Security+ 501 Comprehensive Exam


A technician has installed new vulnerability scanner software on a server that is joined to the company domain. The vulnerability scanner is able to provide visibility over the patch posture of all of the company's clients. Which of the following is being used? A. Gray box vulnerability testing B. Passive scan C. Credentialed scan D. Bypassing security controls

A. Gray box vulnerability testing Gray box vulnerability testing, also called gray box analysis, is a strategy for software testing in which the tester has limited knowledge of the internal details (i.e. visibility of the patch posture) of the program. A gray box is a device, program or system whose workings are partially understood.

Which of the following works by implanting software on systems but delays execution until a specific set of conditions is met? A. Logic bomb B. Trojan C. Scareware D. Ransomware

A. Logic bomb A logic bomb is a malicious program timed to cause harm at a certain point in time, but it is inactive up until that point. A set trigger, such as a pre-programmed date and time, activates a logic bomb. Once activated, a logic bomb executes malicious code that causes harm to a computer. A logic bomb's trigger conditions may also include other variables, so that the bomb is launched, for example, after a specific number of database entries. Computer security experts also believe that certain gaps in activity may launch a logic bomb, and that these types of logic bombs may actually cause the greatest harm. A logic bomb may be implemented by someone trying to sabotage a database when they are fairly certain they will not be present to experience the effects, such as full database deletion. In these instances, logic bombs are programmed to exact revenge or sabotage work. A logic bomb is also known as slag code or malicious logic.

Which of the following technologies employ the use of SAML? (Select two.) A. Single sign-on B. Federation C. LDAP D. Secure token E. RADIUS

A. Single sign-on B. Federation The Security Assertion Markup Language (SAML) is an open standard for sharing security information about identity, authentication and authorization across different systems. SAML is implemented with the Extensible Markup Language (XML) standard for sharing data, and SAML provides a framework for implementing single sign-on (SSO) and other federated identity systems.

A security team wants to establish an Incident Response plan. The team has never experienced an incident. Which of the following would BEST help them establish plans and procedures? A. Table top exercises B. Lessons learned C. Escalation procedures D. Recovery procedures

A. Table top exercises A tabletop exercise is a simulated real-world situation led by a facilitator, where participants react to events as they unfold in a classroom setting. Typically, the participants represent key areas that would be affected by an incident.

A network administrator at a small office wants to simplify the configuration of mobile clients connecting to an encrypted wireless network. Which of the following should be implemented if the administrator does not want to provide the wireless password or the certificate to the employees? A. WPS B. 802.1x C. WPA2-PSK D. TKIP

A. WPS Wi-Fi Protected Setup (WPS) is a wireless network setup solution that lets you automatically configure your wireless network, add new devices, and enable wireless security. Wireless routers, access points, USB adapters, printers, and all other wireless devices that have WPS capabilities, can all be easily set up to communicate with each other, usually with just a push of the button.

A software developer wants to ensure that the application is verifying that a key is valid before establishing SSL connections with random remote hosts on the Internet. Which of the following should be used in the code? (Select TWO.) A. Escrowed keys B. SSL symmetric encryption key C. Software code private key D. Remote server public key E. OCSP

C. Software code private key E. OCSP Code signing is the method of using a certificate-based (private key) digital signature to sign executables and scripts in order to verify the author's identity and ensure that the code has not been changed or corrupted since it was signed by the author. This helps users and other software to determine whether the software can be trusted. The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 (public key) digital certificate.

A botnet has hit a popular website with a massive number of GRE encapsulated packets to perform a DDoS attack. News outlets discover a certain type of refrigerator was exploited and used to send outbound packets to the website that crashed. To which of the following categories does the refrigerator belong? A. SoC B. ICS C. IoT D. MFD

C. IoT The Internet of Things (IoT) is the network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these objects to connect and exchange data. Each thing is uniquely identifiable through its embedded computing system but is able to inter-operate within the existing Internet infrastructure.

A network technician is setting up a segmented network that will utilize a separate ISP to provide wireless access to the public area for a company. Which of the following wireless security methods should the technician implement to provide basic accountability for access to the public network? A. Pre-shared key B. Enterprise C. Wi-Fi Protected Setup D. Captive portal

D. Captive portal A captive portal is a Web page that the user of a public-access network is obliged to view and interact with before access is granted. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hot spots for Internet users. The captive portal feature is a software implementation that blocks clients from accessing the network until user verification has been established. You can set up verification to allow access for both guests and authenticated users. Authenticated users must be validated against a database of authorized captive portal users before access is granted.

Which of the following can be used to control specific commands that can be executed on a network infrastructure device? A. LDAP B. Kerberos C. SAML D. TACACS+

D. TACACS+ Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users who are attempting to gain access to a router or network access server (NAS). TACACS+, a more recent version of the original TACACS protocol, provides separate authentication, authorization, and accounting (AAA) services. The TACACS+ protocol provides detailed accounting information and flexible administrative control over the authentication, authorization, and accounting process. The protocol allows a TACACS+ client to request detailed access control and allows the TACACS+ process to respond to each component of that request. TACACS+ uses Transmission Control Protocol (TCP) for its transport. TACACS+ provides security by encrypting all traffic between the NAS and the process. Encryption relies on a secret key that is known to both the client and the TACACS+ process.

Joe notices there are several user accounts on the local network generating spam with embedded malicious code. Which of the following technical controls should Joe put in place to BEST reduce these incidents? A. Account lockout B. Group Based Privileges C. Least privilege D. Password complexity

A. Account lockout Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached. The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

Recently several employees were victims of a phishing email that appeared to originate from the company president. The email claimed the employees would be disciplined if they did not click on a malicious link in the message. Which of the following principles of social engineering made this attack successful? A. Authority B. Spamming C. Social proof D. Scarcity

A. Authority Authority can be construed to mean many different things. Within the context of Social Engineering, there are different types of Authority. Authority and power are separate but related concepts. While power is the possession of control, authority or influence over others, authority refers to the right to exercise that power. Authority is used within Social Engineering in order to gain access to property or information. Different types of Authority can be used, including: Legal, Organizational and Social.

In determining when it may be necessary to perform a credentialed scan against a system instead of a non-credentialed scan, which of the following requirements is MOST likely to influence this decision? A. The scanner must be able to enumerate the host OS of devices scanned. B. The scanner must be able to footprint the network. C. The scanner must be able to check for open ports with listening services. D. The scanner must be able to audit file system permissions.

D. The scanner must be able to audit file system permissions. Credentialed scans are scans in which the scanning computer has an account on the computer being scanned, which allows the scanner to do a more thorough check, looking for problems that cannot be seen from the network. Credentialed scanning, and more specifically the Policy Compliance plugins, allow customized auditing of operating systems, applications, databases, file content, and nearly all other aspects of configuration that impact security. Nessus offers baseline files for a variety of operating systems, applications, standards, and policies.

A security administrator wants to configure a company's wireless network in a way that will prevent wireless clients from broadcasting the company's SSID. Which of the following should be configured on the company's access points? A. Enable ESSID broadcast B. Enable protected management frames C. Enable wireless encryption D. Disable MAC authentication E. Disable WPS F. Disable SSID broadcast

F. Disable SSID broadcast Most broadband routers and other wireless access points (APs) automatically transmit their network name (SSID) into the open air every few seconds. You can choose to disable this feature on your Wi-Fi network, but before you do, be aware of the pros and cons. The simple reason SSID broadcasting is used in the first place is to make it easy for clients to see and connect to the network. Otherwise, they have to know the name beforehand and set up a manual connection to it. However, with the SSID broadcast enabled, not only do your neighbors see your network any time they browse for nearby Wi-Fi, it also makes it easier for potential hackers to see that you have a wireless network within range. Similarly, while it is technically a better decision to keep your SSID hidden away, it is not a foolproof security measure. A hacker with the right tools and enough time can sniff out the traffic coming from your network, find the SSID and continue on their way. Knowing your network's name brings hackers one step closer to a successful intrusion, just as an unlocked door paves the way for an attacker.

An external contractor, who has not been given information about the software or network architecture, is conducting a penetration test. Which of the following BEST describes the test being performed? A. Black box B. White box C. Passive reconnaissance D. Vulnerability scan

A. Black box In a black box testing assignment, the penetration tester is placed in the role of the average hacker, with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black box penetration test determines the vulnerabilities in a system that are exploitable from outside the network. This means that black box penetration testing relies on dynamic analysis of currently running programs and systems within the target network. A black box penetration tester must be familiar with automated scanning tools and methodologies for manual penetration testing. Black box penetration testers also need to be capable of creating their own map of a target network based on their observations, since no such diagram is provided to them. The limited knowledge provided to the penetration tester makes black box penetration tests the quickest to run, since the duration of the assignment largely depends on the tester's ability to locate and exploit vulnerabilities in the target's outward-facing services. The major downside of this approach is that if the testers cannot breach the perimeter, any vulnerability of internal services remains undiscovered and unpatched.

A senior incident response manager receives a call about some external IPs communicating with internal computers during off hours. Which of the following types of malware is MOST likely causing this issue? A. Botnet B. Ransomware C. Polymorphic malware D. Armored virus

A. Botnet A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things devices, that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system. Infected devices are controlled remotely by threat actors, often cybercriminals, and are used for specific functions, so the malicious operations stay hidden from the user. Botnets are commonly used to send email spam, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service attacks.

An administrator has configured a new Linux server with the FTP service. Upon verifying that the service was configured correctly, the administrator has several users test the FTP service. Users report that they are able to connect to the FTP service and download their personal files; however, they cannot transfer new files to the server. Which of the following will most likely fix the uploading issue for the users? A. Create an ACL to allow the FTP service write access to user directories B. Set the SELinux Boolean value to allow FTP home directory uploads C. Reconfigure the FTP daemon to operate without utilizing PASV mode D. Configure the FTP daemon to utilize PAM authentication pass-through user permissions

A. Create an ACL to allow the FTP service write access to user directories As a system administrator, our first priority is to protect and secure data from unauthorized access. We are all aware of the permissions that we set using helpful Linux commands like chmod, chown, chgrp, etc. However, these default permission sets have some limitations and sometimes may not work as per our needs. For example, we cannot set up different permission sets for different users on the same directory or file. Thus, Access Control Lists (ACLs) were implemented. ACLs allow us to do exactly that: they let us grant permissions to a user, a group, or any set of users who are not in the group list of a file's owner. Linux groups are a mechanism to manage a collection of computer system users. All Linux users have a user ID and a group ID, unique numerical identification numbers called a userid (UID) and a groupid (GID) respectively. Groups can be assigned to logically tie users together for a common security, privilege and access purpose. This is the foundation of Linux security and access. Files and devices may be granted access based on a user's ID or group ID. File, directory and device (special file) permissions are granted based on "user", "group" or "other" (world) identification status. Permission is granted (or denied) for read, write and execute access. Access Control Lists (ACLs) are applied to files and directories. ACLs are an addition to the standard Unix file permissions (r,w,x,-) for User, Group, and Other for read, write, execute and deny permissions. ACLs give users and administrators flexibility and direct fine-grained control over who can read, write, and execute files.

Having adequate lighting on the outside of a building is an example of which of the following security controls? A. Deterrent B. Compensating C. Detective D. Preventative

A. Deterrent Security lighting is another effective form of deterrence. Intruders are less likely to enter well-lit areas for fear of being seen. Doors, gates, and other entrances, in particular, should be well lit to allow close observation of people entering and exiting. When lighting the grounds of a facility, widely distributed low-intensity lighting is generally superior to small patches of high-intensity lighting, because the latter can have a tendency to create blind spots for security personnel and CCTV cameras. It is important to place lighting in a manner that makes it difficult to tamper with (e.g. suspending lights from tall poles), and to ensure that there is a backup power supply so that security lights will not go out if the electricity is cut off.

A security analyst notices anomalous activity coming from several workstations in the organization. Upon identifying and containing the issue, which of the following should the security analyst do NEXT? A. Document and lock the workstations in a secure area to establish chain of custody B. Notify the IT department that the workstations are to be re-imaged and the data restored for reuse C. Notify the IT department that the workstations may be reconnected to the network for the users to continue working D. Document findings and processes in the after-action and lessons learned report

A. Document and lock the workstations in a secure area to establish chain of custody What is the chain of custody in computer forensics? The chain of custody in digital forensics can also be referred to as the forensic link, the paper trail, or the chronological documentation of electronic evidence. It indicates the collection, sequence of control, transfer, and analysis. Establishing chain of custody when authenticating digital media evidence for use in the courtroom is extremely important. The chain of custody must account for the seizure, storage, transfer and condition of the evidence. The chain of custody is absolutely necessary for admissible evidence in court. It is important to maintain the chain of custody to preserve the integrity of the evidence and prevent it from contamination, which can alter the state of the evidence. If it is not preserved, the evidence presented in court might be challenged and ruled inadmissible.

A network administrator wants to ensure that users do not connect any unauthorized devices to the company network. Each desk needs to connect a VoIP phone and computer. Which of the following is the BEST way to accomplish this? A. Enforce authentication for network devices B. Configure the phones on one VLAN, and computers on another C. Enable and configure port channels D. Make users sign an Acceptable Use Agreement

A. Enforce authentication for network devices The best cyber security comes in layers, making it difficult or frustrating for an intruder to fight through each line of defense to break into the network and gain access to data. One of the front-line defenses should be network access control (NAC) and its ability to restrict network access to devices and users that are authorized and authenticated. The emphasis of NAC is the access control: who or what has authorized permission to access the network. This includes both users and devices. The NAC system intercepts the connection requests, which are then authenticated against a designated identity and access management system. Access is either accepted or denied based on a pre-determined set of parameters and policies that are programmed into the system.

A datacenter recently experienced a breach. When access was gained, an RF device was used to access an air-gapped and locked server rack. Which of the following would BEST prevent this type of attack? A. Faraday cage B. Smart cards C. Infrared detection D. Alarms

A. Faraday cage A Faraday cage is a metallic enclosure that prevents the entry or escape of an electromagnetic field (EM field). An ideal Faraday cage consists of an unbroken, perfectly conducting shell. This ideal cannot be achieved in practice, but it can be approached by using fine-mesh copper screening. For best performance, the cage should be directly connected to an earth ground. Besides electricity supply and fire protection, three main threats can affect the security of server rooms. The first threat comes from electromagnetic attacks. The second comes from eavesdropping (i.e. sensitive information leakage), and the third comes from unintended and careless distortion (e.g., cell phones or power transformers disrupting data processing). Faraday cages are highly reliable electromagnetic security solutions for all types of data centers, protecting against the theft of information obtained from servers installed in data centers and against electromagnetic wave attacks, which destroy or cause malfunctions of systems by transmitting strong electromagnetic waves from the area around a data center.

An administrator intends to configure an IPSec solution that provides ESP with integrity protection, but not confidentiality protection. Which of the following AES modes of operation would meet this integrity-only requirement? A. HMAC B. PCBC C. CBC D. GCM E. CFB

A. HMAC Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. It provides origin authentication, data integrity through hash functions (HMAC) and confidentiality through encryption protection for IP packets. ESP operates directly on top of IP, using IP protocol number 50.

Which of the following are MOST susceptible to birthday attacks? A. Hashed passwords B. Digital certificates C. Encryption passwords D. One time passwords

A. Hashed passwords A birthday attack is a cryptanalytic technique. Birthday attacks can be used to find collisions in a cryptographic hash function. For instance, suppose we have a hash function which, when supplied with a random input, returns one of k equally likely values. By repeatedly evaluating the function on about 1.2·√k different inputs, it is likely we will find some pair of inputs that produce the same output (a collision). Birthday attacks are a class of brute-force techniques used in an attempt to solve a class of cryptographic hashed password function problems. These methods take advantage of functions which, when supplied with a random input, return one of k equally likely values. By repeatedly evaluating the function for different inputs, the same output is obtained after about 1.2·√k evaluations.

A security analyst is hardening a web server, which should allow a secure certificate-based session using the organization's PKI infrastructure. The web server should also utilize the latest security techniques and standards. Given this set of requirements, which of the following techniques should the analyst implement to BEST meet these requirements? (Select two.) A. Install an X.509-compliant certificate. B. Implement a CRL using an authorized CA. C. Enable and configure TLS on the server. D. Install a certificate signed by a public CA. E. Configure the web server to use a host header.

A. Install an X.509-compliant certificate C. Enable and configure TLS on the server. An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate. Many of the certificates that people refer to as Secure Sockets Layer (SSL) certificates are in fact X.509 TLS certificates. In cryptography, X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS.

While performing surveillance activities, an attacker determines that an organization is using 802.1X to secure LAN access. Which of the following attack mechanisms can the attacker utilize to bypass the identified network security? A. MAC spoofing B. Pharming C. Xmas attack D. ARP poisoning

A. MAC spoofing Every device that is connected to a network possesses a worldwide, unique, physical identification number: the Media Access Control address, or MAC for short. This burned-in address is virtually etched into the hardware by the manufacturer. Users are not able to change or rewrite the MAC address. Nevertheless, it is possible to mask it on the software side. This masking is what is referred to as MAC spoofing. • MAC addresses: distinct hardware addresses identify network interface controllers (NICs) such as LAN cards or WLAN adapters, and are used to identify devices in local networks. Every MAC address consists of 48 bits, or 6 bytes, and is arranged in the following pattern: 00:81:41:fe:ad:7e. The first 24 bits are the manufacturer code assigned by the Institute of Electrical and Electronics Engineers (IEEE), and the following 24 bits are the device number defined by the manufacturer. • Spoofing: in network terminology, spoofing refers to the various methods which can be used to manipulate the fundamental address system in computer networks. Hackers use this method of attack to conceal their own identity and imitate another. Other than MAC addresses, other popular targets for spoofing attacks are the internet protocol (IP), domain name system (DNS), and address resolution via the Address Resolution Protocol (ARP). Basically, spoofing is a resolution strategy for troubleshooting, but in most cases it is used for the infiltration of foreign systems and illegal network activities instead. There are tools to bypass 802.1x Network Access Control (NAC) on a wired LAN. These threat agents will help you locate any non-802.1x configurable hosts on your subnet, and spoof their MAC address so that you appear authenticated to the switch.

While reviewing the security controls in place for a web-based application, a security controls assessor notices that there are no password strength requirements in place. Because of this vulnerability, passwords might be easily discovered using a brute force attack. Which of the following password requirements will MOST effectively improve the security posture of the application against these attacks? (Select two.) A. Minimum complexity B. Maximum age limit C. Maximum length D. Minimum length E. Minimum age limit F. Minimum re-use limit

A. Minimum complexity C. Maximum length When it comes to user authentication, the password is, and has been, the most used mechanism; passwords are used to access computers, mobile devices, networks or operating systems. In essence, they are part of our everyday lives. Over time, requirements have evolved and, nowadays, most systems' passwords must consist of a lengthy set of characters, often including numbers, special characters and a combination of upper and lower case letters. The strength of a password is seen as a function of how complex and/or long it is; but what matters most, size or complexity? Any system, regardless of which method is used for identification and/or authentication, is susceptible to hacking. Password-protected systems or collections of data (think bank accounts, social networks, and e-mail systems) are probed daily and are subject to frequent attacks carried out not only through phishing and social engineering methods, but also by means of password cracking tools. The debate is always open, and the length vs. complexity issue divides experts and users. Both have pros and cons as well as their own supporters.

A company exchanges information with a business partner. An annual audit of the business partner is conducted against the SLA in order to verify: A. Performance and service delivery metrics B. Backups are being performed and tested C. Data ownership is being maintained and audited D. Risk awareness is being adhered to and enforced

A. Performance and service delivery metrics Service level agreements are paramount to the contract created between a vendor and their clients. An SLA represents the promise that the provider makes to offer the best possible service. However, simply having a service level agreement and being able to demonstrate its achievement are two very different matters. Service Level Agreements (SLAs) are fundamental to effective service provision. They provide the basis for managing the relationship between the service provider and the customer, describing the agreement between the service provider and customer for the service to be delivered, including how the service is to be measured. Basically, SLAs are intended to ensure the provider understands what they are supposed to deliver, the customer knows what to expect, and both can see (empirically) what is actually being delivered. Metrics and Key Performance Indicators (KPIs) are a core element of an SLA. Ineffective or absent performance and service delivery metrics can cause a service to fall into disrepute, and a blame culture can develop. Performance and service delivery metrics must accurately reflect the expectations and perceptions of both the customer and service provider.

A system administrator needs to implement 802.1x whereby when a user logs into the network, the authentication server communicates to the network switch and assigns the user to the proper VLAN. Which of the following protocols should be used? A. RADIUS B. Kerberos C. LDAP D. MSCHAP

A. RADIUS To understand 802.1x, let us define some fundamental terminology. Supplicant (Client) - In IEEE terminology, the supplicant refers to the client software that supports the 802.1x and EAP protocols. The supplicant software integrates into the client operating system or the client device firmware, or is implemented as add-in software. The term supplicant also refers to the actual client requesting access to the network. Authenticator - The device to which the supplicant directly connects, and through which the supplicant obtains network access, is an authenticator. Authenticators include LAN switch ports and Wireless Access Points (WAPs). In the case of a Local Area Network, the switch must support 802.1x in order to work as an authenticator. Authentication Server - As the name suggests, this is the actual source of authentication services provided to end points. Based on the username/password or other user credentials supplied to the server, it decides whether to allow or deny users access to the network. The 802.1x standard specifies that Remote Authentication Dial-In User Service (RADIUS) is the required Authentication Server.

Multiple organizations operating in the same vertical want to provide seamless wireless access for their employees as they visit the other organizations. Which of the following should be implemented if all the organizations use the native 802.1x client on their mobile devices? A. RADIUS federation B. SAML C. OAuth D. OpenID Connect

A. RADIUS federation Wireless scalability poses a challenge in decentralized environments where numerous groups and departments run their own networks or manage their own user accounts. Centralizing services to fix the problem is not always possible and may often be undesirable. Even extremely decentralized groups can develop a scalable, secure wireless network infrastructure using 802.1X and RADIUS. The only additional components needed beyond those required for standard 802.1X are a trust relationship between RADIUS servers and a core to manage trust relationships and routing of authentication requests. The resulting collection of loosely associated networks is often called a federation. Federated networks are composed of several member networks that share some level of trust, but member networks retain their own administrative control. Each member network is constructed and run separately.

An organization has determined it can tolerate a maximum of three hours of downtime. Which of the following has been specified? A. RTO B. RPO C. MTBF D. MTTR

A. RTO The recovery time objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity

A user clicked an email link that led to a website that infected the workstation with a virus. The virus encrypted all the network shares to which the user had access. The virus was not deleted or blocked by the company's email filter, website filter, or antivirus. Which of the following describes what occurred? A. The user's account was over-privileged B. The virus was a zero-day attack C. The email originated from a private email server with no malware protection. D. Improper error handling triggered a false negative in all three controls

A. The user's account was over-privileged The most dangerous insiders are usually the most trusted ones - employees with privileged accounts. Such accounts not only give them legitimate access to restricted information, but also full control over their systems, putting them in the best position to commit malicious actions. And despite investing heavily in cyber-security, not many organizations put forth the necessary money and specialists in order to deal with them. Monitoring and controlling privileged user access is a necessary part of any reliable security program, but in order to do it right, many companies will need to change their approach to the problem - from treating it as an afterthought to taking a more proactive stance, employing best practices and security solutions to protect the organization.

An attacker discovers a new vulnerability in an enterprise application. The attacker takes advantage of the vulnerability by developing new malware. After installing the malware, the attacker is provided with access to the infected machine. Which of the following is being described? A. Zero-day exploit B. Remote code execution C. Session hijacking D. Command injection

A. Zero-day exploit A zero-day vulnerability, at its core, is a flaw. It is an unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong. In fact, a zero-day exploit leaves no opportunity for detection at first. A zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability - hence "zero-day."

A security analyst is testing both Windows and Linux systems for unauthorized DNS zone transfers within a LAN on comptia.org from example.org. Which of the following commands should the security analyst use? (Select two.) A. nslookup comptia.org set type=ANY ls -d example.org B. nslookup comptia.org set type=MX example.org C. dig -axfr [email protected] D. ipconfig /flushDNS E. ifconfig eth0 down ifconfig eth0 up dhclient renew F. [email protected] comptia.org

A. nslookup comptia.org set type=ANY ls -d example.org

A security analyst is testing both Windows and Linux systems for unauthorized DNS zone transfers within a LAN on comptia.org from example.org. Which of the following commands should the security analyst use? (Select two.) A. nslookup comptia.org set type=ANY ls -d example.org B. nslookup comptia.org set type=MX example.org C. dig -axfr [email protected] D. ipconfig /flushDNS E. ifconfig eth0 down ifconfig eth0 up dhclient renew F. [email protected] comptia.org

A. nslookup comptia.org set type=ANY ls -d example.org C. dig -axfr [email protected] nslookup is a network administration command-line tool available for many computer operating systems for querying the Domain Name System (DNS) to obtain domain name or IP address mappings or any other specific DNS record. When invoked without arguments, nslookup displays the name server it uses and enters interactive mode. At the '>' prompt, you may type any domain name it should query for. By default, it asks for class A records, those containing the IP address relating to the domain name. You may change this type by issuing "set type=type", where type is one of the resource record names or ANY. ls -d shows information about a symbolic link or directory, rather than about the link's target or listing the contents of a directory. A zone transfer from an external IP address is used as part of an attacker's reconnaissance phase. Usually a zone transfer is a normal operation between primary and secondary DNS servers in order to synchronize the records for a domain. This is typically not something you want to be externally accessible. If an attacker can gather all your DNS records, they can use those to select targets for exploitation. The dig command is executed as follows to attempt the zone transfer: dig -axfr comptia.org @example.org

When considering a third-party cloud service provider, which of the following criteria would be the BEST to include in the security assessment process? (Select two.) A. Use of performance analytics B. Adherence to regulatory compliance C. Data retention policies D. Size of the corporation E. Breadth of applications support

B. Adherence to regulatory compliance C. Data retention policies There are a number of ways to assess the security of a cloud service provider, ranging from inspecting their premises to asking if the provider has any third-party certification or accreditation to back up the service contract, so here are a few things that are vital to do: • Identify what type of cloud-based services you want. Really nail down the personal or business requirements - you do not want to end up getting the wrong service or paying for functionality you do not need. • Identify who your data controller is. Organizations or businesses that are processing personal data must identify who their data controller is. Like it or not, this is the individual who will be legally held to account for the data and for adherence to regulatory compliance, even if it is in the cloud - yes, a problem shared is still your problem. • Decide what level of information assurance your data requires. You need to assess the impact that the loss of that data will have on your business/individuals. That will determine the level of service required in terms of confidentiality (how much protection does the data need in transit and storage; for instance, does it always need to be encrypted); integrity (the more integrity a cloud service has, the more confident you can be that data will not be interfered with); and availability (how available do you want your data to be, e.g. instant access always). These levels should all be stipulated very clearly in a written contract with a service level agreement. • Check where your data is being stored. The Data Protection Act 1998 lists trusted areas as the European Economic Area (EEA), US companies party to the Safe Harbor agreement, and countries of "Adequacy".
For some of the larger cloud service suppliers who have 24/7 "follow-the-sun" operations, it could very well mean that the data is supported and thus processed from countries not falling into the three categories of trust outlined above, potentially putting your personal data at risk.

A security analyst is investigating a security breach. Upon inspection of the audit and access logs, the analyst notices the host was accessed and the /etc/passwd file was modified with a new entry for username "gotcha" and user ID of 0. Which of the following are the MOST likely attack vector and tool the analyst should use to determine if the attack is still ongoing? (Select TWO) A. Logic bomb B. Backdoor C. Keylogger D. Netstat E. Tracert F. Ping

B. Backdoor D. Netstat Backdoor: is a malware type that negates normal authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, giving perpetrators the ability to remotely issue system commands and update malware. Netstat, the TCP/IP networking utility, has a simple set of options and identifies a computer's listening ports, along with incoming and outgoing network connections. This data can be very helpful if you are trying to resolve a malware issue or diagnose a security problem. Another reason I find Netstat such a useful tool is that it can be found on almost any computer by default, from Unix and Linux machines through to Windows and Macs. The fact you do not have to install and run a separate diagnostic tool can be a lifesaver when dealing with a client's PC or a quarantined machine. Every open port on your computer is an entry point that can be exploited to gain covert access. Therefore, if you need to know what connections a machine has to the internet and what services may be open and running, Netstat can quickly tell you.

Which of the following attack types is being carried out where a target is being sent unsolicited messages via Bluetooth? A. War chalking B. Bluejacking C. Bluesnarfing D. Rogue tethering

B. Bluejacking Explanation: Bluejacking is a hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius. First, the hacker scans his surroundings with a Bluetooth-enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices.

A systems administrator has finished configuring a firewall ACL to allow access to a new web server:
PERMIT TCP from: ANY to: 192.168.1.10:80
PERMIT TCP from: ANY to: 192.168.1.10:443
DENY TCP from: ANY to: ANY
The security administrator confirms from the following packet capture that there is network traffic from the internet to the web server:
TCP 10.23.243.2:2000 -> 192.168.1.10:80 POST /default's
TCP 172.16.4.100:1934 -> 192.168.1.10:80 GET /session.aspx?user 1 sessionid=a12ad8741d8f7e7ac723847aa8231a
The company's internal auditor issues a security finding and requests that immediate action be taken. With which of the following is the auditor MOST concerned? A. Misconfigured firewall B. Clear text credentials C. Implicit deny D. Default configuration

B. Clear text credentials The biggest security issue with such traffic is the human-readable and understandable format it is in, which exposes even sensitive information such as user credentials. Clear-text traffic can be easily understood by human beings without any additional processing, as we will see in this section. Many common protocols in our networks communicate in such a manner.

An administrator has concerns regarding the traveling sales team who works primarily from smart phones. Given the sensitive nature of their work, which of the following would BEST prevent access to the data in case of loss or theft? A. Enable screensaver locks when the phones are not in use to prevent unauthorized access B. Configure the smart phones so that the stored data can be destroyed from a centralized location C. Configure the smart phones so that all data is saved to removable media and kept separate from the device D. Enable GPS tracking on all smart phones so that they can be quickly located and recovered

B. Configure the smart phones so that the stored data can be destroyed from a centralized location Remote wipe is a security feature that allows a network administrator or device owner to send a command to a computing device and delete data. What remote wipe accomplishes can depend on the device, its specific operating system version and any third-party mobile device management (MDM) software installed on the device. A remote wipe may delete data in selected folders, repeatedly overwrite stored data to prevent forensic recovery, return the device to factory settings or remove all programming on the device, essentially turning it into a brick, meaning that it is no longer of any use to anyone.

A security consultant discovers that an organization is using the PCL protocol to print documents, utilizing the default driver and print settings. Which of the following is the MOST likely risk in this situation? A. An attacker can access and change the printer configuration B. SNMP data leaving the printer will not be properly encrypted C. An MITM attack can reveal sensitive information. D. An attacker can easily inject malicious code into the printer firmware E. Attackers can use the PCL protocol to bypass the firewall of client computers

B. SNMP data leaving the printer will not be properly encrypted The risk of PCL is that the information being sent to the printer can be captured unencrypted. Unencrypted print data are a weakness in every IT security environment because, without encryption, all printing protocols transmit print data as (more or less) readable clear text. The printer command languages PCL (Printer Control Language) and PostScript are page-description protocols that include the document content in clear text in addition to control and command characters. Reading a text transmitted in ASCII format is even simpler.

A security administrator returning from a short vacation receives an account lock-out message when attempting to log into the computer. After getting the account unlocked, the security administrator immediately notices a large number of email alerts pertaining to several different user accounts being locked out during the past three days. The security administrator uses system logs to determine that the lock-outs were due to a brute force attack on all accounts that had previously logged into that machine. Which of the following can be implemented to reduce the likelihood of this attack going undetected? A. Password complexity rules B. Continuous monitoring C. User access reviews D. Account lockout policies

B. Continuous monitoring Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment. The financial and operational environment consists of people, processes, and systems working together to support efficient and effective operations. Continuous monitoring is one part of a six-step process in the NIST Risk Management Framework (RMF), from NIST publication 800-53. Continuous monitoring is an essential step for organizations to identify and measure the security implications of planned and unexpected changes to hardware, software, and firmware and to assess vulnerabilities in a dynamic threat space.

Two users need to securely share encrypted files via email. Company policy prohibits users from sharing credentials or exchanging encryption keys. Which of the following can be implemented to enable users to share encrypted data while abiding by company policies? A. Key escrow B. Digital signatures C. PKI D. Hashing

B. Digital signatures Digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. The digital equivalent of a handwritten signature or stamped seal, a digital signature offers security that is far more inherent and it is intended to solve the problem of tampering and impersonation in digital communications. Digital signatures can provide the added assurances of evidence of origin, identity and status of an electronic document, transaction or message and can acknowledge informed consent by the signer.

The administrator installs database software to encrypt each field as it is written to disk. Which of the following describes the encrypted data? A. In-transit B. In-use C. Embedded D. At-rest

B. In-use Just like matter, data exists in three states: in motion, at rest and in use. In order to secure enterprise data, it must be protected throughout its entire lifecycle: in all three states. If the data in use is not encrypted (i.e., while being processed), it is exposed and therefore, vulnerable. Data in use is more vulnerable than data at rest because, by definition, it must be accessible to those who need it. Of course, the more people and devices that have access to the data, the greater the risk that it will end up in the wrong hands at some point. The keys to securing data in use are to control access as tightly as possible and to incorporate some type of authentication to ensure that users are not hiding behind stolen identities. Data in use is data that is not just being stored passively on a hard drive or external storage media. This data is being processed by one or more applications. This is data currently in the process of being generated, updated, appended, or erased. It also includes data being viewed by users accessing it through various endpoints. Data in use is susceptible to different kinds of threats depending on where it is in the system and who is able to use it. The most vulnerable point for data in use is at the endpoints where users are able to access and interact with it.

A security administrator is trying to encrypt communication. For which of the following reasons should the administrator take advantage of the Subject Alternative Name (SAN) attribute of a certificate? A. It can protect multiple domains B. It provides extended site validation C. It does not require a trusted certificate authority D. It protects unlimited subdomains

B. It provides extended site validation An Extended Validation SSL Certificate (also known as EV SSL for short) is the highest form of SSL Certificate on the market. While all levels of SSL - Extended Validation (EV), Organization Validated (OV), and Domain Validated (DV) - provide encryption and data integrity, they vary in terms of how much identity verification is involved and how the certificates display in browsers. The Subject Alternative Name field lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate, such as a Multi-Domain (SAN) or Extended Validation Multi-Domain Certificate.

Company policy requires the use of passphrases instead of passwords. Which of the following technical controls MUST be in place in order to promote the use of passphrases? A. Reuse B. Length C. History D. Complexity

B. Length The National Institute of Standards and Technology (NIST) released new standards for password security in the final version of Special Publication 600-83. Specifically, NIST refers to new password security guidelines in the document SP 800-636: Authentication & Lifecycle Management (PDF). Federal agencies and contractors use NIST's standards as guidelines on how to secure digital identities. New NIST guidelines recommend using long and complex passphrases instead of seemingly complex passwords. A passphrase is a "memorized secret" consisting of a sequence of words or other text used to authenticate a user's identity. It is longer than a password for added security.

A company wants to ensure that the validity of publicly trusted certificates used by its web server can be determined even during an extended internet outage. Which of the following should be implemented? A. Recovery agent B. OCSP C. CRL D. Key escrow

B. OCSP OCSP (Online Certificate Status Protocol) is one of two common schemes for maintaining the security of a server and other network resources. The other, older method, which OCSP has superseded in some scenarios, is known as the Certificate Revocation List (CRL). OCSP overcomes the chief limitation of CRL: the fact that updates must be frequently downloaded to keep the list current at the client end. When a user attempts to access a server, OCSP sends a request for certificate status information. The server sends back a response of current, expired, or unknown. The protocol specifies the syntax for communication between the server and the client application (which is informed of that status). OCSP allows users with expired certificates a grace period, so they can access servers for a limited time before renewing.

A consultant has been tasked to assess a client's network. The client reports frequent network outages. Upon viewing the spanning tree configuration, the consultant notices that an old and slow performing edge switch on the network has been elected to be the root bridge. Which of the following explains this scenario? A. The switch also serves as the DHCP server B. The switch has the lowest MAC address C. The switch has spanning tree loop protection enabled D. The switch has the fastest uplink port

B. The switch has the lowest MAC address In STP all switches send BPDUs (Bridge Protocol Data Units), which contain a priority and the BID (Bridge ID). The BID is 8 bytes long: 6 bytes are used for the MAC address of the bridge, 12 bits are used to indicate the VLAN (this is called the extended system ID), and 4 bits are used to set the priority. A lower priority value is preferred over a higher one. The priority is set in multiples of 4096. If there is a tie in priority, then the lowest MAC address determines which bridge becomes the root. The root bridge (switch) is a special bridge at the top of the Spanning Tree (an inverted tree). The branches (Ethernet connections) are then branched out from the root switch, connecting to other switches in the Local Area Network (LAN). All bridges (switches) are assigned a numerical value called bridge priority. A loop-free network in spanning-tree topologies is supported through the exchange of a special type of frame called a bridge protocol data unit (BPDU). Peer STP applications running on the switch interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs determines which interfaces block traffic (preventing loops) and which interfaces become root ports and forward traffic. However, a blocking interface can transition to the forwarding state in error if the interface stops receiving BPDUs from its designated port on the segment. Such a transition error can occur when there is a hardware error on the switch or a software configuration error between the switch and its neighbor. When loop protection is enabled, the spanning-tree topology detects root ports and blocked ports and makes sure both keep receiving BPDUs. If a loop-protection-enabled interface stops receiving BPDUs from its designated port, it reacts as it would react to a problem with the physical connection on this interface. It does not transition the interface to a forwarding state, but instead transitions it to a loop-inconsistent state. The interface recovers and then transitions back to the spanning-tree blocking state as soon as it receives a BPDU.

A remote user (User1) is unable to reach a newly provisioned corporate Windows workstation. The system administrator has been given the following log files from the VPN, corporate firewall and workstation host.
VPN log:
[2015-03-25 08:00.23 CST-6: VPN-Server-1: User1 5.5.5.5 authentication failed. Wrong password.]
[2015-03-25 08:00.29 CST-6: VPN-Server-1: User1 5.5.5.5 authentication failed. Wrong password.]
[2015-03-25 08:00.40 CST-6: VPN-Server-1: User1 5.5.5.5 authentication failed. Wrong password.]
[2015-03-25 08:01.11 CST-6: VPN-Server-1: User1 5.5.5.5 authentication succeeded.]
[2015-03-25 09:01.35 CST-6: VPN-Server-1: User1 5.5.5.5 disconnected. Idle timeout.]
Corporate firewall log:
[2015-03-25 14:01.12 CST: denied 5.5.5.5 (icmp) -> 10.1.1.5 (icmp)]
[2015-03-25 14:01.13 CST: denied 5.5.5.5 (icmp) -> 10.1.1.5 (icmp)]
[2015-03-25 14:01.14 CST: denied 5.5.5.5 (icmp) -> 10.1.1.5 (icmp)]
[2015-03-25 14:01.15 CST: denied 5.5.5.5 (icmp) -> 10.1.1.5 (icmp)]
[2015-03-25 14:01.16 CST: denied 5.5.5.5 (icmp) -> 10.1.1.5 (icmp)]
[2015-03-25 14:01.16 CST: accepted 5.5.5.5 (1025) -> 10.1.1.5 (3389)]
[2015-03-25 14:01.17 CST: denied 5.5.5.5 (icmp) -> 10.1.1.5 (icmp)]
[2015-03-25 14:01.18 CST: denied 5.5.5.5 (icmp) -> 10.1.1.5 (icmp)]
Workstation host firewall log:
[2015-03-21 08:00.00 CST-5: 10.1.1.5 -> www.hackersite11111.com (http://www.hackersite11111.com/) (https) (action=allow)]
[2015-03-22 08:00.00 CST-5: 10.1.1.5 -> www.hackersite11111.com (http://www.hackersite11111.com/) (https) (action=allow)]
[2015-03-23 08:00.00 CST-5: 10.1.1.5 -> www.hackersite11111.com (http://www.hackersite11111.com/) (https) (action=allow)]
[2015-03-24 08:00.00 CST-5: 10.1.1.5 -> www.hackersite11111.com (http://www.hackersite11111.com/) (https) (action=allow)]
[2015-03-25 08:00.00 CST-5: 10.1.1.5 -> www.hackersite11111.com (http://www.hackersite11111.com/) (https) (action=allow)]
[2015-03-25 09:01.17 CST-5: 5.5.5.5 -> 10.1.1.5 (msrdp) (action=drop)]
[2015-03-26 08:00.00 CST-5: 10.1.1.5 -> www.hackersite11111.com (http://www.hackersite11111.com/) (https) (action=allow)]
Which of the following is preventing the remote user from being able to access the workstation? A. Network latency is causing remote desktop service request to time out B. User1 has been locked out due to too many failed passwords C. Lack of network time synchronization is causing authentication mismatches D. The workstation has been compromised and is accessing known malware sites E. The workstation host firewall is not allowing remote desktop connections

B. User1 has been locked out due to too many failed passwords The remote user (User1) has triggered a 'too many failed login attempts' lockout. This is caused by entering the wrong login credentials too many times in quick succession. To trigger the error message in the first instance, you need to type in the wrong login credentials multiple times. Once the error message has displayed and the host has registered this 'too many failed login attempts' state, even if you input the correct user credentials, they won't register successfully until the wait period has expired.

Which of the following technologies would be MOST appropriate to utilize when testing a new software patch before a company-wide deployment? A. Cloud computing B. Virtualization C. Redundancy D. Application control

B. Virtualization Virtualization is used to host one or more operating systems in the memory of a single host computer and allows multiple operating systems to run simultaneously on the same hardware, reducing costs. Virtualization offers the flexibility of quickly and easily making backups of entire virtual systems, and quickly recovering the virtual system when errors occur. Furthermore, malicious code compromises of virtual systems rarely affect the host system, which allows for safer testing and experimentation

A security administrator determined that users within the company are installing unapproved software. Company policy dictates that only certain applications may be installed or run on the users' computers without exception. Which of the following should the administrator do to prevent all unapproved software from running on the users' computers? A. Deploy antivirus software and configure it to detect and remove pirated software B. Configure the firewall to prevent the downloading of executable files C. Create an application whitelist and use OS controls to enforce it D. Prevent users from running as administrator so they cannot install software.

C. Create an application whitelist and use OS controls to enforce it In Windows it is possible to configure two different methods that determine whether an application should be allowed to run. The first method, known as blacklisting, allows all applications to run by default except for those you specifically disallow. The other, and more secure, method is called whitelisting, which blocks every application from running by default, except for those you explicitly allow. Application whitelisting is the practice of specifying an index of approved software applications that are permitted to be present and active on a computer system. The goal of whitelisting is to protect computers and networks from potentially harmful applications. In general, a whitelist is an index of approved entities. Whitelisting works best in centrally managed, OS-controlled environments, where systems are subject to a consistent workload. The National Institute of Standards and Technology suggests using application whitelisting in high-risk environments, where it is vitally important that individual systems be secure and less important that software be usable without restrictions. To provide more flexibility, a whitelist may also index approved application components, such as software libraries, plug-ins, extensions and configuration files.

A security administrator has been assigned to review the security posture of the standard corporate system image for virtual machines. The security administrator conducts a thorough review of the system logs, installation procedures, and network configuration of the VM image. Upon reviewing the access logs and user accounts, the security administrator determines that several accounts will not be used in production. Which of the following would correct the deficiencies? A. Mandatory access controls B. Disable remote login C. Host hardening D. Disabling services

C. Host hardening Virtual Machine (VM) tools enable greater interaction between the host and the virtual machine. VM tools are mandatory for several VM features to function. Most manufacturers recommend restricting VM tools installation access to only those users who need it. It is controlled by a privilege. This privilege allows mounting and unmounting the VM Tools CD installer as a CD-ROM for the guest operating system; it is set on the Virtual Machine object. It is also a good idea to perform host hardening and restrict virtual machine data access. Note that data access means the ability to cut/copy and paste data into and from the virtual machine console. The administrator may also want to consider removing unwanted/unused virtual hardware from virtual machines. Doing this eliminates some of the options available to an attacker to compromise the systems. A virtual machine must be considered a separate entity, and its relevant security policies must be applied.

The security administrator receives an email on a non-company account from a coworker stating that some reports are not exporting correctly. Attached to the email was an example report file with several customers' names and credit card numbers with the PIN. Which of the following is the BEST technical control that will help mitigate this risk of disclosing sensitive data? A. Configure the mail server to require TLS connections for every email to ensure all transport data is encrypted B. Create a user training program to identify the correct use of email and perform regular audits to ensure compliance C. Implement a DLP solution on the email gateway to scan email and remove sensitive data or files D. Classify all data according to its sensitivity and inform the users of data that is prohibited to share

C. Implement a DLP solution on the email gateway to scan email and remove sensitive data or files Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer. DLP software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk. For example, if an employee tried to forward a business email outside the corporate domain or upload a corporate file to a consumer cloud storage service like Dropbox, the employee would be denied permission. Adoption of DLP is being driven by insider threats and by more rigorous state privacy laws, many of which have stringent data protection or access components. In addition to being able to monitor and control endpoint activities, some DLP tools can also be used to filter data streams on the corporate network and protect data in motion.

Which of the following best describes a routine in which semicolons, dashes, quotes, and commas are removed from a string? A. Error handling to protect against program exploitation B. Exception handling to protect against XSRF attacks. C. Input validation to protect against SQL injection. D. Padding to protect against string buffer overflows

C. Input validation to protect against SQL injection. Explanation: SQL injection is one of the most common web attack mechanisms used by attackers to steal sensitive data from organizations. While SQL injection can affect any data-driven application that uses a SQL database, it is most often used to attack web sites. SQL injection is a code injection technique in which the attacker places malicious SQL statements into input fields so that they are executed by the underlying database. The technique works because of improper coding of the vulnerable web application: entry fields intended for user input unexpectedly allow SQL syntax to pass through into a query. Semicolons, quotes, dashes and commas are exactly the characters an attacker uses to terminate a string, append a clause, or comment out the rest of a statement, so stripping them is a blacklist-style form of input validation aimed at SQL injection; it is not error or exception handling, and it has nothing to do with buffer padding. There is a lot that web site owners can do to prevent SQL injection. Although there is no such thing as a 100 percent guarantee in security, formidable obstacles can be placed in the path of injection attempts. Employ comprehensive input validation: web sites must filter all user input, ideally for context. For example, email addresses should be filtered to allow only the characters permitted in an e-mail address, phone numbers only the characters permitted in a phone number, and so on. Stripping a list of bad characters is the weaker approach, because attackers find the encodings and characters the list missed; an allowlist of permitted input combined with parameterized (prepared) queries, so that user data is never interpreted as SQL, is the stronger control.
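As an added example (not part of the original card set), the following Python shows the two halves of the defence described above against an in-memory SQLite database that is constructed here for the demonstration: a query built by string concatenation, the same query with a bound parameter, and a context-specific allowlist check for an email address in front of it. The table, rows and the `lookup_*` function names are assumptions made for this example.

```python
import re
import sqlite3

# Constructed example database (not from the page): two users in an in-memory SQLite table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, email):
    # The user-supplied value is pasted into the SQL text, so quotes and
    # keywords in the input change the meaning of the statement.
    sql = "SELECT name FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, email):
    # The value is bound as a parameter; the driver never parses it as SQL,
    # so a quote or an OR clause in the input is just part of a string literal.
    rows = conn.execute("SELECT name FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]

# Allowlist for the expected context (an email address), as the card recommends:
# only characters that belong in an address, and an overall shape check.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def is_valid_email(value):
    return EMAIL_RE.fullmatch(value) is not None

def lookup_validated(conn, email):
    # Defence in depth: reject input that fails the allowlist, then use the
    # parameterized query for whatever passes.
    if not is_valid_email(email):
        raise ValueError("rejected input: not an email address")
    return lookup_parameterized(conn, email)

if __name__ == "__main__":
    db = build_db()
    attack = "x' OR '1'='1"          # classic tautology payload
    print("vulnerable:    ", lookup_vulnerable(db, attack))     # both users leak
    print("parameterized: ", lookup_parameterized(db, attack))  # nothing matches
    try:
        lookup_validated(db, attack)
    except ValueError as err:
        print("validated:     ", err)
```

Run it and the concatenated query returns every user for the tautology payload, while the parameterized query returns nothing and the validated path refuses the input before it reaches the database.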

A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website. During the troubleshooting process, the network administrator notices that the web gateway proxy on the local network has signed all of the certificates on the local machine. Which of the following describes the type of attack the proxy has been legitimately programmed to perform? A. Transitive access B. Spoofing C. Man-in-the-middle D. Replay

C. Man-in-the-middle @ A man-in-the-middle (MITM) proxy is a TLS-capable proxy that sits between the client and the server for HTTP and HTTPS communication. The web gateway terminates the client's TLS session, inspects (and can modify or replay) the traffic, and opens its own TLS session to the destination; the certificate the client sees is generated and signed on the fly by the proxy's internal CA, which is why every certificate on the local machine appears to be signed by the proxy. For this to work without browser warnings, the proxy's CA certificate must be installed as trusted on the clients, which is the legitimate, administrator-deployed version of the same attack technique. All requests to any web site, HTTP or HTTPS, go through the intermediate proxy and appear to the web site to originate from it, which hides the interior IP addresses of the network, limits the information attackers can obtain about the interior network, and lets the administrator control access to specific sites and manage the use of resources.

Ann, a security analyst, is monitoring the IDS console and notices multiple connections from an internal host to a suspicious callback domain. Which of the following tools would aid her in deciphering the network traffic? A. Vulnerability Scanner B. NMAP C. NETSTAT D. Packet Analyzer

D. Packet Analyzer A packet analyzer (also called a protocol analyzer or sniffer, for example Wireshark or tcpdump) captures the frames on the wire and decodes them protocol by protocol, so the analyst can see exactly what the internal host is sending to the callback domain and what comes back: DNS lookups, HTTP requests, TLS handshake details such as the server name and certificate, beacon timing and any payloads. The netstat command (short for "network statistics") only displays protocol statistics and the current TCP/IP connections on a single host, such as which ports are open for incoming connections, which ports are in use, and the state of existing connections; it shows that a connection exists but nothing about its contents. NMAP and a vulnerability scanner probe hosts rather than decode traffic, so none of the other tools will help her decipher the traffic itself.

After a routine audit, a company discovers that engineering documents have been leaving the network on a particular port. The company must allow outbound traffic on this port, as it has a legitimate business use. Blocking the port would cause an outage. Which of the following technology controls should the company implement? A. NAC B. Web proxy C. DLP D. ACL

C. DLP @ Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer. A network DLP solution inspects the content leaving on the port and blocks only the transfers that contain engineering documents, whereas an ACL or NAC rule can only permit or block the port as a whole, which is exactly the outage the company must avoid.
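The two DLP cards above (the email gateway and the outbound port) describe the same mechanism: a business rule that recognizes sensitive content in a stream and either blocks the transfer or strips the data. As an added example (not from the card set or any DLP product), this Python implements one such rule for the credit card numbers in the email question: a regular expression finds 16-digit candidates, the Luhn checksum discards digit runs that are not real card numbers, and the gateway either blocks the message or redacts it before delivery. The sample message is constructed for the example; 4111 1111 1111 1111 is the well-known Luhn-valid test number and 1234567890123456 fails the checksum.

```python
import re

# 16-digit card number, digits optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){15}\b")

def luhn_ok(digits):
    """Luhn checksum: separates real primary account numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return the card-number candidates in text that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(m.group(0))
    return hits

def redact(text):
    """Replace Luhn-valid card numbers with a token that keeps only the last four digits."""
    def replacement(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            return "[PAN-REDACTED-" + digits[-4:] + "]"
        return m.group(0)
    return CARD_RE.sub(replacement, text)

def gateway_decision(text, policy="block"):
    """Business rule applied at the gateway: block the message, or strip the data and allow it."""
    if not find_card_numbers(text):
        return "ALLOW", text
    if policy == "redact":
        return "ALLOW", redact(text)
    return "BLOCK", text

# Constructed sample message (not from the page).
SAMPLE_EMAIL = """Hi, the export looks wrong, see the attached rows:
Jane Doe, 4111 1111 1111 1111, exp 12/27
Order ref 1234567890123456 (internal id, not a card)
Thanks"""

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_EMAIL))
    print(gateway_decision(SAMPLE_EMAIL))
    print(gateway_decision(SAMPLE_EMAIL, policy="redact")[1])
```

The Luhn step matters in practice: without it, every 16-digit order number or ticket reference trips the rule and the gateway drowns in false positives. A production DLP policy would add the other identifiers the organization cares about (account numbers, document classifications, the engineering file formats from the second card) as further rules on the same pipeline.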

Multiple employees receive an email with a malicious attachment that begins to encrypt their hard drives and mapped shares on their devices when it is opened. The network and security teams perform the following actions. Shut down all network shares. Run an email search identifying all employees who received the malicious message. Re-image all devices belonging to users who opened the attachment. Next, the teams want to re-enable the network shares. Which of the following BEST describes this phase of the incident response process? A. Eradication B. Containment C. Recovery D. Lessons learned

C. Recovery Shutting down the network shares stopped the ransomware from spreading (containment), re-imaging the affected devices removed the malware (eradication), and restoring the shares so that business operations can resume is the recovery phase. Lessons learned comes after service has been restored.

When trying to log onto a company's new ticketing system, some employees receive the following message: Access denied: too many concurrent sessions. The ticketing system was recently installed on a small VM with only the recommended hardware specifications. Which of the following is the MOST likely cause for this error message? A. Network resources have been exceeded B. The software is out of licenses C. The VM does not have enough processing power. D. The firewall is misconfigured.

B. The software is out of licenses The message "Access denied: too many concurrent sessions" is a deliberate, application-level response: the ticketing system is enforcing a limit on how many users may be logged in at the same time, and that limit is almost always tied to the number of licensed seats. A VM short of processing power or network resources would show up as slow responses or timeouts, not a clean denial with an explanatory message, and a misconfigured firewall would stop the connection from reaching the application at all. Products that enforce concurrent-connection limits do so both for licensing and to protect availability: limiting connections helps prevent performance degradation from individual users who run more than one instance of an application at the same time, denial-of-service conditions caused by users who open many sessions that consume server resources and license counts, and over-consumption of resources by non-critical activity. Active sessions and disconnected sessions are both counted toward the total. For example, with a limit of three concurrent connections per user, a fourth connection attempt is refused and the user receives a message that a new connection is not allowed, which is exactly what the employees here are seeing.

A security analyst wishes to increase the security of an FTP server. Currently, all traffic to the FTP server is unencrypted. Users connecting to the FTP server use a variety of modern FTP client software. The security analyst wants to keep the same port and protocol, while also still allowing unencrypted connections. Which of the following would BEST accomplish these goals? A. Require the SFTP protocol to connect to the file server. B. Use implicit TLS on the FTP server C. Use explicit FTPS for the connections. D. Use SSH tunneling to encrypt the FTP traffic.

C. Use explicit FTPS for the connections. Explicit FTPS is the newer method of FTPS transfer and has generally overtaken implicit FTPS, which survives mainly on legacy systems. With explicit FTPS, the client opens a traditional FTP control connection on the standard port (TCP 21) and then, before logging in, issues the AUTH TLS command to upgrade that same connection to TLS; implicit FTPS instead expects TLS from the first byte on a separate port (conventionally 990), which would not satisfy the requirement to keep the same port. Today, explicit FTPS (also written FTPES) is supported by the majority of FTP servers since it is the standard way of protecting FTP. The client also negotiates which parts of the session are protected (the PBSZ and PROT commands control whether the data channel is encrypted), so it can choose to protect only the credentials or all of the data in a transfer. If a client does not request TLS, one of two things happens: the server declines the connection, or the session continues as plain FTP. This flexibility is what lets the same server accept both encrypted and unencrypted connections on port 21; the server can also be configured to reject insecure requests, forcing clients to use FTPS. SFTP (option A) is a different protocol that runs over SSH on port 22, and SSH tunneling (option D) likewise changes the port and protocol the clients use.

An analyst wants to implement a more secure wireless authentication for office access points. Which of the following technologies allows for encrypted authentication of wireless clients over TLS? A. PEAP B. EAP C. WPA2 D. RADIUS

A. PEAP Protected Extensible Authentication Protocol (PEAP) wraps the EAP authentication exchange inside a TLS tunnel between the wireless client and the authentication server, so the inner credentials (typically MS-CHAPv2 or another EAP method) are encrypted and protected from eavesdropping. EAP on its own is only the framework that carries authentication methods and provides no encryption by itself. WPA2 (Wi-Fi Protected Access 2), based on the IEEE 802.11i standard, is the wireless security standard that provides FIPS 140-2 compliant AES (CCMP) encryption of the traffic; WPA2-Personal uses a pre-shared passphrase, while WPA2-Enterprise authenticates users through a server using 802.1X and EAP. WPA2-Enterprise is therefore the transport in which PEAP runs rather than the TLS-based authentication method itself. RADIUS is the AAA protocol that carries the EAP exchange between the access point and the authentication server.

A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials. Which of the following account types is the systems administrator using? A. Shared account B. Guest account C. Service account D. User account

D. User account The domain administrator account is a named user account that a person logs on with interactively; it simply carries elevated privileges. A service account, by contrast, is a domain user account that a service runs under rather than a person: the service has whatever local and network access is granted to the account or to any groups of which the account is a member, and it is not intended for an administrator to log on with. Shared and guest accounts are not appropriate for privileged recovery work because the actions could not be attributed to an individual.

The help desk is receiving numerous password change alerts from users in the accounting department. These alerts occur multiple times on the same day for each of the affected users' accounts. Which of the following controls should be implemented to curtail this activity? A. Password Reuse B. Password complexity C. Password History D. Password Minimum age

D. Password Minimum age Setting the minimum password age is normally used in conjunction with a setting that prevents reuse of the previous X passwords; the minimum age is intended to discourage users from cycling through their previous passwords to get back to a preferred one, which is exactly what the repeated same-day changes in the accounting department indicate. Its effectiveness depends on both the minimum age value and the users. Setting a minimum password age is useful in conjunction with Enforce Password History to prevent users from entering new passwords repeatedly to bypass the history check; password history alone (option C) is what the users are defeating.

A member of a digital forensics team, Joe arrives at a crime scene and is preparing to collect system data. Before powering the system off, Joe knows that he must collect the most volatile data first. Which of the following is the correct order in which Joe should collect the data? A. CPU cache, paging/swap files, RAM, remote logging data B. RAM, CPU cache, remote logging data, paging/swap files C. Paging/swap files, CPU cache, RAM, remote logging data D. CPU cache, RAM, paging/swap files, remote logging data

D. CPU cache, RAM, paging/swap files, remote logging data Evidence handling is one of the most important aspects of the expanding field of computer forensics, and constant innovation in technology keeps best practices in flux. One of the more recent shifts has been away from simply "pulling the plug" as the first step in evidence collection and toward methodologies that acquire evidence "live" from the suspect computer. Live forensics collects digital evidence in an order based on the life expectancy of the evidence in question, gathering first what disappears first. The most important evidence gathered today is the volatile data contained in the computer's RAM. Order of volatility of digital evidence: 1. CPU cache and register contents 2. Routing table, ARP cache, process table, kernel statistics 3. Memory (RAM) 4. Temporary file systems / swap space 5. Data on hard disk 6. Remotely logged data 7. Data on archival media

Many employees are receiving email messages similar to the one shown below: From: IT department To: employee Subject: email quota exceeded Please click on the following link http://www.website.info/email.php?quota=1Gb and provide your username and password to increase your email quota. Upon reviewing other similar emails, the security administrator realized that all the phishing URLs have the following common elements: they all use HTTP, they all come from .info domains, and they all contain the same URI. Which of the following should the security administrator configure on the corporate content filter to prevent users from accessing the phishing URL, while at the same time minimizing false positives? A. BLOCK http://www.*.info/* B. DROP http://*website.info/email.php?* C. Redirect http://www.*.info/email.php?quota=* TO http://company.com/corporate_policy.html D. DENY http://*.info/email.php?quota=1Gb

D. DENY http://*.info/email.php?quota=1Gb Phishing sites are sites that attackers disguise as legitimate web sites with the aim of stealing user information, especially the credentials that provide access to your network. When a phishing email enters a network, it takes just a single user to click the link and enter credentials to set a breach in motion. The content filter rule must match what the phishing URLs have in common (HTTP, a .info domain, the same URI) and nothing else. Option D does exactly that: the wildcard covers any .info host, while the literal path and query string restrict the match to the phishing page, so legitimate .info sites are unaffected. Option A blocks every site under www.*.info, which produces many false positives and still misses phishing hosts that do not start with www; option B is tied to the one host seen so far; option C redirects instead of denying and again matches only www hosts. Some content filters can go further and prevent credential theft by detecting when users submit corporate credentials (as opposed to personal ones) to untrusted sites while still allowing submission to corporate and sanctioned sites; that requires configuring user identification together with the URL filtering categories in which credential entry should be blocked. In this question, the security administrator would block access to the known phishing URL in the content filter using DENY http://*.info/email.php?quota=1Gb.
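To make the false-positive argument concrete, here is an added example (not from the card set or any content-filter product) that treats each option as a pattern in which only `*` is a wildcard, compiles it to an anchored regular expression, and scores it against a handful of constructed URLs. Option D is taken exactly as printed; the trailing wildcard on option A, the sample URLs and the function names are assumptions made for this example.

```python
import re

def compile_rule(pattern):
    """Turn a content-filter pattern (only '*' is a wildcard) into an anchored regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")

def matches(pattern, url):
    return compile_rule(pattern).match(url) is not None

# Rule patterns modelled on the question's options A and D
# (the trailing wildcard on A is an assumption).
RULES = {
    "A": ("BLOCK", "http://www.*.info/*"),
    "D": ("DENY", "http://*.info/email.php?quota=1Gb"),
}

# Constructed test URLs (not from the page).
PHISHING_URLS = [
    "http://www.website.info/email.php?quota=1Gb",
    "http://mail.website.info/email.php?quota=1Gb",   # same URI, different host
]
LEGITIMATE_URLS = [
    "http://www.partner.info/index.html",
    "http://www.conference.info/agenda/2024.html",
    "https://www.company.com/email.php?quota=1Gb",    # internal page, HTTPS, not .info
]

def evaluate(rule_id):
    """Return (phishing URLs caught, legitimate URLs wrongly blocked) for one rule."""
    _, pattern = RULES[rule_id]
    caught = sum(matches(pattern, u) for u in PHISHING_URLS)
    false_positives = sum(matches(pattern, u) for u in LEGITIMATE_URLS)
    return caught, false_positives

if __name__ == "__main__":
    for rule_id, (action, pattern) in RULES.items():
        caught, fp = evaluate(rule_id)
        print(f"{rule_id}: {action} {pattern}: caught {caught}/{len(PHISHING_URLS)}, "
              f"false positives {fp}/{len(LEGITIMATE_URLS)}")
```

Against this sample set rule D catches both phishing URLs with no false positives, while rule A blocks the two legitimate .info sites and still lets the non-www phishing host through. The same harness is a reasonable way to test any proposed filter rule before deploying it: keep a corpus of known-bad and known-good URLs and make the rule's score part of the change review.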

The SSID broadcast for a wireless router has been disabled, but a network administrator notices that unauthorized users are accessing the wireless network. The administrator has determined that attackers are still able to detect the presence of the wireless network despite the fact that the SSID broadcast has been disabled. Which of the following would further obscure the presence of the wireless network? A. Upgrade the encryption to WPA or WPA2 B. Create a non-zero length SSID for the wireless router C. Reroute wireless users to a honeypot D. Disable responses to a broadcast probe request

D. Disable responses to a broadcast probe request To make the discovery and selection of an access point (AP) easier, a Service Set Identifier (SSID), a human-readable network name of up to 32 characters, is assigned to it. APs ship with a default SSID assigned at manufacturing time, but many users customize them. A user who wants to connect selects the SSID from the list of nearby networks and provides the corresponding password to establish a secure connection. To reduce the burden of reconnecting to a known AP, devices cache credentials and SSIDs and scan for nearby APs; if a known AP is discovered, the device reconnects automatically. Although APs periodically announce their SSID in beacon frames and it is possible to discover them passively, clients usually discover networks by active scanning with Wi-Fi probe request frames. A probe request is essentially a broadcast question: "Is an AP with SSID xxxx listening? Please respond." Clients send these probe requests in bursts, one for every saved SSID, and may also send a broadcast probe with an empty (wildcard) SSID that asks every AP in range to identify itself; between bursts the radio can be turned off, which saves power. Whenever an AP receives a probe request for its SSID, it responds with a probe response frame and the connection is initiated. Disabling the SSID broadcast only removes the name from beacon frames; an AP that still answers broadcast probe requests announces itself to anyone who asks, which is how the attackers here keep detecting the network. Disabling responses to broadcast probe requests makes the AP answer only probes that name its SSID, further obscuring it. This is obscurity rather than security: the SSID still appears in clear text in the probe requests and association frames of legitimate clients, and strong WPA2 authentication is what actually keeps unauthorized users out. On the client side, the simplest way to avoid leaking saved network names is to switch Wi-Fi off when it is not in use, disable automatic connection to known networks, or forget sensitive networks on devices that are used in places where monitoring is likely.

An organization is trying to decide which type of access control is most appropriate for the network. The current access control approach is too complex and requires significant overhead. Management would like to simplify the access control and provide users with the ability to determine what permissions should be applied to files, documents and directories. The access control method that BEST satisfies these objectives is: A. Rule-based access control B. Role-based access control C. Mandatory access control D. Discretionary access control

D. Discretionary access control Discretionary Access Control (DAC) is an access control policy enforced over all subjects and objects in an information system in which a subject that has been granted access to information can do one or more of the following: pass the information to other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, information systems or system components; choose the security attributes to be associated with newly created or revised objects; or change the rules governing access control. Mandatory access control restricts this capability. DAC is a means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or the groups to which the object belongs. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject, unless restrained by mandatory access control. This is exactly what management asked for: the owners of files, documents and directories decide their permissions, with far less administrative overhead than maintaining rules, roles or labels centrally.

An in-house penetration tester is using a packet capture device to listen in on network communications. This is an example of: A. Passive reconnaissance B. Persistence C. Escalation of privileges D. Exploiting the switch

A. Passive reconnaissance Listening with a packet capture device and reading whatever traffic reaches it sends nothing onto the network, so it is passive reconnaissance: the tester learns hosts, protocols, credentials and topology without touching a target or generating alerts. In a non-switched (hub) environment the capture card simply sees all traffic, regardless of destination. In a switched environment a tap or a mirror (SPAN) port is needed to see other hosts' traffic passively; forcing traffic through the attacker's machine with a man-in-the-middle technique such as ARP spoofing, MAC flooding, MAC duplication, ICMP redirection, DHCP spoofing or port stealing is active, changes the state of the network, and would be described as exploiting the switch rather than passive listening. Persistence and escalation of privileges describe later phases of an engagement, after a foothold has been obtained.

Which of the following would MOST likely appear in an uncredentialed vulnerability scan? A. Self-signed certificates B. Missing patches C. Auditing parameters D. Inactive local accounts

A. Self-signed certificates Most vulnerability management solutions offer two kinds of assessment: credentialed and non-credentialed (also known as authenticated and unauthenticated scans). A non-credentialed scan is a quick way to see vulnerabilities, but it only sees what the host exposes to the network: open ports, service banners, and the certificate a TLS service presents during the handshake, so a self-signed or expired certificate shows up immediately. It cannot see inside the operating system, so missing patches, audit (logging) settings and inactive local accounts are reported only by a credentialed scan that logs on to the host and reads its configuration. Unauthenticated results can therefore give false hope that a system is safe while the vulnerabilities that attackers with valid credentials exploit go unreported, and a firewall between the scanner and the host may hide still more.

A security analyst receives an alert from a WAF with the following payload: var data= "<test test test>" ++ <../../../../../../etc/passwd>" Which of the following types of attacks is this? A. Cross-site request forgery B. Buffer overflow C. SQL injection D. JavaScript data insertion E. Firewall evasion script

D. JavaScript data insertion The payload is a JavaScript variable assignment into which attacker-controlled data has been inserted; the inserted data carries a directory traversal sequence (../../../../../../etc/passwd) aimed at reading the system password file. It is not a cross-site request forgery (no forged request on behalf of a logged-in user), not a buffer overflow (no oversized input) and not SQL injection (no SQL syntax), so of the options offered, JavaScript data insertion describes it best. The lesson is the same as for HTML injection and other code injection: never rely on client-side JavaScript validation, because an attacker can modify or bypass the script (a shopping portal that trusts a price computed in the browser is the classic example); validate and canonicalize every input on the server and reject path separators and ".." sequences in anything used as a file name; and do not keep sensitive data in cookies or other client-controlled state that an attacker can edit, or, if you must, protect it with a signature generated with a server-side key.

A security analyst has been asked to perform a review of an organization's software development lifecycle. The analyst reports that the lifecycle does not contain a phase in which team members evaluate and provide critical feedback of another developer's code. Which of the following assessment techniques is BEST described in the analyst's report? A. Architecture evaluation B. Baseline reporting C. Whitebox testing D. Peer review

D. Peer review The benefits of code review are widely accepted as a quality improvement and control strategy. The development community now understands the impact of code review on overall software quality: the ability to identify and remediate errors and issues before the code is passed over to QA for testing. The software development lifecycle (SDLC) peer review contributes a measure of quality control to software development by allowing teams to review their development artifacts early and often. The ability to review these documents easily and thoroughly is critical to ensuring that everyone is on the same page, especially important as teams grapple with last-minute customer demands and requirements changes. The extended development team needs to understand the impact of changing requirements on everything from development effort to task and release management. The consistent review of all development artifacts helps teams meet specified project and delivery goals.

A Chief Financial Officer (CFO) has asked the Chief Information Security Officer (CISO) to provide responses to a recent audit report detailing deficiencies in the organization's security controls. The CFO would like to know ways in which the organization can improve its authorization controls. Given the request by the CFO, which of the following controls should the CISO focus on in the report? (Select Three) A. Password complexity policies B. Hardware tokens C. Biometric systems D. Role-based permissions E. One time passwords F. Separation of duties G. Multifactor authentication H. Single sign-on I. Least privilege

D. Role-based permissions F. Separation of duties I. Least privilege The question asks about authorization (what an authenticated user is allowed to do), so passwords, tokens, biometrics, one-time passwords, MFA and SSO, which are all authentication controls, are not the answer. Role-based access control (RBAC) is a method of access security based on a person's role within a business. It only allows employees to access the information they need to do their jobs, while preventing them from accessing additional information that is not relevant to them; an employee's role determines the permissions he or she is granted and ensures that lower-level employees cannot access sensitive information or perform high-level tasks. Separation of duties is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task. It involves breaking down tasks that might reasonably be completed by a single individual into multiple tasks so that no one person is solely in control. Payroll management, for example, is an administrative area in which both fraud and error are risks; a common segregation of duties for payroll is to have one employee responsible for the accounting portion of the job and someone else responsible for signing the checks. The principle of least privilege, an important concept in computer security, is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Under the principle of least privilege, users are granted permission to read, write or execute only the files or resources they need to do their jobs: in other words, the least amount of privilege necessary.

A security technician would like to obscure sensitive data within a file so that it can be transferred without causing suspicion. Which of the following technologies would BEST be suited to accomplish this? A. Transport Encryption B. Stream Encryption C. Digital Signature D. Steganography

D. Steganography Steganography is the hiding of a secret message within an ordinary message and the extraction of it at its destination. Steganography takes cryptography a step farther by hiding an encrypted message so that no one suspects it exists. Ideally, anyone scanning your data will fail to know it contains encrypted data. In modern digital steganography, data is first encrypted by the usual means and then inserted, using a special algorithm, into redundant (that is, provided but unneeded) data that is part of a particular file format such as a JPEG image. Think of all the bits that represent the same color pixels repeated in a row. By applying the encrypted data to this redundant data in some random or non-conspicuous way, the result will be data that appears to have the "noise" patterns of regular, non-encrypted data. A trademark or other identifying symbol hidden in software code is sometimes known as a watermark.

