Practice Test 2
You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization?
Type of data processed by the system Explanation OBJ-5.4: The data's asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value. The cost of acquisition, cost of hardware replacement, and depreciated costs refer to the financial value of the hardware or system itself. This can be significantly different from the value of the information and data that the system stores and processes.
(Sample Simulation - On the real exam for this type of question, you might receive a list of attack vectors and targets. Based on these, you would select the type of attack that occurred.) (1) An attacker has been collecting credit card details by calling victims and using false pretexts to trick them. (2) An attacker sends out to 100,000 random email addresses. In the email the attacker sent, it claims that "Your Bank of America account is locked out. Please click here to reset your password." What types of attacks have occurred in (1) and (2)?
(1) Vishing and (2) Phishing Explanation OBJ-1.1: Vishing uses a phone call to conduct information gathering and phishing type of actions. Spearphishing involves targeting specific individuals using well-crafted emails to gather information from a victim. Phishing relies on sending out a large volume of email to a broad set of recipients in the hopes of collecting the desired action or information. A hoax involves tricking a user into performing an action (such as virus remediation actions) when no infection has occurred. Pharming involves domain spoofing in an attempt to gather the desired information from a victim.
Which of the following describes the overall accuracy of a biometric authentication system?
Crossover error rate Explanation OBJ-2.4: The Crossover Error Rate (CER) describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.
Which of the following cryptographic algorithms is classified as asymmetric?
Diffie-Hellman Explanation OBJ-2.8: The Diffie-Hellman (DH) is used to exchange cryptographic keys over a public channel securely and was one of the first public-key protocols. As a public-key protocol, it relies on an asymmetric algorithm. AES, RC4, and Blowfish are all symmetric algorithms.
Which authentication mechanism does 802.1x usually rely upon?
EAP Explanation OBJ-3.8: The IEEE 802.1X Port-based Network Access Control framework establishes several ways for devices and users to be securely authenticated before they are permitted full network access. The actual authentication mechanism will be some variant of the Extensible Authentication Protocol (EAP). EAP allows lots of different authentication methods, but many use a digital certificate on the server and/or client machines. This allows the machines to establish a trust relationship and create a secure tunnel to transmit the user authentication credential.
Which of the following cryptographic algorithms is classified as asymmetric?
ECC Explanation OBJ-2.8: Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. As a public-key cryptosystem, it relies on an asymmetric algorithm. Twofish, RC4, and DES are all symmetric algorithms.
An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future?
Implement a VLAN to separate the HVAC control system from the open wireless network Explanation OBJ-3.3: A VLAN is useful to segment out network traffic to various parts of the network and stop someone from the open wireless network from logging to the HVAC controls. By utilizing NAC, each machine connected to the open wireless network could be checked for compliance and determine if it is a 'known' machine, but they would still be given access to the entire network. Also, since this is a publicly usable network, using NAC could prevent users from accessing all the network features. An IDS would be a good solution to detect the attempted logins, but it won't prevent them. Instead, an IPS would be required to prevent logins.
Which of the following cryptographic algorithms is classified as symmetric?
PGP Explanation OBJ-2.8: Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. ECC, PGP, and RSA are all asymmetric algorithms.
How would you appropriately categorize the authentication method being displayed here?
See Image... PIN, Smart Card, Fingerprint, Signature, GPS Coordinates
An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store's IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions?
These devices should be isolated from the rest of the enterprise network Explanation OBJ-2.6: While the physical security posture of the company has definitely been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store's network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don't necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and lock on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn't protect them long-term.
Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company in an incident. Which of the following best describes the company's risk response?
Transference Explanation OBJ-5.4: Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing the activity that is risk-bearing. Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Acceptance means that no countermeasures are put in place either because the risk level does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed
You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal?
VLAN Explanation OBJ-3.3: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevent communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and separates the two virtual network's data. A virtual private network (VPN) is a remote access capability to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.
While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source?
192. 186. 1 . 100 Explanation OBJ-1.7: This question tests your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). During your CompTIA A+, Network+, and Security+ studies, you should have learned that private IP addresses are either 10.x.x.x, 172.16-31.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100 since it is not a private IP address.
Dion Training wants to ensure that none of its computers can run a peer-to-peer file-sharing program on its office computers. Which of the following practices should be implemented to achieve this?
Application blacklisting Explanation OBJ-4.4: Application blacklisting is the most appropriate practice to implement to block a limited number of known programs. Application whitelisting could be used to achieve this purpose, but it would require much more work and block every program not specifically allowed by the whitelisting policy.
Which of the following policies should contain the requirements for removing a user's access when an employee is terminated?
Account management policy Explanation OBJ-3.7: Account management policies describe the account life cycle from creation through decommissioning. Data ownership policies describe how ownership information is created and used. Data classification policies describe the classification structure of the data in use by an organization. Retention policies describe what data will be maintained and for how long it will be retained.
A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally-managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?
Active scanning engine installed on the enterprise console Explanation OBJ-1.7: Since the college wants to ensure a centrally-managed enterprise console, using an active scanning engine installed on the enterprise console would best meet these requirements. Then, the college's cybersecurity analysts could perform scans on any devices connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the agents' installation onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.
Your organization is updating its Acceptable User Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement?
All guests must provide valid identification when registering their wireless devices for use on the network Explanation OBJ-5.3: Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest's need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question's sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.
You are configuring the ACL for the network perimeter firewall. You have just finished adding all the proper allow and deny rules. What should you place at the end of your ACL rules?
An implicit deny statement Explanation OBJ-3.3: According to the best practices of firewall configurations, you should include an implicit deny at the end of your ACL rules. This will ensure that anything not specifically allowed in the rules above is blocked. Using an implicit allow is a bad security practice since it will allow anything into the network that is not specifically denied. While the time of day restrictions can be useful, they are not required for all network implementations.
A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization's proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent?
An infected workstation is attempting to reach a command and control server Explanation OBJ-1.2: A call home message is an indicator of compromise known as beaconing. Beaconing usually occurs after a stage 1 malware program has been implanted on an organization's workstation or server, but that isn't the most correct answer to this question. Instead, beaconing indicates that a workstation or server is infected and tries to communicate with the attacker's command and control server. This beaconing will continue until the infected system (workstation or server) is found and cleared of the malware or until the botnet gives the infected host further instructions to perform (such as to attack). "Malware is running on a company workstation or server" is incorrect because we do not have positive verification of that based on this scenario. A beacon does not have to be malware. For example, it can simply be a single ping packet or DNS request being sent out every day at a certain time using the Windows task scheduler. Be careful on the exam to answer the question being asked and choose the "most" accurate answer. Since the call home signal is coming from the internal network and attempting to connect to an external server, it cannot be evidence of an attacker performing reconnaissance on your workstations. Also, nothing in the question is indicative of an insider threat trying to exfiltrate information since a call home message is generally minimal in size and not large enough to exfiltrate data.
You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server?
Banner grabbing Explanation OBJ-1.7: Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server's response. This banner usually contains the operating system being run by the server and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time consuming and not fully accurate methods to determine the version being run.
You are working for a government contractor who requires all users to use a PIV device when sending digitally signed and encrypted emails. Which of the following physical security measures is being implemented?
Biometric reader Explanation OBJ-2.4: A smart card is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government, and corporate identification cards, documents such as electronic passports and visas, and financial payment cards. Often, smart cards are used as part of a multifactor authentication system where the smart card and a PIN needs to be entered for system authentication to occur.
The digital certificate on the Dion Training web server is about to expire. Which of the following should Jason submit to the CA in order to renew the server's certificate?
CRL Explanation OBJ-3.9: A CSR (certificate signing request) is what is submitted to the CA (certificate authority) to request a digital certificate. Key escrow stores keys, CRL is a list of revoked certificates, and the OCSP is a status of certificates that provides validity such as good, revoked, or unknown.
(Sample Simulation - On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company's network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts?
Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody Explanation OBJ-4.3: Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won't affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server's hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.
A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this?
Conduct tokenization of the PHI data before ingesting it into the big data application Explanation OBJ-3.2: The university should utilize a tokenization approach to prevent an inadvertent release of the PHI data. In a tokenization approach, all or part of data in a field is replaced with a randomly generated token. That token is then stored with the original value on a token server or token vault, separate from the production database. This is an example of a deidentification control and should be used since the personally identifiable medical data is not needed to be retained after ingesting it for the research project; only the medical data itself is needed. While using DevSecOps can improve the overall security posture of the applications being developed in this project, it does not explicitly define a solution to prevent this specific issue making it a less ideal answer choice for the exam. Formal verification methods can be used to prove that none of the AI/ML techniques that process the PHI data could inadvertently leak. Still, the cost and time associated with using these methods make them inappropriate for a system used to conduct research. A formal method uses a mathematical model of a system's inputs and outputs to prove that the system works as specified in all cases. It is difficult for manual analysis and testing to capture every possible use case scenario in a sufficiently complex system. Formal methods are mostly used with critical systems such as aircraft flight control systems, self-driving car software, and nuclear reactors, not big data research projects. The option provided that recommends utilizing a SaaS model is not realistic. There is unlikely to be a SaaS provider with a product suited to the big data research being done. SaaS products tend to be commoditized software products that are hosted in the cloud. The idea of migrating to a SaaS is a distractor on this exam, which is trying to get you to think about shifting the responsibility for the PHI to the service provider and away from the university, but due to the research nature of the project, this is unlikely to be a valid option in the real world and may not be legally allowed due to the PHI being processed.
Jason has installed multiple virtual machines on a single physical server. He needs to ensure that the traffic is logically separated between each virtual machine. How can Jason best implement this requirement?
Configure a virtual switch on the physical server and create VLANs Explanation OBJ-3.3: A virtual switch is a software application that allows communication between virtual machines. A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. This solution provides a logical separation of each virtual machine through the use of VLANs on the virtual switch.
Which of the following is not considered an authentication factor?
Something you want Explanation OBJ-2.4: The five factors of authentication are knowledge, possession, biometric, action, and location. This is also known as 'something you know,' 'something you have,' 'something you are,' 'something you do,' and 'somewhere you are.'
Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation?
Create a hash digest of the source drive and the image file to ensure they match Explanation OBJ-4.5: The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from it. When comparing hash values, you need to use the same algorithm used to create the reference value. While encrypting the image files is a good security practice to maintain the data's confidentiality, it does not provide data integrity like a hash digest does. Once imaged, the source drive should not be altered or encrypted. Digitally signing the image file could serve the function of non-repudiation, but it is an uncommon practice and not required to be performed.
Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct?
Credentialed scan Explanation OBJ-1.7: Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results. Non-credentialed scans rely on external resources for configuration settings that can be altered or incorrect. The scanner's network location does not directly impact the ability to read the configuration information, so it would not make a difference if you conducted an external or internal scan.
When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training?
Data minimization Explanation OBJ-5.5: Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Since we only need your name and email to deliver the voucher and your credit card to receive payment for the voucher, we do not collect any additional information, such as your home address or phone number. Data masking can mean that all or part of a field's contents are redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.
A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data?
Enable sampling of the data Explanation OBJ-3.3: The organization should enable sampling of the data collected. Sampling can help them capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provide useful information. Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to run high-priority applications and traffic dependably, but that does not help in this situation. Compressing NetFlow data helps save disk space, but it does not increase the capacity of the bottleneck of 2 Gbps during collection. Enabling full packet capture would take even more resources to process and store and not minimize the bottleneck of 2 Gbps during collection.
Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence?
FTK Imager Explanation OBJ-4.1: FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including file slack and unallocated space or drive free space. The dd tool can also create forensic images, but it is not a proprietary tool since it is open-source. Memdump is used to collect the content within RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite.
A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which of the following is the laboratory performing?
Fuzzing Explanation OBJ-3.2: Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security, are therefore of high significance, and the interest in such approaches has steadily increased. Stress testing verifies the system's stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions
Your organization is updating its incident response communications plan. A business analyst in the working group recommends that if the company discovers they are the victims of a data breach, they should only notify the affected parties to minimize media attention and bad publicity. Which of the following recommendations do you provide in response to the business analyst's statement?
Guidance from the laws and regulations should be considered when deciding who must be notified in order to avoid fines and judgments from non-compliance Explanation OBJ-5.5: Guidance from various laws and regulations must be considered when deciding who must be notified to avoid fines and judgments. The requirements for different types of data breaches are set out in laws/regulations. The requirements indicate who must be notified. Other than the regulator itself, this could include law enforcement, individuals and third-party companies affected by the breach, and public notification through the press or social media channels. For example, the Health Insurance Portability and Accountability Act (HIPAA) sets out reporting requirements in legislation, requiring breach notification to the affected individuals, the Secretary of the US Department of Health and Human Services, and, if more than 500 individuals are affected, to the media.
When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis?
Hardware write blocker Explanation OBJ-2.7: Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive's contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker's primary purpose is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device. A forensic drive duplicator copies a drive and validates that it matches the original drive but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the hard drive contents.
Barbara received a phone call from a colleague asking why she sent him an email with lewd and unusual content. Barbara doesn't remember sending the email to the colleague. What is Barbara MOST likely the victim of?
Hijacked email Explanation OBJ-1.1: Barbara is MOST likely the victim of hijacked email. Hijacked email occurs when someone takes over your email account and sends out messages on your behalf. Hijacked email can occur after a system is taken over by an attacker. The victim usually finds out about it when someone asks about an email the victim sent them, or the victim sees an automated out of office reply from one of the recipients of the victim's emails.
You are trying to select the best device to install to proactively stop outside attackers from reaching your internal network. Which of the following devices would be the BEST for you to select?
IPS Explanation OBJ-3.3: An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents, and capturing information about them. An IPS can block malicious network traffic, unlike an IDS, which can only log them.
During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found?
Indicator of compromise Explanation OBJ-1.2: An indicator of compromise is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers' domain names. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. A botnet consists of many Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allows the attacker to access the device and its connection.
Which of the following utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise?
Infrastructure as Code (IaC) Explanation OBJ-4.4: IaC is designed with the idea that a well-coded description of the server/network operating environment will produce consistent results across an enterprise and significantly reduce IT overhead costs through automation while precluding the existence of security vulnerabilities. SDN uses software to define networking boundaries but does not necessarily handle server architecture in the same way that IaC can. Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services.
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- https://test.diontraining.com/profile.php?userid=1546 https://test.diontraining.com/profile.php?userid=5482 https://test.diontraining.com/profile.php?userid=3618 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- What type of vulnerability does this website have?
Insecure direct object reference Explanation OBJ-1.3: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user's profile page in this scenario. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system's potential flaws.
Which type of threat actor can accidentally or inadvertently cause a security incident in your organization
Insider threat Explanation OBJ-1.5: An insider threat is a type of threat actor assigned privileges on the system that cause an intentional or unintentional incident. Insider threats can be used as unwitting pawns of external organizations or make crucial mistakes that can open up exploitable security vulnerabilities. Hacktivists, Organized Crimes, and advanced persistent threats (APT) entities do not accidentally or unwittingly target organizations. Instead, their actions are deliberate in nature. A hacktivist is an attacker that is motivated by a social issue or political cause. Organized crime is a type of threat actor that uses hacking and computer fraud for commercial gain. An advanced persistent threat (APT) is a type of threat actor who can obtain, maintain, and diversify access to network systems using exploits and malware.
A corporate workstation was recently infected with malware. The malware was able to access the workstation's credential store and steal all the usernames and passwords from the machine. Then, the malware began to infect other workstations on the network using the usernames and passwords it stole from the first workstation. The IT Director has directed its IT staff to develop a plan to prevent this issue from occurring again. Which of the following would BEST prevent this from reoccurring?
Install an anti-virus or anti-malware solution that uses heuristic analysis Explanation OBJ-3.3: The only solution that could STOP this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis. The other options might be able to monitor and detect the issue but not stop it from spreading. Heuristic analysis is a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses and new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should detect the issue and stop it from spreading throughout the network.
What containment technique is the strongest possible response to an incident?
Isolating affected systems Explanation OBJ-4.4: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.
What kind of attack is an example of IP spoofing?
Man-in-the-middle Explanation OBJ-1.4: The man-in-the-middle attack intercepts communications between two systems. For example, in an HTTP transaction, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attack. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. ARP Poisoning, also known as ARP Spoofing, is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN to change the pairings in its IP to MAC address table. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.
Which of the following elements is LEAST likely to be included in an organization's data retention policy
Minimum retention period Explanation OBJ-4.2: Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization's data classification policy.
Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?
Missing patches Explanation OBJ-3.2: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server's data can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user's workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL is commonly used against databases, but they are not useful when attacking file servers.
When you are managing a risk, what is considered an acceptable option?
Mitigate It Explanation OBJ-5.4: Mitigating a risk makes the effect of a risk a little less unpleasant, harmful, or serious. The majority of risk management is focused on mitigating risks down to an acceptable level of loss or risk. The risk response actions are accept, avoid, mitigate, or transfer.
Dion Training utilizes a wired network throughout the building to provide network connectivity. Jason is concerned that a visitor might plug their laptop into a CAT 5e wall jack in the lobby and access the corporate network. What technology should be utilized to prevent users from gaining access to network resources if they can plug their laptops into the network?
NAC Explanation OBJ-3.3: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology, the user or system authentication, and network security enforcement. NAC restricts the data that each particular user can access and implements anti-threat applications such as firewalls, anti-virus software, and spyware detection programs. NAC also regulates and restricts the things individual subscribers or users can do once they are connected. If a user is unknown, the NAC can quarantine the device from the network upon connection.
A new smartphone supports users' ability to transfer a photograph by simply placing their phones near each other and "tapping" the two phones together. What type of technology does this most likely rely on?
NFC Explanation OBJ-1.4: NFC, or near-field communication, is a set of communication protocols that enable two electronic devices, one of which is usually a portable device such as a smartphone, to establish communication by bringing them within 4 cm of each other. This is commonly used for contactless payment systems, transferring contacts, or transferring a file from one device to another.
Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat?
OpenIOC Explanation OBJ-4.2: The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Diamond Model provides an excellent methodology for communicating cyber events and allowing an analyst to derive mitigation strategies implicitly. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but do not deal with the specifics of how to mitigate. OpenIOC contains a depth of research on APTs but does not integrate the detections and mitigation strategy.
You are applying for a job at a cybersecurity firm. The application requests you enter your social security number, date of birth, and email address to conduct a background check as part of the hiring process. Which of the following types of information has you been asked to provide?
PII Explanation OBJ-5.5: Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. Proprietary information or intellectual property (IP) is information created and owned by the company, typically about the products or services that they make or perform. Controlled Unclassified Information (CUI) is federal non-classified information that must be safeguarded by implementing a uniform set of requirements and information security controls directed at securing sensitive government information.
You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices' data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives?
Perform a cryptographic erase (CE) on the storage devices Explanation OBJ-2.7: Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case, the hard drives already used data at rest. Therefore, the most efficient method would be to choose CE. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives, and it takes much longer than the CE method. The final option is to conduct physical destruction, but since the scenario states that the storage device will be reused, this is not a valid technique. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.
Question 11:
Photo
You are working as a security administrator and need to respond to an ongoing spearphishing campaign against your organization. Which of the following should be used as a checklist of actions to perform to detect and respond to this particular incident?
Playbook Explanation OBJ-4.4: A playbook is a checklist of actions to perform to detect and respond to a specific type of incident. Your organization will have playbooks for phishing attempts, privilege escalation, and other specific types of incidents. A runbook is an automated version of a playbook used by a SOAR to have the system conduct as many steps as possible. DRP is a disaster recovery plan focused on the response to a natural or manmade disaster, not an incident. An incident response plan is a generic document for the overall steps of incident response. Therefore it doesn't apply to a specific type of incident. This is a hard question because the four terms are very closely related around incidents and disasters.
(Sample Simulation - On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.) What is the correct order of the Incident Response process?
Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned Explanation OBJ-4.2: The proper order of the Incident Response process is Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Concepts with lists of steps are common questions asked as an ordering or a drag and drop question on the exam. For example, the steps of incident response, the order of volatility, or the strength of encryption schemes could be asked using this question format.
How would you appropriately categorize the authentication method being displayed here? (Note: the hardware token is being by itself used for authentication.)
Print out photo to review this One-time password authentication Explanation OBJ-2.4: For the exam, you need to know the different categories of authentication and what type of authentication methods belong to each category. A hardware security token like the one displayed creates a one-time use password by presenting the user with a random string of numbers that changes every 30-60 seconds. When used by itself, it is considered a one-time password authentication method. If combined with a username and password, it would become a multi-factor authentication scheme.
A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred?
Privacy breach Explanation OBJ-4.5: A data breach is an incident where information is stolen or taken from a system without the system's owner's knowledge or authorization. If sensitive personally identifiable information (PII) was accessed or exfiltrated, then a privacy breach has occurred. If information like trade secrets were access or exfiltrated, then a proprietary breach has occurred. If any data is modified or altered, then an integrity breach has occurred. If any information related to payroll, tax returns, banking, or investments is accessed or exfiltrated, then a financial breach has occurred.
Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach?
Protected health information Explanation OBJ-4.5: Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPPA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.
Your company has decided to move all of its data into the cloud. Your company is small and has decided to purchase some on-demand cloud storage resources from a commercial provider (such as Google Drive) as its primary cloud storage solution. Which of the following types of clouds is your company using?
Public Explanation OBJ-2.2: The public cloud is defined as computing services offered by third-party providers over the public internet, making them available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. Amazon Web Services, Microsoft Azure, and Google Cloud are three popular public cloud platforms.
Your company wants to provide a secure SSO solution for accessing both the corporate wireless network and its network resources. Which of the following technologies should be used?
RADIUS Explanation OBJ-3.4: With RADIUS and SSO configured, users on the network can provide their user credentials one time (when they initially connect to the wireless access point or another RADIUS client) are automatically authenticated to all of the network's resources.
Which of the following access control methods utilizes a set of organizational roles in which users are assigned to gain permissions and access rights?
RBAC Explanation OBJ-3.8: Role-based access control (RBAC) is a modification of DAC that provides a set of organizational roles that users may be assigned to gain access rights. The system is non-discretionary since the individual users cannot modify the ACL of a resource. Users gain their access rights implicitly based on the groups to which they are assigned as members.
David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?
RDP Explanation OBJ-3.1: Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn't supposed to be opened, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.
Which of the following terms is used to describe the period of time following a disaster that an individual IT system may remain offline?
RTO Explanation OBJ-5.4: Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired. Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation.
Which of the following type of threats did the Stuxnet attack rely on to cross an airgap between a business and an industrial control system network?
Removable media Explanation OBJ-2.6: Airgaps are designed to remove connections between two networks to create a physical segmentation between them. The only way to cross an airgap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an airgap.
What is the term for the amount of risk that an organization is willing to accept or tolerate?
Risk appetite Explanation OBJ-5.4: An organization's willingness to tolerate risk is known as its risk appetite. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan less it frequently, for example. If you have a low-risk appetite, you will place a higher amount of resources towards defending and mitigating your systems. Risk avoidance is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk deterrence is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Risk transference moves or shares the responsibility of risk to another entity.
Recently, you discovered an unauthorized device during a search of your corporate network. The device provides nearby wireless hosts to access the corporate network's resources. What type of attack is being utilized?
Rogue Access Point Explanation OBJ-1.4: A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker. The question describes the unauthorized device, indicating it is a rogue device. An access point performs the ability to connect wireless hosts to the corporate network. Therefore, the unauthorized device in this question would be considered a rogue access point.
A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?
Rules of engagement Explanation OBJ-1.8: While the contract documents' network scope will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees' use of company equipment and internet services.
Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company's biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server's hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy's data integrity matches that of the original web server's hard disk?
SHA-256 Explanation OBJ-2.8: SHA-256 is the Secure Hash Algorithm with a 256-bit length output. This is one of the most common hash algorithms in use and is employed in many applications and protocols. SHA-256 and other hashing algorithms are used to ensure the data integrity of a file has not been altered. RSA, 3DES, and AES are all encryption algorithms. These algorithms can ensure confidentiality but not integrity.
Which of the following describes the security method used when users enter their username and password only once and gain access to multiple applications?
SSO Explanation OBJ-2.4: Single sign-on (SSO) is an authentication process that allows users to access multiple applications with one set of login credentials. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN).
Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set so that a single person can not add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario?
Separation of duties Explanation OBJ-5.3: Separation of duties is the concept of having more than one person required to complete a task. In business, the separation by sharing more than one individual in a single task is an internal control intended to prevent fraud and error. In this case, one person can transfer money in, while another must transfer money out. Dual control authentication is used when performing a sensitive action and requires two different users to log in. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. Security through obscurity is the reliance on security engineering in design or implementation by using secrecy as the main method of providing security to a system or component.
A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies?
Setting the secure attribute on the cookie Explanation OBJ-3.2: When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still need to set the cookie's Secure attribute. Hashing the cookie provides the cookie's integrity, not confidentiality; therefore, it will not solve the issue presented by this question.
Aymen is creating a procedure for the remediation of vulnerabilities discovered within his organization. He wants to ensure that any vendor patches are tested before deploying them into the production environment. What type of environment should his organization establish?
Staging Explanation OBJ-2.3: Deploying changes in a staging or sandbox environment provides the organization with a safe, isolated place for testing changes without interfering with production systems. Staging environments can mimic the actual production environment, leading to a realistic test environment that minimizes the risk of failure during a push to the production environment. Honeypots/Honeynets are not considered a testing environment. Instead, they are designed to attract attackers. The organization should not use the development environment to test the patches since a development environment does not mimic the real production environment.
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?
TACACS+ Explanation OBJ-3.8: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.
You are conducting a review of a VPN device's logs and found the following URL being accessed: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- https://sslvpn/dana-na/../diontraining/html5acc/teach/../../../../../../etc/passwd?/diontraining/html5acc/teach/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based upon this log entry alone, which of the following most likely occurred?
The /etc/passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted Explanation OBJ-1.3: The exact string used here was the attack string used in CVE-2019-11510 to compromise thousands of VPN servers worldwide using a directory traversal approach. However, its presence in the logs does not prove that the attack was successful, only that it was attempted. To verify that the attacker successfully downloaded the/etc/passwd file, a cybersecurity analyst would require additional information and correlation. If the server utilizes proper input validation on URL entries, then the directory traversal would be prevented. As no SQL or XML language elements are present, this is definitely not an SQL or XML injection attack.
You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing?
The backup is a differential backup Explanation OBJ-2.5: iPhone/iPad backups can be created as full or differential backups. In this scenario, the backup being analyzed is likely a differential backup containing the information that has changed since the last full backup. If the backup were encrypted, you would be unable to read any of the contents. If the backup were interrupted, the backup file would be in an unusable state. If the backup were stored in iCloud, you would need access to their iCloud account to retrieve and access the file. Normally, during an investigation, you will not have access to the user's iCloud account.
Ryan needs to verify the installation of a critical Windows patch on his organization's workstations. Which method would be the most efficient to validate the current patch status for all of the organization's Windows 10 workstations?
Use SCCM to validate patch status for each machine on the domain Explanation OBJ-3.2: The Microsoft System Center Configuration Manager (SCCM) provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. In an Azure environment, you can also use the Update Compliance tool to monitor your device's Windows updates, Windows Defender anti-virus status, and the up to date patching status across all of your Windows 10 workstations. In previous Windows versions, you could use the Microsoft Baseline Analyzer (MSBA), but that is no longer supported when Windows 10 was introduced. A PowerShell script may be a reasonable option, but it would take a knowledgeable analyst to create the script and scan the network, whereas using SCCM is easier and quicker. Manually checking the Update History or registry of each system could also work, but that is very time consuming and inefficient, especially if Ryan is supporting a large network.
The Pass Certs Fast corporation has recently been embarrassed by several high profile data breaches. The CIO proposes improving the company's cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach?
This approach only changes the location of the network and not the attack surface of it OBJ-1.5: A poorly implemented security model at a physical location will still be a poorly implemented security model in a virtual location. Unless the fundamental causes of the security issues that caused the previous data breaches have been understood, mitigated, and remediated, then migrating the current images into the cloud will change where the processing occurs without improving the network's security. While the statement concerning unrealized ROI may be accurate, it simply demonstrates the sunk cost argument's fallacy. These servers were already purchased, and the money was spent. Regardless of whether we maintain the physical servers or migrate to the cloud, that money is gone. Those servers could also be repurposed, reused, or possibly resold to recoup some of the capital invested. While the company's physical security will potentially improve in some regards, the physical security of the endpoints on-premises is still a concern that cannot be solved by this cloud migration. Additionally, the scenario never stated that physical security was an issue that required being addressed, so it is more likely that the data breach occurred due to a data exfiltration over the network. As a cybersecurity analyst, you must consider the business case and the technical accuracy of a proposed approach or plan to add the most value to your organization.
Jennifer decided that the licensing cost for a piece of video editing software was too expensive. Instead, she decided to download a keygen program to generate her own license key and install a pirated version of the editing software. After she runs the keygen, a license key is created, but her system performance becomes very sluggish, and her antimalware suite begins to display numerous alerts. Which type of malware might her computer be infected with?
Trojan Explanation OBJ-1.2: A trojan is a program in which malicious or harmful code is contained inside an apparently harmless program. In this example, the harmless program is the key generator (which does create a license key). Still, it also has malicious code inside it (causing the additional alerts from the antimalware solution). Likely, this keygen has an embedded virus or remote access trojan (RAT) in its programming
A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?
Trojan Explanation OBJ-1.2: A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system.
You are analyzing the SIEM for your company's e-commerce server when you notice the following URL in the logs of your SIEM: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/><item+id="5&quantity=0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on this line, what type of attack do you expect has been attempted?
XML injection Explanation OBJ-1.3: This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application's intended logic, and XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server's XML structure. The original XML structure would be: <addToCart> <item id="5" perItemPrice="50.00" quantity="1" /> </addToCart>. By using the URL above, this would be modified to the following: <addToCart> <item id="5" perItemPrice="0.00" quantity="10" /> <item id="5" perItemPrice="50.00" quantity="0" /> </addToCart>. The result would be that a new line was added in the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store's add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, which is normally managed for a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, shown by the bracketed data.
What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system?
You should accept the risk if the residual risk is low enough Explanation OBJ-5.4: In most cases, you will be unable to remove all risk. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.