Test 2 - Wrong Answers
Which of the following represents a valid format for a CVE identifier? 2022-Vulnerability Name 22-0123 2022-12345 10.0-AV:N/AC:L/PR:N/UI:N
2022-12345 OBJ: 4.3 - A CVE identifier follows a format of "CVE" followed by a year and a sequence of numbers. 2022-12345 is a correct representation of a CVE identifier. 22-0123 format is incorrect. CVE identifiers start with "CVE-" followed by the year and a sequence of numbers. While 2022-Vulnerability Name contains elements of a CVE identifier, it doesn't follow the standardized format used in the cybersecurity industry. 10.0-AV:N/AC:L/PR:N/UI:N represents a CVSS scoring vector, detailing the metrics of a vulnerability. It is not a CVE identifier.
A company wants to implement a more flexible access control system that can adjust to changing user behavior. Which of the following technologies can help the company achieve this goal? Policy-driven access control Security zones MAC Adaptive identity
Adaptive Identity OBJ: 1.2 - Adaptive identity allows for more flexible and dynamic access control by using contextual data to make dynamic access control decisions. For example, the system might grant access to a sensitive resource based on the user's location or the time of day. Security zones are used to segment a network into smaller, more manageable areas, but they do not necessarily provide more flexible and dynamic access control. MAC (Mandatory Access Control) is an access control system that is very rigid. Access is granted through a system of rules and categorization of data. It does not provide more flexible and dynamic access control. Policy-driven access control allows for more flexible and dynamic access control by using pre-defined policies to make access control decisions, but it does not necessarily adapt to changing user behavior and access patterns.
Kelsi is browsing an online shopping website that sells various products. She adds some items to her shopping cart and proceeds to checkout. She enters her credit card information, double checks that the credit card information is correct, then clicks on the confirm button. She then receives an email from her bank that informs that her credit card has been charged, but the amount she is charged is more than she expected. She checks her online banking account and sees that there are several transactions that she did not authorize. What type of web-based vulnerability has she likely encountered? Malicious update Structured Query Language injection (SQLi) Cross-site scripting (XSS) Buffer overflow
Cross-site scripting (XSS) OBJ: 2.3 - XSS is a web-based vulnerability that occurs when an attacker injects malicious code into a web page that is then executed by the browser of a user who visits the page. The code can steal cookies, session tokens, or other sensitive information from the user or the web server. Kelsi has likely encountered an XSS vulnerability that allowed the attacker to steal her credit card information and make unauthorized transactions. Malicious update is an application-based attack that involves replacing a legitimate update for a program with a malicious one. The attacker can compromise the program, steal data, or perform other malicious actions. Kelsi has not encountered a malicious update, as she did not update any program, but rather entered her credit card information on a web page. Buffer overflow is an application-based vulnerability that occurs when a program does not properly check the size of the input data and tries to store more data than the memory allocated to it can hold. The excess data can overwrite the adjacent memory and cause the program to crash or execute arbitrary code. It isn't likely that Kelsi has encountered a buffer overflow vulnerability, as she checked the information she entered and it was correct. SQLi is a web-based vulnerability that occurs when an attacker injects malicious SQL statements into a database query that is then executed by the database server. The statements can manipulate or extract data from the database, or execute commands on the server. Kelsi has not encountered an SQLi vulnerability, as she did not enter any information in SQL.
_________ assign a severity score to vulnerabilities, while _________ simply identify them with a number, offering a consistent way to share vulnerability data
CVSS assigns a severity score to vulnerabilities, while CVEs simply identify them with a number, offering a consistent way to share vulnerability data.
Which attribute of a threat actor refers to their ability to develop unique exploit techniques and tools? Resources Sophistication Funding Capability
Capability OBJ: 2.1 - Capability pertains to a threat actor's proficiency in devising new exploit techniques and tools. It can range from using commonly found attack tools to creating zero-day exploits in various systems. Those with the highest capabilities can even deploy non-cyber tools, such as political or military assets. Sophistication relates to the level of intricacy and advancement of a threat actor's methods and tools, but does not directly address their skill in crafting novel exploits. While funding can boost a threat actor's capabilities by providing them the means to acquire resources, it doesn't specifically denote their expertise in developing unique exploits. While resources can aid in bolstering a threat actor's capabilities, this term primarily refers to the tools and personnel that a threat actor can access or utilize.
As a security analyst, you are analyzing network logs to assist in your investigation of a suspected cyberattack. Which of the following pieces of information is NOT typically documented in the network log data? Destination IP and port Source IP and port Timestamp of the network traffic Content of encrypted data packets
Content of encrypted data packets OBJ: 4.9 - Network logs do not, as a standard, reveal the content of encrypted data packets. Encryption secures the content of the data traffic, rendering it unreadable without the correct decryption keys. It's important to note that decryption for inspection purposes may have legal implications and should adhere to organizational policies and compliance rules. Destination IP and port are critical pieces of network log data. Among other things, they can reveal the target of specific network traffic, which is useful for identifying potential threats or intrusions. Source IP and port comprise crucial parts of network log data. They help determine the origin of the traffic, which can be particularly helpful when investigating security incidents. Network logs typically contain timestamps for all network traffic. This allows for a timeline to be constructed when investigating incidents, helping to identify patterns and link related events.
What part of a BPA for mission essential functions provides a detailed, step-by-step description of the procedural tasks performed? Outputs Hardware Inputs Process flow
Process flow OBJ: 5.3 - In a BPA (Business Process Analysis), process flow details each operational step, describing how the mission essential function is systematically executed. Outputs relate to the final products or data produced by the function, which is the result of the process flow but not the description of the steps themselves. Hardware identifies the physical infrastructure used in the process, not the step-by-step procedural narrative. While inputs are crucial for starting the process, they do not constitute the sequential operational guide that is the process flow.
An organization is looking to protect sensitive financial data stored in spreadsheets. Which of the following methods would be the MOST effective in ensuring the data's confidentiality and integrity? Version control and backup Network monitoring and firewall Data encryption and digital watermarking Password protection and read-only access
Data encryption and digital watermarking OBJ: 3.3 - Data encryption of the spreadsheet ensures unauthorized parties cannot view its content, and digital watermarking embeds a hidden mark to track and verify the document's authenticity and integrity. While version control and backup are crucial for maintaining data history and recovery, neither directly ensures the spreadsheet's confidentiality or verifies its integrity. While network monitoring and firewall protect against unauthorized access and attacks, they don't directly ensure the confidentiality or integrity of specific spreadsheet data. Password protection restricts access, and read-only access prevents modifications, but neither ensures data confidentiality from unauthorized decryption or verifies its integrity against all forms of tampering.
Stanley, an IT Technician, is setting up a secure connection between his company's web server and a client's web browser using SSL/TLS. Which common method for authenticating systems is being used in this scenario? Biometrics Digital certificates Smart cards AAA Architecture
Digital certificates OBJ: 1.2 - SSL/TLS uses digital certificates to authenticate the identity of the server and, optionally, the client during the SSL/TLS handshake. Smart cards are a physical object that can be used for authentication, but they are not used in this scenario for authenticating systems. Biometrics refers to the use of a biometric characteristic, such as a fingerprint or facial recognition, for authentication, but it is not used in this scenario for authenticating systems. Authentication, authorization, and accounting (AAA) architecture is used within Kerberos and other EAP-based authentication services, but it is not what authenticates the systems in this scenario.
Which of the following cryptographic algorithms is primarily used for digital signatures and key exchanges, rather than direct encryption of data? DES Twofish SHA-256 ECC
ECC OBJ: 2.5 - ECC (Elliptic Curve Cryptography) is a form of public key cryptography based on the algebraic structure of elliptic curves over finite fields primarily used for digital signatures and key exchanges. SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function, not primarily used for digital signatures or key exchanges. DES (Data Encryption Standard) is an older symmetric-key method of data encryption which was largely replaced due to vulnerabilities, focusing primarily on data encryption. Twofish is a symmetric block cipher which, like AES, encrypts data in blocks using the same key for encryption and decryption.
Which of the following statements BEST explains the importance of employee retention in securing an organization? Employee retention reduces the need for automation and orchestration, leading to a more stable workforce. Employee retention helps to maintain institutional knowledge and expertise in managing security automation. High employee retention promotes a deeper understanding of automated security processes, improving response times. Employee retention reduces the likelihood of social engineering attacks because long term employees get more training to spot and avoid such attacks.
Employee retention helps to maintain institutional knowledge and expertise in managing security automation. OBJ: 4.7 - Employee retention means that the organization can retain experienced staff who have gained valuable institutional knowledge and expertise in managing security automation and orchestration. This accumulated knowledge helps ensure the smooth functioning and effective utilization of these processes. There is no evidence that retaining employees has an impact on avoiding social engineering attacks. Employee retention provides institutional knowledge which makes managing security automation easier. High employee retention means that employees have been with the organization for a longer time, and they would have had more exposure and experience with the automated security processes. This can lead to a deeper understanding, which in turn can improve response times in handling security incidents. Employee retention is not directly related to the need for automation and orchestration. Regardless of the employee retention rate, the benefits of automation and orchestration in secure operations remain valid.
Which of the following BEST describes the data owner's role in an organization's data governance framework? Implements encryption and secures data both at rest and in transit. Outlines the purposes, conditions, and methods of personal data processing to comply with GDPR. Provides detailed recommendations on specific security controls to be included in the ISMS. Ensures data protections, level of access permissions, and security measures.
Ensures data protections, level of access permissions, and security measures. OBJ: 5.1 - The owner's role is accountable for the data's security and compliance with the organization's strategic objectives. Outlining the purposes, conditions, and methods of personal data processing to comply with GDPR pertains to the controller role, not the owner. While the owner is responsible for the level of security, the actual implementation of encryption is usually handled by IT or security teams. Providing detailed recommendations on specific security controls to be included in the ISMS is typically associated with specialized committees or the ISO/IEC 27002 standard, not directly with the owner.
Dion Training Solutions is implementing a security system for its research facility where sensitive data is stored. If the access control system fails, which mode should be adopted to ensure that no unauthorized personnel can enter the facility, even if it means some inconvenience to authorized staff? Passive mode Rate-based filtering Fail-open Fail-closed
Fail-closed OBJ: 3.2 - When security is paramount, as with sensitive data storage, a fail-closed mode ensures that all access requests are denied during system malfunctions, preventing any potential unauthorized access. Rate-based filtering involves limiting traffic based on a predefined rate; it does not determine how the system behaves when it fails. A fail-open mode would allow all access requests during a malfunction. In a high-security environment, this could lead to unauthorized access to sensitive data. In passive mode, the firewall monitors traffic without actively blocking or allowing it. This can be useful for observing traffic patterns but wouldn't be ideal for a mission-critical system where active protection is essential.
In the realm of digital forensics, which activity is a primary focus during the preservation phase? Generating and documenting cryptographic hashes of digital evidence to verify its integrity. Recording the specific tools and methodologies used during the evidence collection phase. Performing keyword searches on electronic documents to identify pertinent information. Drafting a comprehensive summary of findings and presenting it to stakeholders.
Generating and documenting cryptographic hashes of digital evidence to verify its integrity.
Given Dion Training's initiative to formulate a disaster recovery plan, which of the following solutions provides the BEST uninterrupted power source in the event of unforeseen power disruptions, particularly in situations prone to natural disasters? Generators Microgrids Batteries Renewable Energy Sources
Generators
As part of their expansion, Kelly Innovations LLC decided to break their monolithic application into microservices. While this provides scalability, which of the following security implications should the organization be MOST concerned with? Singular deployment cadence. Granular access controls requirements. Reduced monitoring endpoints. Consolidation of data storage.
Granular access controls requirements. OBJ: 3.1 - As applications are broken down into microservices, each service might need specific access controls, potentially complicating the permissions landscape. Microservices often distribute data storage needs across services, rather than consolidating them, making this option less relevant. Microservices allow for independent deployments, moving away from a singular deployment cadence which is more associated with monolithic structures. Microservices can actually increase the number of endpoints that need to be monitored, rather than reducing them.
Kelly Financial Solutions processes thousands of credit card transactions daily. To enhance security, the IT department wants to ensure that sensitive data, such as credit card numbers, remains protected even while being actively processed in the system's memory. Which technology would be MOST effective in safeguarding data-in-use in this scenario? Data loss prevention (DLP) Full disk encryption (FDE) Virtual private network (VPN) Homomorphic encryption
Homomorphic encryption OBJ: 3.3 - Homomorphic encryption allows data to be processed without being decrypted, effectively securing data-in-use. Computations can be performed on the encrypted data directly, and the results, when decrypted, match as if the operations were done on the plaintext. A VPN encrypts network traffic between two points, ensuring data-in-transit security. It doesn't focus on safeguarding data actively being processed in a system's memory. DLP solutions monitor and control data transfers, helping to prevent data breaches. However, they don't provide specific protection for data being actively processed in memory. While FDE is effective for protecting data at rest, especially on hard drives or SSDs, it doesn't specifically secure data-in-use.
Which of the following BEST describes the data controller's role in relation to GDPR and data governance? Holds ultimate decision-making authority and sets strategic data management policies. Ensures secure generation and management of encryption keys. Identifies purposes and conditions of data processing and ensures compliance with legal standards. Assists with the implementation and monitoring of security incident management procedures.
Identifies purposes and conditions of data processing and ensures compliance with legal standards. OBJ: 5.1 - The controller is responsible for defining how personal data is handled and ensuring it meets GDPR and other regulatory requirements. Key management and secure generation are technical processes often overseen by IT security, not the controller. Holding ultimate decision-making authority and setting strategic data management policies is more indicative of the role of a governance board or an owner. While the controller may be involved in incident management, it is not their primary role; instead, it typically pertains to security teams and the custodian.
John is reviewing an assessment where it has been determined that a successful cyber attack could result in significant operational downtime and data recovery costs, totaling approximately $500,000. Which term BEST quantifies the severity of this potential event? Impact Probability Exposure factor Likelihood
Impact OBJ: 5.2 - Impact specifically refers to the magnitude of the consequences if a risk event occurs, typically assessed in terms of financial loss, operational disruption, or other forms of damage. The exposure factor (EF) is a component used to calculate the Single loss expectancy (SLE) by representing the percentage of loss an asset would suffer from a risk event. It does not, by itself, quantify the overall severity of potential consequences. While probability quantifies the likelihood of a risk event occurring, it does not measure the severity of the consequences of the event. Similar to probability, likelihood assesses the chance of a risk event happening but does not directly quantify the severity of the event's consequences.
Which of the following statements BEST explains the importance of package monitoring in the context of vulnerability management? It ensures that all software packages are up to date with the latest features and enhancements. It allows organizations to track the physical location and status of hardware packages. It helps identify and address vulnerabilities in software packages. It involves tracking the dependencies of software packages to ensure that all required components are up to date and compatible.
It helps identify and address vulnerabilities in software packages. OBJ: 4.3 - Package monitoring involves keeping track of software package versions and security patches, which helps identify potential vulnerabilities and ensures that appropriate actions are taken to mitigate risks. By promptly addressing vulnerabilities, organizations can reduce the risk of potential exploits and maintain a more secure environment. The purpose of package monitoring is keeping track of software package versions and security patches, not tracking software package dependencies. Tracking the physical location and status of hardware packages is not the intended purpose of package monitoring. While updating software packages is essential for performance and functionality, package monitoring, in the context of vulnerability management, is not focused on general updates.
Which of the following BEST describes the significance of key length in encryption standards? It sets a minimum for key length It sets complexity for key It sets the duration of key's validity It sets a maximum key length
It sets a minimum for key length OBJ: 1.4 - Key length in encryption determines the minimum length that an encryption key can be to ensure a strong level of security. While length will impact the key's complexity, the key length doesn't set other factors beyond the minimum length.
Dion Training Solutions implemented a new authentication system for their internal applications. The system ensures that authentication data can only be used for a single session and requires both the client and server to prove their identity by using a unique ticketing system. Which of the following authentication mechanisms is Dion Training Solutions MOST likely using to prevent credential replay attacks? SAML LDAP Kerberos OAuth
Kerberos OBJ: 2.4 - Kerberos is an authentication protocol that uses tickets to prevent eavesdropping and replay attacks. It relies on a trusted third party, the Key Distribution Center (KDC), to facilitate mutual authentication between clients and services. LDAP is a protocol used to access and manage directory information over a network. While it can be used for authentication, it does not inherently prevent credential replay. OAuth is an open standard for access delegation. It allows third-party services to use account information without exposing user passwords. However, it doesn't use a ticketing system. SAML is an XML-based standard for exchanging authentication and authorization data between parties. It's focused more on Single Sign-On (SSO) and doesn't use the Kerberos ticketing mechanism.
What part of PKI allows the storing of encrypted keys with a third party so keys can be recovered if they are lost? Public key infrastructure Key escrow Key generation Key exchange
Key escrow OBJ: 1.4 - Key escrow is a system in which a copy of a cryptographic key is given to a third party. This allows for the recovery of keys if they are lost. Key exchange is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. Key generation is the process of generating keys in cryptography. It does not involve a third party having access to encrypted data. Public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
You are a network engineer for a large hospital that has a complex network with many applications and many employees. You are most concerned with protecting the privacy of patients, so you will need to prevent unauthorized people from seeing data. Which of the following mitigation techniques can help you achieve this goal? Application allow list Least Privilege Isolation Monitoring
Least privilege
At Dion Training, the IT team is working on enhancing their business continuity plan. They want to determine the amount of the time they will need to repair the system after a disruption. This will help them to ensure timely recovery from the event. What measure do they want to determine? MTTR RPO RTO MTBF
MTTR OBJ: 2.5 - The mean time to repair (MTTR) refers to the measure of the time taken to repair a system or process after it experiences a failure or disruption. It is the average time it takes to restore functionality. The recovery time objective (RTO) is the measure of the maximum time it takes to recover a system or process after a disruption. It represents the time within which normal operations need to be restored. The mean time between failures (MTBF) is the measure of the average time between two consecutive failures of a system or component. It represents the average reliability or time between incidents. The recovery point objective (RPO) is the measure of the maximum amount of data loss an organization is willing to tolerate in the event of a disruption. It determines the point in time to which data must be restored after recovery.
What is the purpose of the audit committee? Give approval to the audits completed by the CEO Overseeing an organization's internal controls and financial reporting Confirm the CEO's hunches about weak areas of security Completing external auditing of security controls for organizations
Overseeing an organization's internal controls and financial reporting OBJ: 5.5 - The audit committee is responsible for overseeing and evaluating an organization's internal controls, financial reporting, and compliance processes. This includes assessing the effectiveness of security controls and regulatory compliance. Audit committees are internal to an organization.
Bluebird Technologies has hired a penetration tester. In the test she will attempt to enter the building by using a fake ID and by piggybacking at the entrance. What type of penetration testing will she be doing? Physical Integrated Partially known environment Known environment
Physical OBJ: 5.5 - Physical penetration testing involves evaluating an organization's physical security measures, such as access controls, surveillance systems, and security protocols, to identify vulnerabilities and potential breaches. Penetration testing in a partially known environment means that some information has been given to the tester. There is no indication in the scenario that the tester has been given information. Penetration testing in a known environment means that a significant amount of information has been given to the tester. This can include passwords, usernames, and other information. There is no indication in the scenario that the tester has been given information. Integrated penetration testing refers to a comprehensive approach that combines different types of penetration tests to assess an organization's overall security posture. While physical security may be part of the assessment, it is not the main focus of this type of testing.
To stay updated with changing threats and vulnerabilities, which of the following assessment methods BEST emphasizes periodic evaluations? One-time risk assessment Recurring risk assessment Ad hoc risk assessment Continuous risk assessment
Recurring risk assessment OBJ: 5.2 - Recurring risk assessment involves conducting risk assessments at regular intervals to adapt to changing threats and vulnerabilities over time. Continuous risk assessment involves ongoing and real-time monitoring of risks as part of the organization's daily operations. It aims to quickly identify and address emerging risks. While it is beneficial, it may not specifically involve periodic assessments at regular intervals. One-time risk assessment is conducted only once and does not involve periodic evaluations of risks. It may be suitable for specific projects or situations but is not focused on continuous monitoring. Ad hoc risk assessment refers to conducting risk assessments on an as-needed basis or when specific events trigger the need for assessment. It is not specifically focused on keeping up with changing threats and vulnerabilities.
Which of the following is a type of vulnerability that involves accessing or modifying data or communications from other virtual machines by exploiting the fact that they share one CPU? Resource reuse Race condition Time-of-check (TOC) CPU starvation
Resource reuse OBJ: 2.3 - Resource reuse is a type of vulnerability that involves accessing or modifying data or communications from other virtual machines by exploiting the shared CPU between them. It can allow an attacker to execute malicious code or commands on other virtual machines. Race condition is a situation where the outcome of a process depends on the timing or order of execution of other processes. It can cause errors, inconsistencies, or security breaches, depending on the nature and importance of the resource. Time-of-check (TOC) is a type of race condition that occurs when a process checks the state or value of a resource before using it, but another process changes it in between. It can lead to incorrect or unauthorized actions based on outdated information. CPU starvation is a type of performance issue that occurs when a process or thread does not receive enough CPU time to perform its tasks. It can affect the responsiveness and functionality of the process or thread.
Members of the Risk Management Team at Eclipse, an awning manufacturer, are discussing the organization's approach to risk management. They are considering the level of risk they are willing to accept to achieve the aggressive set of goals the CEO has created. What is the term for what they are considering? Risk deterrence Risk appetite Risk tolerance Risk acceptance
Risk appetite OBJ: 5.2 - Risk appetite refers to an organization's willingness to take on risk in pursuit of its business objectives. It reflects the organization's strategic approach to risk and how much risk it is willing to undertake to achieve specific goals. Risk tolerance is the extent to which an organization is comfortable with the level of risk it is willing to take. It represents the organization's ability to withstand potential losses or disruptions. Risk acceptance means that an organization understands the level of risk that is involved in an activity and is willing to accept the outcomes of taking the risk. The risk is either accepted or not; there aren't levels of risk acceptance. In this case they are not making a decision about a level of risk for a specific activity. Risk deterrence involves taking measures to reduce or mitigate the impact of an event. In this case, they aren't evaluating the impact or taking measures to reduce the likelihood of a specific event.
_________ allows for the secure exchange of authentication and authorization data between different organizations, enabling users to log in using their own organization's credentials while accessing resources and applications from other federated organizations without the need for separate accounts.
SAML (Security Assertion Markup Language)
Kelly Innovations LLC is searching for a comprehensive cloud-based solution that combines both network security and WAN capabilities. They want a solution that seamlessly integrates these aspects, especially for users or devices located outside their primary office. Which of the following technologies should they consider adopting? Tunnel mode of IPSec SASE ESP SD-WAN
SASE OBJ: 3.2 - SASE (Secure access service edge) combines network security and WAN capabilities in a single cloud-based service, making it an ideal solution for ensuring secure and reliable access to data and applications irrespective of user/device location. The tunnel mode in IPSec is used for communications between VPN gateways across an insecure network. Although it encrypts the whole IP packet, it doesn't combine comprehensive network security and WAN functionalities. While ESP (Encapsulation security payload) is a part of IPSec that provides confidentiality and/or authentication and integrity, it doesn't integrate network security and WAN capabilities. SD-WAN (Software-defined wide area network) optimizes network performance and centralizes network management. While it enhances WAN connections, it doesn't inherently combine network security and WAN capabilities.
Which of the following is NOT true about the importance of Security Information and Event Management (SIEM)? SIEM systems can create and maintain a database of an organization's IT equipment. SIEM systems provide real-time analysis of security alerts generated by applications and network hardware. SIEM systems can aid in the procurement and asset management of secure software systems. SIEM systems provide a unified view of an organization's IT security by collecting and aggregating log data.
SIEM systems can aid in the procurement and asset management of secure software systems. OBJ: 4.4 - SIEM systems are not primarily used for software procurement or asset management. Their primary purpose is to provide real-time analysis of security alerts and to offer a holistic view of an organization's security scenario. They are not involved in tasks such as procurement and management of hardware. SIEM systems can indeed create and maintain a record of an organization's IT equipment as a part of their comprehensive data collection. One of the critical roles of SIEM is the real-time monitoring and analysis of security alerts across an organization's network. SIEM systems collect and aggregate log data from an array of sources within an organization's IT infrastructure, providing a centralized view of the security landscape.
Safeguard Systems is looking to secure voice communication between its branch offices. Which of the following protocols would provide encryption specifically for voice traffic over IP? DHCP ARP SRTP ICMP
SRTP OBJ: 1.4 - SRTP (Secure Real-time Transport Protocol) provides encryption, message authentication, and integrity for voice communications over IP. It's designed to protect Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) traffic. ICMP (Internet Control Message Protocol) is mainly used by operating systems of networked computers to send error messages indicating, for instance, that a requested service is not available. It doesn't handle voice encryption. ARP (Address Resolution Protocol) is used for mapping a 32-bit IP address to a MAC address within a local network, not for encrypting voice traffic. DHCP (Dynamic Host Configuration Protocol) is used for assigning dynamic IP addresses to devices on a network. It does not encrypt voice traffic.
Jamario, a system administrator at Dion Tech Solutions, walked into the office one Monday morning to find several employees in distress. Their computer screens displayed threatening messages stating that their system had been "locked by the police due to illegal online activities." The message prompted them to make a payment via a premium rate phone line to unblock their system access. Upon investigating, Jamario found that the normal shell on these computers had been replaced with a shell program, making it seem as if they couldn't access their files. Which type of malware is MOST likely responsible for the events at Dion Training Solutions? Worm Trojan horse Crypto-malware ransomware Screen-locking ransomware
Screen-locking ransomware OBJ: 2.4 - This type of ransomware intimidates users by locking them out of their device and displaying threatening messages. The messages suggesting that the computer was locked by the police and the shell program replacement are consistent with screen-locking ransomware. A worm is malware that replicates itself in order to spread to other computers. There was no indication of self-replicating software at the company. Crypto-malware encrypts a user's files and holds them for ransom. Since Jamario did not find encrypted files, but rather a shell program replacement, this is not the type of ransomware involved. A Trojan horse is malware disguised as legitimate software. While it can carry ransomware, the specific symptoms don't match typical Trojan behavior.
What term refers to a formal examination of an organization's procedures, controls, and operations, ensuring they comply with established guidelines, standards, or regulations? Risk assessment Penetration testing System/process audit OSINT
System/process audit OBJ: 4.3 - A system/process audit is a thorough review of an organization's operations, ensuring adherence to specific standards and identifying potential areas for improvement. Penetration testing is a simulated cyber-attack against a system to check for exploitable vulnerabilities, often involving a combination of tools and manual techniques. A risk assessment involves identifying, evaluating, and analyzing risks to an organization's assets and operations, with the aim of implementing measures to control and mitigate those risks. While risk assessments are crucial for understanding and mitigating potential risks and vulnerabilities within an organization, they do not specifically focus on ensuring that procedures, controls, and operations comply with established guidelines, standards, or regulations. OSINT leverages publicly available data sources to gather intelligence on targets, providing valuable insights without breaching any laws.
As a security analyst, you are currently investigating a potential security breach within your organization's network, specifically focusing on unusual traffic that was detected coming from an external IP address. To dig deeper into this situation, you have decided to analyze the packet capture logs that were recorded during the time of the suspected incident. Given that the unauthorized access was attempting to communicate via TCP to a sensitive internal server on port 443, and there were also abnormal DNS requests observed, which of the following pieces of information from the packet captures would be MOST valuable to investigate the incident further? ARP cache content ICMP echo request and reply messages TLS handshake details and DNS query responses HTTP GET and POST requests
TLS handshake details and DNS query responses OBJ: 4.9 - Examining the TLS handshake details can help in verifying if the secure connection was established using strong cryptographic algorithms, and it can also reveal the certificate information to check for any anomalies or unauthorized certificates. Analyzing DNS query responses is crucial to understand which domain names were resolved and to identify any potential malicious or unauthorized domain interactions. Both of these details are vital for investigating the incident, especially given the nature of the communication to a sensitive server over a secure port and the observed abnormal DNS requests. HTTP GET and POST requests are used to retrieve or submit data over the web. Given that the incident involves communication on port 443, which is commonly used for HTTPS rather than HTTP, and there are specific concerns about DNS requests, focusing on HTTP GET and POST requests might not yield the most valuable information for this particular investigation. Additionally, encrypted HTTPS traffic would require proper decryption before any HTTP methods could be analyzed, adding an extra layer of complexity. ICMP echo requests and replies, commonly known as ping messages, are used to check the availability of a network device. While they can be helpful for basic network diagnostics, they are less likely to provide in-depth information about a security incident, especially in the context of unauthorized access and abnormal DNS requests on specific TCP ports. The Address Resolution Protocol (ARP) cache stores IP-to-MAC address mappings for local network devices. While ARP spoofing can be a security concern, examining the ARP cache may not provide direct insights into the suspected breach involving secure TCP communication and DNS irregularities in this specific scenario.
Which of the following terms BEST describes a situation in which a company avoids addressing known system inefficiencies or shortcuts due to time constraints, potentially leading to future rework and vulnerabilities? Complexity Single point of failure Technical debt Cost
Technical debt OBJ: 4.7 - Technical debt represents the future cost of rectifying present-day shortcuts or less optimal solutions. It can arise when known inefficiencies aren't addressed due to various constraints, like time. While complexity might result from this situation, it primarily denotes the intricacy of a system or process. Single point of failure refers to a vulnerable component whose failure can disrupt an entire system, not the consequence of avoiding known system inefficiencies. While accumulating technical debt can lead to increased costs later on, the term 'cost' generally pertains to the financial considerations of a decision or action, not the implications of deferring system improvements.
In Dion Training's data management framework, Scherazade determines why and how data will be collected. She then directs Sahra on what should be done with the data that is collected. Which of the following BEST describes the roles that Scherazade and Sahra have? The data custodian and the data controller. The data owner and data custodian. The data controller and the data processor. The data owner and the data processor.
The data controller and the data processor. OBJ: 5.4 - Scherazade is the data controller because the data controller determines how and why the data is collected and used. Sahra is the data processor because the data processor follows the data controller's directions for using the data that is collected. The data owner is the person who is ultimately responsible for the confidentiality, integrity, and availability of the data. The data custodian handles the management of the system used to store and collect the data.
As a security analyst, you are investigating a suspicious file activity incident. While examining metadata associated with different files, which of the following pieces of information is NOT typically presented in metadata? File's creator The file extension of the file Date and time of last modification File size
The file extension of the file OBJ: 4.9 - Metadata does NOT normally include the file's extension. The name of the user who created the file is often included as part of the file's metadata. This is crucial information during an investigation of unauthorized file access or alteration. File size is a common piece of metadata. This could potentially be useful in an investigation if, for example, a file's size significantly changes without a clear reason. Date and time of last modification is an integral part of metadata. This can help establish timelines of activity and identify any unexpected changes, which is crucial during an investigation.
Why are CVE identifiers important for cybersecurity professionals? They offer a standardized way to share vulnerability data. They provide mitigation techniques for vulnerabilities. They assign severity scores to vulnerabilities. They track software versions and updates.
They offer a standardized way to share vulnerability data.
You are a cybersecurity analyst for a large organization that collaborates with several external partners, each having their own user authentication systems. The organization wants to simplify the user login experience for both internal employees and external partners while maintaining a centralized identity management system. Which of the following approaches would be the most effective way to implement federation in the given scenario? Use a protocol, such as Security Assertion Markup Language (SAML), to facilitate the exchange of identity information among organizations. Restricting access to internal applications and resources solely based on the user's physical location or group identity. Sharing internal employee credentials with external partners to create more efficient access to all systems. Creating separate user accounts for external partners within the organization's identity management system.
Use a protocol, such as Security Assertion Markup Language (SAML), to facilitate the exchange of identity information among organizations. OBJ: 4.6 - Implementing a federation protocol, such as Security Assertion Markup Language (SAML), is the most effective approach for achieving a seamless user login experience for both internal employees and external partners. SAML allows for the secure exchange of authentication and authorization data between different organizations, enabling users to log in using their own organization's credentials while accessing resources and applications from other federated organizations without the need for separate accounts. It simplifies identity management and enhances user experience while maintaining centralized control.
Which of the following refers to the act where malware running on a guest OS manages to get to another guest or the host within a virtualized environment? Guest OS isolation Virtualization detection VM escaping Hypervisor patching
VM escape
Which of the following technologies allows creating multiple isolated environments on a single physical device? Industrial control systems Software-defined networking Containerization Virtualization
Virtualization OBJ: 3.1 - Virtualization is a technology that allows creating multiple isolated environments on a single physical device. It can offer benefits such as resource optimization, isolation, flexibility, and security. Industrial control systems (ICS) are systems that are designed to monitor and control physical processes in industrial environments, such as power plants, factories, or water treatment facilities, not creating multiple isolated environments on a single physical device. Containerization is a technology that allows running applications in isolated environments called containers, not creating multiple isolated environments on a single physical device. Software-defined networking (SDN) is a network technology that involves dynamically configuring and managing network devices and services through software, not creating multiple isolated environments on a single physical device.
