Security +

Which of the following are types of cryptography algorithms used in computer security? (Select three) A. Hash function B. Symmetric encryption C. Asymmetric encryption D. Crypto module

A. Hash function B. Symmetric encryption C. Asymmetric encryption

A company recently experienced a data breach and the source was determined to be an executive who was charging a phone in a public area. Which of the following would MOST likely have prevented this breach? O A device pin O Biometrics O A firewall O A USB data blocker

Biometrics

What kind of bot operates on social media platforms? A. Googlebot B. Web crawler C Social bot D. Chatbots

C Social bot social media bots are automated programs used to engage in social media. These bots behave in an either partially or fully autonomous fashion, and are often designed to mimic human users.

Which cloud delivery model has an infrastructure shared by several organizations with shared interests and common IT needs? O Private O Community O Hybrid O Public .

O Community A community delivery model has an infrastructure shared by several organizations with shared interests and common IT needs

Virtualization that does not utilize hypervisors can be accomplished through the use of which of the following? O Sinks O Containers o Wrappers O Portals

O Containers Virtualization that does not utilize hypervisors can be accomplished through the use of containers, also known as "Docker containers." For more information, see Chapter 6.

An administrator at a sister company calls to report a new threat that is making the rounds. According to him, the latest danger is an attack that attempts to intervene in a communications session by inserting a computer between the two systems that are communicating. Which of the following types of attacks does this constitute? A. Man-in-the-middle attack B. Backdoor attack C. Worm D. TCP/IP hijacking

. A. Man in the middle A man-in-the-middle attack attempts to fool both ends of a communications sessioninto believing that the system in the middle is the other end.

What kind of attack is like a thief trying to break into a combo safe by attempting every possible combination of numbers until the safe opens? 1. Encryption spoof 2. Social engineering 3. Path attack 4. Brute force attack

4. Brute force attack A brute force attack is a trial-and-error method used to decode sensitive data. What differentiates brute force attacks from other cracking methods is that brute force attacks don't employ an intellectual strategy; they simply try using different combinations of characters until the correct combination is found

Analyze and compare the features of smart cards that are utilized for authentication. Select the options that accurately describe features that may be found on smart cards. (Select two) A. Smart cards can be either contact-based or contactless, which means they either are inserted into a system or must be in the proximity of the system to authenticate the user. B. ISO has published standards to promote interoperability for smart cards. ISO 14443 was published for contact cards while ISO 7816 was published for contactless cards. C. Smart cards can have multiple uses in addition to network access. Another use a company may employ is building access for users. D. Smart cards use a 2-step verification process such as a pin that the user must enter with the card. If the user loses the card there is no risk and the user simply needs to request a new card from the issuer.

A and C A. Smart cards can be either contact-based or contactless, which means they either are inserted into a system or must be in the proximity of the system to authenticate the user. C. Smart cards can have multiple uses in addition to network access. Another use a company may employ is building access for users.

Imagine you are on your way to a meeting and you decide to take the highway because its faster. You get onto the on ramp and stop because an unexpected traffic jam is clogging up the highway, preventing regular traffic from arriving at its destination. What type of attack does this resemble? A. DNS cache poisoning B. Domain hijacking C. Distributed denial-of-service D. DNS tunneling

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. Things to look for: Suspicious amounts of traffic originating from a single IP address or IP range A flood of traffic from users who share a single behavioral profile, such as device type, geolocation, or web browser version An unexplained surge in requests to a single page or endpoint Odd traffic patterns such as spikes at odd hours of the day or patterns that appear to be unnatural (e.g. a spike every 10 minutes)

A Certificate Revocation List (CRL) has a publish period set to 24 hours. Based on the normal procedures for a CRL, what can be deduced as the most applicable validity period for this certificate? A. 26 hours B. 1 hour C. 23 hours D. 72 hours

A. 26 hours

Identify the attack that can be launched by running software such as Dsniff, Cain and Abel, or Ettercap from a computer attached to the same switch as the target. A. ARP poisoning attack B. MAC spoofing C. MAC flooding D. Man-in-the-Middle (MitM)

A. ARP poisoning attack

Analyze the types of interoperability agreements to determine which scenario illustrates a Service Level Agreement (SLA). A. A company operating a server farm signs a contractual agreement stating the required availability of the servers allocated to a firm. B. Two companies sign a formal agreement outlining specific obligations each party must comply with. C. A company enters a preliminary agreement expressing an intent to work together and includes a confidentiality clause. D. A federal agency signs an agreement between a commercial entity and the federal agency it will interconnect its IT system with

A. A company operating a server farm signs a contractual agreement stating the required availability of the servers allocated to a firm.

A nuclear plant was the victim of a recent attack, and all the networks were air gapped. A subsequent investigation revealed a worm as the source of the issue. Which of the following BEST explains what happened? A. A malicious USB was introduced by an unsuspecting employee. B. The ICS firmware was outdated C. A local machine has a RAT installed. D. The HVAC was connected to the maintenance vendor.

A. A malicious USB was introduced by an unsuspecting employee. Air-gapped systems are disconnected from the outside world- no wifi - only physically connected

A security analyst is preparing a threat for an upcoming internal penetration test. The analyst needs to identify a method for determining the tactics, techniques, and procedures of a threat against the organization's network. Which of the following will the analyst MOST likely use to accomplish the objective? A. A table exercise B. NST CSF C. MTRE ATT$CK D. OWASP

A. A table exercise

How is SLE calculated? A. AV * EF B. RTO * AV C. MTTR * EF D. AV * ARO

A. AV * EF The single loss expectancy (SLE) describes what a single risk event is likely to cost. It is calculated using the asset value (AV) times the exposure factor (EF), which is an estimated percentage of the cost that will occur in damage if the loss occurs. MTTR is the mean time to restore, ARO is the annual rate of occurrence, and RTO is the recovery time objective. These are not part of the SLE equation.

A manufacturer creates designs for very high security products that are required to be protected and controlled by government regulations. These designs are not accessible by corporate networks or the Internet. Which of the following is the BEST solution to protect these designs? A. An air gap B. A Faraday cage C. A shielded cable D. A demilitarized zone

A. An air gap

You're explaining the basics of security to upper management in an attempt to obtain an increase in the networking budget. One of the members of the management team mentions that they've heard of a threat from a virus that attempts to mask itself by hiding code from antivirus software. What type of virus is she referring to? A. Armored virus B. Malevolent virus C. Worm D. Stealth virus

A. Armored virus An armored virus is designed to hide the signature of the virus behind code that confuses the antivirus software or blocks it from detecting the virus.

When is an RTO established for an organization? A. As part of the BIA process B. As part of the COOP assessment C. As part of the RPO calculation D. As part of hot site build-out process

A. As part of the BIA process The purpose of the BIA(Business Impact analysis) is to help you prioritize your business processes and tell you where to start when beginning your response. When creating a BIA, there are going to be three (3) main components that you should address to get the best results, including 1) Impacts, 2) Timeframes, and 3) Dependencies. RTOs, or recovery time objectives, define how soon a service needs to be restored and the service level it needs to be restored to after a disaster or interruption of service. RTOs are driven by a need to prevent severe disruptions in business and are often paired with recovery point objectives (RPOs), which define how long data may be lost during a major incident. COOP (Continuity of Operations Plan) is a federal process for ensuring continuity of operations, and non-U.S. governmental organizations will typically not conduct COOP planning. A hot site buildout process may be driven by RPOs, but RPOs are not established as part of the buildout.

A manufacturing company hires a pen-testing firm to uncover any vulnerabilities in their network with the understanding that the pen-tester receives no information about the company's system. Which of the following penetration testing strategies is the manuf. company requesting? A. Black box B. White box C. Gray box

A. Black box

An attacker has placed an opaque layer over the Request A Catalog button on your web page. This layer tricks visitors into going to a form on a different website and giving their contact information to another party when their intention was to give it to you. What type of attack is this known as? A. Clickjacking B. Man-in-the-middle C. XSRF D. Zero-day

A. Clickjacking Clickjacking involves an attacker using multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they were intending to click the top-level page.

An analyst is concerned about data leaks and wants to restrict access to Internet services to authorized users only. The analyst also wants to control the actions each user can perform on each service Which of the following would be the BEST technology for me analyst to consider implementing? A. DLP B. vpc C. CASB D. ACL

A. DLP

Imagine that, as a senior-year prank, high school seniors change out all the room numbers on their high school campus, so that the new students who don't know the campus layout yet will spend the next day getting lost and showing up in the wrong classrooms. Now imagine that the mismatched room numbers get recorded in a campus directory, and students keep heading to the wrong rooms until someone finally notices and corrects the directory. What type of attack does this resemble? A. DNS cache poisoning B. Domain hijacking C. Distributed denial-of-service D. DNS tunneling

A. DNS cache poisoning DNS cache poisoning-Domain Name Server (DNS) spoofing (a.k.a. DNS cache poisoning) is the act of entering false information into a DNS cache, so that DNS queries return an incorrect response and users are directed to the wrong websites. DNS cache poisoning is also known as 'DNS spoofing.' IP addresses are the 'room numbers' of the Internet, enabling web traffic to arrive in the right places. DNS resolver caches are the 'campus directory,' and when they store faulty information, traffic goes to the wrong places until the cached information is corrected

Which type of attack denies authorized users access to network resources? A. DoS B. Worm C. Logic bomb D. Social engineering

A. DoS (Denial of service) A DoS attack is intended to prevent access to network resources by overwhelming or flooding a service or network.

The company Charles works for has recently had a stolen company cell phone result in a data breach. Charles wants to prevent future incidents of a similar nature. Which of the following mitigation techniques would be the most effective? A. Enable FDE via MDM B. A firewall change C. A DLP rule D. A new URL filter rule

A. Enable FDE via MDM A variety of configuration changes could be pushed to mobile devices to help: setting passcodes, enabling full-disk encryption (FDE) on mobile devices via organizationally deployed mobile device management (MDM), or even preventing some sensitive files from being downloaded or kept on those devices could all help. Firewall rules, data loss prevention (DLP) rules, and URL filters will not prevent a stolen device from being accessed and the data being exposed.

What type of attack uses a second wireless access point (WAP) that broadcasts the same SSID as a legitimate access point, in an attempt to get users to connect to the attacker's WAP? A. Evil twin B. IP spoofing C. Trojan horse D. Privilege escalation

A. Evil Twin Evil twin attacks use a malicious access point configured to appear to be identical to a legitimate AP. Attackers wait for their targets to connect via the evil twin, and can then capture or modify traffic however they wish. IP spoofing uses the IP address of a system already on the network. Trojan horses are malware that appear to be legitimate software or file privilege escalation is the process of using exploits to gain higher privileges.

What is the term used for events that were mistakenly flagged although they weren't truly events about which to be concerned? O False positives O Fool's gold 0 Non-incidents O Error flags

A. False positives False positives are events that were mistakenly flagged and aren't truly events to be concerned about.

Analyze the features of Microsoft's Information Rights Management (IRM) and choose the scenarios that accurately depict IRM. (Select three) A. File permissions are assigned based on the roles within a document B. A document is emailed as an attachment but cannot be printed by the receiver C. A document does not allow screen capture to any device it is sent to D. An email message cannot be forwarded to another employee

A. File permissions are assigned based on the roles within a document B. A document is emailed as an attachment but cannot be printed by the receiver D. An email message cannot be forwarded to another employee

Select the phase of risk management a company has performed if they analyzed workflows and identified critical tasks that could cause a business to fail if not performed. A. Identify mission essential functions B. Identify vulnerabilities C. Identify threats D. Analyze business impacts

A. Identify mission essential functions

A senior network manager is planning to train technicians on configuring secure remote access protocols. Which of the following talking points should be included in the training? (Select two) A. Implement a VPN for support access to networks over the Internet and to secure communications between sites B. Select a VPN protocol that gives the most effective security, while also being supported by servers and client devices .C. Install a VPN concentrator inside the network and include a secure firewall configuration to prevent compromise. D. Develop a remote access policy to ensure all company employees can connect to the network and avoid network compromise by remote clients with weak security.

A. Implement a VPN for support access to networks over the Internet and to secure communications between sites. B. Select a VPN protocol that gives the most effective security, while also being supported by servers and client devices.

Daniel works for a mid-sized financial institution. The company has recently moved some of its data to a cloud solution. Daniel is concerned that the cloud provider may not support the same security policies as the company's internal network. What is the best way to mitigate this concern? A. Implement a cloud access security broker. B. Perform integration testing. C. Establish cloud security policies. D. Implement security as a service.

A. Implement a cloud access security broker A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises network and a cloud provider's infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of their security policies into the cloud.

What key advantage does an elliptical curve cryptosystem have over an RSA-based cryptosystem? A. It can use a smaller key length for the same resistance to being broken .B. It requires only a single key to encrypt and decrypt. C. It can run on older processors. D. It can be used for digital signatures as well as encryption.

A. It can use a smaller key length for the same resistance to being broken Elliptical curve cryptography (ECC) is faster because it can use a smaller key length to achieve levels of security similar to a longer RSA key (a 228-bit elliptical curve key is roughly equivalent to a 2,380-bit RSA key). Using the same key to encrypt and decrypt would be true for a symmetric encryption cryptosystem; however, neither of these are symmetric. Either algorithm can run on older processors given the right cryptographic libraries or programming, although both will be slower. Both can be used for digital signatures.

What does a message authentication code (MAC) do when used as part of a cryptographic system? A. It validates the message's integrity and authenticity. B. It validates the message's confidentiality and authenticity. C. It protects the message's confidentiality and integrity. D. None of the above.

A. It validates the message's integrity and authenticity. A MAC supports authentication and integrity and is used to confirm that messages came from the sender who is claimed to have sent it and also ensure that recipients can validate the integrity of the message. It does not help with confidentiality.

Your system has just stopped responding to keyboard commands. You noticed that this occurred when a spreadsheet was open and you connected to the Internet. Which kind of attack has probably occurred? A. Logic bomb B. Worm C. Virus D. ACK attack

A. Logic Bomb A logic bomb notifies an attacker when a certain set of circumstances has occurred. This may in turn trigger an attack on your system.

Karl from Accounting is in a panic. He is convinced that he has identified malware on the servers—a type of man-in-the-middle attack in which a Trojan horse manipulates calls between the browser and yet still displays back the user's intended transaction. What type of attack could he have stumbled on? A. Man-in-the-browser B. Man-in-the-castle C. Man-in-the-code D. Man-in-the-business

A. Man-in-the-browser A Man-in-the-browser is a type of man-in-the-middle attack in which a Trojan horse manipulates calls between the browser and its security mechanisms yet still displaying back the user's intended transaction.

You have been asked to find an authentication service that is handled by a third party. The service should allow users to access multiple websites, as long as they support the third-party authentication service. What would be your best choice? A. OpenID B. Kerberos C. NTLM D. Shibboleth

A. Open ID OpenID is an authentication service often done by a third party, and it can be used to sign into any website that accepts OpenID. Kerberos is a network authentication protocol for use within a domain. New Technology LAN Manager (NTLM) is an older Windows authentication protocol. Shibboleth is a single sign-on system, but it works with federated systems.

A contractor has been hired to conduct penetration testing on a company's network. They have used the company's website to identify employees. They have found several of the employee's Facebook pages and have found a popular restaurant the employees like to go after work for a drink. A member of the team goes to the location and starts small talk with the employees. The member discovers that several key positions are vacant in the IT department and that there are shortfalls in terms of information security. What reconnaissance phase techniques have been utilized? (Select two) A. Open Source Intelligence (OSINT) B. Scanning C. Social engineering D. Persistence

A. Open Source Intelligence (OSINT) C. Social engineering

A network engineer has been asked to investigate why several wireless barcode scanners and wireless computers in a warehouse have intermittent connectivity to the shipping server. The barcode scanners and computers are all on forklift trucks and move around the warehouse during their regular use. Which of the following should the engineer do to determine the issue? (Choose two.) A. Perform a site survey B. Deploy an FTK Imager C. Create a heat map D. Scan for rogue access points E. Upgrade the security protocols F. Install a captive portal

A. Perform a site survey C. Create a heat map Perform a site survey to locate areas where signal degrades. With so many variables that can affect WiFi coverage, such as building materials, building dimensions, interior objects (i.e., furniture), and the types of devices and applications that will be in use, without the help of a WiFi heat map, it can be difficult for even seasoned network engineers to sort out.

In the recovery process, which key must be recoverable? A. Previous key B. Rollover key C. Secret Key D. Escrow Key

A. Previous key A key recovery process must be able to recover a previous key. If the previous key can not be recovered, then all the information for which the key was used will be irrecoverably lost.

Louis is investigating a malware incident on one of the computers on his network. He has discovered unknown software that seems to be opening a port, allowing someone to remotely connect to the computer. This software seems to have been installed at the same time as a small shareware application. Which of the following best describes this malware? A. RAT B. Worm C. Logic bomb D. Rootkit

A. RAT This is a remote-access Trojan (RAT), malware that opens access for someone to remotely access the system. A worm would have spread itself via a vulnerability, whereas a logic bomb runs when some logical condition is met. Finally, a rootkit provides root or administrative access to the system.

One of your users cannot recall the password for their laptop. You want to recover that password for them. You intend to use a tool/technique that is popular with hackers, and it consists of searching tables of precomputed hashes to recover the password. What best describes this? A. Rainbow table B. Backdoor C. Social engineering D. Dictionary attack

A. Rainbow table A rainbow table is a table of precomputed hashes, used to retrieve passwords. A backdoor is used to gain access to a system, not to recover passwords. Social engineering and dictionary attacks can both be used to gain access to passwords, but they are not tables of precomputed hashes.

An organization with a low tolerance tor user inconvenience wants to protect laptop hard drives against loss of data theft Which of the following would be the MOST acceptable? A. SED B. HSU C. DLP D. TPM

A. SED Self encrypting device Data storage device with built-in cryptographic processing that may be utilized to encrypt and decrypt the stored data, occurring within the device and without dependence on a connected information system.

A company needs to centralize its logs to create a baseline and have visibility on its security events. Which of the following technologies will accomplish this objective? A. Security information and event management B. A web application firewall C. A vulnerability scanner D. A next-generation firewall

A. Security information and event management (SIEM) SIEM is a security solution that helps organizations recognize potential security threats and vulnerabilities before they have a chance to disrupt business operations

Which of the following refers to applications and systems that are used within an organization without consent or approval? A. Shadow IT B. OSINT C. Dark web D. Insider threats

A. Shadow IT the use of information technology systems, devices, software, applications, and services without explicit IT department approval. it can also introduce serious security risks to your organization through data leaks, potential compliance violations, and more. OSINT-open source intelligence-OSINT framework provides a collection of OSINT tools, classified into various categories, that pentesters and hackers alike can use for reconnaissance

A contractor has been hired to conduct penetration testing on a company's network. They have decided to attempt to crack the passwords on a percentage of systems within the company. They plan to annotate the type of data that is on the systems that they are able to successfully crack to prove the ease of access to data. Evaluate the penetration steps and determine which are being utilized for this task. (Select two) A. Test security controls B. Bypass security controls C. Verify a threat exists D. Exploit vulnerabilities

A. Test security controls D. Exploit vulnerabilities

A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing the Internet all day. Which of the following would MOST likely show where the malware originated? A. The DNS logs B. The web server logs C. The SIP traffic logs D. The SNMP logs Answer: A

A. The DNS logs provides extremely detailed data about all DNS information that is sent and received by the DNS server, similar to the data that can be gathered using packet capture tools such as network monitor

Which of the following BEST explains the reason why a server administrator would place a document named password.txt on the desktop of an administrator account on a server? A. The document is a honeyfile and is meant to attract the attention of a cyberintruder. B. The document is a backup file if the system needs to be recovered. C. The document is a standard file that the OS needs to verify the login credentials. D. The document is a keylogger that stores all keystrokes should the account be compromised.

A. The document is a honeyfile and is meant to attract the attention of a cyberintruder.

After reading a security bulletin, a network security manager Is concerned that a malicious actor may have breached the network using the same software flaw. The exploit code Is publicly available and has been reported as being used against other industries in the same vertical. Which of the following should the network security manager consult FIRST to determine a priority list for forensic review? A. The vulnerability scan output B. The IDS logs C. The full packet capture data D. The SIEM alerts

A. The vulnerability scan output

What type of program exists to primarily propagate and spread itself to other systems? A. Worm B. Logic bomb C. Virus D. Trojan horse

A. Worm A worm is designed to multiply and propagate. Worms may carry viruses that cause system destruction, but that is not their primary mission.

A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee's hard disk. Which of the following should the administrator use? A. dd B. chmod C. dnsenum D. logger

A. dd dd is a command-line utility for Unix and Unix-like operating systems, the primary purpose of which is to convert and copy files. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive, and obtaining a fixed amount of random data. chmod-chmod is the command used to change the access permissions of file system (files and directories)objects DNSEnum is a command-line tool that automatically identifies basic DNS records such as MX, mail exchange servers, NS, domain name servers, or A—the address record for a domain. In an application, a network log is typically a file that contains a record of events that occurred in the application. It contains the record of user and process access calls to objects, attempts at authentication, and other activity. .

Compare and analyze the types of firewalls available to differentiate between them. O An application firewall can analyze the HTTP headers to identify code that matches a pattern while an appliance firewall monitors all traffic passing into and out of a network segment. O A packet filtering firewall maintains stateful information about a connection between two host and an application firewall is implemented as a software application running on a single host. O An appliance firewall is also known as a stateful multilayer inspection or a deep packet inspection. An application aware firewall is a standalone hardware firewall that performs the function of a firewall only. O Packet filtering firewalls operate at layer 5 of the OSI model, while circuit-level stateful inspection firewalls operate at layer 3.

An application firewall can inspect the contents of packets at the application layer and can analyze the HTTP headers and the HTML code present in HTTP packets to try to identify code that matches a pattern in its threat database. Appliance firewalls are standalone hardware firewalls that perform the function of a firewall only and monitors all traffic passing into and out of a network segment. Packet filtering firewalls operate at level 3 of the OSI model while circuit-level stateful inspection firewalls operate at layer 5 of the model. An application aware firewall is also known as a stateful multilayer inspection or a deep packet inspection. An appliance firewall is a standalone hardware firewall that performs the function of a firewall only. A packet filtering firewall is stateless and an application firewall is a software application running on a single host.

Cameron wants to ensure that Voice over IP (VoIP) traffic is prioritized in his network as part of a network security design focused on identifying which traffic is most important. What technology can he use to do this across his entire network? A. Port security B. QoS C. ACLs D. Port taps

B QoS Cameron should set quality of service (QoS) rules that will ensure that VoIP traffic is prioritized. Port security and access control lists (ACLs) are used to secure the network, and port taps are used to copy traffic for inspection.

A security analyst is investigating a vulnerability In which a default file permission was set incorrectly. The company uses non-credentialed scanning for vulnerability management. Which of the following tools can the analyst use to verify the permissions? A. ssh B chmod c. Is D. setuid E. nessus

B chmod

Isaac is designing his cloud datacenter's public-facing network and wants to properly implement segmentation to protect his application servers while allowing his web servers to be accessed by customers. What design concept should he apply to implement this type of secure environment? A. A reverse proxy server B. A DMZ C. A forward proxy server D. A VPC

B. A DMZ Demilitarized zones (DMZs) remain a useful concept when designing cloud environments, although the technical implementation may vary, since cloud providers may have secure web services, load-balancing capabilities or other features that make DMZs look different. Proxy servers are useful for controlling, filtering, and relaying traffic, but they do not provide the full segmentation that Isaac is looking for. A VPC is a virtual datacenter and will typically contain his infrastructure but does not specifically address these needs.

A systems analyst is responsible for generating a new digital forensics chain-of-custody form. Which of the following should the analyst include in this documentation? (Select TWO) A. The order of volatility B. A checksum C. The location of the artifacts D. The vendor's name E. The date and time F. A warning banner

B. A checksum C. The location of the artifacts

Scott wants to back up the contents of a network-attached storage (NAS) device used in a critical department in his company. He is concerned about how long it would take to restore the device if a significant failure happened, and he is less concerned about the ability to recover in the event of a natural disaster. Given these requirements, what type of backup should he use for the NAS? A. A tape-based backup with daily full backups B. A second NAS device with a full copy of the primary NAS C. A tape-based backup with nightly incremental backups D. A cloud-based backup service that uses high durability near-line storage

B. A second NAS device with a full copy of the primary NAS In this scenario, the best fit to Scott's needs is a second network attached storage (NAS) device with a full copy of the primary NAS. In a failure scenario, the secondary NAS can simply take the place of the primary NAS while individual disks or even the whole NAS is replaced. Tape-based backups take longer to restore, regardless of whether they are full or incremental backups, although incremental backups can take more time in some cases since swapping tapes in order can add time to the restoration process. Finally, a cloud-based backup system would be useful if Scott was worried about a local disaster but would be slower than a local identical NAS, thus not meeting Scott's primary requirement.

The command monlist can be used with which protocol as part of an amplification attack? A. SMTP B. NTP C. SNMP D. ICMP

B. NTP (Network Time Protocol) The command monlist can be used with an NTP amplification attack to send details of the last 600 people who requested network time.

Analyze each scenario to determine which best describes the authentication process in an Identity and Access Management (IAM) system. A. An account is created that identifies a user on the network B. A user logs into a system using a control access card and pin C. An Access Control List (ACL) is updated to allow a new user access to only the databases that are required to perform their job D. A report is reviewed that shows every successful and unsuccessful login attempt on a server

B. A user logs into a system using a control access card and pin

What is being calculated with the following equation: Single loss expectancy (SLE) × annual rate of occurrence (ARO) A. EF B. ALE C. MTBF D. RPO

B. ALE ALE, or the annual loss expectancy, is calculated by multiplying the single loss expectancy (SLE) by the annual rate of occurrence (ARO). The exposure factor (EF) is the percentage of loss if a specific threat is realized. MTBF is the mean time between failure, and RPO is a recovery point objective.

Olivia's cloud service provider claims to provide "five nines of uptime" and Olivia's company wants to take advantage of that service because their website loses thousands of dollars every hour that it is down. What business agreement can Oliva put in place to help ensure that the reliability that the vendor advertises is maintained? A. An MOU B. An SLA C. An MSA D. A BPA

B. An SLA ( Service Level Agreement) Olivia should establish a service level agreement (SLA) with her provider to ensure that they meet the expected level of service. If they don't, financial or other penalties are typically included. Olivia should ensure that those penalties are meaningful to her vendor to make sure they are motivated to meet the SLA. MOU- is a memorandum of understanding and explains the relationship between two organizations. MSA- is a master services agreement, which establishes a business relationship under which additional work orders or other documentation describe the actual work that is done; BPA- is a business partnership agreement, which is used when companies wish to partner on efforts and may outline division of profits or responsibilities in the partnership.

Which of the following is included in an SSID broadcast? A. DHCP configuration information B. Network name C. MAC address D. DNS default values

B. Network name An SSID ( Service Set Identifier) broadcast includes the network name.

Analyze and select the statements that accurately describe both worms and Trojans. (Select two) A. A worm is concealed within an application package while a Trojan is self-contained .B. Both worms and Trojans can provide a backdoor. C. Both worms and Trojans are designed to replicate. D. A worm is self-contained while a Trojan is concealed within an application package.

B. Both worms and Trojans can provide a backdoor. D. A worm is self-contained while a Trojan is concealed within an application package.

A security analyst is performing a forensic investigation involving compromised account credentials. Using the Event Viewer, the analyst was able to defect the following message: "Special privileges assigned to new logon.' Several of these messages did not have a valid logon associated with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected? A. Pass-the-hash B. Buffer overflow C. Cross-site scripting D. Session replay

B. Buffer overflow

Which of the following often operates in a client-server architecture to act as a service repository, providing enterprise consumers access to structured threat Intelligence data? A. STIX B. CIRT C. OSINT D. TAXII

B. CIRT

Which of the following incident response steps involves actions to protect critical systems while maintaining business operations? A. Investigation B. Containment C. Recovery D. Lessons learned

B. Containment

A development team employs a practice of bringing all the code changes from multiple team members into the same development project through automation. A tool is utilized to validate the code and track source code through version control. Which of the following BEST describes this process? A. Continuous delivery B. Continuous integration C. Continuous validation D. Continuous monitoring

B. Continuous integration Continuous integration is focused on automatically building and testing code Continuous delivery is a software development methodology where the release process is automated- the entire software release process up to production.

As the security administrator for your organization, you must be aware of all types of attacks that can occur and plan for them. Which type of attack uses more than one computer to attack the victim? A. DoS B. DDoS C. Worm D. UDP attack

B. DDos- A DDoS attack uses multiple computer systems to attack a server or host in the network.

A security analyst has received an alert about being sent via email. The analyst's Chief information Security Officer (CISO) has made it clear that PII must be handle with extreme care From which of the following did the alert MOST likely originate? A. S/MIME B. DLP C. IMAP D. HIDS

B. DLP- Data Loss Prevention cybersecurity solution that detects and prevents data breaches

Which design concept limits access to systems from outside users while protecting users and systems inside the LAN? A. Router B. DMZ C. VLAN D. I and A

B. DMZ A DMZ is an area in a network that allows restrictive access to untrusted users and isolates the internal network from access by external users and systems. It does so by using routers and firewalls to limit access to sensitive network resources.

Evaluate the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) supported cipher suites to determine which option is a supported symmetric cipher. A. Rivest-Shamir-Adleman (RSA) B. Data Encryption Standard (DES) C. Secure Hash Algorithm (SHA) D. Diffie-Hellmann (D-H)

B. Data Encryption Standard (DES)

An organization's help desk is flooded with phone calls from users stating they can no longer access certain websites. The help desk escalates the issue to the security team, as these websites were accessible the previous day. The security analysts run the following command: ipconfig /flushdns, but the issue persists. Finally, an analyst changes the DNS server for an impacted machine, and the issue goes away. Which of the following attacks MOST likely occurred on the original DNS server? A. DNS cache poisoning B. Domain hijacking C. Distributed denial-of-service D. DNS tunneling

B. Domain hijacking Domain Hijacking or Domain Spoofing is an attack where an organization's web address is stolen by another party. The other party changes the enrollment of another's domain name without the consent of its legitimate owner. This denies true owner administrative access. DNS cache poisoning-Domain Name Server (DNS) spoofing (a.k.a. DNS cache poisoning) is an attack in which altered DNS records are used to redirect online traffic to a fraudulent website that resembles its intended destination.

Acme Company is using smartcards that use near-field communication (NFC) rather than needing to be swiped. This is meant to make physical access to secure areas more secure. What vulnerability might this also create? A. Tailgating B. Eavesdropping C. IP spoofing D. Race conditions

B. Eavesdropping Near-field communication (NFC) is susceptible to an attacker eavesdropping on the signal. Tailgating is a physical attack and not affected by NFC technology. Both IP spoofing and race conditions are unrelated to NFC technology.

Isaac wants to acquire an image of a system that includes the operating system. What tool can he use on a Windows system that can also capture live memory? A. dd B. FTK Imager C. Autopsy D. WinDump

B. FTK Imager FTK Imager is a free tool that can image both systems and memory, allowing Isaac to capture the information he wants. Although dd is useful for capturing disks, other tools are typically used for memory dumps, and though dd can be used on a Windows system, FTK Imager is a more likely choice. Autopsy is a forensic analysis tool and does not provide its own imaging tools. WinDump is a Windows version of tcpdump, a protocol analyzer.

A large Industrial system's smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs, the company's security manager notices the generator's IP is sending packets to an internal file server's IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities? A. Segmentation B. Firewall whitelisting C. Containment D. Isolation

B. Firewall whitelisting

A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies? A. PCI DSS B. GDPR C. NIST D. ISO 31000

B. GDPR General Data Protection Regulation- GDPR means reviewing how personal data is captured and used within an organization. In then ensuring compliance, it aims to provide data protection for European Union customer data, to reduce the severity and frequency of data breaches, and the potential for mishandling or misprocessing of personal data on the web. PCI DSS- Payment Card Industry Data Security Standard- information security standard for organizations that handle branded credit cards NIST-NIST develops cybersecurity standards, guidelines, best practices, and resources to meet the needs of U.S. industry, federal agencies, and the broader public

Pass-the-hash attacks take advantage of a weak encryption routine associated with which protocols? A. NetBEUI and NetBIOS B. NTLM and LanMan C. Telnet and TFTP D. Chargen and DNS

B. NTLM and LanMan Pass-the-hash attacks take advantage of a weak encryption routine associated with NTLM and LanMan protocols.

Janice is explaining how IPSec works to a new network administrator. She is trying to explain the role of IKE. Which of the following most closely matches the role of IKE in IPSec? A. It encrypts the packet. B. It establishes the SAs. C. It authenticates the packet. D. It establishes the tunnel.

B. It establishes the SAs ( Security Associations) Internet key exchange (IKE) is used to set up security associations (SAs) on each end of the tunnel. The security associations have all the settings (i.e., cryptographic algorithms, hashes) for the tunnel. IKE is not directly involved in encrypting or authenticating. IKE itself does not establish the tunnel—it establishes the SAs.

Veronica has completed the recovery phase of her organization's incident response plan. What phase should she move into next? A. Preparation B. Lessons learned C. Recovery D. Documentation

B. Lessons learned The IR process used for the Security+ exam outline is Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Veronica should move into the lessons learned phase.

This image shows an example of a type of secure management interface. What term describes using management interfaces or protected alternate means to manage devices and systems? Cloud connects to switch connects/ PC connects to the switch via remote control access A. A DMZ B. Out-of-band management C. In-band management D. A TLS

B. Out-of-band management Out-of-band (OOB) management uses separate management interfaces, as shown in the figure, or a different connectivity method than the normal connection to provide a secure means of managing systems. A DMZ, or demilitarized zone, is a security zone that is typically exposed to the world and is thus less trusted and more exposed. In-band management uses common protocols like Secure Shell (SSH) or HTTPS to manage devices via their normal interfaces or network connections. Transport Layer Security (TLS) is a security protocol, not a management interface.

Which of the following is a set of voluntary standards governing encryption? A. SSL B. PKI C. PKCS D. ISA

B. PKI Public key cryptography standards are a set of voluntary standards for public key cryptography. This set of standards is coordinated by RSA. SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and a web browser. PKCS-is the specific standard used for generation and verification of digital signatures and certificates managed by a PKI

A network manager is using netstat to check the state of ports on a local machine. The network manager uses the command netstat -b to view further information. What information will be returned to analyze as a result? A. All active connections. B. Process name that has opened the port. C. Process ID number that opened the port. D. Ports and addresses in numerical format.

B. Process name that has opened the port

What tools can be used legitimately and tools are often designed to actively bypass network controls, obscuring which parties are communicating, when, and how. A. Data exfiltration B. RAT C. SQL injection D. Weak encryption

B. RAT Remote Access Tool is a piece of software used to remotely access or control a computer. This tool can be used legitimately by system administrators for accessing the client computers.

Henry runs the following command: dig @8.8.8.8 example.com What will it do? A. Search example.com's DNS server for the host 8.8.8.8. B. Search 8.8.8.8's DNS information for example.com. C. Look up the hostname for 8.8.8.8. D. Perform open source intelligence gathering about 8.8.8.8 and example.com. You Answered Incorrectly.

B. Search 8.8.8.8's DNS information for example.com. The Linux @ command for dig selects the Domain Name System (DNS) server it should query. In this case, it will query one of Google's DNS servers at 8.8.8.8 for the DNS information for example.com.

Which environment is most frequently used for vulnerability scans in organizations with mature development lifecycles if service outages are a major concern? A. Development B. Staging C. Test D. Production

B. Staging Staging environments are a mirror of the production environment and are frequently used for vulnerability scanning and other testing that is important for the security of the production environment. This allows testing against an identical environment without the potential of taking down production.

What kind of virus could attach itself to the boot sector of your disk to avoid detection and report false information about file sizes?A. Trojan horse virus B. Stealth virus C. Worm D. Polymorphic virus

B. Stealth virus A stealth virus reports false information to hide itself from antivirus software. Stealth viruses often attach themselves to the boot sector of an operating system.

Which of the following BEST explains the difference between a data owner and a data custodian? A. The data owner is responsible for adhering to the rules for using the data, while the data custodian is responsible for determining the corporate governance regarding the data B. The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protection to the data C. The data owner is responsible for controlling the data, while the data custodian is responsible for maintaining the chain of custody when handling the data D. The data owner grants the technical permissions for data access, while the data custodian maintains the database access controls to the data

B. The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protection to the data

A security auditor is reviewing vulnerability scan data provided by an internal security team. Which of the following BEST indicates that valid credentials were used? A. The scan results show open ports, protocols, and services exposed on the target host B. The scan enumerated software versions of installed programs C. The scan produced a list of vulnerabilities on the target host D. The scan identified expired SSL certificates

B. The scan enumerated software versions of installed programs

Evaluate the required features of a Trusted OS (TOS), as defined by the Common Criteria in ISO 15408, to propose the overall objective of a TOS. A. To verify that the OS and user are authorized on the network B. To verify that the OS will not create a security issue on the network C. To verify what permissions the OS has on the network D. To verify that the OS has support for multilevel security

B. To verify that the OS will not create a security issue on the network.

An attacker is trying to get access to your network. He is sending users on your network a link to a new game with a hacked license code program. However, the game files also include software that will give the attacker access to any machine that it is installed on. What type of attack is this? A. Rootkit B. Trojan horse C. Spyware D. Boot sector virus

B. Trojan horse The malware in this example is a Trojan horse—it pretends to be something desirable, or at least innocuous, and installs malicious software in addition to or instead of the desired software. A rootkit gives root or administrative access, spyware is malware that records user activities, and a boot sector virus is a virus that infects the boot sector of the hard drive.

Users have been issued smart cards that provide physical access to a building. The cards also contain tokens that can be used to access information systems. Users can log m to any thin client located throughout the building and see the same desktop each time. Which of the following technologies are being utilized to provide these capabilities? (Select TWO) A. COPE B. VDI C. GPS D. TOTP E. RFID F. BYOD

B. VDI E. RFID

Analyze and select the accurate statements about threats associated with virtualization. (Select two) A. Virtualizing switches and routers with hypervisors makes virtualization more secure. B. VM escaping occurs as a result of malware jumping from one guest OS to another. C. A timing attack occurs by sending multiple usernames to an authentication server to measure the server response times. D. VMs providing frontend, middleware and backend servers should remain together to reduce security implications of a VM escaping attack on a host located in the DMZ.

B. VM escaping occurs as a result of malware jumping from one guest OS to another .C. A timing attack occurs by sending multiple usernames to an authentication server to measure the server response times.

In which of these situations might a non-credentialed vulnerability scan be more advantageous than a credentialed scan? ( select all that apply) A. Detection of security setting misconfiguration B. Web application scanning C. When active scanning poses no risk to system stability D. External assessments of a network perimeter,

B. Web application scanning D. External assessments of a network perimeter

What is the command used to change the access permissions of file system (files and directories)objects? A. dd B. chmod C. dnsenum D. logger

B. chmod- chmod is the command used to change the access permissions of file system (files and directories)objects

Which of the following disaster recovery sites would require the MOST time to get operations beck online? A. Colocation B. cold C. Hot D. Warm

B. cold

An organization is concerned that Its hosted web servers are not running the most updated version of the software. Which of the following would work BEST to help identify potential vulnerabilities? A. hping3 -s compwia.org -p 80 B. nc -1 -v compria.org -p 60 C. nmap comptia.org -p 80 -sv D. nslookup -port-80 compcia.org

B. nc -1 -v comptia.org -p 60

A security analyst is using a recently released security advisory to review historical logs, looking for the specific activity that was outlined in the advisory. Which of the following is the analyst doing? A. A packet capture B. A user behavior analysis C. Threat hunting D. Credentialed vulnerability scanning

C Threat hunting Cyber threat hunting is a proactive security search through networks, endpoints, and datasets to hunt malicious, suspicious, or risky activities that have evaded detection by existing tools

An alert signals you that a server in your network has a program running on it thatbypasses authorization. Which type of attack has occurred? A. DoS B. DDoS C. Backdoor D. Social engineering

C. A back door attack In a backdoor attack, a program or service is placed on a server to bypass normal security procedures.

Analyze and select the accurate simulation of a Virtual Desktop Infrastructure (VDI) deployment. A. A company installs a platform that uses a Type 1 hypervisor to manage access to the host hardware outside of the host operating system. B. A company deploys Citrix XenApp on a server for the client to access for local processing. C. A company replaces all desktop computers with thin clients the employees use to log into VMs stored on the company server. D. A company enforces resource separation at the operating system level without the use of a hypervisor.

C. A company replaces all desktop computers with thin clients the employees use to log into VMs stored on the company server.

Megan wants to set up an account that can be issued to visitors. She configures a kiosk application that will allow users in her organization to sponsor the visitor, set the amount of time that the user will be on-site, and then allow them to log into the account, set a password, and use Wi-Fi and other services. What type of account has Megan created? A. A user account B. A shared account C. A guest account D. A service account

C. A guest account Megan has created a guest account. Guest accounts typically have very limited privileges and may be set up with limited login hours, an expiration date, or other controls to help keep them more secure. User accounts are the most common type of account and are issued to individuals to allow them to log into and use systems and services. Shared accounts are used by more than one person, making it difficult to determine who used the account. A service account is typically associated with a program or service running on a system that requires rights to files or other resources.

A host within a subnet is tricked into routing through an attacker's machine, rather than the legitimate default gateway, allowing the attacker to eavesdrop on communications and perform a Man-in-the-Middle (MitM) attack. Compare the types of routing vulnerabilities and conclude which is being exploited in this scenario. A. Route injection B. Denial of service C. ARP poisoning D. Source routing

C. ARP poisoning

Which of the following research sources is typically the least timely when sourcing threat intelligence? A. Vulnerability feeds B. Local industry groups C. Academic journals D. Threat feeds

C. Academic Journals Academic journals are the slowest of the items listed because of the review processes involved with most reputable journals. Although academic journals can be useful resources, they are typically not up-to-the-minute sources. Other resources you should be aware of are vendor websites, conferences, social media, and RFCs (requests for comments).

Greg's company has a remote location that uses an IP-based streaming security camera system. How could Greg ensure that the remote location's networked devices can be managed as if they are local devices and that the traffic to that remote location is secure?A. An as-needed TLS VPN B. An always-on TLS VPN C. An always-on IPSec VPN D. An as-needed IPSec VPN

C. An always-on IPSec VPN IPSec virtual private networks (VPNs) can make a remote location appear as though it is connected to your local network. Since Greg needs to rely on a streaming security camera, an always-on IPSec VPN is the best solution listed. TLS (SSL) VPNs are primarily used for specific applications, typically focusing on web applications.

Which of the following is not a physical security control? A. Motion detector B. Fence C. Antivirus software D. Closed-circuit television (CCTV)

C. Antivirus software Antivirus software is used to protect computer systems from malware and is not a physical security control. Physical controls are security measures put in place to reduce the risk of harm coming to a physical property. This includes protection of personnel, hardware, software, networks, and data from physical actions and events that could cause damage or loss.

What is a software program that operates on the Internet and performs repetitive tasks? A. Worms B. Trojans C. Bots D. RAT

C. Bots A bot is a software application that is programmed to do certain tasks. Bots are automated, which means they run according to their instructions without a human user needing to manually start them up every time. Bots often imitate or replace a human user's behavior. Typically they do repetitive tasks, and they can do them much faster than human users could.

A cybersecurity manager has scheduled biannual meetings with the IT team and department leaders to discuss how they would respond to hypothetical cyberattacks. During these meetings, the manager presents a scenario and injects additional information throughout the session to replicate what might occur in a dynamic cybersecurity event involving the company, its facilities, its data, and its staff. Which of the following describes what the manager is doing? A. Developing an incident response plan B. Building a disaster recovery plan C. Conducting a tabletop exercise D. Running a simulation exercise

C. Conducting a tabletop exercise

An attacker modifies the HOSTS file to redirect traffic. Consider the types of attacks and deduce which type of attack has likely occurred. A. DNS server cache poisoning B. DNS spoofing C. DNS client cache poisoning D. Hoaxing

C. DNS client cache poisoning

Which of the following is the DNS server given information about a name server that it thinks is legitimate when it isn't? A. DNS tagging B. DNS kiting C. DNS poisoning D. DNS foxing

C. DNS poisoning With DNS poisoning, also known as DNS spoofing, the DNS server is given information about a name server that it thinks is legitimate when it isn't. Attackers can poison a DNS cache by tricking DNS resolvers into caching false information, with the result that the resolver sends the wrong IP address to clients, and users attempting to navigate to a website will be directed to the wrong place

An organization routes all of its traffic through a VPN Most users are remote and connect into a corporate datacenter that houses confidential information There is a firewall at the Internet border followed by a DIP appliance, the VPN server and the datacenter itself. Which of the following is the WEAKEST design element? A. The DLP appliance should be integrated into a NGFW. B. Split-tunnel connections can negatively impact the DLP appliance's performance C. Encrypted VPN traffic will not be inspected when entering or leaving the network D. Adding two hops in the VPN tunnel may slow down remote connections

C. Encrypted VPN traffic will not be inspected when entering or leaving the network

Phishing and spear-phishing attacks have been occurring more frequently against a company's staff. Which of the following would MOST likely help mitigate this issue? A. DNSSEC and DMARC B. DNS query logging C. Exact mail exchanger records in the DNS D. The addition of DNS conditional forwarders

C. Exact mail exchanger records in the DNS Mail Exchange (MX) records are DNS records that are necessary for delivering email to your address. In simple DNS terms, an MX record is used to tell the world which mail servers accept incoming mail for your domain and where emails sent to your domain should be routed to. To stop phishing/spear-phishing attacks security teams must first train users to recognize, avoid and report suspicious emails DNSSEC and DMARC-DNSSEC adds two important features to the DNS protocol: Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated. Data integrity protection allows the resolver to know that the data hasn't been modified in transit since it was originally signed by the zone owner with the zone's private key. DNS Query logging is an events detail of all requests that are handled by the DNS server.

A company recently transitioned to a strictly BYOD culture due to the cost of replacing lost or damaged corporate-owned mobile devices. Which of the following technologies would be BEST to balance the BYOD culture while also protecting the company's data? A. Containerization B. Geofencing C. Full-disk encryption D. Remote wipe

C. Full-disk encryption

Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors? A. SSAE SOC 2 B. PCI DSS C. GDPR D. ISO 31000

C. GDPR The General Data Protection Regulation is a regulation / law on data protection and privacy. It also addresses the transfer of personal data and how it is handled or used. PCI DSS-The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards SSAE SOC2 is an auditing report that assesses how well organizations handle data security, system privacy, data confidentiality and data processing processes

You want to install a crypto processor chip that can be used to enhance security with the PKI systems. Which of the following is the one you are looking for? A. OCSP B. PIV C. HSM D. MTU

C. HSM A hardware security module is a cryptoprocessor chip that can be used to enhance security and it is commonly used with PKI systems.

What type of attack is is similar to pressing refresh in a web browser over and over on many different computers at once ? A. DNS cache poisoning B. Domain hijacking C. HTTP flood D. DNS tunneling

C. HTTP flood A large numbers of HTTP requests flood the server, resulting in denial-of-service. This type of attack ranges from simple to complex. Simpler implementations may access one URL with the same range of attacking IP addresses, referrers and user agents. Complex versions may use a large number of attacking IP addresses, and target random urls using random referrers and user agents.

Which of the following ISO standards is certified for privacy? A. ISO 9001 B. ISO 27002 C. ISO 27701 D. ISO 31000

C. ISO 27701

Which certificate field shows the name of the Certificate Authority (CA) expressed as a Distinguished Name (DN)? A. Version B. Signature algorithm C. Issuer D. Subject

C. Issuer

What is the primary role of lighting in a physical security environment? A. It acts as a detective control. B. It acts as a reactive control. C. It acts as a deterrent control. D. It acts as a compensating control.

C. It acts as a deterrent control. Lighting serves a deterrent control, making potential malicious actors feel like they may be observed without dark areas or shadows to hide in. It does not detect actions, it does not compensate for the lack of another control, and although some lights may turn on for motion, the primary purpose is to deter malicious or unwanted actions.

Isaac wants to use on-premises cloud computing. What term describes this type of cloud computing solution? A. Infrastructure as a service B. Hybrid cloud C. Private cloud D. Platform as a service

C. Private cloud On-premises cloud computing is often called private cloud. Not all private clouds have to be on-site, because private clouds could be deployed to a remote location like a third-party hosting facility. Infrastructure as a service and platform as a service refer to third-party hosting services, and hybrid cloud combines both on-premises and cloud computing models.

You've discovered that an expired certificate is being used repeatedly to gain login privileges. Which type of attack is this most likely to be? A. Man-in-the-middle attack B. Backdoor attack C. Replay attack D. TCP/IP hijacking

C. REplay attack A replay attack attempts to replay the results of a previously successful session to gain access.

The new head of software engineering has demanded that all code be tested to identify the design flow and then modified, as needed, to clean up routines without changing the code's visible behavior. What is this process known as? A. Straightening B. Sanitizing C. Refactoring D. Uncluttering

C. Refactoring Refactoring involves testing to identify the design flow and then modifying, as needed, to clean up routines without changing the code's visible behavior.

A security analyst is looking for a solution to help communicate to the leadership team the severity levels of the organization's vulnerabilities. Which of the following would BEST meet this need? A. CVE B. SIEM C. SOAR D. CVSS

C. SOAR Security Orchestration, Automation and Response- SOAR will pull in information from external emerging threat intelligence feeds, endpoint security software and other third-party sources to get a better overall picture of the security landscape inside the network and out. SOAR takes analytics to a different level by creating defined investigation paths to follow based on an alert. SIEM- Security Information and Event Management- centrally collect pertinent log and event data from various security, network, server, application and database sources. Common examples of sources include firewalls, intrusion prevention systems, antivirus and antimalware software, data loss prevention tools and secure web content gateways. CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that's been assigned a CVE ID number. Security advisories issued by vendors and researchers almost always mention at least one CVE ID.

Which of the following is the best description of a stored procedure? A. Code that is in a DLL, rather than the executable B. Server-side code that is called from a client C. SQL statements compiled on the database server as a single procedure that can be called D. Procedures that are kept on a separate server from the calling application, such as in middleware

C. SQL statements compiled on the database server as a single procedure that can be called Stored procedures are commonly used in many database management systems to contain SQL statements. The database administrator (DBA), or someone designated by the DBA, creates the various SQL statements that are needed in that business, and then programmers can simply call the stored procedures. Stored procedures are not related to dynamic linked libraries (DLLs). Stored procedures can be called by other stored procedures that are also on the server. Finally, stored procedures are not related to middleware.

What term describes when the item used to validate a user's session, such as a cookie, isstolen and used by another to establish a session with a host that thinks it is still communicating with the first party? A. Patch infiltration B. XML injection C. Session hijacking D. DTB exploitation

C. Session hijacking Session hijacking occurs when the item used to validate a user's session, such as a cookie, is stolen and used by another to establish a session with a host that thinks it is still communicating with the first party.

When investigating breaches and attempting to attribute them to specific threat actors, which of the following is not one of the indicators of an APT? A. Long-term access to the target B. Sophisticated attacks C. The attack comes from a foreign IP address. D. The attack is sustained over time.

C. The attack comes from a foreign IP address. Although you might suppose that a nation-state attacker (the usual attacker behind an advanced persistent threat) would attack from a foreign IP address, they often use a compromised address in the target country as a base for attacks. Options A, B, and D are all incorrect. These are actually signs of an advanced persistent threat.

Which of the following job roles would sponsor data quality and data entry initiatives that ensure business and regulatory requirements are met? A. The data owner B. The data processor C. The data steward D. The data privacy officer.

C. The data steward a data steward is concerned with the meaning of data and the correct usage of data. The data steward doesn't care who uses the data as long as they use it correctly. data owner- is concerned with risk and appropriate access to data.is concerned with who can access data, and tends to be more conservative with granting access. data processor-a computer or person that carries out operations on data to retrieve, transform, or classify information. data privacy officer-are responsible for overseeing a company's data protection strategy and its implementation to ensure compliance with GDPR requirements.

Which of the following is the purpose of a risk register? A. To define the level or risk using probability and likelihood B. To register the risk with the required regulatory agencies C. To identify the risk, the risk owner, and the risk measures D. To formally log the type of risk mitigation strategy the organization is using

C. To identify the risk, the risk owner, and the risk measures is a document used as a risk management tool and to fulfill regulatory compliance acting as a repository for all risks identified and includes additional information about each risk, e.g., nature of the risk, reference and owner, mitigation measures.

What is the primary difference between MDM and UEM? A. MDM does not include patch management. B. UEM does not include support for mobile device. C. UEM supports a broader range of devices. D. MDM patches domain machines, not enterprise machines.

C. UEM supports a broader range of devices. UEM, or unified endpoint management, manages desktop, laptops, mobile devices, printers, and other types of devices. Mobile device management (MDM) tools focus on mobile devices.

An employee is working on a team to build a directory of systems that are being installed in a classroom. The team is using the Lightweight Directory Access Protocol (LDAP) to update the X.500 directory. Utilizing the standards of a X.500 directory, which is the distinguished name the employee is most likely to recommend CN=system1, CN=user, OU=Univ, DC=local O DC-system1,OU=Univ, CN=user,DC=local O OU=Univ,DC=local, CN=user, CN=system 1 O CN=user, DC=local, OU=Univ, CN=system 1

CN=system1, CN=user, OU=Univ, DC=local A distinguished name is a unique identifier for any given resource within an X.500-like directory, and is made up of attribute=value pairs, separated by commas. The most specific attribute is listed first, and successive attributes become progressively broader. The most specific attribute is also referred to as the relative distinguished name (in this case system1) as it uniquely identifies the object within the context of successive attribute values.

Separation of duties helps to prevent an individual from embezzling money from a company. To embezzle funds successfully, an individual would need to recruit others to commit an act of (an agreement between two or more parties established for the purpose of committing deception or fraud). O Misuse Collusion O Fraud O Misappropriation

Collusion Collusion is an agreement between two or more parties established for the purpose of committing deception or fraud. Collusion, when part of a crime, is also a criminal act in and of itself.

Which cloud delivery model has an infrastructure shared by several organizations with shared interests and common IT needs? O Private O Community O Public O Hybrid

Community A community delivery model has an infrastructure shared by several organizations with shared interests and common IT needs.

A RAT that was used to compromise an organization's banking credentials was found on a user's computer. The RAT evaded antivirus detection. It was installed by a user who has local administrator rights to the system as part of a remote management tool set. Which of the following recommendations would BEST prevent this from reoccurring? O Create a new acceptable use policy. O Implement DLP at the network boundary. O Enforce application whitelisting. O Segment the network into trusted and untrusted zones.

Create a new acceptable use policy.

A security analyst is reviewing a new website that will soon be made publicly available. The analyst sees the following in the URL: http://dev-site.comptia.org/home/show.php? sessionID=77276554&loc=us The analyst then sends an internal user a link to the new website for testing purposes, and when the user clicks the link, the analyst is able to browse the website with the following URL: http://dev-site.comptia.org/home/show.php?sessionID=98988475&loc=us Which of the following application attacks is being tested? O Pass-the-hash O Session replay O Object deference Cross-site request forgery

Cross-site request forgery Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. Since the user is authenticated, the attack exploits a vulnerability in a Web application if it cannot differentiate between a request generated by an individual user and a request generated by a user without their consent. In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer.

It has been brought to your attention that a would-be attacker in Indiana has been buying up domains based on common misspellings of your company's name with the sole intent of creating websites that resemble yours and prey on those who mistakenly stumble onto these pages. What type of attack is this known as? A. Watering hole B. Poisoned well C. Faulty tower D. Typo squatting

D .Typo squatting Typo-squatting, also known as URL hijacking, is a form of cybersquatting (sitting on sites under someone else's brand or copyright) that targets Internet users who incorrectly type a website address into their web browser (e.g., "Gooogle.com" instead of "Google.com").

Which of the following is a small library that is created to intercept API calls transparently ?A. Chock B. Wedge C. Refactor D. Shim

D. A Shim A shim is a small library that is created to intercept API calls transparently.

A company uses wireless for ail laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring? A. A BPDU guard B. WPA-EAP C. IP filtering D. A WIDS

D. A WIDS Wireless Intrusion Detection System- monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. The system monitors the radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever a rogue access point is detected.

In which of the following situations would it be BEST to use a detective control type for mitigation? A A company implemented a network load balancer to ensure 99 999% availability of its web application B. A company designed a backup solution to increase the chances of restoring services in case of a natural disaster C. A company purchased an application-level firewall to isolate traffic between the accounting department and the information technology department D. A company purchased an IPS system, but after reviewing the requirements, the appliance was supposed to monitor not block. any traffic E. A company purchased liability insurance for flood protection on all capital assets

D. A company purchased an IPS system, but after reviewing the requirements, the appliance was supposed to monitor not block. any traffic

The mobile game that Jack has spent the last year developing has been released, and malicious actors are sending traffic to the server that runs it to prevent it from competing with other games in the App Store. What type of denial-of-service attack is this? A. A network DDoS B. An operational technology DDoS C. A GDoS D. An application DDoS

D. An application DDoS This is an example of an application distributed denial-of-service (DDoS) attack, aimed at a gaming application. A network DDoS would be aimed at network technology, either the devices or protocols that underly networks. An operational technology (OT) DDoS targets SCADA, ICS, utility or similar operational systems. A GDoS was made up for this question.

Compare and analyze the types of firewalls available, to differentiate between them. A. Packet filtering firewalls operate at layer 5 of the OSI model, while circuit-level stateful inspection firewalls operate at layer 3. B. An appliance firewall is also known as a stateful multilayer inspection or a deep packet inspection. An application aware firewall is a stand-alone hardware firewall that performs the function of a firewall only C. A packet filtering firewall maintains stateful information about a connection between two hosts, and an application firewall is implemented as a software application running on a single host. D. An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment.

D. An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment.

What type of bot stimulates human conversation? a. Googlebot B. Web crawler C Social bot D. Chatbots

D. Chatbots Chatbots are computer programs used to simulate conversations with humans. Chatbots have many useful applications, but they can also be used for malicious purposes.

A financial organization has adopted a new secure, encrypted document-sharing application to help with its customer loan process. Some important PII needs to be shared across this new platform, but it is getting blocked by the DLP systems. Which of the following actions will BEST allow the PII to be shared with the secure application without compromising the organization's security posture? A. Configure the DLP policies to allow all PII B. Configure the firewall to allow all ports that are used by this application C. Configure the antivirus software to allow the application D. Configure the DLP policies to whitelist this application with the specific PII E. Configure the application to encrypt the PII

D. Configure the DLP policies to whitelist this application with the specific PII dont want to allow all traffic- just specific ones with PII connected- whitelisting policy will control data access

Leigh Ann is the new network administrator for a local community bank. She studies the current file server folder structures and permissions. The previous administrator didn't properly secure customer documents in the folders. Leigh Ann assigns appropriate file and folder permissions to be sure that only the authorized employees can access the data. What security role is Leigh Ann assuming? A. Power user B. Data owner C. User D. Custodian

D. Custodian A custodian configures data protection based on security policies. The local community bank is the data owner, not Leigh Ann. Leigh Ann is a network administrator, not a user, and power user is not a standard security role in the industry.

Which of the following would BEST identify and remediate a data-loss event in an enterprise using third-party, web-based services and file-sharing platforms? A. SIEM B. CASB C. UTM D. DLP

D. DLP- Data Loss Prevention

What law or regulation requires a DPO in organizations? A. FISMA B. COPPA C. PCI-DSS D. GDPR

D. GDPR The General Data Protection Regulation, or GDPR, requires a data protection officer (DPO). They oversee the organization's data protection strategy and implementation, and make sure that the organization complies with the GDPR.

A Chief Security Office's (CSO's) key priorities are to improve preparation, response, and recovery practices to minimize system downtime and enhance organizational resilience to ransomware attacks. Which of the following would BEST meet the CSO's objectives? A. Use email-filtering software and centralized account management, patch high-risk systems, and restrict administration privileges on fileshares. B. Purchase cyber insurance from a reputable provider to reduce expenses during an incident. C. Invest in end-user awareness training to change the long-term culture and behavior of staff and executives, reducing the organization's susceptibility to phishing attacks. D. Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.

D. Implement application whitelisting and centralized event-log management, and perform regular testing and validation of full backups.

What are ways/means to mitigate the effects of DDos attacks? A. filtering, DNS spoofing, black holes, countermeasures B. Complex disruption, counter measures, multi-vectoring, distraction C. Throwing away bad traffic, IP filtering, black holes, distraction D. Limiting traffic, throwing away traffic, funneling and filtering traffic, rate limiting

D. Limiting traffic, throwing away traffic, funneling and filtering traffic, rate limiting

A network administrator has been asked to design a solution to improve a company's security posture The administrator is given the following, requirements?• The solution must be inline in the network• The solution must be able to block known malicious traffic• The solution must be able to stop network-based attacks. Which of the following should the network administrator implement to BEST meet these requirements? A. HIDS B. NIDS C. HIPS D. NIPS

D. NIPS- network-based intrusion prevention system (NIPS) is a system used to monitor a network as well as protect the confidentiality, integrity, and availability of a network. Its main functions include protecting the network from threats, such as denial of service (DoS) and unauthorized usage.An intrusion prevention system (IPS) sits in-line on the network and monitors the traffic. When a suspicious event occurs, it takes action based on certain prescribed rules. An IPS is an active and real-time device

What is an application file that contains a record of events that occurred in the application. It contains the record of user and process access calls to objects, attempts at authentication, and other activity? A. dd B. chmod C. dnsenum D. network log

D. Network Log In an application, a network log is typically a file that contains a record of events that occurred in the application. It contains the record of user and process access calls to objects, attempts at authentication, and other activity.

Diana wants to prevent drones from flying over her organization's property. What can she do? A. Deploy automated drone take-down systems that will shoot the drones down B. Deploy radio frequency jamming systems to disrupt the drone's control frequencies C. Contact the FAA to get her company's property listed as a no-fly zone D. None of the above

D. None of the above In most cases none of these options are practical. Destruction of drones is an illegal destruction of private property. Jamming the open frequencies used for drones is not permissible and may result in action by the Federal Trade Commission (FTC), and contacting the Federal Aviation Administration (FAA) to request that the airspace above a company be declared a no-fly zone is not something the FAA supports in most cases. This means that Diana is likely to have to deal with the potential for drone-based threats in other ways.

What mechanism is used by PKI to allow immediate verification of a certificate's validity? A. CRL B. SSHA C. MD5 D. OCSP

D. OCSP Online certificate status protocol is a mechanism used to verify immediately whether/ or not a certificate is valid. CRL- certificate revocation list is a published list of current status'

A retail executive recently accepted a job with a major competitor. The following week, a security analyst reviews the security logs and Identifies successful logon attempts to access the departed executive's accounts. Which of the following security practices would have addressed the issue? A. A non-disclosure agreement B. Least privilege C. An acceptable use policy D. Off boarding

D. Off boarding

What major technical component of modern cryptographic systems is likely to be susceptible to quantum attacks? A. Key generation B. Elliptical plot algorithms C. Cubic root curve cryptography D. Prime factorization algorithms

D. Prime factorization algorithms Prime factorization algorithms and elliptic curve cryptography are believed to be vulnerable to future quantum computing-driven attacks against cryptographic systems. Although this is largely theoretical at the moment, quantum encryption may be the only reasonable response to quantum attacks against current cryptographic algorithms and systems.

Samantha has been asked to provide a recommendation for her organization about password security practices. Users have complained that they have to remember too many passwords as part of their job and that they need a way to keep track of them. What should Samantha recommend? A. Recommend that users write passwords down near their workstation. B. Recommend that users use the same password for sites with similar data or risk profiles. C. Recommend that users change their standard passwords slightly based on the site they are using. D. Recommend a password vault or manager application.

D. Recommend a password vault or manager application. The Security+ exam refers to password managers as password vaults. Samantha should recommend a password vault that will allow her users to generate, store, and use many passwords securely. None of the other options are good advice for password use and storage.

A security administrator currently spends a large amount of time on common security tasks, such aa report generation, phishing investigations, and user provisioning and deprovisioning This prevents the administrator from spending time on other security projects. The business does not have the budget to add more staff members. Which of the following should the administrator implement? A. DAC B. ABAC C. SCAP D. SOAR

D. SOAR Security Orchestration, Automation and Response) is a term used to describe the convergence of three distinct technology markets: security orchestration and automation, security incident response platforms (SIRP), and threat intelligence platforms (TIP). SOAR platforms integrate with a wider range of internal and external applications, both security and nonsecurit DAC- Discretionary access control (DAC) A means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or groups to which the object belongs. ABAC- Attribute Based Access Control- access rules are based not only on the user's role but also on the specific entity that role was granted on (i.e. Scoped Roles), something like "Project Manager can add users to HIS PROJECT ONLY", SCAP- Security Content Automation Protocol. Pronounced S-cap, it is a security-enhancement method that uses specific standards to help organizations automate the way they monitor system vulnerabilities and make sure they're in compliance with security policies.

What is it known as when an attacker manipulates the database code to take advantage of a weakness in it? A. SQL tearing B. SQL manipulation C. SQL cracking D. SQL injection

D. SQL injection SQL injection occurs when an attacker manipulates the database code to take advantage of a weakness in it.

Which of the following disaster recovery tests is The LEAST time-consuming for the disaster recovery team? A. Tabletop B. Parallel C. Full interruption D. Simulation

D. Simulation-Groups go through a simulated disaster to identify whether emergency response plans are adequate. Parallel test: Recovery systems are built/set up and tested to see if they can perform actual business transactions to support key processes. Primary systems still carry the full production workload. Tabletop-A tabletop test is a meeting to discuss a simulated emergency situation discussing concrete plans to manage the fine details of the occurrence and aftermath of a natural or human-made disaster.

A user received an SMS on a mobile phone that asked for bank details. Which of the following social-engineering techniques was used in this case? A. SPIM B. Vishing C. Spear phishing D. Smishing

D. Smishing

A security administrator is reviewing the company's continuity plan, and it specifies an RTO of four hours and an RPO of one day. Which of the following is the plan describing? A. Systems should be restored within one day and should remain operational for at least four hours. B. Systems should be restored within four hours and no later than one day after the incident. C. Systems should be restored within one day and lose, at most, four hours' worth of data. D. Systems should be restored within four hours with a loss of one day's worth of data at most.

D. Systems should be restored within four hours with a loss of one day's worth of data at most. Systems should be restored within four hours with a minimum loss of one day's worth of data. The RTO (recovery time objective) is the amount of time within which a process or service must be restored after a disaster to meet business continuity. It defines how much time it takes to recover after notification of process disruption. The recovery point objective, or RPO, specifies the amount of time that can pass before the amount of data lost may exceed the organization's maximum tolerance for data loss.

Hinata is considering biometric access control solutions for her company. She is concerned about the crossover error rate (CER). Which of the following most accurately describes the CER? A. The rate of false acceptance B. The rate of false rejection C. The point at which false rejections outpace false acceptances D. The point at which false rejections and false acceptances are equal

D. The point at which false rejections and false acceptances are equal The crossover error rate or (CER) is also sometimes called the equal error rate (EER) and is the point at which the false acceptance and false rejection rates are the same.

After entering a username and password, an administrator must draw a gesture on a touch screen. Which of the following demonstrates what the administrator is providing? A. Multifactor authentication B. Something you can do C. Biometrics D. Two-factor authentication

D. Two-factor authentication

A company has one technician that is solely responsible for applying and testing software and firmware patches. The technician goes on a two week vacation, and no one is tasked to perform the patching duties during this time. A critical patch is released and not installed due to the absence. According to the National Institute of Standards and Technology (NIST) what has the delay in applying the patch caused? A. Control B. Risk C. Threat D. Vulnerability

D. Vulnerability the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.

Which of the following will MOST likely adversely impact the operations of unpatched traditional programmable-logic controllers, running a back-end LAMP server and OT systems with human-management interfaces that are accessible over the Internet via a web interface? (Choose two.) A. Cross-site scripting B. Data exfiltration C. Poor system logging D. Weak encryption E. SQL injection F. Server-side request forgery

D. Weak encryption F. Server-side request forgery A LAMP stands for Linux( OS), Apache(web server), MySQL(database), and PHP(programming language). Together, they provide a proven set of software for delivering high-performance web applications. Each component contributes essential capabilities to the stack-- OT manages the operation of physical processes and the machinery used to carry them out--Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials. So if the operations of programmable logic controllers had weak encryption or Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites Data exfiltration is a technique used by malicious actors to target, copy, and transfer sensitive data. Data exfiltration can be done remotely or manually and can be extremely difficult to detect given it often resembles business-justified (or "normal") network traffic

When a hole is found in a web browser or other software, and attackers begin exploiting it before the developer can respond, what type of attack is it known as? A. Polymorphic B. Xmas C. Malicious insider D. Zero-day

D. Zero Day attack When a hole is found in a web browser or other software, and attackers begin exploiting it the very day it is discovered by the developer (bypassing the one-to-two-day response time that many software providers need to put out a patch once the hole has been found), it is known as a zero-day attack.

A security analyst wants to verify that a client-server (non-web) application is sending encrypted traffic. Which of the following should the analyst use? A. openssl B. hping C. netcat D. tcpdump

D. tcpdump

Which of the following involves unauthorized commands coming from a trusted user to the website? A. ZDT B. HSM C. TT3 D. XSRF

D.XSRF XRSF involves unauthorized commands coming from a trusted user to the website. This is often done without the user's knowledge, and it employs some type of social networking to pull it off.

With which of the following is the DNS server given information about a name server that it thinks is legitimate when it isn't? O DNS kiting O DNS foxing O DNS poisoning O DNS tagging

DNS poisoning With DNS poisoning, also known as DNS spoofing, the DNS server is given information about a name server that it thinks is legitimate when it isn't.

Why is DNS SEC important?

DNSSEC strengthens authentication in DNS using digital signatures based on public key cryptography. With DNSSEC, it's not DNS queries and responses themselves that are cryptographically signed, but rather DNS data itself is signed by the owner of the data.

You want to assign privileges to a user so that she can delete a file but not be able to assign privileges to others. What permissions should you assign? O Delete O Full Control O Administrator O Modify

Delete Always apply least privileges, and in this case that is Delete.

Which of the following agreements contains the technical information regarding the technical and security requirements of the interconnection between two or more organizations? O MOU O MOA O BPA O ISA

ISA The ISA (interconnection security agreement) specifies the technical and security requirements of the interconnection.

An organization is developing a plan in the event of a complete loss of critical systems and data. Which of the following plans is the organization MOST likely developing? O Communications O Disaster recovery O Incident response O Data retention

Disaster recovery A disaster recovery plan checklist includes identifying critical IT systems and networks, prioritizing the RTO (recovery time objective- is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.), and outlining the steps needed to restart, reconfigure and recover systems and networks. The plan should at least minimize any negative effect on business operations.

On which of the following is the live acquisition of data for forensic analysis MOST dependent? (Select TWO). A. Data accessibility B. Legal hold C. Cryptographic or hash algorithm D. Data retention legislation E. Value and volatility of data F. Right-to-audit clauses

E. Value and volatility of data F. Right-to-audit clauses

On which of the following is the live acquisition of data for forensic analysis MOST dependent? (Choose two.) A. Data accessibility B. Legal hold C. Cryptographic or hash algorithm D. Data retention legislation E. Value and volatility of data F. Right-to-audit clauses

E. Value and volatility of data F. Right-to-audit clauses

On which of the following is the live acquisition of data for forensic analysis MOST dependent? (Choose two.) A. Data accessibility B. Legal hold C. Cryptographic or hash algorithm D. Data retention legislation E. Value and volatility of data F. Right-to-audit clauses

E. Value and volatility of data F. Right-to-audit clauses Right to audit clause, allows for a FA to look over the data whilst its in use. Volatility is due to the data being in use still, so a changing forensic surface.

Which kind of attack is designed to overload a particular protocol or service? O Back door O Spoofing O Flood O Man in the middle

Flood A flood attack is designed to overload a protocol or service by repeatedly initiating a request for service. This type of attack usually results in a Dos (denial-of-service) situation occurring because the protocol freezes or since excessive bandwidth is used in the network as a result of the requests. For more information, see Chapter 3.

Which system would you install to provide active protection and notification of security problems in a network connected to the Internet? O VPN O IPS o network monitoring O router

IPS- Intrusion protection system An intrusion prevention system (IPS) provides active monitoring and rule-based responses to unusual activities on a network. A firewall, for example, provides passive security by preventing access from unauthorized traffic. If the firewall were compromised, the IPS would notify you based on rules that it's designed to implement. For more information, see Chapter 3.

Why Would I not Use PSK Authentication?

If an administrator leaves the company, you should reset the PSK key. This can become tiresome and be skipped. If one user is compromised, then all users can be hacked. PSK cannot perform machine authentication the way that IEEE 802.1X authentication can. Keys tend to become old because they are not dynamically created for users upon login, nor are the keys rotated frequently. You must remember to change the keys and create keys long enough to be a challenge to hackers. PSK is subject to brute force key space search attacks and to dictionary attacks. Because WPA2-Personal uses a more advanced encryption type, additional processing power is required to keep the network functioning at full speed. Wireless networks that use legacy hardware for access points and routers can suffer speed reductions when WPA2-Personal is used instead of WPA, especially when several users are connected or a large amount of data is moving through the network. Because WPA2-Personal is a newer standard, firmware upgrades can also be required for some hardware that previously used WPA exclusively

Which of the following backup methods will generally provide the fastest backup times? Correct! O Incremental backup O Archival backup O Differential backup O Full backup

Incremental backup An incremental backup will generally be the fastest of the backup methods because it backs up only the files that have changed since the last incremental or full backup. See Chapter 12 for more information.

The OSI model, shown below, is a conceptual framework used to describe network connectivity in 7 distinct layers. What are the layers?

Layer 7- Application Layer- Human/computer interaction layer- this is where applications can access network services. Layer6- Presentation layer- Ensures that data is in a usable format for transmittal and this is also where data is encrypted Layer 5- Session Layer- Maintains connections and is responsible for controlling ports/connections/sessions Layer 4- Transport Layer- - Transmits data using transmission protocols (UDP/TCP) Layer3- Network Layer- decides which physical path the data will take Layer2- Data Link Layer- Defines the format/type of data on the network Layer 1- Physical Layer- Transmits raw bits (stream) over the physical medium

Which of the following does not apply to a hashing algorithm? O Variable-length input with fixed-length output O Collision resistance O Long key size O One-way

Long key size Long key sizes are not applicable to hashing algorithms.

You need to encrypt your hard drive. Which of the following is the best choice? O DES O AES O SHA O RSA

O AES For a hard drive, you want a symmetric cipher and AES is more secure than DES.

In intrusion detection system vernacular, which account is responsible for setting the security policy for an organization? O Root O Director O Supervisor O Administrator

O Administrator An administrator is the term for someone setting security policy in an IDS. Options A, C, and D are not the terms used in the industry.

You are concerned about your backup files becoming infected with malware. Which of the following technologies would be best to protect your backup? O VLAN O Air-gap O SPL O Firewall O DMZ

O Air-gap An air-gapped backup is not exposed to the network and thus is far less likely to become infected. In fact, the only possibility for infection at the moment is that a backup is transferred to the air-gapped storage. If antivirus is run just prior to this action, then the chances of malware in the backup become extremely small. The other options have nothing to do with protecting backups.

0/1 pts You're explaining the basics of security to upper management in an attempt to obtain an increase in the networking budget. One of the members of the management team mentions that they've heard of a threat from a virus that attempts to mask itself by hiding code from antivirus software. What type of virus is she referring to? O Malevolent virus O Worm O Stealth virus O Armored virus

O Armored virus An armored virus is designed to hide the signature of the virus behind code that confuses the antivirus software or blocks it from detecting the virus.

Which of the following terms refers to the process of establishing a standard for security? O Hardening O Methods research O Security evaluation O Baselining

O Baselining Baselining is the term for establishing a standard for security.

Employees in your company are provided smartphones by the company. Which of the following best describes this? O BYOE O BYOD O COPE O CYOD

O COPE Company Owned and provided Device describes company provided cell phones. The other acronyms/answers refer to other approaches to mobile devices.

Due to a breach, a certificate must be permanently revoked and you don't want it to ever be used again. What is often used to revoke a certificate? O PKI O CRA O CYA O CRL

O CRL A certificate revocation list should be used.

Which of the following are on-premise or cloud-based security policy enforcement points? O Cloud access security brokers O VDI/VDES O Feature slugs O Flood guards

O Cloud access security brokers Cloud access security brokers are on-premise or cloud-based security policy enforcement points

Which of the following are on-premise or cloud-based security policy enforcement points? O Cloud access security brokers O VDI/VDES O Flood guards O Feature slugs

O Cloud access security brokers Cloud access security brokers are on-premise or cloud-based security policy enforcement points.

You've been hired as a security consultant for a company that's beginning to implement handheld devices, such as smartphones. You're told that the company must use an asymmetric system. Which security standard would you recommend that it implement? OPKI O SHA O MD O ECC

O ECC Elliptic Curve Cryptography (ECC) would probably be your best choice. ECC is designed to work with smaller processors. The other systems may be options, but they require more computing power than ECC. For additional information, see Chapter 8.

Which cloud delivery model could be considered an amalgamation of other types of delivery models? o Community O Public O Hybrid O Private

O Hybrid The hybrid delivery model can be considered an amalgamation of other types of delivery models.

Which device monitors network traffic in a passive manner? O Sniffer O IDS O Firewall O Web browser

O IDS An IDS monitors network traffic, but it does not take any specific action and is therefore considered passive. Option A is incorrect because sniffers tend to be run for a specific period of time by a human operator. Option C is incorrect; a firewall is for blocking traffic, not monitoring, and is not passive. Option D is incorrect; a web browser is for viewing web pages.

A small company that does not have security staff wants to improve its security posture. Which of the following would BEST assist the company? O laas O SOAR O MSSP O Paas

O MSSP An managed security service provider (MSSP) provides outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning and anti-viral services SOAR stands for Security Orchestration, Automation, and Response. The term is used to describe three software capabilities - threat and vulnerability management, security incident response and security operations automation. IaaS and PaaS are cloud platforms.

What kind of physical access device restricts access to a small number of individuals at one time? O Checkpoint O Perimeter security O Security zones O Mantrap

O Mantrap A mantrap limits access to one individual at a time. It could be, for example, a small room. Mantraps typically use electronic locks and other methods to control access. For more information, see Chapter 10.

Tom has been instructed to find a security standard, applicable to the United States, that will help him develop appropriate security policies. He has found a standard that describes 8 principles and 14 practices that can be used to develop security policies. What standard is Tom most likely reviewing? O ISO/IEC 27001:2013 O NIST 800-14 O NIST 800-12 O ISA/IEC-62443 4

O NIST 800-14

During a training session, you want to impress upon users the serious nature of security and, in particular, cryptography. To accomplish this, you want to give them as much of an overview about the topic as possible. Which government agency should you mention is primarily responsible for establishing government standards involving cryptography for general-purpose government use? O ITU O IEEE O NSA O NIST

O NSA The National Security Administration is responsible for cryptography in the U.S. government, even though those standards by then become NIST standards.

Myra is concerned about database security. She wants to begin with a good configuration of the database. Which of the following is a fundamental issue with database configuration? O Fuzz testing o Stress testing O Input validation O Normalization

O Normalization Normalization is one of the most fundamental aspects of database configuration.

CRL takes time to be fully disseminated. Which protocol allows a certificate's authenticity to be immediately verified? o CRC O CP O OCSP O CA

O OCSP Online Certificate Status Protocol is done in real time.

What is the process of applying manual changes to a program called? O Patching O Service pack 0 Replacement O Hotfix

O Patching

John is working on designing a network for the insurance company where he is employed. He wants to put the web server in an area that has somewhat less security so that outside users might access it. But he does not want that to compromise the security of the rest of the network. What would be John's best approach? O Place the web server in a honeynet O Place the web server on the guest network segment O Place the web server in a DMZ. O Place the web server outside his network

O Place the web server in a DMZ. DMZS are meant to set public-facing servers. The exterior firewall of the DMZ is more permissive than the interior, making the DMZ somewhat less secure. Option A is incorrect; a honeynet is designed to catch attackers, and it should not be obviously less secure than the actual production network. Option B is incorrect; a guest network is not meant to be accessible from the outside world. Option D is incorrect; it would be completely insecure, not just somewhat less secure.

Which cloud delivery model could be considered a pool of services and resources delivered across the Internet by a cloud provider? O Hybrid O Private O Public 0 Community

O Public A public delivery model could be considered a pool of services and resources delivered across the Internet by a cloud provider.

What provides the risk assessment component, in conjunction with the organization with an accurate picture of the situation facing it. O RMG O RAC O BIA O ALE

O RAC

Which access control method is primarily concerned with the role that individuals have in the organization? O STAC О МАС O RBAC O DAC

O RBAC Role-based access control (RBAC) is primarily concerned with providing access to systems that a user needs based on the user's role in the organization. For more information, see Chapter 4.

What encryption process uses one message to hide another? O Steganography O Hashing O Cryptointelligence O MDA

O Steganography Steganography is the process of hiding one message in another. Steganography may also be referred to as electronic watermarking. For additional information, see Chapter 8.

What type of exercise involves discussing possible security risks in a low-stress environment? O Black hat O DHE O White box O Tabletop

O Tabletop A tabletop exercise involves sitting around the table and discussing (with the help of a facilitator) possible security risks in a low-stress format. For more information, see Chapter 12.

Which of the following is the best description of shoulder surfing? O Stealing information from someone's desk O Figuring out how to unlock a secured area O Watching someone enter important information O Following someone through a door they just unlocked

O Watching someone enter important information Shoulder surfing is best defined as watching someone enter important information.

Which of the following involves unauthorized commands coming from a trusted user to the website? Correct Answer O ZDT O XSRF O HSM O TT3

O ZDT

Which of the following cloud models provides clients with servers, storage, and networks but nothing else? O Paas O laas O Daas O Saas

O laas

When to use PSK?

PSK (pre-shared key) was designed for home and small office networks that do not require the complexity of an 802.1X authentication server. WPA/WPA2 Enterprise (requires a RADIUS server) and provides coverage for large entities. WPA/WPA2 Personal (also known as WPA-PSK) is appropriate for use in most residential and small business settings.

A network engineer needs to build a solution that will allow guests at the company's headquarters to access the Internet via WiFi. This solution should not allow access to the internal corporate network, but it should require guests to sign off on the acceptable use policy before accessing the Internet. Which of the following should the engineer employ to meet these requirements? A. Implement open PSK on the APs B. Deploy a WAF C. Configure WIPS on the APs D. Install a captive portal

PSK maintenance would be cumbersome-- Pre-Shared Key (PSK) is a client authentication method that uses a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters, to generate unique encryption keys for each wireless client.Pre-Shared Key (PSK) is a client authentication method that uses a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters, to generate unique encryption keys for each wireless client. Deploying WAF

What is phishing?

Phishing involves sending malicious emails from supposed trusted sources to as many people as possible, assuming a low response rate. For example, a phishing email might purport to be from PayPal and ask a recipient to verify their account details by clicking on an enclosed link, which leads to the installation of malware on the victim's computer. Phishing emails are impersonal, sent in bulk and often contain spelling errors or other mistakes that reveal their malicious intent. The problem is that not everyone notices these subtle hints. Trusted logos and links to known destinations are enough to trick many people into sharing their details.

What type of attach is known as a state-exhaustion attack and will cause a service disruption by over-consuming server resources and/or the resources of network equipment like firewalls and load balancers. A. DNS cache poisoning B. Domain hijacking C. HTTP flood D. Protocol attack

Protocol attacks, also known as a state-exhaustion attacks, cause a service disruption by over-consuming server resources and/or the resources of network equipment like firewalls and load balancers. Protocol attacks utilize weaknesses in layer 3 and layer 4 of the protocol stack to render the target inaccessible.

Which of the following policies would help an organization identify and mitigate potential single points of failure in the company's IT/security operations? O Awareness training O Least privilege O Mandatory vacation O Separation of duties

Separation of duties

After entering a username and password, an administrator must draw a gesture on a touch screen. Which of the following demonstrates what the administrator is providing? O Multifactor authentication O Biometrics O .Two-factor authentication O Something you can do

Something you can do

What kind of attack is this? A spoofed email is sent to an enterprise's sysadmin from someone claiming to represent www.itservices.com, a database management SaaS provider. The email uses the itservices.com customer mailing template. The email claims that itservices.com is offering a free new service for a limited time and invites the user to sign up for the service using the enclosed link. After clicking on the link, the sysadmin is redirected to a login page on itservice.com, a fake website identical to the itservices.com registration page. At the same time, a command and control agent is installed on the sysadmin's machine, which can then be used as a backdoor into the enterprise's network to execute the first stage of an APT.

Spear phishing

What is spear phishing? and whaling?

Spear phishing is a social engineering attack in which a perpetrator, disguised as a trusted individual, tricks a target into clicking a link in a spoofed email, text message or instant message. As a result, the target unwittingly reveals sensitive information, installs malicious programs (malware) on their network or executes the first stage of an advanced persistent threat (APT

Which encryption ciphers are used by WPA and WPA2 for

TKIP and AES

When going with a public cloud delivery model, who is accountable for the security and privacy of the outsourced service? O The organization O The cloud provider and the organization O The cloud provider O No one

The organization Ultimately, the organization is accountable for the choice of public cloud and the security and privacy of the outsourced service.

A security auditor is reviewing vulnerability scan data provided by an internal security team. Which of the following BEST indicates that valid credentials were used? O The scan identified expired SSL certificates O The scan enumerated software versions of installed programs O The scan results show open ports, protocols, and services exposed on the target host O The scan produced a list of vulnerabilities on the target host

The scan results show open ports, protocols, and services exposed on the target host

After reading a security bulletin, a network security manager is concerned that a malicious actor may have breached the network using the same software flaw. The exploit code is publicly available and has been reported as being used against other industries in the same vertical. Which of the following should the network security manager consult FIRST to determine a priority list for forensic review? O The full packet capture data O The vulnerability scan output O The IDS logs O The SIEM alerts

The vulnerability scan output IDS logs-inspect network packets and block suspicious ones, as well as alert administrators about attack attempts. Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources.

You're redesigning your network in preparation for putting the company up for sale. The network, like all aspects of the company, needs to perform at its best in order to benefit the sale. Which model is used to provide an intermediary server between the end-user and the database? o Two-tiered 0 One-tiered 0 Three-tiered 0 . Relational database

Three-tiered A three-tiered architecture has an intermediary server.

It has been brought to your attention that a would-be attacker in Indiana has been buying up domains based on common misspellings of your company's name with the sole intent of creating websites that resemble yours and prey on those who mistakenly stumble onto these pages. What type of attack is this known as? o Typo squatting o Watering hole O Poisoned well O Faulty tower .

Typo squatting Typo squatting involves creating domains that are based on the misspelling of another

A system administrator has configured a security log to record unexpected behavior and review the logs for suspicious activity. Consider various types of audits to determine which type aligns with this activity. Correct! Usage auditing O Information security audit O Permission auditing 0 Compliance audit

Usage auditing Usage auditing means configuring the security log to record key indicators and then reviewing the logs for suspicious activity. Behavior recorded by event logs that differs from expected behavior may indicate everything from a minor security infraction to a major incident . Permission auditing is put in place so that privileges are reviewed regularly. This includes monitoring group membership and access control lists for each resource plus identifying and disabling unnecessary accounts. An information security audit measures how the organization's security policy is employed and determines how secure the network or site is that is being audited. A compliance audit reviews a companies policies and procedures and determines if it is in compliance with regulatory guidelines.

When you combine phishing with Voice over IP, it is known as: O Spoofing O Vishing O Spooning 0 Whaling

Vishing

Which of the following fully implements the 802.11i security standards? O WEP O WAP O WPA2 O WPA

WPA2 fully implements 802.111. WEP and WPA do not. WAP is Wireless Access Point and is not a security mechanism.

A security assessment determines DES (data encryption standard) and 3DES are still being used on recently deployed production servers. Which of the following did the assessment identify? O Default settings O Weak encryption O Open permissions O Unsecure protocols

Weak encryption

What type of bot scans content on webpages all over the Internet? A.. Googlebot B. Web crawler C Social bot D. Chatbots

Web crawlers (Googlebots): Bots that scan content on webpages all over the Internet

A cybersecurity administrator needs to add disk redundancy for a critical server. The solution must have a two-drive failure for better fault tolerance. Which of the following RAID levels should the administrator select? a. 0 b. 1 c. 5 d. 6

b. 1

Which algorithm is used to create a temporary secure session for the exchange of key information? O SSL ORSA Ο ΚΕΑ O KDC

Ο ΚΕΑ The Key Exchange Algorithm (KEA) is used to create a temporary session to exchange key information. This session creates a secret key. When the key has been exchanged, the regular session begins. For more information, see Chapter

Upper management has suddenly become concerned about security. As the senior network administrator, you are asked to suggest changes that should be implemented. Which of the following access methods should you recommend if the technique to be used is one that is primarily based on preestablished access and can't be changed by users? О МАС O DAC O RBAC O Kerberos

О МАС- Mandatory Access Control Mandatory access control cannot be modified by users and is considered more secure. Option B is incorrect-DAC provides the user's flexibility and is less secure. Option C is incorrect; RBAC is not based on pre-established access, but rather roles. Option D is incorrect; Kerberos is an authentication protocol, not an access method.