Practice Exam C
During an initial network connection, a supplicant communicates to an authenticator, which then sends an authentication request to an Active Directory database. Which of the following would BEST describe this authentication technology? ❍ A. Federation ❍ B. AES ❍ C. 802.1X ❍ D. PKI
802.1X IEEE 802.1X is a standard for port-based network access control (NAC). When 802.1X is enabled, devices connecting to the network do not gain access until they provide the correct authentication credentials. In 802.1X terminology, the client is the supplicant, the switch is commonly configured as the authenticator, and the backend authentication server is a centralized user database such as Active Directory.
Which of these are used to force the preservation of data for later use in court? ❍ A. Chain of custody ❍ B. Data loss prevention ❍ C. Legal hold ❍ D. Order of volatility
A legal hold is a legal technique to preserve relevant information. This process will ensure the data remains accessible for any legal preparation that occurs prior to litigation.
Which of the following BEST describes a risk matrix? ❍ A. A visual summary of a risk assessment ❍ B. Identification of risk at each step of a project plan ❍ C. A list of cybersecurity requirements based on the identified risks ❍ D. Ongoing group discussions regarding cybersecurity
A risk matrix, or risk heat map, is often presented as a graphical chart comparing the likelihood of risk with the consequence.
A server administrator is building a new web server and needs to provide operating system access to the web server executable. Which of the following account types should be configured? ❍ A. User ❍ B. Privileged ❍ C. Service ❍ D. Guest
A service account is commonly used by local services on a system, but service accounts are not generally enabled for interactive logins. Web servers, database servers, and other local servers use service accounts.
Each year, a certain number of laptops are lost or stolen and must be replaced by the company. Which of the following would describe the total cost the company spends each year on laptop replacements? ❍ A. SLE ❍ B. SLA ❍ C. ALE ❍ D. ARO
ALE
A device is exhibiting intermittent connectivity when viewing remote web sites. A security administrator views the local device ARP table:
Internet Address    Physical Address
192.168.1.1         60:3d:26:69:71:fc
192.168.1.101       e2:c3:53:79:4c:51
192.168.1.102       7a:3b:8f:21:86:57
192.168.1.103       60:3d:26:69:71:fc
192.168.1.104       00:80:92:c7:c8:49
192.168.1.105       d0:81:7a:d3:f0:d5
Which of the following would be the MOST likely explanation of this connectivity issue? ❍ A. DDoS ❍ B. Wireless disassociation ❍ C. Rogue access point ❍ D. ARP poisoning
ARP poisoning
A company has contracted with a third-party to provide penetration testing services. The service includes a port scan of each externally-facing device. This is an example of: ❍ A. Initial exploitation ❍ B. Escalation of privilege ❍ C. Pivot ❍ D. Active footprinting
Active footprinting
A company runs two separate applications in their data center. The security administrator has been tasked with preventing all communication between these applications. Which of the following would be the BEST way to implement this security requirement? ❍ A. Firewall ❍ B. Protected distribution ❍ C. Air gap ❍ D. VLANs
Air gap
A company would like to install an IPS to observe normal network activity and block any traffic that deviates from this baseline. Which of these IPS types would be the BEST fit for this requirement? ❍ A. Heuristic ❍ B. Anomaly-based ❍ C. Behavior-based ❍ D. Signature-based
Anomaly-based
A security administrator would like to encrypt all telephone communication on the corporate network. Which of the following protocols would provide this functionality? ❍ A. TLS ❍ B. SRTP ❍ C. SSH ❍ D. S/MIME
SRTP S/MIME (Secure/Multipurpose Internet Mail Extensions) provides security for the content of an email message.
The contract of a long-term temporary employee is ending. Which of these would be the MOST important part of the off-boarding process? ❍ A. Perform an on-demand audit of the user's privileges ❍ B. Archive the decryption keys associated with the user account ❍ C. Document the user's outstanding tasks ❍ D. Obtain a signed copy of the Acceptable Use Policies
Archive the decryption keys associated with the user account
A security administrator would like to use employee-owned mobile phones to unlock the door of the data center using a sensor on the wall. The users would authenticate on their phones with a fingerprint before the door would unlock. Which of the following features should the administrator use? (Select TWO) ❍ A. NFC ❍ B. Remote wipe ❍ C. Containerization ❍ D. Biometrics ❍ E. Push notification
Biometrics NFC
Visitors to a corporate data center must enter through the main doors of the building. Which of the following security controls would be the BEST choice to successfully guide people to the front door? (Select TWO) ❍ A. Cable locks ❍ B. Bollards ❍ C. Biometrics ❍ D. Fencing ❍ E. Industrial camouflage
Bollards Fencing
Which of the following malware types would cause a workstation to participate in a DDoS? ❍ A. Bot ❍ B. Logic bomb ❍ C. Ransomware ❍ D. Keylogger
Bot
A security administrator has installed a new firewall to protect a web server VLAN. The application owner requires that all web server sessions communicate over an encrypted channel. Which of these rules should the security administrator include in the firewall rulebase? (Select TWO) ❍ A. Source: ANY, Destination: ANY, Protocol: TCP, Port: 23, Deny ❍ B. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Deny ❍ C. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Deny ❍ D. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow ❍ E. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Allow
C. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Deny
D. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow
Most web servers use tcp/80 for HTTP (Hypertext Transfer Protocol) communication and tcp/443 for HTTPS (Hypertext Transfer Protocol Secure). HTTP sends traffic in the clear, so the first firewall rule blocks any tcp/80 traffic before it reaches the web server. The second rule allows HTTPS encrypted traffic to continue to the web server over tcp/443.
The incorrect answers:
A. Source: ANY, Destination: ANY, Protocol: TCP, Port: 23, Deny
The insecure Telnet protocol commonly uses tcp/23, but most web servers would not be listening on tcp/23. An explicit tcp/23 deny rule would not provide any additional web server security.
B. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Deny
The encrypted HTTPS protocol uses tcp/443, so the security administrator would not want to deny that traffic through the firewall.
E. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Allow
Since the application owner requires encrypted communication, HTTP over tcp/80 should not be allowed through the firewall.
A system administrator is designing a data center for an insurance company's new public cloud and would like to restrict user access to sensitive data. Which of the following would provide ongoing visibility, data security, and control of cloud-based applications? ❍ A. HSM ❍ B. CASB ❍ C. 802.1X ❍ D. EDR
CASB
A network administrator is installing a series of access points in a public library. Which of the following would be the BEST way to prevent theft of his laptop while performing this work? ❍ A. Biometrics ❍ B. Cable lock ❍ C. Protected distribution ❍ D. Faraday cage
Cable lock
A private company uses an SSL proxy to examine the contents of an encrypted application during transmission. How could the application developers prevent the use of this proxy examination in the future? ❍ A. OCSP stapling ❍ B. Offline CAs ❍ C. Certificate chaining ❍ D. Certificate pinning
Certificate pinning
Certificate pinning embeds or "pins" a certificate inside of an application. When the application contacts a service, the service certificate will be compared to the pinned certificate. If the certificates match, the application knows that it can trust the service. If the certificates don't match, then the application can choose to shut down, show an error message, or make the user aware of the discrepancy. An SSL proxy will use a different certificate than the service certificate, so an application using certificate pinning can identify and react to this situation.
The incorrect answers:
OCSP stapling
OCSP (Online Certificate Status Protocol) stapling is a method that has the certificate holder verify their own certificate status. The OCSP status is commonly "stapled" into the SSL handshake process.
Offline CAs
An offline CA (Certificate Authority) is a common way to prevent the exploitation of a root authority. If the CA is offline, then you can't hack it. However, an online or offline CA won't prevent the use of an SSL proxy.
Certificate chaining
Intermediate certificates are often listed between a web server's SSL certificate and the root certificate. This list of intermediate certificates is called a "chain." It's important to configure web servers with the proper chain, or the end user may receive an error in their browser that the server can't be trusted.
To upgrade an internal application, the development team provides the operations team with a patch and instructions for backing up, patching, and reverting the patch if needed. The operations team schedules a date for the upgrade, informs the business divisions, and tests the upgrade process after completion. Which of the following describes this process? ❍ A. Agile ❍ B. Continuity planning ❍ C. Usage auditing ❍ D. Change management
Change management
A company is concerned their EDR solution will not be able to stop more advanced ransomware variants. Technicians have created a backup and restore utility that will get most systems up and running less than an hour after an attack. What type of security control is associated with this restore process? ❍ A. Managerial ❍ B. Compensating ❍ C. Preventive ❍ D. Detective
Compensating
A company's security engineer is working on a project to simplify the employee onboarding and offboarding process. One of the project goals is to allow individuals to use their personal phones for work purposes. If the user leaves the company, the company data will be removed but the user's data would remain intact. Which of these technologies would meet this requirement? ❍ A. Policy management ❍ B. Geofencing ❍ C. Containerization ❍ D. Storage encryption
Containerization
Which of the following processes merges developed code, tests for issues, and automatically moves the newly developed application to production without any human intervention? ❍ A. Continuous deployment ❍ B. Continuity of operations ❍ C. Continuous delivery ❍ D. Continuous integration
Continuous deployment automates every aspect of deploying software. After the developer creates the code, the testing and deployment process is completely hands-off and does not need any human intervention.
A finance company is legally required to maintain seven years of tax records for all of their customers. Which of the following would be the BEST way to implement this requirement? ❍ A. Create an automated script to remove all tax information more than seven years old ❍ B. Print and store all tax records in a seven-year cycle ❍ C. Allow users to download tax records from their account login ❍ D. Create a separate daily backup archive for all applicable tax records
Create a separate daily backup archive for all applicable tax records
A system administrator has installed a new firewall between the corporate user network and the data center network. When the firewall is turned on with the default settings, users complain that the application in the data center is no longer working. Which of the following would be the BEST way to correct this application issue? ❍ A. Create a single firewall rule with an explicit deny ❍ B. Build a separate VLAN for the application ❍ C. Create firewall rules that match the application traffic flow ❍ D. Disable spanning tree protocol
Create firewall rules that match the application traffic flow
A company is receiving complaints of slowness and disconnections to their Internet-facing web server. A network administrator monitors the Internet link and finds excessive bandwidth utilization from thousands of different IP addresses. Which of the following would be the MOST likely reason for these performance issues? ❍ A. DDoS ❍ B. Wireless jamming ❍ C. MAC cloning ❍ D. Rogue access point
DDoS
Sam, a user in the purchasing department, would like to send an email to Jack. Which of these would allow Jack to verify the sender of the email? ❍ A. Digitally sign it with Sam's private key ❍ B. Digitally sign it with Sam's public key ❍ C. Digitally sign it with Jack's private key ❍ D. Digitally sign it with Jack's public key
Digitally sign it with Sam's private key
What type of vulnerability would be associated with this log information?
GET http://example.com/show.asp?view=../../Windows/system.ini HTTP/1.1
❍ A. Buffer overflow ❍ B. Directory traversal ❍ C. DoS ❍ D. Cross-site scripting
Directory traversal attempts to read or access files that are outside the scope of the web server's file directory. The pair of dots in a file path (..) refers to the parent directory, so this example is an attempt to move back two parent directories before proceeding into the /Windows directory. In a properly configured web server, this traversal should not be possible.
A network technician at a bank has noticed a significant decrease in traffic to the bank's public website. After additional investigation, the technician finds that users are being directed to a web site that looks similar to the bank's site but is not under the bank's control. Flushing the local DNS cache and changing the DNS entry does not have any effect. Which of the following has most likely occurred? ❍ A. DDoS ❍ B. Disassociation attack ❍ C. Evil twin ❍ D. Domain hijacking
Domain hijacking
A company's security cameras have identified an unknown person walking into a fenced disposal area in the back of the building and then leaving with a box containing printed documents. Which of the following attacks is this person attempting? ❍ A. Dumpster diving ❍ B. Shoulder surfing ❍ C. Tailgating ❍ D. Phishing
Dumpster diving
A system administrator is configuring an IPsec VPN to a remote location and would like to ensure that the VPN provides confidentiality for both the original IP header and the data. Which of the following should be configured on the VPN? ❍ A. ECB ❍ B. AH ❍ C. PEAP ❍ D. HMAC ❍ E. ESP
ESP (Encapsulation Security Payload) encrypts the data in the IP packet. In IPsec (Internet Protocol Security) transport mode, the IP header is not encrypted and is used for routing. In tunnel mode, both the original IP header and data are encrypted and encapsulated within a separate IP header. ECB (Electronic Codebook) is a block cipher mode where each block is encrypted with the same key. For IPsec (and most use cases), ECB is too simple to ensure data confidentiality. The AH (Authentication Header) contains a hash of the IPsec packet to provide integrity protection of the data. The AH does not encrypt data. PEAP (Protected Extensible Authentication Protocol) is an authentication protocol that encapsulates EAP in a TLS (Transport Layer Security) tunnel to ensure a protected authentication process. PEAP is not used to protect IPsec data. HMAC (Hash-based Message Authentication Code) is a hashing algorithm commonly used with the AH field of IPsec. HMAC does not provide any data confidentiality.
A system administrator has configured MAC filtering on the corporate access point, but access logs show that unauthorized users are accessing the network. The administrator has confirmed that the address filter includes only authorized MAC addresses. Which of the following should the administrator configure to prevent this unauthorized use? ❍ A. Enable WPA3 encryption ❍ B. Remove unauthorized MAC addresses from the filter ❍ C. Modify the SSID name ❍ D. Modify the channel
Enable WPA3 encryption A MAC (Media Access Control) address can be spoofed on a remote device, which means anyone within the vicinity of the access point can view legitimate MAC addresses and spoof them to avoid the MAC filter. To ensure proper authentication, the system administrator can enable WPA3 (Wi-Fi Protected Access version 3) with a shared key, or configure 802.1X to integrate with an existing authentication database.
A system administrator is implementing a fingerprint scanner to provide access to the data center. Which of these metrics should be kept at a minimum in order to prevent unauthorized persons from accessing the data center? ❍ A. TOTP ❍ B. FRR ❍ C. HOTP ❍ D. FAR
FAR
A company is implementing a public file-storage and cloud-based sharing service, but does not want to build a separate authentication front-end. Instead, the company would like users to authenticate with an existing account on a trusted third-party web site. Which of the following should the company implement? ❍ A. SSO ❍ B. Federation ❍ C. Transitive trust ❍ D. X.509 certificates signed by a trusted CA
Federation provides a way to authenticate and authorize between two entities using a separate trusted authentication platform. For example, a web site could allow authentication using an existing account on a third-party social media site.
Each salesperson in a company will receive a laptop with applications and data to support their sales efforts. The IT manager would like to prevent third-parties from gaining access to this information if the laptop is stolen. Which of the following would be the BEST way to protect this data? ❍ A. Remote wipe ❍ B. Full disk encryption ❍ C. Biometrics ❍ D. BIOS user password
Full disk encryption
During sales meetings, visitors often require an Internet connection for demonstrations. Which of the following should the company implement to maintain the security of the internal network resources? ❍ A. NAT ❍ B. Ad hoc wireless workstations ❍ C. Intranet ❍ D. Guest network with captive portal
Guest network with captive portal
A security administrator is researching the methods used by attackers to gain access to web servers. Which of the following would provide additional information about these techniques? ❍ A. IPS ❍ B. Hashing ❍ C. Obfuscation ❍ D. Honeypot
Honeypot
An IT manager is leading a project to implement a global standard for a privacy information management system. Which of these standards would BEST apply to this project? ❍ A. ISO 27701 ❍ B. PCI DSS ❍ C. SSAE SOC 2 ❍ D. CSA CCM
ISO 27701
Which of the following cloud deployments would include CPU, storage, and networking, but not include any operating system or application? ❍ A. SaaS ❍ B. DaaS ❍ C. IaaS ❍ D. PaaS
IaaS (Infrastructure as a Service) describes a cloud model that provides the base hardware of a system. The administrator of the system would still need to install an OS and applications on the IaaS system.
SaaS (Software as a Service) is a cloud model that provides everything for the end user. End users on a SaaS model would not usually have access to the operating system or the application code.
DaaS (Desktop as a Service) describes a virtual computing environment with managed desktops in the cloud.
PaaS (Platform as a Service) provides the foundational building blocks for application development and requires the users to build their own applications on the cloud platform.
An organization has contracted with a third-party to perform a vulnerability scan of their Internet-facing web servers. The report shows that the web servers have multiple Sun Java Runtime Environment (JRE) vulnerabilities, but the server administrator has verified that JRE is not installed. Which of the following would be the BEST way to handle this report? ❍ A. Install the latest version of JRE on the server ❍ B. Quarantine the server and scan for malware ❍ C. Harden the operating system of the web server ❍ D. Ignore the JRE vulnerability alert
Ignore the JRE vulnerability alert
An application team has been provided with a hardened version of Linux to use with a new application rollout, and they are installing a web service and the application code on the server. Which of the following would BEST protect the application from attacks? ❍ A. Build a backup server for the application ❍ B. Run the application in a cloud-based environment ❍ C. Implement a secure configuration of the web service ❍ D. Send application logs to the SIEM via syslog
Implement a secure configuration of the web service
The tech support resources for many services will include a list of hardening recommendations. This hardening may include account restrictions, file permission settings, internal service configuration options, and other settings to ensure that the service is as secure as possible.
Run the application in a cloud-based environment
The location of the application service won't provide any significant protection against attacks. Some cloud-based services may include some additional security features, but many do not. Given the options available, running the application in the cloud would not be the best option available.
A security administrator has installed a network-based DLP solution to determine if file transfers contain PII. Which of the following describes the data during the file transfer? ❍ A. In-use ❍ B. In-transit ❍ C. At-rest ❍ D. Highly available
In-transit
A network administrator is viewing a log file from a web server:
https://www.example.com/?s=/Index/think/app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][0]=__HelloThinkPHP
Which of the following would be the BEST way to prevent this attack? ❍ A. Static code analyzer ❍ B. Input validation ❍ C. Allow list ❍ D. Secure cookies
Input validation
A company maintains a server farm in a large data center. These servers are for internal use only and are not accessible externally. The security team has discovered that a group of servers was breached before the latest updates were applied. Breach attempts were not logged on any other servers. Which of these threat actors would be MOST likely involved in this breach? ❍ A. Competitor ❍ B. Insider ❍ C. Nation state ❍ D. Script kiddie
Insider
A security administrator would like to implement an authentication system that uses cryptographic tickets to validate users. Which of the following would provide this functionality? ❍ A. RADIUS ❍ B. LDAP ❍ C. Kerberos ❍ D. TACACS
Kerberos Kerberos is a network authentication protocol that provides single sign-on and mutual authentication using cryptographic "tickets" for the behind-the-scenes authentication process.
A group of business partners is using blockchain technology to monitor and track raw materials and parts as they are transferred between companies. Where would a partner find these tracking details? ❍ A. Ledger ❍ B. HSM ❍ C. SIEM ❍ D. SED
Ledger
The IT department of a transportation company maintains an on-site inventory of chassis-based network switch interface cards. If a failure occurs, the on-site technician can replace the interface card and have the system running again in sixty minutes. Which of the following BEST describes this recovery metric? ❍ A. MTBF ❍ B. MTTR ❍ C. RPO ❍ D. RTO
MTTR
Which of the following would be the MOST significant security concern when protecting against criminal syndicates? ❍ A. Prevent users from posting passwords near their workstations ❍ B. Require identification cards for all employees and guests ❍ C. Maintain reliable backup data ❍ D. Use access control vestibules at all data center locations
Maintain reliable backup data
An application does not properly release unused memory, and eventually it grows so large that it uses all available memory. Which of the following would describe this issue? ❍ A. Integer overflow ❍ B. NULL pointer dereference ❍ C. Memory leak ❍ D. Data injection
Memory leak
A security administrator would like to minimize the number of certificate status checks made by web site clients to the certificate authority. Which of the following would be the BEST option for this requirement? ❍ A. OCSP stapling ❍ B. Certificate chaining ❍ C. CRL ❍ D. Certificate pinning
OCSP stapling
OCSP (Online Certificate Status Protocol) stapling allows the certificate holder to verify their own certificate status. The OCSP status is commonly "stapled" into the SSL handshake process. Instead of contacting the certificate authority to verify the certificate, the verification is included with the initial network connection to the server.
Certificate chaining
Intermediate certificates are often listed in a "chain" between a web server's SSL certificate and the root certificate. It's important to configure web servers with the proper chain, or the end user may receive an error in their browser that the server can't be trusted. A certificate chain does not provide the end station with any revocation information.
CRL
A CRL (Certificate Revocation List) is a list of revoked certificates that is maintained by the certificate authority. To view the CRL, an end-user client would directly access the CA.
Certificate pinning
Certificate pinning embeds or "pins" a certificate inside of an application. When the application contacts a service, the service certificate will be compared to the pinned certificate. If the certificates match, the application knows that it can trust the service. If the certificates don't match, then the application can choose to shut down, show an error message, or make the user aware of the discrepancy. Certificate pinning does not necessarily provide any revocation checks.
Daniel, a cybersecurity analyst, has been asked to respond to a denial of service attack against a web server. Daniel first collects information in the ARP cache, then a copy of the server's temporary file system, and finally system logs from the web server. What part of the forensics gathering process did Daniel follow? ❍ A. Chain of custody ❍ B. Data hashing ❍ C. Legal hold ❍ D. Order of volatility
Order of volatility
In an environment using discretionary access controls, which of these would control the rights and permissions associated with a file or directory? ❍ A. Administrator ❍ B. Owner ❍ C. Group ❍ D. System
Owner
A penetration tester is researching a company using information gathered from user profiles and posts on a social media site. Which of the following would describe this activity? ❍ A. Pivot ❍ B. Passive footprinting ❍ C. White box testing ❍ D. Persistence
Passive footprinting
A company has identified a web server data breach that resulted in the theft of financial records from 150 million customers. A security update to the company's web server software was available for two months prior to the breach. Which of the following would have prevented this breach from occurring? ❍ A. Patch management ❍ B. Full disk encryption ❍ C. Disable unnecessary services ❍ D. Application allow lists
Patch management
A company has recently moved from one accounting system to another, and the new system includes integration with many other divisions of the organization. Which of the following would ensure that the correct access has been provided to the proper employees in each division? ❍ A. Location-based policies ❍ B. On-boarding process ❍ C. Account deprovisioning ❍ D. Permission and usage audit
Permission and usage audit
A company is building a broad set of conditional steps to follow when investigating a data breach. Which of the following would BEST describe these steps? ❍ A. Managerial controls ❍ B. DAC ❍ C. Playbook ❍ D. Order of volatility
Playbook
Which of these cloud deployment models would BEST describe a company that would build a cloud for their own use and use systems and storage platforms in their data center? ❍ A. Private ❍ B. Community ❍ C. Hybrid ❍ D. Public
Private
A technology company is manufacturing a military grade radar tracking system that can instantly identify any nearby unmanned aerial vehicles (UAVs). The UAV detector must be able to instantly identify and react to a vehicle without delay. Which of the following would BEST describe this tracking system? ❍ A. RTOS ❍ B. IoT ❍ C. ICS ❍ D. MFD
RTOS
A receptionist at a manufacturing company recently received an email from the CEO asking for a copy of the internal corporate employee directory. The receptionist replied to the email and attached a copy of the directory. It was later determined that the email address was not sent from the CEO and the domain associated with the email address was not a corporate domain name. What type of training could help prevent this type of situation in the future? ❍ A. Recognizing social engineering ❍ B. Using emails for personal use ❍ C. Proper use of social media ❍ D. Understanding insider threats
Recognizing social engineering
During a ransomware outbreak, an organization was forced to rebuild database servers from known good backup systems. In which of the following incident response phases were these database servers brought back online? ❍ A. Recovery ❍ B. Lessons learned ❍ C. Containment ❍ D. Identification
Recovery
A system administrator is viewing this output from Microsoft's System File Checker:
15:43:01 - Repairing corrupted file C:\Windows\System32\kernel32.dll
15:43:03 - Repairing corrupted file C:\Windows\System32\netapi32.dll
15:43:07 - Repairing corrupted file C:\Windows\System32\user32.dll
15:43:43 - Repair complete
Which of the following malware types is the MOST likely cause of this output? ❍ A. RAT ❍ B. Logic bomb ❍ C. Rootkit ❍ D. Bot
Rootkit
A company is contracting with a third-party to find vulnerabilities that employees could possibly exploit on the company's internal networks. Which of the following would be the BEST way for the third-party to meet this requirement? ❍ A. Run a credentialed vulnerability scan ❍ B. Capture packets of the application traffic flows from the internal network ❍ C. Identify an exploit and perform a privilege escalation ❍ D. Scan the network during normal working hours
Run a credentialed vulnerability scan
A company is implementing a series of automated processes when responding to a security event. Which of the following would provide a linear checklist of steps to perform? ❍ A. Playbook ❍ B. SOP ❍ C. Stored Procedure ❍ D. Runbook
Runbook
A network IPS has created this log entry:
Frame 4: 937 bytes on wire (7496 bits), 937 bytes captured
Ethernet II, Src: HewlettP_82:d8:31, Dst: Cisco_a1:b0:d1
Internet Protocol Version 4, Src: 172.16.22.7, Dst: 10.8.122.244
Transmission Control Protocol, Src Port: 3863, Dst Port: 1433
Application Data: SELECT * FROM users WHERE username='x' or 'x'='x' AND password='x' or 'x'='x'
Which of the following would describe this log entry? ❍ A. Phishing ❍ B. Brute force ❍ C. SQL injection ❍ D. Cross-site scripting
SQL injection
An attacker has circumvented a web-based application to send commands directly to a database. Which of the following would describe this attack type? ❍ A. Session hijack ❍ B. SQL injection ❍ C. Cross-site scripting ❍ D. On-path
SQL injection
A developer has created an application that will store password information in a database. Which of the following BEST describes a way of protecting these credentials by adding random data to the password? ❍ A. Hashing ❍ B. PFS ❍ C. Salting ❍ D. Asymmetric encryption
Salting
Which of the following would be the MOST effective use of asymmetric encryption? ❍ A. Real-time video encryption ❍ B. Store passwords ❍ C. Protect data on mobile devices ❍ D. Securely derive a session key
Securely derive a session key
A medical imaging company would like to connect all remote locations together with high speed network links. The network connections must maintain high throughput rates and must always be available during working hours. In which of the following should these requirements be enforced with the network provider? ❍ A. Service level agreement ❍ B. Memorandum of understanding ❍ C. Non-disclosure agreement ❍ D. Acceptable use policy
Service level agreement
Which of these would be used to provide multi-factor authentication? ❍ A. USB-connected storage drive with FDE ❍ B. Employee policy manual ❍ C. Null-modem serial cable ❍ D. Smart card with picture ID
Smart card with picture ID
A transportation company maintains a scheduling application and a database in a virtualized cloud-based environment. Which of the following would be the BEST way to backup these services? ❍ A. Full ❍ B. Snapshot ❍ C. Differential ❍ D. Incremental
Snapshot
A security administrator has identified an internally developed application that allows users to modify SQL queries through a web-based front-end. To prevent this modification, the administrator has recommended that all queries be completely removed from the application front-end and placed onto the back-end of the application server. Which of the following would describe this implementation? ❍ A. Input validation ❍ B. Code signing ❍ C. Stored procedures ❍ D. Obfuscation
Stored procedures
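An added example (not from the practice exam) covering the three SQL questions above: the IPS log entry, the "commands sent directly to the database" attack, and the recommendation to move queries off the front end. It builds an in-memory SQLite table with constructed sample users, runs the exact tautology payload from the log against a front end that concatenates the query string, and then against a query whose text is fixed on the back end and only receives bound parameters. SQLite has no stored procedures, so the parameterized back-end function stands in for one; the table and credentials are assumptions for this example.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The exact tautology payload carried in the IPS log's application data.
PAYLOAD = "x' or 'x'='x"


def make_db() -> sqlite3.Connection:
    """In-memory users table with plaintext passwords, for demonstration only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Front end assembles SQL from user input. With PAYLOAD in both fields
    the statement becomes exactly the one in the log:
    ... WHERE username='x' or 'x'='x' AND password='x' or 'x'='x'
    AND binds tighter than OR, so the WHERE clause is true for every row."""
    query = (
        f"SELECT * FROM users WHERE username='{username}' "
        f"AND password='{password}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Query text lives on the back end and never changes; inputs travel as
    bound parameters, so quotes and keywords in them are data, not SQL."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


def demo() -> dict:
    """Row counts returned to an attacker and to a legitimate user."""
    conn = make_db()
    return {
        "vulnerable_rows": len(login_vulnerable(conn, PAYLOAD, PAYLOAD)),
        "parameterized_rows": len(login_parameterized(conn, PAYLOAD, PAYLOAD)),
        "legit_rows": len(login_parameterized(conn, "alice", "s3cret")),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable_rows': 2, 'parameterized_rows': 0, 'legit_rows': 1}
```

The vulnerable path hands back every user to an attacker who supplied no valid credential at all; the parameterized path returns nothing for the payload and one row for the real login. Storing plaintext passwords is itself a defect and is only done here to keep the injection visible.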
A security administrator is concerned that a user may have installed a rogue access point on the corporate network. Which of the following could be used to confirm this suspicion? ❍ A. UTM log ❍ B. WAF log ❍ C. Switch log ❍ D. DLP log
Switch log

A rogue access point would be difficult to identify once it's on the network, but at some point the access point would need to physically connect to the corporate network. An analysis of switch interface activity would be able to identify any new devices and their MAC addresses. In practice this means reviewing the switch's MAC address table and port logs: an access port that suddenly learns several MAC addresses behind one newly connected device is a strong indicator of an unauthorized access point or hub.

The incorrect answers:

UTM log: A UTM (Unified Threat Management) gateway is an all-in-one device that provides firewall services, URL filtering, spam filtering, and more. From the UTM's perspective, the traffic from a rogue access point would look similar to all other traffic on the network.

WAF log: A WAF (Web Application Firewall) would not be able to determine if web server traffic was from a rogue access point or a legitimate wired device.

DLP log: DLP (Data Loss Prevention) is important for stopping the transfer of confidential data, but it would not be able to identify traffic from a rogue access point.
An incident response team would like to validate their disaster recovery plans without making any changes to the infrastructure. Which of the following would be the best course of action? ❍ A. Tabletop exercise ❍ B. Hot site fail-over ❍ C. Simulation ❍ D. Penetration test
Tabletop exercise
A company's web server has been infected with malware, and the security administrator has contained the system and would like to create a bit-by-bit image of the server storage drive. Which of the following would be the BEST choice for this task? ❍ A. Memdump ❍ B. chmod ❍ C. dd (copy and convert) ❍ D. tcpdump
dd (copy and convert)

The Linux dd command is commonly used to create a bit-by-bit image of a partition or disk. For forensic use, image the drive with the source attached read-only and record a hash of both the source device and the resulting image file, so the copy can later be shown to match the original.
A security administrator is deploying a web server and needs to understand the methods an attacker could use to gain access to the system. Which of the following would be the BEST source of this information? ❍ A. MITRE ATT&CK ❍ B. Diamond model ❍ C. Tabletop exercise ❍ D. ISO 27701
MITRE ATT&CK

The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques drawn from real-world intrusions. It covers the points of initial access, the methods attackers use to move through an environment, and the mitigations and detection approaches associated with each technique.
A system administrator has identified an unexpected username on a database server, and the user has been transferring database files to an external server over the company's Internet connection. The administrator then performed these tasks:
• Physically disconnected the Ethernet cable on the database server
• Disabled the unknown account
• Configured a firewall rule to prevent file transfers from the server
Which of the following would BEST describe this part of the incident response process? ❍ A. Eradication ❍ B. Containment ❍ C. Lessons learned ❍ D. Preparation
The containment phase isolates events that can quickly spread and get out of hand. A file transfer from a database server can quickly be contained by disabling any ability to continue the file transfer.
Richard is reviewing this information from an IPS log:

MAIN_IPS: 22June2019 09:02:50 reject 10.1.111.7
Alert: HTTP Suspicious Webdav OPTIONS Method Request; Host: Server
Severity: medium; Performance Impact:3; Category: info-leak; Packet capture; disable
Proto:tcp; dst:192.168.11.1; src:10.1.111.7

Which of the following can be associated with this log information? (Select TWO) ❍ A. The attacker sent a non-authenticated BGP packet to trigger the IPS ❍ B. The source of the attack is 192.168.11.1 ❍ C. The event was logged but no packets were dropped ❍ D. The source of the attack is 10.1.111.7 ❍ E. The attacker sent an unusual HTTP packet to trigger the IPS
The source of the attack is 10.1.111.7 and The attacker sent an unusual HTTP packet to trigger the IPS

The second line of the IPS log shows the type of alert, and this record indicates that a suspicious HTTP packet was sent. The last line of the IPS log shows the protocol, destination, and source IP address information. The source IP address is 10.1.111.7.

The incorrect answers:

A. The attacker sent a non-authenticated BGP packet to trigger the IPS: The alert for this IPS log does not indicate any non-authenticated packets or BGP packets.

B. The source of the attack is 192.168.11.1: The last line of the log identifies the protocol and IP addresses. The "src" address is the source of the packet and is identified as 10.1.111.7.

C. The event was logged but no packets were dropped: The first line of the log shows the name of the IPS that identified the issue, the date and time, and the disposition. In this log entry, the packet from IP address 10.1.111.7 was rejected.
Which of the following is the process for replacing sensitive data with a non-sensitive and functional placeholder? ❍ A. Minimization ❍ B. Tokenization ❍ C. Retention ❍ D. Masking
Tokenization

Tokenization replaces a sensitive value (a credit card number, for example) with a random placeholder of the same format that can be used in its place by downstream systems; only the token vault can map the placeholder back to the original. Masking, by contrast, hides part of the value and is not reversible.
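An added example (not from the practice exam) contrasting the two answers a reader most often confuses: a minimal token vault that swaps a value for a random, same-format placeholder and can reverse it, beside a one-way mask. The vault, the digit-only token format and the sample card number (a well-known test number, not real data) are assumptions for this example.

```python
import secrets
import string


class TokenVault:
    """Tokenization: the sensitive value is swapped for a random placeholder of
    the same length and character class, and only this vault can map it back.
    Everything outside the vault sees and stores just the token."""

    def __init__(self) -> None:
        self._to_token: dict = {}
        self._to_value: dict = {}

    def tokenize(self, value: str) -> str:
        # Same input -> same token, so records can still be joined on it.
        if value in self._to_token:
            return self._to_token[value]
        while True:
            token = "".join(secrets.choice(string.digits) for _ in value)
            # Never hand back the real value, and never reuse a token.
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Reversible, but only for a caller with access to the vault."""
        return self._to_value[token]


def mask(value: str, keep_last: int = 4) -> str:
    """Masking is one-way: the hidden characters are not recoverable from the
    output, which is why it suits display but not later processing."""
    return "*" * (len(value) - keep_last) + value[-keep_last:]


# Constructed sample value: a test-only card number, not real data.
SAMPLE_PAN = "4111111111111111"


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    print(token, vault.detokenize(token) == SAMPLE_PAN)  # <16 random digits> True
    print(mask(SAMPLE_PAN))                              # ************1111
```

Because the token keeps the original's length and character class, systems that validate or store the field need no schema change, which is the "functional placeholder" the question refers to.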
A user downloaded and installed a utility for compressing and decompressing files. Immediately after installing the utility, the user's overall workstation performance degraded, and it now takes twice as much time to perform any tasks on the computer. Which of the following is the BEST description of this malware infection? ❍ A. Ransomware ❍ B. Adware ❍ C. Logic bomb ❍ D. Trojan
Trojan
Which of these would be used to provide HA for a web-based database application? ❍ A. SIEM ❍ B. UPS ❍ C. DLP ❍ D. VPN concentrator
UPS
A security administrator is preparing a phishing email that will be sent to employees as part of a periodic security test. The email is spoofed to appear as an unknown third-party and asks employees to immediately click a link or their state licensing will be revoked. Which of these social engineering principles are used by this email? ❍ A. Familiarity ❍ B. Social Proof ❍ C. Authority ❍ D. Urgency
Urgency
An attacker was able to download ten thousand company employee login credentials containing usernames and hashed passwords. Less than an hour later, a list containing all ten thousand usernames and passwords in plain text were posted to an online file storage repository. Which of the following would BEST describe how this attacker was able to post this information? ❍ A. Improper certificate management ❍ B. Phishing ❍ C. Untrained users ❍ D. Weak cipher suite
Weak cipher suite

Recovering all ten thousand plaintext passwords from their hashes in under an hour indicates the passwords were stored with a fast, unsalted hashing algorithm. With no salt, a single precomputed or dictionary table can be compared against the entire dump at once, so the size of the breach adds almost nothing to the attacker's effort.
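An added example (not from the practice exam) of why an unsalted fast hash lets a large dump fall so quickly. It constructs a small synthetic credential dump (sample data, not from any real breach), cracks it once with a precomputed MD5 table, then repeats the attack against the same passwords stored with a per-user salt and counts the hash computations each approach needs. The wordlist, user set and MD5-with-salt construction are assumptions chosen to make the cost difference visible.

```python
import hashlib
import os

# Constructed wordlist and sample accounts for this example; not real data.
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome1"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def leak_unsalted(creds):
    """What a dump of unsalted MD5 hashes looks like: {user: md5(password)}."""
    return {u: md5_hex(p.encode()) for u, p in creds}


def leak_salted(creds):
    """Same passwords with a random per-user salt: {user: (salt, md5(salt+password))}."""
    out = {}
    for u, p in creds:
        salt = os.urandom(8)
        out[u] = (salt, md5_hex(salt + p.encode()))
    return out


def crack_unsalted(dump, wordlist):
    """One precomputed table serves every account: the wordlist is hashed
    exactly once no matter how many users leaked."""
    table = {md5_hex(w.encode()): w for w in wordlist}
    hashes_computed = len(wordlist)
    found = {u: table[h] for u, h in dump.items() if h in table}
    return found, hashes_computed


def crack_salted(dump, wordlist):
    """A salt forces the wordlist to be re-hashed for every account, so the
    cost scales with the number of users instead of staying flat."""
    found, hashes_computed = {}, 0
    for u, (salt, h) in dump.items():
        for w in wordlist:
            hashes_computed += 1
            if md5_hex(salt + w.encode()) == h:
                found[u] = w
                break
    return found, hashes_computed


def demo() -> dict:
    """100 users cycling through weak passwords plus one strong one not in the list."""
    creds = [(f"user{i}", WORDLIST[i % len(WORDLIST)]) for i in range(100)]
    creds.append(("admin", "Tr0ub4dor&3"))
    found_u, cost_u = crack_unsalted(leak_unsalted(creds), WORDLIST)
    found_s, cost_s = crack_salted(leak_salted(creds), WORDLIST)
    return {
        "unsalted_found": len(found_u), "unsalted_hashes": cost_u,
        "salted_found": len(found_s), "salted_hashes": cost_s,
    }


if __name__ == "__main__":
    print(demo())
    # {'unsalted_found': 100, 'unsalted_hashes': 5, 'salted_found': 100, 'salted_hashes': 305}
```

Against a five-word list the salted dump still falls, because MD5 is fast and the passwords are weak; what the salt changes is that every account now costs a full pass rather than a table lookup. Multiply that per-user cost by a deliberately slow hash and ten thousand accounts stop being an hour's work.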
An access point in a corporate headquarters office has the following configuration:

IP address: 10.1.10.1
Subnet mask: 255.255.255.0
DHCPv4 Server: Enabled
SSID: Wireless
Wireless Mode: 802.11g
Security Mode: WEP-PSK
Frequency band: 2.4 GHz
Software revision: 2.1
MAC Address: 60:3D:26:71:FF:AA
IPv4 Firewall: Enabled

Which of the following would apply to this configuration? ❍ A. Invalid frequency band ❍ B. Weak encryption ❍ C. Incorrect IP address and subnet mask ❍ D. Invalid software version
Weak encryption

The security mode is WEP-PSK. WEP's RC4 keying is broken and its keys can be recovered from captured traffic in minutes, so it provides no meaningful protection for a corporate network. The other settings (a private 10.x address with a /24 mask, 2.4 GHz for 802.11g) are consistent.
A network administrator needs to identify all inbound connections to a Linux web server. Which of the following utilities would be the BEST choice for this task? ❍ A. netcat ❍ B. nmap ❍ C. net view ❍ D. netstat
netstat

The netstat command can view inbound and outbound statistics for all connections to a device. On current Linux systems the ss command shows the same established sessions and listening ports and is the usual replacement for netstat.

The incorrect answers:

netcat: The netcat command can read or write information to the network. Netcat can be used to create an open connection on a device or to access a connection on a remote machine.

nmap: The Nmap utility is commonly used to locate open ports and identify services running on a remote device.

net view: The Windows net view command is used to list the available file shares on a Windows computer.
A security engineer is capturing packets on an internal company network and is documenting the IP addresses and MAC addresses associated with the local network devices. Which of these commands would provide the MAC address of the default gateway at 10.11.1.1? ❍ A. ping 10.11.1.1 arp -a ❍ B. tracert 10.11.1.1 ❍ C. dig 10.11.1.1 ❍ D. ipconfig /all
ping 10.11.1.1, then arp -a

The ping forces the local host to resolve 10.11.1.1 to a hardware address through an ARP request, and arp -a then displays the cached IP-to-MAC mapping. Running arp -a alone may show nothing if the gateway has not been contacted recently and its entry has expired.
A set of corporate security policies is what kind of security control? ❍ A. Compensating ❍ B. Detective ❍ C. Managerial ❍ D. Physical
Managerial