Cybersecurity questions (Cert Mike)


Frank would like to set his organization's password length requirements to align with industry best practices. What should he set as the maximum password length? A. No maximum B. 8 characters C. 16 characters D. 255 characters

Correct Answer: A The best source for guidance on passwords and other authentication techniques is NIST Special Publication 800-63B, Digital Identity Guidelines. That document directs verifiers not to impose arbitrary maximum length limits: they should accept passwords of at least 64 characters and must never silently truncate what the user typed. A very high ceiling that exists only to protect the hashing routine from pathological input is acceptable in practice; a short cap such as 16 characters is not.

What metric would a SOC use to measure the amount of time that elapses between a security incident occurring and the SOC identifying the incident? A. MTTD B. MTTR C. MTBF D. MITRE

Correct Answer: A Mean time to repair (MTTR) and mean time between failures (MTBF) are reliability and business continuity metrics, so neither fits. Mean time to detect (MTTD) is the average time between an incident occurring and the SOC identifying it, which is exactly what the question describes. MITRE is a not-for-profit organization that operates federally funded research and development centers and publishes the ATT&CK framework; it is not a metric at all.

Greg is operating a web application that processes credit cards and determines that it is subject to a SQL injection vulnerability. He is unable to fix the vulnerability immediately because developers must create a patch that will take several weeks. The application is business critical and must remain running in the meantime. Which one of the following would serve as the best compensating control? A. Web Application Firewall B. Data Loss Prevention System C. Intrusion Detection System D. Privileged Access Management System

Correct Answer: A A web application firewall would be able to identify inbound traffic containing attempted injection attacks and stop that traffic from reaching the web server. It is the best compensating control in this situation. A data loss prevention system may notice exfiltration of sensitive data and block it, but this would only trigger after a successful attack, so this is not as good of an option as a web application firewall. An intrusion detection system would simply report the attack, not stop it, and a privileged access management system would not help in this situation.

Fran is investigating an attack that took place against a website operated by her organization. When she looked at the authentication log entries, she saw that the attacker attempted to log into thousands of different accounts using a series of common passwords before eventually finding a combination that worked. What term best describes this attack? A. Credential stuffing B. Brute force C. Password spraying D. Rainbow table

Correct Answer: C Answering this question requires recognizing that all four options are password attacks and knowing how each one works. Two can be eliminated quickly. It is not a brute force attack: brute forcing tries every possible password against one account, whereas here a short list of common passwords is tried against thousands of accounts. It is not a rainbow table attack either, because that technique requires a file of password hashes, and nothing here suggests the attacker has one. That leaves password spraying and credential stuffing, two attacks that look similar in a log but differ in where the guesses come from. Credential stuffing replays username and password pairs that were compromised on other sites, on the assumption that people reuse passwords from site to site. Password spraying tries a small set of commonly chosen passwords against a large number of accounts, keeping the number of attempts per account low enough to stay under lockout thresholds. That is exactly what happened in this scenario, so the answer is password spraying.
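
As an added illustration (not part of the original quiz), the Python below classifies what a defender actually sees in an authentication log. The log lines, source addresses and thresholds are constructed for the example: many accounts with one or two failures each from a single source is the spraying signature, while many failures against one account from one source is brute force. Credential stuffing also appears as one attempt per account, but uses breached username/password pairs instead of common passwords; the log alone cannot prove where the guesses came from (the usual tell is an unusually high success rate), so the script does not try to label it.

```python
from collections import defaultdict

# Constructed sample authentication log, one event per line (not real data):
# "<timestamp> <username> <source_ip> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice 203.0.113.7 FAIL
2024-05-01T09:00:02 bob 203.0.113.7 FAIL
2024-05-01T09:00:03 carol 203.0.113.7 FAIL
2024-05-01T09:00:04 dave 203.0.113.7 FAIL
2024-05-01T09:00:05 erin 203.0.113.7 FAIL
2024-05-01T09:00:06 frank 203.0.113.7 SUCCESS
2024-05-01T09:10:00 alice 198.51.100.9 FAIL
2024-05-01T09:10:01 alice 198.51.100.9 FAIL
2024-05-01T09:10:02 alice 198.51.100.9 FAIL
2024-05-01T09:10:03 alice 198.51.100.9 FAIL
2024-05-01T09:10:04 alice 198.51.100.9 FAIL
2024-05-01T09:10:05 alice 198.51.100.9 FAIL
2024-05-01T09:10:06 alice 198.51.100.9 FAIL
2024-05-01T09:10:07 alice 198.51.100.9 FAIL
2024-05-01T09:10:08 alice 198.51.100.9 FAIL
2024-05-01T09:10:09 alice 198.51.100.9 FAIL
2024-05-01T09:20:00 bob 192.0.2.44 FAIL
2024-05-01T09:20:30 bob 192.0.2.44 SUCCESS
"""

# Thresholds are assumptions for the example; tune them to your own baseline.
SPRAY_MIN_USERS = 5       # distinct accounts targeted from one source
SPRAY_MAX_PER_USER = 2    # few guesses per account keeps spraying under lockout
BRUTE_MIN_PER_USER = 8    # many guesses at one account is brute force

def parse_log(text):
    """Turn the log text into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, result = line.split()
            events.append((ts, user, src, result))
    return events

def classify_sources(events):
    """Label each source IP from its failure pattern: per-account depth vs. account breadth."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failed attempts
    for _ts, user, src, result in events:
        if result == "FAIL":
            fails[src][user] += 1
    labels = {}
    for src, per_user in fails.items():
        distinct_users = len(per_user)
        worst_account = max(per_user.values())
        if worst_account >= BRUTE_MIN_PER_USER:
            labels[src] = "brute-force"
        elif distinct_users >= SPRAY_MIN_USERS and worst_account <= SPRAY_MAX_PER_USER:
            labels[src] = "password-spraying"
        else:
            labels[src] = "benign"
    return labels

if __name__ == "__main__":
    for src, label in sorted(classify_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:16} {label}")
```

The two signals worth keeping from this are breadth (distinct accounts per source) and depth (attempts per account); a SIEM rule that only counts failures per account misses spraying entirely, which is the whole point of the technique.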

You experienced a power outage that disrupted access to your data center. What type of security concern occurred? A. Availability B. Confidentiality C. Non-Repudiation D. Integrity

Correct Answer: A Availability concerns arise when legitimate users cannot reach systems or information. The major causes of availability disruption are denial of service, power outages, hardware failures, physical destruction, and service outages, so a power outage that takes out the data center is an availability problem. Confidentiality concerns arise when unauthorized individuals may be able to access sensitive information, which is not what happened here. Integrity concerns arise when there is potential for unauthorized modification of information; the major integrity attacks are man-in-the-middle attacks, replay attacks, impersonation, and unauthorized alteration of data, none of which apply. Non-repudiation is the goal of preventing someone from denying that they sent a message or performed an action, and it is commonly implemented with digital signatures, so it is also incorrect.

Which one of the following statements about the Blowfish algorithm is incorrect? A. The algorithm is covered by a patent. B. The algorithm uses a 64-bit block size. C. The algorithm allows the use of any length key between 32 and 448 bits. D. The developer of the algorithm does not recommend it for use today.

Correct Answer: A Bruce Schneier designed Blowfish as an unpatented, freely usable alternative to the patented algorithms of its day, so the patent statement is the incorrect one. The algorithm does use a 64-bit block size and accepts variable-length keys from 32 to 448 bits. Schneier himself no longer recommends Blowfish and points users to Twofish instead. The 64-bit block is the main weakness: once a few gigabytes have been encrypted under one key, birthday-bound collisions become practical, which is the basis of the SWEET32 attack against Blowfish in OpenVPN.

Fred would like to implement a new security platform that can coordinate access policies across the many cloud providers used by his organization. What technology would best meet his needs? A. CASB B. SIEM C. NGEP D. NGFW

Correct Answer: A Cloud access security brokers (CASB) are designed to coordinate security policy enforcement across the cloud providers used by an organization. This is the correct answer. Security information and event management (SIEM) solutions are designed to monitor and correlate activity across security devices. So, this is not the correct answer. Next-generation endpoint protection (NGEP) and next generation firewall (NGFW) technologies are an important part of evolving cybersecurity programs but they do not directly interact with cloud providers. So these are not the correct answers.

Rob's organization uses a variety of different cloud vendors. He is looking for a security solution that would allow him to enforce security policies consistently across those different vendors. Which one of the following technologies would best meet his needs? A. CASB B. SIEM C. VDI D. SOAR

Correct Answer: A Cloud access security brokers (CASB) are designed to enforce security policies across cloud services. Security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms are designed to aggregate, analyze, and react to security events. Virtual desktop infrastructure (VDI) offers desktop computing to end users in a virtualized manner.

What type of scan can best help identify cases of system sprawl in an organization? A. Discovery scan B. Web application scan C. Detailed scan D. Database scan

Correct Answer: A Discovery scans are designed to identify systems on the network and can be used to detect undocumented assets that are the result of system sprawl.

What term is used to describe a network of decoy systems used to attract and study the activity of intruders? A. Honeynet B. Honeypot C. Darknet D. Darkpot

Correct Answer: A Honeynets are networks of decoy systems designed to attract intruders so that security analysts may study their activity. Honeypots are single systems designed for the same purpose. Darknets are unused portions of IP address space designed to detect scanning activity when a scanner attempts to access those unused addresses. Darkpots are what occur when I attempt to cook and leave a pot unattended on the stove for too long.

Paula is configuring her organization's firewall to support the secure remote retrieval of email using the IMAPS protocol. What port should she allow? A. TCP Port 993 B. TCP Port 143 C. UDP Port 993 D. UDP Port 143

Correct Answer: A IMAP is a connection-oriented protocol that uses TCP. UDP is not used with IMAPS or IMAP so we can eliminate both of those UDP options. TCP port 143 is used by the unencrypted and insecure version of the IMAP protocol, so we can rule that out as well. The secure version of IMAP, IMAPS, uses TCP port 993, so that's our correct answer.

Kevin would like to restrict users from accessing a list of prohibited websites while connected to his network. Which one of the following controls would best achieve his objective? A. URL Filter B. IP Address Block C. DLP Solution D. IPS Solution

Correct Answer: A IP-based restrictions are unreliable because sites change IP addresses or use many of them, which makes a block list hard to keep current. Data loss prevention (DLP) systems do not filter web traffic. The best way to restrict website access is URL and content filtering. An intrusion prevention system (IPS) can be made to filter web traffic, but it is not as simple or as reliable as a dedicated URL/content filtering solution.

Jake would like to find a security solution that protects users from malicious content hosted on websites that they visit and allows him to perform content filtering according to his company's policy. Which one of the following solutions would best meet his needs? A. SWG B. NGFW C. CASB D. IPS

Correct Answer: A It is possible that an intrusion prevention system (IPS) or next generation firewall (NGFW) could provide this functionality. However, a secure web gateway (SWG) is purpose-built for filtering user web traffic and, therefore, would be the best solution in this scenario. Cloud access security brokers (CASB) do not perform web content filtering.

Darcy is concerned about an attacker launching a MAC flooding attack on her network. Which one of the following controls would best protect against MAC flooding attacks? A. Port Security B. Port Tapping C. Protocol Validation D. Input Validation

Correct Answer: A MAC flooding occurs when a single device sends frames carrying many different source MAC addresses to a switch, overflowing the switch's MAC address (CAM) table. Once the table is full the switch can no longer learn which port each host is on and falls back to flooding frames out every port like a hub, which lets the attacker sniff traffic that was never meant for its port. Input validation protects applications from hostile user input, so it is not relevant here. Port tapping (a network tap or SPAN port) is a way to gain access to traffic passing through a switch, not a defense. Protocol validation verifies the contents of network traffic and does nothing for the CAM table. MAC flooding is prevented by port security, which limits the number of MAC addresses a switch will learn on a single port and can shut the port down when that limit is exceeded.

Tom is a forensic analyst conducting a security investigation at his company after the firm experienced a data breach. He is planning to speak with some employees to gather evidence and suspects they may have been complicit in the breach. Which one of the following statements is incorrect about these conversations? A. Tom may not speak with employees without first advising them of their rights because he suspects they were involved in a security incident B. Interviews should be friendly and non-aggressive C. Tom may ask employees difficult questions during the interview D. Tom should consult Human Resources before speaking with employees who may have been involved in the incident

Correct Answer: A One of the keys to answering this question is understanding the difference between interviews and interrogations. In an interview, Tom may ask difficult questions, but should do so in a non-confrontational manner. If Tom gets more aggressive, he crosses the line from interview to interrogation. Tom should always consult with Human Resources before involving employees in an investigation, but he does not need to advise employees of their rights because he is not a law enforcement officer. So, that is the correct answer to this question.

Which one of the following frameworks provides a mapping of cloud-specific security controls to security standards, best practices, and regulations? A. CCM B. CSF C. ISO 27001 D. ISO 31000

Correct Answer: A The Cloud Security Alliance's (CSA) Cloud Controls Matrix (CCM) provides a mapping of cloud-specific security controls to security standards, best practices, and regulations. So, this is the correct answer. The NIST Cybersecurity Framework (CSF) and ISO 27001 are broad security frameworks that are not cloud-specific. So, these aren't the correct answer. ISO 31000 is a risk management framework. So, this is also incorrect.

What federal law requires the use of vulnerability scanning on information systems operated by federal government agencies? A. FISMA B. HIPAA C. GLBA D. FERPA

Correct Answer: A The Health Insurance Portability and Accountability Act (HIPAA) applies only to organizations involved in healthcare, so it would not apply to all government agencies. The Gramm Leach Bliley Act (GLBA) applies to financial institutions, so it also wouldn't apply to government agencies. Similarly, the Family Educational Rights and Privacy Act (FERPA) applies to educational institutions, not government agencies. The Federal Information Security Management Act (FISMA) requires that federal agencies implement vulnerability management programs for federal information systems, so that's our correct answer.

What does PGP use to facilitate the trusted exchange of public keys between users? A. Web of trust B. Certificate authorities C. Central key management server D. Bittorrent

Correct Answer: A The PGP package uses a concept known as the web of trust to provide assurances that keys are accurate. This decentralized model requires having keys vouched for by trusted individuals within the network and eschews a centralized approach.

Which metric from a CVSS 3 rating describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability? A. AC B. PR C. UI D. AV

Correct Answer: A The Privileges Required (PR) metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability, so it is not the answer. The Attack Complexity (AC) metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability, such as a race condition that must be won or a configuration the target must happen to have, so this is the correct answer. The User Interaction (UI) metric captures whether a human other than the attacker must participate in the compromise, which is not what the question asks. The Attack Vector (AV) metric describes the context from which exploitation is possible (network, adjacent, local, or physical), so it is not correct either.

Carolyn is working with her team to develop her organization's disaster recovery plan. What stage of the planning process provides the information necessary to prioritize recovery efforts by service? A. Business Impact Assessment B. Design C. Implementation D. Preparation

Correct Answer: A The business impact assessment (BIA) stage of the disaster recovery planning process assesses services used by the organization and prioritizes their recovery based upon their potential impact on the business. The rest of the options are incorrect.

Roland recently wrote code that implements a new feature demanded by end users of an application he manages. He would like users to examine the feature and determine whether it meets their needs. What environment is most appropriate for this activity? A. Test B. Development C. Staging D. Production

Correct Answer: A The process described, where users evaluate features to determine whether they meet business requirements, is known as user acceptance testing (UAT) and it should take place in the test environment. So, that is the correct answer. Roland would have created the new feature in a development environment. After the code passes testing, it will move on to staging and then finally into production.

Ed is working with functional units in his organization to document the maximum amount of time that they could be without a critical IT service during a disaster. What metric should he use to document this requirement? A. RTO B. RPO C. MTTR D. MTBF

Correct Answer: A The recovery time objective (RTO) is the amount of time that the business can tolerate an outage during a disaster, making it our correct answer. The recovery point objective (RPO) is the amount of tolerable data loss, which is not what we are looking for here. The mean time to repair (MTTR) is the amount of time required to repair a damaged system, while the mean time between failures (MTBF) describes the frequency of failures, neither of which are correct answers.

Naomi is installing a new endpoint detection and response (EDR) solution for her organization. What category of control is she installing? A. Technical B. Operational C. Managerial D. Detective

Correct Answer: A There are three categories of security control: technical, operational, and managerial. Technical controls enforce CIA in the digital space. Naomi is installing an EDR system that uses technology to detect and respond to security incidents. Therefore, the EDR system is best described as a technical control. Operational controls include the processes that we put in place to manage technology in a secure manner. So this is not the correct answer. Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. So this is not the correct answer either. Security controls also come in types such as: preventive, detective, corrective, deterrent, physical, and compensating controls. We are looking for control categories, not control types. So detective is another incorrect answer.

Which one of the following fields would NOT be found in a NetFlow record? A. Payload B. Source Address C. Destination Address D. Timestamp

Correct Answer: A Think of NetFlow as similar to a telephone bill. You get a record of communications, but not the actual communications themselves. So, source address, destination address, and timestamp are included in those records and are not the correct answer to this question, where we're looking for something that is NOT included in NetFlow logs. NetFlow records only contain summary information about network connections. They do not contain the actual content, or payload, from the connection. So, payload is the correct answer here.

A contractor for the German company Siemens recently pled guilty to an attack where he altered software he sold to Siemens so that it would periodically break, requiring the company to hire him to fix it. What term best describes this type of attack? A. Logic Bomb B. RAT C. Worm D. Trojan Horse

Correct Answer: A This is a logic bomb: malicious code that lies dormant until a trigger condition is met, here the passage of time, and then executes its payload by breaking the software. A remote access trojan (RAT) gives the attacker remote control of the infected system, and nothing of the kind is described. The malicious logic was embedded in otherwise legitimate software by its own author; it did not spread on its own, so it was not a worm, and it was not a separate program disguised as something useful, so it was not a Trojan horse either.

Alex is reviewing alerts generated by his organization's SIEM and determines that the SIEM is generating too many false positive alerts. What parameter can he alter to reduce the number of false positives? A. Reduce the SIEM sensitivity B. Increase the SIEM sensitivity C. Reduce the SIEM capacity D. Increase the SIEM capacity

Correct Answer: A To alter the false positive rate, Alex should adjust the SIEM sensitivity. Increasing the sensitivity of the SIEM reduces the threshold for an alert and would increase the number of false positives. Decreasing the sensitivity of the SIEM would increase the threshold for an alert and decrease the number of false positives. Adjusting the SIEM capacity would adjust the amount of information that it can process and store, rather than changing the false positive rate.

Peter is analyzing network flow logs and finds that a server in his organization is sending a large amount of traffic to a single destination. Upon further investigation, he sees that the server is receiving very small repeated requests from the same source on UDP port 53 and sends very large responses. What type of attack should Peter suspect? A. DNS Amplification B. DNS Spoofing C. ARP Spoofing D. ARP Amplification

Correct Answer: A UDP port 53 is used by the Domain Name System (DNS), so we can immediately eliminate the two answers about ARP-based attacks (and "ARP amplification" is not a recognized attack in any case). Small requests producing very large responses to a single destination is the signature of an amplification attack: the attacker sends DNS queries with a spoofed source address belonging to the victim, and the server obligingly floods the victim with the much larger answers. Although the attack relies on IP spoofing of the source address, it is not DNS spoofing, because no DNS data is tampered with; the server's records are genuine, it is simply being used as a reflector.
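
Peter's observation can be turned into a flow-level check. The Python below is an added example, not from the quiz: it reads constructed NetFlow-style records (addresses, ports, protocol and byte counts only, no payloads), sums the bytes of UDP/53 queries arriving at the resolver from each peer and the bytes of responses sent back, and flags peers whose response volume is both large and many times larger than what they asked for. The resolver address, the sample records and the thresholds are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed NetFlow-style records, not real captures:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    # spoofed queries "from" the victim arriving at our resolver ...
    ("198.51.100.10", 3345, "192.0.2.53", 53, "UDP", 400, 24000),
    # ... and the resolver's much larger answers sent back to the victim
    ("192.0.2.53", 53, "198.51.100.10", 3345, "UDP", 400, 1400000),
    # an ordinary client doing a few lookups
    ("10.0.0.8", 51000, "192.0.2.53", 53, "UDP", 4, 280),
    ("192.0.2.53", 53, "10.0.0.8", 51000, "UDP", 4, 700),
    # a legitimate zone transfer to a secondary: large, but TCP, so ignored here
    ("192.0.2.53", 53, "203.0.113.5", 40100, "TCP", 1500, 2000000),
]

# Thresholds are assumptions for the example; derive real ones from your baseline.
MIN_RESPONSE_BYTES = 1000000
MIN_AMPLIFICATION = 10.0

def dns_amplification_suspects(flows, resolver_ip):
    """Return {peer_ip: amplification ratio} for peers that look like reflection victims."""
    query_bytes = defaultdict(int)     # peer -> bytes of UDP/53 queries received from it
    response_bytes = defaultdict(int)  # peer -> bytes of UDP/53 responses sent to it
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != "UDP":
            continue
        if dst == resolver_ip and dport == 53:
            query_bytes[src] += nbytes
        elif src == resolver_ip and sport == 53:
            response_bytes[dst] += nbytes
    suspects = {}
    for peer, out in response_bytes.items():
        inbound = query_bytes.get(peer, 0)
        # responses with no matching queries at all are the most suspicious case
        ratio = out / inbound if inbound else float("inf")
        if out >= MIN_RESPONSE_BYTES and ratio >= MIN_AMPLIFICATION:
            suspects[peer] = round(ratio, 1)
    return suspects

if __name__ == "__main__":
    for peer, ratio in dns_amplification_suspects(FLOWS, "192.0.2.53").items():
        print(f"possible amplification victim {peer}: {ratio}x")
```

The flagged peer is the victim, not the attacker: the attacker's real address never appears in these flows. The fix on Peter's side is to stop being a usable reflector (disable open recursion, apply response rate limiting), since the spoofed queries cannot be traced back from the flow data alone.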

Julian is auditing the protocols in use on a Linux server and finds that it supports SSH, FTPS, LDAP, and RDP. Which one of these protocols does not use encryption when used in its default configuration? A. LDAP B. RDP C. FTPS D. SSH

Correct Answer: A What we need to do here is eliminate the answer choices that we know are encrypted protocols. SSH, the secure shell, carries administrative connections to servers over an encrypted channel, so that is not correct. FTPS is FTP wrapped in TLS and is also encrypted. The remote desktop protocol (RDP), used by Windows systems, encrypts its sessions by default as well, so it can be eliminated. That leaves the lightweight directory access protocol, LDAP. Plain LDAP on port 389 is unencrypted by default, while LDAPS (LDAP over TLS on port 636, or LDAP with StartTLS) provides the encrypted alternative. So the correct answer is LDAP.

Which one of the following regulations provides strict, detailed procedures for the use of compensating controls? A. PCI DSS B. HIPAA C. GLBA D. FERPA

Correct Answer: A While compensating controls may be used for any control requirement, PCI DSS includes very detailed procedures for documenting and approving acceptable compensating controls in credit card processing environments. The remaining answers are incorrect.

Jake is helping his organization move out of an office complex they are leaving and has a large quantity of sensitive paper records to dispose. Which one of the following destruction methods would not be appropriate to sufficiently destroy the information? A. Degaussing B. Burning C. Pulping D. Shredding

Correct Answer: A Burning, shredding, and pulping are all acceptable ways to destroy paper records. Degaussing is a magnetic destruction technique that is only appropriate for digital records.

Ryan is considering the deployment of an impossible travel time policy in his organization's SIEM. What technology should enable him to allow the implementation of this policy? A. Geotagging B. Lockout C. Disablement D. Time of Day Restrictions

Correct Answer: A Impossible travel time policies seek to prevent logins from two different geographic locations when it would not have been physically possible for the user to travel between those locations in the time interval between the logins. This is only possible if logins are geotagged with their geographic location.
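
Added example (not part of the original quiz): a minimal impossible-travel check in Python. It assumes each login has already been geotagged with a latitude and longitude (in practice from a GeoIP lookup on the source address), sorts each user's logins by time, and computes the ground speed implied between consecutive logins with the haversine formula. The login events, coordinates and the 1000 km/h ceiling are constructed for the illustration.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling, roughly airliner speed; tune per policy

# Constructed geotagged login events, not real data: (user, ISO timestamp, lat, lon)
LOGINS = [
    ("alice", "2024-05-01T09:00:00", 40.7128, -74.0060),   # New York
    ("alice", "2024-05-01T10:00:00", 51.5074, -0.1278),    # London, one hour later
    ("bob", "2024-05-01T10:00:00", 42.3601, -71.0589),     # Boston (listed out of order)
    ("bob", "2024-05-01T09:00:00", 40.7128, -74.0060),     # New York, one hour earlier
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, km, hours, km_per_hour) for consecutive logins that exceed max_kmh."""
    by_user = {}
    for user, ts, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for user, events in by_user.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < 1.0:
                continue   # same place (or GeoIP jitter) is never impossible travel
            hours = (t2 - t1).total_seconds() / 3600
            # two distant logins at the same instant: infinite implied speed
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                shown = round(speed) if math.isfinite(speed) else math.inf
                alerts.append((user, round(km), round(hours, 2), shown))
    return alerts

if __name__ == "__main__":
    for user, km, hours, kmh in impossible_travel(LOGINS):
        print(f"{user}: {km} km in {hours} h implies {kmh} km/h")
```

The geotag is the whole dependency: without a location on each login event there is no distance to compute, which is why the answer to the question is geotagging rather than any of the lockout-style controls. Expect false positives from VPN egress points and mobile carrier NAT, and treat the alert as a trigger for step-up authentication rather than an automatic lockout.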

Beth is using the Cyber Kill Chain approach to analyzing the actions of an intruder on her network. She finds evidence that the most recent activity of the attacker was to successfully use a buffer overflow attack to gain control of a system. What stage is the attacker in? A. Exploitation B. Weaponization C. Command and Control D. Installation

Correct Answer: A The stages of the Cyber Kill Chain are reconnaissance, weaponization, delivery, exploitation, installation, command-and-control, and actions on objectives. The exploitation stage is where the attacker exploits a vulnerability to execute code on the victim's system. That is the stage where a buffer overflow attack gains control of a system.

Henry would like to capture network packets from the command line. What command would best meet his needs? A. dd B. tcpdump C. FTK D. Wireshark

Correct Answer: B Tcpdump is a command-line packet capture utility. Wireshark is also a packet capture utility but it is designed for interactive use through a GUI. FTK and dd are forensic utilities used to capture disk images, not network packets.

Ricky is concerned about the security of his organization's domain name records and would like to adopt a technology that ensures their authenticity by adding digital signatures. What technology should he use. A. DNSSIGN B. DNSSEC C. CERTDNS D. DNS2

Correct Answer: B DNSSIGN, CERTDNS, and DNS2 are not real technologies, so they are not the correct answer. The Domain Name System Security Extensions (DNSSEC) add digital signatures to DNS records so that a validating resolver can verify that a record is authentic and was not modified in transit. DNSSEC provides authenticity and integrity, not confidentiality: the records themselves still travel unencrypted.

Dylan and Liam are using symmetric cryptography to communicate with each other. They have a shared secret key that no other person knows. What goal of cryptography is impossible for them to achieve? A. Confidentiality B. Non-Repudiation C. Integrity D. Authentication

Correct Answer: B Dylan and Liam can achieve confidentiality by encrypting messages with the shared key, and integrity by attaching a message authentication code (MAC) computed with that key (encryption alone does not reliably detect tampering). They can also achieve authentication: a message that verifies under the key must have come from the only other person who holds it. They cannot achieve non-repudiation, because either of them could have produced the same MAC or ciphertext, so neither can prove to a third party that a message came from the other and was not forged by the party presenting it. Non-repudiation requires a private key that only the sender holds, which is what digital signatures provide.
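
Added example, not from the quiz: the shared-key situation in Python's standard library, using HMAC-SHA256 as the symmetric authentication mechanism. Liam can confirm that Dylan's message is intact and came from a key holder, and a tampered message is rejected, but Liam can mint an identical tag himself, so a tag proves nothing to an arbitrator about which of the two produced it. The names, key and messages are constructed.

```python
import hashlib
import hmac
import secrets

def make_tag(key, message):
    """Symmetric authentication tag (HMAC-SHA256) over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()

def check_tag(key, message, tag):
    """Constant-time check: True only if message is intact and tag was made with key."""
    return hmac.compare_digest(make_tag(key, message), tag)

def possible_authors(key_holders, key, message, tag):
    """Who could have produced this tag? Anyone holding the key, so never a single name."""
    return sorted(key_holders) if check_tag(key, message, tag) else []

def demo():
    key = secrets.token_bytes(32)          # shared secret held by Dylan and Liam only
    holders = {"Dylan", "Liam"}
    msg = b"Pay Liam 1000"
    dylan_tag = make_tag(key, msg)         # Dylan authenticates his message
    forged = b"Pay Liam 9000"
    return {
        # authentication + integrity: Liam accepts Dylan's genuine message
        "liam_accepts": check_tag(key, msg, dylan_tag),
        # integrity: altering the message under the old tag is detected
        "tamper_detected": not check_tag(key, forged, dylan_tag),
        # no non-repudiation: Liam forges "from Dylan" with the same key and it verifies
        "forgery_accepted": check_tag(key, forged, make_tag(key, forged)),
        # an arbitrator given the key cannot narrow the author below the set of key holders
        "authors_of_dylan_tag": possible_authors(holders, key, msg, dylan_tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Swapping `make_tag` for a digital signature made with Dylan's private key (and `check_tag` for verification with his public key) is what changes the last line: then only Dylan could have produced a valid signature, and a third party can verify that without ever holding a secret.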

Domer Industries is conducting a risk analysis of the risk of an earthquake damaging their data center. The data center is valued at $10 million and seismologists expect that a serious earthquake will damage 75% of the facility once every 50 years. In this scenario, what is the annualized loss expectancy? A. $7,500,000 B. $150,000 C. $5,625,000 D. $10,000,000

Correct Answer: B In this scenario, the annualized rate of occurrence (ARO) is once every 50 years, or a 0.02 ARO on an annual basis. The asset value (AV) is $10,000,000 and the exposure factor (EF) is 75%, resulting in a single loss expectancy (SLE) of $7,500,000. The annualized loss expectancy (ALE) is computed by multiplying the SLE by the ARO to get $150,000.

Brynn is concerned about the risks associated with web application attacks and wishes to perform input validation. What is the best place to perform this task? A. In the user's browser via HTML B. On the web server C. In the user's browser via JavaScript D. On the database server

Correct Answer: B Input validation must be performed on the web server, where the application controls the code that runs. Database servers see only what the application sends them and are not positioned to validate the user's full input. Validation in the browser, whether through HTML form attributes or JavaScript, is fine for usability but provides no security, because a malicious user can disable it or bypass the browser entirely and send requests straight to the server.

In order to improve the security of his network, Tony is placing systems onto small subnets that are designed for systems that share a common purpose. What term best describes this technique? A. Isolation B. Segmentation C. Refactoring D. Shimming

Correct Answer: B Isolation disconnects a system from all other networked devices. So, that is not what we are looking for in this scenario. Refactoring and shimming are terms related to device drivers and not network structure. So, those two are incorrect as well. Segmentation is a term used to describe placing systems onto specialized subnets, rather than having them all on a larger network, making it our correct answer.

What do most physical security professionals consider the minimum fence height to slow down a determined intruder? A. 4 feet B. 8 feet C. 6 feet D. 12 feet

Correct Answer: B Most security professionals consider eight feet to be the minimum height for a fence protecting critical assets. It is trivial for an intruder to climb a fence of six feet or less. A fence that stands twelve feet high is likely unnecessary and aesthetically unpleasant. For added security, organizations may add barbed wire to the top of the fence.

Jena would like to configure her organization's switches so that they do not allow systems connected to a switch to spoof MAC addresses. Which one of the following features would be helpful in this configuration? A. Loop protection B. Port security C. Flood guard D. Traffic encryption

Correct Answer: B Port security restricts the number of unique MAC addresses that may originate from a single switch port. It is commonly used to prevent someone from unplugging an authorized device from the network and connecting an unauthorized device but may also be used to prevent existing devices from spoofing MAC addresses of other devices.

Veronica is developing a web application that must interact with the database. She would like to safeguard it against SQL injection attacks. Which one of the following controls would best achieve her goal? A. Inline Queries B. Stored Procedures C. Normalizing her database structure D. Performing data wrangling

Correct Answer: B Stored procedures are a form of parameterized query: the query template lives on the database server, out of reach of modification, and callers supply only parameter values, which the database treats as data rather than as SQL. Inline queries built by concatenating user input into SQL strings are the root cause of injection, so that option is the opposite of what Veronica wants. Normalization and data wrangling are data design and preparation tasks that do nothing to prevent injection. One caveat: a stored procedure that itself builds dynamic SQL from its parameters reintroduces the vulnerability, so the procedure body must also bind parameters rather than concatenate strings.
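
Added example (mine, not from the quiz) in Python using the standard sqlite3 module, illustrating both the server-side input validation question (Brynn) and the stored procedure question (Veronica). The inline query concatenates user input into SQL and a classic tautology payload returns every row; the parameterized version sends the value separately from the fixed query text, which is the same separation a stored procedure's parameters provide; the hardened version adds a server-side allow-list check in front of it. The table contents, the username policy and the payload are constructed for the illustration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")   # assumed allow-list policy for usernames

def setup_db():
    """In-memory table with constructed rows standing in for the real card database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "4242"), ("bob", "1111"), ("carol", "9999")])
    return conn

def lookup_inline(conn, username):
    """Inline query: user input is spliced into the SQL text, so it can rewrite the query."""
    sql = "SELECT username, card_last4 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    """Parameterized query: the driver passes the value separately from the fixed query text,
    so the input can only ever be compared as a string, never parsed as SQL."""
    return conn.execute(
        "SELECT username, card_last4 FROM users WHERE username = ?", (username,)
    ).fetchall()

def lookup_hardened(conn, username):
    """Server-side allow-list validation, then the parameterized query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match policy")
    return lookup_parameterized(conn, username)

def demo():
    conn = setup_db()
    payload = "x' OR '1'='1"           # classic tautology payload, constructed
    try:
        lookup_hardened(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "inline": lookup_inline(conn, payload),                 # every row leaks
        "parameterized": lookup_parameterized(conn, payload),   # no such username: no rows
        "hardened_rejects_payload": rejected,
        "hardened_legit": lookup_hardened(conn, "alice"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Validation and parameterization are complementary rather than alternatives: the allow-list rejects input that has no business reaching the database at all, and the bound parameter guarantees that whatever does reach it is treated as data. Neither belongs in the browser.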

What is the purpose of STIX? A. To provide a set of services to enable sharing of threat intelligence B. To represent threat information in a standardized manner C. Offer a standardized schema for the specification and communication of system and network events D. Provide an API for security platform integration

Correct Answer: B TAXII provides a set of services to enable sharing of threat intelligence. So that is not the correct answer. STIX is a collaborative effort to develop a standardized, structured language to represent cyber threat information. The STIX framework intends to convey the full range of potential cyber threat data elements and strives to be as expressive, flexible, extensible, automatable, and human-readable as possible. This is the correct answer. CEE, or the common event expression, offers a standardized schema for the specification and communication of system and network events. So, this is not the correct answer. And STIX does not provide an API for security platform integration. So that is not the correct answer either.

What static code analysis technique seeks to identify the variables in a program that may contain user input? A. Lexical analysis B. Taint analysis C. Control flow analysis D. Signature detection

Correct Answer: B Taint analysis traces variables that may contain user input and ensures that they are sanitized before being used by a potentially vulnerable function. Lexical analysis converts source code into a tokenized form. Control flow analysis traces the execution path of code. Signature detection looks for known patterns of malicious activity.
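To make the idea concrete, here is a deliberately small taint analyzer written as an added example (it is not code from the quiz or from Cert Mike, and the source, sanitizer and sink names it recognizes are assumptions chosen for the demo). It parses a Python snippet with the standard `ast` module, marks any variable assigned from `input()` as tainted, treats `int()` and `shlex.quote()` as sanitizers, and reports calls to `os.system` or `cursor.execute` whose arguments still carry taint. The propagation is flow-insensitive (a fixpoint over all assignments), which is enough for straight-line scripts and shows how the analysis reasons about data rather than syntax.

```python
import ast

# Assumed for this demo: functions whose return value is attacker-controlled,
# functions that neutralize it, and functions that are dangerous to call with it.
SOURCES = {"input"}
SANITIZERS = {"int", "quote"}        # shlex.quote(...) is matched by its attribute name
SINKS = {"system", "execute"}        # os.system(...), cursor.execute(...)


def _call_name(call):
    """Return the bare function name of a call, e.g. 'quote' for shlex.quote(...)."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return None


def _is_tainted(node, tainted):
    """Does this expression (transitively) carry user input?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = _call_name(node)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False             # taint is cleaned here
        return any(_is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.BinOp):  # string concatenation / % formatting
        return _is_tainted(node.left, tainted) or _is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):  # f-strings
        return any(_is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    return False


def taint_analyze(source):
    """Return (sorted tainted variable names, [(lineno, sink_name), ...])."""
    tree = ast.parse(source)
    assigns = [n for n in ast.walk(tree) if isinstance(n, ast.Assign)]
    tainted = set()
    changed = True
    while changed:                   # iterate until no new variable becomes tainted
        changed = False
        for a in assigns:
            if _is_tainted(a.value, tainted):
                for t in a.targets:
                    if isinstance(t, ast.Name) and t.id not in tainted:
                        tainted.add(t.id)
                        changed = True
    findings = []
    for call in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        if _call_name(call) in SINKS and any(_is_tainted(a, tainted) for a in call.args):
            findings.append((call.lineno, _call_name(call)))
    return sorted(tainted), findings


# Constructed program under analysis (not a real code base).
SAMPLE = """
import os, shlex
name = input("host? ")
safe = shlex.quote(name)
count = int(input("count? "))
os.system("ping -c " + str(count) + " " + name)
os.system("ping -c 1 " + safe)
cursor.execute("SELECT * FROM t WHERE id = %s" % count)
"""

if __name__ == "__main__":
    tainted, findings = taint_analyze(SAMPLE)
    print("tainted variables:", tainted)
    for lineno, sink in findings:
        print(f"line {lineno}: tainted data reaches {sink}()")
```

Only the first `os.system` call is reported: `name` flows into it unsanitized, while `safe` passed through `shlex.quote` and `count` through `int`, so the other two sink calls are considered clean. Real tools (and the taint analysis engines in commercial SAST products) add flow and path sensitivity, inter-procedural tracking and far richer source/sink catalogs, but the core question is the same one this code asks.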

Under GDPR, which individual bears responsibility for ensuring that the company understands its privacy responsibilities and serves as the primary liaison to the supervising authority? A. Chief executive officer B. Data protection officer C. Chief information officer D. Chief information security officer

Correct Answer: B The data protection officer (DPO) is a formal designation under GDPR and the individual designated as DPO bears significant responsibilities for GDPR compliance.

Ryan is building out a cloud web architecture and wishes to provide the maximum possible degree of fault tolerance while still working with a single IaaS vendor. Which one of the following solutions would best meet his needs? A. Creating redundant web servers across multiple vendors B. Creating redundant web servers in different regions C. Creating redundant web servers in different availability zones D. Creating redundant web servers in the same availability zone

Correct Answer: B The most fault-tolerant solution would involve multiple vendors, but Ryan specified that he wanted to work with a single vendor, so this is not an acceptable solution. Therefore, Ryan should strive for the solution that has the greatest geographic and logical redundancy within his vendor's environment. The best solution would be to use redundant servers in multiple regions. Availability zones are subsets of regions and provide less redundancy, not meeting Ryan's architecture needs. Operating servers in the same availability zone would create multiple single points of failure, making it another incorrect answer.

Jodie is helping her organization move services into a new cloud-based service. This includes transferring PII about her company's customers. She is concerned about the regulatory impact of that move. What country/countries may have jurisdiction over customer PII used in the new cloud service? A. The countries where Jodie's company is headquartered and the customer resides B. The countries where the data is stored, Jodie's company is headquartered and the customer resides C. The country where the customer resides D. The country where Jodie's company is headquartered

Correct Answer: B The use of cloud services is complicated from a regulatory perspective. It is possible that each of the countries involved has some jurisdiction over the data. These include the country where the cloud provider has its data centers, the country where the customer resides, and the home country of Jodie's company.

Bernard is considering using a new cloud service where the vendor offers a managed environment for the execution of customer-supplied code. What term best describes this service? A. IaaS B. PaaS C. SaaS D. XaaS

Correct Answer: B This environment, where customers supply code and vendors supply managed infrastructure, is known as platform as a service (PaaS) computing. In infrastructure as a service (IaaS) computing, the vendor offers access to the basic building blocks of a computing infrastructure, such as servers, storage, and networking and the customer assembles those building blocks to create their own solutions. In the software as a service (SaaS) model, the vendor provides a fully functional application to the customer. Anything as a service (XaaS) is a term describing the fact that virtually any computing service may be delivered in a cloud model and it is not a good description of this specific scenario.

Vickie recently gathered digital evidence and would like to be able to provide future users of that evidence with the ability to verify non-repudiation. How can she provide this? A. Generate a hash value from the evidence B. Digitally sign the evidence C. Encrypt the evidence D. Generate a checksum from the evidence

Correct Answer: B Using a hash value or checksum can verify that the evidence was not altered, but it does not provide non-repudiation, because anyone can compute a hash over the same data. Encrypting the evidence protects it from unauthorized disclosure; it does not provide non-repudiation, and unless an authenticated encryption mode is used it does not guarantee integrity either. Vickie can provide non-repudiation by digitally signing the evidence (in practice, a hash of it) with her private key, so that anyone holding her public key can verify that she, and only she, produced the signature.

Charlie received an alert from file integrity monitoring software running on a server in his organization. Which one of the following is NOT a likely reason for this alert? A. Operating system update B. CPU failure C. Application update D. Security incident

Correct Answer: B Operating system updates and application updates frequently trigger file integrity alerts, as do system compromises. A CPU failure would result in a system crash, rather than a file integrity alert.

Rudy is configuring a router that sits at the connection between his organization's network and the Internet. He is concerned about spoofed packets and would like to configure the router to perform anti-spoofing filtering. Which one of the following source IP addresses should be blocked at the router for inbound traffic? A. 12.168.1.100 B. 278.168.1.100 C. 192.168.1.100 D. 129.168.1.100

Correct Answer: C 12.168.1.100 and 129.168.1.100 are valid public IP addresses and should be permitted as inbound source addresses. 278.168.1.100 is not a valid IP address because the first octet is greater than 255; it cannot appear in a packet header, so no rule is needed for it. This leaves 192.168.1.100. This address falls within the RFC 1918 private range 192.168.0.0/16 and should never be seen as a source address on packets arriving from an external network. In practice, an ingress anti-spoofing filter (RFC 2827, BCP 38) drops all private and other non-routable source ranges, and also drops inbound packets whose source falls within the organization's own public address space, since those can only be spoofed.
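The filtering decision described above can be expressed as a small, testable function. This is an added example, not code from the quiz or from Cert Mike; it uses Python's standard `ipaddress` module, a bogon list that is an assumption for the demo (RFC 1918 space plus other well-known non-routable ranges), and an optional list of the organization's own public prefixes. It also handles the malformed 278.168.1.100 case explicitly instead of crashing on it, which is what a rule generator fed from an untrusted source would need to do.

```python
import ipaddress

# Source ranges that must never arrive from the Internet (assumed list for this demo):
# RFC 1918 private space plus common non-routable / reserved ranges.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # shared address space (carrier NAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved / broadcast
)]


def inbound_source_verdict(src, own_prefixes=()):
    """Decide whether an inbound packet with source address `src` should be dropped.

    own_prefixes: the organization's own public ranges; traffic from outside
    claiming one of them as its source is spoofed by definition (BCP 38).
    Returns ("drop" | "permit", reason).
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # e.g. "278.168.1.100": not a valid address, cannot exist in a real header.
        return ("drop", "malformed address")
    for net in BOGON_SOURCES:
        if addr in net:
            return ("drop", f"non-routable source {net}")
    for own in own_prefixes:
        if addr in ipaddress.ip_network(own):
            return ("drop", "spoofs our own address space")
    return ("permit", "public source")


if __name__ == "__main__":
    # The four candidates from the question, plus one spoofing the example.com-style
    # documentation range 203.0.113.0/24 standing in for "our" public prefix.
    for candidate in ("12.168.1.100", "278.168.1.100", "192.168.1.100",
                      "129.168.1.100", "203.0.113.7"):
        verdict, reason = inbound_source_verdict(candidate, own_prefixes=["203.0.113.0/24"])
        print(f"{candidate:>15}: {verdict:6} ({reason})")
```

Only 192.168.1.100 (private) and the spoofed own-prefix address are dropped by policy; the malformed address is rejected before it reaches any rule; the two genuine public addresses are permitted.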

Eddie is concerned about the security of cryptographic keys that his organization uses with a cloud service provider. What mechanism can he use to best safeguard those keys from access by unauthorized individuals? A. CASB B. DLP C. HSM D. IPS

Correct Answer: C Cloud access security brokers (CASB) are used to consistently apply security policies across cloud services and don't protect encryption keys, making it an incorrect answer. Hardware security modules (HSMs) are specifically designed to safeguard encryption keys, avoiding the need for a human being to directly interact with the key, making it our correct answer here. Some cloud providers offer cloud-based HSM services to their customers as an advanced security offering. Data loss prevention (DLP) systems block the exfiltration of sensitive information and, again, don't protect encryption keys. Neither do intrusion prevention systems (IPSs), which detect and block security threats.

Barry was reviewing his organization's perimeter firewall ruleset and determined that it contains rules that allow unnecessary access. What type of control flaw has Barry discovered? A. Corrective B. Detective C. Preventive D. Deterrent

Correct Answer: C Firewalls serve to block attempted access to the organization's networks and systems. Therefore, they are best described as preventive controls. The purpose of a detective control is to identify attacks that are currently taking place or have taken place in the past. The purpose of a deterrent control is to discourage an attacker from attempting to undermine security. The purpose of a corrective control is to help the organization recover after a security incident.

Which one of the following assertions can NOT be made by validating the card authentication certificate on a US government PIV card? A. The card is not expired. B. The card has not been revoked. C. The holder of the credential is the same individual the card was issued to. D. The card was issued by an authorized entity.

Correct Answer: C PIVs contain four digital certificates. The card authentication certificate is used to verify that the PIV credential was issued by an authorized entity, has not expired, and has not been revoked. The PIV authentication certificate is used to verify that the PIV credential was issued by an authorized entity, has not expired, has not been revoked, and holder of the credential (YOU) is the same individual it was issued to. The digital signature certificate allows the user to digitally sign a document or email, providing both integrity and non-repudiation. The encryption certificate allows the user to digitally encrypt documents or email.

What technology does the PEAP protocol combine with EAP to provide secure communication of authentication credentials? A. SSL B. LEAP C. TLS D. IDEA

Correct Answer: C The Protected Extensible Authentication Protocol (PEAP) runs the standard EAP protocol within a TLS session to provide secure communications.

Harry believes that an employee of his organization launched a privilege escalation attack to gain root access on one of the organization's database servers. The employee does have an authorized user account on the server. What log file would be most likely to contain relevant information? A. Database Application Log B. Firewall Log C. Operating System Log D. IDS Log

Correct Answer: C A privilege escalation attack takes place against the operating system and information relevant to this attack is most likely found in the operating system logs. It is unlikely that the database application itself would be involved, so that application's logs would not likely contain relevant information. The user has authorized access to the system, so the firewall and IDS logs would simply show that authorized access taking place.

Brenda recently participated in an incident response training program where members of the team met in a conference room to discuss their roles in an incident using the context of a simulated emergency situation. What term best describes this event? A. Partial Activation B. Walkthrough C. Tabletop D. Full Activation

Correct Answer: C Activations, whether full or partial, only occur in response to an actual incident. So, that is not the correct answer. Walkthroughs are instructional sessions designed to familiarize team members with their roles and are not structured around a scenario. So, that is not the correct answer either. Tabletop exercises are informal sessions that gather team members to discuss how they would respond in a given scenario. Making tabletop the correct answer.

Carmen recently collected evidence from a variety of sources and is concerned that the clocks on the systems generating the evidence may not be synchronized. What would be her best course of action? A. Modify the system clocks B. Configure the systems to use an NTP server C. Record the time offsets for each device D. Modify the time stamps in the evidence to match real time

Correct Answer: C At this point, Carmen has already collected the evidence, so changing the system clocks (manually or through NTP) would have no effect. Carmen should never modify evidence that has already been collected, so her best course of action is to record the time offsets and make the adjustments in her analysis.
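Recording offsets and applying them during analysis, rather than touching the evidence, looks like the following. This is an added example, not code from the quiz or from Cert Mike; the three hosts, their events and their clock offsets are constructed for the demo. The raw timestamps stay in the records exactly as collected, and a corrected timestamp is computed alongside them from the per-device offset measured against a trusted reference clock at collection time.

```python
from datetime import datetime, timedelta, timezone

# Constructed evidence records. "raw" is the timestamp exactly as each device logged it.
EVIDENCE = [
    {"host": "fw01",  "raw": "2024-03-05 10:02:07", "event": "inbound connection allowed"},
    {"host": "web01", "raw": "2024-03-05 10:00:12", "event": "shell spawned by httpd"},
    {"host": "db01",  "raw": "2024-03-05 10:07:15", "event": "bulk SELECT on customers"},
]

# Offsets recorded at collection time as (device clock - reference clock).
# Positive means the device clock runs fast, negative means it runs slow.
OFFSETS = {
    "fw01":  timedelta(seconds=0),
    "web01": timedelta(minutes=-2, seconds=-30),   # web01 is 2m30s slow
    "db01":  timedelta(minutes=4),                  # db01 is 4m fast
}


def _parse(raw):
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def naive_order(records):
    """Hosts in the order a raw sort would suggest (misleading when clocks drift)."""
    return [r["host"] for r in sorted(records, key=lambda r: _parse(r["raw"]))]


def normalize(records, offsets):
    """Return a new timeline with a corrected timestamp per record, raw values untouched."""
    out = []
    for r in records:
        corrected = _parse(r["raw"]) - offsets[r["host"]]   # remove the device's drift
        out.append({**r, "corrected": corrected})
    return sorted(out, key=lambda r: r["corrected"])


if __name__ == "__main__":
    print("raw order      :", naive_order(EVIDENCE))
    for r in normalize(EVIDENCE, OFFSETS):
        print(f"{r['corrected']:%H:%M:%S} (raw {r['raw'][11:]}) {r['host']:6} {r['event']}")
```

Sorted by raw timestamps, the shell on web01 appears to precede the firewall allowing the connection, which makes no sense; once the recorded offsets are applied the sequence becomes firewall allow, shell spawn, database query, while the original `raw` fields remain available for anyone who needs to reproduce the correction.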

Bijan is configuring an automated data transfer between two servers and is choosing an authentication technique for one server to connect to the other. What approach would be best-suited for this scenario? A. Biometric Authentication B. Smart Card Authentication C. SSH Key D. Hard Coded Password

Correct Answer: C Biometrics and smart cards require a human to intervene, either by submitting to a biometric scan or by presenting a smart card. This question asked about automated transfers, so those techniques are not appropriate. The use of an SSH key can automate the connection between these two systems without requiring human intervention, making it the correct answer. Passwords should not be hard-coded in applications or scripts, where they are easily stolen, so they're not appropriate here either.

Which one of the following approaches attaches an OCSP validation message to the digital certificate sent to users by a website? A. Certificate Chaining B. Certificate Pinning C. Certificate Stapling D. Certificate Attachment

Correct Answer: C Certificate chaining is used to delegate authority to subordinate certificate authorities. So, that is not the correct answer. Certificate pinning is a technique used to prevent changes in the valid certificate for a domain, which is another incorrect answer. Certificate stapling attaches an OCSP validation to the digital certificate, making it our correct answer. Certificate stapling also saves the client and server the time of repeatedly querying the OCSP server for certificate validity. That last choice, certificate attachment, is just a made-up term and it's not a valid technique.

Alison is preparing to testify in court about the results of a forensic investigation conducted after a security breach. As an expert witness, she will be sharing her interpretation of the evidence collected by others. What type of evidence will Alison be giving? A. Hearsay B. Documentary C. Testimonial D. Tangible

Correct Answer: C Expert witness evidence is best described as testimonial evidence, where a witness is making statements about their own observations and experience. The scenario does not specify that Alison will be introducing any documents or tangible objects herself. Hearsay would only apply if Alison makes statements about what other people said to her, which is also not described in the scenario.

Helen is concerned about eavesdropping on a network that she manages. If a user on the network accesses only HTTPS sites, what information would an eavesdropper be able to determine about the sites that the user visits? A. IP addresses, site domains, and site content B. IP addresses and site domains C. IP addresses only D. An eavesdropper would not be able to gather any of this information

Correct Answer: C HTTPS traffic is protected by Transport Layer Security (TLS). An eavesdropper would not be able to see any information from inside the connection, such as the requested URL or the page content. So these are not the correct answers. However, an eavesdropper would be able to determine the IP addresses of sites visited by the user, making IP addresses the correct answer for this question. A practitioner should know that in practice the hostname is usually exposed as well: the Server Name Indication (SNI) extension in the TLS ClientHello carries the server name in cleartext unless Encrypted Client Hello is in use, and the user's DNS lookups reveal the same names.

Jessica believes that a server in her organization was compromised by an attacker. Which one of the following endpoint security platforms would provide the most visibility into activity on that device? A. HIPS B. Microsoft Configuration Manager C. EDR D. MDM

Correct Answer: C If the organization uses host intrusion prevention systems (HIPS) or Microsoft Configuration Manager, those technologies may provide useful information during the investigation but they do not provide the comprehensive tracking found in an EDR platform. Endpoint detection and response (EDR) platforms are designed specifically to track all activity that occurs on a device for use in forensic analysis and security operations, making it our correct answer. A server would generally not be regulated by a mobile device management (MDM) solution.

Harold is investigating a security incident where the victim was visiting a message board and viewed a message containing malicious code. He had another tab open in his browser that was logged into a popular shopping website. The malicious code on the message board made a purchase on the shopping website without his knowledge and shipped the merchandise to an overseas address. What type of attack likely took place? A. Server-side request forgery B. Cross-site scripting C. Cross-site request forgery D. Phishing

Correct Answer: C In this case, the attack depended upon the fact that the victim was already logged into the shopping website. The attacker knew that some portion of the visitors to the message board would be logged into that site and took advantage of that trust relationship: the victim's browser automatically attached his shopping-site session cookie to a request the attacker's page generated, so the site treated the purchase as his. That's an example of a cross-site request forgery attack. Cross-site scripting attacks inject script into the vulnerable site itself rather than relying on the browser's authenticated session with a different site. Server-side request forgery attacks target the web server itself rather than the end user. Phishing attacks attempt to trick the user into sharing sensitive information, but this attack took place without the victim's knowledge.
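The defense that distinguishes CSRF from a legitimate request is a secret the attacker's page cannot read. The following added example (not code from the quiz or from Cert Mike) simulates the shopping site's purchase endpoint twice: once trusting the session cookie alone, once also requiring a per-session anti-CSRF token. The framework-free request dictionaries, the session store and the token scheme (an HMAC of the session id under a server-side key) are assumptions for the demo; real frameworks ship an equivalent synchronizer-token mechanism.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)          # server-side key for CSRF tokens (demo assumption)
SESSIONS = {"sess-harold": {"user": "harold", "orders": []}}   # constructed session store


def issue_csrf_token(session_id):
    """Token embedded in the site's own forms; bound to the session so it can't be reused."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def purchase_vulnerable(request):
    """Trusts the cookie alone: any site can make the victim's browser send this request."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401
    sess["orders"].append(request["form"]["ship_to"])
    return 200


def purchase_protected(request):
    """Requires a token the attacker's page cannot obtain (same-origin policy hides it)."""
    sess_id = request["cookies"].get("session")
    sess = SESSIONS.get(sess_id)
    if sess is None:
        return 401
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(sess_id)):
        return 403                        # cookie present but token missing/wrong: forged
    sess["orders"].append(request["form"]["ship_to"])
    return 200


def forged_request():
    """What the malicious message-board page makes Harold's browser send.
    The browser attaches the shopping-site cookie automatically; the attacker
    has no way to read the CSRF token out of the shopping site's pages."""
    return {"cookies": {"session": "sess-harold"},
            "form": {"ship_to": "overseas address"}}


def legitimate_request():
    """A purchase submitted from the shopping site's own checkout form."""
    return {"cookies": {"session": "sess-harold"},
            "form": {"ship_to": "home address",
                     "csrf_token": issue_csrf_token("sess-harold")}}


if __name__ == "__main__":
    print("vulnerable endpoint, forged request :", purchase_vulnerable(forged_request()))
    print("protected endpoint,  forged request :", purchase_protected(forged_request()))
    print("protected endpoint,  real request   :", purchase_protected(legitimate_request()))
    print("orders on record:", SESSIONS["sess-harold"]["orders"])
```

The vulnerable endpoint accepts the forged purchase with a 200 because the cookie is all it checks; the protected endpoint rejects it with a 403 and still accepts the genuine checkout. Marking the session cookie `SameSite=Lax` (or `Strict`) adds a second, browser-enforced layer by keeping the cookie off most cross-site requests in the first place.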

Tom would like to amend his organization's exit interview process to protect against former employees leaking sensitive information. Which one of the following approaches would best meet his needs? A. Asking employees to sign an NDA before departure B. Threatening employees with legal action if they violate the NDA C. Reminding employees of the NDA that they signed upon employment D. No action is appropriate

Correct Answer: C It is not appropriate to ask a former employee to sign an NDA, as they have no obligation or incentive to do so. So this is not the correct answer. Threatening an employee would likely be counterproductive. So this is not the correct answer. Tom should remind employees of their obligations under their existing NDA.

Which one of the following statements about block and stream ciphers is correct? A. Stream ciphers commonly use Feistel networks. B. Block ciphers are faster than equivalent stream ciphers. C. Most modern ciphers are block ciphers. D. Block ciphers encrypt one byte at a time.

Correct Answer: C It is true that block ciphers make up the vast majority of modern encryption algorithms. Stream ciphers are generally faster, not slower, than block ciphers. Block ciphers may make use of Feistel networks (DES does; AES uses a substitution-permutation network instead), while stream ciphers do not. Block ciphers work on fixed-size blocks of data, rather than a single byte at a time.

Jan is working as a team member during a cybersecurity exercise. As part of her work, she is researching and testing different tactics that her team might use to gain access to target systems. What team is Jan most likely a member of? A. Blue team B. Purple team C. Red team D. White team

Correct Answer: C Jan is helping her team research tactics to attack systems, which is an example of an offensive operation. During a cybersecurity exercise, the red team is responsible for conducting offensive operations, while the blue team conducts defensive operations. The white team consists of the officials who moderate the exercise and arbitrate rules disputes. Purple teaming occurs after the exercise when the red and blue teams come together to discuss tactics and lessons learned.

Under GDPR, which one of the following statements about Data Protection Officers (DPOs) is incorrect? A. DPOs must be appointed based upon professional qualities and expert knowledge B. Regulatory bodies must be informed of the name and contact information for the DPO C. DPOs must be employees of the organization D. Organizations may not provide instructions to the DPO on performing their tasks under GDPR Article 39

Correct Answer: C Let's walk through these and eliminate the statements that we know are correct about the GDPR. First, it is true that data protection officers, or DPOs, must be appointed based upon their professional expertise. DPOs must be well-qualified for their positions. So we can eliminate that answer. And once an organization appoints a DPO, they must notify regulators of the appointment and provide contact information so that the regulators may contact the DPO. Finally, organizations must provide the DPO with autonomy to perform their work under GDPR Article 39, so we'll eliminate that answer. Organizations are allowed to designate a contractor or service provider as an external DPO, if they wish to do so, so that makes the statement that DPOs must be employees of the organization the incorrect statement and our correct answer.

Frank is reviewing the security of a customer environment and finds that they are using the Password Authentication Protocol on their network. What finding should Frank bring to the customer's attention. A. PAP is not compatible with non-Windows operating systems B. PAP is commonly configured by attackers and this may be a sign that the network is compromised C. PAP is an insecure protocol D. No finding is necessary, as PAP is a commonly used secure protocol

Correct Answer: C The Password Authentication Protocol (PAP) transmits the username and password in cleartext, with no encryption and no challenge-response protection, so it is not considered a secure protocol. Frank should recommend that his customer replace PAP with a secure alternative. This is the correct answer. PAP is not Windows-specific, so the compatibility statement is incorrect, and PAP is a legitimate, if outdated, protocol rather than something attackers configure, so it is not a sign of compromise either.

Which one of the following authentication mechanisms is most susceptible to pass-the-hash attacks? A. Kerberos B. SAML C. NTLM D. Shibboleth

Correct Answer: C Pass the hash attacks do not affect the Kerberos authentication system and they are also not likely found in the technologies supporting federation, such as the Security Assertion Markup Language (SAML), or Shibboleth. The NT LAN Manager (NTLM) authentication system used in some Windows-based networks is particularly susceptible to pass-the-hash attacks, so that's our correct answer.

Susan is looking for a security solution that is capable of reacting automatically to security information and performing a variety of tasks across other security solutions. Which one of the following technologies would best meet her needs? A. CASB B. SIEM C. SOAR D. IPS

Correct Answer: C Security orchestration, automation, and response (SOAR) platforms are specifically designed to react to security information and perform workflows across a variety of other systems, which would make it the best choice. Security information and event management (SIEM) platforms are capable of doing this to some degree, but they are not as well suited to the task as SOAR platforms, so while SIEM might be a good answer, it's not the best possible answer. When you take a security certification exam, it's very important to remember that questions may have one or more possible answers. You always want to choose the best of those choices. That's why it's very important to read the entire question carefully! Cloud access security brokers (CASB) and intrusion prevention systems (IPS) are not designed for correlating and responding to security information. CASB systems enforce security policies across cloud environments while an IPS is designed to detect and block intrusions.

In the eDiscovery reference model, what phase includes an attorney analysis of material to determine what is relevant to the case? A. Processing B. Identification C. Review D. Production

Correct Answer: C The eDiscovery Reference Model uses nine stages to describe the discovery process. During stage 5, processing, data is processed to remove irrelevant information as well as prepared for review and analysis. So, this isn't the correct answer. During stage 2, identification, stored information is identified in order to know what you have and where it is. So, this isn't the correct answer either. During stage 6, review, attorney review of collected material takes place to ensure that it only contains what it is supposed to, and that information that should not be shared is not included. This is done after identification, collection, and processing, but prior to production, and is the correct answer. During stage 8, production, data is produced to provide the information to third parties or those involved in legal proceedings. So, this is another incorrect answer.

Which one of the following cryptographic algorithms does not depend upon the prime factorization problem? A. RSA B. GPG C. ECC D. PGP

Correct Answer: C The prime factorization problem forms the basis for RSA, one of the most widely used public key algorithms. PGP and GPG are encryption software packages rather than algorithms in their own right, but they have traditionally relied on RSA keys for their public key operations and so depend upon the same problem. That eliminates all three - RSA, PGP, and GPG - as the answer. The elliptic curve cryptosystem (ECC) does not depend upon the prime factorization problem. The security of ECC depends upon the difficulty of finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point. That makes it our correct answer!

Tina is an independent security researcher who tests the security of systems of large corporations. She is working with a large automotive supplier to test the security of their systems. What term best describes Tina's work on this engagement? A. Black hat B. Blue hat C. White hat D. Grey hat

Correct Answer: C Tina is working under an authorized contract, so her work is clearly that of a white hat hacker. White hats do not need to be employees of the company being tested, they merely must be authorized to do their work. If Tina was working without permission, but intended to report results only to the target company, her work would be considered grey hat. If she had malicious intent, she would be a black hat hacker. Blue hat is not a term commonly used to categorize attackers.

Barry is configuring 802.1x authentication for his wireless network. In a typical wireless authentication scenario, what device would act as the 802.1x client? A. Mobile devices connecting to the network B. Router C. Wireless access point D. Back-end authentication server

Correct Answer: C In 802.1X terminology the connecting device is the supplicant, the wireless access point (or wireless controller) is the authenticator, and the back-end server, typically RADIUS, is the authentication server. It is the authenticator that acts as the client of the authentication server, relaying the supplicant's EAP messages to it and enforcing the result on the port; that is the sense in which the access point is the 802.1X client in this question.

Donna is looking for a secure way to transfer files between systems. The systems in question are already configured for SSH connections. What file transfer method could she use that would leverage the SSH protocol? A. FTPS B. Dropbox C. HTTPS D. SFTP

Correct Answer: D The SSH File Transfer Protocol (SFTP) provides a file transfer capability through a Secure Shell (SSH) connection. FTP Secure (FTPS) also provides secure file transfers, but does so by running the classic FTP protocol over TLS and does not use SSH. Dropbox is a proprietary file sharing service that does not use SSH. The HyperText Transfer Protocol Secure (HTTPS) is a secure web protocol that may be used for file transfers but does not leverage SSH.

Tim's organization is planning the future of their data center infrastructure and has decided that they would like to move to a cloud service model. They have already embraced virtualization but would like to gain the management benefits of a cloud offering. They are working with a service provider who will provision hardware for their exclusive use. That equipment will reside in a data center that serves many customers. What type of cloud deployment model is Tim's organization considering? A. Public B. Hybrid C. Community D. Private

Correct Answer: D This is an example of a private cloud deployment, where the service provider is dedicating hardware to this specific customer. Private clouds may operate in data centers that are dedicated to that single customer or, as in this case, they may operate in shared data centers. The difference is that each customer's equipment is segregated and customers do not share hardware. That shared hardware approach is the hallmark of public and community cloud models. Hybrid cloud models mix elements of public and private clouds. There is no indication that Tim's organization intends to do this.

Gavin is managing the access control system for his organization. Users often change jobs and he would like to select an approach that will make it easy to reassign permissions when users move around the organization. Which access control model is best suited for his needs? A. ABAC B. DAC C. MAC D. RBAC

Correct Answer: D This situation calls for role-based access control, where authorizations are assigned based upon a user's role in the organization. This approach would allow Gavin to simply change a user's role when they switch jobs and then the permissions would automatically update based upon the user's new role.

Dylan is creating a cloud architecture that requires connections between systems in two different private VPCs. What would be the best way for Dylan to enable this access? A. VPN Connection B. Internet Gateway C. Public IP Address D. VPC Endpoint

Correct Answer: D A VPN connection seamlessly links endpoints on different networks, but is not the best answer in this case. An internet gateway connects an endpoint out to the Internet and is not the best choice for this situation. A public address is used to identify a host on the Internet, making it another incorrect answer. These three incorrect answers would allow the access but would require crossing public networks, reducing security and adding inefficiency. The easiest and most secure way for Dylan to enable this access is through the use of a VPC endpoint, which allows direct, private connections between the VPCs without leaving the cloud provider's network (AWS offers this as PrivateLink; VPC peering is the other common way to link two VPCs privately).

Alan is conducting a penetration test and gains access to an application server. During his attack, he creates a new administrative account on the server that he can use to access the system through its standard user interface. What testing goal is Alan hoping to achieve with this action? A. Pivoting B. Cleanup C. Lateral Movement D. Persistence

Correct Answer: D Alan is providing himself with a way to access the system at a later date through alternative channels. This is an example of persistence, allowing his access to the system to remain intact even if the original vulnerability he exploited is later patched. Pivoting and lateral movement are techniques where the attacker gains access to one system and then uses that access to gain access to other systems. That's not what's happening here. Finally, cleanup occurs when the attacker removes traces of their presence from the network. That hasn't yet happened in this scenario.

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner? A. Domain Administrator B. Local Administrator C. Root Account D. Read Only Account

Correct Answer: D Credentialed scans only require read-only access to target servers, so Renee should follow the principle of least privilege and limit the access available to the scanner by using a read-only account. Using a domain administrator account would provide far more privileges than necessary, allowing the scanner (or anyone who steals its stored credentials) to potentially disrupt almost any device on the network. Using a local administrator account would have similar issues, although the problems caused by the scanner would be limited to the local system. The root account is the Unix equivalent of a local administrator account and carries the same risk.

What is the purpose of a DNS amplification attack? A. Host redirection B. Record poisoning C. Man-in-the-middle D. Resource exhaustion

Correct Answer: D DNS amplification is a denial of service technique that sends small queries with spoofed source addresses to DNS servers, generating much larger, amplified, responses back to the spoofed address. The purpose is to consume all of the bandwidth available to the target system, resulting in a resource exhaustion denial of service attack.

What cryptographic technology enables anonymity in the Tor network? A. Elliptic Curve Cryptography B. Quantum Cryptography C. Key Stretching D. Perfect Forward Secrecy

Correct Answer: D Elliptic curve cryptography has several uses including public key encryption, digital signatures, and secure protocols, but it is not the right answer. Quantum cryptography also has several uses including key exchange and secure communications, but it too is not the right answer. Key stretching is used to strengthen encryption keys derived from passwords. So, that is not the correct answer here. The Tor network relies on perfect forward secrecy: the symmetric keys for each hop of a circuit are negotiated with ephemeral key exchange and discarded afterwards, so a relay that is later compromised cannot decrypt traffic that was recorded earlier. Combined with onion routing, in which each relay knows only the identity of the immediately adjacent links in the chain, this is what gives Tor users their anonymity.

Gina is reviewing the configuration of an Apache Ubuntu web server environment and would like to review appropriate security configuration guides. Which one of the following guides would be least relevant to her situation? A. Apache web server configuration guide B. Web application firewall configuration guide C. Firewall configuration guide D. Windows operating system configuration guide

Correct Answer: D Gina should consult the configuration guides for all devices, operating systems, and applications associated with the web server or involved in handling traffic directed to it. This would include the Apache web server itself, the Ubuntu operating system it runs on, the firewall, and the web application firewall. A Windows configuration guide would not be useful because the web server is running Ubuntu Linux.

Which one of the following industry standards describes a standard approach for setting up an information security management system? A. CIS B. ISO 27002 C. OWASP D. ISO 27001

Correct Answer: D ISO 27001 describes a standard approach for setting up an information security management system, making it the correct answer. ISO 27002 goes into more detail on specific information security controls, which is not what we are looking for. The Center for Internet Security (CIS) produces configuration benchmarks used to securely configure operating systems, applications, and devices, so it is an incorrect answer. The Open Web Application Security Project (OWASP) provides advice and tools focused on web application security, another incorrect answer.

Which ISO standard contains specific guidance on the privacy of personally identifiable information? A. ISO 27001 B. ISO 27002 C. ISO 31000 D. ISO 27701

Correct Answer: D ISO 27701 extends an ISO 27001/27002 information security management system with privacy information management requirements for protecting personally identifiable information. ISO 27001 and 27002 cover the requirements and best practices for implementing an information security management system. The ISO 31000 family of standards covers the design and implementation of a risk management program.

Which one of the following would not be considered an OSINT tool? A. WHOIS lookups B. Google searches C. Website perusal D. Vulnerability scans

Correct Answer: D Open source intelligence (OSINT) is the passive collection of publicly available information. This includes domain registration records found in WHOIS entries, the contents of public websites, and Google searches. Vulnerability scans send probe traffic directly to the target, making them an active reconnaissance technique that would not be considered OSINT.

Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans? A. Daily B. Weekly C. Monthly D. Quarterly

Correct Answer: D PCI DSS requires that organizations conduct internal and external vulnerability scans at least quarterly and after any significant change to the environment, with external scans performed by an Approved Scanning Vendor (ASV). Many organizations choose to scan on a much more frequent basis.

Maliah is responding to a security incident where a call center representative was tricked into disclosing his password. The representative went to visit a company website and was redirected to an illegitimate site that looked like the corporate site, but stole his password. What term best describes this attack? A. Phishing B. Watering Hole C. Whaling D. Pharming

Correct Answer: D Phishing is a broad term for fraudulently obtaining user credentials and sensitive data, usually through unsolicited email. In this case, the victim was redirected while visiting a legitimate address, so this was not a phishing attack. A watering hole attack is built around a website that a particular group visits often; for example, it might place malicious code on a message board used by a company's employees. Watering hole attacks do not redirect users, so that is not the correct answer either. Whaling is a type of phishing aimed at high-profile employees, and we have already ruled out phishing, so this is another incorrect answer. This scenario is an example of a pharming attack, where name resolution (DNS or the local hosts file) is manipulated so the victim is redirected to an illegitimate site that steals their credentials.

Which one of the following technologies is not commonly used in embedded systems? A. FPGA B. Raspberry Pi C. Arduino D. SELinux

Correct Answer: D Raspberry Pis, Arduinos, and field-programmable gate arrays (FPGAs) are all hardware platforms that are easily reconfigured for use in embedded systems, so these are not the correct answers. Security-Enhanced Linux (SELinux) is not a hardware platform at all: it is a mandatory access control module built into the Linux kernel. Its policy overhead and complexity make it uncommon on small embedded systems, so this is the correct answer.

Which one of the following authentication mechanisms is generally not used in smartphone devices? A. Facial recognition B. Passcode C. Fingerprint scanning D. Retinal scanning

Correct Answer: D Retinal scanning is a slow, intrusive technique that requires specialized hardware and cannot be performed with a standard smartphone. Smartphones do commonly use passcodes, fingerprint scanning and facial recognition for authentication.

Which one of the following security controls provides the best defense against tailgating? A. Air Gaps B. Biometrics C. Turnstiles D. Access Control Vestibule

Correct Answer: D Tailgating attacks occur when an unauthorized individual slips into a facility behind an authorized user who opens the door. An air gap is a network isolation control, not a physical entry control, so it does nothing to stop someone following an authorized person through a door; this is not the correct answer. With biometrics, once one person has authenticated, another person can still slip in behind them, so this is not the correct answer either. Turnstiles may help against tailgating, but an attacker can climb over a turnstile, making it not as effective, so this is not the best answer. Access control vestibules are isolation areas where one person completes the authentication process and enters the facility before a second person can enter the vestibule. This is the correct answer.

Patrick is investigating a security incident. He believes that the incident is originating from a single system on the Internet and targeting multiple systems on his network. What control could he put in place to stop the incident as quickly as possible? A. Host firewall rule B. Operating system update C. DDoS Mitigation D. Network Firewall Rule

Correct Answer: D The attack in question could be stopped most quickly with a network firewall rule blocking all traffic from the origin system's IP address at the perimeter, which protects every internal target at once. Host firewall rules would also address the issue but would be more time-consuming to create on every system. An operating system update would not stop attack traffic, making it another incorrect answer. There is also no indication that a DDoS attack is underway, so a DDoS mitigation service would not be helpful. Note that a single-address block is only a stopgap: if the attacker moves to a new source address, the rule must be updated.
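As an added example (not from the original study set), the following Python reproduces the triage step Patrick would take: confirm from firewall logs that one external source is fanning out across many internal hosts, then emit the perimeter rule. The log lines are constructed, the internal range and the nftables table and chain names are assumptions, and the rule is printed rather than executed so it can be reviewed first.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed firewall log lines for illustration (not real traffic).
SAMPLE_LOG = """\
DROP SRC=198.51.100.23 DST=10.0.5.4 PROTO=TCP DPT=445
DROP SRC=198.51.100.23 DST=10.0.5.5 PROTO=TCP DPT=445
ACCEPT SRC=203.0.113.8 DST=10.0.5.4 PROTO=TCP DPT=443
DROP SRC=198.51.100.23 DST=10.0.5.6 PROTO=TCP DPT=445
ACCEPT SRC=203.0.113.8 DST=10.0.5.4 PROTO=TCP DPT=443
DROP SRC=198.51.100.23 DST=10.0.5.7 PROTO=TCP DPT=3389
ACCEPT SRC=192.0.2.77 DST=10.0.5.9 PROTO=TCP DPT=22
"""

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the protected address space
LINE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


def fan_out_sources(log_text, min_targets=3):
    """Map each external source to the number of distinct internal hosts it
    touched, keeping only sources that spread across at least min_targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if src not in INTERNAL and dst in INTERNAL:
            targets[src].add(dst)
    return {str(src): len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def nft_block_rule(src):
    """nftables rule text; assumes a table 'inet filter' with a 'forward' chain.

    'insert' puts the rule at the top of the chain so it wins over any
    earlier accept rule.
    """
    ip_address(src)  # raises ValueError, so nothing unvalidated reaches a shell
    return f"nft insert rule inet filter forward ip saddr {src} drop"


if __name__ == "__main__":
    for src in fan_out_sources(SAMPLE_LOG):
        print(nft_block_rule(src))
```

The validation in nft_block_rule matters because the source address comes from log data: a crafted log line must not be able to smuggle extra shell syntax into a command an analyst later pastes.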

Jessica is creating a virtual private cloud (VPC) with a private subnet in her IaaS environment. Which one of the following IP address ranges would not be appropriate for this subnet? A. 172.16.0.0/16 B. 10.16.0.0/16 C. 192.168.0.0/16 D. 181.10.0.0/16

Correct Answer: D RFC 1918 reserves three address ranges for use on private networks and subnets: 10.0.0.0-10.255.255.255 (10.0.0.0/8), 172.16.0.0-172.31.255.255 (172.16.0.0/12), and 192.168.0.0-192.168.255.255 (192.168.0.0/16). Three of the subnets presented in this question fall within these ranges, while the fourth, 181.10.0.0/16, does not. That block is publicly routable address space allocated by an Internet registry to some other organization; using it on a private subnet would make those legitimate public addresses unreachable from inside the VPC.
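As an added example (not part of the original study set), the following Python checks a candidate CIDR against the RFC 1918 blocks with the standard library, and also catches the case a simple membership test misses: a block that only partly overlaps private space, which is just as unusable. The function and variable names are my own.

```python
import ipaddress

# RFC 1918 private address blocks (IPv4 only; subnet_of raises on mixed versions).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(cidr):
    """'private' if wholly inside an RFC 1918 block, 'straddles' if it only
    partly overlaps one (unusable either way), 'public' otherwise."""
    net = ipaddress.ip_network(cidr, strict=False)
    if any(net.subnet_of(block) for block in RFC1918):
        return "private"
    if any(net.overlaps(block) for block in RFC1918):
        return "straddles"
    return "public"


def unsuitable_for_private_subnet(candidates):
    """Return the candidates that must not be used for a private subnet."""
    return [c for c in candidates if classify(c) != "private"]


# The four options from the question.
QUESTION_OPTIONS = ["172.16.0.0/16", "10.16.0.0/16", "192.168.0.0/16", "181.10.0.0/16"]

if __name__ == "__main__":
    for cidr in QUESTION_OPTIONS:
        print(f"{cidr:16} {classify(cidr)}")
```

Checking the RFC 1918 blocks explicitly is deliberate: ipaddress's is_private attribute is broader and also returns True for ranges such as loopback and the documentation networks, which are reserved but not usable for a VPC subnet.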

Helen learned that there is a process isolation vulnerability in the hypervisor platform used by her organization. What is the most direct risk that this vulnerability poses? A. Privilege Escalation B. Denial of Service C. VM Sprawl D. VM Escape

Correct Answer: D The hypervisor is the component of a virtualization platform responsible for managing resources and isolating virtual machines from each other. A failure to properly perform isolation can result in a VM escape attack, where one virtual machine is able to access the resources assigned to other virtual machines, compromising the security of the entire platform. VM sprawl occurs when an organization has too many unused virtual machines and loses track of them. It is possible that a successful VM escape attack could lead to a denial of service or privilege escalation attack, but the question is asking us to identify the most direct risk, so I'm going to stick with VM escape here.

Which one of the following groups is not normally part of an organization's cybersecurity incident response team? A. Technical Subject Matter Experts B. Cybersecurity Experts C. Management D. Law Enforcement

Correct Answer: D The incident response team normally includes a wide range of internal experts, including cybersecurity staff, technical subject matter experts from other disciplines, and management representatives. It would not normally include outside organizations such as law enforcement, although it may interact with those groups through a liaison function.

Wanda would like to implement an operational security control that increases the likelihood that internal fraud will be detected. Which one of the following controls would best meet her objective? A. Two-Person Control B. Least Privilege C. Separation of Duties D. Job Rotation

Correct Answer: D Two-person control, least privilege, and separation of duties are all designed to deter and prevent fraud from occurring in the first place, so none of them would meet Wanda's objective. Of the controls listed, only job rotation serves to detect fraud that has already taken place, because the person rotating into a role is likely to notice irregularities left by the previous holder. This is the correct answer.

Which one of the following sources of evidence contains the least volatile information? A. Memory contents B. Files stored on disk C. ARP tables D. Archival media

Correct Answer: D Volatile information is information that is likely to be altered or lost as time passes. Archival media is designed for long-term storage and is the least volatile data source listed here. ARP tables in a router and the contents of system memory change frequently and are the most volatile, which is why they are collected first during evidence acquisition. Files stored on disk fall between these two extremes.

When operating in a cloud environment, what cloud deployment model provides security teams with the greatest access to forensic information? A. FaaS B. SaaS C. PaaS D. IaaS

Correct Answer: D With Function as a Service (FaaS), you may not be able to access the computing system the function runs on, so that is not the best answer. With Software as a Service (SaaS), you may only have access to the application, so that is another incorrect answer. With Platform as a Service (PaaS), you have additional access to the coding environment, but that is not what we are looking for. Finally, Infrastructure as a Service (IaaS) environments provide analysts with access to the operating system, allowing deeper forensic analysis (memory, disk images, and system logs) than cloud models that operate higher in the stack.

Alan is assessing the results of a penetration test and discovered that the attackers managed to install a back door on one of his systems. What activity were the attackers most likely engaged in when they installed the back door? A. Pivoting B. Privilege Escalation C. Lateral Movement D. Persistence

Correct Answer: D Back doors are an example of a persistence technique. They are designed to allow the attacker to regain access to the system even after the original flaw they exploited is patched; other common persistence techniques include scheduled tasks, new accounts, and modified startup scripts. Pivoting and lateral movement techniques are used to switch targets after gaining initial access to an environment. Privilege escalation techniques are used to gain administrative privileges after obtaining access to a standard user account.
