PART 3


: C Section: (none) Explanation

An HTTP interceptor (an intercepting proxy) sits between the client and the server and can read and modify clear-text HTTP requests and responses on the fly. In the hands of an attacker this enables parameter manipulation, cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection and many other attacks, because every field the client sends can be altered before the server sees it, and every response can be altered before the browser renders it. Transport protection (TLS with certificate validation) is what stops this kind of on-path tampering; input validation on the server does not. See Cross Site Request Forgery (CSRF or XSRF) at https://www.youtube.com/watch?v=m0EHlfTgGUU.

QUESTION 18
A security administrator is implementing the organization's data security policies that apply to corporate laptops and tablets. As part of the review, the administrator discovers that data contained on the devices is not adequately protected while at rest, applications are not fully patched, default security settings are disabled, and untrusted application repositories can be installed. Based on these findings, the administrator must recommend appropriate solutions to the security manager. Which of the following controls would be MOST appropriate to implement to address the risks identified by the administrator?
A. Centralized patch management
B. BYOD policy
C. MDM
D. Application sandboxing
E. TPM

: C Section: (none) Explanation

AES on its own addresses confidentiality only. SSL/TLS and a VPN protect the data only while it is in transit between two endpoints; the flat file is then unprotected at rest on the provider's side, and neither gives the recipient an originator signature it can verify later. PGP provides integrity through digital signatures, which also give authentication and non-repudiation, and confidentiality through encryption, and it protects the file itself rather than the connection. PGP therefore sets up end-to-end encryption (E2EE), a system of communication in which only the communicating parties can read the messages. In principle it prevents potential eavesdroppers, including telecom providers, Internet providers and even the provider of the communication service, from obtaining the cryptographic keys needed to decrypt the conversation. Such systems are designed to defeat attempts at surveillance or tampering because no third party can decipher the data being communicated or stored; for example, companies that use end-to-end encryption are unable to hand over the text of their customers' messages to the authorities. Examples of end-to-end encryption include PGP, GnuPG, ProtonMail, Mailfence, S/MIME, Inky and pEp for email; OTR, iMessage, Signal, Threema and WhatsApp for instant messaging; ZRTP and FaceTime for telephony; and TETRA's optional end-to-end encryption for radio.

QUESTION 30
A password-based IPSec remote access solution used by regular users will now also support domain administrators. The security manager has requirements for stronger authentication mechanisms when working remotely. Which of the following solutions will BEST fulfill these requirements?
A. Mandate the use of company-issued laptops for remote administrative tasks.
B. Enforce the use of VDI for administrative tasks with an ACL of source IP addresses.
C. Implement two-factor authentication within a mandatory VDI for remote administrative tasks.
D. Restrict remote access to specific IP address ranges and enforce two-factor authentication.

: B Section: (none) Explanation

Cloud Access Security Broker (CASB). Watch Cloud Access Security Brokers (CASB) in 5 Minutes at https://www.youtube.com/watch?v=qhAC--N6b8w.

- A CASB is a single enforcement point (gateway) through which an enterprise secures its whole suite of cloud and SaaS applications. It performs access control, in-app encryption, monitoring (including audit), behavioral analysis and, where required, defensive countermeasures. It also applies enterprise security policy to cloud and SaaS applications and can be deployed either on premises or in the cloud. Integrations: SAML, single sign-on (SSO), Active Directory, group/user policy enforcement, identity providers such as Okta and Ping.

- Cloud visibility. A CASB's monitoring removes the SIEM blind spot that cloud use otherwise creates. A standard CASB feature is real-time access logs, user patterns, data consumption, device profiles, geolocation and more, presented through a single monitoring interface that covers the organization's entire cloud and SaaS application portfolio. Interoperability: enterprise SIEM systems.

- Data security and encryption. Sitting between users and the cloud application, a CASB selectively intercepts sensitive data and encrypts it before it reaches the application, so the application never holds that data in plain text. Group-policy-based decryption lets the organization control who can decrypt the data in the cloud and prevents inappropriate sharing or leakage. Integrations/specifications: Thales nCipher and SafeNet Luna HSMs, AES-256, format-preserving encryption (FPE).

- Anomaly detection. A CASB builds a security profile for each user passing through the gateway. These behavioral profiles are compiled over time, and users are then benchmarked against their own history and against their peers. This behavioral analysis is what detects anomalies, significant changes in behavior, outliers and insider threats. Specifications: behavioral analysis, anomaly detection, outliers (against peers), insider attacks and misuse.

- Threat protection. Detecting a threat is not enough to prevent a data breach; a CASB applies countermeasures at first contact, scaled to threat severity, from blocking the connection through to issuing a second-factor challenge. Its countermeasure rules can be configured to match the organization's data protection policy, from geolocation locking, behavioral analysis and mobile/machine-specific locks through to automatic purging of stale user accounts. Adaptive defense: OS, browser, mobile and device policy support, behavior-driven countermeasures and more.

- Compliance. A CASB helps organizations meet strict privacy and data security requirements while using cloud applications, including the encryption, monitoring, access control and other control requirements specified in legislation such as HIPAA. A CASB can perform Data Loss Prevention (DLP) directly through group sharing controls on cloud data; where that is not sufficient, it can delegate DLP and anti-virus scanning to dedicated enterprise systems using the industry-standard ICAP protocol.

QUESTION 42
Which of the following is a security disadvantage of running a Type 1 hypervisor over a container-based virtual platform?
A. Type 1 hypervisors are unable to take advantage of TPM hardware modules.
B. Running a separate, full operating system for each VM increases the attack surface.
C. Type 1 hypervisors are susceptible to DDoS attacks.
D. Running an antivirus solution for each operating system will monopolize host resources.

: C Section: (none) Explanation

Mobile device management (MDM) is an industry term for the administration of mobile devices such as smartphones, tablets, laptops and, increasingly, desktop computers. It is usually implemented with a third-party product that has management features for particular device vendors. See What is MDM (Mobile Device Management)? at https://www.youtube.com/watch?v=ug5KUH_jdA4.

MDM is a way to keep employees productive without breaching corporate policy, and many organizations control their employees' device use with MDM products or services. MDM primarily deals with corporate data segregation, securing email, securing corporate documents on the device, enforcing corporate policies, and integrating and managing mobile devices of all categories, laptops and handhelds included. Implementations may be on-premises or cloud-based. MDM functionality can include over-the-air distribution of applications, data and configuration settings to every kind of mobile device: mobile phones, smartphones, tablets, ruggedized mobile computers, mobile printers, mobile POS devices and so on. Laptops and desktops have since been added to the list of supported systems as MDM has become more about basic device management and less about the mobile platform itself. MDM tools are used for company-owned and employee-owned (BYOD) devices across the enterprise, and for consumer-owned mobile devices. Demand for BYOD requires greater effort from MDM and increased security for both the devices and the enterprise they connect to, especially since employers and employees have different expectations about which restrictions should apply to a mobile device. By controlling and protecting the data and configuration settings of every mobile device on a network, MDM can reduce support costs and business risk.

The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime. With mobile devices ubiquitous and applications flooding the market, mobile monitoring is growing in importance: numerous vendors help device manufacturers, content portals and developers test and monitor the delivery of mobile content, applications and services. This testing is done in real time by simulating the actions of thousands of customers and detecting and correcting bugs in the applications.

For the findings in the question (unencrypted data at rest, unpatched applications, default security settings disabled, untrusted application repositories allowed), MDM is the one control that addresses all four: it can require device encryption, push application updates, apply and lock a configuration baseline, and block untrusted application sources. Patch management, sandboxing and a TPM each cover only one of them.

QUESTION 19
A company allows BYOD for enterprise use. BYOD devices may be allowed to connect to the corporate WiFi. A certificate that provided authorization to the WiFi recently expired and must be renewed. Which of the following is the BEST way to send new certificates to each device?
A. CA
B. OCSP
C. SCEP
D. CRL

: B Section: (none) Explanation

Penetration testing would take too much time, could cause system instability and would require customer approval. Social media and deep web analysis would be quick but inconclusive. An external vulnerability scan is quick and would reveal serious vulnerabilities.

Internal and external vulnerability scans are conducted in a similar manner: both are automated, run by a scanning program over a network connection, although that does not mean a single program conducts both scans at once. An external vulnerability scan looks for holes in your network firewall(s) through which malicious outsiders can break in and attack your network. An internal vulnerability scan, by contrast, operates inside the firewall(s) to identify real and potential vulnerabilities within the business network.

Deep Web vs. Surface Web. The Deep Web is the part of the internet that link-crawling search engines such as Google cannot reach. A user can only access this content by typing a directed query into a web search form, thereby retrieving content from a database that is not linked; in layman's terms, the only way to reach the Deep Web is to search from within a particular website. The Surface Web is the internet that can be found via link-crawling, that is, linked data reachable through hyperlinks from a domain's homepage, which is what Google finds. Surface Web search engines (Google, Bing, Yahoo!) can lead you to websites that contain unstructured Deep Web content. Think of searching for government grants: most researchers start by searching "government grants" in Google and find few specific listings for government grant sites that contain databases. Google will direct researchers to www.grants.gov, but not to specific grants within that site's database.

QUESTION 54
Given the following command: "john --format=lm"
Which of the following OSs is being targeted?
A. Ubuntu 14.04 LTS
B. Windows 2003
C. Windows 2012
D. Windows 10

: D Section: (none) Explanation

QUESTION 1
According to NIST, which of the following cryptographic requirements are recommended for a cloud computing environment strategy?
A. TLS 1.0 or above, 3DEA112 and SHA 128
B. TLS 1.1 or above, RSA 4096 and SHA 256
C. TLS 1.2 or above, RSA 512 and SHA 128
D. TLS 1.2 or above, RSA 2048 and SHA 256

: ABD Section: (none) Explanation

QUESTION 10
A security manager is presenting a quarterly summary of the organizational security posture to senior executives. To assist with part of this presentation, the manager has obtained the security testing results from a team member. The results are as follows:

Project          Visibility (internal/external/partner)   Activity           Issue                   Rating
Public website   external                                 vuln scan          [1] Missing patches     medium
Public website   external                                 penetration test   [2] XSS                 high
Client portal    external                                 vuln scan          [1] Weak ciphers        medium, low
Client portal    external                                 vuln scan          [2] Missing patches     medium
Client portal    external                                 penetration test   [3] SQL injection       critical
ERP web app      internal                                 vuln scan          [1] Missing patches     low
ERP web app      internal                                 penetration test   [2] Insecure cookies    medium
GRC app          internal                                 vuln scan          [1] Missing patches     low
GRC app          internal                                 penetration test   [2] CSRF                medium

By analyzing the data, which of the following interpretations would be applicable to the presentation? (Select THREE)
A. Missing patches appear to be a systemic issue across internally and externally accessible platforms.
B. Externally visible applications should be the priority area for issue remediation efforts.
C. Issue remediation efforts should initially focus on internally visible applications because they have more findings.
D. Penetration testing activities are finding higher severity items compared to vulnerability scanning.
E. Vulnerability scanning is faster and cheaper than manual penetration testing and identifies higher-rated issues.
F. SQL injection and XSS findings appear to be a systemic issue across internally and externally accessible platforms.

: BC Section: (none) Explanation

QUESTION 11
A penetration tester is planning an exercise. The goal is to gain physical access to a restricted facility that uses mantraps at each entry point. The tester confirms the building uses RFID-based access cards, which are commonly 125 kHz. Which of the following steps should the penetration tester perform to complete the exercise? (Select TWO)
A. Gain access to the building by tailgating staff members through the main doors.
B. Deploy an attacker-controlled badge reader within the vicinity of staff members.
C. Copy eavesdropped victim badge details onto a blank card via an RFID writer.
D. Compromise the building's badge reader by connecting to and exploiting its serial interface.
E. Obtain an RFID reader and sniff RFID card details from a nearby office.

: D Section: (none) Explanation

QUESTION 12
A company decides to replace all of its computers with up-to-date models that run the currently supported OS. The company decides to sell the old computers after taking the precaution of formatting the hard drives. An employee purchases two computers: one was formerly assigned to the human resources director, and the other was formerly assigned to the Chief Executive Officer (CEO). Which of the following is the employee hoping to take advantage of with the purchase of these computers?
A. Utilize USB ports on the PCs to recover backup data.
B. Recover the public key from the TPM hardware.
C. Utilize the MAC address to bypass NAC port security.
D. Recover leftover data remnants on the drives.

: BD Section: (none) Explanation

QUESTION 13
Which of the following ensures information shared between two organizations is kept confidential and outlines the terms of how services between departments are delivered? (Select TWO)
A. NDA
B. ISA
C. MOU
D. OLA
E. SLA

: B Section: (none) Explanation

QUESTION 14
A company completed a merger that will double the number of employees. Senior management believes the other company has never emphasized security awareness and has asked for a report comparing the riskiness of each company's web application use. Which of the following products would be recommended to implement?
A. UTM
B. CASB
C. NAC
D. WAF

: D Section: (none) Explanation

QUESTION 15
The Chief Financial Officer (CFO) has requested access to an application on a Windows server in order to finish important reports before month's end. The CFO is currently in a hotel in a different time zone and needs this access within 24 hours. Given the requirements, which of the following would be the FASTEST and MOST secure method of access?
A. Overnight a firewall with a certificate-based VPN, with port 3389 open to the Windows server.
B. NAT the host to port 3389, and create an ACL for the public IP address of the CFO's hotel.
C. Have the CFO use SFTP to connect to a secure terminal, then RDP to the Windows server.
D. SSL VPN with access to the application, restricted to the CFO's credentials.

: ACF Section: (none) Explanation

QUESTION 16
The marketing team at a courier company is required to introduce smart watches into the organization. Which of the following questions should be asked? (Select THREE)
A. Are the devices supported by the MDM solution?
B. Are there legal and human resources issues preventing the use of these devices?
C. Do company security policies need to be updated?
D. Is it appropriate for couriers to utilize watches while driving?
E. Will the devices allow for Microsoft group policy updates?
F. Will devices be BYOD or corporate managed?

: D Section: (none) Explanation

QUESTION 17
A Chief Technical Officer (CTO) returns from a well-known security conference and immediately begins conducting internal penetration testing. As a result of the initial phase of testing, the CTO discovers that information can be seen on the network in clear text. To demonstrate the risk associated with the clear text, the CTO changes certain data fields while they are in transit to a RESTful application. Which of the following security tools was MOST likely used to demonstrate this risk?
A. Protocol analyzer
B. Network enumerator
C. Port scanner
D. HTTP interceptor
E. Vulnerability scanner
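The manipulation described in question 17, as an added example (this is not code from the question bank or from any vendor): it parses a clear-text HTTP/1.1 request the way an intercepting proxy sees it, rewrites one JSON field and recomputes Content-Length so the tampered request still frames correctly. The endpoint path, host and body are constructed sample values. Over HTTPS the same change is impossible for an on-path party unless the client trusts a certificate the interceptor controls, which is why the CTO could only demonstrate this against clear text.

```python
"""Rewrite a field of a clear-text REST request in transit, as an HTTP interceptor does.

Added example for question 17; not part of the original material. The request
below is constructed sample data, not captured traffic.
"""
import json


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, [(header, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in request")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def build_request(request_line: str, headers, body: bytes) -> bytes:
    """Reassemble a request; Content-Length is always recomputed from the body we send."""
    kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
    kept.append(("Content-Length", str(len(body))))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in kept])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def json_body(raw: bytes) -> dict:
    """Decode the JSON body of a request (used to inspect the result)."""
    _, headers, body = parse_request(raw)
    content_type = {n.lower(): v for n, v in headers}.get("content-type", "")
    if not content_type.startswith("application/json"):
        raise ValueError("request body is not JSON")
    return json.loads(body)


def tamper_json_field(raw: bytes, field: str, new_value) -> bytes:
    """What the interceptor does: change one field of the body and fix the framing."""
    request_line, headers, _ = parse_request(raw)
    payload = json_body(raw)
    if field not in payload:
        raise KeyError(f"field {field!r} not present in body")
    payload[field] = new_value
    return build_request(request_line, headers, json.dumps(payload).encode("utf-8"))


# Constructed sample: a clear-text call to a hypothetical transfers endpoint.
SAMPLE_REQUEST = build_request(
    "PUT /api/v1/transfers/42 HTTP/1.1",
    [("Host", "payments.example.internal"), ("Content-Type", "application/json")],
    json.dumps({"account": "ACC-1001", "amount": 25.00, "memo": "ok"}).encode("utf-8"),
)

if __name__ == "__main__":
    # The server receives a well-formed request whose amount the client never sent.
    print(tamper_json_field(SAMPLE_REQUEST, "amount", 25000).decode("latin-1"))
```

Because the interceptor owns the TCP connection it can just as easily rewrite response bodies (injecting script, which is how the XSS and CSRF attacks mentioned above arise) or replay requests with the victim's cookies. Server-side input validation does not help here, since the tampered request is syntactically valid; only transport protection with certificate validation removes the on-path position.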

: D Section: (none) Explanation

QUESTION 2
A security administrator is reviewing the following network-based IPS benchmarks, which are based on 1 Gbps of sustained network traffic across each network appliance.

%CPU              IPS1   IPS2   IPS3   IPS4
SMALL TCP         60     40     55     45
LARGE TCP         40     34     35     35
SMALL UDP         55     45     50     40
LARGE UDP         50     40     30     35

                  IPS1   IPS2   IPS3   IPS4
FALSE POSITIVES   5%     3%     3%     6%
FALSE NEGATIVES   7%     10%    11%    7%

The security administrator is mostly concerned with ensuring the provided testing ruleset triggers the IPS every time it matches a network pattern. The administrator should select the appropriate IPS based on this condition FIRST. The administrator should also ensure that if two IPSs provide the same assurance, the one with the lowest %CPU is selected. Which of the following IPSs should be chosen?
A. IPS1
B. IPS2
C. IPS3
D. IPS4

: D Section: (none) Explanation

QUESTION 21
An organization is in the planning stage of a workstation equipment refresh. To offset costs, it proposes selling the existing workstations to a third party. The organization wants to minimize the risk of data loss, and the workstations must be in working order to be sold. Which of the following is the organization's best course of action?
A. Reinstall the OS on the hard drives before selling them.
B. Degauss and reformat the hard drives before selling them.
C. The company cannot sell its workstations without the risk of data loss.
D. Overwrite the hard drives with random 1s and 0s before selling them.

: CE Section: (none) Explanation

QUESTION 22
A security administrator is securely backing up a Unix host. Due to budget constraints, rsync is used instead of commercial backup software. A backup account is created on the Unix host. The existing "authorized_keys" file on the Unix host is as follows:

ssh-rsa AAae322436326GDA3135gr8312Jedfa32asdfa43afjvZ= backup@backupserver

An additional lockdown requirement is needed to only allow a single backup command for this SSH account and remove the need for an interactive session. Which of the following additional steps should be performed to meet the lockdown requirements? (Select TWO)
A. Set the login shell for the backup user on the Unix host to /bin/nologin.
B. Edit the SSH daemon configuration file on the Unix host to have AllowTcpForwarding no.
C. Add the following attributes to the new command restriction: no-port-forwarding, no-agent-forwarding, no-pty.
D. Change the file permissions on the Unix host so only the backup user can execute the rsync command.
E. Prepend the following valid SSH command restriction to the authorized key entry: command="rsync --server --sender </some/local/path> </some/remote/path>"
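The lockdown from question 22 (options C and E), as an added example that is not code from the question bank or from OpenSSH: it parses authorized_keys lines, including entries that already carry an options field with a quoted command=, prepends a forced command plus the no-* restrictions sshd understands, and audits a file for keys that would still get an interactive session. The key lines in SAMPLE_FILE are constructed: the first is the placeholder from the question, the second is made-up key material, and the rsync paths are assumptions.

```python
"""Force a single command on an SSH key and audit authorized_keys for keys that allow a shell.

Added example for question 22; not code from the question bank or from OpenSSH.
The key lines in SAMPLE_FILE are constructed (placeholder key material).
"""

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
# Per-key options sshd honours (sshd(8), AUTHORIZED_KEYS FILE FORMAT); the single
# word "restrict" (OpenSSH 7.2+) implies all of these at once.
REQUIRED = ("no-port-forwarding", "no-agent-forwarding", "no-pty", "no-X11-forwarding")


def split_options(line: str):
    """Return (options, 'keytype key comment'). The options field may hold quoted spaces."""
    line = line.strip()
    if not line:
        raise ValueError("empty authorized_keys line")
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line                      # no options field at all
    in_quotes, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quotes:          # escaped character inside quotes
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == " " and not in_quotes:     # first unquoted space ends the options
            return line[:i], line[i + 1:].lstrip()
        i += 1
    raise ValueError("malformed authorized_keys line: no key after options")


def parse_options(options: str):
    """Split an options field on commas that are not inside double quotes."""
    items, current, in_quotes, i = [], [], False, 0
    while i < len(options):
        c = options[i]
        if c == "\\" and in_quotes and i + 1 < len(options):
            current.append(options[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        if c == "," and not in_quotes:
            items.append("".join(current))
            current = []
        else:
            current.append(c)
        i += 1
    if current:
        items.append("".join(current))
    return items


def restrict_entry(line: str, command: str) -> str:
    """Prepend a forced command plus the no-* restrictions to an existing key line."""
    options, key = split_options(line)
    kept = [o for o in parse_options(options)
            if not o.startswith("command=") and o not in REQUIRED]
    forced = 'command="%s"' % command.replace('"', '\\"')
    return ",".join([forced, *REQUIRED, *kept]) + " " + key


def audit(text: str):
    """Return [(line number, [missing restrictions])] for keys not locked to one command."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        options, _ = split_options(raw)
        names = {o.split("=", 1)[0] for o in parse_options(options)}
        missing = [] if "restrict" in names else [r for r in REQUIRED if r not in names]
        if "command" not in names:
            missing.insert(0, "command=")
        if missing:
            findings.append((number, missing))
    return findings


SAMPLE_FILE = (
    "# constructed sample file: the entry from the question plus one already locked-down key\n"
    "ssh-rsa AAae322436326GDA3135gr8312Jedfa32asdfa43afjvZ= backup@backupserver\n"
    'command="rsync --server --sender . /srv/backups",no-port-forwarding,'
    "no-agent-forwarding,no-pty,no-X11-forwarding "
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMADEUPKEYMATERIAL0000000000000000000000 ops@backupserver\n"
)

if __name__ == "__main__":
    for number, missing in audit(SAMPLE_FILE):
        print(f"line {number}: missing {', '.join(missing)}")
    print(restrict_entry(SAMPLE_FILE.splitlines()[1], "rsync --server --sender . /srv/backups"))
```

sshd ignores whatever command the client asked for, runs the forced one, and exposes the client's request in SSH_ORIGINAL_COMMAND. Two caveats a practitioner will hit: rsync's server-side argument list changes with the client's flags, so a fixed command="rsync --server --sender ..." only works if the backup server always invokes rsync identically (the rrsync script shipped with rsync, which validates SSH_ORIGINAL_COMMAND and confines rsync to one directory, is the robust form of option E); and no-pty on its own only denies a terminal, it does not stop command execution, which is why the command= restriction is the part that actually limits the account to a single backup job.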

: D Section: (none) Explanation

QUESTION 25
A company is replacing a web application that was developed ten years ago to support employees who want to donate money to company-sponsored charities. To complete an employee's transaction, the application requires input from the employee for tax purposes. The application uses simple HTML forms and Java, which communicates with a database that resides on the same server. Which of the following would BEST address this security concern?
A. Perform UAT
B. Implement a multi-tier architecture
C. Implement change management activities
D. Apply a SDL process

: C Section: (none) Explanation

QUESTION 27
A password-based IPSec remote access solution used by regular users will now also support domain administrators. The security manager has requirements for stronger authentication mechanisms for administrators working remotely. Which of the following solutions will BEST fulfill these requirements?
A. Mandate the use of company-issued laptops for remote administrative tasks.
B. Enforce the use of VDI for administrative tasks with an ACL of source IP addresses.
C. Implement two-factor authentication within a mandatory VDI for remote administrative tasks.
D. Restrict remote access to specific IP address ranges and enforce two-factor authentication.

: BC Section: (none) Explanation

QUESTION 28
A security engineer wants to deploy a cloud storage application that will allow employees to store and retrieve files between multiple endpoints. Files will be automatically synchronized across employees' multiple endpoints, including personally owned devices. Which of the following security risks should the company address BEFORE deploying this solution? (Select TWO)
A. File-based encryption of sensitive company data may not be supported by the cloud solution.
B. Confidential company data may be stored without the appropriate security controls in place.
C. Malware may bypass corporate perimeter security controls.
D. Cloud storage deduplication may not be accounted for in planning internal company storage requirements.
E. Federation between the cloud provider and the company may result in non-compliant identity management.

: B Section: (none) Explanation

QUESTION 29
A company's on-premises human resources system needs to integrate with a third-party Internet SaaS provider that manages payroll. Payroll transactions are sent from the human resources system to the payroll system in real time. The employee information is sent via a scheduled flat-file batch job. Management has concerns about the confidentiality and integrity of the payroll transaction information and the confidentiality of the employee information. Which of the following solutions will BEST meet management's requirements for securing the employee human resources information?
A. VPN
B. PGP
C. AES
D. SSL

: C Section: (none) Explanation

QUESTION 3
An IT architect is providing a collaboration VTC solution for the company's board of directors. These meetings will have members logging in from diverse geographical sites around the world. Discussions at board level are considered one of the most sensitive areas for the company, as strategic and IP-related discussions occur. Board members are tech savvy, with high-speed fiber connections at each respective location. Based on the requirements for performance and security, which of the following would fulfill the business need?
A. Desktop video conferencing tunneling through the Internet to an on-premises central server secured with SSL 2.0
B. Cloud-based desktop teleconferencing solution with two-factor authentication
C. IPSec remote access to in-house desktop teleconferencing with endpoint certificates
D. Proprietary video teleconferencing solution via ISDN with H.235 security and encryption

: AC Section: (none) Explanation

QUESTION 31
A security administrator is informed that some of the corporate Internet-facing DNS servers were used in a DDoS attack. The victim reports the attack was the result of the company's address being spoofed to receive DNS replies from all over the Internet. Which of the following actions should the security administrator take to prevent future exploitation of the DNS servers? (Select TWO)
A. Disable recursion.
B. Disable UDP packet-size limitation.
C. Enable secure zone transfers.
D. Enable rate limiting.
E. Enable split-brain.
F. Disable the start of authority.

: C Section: (none) Explanation

QUESTION 32
A traditional manufacturing company in a regulated industry recently launched a new information security program. The company wants a third party to help broadly assess the adequacy of the program in meeting its business needs. Which of the following describes the BEST approach for the company's FIRST third-party assessment?
A. Perform a security assessment to ensure all areas of the program are assessed against requirements and best practices.
B. Perform a penetration test to provide validated results to executives who may not already be familiar with how attacks operate.
C. Perform a business impact assessment and begin by focusing third-party assessors on testing the highest-criticality systems.
D. Perform a regulatory compliance audit, and assess those controls to alert the company to compliance gaps.

: ABE Section: (none) Explanation

QUESTION 33
Which of the following are technically enforceable control requirements that should be considered for BYOD to minimize the risk of a confidentiality breach? (Select THREE)
A. Employees should electronically agree to the telecommuting policy prior to connecting to the corporate network.
B. Personally owned devices should implement company-approved and up-to-date anti-malware software.
C. Employees should follow the company's clean desk policy at remote locations and be provided with shredders.
D. At a minimum, personally owned devices should be capable of connecting to 3G wireless networks.
E. All devices remotely connected to the corporate network should encrypt all communication.
F. Remote telecommuting locations should implement employee-owned, application-aware firewall appliances.

: A Section: (none) Explanation

QUESTION 34
A sales engineer does not use a company laptop and instead prefers to use a personal tablet and mobile device for most activities. The company's BYOD policy allows this, but only if the devices are encrypted. Which of the following could be the MOST problematic regarding data storage?
A. Any loss of personal equipment could place both the sales engineer and the organization at risk.
B. Cloud-based file synchronization does not incrementally back up personal devices like conventional backup software.
C. Personal devices have less storage space available than company-issued desktops and laptops.
D. Personal mobile devices often support modern cellular protocols the corporation does not yet support, which may impact data transfer.

: C Section: (none) Explanation

QUESTION 35
A service desk manager has received the following email from the director of human resources:

"I am really frustrated with the amount of time it takes to provision new users on the network. I understand there are security requirements, but it seems the process takes far too long. What can we do to get people up and running more quickly?"

Based on the email above, which of the following steps should the service desk manager take to collaborate within the organization and implement secure solutions?
A. Establish a process to automate the provisioning of new users on the network. Establish a policy with human resources to review the new user provisioning at the end of every week.
B. Research the past few requests and explain to the director of human resources that the results of the research will be provided to the Chief Information Officer (CIO) for analysis. Remind the director of human resources that the human resources process needs to be completed prior to hand-off to ensure security within the organization.
C. Review the current policies, procedures, and processes relating to the provisioning of new employees within the organization. Evaluate recent requests, look for common issues, and work with the director of human resources to revise the procedures and train human resources personnel on the proper procedures.
D. Prepare a spreadsheet containing quantitative data from the past 20 provisioning requests. Identify the most common causal factors, and address those issues within the service desk organization. Advise the director of human resources that the issue was addressed and performance will improve.

: B Section: (none) Explanation

QUESTION 36
A company maintains two database systems: one is a newly installed system, and the other is a legacy system that stores historical data. The legacy system only supports connection-string passwords with very low entropy. Recently, the company installed a new web-based middleware platform that accesses both the new and the legacy systems. Which of the following could the company implement in the middleware solution to secure database connections for both systems and help prevent brute-force disclosure of the connection-string passwords?
A. Enable the middleware to salt connection-string passwords before hashing them.
B. Enable key stretching in the middleware to connect to both back-end systems.
C. Utilize complex connection strings that have greater than 16-character passwords.
D. Enable connection-string password hashing using a SHA in the middleware system.
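Why option B helps where A and D do not, as an added example (not code from the question bank): a plain SHA-256 of a weak password costs an attacker one hash per guess, whereas PBKDF2 multiplies that by the iteration count, and the functions below count exactly that work while brute-forcing a 4-digit password over its whole keyspace. The password, salt and iteration counts are constructed sample values, not anything from the question.

```python
"""Key stretching versus a plain hash for a low-entropy connection-string password.

Added example for question 36; not code from the question bank. The PIN-style
password, the salt and the iteration counts are constructed sample values.
"""
import hashlib
import hmac
import time

SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; use os.urandom(16) for real


def plain_hash(password: str) -> bytes:
    """Option D from the question: a single SHA-256, so one hash per attacker guess."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def stretched_key(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Option B: PBKDF2-HMAC-SHA256 key stretching; every guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=length)


def brute_force(target: bytes, candidates, derive):
    """Try candidates in order; return (recovered password or None, guesses made)."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if hmac.compare_digest(derive(candidate), target):
            return candidate, guesses
    return None, guesses


def four_digit_pins():
    """The whole keyspace of a very low-entropy password (10,000 values)."""
    return (f"{i:04d}" for i in range(10_000))


def crack_plain(target: bytes, candidates):
    return brute_force(target, candidates, plain_hash)


def crack_stretched(target: bytes, candidates, salt: bytes, iterations: int):
    """Returns (password, guesses, total HMAC invocations the attacker had to perform)."""
    found, guesses = brute_force(target, candidates, lambda p: stretched_key(p, salt, iterations))
    return found, guesses, guesses * iterations


def time_per_guess(derive, password: str = "0137", rounds: int = 20) -> float:
    """Seconds one derivation costs on this machine (the attacker pays this per guess)."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive(password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    iterations = 100_000
    plain = time_per_guess(plain_hash)
    stretched = time_per_guess(lambda p: stretched_key(p, SAMPLE_SALT, iterations))
    print(f"plain SHA-256: {plain * 1e6:.1f} us/guess, whole 4-digit keyspace in {plain * 10_000:.3f} s")
    print(f"PBKDF2 x{iterations}: {stretched * 1e3:.1f} ms/guess, whole keyspace in {stretched * 10_000:.0f} s")
```

Salting (option A) only defeats precomputed tables; with a 10,000-value keyspace the attacker simply recomputes. Stretching raises the cost of every guess by the iteration count, which is why it is the one option that helps a password the legacy system will not let you make longer. It is a compensating control, not a fix: the legacy database still receives the weak password, so the middleware must also keep the plaintext connection string and the derived key out of logs and world-readable configuration.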

: D Section: (none) Explanation

QUESTION 37
An enterprise must ensure that all devices that connect to its network have been previously approved. The solution must support dual-factor mutual authentication with strong identity assurance. In order to reduce costs and administrative overhead, the security architect wants to outsource identity proofing and second-factor digital delivery to a third party. Which of the following solutions will address the enterprise requirements?
A. Implementing federated network access with the third party.
B. Using an HSM at the network perimeter to handle network device access.
C. Using a VPN concentrator which supports dual factor via hardware tokens.
D. Implementing 802.1X with EAP-TTLS across the infrastructure.

: B Section: (none) Explanation

QUESTION 38
Having already considered legal and regulatory requirements, which of the following is the NEXT aspect to consider when analyzing and defining risk profiles for workloads that are being moved to the cloud?
A. Geographic location of cloud datacenters
B. Economic viability of the cloud service provider
C. Visibility of the audit function over the cloud service provider
D. Criticality and value of the data

: A Section: (none) Explanation

QUESTION 39
A security engineer at a corporation is conducting a review of server logs. The security engineer notices an entry for a remote connection to a server in the middle of the night. The entry indicates the extraction of a large volume of data. Which of the following steps should the security engineer perform NEXT?
A. Alert the management team of the intrusion attempt.
B. Ignore the log entry because the company has offices overseas that are open during those hours.
C. Add an entry in the firewall to block the source IP of the remote connection.
D. Review system baselines and compare network traffic for that time of night.

: AE Section: (none) Explanation

QUESTION 4 A company hired a consultant to replace various legacy solutions. The consultant reviews the following information from a packet analyzer. PACKET 1 - TCP SRC 192.168.1.45:3044 -> DST 172.16.8.3:2000 PROTO CISCO-SSCP PACKET 2 - TCP SRC 192.168.2.10:49 -> DST 172.16.1.1:1456 PROTO TACACS PACKET 3 - TCP SRC 172.16.1.1:22 -> DST 192.168.2.19:2000 PROTO OpenSSH PACKET 4 - TCP SRC 172.16.1.5 -> DST 192.168.2.7:445 PROTO CIFS The company is concerned with only replacing solutions that do not use open standards. Which of the following should the consultant recommend to ensure the replacement solutions use open standards and default TCP/UDP ports based on the above information? (Select TWO) A. Ensure all network infrastructure devices are managed by a RADIUS server. B. Deploy a secure NFS solution in place of the current CIFS used by the company's file servers. C. Implement a company-wide, open source instant messaging system that fully supports SKINNY. D. Reconfigure the SSH server to listen to TCP port 22 and ensure it uses the OpenSSL library. E. Upgrade the software on the company's VoIP server and handsets to ensure SIP is supported.

: C Section: (none) Explanation

QUESTION 40 Which of the following is the GREATEST security risk incurred from allowing employee-owned computing devices for telecommuting activities? A. Computer hardware will not follow the company's minimum baselines. B. The firewall may not work with employee-owned equipment. C. Protective measures are not at company standards. D. The host intrusion sensor will not integrate with the company SIEM. E. Bandwidth standards will not support remote activities.

: D Section: (none) Explanation

QUESTION 41 An external review of a company's cloud CRM highlighted to the Chief Information Security Officer (CISO) that a significant amount of sensitive company data is being stored in an unencrypted format. The CISO has decided to implement a solution to log all data uploads and enforce data tokenization for sensitive fields in the CRM, particularly for ones that allow attachments to be uploaded by staff. Which of the following solutions would BEST meet the CISO's requirements? A. Cloud encryption with key rotation. B. TLS C. Cloud-to-client federation D. CASB

: C Section: (none) Explanation

QUESTION 43 A security administrator is implementing the organization's data security policies that apply to corporate laptops and tablets. As part of the review, the administrator discovers data contained on the devices is not adequately protected while at rest, applications are not fully patched, default security settings are disabled, and untrusted application repositories can be installed. Based on these findings, the administrator must recommend appropriate solutions to the security manager. Which of the following controls would be MOST appropriate to implement to address the risks identified by the administrator? A. Centralized patch management B. BYOD policy C. MDM D. Application sandboxing E. TPM

: A Section: (none) Explanation

QUESTION 44 Company XYZ offers SaaS, maintaining all customers' credentials and authenticating locally. Many large customers have requested the company offer some form of federation with their existing authentication infrastructures. Which of the following will allow customers to manage authentication and authorizations from within their existing organizations? A. Implement SAML so the company's service may accept assertions from the customers' authentication servers. B. Provide customers with a constrained interface to manage only their users' accounts in Company XYZ's Active Directory server. C. Provide a system for customers to replicate their users' passwords from their authentication service to Company XYZ's. D. Use SOAP calls to support authentication between the company's product and the customers' authentication servers.

: C Section: (none) Explanation

QUESTION 45 A password-based IPSec remote access solution used by regular users will now also support domain administrators. The security manager has requirements for stronger authentication mechanisms for administrators working remotely. Which of the following solutions will BEST fulfill these requirements? A. Mandate the use of company-issued laptops for remote administrative tasks. B. Enforce the use of VDI for administrative tasks with an ACL of source IP addresses C. Implement two-factor authentication within a mandatory VDI for remote administrative tasks. D. Restrict remote access from specific IP address ranges and enforce two-factor authentication.

: C Section: (none) Explanation

QUESTION 46 The human resources department is using COTS software that is not compliant with an enterprise security baseline. After conducting a risk assessment, the findings are outside the human resources department's risk tolerance. Which of the following would BEST mitigate the risk associated with non-compliance to the baseline? A. Request a modification to the baseline B. Apply for a baseline variance C. Develop a custom software replacement D. Implement additional controls

: A Section: (none) Explanation

QUESTION 47 A disgruntled employee ran the following command from a domain controller shortly before being terminated. This was seen in a routine forensic analysis of all terminated employees from that particular division of the company. C:\>net use \\reasearchdata\ipc$ "" /u:"" The system responded with: System Error 5 has occurred. Access is denied. Which of the following was attempted? A. SMB null session B. Fuzzing C. Privilege escalation D. OS fingerprinting

: AE Section: (none) Explanation

QUESTION 49 Which of the following represent the MOST important cybersecurity concerns when transitioning major datacenter operations to one or more commercial cloud service providers? (Select TWO). A. The cloud provider's privacy policies and technical implementation. B. The cloud provider's effectiveness of seamless integration of company data with that of other subscribing entities. C. The maximum network bandwidth and processing power available to the subscriber as defined by its executed SLA with the provider. D. The environmental expectations (e.g., temperature, relative humidity) of the cloud provider's corporate headquarters. E. The roles and responsibilities of provider employees and the provider's standard of employee background investigation and vetting.

: D Section: (none) Explanation

QUESTION 5 An insurance company starts providing cyber insurance coverage to a large number of small and medium-size companies. Which of the following techniques would a security consultant recommend to quickly determine the security posture of new customers? A. Penetration testing B. Social engineering attack C. Social media and deep web analysis of the applicant D. External vulnerability scan

: B Section: (none) Explanation

QUESTION 50 A security programmer discovers the two-factor authentication forward proxy application has a bug. In the span of a few milliseconds, the bug wrongly assigns authenticated sessions when a user is authenticated to the proxy. During this interval, all new authenticated users will be assigned to the existing session. Which of the following BEST defines this design flaw? A. Session hijacking B. Time of check/time of use C. Process impersonation D. Man-in-the-middle vulnerability

: AE Section: (none) Explanation

QUESTION 51 The human resources administrator has initiated a forensics investigation about a user who was recently terminated. The subsequent forensics investigation found that the terminated user had downloaded a series of files that contained sensitive information about current employees. The files had been overwritten with a file of the same size and name as the original file. This security incident could have been prevented with a combination of which of the following security controls? A. FIM B. HIDS C. HIPS D. AV E. DLP F. Anti-spam

: C Section: (none) Explanation

QUESTION 52 Company A has recently acquired Company B. A user from Company B states that when trying to access the portal page for Company A, an unauthorized request notification appears. The user states there are never prompts to enter user credentials. Which of the following needs to be configured? A. Company B's IP-based ACL B. LDAP queries C. Trust between the two domains D. Company B's web server

: D Section: (none) Explanation

QUESTION 53 An insurance company starts providing cyber insurance to a large number of small and medium-size companies. Which of the following techniques would a security consultant recommend to quickly determine the security posture of new customers? A. Penetration testing B. Social engineering attack C. Social media and deep web analysis of the applicant D. External vulnerability scan

: AC Section: (none) Explanation

QUESTION 55 An organization is seeing an increase in malicious software downloads known to be coming from suspicious websites. Existing security controls are not blocking all the malicious software. Which of the following can be implemented to control access to these websites? (Select TWO) A. SSL inspection B. Reverse proxy C. Content filter D. Certificate revocation E. HTTP interceptor F. Web-application firewall

: D Section: (none) Explanation

QUESTION 56 An organization has exhausted its security budget through implementation of antivirus, firewalls, IDS, and web proxy, and training of an incident response team. Which of the following will BEST reduce risk while leveraging the existing security investments? A. Train network and system administrators to identify security events and act accordingly. B. Implement an end user security awareness training program that teaches users how to spot security events and how to properly report them to the incident response team. C. Implement a SIEM and configure all security devices to forward logs to it. The SIEM will correlate events and generate alerts for the incident response team to act on. D. Configure all security devices to forward logs to a single repository where the security team can parse the logs and create scripts to correlate events.

: A Section: (none) Explanation

QUESTION 57 A natural gas company has decided to begin testing its information security program through tabletop simulation exercises. A security architect is assigned the task of generating a scenario and executing the exercise. Having no previous experience, which of the following should the security architect do? A. Work with executives to define incidents that would affect mission essential functions of the company, and validate procedures to respond to those incidents. B. Research past incidents experienced by the company, and turn the events into a narrative format to assess progress after action items. C. Review academic research into attacks, and develop scenarios that others at the company may not have considered to exercise new thinking. D. Focus on the most common incidents that occur across the Internet, and develop scenarios specific to the company based on those incidents.

: A Section: (none) Explanation

QUESTION 58 A company security administrator attempts to perform a factory reset on the phone issued to a fired employee. The administrator receives an error that the device is not available. Which of the following is likely the reason why the reset failed? A. The employee has disabled network connectivity to the phone. B. The employee reset the security passcode on the phone. C. The employee used a phone with an encrypted filesystem D. The employee has deleted all work-related content from the phone.

: D Section: (none) Explanation SYN/Half-Open Scanning - SYN scan is another form of TCP scanning. Rather than use the operating system's network functions, the port scanner generates raw IP packets itself and monitors for responses. This scan type is also known as "half-open scanning", because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed.[3] If the port is closed but unfiltered, the target will instantly respond with an RST packet. - The use of raw networking has several advantages, giving the scanner full control of the packets sent and the timeout for responses, and allowing detailed reporting of the responses. There is debate over which scan is less intrusive on the target host. SYN scan has the advantage that the individual services never actually receive a connection. However, the RST during the handshake can cause problems for some network stacks, in particular simple devices like printers. There are no conclusive arguments either way. FYI: Firewalking: Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and no response will be seen. To get the correct IP TTL that will result in expired packets one hop beyond the gateway, the hop count must be ramped up in the same manner that traceroute works. Once the gateway hop count is known (at that point the scan is said to be `bound`), the scan can begin. It is significant to note that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway, from the scanning host.

QUESTION 59 An attacker sends out a SYN packet to a host, and receives a RST back from that host. After trying all of the hosts in the /24 subnet, the attacker finally receives a SYN/ACK packet back from one single host and immediately the attacker responds with a crafted RST packet. Which of the following activities is happening? A. OS banner grab B. SYN flood C. Firewalking D. Half-open scanning

: D Section: (none) Explanation

QUESTION 6 The web development team recently finished deploying a new web service. Before the service can go live, it must go through a penetration assessment. The contractor for the assessment has found that after attempts at flooding the service with thousands of GET requests and getting a service failure error page with details on the failure, the contractor was able to do a full directory traversal and retrieve files from the web server. Which of the following was the vulnerability that provided a way in for the contractor? A. Buffer overflow B. Improper server-side validation C. Fuzzing and fault injection D. Improper exception handling

: C Section: (none) Explanation

QUESTION 7 The human resources department is using COTS software that is not compliant with an enterprise security baseline. After conducting a risk assessment, the findings are outside the human resources department's risk tolerance. Which of the following would BEST mitigate the risk associated with non-compliance to the baseline? A. Request a modification to the baseline. B. Apply for a baseline variance C. Develop a custom software replacement D. Implement additional controls

: CE Section: (none) Explanation

QUESTION 8 A software developer and IT administrator are focused on implementing security in the organization to protect OSI layer 7. Which of the following A. NIPS B. HSM C. HIPS D. NIDS E. WAF

: A Section: (none) Explanation

QUESTION 9 After testing the performance of block-level encryption, the storage administrator would like to begin performance testing file-level encryption over the network. Which of the following technologies is BEST suited for the test? A. SMB B. FCoE C. iSCSI D. vSAN

: AD Section: (none) Explanation

Reviewing code goes hand in hand with maintaining strong coding standards. That said, standards don't usually prevent logical errors or misunderstandings about the quirks of a programming language, whether it's JavaScript, Ruby, Objective-C or something else. Even the most experienced developers can make these kinds of mistakes, and reviewing code can greatly assist with catching them. Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places. Functional code review checks the following: Correctness - Does the code do everything it claims? Complexity - Does it accomplish its goals in a straightforward way? Consistency - Does it achieve its goals consistently? Maintainability - Could the code be easily extended by another member of the team with a reasonable level of effort? Scalability - Is the code written in such a way that it would work for both 100 users and 10,000? Is it optimized? Style - Does the code adhere to a particular style guide (preferably one agreed upon by the team if the project is collaborative)? QUESTION 24 Which of the following ensures information shared between two organizations is kept confidential and outlines the terms of how a service between departments is delivered? (Select TWO) A. NDA B. ISA C. MOU D. OLA E. SLA

: BC Section: (none) Explanation

SMB NULL SESSION ATTACKS AND HOW TO AVOID THEM A well-known vulnerability within Windows can map an anonymous connection (or null session) to a hidden share called IPC$ (which stands for interprocess communication). This hack method can be used to - Gather Windows host configuration information, such as user IDs and share names. - Edit parts of the remote computer's registry. QUESTION 48 An organization has configured a set of hosts in such a way that only authorized programs and tools are allowed to execute for all accounts. After an intrusion was detected on one of the fully patched hosts, it was discovered that malware was able to execute in spite of this configuration being active. Which of the following may have occurred? (Select TWO) A. A man-in-the-middle attack was used to steal credentials and launch the malware. B. The malware was the running process of an allowed application. C. The whitelist used only executable names for enforcement. D. The host's file system does not implement full-disk encryption. E. An unexpired and valid Kerberos token was refused by the malware.

: C Section: (none) Explanation

Simple Certificate Enrollment Protocol (SCEP) is used by numerous manufacturers of network equipment and software who are developing simplified means of handling certificates for large-scale implementation to everyday users, as well as being referenced in other industry standards. The protocol is designed to make the issuing of digital certificates as scalable as possible. The idea is that any standard network user should be able to request their digital certificate electronically and as simply as possible. These processes have usually required intensive input from network administrators, and so have not been suited to large scale deployments. SCEP is the most popular, widely available and most tested certificate enrollment protocol. Although it is widely used, for example by the iOS operating system, concerns have been raised that it is not able to "strongly authenticate certificate requests made by users or devices". QUESTION 20 When investigating a user's account, a system administrator notices the following line in the user's .bashrc file: alias ssh='strace -o .scantst.txt -e read,write,connect -s2048 ssh' Upon inspecting the .scantst.txt file, the system administrator finds it contains these lines: write(4, "[email protected]'s password: ", 34) = 34 read(4, "T", 1) = 1 read(4, "e", 1) = 1 read(4, "s", 1) = 1 read(4, "t", 1) = 1 read(4, "p", 1) = 1 read(4, "@", 1) = 1 read(4, "s", 1) = 1 read(4, "s", 1) = 1 Which of the following BEST describes what happened and how this problem can be mitigated in the future? A. An attacker used a network sniffer to obtain the user's password. The user should use the relative path to system binaries and not use the same password on multiple systems. B. An attacker used shell shock SSL vulnerability to obtain the user's password. The user should not edit the .bashrc file and should not use the same password on multiple systems. C. An attacker used a keylogger to obtain the user's password. The user should use the full path to system binaries and not use the same password on multiple systems. D. An attacker used an ARP spoofing attack to obtain a user's password. The user should not use aliases to system binaries or the same password on multiple systems.

: B Section: (none) Explanation

The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost. This would include a multi-tiered model, user acceptance testing (UAT), and change management processes. The advantages of this multi-tiered model include the following: - Increased opportunity for security. You can isolate sensitive functionality into tiers that have different access restrictions. This provides flexible and configurable levels of security. Middle tiers can limit the entry points to sensitive material, allowing you to control access more easily. If you are using HTTP or COM+, you can take advantage of the security models they support. - Encapsulation of business logic in a shared middle tier. Different client applications all access the same middle tier. This allows you to avoid the redundancy (and maintenance cost) of duplicating your business rules for each separate client application. - Thin client applications. Your client applications can be written to make a small footprint by delegating more of the processing to middle tiers. Not only are client applications smaller, but they are easier to deploy because they don't need to worry about installing, configuring, and maintaining the database connectivity software (such as the database server's client-side software). Thin client applications can be distributed over the Internet for additional flexibility. - Distributed data processing. Distributing the work of an application over several machines can improve performance because of load balancing, and allow redundant systems to take over when a server goes down. User acceptance testing (UAT) is the last phase of the software testing process. During UAT, actual software users test the software to make sure it can handle required tasks in real-world scenarios, according to specifications. 
UAT is one of the final and critical software project procedures that must occur before newly developed software is rolled out to the market. UAT is also known as beta testing, application testing or end user testing. QUESTION 26 A corporation suffered a large-scale data breach. Clear-text secret questions and answers, email addresses, usernames, passwords, and credit card details were compromised. The attack occurred after hackers performed a password recovery for an administrative account. Which of the following shows how the corporation should have stored the sensitive security data? A. Encrypt email addresses, encrypt passwords and secret Q&A, and hash credit card details. B. Encrypt secret questions and answers, encrypt credit cards details, and hash passwords C. Encrypt all customer information in accordance with corporate privacy policies. D. Encrypt credit card details and email addresses, and hash passwords and secret Q&A

: C Section: (none) Explanation

To allow a user to set up an SSH tunnel, but nothing else, you can restrict the key in authorized_keys with no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding. While no-pty does not allow opening an interactive session, it does nothing to prevent command execution, so the user can still edit the authorized_keys file if they have write access to it, with something like ssh server 'sed -i -e s/no-pty// ~/.ssh/authorized_keys'. Remote-editor.py lives on the local machine and call_remote_edit.sh lives on the remote machine (usually aliased somehow). First, remote-editor.py must be started on the local machine. This will clear the temp directory and start polling. On the remote machine, when you call call_remote_edit.sh, it will, over SSH, write the file path to the local machine. The local machine is actively polling the file written by call_remote_edit.sh. When it detects the queue file has changed, it will download the remote file (via rsync). It will begin to poll the file and, any time it is edited locally, it will push it back to the remote. If it is a new file, it will not pull it first. If call_remote_edit.sh is called for a file that already exists locally, it will be pulled again. This can be used to update a file or to reopen one that has already been closed (or use the R command on the local machine). QUESTION 23 The developers of a new software project are utilizing a specific JavaScript library and a RESTful API. The main reason for choosing the particular library is to improve speed by moving the business logic to the client's local browser. Which of the following activities should the security architect require the developer to perform? A. Server side input validation B. Fuzzing of the browser plugins C. Code review of the JavaScript library D. Vulnerability scan of RESTful clients.

