EXAM D
1. Management within your organization wants to ensure that users understand the rules of behavior when they access the organization's computer systems and networks. Which of the following BEST describes what they would implement to meet this requirement? A. AUP B. NDA C. SLA D. MSA
1. A is correct. An acceptable use policy (AUP) informs users of company expectations when they use computer systems and networks, and it defines acceptable rules of behavior. A non-disclosure agreement (NDA) ensures that individuals do not share proprietary data with others. A service level agreement (SLA) is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. A measurement systems analysis (MSA) evaluates the processes and tools used to make measurements.
1. Your organization hosts an e-commerce web server. The server randomly experiences a high volume of sales and usage from mid-November to the end of December, causing spikes in resource usage. These spikes have resulted in outages during the past year. Which of the following should be implemented to prevent these outages? A. Stored procedures B. Scalability C. Version control D. Memory management
1. B is correct. Scalability is the best choice because it allows administrators to manually scale the server up or out as needed in response to this predictable high resource usage. Stored procedures are a group of SQL statements that execute as a whole and help prevent SQL injection attacks. Version control tracks software versions as it is updated and is unrelated to this question. Memory management techniques help ensure that applications don't cause memory problems such as memory leaks or integer overflows. See Chapter 1.
10. After a recent incident, a forensic analyst was given several hard drives to analyze. Which of the following actions should she take FIRST? A. Capture drive images for integrity. B. Take hashes for provenance. C. Review the logs on the disks. D. Create a chain of custody document.
10. B is correct. Forensic analysts take hashes to prove provenance of the copy. The hash (or checksum) provides proof that the copy is the same as the original and has not lost integrity. A drive image shouldn't be captured before creating a hash, and just having a drive image doesn't provide integrity or prove that it is the same as the original. Reviewing any data on an original disk will potentially modify the data so it shouldn't be done. A chain of custody document is created when evidence is collected, so it should already exist.
10. Developers are planning to develop an application using role-based access control. Which of the following would they MOST likely include in their planning? A. A listing of labels reflecting classification levels B. A listing of rules that the application must be able to trigger C. A listing of owners D. A matrix of functions matched with required privileges
10. D. A matrix of functions, roles, or job titles matched with the required access privileges for each of the functions, roles, or job titles is a common planning document for a role-based access control model. The mandatory access control (MAC) model uses sensitivity labels and classification levels. Rule-based access control models use rules, but role-based access control models don't use rules. The discretionary access control (DAC) model specifies that every object has an owner and it might identify owners in a list. See Chapter 2.
11. Your organization has implemented a system that stores user credentials in a central database. Users log on once with their credentials. They can then access other systems in the organization without logging on again. Which of the following does this describe? A. Federation B. SAML C. SSO D. OAuth
11. C is correct. This describes a single sign-on (SSO) solution in which users only log on once. Although a federation supports SSO, not all SSO systems use a federation. Security Assertions Markup Language (SAML) is an SSO solution used for web-based applications, but not all SSO solutions use SAML. OAuth (Open Authorization) is an authorization protocol used with HTTP-based apps, not internal organizations. See Chapter 2.
11. A health care organization manages several hospitals and medical facilities within a state, and they have treated thousands of patients who have suffered from a recent viral outbreak. Doctors from another state are performing studies of this virus and would like to access the information that the health care organization has amassed. Management has authorized the release of this information but has mandated that the data cannot reveal any personal information about patients. Which of the following methods will BEST meet these requirements? A. Pseudo-anonymization B. Tokenization C. Encryption D. Masking
11. D is correct. Data masking will modify the original data and can be used to hide Personally Identifiable Information (PII). In this scenario, data masking could modify names, addresses, and phone numbers, while retaining medical data such as treatments and outcomes. Although not available as a choice, anonymization of the data could also meet the requirements. Pseudo-anonymization replaces some data with pseudonyms, or artificial identifiers, but the process can be reversed to identify the original data, so it isn't the best choice. Tokenization replaces data elements with a token, and the token is then used in place of the original data element. Tokenization doesn't protect identities. Encryption would convert cleartext into ciphertext making everything unusable by the outside researchers.
12. An urban hospital has recently treated hundreds of patients after a viral outbreak. Researchers trying to learn more about the virus have asked the hospital for information on treatment methods they used and their outcomes. The hospital management has asked the IT department to remove all personal information about patients before releasing this data. Which of the following methods will BEST meet these requirements? A. Anonymization B. Pseudo-anonymization C. Tokenization D. Data minimization
12. A is correct. Anonymization of the data would modify it to hide Personally Identifiable Information (PII) and is the best choice of the available options. Although not available as a choice, data masking could also meet the requirements. Pseudo-anonymization replaces some data with pseudonyms, or artificial identifiers, but the process can be reversed to identify the original data, so it isn't the best choice. Tokenization doesn't protect identities but instead replaces data elements with a token, and the token can then be used in place of the original data element. Data minimization refers to data collection and requires organizations to limit the data they collect and use.
12. The Mapple organization is creating a help-desk team to assist employees with account issues. Members of this team need to create and modify user accounts and occasionally reset user passwords. Which of the following is the BEST way to accomplish this goal? A. Give each help-desk employee appropriate privileges individually. B. Add each member of the help-desk team to the administrator group within the domain. C. Add members of the help-desk team to a security group that has the appropriate privileges. D. Assign attributes to members of the help-desk team and give these attributes appropriate privileges.
12. C is correct. The best solution of the available choices is to add members of the help-desk team to a security group that has the appropriate privileges. Assigning permissions to users individually adds to the administrative workload. Giving members administrator privileges violates the principle of least privilege by giving them too many privileges. An attribute-based access control model can use attributes to grant access but would add to the administrative workload if done individually. See Chapter 2.
13. Your organization's security policy states that administrators should follow the principle of least privilege. Which of the following tools can ensure that administrators are following the policy? A. Account audits B. Risk assessment C. Vulnerability assessment D. Threat assessment
13. A is incorrect. Account audits verify users have the permissions they need for their job, and no more, which verifies the principle of least privilege is being followed. Risk, vulnerability, and threat assessments assess current risks. While they might verify the principle of least privilege is being followed, they do much more. See Chapter 3.
13. Investigations have shown that several recent security incidents originated after employees responded inappropriately to malicious emails. The IT department has sent out multiple emails describing what to do with these emails, but employees continue to respond inappropriately. The chief information officer has directed the Human Resources department to find and implement a solution that will increase user awareness and reduce these incidents. Which of the following would be the BEST solution? A. Offboarding B. Least privilege C. Gamification D. Role-based training
13. C is correct. Gamification uses various techniques to increase employee interaction, participation, and understanding of topics. This scenario indicates employees are responding to phishing emails and the IT department has been unsuccessful in getting them to respond to phishing emails appropriately. Offboarding is the process of removing an employee's access when they leave the company but firing employees isn't the best choice here. A principle of least privilege ensures employees have only enough rights and permissions to perform their job and can temporarily limit an attacker's access after a successful phishing attack, but it won't prevent an employee's actions. Role-based training gives users specific training based on their role, but this scenario doesn't indicate the problem is limited to any role.
14. Your organization is updating the data policy, and management wants to ensure that employees get training on their responsibilities based on their role. Which of the following BEST describes the responsibilities of data owners and indicates what training they need? A. Ensuring data is backed up in accordance with the data policy B. Ensuring data is classified and labeled correctly C. Complying with laws related to privacy D. Understanding common threats, such as malware and phishing attacks
14. B is correct. Owners are responsible for identifying the proper classification of data, ensuring it is labeled correctly, and ensuring security controls are implemented to protect the data. A data custodian (also called a data steward) is responsible for routine daily tasks such as backing up data. A data protection officer (DPO) is responsible for ensuring the organization is complying with relevant laws. End users need to be trained on common threats, such as malware and phishing attacks.
14. Lisa is responsible for managing and monitoring network devices, such as routers and switches, in your network. Which of the following protocols is she MOST likely to use? A. NAT B. SRTP C. SNMPv3 D. DNSSEC
14. C is correct. Simple Network Management Protocol version 3 (SNMPv3) is used to securely manage and monitor network devices. None of the other choices is related to managing and monitoring network devices. Network Address Translation (NAT) translates public IP addresses to private IP addresses and private addresses back to public. The Secure Real-time Transport Protocol (SRTP) secures voice and other streaming media transmissions. Domain Name System Security Extensions (DNSSEC) helps prevent DNS cache poisoning attacks. See Chapter 3.
15. Your organization's network looks like the following graphic and you've been asked to verify that Firewall 2 has the correct settings. All firewalls should enforce the following requirements: Use only secure protocols for remote management. Block cleartext web traffic. The following graphic shows the current rules configured in Firewall 2. Which rule, if any, should be changed in Firewall 2? A. HTTPS Outbound B. HTTP Outbound C. DNS D. Telnet E. SSH F. None. All rules are correct.
15. D is correct. The Telnet rule should be changed to block Telnet traffic. Telnet sends credentialed and other data in cleartext and should not be used. Secure Shell (SSH) encrypts traffic and should be used instead of Telnet. All other rules are correct. See Chapter 3.
15. Organizations that conduct business in the EU must have a position within the organization that can act as an independent advocate for the proper care and use of customer information. Which of the following BEST identifies this position? A. Data owner B. Data custodian C. Data processor D. Data protection officer
15. D is correct. The data protection officer (DPO) is a role identified in the General Data Protection Regulation (GDPR), and the GDPR specifies the person in this role needs to act as an independent advocate for customer information. Data owners are responsible for identifying the proper classification of data, ensuring it is labeled correctly, and ensuring security controls are implemented to protect the data. A data custodian (also called a data steward) is responsible for routine daily tasks such as backing up data. A data processor is any entity that uses and manipulates the data.
16. Your organization recently landed a contract with the federal government. Developers are fine-tuning an application that will process sensitive data. The contract mandates that all computers using this application must be isolated. Which of the following would BEST meet this need? A. Create a bastion host in a screened subnet. B. Implement a boundary firewall. C. Create an air-gapped network. D. Implement an IPS.
16. C is correct. An air-gapped network would best meet this need. An air gap indicates that the network is isolated from other networks with space or air. The application would be developed and compiled in this isolated network. All the other answers have a level of connectivity with the Internet and don't provide the best protection. A bastion host is a hardened server that can be accessed via the Internet and it may be directly on the Internet or within a screened subnet (sometimes called a demilitarized zone or DMZ). A boundary firewall (sometimes called a perimeter firewall) is placed at the edge of the network between the Internet and the internal network or within the screened subnet. An intrusion prevention system (IPS) is typically placed inline with traffic between the Internet and the internal network and attempts to detect and block attacks. See Chapter 3.
17. Your organization wants to increase security for VoIP and video teleconferencing applications used within the network. Which of the following protocols will BEST support this goal? A. S/MIME B. TLS C. SFTP D. SRTP
17. D is correct. The Secure Real-Time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for Voice over Internet Protocol (VoIP), video teleconferencing, and other streaming media applications. None of the other answers are related to VoIP or video teleconferencing. Secure/Multipurpose Internet Mail Extensions (S/MIME) secures email. The Transport Layer Security (TLS) protocol is used to encrypt data in transit but isn't the best choice for streaming media. Secure File Transfer Protocol (SFTP) is a secure implementation of FTP to transfer files. See Chapter 3.
18. Your organization hosts a web server accessed from employees within the network, and via the Internet. Management wants to increase its security. You are tasked with separating all web-facing traffic from internal network traffic. Which of the following provides the BEST solution? A. Screened subnet B. VLAN C. Firewall D. WAF
18. A is correct. A screened subnet (sometimes called a demilitarized zone, DMZ) is a buffered zone between a private network and the Internet, and it will separate the web server's web-facing traffic from the internal network. You can use a virtual local area network (VLAN) to group computers together based on job function or some other administrative need, but it is created in the internal network. A firewall does provide protection for the web server but doesn't necessarily separate the web-facing traffic from the internal network. A web application firewall (WAF) protects a web server from incoming attacks, but it does not necessarily separate Internet and internal network traffic. See Chapter 3.
19. Developers recently configured a new service on a server called GCGA1. GCGA1 is in a screened subnet and accessed by employees in the internal network, and by others via the Internet. Network administrators modified firewall rules to access the service. Testing shows the service works when accessed from internal systems. However, it does not work when accessed from the Internet. Which of the following is MOST likely configured incorrectly? A. The new service B. An ACL C. The GCGA1 server D. A VLAN
19. B is correct. The most likely problem of the available choices is that an access control list (ACL) is configured incorrectly. The server is in a screened subnet (sometimes called a demilitarized zone or DMZ) and the most likely problem is an incorrectly configured ACL on the border firewall (between the Internet and the screened subnet). The service is working when accessed by internal systems, so it isn't likely that it is the problem. Also, the GCGA1 server works for internal systems indicating it is working correctly. There isn't any indication a virtual local area network (VLAN) is in use. See Chapter 3.
2. Employees currently log in with their username and a password but management wants to increase login security by implementing smart cards. However, the IT department anticipates it will take a long time to purchase the necessary equipment and issue smart cards for everyone. You need to identify a solution that will provide comparable security until the smart cards are implemented. Which of the following is a compensating control that will meet these needs? A. Implement an account lockout policy. B. Increase password policy requirements. C. Implement a TOTP solution. D. Require users to change their password more
2. C is correct. A Time-based One-Time Password (TOTP) solution can be implemented as a compensating control. It can be implemented with hardware tokens or with an app on a smartphone. The smart cards provide two-factor authentication, so the compensating control should provide two-factor control, and TOTP fills that need. None of the other answers provides an additional factor of authentication. An account lockout policy locks out users after entering an incorrect password too many times. The password policy can be used to increase password security. Requiring users to change their password more often is in the password policy as password expiration. See Chapter 1.
2. Management recently decided to upgrade the organization's security policy. Among other items, they want to implement a policy that will reduce the risk of personnel within the organization colluding to embezzle company funds. Which of the following is the BEST choice to meet this need? A. AUP B. Training C. Mandatory vacations D. Background check
2. C is correct. Mandatory vacations help to reduce the possibility of fraud and embezzlement. An acceptable use policy informs users of company policies, and even though users sign them, they don't deter someone considering theft by embezzling funds. Training can help reduce incidents by ensuring personnel are aware of appropriate policies. A background check is useful before hiring employees, but it doesn't directly reduce risks related to employees colluding to embezzle funds.
20. Bart recently hooked up a switch incorrectly causing a switching loop problem, which took down part of an organization's network. Management wants to implement a solution that will prevent this from occurring in the future. Which of the following is the BEST choice to meet this need? A. Flood guard B. SNMPv3 C. SRTP D. RSTP
20. D is correct. Rapid Spanning Tree Protocol (RSTP) prevents switching loop problems and should be enabled on the switches to meet this need. While not available as a possible answer, the older Spanning Tree Protocol (STP) also provides loop protection. A flood guard on a switch helps prevent a media access control (MAC) flood attack. Simple Network Management Protocol version 3 (SNMPv3) is used to manage and monitor network devices. The Secure Real-time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for video and voice data. See Chapter 3.
21. A penetration tester has been hired to perform an assessment on the greatadministrator.com site. He used the nslookup command to perform some reconnaissance and received the following output: C:\>nslookup -querytype=mx greatadministrator.com Server: UnKnown Address: 192.168.1.1 Non-authoritative answer: gcgapremium.com MX preference = 20, mail exchanger = mx1.emailsrvr.com gcgapremium.com MX preference = 90, mail exchanger = mx2.emailsrvr.com Of the following choices, what BEST describes this output? A. The server named mx2.emailsrvr.com is the primary email server for this domain. B. The server named mx1.emailsrvr.com is the primary email server for this domain. C. The AAAA record is misconfigured for this domain. D. The SOA record is hiding the IP address of the domain. E. DNSSEC has not been enabled on this domain.
21. B is correct. The server named mx1.emailsrvr.com is the primary email server for this domain. The MX record indicates it is a mail server and the preference of 20 (compared with the preference of 90 for mx2) indicates it is the primary email server. A preference of 90 for mx2.emailsrvr.com is higher than 20 (the preference for mx1.emailsrvr.com) and indicates that mx2.emailsrvr.com is the backup email server. An AAAA record maps the IPv6 address to the hostname, but IPv6 is not indicated at all in this question. The start of authority (SOA) record includes information about the DNS zone and some of its settings, but it does not hide the domain's IP address. Domain Name System Security Extensions (DNSSEC) is a suite of extensions to DNS that helps prevent DNS cache poisoning, but the existence (or non-existence) of a DNSSEC record is not indicated in this question. See Chapter 3.
22. Which of the following is an example of a detective control? A. An IPS reconfigured to monitor traffic instead of blocking it B. A backup solution that includes off-site backups C. Security guards D. A cable lock
22. A is correct. An intrusion prevention system (IPS) is normally placed in line with traffic to block malicious traffic. However, it can be reconfigured to monitor traffic, effectively operating as an intrusion detection system (IDS). A backup solution is a corrective or recovery control. Security guards are preventive and deterrent controls. Cable locks are physical controls that prevent the theft of devices such as laptops. See Chapter 4.
23. Your organization is planning to implement a wireless network using WPA2 Enterprise. Of the following choices, what is required? A. An authentication server with a digital certificate installed on the authentication server B. An authentication server with DHCP installed on the authentication server C. An authentication server with DNS installed on the authentication server D. An authentication server with WPS running on the access point
23. A is correct. WPA2 Enterprise requires an 802.1x authentication server and most implementations require a digital certificate installed on the server. The network will likely have Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) services, but it isn't necessary to install them on the authentication server. Wi-Fi Protected Setup (WPS) makes it easier to set up wireless devices, but it isn't related to WPA2 Enterprise. See Chapter 4.
24. Bart was in a coffee shop going through emails and messages on his smartphone. He then started receiving several text messages promoting a political party and encouraging him to visit websites. After he left the coffee shop, he didn't receive any more messages. What does this describe? A. Bluesnarfing B. Bluejacking C. Malware D. WPS attack
24. B is correct. Bluejacking is the practice of sending unsolicited messages to other Bluetooth devices. It has a limited range of about 30 feet when sent from one mobile phone to another so the attacker couldn't send additional messages after he left. Bluesnarfing allows attackers to access data (including email contact lists) on a smartphone but the scenario only indicates the user is receiving unwanted messages. Malware would not stop after a person leaves a coffee shop. A Wi-Fi Protected Setup (WPS) attack attempts to discover an access point WPS PIN by guessing PIN numbers, but this is not related to smartphone messages. See Chapter 4.
25. Management within your organization wants employees to be able to access internal network resources from remote locations, including from their homes. Which of the following is the BEST choice to meet this need? A. NAC B. VPN C. IDS D. IPS
25. B is correct. A virtual private network (VPN) provides access to a private network over a public network such as the Internet via remote locations and is the best choice to meet this requirement. Network access control (NAC) methods can check VPN clients for health before allowing them access to the network, but it doesn't directly provide the access. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) protect networks but do not provide remote access. See Chapter 4.
26. Security experts want to reduce risks associated with updating critical operating systems. Which of the following will BEST meet this goal? A. Implement patches when they are released. B. Implement a change management policy. C. Use only trusted operating systems. D. Implement operating systems with secure configurations.
26. B is correct. A change management policy helps reduce risk associated with making any changes to systems, including updating them. Patches should be tested and evaluated before implementing them and implementing them when they are released sometimes causes unintended consequences. The use of a trusted operating system or operating systems with secure configurations doesn't address how they are updated. See Chapter 5.
27. Your organization has a segmented network used to process highly classified material. Management wants to prevent users from copying documents to USB flash drives from any computer in this network. Which of the following can be used to meet this goal? A. DLP B. HSM C. COPE D. SED
27. A is correct. A data loss prevention (DLP) solution can prevent users from copying documents to a USB drive. None of the other answers control USB drives. A hardware security module (HSM) is an external security device used to manage, generate, and securely store cryptographic keys. COPE (corporate-owned, personally enabled) is a mobile device deployment model. A self-encrypting drive (SED) includes the hardware and software to encrypt all data on the drive and securely store the encryption keys. See Chapter 5.
28. Your organization hosts an e-commerce website using a back-end database. The database stores product data and customer data, including credit card numbers. Which of the following is the BEST way to protect the credit card data? A. Full database encryption B. Full disk encryption C. Database column encryption D. File-level encryption
28. C is correct. Database column (or field) encryption is the best choice because it can be used to encrypt the fields holding credit card data, but not fields that don't need to be encrypted. Full database encryption and full disk encryption aren't appropriate because of the resources needed to encrypt everything compared with the security desire of protecting only the credit card data. File-level encryption isn't appropriate on a database and will often make it inaccessible to the database application. See Chapter 5.
29. The Springfield Nuclear Power Plant has created and maintains an online application used to teach the basics of nuclear physics. Only students and teachers in Springfield Elementary School can access this application via the cloud. What type of cloud service model is this? A. IaaS B. PaaS C. SaaS D. XaaS
29. C is correct. This is a Software as a Service (SaaS) model. The software is the online application and the cloud provider (the Springfield Nuclear Power Plant in this example) maintains it. Infrastructure as a Service (IaaS) provides customers with the hardware via the cloud. Customers are responsible for installing the operating system and any applications. Platform as a Service (PaaS) is a computing platform. Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS but this scenario clearly describes a SaaS model. See Chapter 5.
3. Lisa is a training instructor, and she maintains a training lab with 16 computers. She has enough rights and permissions on these machines to configure them as needed for classes. However, she does not have the rights to add them to the organization's domain. Which of the following choices BEST describes the reasoning for this? A. Least privilege B. MSA C. Diversity of training D. Offboarding
3. A is correct. When following the principle of least privilege, individuals have only enough rights and permissions to perform their job. Lisa needs to maintain the training lab, but there is no indication she needs to join the training lab computers to the domain. A measurement systems analysis (MSA) uses various methods to identify variations within a measurement process and is completely unrelated to this question. Diversity of training techniques refers to using different training techniques for end users. Offboarding is the process of removing employees' access when they leave the company but has nothing to do with the privileges of a training instructor.
3. You have configured a firewall in your network to block ICMP traffic. You want to verify that it is working as expected. Which of the following commands would you use? A. arp B. ipconfig C. route D. ping
3. D is correct. The ping command sends Internet Control Message Protocol (ICMP) echo requests and checks for ICMP echo replies. The Address Resolution Protocol (ARP) resolves IP addresses to media access control (MAC) addresses, and the arp command is used to view and manipulate the ARP cache. The ipconfig command displays the configuration of a NIC. The route command can be used to display and manipulate the routing table on computing systems. See Chapter 1.
30. Your organization has implemented a CYOD security policy. The policy mandates the use of security controls to protect the devices, and any data on them if they are lost or stolen. Which of the following would BEST meet this goal? A. Screen locks and GPS tagging B. Patch management and change management C. Screen locks and device encryption D. Full device encryption and XaaS
30. C is correct. Screen locks provide protection for lost devices by making it more difficult for someone to access the device. Device encryption protects the confidentiality of the data even if someone gets past the screen lock. Global Positioning System (GPS) tagging includes location information on pictures and other files but won't help protect a lost or stolen device. Patch management keeps devices up to date, and change management helps prevent outages from unauthorized changes. Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS. See Chapter 5.
31. Management within your company wants to implement a method that will authorize employee access to the network based on several elements. These elements include the employee's identity, location, the time of day, and the type of device used by the employee. Which of the following will BEST meet this need? A. Geofencing B. Containerization C. Tethering D. Context-aware authentication
31. D is correct. Context-aware authentication can authenticate a user and a mobile device using multiple elements, including identity, geolocation, time of day, and type of device. None of the other answers meets all the requirements of the question. A geofence creates a virtual fence, or geographic boundary, and can be used with context-aware authentication. Containerization isolates an application, protecting it and its data. Tethering allows one device to share its Internet connection with other devices. See Chapter 5.
32. Personnel should be able to run the BizzFadd app from their mobile devices. However, certain features should only be operational when employees are within the company's property. When an employee leaves the property, access to these features should be blocked. Which of the following answers provides the BEST solution to meet this goal? A. Geofencing B. Geolocation C. GPS tagging D. Containerization
32. A is correct. Geofencing can be used to create a virtual fence or geographic boundary, outlining the company's property. Geolocation is used to identify the location of an object, such as a mobile device. Geofencing will use geolocation to determine when a mobile device is within a geographic boundary, but geolocation without geofencing won't detect if a user is on the company's property. Global Positioning System (GPS) tagging adds geographic data (such as latitude and longitude data) to files indicating when the file was created and is unrelated to this question. Containerization runs applications in a container to isolate them. See Chapter 5.
33. A large city is using a SCADA system to manage a water treatment plant. City managers have asked IT personnel to implement security controls to reduce the risk of cybersecurity attacks against ICSs controlled by the SCADA system. Which of the following security controls would be MOST relevant to protect this system? A. DLP B. TPM C. FPGA D. NIPS
33. D is correct. A network intrusion prevention system (NIPS) is the most relevant security control of those listed to reduce risks related to cybersecurity attacks of the supervisory control and data acquisition (SCADA) system, or industrial control systems (ICSs) controlled by the SCADA system. The SCADA system should be within an isolated network, and the NIPS helps provide that isolation. A data loss prevention (DLP) system helps prevent loss of data but wouldn't protect a SCADA system from potential attacks. A Trusted Platform Module (TPM) is a hardware chip on a computer's motherboard that stores cryptographic keys used for encryption. A field programmable gate array (FPGA) is an integrated circuit that can be configured after it is sold and is unrelated to this question. See Chapter 5.
34. IT auditors have found several unmanaged VMs in a network. They discovered that these were created by administrators for testing but weren't removed after testing was completed. Which of the following should be implemented to prevent this in the future? A. A policy related to VM sprawl B. A policy related to VM escape protection C. A policy related to XAAS D. A policy related to SDNs
34. A is correct. Virtual machine (VM) sprawl occurs when an organization has many VMs that aren't managed properly, and a policy addressing VM sprawl can reduce or eliminate them. Unmonitored VMs often aren't updated and can be vulnerable to attacks. A policy related to VM escape protection addresses problems that allow successful VM escape protection attacks, such as not keeping VMs updated. Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS and is unrelated to VMs. A software-defined network (SDN) creates an infrastructure with code instead of hardware routers and switches and is unrelated to VMs. See Chapter 5.
35. Bart recently launched an attack on a company website using scripts he found on the Internet. Which of the following BEST describes Bart as a threat actor? A. Insider B. Hacktivist C. Script kiddie D. Shadow IT
35. C is correct. In this scenario, Bart is acting as a script kiddie because he is using existing scripts. An insider works for an organization, but there isn't any indication that Bart is an employee of the company he attacked. A hacktivist launches attacks as part of an activist movement, but this scenario doesn't indicate Bart's actions are trying to increase awareness about a cause. Shadow information technology (IT) refers to IT systems deployed by non-IT departments to get around shortcomings with IT systems deployed by a central IT department in a large organization. See Chapter 6.
36. The Marvin Monroe Memorial Hospital recently suffered a serious attack preventing employees from accessing any computer data. The attackers scattered ReadMe files throughout the network that appeared on user screens. They indicated that the attackers encrypted all the data, and it would remain encrypted until the attackers received a hefty sum as payment. Which of the following identifies the MOST likely threat actor in this attack? A. Criminal syndicate B. Ransomware C. Competitors D. Hacktivist
36. A is correct. Criminal syndicates most likely launched this attack because their motivation is primarily money. While the scenario describes ransomware, ransomware is the malware, not the threat actor. Competitors often want to obtain proprietary information, but it would be rare for a hospital competitor to put lives at risk by taking down a hospital's network and trying to extort money from another hospital. A hacktivist typically launches attacks to further a cause, not to extort money. See Chapter 6.
37. Gil Gunderson, a salesperson in your organization, received an email on his work computer that included a malicious link. After clicking the link, his computer was infected with malware. The malware was not detected by antivirus software installed on his computer, the organization's email server, or the organization's UTM appliance. After infecting his computer, the malware then searched the network and encrypted data in all the network shares that Gil could access. Which of the following BEST describes how this occurred? A. The malware represents a zero-day exploit. B. The antivirus software indicated false positives. C. The malware infection was the result of a backdoor. D. The principle of least privilege was not implemented.
37. A is correct. The malware is likely a zero-day attack because the malware was not detected by antivirus software, the email server, or the unified threat management (UTM) appliance. A zero-day exploit wouldn't be known by antivirus software, so it wouldn't detect it. A false positive occurs when antivirus software raises an alert indicating a file is malicious when it isn't. However, there isn't any indication that the antivirus software raised an alert. Malware often installs backdoors that allow attackers access to infected systems without user intervention, but the scenario indicates that Gil clicked the malicious link causing the infection. If the malware encrypted all network shares, it would indicate that Gil had too many permissions, and the principle of least privilege wasn't implemented. However, the scenario indicates that the malware only encrypted shares that Gil could access. See Chapter 6.
38. Logs on a web server show that it is receiving a significant number of SYN packets from multiple sources on the Internet, but it isn't receiving the corresponding ACK packets. Of the following choices, what is the MOST likely source of these packets? A. DDoS B. Ransomware C. Worm D. Bots
38. D is correct. These packets are most likely coming from bots within a botnet that are launching a distributed denial-of-service (DDoS) attack using a SYN flood attack. The attacker sends the SYN packet, the web server responds with the SYN/ACK packet, but the attacker never finished the TCP handshake with the ACK packet. While this is a DDoS attack, the question is asking for the likely source of the packets, not what type of attack is taking place. Ransomware would encrypt data on the system, not send packets to it. A worm is self-replicating malware that spreads throughout a network. See Chapter 6.
39. Management recently mandated that computer monitors be repositioned to ensure they cannot be viewed from outside any windows. Additionally, users are directed to place screen filters over their monitors. What is the purpose of this policy? A. Reduce success of phishing B. Reduce success of shoulder surfing C. Reduce success of dumpster diving D. Reduce success of prepending
39. B is correct. Shoulder surfing is the practice of viewing data by looking over someone's shoulder and it includes looking at computer monitors. Positioning monitors so that they cannot be viewed through a window and/or placing screen filters over the monitors reduces this threat. Phishing is an email attack. Dumpster diving is the practice of looking through dumpsters. Prepending simply means to add something to the beginning of something else, and social engineers often prepend queries with valid information to make their query seem valid. See Chapter 6.
4. Your organization includes a software development division within the IT department. One developer writes and maintains applications for the Sales and Marketing departments. A second developer writes and maintains applications for the Payroll department. Once a year, they switch roles for at least a month. What is the purpose of this practice? A. To enforce a separation of duties policy B. To enforce a mandatory vacation policy C. To enforce a job rotation policy D. To enforce an acceptable use policy
4. C is correct. This practice enforces a job rotation policy where employees rotate into different jobs, and it is designed to reduce potential incidents. A separation of duties policy prevents any single person from performing multiple job functions to help prevent fraud, but it doesn't force users to switch roles. A mandatory vacation policy requires employees to take time away from their job. An acceptable use policy informs users of their responsibilities when using an organization's equipment.
4. You need to reboot a database server. Before doing so, you need to verify it doesn't have any active network connections. Which of the following commands will BEST meet your needs? A. arp B. ipconfig C. hping3 D. netstat
4. D is correct. The netstat command displays active connections on a system. Arp displays information related to media access control (MAC) addresses. Ipconfig displays TCP/IP configuration information for wired and wireless network interface cards. The hping3 command is used to identify open and closed ports on remote systems. See Chapter 1.
40. Bart's supervisor told him to clean his desk to comply with the organization's clean desk space policy. While doing so, he threw several papers containing PII into the recycle bin. Which type of attack can exploit this action? A. SPIM B. Dumpster diving C. Shoulder surfing D. Tailgating
40. B is correct. Dumpster divers look through trash or recycling containers for valuable paperwork, such as documents that include Personally Identifiable Information (PII). Instead, paperwork should be shredded or incinerated. Spam over Internet messaging (SPIM) refers to unwanted text messages sent to mobile devices. Shoulder surfers attempt to view monitors or screens, not papers thrown into the trash or recycling containers. Tailgating is the practice of following closely behind someone else without using proper credentials. See Chapter 6.
41. Your organization's CFO recently received an email indicating the organization is being sued. More, the email names her specifically as a defendant in the lawsuit. It includes an attachment described as a subpoena and encourages her to open it for more information. Which of the following BEST describes the social engineering principle used by the sender in this scenario? A. Whaling B. Phishing C. Authority D. Consensus
41. C is correct. The sender is using the social engineering principle of authority in this scenario. A chief financial officer (CFO) would respect legal authorities and might be more inclined to open an attachment from such an authority. The scenario describes whaling, which is a specific type of phishing attack. However, whaling and phishing are attacks, not social engineering principles. The social engineering principle of consensus attempts to show that other people like a product, but this is unrelated to this scenario. See Chapter 6.
42. Users are complaining about intermittent connectivity with a web server. After examining the logs, you identify a large volume of connection attempts from public IP addresses. You realize these connection attempts are overloading the server, preventing it from responding to other connections. Which of the following is MOST likely occurring? A. DDoS attack B. DNS poisoning attack C. Replay attack D. ARP poisoning attack
42. A is correct. A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target's resources, and this scenario indicates multiple connection attempts from different IP addresses. A Domain Name System (DNS) poisoning attack attempts to redirect web browsers to malicious URLs. A replay attack doesn't overload a system but instead allows the attacker to intercept data and use it to impersonate a user or system. An Address Resolution Protocol (ARP) poisoning attack gives clients false hardware address updates, and attackers use it to redirect or interrupt network traffic. See Chapter 7.
43. An application on one of your database servers has crashed several times recently. Examining detailed debugging logs, you discover that just prior to crashing, the database application is receiving a long series of x90 characters. What is MOST likely occurring? A. SQL injection B. Buffer overflow C. XML injection D. Zero-day
43. B is correct. Buffer overflow attacks include a series of no operation (NOP) commands, such as hexadecimal 90 (x90). When successful, they can crash applications and expose memory, allowing attackers to run malicious code on the system. SQL injection attacks and Extensible Markup Language (XML) injection attacks do not use NOP commands. Zero-day attacks are unknown or undocumented, but attacks using NOP commands are known. See Chapter 7.
44. Your organization recently experienced a significant data breach. After an investigation, cybersecurity professionals found that the initial attack originated from an internally developed application. Normally users can only access the application by logging on. However, the application allowed the attacker access to the application without requiring the attacker to log on. Which of the following would have the BEST chance of preventing this attack? A. Code review B. Backdoor C. DDoS protection D. Keylogger
44. A is correct. A code review would have the best chance of preventing this attack. The scenario describes a backdoor in the internally developed application, but the backdoor is a vulnerability that allowed the attack and won't prevent the attack. Distributed denial of service (DDoS) protection can help thwart DDoS attacks, but there's no indication that this is a DDoS attack. A keylogger logs keystrokes of users so would not prevent an attack. See Chapter 7.
45. A software development process merges code changes from developers working on a project several times a day. It uses automation to validate the code and tracks changes using version control processes. Which of the following BEST describes this process? A. Continuous integration B. Continuous validation C. Continuous delivery D. Continuous monitoring .
45. A is correct. This describes continuous integration, which merges changes from multiple developers and uses version control processes to track the changes. Continuous validation revalidates code after every change and is frequently part of CI, but continuous validation by itself doesn't include version control. Continuous delivery comes after CI and provides an automated process that delivers changes to a testing or staging environment. Continuous monitoring monitors code changes to detect compliance issues and security threats. See Chapter 7.
46. Martin is performing a risk assessment. He is trying to identify the number of times a specific type of incident occurred in the previous year. Which of the following BEST identifies this? A. ALE B. ARO C. SLE D. RPO
46. B is correct. The annual rate of occurrence (ARO) is the best choice to identify how many times a specific type of incident occurs in a year. Annual loss expectancy (ALE) identifies the expected monetary loss for a year and single loss expectancy (SLE) identifies the expected monetary loss for a single incident. ALE = SLE × ARO and if you know any two of these values, you can identify the third value. For example, ARO = ALE / SLE. The recovery point objective (RPO) identifies a point in time where data loss is acceptable, but it doesn't refer to the number of times an incident occurred. See Chapter 8.
47. Lisa recently received a security advisory. She's using it to review logs and looking for activity mentioned in the security advisory. Which of the following BEST describes what she is doing? A. Creating OSINT B. Threat hunting C. Penetration testing D. Performing reconnaissance
47. B is correct. Threat hunting is the process of actively looking for threats within a network, and security advisories provide information on threats, including their tactics, techniques, and procedures (TTPs). Security advisories are one type of open source intelligence (OSINT) used in threat hunting, but she is reading the OSINT, not creating it. Penetration testing actively assesses deployed security controls within a system or network. It is much more than reviewing logs. Reconnaissance methods attempt to learn as much as possible about a target, but Lisa is examining her own network. See Chapter 8.
48. You recently completed a vulnerability scan on your network. It reported that several servers are missing key operating system patches. However, after checking the servers, you've verified that the servers have these patches installed. Which of the following BEST describes this? A. False negative B. Misconfiguration on servers C. False positive D. Non-credentialed scan
48. C is correct. In this scenario, the vulnerability scanner reported a false positive indicating that the servers had a vulnerability, but the servers did not have the vulnerability. A false negative occurs if a vulnerability scanner does not report a known vulnerability. There isn't any indication that the servers are misconfigured. The scenario doesn't indicate if the scan was run under an account's context (credentialed or non-credentialed), so this answer isn't relevant to the question. See Chapter 8.
49. An external security auditor recently completed a security assessment. He discovered that a system has a vulnerability that two previous security assessments detected. Which of the following BEST explains this? A. The scanner is reporting a false negative. B. The vendor has not created a security patch. C. The scans ran as credentialed scans. D. The system is misconfigured.
49. B is correct. If a vendor has not created a patch for a known vulnerability, vulnerability scanners will report the vulnerability (assuming they know about the vulnerability). False negatives are not reported so they will not appear in a vulnerability scanner's output. If scans are reporting the same vulnerability, it may be because a non-credentialed scan is reporting incorrect results, but a credentialed scan is more accurate than a non-credentialed scan. There isn't any indication that the system is misconfigured. See Chapter 8.
5. Your organization recently suffered a costly malware attack. Management wants to take steps to prevent damage from malware in the future. Which of the following phases of common incident response procedures is the BEST phase to address this? A. Preparation B. Identification C. Containment D. Eradication
5. A is correct. The preparation phase is the first phase of common incident response procedures and attempts to prevent security incidents. Incident identification occurs after a potential incident occurs and verifies it is an incident. Containment attempts to limit the damage by preventing an incident from spreading, but it doesn't prevent the original incident. Eradication attempts to remove all malicious elements of an incident after it has been contained. All six steps in order are preparation, identification, containment, eradication, recovery, and lessons learned.
5. You are troubleshooting an issue with the ycda application hosted on a Linux system. You suspect that the issue is caused when performing a specific function. You execute the function and see a generic error message. You now want to view the detailed error logged in the messages file. Which of the following commands would be the BEST choice to use? A. head B. tail C. chmod D. logger
5. B is correct. The tail command shows the last 10 lines (by default) of a log file and, in this scenario, is the best choice to show a recent error message. The head command shows the beginning lines in a log file and is unlikely to display recent error messages. You would use the chmod command (short for change mode) to change permissions on files and directories. The logger command is used to add entries into the syslog file. See Chapter 1.
50. Your organization regularly performs training in the form of a game mimicking an exercise. One team oversees the exercise, sets the rules, and identifies the rules of engagement. Another team uses known TTPs to exploit vulnerabilities within the rules of engagement. You are on a team dedicated to defending resources. Which of the following BEST describes your role? A. A member of the red team B. A member of the blue team C. A member of the purple team D. A member of the white team
50. B is correct. A blue team defends and since you are on a team dedicated to defending resources, you are a member of the blue team. A red team attacks and they often use known tactics, techniques, and procedures (TTPs) of attackers to simulate actual attacks. A purple team is a group of people who can perform on either a red team or a blue team. The white team overseas the exercise, sets the rules, and identifies the rules of engagement. See Chapter 8.
51. You are running a vulnerability scanner with an access level that gives it the best chance of detecting vulnerabilities. Which of the following BEST describes the type of scan you are running? A. Non-credentialed scan B. A port scan C. A non-intrusive scan D. Credentialed scan .
51. D is correct. A credentialed scan runs with a high level of access and is better at detecting vulnerabilities than a non-credential scan. A non-credentialed scan runs without any account privileges. A port scan detects open ports on a server. Vulnerability scanners are generally non-intrusive, but this doesn't give a scanner any specific access level. See Chapter 8.
52. You suspect that an attacker has been sending specially crafted TCP packets to a server trying to exploit a vulnerability. You decide to capture TCP packets being sent to this server for later analysis and you want to use a command-line tool to do so. Which of the following tools will BEST meet your need? A. Tcpreplay B. Tcpdump C. Netcat D. Wiredump
52. B is correct. The tcpdump command-line tool is the best choice of the given answers. It is a command-line packet analyzer (or protocol analyzer) and its primary purpose is to capture packets. Tcpreplay is a suite of utilities used to edit packet captures and resend them, not capture packets. Netcat is useful for remotely accessing systems and can be used for banner grabbing, but it doesn't capture packets. Wiredump isn't a valid tool name. Wireshark (not included as an answer choice) is a graphic-based packet analyzer that can be started from the command line, but tcpdump includes more command-line options than Wireshark. See Chapter 8.
53. Your company wants to control access to a restricted area of the building by adding an additional physical security control that includes facial recognition. Which of the following provides the BEST solution? A. Bollards B. Guards C. Retina scanners D. Cameras
53. B is correct. Security guards can protect access to restricted areas with facial recognition and by checking the identities of personnel before letting them in. In some cases, the guards might recognize people, and in other situations, they might compare people's faces with their security badge. None of the other answers use facial recognition. Bollards are effective barricades to block vehicles, but they do not block personnel. Retina scanners are effective biometric access devices, but they only scan part of the eye, not the whole face. Cameras can monitor who goes in and out of an area, but they do not control the access. See Chapter 9.
54. Thieves recently rammed a truck through the entrance of one of your organization's buildings in the middle of the night. They then proceeded to steal a significant amount of IT equipment. Which of the following choices can prevent this from happening again? A. Bollards B. Guards C. CCTV D. Alarms
54. A is correct. Bollards are effective barricades that can block vehicles. Guards can restrict access for personnel, but they cannot stop trucks from ramming through a building. Closed-circuit television (CCTV) or a similar video surveillance system can monitor the entrance, but it won't stop the attack. Alarms can go off after the truck rams through the entrance, but they won't stop the attack. See Chapter 9.
55. Fileserver1 hosts several files accessed by users in your organization, and it's important that they can always access these files. Management wants to implement a solution to increase cybersecurity resilience. Which of the following is the LOWEST cost solution to meet this requirement? A. Active/active load balancing B. Active/passive load balancing C. RAID D. Warm site
55. C is correct. A redundant array of inexpensive disks (RAID) subsystem is a relatively low-cost solution for disks' fault tolerance. By providing fault tolerance, it increases availability and resilience. Load balancing (active/active and active/passive) requires additional servers, which are significantly more expensive than RAID. A warm site is a separate location, which can also be expensive. See Chapter 9. .
56. You need to identify and mitigate potential single points of failure in your organization's security operations. Which of the following policies would be the BEST choice to help you find them? A. A disaster recovery plan B. A business impact analysis C. Annualized loss expectancy D. Separation of duties
56. D is correct. A separation of duties policy is the best answer. In this context, if only one person can perform tasks within the organization's security operations, that person becomes a single point of failure. None of the other answers address a single point of failure. A disaster recovery plan (DRP) identifies how to recover critical systems and data after a disaster. A business impact analysis (BIA) helps an organization identify critical systems and components. An annualized loss expectancy (ALE) identifies the expected annual loss from a known risk. See Chapter 9.
57. Compu-Global-Hyper-Mega-Net hosts a website selling digital products. Marketing personnel have launched several successful sales. The server has been overwhelmed, resulting in slow responses from the server, and lost sales. Management wants to implement a solution that will provide cybersecurity resilience. Which of the following is the BEST choice? A. Managed PDUs B. Certificates C. Web application firewall D. Load balancing
57. D is correct. Load balancing shifts the load among multiple servers and provides cybersecurity resilience by increasing the site's availability by adding additional nodes when necessary. Managed power distribution units (PDUs) are used to remotely monitor energy consumption in a data center. Certificates can be used for identity, authentication, confidentiality, and integrity but won't provide resilience due to overloading resources on a server. A web application firewall helps protect a web server against attacks, but it does not increase availability from normal client requests. See Chapter 9.
58. The backup policy for a database server states that the amount of time needed to perform backups should be minimized. Which of the following backup plans would BEST meet this need? A. Full backups on Sunday and full backups on the other six days of the week B. Full backups on Sunday and differential backups on the other six days of the week C. Full backups on Sunday and incremental backups on the other six days of the week D. Differential backups on Sunday and incremental backups on the other six days of the week
58. C is correct. A full/incremental backup strategy is the best option with one full backup on one day and incremental backups on the other days. The incremental backups will take a relatively short time compared with the other methods. A full backup every day would require the most time every day. Differential backups become steadily larger as the week progresses and take more time to back up than incremental backups. Backups must start with a full backup, so a differential/incremental backup strategy is not possible. See Chapter 9. .
59. A security analyst is creating a document that includes the expected monetary loss from a major outage. She is calculating the potential impact on life, property, finances, and the organization's reputation. Which of the following documents is she MOST likely creating? A. BCP B. BIA C. MTBF D. RPO
59. B is correct. A business impact analysis (BIA) includes information on potential monetary losses along with information on essential and critical functions, recovery plans, and more. It is the most likely document of those listed that would include this information. A business continuity plan (BCP) includes a BIA, but the BIA is more likely to include this information than the BCP. The mean time between failures (MTBF) provides a measure of a system's reliability. The recovery point objective (RPO) refers to the amount of data you can afford to lose, but it does not include monetary losses. See Chapter 9.
6. Lisa is installing an application named gcga.exe on a Linux server. The documentation indicates that the application should be installed with the following permissions: The owner of the application should have read, write, and execute permissions. The owner group of the application should have read and execute permissions. All other users should not have any permissions for the application. Which of the following commands should be used to meet these requirements? A. chmod 067 gcga.exe B. chmod 661 gcga.exe C. chmod 760 gcga.exe D. chmod 770 gcga.exe
6. C is correct. The chmod 760 gcga.exe should be used. The 7 (in 760) gives read, write, and execute permissions to the owner. The 6 (in 760) gives read and execute permissions to the owner group. The 0 (in 760) ensures that everyone else has no permissions. The 0 (in 067) denies read, write, and execute permissions for the owner, and the 7 (in 067) grants read, write, and execute permissions for everyone. The first 6 (in 661) grants only read and write permissions but not execute permissions to the owner. The second 7 (in 770) grants read, write, and execute permissions for the owner group, but the scenario says that only read and execute permissions should be granted for this group. See Chapter 1.
6. An incident response team is following typical incident response procedures. Which of the following phases is the BEST choice for analyzing an incident to identify steps to prevent a reoccurrence of the incident? A. Preparation B. Identification C. Eradication D. Lessons learned
6. D is correct. You should analyze an incident during the lessons learned phase of incident response to identify steps to prevent reoccurrence. Preparation is a planning step done before an incident, to prevent incidents and identify methods to respond to incidents. Identification is the first step after hearing about a potential incident to verify it is an incident. Eradication attempts to remove all malicious elements of an incident after containing it.
60. You are helping a risk management team update the business impact analysis for your organization. For one system, the plan requires an RTO of five hours and an RPO of one day. Which of the following would meet this requirement? A. Ensure the system can be restored within five hours and ensure it does not lose more than one day of data. B. Ensure the system can be restored within one day and ensure it does not lose more than five hours of data. C. Ensure the system can be restored between five hours and one day after an outage. D. Ensure critical systems can be restored within five hours and noncritical systems can be restored within one day.
60. A is correct. The recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage. The recovery point objective (RPO) refers to the amount of data you can afford to lose. RTO only refers to time, not data. RPO refers to data recovery points, not time to restore a system. See Chapter 9.
61. Marge is updating the business impact analysis (BIA) for your organization. She needs to document the time needed to return a database server to an operational state after a failure. Which of the following terms would she use? A. MTTR B. MTBF C. SLE D. ARO
61. A is correct. The mean time to recover (MTTR) identifies the average time (the arithmetic mean) it takes to restore a failed system and is commonly used when preparing a business impact analysis (BIA). The mean time between failures (MTBF) identifies the average (the arithmetic mean) time between failures. The single loss expectancy (SLE) identifies the cost of any single loss. The annual rate of occurrence (ARO) identifies how many times a loss is expected to occur in a year. Multiplying SLE * ARO identifies the annual loss expectancy (ALE). See Chapter 9. on.
62. Lisa needs to transmit PII via email and she wants to maintain its confidentiality. Which of the following choices is the BEST solution? A. Use hashes. B. Encrypt it before sending. C. Protect it with a digital signature. D. Use RAID.
62. B is correct. Encryption is used to maintain confidentiality of any data, including Personally Identifiable Information (PII) with encryption. Hashes provide integrity, not confidentiality. A digital signature provides authentication, non-repudiation, and integrity. A redundant array of inexpensive disks (RAID) provides higher availability for a disk subsystem. See Chapter 10.
63. Employees in your organization recently received an email that appeared to come from your organization's CEO. The email mentioned that IT personnel were troubleshooting an authentication issue and needed employees to reply to the email with their credentials. Several employees responded with their credentials. This was a phishing campaign created for user training, and it spoofed the CEO's email. Executives want to ensure that employees have proof that any emails that appear to be coming from the executives, did come from them. Which of the following should be implemented? A. Digital signatures B. Spam filter C. Role-based training D. Heuristic-based detection
63. A is correct. A digital signature provides assurances of who sent an email and meets the goal of this scenario. Although a spam filter might filter a spear phishing attack, it does not provide assurances about who sent an email. Role-based training provides targeted training for employees based on their roles, but any type of training wouldn't provide assurances about who sent an email. Some antivirus software includes heuristic-based detection. Heuristic-based detection attempts to detect viruses that were previously unknown and do not have virus signatures. See Chapter 10.
64. As an administrator, you receive an antivirus alert from a server in your network indicating one of the files has a hash of known malware. The file was pushed to the server from the organization's patch management system and is scheduled to be applied to the server early the next morning. The antivirus software indicates that the file and hash of the malware on the server are: File: gcga_upgrade.exe Hash: bd64571e26035d95e5e9232b4aff b915 Checking the logs of the patch management system, you see the following information: **Status Update Name Hash** Pushed gcga_upgrade.exe b815571e26035d95e5e9232b4aff48db Which of the following indicates what MOST likely occurred? A. The file was infected after it was pushed out to the server. B. The file was embedded with crypto-malware before it was pushed to the server. C. The file was listed in the patch management system's blacklist. D. The file was infected when the patch management system downloaded it.
64. A is correct. Of the given choices, the file was most likely infected after it was pushed out to the server. This is because the hash of the file is different on the server than it is on the patch management system. The scenario doesn't indicate what type of infection the malware has, so it isn't possible to tell if it is crypto-malware or another type of malware. A blacklist blocks files so if the file were listed in the patch management system's blacklist, the patch management system wouldn't push it out to systems. If it were infected before it was pushed out to the server, it would have the same hash. See Chapter 10.
65. Tony hid several plaintext documents within an image file. He then sent the image file to Louie. Which of the following BEST describes the purpose of his actions? A. To support steganography B. To support integrity C. To support resilience D. To support obfuscation
65. D is correct. Hiding data within data is one way to support a use case of supporting obfuscation and Tony is attempting to send the text files within the image file to obscure his intent. In this scenario, Tony is using steganography to hide the files within the image, but that is the method, not the purpose. Hashing methods and digital signatures support integrity. Redundancy and fault-tolerance methods increase availability supporting resiliency. See Chapter 10.
66. Lisa and Bart need to exchange emails over the Internet using a nonsecure channel. These emails need to provide non-repudiation. They decide to use certificates on each of their computers. What would they use to sign their emails? A. CRL B. OCSP C. CSR D. CA E. DSA
66. E is correct. A Digital Signature Algorithm (DSA) is used to create a digital signature and they would sign their emails with a digital signature. A certificate revocation list (CRL) is a list of revoked certificates. Online Certificate Status Protocol (OCSP) is an alternative to a CRL and provides a real-time response indicating the validity of a certificate. The certificate signing request (CSR) is used to request a certificate. A certificate authority (CA) manages certificates and would sign certificates issued to users. A certificate is needed to create a digital signature, but the certificate itself can't sign an email. See Chapter 10.
67. Administrators have noticed a significant amount of OCSP traffic sent to an intermediate CA. They want to reduce this traffic. Which of the following is the BEST choice to meet this need? A. Pinning B. Digital signatures C. Stapling D. Hashing
67. C is correct. Online Certificate Status Protocol (OCSP) stapling reduces OCSP traffic sent to a certificate authority (CA). Certificate presenters append a timestamped, digitally signed OCSP response to a certificate. Public key pinning includes a list of public key hashes in HTTPS responses from the web server. While pinning helps validate certificates, it is unrelated to OCSP. Neither digital signatures (used for non-repudiation) nor hashing (used for integrity) will reduce OCSP traffic. See Chapter 10.
68. A company is hosting an e-commerce site that uses certificates for HTTPS. Management wants to ensure that users can verify the validity of these certificates even if elements of the Internet suffer an extended outage. Which of the following provides the BEST solution? A. OCSP B. PEM C. SAN D. CRL
68. D is correct. A certificate revocation list (CRL) provides the best solution in this scenario. After a CRL is retrieved, systems hold a copy of it in cache. Instead of downloading the same CRL every time a system needs to validate a certificate, they just look at the cached copy of the CRL. Online Certificate Status Protocol (OCSP) is an alternative to a CRL and provides a real-time response to validate certificates. Because OCSP responds in real time, it is susceptible to Internet outages. Privacy enhanced mail (PEM) certificates are not used to validate other certificates. A subject alternative name (SAN) certificate is used for multiple domains that have different names but are owned by the same organization. See Chapter 10.
69. A security auditor discovered that several employees in the Accounting department can print and sign checks. In her final report, she recommended restricting the number of people who can print checks and the number of people who can sign them. She also recommended that no one should be authorized to both print and sign checks. Which security policy does this describe? A. Discretionary access control B. Rule-based access control C. Separation of duties D. Job rotation
69. C is correct. This recommendation enforces the separation of duties principle, which prevents any individual person from performing multiple job functions that might allow the person to commit fraud. Discretionary access control specifies that every object has an owner but doesn't separate duties. Devices such as routers use a rule-based access control model, but it doesn't separate duties. Job rotation rotation policies rotate employees into different jobs, but they don't necessarily separate job functions. See Chapter 11.
7. Homer is not able to access any network resources from his Linux-based computer. Which of the following commands would he use to view the network configuration of his system? A. ifconfig B. ipconfig C. netstat D. tracert
7. A is correct. The ifconfig command displays network settings on a Linux computer. This includes the IP address, subnet mask, and default gateway assigned to the network interface card (NIC). The ipconfig command performs similar checks on Windows computers but not on Linux systems. Netstat shows network statistics and active connections but not the network settings. The tracert command traces the route between systems on a network and can help determine which network devices are failing. See Chapter 1.
7. After a recent cybersecurity incident resulting in a significant loss, your organization decided to create a security policy for incident response. Which of the following choices is the BEST choice to include in the policy when an incident requires confiscation of a physical asset? A. Ensure hashes are taken first. B. Maintain the order of volatility. C. Keep a record of everyone who took possession of the physical asset. D. Require interviews of all witnesses present when the asset is confiscated.
7. C is correct. It's important to keep a chain of custody for any confiscated physical items, and the chain of custody is a record of everyone who took possession of the asset after it was first confiscated. Hashes should be taken before capturing an image of a disk, but hashes are not required before confiscating equipment. Security personnel should be aware of the order of volatility and protect volatile data, but there isn't any way to maintain the order of volatility. It's important to perform interviews of anyone who observed the incident, but it isn't necessary to interview people who were present when the asset is confiscated.
70. Bart recently resigned and left your organization. Later, IT personnel determined that he deleted several files and folders on a server share after he left the organization. Further, they determined that he did so during the weekend while the organization was closed. Which of the following account management practices would have prevented his actions? A. Onboarding B. Time-of-day restrictions C. Account audit D. Offboarding
70. D is correct. Offboarding is the process of removing an employee's access when he leaves the organization, and this is typically done during the exit interview. Because the employee deleted the files and shares after he left the organization, it indicates offboarding processes were not performed. Onboarding is the process of granting appropriate access to employees when they are first hired. Time-of-day restrictions might have prevented the employee from accessing resources during the weekend while the organization was closed. However, there isn't any indication that the organization wanted to restrict employees from accessing resources during off-hours. An account audit might have identified the account but not as quickly as offboarding processes done during an exit interview. Additionally, audits are typically done periodically, such as monthly. See Chapter 11.
71. Your organization hired a third-party security professional to assess vulnerabilities. The security professional discovered a server was running an application that hasn't been updated for eight years. Management decided to keep the application online because there isn't a newer version from the vendor. Which of the following BEST describes why the application doesn't have a newer version? A. MSA B. AUP C. MSSP D. EOL
71. D is correct. When a system reaches its end of life (EOL), a vendor no longer offers it for sale, and the vendor stops releasing updates for it. This scenario indicates management has weighed the risks and decided to keep the application. While not available as a possible answer, end of service life (EOSL) would be more specific. EOSL is the date when a vendor no longer supports a product and would no longer create patches or upgrades. The other answers are unrelated to the question. Measurement systems analysis (MSA) evaluates processes and tools used to make measurements. An acceptable use policy (AUP) defines proper system usage for employees when using IT systems. A managed security service provider (MSSP) is a third-party vendor that provides security services for smaller companies. See Chapter 11.
72. A help-desk professional has begun to receive several calls from employees related to malware. Using common incident response procedures, which of the following should be her FIRST response to these calls? A. Preparation B. Identification C. Eradication D. Recovery
72. B is correct. At this stage, the first response is incident identification. The preparation phase is performed before an incident and includes steps to prevent incidents. After identifying this as a valid incident (malware infection), the next steps are containment, eradication, recovery, and lessons learned. See Chapter 11.
73. Homer reported suspicious activity on his computer. After investigating, you verify that his computer is infected with malware. Which of the following steps should you take NEXT? A. Identification B. Preparation C. Containment D. Eradication
73. C is correct. After identifying an incident, the next step is containment. The scenario indicates you have identified the incident as a malware infection. Preparation is the first step in an incident response process. Eradication attempts to remove all elements of the incident after first containing it. The last two steps in the incident response process are recovery and lessons learned. See Chapter 11.
74. Security personnel confiscated Bart's workstation after a security incident. Administrators removed the hard drive for forensic analysis but were called away to troubleshoot an outage before capturing an image of the drive. They left it unattended for several hours before returning to begin their analysis. Later, legal personnel stated that the analysis results would not be admissible in a court of law. What is the MOST likely reason for the lack of admissibility? A. Witnesses were not identified. B. A chain of custody was not maintained. C. An order of volatility was not maintained. D. A hard drive analysis was not complete.
74. B is correct. A chain of custody was not maintained because the hard drive was left unattended for several hours before capturing an image. Witnesses were not mentioned but are not needed for the hard drive if the chain of custody was maintained. The order of volatility does not apply here, but the hard drive is not volatile. Analysis would occur after capturing an image, but there isn't any indication it wasn't done or wasn't complete. See Chapter 11.
75. Your organization is involved in a lawsuit, and a judge issued a court order requiring your organization to keep all emails from the last three years. Your data retention policy states that email should only be maintained from the previous 12 months. After investigating, administrators realize that backups contain emails from the last three years. What should they do with these backups? A. Backups older than 12 months should be deleted to comply with the data retention policy. B. Backups for the last 12 months should be protected to comply with the legal hold. C. Backups for the last two years should be protected to comply with the legal hold. D. Backups for the last three years should be protected to comply with the legal hold.
75. D is correct. The court order specified a legal hold on email from the last three years, so all the backups for the last three years should be kept. If the backups had been destroyed before the court order, they wouldn't be available, so the legal hold wouldn't apply to them. Deleting them after the court order is illegal. Protecting only the backups from the last 12 months or the last two years doesn't comply with the court order. See Chapter 11.
8. A forensic analyst was told of a suspected attack on a Virginia-based web server from IP address 72.52.230.233 at 01:23:45 GMT. However, after investigating the logs, he doesn't see any traffic from that IP at that time. Which of the following is the MOST likely reason why the analyst was unable to identify the traffic? A. He did not account for the time offset. B. He did not capture an image. C. The IP address has expired. D. The logs were erased when the system was rebooted.
8. A is correct. The most likely reason is that he did not account for the time offset. The attack occurred at 01:23:45 Greenwich Mean Time (GMT), which is the same time in London (except when daylight savings time starts). The web server is in the Eastern Standard Time (EST) zone in Virginia, which is five hours different from GMT. There is no need to capture an image to view logs. IP addresses on the Internet do not expire. Logs are written to a hard drive or a central location; they are not erased when a system is rebooted.
8. Management wants to increase security for any users accessing the network with a VPN. They plan to implement a method that will require users to install an application on their smartphones. This application will generate a key that they'll have to enter in addition to their username and password. What is the BEST description of this added authentication method? A. Something you know B. Something you have C. Something you are D. Something you can do
8. B is correct. This is in the something you have factor of authentication. Users are required to have a smartphone with the authentication application installed. The application generates a key of numbers, users don't know this key until the application generates it. Biometrics are in the something you are factor, but biometric methods aren't mentioned. Something you can do refers to a user's actions, such as making gestures on a screen. See Chapter 2.
9. Homer called the help desk complaining his computer is giving random errors. Cybersecurity professionals suspect his system is infected with malware and decide to use digital forensic methods to acquire data on his system. Which of the following following should be collected before turning the system off? (Choose TWO.) A. Image of disk B. RAM C. OS D. ROM E. Cache
9. B and E are correct. Random access memory (RAM) and cache are the most volatile of the items listed and should be collected before the system is turned off. You can collect an image of the disk and the operating system (OS) after it is powered off. Read only memory (ROM) will be retained even when the power is removed. While the swap/pagefile is not listed, it should also be collected. If the system is turned back on after it is turned off, the swap/pagefile will be overwritten.
9. Users normally log on using a smart card, a username, and a password. Management wants administrators to use a third factor of authentication. Which of the following will meet this need? A. PIN B. Token C. Fingerprints D. Push notification
9. C is correct. Fingerprints are in the something you are factor of authentication and will meet this need. All the other answers are in either the something you have factor (already used by the smart card) or the something you know factor (already used by the password). A personal identification number (PIN) is in the something you know factor. Tokens and push notifications are in the something you have factor. See Chapter 2.