Security+ Wrong Answers


You need to utilize certificates for a new web application so that users can trust that the application is connecting to an authenticated server that belongs to your organization. In cryptography, which of the following information assurance objectives is met by using digital certificates?

Authentication is correct. Encrypted digital certificates are used to identify users electronically on a network and satisfy the information assurance objective of authentication.

Which of the following security mitigation techniques is most likely to help detect a zero-day attack targeting an organization's users?

Awareness training is correct. With awareness training, users can recognize the signs of suspicious messages, viruses, malware, and phishing links that should be brought to the attention of the administrator before they spread through the company's network. This can be effective even if there are no signatures available for a threat.

Which type of study reveals the effect that realized threats could have on the operation of an organization?

Business impact analysis is correct. A business impact analysis identifies how personnel, data systems, clients, and revenue will be affected if a threat is realized. Risk analysis is incorrect. A risk analysis is conducted before a business impact analysis; otherwise, the threats would not yet have been identified. Incident response is incorrect. Incident response defines what is to be done when a threat is realized, but it does not specify how regular business operations are affected. Security audit is incorrect. Security audits identify vulnerabilities and policy noncompliance.

Your manager asks you to identify the amount of time and personnel required to address a worm virus infection on the corporate WAN. You estimate it would take six technicians two days to remove the infection, at a total cost of $2800. Which type of analysis would this dollar figure best relate to?

Business impact analysis is correct. A business impact analysis studies the impact (financial in this case) that an incident presents to a business.

Which of the following is a framework composed of 20 control groups covering topics that range from hardware inventory to penetration testing within an organization?

CIS Controls is correct. The Center for Internet Security (CIS) Critical Security Controls (CSC), otherwise known as the "Top 20 Controls" or "CIS Controls," is a framework composed of 20 control groups covering topics that range from hardware inventory to penetration testing within an organization. The underlying thesis for the CSC framework is to pare down the controls to those that are most critical, helping prevent organizations from becoming overwhelmed or choosing the wrong controls to apply to reduce risk.

You have just enabled SNMP on all your servers so that you can monitor them from a central monitoring station. Which of the following actions should you perform to increase security when using SNMP?

Change the "public" community name is correct. The default community name for the Simple Network Management Protocol (SNMP), "public," acts as a password between the SNMP monitor and the device. If you do not change the default, any user with an SNMP monitor can access the device using the "public" community string.

Which of the following is not an official privacy role?

Chief information security officer is correct. Although the chief information security officer (CISO) may participate in the privacy process, the CISO does not need to be designated within an official privacy role. Data owner, data controller, and data steward are incorrect. These are official privacy roles.

A malicious user, Daniel, gains access to a corporate Wi-Fi network where two other users are exchanging data. Daniel captures network traffic between the two communicating victims, modifies it, and sends it back on the network. How could this type of attack be prevented?

Computer authentication using PKI is correct. Public Key Infrastructure (PKI) certificates from a trusted source could be configured on the two computers. Network traffic from hosts not using a trusted PKI certificate could then be ignored. Jumbo frames is incorrect. Jumbo frames are oversized Ethernet packets (larger than 1514 bytes) designed to transmit more data in a single transmission. This increases performance but not security. ARP computer authentication is incorrect. There is no such thing as ARP computer authentication. Hard disk encryption is incorrect. Hard disk encryption secures locally stored data but does nothing when transmitting data on a network.

A user reports that when he connects to a secured web site at https://www.fakeacmewidgets.com, the web address changes to http://www.fakeredirect.uk, but the web site content looks the same. The user has never noticed this URL change before. What type of attack does this behavior indicate?

Correct Answer: DNS poisoning is correct. DNS poisoning can redirect requests for a legitimate web site address to another web server that may gather personal user information such as account numbers or passwords. Incorrect Answers: ARP poisoning is incorrect. ARP poisoning relies on victim stations having a malicious MAC address entry such that a malicious user receives network traffic that should be destined for a legitimate device. Cross-site scripting is incorrect. Cross-site scripting refers to malicious code entered on web sites that executes on client web browsers. DoS is incorrect. Denial of service attacks render a network service unusable to legitimate users.

Which type of SOC report focuses on the efficacy of security controls required to meet trust principles?

Correct Answer: SOC 2 Type 1 is correct. SOC 2 Type 1 documents IT systems and business processes to ensure compliance with security trust requirements. Incorrect Answers: SOC 2 Type 2 is incorrect. SOC 2 Type 2 documents the operation efficacy of IT systems within a specified time frame. SOC 2 Type 3 and SOC 2 Type 4 are incorrect. Both of these are invalid SOC 2 report types.

Which of the following statements regarding capturing wireless network traffic with a packet sniffer are true? (Choose two.)

Correct Answers: "Most wireless routers behave as hubs do; all wireless clients exist in a single collision domain" and "Wireless router administrative credentials sent over HTTP are vulnerable" are correct. Most wireless routers do not isolate wireless client connections; this means once you have connected to the wireless network and begun a network capture, you will see all wireless client traffic. Newer wireless routers support isolation mode, which behaves much like an Ethernet switch (each port is its own collision domain). Most wireless routers use HTTP to transmit administrative credentials. Capturing this traffic means the credentials can easily be learned; HTTPS should be configured so that administrative credentials are encrypted.

An organic food retail chain is adding six new stores within the next month. Each retail store outlet will accept cash, debit, and credit card payments. To satisfy the board of directors, the IT staff is asked to provide a solution that will ensure data transfers to unauthorized locations can be monitored and/or blocked. What kind of solutions should the IT staff investigate?

DLP is correct. Data loss prevention (DLP) ensures that private data stays private. This can be done with deep packet inspection of data such as e-mail messages and attachments leaving an intranet, data entering or leaving the cloud, data copied to media, data sent to printers, and so on. Incorrect Answers: HSM is incorrect. HSMs perform cryptographic duties, thus eliminating the need for a host computer to perform these duties. While this can protect data, it is not as all-encompassing a solution as DLP. ARP is incorrect. ARP is a TCP/IP protocol that often uses broadcasts to resolve IP addresses such as 192.168.1.1 to hardware MAC addresses such as 00-24-D6-9B-08-8C. SSL is incorrect. SSL is an application-specific network encryption solution, but it does nothing for data at rest (stored files). TLS is incorrect. TLS is a network security protocol commonly used to secure web application connections using HTTPS.

You need to implement a solution that can help prevent sensitive data from being leaked out of the company via e-mail, texting, file copying, and social media file sharing. What type of solution should you consider?

DLP is correct. Data loss prevention (DLP) solutions can be implemented to limit data leakage outside of the organization. This could be achieved with embedded watermarks on photos and videos and the limited ability to send e-mail file attachments only to users within the organization.

Which of the following is not a valid privacy role within an organization that is required to comply with the GDPR?

Data assessor is correct. The General Data Protection Regulation (GDPR) does not designate a data assessor privacy role.

Your users have home directories on server ALPHA. You have set the security such that users have full control over file permissions in their own home directories. Which term best describes this configuration?

Discretionary access control is correct. Discretionary access control (DAC) gives the resource owner (the user owns his or her home directory and its contents) control of assigning permissions to that resource. Mandatory access control is incorrect. Mandatory access control (MAC) is a model whereby administrators or computer operating systems determine what permissions are granted in accordance with established policies. Role-based access control is incorrect. Role-based access control (RBAC) assigns permissions to a role. The occupant of that role inherits those permissions. User account control is incorrect. User account control is a Windows operating system mechanism that requires administrator approval to modify operating system configurations.

You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests to block certain content types before they leave the network based on operational priorities. Which of the following solutions should you recommend to meet these requirements?

Due to the requirements provided, you should install a NIPS on the gateway router's internal interface and a firewall on the external interface of the gateway router.

Which technique can easily reveal internal business procedures and computing configurations?

Dumpster diving is correct. Dumpster diving involves analyzing discarded documentation to learn about a company's operations, view employee names and e-mail addresses, and so on.

Which of the following are considered benefits of server virtualization? (Choose two.)

Efficient application of software updates and centralized data storage are correct. Because virtualized servers could be running on the same physical host, patch deployment is efficient. Virtualized servers often use shared disk storage, thus centralizing data and making backups quicker and easier. Incorrect Answers: Faster network access is incorrect. Virtualized servers are not faster than physical servers, although their deployment often is. Virtual machine sprawl results from the ease of deploying virtual machines and forgetting about them over time as their use declines. Cheaper software licensing is incorrect. Licensing for virtualized servers is not always cheaper than it is for physical hosts.

You would like to ensure that an authentication server is always available. Two authentication servers are clustered together with the authentication data stored on shared disk storage. What must be done to eliminate any single points of failure? (Choose two.)

Enable a second NIC in each cluster node and configure the shared disk storage with RAID 1 are correct. A second NIC (network interface card) ensures that network communication continues if one NIC fails. With RAID level 1, also called disk mirroring, data written to one disk is also written to a second disk for safety.

You are setting up a remote access connection to a nearby branch office so that you can perform administration on their network without having to physically be at the branch office. Which of the following is the best deterrent for on-path attacks on your remote access connection?

Encrypt the connection is correct. An on-path attack is performed by a hacker who uses a protocol analyzer to intercept network packets before they reach their destination. Use encryption to make sure that the hacker cannot read the intercepted packets.

Which of the following techniques can you implement to prevent command injection?

Escape command characters is correct. Escaping is a technique used when processing input fields to process command characters inserted into the input as text data to prevent commands from being run.

You are developing a web application and are performing testing of the input fields for web forms. Which of the following techniques can you use to make sure that operating system commands cannot be inserted into your web forms and executed?

Escaping is correct. Escaping is a secure coding technique that ensures that any system commands are not processed and executed as actual commands; instead, they are only recognized as text.

A technician connects to an Internet SMTP host using the telnet command and issues the following commands:

```
Helo smtp1.acme.ca
Mail from:[email protected]
Rcpt to:[email protected]
Data:Subject:Linux versus Windows
Hi Bill. Please take note that open source software is set to achieve world dominance.
Thanks.
- The Pres
```

How can these two users prevent this type of attack? (Choose two.)

Exchange public keys and digitally sign e-mails using private keys are correct. A private key is used by the sender to generate a unique signature for an e-mail message. The recipient uses the related sender public key to verify the validity of the signature. Spoofed SMTP messages cannot have a valid digital signature, since hackers will not have access to the sender's private key.

You are configuring laptops for your organization's sales engineers, who will be visiting customer sites to perform technical integration and troubleshooting of your organization's products installed there. The laptops contain several proprietary applications that should not be distributed outside of your organization. Which of the following actions should you take to help secure the contents of the laptops?

Full-disk encryption is correct. You can encrypt the contents of the laptops' hard drives so that they can't be accessed without a passphrase or other measure entered by the sales engineers.

You must determine which TCP port a custom seismic activity application uses in order to configure a firewall rule allowing access to the program. The application is running on a host named ROVER that also runs other custom network applications. Users connect to an internal web site, which in turn connects to ROVER to use the custom application. How can you find out which TCP port the custom application uses?

Generate activity to the seismic activity app and capture the traffic is correct. Using a protocol analyzer (packet sniffer) such as Wireshark or the Linux tcpdump command to capture the relevant network traffic from the web site to ROVER will reveal the TCP port being used by examining the TCP packet header. This enables technicians to use the port number to configure application or network-based firewall rules correctly.

Which item offloads the cryptographic processing responsibilities of a host computer?

HSM is correct. HSM devices perform cryptographic calculations, thus eliminating this task from the host computer system.

With which term is nonrepudiation most closely associated?

Hashing is correct. Hashing feeds data into a one-way algorithm, which results in a unique value that can be recomputed and compared against the original in the future. Digitally signing a message encrypts the message hash with a private key. Because the private key is held only by the owner, the owner cannot deny having signed the message; this is also referred to as nonrepudiation. Encryption is incorrect. Encryption provides confidentiality, not assurances of message authenticity. Block cipher is incorrect. Block ciphers are algorithms that encrypt data one block at a time. Stream cipher is incorrect. Stream ciphers are algorithms that encrypt data one bit at a time.

Which of the following is not a constraint to be considered within an embedded or specialized system?

Heat is correct. Heat is not generally a factor within an embedded and specialized system.

You are creating a VPN for your organization so that users can access the network via the Internet when working remotely from home and when traveling. Which of the following protocols should you use to encrypt VPN traffic?

IPSec is correct. IP Security (IPSec) provides encryption, integrity, and authentication for data tunneled over virtual private networks (VPNs) across public networks.

You want to create a website for your new technical support business. You decide to purchase an on-demand cloud-based server and install Linux, Apache, and WordPress on it to run your website. Which of the following best describes which type of service you have just purchased?

IaaS

Your company manufactures bolts. A partner company manufactures nuts. The partner company requires access to your manufacturing data, which is available on your internal web server. What should you configure?

Identity federation is correct. Identity federation uses security tokens generated by a trusted identity source to allow access to resources such as web sites. The federation trust between parties is established using PKI certificates. Proxy server is incorrect. Proxy servers retrieve Internet content for users. Router is incorrect. Routers route network traffic between networks using the most efficient route. SSL is incorrect. SSL secures communications (authentication and encryption) between two parties communicating over a network.

SAML implementations have three basic roles: the __________, the identity provider, and the service provider.

Identity is correct. The three roles within a Security Assertions Markup Language (SAML) implementation are the identity, the identity provider, and the service provider.

What can be done to harden a public e-commerce web server, assuming default ports are being used? (Choose two.)

"Install a PKI certificate and enable TLS" and "Do not use an administrative account to run the web server" are correct. You can enable TLS and install a PKI certificate on a web server. Web servers run with a user account, and this should be a limited account with limited system privileges in case the web server is compromised by an attacker.

Which of the following security measures would best protect wireless clients from network attacks while they are connecting remotely?

Install a host-based firewall is correct. The host-based firewall software can be used to protect a user's confidential local data against many types of possible attacks for both incoming and outgoing connections on both wireless and wired networks when the user is away from the office.

What term describes a trusted third party possessing decryption keys?

Key escrow is correct. A key escrow holds decryption keys in trust and is not related to the company, institution, or government agency that issued the keys. The keys can be used in the event of a catastrophe or because of legal requirements.

To help prevent security vulnerabilities, which of the following can you implement outside of the development cycle to improve the quality of the software code?

Known environment penetration testing is correct. Known environment penetration testing is performed in the testing cycle after the code is generated.

As the IT administrator for your organization, you have been contacted by your organization's general counsel and instructed to begin collecting evidence for a pending investigation of an employee's alleged use of the organization's network for illegal purposes. What do you need to formally initiate?

Legal hold is correct. If your legal counsel determines that evidence should be collected for any reason, be it a pending investigation, litigation, or other situation where evidence would be required, a legal hold must be formally initiated. A legal hold halts the usual backup and disposition processes, and immediately puts your personnel into data protection mode.

A lawyer for a dismissed employee notifies the IT department that for evidence admissibility reasons, the employee's laptop must be securely stored and all connectivity and modifications related to the machine must be strictly prohibited. Which term does this scenario most closely relate to?

Legal hold is correct. Legal hold is a preservation order sometimes issued during e-discovery to ensure that potential evidence is immutable, meaning that it cannot be modified. Order of volatility is incorrect. The order of volatility describes the fragility of digital evidence and, as a result, the order in which it should be gathered. For example, acquiring the contents of a machine's RAM should be done before obtaining the data from its hard drive, because the RAM contents will be erased when the target machine is powered off. Data sovereignty is incorrect. Data sovereignty refers to applicable laws and regulations based on the physical location of digital data. Chain of custody is incorrect. The chain of custody requires the gathering of potential evidence to be done legally while ensuring the secure documentation and storage of that evidence.

You are a cybersecurity leader for an organization that doesn't currently utilize threat intelligence. You would like to begin using a program that catalogs emerging tactics, techniques, and procedures being used within attacks globally. Which of the following best suits this desire?

MITRE ATT&CK is correct. MITRE created the ATT&CK framework to help catalog emerging tactics, techniques, and procedures (TTPs) being used within attacks globally.

What can an administrator configure to prevent users from reusing old passwords within a short period of time? (Choose two.)

Minimum password age and password history are correct. Minimum password age is the amount of time that must pass before users can reset their passwords again. Combined with password history, this can prevent users from changing their passwords multiple times (password history) to the point where they can reuse old passwords within a short period of time.

You are designing authentication services for a highly secure facility. Which of the following authentication models would provide the most security for physical access?

Multifactor authentication is correct. Multifactor authentication is very secure and means that users must provide at least two unique identification factors, such as an access card, a PIN, and a fingerprint scan.

Which of the following is an example of a weak configuration?

Not disabling the account to disallow use is correct. To best protect an account, you should disable it so it cannot be used.

You have just received a phishing email disguised to look like it came from [email protected] asking you to send your username and password because your account has been locked out due to inactivity. Which of the following social engineering principles is being used in this email?

OBJ-1.1: Trust is a commonly used social engineering technique during a social engineering campaign. It relies on making the email appear to have come from a trusted source, such as your IT support department or a company you frequently utilize. Often, the "display name" of the email is set to something like [email protected] or [email protected] to trick you into replying. Trust can also be used by pretending to be someone you know and trust in real life, such as a coworker or family member.

You just received a notification that your company's email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?

OBJ-1.1: You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, you will need to conduct more research to determine the best method to solve the underlying problem.

What kind of attack is an example of IP spoofing?

OBJ-1.4: An on-path attack (formerly known as a man-in-the-middle attack) intercepts communications between two systems. For example, in an HTTP transaction, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attacker. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. ARP Poisoning, also known as ARP Spoofing, is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN to change the pairings in its IP to MAC address table. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser-side script, to a different end user.

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst?

OBJ-1.7: Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn't contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.

A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?

OBJ-1.7: Since the college wants to ensure a centrally-managed enterprise console, an active scanning engine installed on the enterprise console would best meet these requirements. The college's cybersecurity analysts could then perform scans on any devices connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the agents' installation onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.

What is a reverse proxy commonly used for?

OBJ-2.1: A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users' devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server's response back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.

Dion Training wants to install a new accounting system and is considering moving to a cloud-based solution to reduce cost, reduce the information technology overhead costs, improve reliability, and improve availability. Your Chief Information Officer is supportive of this move since it will be more fiscally responsible. Still, the Chief Risk Officer is concerned with housing all of the company's confidential financial data in a cloud provider's network that might be shared with other companies. Since the Chief Information Officer is determined to move to the cloud, what type of cloud-based solution would you recommend to account for the Chief Risk Officer's concerns?

OBJ-2.2: A SaaS (Software as a Service) solution best describes an accounting system or software used as part of a cloud service. This meets the CIO's requirements. To mitigate the concerns of the Chief Risk Officer, you should use a private cloud solution. This type of solution ensures that the cloud provider does not commingle your data with other customers' data and provides dedicated servers and resources for your company's use only.

Dave's company utilizes Google's G-Suite environment for file sharing and office productivity, Slack for internal messaging, and AWS for hosting their web servers. Which of the following types of cloud deployment models is being used?

OBJ-2.2: Multi-cloud is a cloud deployment model where the cloud consumer uses multiple public cloud services. In this example, Dave is using the Google Cloud, Amazon's AWS, and Slack's cloud-based SaaS product simultaneously. A private cloud is a cloud that is deployed for use by a single entity. A public cloud is a cloud that is deployed for shared use by multiple independent tenants. A community cloud is a cloud that is deployed for shared use by cooperating tenants.

You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company's manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat?

OBJ-2.6: The most immediate protection against this emergent threat would be to block the web interface from being accessible over the network. Before doing this, you must evaluate whether the interface needs to remain open for the system to function properly. If it is not needed, you should block it to minimize the SCADA/ICS component's attack surface. Ideally, your SCADA/ICS components should already be logically or physically isolated from the enterprise network. Since the question doesn't mention the networks as an area of concern, we can assume they are already following the industry best practice of logical or physical segmentation between the SCADA/ICS network and the enterprise network. On the exam, make sure you focus on the question being asked. In this case, the question focuses on the web interface. Developing a patch can be a time-consuming process, therefore waiting for the manufacturer to provide a patch will not provide immediate protection to your components. The same is true for replacing the affected components. Even if you could get the company to authorize the funding for such a purchase, it would take time to order, ship, receive, and install the new components. Additionally, you would cause unwanted downtime in the factory during the installation of the components, making it an ineffective option when simply blocking the web interface is free, quick, and effective.

You just received an email from Bob, your investment banker, stating that he completed the wire transfer of $10,000 to your bank account in Vietnam. The problem is, you do not have a bank account in Vietnam, so you immediately call Bob to ask what happened. Bob explains that he received an email from you requesting the transfer. You insist you never sent that email to Bob initiating this wire transfer. What aspect of PKI could be used to BEST ensure that a sender sent a particular email message and avoid this type of situation?

OBJ-2.8: Non-repudiation means that a sender cannot claim they didn't send an email when they did. A digital signature should be attached to each email sent to achieve non-repudiation. The digital signature is created by computing a digital hash of the email's contents and then encrypting that hash using the sender's private key. The receiver can then decrypt the hash using the sender's public key, recompute the hash of the received message, and compare the two to verify the message's integrity and the sender's identity.

A firewall administrator has configured a new screened subnet to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (Screened Subnet) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the screened subnet for the Chief Security Officer to work from his home office after hours. The CSO's home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?

OBJ-3.3: Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ (screened subnet), so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only "permit 143.27.43.32 161.212.71.14 RDP 3389" could be correct.

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data?

OBJ-3.3: The organization should enable sampling of the data collected. Sampling can help them capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provides useful information. Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to run high-priority applications and traffic dependably, but that does not help in this situation. Compressing NetFlow data helps save disk space, but it does not increase the capacity of the bottleneck of 2 Gbps during collection. Enabling full packet capture would take even more resources to process and store and not minimize the bottleneck of 2 Gbps during collection.

You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, the CIO starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you don't have the answers to the CIO's questions, yet. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved?

OBJ-4.2: To maintain a disciplined approach to incident response, the organization needs to document and follow procedures developed during the preparation phase. The SOC should have a call list or an escalation list as part of those procedures. This list should detail who should be called, in what order, and how high up the organizational leadership chart a particular issue would reach. In almost every case, the incident response team lead should be contacted before the CEO or CIO is notified of the incident. When companies go "right to the top" of the leadership chart, the CEO and CIO will be acting on half-true or unverified information during the start of an incident response process. Instead, an established form for incident detail collection should be completed, the right technical leads should be notified of the incident, and the incident response team should be called in to analyze the information and provide a quick "stand up" report to leadership on what the issue is, what has already been done, and what they recommend doing from here to resolve the incident. All of the other options are best practices to consider and develop in the preparation phase. Still, they would not have solved the issue in this scenario of senior leadership being notified before the incident response team lead.

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?

OBJ-4.3: The Syslog server is a centralized log management solution. By looking through the Syslog server's logs, the technician could determine which service failed on which server since all the logs are retained on the Syslog server from all the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could help determine which server was offline, but not what caused the interruption. Firewall logs would only help determine why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.

Your organization is updating its Acceptable Use Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement?

OBJ-5.3: Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest's need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question's sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization's RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period?

OBJ-5.4: Mean time to repair (MTTR) is a basic measure of the maintainability of repairable items. It represents the average time required to repair a failed component or device.

Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24-hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements?

OBJ-5.4: Since the RPO must be within 24 hours, daily or hourly backups must be conducted. Since the requirement is for backups to be conducted at a specific time each week, hourly snapshots would not meet this requirement, and they are not easily transported since they are conducted as a disk-to-disk backup. Replication to a hot site environment also doesn't allow for transportation of the data to an off-site facility for storage, and replication would occur continuously throughout the day. Therefore, a daily incremental backup should be conducted, since it will require the least amount of time to complete. The tapes can be easily transported for storage and restored incrementally from tape, starting from the last full backup that was conducted.

Your organization is updating its incident response communications plan. A business analyst in the working group recommends that if the company discovers they are the victims of a data breach, they should only notify the affected parties to minimize media attention and bad publicity. Which of the following recommendations do you provide in response to the business analyst's statement?

OBJ-5.5: Guidance from various laws and regulations must be considered when deciding who must be notified to avoid fines and judgments. The requirements for different types of data breaches are set out in laws/regulations. The requirements indicate who must be notified. Other than the regulator itself, this could include law enforcement, individuals and third-party companies affected by the breach, and public notification through the press or social media channels. For example, the Health Insurance Portability and Accountability Act (HIPAA) sets out reporting requirements in legislation, requiring breach notification to the affected individuals, the Secretary of the US Department of Health and Human Services, and, if more than 500 individuals are affected, to the media.

What can be done to secure virtualized operating systems?

Patch the virtual machine OS is correct. Patching a virtual OS is just as important as patching the OS on the physical host. To attackers on a network, virtual hosts generally appear as physical hosts, whether the OS is server-based or, in the case of virtual desktop infrastructure (VDI), client-based.

Which type of attack attempts to trick users into providing their legitimate web site credentials to access malicious web sites?

Phishing is correct. Phishing scams often manifest themselves as web site links within official-looking e-mail messages asking a user to confirm her account information or something similar. The unsuspecting user is then redirected to a malicious web site that captures the credentials she enters. Incorrect Answers: Spam is incorrect. Spam is junk e-mail, which could be unsolicited legitimate advertising. Cross-site scripting is incorrect. Cross-site scripting is a type of attack whereby an attacker injects malicious code into a web page that will be viewed by others, thus running the code on their computers. Social engineering is incorrect. Social engineering involves tricking people into divulging some kind of private information such as passwords, but this is a broad term and not as specific as phishing.

You are setting up your network, which spans several different floors of an office building. You want to subdivide the network using logical methods to prevent cross-network chatter and improve access security, but several departments have employees on different floors and sections of the building. Which of the following techniques should you implement?

Port-based VLAN is correct. Using a port-based virtual local area network (VLAN), you can assign specific router and switch ports to different VLANs, which allows you to assign any network segment on any floor of your office to a specific VLAN. This provides flexibility so that the user's location does not limit his or her network access.

Which key does a secured web server use to decrypt a client session key? (Choose the best answer)

Private key is correct. Web browsers generate a unique session key that is encrypted with the web server's public key and sent across the network. The web server then uses its mathematically related private key to decrypt the message to expose the session key. Incorrect Answers: Public key, symmetric key, and asymmetric key are incorrect. The private key is used for decryption.

What type of server provides centralized authentication services for devices such as Ethernet switches and wireless routers?

RADIUS is correct. RADIUS (Remote Authentication Dial-In User Service) servers provide centralized authentication. RADIUS clients such as wireless routers and Ethernet switches forward client requests to a RADIUS server for authentication before allowing network access. This type of authentication is a variation of network access control (NAC). Checking requesting clients for other items, such as applied updates, up-to-date virus signature databases, and so on, requires a client agent.

Which of the following encryption algorithms is considered the strongest?

RSA 1024-bit is correct. RSA (Rivest, Shamir, Adleman) 1024-bit is a secure asymmetric encryption algorithm. SHA-1 is incorrect. SHA-1 is not an encryption algorithm; it is a hashing algorithm (Secure Hash Algorithm) used to verify data integrity. WEP 128-bit is incorrect. Even though WEP has a cipher strength of 128 bits, its implementation is poor, thus making it vulnerable to IV attacks. DES is incorrect. DES is an outdated 56-bit block cipher that is considered inferior to RSA.

Which of the following aspects of your company's network or systems does not provide redundancy in the event of a failure?

Redundant routers for the same ISP is correct. Although you have redundancy at the router level, if your Internet service provider (ISP) communications fail, there are no backup communications. You should have at least one more communications line to a different ISP.

You are developing a web-based software application that utilizes user ID and password authentication mechanisms. Which of the following methods can you use to prevent session cookie hijacking?

Regenerate session keys and IDs after a successful login is correct. To protect against session cookie hijacking (a type of attack in which an unauthorized user uses a session cookie from another authenticated user to access the application), web applications should regenerate session keys and IDs after a successful login so that a secondary attempt to use the same session credentials from a hijacked cookie will not work.

You have just discovered that several user accounts are still active for employees who have long since left the organization or were let go from the company. After changing the passwords and disabling the accounts, which of the following would be best to implement to prevent this security issue from recurring?

Regular audit of personnel credentials is correct. By regularly checking user accounts and permissions, you ensure that current users only have the rights and permissions required for their current positions. If you find accounts from users who have left the organization, you can disable those accounts.

In crafting your DRP, you outline the procedure in which PKI user-encrypted files for damaged user accounts can be decrypted. Which statement regarding this plan is correct?

Restore user private keys from backup is correct. In a PKI environment, users have a pair of mathematically related keys that can be stored in a certificate file, in a directory service, on a smart card, and so on. Private keys are used to decrypt files; the public key is used to encrypt.

You are running several web servers for different client websites and you want to consolidate some services to improve resource usage on your underutilized server hardware. You also want to make sure that security issues with one client web service will not affect the web service of other clients. Which of the following technologies should you implement?

Run each client web service in a virtual machine is correct. Using virtualization, you can run each client's website on a separate virtual machine (VM) running on the same hardware platform. This allows you to run several VMs on one system, and each VM is isolated from the others, thus preventing security issues with one client web service from affecting other client web services.

What type of system would be used for monitoring and notification of real-time data at a manufacturing site?

SCADA is correct. Supervisory Control and Data Acquisition (SCADA) consists of hardware and software components to acquire data, monitor equipment, and notify of any hazardous conditions that may exist. The data is gathered and manipulated in real time. SCADA is often used in industrial control system (ICS) environments. SNMP is incorrect. Simple Network Management Protocol (SNMP) is used to monitor specific values, or counters, for network devices. Cloud computing is incorrect. Cloud computing offers IT services over a network. These services can be rapidly provisioned and deprovisioned from a self-service web portal, and usage is metered. Virtualization is incorrect. Virtualization enables multiple operating systems to run concurrently on a single set of computing hardware.

An exported NFS folder named Toronto on a Linux system has the following permissions set:

```
rwx - owner - root
r-x - group - accounting
```

The parent folder restricts access only to the root account. The root account is a member of the accounting group. User Sean is not given access to the root account, and he is not a member of the accounting group. Which of the following statements is true?

Sean is implicitly denied access to the Toronto folder is correct. Implicit denial means that a subject ends up being denied through indirect association rather than by an explicit rule. This applies not only to file system security but also to firewall rule sets. Only user root has access to the parent folder; everybody else is implicitly denied access, including Sean. "Sean is explicitly denied access to the Toronto folder" is incorrect. Sean is implicitly denied, not explicitly denied, access. "The root account is implicitly allowed access to the Toronto folder" and "The root account has r-x to the Toronto folder" are incorrect. The root account (owner) is explicitly, not implicitly, granted rwx (read, write, execute) permissions to the Toronto folder.

Which of the following is the best method to mitigate DNS attacks?

Secure authenticated zone transfers is correct. Domain Name Service (DNS) poisoning attacks can be mitigated by ensuring that your DNS server updates its information only from authoritative sources by proper authentication or the use of secure communications.

Your organization currently has only two external public IP addresses available but needs to share these IPs with several internal hosts that require external IP addresses for connectivity. Which of the following should you implement?

Security device with NAT capabilities is correct. Using network address translation (NAT) on a firewall device, you can share an external address with several internal IP addresses of devices protected by the firewall.

Which type of log would list failed logon attempts?

Security log is correct. The Windows Security log shows auditing entries related to activity such as logon attempts or file access. Access log, Event log, and Application log are incorrect. They are not as likely to contain failed logon attempts as an audit log is.

You are developing a web application that requires strong security controls. Which of the following secure coding practices helps prevent cross-site request forgery attacks?

Session cookie authentication is correct. Cross-site request forgery (XSRF/CSRF) is a type of attack that tricks a user into navigating to a website that contains malicious code. To prevent XSRF/CSRF attacks, a web application must verify that a request came from an authorized user. Web applications can require a second identifying value saved in a cookie that is compared with every single request to the website.

Your small company has quickly grown into a midsize company with approximately 200 users. You currently have assigned separate usernames and passwords for three different servers utilized by your users, but you will be adding several more servers to scale with your increased number of users. Which of the following authentication methods would be the most efficient to implement?

Single sign-on to a directory server is correct. Single sign-on (SSO) means that users need to log in only once to access any resources they are authorized for on the network. A directory service such as LDAPS provides the central database for the users' credentials, instead of having separate usernames and passwords for each resource.

Which items would be found in an IP header? (Choose two.)

Source IP address and TTL value are correct. Among other fields, the IP header in a packet contains the source IP address and the TTL (time-to-live) value. The TTL value on newer Windows operating systems (such as 7, 8, and 10) is normally set to 128. This value determines how many routers (hops) the packet can travel through before being discarded.

Gretchen uses her laptop to connect to many different web sites to download free software. Over time, her laptop slows down to the point where it is unusable. You verify that she has plenty of free hard disk space. What do you suspect is causing the slowdown?

Spyware is installed is correct. Spyware can get installed covertly when you install free software. The spyware then monitors your computer activity and may inventory what type of files or software you have installed. All of this can take its toll on performance over time. The disk is fragmented is incorrect. Disk fragmentation is not nearly as likely as spyware to slow down the system. Fragmentation occurs when data is copied to and deleted from disks. Empty disk space is used for new file blocks first, and then the oldest deleted file entries are overwritten, thus causing fragmentation. Defragmenting a hard disk attempts to put data blocks in adjacent sectors (ideally on the same cylinder when possible) to speed up file access. The disk is storing too many web browser cookies is incorrect. Cookies store information or preferences about the user accessing a web site, but this is not the cause of the problem, since there is plenty of disk space free. A rootkit is present is incorrect. Rootkits give a user administrative access to a system while hiding the user's presence. This does not imply that the system would slow down; spyware is the more plausible explanation.

Under what circumstance might a risk be acceptable? (Choose the best answer.)

The ALE is less than the cost of mitigating the risk is correct. ALE (annual loss expectancy) is a dollar figure derived from the SLE (single loss expectancy) and the ARO (annual rate of occurrence). For example, the probability of an e-mail server being down for four hours a year might be 65 percent, at a loss of $900, due to the unavailability of that e-mail server for four hours. ALE = ARO × SLE = 65% × $900; therefore, the ALE value would be $585. So, for example, paying $700 annually to protect against a $585 ALE value cannot be justified. The ALE is more than the cost of mitigating the risk is incorrect. If the ALE is more than the cost of mitigating the risk, mitigating the risk would be considered acceptable, because mitigating the risk would cost the business less money than having the risk materialize. The SLE is less than the cost of mitigating the risk and the ARO is less than the cost of mitigating the risk are incorrect. The SLE and ARO should not be considered by themselves in this scenario because they are both used to derive the ALE.

You are a cybersecurity leader for a program that doesn't currently utilize threat intelligence. You would like to begin using a program that helps you better describe how adversaries use capabilities within an infrastructure to attack a victim. Which of the following best suits this desire?

The Diamond Model of Intrusion Analysis is correct. The Diamond Model categorizes the relationships and characteristics of an attack's four main components: the model describes that an adversary deploys a capability over some infrastructure against a victim. These are known as events and form the diamond. Analysts then populate each part of the diamond with the information they gather during the analysis process.

A Linux administrator enables hardware disk encryption for data drives used by a Linux server. The operating system disk is physically located in the Linux server but the data drives exist on a SAN (storage area network). Which of the following statements is true?

The confidentiality of the data is being protected is correct. Encryption protects data confidentiality. Only authorized parties possessing the correct decryption keys can access encrypted data.

During your disaster recovery and business continuity planning, you examine all aspects of your operations to understand in detail the RTO of each critical network service. Which of the following aspects does the RTO refer to?

The maximum amount of time that is considered tolerable for a service to be unavailable is correct. The recovery time objective (RTO) is the maximum amount of time that is considered tolerable for a service or certain business function to be unavailable. For example, a critical web server that takes customer orders over the Internet may have an RTO of 30 minutes.

Leslie is projecting timelines to complete various analysis reports. Which list presents the correct order in which each analysis should be performed?

Threat, risk is correct. Threat analysis identifies how vulnerable a party is to specific threats, the likelihood of those threats occurring, and their impact. Because a risk assessment relies on organizing threats to maximize potential opportunity, it cannot be conducted before a threat assessment. "Risk, threat," "threat, vulnerability," and "business impact, risk" are incorrect. These do not reflect the correct order in which to perform the listed analyses.

Why would an administrator configure router ACLs (access control lists)?

To restrict or allow specific network traffic through the router is correct. Router ACLs allow or deny network traffic through the router. The ACLs can look at IP addresses, protocol types, TCP and UDP port numbers, and so on. Devices such as routers should also be configured with a logon banner stating that the device can be used only for legitimate organizational activities. The option stating that ACLs determine the location from which routers load their configuration is incorrect. ACLs do not determine the location from which routers load their configuration. To restrict what files users can access on the file server is incorrect. Router ACLs do not restrict file access, but file system ACLs do. To enable the detection of suspicious activity is incorrect. Router ACLs are not used to detect suspicious activity; this is more commonly done using intrusion detection systems (IDSs).

While working as a security analyst, you have been asked to monitor the SIEM. You observed network traffic going from an external IP to an internal host's IP within your organization's network over port 443. Which of the following protocols would you expect to be in use?

Transport Layer Security (TLS) is used to secure web connections over port 443.

You are creating a disaster recovery plan for your organization and assigning probabilities to specific risks. Which of the following would be the highest probability risk for your server room?

Unauthorized access is correct. Unauthorized access to your secure server room is the highest probability risk. Therefore, adequate access control security is required for the server room entrance.

Which type of security testing does not provide any information at all to testers?

Unknown environment is correct. Unknown environment security testing does not provide any information on software coding, network layout or addressing, phone numbers, usernames, and so on. Testers must piece together relevant data to construct a picture of what they are testing.

An attacker enters an office building and plugs his laptop into an unused network jack behind a plant in the reception area. He is then connected to the LAN, where he initiates an ARP poisoning attack. How could this have been prevented? (Choose two.)

Use a strict IPSec policy for all LAN computers and disable unused switch ports are correct. IPSec can be used to ensure that network traffic is accepted only from appropriate computers. For example, a LAN could use PKI certificates with IPSec—traffic from computers without a trusted PKI certificate would simply be dropped. Switch ports not in use should be disabled to prevent unauthorized network connectivity.

Which of the following security measures should you implement to prevent improper administrative access to a router?

Using strong passwords is correct. You should ensure that all your network devices use very strong passwords to prevent basic hacking attempts on the administrator account.

Which of the following techniques allows you to run a public-facing web application but still maintain a private back end with servers that aren't publicly accessible?

Virtual private cloud is correct. By using a virtual private cloud (VPC), you can run a public-facing web application but still maintain a private back end with servers that aren't publicly accessible.

Your quality assurance team is testing a new web application and requires several servers on-site to properly test the application on different operating systems. Due to budget and resource constraints, your company does not have enough physical servers to cover the testing requirements and provide adequate security for each system. Which of the following technologies could you implement?

Virtualization is correct. Virtualization allows you to run several operating system instances on a single hardware device. Each virtual machine is run in its own CPU and memory environment and is secure from the other virtual machines running on the same system.

Which of the following is an example of high availability?

Web server cluster is correct. A cluster consists of two or more servers working together to ensure that a service is always available, such as a web site.

After a recent hacking attack on your web server, you have discovered that the hacker exploited a security flaw within the underlying operating system running on the server. Which of the following was the most likely cause?

You didn't apply an OS patch to resolve the issue is correct. Keep your operating system up to date with the latest software updates or patches. If a security flaw is discovered, the OS vendor will release a patch as quickly as possible to resolve the issue.

For security reasons, you want to enable port security for your network switches to allow only certain clients to connect to specific switches. Which of the following is the best authentication service to implement?

802.1X is correct. 802.1X is implemented on network devices such as switches to provide access control by authenticating connecting clients based on the user or system identity. You can then allow or block network connectivity and apply network access policies based on this authentication.

In which order should the following items be conducted? risk analysis, ALE, business impact analysis

ALE, risk analysis, business impact analysis is correct. The ALE is a dollar figure used in quantitative risk analysis to prioritize risks; therefore, it cannot be calculated after a risk analysis. The business impact analysis can occur only after risks have been identified. "Risk analysis, ALE, business impact analysis," "business impact analysis, ALE, risk analysis," and "ALE, business analysis, risk analysis" are incorrect. The process must begin with ALE, followed by a risk analysis and then a business impact analysis.

You need to improve the redundancy of the file servers in your organization's network. Which of the following actions helps improve hardware redundancy on the file servers to prevent downtime because of hardware failures?

Adding another power supply is correct. By adding a second power supply, you ensure that the servers will not power off if one of the power supplies fails.

Which of the following are ways to mask PII (personally identifiable information)? (Choose two.)

Anonymous proxy server and gloves are correct. PII uniquely identifies a person and includes items such as a credit card number, e-mail address, signature, and so on. Anonymous proxy servers mask your IP address, and gloves prevent fingerprints from being left behind—these both mask PII. Tattoo and fingerprint are incorrect. Tattoos and fingerprints themselves are PII, so they can't be used to mask PII.

What can be used to prevent malicious e-mail file attachments from being opened by users?

Antivirus software is correct. Antivirus software running on user computers can detect infected file attachments sent via e-mail.
