CompTIA Security+ (SY0-601) Practice Exam #4

What role does the red team perform during a tabletop exercise (TTX)? Network defender Cybersecurity analyst Adversary System administrator

Adversary OBJ-1.8: The red team acts as the adversary, attempting to penetrate the network or exploit it as a rogue internal attacker. The red team might select members of in-house security staff, a third-party company, or a consultant contracted to perform the role. The blue team operates the security system with a focus on detecting and repelling the red team. The blue team usually consists of system administrators, cybersecurity analysts, and network defenders.

How would you appropriately categorize the authentication method displayed here? Multifactor authentication PAP authentication Biometric authentication One-time password authentication

Biometric authentication

Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly? Continuous delivery Continuous deployment Continuous monitoring Continuous integration

Continuous deployment

Which protocol relies on mutual authentication of the client and the server for its security? Two-factor authentication RADIUS LDAPS CHAP

LDAPS OBJ-3.1: The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable access to a directory of resources (workstations, users, information, etc.). TLS provides mutual authentication between clients and servers. Since Secure LDAP (LDAPS) uses TLS, it provides mutual authentication.

Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the operating system can load itself? Advanced anti-malware Startup Control Measured boot Master Boot Record analytics

Measured boot

Which of the following terms is used to describe the timeframe following a disaster that an individual IT system may remain offline? RPO MTTR MTBF RTO

RTO OBJ-5.4: Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired. Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation.

Dion Training is concerned with the possibility of employees accessing another user's workstation in secured areas without their permission. Which of the following would BEST be able to prevent this from happening? Require a username and a password for user logins Enforce a policy that requires passwords to be changed every 30 days Install security cameras in secure areas to monitor logins Require biometric identification for user logins

Require biometric identification for user logins

Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? VM sprawl VM escape VM migration (Incorrect) VM data remnant

VM escape OBJ-2.2: Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker can access a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines. Data remnant is the residual representation of digital data that remains even after attempts have been made to remove or erase it. Virtualization sprawl is a phenomenon that occurs when the number of virtual machines on a network reaches a point where the administrator can no longer manage them effectively. Virtual machine migration is the task of moving a virtual machine from one physical hardware environment to another.

Which of the following types of attacks occurs when an attacker specifically targets the CEO, CFO, CIO, and other board members during their attack? Smishing Vishing Phishing Whaling Spear phishing

Whaling OBJ-1.1: Whaling occurs when the attacker targets the C-level executives (CEO, CFO, CIO, etc.), board members, and other senior executives within the organization.

An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only the name servers? transfer type=ns request type=ns locate type=ns set type=ns

set type=ns OBJ-4.1: The nslookup command is used to query the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records. The "set type=ns" tells nslookup only reports information on name servers. If you used "set type=mx" instead, you would receive information only about mail exchange servers.

Dion Training has a $15,000 server that has frequently been crashing. Over the past 12 months, the server has crashed 10 times, requiring the server to be rebooted to recover from the crash. Each time, this has resulted in a 5% loss of functionality or data. Based on this information, what is the Annual Loss Expectancy (ALE) for this server? $2,500 $1,500 (Incorrect) $7,500 $15,000

$7500 OBJ-5.4: To calculate the ALE, you need to multiple the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). The SLE is calculated by multiplying the Exposure Factor (EF) by the Asset Value (AV). Therefore, SLE = EF x AV, and ALE = SLE x ARO. For this scenario, the asset value is $15,000, the annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To calculate the SLE, SLE = 0.05 x $15,000 = $750. Therefore, the ALE = SLE x ARO = $750 x 10 = $7,500.

Your firewall is blocking outbound email traffic that is attempting to be sent. Which port should you verify is set to ALLOW in the firewall to ensure your emails are being sent? 22 80 25 143 (Incorrect)

25 OBJ-3.1: The simple mail transfer protocol (SMTP) is the protocol used to send mail between hosts on the Internet using TCP port 25. Port 25 must be set to OPEN or ALLOW in the firewall for SMTP (Sendmail transfer protocol) to function properly. Secure shell (SSH) is the protocol used for remote administration and file copying using TCP port 22. SSH is considered secure since it uses authenticated and encrypted sessions for communication. Secure shell (SSH) is the protocol used for remote administration and file copying using TCP port 22. SSH is considered secure since it uses authenticated and encrypted sessions for communication. The internet message access protocol (IMAP) is a TCP/IP application protocol that provides a means for a client to access email messages stored in a mailbox on a remote server using TCP port number 143. Unlike POP3, messages persist on the server after the client has downloaded them. IMAP also supports mailbox management functions, such as creating subfolders and access to the same mailbox by more than one client at the same time.

Which of the following cryptographic algorithms is classified as symmetric? RSA PGP 3DES ECC

3DES OBJ-2.8: Triple DES (3DES) is a symmetric-key block cipher that applies the DES cipher algorithm three times to each data block to increase its security over DES. RSA, PGP, and ECC are all asymmetric algorithms.

Dion Training just installed a new webserver within a screened subnet. You have been asked to open up the port for secure web browsing on the firewall. Which port should you set as open to allow users to access this new server? 443 143 21 80

443 OBJ-3.1: The hypertext transfer protocol secure (HTTPS) is a secure protocol used to provide web content to browsers using SSL/TLS encryption over port 443. The hypertext transfer protocol (HTTP) is a protocol used to provide web content to browsers using port 80. The hypertext transfer protocol (HTTP) is a protocol used to provide web content to browsers using port 80. The file transfer protocol (FTP) is the protocol used to transfer files across the internet over ports 20 and 21.

Using the image provided, place the port numbers in the correct order with their associated protocols. 53, 69, 25, 80 25, 80, 53, 69 69, 25, 80, 53 80, 53, 69, 25

69, 25, 80, 53 OBJ-3.1: For the exam, you need to know your ports and protocols. The Trivial File Transfer Protocol (TFTP) uses port 69. The Simple Mail Transfer Protocol (SMTP) uses port 25. The Hypertext Transfer Protocol (HTTP) uses port 80. The Domain Name Service (DNS) protocol uses port 53.

What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+? 802.1x 802.11ac 802.3af 802.1q

802.1x OBJ-3.8: If you are using RADIUS/TACACS+ with the switch, you will need to use 802.1x for the protocol. The IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. This defines port security. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server.

Which of the following tools could be used to detect unexpected output from an application being managed or monitored? A signature-based detection tool A log analysis tool Manual analysis A behavior-based analysis tool

A behavior-based analysis tool OBJ-3.3: A behavior-based analysis tool can capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to set up properly, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.

Which of the following access control methods provides the most detailed and explicit type of access control over a resource? MAC (Incorrect) DAC RBAC ABAC

ABAC OBJ-3.8: Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes. Information such as the group membership, the OS being used by the user, and even the machine's IP address could be considered when granting or denying access.

What information should be recorded on a chain of custody form during a forensic investigation? The law enforcement agent who was first on the scene Any individual who worked with evidence during the investigation The list of individuals who made contact with files leading to the investigation The list of former owners/operators of the workstation involved in the investigation

Any individual who worked with evidence during the investigation OBJ-4.5: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization's procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn't collect the evidence). The other options presented by the question are all good pieces of information to record in your notes, but it is not required to be on the chain of custody form.

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? Trend Heuristic Behavior Anomaly

Behavior OBJ-1.7: This is an example of behavior-based detection. Behavior-based detection (or statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device. Anything that deviates from this baseline (outside a defined level of tolerance) generates an alert. The heuristic analysis determines whether several observed data points constitute an indicator and whether related indicators make up an incident depending on a good understanding of the relationship between the observed indicators. Human analysts are typically good at interpreting context but work painfully slowly, in computer terms, and cannot hope to cope with the sheer volume of data and traffic generated by a typical network. Anomaly analysis is the process of defining an expected outcome or pattern to events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules. Trend analysis is not used for detection but instead to better understand capacity and the system's normal baseline. Behavioral-based detection differs from anomaly-based detection. Behavioral-based detection records expected patterns concerning the entity being monitored (in this case, user logins). Anomaly-based detection prescribes the baseline for expected patterns based on its observation of what normal looks like.

Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent? Brute force attack Privilege escalation Spoofing On-path attack

Brute force attack OBJ-1.2: Since the policy will lock out the student for 15 minutes between attempts, it is a valid mitigation technique against a brute force attack. By extending the waiting period, the attacker's brute force attempts are less effective. A brute force attack is a type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords. An on-path attack is an attack where the threat actor makes an independent connection between two victims and can read, and possibly modify traffic. A privilege escalation is a practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application. Spoofing is a type of attack that disguises a communication from an unknown source as being from a known, trusted source. Spoofing can occur using different methods, such as MAC spoofing, IP spoofing, call spoofing, and others.

Which of the following is required for evidence to be admissible in a court of law? Chain of custody Order of volatility Legal hold Right to audit

Chain of custody OBJ-4.4: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization's procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. A legal hold is a process that an organization uses to preserve all forms of potentially relevant information when litigation is pending or reasonably anticipated. A right to audit is a clause in a contract or service agreement that allows a company the authority to audit the systems and information processed. Order of volatility refers to the order in which you should collect evidence.

During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords? Birthday attack Cognitive password attack Brute force attack Rainbow table attack

Cognitive password attack OBJ-1.2: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this password type can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin's email account was hacked because a high schooler used the "reset my password" feature on Yahoo's email service to reset her password using the information that was publically available about Sarah Palin (like her birthday, high school, and other such information).

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first? Conduct a data criticality and prioritization analysis Conduct a Nessus scan of the FIREFLY server (Incorrect) Logically isolate the PAYROLL_DB server from the production network Hardening the DEV_SERVER7 server

Conduct a data criticality and prioritization analysis OBJ-5.4: While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and DION, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn't contain their credit card processing systems that would be a more lucrative target for APT 38 than the PAYROLL_DB. The suggestions of hardening, logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don't know which data they should focus on protecting or where the attacker is currently.

Fail to Pass Systems has just become the latest victim in a large-scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Fail to Pass Systems in handling this data breach? Purchase a cyber insurance policy, alter the date of the incident in the log files, and file an insurance claim Conduct notification to all affected customers within 72 hours of the discovery of the breach Conduct a 'hack-back' of the attacker to retrieve the stolen information Provide a statement to the press that minimizes the scope of the breach

Conduct notification to all affected customers within 72 hours of the discovery of the breach OBJ-1.6: Generally speaking, most laws require notification within 72 hours, such as the GDPR. All other options are either unethical, constitute insurance fraud, or are illegal. Conducting a hack-back is considered illegal, and once data has been taken, it is nearly impossible to steal it back as the attacker probably has a backup of it. Providing an incorrect statement to the press is unethical, and if your company is caught lying about the extent of the breach, it could further hurt your reputation. Purchasing a cyber insurance policy and altering the log file dates to make it look like the attack occurred after buying the policy would be insurance fraud. This is unethical and illegal.

Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation? Create a hash digest of the source drive and the image file to ensure they match Digitally sign the image file to provide non-repudiation of the collection Encrypt the image file to ensure it maintains data integrity Encrypt the source drive to ensure an attacker cannot modify its contents

Create a hash digest of the source drive and the image file to ensure they match OBJ-4.5: The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from it. When comparing hash values, you need to use the same algorithm used to create the reference value. While encrypting the image files is a good security practice to maintain the data's confidentiality, it does not provide data integrity like a hash digest does. Once imaged, the source drive should not be altered or encrypted. Digitally signing the image file could serve the function of non-repudiation, but it is an uncommon practice and not required to be performed.

Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct? Internal scan Credentialed scan External scan Non-credentialed scan

Credentialed scan OBJ-1.7: Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results. A non-credentialed scan relies on external resources for configuration settings that can be altered or incorrect. The scanner's network location does not directly impact the ability to read the configuration information, so it would not make a difference if you conducted an external or internal scan.

Your company recently suffered a small data breach caused by an employee emailing themselves a copy of the current customer's names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data? DLP MDM Firewall Strong passwords

DLP OBJ-2.1: Data loss prevention software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in-motion (network traffic), and at rest (data storage). Since the user was an authorized user (employee), changing your password policy, reconfiguring the firewall, or setting up an MDM solution would not solve this problem. Instead, a DLP solution must be implemented.

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected? HIPAA SOX GLBA COSO

HIPAA OBJ-5.2: The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be followed in the United States. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) guides governance-related topics, including fraud, controls, finance, and ethics. COSO's ERM-integrated framework defines risk, and related common terminology lists key components of risk management strategies and supplies direction and criteria for enhancing risk management practices.

What should administrators perform to reduce a system's attack surface and remove unnecessary software, services, and insecure configuration settings? Harvesting Hardening Stealthing Windowing

Hardening OBJ-3.2: Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, removing unnecessary software, unnecessary usernames or logins, and disabling or removing unnecessary services. Windows is the use of windows for the simultaneous display of more than one item on a screen. Harvesting is the process of gathering data, normally user credentials. Stealthing is a made-up term in this question.

When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis? Hardware write blocker Software write blocker Degausser Forensic drive duplicator

Hardware write blocker OBJ-2.7: Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive's contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker's primary purpose is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device. A forensic drive duplicator copies a drive and validates that it matches the original drive but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the hard drive contents.

Barbara received a phone call from a colleague asking why she sent him an email with lewd and unusual content. Barbara doesn't remember sending the email to the colleague. What is Barbara MOST likely the victim of? Phishing Ransomware Spear phishing Hijacked email

Hijacked email OBJ-1.1: Barbara is MOST likely the victim of hijacked email. Hijacked email occurs when someone takes over your email account and sends out messages on your behalf. Hijacked email can occur after a system is taken over by an attacker. The victim usually finds out about it when someone asks about an email the victim sent them, or the victim sees an automated out-of-office reply from one of the recipients of the victim's emails. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people. Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received.

Based on the output, what type of password cracking method does Jason's new tool utilize? Rainbow attack (incorrect) Dictionary attack Brute force attack Hybrid attack

Hybrid attack OBJ-1.2: Based on the passwords found in the example, Jason's new password cracker is most likely using a hybrid approach. All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason's password of rover123 is made up of the dictionary word "rover" and the number 123. The cracker likely attempted to use a dictionary word (like rover) and the attempted variations on it using brute force (such as adding 000, 001, 002, ...122, 123) to the end of the password until found. Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.

You are trying to select the best device to install to detect an outside attacker trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select? Proxy server IDS Authentication server IPS (Incorrect)

IPS OBJ-3.3: An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can stop malicious activity or policy violations, an IDS can only log these issues and not stop them. An intrusion prevention system (IPS) conducts the same functions as an IDS but can also block or take actions against malicious events. An authentication, authorization, and accounting (AAA) server is a server used to identify (authenticate), approve (authorize), and keep track of (account for) users and their actions. AAA servers can also be classified based on the protocol they use, such as a RADIUS server or TACACS+ server. A proxy server is a server that acts as an intermediary between a client requesting a resource and the server that provides that resource. A proxy server can be used to filter content and websites from reaching a user.

You are trying to select the best device to install to proactively stop outside attackers from reaching your internal network. Which of the following devices would be the BEST for you to select? Syslog server IDS Proxy server IPS

IPS OBJ-3.3: An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents, and capturing information about them. An IPS can block malicious network traffic, unlike an IDS, which can only log them. A proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. System Logging Protocol (Syslog) uses port 514 and is a way network devices can use a standard message format to communicate with a logging server. It was designed specifically to make it easy to monitor network devices. Devices can use a Syslog agent to send out notification messages under a wide range of specific conditions.

Which role validates the user's identity when using SAML for authentication? User agent IdP RP SP

IdP OBJ-3.8: The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

You have been hired as a consultant to help Dion Training develop a new disaster recovery plan. Dion Training has recently grown in the number of employees and information systems infrastructure used to support its employees. Unfortunately, Dion Training does not currently have any documentation, policies, or procedures for its student and faculty networks. What is the first action you should take to assist them in developing a disaster recovery plan? Identify the organization's assets Conduct a vulnerability scan Conduct a risk assessment Develop a data retention policy (Incorrect)

Identify the organization's assets OBJ-4.2: The first step to developing an effective disaster recovery plan is to identify the assets. The organization must understand exactly what assets they own and operate. Once identified, you can then determine what assets and services are essential to business operations, what risks are facing them, and how best to recovery in the event of a disaster. To best understand the organization's risks, they will undertake an organization-wide risk assessment and conduct a vulnerability scan of its assets.

An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future? Enable WPA2 security on the open wireless network (Incorrect) Implement a VLAN to separate the HVAC control system from the open wireless network Install an IDS to protect the HVAC system Enable NAC on the open wireless network

Implement a VLAN to separate the HVAC control system from the open wireless network OBJ-1.5: A VLAN is useful to segment out network traffic to various parts of the network and stop someone from the open wireless network from logging to the HVAC controls. By utilizing NAC, each machine connected to the open wireless network could be checked for compliance and determine if it is a 'known' machine, but they would still be given access to the entire network. Also, since this is a publicly usable network, using NAC could prevent users from accessing all the network features. An IDS would be a good solution to detect the attempted logins, but it won't prevent them. Instead, an IPS would be required to prevent logins.

What type of vulnerability does this website have? Race condition Insecure direct object reference Improper error handling (Incorrect) Weak or default configurations

Insecure direct object reference OBJ-1.3: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user's profile page in this scenario. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system's potential flaws.

Which type of threat actor can accidentally or inadvertently cause a security incident in your organization? Organized Crime Insider threat APT Hacktivist

Insider threat OBJ-1.5: An insider threat is a type of threat actor assigned privileges on the system that cause an intentional or unintentional incident. Insider threats can be used as unwitting pawns of external organizations or make crucial mistakes that can open up exploitable security vulnerabilities. Hacktivists, Organized Crimes, and advanced persistent threats (APT) entities do not accidentally or unwittingly target organizations. Instead, their actions are deliberate. A hacktivist is an attacker that is motivated by a social issue or political cause. Organized crime is a type of threat actor that uses hacking and computer fraud for commercial gain. An advanced persistent threat (APT) is a type of threat actor that can obtain, maintain, and diversify access to network systems using exploits and malware.

Which of the following biometric authentication factors relies on matching patterns on the eye's surface using near-infrared imaging? Facial recognition Retinal scan Iris scan Pupil dilation

Iris Scan OBJ-2.4: Iris scans rely on the matching of patterns on the surface of the eye using near-infrared imaging, and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance) and much quicker. Iris scanners offer a similar level of accuracy as retinal scanners but are much less likely to be affected by diseases. Iris scanning is the technology most likely to be rolled out for high-volume applications, such as airport security. There is a chance that an iris scanner could be fooled by a high-resolution photo of someone's eye.

What is the biggest disadvantage of using single sign-on (SSO) for authentication? It introduces a single point of failure Systems must be configured to utilize the federation Users need to authenticate with each server as they log on The identity provider issues the authorization

It introduces a single point of failure OBJ-5.4: Single sign-on is convenient for users since they only need to remember one set of credentials. Unfortunately, single sign-on also introduces a single point of failure. If the identity provider is offline, then the user cannot log in to any of the resources they may wish to utilize across the web. Additionally, if the single sign-on is compromised, the attacker now has access to every site that the user would have access to using the single set of credentials.

Dion Training is building a new data center. The group designing the facility has decided to provide additional HVAC capacity to ensure the data center maintains a consistently low temperature. Which of the following is the most likely benefit that will be achieved by increasing the designed HVAC capacity? Increase the availability of network services due to higher throughput Longer UPS run time due to increased airflow Higher data integrity due to more efficient SSD cooling (Incorrect) Longer MTBF of hardware due to lower operating temperatures

Longer MTBF of hardware due to lower operating temperatures OBJ-5.4: The mean time between failure (MTBF) is the measure of the anticipated rate of failure for a system or component. This is effectively a measurement of the component's expected lifespan. If the HVAC capacity is increased, the server room can maintain a cooler temperature range. Datacenters produce a lot of heat from the equipment being operated. Excessive heat can damage components and cause premature hardware failure. Therefore, increasing the HVAC capacity and airflow can lead to longer lifespans for servers and networking equipment.

Dion Training has an open wireless network called "InstructorDemos" for its instructors to use during class, but they do not want any students connecting to this wireless network. The instructors need the "InstructorDemos" network to remain open since some of their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the following configuration settings should you use to satisfy the instructor's requirements and prevent students from using the "InstructorDemos" network? Signal strength MAC filtering NAT QoS

MAC filtering OBJ-3.4: Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same devices to connect to the network, it would be relatively easy to implement a MAC filtering based on the list of devices that are allowed to use the open network and reject any other devices not listed by the instructors (like the student's laptops or phones). Reducing the signal strength would not solve this issue since students and instructors are in the same classrooms. Using Network Address Translation and Quality of Service will not prevent the students from accessing or using the open network.

You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? Off-hours usage Failed logins Malicious processes Unauthorized sessions

Malicious processes OBJ-4.3: A malicious process is any process running on a system that is outside the norm. This is a host-based indicator of compromise (IOC) and not directly associated with an account-based IOC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IOC. Off-hours usage occurs when an account is observed to log in during periods outside of normal business hours. An attacker often uses this to avoid detection during business hours. Unauthorized sessions occur when a device or service is accessed without authorization. For example, if a limited privilege user is signed into a domain controlled. A failed login might be normal if a user forgets or incorrectly types their password, but repeated failures for one account could also be an indication of an attack attempting to crack a user's password.

When you are managing a risk, what is considered an acceptable option? Initiate Mitigate Reject Deny

Mitigate OBJ-5.4: Mitigating a risk makes the effect of a risk a little less unpleasant, harmful, or serious. The majority of risk management is focused on mitigating risks down to an acceptable level of loss or risk. The risk response actions are accept, avoid, mitigate, or transfer.

What is a legal contract outlining the confidential material or information that will be shared by the pentester and the organization during an assessment? SLA SOW MSA NDA

NDA OBJ-5.3: This is the definition of a non-disclosure agreement (NDA). There may be two NDAs in use: One from the organization to the pentester and another from the pentester to the organization. The Statement of Work (SOW) is a formal document stating what will and will not be performed during a penetration test. It should also contain the assessment's size and scope and a list of the assessment's objectives. A master service agreement (MSA) is a contract reached between parties, in which the parties agree to most of the terms that will govern future transactions or future agreements. The MSA is used when a pentester will be on retainer for a multi-year contract, and an individual SOW will be issued for each assessment to define the individual scopes for each one. A service level agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including reasons the contract may be terminated.

Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts? Notification to local law enforcement Notification to federal law enforcement Notification to your credit card processor (Incorrect) Notification to Visa and Mastercard

Notification to Visa and Mastercard OBJ-4.5: Any organization that processes a credit card is required to work with Visa and Mastercard to report a data breach. After a data breach, you should notify payment card brands (Visa and Mastercard), acquirers (merchant banks), and any other entities that may require notification, whether by contract or law. Conducting notification to your payment card brand and merchant banks is one of the first steps in the incident response process for this type of data breach. Typically, law enforcement does not have to be notified of a data breach at a commercial organization.

An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system? Lateral movement Golden ticket Pivoting Pass the hash

Pass the hash OBJ-1.3: Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.

What is the correct order of the Incident Response process? Lessons Learned, Recovery, Preparation, Identification, Containment, and Eradication Identification, Containment, Eradication, Preparation, Recovery, and Lessons Learned Containment, Eradication, Identification, Lessons learned, Preparation, and Recovery Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned

Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned

Samantha works in the human resource department in an open floorplan office. She is concerned about the possibility of someone conducting shoulder surfing to read sensitive information from employee files while accessing them on her computer. Which of the following physical security measures should she implement to protect against this threat? Privacy screen Biometric lock Hardware token Badge reader

Privacy screen OBJ-1.1: A privacy screen is a filter placed on a monitor to decrease the viewing angle of a monitor. This prevents the monitor from being viewed from the side and can help prevent shoulder surfing. The standard type of anti-glare filter consists of a coating that reduces the reflection from a glass or plastic surface. A biometric lock is any lock that can be activated by biometric features, such as a fingerprint, voiceprint, or retina scan. Biometric locks make it more difficult for someone to counterfeit the key used to open the lock or a user's account. A smart card is a form of hardware token. A smart card, chip card, or integrated circuit card is a physical, electronic authorization device used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit chip. In high-security environments, employee badges may contain a smart card embedded chip that must be inserted into a smart card reader to log in or access information on the system. A badge reader is used to read an employee's identification badge using a magnetic stripe, barcode, or embedded RFID chip.

Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach? Protected health information Credit card information Personally identifiable information Trade secret information

Protected health information

Dion Training is concerned with students entering the server room without permission. To prevent this from occurring, the organization wants to purchase and install an access control system that will allow each instructor to have access using an RFID device. Which of the following authentication mechanisms should Dion Training use to meet this requirement? Biometric reader Proximity badge CCTV Access control vestibule

Proximity badge OBJ-2.7: The best option is to use a proximity badge. This type of badge embeds an RFID chip into the card or badge. When an authorized user swipes their card or badge over the reader, it sends an RF signal that uniquely identifies the card's holder or badge. While some of the other options presented could be used for authentication (such as biometrics), these options do not use an RFID as stated in the requirements. Closed-circuit television is a type of video surveillance where video cameras transmit a signal to a specific place using a limited set of monitors. An access control vestibule is a physical security access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens. Biometrics are identifying features stored as digital data that can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition. This requires a relevant scanning device, such as a fingerprint reader, and a database of biometric information for authentication to occur.

You have been asked to develop a solution for one of your customers. The customer is a software development company, and they need to be able to test a wide variety of operating systems to test the software applications their company is developing internally. The company doesn't want to buy a bunch of computers to install all of these operating systems for testing. Which of the following solutions would BEST meet the company's requirements? Purchase multiple workstations, install a VM on each one, then install one operating system that will be used to test the applications being developed in each VM Purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed Purchase multiple inexpensive workstations and install one operating system that will be used to test the application

Purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed OBJ-2.2: Since the company's main goal was to minimize the amount of hardware required, the BEST solution is to purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed. This allows a single machine to run multiple operating systems for testing with the least amount of hardware.

Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the following is the MOST likely cause of the issue? CSMA/CA SSL certificates WPA2 security key (Incorrect) RADIUS

RADIUS OBJ-3.8: Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication. The IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. This defines port security. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server. The Remote Authentication Dial-in User Service (RADIUS) is used to manage remote and wireless authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The client device then passes the authentication data to an AAA (Authentication, Authorization, and Accounting) server that processes the request. Secure Sockets Layer (SSL) is a security protocol developed by Netscape to provide privacy and authentication over the Internet. SSL is application independent that works at layer 5 [Session] and can be used with a variety of protocols, such as HTTP or FTP. Client and server set up a secure connection through PKI (X.509) certificates. Carrier-sense multiple access with collision avoidance (CSMA/CA) is a network multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by beginning transmission only after the channel is sensed to be idle. CSMA/CA occurs in the background when communicating with a wireless access point and would not prevent the user from authenticating to the captive portal. A WPA2 security key is a preshared password used to authenticate and connect to a wireless access point. If the user connected to the SSID, then the WPA2 security key was valid.

Which of the following hashing algorithms results in a 160-bit fixed output? MD-5 (Incorrect) NTLM SHA-2 RIPEMD

RIPEMD OBJ-2.8: RIPEMD creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

Which party in a federation provides services to members of the federation? RP IdP SAML SSO

RP OBJ-2.4: Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties between an identity provider and a service provider (SP) or a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reading the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit? Dereferencing Broken authentication Race condition Sensitive data exposure

Race condition OBJ-1.6: Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker's exploit is racing to modify the configuration file before the application reads the number of lives from it. Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls. Broken authentication refers to an app that fails to deny access to malicious actors. Dereferencing attempts to access a pointer that references an object at a particular memory location.

Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach? Require data masking for any information stored in the database Require all new employees to sign an NDA Require a VPN to be utilized for all telework employees (Incorrect) Require data at rest encryption on all endpoints

Require data at rest encryption on all endpoints

You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the criticality of a system to the organization's operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system? Ask the CEO for a list of the critical systems Review the asset inventory and BCP Conduct a nmap scan of the network to determine the OS of each system (Incorrect) Scope the scan based on IP subnets

Review the asset inventory and BCP OBJ-4.2: To best understand a system's criticality, you should review the asset inventory and the BCP. Most organizations classify each asset in its inventory based on its criticality to the organization's operations. This helps to determine how many spare parts to have, the warranty requirements, service agreements, and other key factors to help keep these assets online and running at all times. Additionally, you can review the business continuity plan (BCP) since this will provide the organization's plan for continuing business operations in the event of a disaster or other outage. Generally, the systems or operations listed in a BCP are the most critical ones to support business operations. While the CEO may be able to provide a list of the most critical systems in a large organization, it isn't easy to get them to take the time to do it, even if they did know the answer. Worse, in most large organizations, the CEO isn't going to know what systems he relies on, but instead just the business functions they serve, again making this a bad choice. While conducting a nmap scan may help you determine what OS is being run on each system, this information doesn't help you determine criticality to operations. The same is true of using IP subnets since a list of subnets by itself doesn't provide criticality or prioritization of the assets.

Which of the following hashing algorithms results in a 256-bit fixed output? SHA-2 MD-5 SHA-1 NTLM

SHA-2 OBJ-2.8: SHA-2 creates a 256-bit fixed output. SHA-1 creates a 160-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

Your organization has been receiving many phishing emails recently, and you are trying to determine why they are effective in getting your users to click on their links. The latest email consists of what looks like an advertisement that is offering an exclusive early access opportunity to buy a new iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social engineering principle is being exploited here? Familiarity Scarcity Intimidation Trust

Scarcity OBJ-1.1: Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as "supplies are limited," "only available for the next 4 hours", and other such artificial limitations being used. Familiarity is a social engineering technique that relies on assuming a widely known organization's persona. For example, in the United States, nearly 25% of Americans have a Bank of America account. For this reason, phishing campaigns often include emails pretending to be from Bank of America since 1 in 4 people who receive the email in the United States are likely to have an account. This makes them familiar with the bank name and is more likely to click on the email link.

What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network? Vulnerability scanning Network sniffing Application security testing Social engineering

Social engineering OBJ-5.3: Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, utilizing social engineering techniques such as phishing or pharming can help you determine if additional end-user security training should be included in the organization. The other three options focus solely on technical controls. Therefore adding end-user training would not affect these technology options.

Which of the following is not considered an authentication factor? Something you are Something you want Something you know Something you have

Something you want OBJ-2.4: The five factors of authentication are knowledge, possession, biometric, action, and location. This is also known as 'something you know,' 'something you have,' 'something you are,' 'something you do,' and 'somewhere you are.'

Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization? Spear phishing Phishing Vishing Pharming Hoax

Spear phishing OBJ-1.1: Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. The key to answering this question is that the attack was focused on a targeted set of people, not just an indiscriminate large group of random people.

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? CHAP TACACS+ Kerberos RADIUS

TACACS+ OBJ-3.8: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.

An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue? The user doesn't have a PDF reader installed on their computer The attachment is using a double file extension to mask its identity The file contains an embedded link to a malicious website The email is a form of spam and should be deleted

The attachment is using a double file extension to mask its identity OBJ-1.1: The message contains a file attachment hoping that the user will execute or open it. The attachment's nature might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black popup window that appears and then disappeared, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.

You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark: Based on your review, what does this scan indicate? 173.12.15.23 might be infected with malware 192.168.3.145 might be infected with malware This appears to be normal network traffic 192.168.3.145 might be infected and beaconing to a C2 server (Incorrect) 173.12.15.23 might be infected and beaconing to a C2 server

This appears to be normal network traffic OBJ-4.1: This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host's firewall since it is not running those services on the host. None of this network traffic appears to be suspicious.

Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database? Anonymization Tokenization Data minimization Data masking

Tokenization OBJ-5.5: Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with x, for example. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? Zero-wipe drives before moving systems Span multiple virtual disks to fragment data Use full-disk encryption Use data masking

Use full-disk encryption OBJ-2.2: To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider. Using a zero wipe is typically impossible because VM systems may move without user intervention during scaling and elasticity operations. Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with "x," for example. Data masking will not prevent your corporate data from being exposed by data remanence. Spanning multiple disks will leave the data accessible, even though it would be fragmented, and would make the data remanence problem worse overall.

Which of the following functions is not provided by a TPM? User authentication Binding Sealing Remote attestation Random number generation Secure generation of cryptographic keys

User authentication OBJ-3.2: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.

You have been investigating how a malicious actor could exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that a rootkit's installation had modified the web server's BIOS. After removing the rootkit and reflashing the BIOS to a known good image, what should you do to prevent the malicious actor from affecting the BIOS again? Utilize secure boot Install an anti-malware application Install a host-based IDS Utilize file integrity monitoring

Utilize secure boot OBJ-3.2: Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that the OS vendor has digitally signed it. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.

Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted? UEBA VDI VPN VPC

VDI OBJ-3.5: Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from a user's physical computer. Virtual private cloud (VPC) is a private network segment made available to a single cloud consumer on a public cloud. A virtual private network (VPN) is a secure tunnel created between two endpoints connected via an insecure network, typically the internet. User and entity behavior analytics (UEBA) is a system that can provide automated identification of suspicious activity by user accounts and computer hosts.

You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal? VPN VLAN MAC filtering WPA2 (Incorrect)

VLAN OBJ-3.3: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevent communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and separates the two virtual network's data. A virtual private network (VPN) is a remote access capability to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.

Which of the following must be combined with a threat to create risk? Mitigation Vulnerability Exploit Malicious actor

Vulnerability OBJ-1.6: A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization's security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization's security goals. A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for threats and vulnerabilities since their goals lie outside your organization's security goals.

Which of the following is the LEAST secure wireless security and encryption protocol? WPA2 WPA3 WPA WEP

WEP OBJ-3.4: Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications that was designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access version 3 (WPA3) has replaced WPA2 as the most secure wireless encryption method. WPA3 uses the simultaneous authentication of equals (SAE) to increase the security of preshared keys. WPA3 provides the enhanced open mode that encrypts transmissions from a client to the access point when using an open network. WPA3 Enterprise mode supports the use of AES with the Galois/counter mode protocol (GCMP-256) for the highest levels of encryption.

You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device? Site surveys Port scanning MAC validation War walking

War walking OBJ-1.8: War walking is conducted by walking around a build while locating wireless networks and devices. War walking will not help find a wired rogue device. Checking valid MAC addresses against a known list, scanning for new systems or devices, and physically surveying for unexpected systems can be used to find rogue devices on a wired network.

What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system? You should accept the risk if the residual risk is low enough You should ignore any remaining risk You should remove the current controls since they are not completely effective You should continue to apply additional controls until there is zero risk (Incorrect)

You should accept the risk if the residual risk is low enough OBJ-5.4: In most cases, you will be unable to remove all risks. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.

What popular open-source port scanning tool is commonly used for host discovery and service identification? dd nmap services.msc Nessus (Incorrect)

nmap OBJ-4.1: The world's most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services. The dd tool is used to copy files, disks, and partitions, and it can also be used to create forensic disk images. Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.

You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems? netstat tracert ipconfig (Incorrect) nbtstat

tracert