Comsec Quizzes

Rob is an auditor reviewing the payment process used by a company to issue checks to vendors. He notices that Helen, a staff accountant, is the person responsible for creating new vendors. Norm, another accountant, is responsible for issuing payments to vendors. Helen and Norm are cross-trained to provide backup for each other. What security issue, if any, exists in this situation?

separation of duties violation

Please refer to the following scenario: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the asset value (AV)?

$500,000. The asset at risk in this case is the customer database. Losing control of the database would result in a $500,000 fine, so the asset value (AV) is $500,000.

Seamus is conducting a business impact assessment for his organization. He is attempting to determine the risk associated with a denial-of-service attack against his organization's data center. He consulted with various subject matter experts and determined that the attack would not cause any permanent damage to equipment, applications, or data. The primary damage would come in the form of lost revenue. Seamus believes that the organization would lose $75,000 in revenue during a successful attack. Seamus also consulted with his threat management vendor, who considered the probability of a successful attack against his organization and determined that there is a 10 percent chance of a successful attack in the next 12 months. What is the SLE in this scenario?

$75,000. The single loss expectancy (SLE) is the amount of damage expected to occur as the result of a single successful attack. In this case, the scenario provides this information as $75,000.

Amanda is deploying a wireless network in the United States and wants to use 2.4 GHz wireless channels that will not overlap or result in channel overlays. Which of the following channels will not create overlap if they are all deployed in a small area?

1, 6, and 11. Due to the amount of bandwidth allocated to each channel in the 2.4 GHz spectrum, only three channels will not overlap each other if they are used together. Those channels are 1, 6, and 11. Using any other channel will overlap with those three.

Chris wants to run a RAID that is a mirror of two disks. What RAID level does he need to implement?

1. RAID 1 is a mirror of two disks, with each disk a complete copy of the other disk. RAID 0 is a stripe of two disks and does not help with redundancy, instead focusing on performance. RAID 2 is rarely used, and stripes data and uses error correction. RAID 5 stripes by blocks of data and distributes parity information among drives.

Acme Widgets has 10 employees and they all need the ability to communicate with one another using a symmetric encryption system. The system should allow any two employees to securely communicate without other employees eavesdropping. If an 11th employee is added to the organization, how many new keys must be added to the system?

10

Acme Widgets has 10 employees and they all need the ability to communicate with one another using a symmetric encryption system. The system should allow any two employees to securely communicate without other employees eavesdropping. If an 11th employee is added to the organization, how many new keys must be added to the system?

10. When the 11th employee joins Acme Widgets, they will need a shared secret key with every existing employee. There are 10 existing employees, so 10 new keys are required.

Henry wants to review the first few lines of a file to see header information. How many lines at the start of a file will the head command display by default?

10. The head and tail commands are used to see the start and end of a file, respectively. They both display 10 lines by default, although you can use command-line flags to change how much they display.

What type of malware is frequently called stalkerware because of its use by those in intimate relationships to spy on their partners?

RATs. RATs, or remote access Trojans, are sometimes called stalkerware because they are often utilized by those in intimate relationships to spy on their partners. They provide remote access and other capabilities to computers and mobile devices.

Brian recently verified that the cash registers in his retail stores are printing only the last four digits of credit card numbers on receipts, replacing all the other digits with asterisks. The receipt does contain the customer's name and signature. What type of control has he implemented?

Masking

Colleen's organization recently suffered a security breach in which the attacker was able to destroy a system that processes customer orders. Colleen is concerned that the breach is slowing down the delivery of those orders. What type of risk concerns Colleen the most?

Operational

Alaina has configured the switches and routers in her organization to use a private VLAN connected to dedicated management ports on her network devices. What type of management model is she using?

Out of band management. Connecting to a device via a distinct administrative interface from a protected network is an example of out-of-band management. An in-band management approach would use the same connectivity that the device normally uses to provide its function. A SAN is a storage area network, and serial connections were (and sometimes still are) used for direct console access to devices, but this question does not describe a serial connection.

Fred wants to ensure that the administrative interfaces for the switches and routers are protected so that they cannot be accessed by attackers. Which of the following solutions should he recommend as part of his organization's network design?

Out of band management. Out-of-band management places the administrative interface of a switch, router, or other device on a separate network or requires direct connectivity to the device to access and manage it. This ensures that an attacker who has access to the network cannot make changes to the network devices. NAC and port security help protect the network itself, whereas trunking is used to combine multiple interfaces, VLANs, or ports together.

Which of the following is not a common constraint of embedded and specialized systems?

Overly complex firewall settings. Embedded and specialized systems tend to have lower power CPUs, less memory, less storage, and often may not be able to handle CPU-intensive tasks like cryptographic algorithms or built-in security tools. Thus, having a firewall is relatively unlikely, particularly if there isn't network connectivity built in or the device is expected to be deployed to a secure network.

Jen's firm is planning to open a new retail store that will accept credit cards. What regulation must the firm comply with as a result of this processing?

PCI DSS. The Payment Card Industry Data Security Standard (PCI DSS) is an industry regulatory framework that specifies the cybersecurity requirements for organizations involved in credit card transactions.

Which one of the following categories best describes information protected by HIPAA?

PHI (protected health information). The Health Insurance Portability and Accountability Act (HIPAA) mandates the safeguarding of protected health information (PHI). Sensitive personal information (SPI) and personally identifiable information (PII) may fall under HIPAA but do not necessarily do so. Payment card information (PCI) is covered by PCI DSS.

Tina works for a hospital system and manages the system's patient records. What category of personal information best describes the information that is likely to be found in those records?

PHI (protected health information). This is a tricky question, as it is possible that all of these categories of information may be found in patient records. However, they are most likely to contain protected health information (PHI). PHI could also be described as a subcategory of personally identifiable information (PII), but PHI is a better description. It is also possible that the records might contain payment card information (PCI) or personal financial information (PFI), but that is less likely than PHI.

Gary wants to use secure protocols for email access for his end users. Which of the following groups of protocols should he implement to accomplish this task?

POPS, IMAPS, HTTPS. End users may use secure POP (POPS), secure IMAP (IMAPS), and secure HTTP (HTTPS) to retrieve email. SPF, DKIM, and DMARC are used to identify and validate email servers, not to access email by end users.

Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack?

PR (privileges required). The privileges required (PR) metric indicates the type of system access that an attacker must have to execute the attack.

Laura wants to deploy a WPA2-secured wireless network for her small business, but she doesn't have a RADIUS server set up. If she wants her Wi-Fi to be encrypted, what is her best option for wireless authentication?

PSK. In small business and home environments, preshared keys (PSKs) allow encryption without enterprise authentication and a RADIUS server. Both EAP and EAP-TLS are used in enterprise authentication environments, and open Wi-Fi doesn't use encryption.

Which one of the following documents must normally be approved by the CEO or similarly high-level executive?

Policy. Policies require approval from the highest level of management, usually the CEO. Other documents may often be approved by other managers, such as the CISO.

Which one of the following information sources would not be considered an OSINT source?

Port scans. Port scans are an active reconnaissance technique that probes target systems and would not be considered open source intelligence (OSINT). Search engine research, DNS lookups, and WHOIS queries are all open source resources.

What scripting environment is native to Windows systems?

PowerShell. PowerShell is a native scripting environment for Windows systems. Although Python and Bash can be installed, they are not automatically part of the operating system. CMD.exe will start the command prompt, but it is not a scripting environment.

Greg recently conducted an assessment of his organization's security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case?

Preventive. The use of full-disk encryption is intended to prevent a security incident from occurring if a device is lost or stolen. Therefore, this is a preventive control gap.

What is the most frequent concern that leads to GPS tagging being disabled by some companies via an MDM tool?

Privacy. Geotagging places a location stamp in documents and pictures that can include position, time, and date. This can be a serious privacy issue when pictures or other information are posted, and many individuals and organizations disable GPS tagging.

Which one of the following penetration testing techniques does not involve expanding the scope of a compromise to additional systems?

Privilege escalation. Pivoting, maneuver, and lateral movement are all similar terms that involve moving from one compromised system to compromise other systems on the same network. Privilege escalation is a technique used to expand the access an attacker has to an already compromised system.

Shelly is writing a document that describes the steps that incident response teams will follow upon first notice of a potential incident. What type of document is she creating?

Procedure

Gavin is drafting a document that provides a detailed step-by-step process that users may follow to connect to the VPN from remote locations. Alternatively, users may ask IT to help them configure the connection. What term best describes this document?

Procedure. A procedure offers a step-by-step process for completing a cybersecurity activity. The VPN instructions that Gavin is creating are best described using this term.

Shelly is writing a document that describes the steps that incident response teams will follow upon first notice of a potential incident. What type of document is she creating?

Procedure. Procedures provide checklist-style sets of step-by-step instructions guiding how employees should react in a given circumstance. Procedures commonly guide the early stages of incident response.

Susan wants to ensure that the threat of a lost phone creating a data breach is minimized. What two technologies should she implement to do this?

Remote wipe and FDE. Susan's best options are to use a combination of full-device encryption (FDE) and remote wipe. If a device is stolen and continues to be connected to the cellular network, or reconnects at any point, the remote wipe will occur. If it does not, or if attackers attempt to get data from the device and it is locked, the encryption will significantly decrease the likelihood of the data being accessed. Of course, cracking a passcode, PIN, or password remains a potential threat. NFC and Wi-Fi are wireless connection methods and have no influence on data breaches due to loss of a device. Geofencing may be useful for some specific organizations that want to take action if devices leave designated areas, but it is not a general solution. Containerization may shield data, but use of containers does not immediately imply encryption or other protection of the data, simply that the environments are separated.

Maria is considering a BYOD device deployment and wants to enroll the devices in an MDM application. What key concern will she likely need to address with her users in the event that a device is lost and the organization wants to respond to ensure no corporate data is lost?

Remote wipe.

Vincent discovered the vulnerability shown here when scanning a system on his network. What is the best action he can take to correct this vulnerability?

Remove the FTP server

Which one of the following would not normally be found in an organization's information security policy?

Requirement to use AES-256 encryption. Security policies do not normally contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm. This type of detail would normally be found in a security standard.

Brian recently conducted a risk mitigation exercise and has determined the level of risk that remains after implementing a series of controls. What term best describes this risk?

Residual risk. The residual risk is the risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.

Brian would like to limit the ability of users inside his organization to provision expensive cloud server instances without permission. What type of control would best help him achieve this goal?

Resource policy. Cloud providers offer resource policies that customers may use to limit the actions that users of their accounts may take. Implementing resource policies is a good security practice to limit the damage caused by an accidental command, a compromised account, or a malicious insider.

Fred receives a call to respond to a malware-infected system. When he arrives, he discovers a message on the screen that reads "Send .5 Bitcoin to the following address to recover your files." What is the most effective way for Fred to return the system to normal operation?

Restore from a backup if available. In most cases, if a backup exists it is the most effective way to return to normal operation. If no backup exists, Fred may be faced with a difficult choice. Paying a ransom is prohibited by policy in many organizations and does not guarantee that the files will be unlocked. Wiping and reinstalling may result in the loss of data, much like not paying the ransom. Antimalware software may work, but if it did not detect the malware in the first place, it may not work, or it may not decrypt the files encrypted by the malware.

Susan has discovered that an incident took place on her network almost six months ago. As she prepares to identify useful data for the incident, which common policy is most likely to cause her difficulties during her investigation?

Retention policies. Retention policies for many organizations mean that data is kept for only a limited period of time. Many organizations keep specific logs for as short a period as 30 or 45 days, with other data kept for longer periods of time. It is likely that Susan will not have all of the incident data she would have if she had discovered the incident within 30 days of it occurring. Configuration standards are not a policy; communication and incident response policies would both support her IR needs.

Richard is sending a message to Grace and would like to apply a digital signature to the message before sending it. What key should he use to create the digital signature?

Richard's private key

Grace received a digitally signed message from Richard and would like to verify the digital signature. What key should she use to perform this verification?

Richard's public key. The recipient of a digitally signed message may verify the digital signature by decrypting it with the public key of the individual who signed the message.

Naomi is preparing to migrate her organization to a cloud service and wants to ensure that she has the appropriate contractual language in place. Which of the following is not a common item she should include?

Right to forensic examination. Contracts commonly include right to audit, choice of jurisdiction, and data breach notification timeframe clauses, but a right to forensically examine a vendor's systems or devices is rarely included. Naomi may want to ask about their incident response process and for examples of previous breach notification and incident documentation shared with customers instead.

Gary discovers that his organization is storing some old files in a cloud service that are exposed to the world. He deletes those files. What type of risk management strategy is this?

Risk avoidance. Gary is changing business practices to eliminate the risk entirely. This is, therefore, an example of risk avoidance.

Please refer to the following scenario: Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Grace's first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt?

Risk mitigation

Gary recently conducted a comprehensive security review of his organization. He identified the 25 top risks to the organization and is pursuing different risk management strategies for each of these risks. In some cases, he is using multiple strategies to address a single risk. His goal is to reduce the overall level of risk so that it lies within his organization's risk tolerance. Gary decides that the organization should integrate a threat intelligence feed with the firewall. What type of risk management strategy is this?

Risk mitigation. The use of a threat intelligence feed to block connections at the firewall reduces the likelihood of a successful attack and is, therefore, a risk mitigation activity.

Lila is working on a penetration testing team and she is unsure whether she is allowed to conduct social engineering as part of the test. What document should she consult to find this information?

Rules of engagement. The rules of engagement provide technical details on the parameters of the test. This level of detail would not normally be found in a contract or statement of work. The lessons learned report is not produced until after the test.

Madhuri disables SMS, MMS, and RCS on phones in her organization. What has she prevented from being sent?

Text messages and multimedia messages. SMS (Short Message Service) is used to send text messages, and MMS and RCS provide additional multimedia features. Neither provides phone calls or firmware updates.

Frank is concerned about the admissibility of his forensic data. Which of the following is not an element he should be concerned about?

Whether the forensic information includes a timestamp. Forensic information does not have to include a timestamp to be admissible, but timestamps can help build a case that shows when events occurred. Files without a timestamp may still show other information that is useful to the case or may have other artifacts associated with them that can provide context about the time and date.

The network that Jaime is connecting to requires each device to protect itself from potential threats both from outside the local security zone and from systems that share the same network zone with it. What security design concept requires this type of configuration?

Zero trust. A zero-trust network does not trust systems or individuals, even if they are already inside the network's security perimeter. This means that each device or system must be secure and defended, rather than creating a harder outside security shell at security boundaries like many traditional networks did. DMZs are used to allow access from public or lower-security zones to resources such as web servers. Security zones are a high-level concept based on the level of security for a network segment or other logical division. Security tagging is not a specific technical term.

What type of Trojan is specifically designed to provide administrative control of the systems it is installed on?

a RAT. RATs, or remote access Trojans, are Trojans that are specifically designed to provide remote administrative access.

Wayne is concerned that an on-path attack has been used against computers he is responsible for. What artifact is he most likely to find associated with this attack?

a browser plug-in. Man-in-the-browser attacks take advantage of malicious browser plug-ins or proxies to modify traffic at the browser level. They do not involve compromised routers or servers, and a modified hosts file is more likely to be involved in a man-in-the-middle attack.

Michael wants to acquire the firmware from a running device for analysis. What method is most likely to succeed?

Use forensic memory acquisition techniques.

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the exposure factor (EF)?

100%. The attack would result in the total loss of customer data stored in the database, making the exposure factor (EF) 100 percent.

Acme Widgets has 10 employees and they all need the ability to communicate with one another using a symmetric encryption system. The system should allow any two employees to securely communicate without other employees eavesdropping. If Acme Widgets switched to an asymmetric encryption algorithm, how many keys would be required to add the 11th employee?

2. In an asymmetric encryption algorithm, each employee needs only two keys: a public key and a private key. Adding a new user to the system requires the addition of these two keys for that user, regardless of how many other users exist.

Tarin ran a port scan on a web server hosting her organization's public website and discovered that it is exposing ports 22, 80, and 443 to the world. Which one of these ports poses the greatest security risk?

22. Port 22 is used by the Secure Shell (SSH) protocol and should generally never be exposed to public access because it enables brute-force SSH attacks. Ports 80 and 443 are commonly exposed on web servers to provide public web access using HTTP and HTTPS, respectively. Although organizations generally now prefer the use of HTTPS, port 80 remains open for the purposes of redirecting connections to port 443.

Nathaniel is scanning for SSH servers on his network. What port and protocol should he scan for to find them?

22/TCP. The default SSH port is 22 via TCP. Although some administrators move SSH to a nonstandard port, most invest time in protecting the SSH server and accounts instead.

What ISO standard provides guidance on privacy controls?

27701. The International Organization for Standardization (ISO) publishes ISO 27701, covering privacy controls. ISO 27001 and 27002 cover cybersecurity, and ISO 31000 covers risk management.

Amanda is assessing a vehicle's internal network. What type of bus is she most likely to discover connecting its internal sensors and controllers?

A CAN bus. A controller area network (CAN) is a vehicle-specific standard designed to allow microcontrollers, sensors, and other components of the vehicle to communicate. Zigbee, a wireless protocol used for home automation and similar short-ranged purposes, would be poorly suited to use in vehicles. Narrowband describes a channel, not a bus type, and an SoC bus was made up for this question.

Brianna is concerned about brownouts and short power outages for her systems in a datacenter. What type of power protection should she put in place to help keep her systems online?

A UPS, or uninterruptible power supply, relies on batteries or other stored power to keep systems online during short power outages, and it can also provide stable power during power sags and brownouts. A generator is needed for longer outages, because most UPS systems are intended to stay online for only a few minutes. A PDU, or power distribution unit, is used to deliver power to devices, and dual-power supplies are used to ensure that a single power supply failing or a single power source failing does not take down a server.

What type of malware connects to a command-and-control system, allowing attackers to manage, control, and update it remotely?

A bot. Bots connect to command-and-control systems, allowing them to be updated, controlled, and managed remotely. Worms spread via vulnerabilities, and drones and vampires aren't common terms for malware.

Scott notices that one of the systems on his network contacted a number of systems via encrypted web traffic, downloaded a handful of files, and then uploaded a large amount of data to a remote system. What type of infection should he look for?

A bot. The behaviors that Scott is seeing are characteristic of a bot infection. The bot was likely contacting command-and-control hosts, then downloading updates and/or additional packages, then uploading data from his organization. He will need to determine if sensitive or important business information was present on the system or accessible from it. Keyloggers will capture keystrokes and user input but would typically require additional malware packages to display this behavior. A logic bomb might activate after an event, but no event is described, and a backdoor is used for remote access.

Jerome wants to allow guests to use his organization's wireless network, but he does not want to provide a preshared key. What solution can he deploy to gather information such as email addresses or other contact information before allowing users to access his open network?

A captive portal. Jerome should deploy a captive portal that requires users to provide information before being moved to a network segment that allows Internet access. WPS capture mode was made up for this question, Kerberos is used for enterprise authentication, and WPA2 supports open, enterprise, or PSK modes but does not provide the capability Jerome needs by itself.

Catherine wants to deploy a split tunnel VPN. What is the key difference between a split tunnel and a full tunnel VPN?

A split tunnel only sends traffic intended for the remote network through the tunnel.

Tom has documented the set of security settings and procedures used to configure systems before they are deployed in his organization. What industry term describes this sort of documentation?

A configuration baseline. Configuration baselines are used to document the settings and procedures used to configure systems or devices. The rest of the options are not common industry terms.

Gary is reviewing his system's SSH logs and sees logins for the user named "Gary" with passwords like: password1, passsword2 ... PassworD. What type of attack has Gary discovered?

A dictionary attack. A dictionary attack will use a set of likely passwords along with common variants of those passwords to try to break into an account. Repeated logins for a single user ID with iterations of various passwords is likely a dictionary attack. A rainbow table is used to match a hashed password with the password that was hashed to that value. A pass-the-hash attack provides a captured authentication hash to try to act like an authorized user. A password spraying attack uses a known password (often from a breach) for many different sites to try to log in to them.

Charles has implemented LDAP for his organization. What type of service has he enabled?

A directory service. LDAP, the Lightweight Directory Access Protocol, is an open industry standard for directory services. LDAP is not itself a federation or an attestation service, nor does it provide biometric authentication services.

Ed wants to trick a user into connecting to his evil twin access point. What type of attack should he conduct to increase his chances of the user connecting to it?

A disassociation attack. If Ed can cause his target to disassociate from the access point they are currently connected to, he can use a higher transmission power or closer access point to appear higher in the list of access points. If he is successful at fooling the user or system into connecting to his AP, he can then conduct man-in-the-middle attacks or attempt other exploits. Denial-of-service attacks are unlikely to cause a system to associate with another AP, and a known plain-text attack is a type of cryptographic attack and is not useful for this type of attempt.

Gwen is building her organization's documentation and processes and wants to create the plan for what the organization would do if her datacenter burned down. What type of plan would typically cover that type of scenario?

A disaster recovery plan. Disaster recovery plans describe what will occur if a natural or man-made disaster has a significant impact on an organization. Business continuity plans describe how the business will continue to operate. IR plans deal with incidents, and stakeholder management is part of many plans.

Amanda wants to create a view of her buildings that shows Wi-Fi signal strength and coverage. What is this type of view called?

A heat map. A heat map shows the signal strength and coverage for each access point in a facility. Heat maps can also be used to physically locate an access point by finding the approximate center of its signal, which is useful for tracking down rogue access points and other unexpected or undesired wireless devices.

Ben wants to observe malicious behavior targeted at multiple systems on a network. He sets up a variety of systems and instruments to allow him to capture copies of attack tools and to document all the attacks that are conducted. What has he set up?

A honeynet. A honeynet is a group of systems that intentionally exposes vulnerabilities so that defenders can observe attacker behavior, techniques, and tools and use what they learn to design better defenses.

Samantha has configured an unused network segment at her company to appear to be vulnerable, and has added instrumentation and data gathering capabilities so that she can observe and analyze what attackers do while attempting to exploit that network. What type of environment has she set up?

A honeynet. A honeynet is a network built with intentional vulnerabilities to attract attackers whose actions can then be recorded and studied. A honeypot is a single system or device configured the same way. A black hole is a network location to which traffic is sent and from which it is not forwarded any further. A tarpit is a system configured to slow down attackers.

Olivia wants to install a host-based security package that can detect attacks against the system coming from the network, but she does not want to take the risk of blocking the attacks since she fears that she might inadvertently block legitimate traffic. What type of tool could she install that will meet this requirement?

A host intrusion detection system. Olivia should install a host-based intrusion detection system (HIDS). An IDS can detect and report on potential attacks but cannot stop them, which is exactly what Olivia wants. A host-based IPS can be configured to report only, but it has built-in blocking capability that could be enabled by mistake. Firewalls block known ports, protocols, or applications but do not detect attacks, although advanced modern firewalls blur the line between firewalls and other defensive tools. Finally, a data loss prevention tool focuses on preventing data exposure, not on stopping network attacks.

Kathleen wants to set up a system that allows access into a high-security zone from a low security zone. What type of solution should she configure?

A jump box. Jump boxes are systems or servers that are used to provide a presence and access path in a different security zone. VDI is a virtual desktop infrastructure and is used to provide controlled virtual systems for productivity and application presentation among other uses. A container is a way to provide a scalable, predictable application environment without having a full underlying virtual system, and a DMZ is a secured zone exposed to a lower trust level area or population.

Naomi wants to deploy a tool that can allow her to scale horizontally while also allowing her to patch systems without interfering with traffic to her web servers. What type of technology should she deploy?

A load balancer. Load balancers can spread traffic across multiple systems while allowing specific systems to be added or removed from the service pools in use. NIC teaming is used to increase bandwidth or to provide multiple network connections to a system, geographic diversity helps ensure that a single disaster impacting an organization cannot take the organization offline, and a multipath network prevents the disruption of a single network path from causing an outage.

Alyssa wants to use her Android phone to store and manage cryptographic certificates. What type of solution could she choose to do this using secure hardware?

A microSD HSM. A hardware security module (HSM) in a microSD form factor allows a mobile device like an Android phone to securely store and manage certificates.

The company that Hui works for has built a device based on an Arduino and wants to standardize its deployment across the entire organization. What type of device has Hui's organization deployed, and where should Hui place her focus on securing it?

A microcontroller, and on physical security. Arduinos are a form of microcontroller, and since an Arduino in its default form has no wired or wireless networking built in, Hui should focus on the physical security of the device.

What type of malicious actor is most likely to use hybrid warfare?

A nation-state. Hybrid warfare combines active cyberwarfare, influence campaigns, and real-world direct action. This makes hybrid warfare almost exclusively the domain of nation-state actors.

Which of the following phrases best describes a man-in-the-browser attack?

A proxy Trojan. Man-in-the-browser attacks insert malicious software that intercepts traffic from the browser and modifies it for malicious purposes, which is the behavior of a proxy Trojan. Although it may be implemented as a browser plug-in, the important element here is that it acts as a proxy, rather than as a rootkit, worm, or virus.

The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the application have?

A race condition. The application has a race condition, which occurs when multiple operations produce undesirable results because of the order in which they complete. A dereferencing flaw would involve an invalid memory reference, an insecure function would have security issues in the function itself, and improper error handling would involve how an error is displayed or what data it reveals.
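
The classic security-relevant form of this flaw is "check then act" on shared state: two requests both pass the check before either performs the update. The block below is an added example, not code from the quiz material; the account class, the 50 ms sleep used to widen the race window, and the amounts are assumptions for illustration. The racy method lets two concurrent withdrawals overdraw the account, and the safe method holds a lock across both the check and the update so the operations cannot interleave.

```python
import threading
import time


class Account:
    """Toy account used to reproduce a check-then-act race condition."""

    def __init__(self, balance: int):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount: int) -> bool:
        """The flaw: the balance check and the subtraction are not atomic."""
        if self.balance >= amount:
            time.sleep(0.05)  # widens the window so the race reproduces reliably
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount: int) -> bool:
        """The fix: the same check and update, made atomic by holding a lock across both."""
        with self._lock:
            if self.balance >= amount:
                time.sleep(0.05)  # same delay, but no other thread can observe the old balance
                self.balance -= amount
                return True
            return False


def concurrent_withdrawals(account: Account, method: str, amount: int, workers: int = 2):
    """Run `workers` threads that each call the named withdraw method at the same time.

    Returns (sorted per-thread results, final balance).
    """
    results = []
    withdraw = getattr(account, method)
    threads = [threading.Thread(target=lambda: results.append(withdraw(amount)))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results), account.balance


if __name__ == "__main__":
    # Two withdrawals of 80 from a balance of 100: the racy version approves both
    # and ends at -60; the locked version approves exactly one and ends at 20.
    print("racy:", concurrent_withdrawals(Account(100), "withdraw_racy", 80))
    print("safe:", concurrent_withdrawals(Account(100), "withdraw_safe", 80))
```

The same pattern appears as TOCTOU in file handling (checking permissions on a path, then opening it) and in double-spend bugs in payment code; the remedy is always to make the check and the action a single atomic step, not to shrink the window.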

The credit card reader that Susan used at the grocery store had a secondary reader and camera that captured her PIN and her card information. What type of attack is this?

A skimming attack. Skimming is the process of stealing credit card information by capturing it during a transaction or while the card is out of the owner's hands. Skimmers may be automated, such as the model described in the question, or manual, such as workers capturing credit card information while they are processing the card. A man-in-the-middle (MiTM) attack redirects traffic to allow an attacker to read and/or modify it before sending it on. Card shark and cardlock attacks were made up for this question.

Cynthia wants to clone a virtual machine. What should she do to capture a live machine, including the machine state?

A snapshot. Virtual machine snapshots capture the machine state at a point in time and will allow Cynthia to clone the system. A full backup and a differential backup can be used to capture the disk for the machine but typically will not capture the memory state and other details of the system state. A LiveCD allows you to boot and run a nonpersistent system from trusted media.

Alex discovers that the network routers his organization recently ordered are running a modified firmware version that does not match the hash provided by the manufacturer. How should Alex categorize this attack?

A supply chain attack. Supply chain attacks occur before software or hardware is delivered to an organization. Influence campaigns seek to change or establish opinions and attitudes, pharming attacks redirect legitimate traffic to fake sites, and hoaxes are intentional deceptions.

As part of their yearly incident response preparations, Ben's organization goes through a sample incident step by step to validate what each person will do in the incident. What type of exercise is this?

A walk-through. Ben's organization is conducting a walk-through exercise that reviews each step, thus ensuring that every team member knows what they would do and how they would do it. Checklist exercises are not a specific type of exercise. Tabletop exercises are conducted with more flexibility—team members are given a scenario and asked how they would respond and what they would do to accomplish tasks they believe would be relevant. A simulation exercise attempts to more fully re-create an actual incident to test responses.

Selah infects the ads on a website that users from her target company frequently visit with malware as part of her penetration test. What technique has she used?

A watering hole attack. Selah compromised a site her targets are known to visit so that it delivers malware to them, which is the definition of a watering hole attack.

Henry wants to use an open source forensic suite. Which of the following tools should he select?

Autopsy. Autopsy is the only open source forensic suite on this list. Both EnCase and FTK are commercial tools, and WinHex is also a commercial tool but isn't a forensic suite.

Joanna wants to implement an access control schema for her organization and needs to identify staff members based on their job title, their location, and whether they are a member of a specific team. What type of access control mechanism should she choose?

ABAC (attribute-based access control). ABAC grants access based on attributes of subjects (and, in most implementations, of resources and the environment as well). In this case, job title, location, and team membership are all attributes that can be used to grant permissions or access. Discretionary access control gives resource owners the right to decide what others can do with their resources. MAC enforces access control at the system or OS level, with the administrator making those choices. RBAC can be either rule- or role-based access control; here there are more than roles involved, and no rules were mentioned.
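
To make the difference from role-based control concrete, here is an added example (not part of the original quiz material) of a small ABAC policy evaluator. The subject and resource attributes, the rule set, and the sample users are all assumptions invented for illustration. Rules are predicates over attributes only: nothing in the policy names an individual user, and a deny rule takes precedence over any permit, with deny as the default.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str
    title: str          # e.g. "analyst", "manager"
    location: str       # site the person is working from
    teams: frozenset    # team memberships


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str  # "internal" or "restricted"
    owner_team: str
    site: str            # site that holds the data


# Rules are (name, predicate(subject, action, resource) -> bool). Assumed policy:
PERMIT_RULES = [
    # Members of the owning team may read the team's data.
    ("team-read", lambda s, a, r: a == "read" and r.owner_team in s.teams),
    # Only managers may approve, and only for data held at their own site.
    ("manager-approve-onsite",
     lambda s, a, r: a == "approve" and s.title == "manager" and s.location == r.site),
]
DENY_RULES = [
    # Restricted data may only be touched from the site that holds it, whatever the team.
    ("restricted-offsite",
     lambda s, a, r: r.classification == "restricted" and s.location != r.site),
]


def evaluate(subject: Subject, action: str, resource: Resource):
    """Return (decision, rule_name). Deny rules win; anything unmatched is denied."""
    for name, matches in DENY_RULES:
        if matches(subject, action, resource):
            return "deny", name
    for name, matches in PERMIT_RULES:
        if matches(subject, action, resource):
            return "permit", name
    return "deny", "default"


# Constructed sample subjects and resources.
ALICE = Subject("alice", "analyst", "NYC", frozenset({"payments"}))
BOB = Subject("bob", "manager", "NYC", frozenset({"fraud"}))
CAROL = Subject("carol", "manager", "LON", frozenset({"payments"}))
LEDGER = Resource("ledger", "internal", "payments", "LON")
KEYS = Resource("signing-keys", "restricted", "payments", "LON")


if __name__ == "__main__":
    for subj, action, res in [(ALICE, "read", LEDGER), (BOB, "approve", LEDGER),
                              (CAROL, "approve", LEDGER), (ALICE, "read", KEYS)]:
        print(subj.name, action, res.name, "->", evaluate(subj, action, res))
```

Note how a single role ("manager") is not enough to decide the approve case: location is what distinguishes Bob from Carol, which is exactly why Joanna's requirement points to ABAC rather than RBAC.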

Vince is choosing a symmetric encryption algorithm for use in his organization. He would like to choose the strongest algorithm from the choices below. What algorithm should he choose?

AES. AES is the successor to 3DES and DES and is the best choice for a symmetric encryption algorithm. RSA is a secure algorithm, but it is asymmetric rather than symmetric.

Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most, if discovered in a public repository?

API Keys. All of these items could be concerning, depending on the circumstances. However, API keys should never be found in public repositories because they may grant unauthorized individuals access to information and resources.

Which one of the following threat actors is most likely to have access to a zero-day exploit?

APT. Zero-day vulnerabilities are difficult to discover and their use is the hallmark of sophisticated, well-resourced advanced persistent threat (APT) groups. It is far less likely that a criminal syndicate, hacktivist, or script kiddie would have access to a zero-day vulnerability.

Patrick is a security analyst with a government agency who believes that his organization was targeted by a sophisticated foreign government attack that used a zero-day exploit. What term best describes this threat actor?

APT. This attack was waged by a foreign government using a sophisticated zero-day attack. The group waging this attack clearly qualifies as an advanced persistent threat (APT).

Samantha is investigating a cybersecurity incident where an internal user used his computer to participate in a denial-of-service attack against a third party. What type of policy was most likely violated?

AUP. This activity is almost certainly a violation of the organization's acceptable use policy, which should contain provisions describing appropriate use of networks and computing resources belonging to the organization.

Adam wants to deploy one-time passwords to his staff, and he wants to be able to support many different sites while also providing the ability to enroll users using his MDM system. What tool should he select?

Adam should select an authentication application. Tools like Google Authenticator, Duo, and Microsoft Authenticator all provide the capabilities that he is looking for. Some hardware tokens can handle multiple sites but are not manageable via MDM. Static codes are just that—printed-out codes. Phone-based push authentication could support multiple sites but is far less secure and, again, is not managed via MDM.

Scott runs the following tcpdump command. What will he see in the output of the command? tcpdump -n icmp

All ICMP traffic. Filtering for specific protocols is a common technique with tcpdump, and this command captures only ICMP traffic; the -n flag merely suppresses DNS resolution of the addresses shown in the output. Scott will see ping, the ICMP time-exceeded replies generated by traceroute, and other ICMP traffic, but he will not see TCP or UDP traffic.

Howard is assessing the legal risks to his organization based upon its handling of PII. The organization is based in the United States, handles the data of customers located in Europe, and stores information in Japanese datacenters. What law would be most important to Howard during his assessment?

All laws should have equal weight. The principle of data sovereignty states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed. In this case, Howard needs to assess the laws of all three jurisdictions.

Florian wants to ensure that systems on a protected network cannot be attacked via the organization's network. What design technique should he use to ensure this?

An air gap. Florian can use an air-gapped network. An air-gapped network or system has no connection to other systems or networks, so data and files must be manually copied to it. Hot and cold aisles are used in datacenters for airflow and thermal regulation, and protected cable distribution ensures that cables cannot be accessed or tapped without network administrators or security staff being aware.

During a site survey, Chris discovers that there are more access points broadcasting his organization's SSID than he expects there to be. What type of wireless attack has he likely discovered?

An evil twin. Evil twins are access points configured to appear to be legitimate access points. In this case, Chris should determine where his own access points are, and then use his wireless surveying tools to locate the potentially malicious access point. Although it is possible that a member of his organization's staff has configured their own access point, Chris needs to be sure that attackers have not attempted to infiltrate his network. Identical twin, alternate access point, and split SSID were made up for this question.

What does a SSL stripping attack look for to perform an on-path attack?

An unencrypted HTTP connection. The original SSL stripping attack relied on the victim starting from an unencrypted HTTP connection, and the updated SSLStrip+ continues to leverage HTTP connections while rewriting HTTPS links to HTTP links, giving it access to even more unencrypted traffic. DNSSEC and ARP are not what the attack looks for; obtaining the on-path position in the first place is a separate step.

The company that Theresa works for has deployed IoT sensors that have built-in cellular modems for communication back to a central server. What issue may occur if the devices can be accessed by attackers?

Attackers may steal the SIM cards and use them for their own purposes.

The board of directors of Kate's company recently hired an independent firm to review the state of the organization's security controls and certify those results to the board. What term best describes this engagement?

Audit. Any of these terms could reasonably be used to describe this engagement. However, the term audit best describes this effort because of the formal nature of the review and the fact that it was requested by the board.

When a caller was recently directed to Amanda, who is a junior IT employee at her company, the caller informed her that they were the head of IT for her organization and that she needed to immediately disable the organization's firewall due to an ongoing issue with their e-commerce website. After Amanda made the change, she discovered that the caller was not the head of IT, and that it was actually a penetration tester hired by her company. Which social engineering principle best matches this type of attack?

Authority

Matt wants to use a freely available, open source forensics tool. Which of the following tools will provide him with timelining and other advanced forensic capabilities?

Autopsy. It provides a broad range of forensics capabilities and is freely available, making it a popular solution for companies that need forensics software or for individuals learning the trade.

Which of the following is not a typical reason to use an IP addressing schema in an enterprise?

Avoiding use of other organizations' IP addresses. Organizations should use IP addresses that are specifically allocated to them or RFC 1918 addresses, which are not Internet-routable, so an addressing schema is not needed to avoid using another organization's addresses. IP address schemas are commonly used to avoid address exhaustion within a subnet. The same tracking helps with asset and system inventory, since it matches a device on the network to a known physical system. Finally, consistently using the same IP address for default gateways and other common network components means that support staff do not have to learn unique configurations in each location or network.

What device deployment model is least likely to support an agent-based NAC solution?

Bring your own device (BYOD). BYOD environments are less likely to find general acceptance of agent-based NAC solutions, since those require installing an agent on a personally owned device, which can be obtrusive. Agentless NAC solutions are therefore more common where security needs must be met without an agent being installed.

Charles wants to use a lock to secure a high-security area in his organization. He wants to ensure that losing the code to the lock will not result in the lock being easily defeated by someone with that code. What type of lock should he put in place?

Biometric. A biometric lock will require the registered user to be present to unlock it. Electronic and physical locks that rely on codes or combinations can be defeated by someone who knows the code, and time-based locks merely control when the lock can be opened, and then rely on one of the other three types of locking mechanism once time-based enforcement is accomplished.

Terry wants to prevent her users from installing specific games on her organization's computers. What type of technology solution can she use to prevent known applications from being installed?

Blacklisting. An application blacklist (deny list) names specific known applications that may not be installed or run; the opposite approach, whitelisting (allow list), permits only approved applications and blocks everything else.

What emerging cryptographic technology is commonly used to create a distributed and immutable public ledger?

Blockchain. A blockchain is, in its simplest description, a distributed and immutable public ledger. Records are distributed among many different systems around the world, and each block includes the hash of the block before it, so any change to a stored record is detectable by every participant. In practice this makes the ledger tamper-evident and very hard to rewrite, since an attacker would have to alter every subsequent block on enough copies to win the network's consensus.
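
The hash-linking that gives the ledger its tamper evidence is small enough to show directly. The block below is an added example, not code from the quiz material or from any real blockchain; the block layout, the JSON serialization and the sample entries are assumptions. It builds a chain of hash-linked blocks and shows that editing an old entry breaks that block's own hash, and that recomputing the hash just moves the break to the next block's back-link.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # the first block links to a fixed all-zero hash


@dataclass
class Block:
    index: int
    prev_hash: str
    data: str
    hash: str = ""


def block_hash(index: int, prev_hash: str, data: str) -> str:
    """Hash of the block contents; sort_keys makes the serialization canonical."""
    payload = json.dumps({"index": index, "prev_hash": prev_hash, "data": data},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_block(chain: list, data: str) -> Block:
    """Append a block whose prev_hash is the hash of the current last block."""
    index = len(chain)
    prev_hash = chain[-1].hash if chain else GENESIS_PREV
    block = Block(index, prev_hash, data, block_hash(index, prev_hash, data))
    chain.append(block)
    return block


def verify_chain(chain: list):
    """Return (True, None) if every block hashes correctly and links to its predecessor,
    otherwise (False, index of the first block that fails)."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1].hash if i else GENESIS_PREV
        if block.prev_hash != expected_prev:
            return False, i          # back-link broken
        if block.hash != block_hash(block.index, block.prev_hash, block.data):
            return False, i          # contents changed after hashing
    return True, None


def build_sample_chain() -> list:
    """Constructed sample ledger entries."""
    chain = []
    for entry in ("alice pays bob 5", "bob pays carol 2", "carol pays dave 1"):
        append_block(chain, entry)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("fresh chain:", verify_chain(chain))
    chain[1].data = "bob pays carol 200"          # tamper with an old record
    print("after edit:", verify_chain(chain))
    chain[1].hash = block_hash(1, chain[1].prev_hash, chain[1].data)
    print("after re-hashing block 1:", verify_chain(chain))   # block 2 now fails
```

On a single copy the attacker could simply re-hash every later block too; what makes the ledger "immutable" in practice is that the same chain is held by many independent parties who would all have to accept the rewritten history.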

Gary's organization is conducting a cybersecurity exercise. Gary is responsible for defending his systems against attack during the test. What role is Gary playing in the exercise?

Blue team. Blue teams are responsible for managing the organization's defenses. Red teams use offensive hacking as they attempt to gain access to systems on the target network. White teams serve as the neutral moderators of the exercise. Purple teaming brings the red and blue teams together, during or after an exercise, for knowledge sharing.

Octavia discovers that the contact list from her phone has been acquired via a wireless attack. Which of the following is the most likely culprit?

Bluesnarfing. Bluesnarfing is the theft of information from a Bluetooth enabled device. If Octavia left Bluetooth on and has not properly secured her device, then an attacker may have been able to access her contact list and download its contents. A bluejacking attack occurs when unwanted messages are sent to a device via Bluetooth.

Susan is designing the physical security controls for her organization's new building and wants to ensure that the front doors are protected from a vehicle being used to ram through them. What physical security control is typically put in place to prevent this?

Bollards are pillars or other structures placed to prevent vehicles from passing through an area.

What is the key difference between hashing and checksums?

Both can validate integrity, but a hash also provides a unique digital fingerprint. Although both a checksum and a hash can be used to validate message integrity, a cryptographic hash has far fewer collisions than a checksum and provides a unique fingerprint for a file; checksums catch accidental corruption, but an attacker can easily craft changes that preserve a checksum. Checksums are primarily used as a quick check that integrity is maintained, whereas hashes are used for many other purposes, such as validating passwords without retaining the original password. A checksum would not be useful for proving that a forensic image is identical to its source, but it could be used to ensure that your work had not changed the contents of the drive.
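
The "fewer collisions" point is easiest to see with a deliberately weak checksum beside a cryptographic hash. The following is an added example, not part of the quiz material; the byte-sum checksum, the constructed transfer record and the tampering are assumptions for illustration. Swapping the source and destination account numbers leaves the multiset of bytes unchanged, so a naive additive checksum still matches, while CRC32 (order-sensitive, but still forgeable by design) and SHA-256 both change.

```python
import hashlib
import zlib


def byte_sum_checksum(data: bytes) -> int:
    """Naive checksum: the sum of all bytes modulo 2**16. Order-insensitive."""
    return sum(data) % (1 << 16)


def crc32(data: bytes) -> int:
    """CRC32 as used by zip/PNG: detects reordering and bursts, but is linear, so an
    attacker with a few free bytes can force any target value."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: no practical way to find a second input with the same digest."""
    return hashlib.sha256(data).hexdigest()


def compare_integrity(original: bytes, modified: bytes) -> dict:
    """Report which mechanism still considers `modified` identical to `original`."""
    return {
        "byte_sum_matches": byte_sum_checksum(original) == byte_sum_checksum(modified),
        "crc32_matches": crc32(original) == crc32(modified),
        "sha256_matches": sha256_hex(original) == sha256_hex(modified),
    }


# Constructed records: the attacker reverses the direction of the transfer by swapping
# the two account numbers, which keeps every byte value and only changes their order.
ORIGINAL = b"transfer amount=100 from=2048 to=9001"
TAMPERED = b"transfer amount=100 from=9001 to=2048"


if __name__ == "__main__":
    print("unchanged:", compare_integrity(ORIGINAL, ORIGINAL))
    print("tampered: ", compare_integrity(ORIGINAL, TAMPERED))
    print("sha256 fingerprint of original:", sha256_hex(ORIGINAL))
```

This is why a forensic image is verified with SHA-256 (or at least two different hash algorithms) rather than a checksum: the question is not only whether bits flipped in transit but whether anyone could have substituted content without being noticed.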

What type of attack does an account lockout policy help to prevent?

Brute force. Account lockout policies lock an account after a specific number of failed login attempts, which stops a brute-force attack from making unlimited repeated attempts until one succeeds. Note that lockout does not stop password spraying, which spreads a few guesses across many accounts, and that an attacker can abuse it to lock legitimate users out.
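
A lockout policy is a small state machine: a sliding window of recent failures, a threshold, and a lock duration. The block below is an added example, not code from the quiz material; the class name, the default threshold and window values, and the injectable clock are assumptions chosen so the behavior can be exercised without waiting. The login helper checks the lock before it checks the password, so a correct guess earns the attacker nothing while the account is locked.

```python
import time
from collections import defaultdict


class LockoutPolicy:
    """Lock an account after `threshold` failures within `window` seconds,
    for `lockout` seconds. `clock` is injectable for testing."""

    def __init__(self, threshold: int = 5, window: float = 900, lockout: float = 900,
                 clock=time.monotonic):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(list)   # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time at which the lock expires

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:            # lock expired: reset the account's state
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Register a failed login. Returns True if the account is now locked."""
        if self.is_locked(user):
            return True
        now = self.clock()
        # Keep only failures inside the sliding window, then add this one.
        recent = [ts for ts in self._failures[user] if ts > now - self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure history."""
        self._failures.pop(user, None)


def attempt_login(policy: LockoutPolicy, user: str, credentials_valid: bool) -> str:
    """Returns "ok", "failed" or "locked". The lock is checked before the credentials
    so that a locked account rejects even the right password."""
    if policy.is_locked(user):
        return "locked"
    if credentials_valid:
        policy.record_success(user)
        return "ok"
    return "locked" if policy.record_failure(user) else "failed"


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, window=60, lockout=120)
    for _ in range(4):
        print(attempt_login(policy, "alice", credentials_valid=False))
    print(attempt_login(policy, "alice", credentials_valid=True))   # still locked
```

In a real service the response to the caller should be the same generic message for "failed" and "locked" so that the lockout state does not confirm which accounts exist; the distinction belongs in the logs, where it also feeds the spraying detection that per-account lockout cannot provide.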

Which one of the following assessment techniques is designed to solicit participation from external security experts and reward them for discovering vulnerabilities?

Bug bounty. Bug bounty programs are designed to allow external security experts to test systems and uncover previously unknown vulnerabilities. Bug bounty programs offer successful testers financial rewards to incentivize their participation.

Jeff wants to prevent wireless devices from being able to connect to Wi-Fi and cellular networks while in a specific room in his facility. What type of solution can he implement to make wireless connectivity impossible in that space without causing other issues in his organization?

Build a Faraday cage. Building a Faraday cage to block wireless signals is the best option for Jeff's needs. Although this may seem to be a strange requirement, organizations do this for wireless testing to isolate signals to a controllable area, and high-security organizations may make their entire building a Faraday cage to prevent unauthorized connectivity. Policy and MDM will both result in some devices being missed either on purpose or accidentally, and jamming signals is likely to cause other problems in his organization.

Kira would like to implement a security control that can implement access restrictions across all of the SaaS solutions used by her organization. What control would best meet her needs?

CASB (cloud access security broker). Cloud access security brokers (CASBs) are designed specifically for this situation: enforcing security controls across cloud providers. A secure web gateway (SWG) might achieve Kira's goal, but with more difficulty. Security groups and resource policies are controls used in IaaS environments.

Gurvinder wants to select a mobile device deployment method that provides employees with devices that they can use as though they're personally owned to maximize flexibility and ease of use. Which deployment model should he select?

COPE. Gurvinder's requirements fit the COPE (corporate-owned, personally enabled) mobile device deployment model. Choose your own device (CYOD) allows users to choose a device but then centrally manages it. BYOD allows users to use their own device, rather than have the company provide it, and MOTD means message of the day, not a mobile device deployment scheme.

Which one of the following would not commonly be available as an IaaS service offering?

CRM. Customer relationship management (CRM) packages offered in the cloud would be classified as software-as-a-service (SaaS), since they are not infrastructure components. Storage, networking, and computing resources are all common IaaS offerings.

What organization is known for creating independent security benchmarks covering hardware and software platforms from many different vendors?

Center for Internet Security

Carla is creating a new mobile application that will communicate with a backend server. What technology can she use to provide the app with a public key that it should expect from the backend server?

Certificate pinning. Certificate pinning provides a cryptographic communicator with the public key that it should expect from a remote server. Certificate stapling, the Online Certificate Status Protocol (OCSP), and certificate revocation lists (CRLs) are all used to manage the status of current and revoked digital certificates.

What is the document that tracks the custody or control of a piece of evidence called?

Chain of custody Chain-of-custody documentation tracks evidence throughout its lifecycle, with information about who has custody or control and when transfers happened, and continues until the evidence is removed from the legal process and disposed of. The other terms are not used for this practice.

Renee would like to send Christopher an encrypted message using an asymmetric encryption algorithm. What key should she use to encrypt the message?

Christopher's public key. When encrypting a message using an asymmetric encryption algorithm, the person performing the encryption does so using the recipient's public key.

What security control can be used to clearly communicate to users the level of protection required for different data types?

Classification policies. Classification policies create different categories of data used within an organization and then specify the level of security control required for each classification level. Using classifications helps users understand the type of protection necessary for each data type they encounter.

Skimming attacks are often associated with what next step by attackers?

Cloning. Cloning attacks often occur after a skimmer is used to capture card information. Skimming devices may include magnetic stripe readers, cameras, and other technology to allow attackers to make a complete copy of a captured card. Phishing focuses on acquiring credentials or other information but isn't a typical follow-up to a skimming attack. Dumpster diving and vishing are both unrelated techniques as well.

Which one of the following statements about cloud computing is incorrect?

Cloud computing customers provision resources through the service provider's sales team. One of the key characteristics of cloud computing is that customers can access resources on demand with minimal service provider interaction. Cloud customers do not need to contact a sales representative each time they wish to provision a resource but can normally do so on a self-service basis.

What type of security policy often serves as a backstop for issues not addressed in other policies?

Code of conduct. The code of conduct is often used as a backstop for employee behavior issues that are not addressed directly by another policy.

Tom is a software developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance?

Code signing. Code signing provides developers with a way to confirm the authenticity of their code to end users. Developers digitally sign a hash of their code with their own private key, and the user's operating system, browser, or package manager can then use the developer's public key to verify that signature and confirm that the code is legitimate and was not modified by unauthorized individuals.

A coalition of universities banded together and created a cloud computing environment that is open to all member institutions. The services provided are basic IaaS components. What term best describes this cloud model?

Community cloud. Community cloud deployments may offer IaaS, PaaS, and/or SaaS solutions. Their defining characteristic is that access is limited to members of a specific community.

Carl's organization is subject to PCI DSS. He determines that he will be unable to meet one of the PCI DSS objectives due to technical limitations and has obtained permission from his merchant bank to implement an alternative mechanism in place of the PCI DSS requirement. What type of control is Carl implementing?

Compensating. The scenario does not tell us whether the control is preventive, detective, or corrective. We do know, however, that it is being used in place of another control requirement that Carl's organization is unable to meet and is, therefore, a compensating control.

Jade's organization recently suffered a security breach that affected stored credit card data. Jade's primary concern is the fact that the organization is subject to sanctions for violating the provisions of the Payment Card Industry Data Security Standard. What category of risk is concerning Jade?

Compliance. The breach of credit card information may cause many different impacts on the organization, including compliance, operational, and financial risks. However, in this scenario, Jade's primary concern is violating PCI DSS, making Jade's concern a compliance risk.

Norm is using full-disk encryption technology to protect the contents of laptops against theft. What goal of cryptography is he attempting to achieve?

Confidentiality. Norm's actions are designed to protect against the unauthorized disclosure of sensitive information. This is a clear example of protecting confidentiality.

Hank has purchased servers that have dual power supplies. How should he connect the power supplies to ensure that systems stay online?

Connect the power supplies to different UPS or power distribution systems. A dual power supply system is typically connected to two different power infrastructures to ensure that, if one side fails, the server or system will remain online. This is part of designing and building a fully redundant power infrastructure.

Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework?

Contain. The five security functions described in the NIST Cybersecurity Framework (version 1.1) are identify, protect, detect, respond, and recover. CSF 2.0, released in 2024, added a sixth function, govern; contain is not a function in either version.

Fred's company allows employees to use their own devices under a BYOD model, so Fred wants to ensure that corporate data and applications are kept separate from personal applications on those devices. What technology is best suited to meeting this need?

Containerization. A managed container (work profile) on the device keeps corporate applications and data in a separate space that can be controlled and wiped by the organization without touching the employee's personal apps and data.

Hitesh wants to keep a system online but limit the impact of the malware that was found on it while an investigation occurs. What method from the following list should he use?

Containment. Containment activities focus on preventing further malicious actions or attacks. In this case, Hitesh might opt to prevent the malware from spreading but leave the system online because of a critical need or a desire to preserve memory and other artifacts for investigation. Isolation walls a system or systems off from the rest of the world, whereas segmentation is usually done before incidents occur to create zones or segments of a network or system with different security levels and purposes.

Every time Susan checks code into her organization's code repository, it is tested and validated, and then if accepted, it is immediately put into production. What is the term for this?

Continuous deployment. Although this example includes continuous integration, the key thing to notice is that accepted code is automatically put into production. That means Susan is operating in a continuous deployment environment, where code is both continually integrated and deployed; in continuous delivery, every build is kept deployable but a person still triggers the production release. Agile is a development methodology that often uses CI/CD, but we cannot tell from the question whether Susan is using Agile.

What term best describes an organization's desired security state?

Control objectives. As an organization analyzes its risk environment, technical and business leaders determine the level of protection required to preserve the confidentiality, integrity, and availability of their information and systems.

Which one of the following statements is not true about compensating controls under PCI DSS?

Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement. PCI DSS compensating controls must be "above and beyond" other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.

Jeff is concerned about the effects that a ransomware attack might have on his organization and is designing a backup methodology that would allow the organization to quickly restore data after such an attack. What type of control is Jeff implementing?

Corrective. Corrective controls remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a corrective control.

Abby's organization was recently the victim of an attack in which malicious actors implemented a man-in-the-middle attack that captured credentials and then attempted to use those credentials across many different sites and platforms. What type of attack is this?

Credential harvesting attacks can use many different techniques to acquire credentials. The important element that makes it credential harvesting is the intent to use those credentials elsewhere, typically by trying them on a variety of sites to see if account owners have reused usernames and passwords, or just passwords.

What type of attack depends on the fact that users are often logged in to many websites simultaneously in the same browser?

Cross-site request forgery (XSRF). XSRF attacks work by making the reasonable assumption that users are often logged into many different websites at the same time. Attackers then embed code in one website that sends a command to a second website.

Gabby's organization captures sensitive customer information, and salespeople and others often work with that data on local workstations and laptops. After a recent inadvertent breach where a salesperson accidentally sent a spreadsheet of customer information to another customer, her organization is seeking a technology solution that can help prevent similar problems. What should Gabby recommend?

DLP. Data loss prevention (DLP) can tag sensitive data and then scan outbound communications for that data. Once tagged data, or data that matches specific patterns such as credit card numbers or Social Security numbers, is discovered, DLP can alert the user or take other action.

Daniel wants to make users in his organization visit a different site than they intend to. To accomplish this, he falsifies DNS information in the local DNS server's cache, causing systems that use that DNS server to get incorrect information. What term describes this attack?

DNS poisoning

Olivia wants to protect against DNS cache poisoning, and she knows that digitally signing DNS replies from protected zones would be helpful as part of that effort. What can she implement to provide this capability?

DNSSEC. DNSSEC uses digital signatures to validate information provided by a DNS server, helping to prevent issues such as DNS poisoning. None of the other answers are real DNS security solutions; although you could protect DNS queries with TLS, doing so wouldn't validate the actual DNS information like DNSSEC does.

What technology uses mathematical algorithms to render information unreadable to those lacking the required key?

Data encryption. Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems. Encrypted data is unintelligible to anyone who does not have access to the appropriate decryption key, making it safe to store and transmit encrypted data over otherwise insecure means.

What term best describes data that is being sent between two systems over a network connection?

Data in motion

Helen's organization maintains medical records on behalf of its customers, who are individual physicians. What term best describes the role of Helen's organization?

Data processor. In this case, the physicians maintain the data ownership role. They have chosen to outsource data processing to Helen's organization, making that organization a data processor.

Under the European Union's GDPR, what term is assigned to the individual who leads an organization's privacy efforts?

Data protection officer. Under the GDPR, the data protection officer (DPO) is an individual assigned direct responsibility for carrying out an organization's privacy program.

Which one of the following policies would typically answer questions about when an organization should destroy records?

Data retention policy. The data retention policy outlines what information the organization will maintain and the length of time different categories of information will be retained prior to destruction.

Kevin is attempting to determine whether he can destroy a cache of old records that he discovered. What type of policy would most directly answer his question?

Data retention. The most relevant policy here is the organization's data retention policy, which should outline the standards for keeping records before destruction or disposal.

Which of the following is not a capability provided by S/MIME when it is used to protect attachments for email?

Data security for the email headers

Matthew is concerned about the impact of overlapping international data protection laws on his company's operations. What principle would best assist Matthew in assessing this situation?

Data sovereignty. The principle of data sovereignty states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed.

Under the shared responsibility model, which component always remains the responsibility of the customer, regardless of the cloud service model used?

Datacenter. In the shared responsibility model, the customer always retains either full or partial responsibility for data security. Responsibility for hardware and physical datacenters is the cloud provider's responsibility under all models. Responsibility for applications is the customer's responsibility under IaaS, the provider's responsibility under SaaS, and a shared responsibility under PaaS.

If David wishes to digitally sign the message that he is sending Mike, what key would he use to create the digital signature?

David's private key

Jill is reviewing the security controls that her organization uses to protect a sensitive network segment. She determines that the network is lacking adequate IDS capability. What type of control deficiency has Jill identified?

Detective. An intrusion detection system (IDS) identifies potential intrusions that may be taking place on a network and is, therefore, an example of a detective control. An intrusion prevention system (IPS), on the other hand, might actually block the attack and would be an example of a preventive control.

Tim is working on a change to a web application used by his organization to fix a known bug. What environment should he be working in?

Development. Developers working on active changes to code should always work in the development environment. The test environment is where the software or systems can be tested without impacting the production environment. The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production. The production environment is the live system. Software, patches, and other changes that have been tested and approved move to production.

Greg is reviewing a list of the security concerns commonly associated with an IPv6 rollout. Which of the following is not a common concern with IPv6 networks?

Device identification via MAC address is difficult.

Which one of the following algorithms is primarily used for the exchange of encryption keys?

Diffie-Hellman. Diffie-Hellman is a key exchange algorithm used to create a common shared secret key. AES and 3DES are symmetric encryption algorithms used to protect data. PBKDF2 is a key stretching algorithm used to create strong keys from short passwords.

Vince is conducting a penetration test against an organization and believes that he is able to gain physical access to the organization's facility. What threat vector does this access allow him to exploit that would otherwise be unavailable?

Direct Access

Tina recently completed a risk management review and identified that the organization is susceptible to a man-in-the-middle attack. After review with her manager, they jointly decided that accepting the risk is the most appropriate strategy. What should Tina do next?

Document the decision. After accepting a risk, the organization takes no action other than to document the risk as accepted. Implementing additional security controls or designing a remediation plan would not be risk acceptance but would instead fit into the category of risk mitigation.

Which of the following is not one of the four phases in COOP?

Documentation and reporting.

What type of cryptographic attack attempts to force a user to reduce the level of encryption that they use to communicate with a remote server?

Downgrade. A downgrade attack is sometimes used against secure communications such as TLS in an attempt to get the user or system to inadvertently shift to less secure cryptographic modes. The idea is to trick the user into shifting to a less secure version of the protocol, one that might be easier to break.

Ben searches through an organization's trash looking for sensitive documents, internal notes, and other useful information. What term describes this type of activity?

Dumpster Diving

What term is used to describe tools focused on detecting and responding to suspicious activities occurring on endpoints like desktops, laptops, and mobile devices?

EDR (endpoint detection and response). Endpoint detection and response (EDR) systems provide monitoring, detection, and response capabilities for systems. EDR systems capture data from endpoints and send it to a central repository, where it can be analyzed for issues and indicators of compromise or used for incident response activities. IAM is identity and access management, FDE is full-disk encryption, and ESC is not a commonly used security acronym.

What type of digital certificate provides the greatest level of assurance that the certificate owner is who they claim to be?

EV (extended validation). Extended validation (EV) certificates provide the highest available level of assurance. The CA issuing an EV certificate certifies that they have verified the identity and authenticity of the certificate subject.

Wanda is responsible for a series of seismic sensors placed at remote locations. These sensors have low-bandwidth connections and she would like to place computing power on the sensors to allow them to preprocess data before it is sent back to the cloud. What term best describes this approach?

Edge computing. This approach may be described as client-server computing, but that is a general term that describes many different operating environments. The better term to use here is edge computing, which involves placing compute power at the client to allow it to perform preprocessing before sending data back to the cloud. Fog computing is a related concept that uses IoT gateway devices that are located in close physical proximity to the sensors.

Charles wants to find out about security procedures inside his target company, but he doesn't want the people he is talking to realize that he is gathering information about the organization. He engages staff members in casual conversation to get them to talk about the security procedures without noticing that they have done so. What term describes this process in social engineering efforts?

Elicitation. Elicitation is the process of using casual conversation and subtle direction to gather information without the targets realizing they have disclosed details to that social engineer. Suggestion is not one of the terms used in the Security+ exam outline, pharming redirects traffic to malicious sites, and prepending can include a variety of techniques that add data or terms.

Of the threat vectors shown here, which one is most commonly exploited by attackers who are at a distant location?

Email. Email is the most common threat vector exploited by attackers who use phishing and other social engineering tactics to gain access to an organization. The other vectors listed here, direct access, wireless, and removable media, all require physical proximity to an organization and are not easily executed from a remote location.

In some encryption algorithms, an initial connection is set up using an asymmetric key. Immediately upon the establishment of that session, the two parties create a new symmetric key that is used for the remainder of the connection. What term best describes this type of symmetric key?

Ephemeral keys. Ephemeral, or short-lived, keys are used for key establishment protocols that then set up keys that will be used throughout the rest of the transaction. Public and private keys are part of that exchange, but both are required, so neither is the best answer on its own. "One-time keys" is not an encryption term, but one-time pads are cryptographic ciphers that are used once and then discarded.

Kevin is using a service where a cloud provider offers a platform that executes his code in response to discrete events. He is billed based on the actual resources consumed during each code execution event. What term best describes this service?

FaaS. This is an example of function-as-a-service (FaaS) computing, a subset of platform-as-a-service (PaaS). Although both terms may be used to describe the service Kevin uses, the best answer is FaaS, because it is more specific.

Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?

False positive. A false positive error occurs when the vulnerability scanner reports a vulnerability that does not actually exist.

Which of the following biometric technologies is most broadly deployed due to its ease of use and acceptance from end users?

Fingerprint scanner

Which of the following is the best description of tailgating?

Following someone through a door they just unlocked

Which of the following is not a common constraint of an embedded system?

Form factor. Embedded systems are available in a broad range of physical form factors, allowing them to be placed in many different types of systems and devices. Common constraints for embedded systems as described by the Security+ exam outline include power, compute, network, crypto, inability to patch, authentication, range, cost, and implied trust.

Which one of the following data elements is not commonly associated with identity theft?

Frequent flyer number. Although it is possible that a frequent flyer account number, or any other account number for that matter, could be used in identity theft, it is far more likely that identity thieves would use core identity documents. These include drivers' licenses, passports, and Social Security numbers.

Samantha wants to set an account policy that ensures that devices can be used only while the user is in the organization's main facility. What type of account policy should she set?

Geofencing

Cynthia has defined a boundary around her organization in the MDM tool she uses, and users are unable to access institutional data when their mobile devices are outside of that boundary. What is this technique called?

Geofencing. Geofencing places a boundary around a location using geolocation services. Actions are taken based on where a device is in relation to the geofence. A geoIP system attempts to match IP addresses to a geographic location or region. Geotagging marks a specific spot, and geolocation is the ability to locate a device or system.

Gurvinder identifies a third-party datacenter provider over 90 miles away to run his redundant datacenter operations. Why has he placed the datacenter that far away?

Geographic dispersal. Geographic dispersal helps ensure that a single natural or man-made disaster does not disable multiple facilities. This distance is not required by law; latency increases with distance; and though there may be tax reasons in some cases, this is not a typical concern for a security professional.

Xavier recently ran a port scan of the network used by his children's school. After running the scan, he emailed the school's IT department and told them that he ran the scan and shared the results to help them improve their security. What term would best classify Xavier's activity?

Gray hat. Xavier ran this scan without permission, so he cannot be classified as a white-hat hacker. However, he did not have malicious intent, so he is also not a black-hat hacker. This activity falls somewhere between these two classifications, so it is best described as gray-hat hacking.

Joe is authoring a document that explains to system administrators one way in which they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing?

Guideline. The key word in this scenario is "one way." This indicates that compliance with the document is not mandatory, so Joe must be authoring a guideline. Policies, standards, and procedures are all mandatory.

Which one of the following security policy framework components does not contain mandatory guidance for individuals in the organization?

Guideline. Guidelines are the only element of the security policy framework that is optional. Compliance with policies, standards, and procedures is mandatory.

What compliance regulation most directly affects the operations of a healthcare provider?

HIPAA. Although a health-care provider may be impacted by any of these regulations, the Health Insurance Portability and Accountability Act (HIPAA) provides direct regulations for the security and privacy of protected health information and would have the most direct impact on a health-care provider.

What term is used to describe wireless site surveys that show the relative power of access points on a diagram of the building or facility?

Heat maps. Site surveys that show relative power on a map or diagram are called heat maps. This can help to show where access points provide strong signal, and where multiple APs may be competing with each other due to channel overlap or other issues. It can also help to identify dead zones where signal does not reach.

Nadean is a software developer who is preparing a new application for release. She wishes to use code signing for the application file that will be deployed to a customer. What key should she use to sign the application?

Her organization's private key. Digital signatures are always created using the private key of the person or organization creating the digital signature. In this case, Nadean should use her organization's private key to sign the application.

Alan's team needs to perform computations on sensitive personal information but does not need access to the underlying data. What technology can the team use to perform these calculations without accessing the data?

Homomorphic Encryption. Homomorphic encryption technology protects privacy by encrypting data in a way that preserves the ability to perform computation on that data.

Kirk wants to learn more about attacker techniques, and to do so he sets up a system that appears to be vulnerable to attacks he is curious about. He carefully instruments the system and captures all attacker data and actions. What type of system has Kirk set up?

Honeypot. Kirk has set up a honeypot, an intentionally vulnerable and instrumented system designed to allow defenders to analyze attacker tools and techniques. A darknet is unused network space that is instrumented to allow the observation of network probes and attacks, particularly those that target network space by iterating through IP address ranges. Tarpits are systems that are designed to slow attackers down, such as those that respond to vulnerability scans very slowly with a service on every port. "Beartrap" is not a security term.

What component of a virtualization platform is primarily responsible for preventing VM escape attacks?

Hypervisor. Virtual machine (VM) escape vulnerabilities are the most serious issue that can exist in a virtualized environment, particularly when a virtual host runs systems of differing security levels. In an escape attack, the attacker has access to a single virtual host and then manages to leverage that access to intrude upon the resources assigned to a different virtual machine. The hypervisor is supposed to prevent this type of access by restricting a virtual machine's access to only those resources assigned to that machine.

Which of the following statements about the security implications of IPv6 is not true?

IPv6's NAT implementation is insecure

Ben would like to join a group of security professionals in his industry who share information about current threats. What would be the best type of group to join?

ISAC. Information sharing and analysis centers (ISACs) are groups organized specifically for the purpose of sharing information about security threats. Although the other sources listed here may be able to provide Ben with threat information, an ISAC is likely to have the highest quality information relevant to his industry.

What ISO standard provides guidance on risk management practices?

ISO 31000. The International Organization for Standardization (ISO) publishes ISO 31000, covering risk management. ISO 27001 and 27002 cover cybersecurity, and ISO 27701 covers privacy controls.

In which of the following cloud categories are customers typically charged based on the number of virtual server instances dedicated to their use?

IaaS and PaaS. Customers are typically charged for server instances in both IaaS environments, where they directly provision those instances, and PaaS environments, where they request the number of servers needed to support their applications. In an SaaS environment, the customer typically has no knowledge of the number of server instances supporting their use.

What phase in the incident response process leverages indicators of compromise and log analysis as part of a review of events?

Identification. The identification phase focuses on using various techniques to analyze events to identify potential incidents. Preparation focuses on building tools, processes, and procedures to respond to incidents. Eradication involves the removal of artifacts related to the incident, and containment limits the scope and impact of the incident.

Frank's organization is preparing to deploy a data loss prevention (DLP) system. What key process should they undertake before they deploy it?

Implement and use a data classification scheme. Defining data lifecycles can help prevent data from being kept longer than it should be and improves data security by limiting the data that needs to be secured, but it isn't necessary as part of a DLP deployment.

Gabby wants to protect against credential theft and knows that there are detection settings that can help prevent the abuse of stolen credentials. What detection and prevention setting relies on geolocation to protect against malicious use of stolen credentials?

Impossible travel time.

During a web application test, Ben discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report?

Improper error handling. Improper error handling often exposes data to users and possibly attackers that should not be exposed. In this case, knowing what SQL code is used inside the application can provide an attacker with details they can use to conduct further attacks. Code exposure is not one of the vulnerabilities we discuss in this book, and SQL code being exposed does not necessarily mean that SQL injection is possible. While this could be caused by a default configuration issue, there is nothing in the question to point to that problem.

Madhuri wants to check a PNG-formatted photo for GPS coordinates. Where can she find that information if it exists in the photo?

In the photo's metadata. If the photo includes GPS data, it will be included in the photo's metadata. Madhuri can use a tool like ExifTool to review the metadata for useful information. None of the other answers are places where data is stored for a PNG image as a normal practice.

Which one of the following statements about inline CASB is incorrect?

Inline CASB solutions can monitor activity but cannot actively enforce policy. Inline CASB solutions require either network reconfiguration or the use of a software agent. They intercept requests from users to cloud providers and, by doing so, are able to both monitor activity and enforce policy.

Bart runs a backup service for his organization, and every day he backs up the changes since the last backup operation he performed. What type of backup is he performing?

Incremental. Bart is conducting an incremental backup. Differential backups back up all data that has changed since the last full backup. Incremental backups back up the changes since the last full or incremental backup. Full backups back up all data, and "partial backup" is not a defined technical term.

The power company that Glenn works for builds their distribution nodes into structures that appear to be houses or other buildings appropriate for their neighborhoods. What type of physical security control is this?

Industrial camouflage. Designing buildings to be innocuous or otherwise unlikely to be noticed is a form of industrial camouflage and is often used to help facilities blend, reducing their likelihood of being targeted by malicious actors. This is a preventive control, rather than a detective or corrective control, and it does not create a demilitarized zone.

Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples:

http://www.mycompany.com/servicestatus.php?serviceID=1
http://www.mycompany.com/servicestatus.php?serviceID=2
http://www.mycompany.com/servicestatus.php?serviceID=3
http://www.mycompany.com/servicestatus.php?serviceID=4
http://www.mycompany.com/servicestatus.php?serviceID=5
http://www.mycompany.com/servicestatus.php?serviceID=6

What type of vulnerability was the attacker likely trying to exploit?

Insecure direct object reference. The series of thousands of requests incrementing a variable indicates that the attacker was most likely attempting to exploit an insecure direct object reference vulnerability.

What type of application testing analyzes code while a tester manipulates inputs to the application?

Interactive testing. Interactive testing combines static and dynamic analysis, performing static code analysis while the attacker interacts with application inputs. Static analysis analyzes code but does not manipulate inputs. Dynamic analysis manipulates inputs without performing code analysis. Footprinting is a network reconnaissance technique and not an application testing technique.

Charles needs to know about actions an individual performed on a PC. What is the best starting point to help him identify those actions?

Interview the individual. Although it may be tempting to use a technical answer, interviewing the individual involved is the best starting point when a person performed actions that need to be reviewed. Charles can interview the staff member, and then move on to technical means to validate their responses. System and event logs may have some clues to what occurred, but normal systems do not maintain a keystroke log. In fact, the closest normal element is the command log used by both Windows and Linux to allow command-line input to be recalled as needed.

Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information?

IoC (indicators of compromise). Specific details of attacks that may be used to identify compromises are known as indicators of compromise (IoCs). This data may also be described as an adversary tool, tactic, or procedure (TTP), but the fact that it is a set of file signatures makes it more closely match the definition of an IoC.

Isabelle needs to select the EAP protocol that she will use with her wireless network. She wants to use a secure protocol that does not require client devices to have a certificate, but she does want to require mutual authentication. Which EAP protocol should she use?

Isabelle should select PEAP, which doesn't require client certificates but does provide TLS support. EAP-TTLS provides similar functionality but requires additional software to be installed on some devices. EAP-FAST focuses on quick reauthentication, and EAP-TLS requires certificates to be deployed to the endpoint devices.

Mark unplugs the network connection from a system that is part of an incident and places tape over its Ethernet jack with a sign that says "Do not reconnect without approval from IR team." How is this method best described?

Isolation. Mark has isolated the system by removing it from the network and ensuring that it cannot communicate with other systems. Containment would limit the impact of the incident and might leave the system connected but with restricted or protected access. Segmentation moves systems or groups of systems into zones that have similar purposes, data classification, or other restrictions on them.

How does technology diversity help ensure cybersecurity resilience?

It ensures that a vulnerability in a single company's product will not impact the entire infrastructure. If a single vendor goes out of business, the company does not need to replace its entire infrastructure. It means that a misconfiguration will not impact the company's entire infrastructure.

What technique is used to ensure that DNSSEC-protected DNS information is trustworthy?

It is digitally signed. DNSSEC does not encrypt data but does rely on digital signatures to ensure that DNS information has not been modified and that it is coming from a server that the domain owner trusts. DNSSEC does not protect confidentiality, which is a key thing to remember when discussing it as a security option. TLS, an IPSec VPN, or encryption via AES are all potential solutions to protect the confidentiality of network data.

In a cryptographic system, what component is responsible for providing secrecy?

Key. In a cryptographic algorithm, only the keys provide secrecy. All other elements of the cryptographic system may be kept open for public inspection. Strong cryptographic algorithms depend only on the secrecy of the key and not the secrecy of their mechanism.

Nancy is concerned that there is a software keylogger on the system she is investigating. What data may have been stolen?

Keyboard and other input from the user. Though keyloggers often focus on keyboard input, other types of input may also be captured, meaning Nancy should worry about any user input that occurred while the keylogger was installed. Keyloggers typically do not target files on systems, although if Nancy finds a keylogger she may want to check for other malware packages with additional capabilities.

During a penetration test, Patrick deploys a toolkit on a compromised system and uses it to gain access to other systems on the same network. What term best describes this activity?

Lateral movement. Moving from one compromised system to other systems on the same network is known as lateral movement. Privilege escalation attacks increase the level of access that an attacker has to an already compromised system. Footprinting and OSINT are reconnaissance techniques.

Gurvinder has been asked to assist a company that recently fired one of their developers. After the developer was terminated, the critical application that they had written for the organization stopped working and now displays a message reading "You shouldn't have fired me!". If the developer's access was terminated and the organization does not believe that they would have had access to any systems or code after they left the organization, what type of malware should Gurvinder look for?

Logic bomb. A logic bomb is a type of malware that activates after specific conditions are met. Here, the developer no longer showing up in payroll, not entering a specific input, or another activation scheme could have been used. A RAT is a remote access Trojan, a PUP is a potentially unwanted program, and a keylogger steals user input.

Which of the following is the least volatile according to the forensic order of volatility?

Logs. Logs, along with any file that is stored on disk without the intention of being frequently overwritten, are the least volatile item listed. In order from most volatile to least from the answers here, you could list these as CPU registers, the system's routing table, temp files, and logs.

Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit?

Low. An attack complexity of "low" indicates that exploiting the vulnerability does not require any specialized conditions.

Melissa is planning on implementing biometric authentication on her network. Which of the following should be a goal for any biometric solution she selects?

Low CER. A low crossover error rate will ensure that there's a low false rejection rate and a low false acceptance rate. The other options each have a high element, which isn't desirable.

Dana needs to deploy and manage applications on mobile devices for her organization and knows that a broad variety of tools support this. Which of the following is not a common tool for this purpose?

MARS. Mobile device management (MDM), mobile application management (MAM), and universal endpoint management (UEM) tools are all commonly used to manage applications on mobile devices. Although MARS isn't a common acronym, Cisco's MARS product is a monitoring and analysis tool used to manage network devices, not mobile devices.

Greg would like to create an umbrella agreement that provides the security terms and conditions for all future work that his organization does with a vendor. What type of agreement should Greg use?

MSA. Master service agreements (MSAs) provide an umbrella contract for the work that a vendor does with an organization over an extended period of time. The MSA typically includes detailed security and privacy requirements. Each time the organization enters into a new project with the vendor, they may then create a statement of work (SOW) that contains project-specific details and references the MSA.

In the following image, a connection between two systems has been redirected by an attacker. The attacker has spoofed ARP packets to make it seem that responses to the legitimate server should instead be sent to a system that the attacker controls. When traffic is sent to that system, the attacker reads and potentially modifies the traffic before passing it along to the server, then sends back responses from the server after reviewing or modifying them as well. What type of attack is this?

Man-in-the-middle attack. This is one form of a man-in-the-middle attack, an attack that redirects traffic to a system or device controlled by the attacker, which can then take action on network traffic originally destined for another system.

What type of attack places an attacker in the position to eavesdrop on communications between a user and a web server?

Man-in-the-middle

Which team member acts as a primary conduit to senior management on an IR team?

Management. Members of management or organizational leadership act as a primary conduit to senior leadership for most incident response teams. They also ensure that difficult or urgent decisions can be made without needing escalated authority. Communications and PR staff focus on internal and external communications but are typically not the direct conduit to leadership. Technical and information security experts do most of the incident response work itself.

Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin's need?

Mandatory vacations. Mandatory vacations are designed to force individuals to take time away from the office to allow fraudulent activity to come to light in their absence. The other controls listed here (separation of duties, least privilege, and dual control) are all designed to prevent, rather than detect, fraud.

Greg's desktop system stores hashes of the system's firmware, bootloader, drivers, and other components that are loaded at boot in the TPM, and then boots. The OS then uses a remote attestation client to send that information to a server. What type of boot process is he using?

Measured boot. This is a UEFI measured boot process. Secure boot validates hashes against known good hashes for those boot elements. BIOS does not support either of these processes. UEFI hashing was made up for this question.

Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into?

Medium. Vulnerabilities with CVSS base scores between 4.0 and 6.9 fit into the medium risk category.

Which of the following is not typically part of a SoC?

Memory. A system on a chip (SoC) is a chip that has most of the functions of a complete computer built into it. In fact, most SoCs have a CPU, memory, input/output, and storage as part of the chip. Adding a display to the chip is unlikely, but adding a display that the SoC can access and display to is very common in things like smartphones, smart watches, and other devices.

Which one of the following tools is an exploitation framework commonly used by penetration testers?

Metasploit. Metasploit is the most popular exploitation framework used by penetration testers. Wireshark is a protocol analyzer. Aircrack-ng is a wireless network security testing tool. The Social Engineer's Toolkit (SET) is a framework for conducting social engineering attacks.

Which one of the following security assessment tools is least likely to be used during the reconnaissance phase of a penetration test?

Metasploit. Metasploit is an exploitation framework used to execute an attack and would be better suited for the Attacking and Exploiting phase of a penetration test. Nmap is a port scanning tool used to enumerate open network ports on a system. Nessus is a vulnerability scanner designed to detect security issues on a system. Nslookup is a DNS information gathering utility. All three of these tools may be used to gather information and detect vulnerabilities.

Alaina wants to maintain chain of custody documentation and has created a form. Which of the following is not a common element on a chain of custody form?

Method of transport. Chain of custody tracks who has an item, how it is collected, where it is stored and how, how it is secured or protected, who collected it, and transfers, but it does not typically include how the items were transported because that is not relevant if the other data is provided.

Jim wants to equip his mobile phone with the ability to create, store, and manage certificates. What hardware device is purpose-built for this use?

MicroSD HSM. Hardware security modules (HSMs) come in many forms, ranging from rack-mounted servers and appliances to USB-based HSMs. MicroSD HSMs are designed to allow mobile devices equipped with the proper application to interact with the HSM, providing a way to create, manage, and store certificates using a mobile device with hardware-based assurance. A USB blocker blocks data from being sent via USB cables to prevent data theft. Both a hashing store and a one-time password (OTP) are not hardware devices.

David would like to send Mike a message using an asymmetric encryption algorithm. What key should he use to encrypt the message?

Mike's public key. When encrypting a message using an asymmetric encryption algorithm, the person performing the encryption does so using the recipient's public key.

Brian would like to reduce the probability of a data breach that affects sensitive personal information. Which one of the following controls is most likely to achieve that objective?

Minimizing the amount of data retained and the number of locations it is stored

Madhuri wants to implement a camera system but is concerned about the amount of storage space that the video recordings will require. What technology can help with this?

Motion detection. Motion-detecting cameras can be used to help conserve storage space for video by recording only when motion is detected. In low-usage spaces like datacenters, this means recording will occur only occasionally. In more heavily used areas, the impact on total space used will be smaller but can still be meaningful, particularly after business hours.

Rick believes that a system he is responsible for has been compromised with malware that uses a rootkit to obtain and retain access to the system. When he runs a virus scan, the system doesn't show any malware. If he has other data that indicates the system is infected, what should his next step be if he wants to determine what malware may be on the system?

Mount the drive on another system and scan it that way

Chris is concerned about the possibility that former employees will disclose sensitive personal information about customers to unauthorized individuals. What is the best mechanism that Chris can use to manage this risk?

NDA. All of the mechanisms listed here may be used to protect private information. However, acceptable use policies, privacy policies, and data ownership policies are internal policies that would not be binding on former employees. To manage this risk, Chris's organization should have all employees sign nondisclosure agreements (NDAs) that remain binding after the end of the employment relationship.

What wireless technology is most frequently used for wireless payment solutions?

NFC

Which one of the following attackers is most likely to be associated with an APT?

Nation-state actor. Advanced persistent threats (APTs) are most commonly associated with nation-state actors.

Which of the following threat actors typically has the greatest access to resources?

Nation-state actors. Nation-state actors are government sponsored, and they typically have the greatest access to resources, including tools, money, and talent.

Greg is implementing a data loss prevention system. He would like to ensure that it protects against transmissions of sensitive information by guests on his wireless network. What DLP technology would best meet this goal?

Network based. In this case, Greg must use a network-based DLP system. Host-based DLP requires the use of agents, which would not be installed on guest systems. Greg may use watermarking and/or pattern recognition to identify the sensitive information, but he must use network-based DLP to meet his goal.

Paul is concerned that network devices in his organization may have exposed management interfaces. Which one of the following tests is most likely to discover this vulnerability?

Network vulnerability scan. Exposed management interfaces are a standard test conducted during network vulnerability scans. Application testing of any kind is unlikely to discover this type of vulnerability.

Randy wants to prevent DHCP attacks on his network. What secure protocol should he implement to have the greatest impact?

None of the above. None of the protocols listed will accomplish Randy's task. In fact, there is no secure DHCP or ARP version, and secure LDAP does not impact DHCP services.

Chuck wants to provide route security for his organization, and he wants to secure the BGP traffic that his routers rely on for route information. What should Chuck do?

None of the above. Unfortunately, BGP does not have native security methods, and BGP hijacks continue to appear in the news. Two solutions, SIDR and RPLS, have not been broadly adopted.

Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats?

Nonrepudiation. The three primary objectives of cybersecurity professionals are confidentiality, integrity, and availability.

Tina is applying a digital signature to a contract so that the recipient can prove that she agreed to its terms. What goal of cryptography most directly describes Tina's actions?

Nonrepudiation. Nonrepudiation ensures that individuals can prove to a third party that a message came from its purported sender. Although Tina may also achieve other goals with her approach, this goal is her stated intention.

Which one of the following reconnaissance techniques allows an attacker to gather information with the least likelihood of the target learning of the attack?

OSINT. Open source intelligence (OSINT) uses research techniques that mine publicly available information about the subject. OSINT would not trigger any alerts in the subject's security systems. The other active reconnaissance techniques listed here all involve interactions with target systems that would leave log entries and other traces of the attacker's actions.

Scott sends his backups to a company that keeps them in a secure vault. What type of backup solution has he implemented?

Offline. Scott has implemented an offline backup scheme. His backups will take longer to retrieve because they are at a remote facility and will have to be sent back to him, but they are likely to survive any disaster that occurs in his facility or datacenter.

What specification provided by the Trusted Computing Group is used to define self-encrypting drives?

Opal. The Opal storage specification defines how devices protect confidentiality of user data and ensures interoperability for devices that meet the Opal standard. FDE, full-disk encryption, is not a standard; Ruby is a programming language; and SED 2.0 was made up for this question.

Joe checks his web server logs and sees that someone sent the following query string to an application running on the server: http://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892' ; DROP TABLE Services;-- What type of attack was most likely attempted?

Parameter pollution. This query string is indicative of a parameter pollution attack. In this case, it appears that the attacker was waging a SQL injection attack and tried to use parameter pollution to slip the attack past content filtering technology. The two instances of the serviceID parameter in the query string indicate a parameter pollution attempt.

Precompiled SQL statements that only require variables to be input are an example of what type of application security control?

Parameterized queries. A parameterized query (sometimes called a prepared statement) uses a prebuilt SQL statement to prevent SQL-based attacks. Variables from the application are fed to the query, rather than building a custom query when the application needs data.

Which of the following technologies is the least effective means of preventing shared accounts?

Password complexity requirements. Password complexity requirements do not prevent sharing of complex passwords, making it the least effective option from the list.

After user accounts belonging to users from her organization for other third-party sites were breached, Sally begins to see attempts against services she is responsible for using those usernames and passwords from the breach. She receives notices from other sites that the same usernames and passwords are being tried there too. What type of attack is occurring?

Password spraying. Password spraying attacks use known passwords to attempt to log in as the same user on other services and sites. A dictionary attack uses a list of likely passwords as well as likely variants to try to log into one or more accounts. A known plain-text attack uses plain text to try to crack a cryptographic cipher to recover other encrypted data. An offline password attack is conducted against a stolen password file to try to crack the passwords, not against online services and sites.

Connor believes that there is an issue between his organization's network and a remote web server, and he wants to verify this by checking each hop along the route. Which tool should he use if he is testing from a Windows 10 system?

Pathping. The Windows pathping tool is specifically designed to show the network latency and loss at each step along a route. The tracert tool identifies the path to a remote system, and the route command can be used to view, add, and delete routes. traceroute is used in Linux, not Windows.

Norm is conducting a penetration test and has gained access to an organization's database server. He then creates a user account for himself on that system in the hope that he can use this account to access the system at a later date, even if the original exploit that he used is patched. What term best describes Norm's activity?

Persistence. Persistence includes any technique used to maintain access to a system, even after the attack is discovered. Norm is creating this user account for this purpose, so his activity is best described as persistence.

Kyle is conducting a penetration test. After gaining access to an organization's database server, he installs a backdoor on the server to grant himself access in the future. What term best describes this action?

Persistence. Backdoors are a persistence tool, designed to make sure that the attacker's access persists after the original vulnerability is remediated. Kyle can use this backdoor to gain access to the system in the future, even if the original exploit that he used to gain access is no longer effective.

Alaina discovers that someone has set up a website that looks exactly like her organization's banking website. Which of the following terms best describes this sort of attack?

Pharming. Pharming best fits this description. Pharming attacks use web pages that are designed to look like a legitimate site but that attempt to capture information like credentials. Typo squatting relies on slightly incorrect hostnames or URLs, and nothing like that is mentioned in the question.

Lucca's organization runs a hybrid datacenter with systems in Microsoft's Azure cloud and in a local facility. Which of the following attacks is one that he can establish controls for in both locations?

Phishing. Shoulder surfing, tailgating, and dumpster diving are all in-person physical attacks and are not something that will be in Lucca's control with a major cloud vendor. Antiphishing techniques can be used regardless of where servers and services are located.

Sarah's security team has recommended that she place the offsite storage facility for her organization's backups at least 90 miles away from the primary office location. What is the primary driver of this recommendation?

Placing the offsite storage facility 90 miles away means that a single disaster won't destroy both the main facility and the backups.

Bart knows that there are two common connection methods between Wi-Fi devices. Which of the following best describes ad hoc mode?

Point-to-point. Ad hoc networks work without an access point. Instead, devices directly connect to each other in a point-to-point fashion. Infrastructure mode Wi-Fi networks use a point-to-multipoint model.

Geoff needs to connect to an Internet of Things device that broadcasts an SSID to allow him to perform initial configuration of the device. When he connects to the unsecured Wi-Fi, he can then manage the device using an application. What connection model does this type of Wi-Fi connection use?

Point-to-point. This is a point-to-point connection. Device-to-device connections are typically point to point, whereas access points use point-to-multipoint connections. The description notes an unencrypted connection rather than an authenticated enterprise connection.

Which one of the following items is not normally included in a request for an exception to security policy?

Proposed revision to the security policy. Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.

Gary is an attacker who wants to cause an AI analysis program to produce false positive responses when attempting to find malicious software. What should he do to influence the AI's data analysis if he only has access to the systems or network that the AI's data is captured from?

Provide tainted data. Providing tainted data is an effective way to modify an AI's responses without having direct access to the AI's underlying code. Unless Gary has direct access to the AI and its underlying code, he cannot change the code. Encrypting the data used by the AI won't change how the AI processes it but would protect it from being used by attackers who managed to acquire it.

At the end of a cybersecurity exercise, who gathers to share lessons learned during both the offensive and defensive portions of the exercise?

Purple team

Rick has been asked to secure a legacy SCADA environment that his organization uses to manage power generation facilities. What recommendation is best suited to a legacy environment that uses a combination of proprietary and open protocols and systems?

Put the SCADA system on an isolated network and strictly control ingress and egress.

Marek finds the following code on a Linux workstation that he is reviewing. What language is it, and what does it do?

    import socket

    # Create a TCP socket and attempt a connection to port 22 on the remote host
    my_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    rhost = ("10.11.24.8", 22)
    # connect_ex returns 0 on success, otherwise an error number
    result_detail = my_socket.connect_ex(rhost)
    if result_detail == 0:
        print("Open")
    else:
        print("Closed")
    my_socket.close()

Python; checks if SSH is accessible. This simple Python code defines a socket, defines a remote host and port, and then checks to see if it can open a TCP connection. Since the port is 22, we can assume this is checking for SSH. Bash doesn't directly support sockets the same way that Python does, and this code should clearly look like Python code instead of Bash code, allowing you to rule out the potential of this being a Bash script.

Elaine wants to implement an AAA system. Which of the following is an AAA system she could implement?

RADIUS. Of all the listed options, only RADIUS is an authentication, authorization, and accounting service.

Gabby wants to implement a mirrored drive solution. What RAID level does this describe?

RAID 1. RAID 1 mirrors drives, providing higher read speeds and a redundant copy of the data while using twice the storage space. RAID 0 is striping; RAID 5 and 6 do striping with parity, using additional space to provide checksums for data.

Theresa wants to implement an access control scheme that sets permissions based on what the individual's job requires. Which of the following schemes is most suited to this type of implementation?

RBAC (role-based access control). Role-based access control (RBAC) sets permissions based on an individual's role, which is typically associated with their job. Attribute-based access control (ABAC) is typically matched to attributes other than the job role. Discretionary access control (DAC) and mandatory access control (MAC) are commonly implemented at the operating system level.

Which wireless technology is frequently used for door access cards?

RFID

What type of wireless tags are commonly used for inventory control as well as in facility access cards?

RFID. RFID, or radio frequency ID, tags are commonly used for both inventory control and for building access cards. Bluetooth, infrared, and Wi-Fi are not used for this purpose, although NFC may be in some cases, particularly when mobile devices are used for access to facilities.

The organization that Lynn works for wants to deploy an embedded system that needs to process data as it comes in to the device without processing delays or other interruptions. What type of solution does Lynn's company need to deploy?

RTOS. A real-time operating system (RTOS) is an OS that is designed to handle data as it is fed to the operating system, rather than delaying handling it as other processes and programs are run. Real-time operating systems are used when processes or procedures are sensitive to delays that might occur if responses do not happen immediately. An MFP is a multifunction printer, a HIPS is a host intrusion prevention system, and an SoC is a system on a chip, which is hardware that might run an RTOS, but the answer does not mention what type of OS the SoC is running.

What type of cryptographic attack is especially effective against passwords stored in hashed format?

Rainbow table. Rainbow table attacks attempt to reverse hashed password values by precomputing the hashes of common passwords. The attacker takes a list of common passwords and runs them through the hash function to generate the rainbow table. They then search through lists of hashed values, looking for matches to the rainbow table.

Lucca is prototyping an embedded system and wants to use a device that can run a full Linux operating system so that he can install and use a firewall and other security software to protect a web service he will run on it. Which of the following solutions should he use?

Raspberry Pi. A Raspberry Pi supports Linux natively and has the resources and hardware to run the operating system and services described. An Arduino is a microcontroller and is better suited to handling a limited set of sensors, actuators, or similar hardware. An FPGA is a specific type of integrated chip that can be programmed to handle specific tasks, but it is not a full computer.

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?

Read-only. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

Kevin is participating in a security exercise for his organization. His role in the exercise is to use hacking techniques to attempt to gain access to the organization's systems. What role is Kevin playing in this exercise?

Red team. Offensive hacking is used by red teams as they attempt to gain access to systems on the target network. Blue teams are responsible for managing the organization's defenses. White teams serve as the neutral moderators of the exercise. Purple teaming is conducted after an exercise to bring together the red and blue teams for knowledge sharing.

You notice a high number of SQL injection attacks against a web application run by your organization, so you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?

Reduced the probability. Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application and the threat of an external attack is unchanged. The impact of a successful SQL injection attack is also unchanged by a web application firewall.

Daniel knows that WPA3 has added a method to ensure that brute-force attacks against weak preshared keys are less likely to succeed. What is this technology called?

SAE. Simultaneous Authentication of Equals (SAE) is used to establish a secure peering environment and to protect session traffic. Since the process requires additional cryptographic steps, it causes brute-force attacks to be much slower and thus less likely to succeed while also providing more security than WPA2's preshared key (PSK) mode. WPS is Wi-Fi Protected Setup, a quick setup capability; CCMP is the encryption mode used for WPA2 networks. WPA3 moves to 128-bit encryption for Personal mode and can support 192-bit encryption in Enterprise mode.

Brian has deployed a system that monitors sensors and uses that data to manage the power distribution for the power company that he works for. Which of the following terms is commonly used to describe this type of control and monitoring solution?

SCADA. SCADA (supervisory control and data acquisition) is a system architecture that combines data acquisition and control devices with communications methods and interfaces to oversee complex industrial and manufacturing processes, just like those used in utilities.

April is working with an independent auditor to produce an audit report that she will share with her customers under NDA to demonstrate that her organization has appropriate security controls in place and that those controls are operating effectively. What type of audit report should April expect?

SOC 2 Type 2. The fact that the auditor will be assessing the effectiveness of the controls means that this is a Type 2 report, not a Type 1 report. The fact that it will be shared only under NDA means that it is a SOC 2 assessment.

Valerie wants to replace the telnet access that she found still in use in her organization. Which protocol should she use to replace it, and what port will it run on?

SSH, port 22. Telnet provides remote command-line access but is not secure. SSH is the most common alternative to telnet, and it operates on port 22.

What protocol is used to prevent network loops?

STP. STP, or Spanning Tree Protocol, is used to detect loops. STP ensures that every segment is accessible but that loops are detected and blocked. Both BGP and RIP are routing protocols, and LLD was made up for this question.

In what cloud security model does the cloud service provider bear the most responsibility for implementing security controls?

SaaS. The cloud service provider bears the most responsibility for implementing security controls in an SaaS environment and the least responsibility in an IaaS environment. This is due to the division of responsibilities under the cloud computing shared responsibility model.

Ian has been receiving hundreds of false positive alerts from his SIEM every night when scheduled jobs run across his datacenter. What should he adjust on his SIEM to reduce the false positive rate?

Sensitivity. Ian's first step should be changing the sensitivity for his alerts. Adjusting the alerts to ignore safe or expected events can help reduce false positives. Correlation rules may then need to be adjusted if they are matching unrelated items. Dashboards are used to visualize data, not for alerting, and trend analysis is used to feed dashboards and reports.

Frank's organization recently suffered an attack in which a senior system administrator executed some malicious commands and then deleted the log files that recorded his activity. Which one of the following controls would best mitigate the risk of this activity recurring in the future?

Separation of duties. Separation of duties is the most effective way to mitigate this risk. Administrators who have access to perform privileged activities on systems should not also have the ability to alter log files. Two-person control could work but would be very cumbersome. Job rotation and security awareness would not address this risk.

Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain if her attack will be successful?

Session cookie. Websites use HTTP cookies to maintain sessions over time. If Wendy is able to obtain a copy of the user's session cookie, she can use that cookie to impersonate the user's browser and hijack the authenticated session.

Angela wants to prevent users in her organization from changing their passwords repeatedly after they have been changed so that they can reuse their current password. What two password security settings does she need to implement to make this occur?

Set a password history and a minimum password age

Mike is sending David an encrypted message using a symmetric encryption algorithm. What key should he use to encrypt the message?

Shared secret key

Tracy is concerned about attacks against the machine learning algorithm that her organization is using to assess their network. What step should she take to ensure that her baseline data is not tainted?

She should run the ML algorithm on the network only if she believes it is secure. If Tracy is worried about baselining her network and having tainted data, she needs to ensure that no malicious activity is occurring when she runs the baseline data capture. That way, the machine learning algorithm will only be working with normal traffic patterns and behaviors and can then detect and alert on things that are abnormal.

Alan reads Susan's password from across the room as she logs in. What type of technique has he used?

Shoulder surfing

What significant improvement in personal mode wireless was included in WPA3?

Simultaneous authentication of equals. Simultaneous authentication of equals is a major addition to WPA3's Personal mode, and it actually helps to prevent dictionary attacks. AES encryption remains in use, but Wi-Fi Protected Setup (WPS) is being removed.

Madhuri receives a text message asking her to contact the IRS due to unpaid taxes. When she calls, the person on the other end of the line attempts to get her to disclose a bank account number, Social Security number, and other personal information. What type of attack is this?

Smishing

Michelle enables the Windows 10 picture password feature to control logins for her laptop. Which type of attribute will it provide?

Something you can do. Picture password asks users to click on specific, self-defined parts of a picture. This means that clicking on those points is something you can do.

Xavier is implementing multifactor authentication and wants to ensure that he is using different factors. The authentication system he is setting up requires a PIN and a biometric factor. What types of factors are these?

Something you know and something you are

What type of phishing targets specific groups of employees, such as all managers in the financial department of a company?

Spear phishing. Spear phishing is aimed at specific groups. Whaling would target VIPs and executives, smishing uses SMS (text) messages, and vishing is done via voice or voicemail.

Jean recently completed the user acceptance testing process and is getting her code ready to deploy. What environment should house her code before it is released for use?

Staging. Developers working on active changes to code should always work in the development environment. The test environment is where the software or systems can be tested without impacting the production environment. The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production. The production environment is the live system. Software, patches, and other changes that have been tested and approved move to production.

Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. What type of document is Allan writing?

Standards. Standards describe specific security controls that must be in place for an organization. Allan would not include acceptable mechanisms in a high-level policy document, and this information is too general to be useful as a procedure. Guidelines are not mandatory, so they would not be applicable in this scenario.

Brian discovers that a user suspected of stealing sensitive information is posting many image files to a message board. What technique might the individual be using to hide sensitive information in those images?

Steganography is the art of using cryptographic techniques to embed secret messages within another file.

Tony is reviewing the status of his organization's defenses against a breach of their file server. He believes that a compromise of the file server could reveal information that would prevent the company from continuing to do business. What term best describes the risk that Tony is considering?

Strategic. The risk that Tony is contemplating could fit any one of these categories. However, his primary concern is that the company may no longer be able to do business if the risk materializes. This is a strategic risk.

Greg believes that an attacker may have installed malicious firmware in a network device before it was provided to his organization by the supplier. What type of threat vector best describes this attack?

Supply chain. Tampering with equipment before it reaches the intended user is an example of a supply chain threat. It is also possible to describe this attack as a direct access attack because it involved physical access to the device, but supply chain is a more relevant answer. You should be prepared to select the best possible choice from several possible correct answers when you take the exam. Security+ questions often use this type of misdirection.

Which one of the following protocols allows the exchange of threat information over HTTPS connections?

TAXII. TAXII is intended to allow cyberthreat information to be communicated at the application layer via HTTPS. STIX is an XML format for describing threat components. OpenIOC is an XML format for describing indicators of compromise. TTP is a generic term for adversary tools, tactics, and procedures and is not a communication protocol or standard.

What protocol is used to securely wrap many otherwise insecure protocols?

TLS. Transport Layer Security (TLS) is commonly used to wrap (protect) otherwise insecure protocols. In fact, many of the secure protocols simply add TLS to protect them. ISAKMP and IKE are both used for IPSec and can be used to wrap insecure protocols, but they aren't used alone. SSL is no longer used; TLS has almost entirely replaced it, although SSL is still often casually referred to as TLS.

The authentication token that Susan uses generates codes based on an algorithm that relies on the current time. What type of token does Susan have?

TOTP. Susan has a time-based OTP (TOTP) token. HMAC-based One-Time Password (HOTP) tokens use a mathematical function that increments based on an event such as a button push. Timestamp and time offsets are used for forensic and log analysis but are not types of tokens.

What hardware device is used to create the hardware root of trust for modern desktops and laptops?

TPM. A hardware root of trust provides a unique element that means that board or device cannot be replicated. A TPM, or Trusted Platform Module, is commonly used to provide the hardware root of trust. CPUs and system memory are not unique in this way for common desktops and laptops, and an HSM, or hardware security module, is used to create, manage, and store cryptographic certificates as well as perform and offload cryptographic operations.

Elaine has been asked to choose a physical backup medium to send to an offsite storage facility as part of her organization's disaster recovery planning. What is the least expensive commonly used option for reliable mass storage for backups in this scenario?

Tapes. The most common answer to large-scale backups that will be kept in a storage location is to use tapes. Tapes are relatively inexpensive, travel safely, and are available in very high capacities.

Tina is tuning her organization's intrusion prevention system to prevent false positive alerts. What type of control is Tina implementing?

Technical control. Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.

Elenora runs the following command on a Linux system: cat example.txt example2.txt What will result?

The contents of both example.txt and example2.txt will be displayed on the terminal. Using the cat command with two filenames will simply display both files to the terminal. Appending a file to another file requires directing output to that file, such as cat example.txt >> example2.txt.

The organization that Chris works for has disabled automatic updates. What is the most common reason for disabling automatic updates for organizational systems?

To avoid issues with problematic patches and updates

Which one of the following certificate formats is closely associated with Windows binary certificate files?

The PFX format is most closely associated with Windows systems that store certificates in binary format, whereas the P7B format is used for Windows systems storing files in text format.

What hardware device is used to create the hardware root of trust for modern desktops and laptops?

The TPM

Chris has turned on logon auditing for a Windows system. Which log will show the logon events?

The Windows Security log. The Windows Security log records logon events when logon auditing is enabled. The Application and System logs do not contain these events.

Sally is working to restore her organization's operations after a disaster took her datacenter offline. What critical document should she refer to as she restarts systems?

The restoration order documentation

Thomas has configured UEFI boot attestation on the servers that he is responsible for. What occurs during boot attestation?

The system attests to a verification platform about the trustworthiness of the software it is running after it completes the boot process. Boot attestation provides information about the software that it booted with to an attestation verification platform or system after boot, unlike secure boot, which uses a chained verification process to ensure that each component is signed and acceptable before it is loaded.

Which one of the following statements is not true about zero-day attacks?

They are often widely publicized. Zero-day attacks are generally known only to a small group of researchers who discover the vulnerabilities. They are not known to the general public and would likely be patched by the vendor if they became widely known. Zero-day vulnerabilities may exist in any technology component: software or hardware. They are only effective during the limited window of opportunity when they remain unpatchable before the vendor issues a fix.

Which one of the following threat research tools is used to visually display information about the location of threat actors?

Threat map. Threat maps are graphical tools that display information about the geographic locations of attackers and their targets. These tools are most often used as interesting marketing gimmicks, but they can also help identify possible threat sources.

Trevor is deploying the Google Authenticator mobile application for use in his organization. What type of one-time password system does Google Authenticator use in its default mode?

Time-based one-time passwords

What is an HSM used for?

To generate, manage, and securely store cryptographic keys. Hardware security modules (HSMs) are used to create, securely store, and manage digital signatures, cryptographic key pairs, and other cryptographic functions. They are not used for biometric enrollment data, to enable federation, or to generate one-time passwords.

What data minimization technique replaces personal identifiers with unique identifiers that may be cross-referenced with a lookup table?

Tokenization. Tokenization replaces personal identifiers that might directly reveal an individual's identity with a unique identifier using a lookup table. Hashing uses a cryptographic hash function to replace sensitive identifiers with an irreversible alternative identifier. Salting these values with a random number prior to hashing them makes these hashed values resistant to a type of attack known as a rainbow table attack.

Jake is reviewing a database containing records of customer purchases and comes across the following table. What data minimization technique has most likely been used on the credit card information in this table?

Tokenization. This data is most likely tokenized. It appears to have been replaced with a sequential identifier that might be used to reference a credit card number contained in a lookup table. If the data had been hashed, it would contain fixed-length hash values. If the data had been masked, it would contain placeholder characters, such as asterisks or Xs.

Which one of the following U.S. government classification levels requires the highest degree of security control?

Top Secret. Top Secret is the highest level of classification under the U.S. system and, therefore, requires the highest level of security control.

Which of the following controls helps prevent insider threats?

Two-person control. Two-person control is specifically intended to prevent insider threats by requiring two individuals to take a given action.

Chris wants systems that connect to his network to report their boot processes to a server where they can be validated before being permitted to join the network. What technology should he use to do this on the workstations?

UEFI/Measured boot. Chris knows that BIOS-based systems do not support either of these modes, and that trusted boot validates every component before loading it, whereas measured boot logs the boot process and sends it to a server that can validate it before permitting the system to connect to the network or perform other actions.

What standard allows USB devices like cameras, keyboards and flash drives to be plugged into mobile devices and used as they normally would be?

USB-OTG. USB On-the-Go, or USB-OTG, is a standard that allows mobile devices to act as USB hosts, allowing cameras, keyboards, thumb drives, and other USB devices to be used.

Angela wants to limit the potential impact of malicious Bash scripts. Which of the following is the most effective technique she can use to do so without a significant usability impact for most users?

Use Bash's restricted mode. Bash's restricted shell mode removes many of the features that can make Bash useful for malicious actors. You can read more about Bash in restricted shell mode at www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html.

Theresa is concerned about application distributed denial-of-service (DDoS) attacks against her web application. Which of the following options is best suited to helping prevent resource exhaustion due to an application DDoS?

Use Captcha Scripts. The only viable option is to use CAPTCHA scripts, which will require users to validate that they are human. SYN floods are not application DDoSs but are network layer DDoS attacks. Although using SYN flood prevention is a good idea, this won't address the specific issue that Theresa wants to tackle. Disabling either API keys or a web application firewall (WAF) would reduce the security of her application and potentially expose it to more application DDoS attacks.

Which of the following is not a typical security concern with MFPs?

Use of weak encryption. MFPs, or multifunction printers, may contain sensitive data from copies or scans; some MFPs have built-in hard drives or other mass storage that can retain data for an extended period of time. They often have weak network security capabilities, making them useful as a reflector or amplifier in some network attacks. Fortunately, if an MFP supports protocols like TLS for web access, it provides a reasonably secure implementation of the protocols needed to keep data transfers secure.

Charles wants to obtain a forensic copy of a running virtual machine. What technique should he use to capture the image?

Use the VM host to create a snapshot. Creating a snapshot will provide a complete copy of the system, including memory state that can then be analyzed for forensic purposes. Copying a running system from a program running within that system can be problematic, since the system itself will change while it is trying to copy itself. FTK Imager can copy drives and files, but it would not handle a running virtual machine.

Which one of the following is not an example of infrastructure as code?

Using a cloud provider's web interface to provision resources. Infrastructure as code is any approach that automates the provisioning, management, and deprovisioning of cloud resources. Defining resources through JSON or YAML is IaC, as is writing code that interacts with an API. Provisioning resources through a web interface is manual, not automated, and therefore does not qualify as IaC.

What scripting language is most commonly associated with attacks involving malicious code embedded in Microsoft Office documents?

VBA, or Visual Basic for Applications, is most commonly associated with Microsoft Office scripting attacks. PowerShell is more commonly used for command-line scripts and attacks for Windows systems. Python and Bash are commonly used on Linux systems for similar purposes.

Kayla is conducting threat research and would like to keep up-to-date on new security vulnerabilities. Which one of the following information sources is most likely to provide her with this information?

Vendor website. Vendor websites commonly contain security bulletins with the most recent vulnerability information.

Kevin discovered that his web server was being overwhelmed by traffic, causing a CPU bottleneck. Using the interface offered by his cloud service provider, he added another CPU to the server. What term best describes Kevin's action?

Vertical scaling. This is an example of adding additional capacity to an existing server, which is also known as vertical scaling. Kevin could also have used horizontal scaling by adding additional web servers. Elasticity involves the ability to both add and remove capacity on demand and, though it does describe this scenario, it's not as good a description as vertical scaling. There is no mention of increasing the server's availability.

Garrett is attempting to manage the cloud server instances used by his organization. They do not currently tag cloud resources with the identity of the responsible individual. What is the primary risk of not better controlling this situation?

Virtual machine sprawl occurs when IaaS users create virtual service instances and then forget about them or abandon them, leaving them to accrue costs and accumulate security issues over time. Organizations should maintain instance awareness to avoid VM sprawl issues.

When you combine phishing with Voice over IP, it is known as:

Vishing

Which of the following is a memory forensics toolkit that includes memdump?

Volatility. The Volatility Framework is a memory forensics toolkit that includes memdump. FTK Imager does contain a capture memory function, WinHex can dump memory, and dd can be used in a limited fashion to capture memory, but none of these tools builds in a function called memdump.

Henry wants to check to see if services were installed by an attacker. What commonly gathered organizational data can he use to see if a new service appeared on systems?

Vulnerability scans. Vulnerability scans are the best way to find new services that are offered by systems. In fact, many vulnerability scanners will flag new services when they appear, allowing administrators to quickly notice unexpected new services. Registry information is not regularly dumped or collected in most organizations. Firewall logs and flow logs could show whether the services are being used by systems whose traffic passes through them, but this is a less useful and accurate way of identifying new services and would work only if those services were also being used.

The business-critical web application that Nicole runs for her organization has a known zero-day flaw in it that involves SQL injection. If Nicole has sample code showing the SQL injection, what type of network security device can she use to protect her application even if a patch isn't available yet?

WAF. A web application firewall (WAF) can do exactly what Nicole needs. WAF software and hardware specializes in protecting web applications by analyzing traffic sent to the web application and blocking known malicious traffic and traffic patterns. Nicole can write a detection that will match the malicious SQL code from the zero-day attack while being careful not to write an overly broad or overly narrow detection. Once it's deployed, she can continue to run her web application until a patch is released while remaining safe because of her WAF. Stateful packet inspection firewalls track the communication between two devices but do not detect SQL injection or other application layer detail, and the other answers were made up.

What type of recovery site has some or most systems in place but does not have the data needed to take over operations?

Warm site

As part of her organization's response and recovery controls, Charleen has implemented a remote site that has all the systems needed to operate her company's IT infrastructure. In the event of a major outage or issue, she would need to bring copies of data to the site. What type of disaster recovery site has she set up?

Warm site. A warm site has all the hardware and networking needed to run essential operations, but it does not have the data ready to go. A hot site has everything you need, and you may have to bring just the last data update. A cold site is essentially just space to bring in equipment, networking, and data. Availability zones are a cloud computing concept used by Amazon.

Chris is designing a data loss prevention implementation for his organization. His primary goal is to protect a set of product plans that reside in a small data repository. New files are added to this repository on a periodic basis, and all of the files in the repository require protection. What technology would best meet Chris's needs?

Watermarking. Chris could use either host-based or network-based DLP to meet his needs. The key technology in this scenario is the use of watermarking as the identification technique for sensitive data. Chris can tag all the documents in the secure repository with digital watermarks to flag them to the DLP system. Pattern recognition would not be a useful tool in this case because new documents are regularly added to the repository.

Nina's organization uses SSH keys to provide secure access between systems. Which of the following is not a common security concern when using SSH keys?

Weak encryption. Inadvertent exposure of private keys via upload to a service like GitHub; poor handling of the private key in user directories; use of weak or reused passwords and passphrases; and key sprawl, in which keys are used broadly across an organization, are all common concerns. Weak encryption is not a typical concern with the use of SSH, since it implements modern strong encryption.

Which one of the following tools is most likely to detect an XSS vulnerability?

Web application vulnerability scanner. Intrusion detection systems do not detect vulnerabilities; they detect attacks. The remaining three tools could all possibly discover a cross-site scripting (XSS) vulnerability, but a web application vulnerability scanner is the most likely to detect it because it is specifically designed to test web applications.

Kolin is a penetration tester who works for a cybersecurity company. His firm was hired to conduct a penetration test against a health-care system, and Kolin is working to gain access to the systems belonging to a hospital in that system. What term best describes Kolin's work?

White hat

Bruce is conducting a penetration test for a client. The client provided him with details of their systems in advance. What type of test is Bruce conducting?

White-box test. White-box tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Black-box tests are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems like an attacker would. Gray-box tests are a blend of black-box and white-box testing. Blue-box tests are not a type of penetration test.

Greg wants to use a tool that can directly edit disks for forensic purposes. What commercial tool could he select from this list?

WinHex. WinHex is a commercial disk editor that provides a number of useful forensic tools that can help with investigations and data recovery. The other tools are open source tools.

Selah wants to ensure that malware is completely removed from a system. What should she do to ensure this?

Wipe the drive and reinstall from known good media

Danielle wants to capture traffic from a network so that she can analyze a VoIP conversation. Which of the following tools will allow her to review the conversation most effectively?

Wireshark. Although tcpdump can be used to view packets sent as part of a VoIP connection, Wireshark has built-in VoIP analysis and protocol-specific tools. Danielle will have greater success using those built-in tools. A network SIPper is a made-up tool, and netcat is not a packet sniffer.

Melissa wants to capture network traffic for forensic purposes. What tool should she use to capture it?

Wireshark. Even though Wireshark is not a dedicated network forensic tool, since network traffic is ephemeral, capturing it with a packet sniffer like Wireshark is Melissa's best option. Forensic suites are useful for analyzing captured images, not capturing network traffic, and dd and WinHex are both useful for packet capture, but not for network traffic analysis.

Joanna has discovered that one of her staff has connected an access point in their office to allow them to have wireless access to the network because her organization only uses a wired network in secure areas. What type of attack is this?

A rogue AP. Rogue access points are access points connected to a network that are not supposed to be there. Evil twins are access points set up with the same SSID so that they appear to be a legitimate access point. Once unsuspecting users connect to them, attackers can monitor or modify their traffic. Both fake APs and access clones attacks were made up for this question.

Nick wants to display the ARP cache for a Windows system. What command should he run to display the cache?

arp /a. The arp command will show the system's ARP cache using the /a flag on Windows systems. Other flags are /d to delete the cache or a single address if one is supplied, and /s, which will allow you to add an entry. In most cases, security professionals will use the /a flag most frequently to see what exists in an ARP cache on a system.

Jen is conducting a penetration test for a client. The client did not provide her with any details about their systems in advance of the test and Jen is determining this information using reconnaissance techniques. What type of test is Jen performing?

black box. Black-box tests are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems like an attacker would. White-box tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Gray-box tests are a blend of black-box and white-box testing. Blue-box tests are not a type of penetration test.

Nolan is writing an after-action report on a security breach that took place in his organization. The attackers stole thousands of customer records from the organization's database. What cybersecurity principle was most impacted in this breach?

confidentiality

What term best describes data that resides on a hard drive attached to a server?

data at rest

Lucca needs to make a forensic copy of a Linux system. What built-in Linux command-line tool can he use for that purpose?

dd. The Linux dd command can be used to make a complete copy of a disk or volume. Since it is built into most Linux distributions, it is a handy way to make a copy. Once he is done, Lucca should use md5sum to hash the copy and the original to validate his copying process. None of the other commands can be used to clone a disk.

Cynthia wants to make an exact copy of a drive using a Linux command-line tool. What command should she use?

dd. dd is a copying and conversion command for Linux and can be used to create a forensic image that can be validated using an MD5 or SHA-1 hash. The other commands are df for disk usage, cp for copying files, and ln to link files.

Glenn recently obtained a wildcard certificate for *.mydomain.com. Which one of the following domains would not be covered by this certificate?

dev.www.mydomain.com. Wildcard certificates protect the listed domain as well as all first-level subdomains. dev.www.mydomain.com is a second-level subdomain of mydomain.com and would not be covered by this certificate.

Jim wants to view log entries that describe actions taken by applications on a CentOS Linux system. Which of the following tools can he use on the system to view those logs?

journalctl. CentOS and Red Hat Enterprise Linux both use journalctl to view journal logs that contain application information. Jim should use journalctl to review the logs for the information he needs. The tool also provides functionality that replicates what head and tail can do for logs. Syslog-ng is a logging infrastructure, and though logs may be sent via syslog-ng, it is not mentioned here. logger is a logging utility used to make entries in the system log.

Connor believes that there is an issue between his organization's network and a remote web server, and he wants to verify this by checking each hop along the route. Which tool should he use if he is testing from a Windows 10 system?

pathping

Norm is evaluating the security of his organization's datacenters and notices that there is a hole in the barbed wire fence protecting the facility. What type of control flaw has Norm identified?

physical

Cynthia's organization recently received a legal hold notice. What actions must she take?

she should not delete or destroy electronic or paper documents related to the legal case that is in process.

Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting?

static code analysis. Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.

Bart needs to assess whether a three-way TCP handshake is occurring between a Linux server and a Windows workstation. He believes that the workstation is sending a SYN but is not sure what is occurring next. If he wants to monitor the traffic, and he knows that the Linux system does not provide a GUI, what tool should he use to view that traffic?

tcpdump. tcpdump is a command-line tool that will allow Bart to capture and analyze the traffic coming from the Windows workstation. If he does not see a three-way handshake, he will need to determine what is occurring with the traffic. Wireshark is a GUI (graphical) program, tcpreplay is used to replay traffic, and dd is used to clone drives.

Fran's organization uses a Type I hypervisor to implement an IaaS offering that it sells to customers. Which one of the following security controls is least applicable to this environment?

the provider must maintain security patches on the host operating system

Oren obtained a certificate for his domain covering *.acmewidgets.net. Which one of the following domains would not be covered by this certificate?

test.mail.acmewidgets.net

Ben wants to conduct an offline brute-force attack against a Linux system. What file should he work to obtain a copy of?

the /etc/shadow file. The /etc/shadow file contains password hashes for most modern Linux implementations, and Ben can then use a tool such as rainbow tables or John the Ripper to crack passwords. John itself is not a password file or repository, and /etc/passwd is a secure pointer to /etc/shadow and does not actually contain useful information. Finally, an offline password attack implies cracking that is not across a network, so SSH is not a valid answer.

What major difference is likely to exist between on-premises identity services and those used in a cloud-hosted environment?

the cloud service will provide account and identity management services

Which one of the following virtualization models provides the highest level of efficiency?

type 1 hypervisor

