Jason Dion - Test 1


Which of the following cryptographic algorithms is classified as asymmetric? 1) DSA 2) DES 3) RC4 4) AES

1) DSA OBJ-6.2: The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures. The algorithm uses a key pair consisting of a public key and a private key. AES, RC4, and DES are all symmetric algorithms.

A macOS user is browsing the internet in Google Chrome when they see a notification that says, "Windows Enterprise Defender: Your computer is infected with a virus, please click here to remove it!" What type of threat is this user experiencing? 1) Rogue anti-virus 2) Worm 3) Pharming 4) Phishing

1) Rogue anti-virus OBJ-1.2: Rogue anti-virus is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and into paying money for a fake malware removal tool (which actually introduces malware to the computer). It is a form of scareware that manipulates users through fear, and it is also a form of ransomware. Since the alert is being displayed on a macOS system but appears to be meant for a Windows system, it is obviously a scam or fake alert and most likely a rogue anti-virus attempting to infect the system.

Which of the following is not normally part of an endpoint security suite? 1) VPN 2) IPS 3) Antivirus 4) Software Firewall

1) VPN OBJ-2.1: Endpoint security includes software host-based firewalls, host-based intrusion prevention systems (HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is a network security tool.

Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated? 1) WAF 2) IPS 3) Vulnerability scanning 4) Encryption

1) WAF OBJ-3.2: A WAF (web application firewall) is the best option since it can serve as a compensating control and protect against web application vulnerabilities like SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue; therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping SQL injection. An IPS is designed to protect network devices based on ports, protocols, and signatures. It would not be effective against SQL injection and is not considered a compensating control for this vulnerability.

Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring? 1) 443 2) 23 3) 25 4) 110

2) 23 OBJ-2.6: Port 23 is used by telnet, which was historically used by administrators to connect remotely to a server and issue commands via a command-line interface. Telnet is not commonly used in networks anymore because all of the commands sent back and forth to the server are passed without any encryption or protection. Therefore, telnet is a security risk and has been mostly replaced by SSH (port 22). Port 25 is used by SMTP, port 110 is used by POP3, and port 443 is used by HTTPS.

You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first? 1) Image of the server's SSD 2) L3 cache 3) ARP cache 4) Backup tapes

2) L3 cache OBJ-5.5: When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin by collecting the CPU registers and cache memory (L1/L2/L3/GPU). Next comes the contents of system memory (RAM), including the routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Then you would move on to the collection of data storage devices like hard drives, SSDs, and flash memory devices. After that, you would move on to less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.

What type of malicious application does not require user intervention or another application to act as a host to replicate? 1) Virus 2) Macro 3) Worm 4) Trojan

3) Worm OBJ-1.1: A worm is a self-replicating type of malware that does not require user intervention or another application to act as a host for it to replicate. Viruses and Macros require user intervention to spread, and Trojans are hosted within another application that appears harmless.

Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role? 1) IaaS 2) PaaS 3) SaaS 4) MSSP

4) MSSP OBJ-3.7: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the exam scope. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

A software assurance test analyst performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing? 1) Known bad data injection 2) Sequential data sets 3) Static code analysis 4) Fuzzing

4) Fuzzing OBJ-3.6: Fuzzing is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), failing built-in code assertions, or potential memory leaks. Dynamic code analysis relies on studying how the code behaves during execution. Fuzzing is a specific type of dynamic code analysis, making it the better answer to this question. Static code analysis is a method of debugging by examining source code before a program is run. Known bad data injection is a technique where data known to cause an exception or fault is entered as part of the testing/assessment. With known bad data injection, however, you would not use randomly generated data sets.

You are working as a help desk technician and receive a call from a user who complains that their computer's performance has slowed down over the last week since they installed a new free video game on the computer. As part of your troubleshooting efforts, you open the command prompt in Windows and run the following command: (image) Based on the output provided, what type of malware may have been installed on this user's computer? 1) Keylogger 2) Worm 3) RAT 4) Spam

OBJ-1.1: Based on the scenario and the output provided, the best choice is a RAT. A RAT is a Remote Access Trojan, and it is usually installed accidentally by a user when they install free software on their machine that has a RAT embedded into it. The first two output lines show that ports 135 and 445 are open and listening for an inbound connection (typical of a RAT). This is not an example of a worm because the user admitted to installing a free program, and worms can install themselves and continue to send data outbound across the network to continue to spread. There is no indication in the scenario that a keylogger is being used, nor that spam (unsolicited emails) has been received.

Using the image provided, place the port numbers in the correct order with their associated protocols: 1) 69, 25, 80, 53 2) 80, 53, 69, 25 3) 53, 69, 25, 80 4) 25, 80, 53, 69

OBJ-2.6: For the exam, you need to know your ports and protocols. The Trivial File Transfer Protocol (TFTP) uses port 69. The Simple Mail Transfer Protocol (SMTP) uses port 25. The Hypertext Transfer Protocol (HTTP) uses port 80. The Domain Name Service (DNS) protocol uses port 53.

What type of wireless security measure can easily be defeated by a hacker by spoofing the hardware address of their network interface card? 1) MAC Filtering 2) WPS 3) Disable SSID broadcast 4) WEP

OBJ-2.1: Wireless access points can utilize MAC filtering to ensure only known network interface cards are allowed to connect to the network. If the hacker changes their MAC address to a trusted MAC address, though, they can easily bypass this security mechanism. MAC filtering is considered a good security practice as part of a larger defense-in-depth strategy, but it won't stop a skilled hacker for long. MAC addresses are permanently burned into the network interface card by the manufacturer and serve as the device's physical address. WEP is the Wired Equivalent Privacy encryption standard, which is considered obsolete in modern wireless networks. WEP can be broken using a brute force attack within just a few minutes by an attacker. Another security technique is to disable the SSID broadcast of an access point. While this prevents the broadcast of the SSID, a skilled attacker can still find the SSID using discovery scanning techniques. WPS is the WiFi Protected Setup. WPS is used to connect and configure wireless devices to an access point easily.

During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? 1) SMS should be encrypted to be secure 2) SMS is a costly method of providing a second factor of authentication 3) SMS messages may be accessible to attackers via VoIP or other systems 4) SMS should be paired with a third factor

OBJ-2.5: NIST's SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS cannot be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation, and the concern would be better handled by replacing SMS with the proposed third factor. SMS is not a costly method since it can be deployed for less than $20/month at scale.

Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring? 1) 80 2) 21 3) 22 4) 143

OBJ-2.6: Port 22 is used for SSH, which administrators use to securely connect remotely to a server and issue commands via a command-line interface. Port 21 is used by FTP, port 80 is used by HTTP, and port 143 is used by IMAP.

You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack's target? 1) 3389 2) 21 3) 443 4) 389

OBJ-2.6: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).

Which of the following is NOT considered part of the Internet of Things? 1) ICS 2) Smart television 3) SCADA 4) Laptop

OBJ-3.5: Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other things are examples of devices classified as the Internet of Things (IoT). A laptop would be better classified as a computer or host than as part of the Internet of Things. The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs), and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company's manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat? 1) Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface 2) Demand that the manufacturer of the component release a patch immediately and deploy the patch as soon as possible 3) Replace the affected SCADA/ICS components with more secure models from a different manufacturer

OBJ-3.5: The most immediate protection against this emergent threat would be to block the web interface from being accessible over the network. Before doing this, you must evaluate whether the interface needs to remain open for the system to function properly. If it is not needed, you should block it to minimize the SCADA/ICS component's attack surface. Ideally, your SCADA/ICS components should already be logically or physically isolated from the enterprise network. Since the question doesn't mention the networks as an area of concern, we can assume they are already following the industry best practice of logical or physical segmentation between the SCADA/ICS network and the enterprise network. On the exam, make sure you focus on the question being asked. In this case, the question focuses on the web interface. Developing a patch can be a time-consuming process; therefore, waiting for the manufacturer to provide a patch will not provide immediate protection to your components. The same is true for replacing the affected components. Even if you could get the company to authorize the funding for such a purchase, it would take time to order, ship, receive, and install the new components. Additionally, you would cause unwanted downtime in the factory during the installation of the components, making it an ineffective option when simply blocking the web interface is free, quick, and effective.

Which of the following does a User Agent request a resource from when conducting a SAML transaction? 1) Single sign-on (SSO) 2) Relying party (RP) 3) Service provider (SP) 4) Identity provider (IdP)

OBJ-4.2: Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

Which of the following elements is LEAST likely to be included in an organization's data retention policy? 1) Maximum retention period 2) Classification of information 3) Minimum retention period 4) Description of information that needs to be retained

OBJ-5.8: Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization's data classification policy.

Dion Training has added a salt and cryptographic hash to their passwords to increase the security before storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called? 1) Key stretching 2) Collision resistance 3) Salting 4) Rainbow table

OBJ-6.1: In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. The question describes one such key stretching technique.

Which of the following cryptographic algorithms is classified as asymmetric? 1) RSA 2) RC4 3) AES 4) DES

OBJ-6.2: RSA (Rivest-Shamir-Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm. AES, RC4, and DES are all symmetric algorithms.

Which of the following hashing algorithms results in a 256-bit fixed output? 1) SHA-2 2) NTLM 3) MD-5 4) SHA-1

OBJ-6.2: SHA-2 creates a 256-bit fixed output. SHA-1 creates a 160-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.
