CompTIA Security+ Final Assessment

Which of the following defines key usage with regard to standard extensions? A.The purpose for which a certificate was issued B.The ability to create a secure key pair C.Configuring the security log to record key indicators D.To archive a key with a third party

A.The purpose for which a certificate was issued One of the most important standard extensions is key usage. This extension defines the purpose for issuing a digital certificate, such as for signing documents or key exchange. The ability to create a secure key pair of the required strength using the chosen cipher is key generation, not key usage. Configuring the security log to record key indicators and then reviewing the logs for suspicious activity is usage auditing, not key usage. In terms of key management, escrow refers to archiving a key (or keys) with a third party. It is not key usage.

Examine the use of software diversity in infrastructure development and assess which statement describes the advantages of using a diverse range of development tools and application vendors over a monoculture environment. A.A diverse environment enables secure failover, as development diversity provides system redundancy over multiple vendor products. B.A diverse environment relies on security by obscurity, making a system's infrastructure more difficult for an attacker to interpret and attack. C.A diverse environment can provide security by diversity, making attack strategies more difficult to research and implement. D.A diverse environment reduces the likelihood of installing configuration errors common to a monoculture environment.

C.A diverse environment can provide security by diversity, making attack strategies more difficult to research and implement. Security by diversity works on the principle that attacks are harder to develop against non-standard environments. Using a wide range of development tools and OS/application vendors and versions can make attack strategies harder to research. Failover ensures a redundant component, device, application, or site, can quickly and efficiently take over the functionality of an asset that has failed. Software diversity does not ensure asset redundancy and failover. Obfuscating code makes it harder for a threat actor to reverse engineer and analyze the code to discover weaknesses; however, a diverse software environment does not rely on such measures for security. This sort of complexity may lead to a greater incidence of configuration errors as technicians and developers struggle to master unfamiliar technologies.

A junior engineer suspects there is a breached system based on an alert received from a software monitor. The use of the alert provides which information to the engineer? A.TTP B.CTI C.IoC D.ISAC

C.IoC An indicator of compromise (IoC) is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked and provides evidence of a TTP. A tactic, technique, or procedure (TTP) is a generalized statement of adversary behavior. TTPs categorize behaviors in terms of a campaign strategy. Threat data can be packaged as feeds that integrate with a security information and event management (SIEM) platform. These feeds are usually described as cyber threat intelligence (CTI) data. Public/private information sharing centers are utilized in many critical industries. Information Sharing and Analysis Centers (ISAC) are set up to share threat intelligence and promote best practices.

A technology firm suffers a large-scale data breach, and the company suspects a disgruntled former IT staff member orchestrated the breach to exfiltrate proprietary data. During the forensic investigation, a hard disk was not signed out when handled. Examine the scenario and determine what issue this oversight is most likely to cause in the investigative process. A.The chain of custody is under question. B.A timeline of events is under question. C.Retrospective network analysis (RNA) cannot occur. D.Relevant evidence was not properly disclosed to the defendant.

A.The chain of custody is under question. Chain of custody documentation reinforces the integrity and proper handling of evidence. When security breaches go to trial, the chain of custody protects an organization against accusations that evidence has been tampered with or altered in any way. Every person in the chain who handles evidence must log the methods and tools they used. A significant part of a forensic investigation involves tying events to specific times to establish a consistent and verifiable narrative. A Retrospective Network Analysis (RNA) solution provides the means to record network events at either a packet header or payload level.

A systems manager creates a control diversity plan to enact a defense in depth approach to security. To mitigate any possible risk of a virus infection, the plan includes which physical and administrative controls? (Select all that apply.) A.User training B.USB port locks C.Restricted permissions D.Endpoint security

A.User training B.USB port locks User training (an administrative control) may ensure that a USB drive is not inserted into a computer system without scanning it first. Security locks inserted into USB ports (physical control) on a system could prevent malicious activity by denying the attachment of media without first requesting a key. Permissions restricting a user account (a technical control) could prevent any malware from executing successfully. This includes such as being able to install software. Endpoint security software (a technical control) on a system could scan for malware or block access automatically. Endpoint security can monitor a system at all times.

A hacker remotely gains unauthorized access to a company's system and makes a copy of proprietary business data. Which of the following summarizes the event that has taken place? A.Data exfiltration B.Data loss C.Identity theft D.Financial loss

A.Data exfiltration Data exfiltration refers to the methods and tools by which an attacker transfers data without authorization from the victim's systems to an external network or media.Data loss describes any event where data has become unavailable, either permanently or temporarily. This can happen when data is corrupt and cannot be restored via a backup.Identity theft may involve, for example, the hacker's ability to obtain account credentials to access a system or personal details and financial information to make fraudulent credit card purchases."Financial losses are due to damages, fines, and loss of business. Although the copying or proprietary data can lead to greater competition and loss of business, this does not describe this specific attack.

An organization receives notification from an actor that vulnerabilities have been found in an onsite firewall. While the actor does not exploit the vulnerability, a bounty is requested for the work and discovery. What type of actor is the organization dealing with? A.Gray hat B.White hat C.Script Kiddie D.Black hat

A.Gray hat A gray hat hacker might try to find vulnerabilities in a network without seeking the approval of the owner. They might seek voluntary compensation of some sort (a bug bounty) but will not use an exploit as extortion. A white hat hacker always seeks authorization to perform penetration testing of private and proprietary systems. A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. A black hat hacker never seeks authorization to perform penetration testing of private and proprietary systems and does so for malicious purposes.

After news of a breach at a competitor, IT at a manufacturer looks to harden server systems. Which system properties should IT disable if they are not in use? (Select all that apply.) A.Network interfaces B.System services C.Service ports D.Persistent storage

A.Network interfaces B.System services C.Service ports Interfaces provide a connection to the network. Some machines may have more than one interface. If any of these interfaces are not required, they should be explicitly disabled rather than simply left unused. Services provide a library of functions for different types of applications. Some services support local features of the OS and installed applications. Unused services should be disabled. Application service ports allow client software to connect to applications over a network. These should either be disabled or blocked at a firewall if remote access is not required. Persistent storage holds user data generated by applications, plus cached credentials. Disk encryption is essential to data security.

After several users call to report dropped network connections on a local wireless network, a security analyst scans network logs and discovers that multiple unauthorized devices were connecting to the network and overwhelming it via a smartphone tethered to the network, which provided a backdoor for unauthorized access. How would this device be classified? A.A switched port analyzer (SPAN)/mirror port B.A spectrum analyzer C.A rogue access point (AP) D.A thin wireless access point (WAP)

C.A rogue access point (AP) With a SPAN port, the sensor attaches to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports). A spectrum analyzer is a device that can detect the source of jamming (interference) on a wireless network. A malicious user can set up an unauthorized (rogue) access point with something as basic as a smartphone with tethering capabilities, and non-malicious users could do so by accident. An access point that requires a wireless controller to function is known as a thin WAP, while a fat WAP's firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller.

IT staff reviews security alerts received for a monitoring system and discovers that uncommon firewall ports on several Windows workstations and a server have been opened and are being accessed by a malicious process. What does the staff determine the issue to be? A.Shellcode B.Persistence C.Credential dumping D.Lateral movement

D.Lateral movement With lateral movement, the attacker might be seeking data assets or may try to widen access through systems by changing the system security configuration. Shellcode is a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges to a system. Persistence is a mechanism that maintains a connection if the threat actor's backdoor is restarted if the host reboots or the user logs off. Credential dumping is a method used to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process.

As part of updating a company's compliance documentation, you are classifying security controls used by the company. The company's app uses an IP geolocation database to determine whether to trigger a secondary authentication method. What type of authentication design should this be categorized as? A.Something you can do authentication. B.Something you exhibit authentication. C.Something you have authentication. D.Somewhere you are authentication.

D.Somewhere you are authentication. Something you can do refers to physical behavioral characteristics, such as the way you walk (gait). Something you exhibit authentication refers to profiling behavioral patterns. Something you have authentication tests ownership or possession of a trusted device. Somewhere you are authentication measures the subject's current location, using various services.

A junior engineer investigates a systems breach. While documenting network information, the engineer uses the arp command. What useful information will this command provide? A.The configuration assigned to network interface(s) in Windows, including the media access control (MAC) address. B.The address of the DHCP server that provides the IP address lease. C.Probing of a host on a particular IP address. D.The MAC address of systems the host has communicated with.

D.The MAC address of systems the host has communicated with. The ARP cache shows the MAC address of the interface associated with each IP address the local host has communicated with recently. In Windows ipconfig shows the configuration assigned to network interface(s), including the hardware or media access control (MAC) address, IPv4 and IPv6 addresses. In Windows ipconfig shows whether the IP address is static or assigned by DHCP. If the address is DHCP-assigned, the output also shows the address of the DHCP server that provided the lease. The admin can use the ping command to probe a host on a particular IP address or host name using the Internet Control Message Protocol (ICMP).

Examine the features of different virtual platform implementations and select the statement that best describes the difference between a Type I and a Type II hypervisor. A.A Type II hypervisor installs on a host OS, that manages virtual machines. A Type I (or "bare metal") hypervisor interfaces directly with the host hardware. B.A Type I hypervisor installs directly on a host OS to manage virtual machines, while a Type II hypervisor interfaces directly with the host hardware. C.A Type I hypervisor must be compatible with the host OS, while a Type II hypervisor needs only support the base system requirements for the hypervisor, plus resources for the installed guest OSes. D.A host-based hypervisor interfaces directly with the host hardware, whereas a Type I hypervisor installs as software that runs virtual machines.

A.A Type II hypervisor installs on a host OS, that manages virtual machines. A Type I (or "bare metal") hypervisor interfaces directly with the host hardware. In a guest OS (or host-based) system, the hypervisor application (known as a Type II hypervisor) is itself installed onto a host operating system. The hypervisor software must support the host OS. A bare metal virtual platform means that the hypervisor (Type I hypervisor) installs directly onto the computer and manages access to the host hardware without going through a host OS. For a Type I hypervisor, the hardware needs only support the base system requirements for the hypervisor, plus resources for the type and number of guest operating systems that will be installed. One basic distinction between virtual platforms is between host and bare metal methods of interacting with the host hardware.

There are a variety of methods for indicating a potential security breach during the identification and detection phase of incident response. Two examples are Intrusion Detection System (IDS) alerts and firewall alerts. Evaluate the following evidence and select the alternate methods that would be of most interest to the IT department during this phase. (Select all that apply.) A.A daily industry newsletter reports on a new vulnerability in the software version that runs on the company's server. B.An anonymous employee uses an "out of band" communication method to report a suspected insider threat. C.The marketing department contacts the IT department because they cannot post a company document to the company's social media account. D.An employee calls the help desk because the employee is working on a file and is unable to save it to a USB to work on at home.

A.A daily industry newsletter reports on a new vulnerability in the software version that runs on the company's server. B.An anonymous employee uses an "out of band" communication method to report a suspected insider threat. A media report of a newly discovered vulnerability in the version of software that's currently running would be valuable information that should be addressed immediately. A whistleblower with information about a potential insider threat would be worthy of pursuit. "Out of band" is an authenticated communications channel separate from the company's primary channel. If the marketing department is trying to post a document that has been identified as confidential data, the IT department would not be concerned since the company's data loss prevention mechanisms are working. If an employee is trying to save a document that has been identified as confidential data to USB and it fails, the IT department would not be concerned since the company's data loss prevention mechanisms are working.

Which situation describes how a company can install a virtual machine on a bare metal virtual platform? A.A type 1 hypervisor is installed directly onto a host machine and manages access to the host hardware directly. B.An office has all desktop computers replaced with low specification and low power thin client computers that boot a minimal operating system. C.The client accesses an application hosted on a server or streams the application from the server to the client for local processing. D.A client enforces resource separation at the operating system level without a hypervisor.

A.A type 1 hypervisor is installed directly onto a host machine and manages access to the host hardware directly. A bare metal virtual platform means that a type 1 hypervisor is installed directly onto a host machine and manages access to the host hardware directly without going through a host Operating System (OS) like Windows Server. Virtual Desktop Infrastructure (VDI) is achieved by replacing desktop computers with low specification and low power thin client computers. Application virtualization is a more limited type of VDI. Rather than run the whole client desktop as a virtual platform, the client accesses an application hosted on a server or streams the application from the server to the client for local processing. An application cell dispenses the idea of a hypervisor, and instead enforces resource separation at the operating system level.

A systems administrator realizes the need to scale a server for high availability purposes. Which approaches does the administrator utilize to scale out the virtual system? (Select all that apply.) A.Add an additional CPU B.Give important processes higher priority C.Free up CPU usage by eliminating services D.Add additional RAM

A.Add an additional CPU D.Add additional RAM Scalability is the capacity to increase resources to meet demand within similar cost ratios. Scaling out adds more resources in parallel to a system. Adding an additional CPU is an example of scaling out. Scalability means that if service demand doubles, costs do not more than double. Adding more resources such as RAM is an example of scaling out. Giving important processes higher priority in a system is not scaling out, but more so scaling up. Scaling up is done by increasing existing resources. Freeing up CPU resources in a system by eliminating services is not scaling out, but more so scaling up. Scaling up is done by increasing existing resources.

Sal, an IT specialist for a large tech firm, pays for a subscription to a threat data feed to stay updated on the latest blogs, white papers, and webinars in his field. What term(s) best describes this type of feed? (Select all that apply.) A.Closed B.Proprietary C.Open source D.Vendor-specific

A.Closed B.Proprietary Closed or proprietary research and cyber threat intelligence (CTI) data are available through a paid subscription to a commercial threat intelligence platform. Closed/proprietary security solution providers also publish blogs, white papers, and webinars, making the most valuable research available early to platform subscribers. Some companies operate threat intelligence services on an open-source basis, earning income from consultancy rather than directly from the platform or research effort. Security, hardware, and software vendors may also make proprietary threat intelligence available at no cost, as a customer benefit, publishing threat data on their websites, such as Microsoft's Security Intelligence blog.

An attacker compromises a confidential database at a retailer. Investigators discover that unauthorized ad hoc changes to the system were to blame. How do the investigators describe the attack vector in a follow-up report? (Select all that apply.) A.Configuration drift B.Weak configuration C.Lack of security controls D.Shadow IT

A.Configuration drift D.Shadow IT Configuration drift happens when malware exploits an undocumented configuration change on a system. Shadow IT occurs when individuals introduce unauthorized hardware or software to a workplace. Weak configuration occurs when a configuration was correctly applied but was exploited anyway. Review the template to devise more secure settings. A lack of security control is likely to happen if an attack could have been prevented by endpoint protection or antivirus, a host firewall, content filtering policies, data loss prevention systems, or a mobile device management program.

During a cyber incident response exercise, a blue team takes steps to ensure the company and its affiliates can still use network systems while managing a simulated threat in real-time. Based on knowledge of incident response procedures, what stage of the incident response process is the blue team practicing? A.Containment B.Identification C.Eradication D.Recovery

A.Containment The goal of the containment stage is to secure data while limiting the immediate impact on customers and business partners. Based on an alert or report, identification determines whether an incident has taken place, how severe it might be (triage), and notifies stakeholders. Once the security admin contains the incident, eradication removes the cause and restores the affected system to a secure state. When security admin eradicates the cause of the incident, they can reintegrate the system into the business process that it supports. This recovery phase may involve restoration of data from backup and security testing.

Identify the type of attack where malware forces a legitimate process to load a malicious link library. A.DLL injection B.Pass the hash (PtH) C.Null pointer dereferencing D.Overflow attack

A.DLL injection DLL injection is a vulnerability in the way the operating system allows one process to attach to another. Malware can abuse this functionality to force a legitimate process to load a malicious link library. In a pass the hash (PtH) attack, the attacker harvests an account's cached credentials when the user logs into a single sign-on (SSO) system. Attempting to read or write that memory address via the pointer is called dereferencing. If the memory location is invalid or null, this creates a null pointer dereference type of exception and the process may crash. In an overflow attack, the threat actor submits input that is too large to store in an application variable.

A user at a realtor's office contacts their IT department to report that they are not able to copy contract files to a USB flash drive to take home. Which explanation does the IT representative share with the user? A.Data loss prevention prevents file copying. B.Mobile device management restricts the use of a portable USB device. C.A compromised private key has created a trust issue. DThe file copy process has been allow-listed.

A.Data loss prevention prevents file copying. Data loss prevention (DLP) performs a copy protection function based on policies. It does not govern file access, but it mediates the copying of certain tagged data to restrict it to authorized media and services. Mobile Device Management (MDM) provides execution control over apps and features of smartphones. Features include GPS, camera, and microphone. If a host is compromised, the private key it used for digital signatures, or digital envelopes for messaging and communications, is no longer safe. This is outside the function of a file copy. An execution control policy defines applications that can or cannot be run. An allow list denies execution unless the process is explicitly authorized.

Which of the following policies support separation of duties? (Select all that apply.) A.Employees must take at least one, five-consecutive-day vacation each year. B.Employees must stay in the same role for a minimum of two years prior to promotion. C.A principle of least privilege is utilized and critical tasks are distributed between two employees. D.Standard Operating Procedures (SOPs) are in effect in each office.

A.Employees must take at least one, five-consecutive-day vacation each year. C.A principle of least privilege is utilized and critical tasks are distributed between two employees. D.Standard Operating Procedures (SOPs) are in effect in each office. Mandatory vacations force employees to take earned vacation time. During this time, someone else fulfills their duties while they are away so audits can occur and potential discrepancies can be identified. The principle of least privilege solely grants a user sufficient rights to perform a specific job. For critical tasks, duties should be divided between several people. SOPs are the policies that set the technical expectation to enforce least privilege. It can be high level or detailed, but should at least be broad enough to ensure coverage across all types of systems. It is advisable that employees do not stay in the same role for an extended period of time. For example, managers may be moved to different departments periodically.

Which statement correctly differentiates between file transfer protocol (FTP), secure shell file transfer protocol (SFTP), and file transfer protocol over secure socket layer (FTPS)? A.FTP has no encryption. FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell). B.FTP uses only basic encryption, while SFTP adds a layer of security with secure shell (SSH). FTPS uses an entirely different protocol, using secure port 990. C.FTP has no encryption. SFTP adds a layer of security with secure shell (SSH), and FTPS uses an entirely different protocol, using secure port 990. D.FTP uses only basic encryption, while FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell).

A.FTP has no encryption. FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell). Unlike both FTP and FTPS, SFTP uses only one connection and encrypts both authentication information and data files being transferred. SFTP addresses FTP's privacy and integrity issues by encrypting the authentication and data transfer between client and server. SFTP establishes a secure link using Secure Shell (SSH) over transmission control protocol (TCP) port 22. SFTP enables the use of ordinary FTP commands and data transfer over the secure link without risk of eavesdropping or man-in-the-middle attacks. This solution requires an SSH server that supports SFTP and SFTP client software. FTPS secures FTP using the connection security protocol SSL/TLS. FTPS negotiates an SSL/TLS tunnel before exchanging any FTP commands. This mode uses the secure port 990 for the control connection.

An organization considers installing fingerprint scanners at a busy entry control point to a secure area. What concerns might arise with the use of this technology? (Select all that apply.). A.Fingerprint scanning is relatively easy to spoof. B.Installing equipment is cost-prohibitive. C.Surfaces must be clean and dry. D.The scan is highly intrusive.

A.Fingerprint scanning is relatively easy to spoof. C.Surfaces must be clean and dry. The main problem with fingerprint scanners is that it is possible to obtain a copy of a user's fingerprint and create a mold of it that will fool the scanner. The technology required for scanning and recording fingerprints is relatively inexpensive, and the process quite straightforward. A fingerprint sensor is usually a small capacitive cell that can detect the unique pattern of ridges making up the pattern. Moisture or dirt can prevent good readings, so facilities using fingerprint scanners must keep readers clean and dry, which can prove challenging in high throughput areas. Fingerprint technology is non-intrusive and relatively simple to use.

Evaluate which of the following solutions would most effectively mitigate vulnerabilities that might arise when outsourcing code development. A.Have one vendor develop the code, and a different vendor perform vulnerability and penetration testing. B.Outsource coding to multiple vendors at once, compare the results each vendor produces, and select the most secure implementations. C.Outsource all coding to a single vendor, limiting the number of vendors in the workflow. D.Trust system integration to the third-party contractor and their contacts.

A.Have one vendor develop the code, and a different vendor perform vulnerability and penetration testing. A solution to outsourced code development is to use one vendor for development and a different vendor for vulnerability and penetration testing. Vendors may supply documentation and certification to prove that it has implemented a security policy robustly. Evaluating vendors prior to code outsourcing may ensure the vendor effectively manages vulnerabilities. When a vendor has become deeply embedded within a workflow, lack of vendor support can have serious impacts, so vendor management may require a risk assessment and contingency plan if a vendor does not perform as expected. The principal risk in having a vendor control the systems integration process is that the contracting company may lack expertise and place too much trust in the third-party integrator.

A retail establishment experiences an attack where whole number values have been exploited. As a result, some credit values are manipulated from positive values to negative values. Which type of attack is the establishment dealing with? A.Integer overflow B.Buffer overflow C.Stack overflow D.Race condition

A.Integer overflow An integer overflow attack causes the target software to calculate a value that exceeds these bounds. This may cause a positive number to become negative. A buffer is an area of memory that the application reserves to store expected data. To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer. A stack is an area of memory used by a program. It includes a return address, which is the location of the program that called the subroutine. An attacker could use a buffer overflow to change the return address. Race conditions occur when the outcome from an execution process is directly dependent on the order and timing of certain events, and those events fail.

Analyze the following scenarios and determine which attacker used piggy backing. A.On the way to a meeting in a restricted area of a government facility, a contractor holds open a gate for a person in a military uniform, who approaches the entry point at a jog, flashing a badge just outside of the readable range. B.A government employee is late for a meeting in a restricted area of a military installation. Preoccupied with making the meeting on time, the employee does not notice when the gate has not closed and someone enters the restricted area. C.An employee leaves the workstation to use the restroom. A coworker notices that the employee has forgotten to lock the workstation, and takes advantage of the user's permissions. D.Several prospective interns are touring the operations floor of a large tech firm. One of them seems to be paying especially close attention to the employees.

A.On the way to a meeting in a restricted area of a government facility, a contractor holds open a gate for a person in a military uniform, who approaches the entry point at a jog, flashing a badge just outside of the readable range. Piggy backing is similar to tailgating, but the attacker enters a secure area with an employee's permission. Flashing an unreadable badge implies a request, soliciting to hold the door. The attacker takes advantage of urgency. Tailgating is a means of entering a secure area without authorization by following close behind a person who is allowed to open the door or checkpoint. Lunchtime attacks take advantage of an unsecured, unattended workstation to gain access to the system. An attacker can use shoulder surfing to learn a password or PIN (or other secure information) by watching the user type it. Despite the name, the attacker may not have to be close to the target.

The Human Resources department works with the IT department at an organization to develop employee security training. Which security control type and function describes the training program? (Select all that apply.) A.Operational B.Managerial C.Deterrent D.Compensating

A.Operational C.Deterrent An operational control is implemented primarily by people rather than systems. For example, policies and training programs are operational controls. A deterrent psychologically discourages an attacker from attempting an intrusion. This includes insider threats. Training materials may contain warnings and descriptions of legal action as part of a systems use policy. A managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing for evaluation of other controls. A compensating control serves as a substitute for a principal control (when not available), as recommended by a security standard.

When monitoring API usage on a system, an engineer notices a very high error rate. The application's latency and thresholds appear to be high. What does the engineer determine to be the cause? (Select all that apply.) A.Overloaded system B.Security issues C.Number of requests D.Service responses

A.Overloaded system B.Security issues An error rate is a measurement of the number of errors as a percentage of total calls. Errors may represent an overloaded system if the API is unresponsive. Errors from an API may represent a security issue if the errors are authorization/access denied types. The number of requests represents the basic load metric count of requests per second or requests per minute. Depending on the service type, baselines for typical usage can be set with thresholds for alerting abnormal usage. Latency is the time in milliseconds (ms) taken for the service to respond to an API call. This can be measured for specific services or as an aggregate value across all services.

A hacker gains access to a database of usernames for a target company and then begins combining common, weak passwords with each username to attempt authentication. The hacker conducts what type of attack? A.Password spraying B.Brute force attack C.Dictionary attack D.Rainbow table attack

A.Password spraying Password spraying is a horizontal brute-force online attack. An attacker chooses common passwords and tries them with multiple usernames. A brute-force attack attempts every possible combination in the output space to match a captured hash and guess at the plaintext that generated it. An attacker uses a dictionary attack where there is a good chance of guessing the plaintext value (non-complex passwords). The software generates hash values from a dictionary of plaintexts to try to match one to a captured hash. Rainbow table attacks refine the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes and looks up the hash value of a stored password in the table to discover the plaintext.

A power outage disrupts a medium-sized business, and the company must restore systems from backups. If the business can resume normal operations from a backup made two days ago, what metric does this scenario represent? A.Recovery Point Objective (RPO) B.Recovery time objective (RTO) C.Maximum tolerable downtime (MTD) D.Work Recovery Time (WRT)

A.Recovery Point Objective (RPO) RPO is the amount of data loss a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means the system can recover the data (from a backup copy) to a point not more than 24 hours before the infection. RTO is the post-disaster period an IT system may remain offline, including the amount of time it takes to identify a problem and perform recovery. MTD is the longest period of time that a business function outage may occur, without causing irrecoverable business failure. Following system recovery, WRT is the additional work necessary to reintegrate systems, test functionality, and brief users on changes and updates to fully support the business function.

While preparing a disaster recovery plan, management at a company considers how far back it can allow for the loss of data. Which metric does management use to describe this business essential data in terms of recovery? A.Recovery point objective B.Work recovery time C.Maximum tolerable downtime D.Mean time to repair

A.Recovery point objective Recovery Point Objective (RPO) is the amount of data loss that a system can sustain, measured in time. If data is not recoverable (such as the last five working days of data), there is significant impact to operations of the business. Work Recovery Time (WRT) follows systems recovery. During this time there may be additional work to reintegrate different systems and test overall functionality. Maximum tolerable downtime (MTD) is the longest period of time that a business function outage may occur for without causing irrecoverable business failure. Mean time to repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation.

Which of the following statements best contrasts between a service-oriented architecture (SOA) model and a microservices-based model? A.SOA can build services from other services, while an implementation of microservices develops, tests, and deploys microservices independently. B.Microservices are loosely decoupled, while SOA services are considered highly decoupled. C.SOA focuses on making a single, discrete task easily repeatable, while microservices perform a sequence of automated tasks. D.Microservices help to make a network's design architecture fit a business's requirements, rather than accommodating the business workflow to the platform requirements, as in SOA.

A.SOA can build services from other services, while an implementation of microservices develops, tests, and deploys microservices independently. SOA allows a service to build from other services. By contrast, each microservice should be capable of being developed, tested, and deployed independently. The microservices can be described as highly decoupled rather than just loosely decoupled. Services and clients requesting services do not have as many compatibility restraints with SOA as with monolithic applications; the independence between the client and service is referred to as loose coupling. Where automation focuses on making a single, discrete task easily repeatable, orchestration performs a sequence of automated tasks. Virtualization helps to make the design architecture fit to the business requirement rather than accommodate the business workflow to the platform requirement.

An attacker uses a sniffer to gain session cookies a client sends over an unsecured network. What type of attack can the malicious actor now use the session cookies to conduct? A.Session hijacking B.Cross-site scripting (XSS) C.SQL injection D.LDAP injection

A.Session hijacking Session hijacking typically means replaying a cookie in some way. Attackers can sniff network traffic to obtain session cookies sent over unsecured networks. A cross-site scripting (XSS) attack exploits the fact that the browser is likely to trust scripts that appear to come from a site the user has chosen to visit. XSS inserts a malicious script that appears to be part of the trusted site. In an SQL injection attack, the attacker modifies basic SQL functions by adding code to some input the app accepts, causing it to execute the attacker's SQL queries or parameters. A threat actor could exploit either unauthenticated access or a vulnerability in a client app to submit arbitrary Lightweight Directory Access Protocol (LDAP) queries.

Two companies enter into an agreement that if one data center suffers a disaster-level event, it can failover to the other company's data center with minimal disruption in service. Which statement most accurately describes the companies' site resiliency postures? A.The companies have a reciprocal arrangement for mutual hot site support. B.The companies have a contractual agreement to provide mutual cold site support. C.The companies each have a reserved warm site for failover operations. D.The companies have a mutual contract for warm site failover support.

A.The companies have a reciprocal arrangement for mutual hot site support. Businesses may enter into reciprocal arrangements to provide mutual support, which is cost effective but complex to plan and set up. Each data center represents a hot site, which can failover almost immediately. A cold site, such as an empty building with a lease agreement to install computer equipment when needed, takes longer to set up. A warm site is similar to a hot site, but a warm site will need to load the latest data set to resume normal operations. A hot site could consist of a separate building with operational computer equipment, kept updated with a live data set; in this case, each company acts as a hot site for the other.

When a company first installed its computer infrastructure, IT implemented robust security controls. As the equipment ages, however, those controls no longer effectively mitigate new risks. Which statement best summarizes the company's risk posture? A.The company's aging infrastructure constitutes a control risk. B.The company demonstrates risk transference, assigning risk to IT personnel. C.The company can expect little to no impact from an outage event. D.The company demonstrates effective risk mitigation techniques for low priority systems.

A.The company's aging infrastructure constitutes a control risk. Control risk measures how much less effective a security control has become over time. Risk management is an ongoing process, requiring continual reassessment and re-prioritization. Transference (or sharing) means assigning risk to a third-party, such as an insurance company or a contract with a supplier that defines liabilities. A company's IT department is not a third-party. A security categorization (SC) of low risk describes an impact as minor damage to an asset or loss of performance (though essential functions remain operational). Companies may accept some risks. Risk acceptance means that no countermeasures are emplaced either because the level of risk does not justify the cost or because there will be unavoidable delay before deploying the countermeasures.

An individual contacts a company's IT department, threatening to exploit a vulnerability found in its security infrastructure if the company does not pay a bounty. Upon further investigation, the IT team discovered that the individual threatening the company easily managed to use crude scripts in the hacking attempt. Which statement best describes the disparity between the hacker's claim and real capability? A.The hacker presents as a black hat, but the individual's capabilities indicate the hacker is a script kiddie. B.The hacker claims to be a white hat, but the threatening demeanor and capabilities represent those of a black hat hacker. C.The hacker presents as a script kiddie, but the threatening demeanor and capabilities indicate a black hat hacker. D.The hacker presents as a gray hat hacker, but the individual's capabilities indicate a script kiddie.

A.The hacker presents as a black hat, but the individual's capabilities indicate the hacker is a script kiddie. The term hacker describes an individual who has the skills to gain access to computer systems through unauthorized or unapproved means. A black hat hacker acts with malicious intent. A script kiddie is someone that uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. A white hat hacker has technical skill and creativity, but non-malicious intent. Technical skill and creativity distinguish a hacker from a script kiddie. A hacker excels at computer programming and computer system administration, while a script kiddie uses hacker tools without the ability to craft new attack methods. Gray hat hackers will not generally extort a target but may offer services after revealing a vulnerability.

Which statement best describes how a hierarchical certificate authority (CA) trust model mitigates the weakness in a single CA model and guards against the compromise of the root CA? A.The hierarchical CA model still uses a single root CA, but delegates certificate granting authority to intermediate CAs, so the root CA may go offline in a secure configuration. B.The hierarchical CA model uses multiple root CAs to issue certificates, so if a root is damaged or compromised, the structure does not collapse. C.The hierarchical CA model still uses a single root CA, but delegates certificate granting authority to intermediate CAs, so the root may stay online in a secure, redundant configuration. D.The hierarchical CA model uses multiple root CAs to issue certificates so any one of the root CAs may go offline in a secure storage configuration while retaining certificate granting authority.

A.The hierarchical CA model still uses a single root CA, but delegates certificate granting authority to intermediate CAs, so the root CA may go offline in a secure configuration. In the hierarchical model, a single CA (called the root) issues certificates to several intermediate CAs. The intermediate CAs issue certificates to subjects (leaf or end entities). In the hierarchical model, the root is still a single point of failure. Because of the high risk compromising the root CA poses, a secure configuration involves making the root an offline CA. This means that the system disconnects the root from any network and usually keeps it in a powered-down state. Different intermediate CAs can be set up with different certificate policies, and each leaf certificate can trace back to the root CA along the certification path. This is also referred to as certificate chaining or a chain of trust.

A server administrator configures symmetric encryption for client-server communications. The administrator configured it this way to utilize which mechanism? A.The same secret key is used to perform both encryption and decryption. B.Any operations are performed by two different but related public and private keys. C.The keys are linked in such a way as to make it impossible to derive one from the other. D.A key pair is generated and the private key is kept secret.

A.The same secret key is used to perform both encryption and decryption. In a symmetric encryption cipher, the same secret key is used to perform both encryption and decryption operations. With an asymmetric cipher, operations are performed by two different but related public and private keys in a key pair. Each key is capable of reversing the operation of its pair. The keys are linked in such a way as to make it impossible to derive one from the other. This means that the key holder can distribute the public key to anyone. Generating a key pair and keeping the private key secret is the first step and concept in creating an asymmetric encryption scheme.

A user enters the web address of a favorite site and the browser returns the following: "There is a problem with this website's security certificate." The user visits this website frequently and has never had a problem before. Applying knowledge of server certificates, select the circumstances that could cause this error message. (Select all that apply.) A.The system's time setting is incorrect. B.The certificate is pinned. C.The web address was mistyped. D.The certificate expired.

A.The system's time setting is incorrect. D.The certificate expired. If the date and time settings on the system are not synchronized with the server's setting, the server's certificate will be rejected. An expired server certificate would cause the browser to return an error message. Certificate pinning ensures that when a client inspects the certificate presented by a server, it is inspecting the proper certificate. This is mostly done to prevent a Man-in-the-Middle attack and would not generate an error message. A mistyped web address would not return an error message about the server certificate. It would return a message that the website could not be found.

An engineer considers blockchain as a solution for record-keeping. During planning, which properties of blockchain does the engineer document for implementation? (Select all that apply.) A.Using a peer-to-peer network B.Obscuring the presence of a message C.Partially encrypting data D.Using cryptographic linking

A.Using a peer-to-peer network D.Using cryptographic linking Blockchain is recorded in a public ledger. This ledger does not exist as an individual file on a single computer; rather, it is distributed across a peer-to-peer (P2P) network. The hash value of a previous block in a chain is added to the hash calculation of the next block in the chain. This ensures that each successive block is cryptographically linked. Steganography is a technique for obscuring the presence of a message. Typically, information is embedded where it is not expected. Homomorphic encryption is a solution that allows an entity to use information in particular fields within the data while keeping the data set as a whole encrypted.

A cloud administrator receives reports that a physical server is having issues with its virtualized guest machines. There is a possibility that a threat actor has been successful with an attack. Which problem types does the administrator investigate? (Select all that apply.) A.VM sprawl B.VM escape C.VM template D.VM monitor

A.VM sprawl B.VM escape VM sprawl is a configuration vulnerability where provisioning and deprovisioning of virtual assets is not authorized and properly monitored. VM escaping refers to malware running on a guest OS jumping to another guest or to the host. To do this, the malware must identify that it is running in a virtual environment, which is usually simple to do. Each VM needs to be installed with its own security software suite to protect against malware and intrusion attempts. Using a VM template image makes this process easier. Virtual machine life cycle management (VMLM) software can provide a centralized dashboard for maintaining and monitoring all the virtual environments in an organization.

A company follows a bring your own device (BYOD) remote implementation. What is an ideal solution the company can use to overcome some of the security risks involved with employee-supplied devices? A.Virtual desktop infrastructure (VDI) B.Location services C.Remote wipe D.Carrier unlocking

A.Virtual desktop infrastructure (VDI) Virtual desktop infrastructure (VDI) means provisioning an OS desktop to interchangeable hardware. The hardware only has to be capable of running a VDI client viewer or have a browser support a clientless HTML5 solution. Each time a user accesses VDI, the session is "as new" and employees can remotely access it. Location services alone represent a security risk. Location services can use geo-fencing to enforce context-aware authentication based on the device's location. If a malicious actor steals a user's device using a remote wipe (kill switch), it can reset the device to factory defaults or clear personal data (sanitization). Carrier unlocking involves the removal of restrictions that lock a device to a single carrier and uses it for privilege escalation.

Which statements describe why devices on an enterprise network should disable Wi-Fi tethering? (Select all that apply.) A.Wi-Fi tethering functionality can circumvent data loss prevention measures. B.Wi-Fi tethering functionality can circumvent web content filtering policies. C.Wi-Fi tethering functionality can enable a Trojan to install apps through the device's charging plug. D.Wi-Fi tethering functionality can enable a nearby attacker to skim information from the device.

A.Wi-Fi tethering functionality can circumvent data loss prevention measures. B.Wi-Fi tethering functionality can circumvent web content filtering policies. The term "Wi-Fi tethering" is widely known as a hotspot. When a device connects to an enterprise network, this functionality should be disabled, as it might be used to circumvent security mechanisms. Wi-Fi tethering functionality can allow devices to circumvent data loss prevention or web content filtering policies. Juice jacking is an attack whereby a charging plug, acting as a Trojan, tries to install apps. Modern smartphone operating systems largely mitigate this attack vector by requiring authorization before the device will accept the connection. Smartphones commonly have near-field communication (NFC) sensors and functionality. An attacker with a reader may also be able to skim information from an NFC device in a crowded area, such as a busy train.

An engineer implements a security solution to protect a domain. The engineer decides on DNS Security Extensions (DNSSEC) to prevent spoofing. Which features does the engineer rely on for protection? (Select all that apply.) A.Zone Signing Key B.RRset package C.Access Control List D.Key Signing Key

A.Zone Signing Key B.RRset package D.Key Signing Key With DNS Security Extensions (DNSSEC) enabled, the authoritative server for the zone creates a "package" of resource records (RRset). An RRset is signed with a private key (the Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package and its public key. With DNSSEC, the public Zone Signing Key is signed with a separate Key Signing Key. Separate keys are used so that if there is a compromise, the domain can continue to operate securely by revoking the compromised key and issuing a new one. An Access Control List can prevent zone transfers to unauthorized hosts, preventing an external server from obtaining information about the private network. This is not part of DNSSEC.

Which command can help a security professional conducting an organizational security assessment identify a spoofing attack? A.arp B.ipconfig/ifconfig C.route D.pathping/mtr

A.arp arp displays the local machine's Address Resolution Protocol (ARP) cache, which shows the media access control (MAC) address associated with each IP address the local host communicated with recently. This is useful for investigating suspected spoofing attacks. ipconfig/ifconfig shows the configuration assigned to a network interface(s), including the hardware or media access control (MAC) address, IPv4 and IPv6 addresses, and other configurations. Route views and configures the host's local routing table. If the host is not a router, additional entries in the routing table could be suspicious. pathping (Windows)/mtr (Linux) provides statistics for latency and packet loss along a route over a longer measuring period. High latency at the various hops could indicate man-in-the-middle attacks, denial of service, or network congestion.

Xander sends a malicious file via email attachment to employees at a target company, hoping at least one employee will open the malicious file that will propagate through the company's network and disrupt the company's operations. If Xander's goal is disruption of company operations, what does this describe? A.intent B.motivation C.risk D.threat

A.intent Intent describes what an attacker hopes to achieve from the attack, while motivation is the attacker's reason for perpetrating the attack. A malicious threat actor's motivation could be greed, curiosity, or some sort of grievance. The intent could be to vandalize and disrupt a system or to steal something. Risk is the likelihood and impact of a threat actor exploiting a vulnerability. To assess risk, one must identify a vulnerability and then evaluate the likelihood of exploiting it by a threat and the impact that a successful exploit would have. A threat is the potential for someone or something to exploit a vulnerability and breach security.

A penetration tester directs test packets to the host using a variety of default passwords against service and device accounts, gaining a view of the vulnerabilities the network exposes to unprivileged users. Given this situation, what type of test did the penetration tester use? A.A credentialed scan B.A non-credentialed scan C.A topology discovery scan D.A host discovery scan

B.A non-credentialed scan A non-credentialed scan proceeds without the tester logging on to a host or given any sort of privileged access. The view obtained from this scan is what an unprivileged user would see. A credentialed scan gives a user account logon rights to various hosts, plus whatever other permissions are appropriate for the testing routines. This allows the detection of application or security setting misconfigurations. Topology discovery (footprinting) is the part of the discovery phase where the attacker or pen tester starts to identify the structure of the target network. Like the ping command, host discovery can detect the presence of a host on a particular IP address or one that responds to a particular host name.

Which of the following authentication procedures effectively employs multifactor authentication? A.A password reset prompt requires the user to supply the answer to several recovery questions. B.A system login requires a user to insert a smart card and enter a PIN. C.An entry control point employs a security guard and requires entrants to submit to a retinal scan. D.A system login requires a user to enter a password, pin, and passphrase.

B.A system login requires a user to insert a smart card and enter a PIN. A login prompt that requires both a physical object the user holds and a PIN the user knows, employs multifactor authentication. The password reset prompt uses only single-factor authentication. If the password reset process also sent a one-time code to an authorized device, then it would be multifactor authentication, requiring both something the user knows and has. A security guard is a physical access control, but not an authentication mechanism. The retinal scan is a single-factor authentication mechanism. Passwords, PINs, and passphrases all fall under the category of "something you know" authentication. Multifactor authentication requires the use of at least two factors.

An engineering firm wants to bolster the security measures implemented on their servers. Evaluate the proposed solutions for the best type of security control to fit the firm's needs. A.Security guards should secure all entry control points. B.Advanced firewalls and access control lists should be configured. C.The company's security policy needs to be updated. D.Employees should attend annual security training.

B.Advanced firewalls and access control lists should be configured. The company is interested in server-level control systems, so they need to implement stricter technical controls. Technical controls are system-level implementations, such as access control lists, firewalls, and anti-virus software. People primarily implement operational controls, rather than systems. Security guards and training programs are operational controls, rather than technical controls. Oversight policies are a form of managerial control. Managerial controls give oversight of the information system, including risk identification and tools for selection and evaluation of other security controls. Training programs, such as security training, occurs at the personal level, rather than the system level.

Compare and evaluate the main components in an Extensible Authentication Protocol (EAP). Which scenarios accurately differentiate between these components? (Select all that apply.) A.An authenticator performs the authentication and the authentication server establishes a channel. B.An authenticator establishes a channel for the supplicant and the authentication server to exchange credentials using EAP. C.A supplicant requests authentication and the authentication server performs the authentication. D.A supplicant requests authentication and the authenticator performs the authentication.

B.An authenticator establishes a channel for the supplicant and the authentication server to exchange credentials using EAP. C.A supplicant requests authentication and the authentication server performs the authentication. The authenticator provides the channel while the authentication server provides the authentication. An authenticator is the device that receives the authentication request such as a remote access server or wireless point. The authenticator establishes a channel for the supplicant and the authentication server to exchange credentials using the EAP over LAN protocol. A supplicant is the client requesting the authentication. The authentication server is the server that performs the authentication and is typically an AAA server. The supplicant is the client that requests authentication but the authentication server actually provides the authentication while the authenticator provides the channel for the exchange of credentials.

Examine the differences between authentication factors and authentication attributes and select the statement that most effectively summarizes the differences between authentication factors and authentication attributes. A.Authentication attributes are characteristics used to verify an account holder's credentials, while authentication factors use secondary or continuous authentication and access control. B.Authentication factors verify an account holder's credentials, while authentication attributes are either non-unique or cannot independently authenticate a user's credentials. C.Authentication factors are most secure when used alone, while authentication attributes should be used in combination with one another to authenticate a user's credentials. D.Authentication factors describe physical characteristics and behavioral traits of an individual user, while authentication attributes primarily authenticate users based on items they carry or information they know.

B.Authentication factors verify an account holder's credentials, while authentication attributes are either non-unique or cannot independently authenticate a user's credentials. Attributes can be distinguished from factors as information that is not unique or that is not reliable/fast enough to use as a primary authentication mechanism. Attributes are for secondary or continuous authentication/access control mechanisms. Authentication verifies that only the account holder can use the account. Technologies for defining credentials are categorized as factors. Single-factor authentication may easily be compromised. A strong authentication technology combines the use of more than one type of knowledge, ownership, and biometric factor, and is called multifactor authentication (MFA). Authentication factors include something the user knows, has, does, or is. Authentication technologies should meet confidentiality, integrity, and availability requirements for effective authentication design.

Analyze and select the statements that accurately describe both worms and Trojans. (Select all that apply.) A.A worm is concealed within an application package while a Trojan is self-contained. B.Both worms and Trojans can provide a backdoor. C.Both worms and Trojans are designed to replicate. D.A worm is self-contained while a Trojan is concealed within an application package.

B.Both worms and Trojans can provide a backdoor. D.A worm is self-contained while a Trojan is concealed within an application package. Both worms and Trojans can provide a backdoor into a system. Worms can carry a payload that may perform a malicious action such as installing a backdoor. Many Trojans function as backdoor applications. Worms are self-contained and are memory-resident viruses that replicate over network resources. A Trojan is concealed within an application package. Worms do not need to attach themselves to another executable file as they are self-contained. Trojans are not self-contained and are delivered with an application. Worms are designed to replicate, but Trojans are not. Typically, a worm is designed to rapidly consume network bandwidth as it replicates. This action may be able to crash a system.

A geographically dispersed corporation wants to expand its IT capabilities by allowing employees to use personal devices on the corporate network. If employees are not comfortable using their own devices on the corporate network, they will offer them a device from a pre-approved list. Which two types of models will the company be deploying? (Select all that apply.) A.Corporate-owned, business only (COBO) B.Bring your own device (BYOD) C.Corporate-owned, personally-enabled (COPE) D.Choose your own device (CYOD)

B.Bring your own device (BYOD) D.Choose your own device (CYOD) With BYOD, the mobile device will have to meet whatever profile is required by the company (in terms of OS version and functionality), and the employee will have to agree on the installation of corporate apps and to some level of oversight and auditing. Similar to a COPE model, the CYOD model allows employees to choose a device from a pre-approved list of items in inventory. In a COBO model, the device is the company's property and may only be used for company business. The company chooses and supplies the device with the COPE model, and it remains its property.

A server administrator configures digital signatures for secure communications. By doing so, the administrator accomplishes which secure method of communication? (Select all that apply.) A.Configuring encryption so no two hashes are the same B.Combining public key cryptography with hashing algorithms C.Using the same secret key to perform both encryption and decryption D.Providing authentication, integrity, and non-repudiation

B.Combining public key cryptography with hashing algorithms D.Providing authentication, integrity, and non-repudiation Public key cryptography can authenticate a sender because it controls a private key that encrypts messages. Adding hashing to an encrypted message proves integrity by computing a unique checksum. In a symmetric encryption cipher, the same secret key is used to perform both encryption and decryption operations. This does not define a digital signature. If two hashes are the same, then the data has not been tampered with during transmission. This is not something the administrator configures, but rather the result of secure communication. Public key cryptographic functions can be combined with hashing to authenticate a sender and prove the integrity of a message. This usage is called a digital signature.

An engineer routinely provides data to a source that compiles threat intelligence information. The engineer focuses on behavioral threat research. Which information does the engineer provide? A.IP addresses associated with malicious behavior B.Descriptions of example attacks C.Correlation of events observed with known actor indicators D.Data available as a paid subscription

B.Descriptions of example attacks Behavioral threat research is narrative commentary describing examples of attacks and TTPs gathered through primary research sources. Reputational threat intelligence includes lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware. Threat data is computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators. Data that is part of a closed/proprietary system is made available as a paid subscription to a commercial threat intelligence platform. There is no mention of a subscription model in this case.

A hacker places a false name:IP address mapping in an operating system's HOSTS file, redirecting traffic from a legitimate IP address to a malicious IP address. What type of attack did the hacker perform? A.Domain hijacking B.Domain name system client cache (DNS) poisoning C.Rogue dynamic host configuration protocol (DHCP) D.Address Resolution Protocol (ARP) poisoning

B.Domain name system client cache (DNS) poisoning Most operating systems still check the HOSTS file for a recorded name:IP mapping before using DNS. If an attacker can place a false name:IP address mapping in the HOSTS file, poisoning the DNS cache, the attacker can redirect traffic. In domain hijacking (or brandjacking), the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. The Dynamic Host Configuration Protocol (DHCP) facilitates automatic network address allocation. If an attacker establishes a rogue DHCP, it can perform DoS or snoop on network information. ARP poisoning occurs when an attacker with access to the network redirects an IP address to the MAC address of a computer that is not the intended recipient.

A large data facility just experienced a disaster-level event, and the IT team is in the process of reconstituting systems. Which statement illustrates the appropriate first step the team should take in this process? A.First, the team should enable and test switch infrastructure, then routing appliances and systems. B.First, the team should enable and test power delivery systems, including grid power, power distribution units (PDUs), uninterruptible power supplies (UPS), and secondary generators. C.First, the team should enable and test network security appliances, including firewalls, intrusion detection systems (IDS), and proxies. D.First, the team should enable and test critical network servers, including dynamic host configuration protocol (DHCP), domain name system (DNS), network time protocol (NTP), and directory services.

B.First, the team should enable and test power delivery systems, including grid power, power distribution units (PDUs), uninterruptible power supplies (UPS), and secondary generators. If systems come back online in an uncontrolled way, there is the serious risk of causing additional power problems or of causing problems in the network, OS, or application layers because dependencies between different appliances and servers have not been met. The first step in the process is enabling and testing power delivery systems (grid power, power distribution units (PDUs), UPS, secondary generators, and so on). Secondly, the team should enable and test switch infrastructure, then routing appliances and systems. The third step is to enable and test network security appliances (firewalls, IDS, proxies). The fourth step is enabling and testing critical network servers (DHCP, DNS, NTP, and directory services).

What phases of the Incident Response Process involves determining if an attack happened and mitigating its effects? (Select all that apply.) A.Eradication B.Identification C.Containment D.Preparation

B.Identification C.Containment Identification is the step where information from an alert or report is used to determine whether an incident has taken place, assess how severe it might be (triage), and notify stakeholders. Containment is the step to limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact. Eradication is the step to remove the cause and restore the affected system to a secure state by wiping a system and applying secure configuration settings. Preparation is the precursor step to make the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication.

An organization prepares for an audit of all systems security. While doing so, staff perform a risk management exercise. Which phase does the staff consider first? A.Identify vulnerabilities B.Identify essential functions C.Analyze business impact D.Identify risk response

B.Identify essential functions Effective risk management must focus on mission essential functions that could cause the whole business to fail if they are not performed. Identifying these systems and processes should be done first. Identifying vulnerabilities for each function or workflow (starting with the most critical) is done by analyzing systems and assets to discover and list any vulnerabilities or weaknesses. Analyzing business impacts identifies the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems. Identifying risk response for each risk requires identifying possible countermeasures and assesses the cost of deploying additional security controls to protect systems and processes.

A security team uses passive scanning to gather information and data related to a suspected rogue system on a network. By using passive scanning, what type of information does the team gather? A.Credentialed B.Indirect evidence C.Embedded D.Report

B.Indirect evidence Non-intrusive (or passive) scanning means analyzing indirect evidence, such as the types of traffic generated by a device. A credentialed scan (whether passive or active) is given a user account with logon rights to various hosts, plus whatever other permissions are appropriate. These credentials allow access to protected information. Embedded refers to a system type, such as VoIP phones, where the OS is built in to the system. This system types are prone to crashing if being scanned. Report data is available from many scanning systems which use databases of known software and configuration vulnerabilities. Reports may include information about each vulnerability in the database.

Security solutions providers and academics conduct primary research to produce outputs on threat intelligence that takes three main forms. Which of these selections is NOT one of the three main outputs? A.Behavioral threat research B.Information Sharing and Analysis Centers (ISACs) C.Reputational threat intelligence D.Threat data

B.Information Sharing and Analysis Centers (ISACs) Information Sharing and Analysis Centers (ISACs) are sector-specific resources for companies and agencies working in critical industries, such as power supply, financial markets, or aviation. ISACs are platforms used to share threat intelligence data. Behavioral threat research is a narrative commentary describing examples of attacks and TTPs gathered through primary research sources. Reputational threat intelligence includes lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware. Computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators is called threat data, which can package as feeds that integrate with security information and event management (SIEM) platform.

Management at a financial firm is assembling an incident response team that will be responsible for handling certain aspects of recovery and remediation following a security incident. What internal offices should provide a representative to serve as a member of this team? (Select all that apply.) A.Sales B.Legal C.HR D.PR

B.Legal C.HR D.PR It is important to have access to legal expertise so that the team can evaluate incident response from the perspective of compliance with laws and industry regulations. An HR member should be on the team. Incident prevention and remediation actions may affect employee contracts, employment law, and more. A team is likely to require public relations input, so that any negative publicity from a serious incident can be managed. The PR role should be the one dealing with any media outlets. A sales representative would not be required. Typically, a team will consist of those that deal with any sort of rules, regulations, laws, and communications.

A dissatisfied employee has discreetly begun exfiltrating company secrets to sell to a competitor. The employee sets up a malware script that will run in the event of the employee's firing and account deletion. Analyze the attack and determine what type of attack the employee has emplaced. A.Rootkit B.Logic bomb C.Remote Access Trojan (RAT) D.Backdoor

B.Logic bomb A typical example of a logic bomb can involve a disgruntled system administrator who leaves a scripted trap, which runs in the event an account is deleted or disabled. Malware running with SYSTEM level privilege is a rootkit. A remote access trojan (RAT) is backdoor malware that mimics the functionality of legitimate remote control programs but designed specifically to operate covertly. A RAT allows the threat actor to access the host, upload files, and install software or use "live off the land" techniques to effect further compromises. Any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control are backdoor methods

A new IT administrator accidently causes a fire in the IT closet at a small company. Consider the disaster types and conclude which types this event might classify as. (Select all that apply.) A.External B.Man-made C.Internal D.Environmental

B.Man-made C.Internal A man-made disaster event is one where human agency is the primary cause. Typical examples include terrorism, war, vandalism, pollution, and arson. There can also be accidental man-made disasters. An internal disaster is one that is caused by malicious activity or by accident by an employee or contractor. In this case, the fire was accidental. External disaster includes disasters that have an impact on the organization through wider environmental or social impacts, such as disruption of public services or impacts to a supply chain. An environmental disaster, or natural disaster, is one that could not be prevented through human agency. Environmental disasters include river or sea floods, earthquakes, and storms.

An unauthorized person gains access to a restricted area by blending in with a crowd of employees as they approach the security desk and show their badges to the guard. While walking down a long hallway, the group is stopped at a turnstile and the unauthorized person is discovered. What type of policy prevented this type of social engineering attack? A.CCTV policy B.Mantrap policy C.ID badge policy D.Skimming policy

B.Mantrap policy A mantrap is a physical security control used for critical assets, where one gateway leads to an enclosed space protected by another barrier. CCTV (closed circuit television) is a cheaper means of providing surveillance than maintaining separate guards at each gateway or zone, though still not cheap to set up if the infrastructure is not already in place on the premises. Anyone moving through secure areas of a building should be wearing an ID badge. Security should stop anyone without an ID badge. Skimming involves the use of a counterfeit card reader to capture card details, which are then used to program a duplicate.

Users at a company report that web browsing to their own website is not working. Upon further investigation, it is found that HTTP sessions are being hijacked. Any requests to replace a resource during a TCP connection are being altered. Which HTTP method is not working properly? A.GET B.PUT C.DELETE D.POST

B.PUT The PUT method creates a new resource or replaces a current resource (at a target URL) on a web server. The GET method is used to retrieve a resource from a server. This is the principle method used. It retrieves content such as a web page. The DELETE method can be used to remove a resource from the web server as identified by the Request-URL. The POST method is used to send data to the server for processing by the requested resource. This is a method that submits data to a server.

A company located in the western United States that uses cloud computing relies on redundant systems in adjacent availability zones for data backup and storage. Analyze the configuration and determine which level of high availability service the company utilizes. A.Local replication B.Regional replication C.Geo-redundant storage (GRS) D.Cloud service replication

B.Regional replication Regional replication (also called zone-redundant storage) replicates data across multiple data centers within one or two regions. This safeguards data and access in the event a single data center is destroyed or goes offline. Local replication replicates data within a single data center in the region where the company created its storage account. Replicas are often in separate fault domains and upgrade domains. Geo-redundant storage (GRS) replicates data to a secondary region that is distant from the primary region. This safeguards data in the event of a regional outage or a disaster. Data replication allows businesses to copy data to where the business can utilize it most effectively. Data replication requires low latency network connections, security, and data integrity.

Identify the true statements about supervisory control and data acquisition (SCADA) systems. (Select all that apply.) A.SCADA systems typically communicate with one another through LAN connections. B.SCADA systems typically run as software on ordinary computers, gathering data from and managing field devices. C.SCADA systems are purpose-built devices that prioritize IT security features. D.SCADA systems serve primarily industrial, manufacturing, utility, and logistics sectors.

B.SCADA systems typically run as software on ordinary computers, gathering data from and managing field devices. D.SCADA systems serve primarily industrial, manufacturing, utility, and logistics sectors. SCADA typically runs as software on ordinary computers, gathering data from and managing plant devices and equipment, with embedded PLCs, referred to as field devices. Many sectors of industry, including utilities, industrial processing, fabrication and manufacturing, logistics, and facilities management use these types of systems. SCADA typically use WAN communications, such as cellular or satellite, to link the SCADA server to field devices. ICS/SCADA was historically built without regard to IT security, though there is now high awareness of the necessity of enforcing security controls to protect them, especially when they operate in a networked environment.

A company without an internal IT team hires a service provider to monitor a computer network for security issues. Before the service provider is given access, which agreement is put in place to establish expectations? A.NDA B.SLA C.ISA D.PII

B.SLA A service level agreement (SLA) is a contractual agreement setting out the detailed terms or expectations under which a service is provided. A nondisclosure agreement (NDA) provides a legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. Interconnection security agreements (ISA) are used for integrating systems. Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. Personally identifiable information (PII) is data that can be used to identify, contact, or locate an individual. A Social Security Number (SSN) is an example of PII.

A systems engineer looks to monitor a network for security purposes. The engineer places sensors throughout the building in appropriate places, but does not have enough to cover all areas that they want to monitor. Fortunately, the engineer thought ahead and purchased appropriate network switches. Which sensor type does the engineer use to monitor specific systems? (Select all that apply.) A.TAP (Active) B.SPAN C.TAP (passive) D.Mirror

B.SPAN D.Mirror Switched port analyzer (SPAN) is a sensor that is attached to a specially configured port on the switch that receives copies of frames. A mirrored port is the same as a SPAN port. This method is not completely reliable. Frames with errors will not be mirrored and frames may be dropped under heavy load. An active TAP is a powered device that performs signal regeneration which may be necessary in some circumstances. Gigabit signaling over copper wire, for example, is too complex for a passive tap to monitor. A passive test access point (TAP) is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port.

A user enters a card equipped with a secure processing chip into a reader and then enters a PIN for Kerberos authentication. What authentication method is described here? (Select all that apply.) A.Trusted Platform Module (TPM) authentication B.Smart-card authentication C.Multifactor authentication D.One-time password (OTP) token authentication

B.Smart-card authentication C.Multifactor authentication Smart-card authentication means programming cryptographic information onto a card equipped with a secure processing chip. The chip stores the user's digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card. Strong, multifactor authentication (MFA) technology combines the use of more than one type of knowledge, ownership, and biometric factor. A Trusted Platform Module (TPM) is a cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance. The TPM is usually a module within the CPU and can be used to present a virtual smart card. A one-time password (OTP) is generated automatically, rather than being chosen by a user, and used only once.

A cloud engineer configures a virtual private cloud. While trying to create a public subnet, the engineer experiences difficulties. The issue is that the subnet remains private, while the goal is to have a public subnet. What does the engineer conclude the problem might be? A.The Internet gateway is configured as the default route. B.The Internet gateway is not configured as the default route. C.The Internet gateway uses 1:1 network address translation. D.The Internet gateway does not use 1:1 network address translation.

B.The Internet gateway is not configured as the default route. To configure a public subnet, first an Internet gateway (virtual router) must be attached to the VPC configuration. Secondly, the Internet gateway must be configured as the default route for each public subnet. After a VPC has a virtual router attached, a gateway is set as a default route. If an Internet gateway is not assigned as a default route, the subnet is private. Each instance in a public subnet is configured with a public IP in its cloud profile. The Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance. Typically, the virtual Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance. One-to-many is another NAT approach.

A systems administrator deletes a user account after an employee left the company. The employee returns a few weeks later and the account is recreated with the same username and password. The user no longer has immediate access to previously used assets such as files and folders. Which account property does the administrator realize is the cause? A.The username is different B.The user's security identifier is different C.The user's password is different D.The user's descriptive name is different

B.The user's security identifier is different Behind a user account is a security identifier (SID). Even though a user may have the same name and password as previously used, the account is a different account (based on the SID) and will need to have access and permissions configured. Creating a user with the same username as in the past does not give automatic access or permissions to previously accessible assets or objects. Creating a user with the same password as used in the past does not give automatic access or permissions to previously accessible assets or objects. A user's descriptive name does not impact the user account permissions. A descriptive name is just a friendly name such as John Smith for a username of jsmith.

A banking firm's IT team discovers a possible man-in-the-middle attack. Which of the following statements describes an assessment tool, built into the operating system, that would result in this discovery? (Select all that apply.) A.This tool is an open-source graphical packet capture and analysis utility, with installer packages for most operating systems. B.This tool sends probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. C.This tool will repair the boot sector. D.This tool displays the local machine's Address Resolution Protocol (ARP) cache.

B.This tool sends probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. D.This tool displays the local machine's Address Resolution Protocol (ARP) cache. tracert (Windows) and traceroute (Linux) allow the user to view and configure the host's local routing table using probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. The ARP cache shows the MAC address of the interface associated with each IP address the local host has communicated with recently. A discrepancy in the MAC address may indicate a man-in-the-middle attack. The best way to resolve errors such as "Boot device not found," "OS not found," or "Invalid drive specification" is to use the boot disk option in your anti-virus software. This will include a scanner that may detect the malware that caused the problem in the first place and contain tools to repair the boot sector. Wireshark is an open-source graphical packet capture and analysis utility, with installer packages for most operating systems. However it is not built into the operating system.

An engineer configures a proxy to control access to online content for all users in an organization. Which proxy type does the engineer implement by using an inline network appliance? (Select all that apply.) A.Non-transparent B.Transparent C.Intercepting D.Application

B.Transparent C.Intercepting A transparent proxy must be implemented on a switch, router, or other inline network appliance. An intercepting proxy is configured to intercept client traffic without the client having to be reconfigured. A non-transparent proxy configuration means that the client must be configured with the proxy server address and port number to use it. Proxy servers can be application-specific; others are multipurpose. A multipurpose proxy is one configured with filters for multiple protocol types. In this case, the target is not a specific application.

In the containment phase of incident response, the Cyber Incident Response Team (CIRT) faces complex issues that need to be addressed quickly. During this phase, a member of the CIRT would be concerned about all EXCEPT which of the following issues? A.What damage has already occurred? B.Which password policy will prevent this in the future? C.What actions could alert the attacker that the attack has been detected? D.What countermeasures are available?

B.Which password policy will prevent this in the future? CIRT would not be concerned about future password policy during the containment phase since it is not a critical issue in incident response. During the containment phase, it is essential to assess what damage or theft has already occurred, as well as how much more damage could occur and in what time frame. Alerting the attacker that the attack has been detected could lead to retaliatory attacks prepared in advance by the attacker, so it needs to be considered in how the response proceeds. The CIRT also needs to determine what evidence of the attack must be gathered and preserved. Available countermeasures to the attack as well as their associated costs and implications is a consideration during this phase.

Which of the following key storage solutions exercises M-of-N control? A.Security administrators log and audit access to critical encryption keys. B.While four administrators have access to the system, it takes two administrators to access the system at any given time. C.A third party safely stores the encryption key. D.One administrator has access to the system, and that administrator can delegate access to two others.

B.While four administrators have access to the system, it takes two administrators to access the system at any given time. Access to critical encryption keys is typically subject to M-of-N control, meaning that of N number of administrators permitted to access the system, M must be present to access the system. M must be greater than 1, and N must be greater than M. Administrators must log and audit access to critical keys, such as the private key of a root CA. In key management, escrow refers to archiving a key (or keys) with a third party. This helps some organizations store keys securely, but it invests a great deal of trust in the third party. In the hierarchical model, a single CA (called the root) issues certificates to several intermediate CAs, who issue certificates to subjects.

An engineer configures hosts on a network to use IPSEC for secure communications. The engineer is deciding between Encapsulation Security Payload (ESP) or Authentication Header (AH). If the engineer chooses transport mode over tunnel mode, which specifics of operation should be expected? (Select all that apply.) A.With ESP the whole IP packet (header and payload) is encrypted B.With ESP the IP header for each packet is not encrypted C.AH has no real use in this mode D.AH can provide integrity for the IP header

B.With ESP the IP header for each packet is not encrypted D.AH can provide integrity for the IP header

An engineer configures hosts on a network to use IPSEC for secure communications. The engineer is deciding between Encapsulation Security Payload (ESP) or Authentication Header (AH). If the engineer chooses transport mode over tunnel mode, which specifics of operation should be expected? (Select all that apply.) A.With ESP the whole IP packet (header and payload) is encrypted B.With ESP the IP header for each packet is not encrypted C.AH has no real use in this mode D.AH can provide integrity for the IP header

B.With ESP the IP header for each packet is not encrypted D.AH can provide integrity for the IP header Transport mode is used to secure communications between hosts on a private network. When ESP is applied, the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it can provide integrity for the IP header as it performs a cryptographic hash on the whole packet. With ESP in tunnel mode, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header. AH has no real use case in tunnel mode, as confidentiality will usually be required.

A primary target for a hacker gaining access to a network is user passwords. Consider the file locations where Windows and Linux each store passwords and determine which of the following is NOT used for password storage. A.%SystemRoot%\System32\config\SAM B./etc/passwd C.%SystemRoot%\System32\Drivers\etc\hosts D./etc/shadow

C.%SystemRoot%\System32\Drivers\etc\hosts %SystemRoot%\System32\Drivers\etc\hosts is the file responsible for mapping IP addresses to domain names in Windows. It does not store passwords. The HOSTS file existed long before Domain Name System (DNS), and while all name resolution now functions through DNS, the HOSTS file is still present, and most operating systems check it before using DNS. %SystemRoot%\System32\config\SAM is where local users and passwords are stored as part of the Registry (Security Account Manager) on Windows machines. /etc/passwd is where user account details and encrypted passwords are stored on Linux (on older systems), but this file is universally accessible. Consequently, passwords are moved to /etc/shadow, which is only readable by the root user on Linux.

Which of the following sequences properly orders forensic data acquisition by volatility priority? A.1. Data on persistent mass storage devices 2. System memory caches 3. Remote monitoring data 4. Archival media B.1. System memory caches 2. Remote monitoring data 3. Data on mass storage devices 4. Archival media C.1. System memory caches 2. Data on mass storage devices 3. Remote monitoring data 4. Archival media D.1. Remote monitoring data 2. Data on mass storage devices 3. System memory caches 4. Archival media

C.1. System memory caches 2. Data on mass storage devices 3. Remote monitoring data 4. Archival media

Compare the advantages and disadvantages of certificate revocation versus suspension and select the scenario that presents the best argument for certificate revocation. A.An online business changed its domain name. B.An administrative user left his/her company. C.A banking website's private key may have been compromised. D.A key used for encryption is accidentally destroyed.

C.A banking website's private key may have been compromised. If a private key is compromised, the admin can revoke the key pair to prevent users from trusting the public key. CAs maintain a certificate revocation list (CRL) of all revoked and suspended certificates. A CA or certificate owner may revoke or suspend a certificate for a variety of reasons. If the reason is for a domain name change and not because of compromise or misuse, suspension may be preferable. If a departing administrative user has not compromised data, certificate revocation may be unnecessary, and other security measures may be more appropriate to secure assets. If the key used to decrypt data is lost or damaged, the admin cannot recover the encrypted data, unless they made a backup of the key.

Select the correct simulation of a Virtual Desktop Infrastructure (VDI) deployment. A.A company installs a platform that uses a Type 1 hypervisor to manage access to the host hardware outside of the host operating system. B.A company deploys Citrix XenApp on a server for the client to access for local processing. C.A company replaces all desktop computers with thin clients the employees use to log into VMs stored on the company server. D.A company enforces resource separation at the operating system level without the use of a hypervisor.

C.A company replaces all desktop computers with thin clients the employees use to log into VMs stored on the company server. Virtual Desktop Infrastructure (VDI) refers to using a Virtual Machine (VM) as a means of provisioning corporate desktops. This can be accomplished by replacing desktops with thin clients that are low specifications and low power. The thin client will boot a minimal Operating System (OS) and then allow the user to log on to a VM stored on the company server. A bare metal virtual platform uses a Type 1 hypervisor installed directly onto the computer and manages access to the host hardware without going through a host OS. Application virtualization is a more limited type of VDI. Rather than run the whole client desktop as a virtual platform, the client may access an application (Citrix XenApp) hosted on a server to the client for local processing. Application cell does not use a hypervisor and instead enforces resource separation at the operating system level.

Compare the characteristics of service account types and determine which statement accurately describes the characteristics of a local service account. A.A local service account has the most privileges of any Windows account and creates the host processes that start Windows before the user logs on. B.A local service account has the same privileges of any administrator account and can present the computer's account credentials when accessing network resources. C.A local service account has the same privileges as the standard user account and can only access network resources as an anonymous user. D.A local service account has the same privileges as the standard user account, but can present the computer's account credentials when accessing network resources.

C.A local service account has the same privileges as the standard user account and can only access network resources as an anonymous user. A local service account has the same privileges as the standard user account and can only access network resources as an anonymous user. A system account has the most privileges of any Windows account. The system account creates the host processes that start Windows before the user logs on. Any process created using the system account will have full privileges over the local computer. A network service has the same privileges as the standard user account but can present the computer's account credentials when accessing network resources.

Examine each of the following attack scenarios to determine which vulnerabilities can be mitigated by changing firewall configurations. A.An authorized user unknowingly installed a malicious script sent via email. B.An attacker used a software vulnerability to install a malicious script. C.An attacker used a domain name server (DNS) lookup from a network host. D.An attacker exploited a network client that bypassed the secure web gateway (SWG).

C.An attacker used a domain name server (DNS) lookup from a network host. Restrict DNS lookups to the company's own—or the ISP's—DNS services or authorized public resolvers. If a SWG is already in place, an attacker may have found a way to circumvent it via some sort of backdoor. Security admin should check and update the network configuration to ensure that all client access to the Internet must pass through the SWG. If a user executed malware, use security education and awareness to reduce the risk of future attacks succeeding. Review permissions to see if the account could be operated with a lower privilege level. If the malware exploited a software fault, either install the patch or isolate the system until vendors can develop a patch.

Systems administrators configure an application suite that uses a collection of single hash functions and symmetric ciphers to protect sensitive communication. While the suite uses these security features collectively, how is each instance recognized? A.As non-repudiation B.As a cryptographic system C.As a cryptographic primitive D.As a key pair

C.As a cryptographic primitive A single hash function, symmetric cipher, or asymmetric cipher is called a cryptographic primitive. The properties of different symmetric/asymmetric/hash types and of specific ciphers for each type impose limitations when used alone. Non-repudiation depends on a recipient not being able to encrypt the message, or the recipient would be able to impersonate the sender. A complete cryptographic system or product is likely to use multiple cryptographic primitives, such as within a cipher suite. To use a key pair, the user or server generates the linked keys. These keys are an example of a cryptographic primitive that uses a symmetric cipher.

A new systems administrator at an organization has a difficult time understanding some of the configurations from the previous IT staff. It appears many shortcuts were taken to keep systems running and users happy. Which weakness does the administrator report this configuration as? A.Complex dependencies B.Overdependence on perimeter security C.Availability over confidentiality and integrity D.Single points of failure

C.Availability over confidentiality and integrity Availability over confidentiality and integrity is often presented by taking "shortcuts" to get a service up and running. Compromising security might represent a quick fix but creates long term risks. Complex dependencies may include services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services. Overdependence on perimeter security can occur if the network architecture is "flat." Penetrating the network edge gives the attacker freedom of movement. A single point of failure is a "pinch point" in a network that may rely on a single hardware server or appliance.

Compare the types of Distributed Denial of Service (DDoS) attacks and select the best example of a synchronize (SYN) flood attack. A.A group of attackers work together to form an attack on a network. B.An attack consumes all of the network bandwidth resulting in denial to legitimate hosts. C.Client IP addresses are spoofed to misdirect the server's SYN/ACK packet increasing session queues. D.A client's IP address is spoofed and pings the broadcast address of a third-party network with many hosts.

C.Client IP addresses are spoofed to misdirect the server's SYN/ACK packet increasing session queues. An SYN flood attack works by withholding clients' ACK packets during TCP's three-way handshakes that can increase the server session queues and prevent other legitimate clients from connecting. The server will continue to send SYN/ACK packets because there is no acknowledgment and will not timeout until sometime later. A coordinated attack occurs when a group of attackers engage together against a well-known company or government institution. DDoS attacks can be simple and just focus on consuming network bandwidth resulting in the denial of legitimate hosts. A smurf attack occurs by the adversary spoofing the client's IP address and then pings the broadcast address of a third-party network with many hosts. This is known as amplifying the network.

An organization installs embedded systems throughout a manufacturing plant. When planning the install, engineers had to consider system constraints related to identification. As a result, which areas of the systems are impacted? (Select all that apply.) A.PC B.Network C.Compute resources D.Authentication

C.Compute resources D.Authentication The lack of compute resources means that embedded systems are not well-matched to the cryptographic identification technologies that are widely used on computer networks. As embedded systems become more accessible, they will need to use authentication technologies to ensure consistent confidentiality, integrity, and availability. A PC is a dynamic environment. The user can add or remove programs and data files, install new hardware components, and upgrade the operating system. A static environment does not allow or require such frequent changes. Networks for embedded systems emphasize the power-efficient transfer of small amounts of data with a high degree of reliability and low latency.

When employees log in to their corporate network from personal devices, they must reauthenticate to access any corporate apps. What type of control is in place? A.Geofencing B.Discretionary Access Control (DAC) C.Containerization D.Full device encryption

C.Containerization A host operating system applies containerization, a virtualization method, to provision an isolated execution environment for an application. This creates an enterprise workstation with a defined selection of apps with a separate container, which isolates the corporate apps from the rest of the device, and often requires additional authentication. Geofencing creates virtual boundaries based on real-world geography. Discretionary access control (DAC) involves granting owner-controlled permissions. A user device, with full device encryption, encrypts all user data, and the device stores the encryption key. In the event of theft, destroying the encryption key locks access to the data.

After a company moves on-premise systems to the cloud, engineers devise a serverless approach in a future deployment. What type of architecture will engineers provision in this deployment? (Select all that apply.) A.Virtual machine B.Physical server C.Containers D.Microservices

C.Containers D.Microservices When a client requires some operation to be processed in a serverless environment, the cloud spins up a container to run the code, performs the processing, and then destroys the container. With serverless technologies, applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. A virtual machine or VM is a fully operational operating system functioning as a guest instance on a physical host. A physical machine or server is a fully operational operating system that functions on a physical host system and is not dependent on any virtual technology.

The IT staff at a large company review numerous security logs and discover that the SAM database on Windows workstations is being accessed by a malicious process. What does the staff determine the issue to be? A.Shellcode B.Persistence C.Credential dumping D.Lateral movement

C.Credential dumping Credential dumping is a method used to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process. Shellcode is a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges to a system. Persistence is a mechanism that maintains a connection if the threat actor's backdoor is restarted, if the host reboots, or if the user logs off. With lateral movement, the attacker might be seeking data assets or may try to widen access by changing the system security configuration.

A new security technician is tasked with sanitizing data on solid state drives (SSD). The technician first uses a degaussing magnet and then smashes the drives with a hammer. What is the likely result of this sanitization attempt? A.The drives are now sufficiently sanitized. B.The degaussing magnet failed to destroy media on the SSD, but smashing the drives with a hammer makes data permanently irrecoverable. C.Degaussing fails to destroy media on the SSD, and smashing by hammer may leave a significant amount of data recoverable. D.The degaussing magnet successfully destroyed media on the SSD, but smashing by hammer is an ineffective physical sanitization measure.

C.Degaussing fails to destroy media on the SSD, and smashing by hammer may leave a significant amount of data recoverable. Media sanitization and remnant removal erase data from hard drives, flash drives/SSDs, tape media, CD and DVD ROMs before disposing of them or putting them to a different use. Degaussing does not work with SSDs and a hammer is an ineffective physical sanitation measure.SSDs, flash media, and optical media cannot be degaussed, as degaussing only works for hard disk drives. To pulverize media, organizations should use industrial machinery, rather than hammers, to ensure destruction. Degaussing involves exposing a hard disk to a powerful electromagnet, which disrupts the magnetic pattern that stores the data on the disk surface. SSDs store data on NAND chips, which are not affected by degaussing. Industrial machinery should be used to ensure pulverization as a physical sanitation measure.Degaussing will not destroy media on a SSD. SSDs do not store data magnetically and degaussing specifically targets data on magnetic media. Hitting a hard drive with a hammer can leave a surprising amount of recoverable data, so destruction by pulverization should utilize industrial machinery.

A network administrator is preparing a strategy for backing up company data. Which of the following is NOT a main backup type? A.Full B.Incremental C.Discretionary D.Differential

C.Discretionary A discretionary backup is NOT a main backup type. Discretionary is a common type of access control. A full backup includes all selected data regardless of when it was previously backed up. Performing a full backup takes a longer period of time than other backup methods. However, the time it takes to restore data is relatively low. When performing an incremental backup, new files, as well as files that have been modified since the last backup are backed up. Another main type of backing up data is known as a differential backup. With a differential backup, it only takes a moderate amount of time to both backup and restore data.

Which scenario best illustrates effective use of industrial camouflage as a security control? A.Security guards protect a well-lit entry point to a top secret processing facility. B.Conspicuous warning signs warn unauthorized personnel against entering a fenced-off security zone. C.Entry control measures for a secure facility begin inside a main entry point, rather than outside the building. D.Entry to secure zones proceeds in an in-and-out manner, rather than an across-and-between traffic flow.

C.Entry control measures for a secure facility begin inside a main entry point, rather than outside the building. Discreet entry points to secure zones impede an intruder from inspecting the security mechanisms protecting such zones (or even to know where they are). The use of industrial camouflage makes buildings and gateways protecting high-value assets unobtrusive. Human security guards can guard entry to and around an asset. The visible presence of guards is a very effective intrusion detection and deterrence mechanism, but is expensive and conspicuous. Signage and warnings enforce the idea that security is tightly controlled and may convince intruders to stay away, but they are not discreet. Minimizing traffic passing between zones enhances security. The flow of people should be "in and out" rather than "across and between."

Evaluate the differences between hardware- and software-based key storage and select the true statement. A.In hardware-based storage, the key is stored on a server. B.Software-based storage and distribution is typically implemented using removable media or a smart card. C.HSM may be less susceptible to tampering and insider threats than software-based storage. D.In hardware-based storage, security is provided by the operating system Access Control List (ACL).

C.HSM may be less susceptible to tampering and insider threats than software-based storage. A Hardware Security Module (HSM) is an appliance for generating and storing cryptographic keys, which may be less susceptible to tampering and insider threats than software-based storage. The key is stored on the server in software-based storage. Hardware-based storage and distribution is typically implemented using removable media or a smart card, or a dedicated key storage HSM at the higher end. Security is provided by the operating system Access Control List in software-based storage. This would not be considered secure enough for mission critical key storage, so software-based distribution of keys (or in-band distribution) should take place only over a secured network.

Compare and contrast methods used by Kerberos and Public Key Infrastructure (PKI) to authenticate users and identify the true statement. A.Kerberos uses asymmetric cryptography while PKI uses symmetric cryptography. B.Kerberos and PKI both use passwords to authenticate users. C.Kerberos uses timestamps and PKI does not. D.Kerberos and PKI both provide Single Sign-On (SSO).

C.Kerberos uses timestamps and PKI does not. Kerberos uses timestamps and a validity period when issuing tickets to defeat replay attacks. PKI issues certificates and does not use timestamps. Kerberos uses symmetric encryption where the client and server share a secret key. PKI uses asymmetric encryption where each user has a public and private key. Only Kerberos uses passwords to authenticate users. PKI uses certificates for authentication. Kerberos allows for Single Sign-On (SSO), but PKI does not. Once authenticated using an SSO, a user is trusted by the system and does not need to reauthenticate to access different resources.

A customer responds to an email advertisement that appears to link to mystore.com. The customer logs into the website with their username and password. The website has the same homepage the customer is familiar with, but it is actually a page set up by an attacker to gain credentials. The attacker can then login to mystore.com with the user's credentials, and shop using the saved credit card on file. Which type of attack has occurred in this scenario? A.Denial of Service (DoS) B.DNS client cache poisoning C.Pharming D.Pollution

C.Pharming A pharming attack occurs when the attacker compromises the process of Domain Name System (DNS) resolution to replace the valid IP address for a trusted website. The attacker can then receive all of the packets directed to the site designed to fool the user into thinking it is genuine. A Denial of Service (DoS) attack can occur by directing all traffic for a particular fully qualified domain name to an invalid IP address (black hole). DNS client cache poisoning occurs when an attacker modifies the HOSTS file to redirect traffic. Pollution is another name for DNS server cache poisoning. It is a redirection attack that aims to corrupt the records held by the DNS server.

Company policy prohibits employees from taking any type of portable computing or storage device other than managed laptops identified by RFID tags into an equipment room. Video surveillance has been implemented within the equipment room. As part of a compliance audit, you must classify the surveillance control. Which single classification is BEST suited to classifying the surveillance system? A.Operational B.Corrective C.Physical D.Managerial

C.Physical Physical is a way of classifying controls by characteristic and refers to things that operate in the built environment, such as locks, badge readers, security guards, video surveillance, and lighting. Operational is a way of classifying controls by characteristic and refers to things that bind the way people should behave, such as procedural and policy-based controls. Corrective is a way of classifying controls by function and refers to the set of controls that operate to mitigate an event that has already happened, such as using backup software to recover from destruction of data files. Managerial is a way of classifying controls by characteristic and refers to controls that give insight and reporting into the whole security system, such as risk assessment and compliance monitoring.

An organization hires a pen tester. The tester achieves a connection to a perimeter server. Which technique allows the tester to bypass a network boundary from this advantage? A.Persistence B.Privilege escalation C.Pivoting D.Lateral movement

C.Pivoting If the pen tester achieves a foothold on a perimeter server, a pivot allows them to bypass a network boundary and compromise servers on an inside network. Persistence is the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor. A pen tester enumerates running services and accounts associated in an attempt to escalate privileges and gain further access. Lateral movement is the action of gaining control over other hosts. This is done partly to discover more opportunities to widen access, partly to identify where valuable data assets might be located, and partly to evade detection.

The recovery phase of an incident response involves several steps. Which of the following is NOT a step in the recovery phase? A.Reaudit security controls. B.Reconstitute affected systems. C.Prepare a lessons learned report. D.Notify affected parties with instructions to remediate affected systems.

C.Prepare a lessons learned report. Preparing a "lessons learned" report is part of the lessons learned phase, which is after the recovery phase. Reauditing security controls is part of the recovery phase and ensures the controls are not vulnerable to another attack. The attacker gained information about the network in the current attack, which could be used to launch a second attempt. Reconstituting affected systems means either removing malicious files or tools from affected systems or restoring the systems from secure backups. This is part of the recovery phase. Ensure that affected parties are notified and provided with the means to remediate their own systems is part of the recovery phase.

A security information and event management (SIEM) handler's dashboard provides graphical representations of user profile trends. The graphic contrasts standard user activity with administrative user activity and flags activity that deviates from these clusters. This graphical representation utilizes which trend analysis methodology? A.Frequency-based trend analysis B.Volume based trend analysis C.Statistical deviation analysis D.Syslog trend analysis

C.Statistical deviation analysis Statistical deviation analysis can alert security admin to a suspicious data point. A cluster graph might show activity by standard users and privileged users, and data points outside these clusters may indicate suspicious account activity. Frequency-based trend analysis establishes a baseline for a metric, and if frequency exceeds the baseline threshold, then the system raises an alert. Volume-based trend analysis uses simpler indicators, such as log or network traffic volume, or endpoint disk usage. Unusual log growth needs investigating, and unexpected disk capacity may signify data exfiltration. Syslog provides an open format, protocol, and server software for logging event messages. A very wide range of host types use Syslog.

A company's IT department allows all team members to know passwords/credentials for shared accounts. Which statement best describes how this practice is problematic? A.This practice relies on a single point of failure. B.This practice breaks data integrity. C.This practice breaks non-repudiation. D.This practice fails to properly separate duties among users.

C.This practice breaks non-repudiation. Admin should replace the default superuser with named accounts that have sufficient elevated privileges for a given job role. This ensures that admin can audit administrative activity and the system conforms to non-repudiation. Password changes to a shared account represent a risk. Passwords need to changing often, and distributing new passwords to shared account users poses a challenge to password security. A shared account breaks the principle of non-repudiation and makes an accurate audit trail difficult to establish. Separation of duties is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. The company should divide duties and responsibilities among individuals to prevent ethical conflicts or abuse of powers.

A data analytics company compiles reports based on patient health information for a regional patient call center, which will later use the data to contact patients for follow-up appointments. All sensitive information is digitally modified to contain randomly generated letters that can be returned to its original value by using the correct tool. Based on this requirement, which de-identification method is the data analytics company using to protect patient data? A.Data masking B.Data minimization C.Tokenization D.Full anonymization

C.Tokenization Tokenization replaces all or part of data in a field with a randomly generated token, which is securely stored with the original value. An authorized query or app can retrieve the original value, so tokenization is a reversible technique. Data masking redacts all or part of a field's contents, substituting character strings with "x" for example. Data masking is an irreversible de-identification technique. Data minimization is the principle of only processing and storing data if that is necessary to perform the purpose for which it is collected. Individual subjects can no longer be identified in a fully anonymized data set, even when combined with other data sources. This de-identification method permanently removes identifying information.

A national intelligence agency maintains data on threat actors. If someone intercepted this data, it would cause exceptionally grave damage to national security. Analyze the risk of exposure and determine which classification this data most likely holds. A.Confidential B.Secret C.Top secret D.Proprietary

C.Top secret Critical or top secret information is too valuable to allow any risk of its capture. Viewing is severely restricted, and if captured would cause exceptionally grave damage to national security. Secret information is a level of classification below top secret for government agencies. If this data were captured it would cause serious damage to national security. The term confidential and secret may be used interchangeably because both require information to be shared to only those that need to know. Proprietary is a common schema for information as assets of an organization. Proprietary and intellectual property is information a company creates and owns. These are typically the products or services that they make or perform.

Analyze the following statements and select the one that describes key differences between internet protocol security (IPSec) modes. A.Transport mode allows communication between virtual private networks (VPNs), while tunnel mode secures communications between hosts on a private network. B.Authentication Header (AH) mode provides confidentiality, as the payload is encrypted. Encapsulation Security Payload (ESP) mode does not provide confidentiality and/or authentication and integrity. C.Tunnel mode allows communication between virtual private networks (VPNs), while transport mode secures communications between hosts on a private network. D.Encapsulation Security Payload (ESP) mode does not provide confidentiality, as the payload is not encrypted. Authentication Header (AH) mode provides confidentiality and/or authentication and integrity.

C.Tunnel mode allows communication between virtual private networks (VPNs), while transport mode secures communications between hosts on a private network. Tunnel mode, also called router implementation, creates a virtual private network (VPN), allowing communications between VPN gateways across an unsecure network. Transport mode secures communications between hosts on a private network (an end-to-end implementation). The AH protocol authenticates the origin of transmitted data and provides integrity and protection against replay attacks. The payload is not encrypted, so this protocol does not provide confidentiality. ESP is an IPSec sub-protocol that enables encryption and authentication of a data packet's header and payload. Encapsulation Security Payload (ESP) provides confidentiality and/or authentication and integrity, and can be used to encrypt the packet.

The Human Resources department issues a policy at an organization to govern the use of company owned computer equipment. Which behavior type does this policy address? A.Code of conduct B.Clean desk C.Bring your own device D.Acceptable use

D.Acceptable use Enforcing an acceptable use policy (AUP) is important to protect the organization from the security and legal implications of employees misusing its equipment. A code of conduct, or rules of behavior, sets out expected professional standards. For example, employees' use of social media may be harmful to the company. A clean desk policy means that each employee's work area should be free from any documents left there. This helps to hide confidential information. Portable devices, such as smartphones, USB sticks, media players, and so on, pose a considerable threat to data security. Rules should be outlined in a bring your own device (BYOD) policy.

A threat actor infiltrates a company's server. Engineers fail while trying to stop the attacker from stealing data. The attacker achieves which final phase of the Lockheed Martin kill chain? A.Command and control B.Reconnaissance C.Exploitation D.Actions on objectives

D.Actions on objectives When actions on objectives are achieved, the attacker typically uses the access they have gained to covertly collect information from target systems and transfer it to a remote system. Weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool in the command and control (C2 or C&C) stage. In the reconnaissance stage the attacker determines what methods to use to complete the phases of the attack and gathers information. Weaponized code is executed on the target system during exploitation. For example, a phishing email may trick a user into running some code.

Which statement best illustrates the advantages and disadvantages of using asymmetric encryption? A.Asymmetric encryption is ideal for bulk encryption, but it is not suitable for proving a user's identity. B.Asymmetric encryption provides non-repudiation, but it is not ideal for secure distribution and storage of a private key. C.Asymmetric encryption is ideal for encrypting communications where the total length of the message is not known, but it requires significant overhead computing. D.Asymmetric encryption is ideal for proving identity, but it requires significant computing overhead and is inefficient for bulk encryption.

D.Asymmetric encryption is ideal for proving identity, but it requires significant computing overhead and is inefficient for bulk encryption. Another user cannot impersonate a private key holder, so asymmetric encryption proves identity. The public and private keys are linked in such a way as to make it impossible to derive one from the other. The drawback of asymmetric encryption is that it involves substantial computing overhead compared to symmetric encryption. Symmetric encryption is very fast. It is used for bulk encryption of large amounts of data. The main problem is secure key distribution and storage. In a stream cipher, each byte or bit of data in the plaintext is encrypted one at a time. This is suitable for encrypting communications where the total length of the message is not known.

A mobile device program at an organization allows users to use a standard issue company owned device for personal and work use. Which program type does the organization provide? A.BYOD B.CYOD C.COBO D.COPE

D.COPE With a corporate owned, personally-enabled (COPE) program, the device is chosen and supplied by the company and remains its property. The employee may use it for personal use as well. Choose your own device (CYOD) is a program that is much the same as COPE but the employee is given a choice of device from a list. In a bring your own device (BYOD) program, the mobile device is owned by the employee. The device will have to meet whatever profile is required by the company, such as the OS version. A corporate owned, business only (COBO) program ensures that the device is the property of the company and may only be used for company business.

An employee that carries a company credit card learns that the card has become compromised. The employee only remembers fueling a company vehicle. Consider the following viable methods and determine which method compromised the card. A.Card cloning B.Data blocker C.Proximity reader D.Card skimming

D.Card skimming Skimming refers to using a counterfeit card reader to capture card details, which are then used to program a duplicate. Card swiping terminals are at risk of having a skimmer installed by a malicious actor. Card cloning refers to making one or more copies of an existing card. A lost or stolen card with no cryptographic protections can be physically duplicated. A data blocker can provide mitigation against a juice-jacking attack by preventing any sort of data transfer when the smartphone or laptop is connected to a charge point. A proximity reader can detect the presence of a physical token from a short distance, such as a wireless key fob or smart card.

A company deploys an active defense strategy designed to detect insider malpractice. To record the malicious insider's actions, the security team creates a convincing, yet fake, data file with a tracker that records any data exfiltration attempts. Analyze the security tool and determine what method the security team employed. A.Honeypot B.Honeynet C.Subnet D.Honeyfile

D.Honeyfile A honeyfile is convincingly useful but fake data. A security team can make a honeyfile trackable, so if a threat actor successfully exfiltrates it, the security team can trace any attempts to reuse or exploit it. A honeypot or honeynet can combine with a honeyfile. A honeypot is a computer system set up to attract threat actors, with the intention of analyzing attack strategies and tools, to provide early warnings of attacks. Another use is to detect internal fraud, snooping, and malpractice. A honeynet is an entire decoy network. This may be set up as an actual network or simulated using an emulator. A subnet is a logical piece of a larger network.

A software engineer develops an application that includes routines to check whether user input meets conformity standards to reduce the application's potential attack surface. The engineer conducts which secure coding technique? A.Normalization B.Output encoding C.Error handling D.Input validation

D.Input validation An attacker can craft malicious input to exploit faulty input validation. Installing routines to check user input and reject any input that does not conform to requirements helps reduce the potential attack surface. Normalization strips an input string of illegal characters or substrings and converts them to the accepted character set. This ensures that the string is in a format that the input validation routines can process correctly. Output encoding re-encodes a string of user-generated input as it passes through different contexts in a web application to protect against script injection. A well-written application must be able to handle errors and exceptions gracefully. This means that the application performs in a controlled way when something unpredictable happens.

A web server receives data from an application. It appears that passing this data causes an issue that evolves into an overflow at the destination. What process on the receiving server should be investigated? A.Normalization B.Output encoding C.Error handling D.Input validation

D.Input validation Input could include user data entered into a form or a URL passed by another application as a URL or HTTP header. Malicious input could be crafted to perform an overflow attack. Input validation checks for proper input. Normalization means that a string of characters is stripped of illegal characters or substrings and converted to the accepted character set. Output encoding means that a string of characters is re-encoded safely for the context in which it is being used. A well-written application must be able to handle errors and exceptions gracefully. This means that the application performs in a controlled way when something unpredictable happens.

Which of the following statements most accurately describes the function of key stretching? A.Key stretching makes the password key stronger. B.Key stretching prevents brute force attacks. C.Key stretching adds a random value when creating the password hash. D.Key stretching adds entropy to a user-generated password.

D.Key stretching adds entropy to a user-generated password. Users tend to select low entropy passwords. Key stretching helps compensate for this by running the initial key through thousands of rounds of hashing. This creates ever-longer, more random keys. Key stretching does not actually make the key stronger, but it slows an attack down, as the attacker has to perform additional processing for each possible key value. A brute force attack runs through every possible combination of letters, numbers, and symbols. Key stretching increases the amount of operations the attacker must perform, slowing attacks. Adding a salt value to a password keeps an attacker from using pre-computed tables of hashes. Salt values are not secret, but an attacker must recompile hash values with the specific salt value for each password.

A company tells the IT department that user access needs to be changed so privileges are only granted when needed, then revoked as soon as the task is finished or the need has passed. Based on Account Management practices, what is the company asking the IT department to implement? A.Onboarding B.Identity and Access Management (IAM) C.Offboarding D.Least privilege

D.Least privilege Least privilege is when minimum privileges are only granted when needed, then revoked once the task is finished, or the need has passed. Onboarding is the process of ensuring that the accounts are only created for valid users, the account is assigned the appropriate privileges, and the account credentials are only known to the valid user. IAM provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with assets like networks, operating systems, and applications. Offboarding is the process of ensuring that the accounts for an employee that leaves the company are disabled. During this process all access should be terminated and documented.

Analyze the following security information and event management (SIEM) functions and determine which event is NOT conducted during data aggregation. A.Normalize time zones to a single timeframe. B.Use plug-ins to parse data from different vendors and sensors. C.Identify attributes and content that can be mapped to standard fields. D.Link observables into a meaningful indicator of risk, or Indicator of Compromise (IOC).

D.Link observables into a meaningful indicator of risk, or Indicator of Compromise (IOC). Where collection and aggregation produce inputs, a SIEM is for reporting, a critical function of which is correlation. SIEM software can link individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IOC). SIEM can use correlation to drive an alerting system. Log aggregation involves normalizing date/time zone differences to a single timeline. SIEM aggregation uses connectors or plug-ins to parse data from distinct types of systems and to account for differences between vendor implementations. Aggregation normalizes data from different sources so that it is consistent and searchable, identifying attributes and content that can map to standard fields in the SIEM's reporting and analysis tools.

Consider the Public Key Infrastructure (PKI) Trust Model. Which of the following best protects against compromise? A.Single CA B.Intermediate CA C.Self-signed CA D.Offline CA

D.Offline CA An offline Certificate Authority (CA) is where the root CA has been disconnected from the network to protect it from compromise. Therefore, it is not a single point of failure. A single CA issues certificates to users, but is very exposed. If it is compromised, the whole PKI collapses. In a hierarchical model, the root CA issues certificates to several intermediate CAs, diluting risk. However, the root is still a single point of failure. A self-signed certificate is a type of digital certificate that is owned by the entity that signs it, which makes it a single CA, or root.

A guard station deploys a new security device to use to access a classified data station. The installation technician tests the device's sensitivity to speed and pressure. Which type of behavioral technology is the technician testing for? A.Voice recognition B.Gait analysis C.Typing D.Signature recognition

D.Signature recognition Signatures are relatively easy to duplicate, but it is more difficult to fake the actual signing process. Signature matching records the user applying their signature (stroke, speed, and pressure of the stylus). Voice recognition is relatively cheap, as the hardware and software required are built into many standard PCs and mobiles. However, obtaining an accurate template can be difficult and time-consuming. Gait analysis produces a template from human movement (locomotion). The technologies can either be camera-based or use smartphone features, such as an accelerometer and gyroscope. Typing is used to match the speed and pattern of a user's input of a passphrase.

In a protocol, such as Transport Layer Security (TLS), the server and client negotiate mutually compatible cipher suites as part of the TLS handshake. Which of the following components is NOT part of the encryption cipher suite? A.Signature algorithm B.A key exchange/agreement algorithm C.Bulk encryption cipher D.Stream cipher

D.Stream cipher The Advanced Encryption Standard (AES) is the default symmetric (block) encryption cipher for most products. A block cipher divides plaintext into equal-size blocks, adding padding if there is not enough data in the plaintext to fill out the block. TLS protocol uses a signature algorithm to assert the identity of the server's public key and facilitate authentication. In TLS, the server and client derive the same bulk encryption symmetric key through the use of a key exchange/agreement algorithm. The final part of a cipher suite determines the bulk encryption cipher. When advanced encryption standard (AES) is the symmetric cipher, it has to be in a mode of operation that supports a stream of network data.

A small company needs to secure the perimeter of their network, but they do not have the overhead or infrastructure to construct a demilitarized zone. Examine the following recommendations and select the best solution for this small company. A.The company should configure a screened subnet. B.The company should install a triple-homed firewall. C.The company should implement microsegmentation across their network. D.The company should configure a screened host.

D.The company should configure a screened host. A dual-homed proxy/gateway server can act as a screened host to protect internet access in smaller networks. A screened subnet uses two firewalls placed on either side of the DMZ. The edge firewall restricts traffic on the external/public interface, allowing permitted traffic to hosts in the DMZ. The internal firewall filters communications between hosts in the DMZ and hosts on the LAN. A triple-homed DMZ uses one router/firewall appliance with three network interfaces. One interface is public, another is the DMZ, and the third connects to the LAN. Microsegmentation is a zero-trust technique that applies policies to a single node, as though it was in a zone of its own. Microsegmentation occurs in larger networks like data centers.

After a break-in at a government laboratory, some proprietary information was stolen and leaked. Which statement best summarizes how the laboratory can implement security controls to prevent future breaches? A.The laboratory needs to take detective action and should implement physical and deterrent controls in the future. B.The laboratory needs to take detective action and should implement corrective controls in the future. C.The laboratory needs to take compensatory action and should implement physical controls in the future. D.The laboratory needs to take corrective action and should implement both physical and preventative controls in the future.

D.The laboratory needs to take corrective action and should implement both physical and preventative controls in the future. Following a break-in that included both physical intrusion and data compromise, the lab should take corrective action to reduce the impact of the intrusion event. Implementing preventative measures can help secure data from future attacks, and physical controls can mitigate the probability of future physical break-ins. Deterrent controls, such as warning signs, may not physically or logically prevent access, but psychologically discourage attackers from attempting an intrusion. Detective controls, such as logs, which operate during an attack, may not prevent or deter access, but they will identify and record any attempted or successful intrusion. Compensating controls serve as a substitute for a principal control, but corrective controls reduce the impact of an intrusion event.

A suspected network breach prompts an engineer to investigate. The engineer utilizes a set of command line tools to collect network routing data. While doing so, the engineer discovers that UDP communications is not working as expected. Which tool does the engineer experience difficulty with? A.route B.tracert C.pathping D.traceroute

D.traceroute The traceroute command performs route discovery from a Linux host. This command uses UDP probes rather than ICMP, by default. The route command displays and modifies a system's local routing table. This command does not collect network data. The tracert command uses ICMP probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. This command is a Windows based tool. The pathping command is a Windows tool that provides statistics for latency and packet loss along a route over a measuring period.

A company performing a risk assessment calculates how much return the company has saved by implementing a security measure. Which formula will they use to calculate this metric? A.Asset value x EF [B.(ALE-ALEm)-Cost of Solution]/Cost of Solution C.SLE x ARO D.(ALE-SLE)/Cost of Solution

[B.(ALE-ALEm)-Cost of Solution]/Cost of Solution Return on Security Investment (ROSI) calculates a new ALE, based on reduction in loss by new security controls. ROSI is: [(ALE - ALEm) - Cost of Solution] / Cost of Solution, where ALE is before controls and ALEm is after controls. Single Loss Expectancy (SLE) is the potential loss from a single event. Multiplying the value of the asset by an Exposure Factor (EF), where EF is the percentage of an asset lost, gives the SLE. Annualized Loss Expectancy (ALE) is the potential for loss over the course of a year. Multiplying the SLE by the Annualized Rate of Occurrence (ARO) gives the ALE. Annualized Loss Expectancy (ALE) is a yearly figure, while Single Loss Expectancy (SLE) measures a single event.