Practice Exam 6
When your credit card data is written to the customer invoicing system at Dion Training, the first 12 digits are replaced with an x before storing the data. Which of the following privacy methods is being used? Data minimization Tokenization Anonymization Data masking
Data masking OBJ-5.5: Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from a data set so that the people whom the data describe remain anonymous.
Which command would be used to display the network address and subnet mask for the wired network connection on a Linux system? netstat ipconfig nslookup ip
ip OBJ-4.1: The ip command is used to display information about the current wired network connection on a Linux system, including its IP address, subnet mask, and MAC address. The nslookup command is used to display and troubleshoot DNS records. The netstat command is used to display the network statistics. The ipconfig tool displays all current TCP/IP network configuration values on a Windows system.
During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team? SSL MDM DLP UTM
DLP OBJ-2.1: Data loss prevention (DLP) software detects potential data breaches/ data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. This can be configured to detect and alert on future occurrences of this issue. Secure Socket Layer (SSL) is a distraction in this question since the questions ask about information being sent unencrypted. The connection between the client and the email server could be encrypted using SSL. However, the information is still sent to an employee's personal email account, which equates to a loss of control over the company's confidential data. Mobile Device Management (MDM) software is used for the configuration and securing of mobile devices like smartphones and tablets. Unified Threat Management (UTM) is a device that combines the functions of a firewall, anti-malware solution, and IDS into a single piece of hardware. Some UTM's may provide a DLP functionality, but DLP is a better answer to this question.
Dion Training requires that the staff simulate their response to a potential data breach. During this simulation, the staff gathers in the conference room and discusses each action they would take as part of their response. This information is then analyzed to ensure the company's data breach response playbook is up to date and would work properly when needed. Which of the following best describes what the staff did? Incident response Disaster recovery planning Business impact analysis Tabletop exercise
Tabletop exercise OBJ-4.2: A tabletop exercise involves gathering the key staff of an organization and discussing their actions during a potential unwanted event. The staff could further be divided into a blue team and a red team, with half playing the role of defenders and the other half playing the adversary's role. Tabletop exercises are less expensive to conduct than a full-scale red team event or penetration test. Tabletop exercises are a great way to exercise existing procedures and response plans to identify any weaknesses within them.
Your company's Security Operations Center (SOC) is currently detecting an ongoing DDoS attack against your network's file server. A cybersecurity analyst has identified forty internal workstations on the network conducting the attack against your network's file server. The cybersecurity analyst believes these internal workstations are infected with malware and places them into a quarantined network area. The analyst then submits a service desk ticket to have the workstations scanned and cleaned of the infection. What type of malware was the workstation likely a victim of based on the scenario provided? Spyware Botnet Rootkit Ransomware
Botnet OBJ-1.2: A botnet is many internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. A zombie (also known as a bot) is a computer or workstation that a remote attacker has accessed and set up to forward transmissions (including spam and viruses) to other computers on the internet. Spyware is software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user. Ransomware is a type of malware that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid. A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence.
Which authentication mechanism does 802.1x usually rely upon? HOTP EAP TOTP RSA
EAP OBJ-3.8: The IEEE 802.1X Port-based Network Access Control framework establishes several ways for devices and users to be securely authenticated before they are permitted full network access. The actual authentication mechanism will be some variant of the Extensible Authentication Protocol (EAP). EAP allows lots of different authentication methods, but many use a digital certificate on the server and/or client machines. This allows the machines to establish a trust relationship and create a secure tunnel to transmit the user authentication credential.
Your coworker is creating a script to run on a Windows server using PowerShell. Which of the following file formats should the script use? .py .ps1 .sh .bat
.ps1 OBJ-4.1: Windows PowerShell enables you to perform management and administrative tasks in Windows 7 and later. It is fully integrated with the operating system and supports both remote execution and scripting. Microsoft provides the Windows PowerShell Integrated Scripting Environment (ISE) to help create and manage your Windows PowerShell scripts. If you want to save a series of PowerShell commands in a file to rerun them later, you effectively create a PowerShell script by creating a text file with a .ps1 extension. The file can contain a series of PowerShell commands, with each command appearing on a separate line. Python is a general-purpose programming language that can develop many different kinds of applications. It is designed to be easy to read, and the programs use fewer lines of code compared to other programming languages. The code runs in an interpreter. Python is preinstalled on many Linux distributions and can be installed on Windows. Python scripts are saved using the .py extension. Batch scripts run on the Windows operating system and, in their simplest form, contain a list of several commands that are executed in a sequence. A .bat file is used for a batch script. You can run the file by calling its name from the command line or double-clicking the file in File Explorer. Generally, batch file scripts run from end to end and are limited in branching and user input. A shell script is a file that contains a list of commands to be read and executed by the shell in Linux and macOS. A .sh file is used for a shell script and its first line always begins with #!/bin/bash that designates the interpreter. This line instructs the operating system to execute the script. Shell scripts allow you to perform various functions. These functions include automation of commands and tasks of system administration and troubleshooting, creating simple applications, and manipulating text or files.
(Cloud) Internet (DMZ) FTP 192.168.0.5 Web 192.168.0.6 Email 192.168.0.7 (Intranet Workstations) Sales 172.16.1.2 HR 172.16.1.3 IT 172.16.1.4 (Data Center) Backup 192.168.1.10 Confidential 192.168.1.11 Files 192.168.1.12 Review the network diagram provided. Which of the following ACL entries should be added to the firewall to allow only the Human Resources (HR) computer to have SMB access to the file server (Files)? (Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.) 192.168.1.12, 172.16.1.3, 445, UDP, DENY 172.16.1.3, 192.168.1.12, ANY, TCP, ALLOW 172.16.1.3, 192.168.1.12, 445, TCP, ALLOW 172.16.1.12/24, 192.168.1.3/24, 445, TCP, ALLOW
172.16.1.3, 192.168.1.12, 445, TCP, ALLOW OBJ-3.3: The ACL should be created with 172.16.1.3 as the Source IP, 192.168.1.12 as the Destination IP, 445 as the port number operating over TCP, and the ALLOW condition set. This is the most restrictive option presented (only the HR and Files server are used), and the minimal number of ports are opened to accomplish our goal (only port 445 for the SMB service).
(Cloud) Internet (DMZ) FTP 192.168.0.5 Web 192.168.0.6 Email 192.168.0.7 (Intranet Workstations) Sales 172.16.1.2 HR 172.16.1.3 IT 172.16.1.4 (Data Center) Backup 192.168.1.10 Confidential 192.168.1.11 Files 192.168.1.12 Review the network diagram provided. Which of the following ACL entries should be added to the firewall to allow only the system administrator's computer (IT) to have SSH access to the FTP, Email, and Web servers in the DMZ? (Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.) 172.16.1.4, 192.168.0.0/24, 22, TCP, ALLOW 192.168.0.3/24, 172.16.1.4, ANY, TCP, ALLOW 192.168.0.0/24, 172.16.1.4, 22, TCP, ALLOW 172.16.1.0/24, 192.168.0.0/24, ANY, TCP, ALLOW
172.16.1.4, 192.168.0.0/24, 22, TCP, ALLOW OBJ-3.3: Since the scenario requires you to set up SSH access from the IT computer to all three servers in the DMZ, you will need to use a /24 subnet to set up the ACL rule correctly (or have 3 separate ACL entries). Since you can only select one in this example, you will have to use the /24 for the destination network. This means that the Source IP is 172.16.1.4 (IT computer), the Destination IP is 192.168.0.0/24 (the entire DMZ), the port is 22 for SSH and operates over TCP, and the condition is set to ALLOW.
A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation? An HTTP response that reveals an internal IP address A website utilizing a self-signed SSL certificate A cryptographically weak encryption cipher A buffer overflow that is known to allow remote code execution
A buffer overflow that is known to allow remote code execution OBJ-1.3: The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively. While the other issues should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.
Which of the following types of attackers are sophisticated and highly organized people or teams typically sponsored by a nation-state? Advanced Persistent Threat Hacktivists Ethical hacker Script kiddies
Advanced Persistent Threat OBJ-1.5: Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government. An APT is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware. A hacktivist is an attacker that is motivated by a social issue or political cause. A script kiddie has little skill or sophistication and uses publicly available tools and techniques. An ethical hacker specializes in penetration testing and in other testing methodologies that ensure the security of an organization's information systems. An ethical hacker is also known as an authorized hacker.
A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization's proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent? Malware is running on a company workstation or server An infected workstation is attempting to reach a command and control server An attacker is performing reconnaissance of the organization's workstations A malicious insider is trying to exfiltrate information to a remote network
An infected workstation is attempting to reach a command and control server OBJ-1.2: A call home message is an indicator of compromise known as beaconing. Beaconing usually occurs after a stage 1 malware program has been implanted on an organization's workstation or server, but that isn't the most correct answer to this question. Instead, beaconing indicates that a workstation or server is infected and tries to communicate with the attacker's command and control server. This beaconing will continue until the infected system (workstation or server) is found and cleared of the malware or until the botnet gives the infected host further instructions to perform (such as to attack). "Malware is running on a company workstation or server" is incorrect because we do not have positive verification of that based on this scenario. A beacon does not have to be malware. For example, it can simply be a single ping packet or DNS request being sent out every day at a certain time using the Windows task scheduler. Be careful on the exam to answer the question being asked and choose the "most" accurate answer. Since the call home signal is coming from the internal network and attempting to connect to an external server, it cannot be evidence of an attacker performing reconnaissance on your workstations. Also, nothing in the question is indicative of an insider threat trying to exfiltrate information since a call home message is generally minimal in size and not large enough to exfiltrate data.
Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST? Host-based firewall Anti-malware solution Application allow list Intrusion detection system
Application allow list OBJ-4.4: Application allow list will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus. An intrusion detection system might detect the anomalous activity created by a piece of malware, but it will only log or alert based on the activity, not prevent it. A host-based firewall may prevent a piece of malware from establishing a network connection with a remote server. Still, again, it wouldn't prevent infection or prevent it from executing. An anti-malware solution is a good investment towards improving your security. Since the threat is a zero-day virus, an anti-malware solution will not detect it using its signature database.
Michelle has just finished installing a new database application on her server. She then proceeds to uninstall the sample configuration files, properly configure the application settings, and update the software to the latest version according to her company's policy. What best describes the actions Michelle just took? Application hardening Vulnerability scanning Input validation Patch management
Application hardening OBJ-3.2: Application hardening involves taking actions to best secure the application from attack. This involves removing any default or sample configurations, properly configuring settings, and updating the application to the latest and more secure version. Patch management is incorrect because only updating the software falls under patch management, not the configuration portions of her actions. Vulnerability scanning involves scanning a device for known vulnerabilities to update the device and prevent a future attack. Input validation is a technique to verify user-provided data meets the expected length and type before allowing a program to utilize it.
What type of malware is designed to be difficult for malware analysts to reverse engineer? Trojan Logic bomb Rootkit Armored virus
Armored virus OBJ-1.2: Armored viruses are a type of virus that use various techniques to protect it from being reverse engineered. This includes changing its code during execution and encrypting its payloads.
Which of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization's headquarters? Intrusion alarm Access control vestibule Bollards Security guards
Bollards OBJ-2.7: Bollards are a physical security control that is designed to prevent a vehicle-ramming attack. Bollards are typically designed as sturdy, short, vertical posts. Some organizations have installed more decorative bollards created out of cement and are large enough to plant flowers or trees inside. Access control vestibules are designed to prevent individuals from tailgating into the building. Security guards and intrusion alarms could detect this from occurring but not truly prevent them.
The incident response team leader has asked you to perform a forensic examination on a workstation suspected of being infected with malware. You remember from your training that you must collect digital evidence in the proper order to protect it from being changed during your evidence collection efforts. Which of the following describes the correct sequence to collect the data from the workstation? Swap, RAML, CPU cache, Hard drive Hard drive, Swap, CPU cache, RAM CPU cache, RAM, Swap, Hard drive RAM, CPU cache, Swap, Hard drive
CPU cache, RAM, Swap, Hard drive OBJ-4.5: The order of volatility states that you should collect the most volatile (least persistent) data first and the least volatile (most persistent) data last. The most volatile data resides in the CPU Cache since this small memory cache is overwritten quickly during computer operations. Next, you should collect the data in the system memory (RAM) since it will be erased if the workstation is shut down or the power is lost. Third, you should collect the Swap file, a form of temporary memory located on the hard disk. These files are also overwritten frequently during operations. Finally, you should collect the data from the hard disk, as it is the least volatile and remains on the hard disk until a command is given to delete it. Data on a hard disk remains even when power is removed from the workstation.
The public library has had a recent issue with their laptops being stolen from their computer lab.Since this is a public library, it is not a high-security area and is fully accessible by patrons during the day. What is the best way to prevent the theft of laptops? Motion Sensors Mobile Device Management Cable Locks CCTV
Cable Locks OBJ-2.7: Cable locks are the best solution to allow the laptops to be connected physically to the desks and prevent theft. CCTV is a deterrent or detective control but will require someone to monitor it to detect the theft. Mobile device management focuses on tablets or phones, not laptops. Motion sensors are not useful during the library's open hours since authorized patrons are allowed into the lab during the day. If laptop theft occurs during the day, motion sensors will be useless to stop them.
Offices Sales 172.16.1.2 HR 172.16.1.3 IT 172.16.1.4 Internet Cafe Laptop1 192.168.1.10 Laptop2 192.168.1.11 Laptop3 192.168.1.12 Server Room Backup 192.168.1.10 Confidential 192.168.1.11 Files 192.168.1.12 Dion Training has recently opened an Internet café for students to use during their lunch break. Unfortunately, Dion Training doesn't have any wireless networks in their building, so they have placed three laptops in the Internet café. What protection should be installed to best prevent the laptops from being stolen? Cable locks CCTV Proximity badge Safe
Cable locks OBJ-2.7: The best option is to use a cable lock for each laptop to ensure that they won't get stolen from the Internet café. CCTV is useful as a detective control and could be used to find out who stole the laptops after they were taken, but a cable lock is a preventative control that would stop the theft from occurring in the first place. Proximity badges are a poor choice because students would likely not have a proximity badge, and the Internet café is an area with open access for students and instructors. Similarly, a safe may be useful to lock up the laptops at night, but during the day, the laptops would need to be available at the Internet café, so the cable locks are still a better choice.
What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes? Destroy Clear Purge Degauss
Clear OBJ-2.7: Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.
You are conducting an incident response and have traced the attack source to some compromised user credentials. After performing log analysis, you discover that the attack was successfully authenticated from an unauthorized foreign country. Your management is now asking for you to implement a solution to help mitigate this type of attack from occurring again. Which of the following should you implement? Context-based authentication Single sign-on Self-service password reset Password complexity
Context-based authentication OBJ-3.7: Context-based authentication can consider several factors before permitting access to a user, including their location (e.g., country, GPS location, etc.), the time of day, and other key factors to minimize the threat of compromised credentials from being utilized by an attacker. A self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor and repair their problem without calling the help desk. While helpful, this alone would not help prevent an attacker from using the compromised credentials. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems. Again, this is helpful since it will minimize the number of usernames and passwords that a user must remember. Still, if their credentials are stolen, then the attacker can now access every system the user had access to, extending the problem. Password complexity is also a good thing to use, but it won't address the challenge presented in how to prevent the use of compromised credentials. If the password complexity is increased, this will prevent a brute force credential compromise. However, if the credentials are compromised any other way, the attacker could still log in to our systems and cause trouble.
While conducting a penetration test of an organization's web applications, you attempt to insert the following script into the search form on the company's website: <scrip>alert("This site is vulnerable to an attack!")</scrip> Then, you clicked the search button, and a pop-up box appears on your screen showing the following text, "This site is vulnerable to an attack!" Based on this response, what vulnerability have you uncovered in the web application? Buffer overflow Cross-site request forgery Cross-site scripting Distributed denial of service
Cross-site scripting OBJ-1.3: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer.
An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application's search form and introduced the following code in the search input field: Dion Picture When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application? Cross-site request forgery SQL injection Command injection Cross-site scripting
Cross-site scripting OBJ-1.3: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
Which of the following cryptographic algorithms is classified as symmetric? ECC GPG DSA DES
DES OBJ-2.8: The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for applications, it was the standard used from 1977 until the early 2000s. GPG, ECC, and DSA are all asymmetric algorithms.
You have been asked to provide some training to Dion Training's system administrators about the importance of proper patching of a system before deployment. To demonstrate the effects of deploying a new system without patching it first, you ask the system administrators to provide you with an image of a brand-new server they plan to deploy. How should you deploy the image to demonstrate the vulnerabilities exposed while maintaining the security of the corporate network? Deploy the image to a brand new physical server, connect it to the corporate network, then conduct a vulnerability scan to demonstrate how many vulnerabilities are now on the network Deploy the vulnerable image to a virtual machine on a physical server, create an ACL to restrict all incoming connections to the system, then scan it for vulnerabilities Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities Utilize a server with multiple virtual machine snapshots installed to it, restore from a known compromised image, then scan it for vulnerabilities
Deploy the system image within a virtual machine, ensure it is in an isolated sandbox environment, then scan it for vulnerabilities OBJ-3.2: To ensure your corporate network's safety, any vulnerable image you deploy should be done within a sandboxed environment. This will ensure that an outside attacker cannot exploit the vulnerabilities but will still allow you to show the vulnerabilities found during a scan to demonstrate how important patching is to the security of the server.
A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation? False positive False negative True negative True positive
False positive OBJ-1.7: A false positive occurs when a scanner detects a vulnerability, but the vulnerability does not exist on the scanned system. A true positive occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system. A true negative occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system. A false negative occurs when a scanner does not detect a vulnerability, but the vulnerability exists on the scanned system.
Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks? Output encoding Directory traversals File inclusions Faulty input validation
Faulty input validation OBJ-3.2: A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory. In a file inclusion attack, the attacker adds a file to a web app or website's running process. The file is either constructed to be malicious or manipulated to serve the attacker's malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker's site.
Your company is expanding its operations in the European Union and is concerned about additional governmental regulations that may apply. Which of the following regulations applies when processing personal data within the European Union? PHI PCI PII GDPR
GDPR OBJ-5.5: The General Data Protection Regulation (GDPR) is a regulation created in the European Union that creates provisions and requirements to protect the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements. Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. The peripheral component interconnect (PCI) bus is used to provide low-speed connectivity to expansion cards but has been mostly replaced by the faster PCIe bus. The Payment Card Industry Data Security Standard (PCI-DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to securely host your data and follow PCI compliance requirements.
Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually through a token-based key fob or smartphone app, that does not expire? Smart card HOTP EAP TOTP
HOTP OBJ-2.4: HMAC-based One-time Password Algorithm (HOTP) is an algorithm for token-based authentication. The authentication server and client token are configured with the same shared secret. The token could be a fob-type device or implemented as a smartphone app. The token does not have an expiration under HOTP, but an improved version known as TOTP does include token expirations.
Tierra works as a cybersecurity analyst for a large multi-national oil and gas company. She responds to an incident at her company in which their public-facing web server has been defaced with the words, "Killers of the Arctic." She believes this was done in response to her company's latest oil drilling project in the Arctic Circle. Which threat actor is most likely to blame for the website defacement? Hacktivist APT Organized crime Script kiddie
Hacktivist OBJ-1.5: It appears this hack was motivated by a pro-environmentalist agenda based on the message of the website defacement. This is an example of hacktivism. In 2012, five top multi-national oil companies were targeted by members of Anonymous as a form of digital protest against drilling in the Arctic, a practice that these hacktivists believe has contributed to the melting of the ice caps in that region.
During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft's regular patch. Which of the following options would be best to ensure the system remains protected and are compliant with the rules outlined by the PCI DSS? Remove the POS terminals from the network until the vendor releases a patch Replace the Windows POS terminals with standard Windows systems Identify, implement, and document compensating controls Build a custom OS image that includes the patch
Identify, implement, and document compensating controls OBJ-5.1: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.
Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if any of the Dion Training employees use the same Ethernet port in the conference room, they should access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements? MAC filtering Create an ACL to allow access Configure a SIEM Implement NAC
Implement NAC OBJ-3.3: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets and provide them with access to the secure internal network. NAC could also determine unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them on a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define what ports, protocols, or IP addresses the ethernet port could be utilized. Still, it would be unable to distinguish between a Dion Training employee's laptop and a CompTIA employee's laptop like a NAC implementation could.
During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found? SQL injection Indicator of compromise Botnet XSRF
Indicator of compromise OBJ-1.2: An indicator of compromise is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers' domain names. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. A botnet consists of many Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.
Which of the following utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise? Infrastructure as Code (IaC) Software-Defined Networking (SDN) Infrastructure as a Service (IaaS) Software as a Service (SaaS)
Infrastructure as Code (IaC) OBJ-2.2: Infrastructure as Code (IaC) is designed with the idea that a well-coded description of the server/network operating environment will produce consistent results across an enterprise and significantly reduce IT overhead costs through automation while precluding the existence of security vulnerabilities. SDN uses software to define networking boundaries but does not necessarily handle server architecture in the same way that IaC can. Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services.
You work for Dion Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first? Install CCTV to monitor the entrance Install an access control vestibule at the entrance Install an RFID badge reader at the entrance Require all employees to wear security badges when entering the building
Install an access control vestibule at the entrance OBJ-2.7: An access control vestibule, or mantrap, is a device that only allows a single person to enter per authentication. This authentication can be done by RFID, a PIN, or other methods. Once verified, the mantrap lets a single person enter through a system, such as a turnstile or rotating door. CCTV will not stop piggybacking, but it could be used as a detective control after an occurrence. Wearing security badges is useful, but it won't stop piggybacking by a skilled social engineer. RFID badges may be used as part of your entry requirements, but it won't stop a determined piggyback who follows an employee into the building after their authenticated RFID access has been performed.
You have just received an email that claims to be from the Federal Bureau of Investigation (FBI). The email claims that your computer was identified as part of a botnet being used to distribute pirated copies of a new movie. The email states that you must click the link below and pay a fine of $1000 within 24 hours, or federal agents will be sent to your home to arrest you for copyright infringement. What social engineering principle is this email relying on using? Familiarity Consensus Trust Intimidation
Intimidation OBJ-1.1: Intimidation is a commonly used technique during a social engineering campaign. It relies on trying to scare or frighten a person into clicking a link. Often, these emails will claim to be from the FBI, IRS, or other government agencies.
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems? Automated patch deployment Intrusion prevention system Anti-virus software Log consolidation
Intrusion prevention system OBJ-2.6: Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment and to prevent malicious activity. You could set up strict IPS rules to prevent unknown types of actions from being allowed to occur. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before conducting any patches. Often, patches will break ICS/SCADA functionality. Antivirus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems often do not rely on standard operating systems like Windows.
You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first? Backup tapes ARP cache Image of the server's SSD L3 cache
L3 cache OBJ-4.5: When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin collecting the CPU registers and cache memory (L1/L2/L3/GPU). The contents of system memory (RAM), including a routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Next, you would move on to the collection of data storage devices like hard drives, SSDs, and flash memory devices. After that, you would move onto less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.
Which of the following is NOT considered part of the Internet of Things? SCADA ICS Smart television Laptop
Laptop OBJ-2.6: Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other things examples of devices classified as the Internet of Things (IoT). A laptop would be better classified as a computer or host than part of the Internet of Things. The Internet of things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs), and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
Which analysis framework makes no allowance for an adversary retreat in its analysis? AlienVault (AT&T Cybersecurity) Cyber Kill Chain MITRE ATT&CK framework Lockheed Martin cyber kill chain Diamond Model of Intrusion Analysis
Lockheed Martin cyber kill chain OBJ-4.2: The Lockheed Martin cyber kill chain implicitly assumes a unidirectional workflow. Therefore, it fails to consider that an adversary may retreat during an attack. MITRE and Diamond's models are more dynamic systems that allow for a broader range of adversary behaviors. AlienVault was specifically designed to avoid the rigidity of the Lockheed Martin cyber kill chain.
The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, "You will regret firing me; just wait until Christmas!" He suspects the message came from a disgruntled former employee who may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could negatively affect Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for? Adware Logic bomb Worm Trojan
Logic bomb OBJ-1.2: A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. The director is concerned that a logic bomb may have been created and installed on his system or across the network before the analyst was fired.
Which of the following types of access control provides the strongest level of protection? DAC MAC RBAC ABAC
MAC OBJ-3.8: Mandatory Access Control (MAC) requires all access to be predefined based on system classification, configuration, and authentication. MAC is commonly used in highly centralized environments and usually relies on a series of labels, such as classification levels of the data.
Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place? Dual control Mandatory vacations Least privilege Separation of duties
Mandatory vacations OBJ-5.3: Mandatory vacation policies require employees to take time away from their job and help to detect fraud or malicious activities. Even if other controls such as separation of duties, least privilege, and dual control are used, an employee could collude with others to conduct fraud. By utilizing mandatory vacation policies, this fraud can often be discovered since a new person will be conducting the duties assigned to the person on vacation. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities.
Which of the following tools is useful for capturing Windows memory data for forensic analysis? dd Wireshark Memdump Nessus
Memdump OBJ-4.1: The Memdump, Volatility framework, DumpIt, and EnCase are examples of Windows memory capture tools for forensic use. The dd tool is used to conduct forensic disk images. Wireshark is used for packet capture and analysis. Nessus is a commonly used vulnerability scanner.
Dion Training conducts weekly vulnerability scanning of their network and patches any identified issues within 24 hours. Which of the following best describes the company's risk response strategy? Acceptance Transference Mitigation Avoidance
Mitigation OBJ-5.4: Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing an activity that is risk-bearing. Acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.
What tool can be used to scan a network to perform vulnerability checks and compliance auditing? Nmap Nessus Metasploit BeEF
Nessus OBJ-4.1: Nessus is a popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
Which of the following is considered a form of regulated data? DMCA DRM AUP PII
PII OBJ-5.5: The four forms of regulated data covered by the exam are PII (Personally Identifiable Information), PCI (Payment Card Industry), GDPR (General Data Protection Regulation), and PHI (Protected Health Information). Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the Internet. While some items in the AUP might help prevent a malware infection (such as not allowing users to download and run programs from the internet), it is considered an administrative control, and choosing a technical control like patch management would better protect the network. Digital rights management (DRM) is a copyright protection technology for digital media. DRM solutions usually try to restrict the number of devices allowed for playback of a licensed digital file, such as a music track or ebook. The Digital Millennium Copyright Act (DMCA) is a 1998 United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization that criminalizes production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works.
Which of the following password policies defines the types of alphanumeric characters required to be utilized in a user's password? Password length Password complexity Password history Password expiration
Password complexity OBJ-3.7: The Passwords must meet complexity requirements. The policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Enabling this policy setting requires passwords to meet more complicated password requirements. This includes using uppercase, lowercase, numeric, and special characters.
Which of the following password policies defines the number of previous passwords that cannot be reused when resetting a user's password? Password complexity Password history Password expiration Password length
Password history OBJ-3.7: Password history is used to determine the number of unique passwords a user must use before using an old password again. This prevents password reuse and also helps protect authentication services from brute force attacks. A password expiration control in the policy would force users to change their passwords at specific time intervals. The passwords must meet the complexity requirements which determines whether passwords must meet a series of guidelines that are considered important for a strong password. Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack.
You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices' data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives? Conduct zero-fill on the storage devices Use a secure erase (SE) utility on the storage devices Incinerate and replace the storage devices Perform a cryptographic erase (CE) on the storage devices
Perform a cryptographic erase (CE) on the storage devices OBJ-2.7: Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case, the hard drives already used data at rest. Therefore, the most efficient method would be to choose CE. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives, and it takes much longer than the CE method. The final option is to conduct physical destruction, but since the scenario states that the storage device will be reused, this is not a valid technique. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.
A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability? Perform a web vulnerability scan on all servers in the environment Perform an authenticated scan on all web servers in the environment Perform a scan for the specific vulnerability on all web servers Perform an unauthenticated vulnerability scan on all servers in the environment
Perform a scan for the specific vulnerability on all web servers OBJ-1.7: Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers are chosen because Apache is a web server application. While performing an authenticated scan of all web servers or performing a web vulnerability scan of all servers would also find these vulnerabilities, it is a much larger scope. It would waste time and processing power by conducting these scans instead of properly scoping the scans based on your needs. Performing unauthenticated vulnerability scans on all servers is also too large in scope (all servers) while also being less effective (unauthenticated scan).
During which phase of the incident response process does an organization assemble an incident response toolkit? Detection and analysis Containment, eradication, and recovery Preparation Post-incident activity
Preparation OBJ-4.2: During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. During the containment, eradication, and recovery phase of an incident response, an analyst must preserve forensic and incident information for future needs, prevent future attacks or bring up an attacker on criminal charges. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.
A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the webserver, what is their next step to pivot to a protected system outside of the screened subnet? Privilege escalation Vulnerability scanning Patching Installing additional tools
Privilege escalation OBJ-1.8: Apache web servers are run as a limited user by default, not as an administrative or root account. To be efficient and effective, the penetration tester should attempt to conduct a privilege escalation before pivoting into the screened subnet. As a penetration tester, they would not likely patch the system, conduct a vulnerability scan, or install additional tools. This does not help them achieve their goal of pivoting out of the screened subnet.
You are in the recovery steps of an incident response. Throughout the incident, your team never successfully determined the root cause of the network compromise. Which of the following options would you LEAST likely perform as part of your recovery and remediation actions? Review and enhance patch management policies Restrict host access to peripheral protocols like USB or Bluetooth Disable unused user accounts Proactively sanitize and reimage all of your routers and switches
Proactively sanitize and reimage all of your routers and switches OBJ-4.4: Since your team could not determine the root cause of the compromise, you would most likely conduct system and network hardening actions as part of the recovery and remediation. The only option that is not considered a hardening action is proactively sanitizing and reimaging your routers and switches. If you performed this action, you could have unwanted disruptive effects on the company. Instead, it would be more beneficial to increase monitoring of the devices to ensure they are not compromised. Proactively sanitizing and reimaging all of the routers and switches would be a large undertaking. Without evidence suggesting that such an approach is warranted, you would be wasting a lot of time and money. The other options presented are the best security practices to prevent future compromises. Reimaging the network devices without knowing the root cause will likely be ineffective in securing the network.
Which type of authentication method is commonly used with physical access control systems and relies upon RFID devices embedded into a token? HOTP TOTP Proximity cards Smart cards
Proximity cards OBJ-2.7: A proximity card is a contactless card that usually utilizes RFID to communicate with the reader on a physical access system. These are commonly used to access secured rooms (such as server rooms) or even a building itself (such as at an access control vestibule). Some smart cards contain proximity cards within them, but the best answer to this question is proximity cards since that is the function of the smart card would be the device used to meet this scenario's requirements. An HMAC-based one-time password (HOTP) is a one-time password algorithm based on hash-based message authentication codes. A Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password that uses the current time as a source of uniqueness.
Your company wants to provide a secure SSO solution for accessing both the corporate wireless network and its network resources. Which of the following technologies should be used? WPS WEP WPA2 RADIUS
RADIUS OBJ-3.4: With RADIUS and SSO configured, users on the network can provide their user credentials one time when they initially connect to the wireless access point or another RADIUS client and are then automatically authenticated to all of the network's resources. The Remote Authentication Dial-in User Service (RADIUS) is used to manage remote and wireless authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The client device then passes the authentication data to an AAA (Authentication, Authorization, and Accounting) server that processes the request. The Terminal Access Controller Access Control System (TACACS+) is a proprietary alternative to RADIUS developed by Cisco for handling authentication. The Wi-Fi Protected Setup (WPS) is a mechanism for auto-configuring a WLAN securely for home users. On compatible equipment, users push a button on the access point and connect adapters to associate them securely. WPS is subject to brute force attacks against the PIN used to secure them, making them vulnerable to attack. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption.
Dion Training uses an authentication protocol to connect a network client to a networked file server by providing its authentication credentials. The file server then uses the authentication credentials to issue an authentication request to the server running this protocol. The server can then exchange authentication messages with the file server on behalf of the client. Throughout this process, a shared secret is used to protect the communication. Which of the following technologies relies upon the shared secret? PKI Kerberos RADIUS LDAP
RADIUS OBJ-3.8: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol operating on port 1812 that provides centralized Authentication, Authorization, and Accounting (AAA or Triple-A) management for users who connect and use a network service. The RADIUS protocol utilizes an obfuscated password created from the shared secret and creates an MD5 hash of the authentication request to protect the communications.
Which of the following cryptographic algorithms is classified as symmetric? RC4 ECC RSA Diffie-Hellman
RC4 OBJ-2.8: RC4, or Rivest Cipher 4, is a symmetric stream cipher used in WEP and TLS. ECC, RSA, and Diffie-Hellman are all asymmetric algorithms.
Dion Training performed an assessment as part of its disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 60 minutes worth of data loss in the event of a disaster. Therefore, the organization has implemented a system of database snapshots that are backed up every hour. Which of the following metrics would best represent this timeframe? MTBF MTTR RTO RPO
RPO OBJ-5.4: Recovery point objective (RPO) describes the timeframe in which an enterprise's operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster, or communications failure. RPO is about how much data you afford to lose before it impacts business operations. For example, at Dion Training, if 1 hour of data loss occurred, that means that any student progress within the last hour would be lost once the organization restored a server from a known good backup.
On your lunch break, you walked down to the coffee shop on the corner. You open your laptop and connect to their wireless network. After a few minutes of surfing the Internet, a pop-up is displayed on your screen. You close the pop-up, finish your lunch break, shut down the laptop, and put it back into your backpack. When you get back to the office, you take out the laptop and turn it on, but instead of your normal desktop background, you are greeted by a full-screen image with a padlock and a message stating you have to pay 0.1 BTC to regain access to your personal files. What type of malware has infected your laptop? Spyware Rootkit Trojan Ransomware
Ransomware OBJ-1.2: This scenario is describing a ransomware attack. Your personal files are being held hostage and will not be released unless you pay a ransom (in this case, 0.1 BTC). Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received. A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enabled administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system. Spyware is a program that monitors user activity and sends the information to someone else. It may be installed with or without the user's knowledge. It invades the device, steals sensitive information and internet usage data, and relays it to advertisers, data firms, or external users. A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system.
Dion Training wants to require students to log on using multifactor authentication to increase the security of the authorization and authentication process. Currently, students log in to diontraining.com using a username and password. What proposed solution would best meet the goal of enabling multifactor authentication for the student login process? Require students to create a unique pin that is entered after their username and password are accepted Require students to enter a cognitive password requirement (such as 'What is your dog's name?') Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password Require students to choose an image to serve as a secondary password after logon
Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password OBJ-2.4: All of the options presented are knowledge factors (something you know) except the six-digit number sent by SMS to your smartphone. This SMS sent number is an example of a possession factor or something you have. In this case, it verifies you have your smartphone. By combining this possession factor with the already in use knowledge factor (username and password), you can establish multifactor security for the login process.
What is the term for the amount of risk that an organization is willing to accept or tolerate? Risk deterrence Risk transference Risk appetite Risk avoidance
Risk appetite OBJ-5.4: An organization's willingness to tolerate risk is known as its risk appetite. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan less it frequently, for example. If you have a low-risk appetite, you will place a higher amount of resources towards defending and mitigating your systems. Risk avoidance is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk deterrence is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk transference moves or shares the responsibility of risk to another entity.
What term describes the amount of risk an organization is willing to accept? Risk appetite Risk acceptance Risk avoidance Risk mitigation
Risk appetite OBJ-5.4: Risk appetite describes how much risk an organization is willing to accept. This is a crucial factor both in designing the assessment and determining the recommended mitigations. Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a data center. Risk mitigation refers to applying security controls to reduce the risk of a known vulnerability. Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization's assets. Risk acceptance is the act of accepting the identified risk and not taking additional actions to reduce the risk because the risk is low enough. Risk acceptance should only be done once an organization's risk tolerance is defined and communicated amongst the decision-makers.
Recently, you discovered an unauthorized device during a search of your corporate network. The device provides nearby wireless hosts to access the corporate network's resources. What type of attack is being utilized? Rogue access point Bluejacking IV attack Bluesnarfing
Rogue access point OBJ-1.4: A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker. The question describes the unauthorized device, indicating it is a rogue device. An access point performs the ability to connect wireless hosts to the corporate network. Therefore, the unauthorized device in this question would be considered a rogue access point.
Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? NetFlow MIB SNMP SMTP
SNMP OBJ-3.1: Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, and many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.
You have signed up for a web-based appointment scheduling application to help you manage your new IT technical support business. What type of solution would this be categorized as? SaaS PaaS DaaS IaaS
SaaS OBJ-2.2: Software as a Service (SaaS) is ca loud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center.
An analyst reviews a triple-homed firewall configuration that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall? Screened subnet Availability zone Staging environment Data zone
Screened subnet OBJ-3.3: A triple-homed firewall connects to three networks internal (private), external (internet/public), and a screened subnet (formerly called a demilitarized zone or DMZ). The screened subnet is used to host systems that require access from external hosts. Data zones describe the state and location of data to help isolate and protect it from unauthorized/inappropriate use-for example, as data transitions from raw storage, processing, production, and analytical use. Data zones are associated with data lakes and designed to help manage big data used by analysts and scientists for data exploration and discovery tasks. An availability zone is an individual data center within a region of a cloud service provider's network. A staging environment is a pre-production enclave used for testing and development.
You are analyzing the logs of a forensic analysts workstation and see the following: root@DionTraining:/home# dd if=/dev/sdc of=/dev/sdb bs=1M count=1000 What does the bs=1M signify in the command list above? Removes error messages and other incorrect data Sends output to a blank sector Sets the block size Sets the beginning sector
Sets the block size OBJ-4.1: The dd command is used in forensic data acquisition to forensically create a bit by bit copy of a hard drive to a disk image. The bs operator sets the block size when using the Linux dd command. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
You are performing a web application security test, notice that the site is dynamic, and must be using a back-end database. You decide you want to determine if the site is susceptible to an SQL injection. What is the first character that you should attempt to use in breaking a valid SQL request? Double quote Semicolon Exclamation mark Single quote
Single quote OBJ-1.3: The single quote character (') is the character limiter in SQL. With a single quote,' you delimit strings, and therefore you can test whether the programmer has properly escaped the strings in the targeted application. If not escaped directly, you can end any string supplied to the application and add other SQL code after it. This is a common technique for SQL injections. A semicolon is a commonly used character at the end of a line of code or command in many programming languages. An exclamation mark comments a line of code in several languages. Double quotes contain a string that is passed to a variable.
Which of the following identity and access management controls relies upon using a certificate-based authentication mechanism? Smart card HOTP Proximity card TOTP
Smart card OBJ-3.7: Smart cards, PIV, and CAC devices are used as an identity and access management control. These devices contain a digital certificate embedded within the smart card (PIV/CAC) presented to the system when it is inserted into the smart card reader. When combined with a PIN, the smart card can be used as a multi-factor authentication mechanism. The PIN unlocks the card and allows the digital certificate to be presented to the system.
Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system? Smartcard and PIN Password and security question Fingerprint and retinal scan Username and password
Smartcard and PIN OBJ-2.4: Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inheritance factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inheritance). Choosing a username, password, and security question would also be only using one factor (knowledge). For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inheritance, location, or action.
DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as? Decompiler Fuzzer Static code analyzer Fault injector
Static code analyzer OBJ-3.2: DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program to be run during testing and analysis.
Which of the following protocols is considered insecure and should never be used in your networks? SFTP HTTPS Telnet SSH
Telnet OBJ-3.1: Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. It is considered insecure and should never be used in secure networks because it transmits everything in clear text, including your authentication credentials. Telnet should be replaced with a more secure option, such as the secure shell (SSH) protocol. SSH performs the same functions as telnet but uses an encrypted tunnel to maintain the data's confidentiality before being sent over it. SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP used for secure communication over a computer network by encrypting data being transferred over it with either TLS or SSL.
Which of the following types of remote access technologies should NOT be used in a network due to its lack of security? RDP VPN SSH Telnet
Telnet OBJ-3.1: Telnet should not be used in a network due to its weak security posture. Telnet transmits all of the data in plain text (without encryption), including usernames, passwords, commands, and data files. For this reason, it should never be used in production networks and has been replaced by SSH in most corporate networks. Remote Desktop Protocol (RDP) is a Microsoft protocol designed to facilitate application data transfer security and encryption between client user devices and a virtual network server. It enables a remote user to add a graphical interface to the desktop of another computer. SSH (Secure Shell) is used to remotely connect to a network's switches and routers to configure them securely. SSH is typically used for logging into a remote machine and executing commands, but it also supports tunneling, forwarding TCP ports, and X11 connections; it can transfer files using the associated SSH file transfer (SFTP) or secure copy (SCP) protocols. SSH uses the client-server model. A remote-access VPN connection allows an individual user to connect to a private network from a remote location using a laptop or desktop computer connected to the internet. A remote-access VPN allows individual users to establish secure connections with a remote computer network. Once established, the remote user can access the corporate network and its capabilities as if they were accessing the network from their own office spaces.
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on the network? The beaconing interval The removal of known traffic The beacon's persistence The beacon's protocol
The beacon's protocol OBJ-1.8: The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely. Other factors like the beacon's persistence (if it remains after a reboot of the system) and the beacon's interval (how much time elapses between beaconing)are much better indicators for fingerprinting a malicious beacon. The removal of known traffic by the script can also minimize the amount of data the cybersecurity analyst needs to analyze, making it easier to detect the malicious beacon without wasting their time reviewing non-malicious traffic.
You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization? The cost of hardware replacement of the system The type of data processed by the system The cost of acquisition of the system The depreciated hardware cost of the system
The type of data processed by the system OBJ-5.4: The data's asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value. The cost of acquisition, cost of hardware replacement, and depreciated costs refer to the financial value of the hardware or system itself. This can be significantly different from the value of the information and data that the system stores and processes.
Assuming that Dion Training trusts Thor Teaches, and Thor Teaches trusts Udemy, then we can assume Dion Training also trusts Udemy. What concept of IAM does the previous statement represent? Public key trust Certificate authority trust Domain level trust Transitive trust
Transitive trust OBJ-2.4: Transitive trust occurs when X trusts Y, and Y trusts Z; therefore, X trusts Z. This is because the trust flows from the first part (Dion Training) through the second party (Thor Teaches) to the third party (Udemy).
A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? Configuration management Vulnerability scanning Automatic updates Scan and patch the device
Vulnerability scanning OBJ-3.3: The best option here is vulnerability scanning as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could normally be possible solutions, but these are not viable options without gaining administrative access to the appliance. Therefore, the analyst should continue to conduct vulnerability scanning of the device to understand the risks associated with it and then make recommendations to add additional compensating controls like firewall configurations, adding a WAF, providing segmentation, and other configurations outside the appliance that could minimize the vulnerabilities it presents.
Which of the following vulnerabilities is the greatest threat to data confidentiality? phpinfo information disclosure vulnerability HTTP TRACE/TRACK methods enabled Web application SQL injection vulnerability SSL Server with SSLv3 enabled vulnerability
Web application SQL injection vulnerability OBJ-5.4: Each vulnerability mentioned poses a significant risk, but the greatest threat comes from the SQL injection. An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using this technique, the attacker could also alter the data and put it back, and nobody would notice everything that had been changed, thereby also affecting our data integrity. The HTTP TRACE/TRACK methods are normally used to return the full HTTP request to the requesting client for proxy-debugging purposes and allow the attacker to access sensitive information in the HTTP headers. Since this only exposes information in the headers, it minimizes the risk to our system's data confidentiality. An SSL server with SSLv3 enabled is not ideal since this is an older encryption type, but it still provides some confidentiality. The phpinfo information disclosure vulnerability prints out detailed information on both the system and the PHP configuration. This information by itself doesn't disclose any information about the data stored within the system, though, so it isn't a great threat to our data's confidentiality.
Ted, a file server administrator at Dion Training, has noticed that many sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted looks up the IP address and determines that it is located in a foreign country. Ted contacts his company's security analyst, verifying that the workstation's anti-malware solution is up-to-date and the network's firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation? MAC spoofing Session hijacking Zero-day Impersonation
Zero-day OBJ-1.6: Since the firewall is properly configured and the anti-malware solution is up-to-date, this signifies that a zero-day vulnerability may have been exploited. A zero-day vulnerability is an unknown vulnerability, so a patch or virus definition has not been released yet. A zero-day vulnerability refers to a hole in software that is unknown to the vendor. Hackers then exploit this security hole before the vendor becomes aware and hurries to fix it. This exploit is therefore called a zero-day attack. Zero-day attacks include infiltrating malware, spyware, or allowing unwanted access to user information. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. Impersonation is the act of pretending to be someone or something else. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the webserver.