C178 certmaster
A security specialist reviews an open closet with network cables and discovers highly exposable areas that are at high risk of physical intrusion. The specialist recommends creating a protected distribution system (PDS) to lower security risks. What would a PDS help solve? (Select all that apply.) a) Eavesdropping b) Speed c) Damage d) Length
a) Eavesdropping c) Damage #A physically secure cabled network is referred to as a protected distribution system (PDS). This method of cable installation can deter eavesdropping. #A hardened PDS is one where all cabling is routed through sealed metal conduit. This type of enclosure protects the cabling from accidental or intentional damage. NOTE: Neither length nor speed is a security concern. These are just about how long the cable is and how twisted the cable is.
A security engineer configures a passcode to a data center by using a cipher. The engineer uses a substitution cipher on the string hocuspocus. Which result does the engineer produce with this cipher type? a) The string: krfxvsrfxv b) The string: pocushocus c) The string: hocuspocusted6543nv6 d) The string: pocushocus37dh3hg
a) The string: krfxvsrfxv #A substitution cipher replaces units in the plaintext. Simple substitution ciphers rotate or scramble letters of the alphabet. In this case, each character has been substituted with an alphabetic rotation of 3 places. #In a transposition cipher, units stay the same in plaintext and ciphertext. Their order is changed according to some mechanism.
An engineer configures a proxy to control access to online content for all users in an organization. Which proxy type does the engineer implement by using an inline network appliance? (Select all that apply.) a) Non-transparent b) Transparent c) Intercepting d) Application
b) Transparent c) Intercepting #A transparent proxy must be implemented on a switch, router, or other inline network appliance. #An intercepting proxy (known as a transparent proxy) is configured to intercept client traffic without the client having to be reconfigured. #Proxy servers can be application-specific; others are multipurpose.
A new systems administrator at an organization has a difficult time understanding some of the configurations from the previous IT staff. It appears many shortcuts were taken to keep systems running and users happy. Which weakness does the administrator report this configuration as? a) Complex dependencies b) Overdependence on perimeter security c) Availability over confidentiality and integrity d) Single points of failure
c) Availability over confidentiality and integrity
Compare the types of Distributed Denial of Service (DDoS) attacks and select the best example of a synchronize (SYN) flood attack. a) A group of attackers work together to form an attack on a network. b) An attack consumes all of the network bandwidth resulting in denial to legitimate hosts. c) Client IP addresses are spoofed to misdirect the server's SYN/ACK packet increasing session queues. d) A client's IP address is spoofed and pings the broadcast address of a third-party network with many hosts.
c) Client IP addresses are spoofed to misdirect the server's SYN/ACK packet increasing session queues. #A SYN flood attack works by withholding clients' ACK packets during TCP's three-way handshakes, which can increase the server's session queues and prevent other legitimate clients from connecting. The server will continue to send SYN/ACK packets because there is no acknowledgment and will not time out until sometime later.
An end-user has enabled cookies for several e-commerce websites and has started receiving targeted ads. The ads do not trouble the user until, when trying to access an e-commerce site, the user gets several pop-up ads that automatically redirect the user to suspicious sites the user did not intend to visit. What is the most likely explanation for this phenomenon? a) Tracking cookies have infected the user's computer. b) Ransomware has infected the user's computer. c) Spyware has infected the user's computer. d) Crypto-malware has infected the user's computer.
c) Spyware has infected the user's computer. #Spyware can perform adware-like tracking and monitor local activity. Another spyware technique is to perform domain name service (DNS) redirection to pharming sites.
A security information and event management (SIEM) handler's dashboard provides graphical representations of user profile trends. The graphic contrasts standard user activity with administrative user activity and flags activity that deviates from these clusters. This graphical representation utilizes which trend analysis methodology? a) Frequency-based trend analysis b) Volume based trend analysis c) Statistical deviation analysis d) Syslog trend analysis
c) Statistical deviation analysis #Statistical deviation analysis can alert a security admin to a suspicious data point. A cluster graph might show activity by standard users and privileged users, and data points outside these clusters may indicate suspicious account activity.
The Human Resources department issues a policy at an organization to govern the use of company owned computer equipment. Which behavior type does this policy address? a) Code of conduct b) Clean desk c) Bring your own device d) Acceptable use
d) Acceptable use #A code of conduct, or rules of behavior, sets out expected professional standards. For example, employees' use of social media may be harmful to the company.
A threat actor infiltrates a company's server. Engineers fail while trying to stop the attacker from stealing data. The attacker achieves which final phase of the Lockheed Martin kill chain? a) Command and control b) Reconnaissance c) Exploitation d) Actions on objectives
d) Actions on objectives #When actions on objectives are achieved, the attacker typically uses the access they have gained to covertly collect information from target systems and transfer it to a remote system. NOTE: In the reconnaissance stage the attacker determines what methods to use to complete the phases of the attack and gathers information.
Firewall Types
#A bridged or transparent firewall inspects traffic passing between two nodes, such as a router and a switch. It typically deploys without having to reconfigure subnets and reassign IP addresses on other devices. #A routed firewall appliance forwards between subnets. Each interface on the firewall connects to a different subnet and represents a different security zone. #A router firewall or firewall router appliance implements filtering functionality as part of the router firmware, with a firewall as a secondary feature. #Virtual firewalls often enact east-west security and zero-trust microsegmentation design paradigms. Virtual firewalls can inspect traffic as it passes from host-to-host or between virtual networks, rather than requiring that traffic be routed up to a firewall appliance and back.
Single CA Model vs. Hierarchical model (root CA + intermediate CAs)
#In a single CA model, one CA issues certificates to users; users trust certificates issued only by that CA. The single CA server is very exposed, and if compromised, the whole PKI collapses. #In the hierarchical model, a single CA (root) issues certificates to several intermediate CAs, who issue certificates to subjects. This is also referred to as certificate chaining or a chain of trust.
High availability services utilized by a company
#Local replication replicates data within a single data center in the region where the company created its storage account. Replicas are often in separate fault domains and upgrade domains. #Geo-redundant storage (GRS) replicates data to a secondary region that is distant from the primary region. This safeguards data in the event of a regional outage or a disaster. #Data replication allows businesses to copy data to where the business can utilize it most effectively. Data replication requires low latency network connections, security, and data integrity.
Password attacks
1) Password spraying is a horizontal brute-force online attack. An attacker chooses common passwords and tries them with multiple usernames. 2) A brute-force attack attempts every possible combination in the output space to match a captured hash and guess at the plaintext that generated it. 3) An attacker uses a dictionary attack where there is a good chance of guessing the plaintext value (non-complex passwords). The software generates hash values from a dictionary of plaintexts to try to match one to a captured hash. 4) Rainbow table attacks refine the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes and looks up the hash value of a stored password in the table to discover the plaintext.
trend analysis
1) Statistical deviation analysis can alert a security admin to a suspicious data point. A cluster graph might show activity by standard users and privileged users, and data points outside these clusters may indicate suspicious account activity. 2) Frequency-based trend analysis establishes a baseline for a metric, and if frequency exceeds the baseline threshold, then the system raises an alert. 3) Volume-based trend analysis uses simpler indicators, such as log or network traffic volume, or endpoint disk usage. Unusual log growth needs investigating, and unexpected disk capacity may signify data exfiltration. 4) Syslog provides an open format, protocol, and server software for logging event messages. A very wide range of host types use Syslog.
Incident Response Process
1. Preparation 2. Detection and Analysis (Identification) 3. Containment 4. Eradication 5. Recovery 6. Document/Lessons learned #Once the security admin contains the incident, eradication removes the cause and restores the affected system to a secure state. #When the security admin eradicates the cause of the incident, they can reintegrate the system into the business process that it supports. This recovery phase may involve restoration of data from backup and security testing.
There are a variety of methods for indicating a potential security breach during the identification and detection phase of incident response. Two examples are Intrusion Detection System (IDS) alerts and firewall alerts. Evaluate the following evidence and select the alternate methods that would be of most interest to the IT department during this phase. (Select all that apply.) a) A daily industry newsletter reports on a new vulnerability in the software version that runs on the company's server. b) An anonymous employee uses an "out of band" communication method to report a suspected insider threat. c) The marketing department contacts the IT department because they cannot post a company document to the company's social media account. d) An employee calls the help desk because the employee is working on a file and is unable to save it to a USB to work on at home.
a) A daily industry newsletter reports on a new vulnerability in the software version that runs on the company's server. b) An anonymous employee uses an "out of band" communication method to report a suspected insider threat. #A media report of a newly discovered vulnerability in the version of software that's currently running would be valuable information that should be addressed immediately. #A whistleblower with information about a potential insider threat would be worthy of pursuit. "Out of band" is an authenticated communications channel separate from the company's primary channel.
A security analytics team is threat hunting on a Windows network. What type of activity is most likely to alert the team to an insider attack? a) A user without privileged access executes PowerShell Invoke-Command cmdlet. b) A privileged user account executes PowerShell Invoke-Command cmdlet. c) A user without privileged access uses a Bash command whoami to locate users on the local network. d) A privileged user account uses Constrained Language Mode (CLM) and signed scripts.
a) A user without privileged access executes PowerShell Invoke-Command cmdlet. #Lateral movement or an insider attack uses access to execute a process remotely, using a tool such as psexec or PowerShell. These commands can blend in with ordinary network operations, though they could be anomalous behavior for a non-privileged account. Cmdlets, such as Invoke-Expression, can indicate an attempt to run some type of binary shellcode. #A malicious script running on a Linux host might attempt to use commands, such as whoami and ifconfig/ip/route to establish the local context. NOTE: The use of CLM (Constrained Language Mode) and signed scripts indicate legitimate behavior and can limit the ability to exploit code to run on high-value target systems.
A systems administrator realizes the need to scale a server for high availability purposes. Which approaches does the administrator utilize to scale out the virtual system? (Select all that apply.) a) Add an additional CPU b) Give important processes higher priority c) Free up CPU usage by eliminating services d) Add additional RAM
a) Add an additional CPU d) Add additional RAM #Scalability is the capacity to increase resources to meet demand within similar cost ratios. Scaling out adds more resources in parallel to a system. Adding an additional CPU is an example of scaling out. Scalability means that if service demand doubles, costs do not more than double. Adding more resources such as RAM is an example of scaling out. NOTE: Giving important processes higher priority in a system is not scaling out, but rather scaling up. Scaling up is done by increasing existing resources. Freeing up CPU resources in a system by eliminating services is likewise not scaling out, but scaling up.
Sal, an IT specialist for a large tech firm, pays for a subscription to a threat data feed to stay updated on the latest blogs, white papers, and webinars in his field. What term(s) best describes this type of feed? (Select all that apply.) a) Closed b) Proprietary c) Open source d) Vendor-specific
a) Closed b) Proprietary #Closed or proprietary research and cyber threat intelligence (CTI) data are available through a paid subscription to a commercial threat intelligence platform. #Closed/proprietary security solution providers also publish blogs, white papers, and webinars, making the most valuable research available early to platform subscribers.
An attacker compromises a confidential database at a retailer. Investigators discover that unauthorized ad hoc changes to the system were to blame. How do the investigators describe the attack vector in a follow-up report? (Select all that apply.) a) Configuration drift b) Weak configuration c) Lack of security controls d) Shadow IT
a) Configuration drift d) Shadow IT #Configuration drift happens when malware exploits an undocumented configuration change on a system. #Shadow IT occurs when individuals introduce unauthorized hardware or software to a workplace.
An organization requires that a file transfer occurs on a nightly basis from an internal system to a third-party server. IT for both organizations agree on using FTPS. Which configurations does IT need to put in place for proper file transfers? (Select all that apply.) a) Configure the use of port 990 b) Configure the use of port 22 c) Negotiate a tunnel prior to any exchanged commands d) Using Secure Shell (SSH) between client and server
a) Configure the use of port 990 c) Negotiate a tunnel prior to any exchanged commands #Implicit TLS (FTPS) mode is tricky to configure when there are firewalls between the client and server, and it uses the secure port 990 for the control connection. #Implicit TLS (FTPS) negotiates an SSL/TLS tunnel before the exchange of any FTP commands. NOTE: With SFTP, which uses SSH, a secure link is created between the client and server. Ordinary FTP commands and data transfer can then be sent over the secure link without risk of eavesdropping or man-in-the-middle attacks.
During a cyber incident response exercise, a blue team takes steps to ensure the company and its affiliates can still use network systems while managing a simulated threat in real-time. Based on knowledge of incident response procedures, what stage of the incident response process is the blue team practicing? a) Containment b) Identification c) Eradication d) Recovery
a) Containment #The goal of the containment stage is to secure data while limiting the immediate impact on customers and business partners.
Identify the type of attack where malware forces a legitimate process to load a malicious link library. a) DLL injection b) Pass the hash (PtH) c) Null pointer dereferencing d) Overflow attack
a) DLL injection #DLL injection is a vulnerability in the way the operating system allows one process to attach to another. Malware can abuse this functionality to force a legitimate process to load a malicious link library.
An IT team looks into secure data access and file encryption solutions. During planning, the team researches the different states of data and decides on a way to handle data that is in memory but not used, such as a forgotten open file. Which data state is the team addressing? a) Data in use b) Data at rest c) Data in transit d) Data in motion
a) Data in use #Data in use is the state when data is present in volatile memory, such as system RAM or CPU cache. A document that is open in a word processing application is an example of data in use. #Data at rest means that the data is in some sort of persistent storage media. This includes information stored in databases or archived files. #Data in motion (data in transit) is the state when data is transmitted over a network. Examples of data in transit are a file copy process and website traffic.
Identify the options that are types of active directory group scopes. (Select all that apply.) a) Domain local b) Local group c) Global d) Universal
a) Domain local c) Global d) Universal #Unlike a domain local group, a local group is a system specific group that applies to that system only. #Domain local groups can be used to assign rights to resources within the same domain only. Accounts or universal and global groups from any trusted domain can be a member of a domain local group. #Global groups can contain only user and global or universal group accounts from the same domain but can be used to assign rights to resources in any trusted domain. #Universal groups can contain accounts from any trusted domain and can also be used to grant permissions on any object in any trusted domain.
Which statement correctly differentiates between file transfer protocol (FTP), secure shell file transfer protocol (SFTP), and file transfer protocol over secure socket layer (FTPS)? a) FTP has no encryption. FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell). b) FTP uses only basic encryption, while SFTP adds a layer of security with secure shell (SSH). FTPS uses an entirely different protocol, using secure port 990. c) FTP has no encryption. SFTP adds a layer of security with secure shell (SSH), and FTPS uses an entirely different protocol, using secure port 990. d) FTP uses only basic encryption, while FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell).
a) FTP has no encryption. FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell). #Unlike both FTP and FTPS, SFTP uses only one connection and encrypts both authentication information and data files being transferred.
An organization considers installing fingerprint scanners at a busy entry control point to a secure area. What concerns might arise with the use of this technology? (Select all that apply.) a) Fingerprint scanning is relatively easy to spoof. b) Installing equipment is cost-prohibitive. c) Surfaces must be clean and dry. d) The scan is highly intrusive.
a) Fingerprint scanning is relatively easy to spoof. c) Surfaces must be clean and dry. #The main problem with fingerprint scanners is that it is possible to obtain a copy of a user's fingerprint and create a mold of it that will fool the scanner. #Moisture or dirt can prevent good readings, so facilities using fingerprint scanners must keep readers clean and dry, which can prove challenging in high throughput areas.
Evaluate which of the following solutions would most effectively mitigate vulnerabilities that might arise when outsourcing code development. a) Have one vendor develop the code, and a different vendor perform vulnerability and penetration testing. b) Outsource coding to multiple vendors at once, compare the results each vendor produces, and select the most secure implementations. c) Outsource all coding to a single vendor, limiting the number of vendors in the workflow. d) Trust system integration to the third-party contractor and their contacts.
a) Have one vendor develop the code, and a different vendor perform vulnerability and penetration testing.
A server operates an intrusion detection system (IDS) that enables a system administrator to verify that key system files match authorized versions. This illustrates what IDS implementation and feature? a) Host-based intrusion detection system (HIDS) with file integrity monitoring (FIM) b) Next-generation firewall (NGFW) with file integrity monitoring (FIM) c) User and Entity Behavior Analytics (UEBA) with unified threat management (UTM) d) Next-generation firewall (NGFW) with unified threat management (UTM)
a) Host-based intrusion detection system (HIDS) with file integrity monitoring (FIM) #One of the core features of HIDS is FIM. #An NGFW combines application-aware filtering with user account-based filtering and the ability to act as an intrusion prevention system (IPS). FIM software audits key system files to make sure they match the authorized versions. #UEBA solutions support identification of malicious behaviors from comparison to a baseline. Unified threat management (UTM) refers to a security product that centralizes many types of security controls for monitoring and management. #Intrusion detection functionality integrates into a new generation of firewalls (NGFWs). UTM centralizes security controls and monitoring into a single appliance.
Compare the components found in a virtual platform and select the options that accurately differentiate between them. (Select all that apply.) a) Hypervisors are Virtual Machine Monitors (VMM) and guest operating systems are Virtual Machines (VM). b) Hypervisors facilitate interactions with the computer hardware and computers are the platform that hosts the virtual environment. c) Computers are the operating systems that are installed under the virtual environment and guest operating systems are the platform that host the virtual environment. d) Hypervisors are guest operating systems and computers are the platform that hosts the virtual environment.
a) Hypervisors are Virtual Machine Monitors (VMM) and guest operating systems are Virtual Machines (VM). b) Hypervisors facilitate interactions with the computer hardware and computers are the platform that hosts the virtual environment.
Which of the following statements illustrates an advantage that a self-encrypting drive (SED) offers over full disk encryption (FDE)? a) In a self-encrypting drive (SED), the drive controller, rather than the operating system (OS), controls cryptographic functions. b) In a self-encrypting drive, the operating system (OS), rather than the drive controller, controls cryptographic functions. c) Full disk encryption (FDE) requires an asymmetric key pair to encrypt data, while a self-encrypting drive (SED) can store the data encryption key in the trusted platform module (TPM). d) Full disk encryption (FDE) allows administrative users to change passwords without having to decrypt and re-encrypt the entire drive, while a self-encrypting drive (SED) can safely store keys on a removable USB drive.
a) In a self-encrypting drive (SED), the drive controller, rather than the operating system (OS), controls cryptographic functions. #One drawback of FDE is that when the OS performs the cryptographic operations, performance suffers. FDE doesn't support cryptographic functions. That's why it's best to implement SEDs, because self-encrypting drives (SEDs) mitigate this issue, as the drive controller performs cryptographic operations.
The U.S. Department of Defense (DoD) awards an IT contract to a tech company to perform server maintenance. The servers are colocated at a third-party storage facility. The DoD and the tech company enter into what type of agreement which commits the tech company to implement the agreed upon security controls? a) Interconnection security agreement (ISA) b) Non-disclosure agreement (NDA) c) Data sharing and use agreement d) Service level agreement (SLA)
a) Interconnection security agreement (ISA) #Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.
A defense contractor must configure a new server in a site where several other companies maintain server equipment. The contractor's security requirements specify that other companies' personnel cannot gain access to the contractor's servers, and the area must be impervious to eavesdropping from electromagnetic leaks. What site security configuration will best meet the contractor's requirements? a) Locked Faraday cage b) Locked equipment cage c) Locked server racks d) Vault
a) Locked Faraday cage #The contractor's assets are colocated with other equipment, so they should be secured in a separate, locking cage. A Faraday cage is a charged conductive mesh that blocks signals from entering or leaving the area, to mitigate the risk of eavesdropping from leakage of electromagnetic signals. #With data colocation, the contractor can install racks inside cages so that technicians can only physically access the racks housing their own company's servers and appliances. #A vault is a room hardened against unauthorized entry by physical means, such as drilling or explosives.
Management looks to IT for a solution to identify successful and failed login attempts. Which solution will IT provide to management? a) Logs b) Network monitors c) Packet capture d) Sniffer
a) Logs #A system log can be used to diagnose availability issues. A security log can record both authorized and unauthorized uses of a resource or privilege.
After news of a breach at a competitor, IT at a manufacturer looks to harden server systems. Which system properties should IT disable if they are not in use? (Select all that apply.) a) Network interfaces b) System services c) Service ports d) Persistent storage
a) Network interfaces b) System services c) Service ports #Interfaces provide a connection to the network. Some machines may have more than one interface. #Services provide a library of functions for different types of applications. Some services support local features of the OS and installed applications. #Application service ports allow client software to connect to applications over a network. These should either be disabled or blocked at a firewall if remote access is not required.
Analyze the following scenarios and determine which attacker used piggybacking. a) On the way to a meeting in a restricted area of a government facility, a contractor holds open a gate for a person in a military uniform, who approaches the entry point at a jog, flashing a badge just outside of the readable range. b) A government employee is late for a meeting in a restricted area of a military installation. Preoccupied with making the meeting on time, the employee does not notice when the gate has not closed and someone enters the restricted area. c) An employee leaves the workstation to use the restroom. A coworker notices that the employee has forgotten to lock the workstation, and takes advantage of the user's permissions. d) Several prospective interns are touring the operations floor of a large tech firm. One of them seems to be paying especially close attention to the employees.
a) On the way to a meeting in a restricted area of a government facility, a contractor holds open a gate for a person in a military uniform, who approaches the entry point at a jog, flashing a badge just outside of the readable range. #Piggybacking is similar to tailgating, but the attacker enters a secure area with an employee's permission. #Tailgating is a means of entering a secure area without authorization.
When monitoring API usage on a system, an engineer notices a very high error rate. The application's latency and thresholds appear to be high. What does the engineer determine to be the cause? (Select all that apply.) a) Overloaded system b) Security issues c) Number of requests d) Service responses
a) Overloaded system b) Security issues #API stands for Application Programming Interface. #An error rate is a measurement of the number of errors as a percentage of total calls. Errors may represent an overloaded system if the API is unresponsive. #Errors from an API may represent a security issue if the errors are authorization/access denied types. #The number of requests represents the basic load metric: the count of requests per second or requests per minute. #Latency is the time in milliseconds (ms) taken for the service to respond to an API call.
A hacker gains access to a database of usernames for a target company and then begins combining common, weak passwords with each username to attempt authentication. The hacker conducts what type of attack? a) Password spraying b) Brute force attack c) Dictionary attack d) Rainbow table attack
a) Password spraying #Password spraying is a horizontal brute-force online attack. An attacker chooses common passwords and tries them with multiple usernames.
A security engineer implements a secure wireless network. In doing so, the engineer decides to use EAP with Flexible Authentication via Secure Tunneling (EAP-FAST). Which authentication approach does the engineer implement? a) Protected Access Credential (PAC) instead of a certificate b) Any inner authentication protocol such as PAP or CHAP c) Only requiring a server-side public key certificate d) The supplicant and server are configured with certificates.
a) Protected Access Credential (PAC) instead of a certificate #EAP with Flexible Authentication via Secure Tunneling (EAP-FAST) is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC). NOTE: #EAP-Tunneled TLS (EAP-TTLS) is similar to PEAP. It uses a server-side certificate and can use any inner authentication protocol (PAP or CHAP, for instance). #In Protected Extensible Authentication Protocol (PEAP), an encrypted tunnel is established between the supplicant and authentication server and only requires a server-side public key certificate. #EAP-TLS is one of the strongest types of authentication and the supplicant and server are configured with certificates.
A power outage disrupts a medium-sized business, and the company must restore systems from backups. If the business can resume normal operations from a backup made two days ago, what metric does this scenario represent? a) Recovery Point Objective (RPO) b) Recovery time objective (RTO) c) Maximum tolerable downtime (MTD) d) Work Recovery Time (WRT)
a) Recovery Point Objective (RPO) #RPO is the amount of data loss a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means the system can recover the data (from a backup copy) to a point not more than 24 hours before the infection.
While preparing a disaster recovery plan, management at a company considers how far back it can allow for the loss of data. Which metric does management use to describe this business essential data in terms of recovery? a) Recovery point objective b) Work recovery time c) Maximum tolerable downtime d) Mean time to repair
a) Recovery point objective #Recovery Point Objective (RPO) is the amount of data loss that a system can sustain, measured in time. If data is not recoverable (such as the last five working days of data), there is significant impact to operations of the business. #Work Recovery Time (WRT) follows systems recovery. During this time there may be additional work to reintegrate different systems and test overall functionality. #Maximum tolerable downtime (MTD) is the longest period of time that a business function outage may occur without causing irrecoverable business failure. #Mean time to repair (MTTR) is a maintenance metric (the average time taken to fix a failed component), not a data-loss metric.
Several businesses operating on a federated network allow access to each other's resources through enterprise connections. When this type of federated network employs Security Assertion Markup Language (SAML), how are authorization tokens secured? a) SAML tokens are signed with an eXtensible Markup Language (XML) digital signature. b) SAML uses OpenID Connect (OIDC) to refer the service provider to the identity provider. c) SAML uses OpenID to allow the user to select their preferred identity provider to "sign on with." d) SAML tokens are encrypted using Public Key Infrastructure (PKI) digital signatures.
a) SAML tokens are signed with an eXtensible Markup Language (XML) digital signature. #Security Assertion Markup Language (SAML) assertions (the tokens) are written in XML and signed using the XML Signature specification. The digital signature lets the service provider verify that the assertion really came from the trusted identity provider and was not altered in transit. NOTE: SAML and OpenID/OIDC are both federated identity standards, but they are separate protocols; a SAML federation does not use OpenID to refer the service provider to the identity provider. Signing is also not the same as encrypting: the signature proves origin and integrity, while confidentiality comes from TLS on the wire (or the optional XML Encryption of the assertion), not from the signature itself.
Which of the following statements best contrasts between a service-oriented architecture (SOA) model and a microservices-based model? a) SOA can build services from other services, while an implementation of microservices develops, tests, and deploys microservices independently. b) Microservices are loosely decoupled, while SOA services are considered highly decoupled. c) SOA focuses on making a single, discrete task easily repeatable, while microservices perform a sequence of automated tasks. d) Microservices help to make a network's design architecture fit a business's requirements, rather than accommodating the business workflow to the platform requirements, as in SOA.
a) SOA can build services from other services, while an implementation of microservices develops, tests, and deploys microservices independently. #SOA allows a service to build from other services. By contrast, each microservice should be capable of being developed, tested, and deployed independently. The microservices can be described as highly decoupled rather than just loosely decoupled.
After attending a security seminar, management inquired about ways to secure directory services. If the company uses Microsoft's Active Directory, which of the following implementations is the IT team most likely to suggest? a) Simple Authentication and Security Layer (SASL) b) Simple Network Management Protocol (SNMP) c) Lightweight Directory Access Protocol Secure (LDAPS) d) Simple bind authentication
a) Simple Authentication and Security Layer (SASL) #With SASL, the client and server negotiate which supported authentication mechanism to use, such as Kerberos (via GSSAPI). Separately, the LDAP STARTTLS extended operation upgrades the plain port 389 connection to TLS; combined with SASL this gives encryption (sealing) and message integrity (signing). This is the mechanism preferred for Microsoft's Active Directory (AD) implementation of LDAP. #With LDAP Secure (LDAPS), the server is installed with a digital certificate, which it uses to set up a TLS tunnel (on port 636) before the user credential exchange takes place. #Simple bind sends the username and password in the clear unless TLS is also in use, so it is the option to avoid. NOTE: SNMP is a network management/monitoring protocol, not a directory-services option.
A technology firm suffers a large-scale data breach, and the company suspects a disgruntled former IT staff member orchestrated the breach to exfiltrate proprietary data. During the forensic investigation, a hard disk was not signed out when handled. Examine the scenario and determine what issue this oversight is most likely to cause in the investigative process. a) The chain of custody is under question. b) A timeline of events is under question. c) Retrospective network analysis (RNA) cannot occur. d) Relevant evidence was not properly disclosed to the defendant.
a) The chain of custody is under question. #When security breaches go to trial, the chain of custody protects an organization against accusations that evidence has been tampered with or altered in any way.
Two companies enter into an agreement that if one data center suffers a disaster-level event, it can failover to the other company's data center with minimal disruption in service. Which statement most accurately describes the companies' site resiliency postures? a) The companies have a reciprocal arrangement for mutual hot site support. b) The companies have a contractual agreement to provide mutual cold site support. c) The companies each have a reserved warm site for failover operations. d) The companies have a mutual contract for warm site failover support.
a) The companies have a reciprocal arrangement for mutual hot site support. #Businesses may enter into reciprocal arrangements to provide mutual support, which is cost effective but complex to plan and set up. Each data center represents a hot site, which can failover almost immediately. #A cold site, such as an empty building with a lease agreement to install computer equipment when needed, takes longer to set up. #A warm site is similar to a hot site, but a warm site will need to load the latest data set to resume normal operations.
When a company first installed its computer infrastructure, IT implemented robust security controls. As the equipment ages, however, those controls no longer effectively mitigate new risks. Which statement best summarizes the company's risk posture? a) The company's aging infrastructure constitutes a control risk. b) The company demonstrates risk transference, assigning risk to IT personnel. c) The company can expect little to no impact from an outage event. d) The company demonstrates effective risk mitigation techniques for low priority systems
a) The company's aging infrastructure constitutes a control risk. #Control risk measures how much less effective a security control has become over time. Risk management is an ongoing process, requiring continual reassessment and re-prioritization. NOTE: Transference (or sharing) means assigning risk to a third-party, such as an insurance company or a contract with a supplier that defines liabilities. A company's IT department is not a third-party.
Analyze the factors associated with performing a Business Process Analysis (BPA) and select the statement that aligns with the output factors. a) The data or resources a function produces b) The source of information for performing a function c) The resources supporting a function d) A description of how a function is performed
a) The data or resources a function produces #The word "output" in the question gives it away: outputs are one of the five factors identified when performing a Business Process Analysis (BPA), alongside inputs, hardware, staff and other resources, and process flow. #A BPA is performed to identify dependencies, which should be reduced as much as possible between critical components. #The input factors are the sources of information for performing a function, including the resulting impact if these are delayed or out of sequence. This can include data entered into a system, or data flowing from other systems or sites.
An individual contacts a company's IT department, threatening to exploit a vulnerability found in the company's security infrastructure if the company does not pay a bounty. Upon further investigation, the IT team discovers that the individual threatening the company used crude scripts in the hacking attempt, which they easily managed. Which statement best describes the disparity between the hacker's claim and the hacker's real capability? a) The hacker presents as a black hat, but the individual's capabilities indicate the hacker is a script kiddie. b) The hacker claims to be a white hat, but the threatening demeanor and capabilities represent those of a black hat hacker. c) The hacker presents as a script kiddie, but the threatening demeanor and capabilities indicate a black hat hacker. d) The hacker presents as a gray hat hacker, but the individual's capabilities indicate a script kiddie.
a) The hacker presents as a black hat, but the individual's capabilities indicate the hacker is a script kiddie. #The term hacker describes an individual who has the skills to gain access to computer systems through unauthorized or unapproved means. A black hat hacker acts with malicious intent. A script kiddie is someone that uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks.
Which of the following defines key usage with regard to standard extensions? a) The purpose for which a certificate was issued b) The ability to create a secure key pair c) Configuring the security log to record key indicators d) To archive a key with a third party
a) The purpose for which a certificate was issued #One of the most important standard extensions is key usage. This extension defines the purpose for issuing a digital certificate, such as for signing documents or key exchange. #The ability to create a secure key pair of the required strength using the chosen cipher is key generation, not key usage. #Configuring the security log to record key indicators and then reviewing the logs for suspicious activity is usage auditing, not key usage. #In terms of key management, escrow refers to archiving a key (or keys) with a third party. It is not key usage.
A user enters the web address of a favorite site and the browser returns the following: "There is a problem with this website's security certificate." The user visits this website frequently and has never had a problem before. Applying knowledge of server certificates, select the circumstances that could cause this error message. (Select all that apply.) a) The system's time setting is incorrect. b) The certificate is pinned. c) The web address was mistyped. d) The certificate expired.
a) The system's time setting is incorrect. d) The certificate expired. #If the date and time settings on the system are not synchronized with the server's setting, the server's certificate will be rejected. An expired server certificate would cause the browser to return an error message. NOTE: Certificate pinning ensures that when a client inspects the certificate presented by a server, it is inspecting the proper certificate.
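The two accepted answers are both failures of the same browser check: the client's current time must fall inside the certificate's notBefore/notAfter window. The following is an added example of mine, not CertMaster material, that mimics that check with the Python standard library and adds the pinning comparison mentioned in the note. The dates, the "spki" bytes and the pinned value are constructed for the example; real code would take them from ssl.SSLSocket.getpeercert() and the server's DER certificate.

```python
import base64
import hashlib
import ssl
from typing import Iterable

# Constructed example values. The date strings use the format that
# ssl.SSLSocket.getpeercert() returns for notBefore/notAfter.
NOT_BEFORE = "Mar 01 00:00:00 2024 GMT"
NOT_AFTER = "Mar 01 00:00:00 2025 GMT"


def cert_seconds(asn1_time: str) -> float:
    """Convert a getpeercert()-style timestamp to seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(asn1_time)


def check_validity_window(not_before: str, not_after: str, now: float) -> str:
    """The check a browser applies: 'now' must fall inside [notBefore, notAfter].

    A client clock that is wrong in either direction fails it, which is why a
    bad system time produces a certificate error on a perfectly good site."""
    if now < cert_seconds(not_before):
        return "not yet valid"
    if now > cert_seconds(not_after):
        return "expired"
    return "valid"


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(spki_der: bytes, pinned: Iterable[str]) -> bool:
    """Pinning check: the presented key must hash to one of the pinned values.

    A valid, unexpired certificate carrying the wrong key is still rejected,
    which is what protects against a mis-issued or rogue-CA certificate."""
    return spki_pin(spki_der) in set(pinned)


if __name__ == "__main__":
    good_clock = cert_seconds(NOT_BEFORE) + 30 * 86400   # a month into the validity period
    reset_clock = cert_seconds(NOT_BEFORE) - 5 * 86400   # PC clock reset to before issuance
    print(check_validity_window(NOT_BEFORE, NOT_AFTER, good_clock))
    print(check_validity_window(NOT_BEFORE, NOT_AFTER, reset_clock))
    fake_spki = b"constructed-spki-bytes"   # stands in for the server's real SubjectPublicKeyInfo
    print(pin_matches(fake_spki, [spki_pin(fake_spki)]))
```

Run it as-is to see "valid", "not yet valid" and True; a mistyped address (option c) is not caught by either function because it changes the host name, not the time or the key.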
A systems manager creates a control diversity plan to enact a defense in depth approach to security. To mitigate any possible risk of a virus infection, the plan includes which physical and administrative controls? (Select all that apply.) a) User training b) USB port locks c) Restricted permissions d) Endpoint security
a) User training b) USB port locks #User training (an administrative control) may ensure that a USB drive is not inserted into a computer system without scanning it first. Security locks inserted into USB ports (a physical control) on a system could prevent malicious activity by denying the attachment of media without first requesting a key. NOTE: Restricted permissions and endpoint security software also help against malware, but they are technical controls, which the question excludes.
An engineer considers blockchain as a solution for record-keeping. During planning, which properties of blockchain does the engineer document for implementation? (Select all that apply.) a) Using a peer-to-peer network b) Obscuring the presence of a message c) Partially encrypting data d) Using cryptographic linking
a) Using a peer-to-peer network d) Using cryptographic linking #Blockchain is recorded in a public ledger. This ledger does not exist as an individual file on a single computer; rather, it is distributed across a peer-to-peer (P2P) network. #The hash value of a previous block in a chain is added to the hash calculation of the next block in the chain. This ensures that each successive block is cryptographically linked: altering any earlier block changes its hash and breaks the link to every block after it. #Obscuring the presence of a message is steganography (embedding data where it is not expected), not a blockchain property, and blockchain integrity comes from hashing, not from (partially) encrypting the data.
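The cryptographic-linking property is easier to see in code than in prose. The following is an added example of mine, not CertMaster material: a minimal ledger in which each block's hash covers the previous block's hash, plus the verification walk a peer would perform. The records are constructed strings, and the single-process list stands in for the P2P-distributed ledger.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

GENESIS_PREV = "0" * 64  # the first block has no predecessor to link to


@dataclass
class Block:
    index: int
    data: str
    prev_hash: str
    hash: str


def block_hash(index: int, data: str, prev_hash: str) -> str:
    """SHA-256 over the block's contents *and* the previous block's hash.

    Folding prev_hash into the input is what links the blocks: changing any
    earlier block changes its hash, which changes every hash after it."""
    payload = json.dumps({"index": index, "data": data, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(records: List[str]) -> List[Block]:
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, rec in enumerate(records):
        h = block_hash(i, rec, prev)
        chain.append(Block(i, rec, prev, h))
        prev = h
    return chain


def verify_chain(chain: List[Block]) -> Tuple[bool, int]:
    """Walk the ledger as a peer would: recompute each hash and check the link.

    Returns (True, -1) for an intact chain, otherwise (False, index of the
    first block whose contents or link no longer match)."""
    prev = GENESIS_PREV
    for blk in chain:
        if blk.prev_hash != prev:
            return False, blk.index
        if blk.hash != block_hash(blk.index, blk.data, blk.prev_hash):
            return False, blk.index
        prev = blk.hash
    return True, -1


def tamper(chain: List[Block], index: int, new_data: str, rehash: bool) -> None:
    """Alter a historical record; optionally recompute that block's own hash
    (what an attacker who controls one copy of the ledger might try)."""
    chain[index].data = new_data
    if rehash:
        chain[index].hash = block_hash(index, new_data, chain[index].prev_hash)


if __name__ == "__main__":
    # Constructed sample records, not real transactions.
    ledger = build_chain(["alice->bob 5", "bob->carol 2", "carol->dave 1"])
    print(verify_chain(ledger))            # intact: (True, -1)
    tamper(ledger, 1, "bob->carol 200", rehash=False)
    print(verify_chain(ledger))            # block 1's stored hash no longer matches its data
    tamper(ledger, 1, "bob->carol 200", rehash=True)
    print(verify_chain(ledger))            # block 2 still links to the old hash of block 1
```

Recomputing the tampered block's own hash only moves the failure one block along; to hide the change the attacker would have to rewrite every later block on every peer, which is the point of distributing the ledger.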
A cloud administrator receives reports that a physical server is having issues with its virtualized guest machines. There is a possibility that a threat actor has been successful with an attack. Which problem types does the administrator investigate? (Select all that apply.) a) VM sprawl b) VM escape c) VM template d) VM monitor
a) VM sprawl b) VM escape #VM sprawl is a configuration vulnerability where provisioning and deprovisioning of virtual assets is not authorized and properly monitored. #VM escaping refers to malware running on a guest OS jumping to another guest or to the host. To do this, the malware must identify that it is running in a virtual environment, which is usually simple to do.
A company follows a bring your own device (BYOD) mobile implementation. What is an ideal solution the company can use to overcome some of the security risks involved with employee-supplied devices? a) Virtual desktop infrastructure (VDI) b) Location services c) Remote wipe d) Carrier unlocking
a) Virtual desktop infrastructure (VDI) #With VDI the corporate desktop and its data stay in the data center; the employee's hardware only has to be capable of running a VDI client viewer or a browser that supports a clientless HTML5 solution. #Each time a user accesses VDI, the session is "as new", so no company data is left behind on the personal device, and employees can access it remotely. NOTE: Remote wipe (kill switch) is a response for a lost or stolen device: it can reset the device to factory defaults or clear personal data (sanitization), but it is hard to enforce on an employee-owned device. Carrier unlocking removes the restriction that ties a device to a single carrier; it is not a security control. Location services can help find a lost device but do not protect the data on it.
Which statements describe why devices on an enterprise network should disable Wi-Fi tethering? (Select all that apply.) a) Wi-Fi tethering functionality can circumvent data loss prevention measures. b) Wi-Fi tethering functionality can circumvent web content filtering policies. c) Wi-Fi tethering functionality can enable a Trojan to install apps through the device's charging plug. d) Wi-Fi tethering functionality can enable a nearby attacker to skim information from the device.
a) Wi-Fi tethering functionality can circumvent data loss prevention measures. b) Wi-Fi tethering functionality can circumvent web content filtering policies. #The term "Wi-Fi tethering" is widely known as a hotspot. When a device connects to an enterprise network, this functionality should be disabled, as it might be used to circumvent security mechanisms. Wi-Fi tethering functionality can allow devices to circumvent data loss prevention or web content filtering policies.
Which command can help a security professional conducting an organizational security assessment identify a spoofing attack? a) arp b) ipconfig/ifconfig c) route d) pathping/mtr
a) arp #arp displays the local machine's Address Resolution Protocol (ARP) cache, which shows the media access control (MAC) address associated with each IP address the local host communicated with recently. This is useful for investigating suspected spoofing attacks. NOTE: pathping (Windows)/mtr (Linux) provides statistics for latency and packet loss along a route over a longer measuring period. High latency at the various hops could indicate man-in-the-middle attacks, denial of service, or network congestion.
Xander sends a malicious file via email attachment to employees at a target company, hoping at least one employee will open the malicious file that will propagate through the company's network and disrupt the company's operations. If Xander's goal is disruption of company operations, what does this describe? a) intent b) motivation c) risk d) threat
a) intent #Intent describes what an attacker hopes to achieve from the attack, while motivation is the attacker's reason for perpetrating the attack.
A penetration tester directs test packets to the host using a variety of default passwords against service and device accounts, gaining a view of the vulnerabilities the network exposes to unprivileged users. Given this situation, what type of test did the penetration tester use? a) A credentialed scan b) A non-credentialed scan c) A topology discovery scan d) A host discovery scan
b) A non-credentialed scan #A non-credentialed scan proceeds without the tester logging on to a host or given any sort of privileged access. The view obtained from this scan is what an unprivileged user would see. #A credentialed scan gives a user account logon rights to various hosts, plus whatever other permissions are appropriate for the testing routines. #Topology discovery (footprinting) is the part of the discovery phase where the attacker or pen tester starts to identify the structure of the target network. #Like the ping command, host discovery can detect the presence of a host on a particular IP address or one that responds to a particular host name.
An engineering firm wants to bolster the security measures implemented on their servers. Evaluate the proposed solutions for the best type of security control to fit the firm's needs. a) Security guards should secure all entry control points. b) Advanced firewalls and access control lists should be configured. c) The company's security policy needs to be updated. d) Employees should attend annual security training.
b) Advanced firewalls and access control lists should be configured. #The question is about controls implemented on the servers themselves, so a technical control fits best; for an organization-wide people problem, employee training would be the better option. #Technical controls are system-level implementations, such as access control lists, firewalls, and anti-virus software. NOTE: Security policies are managerial (oversight) controls, guards are physical controls, and training is an operational/administrative control.
Which statement describes a key distinction between an intentional and unintentional threat actor? a) An intentional threat actor attacks a target from inside its network; whereas, an unintentional threat actor conducts opportunistic attacks. b) An intentional threat actor has intent and motivation to attack; whereas, an unintentional threat actor acts out of negligence. c) An intentional threat actor actively undermines a target system; whereas an unintentional threat actor passively undermines the target system. d) An intentional threat actor has permissions on the target system; whereas, an unintentional threat actor does not have permissions.
b) An intentional threat actor has intent and motivation to attack; whereas, an unintentional threat actor acts out of negligence. #An attack vector is the path or tool a malicious threat actor uses.
Examine the differences between authentication factors and authentication attributes and select the statement that most effectively summarizes the differences between authentication factors and authentication attributes. a) Authentication attributes are characteristics used to verify an account holder's credentials, while authentication factors use secondary or continuous authentication and access control. b) Authentication factors verify an account holder's credentials, while authentication attributes are either non-unique or cannot independently authenticate a user's credentials. c) Authentication factors are most secure when used alone, while authentication attributes should be used in combination with one another to authenticate a user's credentials. d) Authentication attributes describe physical characteristics and behavioral traits of an individual user, while authentication factors primarily authenticate users based on items they carry or information they know.
b) Authentication factors verify an account holder's credentials, while authentication attributes are either non-unique or cannot independently authenticate a user's credentials. #Factors (something you know, something you have, something you are) can each independently establish who a user is. Attributes (somewhere you are, something you can do, something you exhibit, someone you know) are not unique or reliable enough to do so on their own, so they are used alongside factors for additional, contextual, or continuous authentication.
A hacker places a false name:IP address mapping in an operating system's HOSTS file, redirecting traffic from a legitimate IP address to a malicious IP address. What type of attack did the hacker perform? a) Domain hijacking b) Domain name system client cache (DNS) poisoning c) Rogue dynamic host configuration protocol (DHCP) d) Address Resolution Protocol (ARP) poisoning
b) Domain name system client cache (DNS) poisoning #If an attacker can place a false name:IP address mapping in the HOSTS file, poisoning the DNS cache, the attacker can redirect traffic. #ARP poisoning occurs when an attacker with access to the network redirects an IP address to the MAC address of a computer that is not the intended recipient. #In domain hijacking (or brandjacking), the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity.
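Because the HOSTS file is consulted before DNS, a poisoned entry is easy to spot once you know what to look for. The following is an added example of mine, not CertMaster material: a small parser for the HOSTS format and a check that flags the two patterns typical of this attack, a public domain pinned to a static address and one address collecting several unrelated names. The file content, the domain names, the attacker address and the watch-list are all constructed for the example; on a real host you would read %SystemRoot%\System32\Drivers\etc\hosts or /etc/hosts instead.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed HOSTS file content (Windows layout; /etc/hosts parses the same way).
# The last two lines play the attacker's injected entries; all names are hypothetical.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    intranet.example.local
203.0.113.66    login.examplebank.com   # injected: public site pinned to attacker IP
203.0.113.66    update.example-av.com   # injected: hijacks the AV update channel
"""

# Assumed watch-list: public names that should only ever be resolved via DNS.
WATCHED_DOMAINS = ("examplebank.com", "example-av.com")

# Loopback and RFC 1918 targets are treated as legitimate local overrides.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank lines and aliases are handled."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                              # malformed line, ignore
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address
        for name in fields[1:]:                   # one line may list several aliases
            entries.append((fields[0], name.lower()))
    return entries


def _is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def _is_watched(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious(entries: List[Tuple[str, str]]) -> List[str]:
    """Flag mappings typical of HOSTS-file poisoning."""
    findings: List[str] = []
    names_per_ip: Dict[str, List[str]] = {}
    for ip, name in entries:
        if _is_local(ip):
            continue
        if _is_watched(name):
            findings.append(f"{name} -> {ip}: watched public domain resolved statically via HOSTS")
        names_per_ip.setdefault(ip, []).append(name)
    for ip, names in names_per_ip.items():
        if len(names) > 1:
            findings.append(f"{ip}: {len(names)} names map to one public address ({', '.join(names)})")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_hosts(SAMPLE_HOSTS)):
        print("SUSPICIOUS:", finding)
```

The same check is worth running on the ARP cache and the DNS resolver cache when pharming is suspected, since all three are places where a local attacker can redirect traffic without touching the real DNS server.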
A large data facility just experienced a disaster-level event, and the IT team is in the process of reconstituting systems. Which statement illustrates the appropriate first step the team should take in this process? a) First, the team should enable and test switch infrastructure, then routing appliances and systems. b) First, the team should enable and test power delivery systems, including grid power, power distribution units (PDUs), uninterruptible power supplies (UPS), and secondary generators. c) First, the team should enable and test network security appliances, including firewalls, intrusion detection systems (IDS), and proxies. d) First, the team should enable and test critical network servers, including dynamic host configuration protocol (DHCP), domain name system (DNS), network time protocol (NTP), and directory services.
b) First, the team should enable and test power delivery systems, including grid power, power distribution units (PDUs), uninterruptible power supplies (UPS), and secondary generators. #Secondly, the team should enable and test switch infrastructure, then routing appliances and systems. #The third step is to enable and test network security appliances (firewalls, IDS, proxies). #The fourth step is enabling and testing critical network servers (DHCP, DNS, NTP, and directory services).
An organization prepares for an audit of all systems security. While doing so, staff perform a risk management exercise. Which phase does the staff consider first? a) Identify vulnerabilities b) Identify essential functions c) Analyze business impact d) Identify risk response
b) Identify essential functions #Effective risk management must focus on mission essential functions that could cause the whole business to fail if they are not performed. Identifying these systems and processes should be done first.
Which statement draws a true comparison between full, differential, and incremental backups? (Select all that apply.) a) A system can combine incremental and differential backup methods for faster restoration than using a full backup. b) If a system performs backups every day, an incremental backup includes only files changed that day, while a differential backup includes all files changed since the last full backup. c) Compared to a differential backup, both full backups and incremental backups clear the archive attribute. d) A differential backup combines elements of full and incremental backups to optimize backup and restore timelines.
b) If a system performs backups every day, an incremental backup includes only files changed that day, while a differential backup includes all files changed since the last full backup. c) Compared to a differential backup, both full backups and incremental backups clear the archive attribute. #An incremental backup clears the archive attribute, so each one captures only what changed since the previous backup of any type; a differential leaves the bit set, so each differential grows until the next full backup resets it. #Restoring from incrementals needs the full backup plus every incremental in order; restoring from differentials needs the full backup plus only the most recent differential (fewer sets, faster restore, but more storage per backup). #Incremental and differential are alternatives, not methods that are combined, and a differential is its own method rather than a mix of full and incremental.
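The archive-attribute rule is what makes the two strategies behave differently, and a short simulation shows it more clearly than the definitions. The following is an added example of mine, not CertMaster material: it models the attribute as a boolean per file, runs one constructed week (Sunday full, then three daily backups) under each strategy, and reports which backup sets a restore needs. File names and the change pattern are made up for the example.

```python
from typing import Dict, List, Set

# File table: name -> archive attribute (True = changed since the last backup that cleared it).
FileTable = Dict[str, bool]


def full_backup(files: FileTable) -> Set[str]:
    """Copy everything and clear the archive attribute on every file."""
    captured = set(files)
    for name in files:
        files[name] = False
    return captured


def incremental_backup(files: FileTable) -> Set[str]:
    """Copy files whose archive bit is set, then clear it, so the next
    incremental captures only what changed after this one."""
    captured = {n for n, changed in files.items() if changed}
    for name in captured:
        files[name] = False
    return captured


def differential_backup(files: FileTable) -> Set[str]:
    """Copy files whose archive bit is set but leave the bit alone, so each
    differential contains everything changed since the last full backup."""
    return {n for n, changed in files.items() if changed}


def simulate_week(strategy: str) -> List[Set[str]]:
    """Sunday full, then Mon/Tue/Wed partial backups with constructed changes."""
    partial = {"incremental": incremental_backup,
               "differential": differential_backup}[strategy]
    files: FileTable = {"a.docx": True, "b.xlsx": True, "c.pdf": True}
    sets = [full_backup(files)]      # Sunday: full
    files["a.docx"] = True           # Monday: a edited
    sets.append(partial(files))
    files["b.xlsx"] = True           # Tuesday: b edited
    sets.append(partial(files))
    files["a.docx"] = True           # Wednesday: a edited again
    sets.append(partial(files))
    return sets


def restore_plan(strategy: str, sets: List[Set[str]]) -> List[int]:
    """Indexes of the backup sets needed to rebuild the latest state.

    Incremental: the full plus every incremental, applied in order.
    Differential: the full plus only the most recent differential."""
    if strategy == "incremental":
        return list(range(len(sets)))
    return [0, len(sets) - 1]


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sets = simulate_week(strategy)
        print(strategy, [sorted(s) for s in sets], "restore needs sets", restore_plan(strategy, sets))
```

Wednesday's set shows the trade-off: the incremental holds just a.docx, while the differential holds a.docx and b.xlsx again, so differentials cost more space per run but the restore touches only two sets.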
Security solutions providers and academics conduct primary research to produce outputs on threat intelligence that takes three main forms. Which of these selections is NOT one of the three main outputs? a) Behavioral threat research b) Information Sharing and Analysis Centers (ISACs) c) Reputational threat intelligence d) Threat data
b) Information Sharing and Analysis Centers (ISACs) #Information Sharing and Analysis Centers (ISACs) are sector-specific resources for companies and agencies working in critical industries, such as power supply, financial markets, or aviation. They are a way of sharing intelligence, not one of the three research outputs, which are behavioral threat research, reputational threat intelligence, and threat data.
Management at a financial firm is assembling an incident response team that will be responsible for handling certain aspects of recovery and remediation following a security incident. What internal offices should provide a representative to serve as a member of this team? (Select all that apply.) a) Sales b) Legal c) HR d) PR
b) Legal c) HR d) PR #It is important to have access to legal expertise so that the team can evaluate incident response from the perspective of compliance with laws and industry regulations. #An HR member should be on the team. Incident prevention and remediation actions may affect employee contracts, employment law, and more. #A team is likely to require public relations input, so that any negative publicity from a serious incident can be managed. The PR role should be the one dealing with any media outlets.
A dissatisfied employee has discreetly begun exfiltrating company secrets to sell to a competitor. The employee sets up a malware script that will run in the event of the employee's firing and account deletion. Analyze the attack and determine what type of attack the employee has emplaced. a) Rootkit b) Logic bomb c) Remote Access Trojan (RAT) d) Backdoor
b) Logic bomb #A typical example of a logic bomb can involve a disgruntled system administrator who leaves a scripted trap, which runs in the event an account is deleted or disabled.
A new IT administrator accidently causes a fire in the IT closet at a small company. Consider the disaster types and conclude which types this event might classify as. (Select all that apply.) a) External b) Man-made c) Internal d) Environmental
b) Man-made c) Internal #A man-made disaster event is one where human agency is the primary cause. Typical examples include terrorism, war, vandalism, pollution, and arson. There can also be accidental man-made disasters. #An internal disaster is one that is caused by malicious activity or by accident by an employee or contractor. In this case, the fire was accidental.
An unauthorized person gains access to a restricted area by blending in with a crowd of employee's as they approach the security desk and show their badges to the guard. While walking down a long hallway, the group is stopped at a turnstile and the unauthorized person is discovered. What type of policy prevented this type of social engineering attack? a) CCTV policy b) Mantrap policy c) ID badge policy d) Skimming policy
b) Mantrap policy #A mantrap is a physical security control used for critical assets, where one gateway leads to an enclosed space protected by another barrier. #Skimming involves the use of a counterfeit card reader to capture card details, which are then used to program a duplicate.
A company located in the western United States that uses cloud computing relies on redundant systems in adjacent availability zones for data backup and storage. Analyze the configuration and determine which level of high availability service the company utilizes. a) Local replication b) Regional replication c) Geo-redundant storage (GRS) d) Cloud service replication
b) Regional replication #Regional replication (also called zone-redundant storage) replicates data across multiple data centers within one or two regions. This safeguards data and access in the event a single data center is destroyed or goes offline.
Identify the true statements about supervisory control and data acquisition (SCADA) systems. (Select all that apply.) a) SCADA systems typically communicate with one another through LAN connections. b) SCADA systems typically run as software on ordinary computers, gathering data from and managing field devices. c) SCADA systems are purpose-built devices that prioritize IT security features. d) SCADA systems serve primarily industrial, manufacturing, utility, and logistics sectors.
b) SCADA systems typically run as software on ordinary computers, gathering data from and managing field devices. d) SCADA systems serve primarily industrial, manufacturing, utility, and logistics sectors. #SCADA typically runs as software on ordinary computers, gathering data from and managing plant devices and equipment, with embedded PLCs, referred to as field devices. #Many sectors of industry, including utilities, industrial processing, fabrication and manufacturing, logistics, and facilities management use these types of systems. NOTE: ICS/SCADA was historically built without regard to IT security. SCADA typically uses WAN communications, such as cellular or satellite, to link the SCADA server to field devices, rather than a single LAN.
A company without an internal IT team hires a service provider to monitor a computer network for security issues. Before the service provider is given access, which agreement is put in place to establish expectations? a) NDA b) SLA c) ISA d) PII
b) SLA #A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which a service is provided, including the expected level of monitoring and response. #Interconnection security agreements (ISA) are used for integrating systems. Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. #A non-disclosure agreement (NDA) gives a legal basis for protecting information assets but does not set service expectations, and PII (personally identifiable information) is a data category, not an agreement.
A systems engineer looks to monitor a network for security purposes. The engineer places sensors throughout the building in appropriate places, but does not have enough to cover all areas that they want to monitor. Fortunately, the engineer thought ahead and purchased appropriate network switches. Which sensor type does the engineer use to monitor specific systems? (Select all that apply.) a) TAP (Active) b) SPAN c) TAP (passive) d) Mirror
b) SPAN d) Mirror #Switched port analyzer (SPAN) is a sensor that is attached to a specially configured port on the switch that receives copies of frames. #A mirrored port is the same as a SPAN port. This method is not completely reliable. Frames with errors will not be mirrored and frames may be dropped under heavy load.
A banking firm's IT team discovers a possible man-in-the-middle attack. Which of the following statements describes an assessment tool, built into the operating system, that would result in this discovery? (Select all that apply.) a) This tool is an open-source graphical packet capture and analysis utility, with installer packages for most operating systems. b) This tool sends probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. c) This tool will repair the boot sector. d) This tool displays the local machine's Address Resolution Protocol (ARP) cache.
b) This tool sends probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. d) This tool displays the local machine's Address Resolution Protocol (ARP) cache. #tracert (Windows) and traceroute (Linux) send probes to report the round trip time (RTT) for each hop between the local host and a host on a remote network; an unexpected extra hop or a sudden change in the path can indicate traffic being diverted through an attacker. (Viewing and configuring the host's local routing table is the job of route, not tracert.) #arp displays the ARP cache, which shows the MAC address of the interface associated with each IP address the local host has communicated with recently. A discrepancy in the MAC address, such as the default gateway suddenly mapping to a different MAC, may indicate a man-in-the-middle attack. NOTE: Repairing a boot sector is done with the boot/rescue disk option of anti-virus software, and the open-source graphical packet capture and analysis utility is Wireshark; neither is built into the operating system.
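Both the arp question above (the organizational security assessment) and this one come down to reading the ARP cache for a mapping that should not be there. The following is an added example of mine, not CertMaster material, that serves both: it parses arp -a output in either the Windows or the Linux/macOS layout and applies the two checks an analyst would make, the gateway's MAC differing from a known-good baseline and one MAC answering for several IP addresses. The captured output, the addresses, the MACs and the baseline are all constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed `arp -a` output (Windows layout) captured after the suspected attack.
# Every address and MAC here is made up for the example.
SAMPLE_ARP = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.77          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.90          00-1c-42-9a-71-03     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Assumed baseline recorded while the network was known-good: critical host -> real MAC.
KNOWN_GOOD = {"192.168.1.1": "00:11:22:33:44:55"}

BROADCAST = "ff:ff:ff:ff:ff:ff"

# One regex for both layouts: an IPv4 address, some non-digits, then a MAC
# written with '-' (Windows) or ':' (Linux/macOS: "? (ip) at mac [ether] on eth0").
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> MAC, normalized to lower-case, colon-separated form."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = m["mac"].lower().replace("-", ":")
    return table


def detect_spoofing(table: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    # 1. A critical host (typically the default gateway) now answers with a MAC
    #    that differs from the baseline: the classic ARP-poisoning symptom.
    for ip, good_mac in baseline.items():
        seen = table.get(ip)
        if seen is not None and seen != good_mac:
            findings.append(f"{ip} is now at {seen}, baseline was {good_mac}")
    # 2. One MAC claiming several IPs: the attacker's NIC answering for a
    #    victim's address as well as its own.
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in table.items():
        if mac != BROADCAST:
            by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers for {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    cache = parse_arp(SAMPLE_ARP)
    for finding in detect_spoofing(cache, KNOWN_GOOD):
        print("ALERT:", finding)
```

Either finding on its own is only a hint (a replaced router legitimately changes the gateway MAC, and some load balancers share a MAC across addresses), which is why the baseline has to come from a known-good capture rather than from the first run of the script.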
In the containment phase of incident response, the Cyber Incident Response Team (CIRT) faces complex issues that need to be addressed quickly. During this phase, a member of the CIRT would be concerned about all EXCEPT which of the following issues? a) What damage has already occurred? b) Which password policy will prevent this in the future? c) What actions could alert the attacker that the attack has been detected? d) What countermeasures are available?
b) Which password policy will prevent this in the future? #Future password policy is a lessons-learned (post-incident) question, not a containment concern. During containment the CIRT must weigh what damage has already occurred, what countermeasures are available and what they would cost, and whether taking those actions could alert the attacker that the attack has been detected.
An engineer configures hosts on a network to use IPSEC for secure communications. The engineer decides between Encapsulation Security Payload (ESP) or Authentication Header (AH). If the engineer chooses transport mode over tunnel mode, which specifics of operation should be expected? (Select all that apply.) a) With ESP the whole IP packet (header and payload) is encrypted b) With ESP the IP header for each packet is not encrypted c) AH has no real use in this mode d) AH can provide integrity for the IP header
b) With ESP the IP header for each packet is not encrypted d) AH can provide integrity for the IP header #Transport mode is used to secure communications between hosts on a private network. When ESP is applied, the IP header for each packet is not encrypted, just the payload data. #If AH is used in transport mode, it can provide integrity for the IP header as it performs a cryptographic hash on the whole packet.
A company performing a risk assessment calculates how much return the company has saved by implementing a security measure. Which formula will they use to calculate this metric? a) Asset value x EF b) [(ALE-ALEm)-Cost of Solution]/Cost of Solution c) SLE x ARO d) (ALE-SLE)/Cost of Solution
b) [(ALE-ALEm)-Cost of Solution]/Cost of Solution #Return on Security Investment (ROSI) calculates a new ALE, based on reduction in loss by new security controls. ROSI is: [(ALE - ALEm) - Cost of Solution] / Cost of Solution, where ALE is before controls and ALEm is after controls.
A primary target for a hacker gaining access to a network is user passwords. Consider the file locations where Windows and Linux each store passwords and determine which of the following is NOT used for password storage. a) %SystemRoot%\System32\config\SAM b) /etc/passwd c) %SystemRoot%\System32\Drivers\etc\hosts d) /etc/shadow
c) %SystemRoot%\System32\Drivers\etc\hosts #%SystemRoot%\System32\Drivers\etc\hosts is the file responsible for mapping IP addresses to domain names in Windows. It does not store passwords. The HOSTS file existed long before Domain Name System (DNS), and while all name resolution now functions through DNS, the HOSTS file is still present, and most operating systems check it before using DNS.
Which of the following sequences properly orders forensic data acquisition by volatility priority? a) 1. Data on persistent mass storage devices 2. System memory caches 3. Remote monitoring data 4. Archival media b) 1. System memory caches 2. Remote monitoring data 3. Data on mass storage devices 4. Archival media c) 1. System memory caches 2. Data on mass storage devices 3. Remote monitoring data 4. Archival media d) 1. Remote monitoring data 2. Data on mass storage devices 3. System memory caches 4. Archival media
c) 1. System memory caches 2. Data on mass storage devices 3. Remote monitoring data 4. Archival media #The third most volatile in this case is remote logging and monitoring data. This is data stored in a central repository that will include very recent data, and maybe some data no longer on the monitored host. #The least volatile in this case is archival media. This may include system and file backups stored off site, and even printed documents.
Select the correct simulation of a Virtual Desktop Infrastructure (VDI) deployment. a) A company installs a platform that uses a Type 1 hypervisor to manage access to the host hardware outside of the host operating system. b) A company deploys Citrix XenApp on a server for the client to access for local processing. c) A company replaces all desktop computers with thin clients the employees use to log into VMs stored on the company server. d) A company enforces resource separation at the operating system level without the use of a hypervisor.
c) A company replaces all desktop computers with thin clients the employees use to log into VMs stored on the company server. #VDI is all about replacing desktop infrastructure...duhh!!
Examine the use of software diversity in infrastructure development and assess which statement describes the advantages of using a diverse range of development tools and application vendors over a monoculture environment. a) A diverse environment enables secure failover, as development diversity provides system redundancy over multiple vendor products. b) A diverse environment relies on security by obscurity, making a system's infrastructure more difficult for an attacker to interpret and attack. c) A diverse environment can provide security by diversity, making attack strategies more difficult to research and implement. d) A diverse environment reduces the likelihood of installing configuration errors common to a monoculture environment.
c) A diverse environment can provide security by diversity, making attack strategies more difficult to research and implement. #Security by diversity works on the principle that attacks are harder to develop against non-standard environments. Using a wide range of development tools and OS/application vendors and versions can make attack strategies harder to research. NOTE: Failover ensures a redundant component, device, application, or site, can quickly and efficiently take over the functionality of an asset that has failed. Software diversity does not ensure asset redundancy and failover. Obfuscating code makes it harder for a threat actor to reverse engineer and analyze the code to discover weaknesses; however, a diverse software environment does not rely on such measures for security.
Compare the characteristics of service account types and determine which statement accurately describes the characteristics of a local service account. a) A local service account has the most privileges of any Windows account and creates the host processes that start Windows before the user logs on. b) A local service account has the same privileges of any administrator account and can present the computer's account credentials when accessing network resources. c) A local service account has the same privileges as the standard user account and can only access network resources as an anonymous user. d) A local service account has the same privileges as the standard user account, but can present the computer's account credentials when accessing network resources.
c) A local service account has the same privileges as the standard user account and can only access network resources as an anonymous user.
After several users call to report dropped network connections on a local wireless network, a security analyst scans network logs and discovers that multiple unauthorized devices were connecting to the network and overwhelming it via a smartphone tethered to the network, which provided a backdoor for unauthorized access. How would this device be classified? a) A switched port analyzer (SPAN)/mirror port b) A spectrum analyzer c) A rogue access point (AP) d) A thin wireless access point (WAP)
c) A rogue access point (AP) #With a SPAN port, the sensor attaches to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports). #An access point that requires a wireless controller to function is known as a thin WAP, while a fat WAP's firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller.
Examine each of the following attack scenarios to determine which vulnerabilities can be mitigated by changing firewall configurations. a) An authorized user unknowingly installed a malicious script sent via email. b) An attacker used a software vulnerability to install a malicious script. c) An attacker used a domain name server (DNS) lookup from a network host. d) An attacker exploited a network client that bypassed the secure web gateway (SWG).
c) An attacker used a domain name server (DNS) lookup from a network host. #Restrict DNS lookups to the company's own—or the ISP's—DNS services or authorized public resolvers. NOTE: A secure web gateway (SWG) is already in place; an attacker may have found a way to circumvent it via some sort of backdoor.
Systems administrators configure an application suite that uses a collection of single hash functions and symmetric ciphers to protect sensitive communication. While the suite uses these security features collectively, how is each instance recognized? a) As non-repudiation b) As a cryptographic system c) As a cryptographic primitive d) As a key pair
c) As a cryptographic primitive #A single hash function, symmetric cipher, or asymmetric cipher is called a cryptographic primitive. #A complete cryptographic system or product is likely to use multiple cryptographic primitives, such as within a cipher suite. #Non-repudiation depends on a recipient not being able to encrypt the message, or the recipient would be able to impersonate the sender.
An organization installs embedded systems throughout a manufacturing plant. When planning the install, engineers had to consider system constraints related to identification. As a result, which areas of the main systems are impacted? (Select all that apply.) a) PC b) Network c) Compute resources d) Authentication
c) Compute resources d) Authentication #The lack of compute resources means that embedded systems are not well-matched to the cryptographic identification technologies that are widely used on computer networks. #As embedded systems become more accessible, they will need to use authentication technologies to ensure consistent confidentiality, integrity, and availability.
When employees log in to their corporate network from personal devices, they must reauthenticate to access any corporate apps. What type of control is in place? a) Geofencing b) Discretionary Access Control (DAC) c) Containerization d) Full device encryption
c) Containerization #A host operating system applies containerization, a virtualization method, to provision an isolated execution environment for an application. This creates an enterprise workstation with a defined selection of apps in a separate container, which isolates the corporate apps from the rest of the device and often requires additional authentication.
After a company moves on-premise systems to the cloud, engineers devise a serverless approach in a future deployment. What type of architecture will engineers provision in this deployment? (Select all that apply.) a) Virtual machine b) Physical server c) Containers d) Microservices
c) Containers d) Microservices #When a client requires some operation to be processed in a serverless environment, the cloud spins up a container to run the code, performs the processing, and then destroys the container. #With serverless technologies, applications are developed as functions and microservices, each interacting with other functions to facilitate client requests.
Consider an abstract model of network functions for an infrastructure as code (IaC) implementation and determine which plane describes how traffic is prioritized. a) Data b) Management c) Control d) Application
c) Control #The control plane makes decisions about how traffic should be prioritized, secured, and switched. A software-defined networking (SDN) application can be used to define policy decisions. #The data plane handles the actual switching and routing of traffic and imposition of security access controls. Decisions made in the control plane are implemented on the data plane. #The management plane is used to monitor traffic conditions and network status.
The IT staff at a large company review numerous security logs and discover that the SAM database on Windows workstations is being accessed by a malicious process. What does the staff determine the issue to be? a) Shellcode b) Persistence c) Credential dumping d) Lateral movement
c) Credential dumping #Credential dumping is a method used to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process. #Shellcode is a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges to a system.
A network administrator is preparing a strategy for backing up company data. Which of the following is NOT a main backup type? a) Full b) Incremental c) Discretionary d) Differential
c) Discretionary #A discretionary backup is NOT a main backup type. Discretionary is a common type of access control. (remember DAC??)
A company hires a security consultant to help them perform a business process analysis (BPA) and reduce dependencies. The consultant asks a manager at the company to walk through the typical process each salesperson makes when processing order requests. Examine the consultant's methods and determine which factor in the BPA the consultant is evaluating. a) Identify process inputs b) Identify process outputs c) Examine the process flow d) Identify staff and other resources performing the function
c) Examine the process flow #For mission essential functions, it is important to reduce the number of dependencies between components. Performing a business process analysis (BPA) for each mission critical function identifies dependencies for each function. NOTE: Inputs are the sources of information for performing the function (including the impact if delayed or out of sequence). Outputs are the data or resources the function produces.
An administrator plans a backup and recovery implementation for a server. The goal is to have a full backup every Sunday followed by backups that only include changes every other day of the week. In the event of a catastrophe, the restore time needs to be as quick as possible. Which scheme does the administrator use? a) Full followed by incrementals b) Image followed by incrementals c) Full followed by differentials d) Snapshot followed by differentials
c) Full followed by differentials #A full backup includes data regardless of its last backup time. A differential backup includes new and modified files since the last full backup. A differential restore is quicker than an incremental. #An incremental backup includes new and modified files since the last backup. #An image is not a backup type in a backup scheme, but is a disk imaging process. #A snapshot is a method to back up open files.
Evaluate the differences between hardware- and software-based key storage and select the true statement. a) In hardware-based storage, the key is stored on a server. b) Software-based storage and distribution is typically implemented using removable media or a smart card. c) HSM may be less susceptible to tampering and insider threats than software-based storage. d) In hardware-based storage, security is provided by the operating system Access Control List (ACL).
c) HSM may be less susceptible to tampering and insider threats than software-based storage. #A Hardware Security Module (HSM) is an appliance for generating and storing cryptographic keys, which may be less susceptible to tampering and insider threats than software-based storage.
A junior engineer suspects there is a breached system based on an alert received from a software monitor. The use of the alert provides which information to the engineer? a) TTP b) CTI c) IoC d) ISAC
c) IoC #An indicator of compromise (IoC) is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked and provides evidence of a TTP. #Threat data can be packaged as feeds that integrate with a security information and event management (SIEM) platform. These feeds are usually described as cyber threat intelligence (CTI) data. #Information Sharing and Analysis Centers (ISAC) are set up to share threat intelligence and promote best practices.
Compare and contrast methods used by Kerberos and Public Key Infrastructure (PKI) to authenticate users and identify the true statement. a) Kerberos uses asymmetric cryptography while PKI uses symmetric cryptography. b) Kerberos and PKI both use passwords to authenticate users. c) Kerberos uses timestamps and PKI does not. d) Kerberos and PKI both provide Single Sign-On (SSO).
c) Kerberos uses timestamps and PKI does not.
A customer responds to an email advertisement that appears to link to mystore.com. The customer logs into the website with their username and password. The website has the same homepage the customer is familiar with, but it is actually a page set up by an attacker to gain credentials. The attacker can then login to mystore.com with the user's credentials, and shop using the saved credit card on file. Which type of attack has occurred in this scenario? a) Denial of Service (DoS) b) DNS client cache poisoning c) Pharming d) Pollution
c) Pharming #A pharming attack occurs when the attacker compromises the process of Domain Name System (DNS) resolution to replace the valid IP address for a trusted website. The attacker can then receive all of the packets directed to the site designed to fool the user into thinking it is genuine.
Company policy prohibits employees from taking any type of portable computing or storage device other than managed laptops identified by RFID tags into an equipment room. Video surveillance has been implemented within the equipment room. As part of a compliance audit, you must categorize the surveillance control. Which single classification is BEST suited to categorizing the surveillance system? a) Operational b) Corrective c) Physical d) Managerial
c) Physical #Physical is a way of classifying controls by characteristic and refers to things that operate in the built environment, such as locks, badge readers, security guards, video surveillance, and lighting. #Operational: People's behavior (Procedural and policy-based control) #Corrective: Mitigation and control (using backup software) #Managerial is a way of classifying controls by characteristic and refers to controls that give insight and reporting into the whole security system, such as risk assessment and compliance monitoring.
An organization hires a pen tester. The tester achieves a connection to a perimeter server. Which technique allows the tester to bypass a network boundary from this advantage? a) Persistence b) Privilege escalation c) Pivoting d) Lateral movement
c) Pivoting #If the pen tester achieves a foothold on a perimeter server, a pivot allows them to bypass a network boundary and compromise servers on an inside network.
A banking institution is considering the use of cloud computing across multiple locations. Comparing the various cloud deployment models, which model will likely allow optimal control over privacy and security? a) Public b) Hosted private c) Private d) Community
c) Private #Private cloud infrastructure is completely private to and owned by the organization, allowing greater control over privacy and security. This method suits banking and governmental services that require strict access control in their operations. #A hosted private cloud, hosted by a third-party for the organization's exclusive use, offers better performance and security than a public cloud model. #Several organizations share the costs of either a hosted private or fully private cloud in a cloud community. Organizations can pool resources for a common concern, like standardization and security policies. #With the public model, businesses can offer subscriptions or pay-as-you-go financing.
Which statement best describes the purpose of the spanning tree protocol (STP)? a) STP enforces a network health policy. b) STP allows a server to assign clients IP address information when they connect to the network. c) STP prevents loops and network broadcast storms. d) STP prevents the attachment of unauthorized client devices at unsecured wall ports.
c) STP prevents loops and network broadcast storms. #Spanning tree is a means for bridges to organize themselves into a hierarchy and prevent loops from forming.
A systems administrator uses a disk image to provision new workstations. After installing several workstations, it is found that they no longer boot. It is possible that the disk image in use included malicious code. Which specific method has stopped the systems from starting? a) UEFI b) Measured boot c) Secure boot d) Boot attestation
c) Secure boot #Secure boot is designed to prevent a computer from being hijacked by a malicious OS. UEFI is configured with digital certificates from valid OS vendors to verify legitimacy. #Unified extensible firmware interface (UEFI) provides code that allows the host to boot to an OS. UEFI can enforce a number of boot integrity checks.
A company's IT department pushes system updates and configures user permissions from the same shared account. Which statement best describes how this practice is problematic? a) This practice relies on a single point of failure. b) This practice breaks data integrity. c) This practice breaks non-repudiation. d) This practice fails to properly separate duties among users.
c) This practice breaks non-repudiation. #Admin should replace the default superuser with named accounts that have sufficient elevated privileges for a given job role. This ensures that admin can audit administrative activity and the system conforms to non-repudiation.
A data analytics company compiles reports based on patient health information for a regional patient call center, which will later use the data to contact patients for follow-up appointments. All sensitive information is digitally modified to contain randomly generated letters that can be returned to its original value by using the correct tool. Based on this requirement, which de-identification method is the data analytics company using to protect patient data? a) Data masking b) Data minimization c) Tokenization d) Full anonymization
c) Tokenization #Tokenization replaces all or part of data in a field with a randomly generated token, which is securely stored with the original value. An authorized query or app can retrieve the original value, so tokenization is a reversible technique. NOTE: Individual subjects can no longer be identified in a fully anonymized data set, even when combined with other data sources. This de-identification method permanently removes identifying information.
A network administrator needs to implement a firewall between nodes on the same subnet, without reconfiguring subnets and reassigning IP addresses across the network. Considering firewall configurations, which implementation is the best choice? a) Routed firewall b) Router firewall c) Transparent firewall d) Virtual firewall
c) Transparent firewall #A bridged or transparent firewall inspects traffic passing between two nodes, such as a router and a switch. It typically deploys without having to reconfigure subnets and reassign IP addresses on other devices.
Which statement best illustrates the advantages and disadvantages of using asymmetric encryption? a) Asymmetric encryption is ideal for bulk encryption, but it is not suitable for proving a user's identity. b) Asymmetric encryption provides non-repudiation, but it is not ideal for secure distribution and storage of a private key. c) Asymmetric encryption is ideal for encrypting communications where the total length of the message is not known, but it requires significant overhead computing. d) Asymmetric encryption is ideal for proving identity, but it requires significant computing overhead and is inefficient for bulk encryption.
d) Asymmetric encryption is ideal for proving identity, but it requires significant computing overhead and is inefficient for bulk encryption. #Another user cannot impersonate a private key holder, so asymmetric encryption proves identity. The public and private keys are linked in such a way as to make it impossible to derive one from the other. #The drawback of asymmetric encryption is that it involves substantial computing overhead compared to symmetric encryption. #Symmetric encryption is very fast. It is used for bulk encryption of large amounts of data.
A security information and event management (SIEM) manager analyzes logs from a network RADIUS server. When the SIEM manager analyzes this data, what is the manager looking for as an indicator of possible malicious activity? a) Unauthorized network traffic b) Suspicious metadata entries c) Communication with suspect IP addresses d) Authentication attempt errors
d) Authentication attempt errors #Remember that the RADIUS server is for authentication purposes. #Routers, firewalls, switches, and access points generate network logs. #Metadata contains information about the data's properties, such as when an application creates data, when media stores data, or when data transmits over a network. #A DNS server may log an event each time it handles a request to convert between a domain name and an IP address.
A mobile device program at an organization allows users to use a standard issue company owned device for personal and work use. Which program type does the organization provide? a) BYOD b) CYOD c) COBO d) COPE
d) COPE #Choose your own device (CYOD) is a program that is much the same as COPE but the employee is given a choice of device from a list. #A corporate owned, business only (COBO) program ensures that the device is the property of the company and may only be used for company business.
A company deploys an active defense strategy designed to detect insider malpractice. To record the malicious insider's actions, the security team creates a convincing, yet fake, data file with a tracker that records any data exfiltration attempts. Analyze the security tool and determine what method the security team employed. a) Honeypot b) Honeynet c) Subnet d) Honeyfile
d) Honeyfile #A honeyfile is convincingly useful but fake data. A security team can make a honeyfile trackable, so if a threat actor successfully exfiltrates it, the security team can trace any attempts to reuse or exploit it. #A honeynet is an entire decoy network. This may be set up as an actual network or simulated using an emulator. #A honeypot is a computer system set up to attract threat actors.
A web server receives data from an application. It appears that passing this data causes an issue that evolves into an overflow at the destination. What process on the receiving server should be investigated? a) Normalization b) Output encoding c) Error handling d) Input validation
d) Input validation #Input could include user data entered into a form or a URL passed by another application as a URL or HTTP header. Malicious input could be crafted to perform an overflow attack. Input validation checks for proper input. #A well-written application must be able to handle errors and exceptions gracefully. This means that the application performs in a controlled way when something unpredictable happens.
IT staff reviews security alerts received for a monitoring system and discovers that uncommon firewall ports on several Windows workstations and a server have been opened and are being accessed by a malicious process. What does the staff determine the issue to be? a) Shellcode b) Persistence c) Credential dumping d) Lateral movement
d) Lateral movement #With lateral movement, the attacker might be seeking data assets or may try to widen access through systems by changing the system security configuration. NOTE: Credential dumping mainly tries to access credential files (SAM databases).
Analyze the following security information and event management (SIEM) functions and determine which event is NOT conducted during data aggregation. a) Normalize time zones to a single timeframe. b) Use plug-ins to parse data from different vendors and sensors. c) Identify attributes and content that can be mapped to standard fields. d) Link observables into a meaningful indicator of risk, or Indicator of Compromise (IOC).
d) Link observables into a meaningful indicator of risk, or Indicator of Compromise (IOC). #Where collection and aggregation produce inputs, a SIEM is for reporting, a critical function of which is correlation. SIEM software can link individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IOC). SIEM can use correlation to drive an alerting system. #SIEM aggregation uses connectors or plug-ins to parse data from distinct types of systems and to account for differences between vendor implementations.
Which term best describes a root certificate authority (CA) in a secure configuration? a) Online b) Single c) Hierarchical d) Offline
d) Offline #Because of the high risk posed by compromising the root CA, a secure configuration involves making the root an offline CA, disconnected from any network, and usually kept in a powered-down state.
Consider the Public Key Infrastructure (PKI) Trust Model. Which of the following best protects against compromise? a) Single CA b) Intermediate CA c) Self-signed CA d) Offline CA
d) Offline CA #An offline Certificate Authority (CA) is where the root CA has been disconnected from the network to protect it from compromise. Therefore, it is not a single point of failure. #A single CA issues certificates to users, but is very exposed. If it is compromised, the whole PKI collapses. #In a hierarchical model, the root CA issues certificates to several intermediate CAs, diluting risk. However, the root is still a single point of failure. #A self-signed certificate is a type of digital certificate that is owned by the entity that signs it, which makes it a single CA, or root.
What type of attack replays a cookie? a) Cross-site request forgery (CSRF or XSRF) b) Clickjacking c) Secure Sockets Layer (SSL) strip attack d) Session hijacking
d) Session hijacking #Session hijacking typically means replaying a cookie in some way. Attackers can sniff network traffic to obtain session cookies sent over unsecured networks.
A guard station deploys a new security device to use to access a classified data station. The installation technician tests the device's sensitivity to speed and pressure. Which type of behavioral technology is the technician testing for? a) Voice recognition b) Gait analysis c) Typing d) Signature recognition
d) Signature recognition #Signatures are relatively easy to duplicate, but it is more difficult to fake the actual signing process. Signature matching records the user applying their signature (stroke, speed, and pressure of the stylus). #Gait analysis produces a template from human movement (locomotion). The technologies can either be camera-based or use smartphone features, such as an accelerometer and gyroscope.
As part of updating a company's compliance documentation, you are classifying security controls used by the company. The company's app uses an IP geolocation database to determine whether to trigger a secondary authentication method. What type of authentication design should this be categorized as? a) Something you can do authentication. b) Something you exhibit authentication. c) Something you have authentication. d) Somewhere you are authentication.
d) Somewhere you are authentication. #Something you can do refers to physical behavioral characteristics, such as the way you walk (gait). #Something you exhibit authentication refers to profiling behavioral patterns.
A junior engineer investigates a systems breach. While documenting network information, the engineer uses the arp command. What useful information will this command provide? a) The configuration assigned to network interface(s) in Windows, including the media access control (MAC) address. b) The address of the DHCP server that provides the IP address lease. c) Probing of a host on a particular IP address. d) The MAC address of systems the host has communicated with.
d) The MAC address of systems the host has communicated with.
A small company needs to secure the perimeter of their network, but they do not have the overhead or infrastructure to construct a demilitarized zone. Examine the following recommendations and select the best solution for this small company. a) The company should configure a screened subnet. b) The company should install a triple-homed firewall. c) The company should implement micro-segmentation across their network. d) The company should configure a screened host.
d) The company should configure a screened host. #A dual-homed proxy/gateway server can act as a screened host to protect internet access in smaller networks. #A screened subnet uses two firewalls placed on either side of the DMZ. #A triple-homed DMZ uses one router/firewall appliance with three network interfaces. One interface is public, another is the DMZ, and the third connects to the LAN. #Microsegmentation is a zero-trust technique that applies policies to a single node, as though it was in a zone of its own. Microsegmentation occurs in larger networks like data centers.
After a break-in at a government laboratory, some proprietary information was stolen and leaked. Which statement best summarizes how the laboratory can implement security controls to prevent future breaches? a) The laboratory needs to take detective action and should implement physical and deterrent controls in the future. b) The laboratory needs to take detective action and should implement corrective controls in the future. c) The laboratory needs to take compensatory action and should implement physical controls in the future. d) The laboratory needs to take corrective action and should implement both physical and preventative controls in the future.
d) The laboratory needs to take corrective action and should implement both physical and preventative controls in the future. #Following a break-in that included both physical intrusion and data compromise, the lab should take corrective action to reduce the impact of the intrusion event.
A suspected network breach prompts an engineer to investigate. The engineer utilizes a set of command line tools to collect network routing data. While doing so, the engineer discovers that UDP communication is not working as expected. Which tool does the engineer experience difficulty with? a) route b) tracert c) pathping d) traceroute
d) traceroute #The traceroute command performs route discovery from a Linux host. By default, this command uses UDP probes rather than ICMP. NOTE: The Windows tracert command uses ICMP instead.
Archive attribute
Attribute of a file that shows whether the file has been backed up since the last change. Each time a file is opened, changed, or saved, the archive bit is turned on. Some types of backups turn off this archive bit to indicate that a good backup of the file exists on tape. #The archive attribute, or bit, is a Windows file attribute that, when set, indicates that the file has changed since the last backup operation. The backup software then clears that bit after a successful backup.
A security team uses passive scanning to gather information and data related to a suspected rogue system on a network. By using passive scanning, what type of information does the team gather? a) Credentialed b) Indirect evidence c) Embedded d) Report
b) Indirect evidence #Non-intrusive (or passive) scanning means analyzing indirect evidence, such as the types of traffic generated by a device.
Which of the following key storage solutions exercises M-of-N control? a) Security administrators log and audit access to critical encryption keys. b) While four administrators have access to the system, it takes two administrators to access the system at any given time. c) A third party safely stores the encryption key. d) One administrator has access to the system, and that administrator can delegate access to two others.
b) While four administrators have access to the system, it takes two administrators to access the system at any given time. #M-of-N control means that of the N administrators permitted to access the system, M must be present to access it. M must be greater than 1, and N must be greater than M.
An investigator needs to analyze all data on a system. Which file does the investigator review to find data that was in use when the system's physical RAM was exceeded? a) Hibernation file b) Dump file c) Swap file d) Temp file
c) Swap file #The pagefile/swap file/swap partition stores pages of memory in use that exceed the capacity of the host's RAM modules. The pagefile is not structured in a way that analysis tools can interpret, but it is possible to search it for strings. NOTE: A hibernation file is created on disk in the root folder of the boot volume when a Windows host is put into a sleep state. When Windows encounters an unrecoverable kernel error, it can write the contents of memory to a dump file. A temp, or temporary, file is created under certain circumstances, such as when software is installed or when a file is currently open in an application.