Practice Questions
A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS. What should the network administrator implement? A) 802.1x using EAP with MSCHAPv2 B) WPA2 with a complex shared key C) PKI with user authentication D) MAC address filtering with IP filtering
A) 802.1x using EAP with MSCHAPv2 Since the backend uses a RADIUS server for authentication, the network administrator can install 802.1x using EAP with MSCHAPv2 for authentication. The Extensible Authentication Protocol (EAP) is an authentication framework that supports numerous different authentication mechanisms, including simple passwords, digital certificates, and public key infrastructure. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based authentication protocol that is widely used as an authentication method in Point-to-Point Tunneling Protocol (PPTP) VPNs and can be used with EAP.
An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker located several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use? A) Cain and Abel B) Nessus C) Nmap D) Netcat
A) Cain and Abel Cain and Abel (often abbreviated to Cain) is a popular password cracking tool. It can recover many password types using methods such as network packet sniffing and cracking various password hashes through dictionary attacks, brute force, and cryptanalysis attacks. It also includes a module to conduct Cisco VPN Client password decoding. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access.
Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24-hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements? A) Create a daily incremental backup to tape B) Configure replication of the data to a set of servers located at a hot site C) Create disk-to-disk snapshots of the server every hour D) Conduct full backups daily to tape
A) Create a daily incremental backup to tape Since the RPO must be within 24 hours, daily or hourly backups must be conducted. Since the requirement is for backups to be conducted at a specific time each week, hourly snapshots would not meet this requirement and are not easily transported since they are being conducted as a disk-to-disk backup. Replication to a hot site environment also doesn't allow for transportation of the data to an off-site facility for storage, and replication would continuously occur throughout the day. Therefore, a daily incremental backup should be conducted since it will require the least amount of time to conduct. The tapes could be easily transported for storage and restored incrementally from tape since the last full backup was conducted.
A financial services company wants to donate some old hard drives from their servers to a local charity. Still, they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use? A) Cryptographic erase B) Overwrite C) Secure erase D) Zero-fill
A) Cryptographic erase In a cryptographic erase (CE), the storage media is encrypted by default and the encryption key is destroyed during the erasing operation; CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices, but can be used with hard drives as well. Zero-fill is a process that fills the entire storage device with zeroes; this is not reliable for SSDs and hybrid drives because they use wear-leveling routines in the drive controller to communicate which locations are available for use. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device.
How can you best prevent rogue machines from connecting to your network? A) Deploy an IEEE 802.1x configuration B) Use strong passwords for user accounts C) Use IPv6 D) Deploy an IEEE 802.11 configuration
A) Deploy an IEEE 802.1x configuration The IEEE 802.1x standard requires that devices be authenticated before being given network access. Strong passwords may prevent user account compromise, but will not prevent rogue network connections. IPv6 does not prevent rogue network connections. IEEE 802.11 defines the Wi-Fi standard and does not prevent rogue network connections.
What is a reverse proxy commonly used for? A) Directing traffic to internal services if the contents of the traffic comply with the policy B) Allowing access to a virtual private cloud C) Obfuscating the origin of a user within a network D) Preventing unauthorized use of cloud services from the local network
A) Directing traffic to internal services if the contents of the traffic comply with the policy A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users' devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server's response back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.
A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? A) Enable sampling of the data B) Enable QoS C) Enable full packet capture D) Enable NetFlow compression
A) Enable sampling of the data Sampling can help them capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provides useful information. Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to run high-priority applications and traffic dependably, but that does not help in this situation. Compressing NetFlow data helps save disk space, but it does not increase the capacity of the bottleneck of 2 Gbps during collection. Enabling full packet capture would take even more resources to process and store and not minimize the bottleneck of 2 Gbps during collection.
Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards? A) FISMA B) HIPAA C) SOX D) COPPA
A) FISMA The Federal Information Security Management Act (FISMA) is a United States federal law requiring that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Children's Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all U.S. public company boards, management, and public accounting firms.
You are deploying cloud storage for your organization through a public cloud provider. Which type of cloud service model does this apply to? A) IaaS B) PaaS C) XaaS D) SaaS
A) IaaS IaaS refers to compute, network, and storage services offered in the cloud. PaaS is primarily of interest to software developers and provides services such as databases and programming APIs. XaaS is a general term. SaaS enables end-user software to be rapidly provisioned over a network.
Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? A) Implement an allow list B) VPN C) MAC filtering D) IDS
A) Implement an allow list By implementing an allow list of the authorized IP addresses for the five largest vendors, they will be the only ones who can access the web server, and all other users will be denied. This can be done by creating rules in the Access Control List (ACL). Based on the scenario's description, it appears that the system is under some form of denial of service attack. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve it (whereas an IPS could).
You are notified by an external organization that an IP address associated with your company's email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals that the email account used belonged to Connor from the sales department and that Connor's email account was only used from one workstation. You analyze Connor's workstation and discover several unknown processes running, but NetFlow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario? A) Isolate the workstation computer by disabling the switch port and resetting Connor's username and password B) Request disciplinary action for Connor for causing this incident C) Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department D) Unplug the workstation's network cable and conduct a complete reimaging of the workstation
A) Isolate the workstation computer by disabling the switch port and resetting Connor's username and password Isolation of Connor's computer by deactivating the port on the switch should be performed instead of just unplugging the computer to guarantee that Connor won't just plug the computer back into the network as soon as you leave his desk. Isolating the network segment, without evidence indicating the need to do so, would have been overkill and overly disruptive to the business. Reimaging Connor's device may destroy data that could have otherwise been recovered and led to a successful root cause analysis. While Connor won't be able to work without his workstation, it is essential to isolate the issue quickly to prevent future attempts at lateral movement from occurring and protect the company's data needed for continued business operations.
Dion Training has added a salt and cryptographic hash to their passwords to increase the security before storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called? A) Key stretching B) Rainbow table C) Collision resistance D) Salting
A) Key stretching In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. The question describes one such key stretching technique.
A security auditor must determine which types of servers are running on a network. Which tool or technique is best suited for this task? A) OS fingerprinting B) Protocol analyzer C) Port scanner D) Virus scanner
A) OS fingerprinting OS fingerprinting is used by network mapping and vulnerability scanning utilities to map a network's layout and identify host operating systems. Protocol analyzers capture transmitted network traffic. Port scanners identify listening ports. Virus scanners protect against malware on a host, and do not scan entire networks.
A security analyst conducted an Nmap scan of a server and found that port 25 is open. What risk might this server be exposed to? A) Open mail relay B) Web portal data leak C) Clear text authentication D) Open file/print sharing
A) Open mail relay Port 25 is the default port for SMTP (Simple Mail Transfer Protocol), which is used for sending email. An open mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send email through it, not just mail originating from your known and trusted users. Spammers can exploit this type of vulnerability to use your email server for their benefit. File/print sharing usually operates over ports 135, 139, and 445 on a Windows server. Web portals run on ports 80 and 443. Clear text authentication could occur using an unencrypted service, such as Telnet (23), FTP (20/21), or the web (80).
Your colleagues report that there is a short time frame in which a revoked certificate can still be used. Why is this? A) The CRL is published periodically B) The CRL is published immediately but must replicate to all hosts C) The CRL lists only revoked certificate serial numbers; it is not checked to prevent usage of revoked certificates D) The CRL is dependent on network bandwidth
A) The CRL is published periodically The CRL is not published immediately; it is published either manually or on a schedule, so there may be a small time frame in which revoked certificates can still be used.
You just received a notification that your company's email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? A) The full email header from one of the spam messages B) Network flows for the DMZ containing the email servers C) The SMTP audit log from your company's email server D) Firewall logs showing the SMTP connections
A) The full email header from one of the spam messages You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern.
While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source? A) 192.168.1.100 B) 192.186.1.100 C) 172.16.1.100 D) 10.15.1.100
B) 192.186.1.100 Private IP addresses are either 10.x.x.x, 172.16-31.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100 since it is not a private IP address.
Your organization is updating its Acceptable Use Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement? A) Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters B) All guests must provide valid identification when registering their wireless devices for use on the network C) Open authentication standards should be implemented on a wireless infrastructure D) Network authentication of all guests should occur using the 802.1x protocol as authenticated by a RADIUS server
B) All guests must provide valid identification when registering their wireless devices for use on the network Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validate the guest's need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question's sponsorship requirement. An open authentication standard only requires that the guest know the Service Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.
You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server? A) Passive scan B) Banner grabbing C) Protocol analysis D) Vulnerability scan
B) Banner grabbing Banner grabbing is conducted by actively connecting to the server using Telnet or netcat and collecting the web server's response. This banner usually contains the server's operating system and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time-consuming and not fully accurate methods to determine the version being run.
Which of the following refers to unauthorized data access of a Bluetooth device over a Bluetooth wireless network? A) Bluejacking B) Bluesnarfing C) Packet sniffing D) Port scanning
B) Bluesnarfing Bluesnarfing is the act of connecting to and accessing data from a device over a Bluetooth wireless connection. Bluejacking sends an unsolicited message to a Bluetooth device, but does not access data. Packet sniffing captures network traffic. Port scanning enumerates running services on a host.
Which type of card can be used to access computer systems as well as buildings? (Choose the best answer) A) Smartcard B) CAC C) Proximity card D) Hardware token
B) CAC Common access cards (CACs) grant access to multiple items (such as computers and buildings). Smartcards are used for system authentication and can be used for buildings. Proximity cards store less information than smartcards and are used for building/facility access. Hardware tokens display a rotating OTP used to gain access to a system.
Which of the following cryptographic algorithms is classified as asymmetric? A) RC4 B) Diffie-Hellman C) AES D) Blowfish
B) Diffie-Hellman Diffie-Hellman (DH) is used to exchange cryptographic keys securely over a public channel and was one of the first public-key protocols. As a public-key protocol, it relies on an asymmetric algorithm. AES, RC4, and Blowfish are all symmetric algorithms.
You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program? A) SOX B) GLBA C) HIPAA D) FERPA
B) GLBA The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all US public company boards, management, and public accounting firms. The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.
You received an incident response report indicating a piece of malware was introduced into the company's network through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? A) MAC filtering B) NAC C) ACL D) SPF
B) NAC Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology, user/system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then, based on the results of those scans, either connect it to the company's networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during email delivery.
A penetration tester hired by a bank began searching for the bank's IP ranges by performing lookups on the bank's DNS servers, reading news articles online about the bank, monitoring what times the bank's employees came into and left work, searching job postings (with a special focus on the bank's information technology jobs), and even searching the dumpster at the bank's corporate office. Based on this description, what portion of the penetration test is being conducted? A) Active information gathering B) Passive information gathering C) Information reporting D) Vulnerability assessment
B) Passive information gathering Passive information gathering consists of numerous activities where the penetration tester gathers open-source or publicly available information without the organization under investigation being aware that the information has been accessed. Active information gathering starts to probe the organization using DNS Enumeration, Port Scanning, and OS Fingerprinting techniques. Vulnerability assessments are another form of active information gathering. Information reporting occurs after the penetration test is complete, and it involves writing a final report with the results, vulnerabilities, and lessons learned during the assessment.
Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process? A) Clear, validate, and document the sanitization of the drives B) Purge, validate, and document the sanitization of the drives C) Clear the drives D) The drives must be destroyed to ensure no data loss
B) Purge, validate, and document the sanitization of the drives Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the drives' data without harming the drives themselves. Clearing them leaves the possibility that some tools would allow data recovery. Since the scenario indicates that these were leased drives that must be returned at the end of a lease, they cannot be destroyed.
Which solution can centrally authenticate users between different organizations? A) RADIUS B) RADIUS federation C) EAP-FAST D) EAP-TTLS
B) RADIUS federation RADIUS federation requires a trusted provider in one organization; edge devices forward authentication requests only to a RADIUS server located on a protected network. RADIUS itself does not involve multiple organizations using federated identities. EAP-FAST and EAP-TTLS do not make up a centralized authentication solution.
Complex passwords are considered which type of security control? A) Management B) Technical C) Physical D) Operational
B) Technical Technical security controls (such as complex passwords) are used to protect computing resources. Management controls are written policies that determine acceptable activities and how they should be conducted. Physical controls include physical barriers (e.g. fences, locks). Operational controls (such as data backups) ensure business continuity.
Which of the following is not normally part of an endpoint security suite? A) Anti-virus B) VPN C) Software firewall D) IPS
B) VPN Endpoint security includes software host-based firewalls, host-based intrusion prevention systems (HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is a network security tool.
You ran a vulnerability scan and received the following output: CVE-2011-3389 QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability Check with: openssl s_client -connect login.website.com:443 - tls -cipher "AES:CAMELLISA:SEED:3DES:DES" Which of the following categories should this be classified as? A) Active Directory encryption vulnerability B) Web application cryptography vulnerability C) VPN tunnel vulnerability D) PKI transfer vulnerability
B) Web application cryptography vulnerability This vulnerability should be categorized as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger protocol should be used, such as forcing the use of AES.
A cybersecurity analyst has determined that an attack has occurred against your company's network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts? A) Immediately remove the database server from the network, create an image of its hard disk, and maintain the chain of custody B) Conduct a system restore of the database server, image the hard drive, and maintain the chain of custody C) Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody D) Isolate the affected server from the network immediately, format the database server, and reinstall from a known good backup
C) Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won't affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server's hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.
A hacker successfully modified the sale price of items purchased through your company's website. During the investigation that followed, the security analyst verified that neither the web server nor the Oracle database was compromised directly. The analyst also found no attacks that could have caused this during their log review of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items' sale price? A) Buffer overflow attack B) SQL injection C) Changing hidden form values D) Cross-site scripting
C) Changing hidden form values Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items' price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications.
Review the following packet captured at your NIDS: 23:12:12.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.], Seq 1834:1245, ack 1, win 511, options [nop,nop, TS val 263451334 ecr 482862734], length 125 After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host? A) DENY TCP ANY HOST 86.18.10.3 EQ 25 B) DENY IP HOST 86.18.10.3 EQ 3389 C) DENY TCP ANY HOST 71.168.10.45 EQ 3389 D) DENY IP HOST 71.168.10.45 ANY EQ 25
C) DENY TCP ANY HOST 71.168.10.45 EQ 3389 Since the question asks you to prevent unauthorized service access, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the unauthorized Remote Desktop Protocol service (port 3389).
Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next? A) Attempt to identify all the false positives and exceptions, then resolve any remaining items B) Place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities C) Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first D) Wait to perform any additional scanning until the current list of vulnerabilities has been remediated fully
C) Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first When attempting to remediate numerous vulnerabilities, it is crucial to prioritize them to determine which should be remediated first. In this case, assets critical to the secure handling and storage of PHI carry the highest risk and should be prioritized for remediation. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not start by identifying all the false positives and exceptions and then resolving whatever remains, since that approach never prioritizes. You should also not wait to perform additional scanning, because a scan is only a snapshot of your current status and you may miss changes. Placing all the PHI assets into a sandbox will not work either, because you would have removed them from the production environment and they could no longer serve their critical business functions.
Which of the following hashing algorithms results in a 128-bit fixed output? A) SHA-2 B) RIPEMD C) MD-5 D) SHA-1
C) MD5 MD5 produces a 128-bit (16-byte) digest. SHA-1 produces a 160-bit digest. SHA-2 is a family rather than a single algorithm: its members produce 224, 256, 384 or 512 bits (the commonly used SHA-256 gives 256). RIPEMD-160, the member of the RIPEMD family in common use, produces 160 bits. Note that MD5 and SHA-1 are both collision-broken and should not be used for signatures or integrity protection in new designs; they still appear in legacy systems and in exam questions.
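The following is an added example, not part of the original question set: it confirms the digest sizes above by actually hashing with Python's hashlib, and then does the thing a practitioner usually needs, which is guessing which algorithm produced a hex digest found in a dump from its length, and disambiguating with a known plaintext where lengths collide (SHA-1 and RIPEMD-160 are both 160 bits). The sample plaintext is constructed; RIPEMD-160 may be absent from hashlib on OpenSSL 3 builds, which the code tolerates.

```python
# Added example (not from the original page): computes digests with Python's
# hashlib to confirm each algorithm's output size, and maps a hex digest of
# unknown origin to the algorithms that produce that many bits. The sample
# input is constructed.
import hashlib

# Output size in bits for the algorithms named in the question. RIPEMD-160 is
# listed by name; OpenSSL 3 builds of Python may not expose it in hashlib.
DIGEST_BITS = {
    "md5": 128,
    "sha1": 160,
    "ripemd160": 160,
    "sha224": 224,
    "sha256": 256,
    "sha384": 384,
    "sha512": 512,
}


def digest_bits(algorithm, data=b""):
    """Return the output size in bits by actually hashing, not by table lookup."""
    return len(hashlib.new(algorithm, data).digest()) * 8


def candidates_for_hex(hex_digest):
    """Given a hex digest seen in a dump, list algorithms whose output length
    matches. Length alone cannot distinguish SHA-1 from RIPEMD-160; that needs
    context or a known plaintext to test against."""
    if not all(c in "0123456789abcdefABCDEF" for c in hex_digest):
        raise ValueError("not a hex digest")
    bits = len(hex_digest) * 4
    return sorted(name for name, size in DIGEST_BITS.items() if size == bits)


def verify_known_plaintext(hex_digest, plaintext):
    """Disambiguate by recomputing each length-compatible algorithm over a
    known plaintext and returning the ones that reproduce the digest."""
    matches = []
    for name in candidates_for_hex(hex_digest):
        try:
            if hashlib.new(name, plaintext).hexdigest() == hex_digest.lower():
                matches.append(name)
        except ValueError:  # algorithm not available in this build
            continue
    return matches


SAMPLE = b"The quick brown fox jumps over the lazy dog"  # constructed input

if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256", "sha512"):
        print(f"{name:8s} {digest_bits(name, SAMPLE)} bits")
    unknown = hashlib.md5(SAMPLE).hexdigest()
    print(unknown, "->", candidates_for_hex(unknown))
    print(verify_known_plaintext(hashlib.sha1(SAMPLE).hexdigest(), SAMPLE))
```

A 64-hex-character digest could be SHA-256 but also SHA3-256 or BLAKE2s, so treat length-based identification as a hint, not an answer, and confirm with a known value when it matters.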
Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic? A) Generative adversarial network B) Deep learning C) Machine learning D) Artificial intelligence
C) Machine learning In the context of cybersecurity, ML generally works by analyzing example data sets to build a model that classifies items presented later. If the system is trained on large datasets of traffic explicitly labeled malicious and benign, it learns which features separate the two and categorizes future traffic accordingly; that is supervised learning, which is what the question describes. Artificial Intelligence is the broader science of building machines that develop problem-solving and analysis strategies without significant human direction or intervention; it goes beyond ML and can make more complicated decisions than classification alone. Deep learning is a subset of ML that uses multi-layer neural networks to learn its own feature representations from raw data rather than from hand-chosen features; it still typically needs labeled examples, so it is a narrower answer than the question warrants. A generative adversarial network is a specific deep-learning architecture in which two networks are trained against each other (for example, to produce realistic synthetic samples) and is not what the scenario describes.
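The following is an added example, not part of the original question set: a minimal supervised classifier that learns "malicious" versus "benign" from explicitly labeled flow records and then labels flows it has not seen. The feature set (bytes, duration, distinct destination ports), the values and the labels are all constructed; a real deployment would use an ML library and far more data, but the mechanism is the same.

```python
# Added example (not from the original page): a minimal supervised classifier
# that learns "malicious" vs "benign" from explicitly labeled flow records and
# then labels unseen flows. Features, values and labels are constructed.
import math

# (bytes transferred in KB, duration in seconds, distinct destination ports)
TRAINING = [
    ((12, 3, 1), "benign"),
    ((40, 8, 2), "benign"),
    ((5, 1, 1), "benign"),
    ((30, 6, 1), "benign"),
    ((400, 120, 25), "malicious"),   # long, chatty, many-port flows
    ((900, 300, 60), "malicious"),
    ((250, 90, 15), "malicious"),
    ((600, 200, 40), "malicious"),
]


class NearestCentroid:
    """Stores one mean feature vector per label and predicts the nearest mean.
    Features are standardized with training statistics so the byte count does
    not dominate the port count."""

    def fit(self, examples):
        vectors = [v for v, _ in examples]
        n_feat = len(vectors[0])
        self.mean = [sum(v[i] for v in vectors) / len(vectors) for i in range(n_feat)]
        self.std = [
            math.sqrt(sum((v[i] - self.mean[i]) ** 2 for v in vectors) / len(vectors)) or 1.0
            for i in range(n_feat)
        ]
        by_label = {}
        for v, label in examples:
            by_label.setdefault(label, []).append(self._scale(v))
        self.centroids = {
            label: [sum(x[i] for x in vs) / len(vs) for i in range(n_feat)]
            for label, vs in by_label.items()
        }
        return self

    def _scale(self, v):
        return [(v[i] - self.mean[i]) / self.std[i] for i in range(len(v))]

    def predict(self, v):
        x = self._scale(v)
        return min(self.centroids, key=lambda label: math.dist(x, self.centroids[label]))


def classify_flows(flows):
    """Train on the labeled examples, then label each unseen flow."""
    model = NearestCentroid().fit(TRAINING)
    return [model.predict(f) for f in flows]


if __name__ == "__main__":
    unseen = [(500, 150, 30), (20, 4, 1)]
    for flow, label in zip(unseen, classify_flows(unseen)):
        print(flow, "->", label)
```

The model knows nothing about what makes traffic malicious beyond what the labels told it, which is the point the question is making; it also means poisoned or mislabeled training data shifts the centroids and therefore the verdicts.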
You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? A) Disassemble the files and conduct static analysis on them using IDA Pro B) Run the Strings tool against each file to identify common malware identifiers C) Submit the files to an open-source intelligence provider like VirusTotal D) Scan the files using a local anti-virus/anti-malware engine
C) Submit the files to an open-source intelligence provider like VirusTotal VirusTotal allows you to quickly analyze suspicious files and URLs with many engines to detect types of malware, and it automatically shares submissions with the security community. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if it is not encoded or packed within the malware, but you have to know what you are looking for, such as a known indicator. You should not rely on scanning the files with a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised, because the scanner may also be compromised. One caveat for real investigations: search VirusTotal by the file's SHA-256 hash before uploading anything. Uploads are shared with the community (including, potentially, the attacker watching for their sample to appear), and a file may contain sensitive internal data; a hash lookup leaks neither.
Colleen would like to refurbish old, unneeded computers by reinstalling a new operating system and donating them to a local community center for disadvantaged children in the neighborhood. The owner is concerned that the private and sensitive corporate data on the old computers' hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend? A) Degaussing B) Shredding C) Wiping D) Purging
C) Wiping Data wiping (clearing) uses a software tool to overwrite the data on a hard drive, destroying all electronic data on the disk or other media while leaving the drive functional for reuse. Degaussing demagnetizes the platters to erase stored data; a degaussed hard drive cannot be reused, because the factory servo tracks are destroyed along with the data. Purging removes sensitive data using the device's own electronics or an outside source such as a degausser, or a cryptographic erase function if the drive supports one. Shredding is physical destruction of the drive: secure, but it does not allow for device reuse. One caveat for the refurbishment case: software overwriting is only reliable on magnetic disks. On SSDs, wear leveling means an overwrite pass can leave copies of data in blocks the operating system can no longer address, so use the drive's own sanitize, secure-erase or cryptographic-erase command instead, and then reinstall the operating system.
You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) A) journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo B) journalctl _UID=1003 | grep -e 1003 | grep sudo C) journalctl _UID=1003 | grep sudo D) journalctl _UID=1003 | grep -e [Tt]erri | grep sudo
C) journalctl _UID=1003 | grep sudo journalctl is the command for viewing logs collected by systemd-journald. The match argument _UID=1003 returns only entries whose sender had user ID 1003, which in this case is Terri. Piping that output into grep filters it down to the lines that mention sudo, which is sufficient to see the times Terri executed something as the superuser through privilege escalation. Since UID 1003 is used only by Terri, adding [Tt]erri or a second 1003 filter to the pipeline is redundant. A caveat when you do this for real: _UID is set by journald from the credentials of the process that wrote the entry, so confirm on your distribution that sudo's entries are attributed to the invoking user rather than to root. If they are not, journalctl _COMM=sudo | grep 'terri :' gives the same answer, because sudo prefixes each of its log entries with the invoking username.
A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements? A) Combination of cloud-based and server-based scanning engines B) Passive scanning engine located at the core of the network infrastructure C) Combination of server-based and agent-based scanning engines D) Active scanning engine installed on the enterprise console
D) Active scanning engine installed on the enterprise console Since the college wants to ensure a centrally-managed enterprise console, an active scanning engine installed on the enterprise console would best meet these requirements. The college's cybersecurity analysts could then perform scans on any devices connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the agents' installation onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.
Your organization requires the use of TLS or IPsec for all communications with an organization's network. Which of the following is this an example of? A) DLP B) Data in use C) Data at rest D) Data in transit
D) Data in transit Data in transit (or data in motion) occurs whenever data is transmitted over a network. In this state, data can be protected by a transport encryption protocol, such as TLS or IPsec. Data at rest means that the data is in persistent storage media using whole disk encryption, database encryption, and file- or folder-level encryption. Data in use is when data is present in volatile memory, such as system RAM or CPU registers and cache. Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without proper authorization. DLP is a generic term that may include data at rest, data in transit, or data in use to function.
Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain? A) MITRE ATT&CK framework B) OpenIOC C) Lockheed Martin cyber kill chain D) Diamond Model of Intrusion Analysis
D) Diamond Model of Intrusion Analysis The Diamond Model is built around a graphical representation of an intrusion event with four vertices (adversary, infrastructure, capability and victim), and those events can be charted across the phases of a kill chain to show the attacker's approach. The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques, with detection and mitigation guidance for each technique and mappings to the threat groups known to use it, but it is organized as a matrix rather than as a graph of one attacker's path. The Lockheed Martin cyber kill chain describes the general life cycle of an attack as a linear series of phases but does not deal with the specifics of how to mitigate them. OpenIOC is an XML schema for describing indicators of compromise so they can be shared and matched; it is not an analysis framework.
A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? A) Classification B) Statistical matching C) Document matching D) Exact data match
D) Exact data match An exact data match (EDM) is a pattern matching technique that uses a structured database of string values (for example, an indexed copy of the organization's actual customer records) to detect matches. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses machine learning to analyze various data sources. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. One practical note: a signature for the xxx-xx-xxxx shape alone fires on anything with that shape, including ticket and part numbers, so production rules pair the pattern with structural checks on the digits and with nearby context keywords to keep false positives down.
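The following is an added example, not part of the original question set: the custom signature from the scenario written as a bare regex, then tightened with the structural rules the Social Security Administration publishes for numbers it can have issued (area not 000, 666 or 900-999; group not 00; serial not 0000), run over a constructed document to show the difference in what gets flagged. The sample text and the masking format are constructed.

```python
# Added example (not from the original page): a DLP-style signature for the
# xxx-xx-xxxx format, first as a bare regex and then with the structural rules
# for valid numbers, run over constructed sample text to show how the extra
# checks cut false positives.
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def find_ssn_candidates(text):
    """Bare pattern match: anything shaped like xxx-xx-xxxx."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def is_plausible_ssn(area, group, serial):
    """Structural rules for numbers the SSA can have issued: area not 000, 666
    or 900-999; group not 00; serial not 0000."""
    area_n = int(area)
    if area_n == 0 or area_n == 666 or area_n >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text):
    """Signature with false-positive reduction: keeps only plausible numbers."""
    return [
        m.group(0)
        for m in SSN_RE.finditer(text)
        if is_plausible_ssn(*m.groups())
    ]


def mask(ssn):
    """What the alert should carry instead of the full number, so the DLP
    console does not become another store of PII."""
    return "***-**-" + ssn[-4:]


# Constructed document: one plausible SSN, one placeholder that matches the
# shape but is structurally invalid, and a ticket number that also matches.
SAMPLE_TEXT = """
Employee record: SSN 219-09-9999 on file.
Test fixture uses 000-00-0000 as a placeholder.
Shipping ticket 987-65-4321 dispatched.
Phone 555-1234, order 12-3456-78.
"""

if __name__ == "__main__":
    print("candidates:", find_ssn_candidates(SAMPLE_TEXT))
    print("plausible: ", [mask(s) for s in find_ssns(SAMPLE_TEXT)])
```

The bare pattern flags three strings; the structural rules reduce that to one. A real rule would also look for context such as "SSN" or "Social Security" near the match and would handle the unformatted nine-digit form, which is harder to distinguish from other numbers.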
If you cannot ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to elicit a response from a host using TCP, what tool would you use? A) Broadcast ping B) Ptunnel C) Traceroute D) Hping
D) Hping Hping (hping3 in its current form) is a utility that assembles and sends custom ICMP, UDP or TCP packets and then displays any replies. It was inspired by the ping command but offers far more control over the probes sent, and it is particularly useful for probing or tracing hosts behind a firewall that blocks the standard utilities: a TCP SYN to a likely port elicits either a SYN/ACK or a RST, and either reply shows the host is up. Nping, from the Nmap project, offers similar packet-crafting functionality and adds IPv6 support. The standard traceroute sends UDP (or ICMP) probes by default rather than TCP, so it is subject to the same filtering; some implementations can send TCP probes as an option, but that is not what the question describes. Broadcast ping is simply pinging the subnet's broadcast IP using the ping command, but if a regular ping does not work, neither will a broadcast ping. Ptunnel is an application that reliably tunnels TCP connections to a remote host inside ICMP echo request and reply packets, commonly known as ping requests and replies. Ptunnel is used as a covert channel, not to elicit a response from a host using TCP.
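The following is an added example, not part of the original question set: a TCP "ping" that treats either a completed handshake or a RST as proof the host is up, which is the reasoning hping relies on when ICMP is blocked. It uses an ordinary connect() rather than hping's raw SYN packets, so it needs no root privileges; the loopback listener it probes is constructed for the demonstration, and the default port list is an assumption.

```python
# Added example (not from the original page): a TCP "ping" that classifies a
# host as up from either a completed handshake or a RST, so it works when ICMP
# echo is blocked. It uses an ordinary connect() rather than hping's raw SYNs,
# so it needs no root; the listener on 127.0.0.1 is constructed for the demo.
import socket
import threading


def tcp_probe(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered'. 'open' and 'closed' both prove
    the host is up; 'filtered' (no answer) means a firewall dropped the probe
    or the host is down, which a TCP probe alone cannot distinguish."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:  # a RST came back
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def host_is_up(host, ports=(80, 443, 22, 3389), timeout=2.0):
    """hping-style reasoning: any open or closed answer on any port means up.
    The port list is an assumption; pick ports the target is likely to serve."""
    return any(tcp_probe(host, p, timeout) in ("open", "closed") for p in ports)


def start_listener():
    """Constructed target: a listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv


def _unused_port():
    """Bind-and-release to find a loopback port with nothing listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe an open port and a closed port on loopback; both prove 'up'."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    results = {
        "listener": tcp_probe("127.0.0.1", open_port),
        "unused_port": tcp_probe("127.0.0.1", _unused_port()),
        "host_up": host_is_up("127.0.0.1", ports=(open_port,)),
    }
    srv.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Against a real target, a SYN/ACK from connect() means the kernel completes the handshake, which is noisier than hping's half-open SYN and may show up in the target's application logs; the half-open form needs raw sockets and therefore root.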
Which of the following technologies is NOT a shared authentication protocol? A) Facebook Connect B) OAuth C) OpenID Connect D) LDAP
D) LDAP LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID Connect, OAuth, and Facebook Connect are all shared authentication protocols. OpenID Connect (OIDC) is an authentication layer built on OAuth 2.0 flows, with precisely defined token fields (the ID token). OAuth itself is an authorization framework designed to facilitate the sharing of information (resources) within a user profile between sites without sharing the user's password.
Janet, a defense contractor for the military, performs an analysis of their enterprise network to identify what type of work the Army would be unable to perform if the network were down for more than a few days. Which of the following was Janet trying to identify? A) Critical systems B) Backup and restoration plan C) Single point of failure D) Mission essential function
D) Mission essential function Mission essential functions are things that must be performed by an organization to meet its mission. If they couldn't do that because a network server is offline, then that system would be considered a critical system and should be prioritized for higher security and better defenses.
A firewall administrator has configured a new screened subnet to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (Screened Subnet) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the screened subnet for the Chief Security Officer to work from his home office after hours. The CSO's home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall? A) Permit 143.27.43.0/24 161.212.71.14 RDP 3389 B) Permit 143.27.43.32 161.212.71.0/24 RDP 3389 C) Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389 D) Permit 143.27.43.32 161.212.71.14 RDP 3389
D) Permit 143.27.43.32 161.212.71.14 RDP 3389 Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ (screened subnet), so only 161.212.71.14 could be correct. This is also the least-privilege choice: the other three options open RDP from the CSO's entire ISP range, to every host in the screened subnet, or both. Since RDP exposed to the Internet is a common initial-access vector, pair the rule with multifactor authentication on the remote desktop server, or put the service behind a VPN instead of publishing it directly, where the environment allows.
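The following is an added example, not part of the original question set, and it serves both this question and the earlier one about blocking the unauthorized RDP service on 71.168.10.45: it models each candidate ACL entry as a rule, evaluates the rules against packets with Python's ipaddress module, and selects the entry that permits exactly the required traffic and nothing else. The rule format follows the exam's pseudo-syntax, not any vendor's; the "approved HTTPS service", "other client", "neighbor" and "other DMZ host" packets are constructed to show what each wrong option would let through.

```python
# Added example (not from the original page): models the candidate ACL entries
# from the RDP-blocking question and the CSO remote-desktop question, evaluates
# them against packets with Python's ipaddress module, and picks the entry that
# permits exactly the required traffic. The non-captured packets are constructed.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr):
    return ipaddress.ip_network(addr + "/32")


def rule(action, proto, src, dst, dport=None):
    """proto 'ip' matches any transport protocol and, strictly, has no port
    clause; options that write 'DENY IP ... EQ n' are malformed on real gear."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def packet(src, sport, dst, dport, proto="tcp"):
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport}


def rule_matches(r, pkt):
    if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
        return False
    if pkt["src"] not in r["src"] or pkt["dst"] not in r["dst"]:
        return False
    return r["dport"] is None or r["dport"] == pkt["dport"]


def decision(acl, pkt, default):
    """First-match semantics: the first matching rule's action wins."""
    for r in acl:
        if rule_matches(r, pkt):
            return r["action"]
    return default


def select_option(options, must_permit, must_deny, default):
    """Letters whose single rule, on top of the default policy, permits every
    packet in must_permit and denies every packet in must_deny."""
    return [
        letter for letter, r in options.items()
        if all(decision([r], p, default) == "permit" for p in must_permit)
        and all(decision([r], p, default) == "deny" for p in must_deny)
    ]


# Block the unauthorized RDP service on 71.168.10.45 (implicit permit).
DENY_OPTIONS = {
    "A": rule("deny", "tcp", ANY, host("86.18.10.3"), 25),
    "B": rule("deny", "ip", host("86.18.10.3"), ANY),
    "C": rule("deny", "tcp", ANY, host("71.168.10.45"), 3389),
    "D": rule("deny", "ip", host("71.168.10.45"), ANY, 25),
}
OBSERVED_RDP = packet("86.18.10.3", 54326, "71.168.10.45", 3389)    # from the capture
OTHER_RDP = packet("198.51.100.9", 50000, "71.168.10.45", 3389)     # another client, constructed
APPROVED_HTTPS = packet("203.0.113.7", 40001, "71.168.10.45", 443)  # approved service, constructed

# Allow only the CSO's home IP to the DMZ remote desktop server (implicit deny).
PERMIT_OPTIONS = {
    "A": rule("permit", "tcp", ipaddress.ip_network("143.27.43.0/24"), host("161.212.71.14"), 3389),
    "B": rule("permit", "tcp", host("143.27.43.32"), ipaddress.ip_network("161.212.71.0/24"), 3389),
    "C": rule("permit", "tcp", ipaddress.ip_network("143.27.43.0/24"),
              ipaddress.ip_network("161.212.71.0/24"), 3389),
    "D": rule("permit", "tcp", host("143.27.43.32"), host("161.212.71.14"), 3389),
}
CSO_RDP = packet("143.27.43.32", 51000, "161.212.71.14", 3389)
NEIGHBOR_RDP = packet("143.27.43.33", 51001, "161.212.71.14", 3389)   # same ISP range, constructed
CSO_OTHER_DMZ = packet("143.27.43.32", 51002, "161.212.71.20", 3389)  # other DMZ host, constructed


def best_deny_option():
    return select_option(DENY_OPTIONS, [APPROVED_HTTPS], [OBSERVED_RDP, OTHER_RDP], "permit")


def best_permit_option():
    return select_option(PERMIT_OPTIONS, [CSO_RDP], [NEIGHBOR_RDP, CSO_OTHER_DMZ], "deny")


if __name__ == "__main__":
    print("deny option that blocks the service but not approved traffic:", best_deny_option())
    print("permit option that admits only the CSO's flow:", best_permit_option())
```

Option B of the first question shows why "deny the attacker's IP" is the wrong instinct: it stops the one client in the capture and leaves the service reachable from everywhere else.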
The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network? A) A physical survey B) A discovery scan using a port scanner C) Reviewing a central administration tool like an endpoint manager D) Router- and switch-based MAC address reporting
D) Router- and switch-based MAC address reporting The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when it is not in the inventory. This information can then be used to track down rogue devices based on the physical port they are connected to on the network device. A physical survey is slow, a port scan misses hosts that do not answer, and an endpoint manager only sees devices that already have its agent. Keep in mind that MAC addresses are trivially spoofed, so this identifies unknown devices rather than proving a device is legitimate; 802.1X port authentication (NAC) is the control that keeps rogue devices off the wire in the first place.
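The following is an added example, not part of the original question set: it parses a switch MAC address table, compares each dynamically learned address against an asset inventory, and reports the unknown devices together with the physical port each one is on. It also flags ports carrying more than one MAC, which usually means an unmanaged switch or hub hanging off a single access port. The table lines mimic the layout of Cisco "show mac address-table" output but are constructed, as is the inventory.

```python
# Added example (not from the original page): compares a switch's MAC address
# table with an asset inventory to flag rogue devices and the physical port each
# one is on. The table lines mimic Cisco 'show mac address-table' output but are
# constructed, as is the inventory.
import re

# Constructed sample output; the columns are VLAN, MAC, TYPE, PORT.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56aa.1b2c    DYNAMIC     Gi1/0/3
  10    0050.56aa.99ff    DYNAMIC     Gi1/0/7
  20    001c.b3d4.e5f6    DYNAMIC     Gi1/0/12
  20    b827.eb12.3456    DYNAMIC     Gi1/0/12
  99    0000.0c9f.f001    STATIC      CPU
"""

# Constructed inventory, keyed by normalized MAC.
INVENTORY = {
    "00:50:56:aa:1b:2c": "FIN-WS-014",
    "00:50:56:aa:99:ff": "FIN-WS-015",
    "00:1c:b3:d4:e5:f6": "HR-PRN-02",
}

ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I
)


def normalize_mac(mac):
    """Accept Cisco dotted, colon or dash forms; return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append({"vlan": int(vlan), "mac": normalize_mac(mac),
                         "type": kind.upper(), "port": port})
    return rows


def find_rogues(rows, inventory):
    """Dynamic entries whose MAC is not in inventory. STATIC/CPU entries are
    the switch itself. Two MACs on one access port is worth a look too: it
    usually means a hub or an unmanaged switch behind that port."""
    rogues = [r for r in rows if r["type"] == "DYNAMIC" and r["mac"] not in inventory]
    ports = {}
    for r in rows:
        if r["type"] == "DYNAMIC":
            ports.setdefault(r["port"], []).append(r["mac"])
    shared_ports = {p: macs for p, macs in ports.items() if len(macs) > 1}
    return rogues, shared_ports


if __name__ == "__main__":
    rogues, shared = find_rogues(parse_mac_table(MAC_TABLE), INVENTORY)
    for r in rogues:
        print(f"rogue {r['mac']} on {r['port']} (VLAN {r['vlan']})")
    print("ports with more than one MAC:", shared)
```

Run across every access switch on a schedule and diff against the previous run, and you have a cheap rogue-device detector; because the MAC can be forged, treat a hit as a reason to walk to the port, not as proof either way.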
You are evaluating public cloud storage solutions. Users will be authenticated to a local server on your network that will allow them access to cloud storage. Which identity federation standard could be configured to achieve this? A) LDAP B) SSL C) PKI D) SAML
D) SAML SAML is an XML standard that defines how authentication and authorization data can be transmitted in a federated identity environment, so the local server can act as the identity provider and the cloud storage as the service provider. LDAP is a protocol for querying and modifying a directory service such as Active Directory; it is used for authentication but does not define federation. SSL (now TLS) secures application network transmissions. A PKI is a hierarchy of digital certificates and the certificate authorities that issue them.
You are working for a government contractor who requires all users to use a PIV device when sending digitally signed and encrypted emails. Which of the following physical security measures is being implemented? A) Key fob B) Cable lock C) Biometric reader D) Smart card
D) Smart card The personal identity verification (PIV) standard (FIPS 201) specifies a smart card that stores the user's certificates and private keys for use in multifactor authentication. The card (something you have) is unlocked with a PIN (something you know), and the keys on it are used to sign and decrypt email, so the private key never leaves the card.
You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any infection signs. Which of the following has MOST likely occurred? A) Session hijacking B) Directory traversal C) Password spraying D) Zero-day attack
D) Zero-day attack Since you scanned the system with the latest anti-virus signatures and did not find any signs of infection, it would most likely be evidence of a zero-day attack; the anti-virus doesn't have a signature yet for this particular malware variant. Password spraying occurs when an attacker tries to log in to multiple different user accounts with the same compromised password credentials. Session hijacking is exploiting a valid computer session to gain unauthorized access to information or services in a computer system. Based on the scenario, it doesn't appear to be session hijacking since the user would not normally attempt to connect to a malicious server. Directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory.