Security+ 601 Practice Questions 2:
What command would be used to create an SSH key pair using RSA? A.ssh-keygen -t rsa B.ssh -i ~/.ssh/id_rsa C.ssh -new rsa 2048 D.ssh -n -rsa
"-t" allows you to change the TYPE of key that is created. A.ssh-keygen -t rsa
Web server A is unreachable from the corporate branch office. Review the stateful firewall below. Which of the options below would resolve the problem while ensuring the web traffic is secure? A.Add a rule "permit source 172.30.2.1/24 to destination 172.30.1.0/24, HTTP" B.Add a rule "permit source 172.30.3.0/24 to destination 172.30.2.1/24, HTTP" C.Add a rule "permit source 172.30.1.0/24 to destination 172.30.2.1/24, HTTP" D.Add a rule "permit source 172.30.2.1/24 to destination 172.30.1.0/24, HTTPS" E.Add a rule "permit source 172.30.3.0/24 to destination 172.30.2.1/24, HTTPS" F.Add a rule "permit source 172.30.1.0/24 to destination 172.30.2.1/24, HTTPS"
(A), (B), and (C) are all insecure. We want HTTPS. (D) is the wrong direction. We want the branch office set as the source and the web server as the destination. (E) has the wrong source address. (F) is correct. We do not need to make a rule for the web server to the office since a stateful firewall will allow return traffic that matches the new rule. F.Add a rule "permit source 172.30.1.0/24 to destination 172.30.2.1/24, HTTPS"
A corporate partner has been assisting in the development of several SaaS products. The past three projects they completed lacked input validation and contained several other vulnerabilities. What should be done to find these weaknesses before the software is released? A.Limit the use of third-party libraries. B.Prevent data exposure queries. C.Obfuscate the source code. D.Submit the application to QA before releasing it.
(A), (B), and (C) will not detect vulnerabilities, while (D) submitting to Quality Assurance could, so long as they are instructed to look for them. D.Submit the application to QA before releasing it.
A company is concerned about custom/targeted malware being injected into their IT systems via USB sticks or email. Of the options below, what is the company's best course of action to mitigate this specific threat? A.Configure signature-based antivirus to update every 30 minutes B.Fuzzing new files for vulnerabilities if they are not digitally signed C.Implement application execution in a sandbox for unknown software D.Enforcing S/MIME for email and automatically encrypting USB drives upon insertion
(A) Signature-based antivirus will not stop CUSTOM malware. (B) Fuzzing is used to test input validation and will not help in this situation. (C) A reasonable answer. Any unknown applications are immediately sent to an isolated sandbox. (D) Encrypting the drives doesn't stop the malware from attempting to access the system. C.Implement application execution in a sandbox for unknown software
An employee's phone was compromised with malware after they plugged it into a USB charging port at an airport terminal. What could have mitigated this risk? A.A firewall B.A device PIN C.A USB data blocker D.Biometrics
A USB data blocker (P. 543) can prevent access to the phone in public areas. CompTIA defines it as a "hardware plug to prevent malicious data transfer when a device is plugged into a USB charging point." While a phone PIN can also help prevent access, it wouldn't prevent more sophisticated attacks. C.A USB data blocker
A manager has decided that outsiders and corporate partners visiting the company campus need to sign a digital AUP before they will be allowed to access the isolated and complimentary guest WiFi. What would a technician utilize to facilitate the manager's decision? A.Implement open PSK on the APs B.Install a captive portal C.Deploy a WAF D.Configure WIPS on the APs
A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. B.Install a captive portal
A cloud storage server has been brought online that is intended to serve hospitals exclusively. Several hospitals, all owned by different entities, have begun using this highly secured cloud server. What type of cloud deployment model matches this type of server? A.Public B.Private C.Community D.Hybrid
A community cloud is shared by a group of similar organizations that all have similar needs. In this example, it is a server built only to serve hospitals. C.Community
A large industrial HVAC system is set up to alert the maintenance company whenever there is a problem with the system. While performing a routine audit, an engineer notices that the HVAC system is sending IP packets to an internal file server's IP. While maintaining the alerting capabilities of the HVAC system, what mitigation effort should the engineer employ? A.Segmentation B.Firewall whitelisting C.Containment D.Isolation
A firewall could be used to force the HVAC system to communicate ONLY with the maintenance company, and not the internal file server. Segmentation is not a bad answer, but without knowing how we do the segmentation, it is a risky choice. Containment/isolation will cut the device off from the maintenance company, and we need to maintain the alerting capabilities. B.Firewall whitelisting
A manager is using their company laptop to connect to a public access point and remotely access company file shares. What would best be utilized in this situation to protect the laptop from other devices on the public network? (Pick two) A.Trusted Platform Module B.A Host-based firewall C.A DLP solution D.Full disk encryption E.A VPN F.Antivirus software
A host-based firewall will stop unwanted traffic from entering the laptop, while a VPN would be ideal for creating an encrypted connection to the corporate shares over public WiFi. B.A Host-based firewall E.A VPN
An organization has a few servers with end-of-life software running on them. The OS is still receiving updates, but the software isn't, and it can't be migrated to any other system due to compatibility issues. An admin has developed a resiliency plan that would allow the OS to be patched in a non-production environment, while also effortlessly making backups of the systems should recovery be necessary. What resiliency technique will best provide the services described above? A.Redundancy B.RAID 1+5 C.Virtual machines D.Full backups
A long question that attempts to confuse you with excess information! They are trying to describe the benefits of using virtual machines. C.Virtual machines
Of the plans listed below, which one would help a company's executives determine how to proceed during an ongoing disaster, such as a global pandemic? A.An incident response plan B.A communications plan C.A disaster recovery plan D.A business continuity plan
A recovery plan is about recovering after the disaster. A continuity plan is about increasing resiliency and possibly what to do during a disaster. D.A business continuity plan
After a meeting with an auditor, a manager is putting together a risk register. What best describes a risk register? A.To define the level of risk using probability and likelihood B.To register the risk with the required regulatory agencies C.To identify the risk, the risk owner, and the risk measures D.To formally log the type of risk mitigation strategy the organization is using
A risk register will: • Identify potential risks and their impact/likelihood • Display the company's mitigation plan for each risk • Assign responsibility for the execution of those plans • Track the status of each plan (complete, in-progress, not started, etc.) (A) isn't wrong, but (C) is a more complete answer. C.To identify the risk, the risk owner, and the risk measures
In which situation would a DNS sinkhole be useful? A.An attacker is sniffing traffic to port 53, and the server is managed using unencrypted usernames and passwords. B.An organization is experiencing excessive traffic on port 53 and suspects an attacker is trying to DoS the domain name server. C.Malware is trying to resolve an unregistered domain name to determine if it is running in an isolated sandbox. D.Routing tables have been compromised, and an attacker is rerouting traffic to malicious websites.
A sinkhole is a defense mechanism typically used against DDoS attacks. When a network device or server detects an incoming attack, the "sinkhole" function attempts to send the malicious traffic to a honeypot/net (sandbox) for analysis, away from the originally intended target. B.An organization is experiencing excessive traffic on port 53 and suspects an attacker is trying to DoS the domain name server.
A technician needs to create a detailed diagram that shows where all of the company access points are located in the office. What would be the best method for creating this diagram? A.Footprinting B.White-box testing C.A drone/UAV D.Pivoting
A site survey would be a great answer. Unfortunately, footprinting is the best that we have available to us. A.Footprinting
Somebody managed to capture all of the password hashes from a web server on a company's network. While performing an investigation, an analyst needs to gain access to the contents of RAM from the compromised server. Which of the following file types is the analyst looking for? A.Security B.Application C.Dump D.Syslog
A system memory dump creates an image file that can be analyzed to identify the processes that are running, the contents of temporary file systems, registry data, network connections, cryptographic keys, and more. P.471 C.Dump
Several managers have gathered to discuss hypothetical attacks and threats to the company. They discuss how to respond to the threats based on previous plans and explore how to handle a dynamic security breach. What best describes what the managers are doing? A.Running a simulation exercise B.Conducting a tabletop exercise C.Building a disaster recovery plan D.Developing an incident response plan
A tabletop exercise involves reviewing the incident response plans so that future responses are faster and smoother. Furthermore, it gives everyone an opportunity to suggest improvements or changes to the plan. B.Conducting a tabletop exercise
Which of the following could be categorized as physical and preventative controls? Choose the BEST answers. (pick two) A.Alarms B.Signage C.Lighting D.Mantraps E.Fencing F.Sensors
A. Detective B. Deterrent C. Deterrent D. Preventative E. Can be preventative F. Detective D.Mantraps E.Fencing
Countless websites have become unreachable for all the hosts on the network. A technician from the helpdesk runs ipconfig /flushdns on all affected workstations, but the problem persists. The issue is escalated to a senior technician who changes the configured DNS server on the affected hosts, and the problem is resolved. What problem is the original DNS server most likely suffering from? A.DNS cache poisoning B.DNS tunneling C.Domain hijacking D.Distributed denial-of-service
A. If this were the case, flushing the DNS cache would have solved the problem. B. This is when an attacker uses DNS as a covert channel to exfiltrate data from the network. C. Since we are dealing with several websites, it is unlikely a hacker has compromised all of them. Furthermore, most hijacks do not involve disabling the server. D. It sounds like the DNS server that we were originally using is having problems. A DDoS could be responsible. D.Distributed denial-of-service
Which of the following would best describe the severity of a company's vulnerabilities? A.CVSS B.SIEM C.CVE D.SOAR
A.CVSS - The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. - CVE is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities. - SIEM (Security information and event management) is a service/software that gathers network and application logs in real-time and analyzes them, giving security experts the ability to better monitor and analyze attacks/threats. - Sometimes running alongside the SIEM or built into it, SOAR (Security Orchestration, Automation, and Response) was designed to automate and improve response time when a SIEM detects a threat/anomaly on the network. Sometimes referred to as a Next Generation SIEM.
Which would be best in balancing a newly adopted BYOD culture while also protecting company secrets? A.Containerization B.Geofencing C.Full-disk encryption D.Remote wipe
A.Containerization
Given the following output on an attacker's system:
Status : Cracked
Hash.Type : SHA-1
Hash.Target : e653c7526c3a40b47943710427dabaee71ec2267
Time.Started : Tuesday, April 21 1:45:12 2020
Progress : 26845159 / 450365879 (5.96%) hashes
Time.Stopped : Tuesday, April 21 1:47:53 2020
Password found : Str0ngP@ssword1!
Which of the following BEST describes the type of password attack the attacker is performing? A.Dictionary B.Pass-the-hash C.Brute-force D.Password spraying
A.Dictionary A password that long broken in a few minutes? It must be a dictionary attack; brute-force attacks could take years to crack passwords of that length.
An admin and their team are building several new servers and the servers must have high availability and resiliency. Of the options below, what will best meet the admin's needs? (pick two) A.Dual power supply B.Off-site backups C.Automatic OS upgrades D.NIC teaming E.Scheduled penetration testing F.Network-attached storage
A.Dual power supply D.NIC teaming
The CEO would like employees to be able to work from home in the event of a disaster. However, they are concerned that staff might attempt to work from high-risk countries or outsource their work if given the ability to work remotely. What controls could best mitigate the CEO's concerns? (pick two) A.Geolocation B.Time-of-day restrictions C.Certificates D.Tokens E.Geotagging F.Role-based access controls
A.Geolocation B.Time-of-day restrictions
Before a news team takes a tour of the new state-of-the-art office complex, a manager instructs employees to clean all whiteboards and clear off all of their desks. What threat is the manager most likely trying to mitigate? A.Loss of proprietary information B.Damage to the company's reputation C.Social engineering D.Credential exposure
A.Loss of proprietary information
Which one of the tools below could be used to find out if the corporate server is running unnecessary services? A.Nmap B.DNSEnum C.Wireshark D.Autopsy
A.Nmap - Nmap, short for network mapper, is capable of port scanning the network and determining what services are running on any hosts that are detected. - Wireshark is a protocol analyzer and packet sniffer that is used for gathering, sorting, and analyzing traffic from a network. - Autopsy is a tool for performing data forensics.
Before accepting credit cards on a new shopping website, what standard must a company follow? A.PCI DSS B.NIST CSF C.ISO 22301 D.ISO 27001
A.PCI DSS PCI DSS = Payment Card Industry Data Security Standard NIST CSF = National Institute of Standards and Technology, Cyber Security Framework ISO 22301 - security & resilience, business continuity management ISO 27001 - information security rules and requirements (compliance/regulations)
Of the control type listed below, what would a mantrap (access control vestibule) or turnstile be considered? A.Physical B.Detective C.Corrective D.Technical
A.Physical
Which of the following pen-test teams would mimic the tactics used by hackers? A.Red team B.White team C.Blue team D.Purple team
A.Red team
An employee received a text message (SMS) on their phone that asked for them to confirm their social security number and date of birth. Of the options below, what best describes what this employee has experienced? A.Smishing B.SPIM C.Vishing D.Spear phishing
A.Smishing - Smishing is text/instant message (SMS) phishing. - SPIM is text/instant message spam. - Vishing is VoIP (voice) phishing. It requires someone to call you. - Spear phishing is a phishing attack that targets a specific individual or group.
After entering a password a user is asked to enter an authentication code. What type of MFA factors are being used in this scenario? (pick two) A.Something you know B.Something you have C.Somewhere you are D.Someone you know E.Something you are F.Something you can do
A.Something you know B.Something you have
After a ransomware attack, you need to review a cryptocurrency transaction made by the victim. Which of the following would you MOST likely review to trace this transaction? A.The public ledger B.The NetFlow data C.A checksum D.The event log
A.The public ledger "Blockchain is a concept in which an expanding list of transactional records is secured using cryptography. The blockchain is recorded in a public ledger. This ledger does not exist as an individual file on a single computer; rather, one of the most important characteristics of a blockchain is that it is decentralized. The ledger is distributed across a peer-to-peer (P2P) network in order to mitigate the risks associated with having a single point of failure or compromise. Blockchain users can therefore trust each other equally." Page 121
After performing a detailed risk analysis an organization has elected to use insurance to protect itself in the event of a natural disaster. Which of the following risk management strategies are they employing? A.Transference B.Avoidance C.Mitigation D.Acceptance
A.Transference
Sales employees regularly utilize the same fantasy football website as other sales associates working for other companies. Which of the following attacks is the highest concern in this scenario? A.Watering-hole attack B.Credential harvesting C.Hybrid warfare D.Pharming
A.Watering-hole attack
Which of the following best represents a directory traversal? A.http://website.com/products/../../..etc/shadow B.http://website.com/robert');+drop+table+users;-- C.http://redirect.wibsite.url.website.com/malicious-dns-redirect
A.http://website.com/products/../../..etc/shadow
A smart switch has the ability to monitor electrical levels and shut off power to a building in the event of a power surge or other similar situations. The switch was installed on a wired network in a local office and is monitored via a cloud application. The switch is already isolated on a separate VLAN and has a patching routine set up. Which of the following steps should also be taken to harden the smart switch? A.Set up an air gap for the switch. B.Change the default password for the switch. C.Place the switch in a Faraday cage. D.Install a cable lock on the switch.
Air gapping the device could cut it off from the cloud application, the question doesn't mention wireless so a Faraday cage won't help, and a cable lock will only help prevent physical theft, which doesn't appear to be our main concern. That leaves us with (B). B.Change the default password for the switch.
Of the options below, when would it be the best time to use a detective control instead of a preventative control? A.A company implemented a network load balancer to ensure 99.999% availability of its web application. B.A company designed a backup solution to increase the chances of restoring services in case of a natural disaster. C.A company purchased an application-level firewall to isolate traffic between the accounting department and the information technology department. D.A company purchased an IPS system, but after reviewing the requirements, the appliance was supposed to monitor, not block, any traffic.
All IPSs (intrusion prevention systems) can be set up to act as IDSs (intrusion detection systems). D.A company purchased an IPS system, but after reviewing the requirements, the appliance was supposed to monitor, not block, any traffic.
A mission-critical system needs to be deployed, and due to government regulations it should not be accessible from any network or the internet. What solution would best protect this system? A.A demilitarized zone B.A shielded cable C.A Faraday cage D.An air gap
An air-gapped host is one that is not physically connected to any network. D.An air gap
A hospital is recovering from a recent ransomware attack against its networked storage. The original incident was caused by a phishing email, and the hospital's IT admin wants to prevent any recurrence of this type of incident. Which of the following should the admin do FIRST after recovery? A.Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis. B.Restrict administrative privileges and patch all systems and applications. C.Rebuild all workstations and install new antivirus software. D.Implement application whitelisting and perform user application hardening.
Answers A and B are close. Restricting access and patching systems seems pretty beneficial for preventing further intrusion, but scanning for residual malware is a better FIRST task. A.Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis.
A RAT was used to compromise a manager's computer and steal the password to the corporate bank account. Data forensics revealed that the manager's account had permission to install software and the RAT was installed by clicking on an email attachment. What would prevent this from recurring to them or someone else in the future? A.Create a new acceptable use policy. B.Segment the network into trusted and untrusted zones. C.Enforce application whitelisting. D.Implement DLP at the network boundary.
Application whitelisting can restrict untrusted or unknown applications from being installed. C.Enforce application whitelisting.
You have been issued a smart card that provides physical access to a building as well as thin clients on the network utilizing tokens. You see the same desktop each time you log in regardless of which thin client is used. Which technologies are responsible for these capabilities? (Pick Two) A.COPE B.VDI C.GPS D.TOTP E.RFID F.BYOD
B.VDI E.RFID
Which of the following describes the ability of code to target a hypervisor from inside a guest OS? A.Fog computing B.VM escape C.Software-defined networking D.Image forgery E.Container breakout
B.VM escape
Mr. LaRusso, the owner of your company, may have had their PC affected by a security incident. A duplicate copy of his hard drive must be stored securely to follow chain of custody and appropriate forensic procedure. Which of the following steps should be performed in order to accomplish this goal? A.Install a new hard drive in his PC, and then remove the old hard drive and place it in a tamper-evident bag. B.Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy. C.Remove his hard drive from the PC, connect to the forensic workstation, and copy all the contents onto a remote fileshare while Mr. LaRusso watches. D.Refrain from completing a forensic analysis of his hard drive until after the incident is confirmed; duplicating the hard drive at this stage could destroy evidence.
B.Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.
After reading the user manual for a specific brand of security camera, a hacker was able to log in and disable the cameras on the company's campus. What describes the configuration that the hacker took advantage of? A.Open permissions B.Default settings C.Unsecure protocols D.Weak encryption
B.Default settings If the hacker figured out how to access (log in) and disable the cameras just from reading the manual, it is likely that there is a default password on the camera that was never changed.
After connecting their laptop to the company's SSID, an employee was prompted to enter their username and password into a pop-up web browser. This had never happened before, but they entered their credentials anyway. Later that day they noticed they were unable to access any of the company servers, and unusual transactions were appearing on their credit card. What attack is most likely being described in this scenario? A.Rogue access point B.Evil twin C.DNS poisoning D.ARP poisoning
B.Evil twin
A server certificate needs to be generated to be used for 802.1X. Which of the following is the FIRST step that will most likely accomplish this task? A.Create an OCSP. B.Generate a CSR. C.Create a CRL. D.Generate a .pfx file.
B.Generate a CSR.
A data breach was discovered after a company's usernames and passwords were posted to a hacker website. Afterwards, an analyst discovered the company stored credentials in plain text. Which of the following would help mitigate this type of breach in the future? A.Create DLP controls that prevent documents from leaving the network. B.Implement salting and hashing. C.Configure the web content filter to block access to the forum. D.Increase password complexity requirements.
B.Implement salting and hashing.
A professor recently left their position at university A to take a job at a rival college, university B. A few months after the professor officially departed, a security analyst at university A noticed that the former professor had logged into a department server and deleted several important file shares. Of the security practices listed below, what should have been performed to prevent the important files from being deleted? A.Non-disclosure agreement B.Offboarding C.An acceptable use policy D.Least privilege
B.Offboarding
Emily has received a suspicious email that claims she won a multi-million dollar sweepstake. The email instructs her to reply with her full name, birthdate, and home address so her identity can be validated before she is given the prize. What best describes this type of social engineering attack? A.Vishing B.Phishing C.Whaling D.Spear phishing
B.Phishing
Due to a supply shortage over the summer, not all of the company campus was upgraded with the new and faster wireless access points. While the company is waiting for more to come in, a security analyst has grown concerned that employees might bring in their own access points without permission. What type of threat is the security analyst concerned about? A.Hacktivist B.Shadow IT C.White-hat D.A script kiddie E.APT
B.Shadow IT
What attack best describes the logs below: A.Brute-force B.Spraying C.Dictionary D.Rainbow table
B.Spraying
A text file titled "admin_passwords" was put on the desktop of the company server. What explains why an admin would leave this file on the desktop of the server? A.The document is used as a keylogger that stores all keystrokes should an admin account get compromised. B.The document is a honeyfile and is meant to attract the attention of a cyberintruder. C.The document is a backup file that allows for password recovery. D.The server uses this file to verify login credentials.
B.The document is a honeyfile and is meant to attract the attention of a cyberintruder.
Instead of relying on in-house application security, an organization has decided to outsource their application security by adopting a SaaS from a CSP (cloud service provider). What type of risk management has the company performed by implementing this change? A.Acceptance B.Transference C.Avoidance D.Mitigation
B.Transference
Which ISO standard is specifically designed for certifying privacy? A.31000 B.27002 C.27701 D.9001
C.27701 ISO standards 27001, 27002, 27701, 31000 are listed as exam objectives. Additional supplementary ISO numbers can be found in this slide's notes. - ISO 27001 Information Security Management Systems: infosec rules and requirements used by many governing bodies to create compliance/regulations. - ISO 27701 Privacy Information Management: an extension to 27001 that outlines rules and regulations specifically tied to privacy. - ISO 27002 Information Security Best Practices: guidelines and suggestions for how to start or improve infosec at an organization. - ISO 31000 Risk Management Best Practices: generic (non-specific) suggestions for managing risk response within an organization.
Assuming multiple drives will not fail simultaneously, which RAID configuration would provide some fault tolerance while offering high speeds? A.0 B.1 C.5 D.10
C.5
An admin sees several employees all simultaneously downloading files with the .tar.gz extension. The employees say they did not initiate any of the downloads. A closer examination of the files reveals they are PE32 files. Another admin discovers all of the employees clicked on an external email containing an infected MHT file with an href link at least two weeks prior. Which of the following is MOST likely occurring? A.A RAT was installed and is transferring additional exploit tools. B.The workstations are beaconing to a command-and-control server. C.A logic bomb was executed and is responsible for the data transfers. D.A fileless virus is spreading in the local network environment.
C.A logic bomb was executed and is responsible for the data transfers. The two week delay suggests logic bomb!
From the options below, what type of threat actor would be described as highly skilled and well coordinated? A.Shadow IT B.A hacktivist C.An advanced persistent threat D.An insider threat
C.An advanced persistent threat
A security expert has identified the following: • www.example.com is officially hosted at 172.16.99.99. • Based on NetFlow records, there was a day when a single corporate DNS server resolved www.example.com to 172.31.50.50. • At present all company DNS servers resolve www.example.com to 172.16.99.99. Of the options below, what most likely occurred? A.A reverse proxy was used to redirect network traffic. B.An SSL strip MITM attack was performed. C.An attacker temporarily poisoned a name server. D.An ARP poisoning attack was successfully executed.
C.An attacker temporarily poisoned a name server.
Which of the following would MOST likely support the integrity of a banking application? A.Perfect forward secrecy B.Transport Layer Security C.Blockchain D.Asymmetric encryption
C.Blockchain (A) and (B) are designed to support confidentiality, while (C) BLOCKCHAIN is specifically used for integrity management through encryption. (D) can be used for integrity management, but not without the addition of hashing, which creates a process known as signing. More about blockchain: A blockchain is a growing list of records, called blocks, that are linked using cryptography. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. By design, a blockchain is resistant to modification of its data. This is because once recorded, the data in any given block cannot be altered retroactively without alteration of all subsequent blocks.
You are configuring a vulnerability scanner for a multinational organization. You are required by contract to scan systems on a weekly basis with admin privileges, but are concerned that hackers could gain access to the account and pivot throughout the company's networks. Which of the following BEST addresses this concern? A.Create different accounts for each region, each configured with push MFA notifications. B.Create one global administrator account and enforce Kerberos authentication. C.Create different accounts for each region, limit their logon times, and alert on risky logins. D.Create a guest account for each region, remember the last ten passwords, and block password reuse.
C.Create different accounts for each region, limit their logon times, and alert on risky logins.
What type of control would a sign, like the one above, be considered? A.Detective B.Compensating C.Deterrent D.Corrective
C.Deterrent
Which of the following would document concerns associated with the restoration of IT systems in the event of a flood, earthquake, or hurricane? A.Business continuity plan B.Communications plan C.Disaster recovery plan D.Continuity of operations plan
C.Disaster recovery plan
In your growing company, each newly hired salesperson relies on a mobile device to conduct business. You are wondering if the organization may need to scale down just as quickly as it scaled up. You're also concerned about the organization's security and customer privacy. Which of the following would be BEST to address your concerns? A.Disallow new hires from using mobile devices for six months. B.Select four devices for the sales department to use in a CYOD model. C.Implement BYOD for the sales department while leveraging the MDM. D.Deploy mobile devices using the COPE methodology.
C.Implement BYOD for the sales department while leveraging the MDM.
An employee typically uses SSH to connect and configure a remote server. Today they got this message: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx WARNING: REMOTE HOST ID HAS CHANGED! xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx The fingerprint for the RSA key sent by the host is SHA: 1B8104A05A243CEE3776A81BDE2EC7DAA990D0A5. Host key verification failed. Please contact your admin. What network attack is the employee most likely experiencing? A.Evil twin B.ARP poisoning C.Man-in-the-middle D.MAC cloning
C.Man-in-the-middle The remote device we are attempting to connect to does not have the proper SSH key. We are likely talking to a Man-in-the-Middle (MitM) who is impersonating our intended destination.
An organization needs their future internet service provider to commit to a specific timeframe in the event of a significant service outage. What document would be used to enforce this with the service provider? A.MOU B.MTTR C.SLA D.NDA
C.SLA
An admin is viewing the company website and sees the URL displayed below: http://security123.com/home/forum.php?sessionID=7261143 The admin copies their URL and sends it to a coworker. Then they browse the website through the following URL: http://security123.com/home/forum.php?sessionID=9819813 Which of the following attacks is being tested? A.Pass-the-hash B.Cross-site request forgery C.Session replay D.Object dereference
C.Session replay
How could you tell from the results of a vulnerability scan if the scanner had been provided valid credentials relevant to the target it was scanning? A.The scan identified expired SSL certificates B.The scan produced a list of vulnerabilities on the target host C.The scan enumerated software versions of installed programs D.The scan results show open ports, protocols, and services exposed on the target host
C.The scan enumerated software versions of installed programs A vulnerability scanner should NOT be able to see software versions of installed programs unless it has valid credentials and can log into the device it is scanning.
A security expert is looking through logs for a specific IoC (Indicator of Compromise) that they read about online. What are they doing? A.A packet capture B.A user behavior analysis C.Threat hunting D.Credentialed vulnerability scanning
C.Threat hunting
A company would like to get one SSL certificate that can cover both of their application servers, [email protected] and www.example.com. Furthermore, this certificate should be able to cover any future application servers that the company may add of a similar naming convention, such as smtp.example.com. What type of SSL certificate would best fit their needs? A.Self-signed B.SAN C.Wildcard D.Extended validation
C.Wildcard *.example.com A wildcard certificate is capable of being used by, and protecting, several servers so long as the domain and top level domain are matching.
A public announcement is made about a newly discovered, rapidly spreading virus. The security team immediately updates and applies all its antivirus signatures. The security manager contacts the antivirus vendor support team to ask why one of the systems was infected. The vendor support team explains that the signature update is not available for this virus yet. Which of the following best describes the situation? A.Race condition B.End of life C.Zero day D.Integer overflow
C.Zero day
You are concerned with servers running outdated applications. Which command would work BEST to help identify potential vulnerabilities? A.hping3 -S comptia.org -p 80 B.nc -1 -v comptia.org -p 80 C.nmap comptia.org -p 80 -sV D.nslookup -port=80 comptia.org
C.nmap comptia.org -p 80 -sV Since no vulnerability scanners are listed (Nessus or OpenVAS for example) then NMAP is our next best choice (As a scanning tool it has basic vulnerability scanning)
A company has developed their own SaaS product. They need a flexible and transparent management tool that grants them the ability to control and monitor who uses their product. What could meet the needs of this company for their new SaaS product? A.SIEM B.DLP C.CASB D.SWG
CASB (Cloud Access Security Broker) is a software/service that sits between the end user and the cloud provider. Flexible management, security, access control... a CASB should be able to handle all of their needs. A SWG (software web gateway, basically a layer 7 firewall) is going to be more limited in its functions and will not give them all the flexibility, granular controls, and transparency that they will ultimately require. C.CASB
A company's Chief Information Officer (CIO) is meeting with the Chief Information Security Officer (CISO) to plan some activities to enhance the skill levels of the company's developers. Which of the following would be MOST suitable for training the developers? A.A capture-the-flag competition B.A phishing simulation C.Physical security training D.Basic awareness training
Capture the Flag (CTF) is usually used in ethical hacker training programs and gamified competitions. Participants must complete a series of challenges within a virtualized computing environment to discover a flag. The flag will represent either threat actor activity (for blue team exercises) or a vulnerability (for red team exercises). None of the other options would enhance the "SKILL LEVELS" of the developers. A.A capture-the-flag competition
What command would be used to send a public SSH key to another host? A.Copy-ssh ~/ssh/id_rsa/pub user@server B.chmod 644 ~/.ssh/id_rsa C.Ssh-copy-id -i ~/ssh/id_rsa_pub user@server D.chmod 777 ~/.ssh/authorized_keys
Chmod alters permissions on a folder or file. 644 means the owner has read and write while everyone else has read only. 777 means everyone can read, write, and execute. C.Ssh-copy-id -i ~/ssh/id_rsa_pub user@server (This copies the public key to the remote server)
You have been tasked with performing data forensics and need to make an exact copy of a hard drive. What command could you use to perform this task? A.Dd B.Chmod C.Dnsenum D.logger
CompTIA says, "on a Linux host you can use the dd command to make a copy of an input file (if=) to an output file (of=) and apply optional conversions to the file data. In the following sda is the fixed drive: dd if=/dev/sda of=/mnt/usbstick/backup.img" Chmod alters permissions for file system objects while Dnsenum is for gathering (enumerating) dns information. Logger is used to make entries in the system log. It provides a command interface to the syslog module. A.Dd
One of your employees wants to access sensitive data from a corporate-owned mobile device. Personal data is not allowed on the device. Which of the following MDM configurations must be considered when the engineer travels for business? A.Screen locks B.Application management C.Geofencing D.Containerization
Containerization protects portions of a device as well as how data can be transferred into and outside of that container. This could also determine how an employee can write data to their phone, such as personal data. P. 353 While geofencing is a tempting answer, it doesn't address the overall concerns of personal data while an employee uses the phone, only when they bring it outside of boundaries of the fence. D.Containerization
Of the options below, which one would typically utilize steganography? A.Blockchain B.Integrity C.Non-repudiation D.Obfuscation
D.Obfuscation Steganography is a technique/art that involves obscuring or hiding a message in plain sight.
Which type of RAID would allow for recovery even after two drive failures? A.0 B.1 C.5 D.6
D.6
A security audit has revealed that a system is vulnerable to malicious users installing and running applications on the system. The system is beyond end-of-life support, so it is placed on a protected network segment until it can be upgraded. Which technology would most effectively protect the vulnerable system? A.DNS sinkhole B.DLP rules on the terminal C.An IP blacklist D.Application whitelisting
D.Application whitelisting
An investigation has revealed that the worm gained access to the company SQL server using well-known credentials. It then spread throughout the network and managed to infect over a dozen systems before it was contained. What is the best preventative measure the company could take to prevent this from happening again? A.Air gap the SQL server from the network B.Block all remote access services on the network gateway C.Establish routine backups for all company servers D.Change the default application password
D.Change the default application password "Well known credentials" indicates we have a common/predictable/default password on our hands. We should change that password ASAP and then deploy IPS/antimalware tools.
After several corporate usernames and credentials were posted on the dark web, a security engineer began an investigation. They discovered that for eight hours, last week, the IP address for a vendor's website was changed. Of the attacks below, which is the most likely considering the limited evidence? A.Man-in-the-middle B.Spear-phishing C.Evil twin D.DNS poisoning
D.DNS poisoning
An employee installed a new service on the domain controller without consent or approval from the IT department and change management. What specifically describes this type of threat? A.OSINT B.Insider threat C.Shadow IT D.Dark web
D.Dark web Shadow IT (also known as fake IT, stealth IT, or rogue IT) refers to information technology (IT) systems deployed by departments other than the central IT department, to work around the shortcomings of the central information system.
During an investigation, the following is found in a web server's logs: GET http://somesite.com/../../../../etc/shadow Which attack is most likely seen above? A.SQL injection B.Cross-site scripting C.Pass-the-hash D.Directory traversal
D.Directory traversal
Of the access control schemes below, which one allows an owner to determine an object's access policies? A.Role-based B.Attribute-based C.Mandatory D.Discretionary
D.Discretionary
An organization's e-commerce webpage is not allowed to be offline for more than five hours and they do not have a lot of available storage space. Of the backup strategies outlined below, which should the organization utilize to allow for the FASTEST database restore time in the event of a failure, while being mindful of the limited space? A.Implement full tape backups every Sunday at 8:00 p.m. and perform nightly tape rotations. B.Implement differential backups every Sunday at 8:00 p.m. and nightly incremental backups at 8:00 pm. C.Implement nightly full backups every Sunday at 8:00 pm. D.Implement full backups every Sunday at 8:00 pm. and nightly differential backups at 8:00 p.m.
D.Implement full backups every Sunday at 8:00 pm. and nightly differential backups at 8:00 p.m.
Of the intelligence sources below, which should a security manager review that would allow them to remain proactive in understanding the types of threats that face their company? A.Vulnerability feeds B.Trusted automated exchange of indicator information C.Structured threat information expression D.Industry information-sharing and collaboration groups
D.Industry information-sharing and collaboration groups (A) Vulnerability feeds only show software/hardware vulnerabilities. Nothing about their human targets. (B) TAXII is a protocol for transferring Cyber Threat Intelligence from a server to a client. (C) STIX - Structured method of describing cyber security threats in a consistent manner. While it helps logically organize information it isn't a source of sharing information. (D) ISAC - Industry specific groups on sharing threat information (for example aviation or financial businesses)
An organization is overwhelmed with the responsibilities tied to safely securing their new online store. They are looking for a service provider to assist them in this endeavor. What would be the best option in this situation? A.SDP B.AAA C.IaaS D.MSSP E.Microservices
D.MSSP
After a security assessment is concluded, what benefit does the CVSS score provide to a company on the list of discovered vulnerabilities? A.Validate the vulnerability exists in the organization's network through penetration testing. B.Research the appropriate mitigation techniques in a vulnerability database. C.Find the software patches that are required to mitigate a vulnerability. D.Prioritize remediation of vulnerabilities based on the possible impact.
D.Prioritize remediation of vulnerabilities based on the possible impact.
The data center is currently protected by two factor authentication that includes a fingerprint scanner and a pin number. What item could be added to this preexisting system to allow for three factor authentication? A.Date of birth B.Password C.TPM D.Smart card E.Iris scan
D.Smart card We already have fingerprint (something you are) and pin number (something you know). We need to find something from a different category, such as something you have!
A company is building a new e-commerce website and has asked a specialist for the most appropriate way to store credit card numbers to create an easy reordering process. Of the methods outlined below, which would be best for achieving this goal? A.Salting the magnetic strip information B.Encrypting the credit card information in transit C.Hashing the credit card numbers upon entry D.Tokenizing the credit cards in the database
D.Tokenizing the credit cards in the database
A penetration tester has found a domain controller using 3DES to encrypt authentication messages. What problem has the penetration tester identified? A.Unsecure protocols B.Default settings C.Open permissions D.Weak encryption
D.Weak encryption
The company's Chief Financial Officer received an email from a branch office manager who claims to have lost their company credit cards. They are requesting $12,000 be sent to a private bank account to cover various business expenses. What type of social engineering attack does this best illustrate? A.Pharming B.Phishing C.Typo squatting D.Whaling
D.Whaling Whaling: A form of spear phishing where the target is upper management.
Which of the following tools should be utilized to review a 1GB pcap? A.Nmap B.cURL C.Netcat D.Wireshark
D.Wireshark Pcap = packet capture. Wireshark, a protocol analyzer, would be an ideal tool for this!
You are responsible for emailing company employees their benefits and tax information. After sending an email to a new employee you receive back the following email: "Your email message was quarantined. Violation: PII. Please contact IT." Which of the following most likely generated the email found above? A.S/MIME B.DLP C.IMAP D.HIDS
DLP (Data loss/leak prevention) software detects potential data breaches or data exfiltration and prevents them by monitoring, detecting and blocking sensitive data while in use, in motion, and at rest. The contents of the email contained PII (personally identifiable information) and the DLP software put in place by the IT department quarantined the email. S/MIME is a protocol for signing and encrypting emails. IMAP is a protocol used for accessing and managing emails stored on an email server. A HIDS is used to detect hackers attempting to access a host system. B.DLP
An admin needs to use functional data drawn from the production environment in a new virtual training environment. What should be done to the data that is drawn from the production environment so that security and anonymity are maintained when it is used by the training environment? A.Data minimization B.Data masking C.Data deduplication D.Data encryption
Data masking can mean that part or all of the contents of a field are redacted by substituting strings with a new value. For example, all patients could have their age masked and the training system only sees everyone as being 30 years old. Data masking is considered an irreversible deidentification technique, while tokenization can be undone as needed. B.Data masking
A document that appears to be malicious has been discovered in an email that was sent to a company's Chief Financial Officer (CFO). Which of the following would be BEST to allow a security analyst to gather and confirm it is a malicious document without executing any code it may contain? A.Open the document on an air-gapped network. B.View the document's metadata for origin clues. C.Search for matching file hashes on malware websites. D.Detonate the document in an analysis sandbox.
Detonation/execution of a file in a sandbox would give you the ability to analyze its behavior in a controlled environment, making it a good answer. Unfortunately the question specifically mentions not executing any code, so C is much safer. C.Search for matching file hashes on malware websites.
What is ISO 27002?
Information Security Best Practices Guidelines and suggestions for how to start or improve infosec at an organization.
What is ISO 27001?
Information Security Management Systems Infosec rules and requirements used by many governing bodies to create compliance/regulations.
A company has decided to adopt the CYOD (choose your own device) deployment model, where the company allows the employee to choose from a range of cellular devices. Considering this deployment model, what should the security team consider before the phones are deployed? A.The most common set of MDM configurations will become the effective set of enterprise mobile security controls. B.All devices will need to support SCEP-based enrollment; therefore, the heterogeneity of the chosen architecture may unnecessarily expose private keys to adversaries. C.Certain devices are inherently less secure than others, so compensatory controls will be needed to address the delta between device vendors. D.MDMs typically will not support heterogeneous deployment environments, so multiple MDMs will need to be installed and configured.
Different phones will have different security postures, features, and control mechanisms. Some may require compensatory controls. C.Certain devices are inherently less secure than others, so compensatory controls will be needed to address the delta between device vendors.
A penetration tester revealed that an end-of-life server is using 3DES to encrypt its traffic. Unfortunately, the server, which is mission critical, cannot be upgraded to AES, replaced, or removed. What type of control could help reduce the risk created by this server considering the company must continue to use it? A.Correlating B.Physical C.Detective D.Preventative E.Compensation
E.Compensation
During an ongoing attack an admin locks all of the compromised accounts and airgaps all infected hosts. What step of the incident response process is being described? A.Preparation B.Eradication C.Identification D.Lessons Learned E.Containment F.Recovery
E.Containment
A VPN connection needs to be configured from site A to site B while also providing the following: ·Integrity ·Encryption ·Authentication ·Anti-replay Which of the following should be enabled when configuring the VPN to meet the objectives above? A.ESP B.DNSSEC C.AH D.EDR
ESP (Encapsulated Security Payload) can provide all of the requirements above, while AH (Authentication Header) provides all of them EXCEPT encryption. EDR stands for Endpoint Detection and Response. A.ESP
A worm infected a computer, and then spread to the network's file shares. All preventative measures failed to block or detect the worm and it has continued to evade detection. What could be used to protect the network from this elusive malware? A.Install a definition-based antivirus. B.Implement an IDS/IPS. C.Implement a heuristic behavior-detection solution. D.Implement CASB to protect the network shares.
Either the worm is a zero-day and there is no signature or patch for it, or the worm is polymorphic and thereby evading detection. Nevertheless, it is time for an anomaly-based (heuristics/behavior) solution. C.Implement a heuristic behavior-detection solution.
Which is the BEST way to deploy software patches? A.Apply the patches to systems in a testing environment, then to systems in a staging environment, and finally to production systems. B.Test the patches in a staging environment, develop against them in the development environment, and then apply them to the production systems. C.Test the patches in a test environment, apply them to the production systems, and then apply them to a staging environment. D.Apply the patches to the production systems, apply them in a staging environment, and then test all of them in a testing environment.
First you apply the patches for testing in the testing environment, then the staging environments, and finally production. Development -> Testing -> Staging -> Production A.Apply the patches to systems in a testing environment, then to systems in a staging environment, and finally to production systems.
A popular manufacturer of network hardware releases a CVE (Common Vulnerability & Exposure) that outlines a weakness in the latest OS patch for their routers. This vulnerability allows attackers to perform a resource exhaustion on the SIP protocol which causes the routers to restart. What type of attack is being described? (pick two) A.DoS B.SSL stripping C.Memory leak D.Race condition E.Shimming F.Refactoring
Forcing devices to restart due to a resource exhaustion? While there are many ways to perform a resource exhaustion, the best example of that is a memory leak. A. Denial of Service, an attack that causes a system or service to be temporarily or permanently unavailable. B. An exploit that involves downgrading an SSL encrypted connection to a non-encrypted connection. C. An attack that causes a device to run out of memory (resource exhaustion), and typically leads to a system crash (DOS) or other instability. D. An undesirable situation that occurs when a device or system attempts to perform two operations at the same time, but because of the nature of the device/system, the operations must be done in the proper sequence to be done correctly. Can cause a DOS or other instability. E. Creating or modifying a DLL, driver, or API to get an app to perform a malicious or unusual function. F. An attack that utilizes a small library (shim) that transparently intercepts API calls and changes the arguments passed, handles the operation itself, or redirects the operation elsewhere. A.DoS C.Memory leak
What control could be used to detect when a mobile device is about to leave the company premises? A.Geotargeting B.Geolocation C.Geotagging D.Geofencing
Geofencing refers to accepting or rejecting access requests based on location. Geofencing can also be used to send alerts to a device when a user enters a specific area. Geotagging refers to recording the GPS location in the metadata of a file when it is created on a mobile device. D.Geofencing
A company is worried about the complexities of managing hundreds of encryption keys in a multi-cloud environment. Of the options below, what would grant them centralized control and management over the keys, while also allowing the integration of preexisting keys? A.Trusted Platform Module B.IaaS C.HSMaaS D.PaaS E.Key Management Service
Hardware Security Module as a Service. A cloud provider will manage your encryption keys! C.HSMaaS
An insider at an application development company embedded a backdoor in an application, allowing them the ability to bypass standard account login mechanisms on any computer running this app. What would be the best measure for the company to take to prevent this in the future? A.Conduct code review B.Implement application fuzzing C.Implement 2FA using TOTP D.Change the default application password
If an insider has inserted a backdoor into the application, we will need a mechanism that can detect that type of malicious activity (answer A). Fuzzing is used to test input validation, so (B) is wrong. TOTP (time based one time password, answer C) and changing the default password (answer D) wouldn't help us detect a backdoor either. A.Conduct code review
After many passwords were leaked to the dark web, an admin has decided everyone must change their password at next login. What should the admin consider to minimize the likelihood that accounts are compromised again after the reset is issued? A.A geofencing policy based on logon history B.Encrypted credentials in transit C.Account lockout after three failed attempts D.A password reuse policy
If the passwords have been leaked, we don't want anyone to REUSE the same password when they are prompted to change them! D.A password reuse policy
A company has maintained highly detailed records of all of their authorized network devices and is planning to use WiFi for all laptops that need network access. What would alleviate the risk of a script kiddie brute forcing a PSK on a wireless access point? A.BPDU guard B.WPA-EAP C.IP filtering D.A WIDS
If we have detailed records, let's limit which devices can even use the APs by filtering the IP addresses. While a skilled hacker could easily get around this, a script kiddie probably couldn't. C.IP filtering
What forensics technique must be used to preserve the admissibility of evidence? A.Order of volatility B.Data recovery C.Chain of custody D.Non-repudiation
In criminal and civil law, the term "chain of custody" refers to the order in which items of evidence have been handled during the investigation of a case. Proving that an item has been properly handled through an unbroken chain of custody is required for it to be legally considered as evidence in court. C.Chain of custody
Which of the access control mechanisms listed below uses classification labels? A.Mandatory B.Role-based C.Rule-based D.Discretionary
In the MAC (mandatory access control) model: •Subjects (users/applications) are granted clearance tags/labels. •Objects (files/folders/etc) are given classification tags/labels. If you have, for example, secret clearance, you are permitted within the MAC model to see secret, confidential, and any other classifications considered to be beneath secret. You cannot see any files with classifications above your clearance level, such as top secret. A.Mandatory
To protect business operations during an incident, a manager has asked you to update the execution prevention rules to stop malware from spreading to critical systems. Which of the following incident response steps are you being asked to perform? A.Investigation B.Lessons learned C.Containment D.Recovery E.Eradication
Incident response process = PICERL: Prepare, Identify, Contain, Eradicate, Recover, Lessons-learned. C.Containment
A technician at the SOC (security operations center) is using a SIEM to aggregate and correlate alert messages gathered from all across the network. What step of incident response are they most likely involved in? A.Eradication B.Preparation C.Identification D.Recovery
Incident response process = PICERL: Prepare, Identify, Contain, Eradicate, Recover, Lessons-learned. C.Identification
After returning from an overseas trip with a company laptop, an employee is unable to establish a VPN on the laptop in the home office. What is the most likely explanation for why they are unable to establish a VPN connection? A.Due to foreign travel, the user's laptop was isolated from the network. B.The user's laptop was quarantined because it missed the latest patch update. C.The VPN client was blacklisted. D.The user's account was put on a legal hold.
It is very likely that there was a policy in place where the laptop must be scanned or checked back in before it can resume using the VPN service. This type of policy is not unusual, and it may be described as a host health check. (B) is also a possibility, but it seems less likely than (A). A.Due to foreign travel, the user's laptop was isolated from the network.
An admin logs into the domain controller and finds the following information: Based on the evidence gathered, what best describes this attack? A.Brute-force B.Spraying C.Keylogger D.Credential harvesting
It looks like a hacker is trying to gain access to one of the accounts listed below. Password spraying is a safe assumption. See the notes for more explanation. B.Spraying PASSWORD SPRAYING: Step 1: Acquire a list of usernames. This part can be difficult. Step 2: Try common passwords with each of the user accounts. This part is very easy. Step 3: Gain access, assuming you don't get caught! Pg 159 in student guide.
After an incident was identified, it took more than an hour to quarantine the affected system. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve this process? A.Updating the playbooks with better decision points. B.Dividing the network into trusted and untrusted zones. C.Providing additional end-user training on acceptable use. D.Implementing manual quarantining of infected hosts.
It sounds like the incident response playbook needs some revision. A.Updating the playbooks with better decision points.
Employee tablets and phones have been losing WiFi connectivity in specific places within the sales offices. What should a network technician use to determine the source of the problem? (pick two) A.Perform a site survey B.Install a captive portal C.Deploy an FTK imager D.Upgrade the security protocols E.Create a heat map F.Scan for rogue access points
It sounds like we have a problem with interference or employees are walking out of range. Perform a site survey to figure out where the access points are located, what the building is made of, and which frequencies are in use. Then, create a heat map that details where the signal is strong versus where it is the weakest. We may need to change antennas, adjust the signal strength, use a different channel/frequency, or get a few more access points. FTK = Forensics Tool Kit imager is used to quickly assess electronic evidence. A.Perform a site survey E.Create a heat map
Of the options below, which attack could potentially have the worst impact on an unpatched PLC (programmable logic controller) running a LAMP server that is accessible via HTTP? (pick two) A.Cross-site scripting B.Data exfiltration C.Poor system logging D.Weak encryption E.SQL injection F.Server-side request forgery
LAMP (Linux, Apache, MySQL, PHP/Perl/Python) is a very common example of a web service stack, after its four original components: the Linux operating system, the Apache HTTP Server, the MySQL relational database management system (RDBMS), and the PHP programming language. Code being inserted into the webpage, or into the SQL application, will be the most impactful thing that could happen to the device itself. Everything else is an inconvenience or an issue relating to privacy, that wouldn't significantly impact the device, but could harm the business. A.Cross-site scripting E.SQL injection
A company lacks the personnel and expertise to secure their new cloud platform. Of the options below, which could best assist the company with their security needs? A.MSSP B.SOAR C.IaaS D.PaaS
MSSP = Managed Security Service Provider A third party organization hired to manage another company's security. A.MSSP
After a server failure, it took the cloud provider 120 minutes to bring the system back online. Meanwhile, an affected company expected the server would be available again within 60 minutes. Of the answers below, what best illustrates the company's expectation? A.MTBF B.RPO C.MTTR D.RTO
MTBF = Mean Time Between Failures. RPO = Recovery Point Objective (acceptable amount of data loss). MTTR = Mean Time To Recovery (real-world average time for recovery). RTO = Recovery Time Objective (goal/expected time for recovery). D.RTO
Before entering a high security environment, all guests must put their phone in a metal lockbox, and leave it outside of the lab. Which risk inspired the creation of this policy? A.The theft of portable electronic devices B.Geotagging in the metadata of images C.Bluesnarfing of mobile devices D.Data exfiltration over a mobile hotspot
Metal boxes? Sounds like a Faraday cage. The company is worried about someone using a wireless technology (like a hotspot) to exfiltrate data. The metal lockbox will block all wireless signals, thereby mitigating the risk. D.Data exfiltration over a mobile hotspot
Of the control types listed below, what best fits the description of a NIDS? A.Corrective B.Physical C.Administrative D.Detective
NIDS = Network Intrusion Detection System D.Detective
Before a new application can be sent to the production environment, a developer needs to perform the following: •code-execution testing •black-box testing •non-functional testing What best describes the series of tasks the developer needs to perform? A.Verification B.Validation C.Normalization D.Staging
Non-functional testing is focused on the user experience and performance of the software. All of these would be performed as part of staging, in a staging environment. Staging environments are built to mimic the real production environment. We would also do fuzzing and stress testing in this environment. D.Staging
A designer is building a new database for the company. What could they implement to improve the efficiency and accuracy of the future database? A.Obfuscation B.Normalization C.Data masking D.Tokenization
Normalization is a form of input validation. Any string that is input is stripped of illegal characters and converted to the accepted character set before being entered into or processed by the database. B.Normalization
A hospital has a new encrypted document management application that allows remote doctors to securely access patient hospital records. However, the PHI data is being blocked by the hospital's DLP system. What would be the best way to resolve this issue without unnecessarily compromising the system's security? A.Configure the DLP policies to allow all PHI B.Configure the DLP policies to whitelist this application with the specific PHI C.Configure the firewall to allow all ports that are used by this application D.Configure the antivirus software to allow the application. E.Configure the application to encrypt the PHI
Our goal is to enable the use of the application with as little risk as possible. Whitelisting (allowing) the PHI data will be required for this to work, and we want to limit the whitelisting to this new application only. B.Configure the DLP policies to whitelist this application with the specific PHI
What could be used to allow for secure authentication to cloud services and third-party websites without the need to send a password? A.SSO B.PAP C.Oauth D.SAML
PAP, typically used with point-to-point serial connections, sends your password as plaintext. Oauth is typically used for sending authorizations from one web service / cloud server to another, but doesn't typically handle authentication. SAML is an XML-based format used to exchange authentication information and thereby achieve identity federation (SSO). It doesn't actually send your password from one system to another in the process. Instead, it tokenizes credentials across multiple parties. D.SAML
What is ISO 27701?
Privacy Information Management. An extension to ISO 27001 that outlines rules and regulations specifically tied to privacy.
The SLA created with the cloud storage provider outlines the acceptable amount of data loss must be no greater than one hour in the event of a disaster. What metric is being described in this agreement? A.DRP B.RPO C.RTO D.MTTR
Recovery Point Objective (RPO) is the acceptable amount of data loss. If the cloud provider was to lose more than one hour worth of data for any reason, they would be subject to penalties as outlined in the SLA (service level agreement). B.RPO
What is ISO 31000?
Risk Management Best Practices. Generic (non-specific) suggestions for managing risk response within an organization.
Which of the following is the most secure choice for MANAGING a Unix-based network device? A.SSH B.DNS C.SNMP D.Telnet E.HTTP
SSH provides an encrypted remote connection to another device via the command line. It is still commonly used when managing UNIX systems and network-based devices. It operates on TCP port 22. A.SSH
A contractor working for the company updated several applications and plugins on the cloud platform causing a massive outage. Of the options below, what would best prevent this from happening again? A.SWG B.CASB C.Automated failover D.Containerization
SWG = Secure Web Gateway. It's an application firewall built to serve cloud applications. While these are capable of inspecting traffic and filtering out scripting attacks, it is unlikely that the gateway would block an application from receiving an update. CASB = Cloud Access Security Broker. This is a proxy server that limits access and enforces access control for the cloud on a per-user basis. Many CASBs include SWG functionality, and a CASB could block an application or plugin from receiving an update. B.CASB
A company needs to detect single points of failure in their security systems. Which of the following policies or concepts would assist them in this endeavor? A.Mandatory vacation B.Separation of duties C.Awareness training D.Least privilege
Separation of duties would allow at least one other individual to identify a flaw in a process, especially when considering the risk from an insider threat. To resolve SPoFs with personnel, use job rotation. B.Separation of duties
Which will most affect the collection of live forensics data? (Pick two) A.Data accessibility B.Right-to-audit clauses C.Legal hold D.Value and volatility of data E.Data retention legislation F.Cryptographic or hash algorithm
Since the rise of cloud providers, gaining access to the LIVE data has become increasingly difficult. (A) Data accessibility. Can we get to the data we need to collect? (D) Value and volatility. How important is the data, and how long will it last before it is erased? Some types of data are inherently more volatile than others, meaning they need to be collected quickly or they will no longer be available. A.Data accessibility D.Value and volatility of data
While minimizing inconvenience for employees, what would protect a corporate laptop's HDD from possible data theft? A.HSM B.TPM C.SED D.DLP
Since they specified HDD (hard disk drive), a SED is a slightly better answer than a DLP. HSM = Hardware Security Module, an add-on device that is plugged into a computer to provide crypto processing and manage/store digital encryption keys. TPM = Trusted Platform Module, just like the HSM, but built into your motherboard. It can do everything the HSM can do, but it can't be removed. A thief will have to take the entire motherboard if they want the keys! SED = Self-Encrypting Drive, a hard drive that encrypts itself. Faster encryption when compared with software encryption options like BitLocker. DLP = Data Loss Prevention, used to protect data from theft while in motion, at rest, or in use. C.SED
A computer on the company network was infected with malware and the user says they haven't used the device for anything but browsing the internet. They did not download anything or open any emails on the infected computer. Of the options below, what might help a technician find where the malware came from? A.The DNS logs B.The web server logs C.The SIP traffic logs D.The SNMP logs
The DNS logs will reveal which websites the user went to. A.The DNS logs
Which is the most accurate? A.The data owner is responsible for adhering to the rules for using the data, while the data custodian is responsible for determining the corporate governance regarding the data. B.The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protections to the data. C.The data owner is responsible for controlling the data, while the data custodian is responsible for maintaining the chain of custody. D.The data owner grants the technical permissions for data access, while the data custodian maintains the database access controls to the data.
The custodian described in (A) is actually the job description of the data steward. Owner: management role over the data. Steward: governance/compliance. Custodian: access controls and security enforcement. Privacy Officer: PII and disclosure. B.The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protections to the data.
An intelligence organization detects IoC (Indicators of Compromise) coming from several different companies that use their services. Before the organization can release news of these threats, what are they obligated to do? A.Perform attribution to specific APTs and nation-state actors. B.Anonymize any PII that is observed within the IoC data. C.Add metadata to track the utilization of threat intelligence reports. D.Assist companies with impact assessments based on the observed data.
The evidence they collected could be very sensitive and needs to be anonymized before any part of it can be shared. B.Anonymize any PII that is observed within the IoC data.
The company wants to deploy MFA on desktops in the main office. They have specified that the MFA solution must be non-disruptive and as user friendly as possible. Which of the options below would be best considering these conditions? A.One-time passwords B.Email tokens C.Push notifications D.Hardware authentication
The most user-friendly option would be hardware authentication. If the hardware provides authentication on its own through a certificate or token, it will not require any extra steps for the end user. All of the other options require a user to get a PIN and enter it in addition to a password. D.Hardware authentication
Which of the following would best enable an organization to be better prepared for a ransomware attack, while also increasing resiliency and minimizing downtime? A.Use email-filtering software and centralized account management, patch high-risk systems, and restrict administration privileges on fileshares. B.Purchase cyber insurance from a reputable provider to reduce expenses during an incident. C.Invest in end-user awareness training to change the long-term culture and behavior of staff and executives, reducing the organization's susceptibility to phishing attacks. D.Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.
The only one that directly minimizes downtime is (D). D.Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.
Several credit card numbers have been stolen and incident response has determined the following: •All SSL encrypted traffic is sent through an inspection proxy at the edge of the company network •Only the traffic going through the proxy was compromised •Traffic that did not go through the proxy (the guest network) was not compromised •The websites that employees used to make online purchases were not the cause of the compromise What is the most likely cause of this compromise considering the facts above? A.HTTPS sessions are being downgraded to insecure cipher suites. B.The SSL inspection proxy is feeding events to a compromised SIEM. C.The payment providers are insecurely processing credit card charges. D.The adversary has not yet established a presence on the guest WiFi network.
The only thing we know for sure is that the inspection proxy is integral to this issue. The only answer that involves the proxy is (B). Process of elimination is crucial when troubleshooting any problem, incident, or tricky test question! B.The SSL inspection proxy is feeding events to a compromised SIEM.
Of the cloud service models listed below, which would include storage, networking, and servers, but not applications? A.DaaS B.SaaS C.PaaS D.IaaS
The three primary cloud SERVICE models are SaaS, PaaS, and IaaS. DaaS = Desktop as a Service: it's VDI, but through the cloud. D.IaaS
An international company is expanding its services and is creating several new servers to store customer data. Of the options listed below, which would likely contain an outline of roles/responsibilities for data controllers/processors that the company should follow? A.ISO 31000 International risk management best practices B.GDPR The European Union's regulation that states that personal data cannot be collected or processed without the individual's informed consent. C.PCI DSS Outlines how credit card/bank info must be safely managed. D.SSAE SOC2 An audit/test that reports on an organization's controls relative to the CIA triad.
The question is somewhat vague, so we will want a generalized answer. The GDPR (General Data Protection Regulation) is most likely to outline responsibilities for data controllers/processors/users. B.GDPR The European Union's regulation that states that personal data cannot be collected or processed without the individual's informed consent.
An admin performing a routine audit at the company revealed that a network appliance with an embedded OS is potentially vulnerable to compromise. Looking back at the company records, the admin notices that this same piece of hardware was identified as vulnerable during the last three audits. What best explains the appliance's vulnerable state? A.The appliance requires administrative credentials for the assessment. B.The vendor has not supplied a patch for the appliance. C.The device uses weak encryption ciphers. D.The system was configured with weak default security settings.
The question should be interpreted as "why hasn't anyone fixed this thing?" Either the company is negligent or there isn't a patch for this particular system (answer B). B.The vendor has not supplied a patch for the appliance.
Users are having trouble accessing the internet and file shares on remote servers. A technician observes the following on the edge router: CPU UTILIZATION: 0% (last checked 5 minutes ago); 5 minute average: 10%; 1 minute average: 95%; 1 second average: 99%. What is the problem with the edge router? A.DDoS attack B.Memory leak C.Buffer overflow D.Resource exhaustion
The traffic volume seems to be spiking periodically. If the average utilization is in the high 90s, we run the risk of resource exhaustion. The router's CPU simply can't handle any more traffic. D.Resource exhaustion
A worm spread rapidly through a company's network infecting dozens of host machines before it was detected. What would be the best approach to preventing this from happening again? A.Segment the network with firewalls B.Install a NIDS device at the boundary C.Implement application blacklisting D.Update all antivirus signatures daily
There is no mention of this worm being polymorphic, so signature-based antimalware tools would be very effective at stopping it, assuming they are updated regularly. We don't know the topology of this network or what port the worm used to spread, so it is hard to tell if segmentation with firewalls is even possible or useful. (D) is the best answer, and (A) is the runner-up. D.Update all antivirus signatures daily
What type of plan would the company use in the event that they completely lost all of their critical systems and data? A.Data retention plan B.Disaster recovery plan C.Communications plan D.Incident response plan
They lost everything? That sounds like a disaster! B.Disaster recovery plan
An admin wanted to better understand their company's security posture from an outsider's perspective. Examine the information they gathered below. What is true based on the admin's findings? (pick two) A.They used Whois to produce this output B.They used cURL to produce this output C.They used Wireshark to produce this output. D.The organization has adequate information in public registration. E.The organization has too much information available in public registration. F.The organization has too little information available in the public registration.
This is an output from a Whois search. Contact information (phone number, email, address of registrant) should not be stored in the Whois as per the GDPR. A.They used Whois to produce this output E.The organization has too much information available in public registration.
What would best protect a company from data theft via USB drives or other removable media? A.Blocking removable-media devices and write capabilities using a host-based security tool B.Implementing a group policy to block user access to system files C.Monitor large data transfer transactions in the firewall logs D.Develop mandatory training to educate employees about the removable media policy
To best protect the company we need a preventative control. (A) Blocking USBs with a host-based tool will achieve the desired results. Good answer! (B) The majority of files we are protecting are not likely to be specifically "system files". (C) This is a detective control and, furthermore, not possible in most systems, if any. (D) Training is nice, but a preventative technical control like (A) will be more reliable. A.Blocking removable-media devices and write capabilities using a host-based security tool
An admin has found a vulnerability on a cloud server. Before a patch can be applied, what should the admin consider? A.Resource management B.Configuration management C.Incident management D.Change management
To ensure that no changes are made without permission, or without due caution, all patches (and all changes for that matter) should go through change management. D.Change management
A webserver was recently overwhelmed by a sudden flood of SYN packets from multiple sources. Of the options below, which best describes this attack? A.Worm B.Botnet C.Virus D.RAT E.Logic bomb
To overwhelm a server with SYN packets we will need to utilize the combined bandwidth of a botnet. A botnet is a collection of compromised computers that act together in unison to perform a DDoS (Distributed Denial of Service). The individual computers are often called bots or zombies. B.Botnet
Without losing the ability to search or fully utilize the data, what is the best protection mechanism for data stored on cloud-based services? A.Data encryption B.Data masking C.Anonymization D.Tokenization
Tokenization: A deidentification method where a unique token is substituted for real data. Unlike masking, it is non-destructive. It is used as a substitute for encryption, because from a regulatory perspective an encrypted field is the same value as the original data. D.Tokenization
A cloud service provider (CSP) outlines in a contract that the customer has the ultimate responsibility of ensuring the resources and services provided by the CSP are not used for illegal or fraudulent activity. Which of the risk responses is the CSP demonstrating? A.Risk avoidance B.Risk acceptance C.Risk transference D.Risk mitigation
Transference: The cloud provider has transferred the risk, and thereby the responsibility for securing the services, to the customer. C.Risk transference
A user is having a problem accessing network shares. An admin investigates and finds the following on the user's computer: What attack has been performed on this computer? A.Directory traversal B.Pass-the-hash C.MAC flood D.ARP poisoning E.IP conflict F.DHCP starvation attack
Two different devices shouldn't have the same MAC addresses. Since these are dynamically learned ARP entries, it is reasonable to believe this was an ARP poisoning. Device .1 is probably the default gateway and then device .11 is the MitM. D.ARP poisoning
An admin is deploying access points that will use PKI for authentication. What needs to be configured for this to work? A.Captive portal B.WPS C.802.1x D.PSK
Using PKI to authenticate into the access point will require an AAA system (a RADIUS or TACACS server must be on the network and configured properly). This process is described in the standard 802.1x, and is also referred to as "enterprise authentication". C.802.1x
You enter a username and password and then must draw a gesture on a touch screen. Which of the following answers best describes what you are doing? A.Multifactor authentication B.Something you can do C.Biometrics D.Two-factor authentication
Very bad question. All bad answers, but while a specific gesture is "something you know", we have to assume that isn't the answer because it isn't an option, and the same goes for this being only a single factor. If you argue that (B) applies to a gesture lock, then combining the gesture with the username and password makes two factors of authentication. This feels like a logic puzzle more than a question, but sometimes that's just what you get. D.Two-factor authentication
Your company wants to build another office that is expected to cost two million dollars. The town that this new office will be built in has a history of terrible earthquakes, once every 50 years. The estimated damage is 50% of the building's cost. What is the SLE (Single Loss Expectancy)? A.20,000 B.40,000 C.500,000 D.1,000,000 E.4,000,000
We are given the AV, EF, and ARO. We need to solve for SLE. (AV) Asset Value: $2 million. (EF) Exposure Factor: 0.5 (half the value, 50%). (SLE) Single Loss Expectancy: $1 million <- answer. (ARO) Annual Rate of Occurrence: 0.02 (1 every 50 years). (ALE) Annual Loss Expectancy: $20,000. EQUATIONS: AV x EF = SLE, so 2 million x 0.5 = 1 million. SLE x ARO = ALE (this equation is not needed in this question). D.1,000,000
An admin is concerned that a threat actor may have breached the company network using a new and publicly available exploit. What should be checked first that would best inform the admin as to the order for future data forensics? A.The vulnerability scan output B.The SIEM alerts C.The IDS logs D.The full packet capture data
We may have been compromised! Let's check the vulnerability scanner and let that inform our future decisions relating to data forensics. The vulnerability scanner should give us the best look into our network's security posture (level of vulnerability) and may also give us some clues (IoCs = indicators of compromise). A.The vulnerability scan output
An organization is worried that the SCADA network that controls the environmental systems could be compromised if the staff's WiFi network was breached. What would be the best option to mitigate this threat? A.Install a smart meter on the staff WiFi. B.Place the environmental systems in the same DHCP scope as the staff WiFi. C.Implement Zigbee on the staff WiFi access points. D.Segment the staff WiFi network from the environmental systems network.
We should isolate/separate/segment those networks! D.Segment the staff WiFi network from the environmental systems network.
A cloud administrator is configuring five compute instances under the same subnet in a VPC. Which of the following must the administrator configure to meet this requirement? A.One security group B.Two security groups C.Three security groups D.Five security groups
While it is possible that each instance has its own security group, a single security group can manage multiple instances. So the minimum requirement is only one group. P. 426 A.One security group
An attacker used a keylogger to remotely monitor a user's input, thereby harvesting important credentials. What would best mitigate or prevent this threat in the future? A.Change default passwords B.Update cryptographic protocols C.Implement 2FA using push notifications D.Force password resets for compromised accounts E.Enforce complexity requirements through group policy
With 2FA (two-factor authentication), the attacker can get our password (something you know) with a keylogger, as described above, but will not be able to access the system without the PIN from the push notification (something you have). C.Implement 2FA using push notifications
HD cameras located throughout the airport are going to be used to track passengers without requiring them to enroll in a biometric system. Of the biometric options below, what would be suitable for this advanced security tracking system? (pick two) A.Voice B.Vein C.Facial D.Gait E.Fingerprint F.Retina
Without enrollment, the only things the cameras could reasonably use would be facial recognition and gait (how someone walks, or the distance between their steps). C.Facial D.Gait
Several team members are collaborating on the same project. They bring their code together with an automation tool that also ensures that it is validated (tested) and tracked through version control. Of the options below, what most accurately describes this process? A.Continuous monitoring B.Continuous validation C.Continuous integration D.Continuous delivery
The word "validate" is there to throw you off. Continuous validation has to do with compliance and design goals. Continuous integration is more focused on multiple developers working in parallel. a. Constant/automatic detection of security problems and service failures. b. Automatic compliance testing and frequent checks to ensure it meets design goals. c. Quickly applying changes, keeping track of changes/versions, and constant testing. d. Consistent testing of the infrastructure that supports the app, such as the network. C.Continuous integration
What will help protect a company from phishing and spear-phishing attacks? A.DNSSEC and DMARC B.DNS query logging C.Exact mail exchanger records in the DNS D.The addition of DNS conditional forwarders
https://dmarc.org/ DMARC is a way to make it easier for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn't. This makes it easier to identify spam and phishing messages, and keep them out of people's inboxes. A.DNSSEC and DMARC