Jason Dion - Test #5

Which of the following protocols could be used inside a virtual system to manage and monitor the network? 1) SNMP 2) SMTP 3) EIGRP 4) BGP

1) SNMP OBJ-2.6: SNMP is used to monitor and manage networks, both physical and virtual. SMTP is used for email. BGP and EIGRP are used for routing network data.

You have just finished running an nmap scan on a server are see the following output: -=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=- # nmap diontraining.com Starting Nmap ( http://nmap.org ) Nmap scan report for diontraining.com (64.13.134.52) Not shown: 996 filtered ports PORT STATE 22/tcp open 23/tcp open 53/tcp open 443/tcp open Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds -=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=- Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network? 1) 23 2) 443 3) 53 4) 22

1) 23 OBJ-2.2: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet is disabled and blocked from use. The other open ports are for SSH (port 22), DNS (port 53), and HTTPS (port 443).

Which of the following access control methods provides the most detailed and explicit type of access control over a resource? 1) ABAC 2) MAC 3) RBAC 4) DAC

1) ABAC OBJ-4.3: Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes. Information such as the group membership, the OS being used by the user, and even the machine's IP address could be considered when granting or denying access.

As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results? 1) An uncredentialled scan of the network was performed. 2) The scanner was not compatible with the devices on your network 3) The network has an exceptionally strong security posture 4) The scanner failed to connect with the majority of workstations

1) An uncredentialled scan of the network was performed. OBJ-1.5: Uncredentialed scans are generally unable to detect many vulnerabilities on a device. When conducting an internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately determine the network's vulnerability posture. In most enterprise networks, if a vulnerability exists on one machine, it also exists on most other workstations since they use a common baseline or image. If the scanner failed to connect to the workstations, an error would have been generated in the report.

An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application's search form and introduced the following code in the search input field: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- IMG SRC=vbscript:msgbox("Vulnerable_to_Attack");> originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable_to_Attack ");>" -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application? 1) Cross-site scripting 2) Cross-site request forgery 3) Command injection 4) SQL injection

1) Cross-site scripting OBJ-1.2: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

Which of the following cryptographic algorithms is classified as symmetric? 1) DES 2) GPG 3) DSA 4) ECC

1) DES OBJ-6.2: The Data Encryption Standard (DES) is a symmetric-key algorithm for encrypting digital data. Although its short key length of 56 bits makes it too insecure for applications, it was the standard used from 1977 until the early 2000s. GPG, ECC, and DSA are all asymmetric algorithms.

Which of the following describes the rate at which a biometric security system will incorrectly deny access to an authorized user? 1) FRR 2) FPR 3) CER 4) FAR

1) FRR OBJ-4.3: The false rejection rate (FRR) is the measure of the likelihood that the biometric security system will incorrectly reject an access attempt by an authorized user. A system's FRR typically is stated as the ratio of the number of false rejections divided by the number of identification attempts.

Using the image provided, select four security features that you should use with a workstation or laptop within your organization? 1) Host-based firewall, Network sniffer, Cable lock, CAT5e STP 2) CAT5e STP, Location tracking, Host-based firewall, remote wipe

1) Host-based firewall, Network sniffer, Cable lock, CAT5e STP OBJ 3.9: Host-based firewall, Network sniffer, a Cable lock, and CAT5e STP cables are appropriate security features to use with a corporate workstation or laptop. Using a host-based firewall (such as Windows Firewall), you can configure the workstation or laptop to block incoming or outgoing data from the device's network connection. If you install a network sniffer, you will be able to capture any network traffic used on the network for later analysis. If you use a cable lock, it will lock the workstation or laptop to a desk and prevent theft of the device. If you use a CAT 5e STP cable for your network connection, you will minimize EMI risk and reduce data emanations.

Which role validates the user's identity when using SAML for authentication? 1) IdP 2) SP 3) User agent 4) RP

1) IdP OBJ-4.2: The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

Which of the following cryptographic algorithms is classified as asymmetric? 1) 3DES 2) AES 3) RC4 4) PGP

4) PGP OBJ-6.2: Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions and to increase the security of email communications. PGP is a public-key cryptosystem and relies on an asymmetric algorithm. AES, RC4, and 3DES are all symmetric algorithms. Continue Retake test

You have been asked to install a computer in a public workspace. The computer should only be used by an authorized user. Which of the following security requirements should you implement to prevent unauthorized users from accessing the network with this computer? 1) Require authentication on wake-up 2) Issue the same strong and complex password for all users 3) Remove the guest account from the administrator group 4)F Disable single sign-on

1) Require authentication on wake-up OBJ-4.1: To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever the computer is woken up. Therefore, if an authorized user walks away from the computer and goes to sleep when another person tries to use the computer, it will ask for a username and password before granting them access to the network.

You are reviewing a rule within your organization's IDS. You see the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET anymsg: "BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt";flow: to_client,established;file_data;content:"recordset"; offset:14; depth:9;content:".CacheSize"; distance:0; within:100;pcre:"/CacheSize\s*=\s*/";byte_test:10,>,0x3ffffffe,0,relative,string;max-detect-ips drop, service http;reference:cve,2016-8077;classtype: attempted-user;sid:65535;rev:1;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on this rule, which of the following malicious packets would this IDS alert on? 1) Any malicious inbound packets 2) An malicious inbound TCP packet

2) An malicious inbound TCP packet OBJ-2.4: The rule header is set to alert only on TCP packets based on this IDS rule's first line. The flow condition is set as "to_client,established," which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port be analyzed, and the direction of flow.

Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont's discovery, what type of attack might occur? 1) SQL injection 2) Buffer overflow 3) Malicious logic 4) Cross-site scripting

2) Buffer overflow OBJ-1.2: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can cause an overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Programs should use the variable size validation before writing the data to memory to ensure that the variable can fit into the buffer to prevent this type of attack.

Which of the following is NOT a means of improving data validation and trust? 1) Encrypting data in transit 2) Decrypting data at rest 3) Implementing Tripwire 4) USing MD5 checksums for files

2) Decrypting data at rest OBJ-6.1: Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation, or trust since the data at rest could be modified when decrypted.

You have just received some unusual alerts on your SIEM dashboard and want to collect the payload associated with it. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization's normal business operations? 1) Jumpbox 2) Honeypot 3) Sandbox 4) Containerization

2) Honeypot OBJ-2.2: A honeypot is a host set up to lure attackers away from the actual network components and/or discover attack strategies and weaknesses in the security configuration. A jumpbox is a hardened server that provides access to other hosts. A sandbox is a computing environment isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Containerization is a type of virtualization applied by a host operating system to provide an isolated execution environment for an application.

You have been asked to write a new security policy to reduce the risk of employees working together to steal information from the Dion Training corporate network. Which of the following policies should you create to counter this threat? 1) Acceptable use policy 2) Mandatory vacation policy 3) Privacy policy 4) Least privilege policy

2) Mandatory vacation policy OBJ-5.1: A mandatory vacation policy requires that all users take time away from work to enjoy a break from their day to day routine of their jobs. But, there is a major side benefit to mandatory vacations regarding your company's security posture. It will require the company to have another employee fill in for the vacationing employee's normal roles and responsibilities by requiring mandatory vacations. The employee who is filling in might come across fraud, abuse, or theft that the vacationing employee is a part of. The concept of least privilege may not stop this theft from occurring since two employees could work together to steal information that they have access to as part of their job. Also, acceptable use outlines the types of activities allowed and not allowed; it won't prevent theft from occurring. A privacy policy discusses how information should be properly stored and secured, but this won't stop an employee from stealing information or detecting the stolen information.

Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? 1) Installation of anti-virus tools 2) User and entity behavior analytics 3) Implement endpoint protection platforms 4) Use of a host-based ids or IPS

2) User and entity behavior analytics OBJ-3.5: Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning and may have a higher false-positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms.

You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server? 1) Vulnerability scan 2) Protocol analysis 3) Banner grabbing 4) Passive scan

3) Banner grabbing OBJ-2.2: Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server's response. This banner usually contains the operating system being run by the server and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time consuming and not fully accurate methods to determine the version being run.

Which of the following access control models is the most flexible and allows the resource owner to control the access permissions? 1) ABAC 2) RBAC 3) DAC 4) MAC

3) DAC OBJ-4.3: Discretionary access control (DAC) stresses the importance of the owner. The original creator of the resource is considered the owner and can then assigned permissions and ownership to others. The owner has full control over the resource and can modify its ACL to grant rights to others. This is the most flexible model and is currently implemented widely in Windows, Unix, Linux, and macOS systems.

You have just finished running a vulnerability scan of the network and are reviewing the results. The first result in the report shows the following vulnerability: (IMAGE) You log into the MySQL server and verify that you are currently running version 3.5.3. Based on the item shown on the image, what best describes how you should categorize this finding? 1) False negative 2) True negative 3) False positive 4) True positive

3) False positive Practice Exam #5 - Results Return to review Attempt 1 All knowledge areas All questions Question 1: Incorrect Which of the following access control models is the most flexible and allows the resource owner to control the access permissions? ​ ABAC ​ RBAC (Incorrect) ​ DAC (Correct) ​ MAC Explanation OBJ-4.3: Discretionary access control (DAC) stresses the importance of the owner. The original creator of the resource is considered the owner and can then assigned permissions and ownership to others. The owner has full control over the resource and can modify its ACL to grant rights to others. This is the most flexible model and is currently implemented widely in Windows, Unix, Linux, and macOS systems. Question 2: Correct You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it? ​ Data sanitization ​ Data correlation (Correct) ​ Data recovery ​ Data retention Explanation OBJ-3.2: Data correlation is the first step in making sense of data from across numerous sensors. This will ensure the data is placed concerning other pieces of data within the system. For example, if your IDS detected an incident, host logs were collected, and your packet capture system collected the network traffic, the SIEM could be used to correlate all three pieces of information from these different systems to allow an analyst to understand the event better. By conducting data correlation, it allows an analyst to identify a pattern more clearly and take action. Data correlation should be performed as soon as the SIEM indexes the data. Question 3: CorrectDion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent? ​ Brute force attack (Correct) ​ Privilege escalation ​ Man-in-the-Middle ​ Spoofing Explanation OBJ-1.2: Since the policy will lockout the student for 15 minutes between attempts, it is a valid mitigation technique against a brute force attack. By extending the waiting period, the attacker's brute force attempts are less effective. Question 4: Correct A new smartphone supports users' ability to transfer a photograph by simply placing their phones near each other and "tapping" the two phones together. What type of technology does this most likely rely on? ​ IR ​ NFC (Correct) ​ BT ​ RF Explanation OBJ-1.2: NFC, or near-field communication, is a set of communication protocols that enable two electronic devices, one of which is usually a portable device such as a smartphone, to establish communication by bringing them within 4 cm of each other. This is commonly used for contactless payment systems, transferring contacts, or transferring a file from one device to another. Question 5: CorrectWhich of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks? ​ Directory traversals ​ Output encoding ​ File inclusions ​ Faulty input validation (Correct) Explanation OBJ-3.6: A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory. In a file inclusion attack, the attacker adds a file to a web app or website's running process. The file is either constructed to be malicious or manipulated to serve the attacker's malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker's site. Question 6: IncorrectWhich of the following describes the rate at which a biometric security system will incorrectly deny access to an authorized user? ​ FRR (Correct) ​ FPR ​ CER (Incorrect) ​ FAR Explanation OBJ-4.3: The false rejection rate (FRR) is the measure of the likelihood that the biometric security system will incorrectly reject an access attempt by an authorized user. A system's FRR typically is stated as the ratio of the number of false rejections divided by the number of identification attempts. Question 7: CorrectWhich of the following password policies defines the types of alphanumeric characters required to be utilized in a user's password? ​ Password expiration ​ Password length ​ Password history ​ Password complexity (Correct) Explanation OBJ-4.4: The Passwords must meet complexity requirements policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Enabling this policy setting requires passwords to meet more complicated password requirements. This includes using uppercase, lowercase, numeric, and special characters. Question 8: Incorrect Which of the following categories would contain information about a French citizen's race or ethnic origin? ​ PII (Incorrect) ​ DLP ​ PHI ​ SPI (Correct) Explanation OBJ-5.8: According to the GDPR, information about an individual's race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject's opinions, beliefs, and nature afforded specially protected status by privacy legislation. As it cannot be used to identify somebody or make any relevant assertions about health uniquely, it is neither PII nor PHI. Data loss prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks. Question 9: Incorrect An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system? ​ Pivoting ​ Lateral movement ​ Pass the hash (Correct) ​ Golden ticket (Incorrect) Explanation OBJ-1.2: Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible. Question 10: Incorrect You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server? ​ Vulnerability scan (Incorrect) ​ Protocol analysis ​ Banner grabbing (Correct) ​ Passive scan Explanation OBJ-2.2: Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server's response. This banner usually contains the operating system being run by the server and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time consuming and not fully accurate methods to determine the version being run. Question 11: CorrectAn attacker has issued the following command: nc -l -p 8080 | nc 192.168.1.76 443. Based on this command, what will occur? ​ Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443 (Correct) ​ Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080 ​ Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76 ​ Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080 Explanation OBJ-2.2: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to execute during a single command execution. Next, netcat sends the data to the given IP (192.168.1.76) over port 443. This is a common technique to bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel). Question 12: CorrectYour organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted? ​ VDI (Correct) ​ UEBA ​ VPC ​ VPN Explanation OBJ-2.5: Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from a user's physical computer. Virtual private cloud (VPC) is a private network segment made available to a single cloud consumer on a public cloud. A virtual private network (VPN) is a secure tunnel created between two endpoints connected via an insecure network, typically the internet. User and entity behavior analytics (UEBA) is a system that can provide an automated identification of suspicious activity by user accounts and computer hosts. Question 13: IncorrectWhich of the following is NOT a means of improving data validation and trust? ​ Encrypting data in transit ​ Decrypting data at rest (Correct) ​ Implementing Tripwire (Incorrect) ​ Using MD5 checksums for files Explanation OBJ-6.1: Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation, or trust since the data at rest could be modified when decrypted. Question 14: Correct Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customer's data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario? ​ Data limitation ​ Data enrichment ​ Data minimization ​ Data sovereignty (Correct) Explanation OBJ-5.6: While the fictitious Westeros may have no privacy laws or regulations, the laws of the countries where the company's customers reside may still retain sovereignty over the data obtained from those regions during the course of the company's business there. This is called Data Sovereignty. Data sovereignty refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service. Fail to Pass Systems will likely face steep fines from different regions if they go through with their plan to sell all of their customers' data to the highest bidders. Fail to Pass Systems may even be blocked from communicating with individual regions. Although Data minimization and data limitation policies may be violated depending on the company's internal policies, these policies are not legally binding like the provisions of GDPR are. Data enrichment means that the machine analytics behind the view of a particular alert can deliver more correlating and contextual information with a higher degree of confidence, both from within the local network's data points and from external threat intelligence. Question 15: Correct You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment? ​ Sandboxing ​ Bypass testing and deploy patches directly into the production environment ​ Virtualization (Correct) ​ Purchase additional workstations Explanation OBJ-3.3: When you have a limited amount of hardware resources to utilize but have a requirement to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system before deployment. You should never deploy patches directly into production without testing them first in the lab. Question 16: IncorrectWhich of the following access control methods provides the most detailed and explicit type of access control over a resource? ​ ABAC (Correct) ​ MAC ​ RBAC (Incorrect) ​ DAC Explanation OBJ-4.3: Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes. Information such as the group membership, the OS being used by the user, and even the machine's IP address could be considered when granting or denying access. Question 17: IncorrectKeith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application? ​ Private key of the file ​ File size and file creation date ​ Public key of the file (Incorrect) ​ MD5 or SHA1 hash digest of the file (Correct) Explanation OBJ-6.1: Keith should conduct a hash of the downloaded file and compare it against the MD5 hash digest listed on the server of this file. This file needs to be a verifiable MD5 hash file to validate the file integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on comparing hash digests. A public or private key would not be assigned solely to a single file, nor do they provide integrity on their own. Public and private keys are used to ensure data confidentiality, whereas a hash digest ensures integrity. The file size and file creation date are additional forms of metadata that could help validate a file's integrity. Still, they of a much lower quality and trust factor than using a hash digest. Therefore MD5 or SHA1 is a better choice. Question 18: CorrectWhich of the following would NOT be included in a company's password policy? ​ Password style (Correct) ​ Password history ​ Password complexity requirements ​ Password age Explanation OBJ-4.4: A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. It contains items like password complexity, password age, and password history requirements. Question 19: CorrectWhich of the following is not considered an authentication factor? ​ Something you want (Correct) ​ Something you are ​ Something you know ​ Something you have Explanation OBJ-4.1: The five factors of authentication are knowledge, possession, biometric, action, and location. This is also known as 'something you know,' 'something you have,' 'something you are,' 'something you do,' and 'somewhere you are.' Question 20: CorrectWhen you are managing a risk, what is considered an acceptable option? ​ Reject it ​ Deny it ​ Initiate it ​ Mitigate it (Correct) Explanation OBJ-5.3: Mitigating a risk makes the effect of a risk a little less unpleasant, harmful, or serious. The majority of risk management is focused on mitigating risks down to an acceptable level of loss or risk. The risk response actions are accept, avoid, mitigate, or transfer. Question 21: Incorrect (Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Larger image How would you appropriately categorize the authentication method being displayed here? ​ One-time password authentication (Incorrect) ​ Multi-factor authentication ​ Biometric authentication ​ PAP authentication (Correct) Explanation OBJ 4.1: For the exam, you need to know the different authentication categories and what type of authentication methods belong to each category. A username and password are used as part of the Password Authentication Protocol (PAP) authentication system. A username and password are also considered a knowledge factor in an authentication system. Question 22: IncorrectWhich of the following cryptographic algorithms is classified as asymmetric? ​ RC4 ​ AES (Incorrect) ​ Blowfish ​ Diffie-Hellman (Correct) Explanation OBJ-6.2: The Diffie-Hellman (DH) is used to exchange cryptographic keys over a public channel securely and was one of the first public-key protocols. As a public-key protocol, it relies on an asymmetric algorithm. AES, RC4, and Blowfish are all symmetric algorithms. Question 23: Incorrect Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont's discovery, what type of attack might occur? ​ SQL injection (Incorrect) ​ Buffer overflow (Correct) ​ Malicious logic ​ Cross-site scripting Explanation OBJ-1.2: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can cause an overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Programs should use the variable size validation before writing the data to memory to ensure that the variable can fit into the buffer to prevent this type of attack. Question 24: Correct You are a penetration tester hired by an organization that wants you to conduct a risk assessment of their DMZ. The company provided Rules of Engagement states that you must do all penetration testing from an external IP address without any prior knowledge of the internal IT system architecture. What kind of penetration test will you perform? ​ White box ​ Black box (Correct) ​ Red team ​ Gray box Explanation OBJ-1.4: A black box penetration test requires no previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior information about the target system or network in a black box penetration test. These tests provide a realistic scenario for testing the defenses, but they can be costlier and takes much more time to conduct. A black box tester is examining a system from an outsider's perspective. A gray-box tester has the user's access and knowledge levels, potentially with elevated privileges on a system. Gray-box pentesters typically have some knowledge of a network's internals, potentially including design and architecture documentation and an account internal to the network. White-box testing goes by several different names, including clear-box, open-box, auxiliary and logic-driven testing. It falls on the opposite end of the spectrum from black-box testing, and penetration testers have full access to source code, architecture documentation, and so forth. Unlike black-box and gray-box testing, white-box penetration testers can perform static code analysis, so familiarity with source code analyzers, debuggers, and similar tools are necessary for this type of testing. A red team is a group that helps organizations to improve themselves by providing opposition to the point of view of the organization that they are helping. Penetration testers often work as part of a red team. Question 25: CorrectWhich command would be used to display the IP address and subnet mask for the wired network connection on a macOS or Linux system? ​ netstat ​ iwconfig ​ ifconfig (Correct) ​ ipconfig Explanation OBJ-2.2: The ifconfig command is used to display information about the current wired network connection on a macOS or Linux system, including its IP address, subnet mask, and MAC address. Question 26: Incorrect You have just finished running an nmap scan on a server are see the following output: -=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=- # nmap diontraining.com Starting Nmap ( http://nmap.org ) Nmap scan report for diontraining.com (64.13.134.52) Not shown: 996 filtered ports PORT STATE 22/tcp open 23/tcp open 53/tcp open 443/tcp open Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds -=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=- Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network? ​ 23 (Correct) ​ 443 ​ 53 ​ 22 (Incorrect) Explanation OBJ-2.2: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet is disabled and blocked from use. The other open ports are for SSH (port 22), DNS (port 53), and HTTPS (port 443). Question 27: CorrectWhich of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization's headquarters? ​ Security guards ​ Mantraps ​ Intrusion alarm ​ Bollards (Correct) Explanation OBJ-3.9: Bollards are a physical security control that is designed to prevent a vehicle-ramming attack. Bollards are typically designed as a sturdy, short, vertical post. Some organizations have installed more decorative bollards created out of cement and are large enough to plant flowers or trees inside. Mantraps are designed to prevent individuals from tailgating into the building. Security guards and intrusion alarms could detect this from occurring but not truly prevent them. Question 28: Incorrect You are reviewing a rule within your organization's IDS. You see the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET anymsg: "BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt";flow: to_client,established;file_data;content:"recordset"; offset:14; depth:9;content:".CacheSize"; distance:0; within:100;pcre:"/CacheSize\s*=\s*/";byte_test:10,>,0x3ffffffe,0,relative,string;max-detect-ips drop, service http;reference:cve,2016-8077;classtype: attempted-user;sid:65535;rev:1;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on this rule, which of the following malicious packets would this IDS alert on? ​ Any malicious inbound packets (Incorrect) ​ Any malicious outbound packets ​ An malicious inbound TCP packet (Correct) ​ An malicious outbound TCP packet Explanation OBJ-2.4: The rule header is set to alert only on TCP packets based on this IDS rule's first line. The flow condition is set as "to_client,established," which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port be analyzed, and the direction of flow. Question 29: CorrectWhich of the following agreements is used between companies and employees, between companies and contractors, and between two companies to protect information assets? ​ SLA ​ NDA (Correct) ​ DSUA ​ ISA Explanation OBJ-5.1: Non-disclosure agreement (NDA) is the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and shares such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employee places in them. An interconnection security agreement (ISA) is defined by NIST's SP800-4 and is used by any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. A service level agreement (SLA) is a contractual agreement that sets out the detailed terms under which a service is provided. A data sharing and use agreement (DSUA) states that personal data can only be collected for a specific purpose. A DSUA can specify how a dataset can be analyzed and proscribe the use of reidentification techniques. Question 30: CorrectDion Training is building a new data center. The group designing the facility has decided to provide additional HVAC capacity to ensure the data center maintains a consistently low temperature. Which of the following is the most likely benefit that will be achieved by increasing the designed HVAC capacity? ​ Longer UPS run time due to increased airflow ​ Higher data integrity due to more efficient SSD cooling ​ Longer MTBF of hardware due to lower operating temperatures (Correct) ​ Increase the availability of network services due to higher throughput Explanation OBJ-5.2: The mean time between failure (MTBF) is the measure of the anticipated rate of failure for a system or component. This is effectively a measurement of the component's expected lifespan. If the HVAC capacity is increased, the server room can maintain a cooler temperature range. Datacenters produce a lot of heat from the equipment being operated. Excessive heat can damage components and cause premature hardware failure. Therefore, increasing the HVAC capacity and airflow can lead to longer lifespans for servers and networking equipment. Question 31: Incorrect You are notified by an external organization that an IP address associated with your company's email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor's email account was only used from one workstation. You analyze Connor's workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario? ​ Request disciplinary action for Connor for causing this incident ​ Unplug the workstation's network cable and conduct a complete reimaging of the workstation (Incorrect) ​ Isolate the workstation computer by disabling the switch port and reset Connor's username/password (Correct) ​ Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department Explanation OBJ-3.2: Isolation of Connor's computer by deactivating the port on the switch should be performed instead of just unplugging the computer. This would guarantee that Connor won't just plug the computer back into the network as soon as you leave his desk. While Connor won't be able to work without his workstation, it is essential to isolate the issue quickly to prevent future attempts at lateral movement from occurring and protect the company's data needed for continued business operations. While we are unsure of the issue's initial root cause, we know it is currently isolated to Connor's machine. He should receive remedial cybersecurity training, his workstation's hard drive forensically imaged for later analysis, and then his workstation should be remediated or reimaged. It is better to isolate just Connor's machine instead of the entire network segment in this scenario. Isolating the network segment, without evidence indicating the need to do so, would have been overkill and overly disruptive to the business. Reimaging Connor's device may destroy data that could have otherwise been recovered and led to a successful root cause analysis. There is also insufficient evidence in this scenario to warrant disciplinary action against Connor, as he may have clicked on a malicious link by mistake. Question 32: IncorrectWhich of the following terms is used to describe the period of time following a disaster that an individual IT system may remain offline? ​ MTTR (Incorrect) ​ RPO ​ RTO (Correct) ​ MTBF Explanation OBJ-5.2: Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired. Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation. Question 33: CorrectRyan needs to verify the installation of a critical Windows patch on his organization's workstations. Which method would be the most efficient to validate the current patch status for all of the organization's Windows 10 workstations? ​ Use SCCM to validate patch status for each machine on the domain (Correct) ​ Conduct a registry scan of each workstation to validate the patch was installed ​ Check the Update History manually ​ Create and run a PowerShell script to search for the specific patch in question Explanation OBJ-2.4: The Microsoft System Center Configuration Manager (SCCM) provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. In an Azure environment, you can also use the Update Compliance tool to monitor your device's Windows updates, Windows Defender anti-virus status, and the up to date patching status across all of your Windows 10 workstations. In previous Windows versions, you could use the Microsoft Baseline Analyzer (MSBA), but that is no longer supported when Windows 10 was introduced. A PowerShell script may be a reasonable option, but it would take a knowledgeable analyst to create the script and scan the network, whereas using SCCM is easier and quicker. Manually checking the Update History or registry of each system could also work, but that is very time consuming and inefficient, especially if Ryan is supporting a large network. Question 34: IncorrectYou have just received some unusual alerts on your SIEM dashboard and want to collect the payload associated with it. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization's normal business operations? ​ Jumpbox ​ Honeypot (Correct) ​ Sandbox (Incorrect) ​ Containerization Explanation OBJ-2.2: A honeypot is a host set up to lure attackers away from the actual network components and/or discover attack strategies and weaknesses in the security configuration. A jumpbox is a hardened server that provides access to other hosts. A sandbox is a computing environment isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Containerization is a type of virtualization applied by a host operating system to provide an isolated execution environment for an application. Question 35: IncorrectWhich technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? ​ Installation of anti-virus tools ​ User and entity behavior analytics (Correct) ​ Implement endpoint protection platforms ​ Use of a host-based IDS or IPS (Incorrect) Explanation OBJ-3.5: Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning and may have a higher false-positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms. Question 36: IncorrectWhich role validates the user's identity when using SAML for authentication? ​ IdP (Correct) ​ SP ​ User agent (Incorrect) ​ RP Explanation OBJ-4.2: The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource. Question 37: IncorrectYou have been asked to write a new security policy to reduce the risk of employees working together to steal information from the Dion Training corporate network. Which of the following policies should you create to counter this threat? ​ Acceptable use policy ​ Mandatory vacation policy (Correct) ​ Privacy policy (Incorrect) ​ Least privilege policy Explanation OBJ-5.1: A mandatory vacation policy requires that all users take time away from work to enjoy a break from their day to day routine of their jobs. But, there is a major side benefit to mandatory vacations regarding your company's security posture. It will require the company to have another employee fill in for the vacationing employee's normal roles and responsibilities by requiring mandatory vacations. The employee who is filling in might come across fraud, abuse, or theft that the vacationing employee is a part of. The concept of least privilege may not stop this theft from occurring since two employees could work together to steal information that they have access to as part of their job. Also, acceptable use outlines the types of activities allowed and not allowed; it won't prevent theft from occurring. A privacy policy discusses how information should be properly stored and secured, but this won't stop an employee from stealing information or detecting the stolen information. Question 38: IncorrectAs a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results? ​ An uncredentialed scan of the network was performed (Correct) ​ The scanner was not compatible with the devices on your network ​ The network has an exceptionally strong security posture (Incorrect) ​ The scanner failed to connect with the majority of workstations Explanation OBJ-1.5: Uncredentialed scans are generally unable to detect many vulnerabilities on a device. When conducting an internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately determine the network's vulnerability posture. In most enterprise networks, if a vulnerability exists on one machine, it also exists on most other workstations since they use a common baseline or image. If the scanner failed to connect to the workstations, an error would have been generated in the report. Question 39: IncorrectYou have been asked to install a computer in a public workspace. The computer should only be used by an authorized user. Which of the following security requirements should you implement to prevent unauthorized users from accessing the network with this computer? ​ Require authentication on wake-up (Correct) ​ Issue the same strong and complex password for all users ​ Remove the guest account from the administrator group (Incorrect) ​ Disable single sign-on Explanation OBJ-4.1: To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever the computer is woken up. Therefore, if an authorized user walks away from the computer and goes to sleep when another person tries to use the computer, it will ask for a username and password before granting them access to the network. Question 40: Incorrect A corporate workstation was recently infected with malware. The malware was able to access the workstation's credential store and steal all the usernames and passwords from the machine. Then, the malware began to infect other workstations on the network using the usernames and passwords it stole from the first workstation. The IT Director has directed its IT staff to develop a plan to prevent this issue from occurring again. Which of the following would BEST prevent this from reoccurring? ​ Install a Unified Threat Management system on the network to monitor for suspicious traffic (Incorrect) ​ Monitor all workstations for failed login attempts and forward them to a centralized SYSLOG server ​ Install an anti-virus or anti-malware solution that uses heuristic analysis (Correct) ​ Install a host-based intrusion detection system on all of the corporate workstations Explanation OBJ-2.1: The only solution that could STOP this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis. The other options might be able to monitor and detect the issue but not stop it from spreading. Heuristic analysis is a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses and new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should detect the issue and stop it from spreading throughout the network. Question 41: Incorrect Which of the following protocols could be used inside a virtual system to manage and monitor the network? ​ SNMP (Correct) ​ SMTP (Incorrect) ​ EIGRP ​ BGP Explanation OBJ-2.6: SNMP is used to monitor and manage networks, both physical and virtual. SMTP is used for email. BGP and EIGRP are used for routing network data. Question 42: Incorrect (Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Larger image Which of the following types of attacks occurs when an attacker attempts to obtain personal or private information through domain spoofing or poisoning a DNS server? ​ Vishing ​ Hoax ​ Spamming ​ Spear phishing (Incorrect) ​ Pharming (Correct) Explanation OBJ 1.2: Pharming is the fraudulent practice of directing Internet users to a bogus website that mimics the appearance of a legitimate one to obtain personal information such as user passwords, account numbers, and other confidential data. Question 43: CorrectWhich of the following should be implemented to securely allow wireless network access for clients in the lobby using a shared password key? ​ WEP ​ WPA2 (Correct) ​ IPSec ​ RADIUS Explanation OBJ-6.3: WPA2 allows the use of a preshared key for wireless network access. The only other option presented that would is WEP, but that is insecure. Question 44: Correct A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reading the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit? ​ Race condition (Correct) ​ Broken authentication ​ Sensitive data exposure ​ Dereferencing Explanation OBJ-1.3: Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker's exploit is racing to modify the configuration file before the application reads the number of lives from it. Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls. Broken authentication refers to an app that fails to deny access to malicious actors. Dereferencing attempts to access a pointer that references an object at a particular memory location. Question 45: Correct Which mobile device strategy is most likely to introduce vulnerable devices to a corporate network? ​ MDM ​ BYOD (Correct) ​ CYOD ​ COPE Explanation OBJ-2.5: The BYOD (bring your own device) strategy opens a network to many vulnerabilities. People can bring their personal devices to the corporate network, and their devices may contain vulnerabilities that could be allowed to roam free on a corporate network. COPE (company-owned/personally enabled) means that the company provides the users with a smartphone primarily for work use, but basic functions such as voice calls, messaging, and personal applications are allowed, with some controls on usage and flexibility. With CYOD, the user can choose which device they wish to use from a small selection of devices approved by the company. The company then buys, procures, and secures the device for the user. The MDM is a mobile device management system that gives centralized control over COPE company-owned personally enabled devices. Question 46: CorrectWhich type of monitoring would utilize a network tap? ​ SNMP ​ Active ​ Passive (Correct) ​ Router-based Explanation OBJ-3.2: Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. Active monitoring relies on scanning targeted systems, not a network tap. Router-based monitoring would involve looking over the router's logs and configuration files. SNMP is used to monitor network devices but is considered active monitoring and doesn't rely on network taps. Question 47: Correct Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation? ​ Agent-based scanning (Correct) ​ Server-based scanning ​ Passive network monitoring ​ Non-credentialed scanning Explanation OBJ-1.5: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization's network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring require a continuous network connection to collect the devices' configurations accurately. Question 48: CorrectWhich of the following proprietary tools is used to create forensic disk images without making changes to the original evidence? ​ FTK Imager (Correct) ​ dd ​ Memdump ​ Autopsy Explanation OBJ-5.5: FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including file slack and unallocated space or drive free space. The dd tool can also create forensic images, but it is not a proprietary tool since it is open-source. Memdump is used to collect the content within RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite. Question 49: Correct (Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Larger image Based on the image provided, what type of attack is occurring? ​ DDoS ​ Smurf attack ​ Ping flood ​ SYN flood (Correct) Explanation OBJ 1.2: A SYN flood is a variant of a Denial of Service (DOS) attack where the attacker initiates multiple TCP sessions but never completes the 3-way handshake. This uses up resources on the server since it cannot complete the handshake and keeps resources reserved for the attacker's computer while it awaits the handshake's completion. This image is a graphical depiction of this type of attack. Question 50: Incorrect An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application's search form and introduced the following code in the search input field: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- IMG SRC=vbscript:msgbox("Vulnerable_to_Attack");> originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable_to_Attack ");>" -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application? ​ Cross-site scripting (Correct) ​ Cross-site request forgery (Incorrect) ​ Command injection ​ SQL injection Explanation OBJ-1.2: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. Question 51: Correct An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future? ​ Enable WPA2 security on the open wireless network ​ Enable NAC on the open wireless network ​ Implement a VLAN to separate the HVAC control system from the open wireless network (Correct) ​ Install an IDS to protect the HVAC system Explanation OBJ-3.2: A VLAN is useful to segment out network traffic to various parts of the network and stop someone from the open wireless network from logging to the HVAC controls. By utilizing NAC, each machine connected to the open wireless network could be checked for compliance and determine if it is a 'known' machine, but they would still be given access to the entire network. Also, since this is a publicly usable network, using NAC could prevent users from accessing all the network features. An IDS would be a good solution to detect the attempted logins, but it won't prevent them. Instead, an IPS would be required to prevent logins. Question 52: CorrectWhich of the following is an example of an authentication factor that includes something you have? ​ Fingerprint ​ GPS location ​ Password ​ Smart card (Correct) Explanation OBJ-4.1: Something you have (possession factor) includes authentication factors like a smart card, a token, or a cellphone that receives a one-time use SMS message during the login process. Question 53: Incorrect You have just finished running a vulnerability scan of the network and are reviewing the results. The first result in the report shows the following vulnerability: Larger image You log into the MySQL server and verify that you are currently running version 3.5.3. Based on the item shown on the image, what best describes how you should categorize this finding? ​ False negative (Incorrect) ​ True negative ​ False positive (Correct) ​ True positive Explanation OBJ 1.5: You should categorize the results as a false positive. Based on the scenario and output, your server is not vulnerable to a remote code execution for the identified vulnerability. You are already running MySQL v3.5.3 that is greater than v3.3.x or above. This indicates that the vulnerability scanner falsely identified your MySQL version as an earlier and more vulnerable version. The system incorrectly identified a vulnerability, but the vulnerability doesn't exist on your system. Therefore this is a false positive.

A corporate workstation was recently infected with malware. The malware was able to access the workstation's credential store and steal all the usernames and passwords from the machine. Then, the malware began to infect other workstations on the network using the usernames and passwords it stole from the first workstation. The IT Director has directed its IT staff to develop a plan to prevent this issue from occurring again. Which of the following would BEST prevent this from reoccurring? 1) Install a Unified Threat Management system on the network to monitor for suspicious traffic 2) Monitor all workstations for failed login attempts and forward them to a centralized SYSLOG server 3) Install an anti-virus or anti-malware solution that uses heuristic analysis

3) Install an anti-virus or anti-malware solution that uses heuristic analysis OBJ-2.1: The only solution that could STOP this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis. The other options might be able to monitor and detect the issue but not stop it from spreading. Heuristic analysis is a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses and new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should detect the issue and stop it from spreading throughout the network.

Dion Training is in early discussions with a large university to license its cybersecurity courses as part of their upcoming semester. Both organizations have decided to enter into an exploratory agreement while negotiating the detailed terms of the upcoming contract. Which of the following documents would best serve this purpose? 1) NDA 2) SLA 3) MOU 4) ISA

3) MOU OBJ-5.1: Memorandum of understanding (MOU) is used as a preliminary or exploratory agreement to express their intent for the two companies to work together. A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which a service is provided. The interconnection security agreement (ISA) governs the relationship between any federal agency and a third party interconnecting their systems. A non-disclosure agreement (NDA) is the legal basis for protecting information assets.

An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system? 1) Pivoting 2) Lateral movement 3) Pass the hash 4) Golden ticket

3) Pass the hash OBJ-1.2: Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.

Which of the following terms is used to describe the period of time following a disaster that an individual IT system may remain offline? 1) MTTR 2) RPO 3) RTO 4) MTBF

3) RTO OBJ-5.2: Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired. Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation.

You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Source Destination Protocol Length Info 192.168.3.145 4.4.2.2 DNS 74 Standard query 0xaed A test.diontraining.com 4.4.2.2 192.168.3.145 DNS 90 Standard query response 0x3aed A test.diontraining.com A 173.12.15.23 192.168.3.145 173.12.15.23 TCP 78 48134 -80 [SYN] seq=0 Win=65635 Len=0 MSS=1426 WS=16 TSVal=486234134 Tsecr=0 SACK_PERM=1 173.12.15.23 192.168.3.145 TCP 78 80-48134 [SYN,ACK] seq=0 Ack=1 Win=65535 Len=0 MSS=1426 WS=4 TSVal=0 Tsecr=0 SACK_PERM=1 a1=486234134 Tsecr=240612 192.168.3.145 192.168.3.255 NBNS 92 Namequery NB WORKGROUP 34.250.23.14 192.168.3.145 TCP 60 443 - 48134 [RST] Seq=1 Win=0 Len=0 34.250.23.14 192.168.3.145 TCP 60 8080 - 48134 [RST] Seq=1 Win=0 Len=0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on your review, what does this scan indicate? 1) 173.12.15.23 might be infected with malware 2) 192.168.3.145 might be infected and beaconing to a C2 server 3) This appears to be normal network traffic

3) This appears to be normal network traffic OBJ-2.2: This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host's firewall since it is not running those services on the host. None of this network traffic appears to be suspicious.

Which of the following types of attacks occurs when an attacker attempts to obtain personal or private information through domain spoofing or poisoning a DNS server? 1) Vishing 2) Hoax 3) Spamming 4) Spear phishing 4) Pharming

4) Pharming OBJ 1.2: Pharming is the fraudulent practice of directing Internet users to a bogus website that mimics the appearance of a legitimate one to obtain personal information such as user passwords, account numbers, and other confidential data.

Which of the following categories would contain information about a French citizen's race or ethnic origin? 1) PII 2) DLP 3) PHI 4) SPI

4) SPI OBJ-5.8: According to the GDPR, information about an individual's race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject's opinions, beliefs, and nature afforded specially protected status by privacy legislation. As it cannot be used to identify somebody or make any relevant assertions about health uniquely, it is neither PII nor PHI. Data loss prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, your security team has noticed a large increase in the number of compromised user accounts on the system. What type of attack is most likely the cause of both of these events? 1) Cross-site request forgery 2) SQL injection 3) Rootkit 4) Cross-site scripting

4) Cross-site scripting OBJ-1.2: This scenario is a perfect example of the effects of a cross-site scripting (XSS) attack. If your website's HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a popup window that collects passwords and uses that information to compromise other accounts further. A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. An XSS will allow an attacker to execute arbitrary JavaScript within the victim's browser (such as creating pop-ups). A CSRF would allow an attack to induce a victim to perform actions they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to control a computer system without being detected. SQL injection is the placement of malicious code in SQL statements via web page input. None of the things described in this scenario would indicate a CSRF, rootkit, or SQL injection.

Which of the following cryptographic algorithms is classified as asymmetric? 1) RC4 2) AES 3) Blowfish 4) Diffie-Hellman

4) Diffie-Hellman OBJ-6.2: The Diffie-Hellman (DH) is used to exchange cryptographic keys over a public channel securely and was one of the first public-key protocols. As a public-key protocol, it relies on an asymmetric algorithm. AES, RC4, and Blowfish are all symmetric algorithms.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-https://test.diontraining.com/profile.php?userid=1546https://test.diontraining.com/profile.php?userid=5482https://test.diontraining.com/profile.php?userid=3618-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- What type of vulnerability does this website have? 1) IMproper error handling 2) Weak or default configurations 3) Race condition 4) Insecure direct object reference

4) Insecure direct object reference OBJ-1.2: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user's profile page in this scenario. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system's potential flaws.

Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application? 1) Private key of the file 2) FIle size and file creation date 3) Public key of the file 4) MD5 or SHA1 hash digest of the file

4) MD5 or SHA1 hash digest of the file OBJ-6.1: Keith should conduct a hash of the downloaded file and compare it against the MD5 hash digest listed on the server of this file. This file needs to be a verifiable MD5 hash file to validate the file integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on comparing hash digests. A public or private key would not be assigned solely to a single file, nor do they provide integrity on their own. Public and private keys are used to ensure data confidentiality, whereas a hash digest ensures integrity. The file size and file creation date are additional forms of metadata that could help validate a file's integrity. Still, they of a much lower quality and trust factor than using a hash digest. Therefore MD5 or SHA1 is a better choice.

How would you appropriately categorize the authentication method being displayed here? 1) One-time password authentication 2) Multi-factor authentication 3) biometric authentication 4) PAP authentication

4) PAP authentication OBJ 4.1: For the exam, you need to know the different authentication categories and what type of authentication methods belong to each category. A username and password are used as part of the Password Authentication Protocol (PAP) authentication system. A username and password are also considered a knowledge factor in an authentication system.

Which of the following functions is not provided by a TPM? 1) Binding 2) Secure generation of cryptographic 3) Remote attestation 4) User authentication 4) Random number generation

4) User authentication OBJ-3.3: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.