Sec+ Final Exam


Identify the type of attack where malware forces a legitimate process to load a malicious link library. A.) DLL injection B.) Pass the Hash (PtH) C.) Null pointer dereferencing D.) Overflow attack

A.) DLL injection

A user at a realtor's office contacts their IT department to report that they are not able to copy contract files to a USB flash drive to take home. Which explanation does the IT representative share with the user? A.) Data loss prevention prevents file copying. B.) Mobile device management restricts the use of a portable USB device. C.) A compromised private key has created a trust issue. D.) The file copy process has been allow-listed.

A.) Data loss prevention prevents file copying

A hacker places a false name:IP address mapping in an operating system's HOSTS file, redirecting traffic from a legitimate IP address to a malicious IP address. What type of attack did the hacker perform? A.) Domain hijacking B.) Domain name system client cache (DNS) poisoning C.) Rogue dynamic host configuration protocol (DHCP) D.) Address Resolution Protocol (ARP) poisoning

B.) Domain name system client cache (DNS) poisoning

Analyze the following scenarios and determine which constitutes an external threat. A. Naomi practices poor password management, and through her negligence, an outsider gains access to her company's server. B. Raul, a security contractor, installs antivirus software for a small company. He uses his temporary access to gain the company's banking information. C. Abram uses a quiz on a popular social media platform to solicit answers to online banking consumers' login security questions. D. Chelsea uses her coworker's unattended workstation to exploit her coworker's elevated account permissions.

C. Abram uses a quiz on a popular social media platform to solicit answers to online banking consumers' login security questions.

During a cyber incident response exercise, a blue team takes steps to ensure the company and its affiliates can still use network systems while managing a simulated threat in real-time. Based on knowledge of incident response procedures, what stage of the incident response process is the blue team practicing? Containment Identification Eradication Recovery

Containment

IT staff reviews security alerts received for a monitoring system and discovers that uncommon firewall ports on several Windows workstations and a server have been opened and are being accessed by a malicious process. What does the staff determine the issue to be? A.) Shellcode B.) Persistence C.) Credential dumping D.) Lateral movement

D.) Lateral movement

What type of attack replays a cookie? A.) Cross-site request forgery (CSRF or XSRF) B.) Clickjacking C.) Secure Sockets Layer (SSL) strip attack D.) Session hijacking

D.) Session hijacking

A company performing a risk assessment calculates how much potential cost the company has saved by implementing a security measure. Which formula will they use to calculate this metric? Asset value x EF [(ALE-ALEm)-Cost of Solution]/Cost of Solution SLE x ARO (ALE-SLE)/Cost of Solution

[(ALE-ALEm)-Cost of Solution]/Cost of Solution

The U.S. Department of Defense (DoD) awards an IT contract to a tech company to perform server maintenance. The servers are colocated at a third-party storage facility. The DoD and the tech company enter into what type of agreement which commits the tech company to implement the agreed upon security controls? Interconnection security agreement (ISA) Non-disclosure agreement (NDA) Data sharing and use agreement Service level agreement (SLA)

Interconnection security agreement (ISA)

Management at a financial firm assembles an incident response team. This team is responsible for handling certain aspects of recovery and remediation following a security incident. Which roles are appropriate to include on the team? (Select all that apply.) Sales Legal HR PR

Legal; HR; PR

Management looks to IT for a solution to identify successful and failed login attempts. Which solution will IT provide to management? Logs Network monitors Packet capture Sniffer

Logs

A cooperative group of farmers and ranchers consider network options for embedded systems that operate automated irrigation and feeding processes. The cooperative is most likely to be concerned with which embedded network features? (Select all that apply.) Antenna range High reliability 4G/5G connectivity Low latency

high reliability; low latency

The Human Resources department works with the IT department at an organization to develop employee security training. Which security control type and function describes the training program? (Select all that apply.) Operational Managerial Deterrent Compensating

Operational; Deterrent

An engineer routinely provides data to a source that compiles threat intelligence information. The engineer focuses on behavioral threat research. Which information does the engineer provide? A. IP addresses associated with malicious behavior b. Descriptions of example attacks c. Correlation of events observed with known actor indicators d. Data available as a paid subscription

b. descriptions of example attacks

Which statements describe why devices on an enterprise network should disable Wi-Fi tethering? (Select all that apply.) Wi-Fi tethering functionality can circumvent data loss prevention measures. Wi-Fi tethering functionality can circumvent web content filtering policies. Wi-Fi tethering functionality can enable a Trojan to install apps through the device's charging plug. Wi-Fi tethering functionality can enable a nearby attacker to skim information from the device.

Wi-Fi tethering functionality can circumvent data loss prevention measures. Wi-Fi tethering functionality can circumvent web content filtering policies.

Which command can help a security professional conducting an organizational security assessment identify a spoofing attack? arp ipconfig/ifconfig route pathping/mtr

arp

Which statement describes a key distinction between an intentional and unintentional threat actor? A. An intentional threat actor attacks a target from inside its network; whereas, an unintentional threat actor conducts opportunistic attacks. B. An intentional threat actor has intent and motivation to attack; whereas, an unintentional threat actor acts out of negligence. C. An intentional threat actor actively undermines a target system; whereas, an unintentional threat actor passively undermines the target system. D. An intentional threat actor has permissions on the target system; whereas, an unintentional threat actor does not have permissions.

B. An intentional threat actor has intent and motivation to attack; whereas, an unintentional threat actor acts out of negligence.

What type of phishing attack targets upper-level management? A.) Pharming B.) Credential harvesting C.) Whaling D.) Typosquatting

C.) Whaling

A hacker remotely gains unauthorized access to a company's system and makes a copy of proprietary business data. Which of the following summarizes the event that has taken place? a. Data exfiltration b. Data loss c. Identity theft d. Financial loss

a. data exfiltration

A primary target for a hacker gaining access to a network is user passwords. Consider the file locations where Windows and Linux each store passwords and determine which of the following is NOT used for password storage. %SystemRoot%\System32\config\SAM /etc/passwd %SystemRoot%\System32\Drivers\etc\hosts /etc/shadow

%SystemRoot%\System32\config\SAM

Which of the following sequences properly orders forensic data acquisition by volatility priority? 1. Data on persistent mass storage devices 2. System memory caches 3. Remote monitoring data 4. Archival media 1. System memory caches 2. Remote monitoring data 3. Data on mass storage devices 4. Archival media 1. System memory caches 2. Data on mass storage devices 3. Remote monitoring data 4. Archival media 1. Remote monitoring data 2. Data on mass storage devices 3. System memory caches 4. Archival media

1. System memory caches 2. Data on mass storage devices 3. Remote monitoring data 4. Archival media

An organization receives notification from an actor that vulnerabilities have been found in an onsite firewall. While the actor does not exploit the vulnerability, a bounty is requested for the work and discovery. What type of actor is the organization dealing with? A. Gray Hat B. White Hat C. Script kiddie D. Black hat

A. Gray hat

Analyze the following scenarios and determine which attacker used piggy backing. A.) On the way to a meeting in a restricted area of a government facility, a contractor holds open a gate for a person in a military uniform, who approaches the entry point at a jog, flashing a badge just outside of the readable range. B.) A government employee is late for a meeting in a restricted area of a military installation. Preoccupied with making the meeting on time, the employee does not notice when the gate has not closed and someone enters the restricted area. C.) An employee leaves the workstation to use the restroom. A coworker notices that the employee has forgotten to lock the workstation, and takes advantage of the user's permissions. D.) Several prospective interns are touring the operations floor of a large tech firm. One of them seems to be paying especially close attention to the employees.

A.) On the way to a meeting in a restricted area of a government facility, a contractor holds open a gate for a person in a military uniform, who approaches the entry point at a jog, flashing a badge just outside of the readable range.

A hacker gains access to a database of usernames for a target company and then begins combining common, weak passwords with each username to attempt authentication. The hacker conducts what type of attack? A.) Password spraying B.) Brute force attack C.) Dictionary attack D.) Rainbow table attack

A.) Password spraying

A threat actor infiltrates a company's server. Engineers fail while trying to stop the attacker from stealing data. The attacker achieves which final phase of the Lockheed Martin kill chain? Command and control Reconnaissance Exploitation Actions on objectives

Actions on Objective

Compare and evaluate the main components in an Extensible Authentication Protocol (EAP). Which scenarios accurately differentiate between these components? (Select all that apply.) An authenticator performs the authentication and the authentication server establishes a channel. An authenticator establishes a channel for the supplicant and the authentication server to exchange credentials using EAP. A supplicant requests authentication and the authentication server performs the authentication. A supplicant requests authentication and the authenticator performs the authentication.

An authenticator establishes a channel for the supplicant and the authentication server to exchange credentials using EAP. A supplicant requests authentication and the authentication server performs the authentication.

After several users call to report dropped network connections on a local wireless network, a security analyst scans network logs and discovers that multiple unauthorized devices were connecting to the network and overwhelming it via a smartphone tethered to the network, which provided a backdoor for unauthorized access. How would this device be classified? A.) A switched port analyzer (SPAN)/mirror port B.) A spectrum analyzer C.) A rogue access point (AP) D.) A thin wireless access point (WAP)

C.) A rogue access point (AP)

An end-user has enabled cookies for several e-commerce websites and has started receiving targeted ads. The ads do not trouble the user until, when trying to access an e-commerce site, the user gets several pop-up ads that automatically redirect the user to suspicious sites the user did not intend to visit. What is the most likely explanation for this phenomenon? A.) Tracking cookies have infected the user's computer. B.) Ransomware has infected the user's computer. C.) Spyware has infected the user's computer. D.) Crypto-malware has infected the user's computer.

C.) Spyware has infected the user's computer

Which statement correctly differentiates between file transfer protocol (FTP), secure shell file transfer protocol (SFTP), and file transfer protocol over secure socket layer (FTPS)? FTP has no encryption. FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell). FTP uses only basic encryption, while SFTP adds a layer of security with secure shell (SSH). FTPS uses an entirely different protocol, using secure port 990. FTP has no encryption. SFTP adds a layer of security with secure shell (SSH), and FTPS uses an entirely different protocol, using secure port 990. FTP uses only basic encryption, while FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell).

FTP has no encryption. FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell).

Which features distinguish a next-generation endpoint detection and response (EDR) product from traditional EDR solutions? (Select all that apply.) Next-generation endpoint agents use cloud management, rather than reporting to an on-premises server. Next-generation endpoint detection systems use artificial intelligence (AI) and machine learning to perform user and entity behavior analysis (UEBA). Next-generation endpoint agents report baseline configuration deviations, whereas legacy systems report threats based on signature-detection. The primary purpose of next-generation endpoint agents is to stop initial threat execution, while traditional systems aim to detect and report attacks.

Next-generation endpoint agents use cloud management, rather than reporting to an on-premises server; Next-generation endpoint detection systems use artificial intelligence (AI) and machine learning to perform user and entity behavior analysis (UEBA).

When monitoring API usage on a system, an engineer notices a very high error rate. The application's latency and thresholds appear to be normal. What does the engineer determine to be the cause? A.) Overloaded system B.) Security issues C.) Number of requests D.) Service responses

Overloaded system, Security issues

A systems engineer looks to monitor a network for security purposes. The engineer places sensors throughout the building in appropriate places. Fortunately, the engineer thought ahead and purchased appropriate network switches. Which sensor type does the engineer use? (Select all that apply.) TAP (Active) SPAN TAP (passive) Mirror

SPAN; mirror

Which statement best describes the purpose of the spanning tree protocol (STP)? STP enforces a network health policy. STP allows a server to assign clients IP address information when they connect to the network. STP prevents loops and network broadcast storms. STP prevents the attachment of unauthorized client devices at unsecured wall ports.

STP prevents loops and network broadcast storms.

After a break-in at a government laboratory, some proprietary information was stolen and leaked. Which statement best summarizes how the laboratory can implement security controls to prevent future breaches? The laboratory needs to take detective action and should implement physical and deterrent controls in the future. The laboratory needs to take detective action and should implement corrective controls in the future. The laboratory needs to take compensatory action and should implement physical controls in the future. The laboratory needs to take corrective action and should implement both physical and preventative controls in the future.

The laboratory needs to take corrective action and should implement both physical and preventative controls in the future.

During weekly scans, a system administrator identifies a system that has software installed that goes against security policy. The system administrator removes the system from the network in an attempt to limit the effect of the incident on the remainder of the network. After the system administrator removes the unauthorized software and completes additional scans, the system administrator places the system back on the network. Applying information from the Computer Security Incident Handling Guide, determine the next step the system administrator should take to mitigate the effects of the incident and restore the network to optimal functionality. The system administrator should put controls in place to prevent the software from being installed. The system administrator should complete an initial scan to determine if unauthorized software is installed, then fully document the incident. The system administrator should remove the system from the network, remove the unauthorized software, and then place the system back into operation. The system administrator should determine how the unauthorized software was installed and identify what security to modify to prevent future incidents, then fully document the incident.

The system administrator should determine how the unauthorized software was installed and identify what security to modify to prevent future incidents, then fully document the incident.

Which of the following key storage solutions exercises M-of-N control? Security administrators log and audit access to critical encryption keys. While four administrators have access to the system, it takes two administrators to access the system at any given time. A third party safely stores the encryption key. One administrator has access to the system, and that administrator can delegate access to two others.

While four administrators have access to the system, it takes two administrators to access the system at any given time

Simulate the installation of a bare metal virtual platform. a. A type 1 hypervisor is installed directly onto a host machine and manages access to the host hardware directly. b. An office has all desktop computers replaced with low specification and low power thin client computers that boot a minimal operating system. c. The client accesses an application hosted on a server or streams the application from the server to the client for local processing. d. A client enforces resource separation at the operating system level without a hypervisor.

a. A type 1 hypervisor is installed directly onto a host machine and manages access to the host hardware directly

An administrator provisions both a new cloud-based virtual server and an on-premises virtual server. Compare the possible virtualization layer responsibilities for the implementation and determine which one applies to this configuration. a. CSP is responsible for the cloud, the administrator is responsible for the on-premise. b. CSP is responsible for the cloud, the CSP is responsible for the on-premise. c. The administrator is responsible for the cloud, the administrator is responsible for the on-premise. d. The administrator is responsible for the cloud, the CSP is responsible for the on-premise.

a. CSP is responsible for the cloud, the administrator is responsible for the on-premise

Which of the following statements best contrasts between a service-oriented architecture (SOA) model and a microservices-based model? a. SOA can build services from other services, while an implementation of microservices develops, tests, and deploys microservices independently. b. Microservices are loosely decoupled, while SOA services are considered highly decoupled. c. SOA focuses on making a single, discrete task easily repeatable, while microservices perform a sequence of automated tasks. d. Microservices help to make a network's design architecture fit a business's requirements, rather than accommodating the business workflow to the platform requirements, as in SOA.

a. SOA can build services from other services, while an implementation of microservices develops, tests, and deploys microservices independently.

An organization requires that a file transfer occurs on a nightly basis from an internal system to a third-party server. IT for both organizations agree on using FTPS. Which configurations does IT need to put in place for proper file transfers? (Select all that apply.) a. Configure the use of port 990 b. Configure the use of port 22 c. Negotiate a tunnel prior to any exchanged commands d. Using Secure Shell (SSH) between client and server

a. configure the use of port 990; c. negotiate a tunnel prior to any exchanged commands

The Human Resources department issues a policy at an organization to govern the use of company owned computer equipment. Which behavior type does this policy address? Code of conduct Clean desk Bring your own device Acceptable use

acceptable use

A systems administrator realizes the need to scale a server for high availability purposes. Which approaches does the administrator utilize to scale out the system? (Select all that apply.) Add an additional CPU Give important processes higher priority Free up CPU usage by eliminating services Add additional RAM

add an additional cpu; add additional ram

An engineering firm wants to bolster the security measures implemented on their servers. Evaluate the proposed solutions for the best type of security control to fit the firm's needs. Security guards should secure all entry control points. Advanced firewalls and access control lists should be configured. The company's security policy needs to be updated. Employees should attend annual security training.

advanced firewalls and access control lists should be configured

Examine each of the following attack scenarios to determine which vulnerabilities can be mitigated by changing firewall configurations. An authorized user unknowingly installed a malicious script sent via email. An attacker used a software vulnerability to install a malicious script. An attacker used a domain name server (DNS) lookup from a network host. An attacker exploited a network client that bypassed the secure web gateway (SWG).

an attacker used a domain name server (DNS) lookup from a network host

Systems administrators configure an application suite that uses a collection of single hash functions and symmetric ciphers to protect sensitive communication. While the suite uses these security features collectively, how is each instance recognized? As non-repudiation As a cryptographic system As a cryptographic primitive As a key pair

as a cryptographic primitive

Examine the differences between authentication factors and authentication attributes and select the statement that most effectively summarizes the differences between authentication factors and authentication attributes. a. Authentication attributes are characteristics used to verify an account holder's credentials, while authentication factors use secondary or continuous authentication and access control. b. Authentication factors verify an account holder's credentials, while authentication attributes are either non-unique or cannot independently authenticate a user's credentials. c. Authentication factors are most secure when used alone, while authentication attributes should be used in combination with one another to authenticate a user's credentials. d. Authentication attributes describe physical characteristics and behavioral traits of an individual user, while authentication factors primarily authenticate users based on items they carry or information they know.

b. Authentication factors verify an account holder's credentials, while authentication attributes are either non-unique or cannot independently authenticate a user's credentials.

A penetration tester directs test packets to the host using a variety of default passwords against service and device accounts, gaining a view of the vulnerabilities the network exposes to unprivileged users. Given this situation, what type of test did the penetration tester use? a. A credentialed scan b. A non-credentialed scan c. A topology discovery scan d. A host discovery scan

b. a non-credentialed scan

Which of the following authentication procedures effectively employs multifactor authentication? a. A password reset prompt requires the user to supply the answer to several recovery questions. b. A system login requires a user to insert a smart card and enter a PIN. c. An entry control point employs a security guard and requires entrants to submit to a retinal scan. d. A system login requires a user to enter a password, pin, and passphrase.

b. a system login requires a user to insert a smart card and enter a pin

Select the correct simulation of a Virtual Desktop Infrastructure (VDI) deployment. a. A company installs a platform that uses a Type 1 hypervisor to manage access to the host hardware outside of the host operating system. b. A company deploys Citrix XenApp on a server for the client to access for local processing. c. A company replaces all desktop computers with thin clients the employees use to log into VMs stored on the company server. d. A company enforces resource separation at the operating system level without the use of a hypervisor.

c. A company replaces all desktop computers with thin clients the employees use to log into VMs stored on the company server

Examine the use of software diversity in infrastructure development and assess which statement describes the advantages of using a diverse range of development tools and application vendors over a monoculture environment. a. A diverse environment enables secure failover, as development diversity provides system redundancy over multiple vendor products. b. A diverse environment relies on security by obscurity, making a system's infrastructure more difficult for an attacker to interpret and attack. c. A diverse environment can provide security by diversity, making attack strategies more difficult to research and implement. d. A diverse environment reduces the likelihood of installing configuration errors common to a monoculture environment.

c. A diverse environment can provide security by diversity, making attack strategies more difficult to research and implement.

An organization hires a pen tester. The tester achieves a connection to a perimeter server. Which technique allows the tester to bypass a network boundary from this advantage? a. Persistence b. Privilege escalation c. Pivoting d. Lateral movement

c. pivoting

An employee that carries a company credit card learns that the card has become compromised. The employee only remembers fueling a company vehicle. Consider the following viable methods and determine which method compromised the card. Card cloning Data blocker Proximity reader Card skimming

card skimming

Sal, an IT specialist for a large tech firm, pays for a subscription to a threat data feed to stay updated on the latest blogs, white papers, and webinars in his field. What term(s) best describes this type of feed? (Select all that apply.) a. Closed b. Proprietary c. Open source d. Vendor-specific

closed; proprietary

When employees log in to their corporate network from personal devices, they must reauthenticate to access any corporate apps. What type of control is in place? Geofencing Discretionary Access Control (DAC) Containerization Full device encryption

containerization

A new security technician is tasked with sanitizing data on solid state drives (SSD). The technician first uses a degaussing magnet, and then pulverizes the drives with a hammer. What is the likely result of this sanitization attempt? The drives are now sufficiently sanitized. The degaussing magnet failed to destroy media on the SSD, but pulverizing the drives with a hammer makes data permanently irrecoverable. Degaussing fails to destroy media on the SSD, and pulverization by hammer may leave a significant amount of data recoverable. The degaussing magnet successfully destroyed media on the SSD, but pulverization by hammer is an ineffective physical sanitization measure.

degaussing fails to destroy media on SSD, and pulverization by hammer may leave a significant amount of data recoverable

Which scenario best illustrates effective use of industrial camouflage as a security control? Security guards protect a well-lit entry point to a top secret processing facility. Conspicuous warning signs warn unauthorized personnel against entering a fenced-off security zone. Entry control measures for a secure facility begin inside a main entry point, rather than outside the building. Entry to secure zones proceeds in an in-and-out manner, rather than an across-and-between traffic flow.

entry control measures for a secure facility begin inside a main entry point, rather than outside the building

A company hires a security consultant to help them perform a business process analysis (BPA) and reduce dependencies. The consultant asks a manager at the company to walk through the typical process each salesperson makes when processing order requests. Examine the consultant's methods and determine which factor in the BPA the consultant is evaluating. Identify process inputs Identify process outputs Examine the process flow Identify staff and other resources performing the function

examine the process flow

An organization considers installing fingerprint scanners at a busy entry control point to a secure area. What concerns might arise with the use of this technology? (Select all that apply.) Fingerprint scanning is relatively easy to spoof. Installing equipment is cost-prohibitive. Surfaces must be clean and dry. The scan is highly intrusive.

fingerprint scanning is relatively easy to spoof; surfaces must be clean and dry

An administrator plans a backup and recovery implementation for a server. The goal is to have a full backup every Sunday followed by backups that only include changes every other day of the week. In the event of a catastrophe, the restore time needs to be as quick as possible. Which scheme does the administrator use? Full followed by incrementals Image followed by incrementals Full followed by differentials Snapshot followed by differentials

full followed by differentials

A software engineer develops an application that includes routines to check whether user input meets conformity standards to reduce the application's potential attack surface. The engineer conducts which secure coding technique? Normalization Output encoding Error handling Input validation

input validation

Which of the following statements most accurately describes the function of key stretching? Key stretching makes the password key stronger. Key stretching prevents brute force attacks. Key stretching adds a random value when creating the password hash. Key stretching adds entropy to a user-generated password.

key stretching adds entropy to a user-generated password

Analyze the following security information and event management (SIEM) functions and determine which event is NOT conducted during data aggregation. Normalize time zones to a single timeframe. Use plug-ins to parse data from different vendors and sensors. Identify attributes and content that can be mapped to standard fields. Link observables into a meaningful indicator of risk, or Indicator of Compromise (IOC).

link observables into a meaningful indicator of risk, or indicator of compromise (IOC)

A new IT administrator accidentally causes a fire in the IT closet at a small company. Consider the disaster types and conclude which types this event might classify as. (Select all that apply.) External Man-made Internal Environmental

man-made; internal

Consider the Public Key Infrastructure (PKI) Trust Model. In which of the following is the root NOT the single point of failure? Single CA Intermediate CA Self-signed CA Offline CA

offline CA

A company tells the IT department that user access needs to be changed so privileges are only granted when needed, then revoked as soon as the task is finished or the need has passed. Based on Account Management practices, what is the company asking the IT department to implement? Onboarding Identity and Access Management (IAM) Offboarding Privilege bracketing

privilege bracketing

While preparing a disaster recovery plan, management at a company considers how far back it can allow for the loss of data. Which metric does management use to describe this business essential data in terms of recovery? Recovery point objective Work recovery time Maximum tolerable downtime Mean time to repair

recovery point objective

A company located in the western United States that uses cloud computing relies on redundant systems in adjacent availability zones for data backup and storage. Analyze the configuration and determine which level of high availability service the company utilizes. Local replication Regional replication Geo-redundant storage (GRS) Cloud service replication

regional replication

Consider the process of obtaining a digital certificate and determine which of the following statements is NOT correct. A Certificate Authority (CA) ensures the validity of certificates and the identity of those applying for them. Registration is the process where end users create an account with the domain administrator. The registration function may be delegated by the CA to one or more RAs. When a subject wants to obtain a certificate, it completes a CSR.

registration is the process where end users create an account with the domain administrator

What exploitation method targets near field communication (NFC) devices? Juice jacking Bluesnarfing Remote wipe Skimming

skimming

A security information and event management (SIEM) handler's dashboard provides graphical representations of user profile trends. The graphic contrasts standard user activity with administrative user activity and flags activity that deviates from these clusters. This graphical representation utilizes which trend analysis methodology? Frequency-based trend analysis Volume based trend analysis Statistical deviation analysis Syslog trend analysis

statistical deviation analysis
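Statistical deviation analysis compares each account's current activity with the baseline of the cluster it belongs to and flags outliers. This added example (not part of the original study set) computes z-scores for constructed daily activity counts against separate "standard user" and "administrator" baselines; the counts, account names and the three-sigma threshold are assumptions chosen for the demonstration.

```python
from statistics import mean, pstdev

# Constructed baselines: daily privileged-command counts for each cluster.
BASELINE = {
    "standard": [12, 15, 11, 14, 13, 12, 16],
    "admin":    [80, 95, 88, 91, 84, 90, 87],
}

# Constructed observations: account -> (cluster, today's count).
OBSERVED = {
    "alice": ("standard", 14),
    "bob":   ("standard", 70),   # a standard user behaving like an admin
    "carol": ("admin", 89),
}


def zscore(value: float, sample: list) -> float:
    """Standard deviations between value and the sample mean (population sigma)."""
    mu, sigma = mean(sample), pstdev(sample)
    if sigma == 0:                       # flat baseline: any change is an outlier
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def flag_deviations(observed: dict, baseline: dict, threshold: float = 3.0) -> dict:
    """Return {account: z} for every account beyond the threshold of its cluster."""
    flagged = {}
    for account, (cluster, count) in observed.items():
        z = zscore(count, baseline[cluster])
        if abs(z) >= threshold:
            flagged[account] = round(z, 2)
    return flagged


if __name__ == "__main__":
    for account, (cluster, count) in OBSERVED.items():
        print(f"{account:6} {cluster:9} count={count:3} z={zscore(count, BASELINE[cluster]):6.2f}")
    print("flagged:", flag_deviations(OBSERVED, BASELINE))
```

Note that carol's count would be a huge outlier against the standard-user baseline but is ordinary for her own cluster; the method only works when the baselines are built per role, which is why the dashboard in the question contrasts the two profiles rather than pooling them.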

An investigator needs to analyze all data on a system. Which file does the investigator review if it contains data while in use when physical RAM in a system is exceeded? Hibernation file Dump file Swap file Temp file

swap file

A technology firm suffers a large-scale data breach, and the company suspects a disgruntled former IT staff member orchestrated the breach to exfiltrate proprietary data. During the forensic investigation, a hard disk was not signed out when handled. Examine the scenario and determine what issue this oversight is most likely to cause in the investigative process. The chain of custody is under question. A timeline of events is under question. Retrospective network analysis (RNA) cannot occur. Relevant evidence was not properly disclosed to the defendant.

the chain of custody is under question

Two companies enter into an agreement that if one data center suffers a disaster-level event, it can failover to the other company's data center with minimal disruption in service. Which statement most accurately describes the companies' site resiliency postures? The companies have a reciprocal arrangement for mutual hot site support. The companies have a contractual agreement to provide mutual cold site support. The companies each have a reserved warm site for failover operations. The companies have a mutual contract for warm site failover support.

the companies have a reciprocal arrangement for mutual hot site support

A small company needs to secure the perimeter of their network, but they do not have the overhead or infrastructure to construct a demilitarized zone. Examine the following recommendations and select the best solution for this small company. The company should configure a screened subnet. The company should install a triple-homed firewall. The company should implement microsegmentation across their network. The company should configure a screened host.

the company should configure a screened host

Analyze the factors associated with performing a Business Process Analysis (BPA) and select the statement that aligns with the output factors. The data or resources a function produces The source of information for performing a function The resources supporting a function A description of how a function is performed

the data or resources a function produces

A company's IT department pushes system updates and configures user permissions from the same shared account. Which statement best describes how this practice is problematic? This practice relies on a single point of failure. This practice breaks data integrity. This practice breaks non-repudiation. This practice fails to properly separate duties among users.

the practice breaks non-repudiation

A server administrator configures symmetric encryption for client-server communications. The administrator configured it this way to utilize which mechanism? The same secret key is used to perform both encryption and decryption. Any operations are performed by two different but related public and private keys. The keys are linked in such a way as to make it impossible to derive one from the other. A key pair is generated and the private key is kept secret.

the same secret key is used to perform both encryption and decryption

A user enters the web address of a favorite site and the browser returns the following: "There is a problem with this website's security certificate." The user visits this website frequently and has never had a problem before. Applying knowledge of server certificates, select the circumstances that could cause this error message. (Select all that apply.) The system's time setting is incorrect. The certificate is pinned. The web address was mistyped. The certificate expired.

the system's time setting is incorrect; the certificate expired

A national intelligence agency maintains data on threat actors. If someone intercepted this data, it would cause exceptionally grave damage to national security. Analyze the risk of exposure and determine which classification this data most likely holds. Confidential Secret Top secret Proprietary

top secret

A suspected network breach prompts an engineer to investigate. The engineer utilizes a set of command line tools to collect network routing data. While doing so, the engineer discovers that UDP communications are not working as expected. Which tool does the engineer experience difficulty with? route tracert pathping traceroute

traceroute

A network administrator needs to implement a firewall between nodes on the same subnet, without reconfiguring subnets and reassigning IP addresses across the network. Considering firewall configurations, which implementation is the best choice? Routed firewall Router firewall Transparent firewall Virtual firewall

transparent firewall

A systems manager creates a control diversity plan to enact a defense in depth approach to security. To mitigate any possible risk of a virus infection, the plan includes which physical and administrative controls? (Select all that apply.) User training USB port locks Restricted permissions Endpoint security

user training; USB port locks

In the containment phase of incident response, the Cyber Incident Response Team (CIRT) faces complex issues that need to be addressed quickly. During this phase, a member of the CIRT would be concerned about all EXCEPT which of the following issues? What damage has already occurred? Which password policy will prevent this in the future? What actions could alert the attacker that the attack has been detected? What countermeasures are available?

which password policy will prevent this in the future
