microsoft Endpoint Configuration Manager (MECM) provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. In an Azure environment, you can also use the Update Compliance tool to monitor your devices' Windows updates, Windows Defender anti-virus status, and the up-to-date patching status across all of your Windows 10 workstations. In previous Windows versions, you could use the Microsoft Baseline Security Analyzer (MBSA), but that is no longer supported since Windows 10 was introduced. A PowerShell script may be a reasonable option, but it would take a knowledgeable analyst to create the script and scan the network, whereas using SCCM is easier and quicker. Manually checking the Update History or registry of each system could also work, but that is very time-consuming and inefficient, especially if Ryan is supporting a large network.

Which of the following is exploited by an SQL injection to give the attacker access to the database? A. Web application B. Operating system C. Firewall D. Database server

Web application Explanation OBJ-1.3: SQL injections target the data stored in enterprise databases by exploiting flaws in client-facing applications. These vulnerabilities being exploited are most often found in web applications. The database server or operating system would normally be exploited by a remote code execution, a buffer overflow, or another type of server-side attack. The firewall would not be subject to an SQL injection.

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst? A. Network vulnerability scan B. Database vulnerability scan C. Port scan D. Web application vulnerability scan

Web application vulnerability scan Explanation OBJ-1.7: Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn't contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.

An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise? A. Blue team B. Purple team C. Red team D. White team

White team Explanation OBJ-1.8: Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission. A red team is a group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. A blue team is a group of people responsible for defending an enterprise's use of information systems by maintaining its security posture against a group of mock attackers. The purple team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.

You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any infection signs. Which of the following has MOST likely occurred? A. Directory traversal B. Password spraying C. Zero-day attack D. Session hijacking

Zero-day attack Explanation OBJ-1.6: Since you scanned the system with the latest anti-virus signatures and did not find any signs of infection, it would most likely be evidence of a zero-day attack. A zero-day attack has a clear sign of compromise (the web tunnel being established to a known malicious server). The anti-virus doesn't have a signature yet for this particular malware variant. Password spraying occurs when an attacker tries to log in to multiple different user accounts with the same compromised password credentials. Session hijacking is exploiting a valid computer session to gain unauthorized access to information or services in a computer system. Based on the scenario, it doesn't appear to be session hijacking since the user would not normally attempt to connect to a malicious server. Directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory. A directory traversal is usually indicated by a dot dot slash (../) in the URL being attempted.

Which type of threat will patches NOT effectively combat as a security control? A. Discovered software bugs B. Zero-day attacks C. Malware with defined indicators of compromise D. Known vulnerabilities

Zero-day attacks Explanation OBJ-3.2: Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, a patch or mitigation is normally available. If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it as well.

A salesperson's laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario? A. RAT B. PII exfiltration C. Zero-day malware D. Ping of death

Zero-day malware Explanation OBJ-1.6: Based on the scenario provided, it appears that the laptop has become the victim of a zero-day attack. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. This means that there will not be a signature available in the IDS or anti-virus definition file. Therefore, it cannot be combated with traditional signature-based detection methods. PII (personally identifiable information) exfiltration is the unauthorized copying, transfer, or retrieval of PII data from a computer or server. A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. Based on the scenario's information, we do not have any indications that a ping packet was sent, that PII has been exfiltrated, or that the attacker now has remote control of the laptop. Since neither the IDS nor anti-virus alerted on the PDF, it is most likely a form of a zero-day attack.

A cybersecurity analyst from BigCorp contacts your company to notify them that several of your computers were seen attempting to create a denial of service condition against their servers. They believe your company has become infected with malware, and those machines were part of a larger botnet. Which of the following BEST describes your company's infected computers? A. Bugs B. Monsters C. Zero-day D. Zombie

Zombie Explanation OBJ-1.2: A zombie is a computer connected to the internet that has been compromised

You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) A. journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo B. journalctl _UID=1003 | grep -e 1003 | grep sudo C. journalctl _UID=1003 | grep sudo D. journalctl _UID=1003 | grep -e [Tt]erri | grep sudo

journalctl _UID=1003 | grep sudo Explanation OBJ-4.3: journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd's log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter _UID=1003, you will only receive entries made under the authority of the user with ID (UID) 1003. In this case, that is Terri. Using the piping function, we can send that list of entries into the grep command as input and then filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep using the -e flag. Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep filter, as the only results for UID 1003 (terri) will already be shown. So, while all four of these would produce the same results, the most efficient option to accomplish this is by entering "journalctl _UID=1003 | grep sudo" in the terminal. Don't be afraid when you see questions like this; walk through each part of the command step by step and determine the differences. In this question, you may not have known what journalctl is, but you didn't need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one.

