Sec+ v6 Practice Exam Pt 2
Your organization has recently suffered a data breach due to a server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement? A. Deploy a new group policy B. Create a new security group C. Utilize the key escrow process D. Revoke the digital certificate
A. Deploy a new group policy A group policy is used to manage Windows systems in a Windows network domain environment utilizing a Group Policy Object (GPO). GPO's include a number of settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings. You can force a reset of the default administrator account password by using a group policy update.
Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext? A. Full packet capture B. Net flow capture C. SIEM event log monitoring D. Software design documentation review
A. Full packet capture Full packet capture records the complete payload of every packet crossing the network. The other methods will not provide sufficient information to detect a cleartext password being sent. A net flow analysis will determine where communications occurred, by what protocol, to which devices, and how much content was sent. Still, it will not reveal anything about the content itself since it only analyzes the metadata for each packet crossing the network. A SIEM event log being monitored might detect that an authentication event has occurred. Still, it will not necessarily reveal if the password was sent in cleartext, as a hash value, or in the ciphertext. A software design documentation may also reveal the designer's intentions for authentication when they created the application, but this only provides an 'as designed' approach for a given software and does not provide whether the 'as-built' configuration was implemented securely.
Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually through a token-based key fob or smartphone app, that does not expire? A. HOTP B. Smart Card C. TOTP D. EAP
A. HOTP HMAC-based One-time Password Algorithm (HOTP) is an algorithm for token-based authentication. The authentication server and client token are configured with the same shared secret. The token could be a fob-type device or implemented as a smartphone app. The token does not have an expiration under HOTP, but an improved version known as TOTP does include token expirations.
Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne's existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- https://www.whamiedyne.com/app/accountInfo?acct=12345 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- You change the URL to end with 12346 and notice that a different user's account information is now displayed. Which of the following type of vulnerabilities or threats have you discovered? A. Insecure direct object reference B. XML injection C. Race condition D. SQL injection
A. Insecure direct object reference This is an example of an insecure direct object reference. Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. Therefore, it is important to implement access control techniques in applications that work with private information or other sensitive data types. Based on the URL above, you cannot determine if the application is vulnerable to an XML or SQL injection attack. An attacker can modify one or more of these four basic functions in a SQL injection attack by adding code to some input within the web app, causing it to execute the attacker's own set of queries using SQL. An XML injection is similar but focuses on XML code instead of SQL queries. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the developer's order and timing, which is not the case in this scenario.
You are notified by an external organization that an IP address associated with your company's email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor's email account was only used from one workstation. You analyze Connor's workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario? A. Isolate the workstation computer by disabling the switch port and reset Connor's username/password B. Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department C. Unplug the workstation's network cable and conduct a complete reimaging of the workstation D. Request disciplinary action for Connor for causing this incident
A. Isolate the workstation computer by disabling the switch port and reset Connor's username/password Isolation of Connor's computer by deactivating the port on the switch should be performed instead of just unplugging the computer. This would guarantee that Connor won't just plug the computer back into the network as soon as you leave his desk. While Connor won't be able to work without his workstation, it is essential to isolate the issue quickly to prevent future attempts at lateral movement from occurring and protect the company's data needed for continued business operations. While we are unsure of the issue's initial root cause, we know it is currently isolated to Connor's machine. He should receive remedial cybersecurity training, his workstation's hard drive forensically imaged for later analysis, and then his workstation should be remediated or reimaged. It is better to isolate just Connor's machine instead of the entire network segment in this scenario. Isolating the network segment, without evidence indicating the need to do so, would have been overkill and overly disruptive to the business. Reimaging Connor's device may destroy data that could have otherwise been recovered and led to a successful root cause analysis. There is also insufficient evidence in this scenario to warrant disciplinary action against Connor, as he may have clicked on a malicious link by mistake.
Which of the following hashing algorithms results in a 128-bit fixed output? A. MD-5 B. SHA-1 C. RIPEMD D. SHA-2
A. MD-5 MD-5 creates a 128-bit fixed output. SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. RIPEMD creates a 160-bit fixed output.
Dion Training uses an authentication protocol to connect a network client to a networked file server by providing its authentication credentials. The file server then uses the authentication credentials to issue an authentication request to the server running this protocol. The server can then exchange authentication messages with the file server on behalf of the client. Throughout this process, a shared secret is used to protect the communication. Which of the following technologies relies upon the shared secret? A. RADIUS B. Kerberos C. PKI D. LDAP
A. RADIUS Remote Authentication Dial-In User Service (RADIUS) is a networking protocol operating on port 1812 that provides centralized Authentication, Authorization, and Accounting (AAA or Triple-A) management for users who connect and use a network service. The RADIUS protocol utilizes an obfuscated password created from the shared secret and creates an MD5 hash of the authentication request to protect the communications.
Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 30 minutes of downtime for their public-facing webserver. Which of the following metrics would best represent this time period? A. RTO B. RPO C. MTBF D. MTTR
A. RTO The Recovery Time Objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) to avoid unacceptable consequences associated with a break in business continuity. In this example, 30 minutes would be the RTO.
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? A. VM escape B. VM migration C. VM sprawl D. VM data remnant
A. VM escape Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker can access a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines. Data remnant is the residual representation of digital data that remains even after attempts have been made to remove or erase it. Virtualization sprawl is a phenomenon that occurs when the number of virtual machines on a network reaches a point where the administrator can no longer manage them effectively. Virtual machine migration is the task of moving a virtual machine from one physical hardware environment to another.
You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) A. journalctl_UID=1003 | grep sudo B. journalctl_UID=1003 | grep -e 1003 | grep sudo C. journalctl_UID=1003 | grep -e [Tt]erri | grep sudo D. journalctl_UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo
A. journalctl_UID=1003 | grep sudo journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd's log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes it easy to review. If you specify the parameter of _UID=1003, you will only receive entries made under the authorities of the user with ID (UID) 1003. In this case, that is Terri. Using the piping function, we can send that list of entries into the grep command as an input and then filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep using the -e flag. Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep filter as the only results for UID 1003 (terri) will already be shown. So, while all four of these would produce the same results, the most efficient option to accomplish this is by entering "journalctl _UID=1003 | grep sudo" in the terminal. Don't get afraid when you see questions like this; walk through each part of the command step by step and determine the differences. In this question, you may not have known what journalctl is, but you didn't need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one.
What popular open-source port scanning tool is commonly used for host discovery and service identification? A. nmap B. dd C. services.msc D. Nessus
A. nmap The world's most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services. The dd tool is used to copy files, disk, and partitions, and it can also be used to create forensic disk images. Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.
Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring? A. 21 B. 22 C. 80 D. 143
B. 22 Port 22 is used for SSH, which administrators use to securely connect remotely to a server and issue commands via a command-line interface. Port 21 is used by FTP, Port 80 is used by HTTP, and port 143 is used by IMAP.
Your firewall is blocking outbound email traffic that is attempting to be sent. Which port should you verify is set to ALLOW in the firewall to ensure your emails are being sent? A. 22 B. 25 C. 80 D. 143
B. 25 Email servers rely on port 25 to send emails out of the network. Port 25 must be set to OPEN or ALLOW in the firewall for SMTP (sendmail transfer protocol) to function properly. Port 22 is SSH, Port 80 is HTTP, and Port 143 is IMAP.
A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS. What should the network administrator implement? A. PKI with user authentication B. 802.1x using EAP with MSCHAPv2 C. WPA2 with a complex shared key D. MAC address filtering with filtering
B. 802.1x using EAP with MSCHAPv2 Since the backend uses a RADIUS server for back-end authentication, the network administrator can install 802.1x using EAP with MSCHAPv2 for authentication.
Every new employee at Dion Training must sign a document to show they understand the proper rules for using the company's computers. This document states that the new employee has read the policy that dictates what can and cannot be done from the corporate workstations. Which of the following documents BEST describes this policy? A. MOU B. AUP C. SOW D. SLA
B. AUP An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the internet. For example, it may state that they must not attempt to break the security of any computer network, user, or prohibits visiting pornographic websites from their work computer.
You have recently been hired as a security analyst at Dion Training. On your first day, your supervisor begins to explain the way their network is configured, showing you the physical and logical placement of each firewall, IDS sensor, host-based IPS installations, the networked spam filter, and the DMZ. What best describes how these various devices are placed into the network for the highest level of security? A. Network segmentation B. Defense in depth C. UTM D. Load Balancer
B. Defense in depth Defense in depth is the concept of layering various network appliances and configurations to create a more secure and defensible architecture. Dion Training appears to be using various host-based and network-based devices to ensure there are multiple security layers in the network.
You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program? A. HIPAA B. GLBA C. FERPA D. SOX
B. GLBA The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. The Health Insurance Portability and Accountability Act (HIPPA) is a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that set new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.
You want to create a new mobile application and develop it in the cloud. You just signed up for a cloud-based service provider's offering to allow you to develop it using their programming environment. Which of the following best describes which type of service you have just purchased? A. DaaS B. PaaS C. IaaS D. SaaS
B. PaaS Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform.
Which of the following cryptographic algorithms is classified as stream cipher? A. AES B. RC4 C. Blowfish D. DES
B. RC4 RC4, or Rivest Cipher 4, is a symmetric stream cipher used in WEP and TLS. AES, Blowfish, and DES are all block ciphers.
Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital's enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital's elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend? A. Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type B. Recommend isolation of the elevator control system from the rest of the production network through the change control process C. Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists D. Recommend immediate disconnection of the elevator's control system from the enterprise network
B. Recommend isolation of the elevator control system from the rest of the production network through the change control process The best recommendation is to conduct the elevator control system's logical or physical isolation from the rest of the production network and the internet. This should be done through the change control process that brings the appropriate stakeholders together to discuss the best way to mitigate the vulnerability to the elevator control system that defines the business impact and risk of the decision. Sudden disconnection of the PLCs from the rest of the network might have disastrous results (i.e., sick and injured trapped in an elevator) if there were resources that the PLCs were dependent on in the rest of the network. Replacement of the elevators may be prohibitively expensive, time-consuming, and likely something that the hospital would not be able to justify to mitigate this vulnerability. Attempting further exploitation of the buffer overflow vulnerability might inadvertently trap somebody in an elevator or cause damage the elevators themselves.
Which of the following hashing algorithms results in a 160-bit fixed output? A. MD-5 B. SHA-1 C. NTLM D. SHA-2
B. SHA-1 SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.
Which security tool is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment? A. SIEM B. SOAR C. MDM D. DLP
B. SOAR A security orchestration, automation, and response (SOAR) is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment. A SOAR may be implemented as a standalone technology or integrated within a SIEM as a next-gen SIEM. A SOAR can scan the organization's store of security and threat intelligence, analyze it using machine/deep learning techniques, and then use that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting.
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacons behavior on the network? A. The beacon's persistence B. The beacon's protocol C. The beaconing interval D. The removal of known traffic
B. The beacon's protocol The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely. Other factors like the beacon's persistence (if it remains after a reboot of the system) and the beacon's interval (how much time elapses between beaconing)are much better indicators for fingerprinting a malicious beacon. The removal of known traffic by the script can also minimize the amount of data the cybersecurity analyst needs to analyze, making it easier to detect the malicious beacon without wasting their time reviewing non-malicious traffic.
Which of the following types of access control provides the strongest level of protection? A. RBAC B. MAC C. DAC D. ABAC
B.MAC Mandatory Access Control (MAC) requires all access to be predefined based on system classification, configuration, and authentication. MAC is commonly used in highly centralized environments and usually relies on a series of labels, such as classification levels of the data.
A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first? A. Hardening the DEV_SERVER7 server B. Conduct a Nessus scan of the FIREFLY server C. Conduct a data criticality and prioritization analysis D. Logically isolate the PAYROLL_DB server from the production network
C. Conduct a data criticality and prioritization analysis While the payroll server could be assumed to holds PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and Dion, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn't contain their credit card processing systems that would be a more lucrative target for APT 38 than the PAYROLL_DB. The suggestions of hardening, logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don't know which data they should focus on protecting or where the attacker is currently.
You are conducting an incident response and have traced the attack source to some compromised user credentials. After performing log analysis, you discover that the attack was successfully authenticated from an unauthorized foreign country. Your management is now asking for you to implement a solution to help mitigate this type of attack from occurring again. Which of the following should you implement? A. Self-service password reset B. Single sign-on C. Context-based authentication D. Password complexity
C. Context-based authentication Context-based authentication can consider several factors before permitting access to a user, including their location (e.g., country, GPS location, etc.), the time of day, and other key factors to minimize the threat of compromised credentials from being utilized by an attacker. A self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor and repair their own problem without calling the help desk. While helpful, this alone would not help prevent an attacker from using the compromised credentials. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems. Again, this is helpful since it will minimize the number of usernames and passwords that a user must remember. Still, if their credentials are stolen, then the attacker can now access every system the user had access to, extending the problem. Password complexity is also a good thing to use, but it won't address the challenge presented in how to prevent the use of compromised credentials. If the password complexity is increased, this will prevent a brute force credential compromise. However, if the credentials are compromised any other way, the attacker could still log in to our systems and cause trouble.
Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly? A. Continuous delivery B. Continuous integration C. Continuous deployment D. Continuous monitoring
C. Continuous deployment Continuous deployment is a software development method in which app and platform updates are committed to production rapidly. Continuous delivery is a software development method in which app and platform requirements are frequently tested and validated for immediate availability. Continuous integration is a software development method in which code updates are tested and committed to development or build server/code repositories rapidly. Continuous monitoring is the technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon. While continuous deployment and continuous delivery sound very similar, there is one key difference. In continuous delivery, a human is still required to approve the release into the production environment. In continuous deployment, the test and release process into the production environment is automated, making the changes available for immediate release once the code is committed.
Which of the following is NOT a means of improving data validation and trust? A. Encrypting data in transit B. Using MD5 checksums for files C. Decrypting data at rest D. Implementing Tripwire
C. Decrypting data at rest Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation, or trust since the data at rest could be modified when decrypted.
You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company's manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat? A. Demand the manufacturer of the component release a patch immediately and deploy the patch as soon as possible B. Logically or physically isolate the SCADA/ICS component from the enterprise network C. Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface D. Replace the affected SCADA/ICS components with more secure models from a different manufacturer
C. Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface The most immediate protection against this emergent threat would be to block the web interface from being accessible over the network. Before doing this, you must evaluate whether the interface needs to remain open for the system to function properly. If it is not needed, you should block it to minimize the SCADA/ICS component's attack surface. Ideally, your SCADA/ICS components should already be logically or physically isolated from the enterprise network. Since the question doesn't mention the networks as an area of concern, we can assume they are already following the industry best practice of logical or physical segmentation between the SCADA/ICS network and the enterprise network. On the exam, make sure you focus on the question being asked. In this case, the question focuses on the web interface. Developing a patch can be a time-consuming process, therefore waiting for the manufacturer to provide a patch will not provide immediate protection to your components. The same is true for replacing the affected components. Even if you could get the company to authorize the funding for such a purchase, it would take time to order, ship, receive and install the new components. Additionally, you would cause unwanted downtime in the factory during the installation of the components, making it an ineffective option when simply blocking the web interface is free, quick, and effective.
Your company is expanding its operations in the European Union and is concerned about additional governmental regulations that may apply. Which of the following regulations applies when processing personal data within the European Union? A. PHI B. PCI C. GDPR D. PII
C. GDPR GDPR (General Data Protection Regulation) is a regulation that applies to companies that do business in the European Union. The four forms of regulated data covered by the exam are PII (Personally Identifiable Information), PCI (Payment Card Industry), GDPR (General Data Protection Regulation), and PHI (Protected Health Information).
A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? A. Scan the laptops for vulnerabilities and patch them B. Increase the encryption level of VPN used by the laptops C. Implement a jumpbox system D. Require 2FA (two-factor authentication) on the laptops
C. Implement a jumpbox system A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an airgap, or using a jumpbox.
Which of the following cryptographic algorithms is classified as asymmetric? A. AES B. RC4 C. RSA D. DES
C. RSA RSA (Rivest-Shamir-Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm. AES, RC4, and DES are all symmetric algorithms.
You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company's databases, routing all externally sourced network traffic to it, and gradually updating with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network and restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize? A. Segmentation-based containment disrupts the APT by using a hack-back approach B. Isolation-based containment by removing the affected database from production C. Segmentation-based containment that deceives the attack into believing their attack was successful D. Isolation-based containment by disconnecting the APT from the affected network
C. Segmentation-based containment that deceives the attack into believing their attack was successful There are two types of containment: segmentation and isolation. This is an example of a segmentation-based containment strategy that utilizes deception. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. As opposed to completely isolating the hosts, you might configure the protected segment to deceive him or her into thinking the attack is progressing successfully, such as in the database modification example. The scenario is not a hack-back approach since the APT is not directly attacked, only deceived. Isolation-based containment involves removing an affected component from whatever larger environment it is a part of. In this scenario, the original database was never isolated from the network, nor were any other affected assets during the deception.
Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database? A. Data masking B. Anonymization C. Tokenization D. Data minimization
C. Tokenization Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with x, for example. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.
You have run a vulnerability scan and received the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- CVE-2011-3389 QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability Check with: openssl s_client -connect login.diontraining.com:443 - tls -cipher "AES:CAMELLISA:SEED:3DES:DES" -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following categories should this be classified as? A. PKI transfer vulnerability B. Active Directory encryption vulnerability C. Web application cryptography vulnerability D. VPN tunnel vulnerability
C. Web application cryptography vulnerability This vulnerability should be categories as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger protocol should be used, such as forcing the use of AES.
Which of the following access control methods provides the most detailed and explicit type of access control over a resource? A. MAC B. RBAC C. DAC D. ABAC
D. ABAC Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes. Information such as the group membership, the OS being used by the user, and even the machine's IP address could be considered when granting or denying access.
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect when an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? A. Trend B. Anomaly C. Heuristic D. Behavior
D. Behavior This is an example of behavior-based detection. Behavior-based detection (or statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device. Anything that deviates from this baseline (outside a defined level of tolerance) generates an alert. The heuristic analysis determines whether several observed data points constitute an indicator and whether related indicators make up an incident depend on a good understanding of the relationship between the observed indicators. Human analysts are typically good at interpreting context but work painfully slowly, in computer terms, and cannot hope to cope with the sheer volume of data and traffic generated by a typical network. Anomaly analysis is the process of defining an expected outcome or pattern to events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules. Trend analysis is not used for detection but instead to better understand capacity and the system's normal baseline. Behavioral-based detection differs from anomaly-based detection. Behavioral-based detection records expected patterns concerning the entity being monitored (in this case, user logins). Anomaly-based detection prescribes the baseline for expected patterns based on its own observation of what normal looks like.
Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next? A. Attempt to identify all the false positives and exceptions, then resolve any remaining items. B. Wait to perform any additional scanning until the current list of vulnerabilities have been remediated fully C. Place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities D. Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first
D. Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first PHI is an abbreviation for Personal Health Information. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, those critical assets to the secure handling or storage of PHI are of the highest risk should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not identify all the false positives and exceptions and then resolve any remaining items since they won't be prioritized for remediation. You should also not wait to perform additional scanning because a scan is only a snapshot of your current status. If it takes 30 days to remediate all the vulnerabilities and do not scan, new vulnerabilities may have been introduced. Placing all the PHI asserts into a sandbox will not work either because then you have removed them from the production environment, and they can no longer serve their critical business functions.
To improve the Dion Training corporate network's security, a security administrator wants to update the configuration of their wireless network to have IPSec built into the protocol by default. Additionally, the security administrator would like for NAT to no longer be required for extending the number of IP addresses available. What protocol should the administrator implement on the wireless network to achieve their goals? A. WEP B. WPA2 C. IPv4 D. IPv6
D. IPv6 IPv6 includes IPSec built into the protocol by default. Additionally, IPv6 also provides an extended IP address range for networks, eliminating the need for using NAT. IPv4 does not include IPSec or extended IP address ranges by default. WPA2 is the most modern and secure version of wireless encryption for WiFi networks, but it doesn't include IPSec or extended IP address ranges by default. WEP is an older version of wireless encryption for WiFi networks and doesn't provide these features by default, either.
Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that their file server has crashed twice in the last two years. The most recent time was in August, and the time before that was 15 months before. Which of the following metrics would best represent this 15 month time period? A. RTO B. RPO C. MTTR D. MTBF
D. MTBF Mean time between failures (MTBF) is the average time between system breakdowns. MTBF is a crucial maintenance metric to measure performance, safety, and equipment design, especially for critical or complex assets, like generators or airplanes. It is also used to determine the reliability of an asset.
Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? A. Kerberos B. ADFS C. SAML D. OpenID Connect
D. OpenID Connect OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption? A. DES with a 56-bit key B. AES with a 256-bit key C. ECC with a 256-bit key D. Randomized one-time use pad
D. Randomized one-time use pad The only truly unbreakable encryption is one that uses a one-time use pad. This ensures that every message is encrypted with a different shared key that only the two owners of the one-time use pad would know. This technique ensures that there is no pattern in the key for an attacker to guess or find. Even if one of the messages could be broken, all of the other messages would remain secure since they use different keys to encrypt them. Unfortunately, one-time use pads require that two identical copies of the pad are produced and distributed securely before they can be used. DES and AES both rely on a single shared secret key, making it vulnerable to attack. DES has already been broken, while AES remains unbroken (today). With enough time and computing power, though, an AES key could be discovered. RSA is also vulnerable to attack with enough time and computing power.
Which of the following hashing algorithms results in a 256-bit fixed output? A. MD-5 B. SHA-1 C. NTLM D. SHA-2
D. SHA-2 SHA-2 creates a 256-bit fixed output. SHA-1 creates a 160-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.
Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? A. NetFlow B. SMTP C. MIB D. SNMP
D. SNMP Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, and many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.
Which of the following functions is not provided by a TPM? A. Random number generation B. Secure generation of cryptographic keys C. Remote attestation D. Binding E. Sealing F. User authentication
F. User authentication User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.
A security analyst conducts a nmap scan of a server and found that port 25 is open. What risk might this server be exposed to? A. Open file/print sharing B. Web portal data leak C. Clear text authentication D. Open mail relay
Port 25 is the default port for SMTP (Simple Message Transfer Protocol), which is used for sending an email. An active mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send email through it, not just mail originating from your known and trusted users. Spammers can exploit this type of vulnerability to use your email server for their own benefit. File/print sharing usually operates over ports 135, 139, and 445 on a Windows server. Web portals run on ports 80 and 443. Clear text authentication could occur using an unencrypted service, such as telnet (23), FTP (20/21), or the web (80).
