Security operations -1
10. Alfonzo is an IT professional at a Portuguese university who is creating a cloud environment for use only by other Portuguese universities. What type of cloud deployment model is he using? A. Public cloud B. Private cloud C. Hybrid cloud D. Community cloud
10. D. Community clouds are cloud computing environments available only to members of a collaborative community, such as a set of universities. Public clouds are available to any customers who want to use them. Private clouds are for the use of the organization building the cloud only. Hybrid clouds mix elements of public and private clouds in an enterprise computing strategy.
33. Kevin is concerned that an employee of his organization might fall victim to a phishing attack and wants to redesign his social engineering awareness program. What type of threat is he most directly addressing? A. Nation-state B. Hacktivist C. Unintentional insider D. Intentional insider
33. C. By conducting awareness training, Kevin is seeking to educate insiders about the risks posed by phishing attacks. Specifically, he is seeking to prevent an insider from unintentionally posing a risk to the organization by falling victim to a phishing attack.
35. A tarpit, or a system that looks vulnerable but actually is intended to slow down attackers, is an example of what type of technique? A. A passive defense B. A sticky defense C. An active defense D. A reaction-based defense
35. C. Tarpits are a form of active defense that decoy or bait attackers. Passive defenses include cryptography, security architecture, and similar options. Sticky defenses and reaction-based defenses were made up for this question.
36. Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need? A. Sandboxing B. Implementing a honeypot C. Decompiling and analyzing the application code D. Fagan testing
36. A. Susan's best option is to use an automated testing sandbox that analyzes the applications for malicious or questionable behavior. Although this may not catch every instance of malicious software, the only other viable option is decompiling the applications and analyzing the code, which would be incredibly time-consuming. Since she doesn't have the source code, Fagan inspection won't work (and would take a long time too), and running a honeypot is used to understand hacker techniques, not to directly analyze application code.
39. During his analysis of a malware sample, Sahib reviews the malware files and binaries without running them. What type of analysis is this? A. Automated analysis B. Dynamic analysis C. Static analysis D. Heuristic analysis
39. C. Sahib is performing static analysis, which is analysis performed without running code. He can use tools or manually review the code (and, in fact, is likely to do both).
4. What term is used to describe the groups of related organizations that pool resources to share cybersecurity threat information and analyses? A. SOC B. ISAC C. CERT D. CIRT
4. B. The Department of Homeland Security collaborates with industry through information sharing and analysis centers (ISACs). These ISACs cover industries such as healthcare, financial, aviation, government, and critical infrastructure.
71. Which of the following parties directly communicate with the end user during a SAML transaction? A. The relying party B. The SAML identity provider C. Both the relying party and the identity provider D. Neither the relying party nor the identity provider
71. C. In a SAML transaction, the user initiates a request to the relying party, who then redirects the user to the SSO provider. The user then authenticates to the SAML identity provider and receives a SAML response, which is sent to the relying party as proof of identity.
72. Support for AES, 3DES, ECC, and SHA-256 are all examples of what? A. Encryption algorithms B. Hashing algorithms C. Processor security extensions D. Bus encryption modules
72. C. These are all examples of processor security extensions providing additional cryptographic instructions. Since AES, 3DES, and ECC are all encryption algorithms and SHA-256 is a hashing algorithm, we know that this can't be either of the first two options alone. Bus encryption may use these, but they aren't just examples of bus encryption algorithms.
73. Which of the following is not a benefit of physical segmentation? A. Easier visibility into traffic B. Improved network security C. Reduced cost D. Increased performance
73. C. Although physical segmentation can make it easier to see specific traffic while providing better network security and increased performance, running a separate infrastructure is rarely a less expensive option.
74. Which of the following options is most effective in preventing known password attacks against a web application? A. Account lockouts B. Password complexity settings C. CAPTCHAs D. Multifactor authentication
74. D. Multifactor authentication is the most effective option because attackers will need to present both factors. Even if they know the password, unless they have the second factor their attempt to access the application will fail. Account lockouts and CAPTCHAs can be useful when attempting to prevent brute-force attacks, and complexity settings may make some brute-force attacks slower and harder to conduct.
75. Which of the following is not a common use case for network segmentation? A. Creating a VoIP network B. Creating a shared network C. Creating a guest wireless network
75. B. Segmented networks are almost always used to isolate groups rather than to combine them. Common uses include specific network segments for VoIP, wireless, or specific trust zones and levels.
76. What three layers make up a software-defined network? A. Application, Datagram, and Physical layers B. Application, Control, and Infrastructure layers C. Control, Infrastructure, and Session layers D. Data link, Presentation, and Transport layers
76. B. Software-defined networks (SDNs) consist of three major layers: the application layer, where information about the network is used to improve flow, configuration, and other items; the control layer, where the logic from SDN controllers controls the network infrastructure; and the infrastructure layer, which is made up of the networking equipment. If you're not deeply familiar with SDNs, you can address questions like this by reviewing what you do know. The other three options contain elements of the OSI model but don't make sense in the context of SDN.
1. Olivia is considering potential sources for threat intelligence information that she might incorporate into her security program. Which one of the following sources is most likely to be available without a subscription fee? A. Vulnerability feeds B. Open source C. Closed source D. Proprietary
1. B. Open-source intelligence is freely available information that does not require a subscription fee. Closed-source and proprietary intelligence are synonyms and do involve payments to the providers. Vulnerability feeds may be considered threat intelligence, but they normally come with subscription fees.
14. Kaiden is configuring a SIEM service in his IaaS cloud environment that will receive all of the log entries generated by other devices in that environment. Which one of the following risks is greatest with this approach in the event of a DoS attack or other outage? A. Inability to access logs B. Insufficient logging C. Insufficient monitoring D. Insecure API
14. A. The greatest risk in the event of a DoS attack is that the logs are stored in the same cloud environment that is under attack. Cybersecurity professionals may not be able to access those logs to investigate the incident.
101. Ian wants to capture information about privilege escalation attacks on a Linux system. If he believes that an insider is going to exploit a flaw that allows them to use sudo to assume root privileges, where is he most likely to find log information about what occurred? A. The sudoers file B. /var/log/sudo C. /var/log/auth.log D. Root's .bash_log
101. C. The auth.log file on Linux systems will capture sudo events. A knowledgeable attacker is likely to erase or modify the auth.log file, so Ian should make sure that the system is sending these events via syslog to a trusted secure host. The sudoers file stored in /etc/sudoers contains details of which users can use sudo and what rights they have. There is not a file called /var/log/sudo, and root's .bash_log file might contain commands that root has run but won't have details of the sudo event; there's no reason for root to sudo to root!
102. What type of information can Gabby determine from Tripwire logs on a Linux system if it is configured to monitor a directory? A. How often the directory is accessed B. If files in the directory have changed C. If sensitive data was copied out of the directory D. Who has viewed files in the directory
102. B. Tripwire can monitor files and directories for changes, which means Gabby can use it to monitor for files in a directory that have changed. It will not tell you how often the directory is accessed, who viewed files, or if sensitive data was copied out of the directory.
103. While reviewing systems she is responsible for, Charlene discovers that a user has recently run the following command in a Windows console window. What has occurred? psexec \\10.0.11.1 -u Administrator -p examplepw cmd.exe A. The user has opened a command prompt on their workstation. B. The user has opened a command prompt on the desktop of a remote workstation. C. The user has opened an interactive command prompt as administrator on a remote workstation. D. The user has opened a command prompt on their workstation as Administrator.
103. C. Even if you're not familiar with the PS tools, you can use your knowledge of Windows command-line tools to figure out what is happening here. We see a remote workstation (it is highly unlikely you would connect to your own workstation this way!) indicated by the \\ip.address, a -u flag likely to mean user ID with the administrator listed, and a -p for password. We know that cmd.exe is the Windows command prompt, so it is reasonable and correct to assume that this will open a remote command prompt for interactive use. If this is a user who isn't an administrator, Charlene needs to start an incident investigation right away.
104. While reviewing tcpdump data, Kwame discovers that hundreds of different IP addresses are sending a steady stream of SYN packets to a server on his network. What concern should Kwame have about what is happening? A. A firewall is blocking connections from occurring. B. An IPS is blocking connections from occurring. C. A denial-of-service attack. D. An ACK blockage.
104. C. SYN floods are a denial-of-service attack technique that is used to exhaust session handlers on systems. A flood of SYNs from many different IP addresses without a completed TCP three-way handshake is often a sign of a SYN flood attack.
105. While reviewing Windows event logs for a Windows system with reported odd behavior, Kai discovers that the system she is reviewing shows Event ID 1005 MALWAREPROTECTION_SCAN_FAILED every day at the same time. What is the most likely cause of this issue? A. The system was shut down. B. Another antivirus program has interfered with the scan. C. The user disabled the scan. D. The scan found a file it was unable to scan.
105. B. First, Kai should check the scan log to review the scan type and error code to check it via the Microsoft support site. The most likely cause from the list of provided answers is a conflict with another security product. While security practitioners often worry about malware on systems, a common cause of scan failures is a second installed antivirus package. If Kai doesn't find a second antivirus package installed, she should conduct a scan using another tool to see if malware may be the issue.
106. Charles wants to use his SIEM to automatically flag known bad IP addresses. Which of the following capabilities is not typically used for this with SIEM devices? A. Blocklisting B. IP reputation C. Allowlisting D. Domain reputation
106. C. Blocklisting known bad IP addresses (previously known as blacklisting), as well as the use of both domain and IP reputation services, can help Charles accomplish his task. Allowlisting (previously known as whitelisting) allows only known addresses through and does not flag known bad addresses.
12. The company that Maria works for is making significant investments in infrastructure-as-a-service hosting to replace its traditional datacenter. Members of her organization's management have expressed concerns about data remanence when Lauren's team moves from one virtual host to another in their cloud service provider's environment. What should she instruct her team to do to avoid this concern? A. Zero-wipe drives before moving systems. B. Use full-disk encryption. C. Use data masking. D. Span multiple virtual disks to fragment data.
12. B. Maria's team should use full-disk encryption or volume encryption and should secure the encryption keys properly. This will ensure that any data that remains cannot be exposed to future users of the virtual infrastructure. Although many cloud providers have implemented technology to ensure that this won't happen, Maria can avoid any potential issues by ensuring that she has taken proactive action to prevent data exposure. Using a zero-wipe is often impossible because virtual environments may move without her team's intervention, data masking will not prevent unmasked data or temporary data stored on the virtual disks from being exposed, and spanning multiple virtual disks will still leave data accessible, albeit possibly in fragmented form.
13. Geoff is reviewing logs and sees a large number of attempts to authenticate to his VPN server using many different username and password combinations. The same usernames are attempted several hundred times before moving on to the next one. What type of attack is most likely taking place? A. Credential stuffing B. Password spraying C. Brute-force D. Rainbow table
13. B. In a password spraying attack, the attacker tries a set of common passwords using many different accounts. The activity Geoff sees is consistent with this type of attack. Credential stuffing attacks seek to use username/password lists stolen from another site to log on to a different site. This would result in only one login attempt per username. Brute-force attacks would result in thousands or millions of attempts per username. Rainbow table attacks take place offline and would not be reflected in the logs.
17. Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services, including telnet, FTP, and web servers. What is his best option to secure these systems? A. Enable host firewalls. B. Install patches for those services. C. Turn off the services for each appliance. D. Place a network firewall between the devices and the rest of the network.
17. D. Geoff's only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default; since they are appliances, they may not have host firewalls available to enable. They also often don't have patches available, and many appliances do not allow the services they provide to be disabled or modified.
18. While conducting reconnaissance of his own organization, Ian discovers that multiple certificates are self-signed. What issue should he report to his management? A. Self-signed certificates do not provide secure encryption for site visitors. B. Self-signed certificates can be revoked only by the original creator. C. Self-signed certificates will cause warnings or error messages. D. None of the above.
18. C. Using self-signed certificates for services that will be used by the general public or organizational users outside of a small testing group can be an issue because they will result in an error or warning in most browsers. The TLS encryption used for HTTPS will remain just as strong regardless of whether the certificate is provided by a certificate authority or self-signed, and a self-signed certificate cannot be revoked at all.
19. Brandon wants to perform a WHOIS query for a system he believes is located in Europe. Which NIC should he select to have the greatest likelihood of success for his query? A. AFRINIC B. APNIC C. RIPE D. LACNIC
19. C. Brandon should select RIPE, the regional Internet registry for Europe, the Middle East, and parts of Central Asia. AFRINIC serves Africa, APNIC serves the Asia/Pacific region, and LACNIC serves Latin America and the Caribbean.
2. Roger is evaluating threat intelligence information sources and finds that one source results in quite a few false positive alerts. This lowers his confidence level in the source. What criterion for intelligence is not being met by this source? A. Timeliness B. Expense C. Relevance D. Accuracy
2. D. An intelligence source that results in false positive errors is lacking in accuracy because it is providing incorrect results to the organization. Those results may still be timely and relevant, but they are not correct. Expense is not one of the three intelligence criteria.
22. Jennifer analyzes a Wireshark packet capture from a network that she is unfamiliar with. She discovers that a host with IP address 10.11.140.13 is running services on TCP ports 636 and 443. What services is that system most likely running? A. LDAPS and HTTPS B. FTPS and HTTPS C. RDP and HTTPS D. HTTP and Secure DNS
22. A. TCP port 636 is often used for secure LDAP, and secure HTTP typically uses TCP 443. Although other services could use these ports, Jennifer's best bet is to presume that they will be providing the services they are typically associated with.
27. Angela wants to gather network traffic from systems on her network. What tool can she use to best achieve this goal? A. Nmap B. Wireshark C. Sharkbait D. Dradis
27. B. Angela can use Wireshark, a tool that can capture network traffic using a graphical user interface, to meet this objective. Nmap is a tool used to perform port scans. Dradis is an open-source collaboration platform for security teams, and Sharkbait is not a security tool or term.
29. Which sources are most commonly used to gather information about technologies a target organization uses during intelligence gathering? A. OSINT searches of support forums and social engineering B. Port scanning and social engineering C. Social media review and document metadata D. Social engineering and document metadata
29. A. Since organizations often protect information about the technologies they use, OSINT searches of support forums and social engineering are often combined to gather information about the technologies they have in place. Port scanning will typically not provide detailed information about services and technologies. Social media review may provide some hints, but document metadata does not provide much information about specific technologies relevant to a penetration test or attack.
3. Brad is working on a threat classification exercise, analyzing known threats and assessing the possibility of unknown threats. Which one of the following threat actors is most likely to be associated with an advanced persistent threat (APT)? A. Hacktivist B. Nation-state C. Insider D. Organized crime
3. B. It is possible for any of these threat actors to be affiliated with an APT, but the highest likelihood is that a sophisticated APT threat would be associated with a nation-state, rather than a less-resourced alternative.
30. Sarah has been asked to assess the technical impact of suspected reconnaissance performed against her organization. She is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Sarah categorize the technical impact of this type of reconnaissance? A. High B. Medium C. Low D. She cannot determine this from the information given
30. C. Sarah knows that domain registration information is publicly available and that her organization controls the data that is published. Since this does not expose anything that she should not expect to be accessible, she should categorize this as a low impact.
40. Carol wants to analyze a malware sample that she has discovered. She wants to run the sample safely while capturing information about its behavior and impact on the system it infects. What type of tool should she use? A. A static code analysis tool B. A dynamic analysis sandbox tool C. A Fagan sandbox D. A decompiler running on an isolated VM workstation
40. B. Since Carol wants to analyze a program as it runs, you know she needs a dynamic code analysis tool. With the added safety requirement, a sandbox is also needed. Static code analysis looks at source code, no mention is made of decompiling or reverse engineering the code, and Fagan inspection is a formal code analysis process.
41. Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory? A. Submit cmd.exe to VirusTotal. B. Compare the hash of cmd.exe to a known good version. C. Check the file using the National Software Reference Library. D. Run cmd.exe to make sure its behavior is normal.
41. A. Susan's best option is to submit the file to a tool like VirusTotal that will scan it for virus-like behaviors and known malware tools. Checking the hash either by using a manual check or by using the National Software Reference Library can tell her if the file matches a known good version but won't tell her if it includes malware. Running a suspect file is the worst option on the list.
42. Nishi is deploying a new application that will process sensitive health information about her organization's clients. To protect this information, the organization is building a new network that does not share any hardware or logical access credentials with the organization's existing network. What approach is Nishi adopting? A. Network interconnection B. Network segmentation C. Virtual LAN (VLAN) isolation D. Virtual private network (VPN)
42. B. The strategy outlined by Nishi is one of network segmentation: placing separate functions on separate networks. She is explicitly not interconnecting the two networks. VPNs and VLANs are also technologies that could assist with the goal of protecting sensitive information, but they use shared hardware and would not necessarily achieve the level of isolation that Nishi requires.
43. Bobbi is deploying a single system that will be used to manage a sensitive industrial control process. This system will operate in a stand-alone fashion and not have any connection to other networks. What strategy is Bobbi deploying to protect this SCADA system? A. Network segmentation B. VLAN isolation C. Airgapping D. Logical isolation
43. C. Bobbi is adopting a physical, not logical, isolation strategy. In this approach, known as air-gapping, the organization uses a standalone system for the sensitive function that is not connected to any other system or network, greatly reducing the risk of compromise. VLAN isolation and network segmentation involve a degree of interconnection that is not present in this scenario.
44. Geoff has been asked to identify a technical solution that will reduce the risk of captured or stolen passwords being used to allow access to his organization's systems. Which of the following technologies should he recommend? A. Captive portals B. Multifactor authentication C. VPNs D. OAuth
44. B. Multifactor authentication helps reduce the risk of a captured or stolen password by requiring more than one factor to authenticate. Attackers are less likely to have also stolen a token, code, or biometric factor. A captive portal is used to authenticate users for guest networks or similar purposes. Virtual private networks (VPNs) are used to provide a private network connection that can make a local network act like it is part of a remote network. OAuth is an open protocol for secure authorization.
45. The company that Amanda works for is making significant investments in infrastructure-as-a-service hosting to replace their traditional datacenter. Members of her organization's management have expressed concerns about data remanence when Amanda's team moves from one virtual host to another in their cloud service provider's environment. What should she instruct her team to do to avoid this concern? A. Perform zero-wipe drives before moving systems. B. Use full-disk encryption. C. Use data masking. D. Span multiple virtual disks to fragment data.
45. B. Amanda's team should use full-disk encryption or volume encryption and should secure the encryption keys properly. This will ensure that any data that remains cannot be exposed to future users of the virtual infrastructure. Although many cloud providers have implemented technology to ensure that this won't happen, Amanda can avoid any potential issues by ensuring that she has taken proactive action to prevent data exposure. Using a zero wipe is often impossible because virtual environments may move without her team's intervention, data masking will not prevent unmasked data or temporary data stored on the virtual disks from being exposed, and spanning multiple virtual disks will still leave data accessible, albeit possibly in fragmented form.
46. Which one of the following technologies is not typically used to implement network segmentation? A. Host firewall B. Network firewall C. VLAN tagging D. Routers and switches
46. A. Host firewalls operate at the individual system level and, therefore, cannot be used to implement network segmentation. Routers and switches may be used for this purpose by either physically separating networks or implementing VLAN tagging. Network firewalls may also be used to segment networks into different zones.
47. Ian has been asked to deploy a secure wireless network in parallel with a public wireless network inside his organization's buildings. What type of segmentation should he implement to do so without adding additional costs and complexity? A. SSID segmentation B. Logical segmentation C. Physical segmentation D. WPA segmentation
47. B. Ian knows that deploying multiple access points in the same space to deploy a physically segmented wireless network would significantly increase both the costs of deployment and the complexity of the network due to access points causing conflicts. His best choice is to logically segment his networks using one set of access points. SSID and WPA segmentation are both made-up terms for this question.
68. Anja is assessing the security of a web service implementation. Which of the following web service security requirements should she recommend to reduce the likelihood of a successful on-path/man-in-the-middle attack? A. Use TLS. B. Use XML input validation. C. Use XML output validation. D. Virus-scan files received by web service.
68. A. Using TLS will help to ensure that a third party is unable to insert itself into the message stream. TLS can be used to authenticate the service provider and service consumer while also providing message confidentiality, message integrity protection, and replay defenses.
48. Barbara has segmented her virtualized servers using VMware to ensure that the networks remain secure and isolated. What type of attack could defeat her security design? A. VLAN hopping B. 802.1q trunking vulnerabilities C. Compromise of the underlying VMware host D. BGP route spoofing
48. C. Barbara should be most concerned about compromise of the underlying VMware host as a threat model for her virtual segmentation. VLAN hopping (typically done via 802.1q trunking attacks) requires trunking to be turned on, which is unlikely in a virtualized environment like this. Border Gateway Protocol (BGP) route spoofing occurs at the router level and is once again unlikely to be a threat in a VMware environment. You may not always know all the technologies in a question like this, so when you prepare for the exam, you should consider what you do know when you run into this type of question. Here, you might note that relying on the underlying host for virtualization means that a compromise of the system would allow attackers to overcome the segmentation that is acting to protect them.
49. What major issue would Charles face if he relied on hashing malware packages to identify malware packages? A. Hashing can be spoofed. B. Collisions can result in false positives. C. Hashing cannot identify unknown malware. D. Hashing relies on unencrypted malware samples.
49. C. Relying on hashing means that Charles will be able to identify only the specific versions of malware packages that have already been identified. This is a consistent problem with signature-based detections, and malware packages commonly implement polymorphic capabilities that mean that two instances of the same package will not have identical hashes due to changes meant to avoid signature-based detection systems.
5. Singh incorporated the Cisco Talos tool into his organization's threat intelligence program. He uses it to automatically look up information about the past activity of IP addresses sending email to his mail servers. What term best describes this intelligence source? A. Open source B. Behavioral C. Reputational D. Indicator of compromise
5. C. This source provides information about IP addresses based on past behavior. This makes it a reputational source. A behavioral source would look at information about current behavior. This is a product offered by Cisco and is proprietary, not open source. It does not provide indicators that would help you determine whether your system had been compromised.
50. Noriko wants to ensure that attackers cannot access his organization's building automation control network. Which of the following segmentation options provides the strongest level of assurance that this will not happen? A. Air gap B. VLANs C. Network firewalls D. Host firewalls
50. A. An air gap, or complete physical isolation, provides the strongest control available on the list provided. To traverse an air gap, one of Noriko's staff would need to physically copy files via a removable drive or would need to plug a device into the air-gapped network.
54. What purpose does the OpenFlow protocol serve in software-defined networks? A. It captures flow logs from devices. B. It allows software-defined network controllers to push changes to devices to manage the network. C. It sends flow logs to flow controllers. D. It allows devices to push changes to SDN controllers to manage the network.
54. B. OpenFlow is used to allow software-defined network (SDN) controllers to push changes to switches and routers, allowing flow control, network traffic partitioning, and testing of applications and configurations.
55. Rick's security research company wants to gather data about current attacks and sets up a number of intentionally vulnerable systems that allow his team to log and analyze exploits and attack tools. What type of environment has Rick set up? A. A tarpit B. A honeypot C. A honeynet D. A blackhole
55. C. Rick's team has set up a honeynet, a group of systems set up to attract attackers while capturing the traffic they send and the tools and techniques they use. A honeypot is a single system set up in a similar way, whereas a tarpit is a system set up to slow down attackers. A blackhole is often used on a network as a destination for traffic that will be silently discarded.
56. Kalea wants to prevent DoS attacks against her serverless application from driving up her costs when using a cloud service. What technique is not an appropriate solution for her need? A. Horizontal scaling B. API keys C. Setting a cap on API invocations for a given timeframe D. Using timeouts
56. A. Scaling a serverless system is a useful way to handle additional traffic but will not prevent denial-of-service (DoS) attacks from driving additional cost. In fact, horizontal scaling will add additional costs as it scales. API keys can be used to prevent unauthorized use of the serverless application, and keys can be deprovisioned if they are abused. Capping API invocations and using timeouts can help limit the maximum number of uses and how much they are used, both of which can help prevent additional costs.
57. What is the key difference between virtualization and containerization? A. Virtualization gives operating systems direct access to the hardware, whereas containerization does not allow applications to directly access the hardware. B. Virtualization lets you run multiple operating systems on a single physical system, whereas containerization lets you run multiple applications on the same system. C. Virtualization is necessary for containerization, but containerization is not necessary for virtualization. D. There is not a key difference; they are elements of the same technology.
57. B. Virtualization allows you to run multiple operating systems on the same underlying hardware, whereas containerization lets you deploy multiple applications on the same operating system on a single system. Containerization can allow direct hardware access, whereas virtualization typically does not. Virtualization is not necessary for containerization, although it is often used, but containerization can get performance improvements from bare-metal installations. Finally, there is a key difference, as noted in option B.
69. What type of access is typically required to compromise a physically isolated and air-gapped system? A. Wired network access B. Physical access C. Wireless network access D. None of the above, because an isolated, air-gapped system cannot be accessed
69. B. Physical access is the best (and often only) way to compromise an air-gapped, physically isolated system. Although some esoteric attack methods can gather information via RF, acoustic, or other leakage, real-world scenarios will require physical access in almost all cases.
58. Brandon is designing the hosting environment for containerized applications. Application group A has personally identifiable information, application group B has health information with different legal requirements for handling, and application group C has business-sensitive data handling requirements. What is the most secure design for his container orchestration environment given the information he has? A. Run a single, highly secured container host with encryption for data at rest. B. Run a container host for each application group and secure them based on the data they contain. C. Run a container host for groups A and B, and run a lower-security container host for group C. D. Run a container host for groups A and C, and run a health information-specific container host for group B due to the health information it contains.
58. B. Workloads in a secure containerization environment should be distributed in a way that allows hosts to run containers of only a specific security level. Since Brandon has three different security levels in his environment, he should use separate hosts that can be configured to secure the data appropriately while also limiting the impact if a container is breached.
59. Local and domain administrator accounts, root accounts, and service accounts are all examples of what type of account? A. Monitored accounts B. Privileged accounts C. Root accounts D. Unprivileged accounts
59. B. Privileged accounts typically include local and domain administrators, SA (system administrator in SQL), and other accounts that manage databases, root accounts, and other administrative accounts on Linux and Unix systems, service accounts, and similar accounts on network and other devices.
6. Jamal is assessing the risk to his organization from their planned use of AWS Lambda, a serverless computing service that allows developers to write code and execute functions directly on the cloud platform. What cloud tier best describes this service? A. SaaS B. PaaS C. IaaS D. FaaS
6. D. This is an example of function-as-a-service (FaaS) computing. A service like Lambda could also be described as platform-as-a-service (PaaS), because FaaS is a subset of PaaS. However, the term FaaS is the one that best describes this service.
60. Ned has discovered a keylogger plugged into one of his workstations, and he believes that an attacker may have acquired usernames and passwords for all of the users of a shared workstation. Since he does not know how long the keylogger was in use or if it was used on multiple workstations, what is his best security option to prevent this and similar attacks from causing issues in the future? A. Multifactor authentication B. Password complexity rules C. Password lifespan rules D. Prevent the use of USB devices
60. A. If Ned implements multifactor authentication for his environment, he can use security tokens or other one-time password (OTP) options to ensure that attackers will not be able to use stolen credentials successfully even if passwords are exposed. Password complexity rules won't help with a keylogger, and expiring passwords with lifespan rules can limit how long the attacker can use them, but even with very short lifespans the attacker may still have them available for some time. Finally, preventing USB devices from being plugged in can help, but software keyloggers won't be caught or prevented by this solution.
61. Facebook Connect, CAS, Shibboleth, and AD FS are all examples of what type of technology? A. Kerberos implementations B. Single sign-on implementations C. Federation technologies D. OAuth providers
61. B. All of these are examples of single sign-on (SSO) implementations. They allow a user to use a single set of credentials to log in to multiple different services and applications. When federated, SSO can also allow a single account to work across a variety of services from multiple organizations.
62. Which of the following is not a common identity protocol for federation? A. SAML B. OpenID C. OAuth D. Kerberos
62. D. SAML, OpenID, and OAuth are all common protocols used for federation. Kerberos is a network authentication protocol largely used inside organizations.
63. Naomi wants to enforce her organization's security policies on cloud service users. What technology is best suited to this? A. OAuth B. CASB C. OpenID D. DMARC
63. B. A cloud access security broker (CASB) can perform actions such as monitoring activity, managing cloud security policies for SaaS services, enforcing security policies, logging, alerting, and in-line policy enforcement when deployed with agents on endpoint devices or as a proxy.
64. Elliott wants to encrypt data sent between his servers. What protocol is most commonly used for secure web communications over a network? A. TLS B. SSL C. IPsec D. PPTP
64. A. Transport Layer Security (TLS) is used to secure web and other types of traffic. Many people still call TLS SSL out of habit, but TLS is actually a different protocol and has replaced Secure Sockets Layer (SSL). IPsec is an encryption protocol used for VPNs and other point-to-point connections between networks. Point-to-Point Tunneling Protocol (PPTP) has a number of security issues.
65. What occurs when a website's certificate expires? A. Web browsers will report an expired certificate to users. B. The website will no longer be accessible. C. The certificate will be revoked. D. All of the above.
65. A. TLS can still work with an expired certificate; however, web browsers will report that the certificate is expired. Expired certificates are not revoked; in fact, revocation is a separate process, and certificates are checked against a certificate revocation protocol to ensure that they are valid. Although browsers may report an expired certificate and may make it harder to access the site, the website itself will remain accessible.
66. What term is used to describe defenses that obfuscate the attack surface of an organization by deploying decoys and attractive targets to slow down or distract an attacker? A. An active defense B. A honeyjar C. A bear trap D. An interactive defense
66. A. Active defenses are aimed at slowing down attackers while using their resources. The rest of the terms listed here were made up for this question. Active defenses are sometimes referred to as deception technology.
67. What technology is most commonly used to protect data in transit for modern web applications? A. VPN B. TLS
67. B. Transport Layer Security (TLS) is the security protocol used to protect modern web traffic in transit. SSL was the precursor to TLS, whereas VPN technology is used in specific point-to-point scenarios when connecting to remote services or networks. IPsec is a secure network protocol suite, but it is not the most common option in use for web traffic.
77. Micah is designing a containerized application security environment and wants to ensure that the container images he is deploying do not introduce security issues due to vulnerable applications. What can he integrate into the CI/CD pipeline to help prevent this? A. Automated checking of application hashes against known good versions B. Automated vulnerability scanning C. Automated fuzz testing D. Automated updates
77. B. If Micah implements automated vulnerability scanning, he can check to see if the applications that are about to be deployed have known vulnerabilities. Automated patching will also help with this, but will only apply available patches and will not assess whether there are configuration vulnerabilities or unpatched vulnerabilities. Fuzz testing can help to test if the applications have issues with unexpected input but will not address most vulnerabilities, and hashing will only tell him if he is running the version of code that he expects to, not if it is vulnerable.
78. Camille wants to integrate with a federation. What will she need to authenticate her users to the federation? A. An IDP B. An SP C. An API gateway D. An SSO server
78. A. Camille will need to integrate her identity provider (IDP) to provide authentication and authorization. Once users are authenticated, they can use various service providers throughout the federation. She will also probably want to use some form of single sign-on (SSO) service, but it is not required to be part of a federation.
79. Brandon needs to deploy containers with different purposes, data sensitivity levels, and threat postures to his container environment. How should he group them? A. Segment containers by purpose B. Segment containers by data sensitivity C. Segment containers by threat model
79. D. Where possible, NIST recommends segmenting by purpose, data sensitivity, and threat model to separate OS kernels.
9. Which one of the following functions is not a common recipient of threat intelligence information? A. Legal counsel B. Risk management C. Security engineering D. Detection and monitoring
8. C. This flow sample shows four distinct hosts being accessed from 192.168.2.1. They are 10.2.3.1, 10.6.2.4, 10.6.2.5, and 10.8.2.5.
80. What issues should Brandon consider before choosing to use the vulnerability management tools he has in his non-container-based security environment? A. Vulnerability management tools may make assumptions about host durability. B. Vulnerability management tools may make assumptions about update mechanisms and frequencies. C. Both A and B. D. Neither A nor B.
80. C. The NIST 800-190 guidelines note that traditional vulnerability management tools may make assumptions like those in options A and B regarding the systems and applications they are scanning. Since containers are ephemeral and may be updated and changed very frequently, a traditional vulnerability scanning and management approach is likely to be a poor fit for a containerized environment.
81. What key functionality do enterprise privileged account management tools provide? A. Password creation B. Access control to individual systems C. Entitlement management across multiple systems D. Account expiration tools
81. C. The most distinctive feature of privileged account management tools for enterprise use is the ability to manage entitlements across multiple systems throughout an enterprise IT environment. Broader identity and access management systems for enterprises provide user account management and life-cycle services, including account expiration tools and password life-cycle management capabilities.
82. Amira wants to deploy an open standard-based single sign-on (SSO) tool that supports both authentication and authorization. What open standard should she look for if she wants to federate with a broad variety of identity providers and service providers? A. LDAP B. SAML C. OAuth D. OpenID Connect
82. B. SAML provides all of the capabilities Amira is looking for. Unlike SAML, OAuth is an authorization standard, not an authentication standard. LDAP provides a directory and can be used for authentication but would need additional tools to be used as described. Finally, OpenID Connect is an authentication layer on top of OAuth, which is an authorization framework. Together, they would also meet the needs described here, but individually they do not.
83. Adam is testing code written for a client-server application that handles financial information and notes that traffic is sent between the client and server via TCP port 80. What should he check next? A. If the server stores data in unencrypted form B. If the traffic is unencrypted C. If the systems are on the same network D. If usernames and passwords are sent as part of the traffic
83. B. Adam knows that TCP/80 is the normal port for unencrypted HTTP traffic. As soon as he sees the traffic, he should immediately check if the traffic is unencrypted. If it is, his first recommendation will likely be to switch to TLS encrypted traffic. Once that is complete, he can worry about whether data is encrypted at rest and if usernames and passwords are passed as part of the traffic, which might be acceptable if it was protected with TLS!
84. Faraj wants to use statistics gained from live analysis of his network to programmatically change its performance, routing, and optimization. Which of the following technologies is best suited to his needs? A. Serverless B. Software-defined networking C. Physical networking D. Virtual private networks (VPNs)
84. B. Software-defined networking (SDN) is designed to handle changing traffic patterns and use of data to drive network configurations, routing, and optimization efforts. Faraj's best option is to use a software-defined network. Serverless is a technology that runs compute runtimes rather than a network, and a VPN is used to connect networks or systems together via a private channel.
85. Elaine's team has deployed an application to a cloud-hosted serverless environment. Which of the following security tools can she use in that environment? A. Endpoint antivirus B. Endpoint DLP C. IDS for the serverless environment D. None of the above
85. D. Serverless environments are a shared service, and since there is not a system that is accessible to consumers, there is nowhere to install endpoint tools. Similarly, network IPSs cannot be placed in front of a shared resource. Elaine should also be aware that any flaw with the underlying serverless environment will likely impact all of the service hosting systems.
86. Lucca needs to explain the benefits of network segmentation to the leadership of his organization. Which of the following is not a common benefit of segmentation? A. Decreasing the attack surface B. Increasing the number of systems in a network segment C. Limiting the scope of regulatory compliance efforts D. Increasing availability in the case of an issue or attack
86. B. Segmentation is typically used to decrease the number of systems in a network segment, rather than to increase it. Segmentation is often used to decrease an organization's attack surface by moving systems that don't need to be exposed to a protected segment. It can also be used to limit compliance impact by removing systems from a compliance zone that do not need to be part of it. Finally, limiting the number of systems or devices in a segment or keeping potentially problematic systems in an isolated network segment can help increase availability.
87. Kubernetes and Docker are examples of what type of technology? A. Encryption B. Software-defined networking C. Containerization D. Serverless
87. C. Kubernetes and Docker are both examples of containerization tools.
88. Nathan is designing the logging infrastructure for his company and wants to ensure that a compromise of a system will not result in the loss of that system's logs. What should he do to protect the logs? A. Limit log access to administrators. B. Encrypt the logs. C. Rename the log files from their common name. D. Send the logs to a remote server.
88. D. Nathan's best option is to send the logs to a remote server. The server should be protected to ensure that the same exploits that might compromise other systems will not impact the secure log storage server or service. In many organizations, a SIEM device or security logging tool like ELK or Splunk may be used to store and work with these logs.
89. Ansel knows he wants to use federated identities in a project he is working on. Which of the following should not be among his choices for a federated identity protocol? A. OpenID B. SAML C. OAuth D. Authman
89. D. OpenID, SAML, and OAuth are all commonly used protocols for federated identity. Ansel will need to better understand what the use cases for federated identity are in his environment and which organizations he will federate with before he chooses a protocol to implement and may eventually need to support more than one. Authman is a tool used to manage web user login files and is not a protocol.
90. James uploads a file that he believes is potentially a malware package to VirusTotal and receives positive results, but the file is identified with multiple different malware package names. What has most likely occurred? A. The malware is polymorphic and is being identified as multiple viruses because it is changing. B. Different antimalware engines call the same malware package by different names. C. VirusTotal has likely misidentified the malware package, and this is a false positive. D. The malware contains multiple malware packages, resulting in the matches.
90. B. Sites like VirusTotal run multiple antimalware engines, which may use different names for malware packages. This can result in a malware package apparently matching multiple different infections.
91. Isaac wants to monitor live memory usage on a Windows system. What tool should he use to see memory usage in a graphical user interface? A. MemCheck B. Performance Monitor C. WinMem D. Top
91. B. The Windows Performance Monitor (perfmon.exe) provides a live view of memory usage per running application or service. This can be useful for live memory analysis. MemCheck and WinMem were made up for this question, and top is a useful Linux tool for checking memory utilization. If you aren't familiar with tools like this, you may want to spend some time with Windows and Linux common command cheat sheets like the Linux sheet found at www.linuxtrainingacademy.com/linux-commands-cheat-sheet.
92. Abul wants to identify typical behavior on a Windows system using a built-in tool to understand memory, CPU, and disk utilization. What tool can he use to see both real-time performance and over a period of time? A. sysmon B. sysgraph C. resmon D. resgraph
92. C. The Windows Resource Monitor (resmon.exe) application is a useful tool to both see real-time data and graph it over time, allowing Abul to watch for spikes and drops in usage that may indicate abnormal behavior.
93. The automated malware analysis tool that Jose is using uses a disassembler and performs binary diffing across multiple malware binaries. What information is the tool looking for? A. Calculating minimum viable signature length B. Binary fingerprinting to identify the malware author C. Building a similarity graph of similar functions across binaries D. Heuristic code analysis of development techniques
93. C. Binary diffing looks at multiple potentially related binaries that have anti-reverse-engineering tools run on them and looks for similarities. Graphs map this data, helping the tool identify malware families despite the protections that malware authors bake in. As you might have guessed, the rest of the answers for this question were made up.
94. What does execution of wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user's workstation? A. A scripted application installation B. Remote execution of code C. A scripted application uninstallation D. A zero-day attack
94. B. PowerShell, wmic, and winrm.vbs are all commonly used for remote execution of code or scripts, and finding them in use on a typical workstation should cause you to be worried, as most users will never use any of the three.
95. Ben is reviewing network traffic logs and notices HTTP and HTTPS traffic originating from a workstation. What TCP ports should he expect to see this traffic sent to under most normal circumstances? A. 80 and 443 B. 22 and 80 C. 80 and 8088 D. 22 and 443
95. A. Most common HTTP traffic will go to port 80, and HTTPS traffic will go to 443. The third most common port for web traffic is 8080 and would be a reasonable but significantly less common option. While other ports may be in use, if you aren't expecting traffic to nonstandard HTTP and HTTPS ports, you may want to investigate the traffic.
96. While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization's New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time? A. Heuristic B. Behavior C. Availability D. Anomaly
96. C. Availability analysis targets whether a system or service is working as expected. Although a SIEM may not have direct availability analysis capabilities, reporting on when logs or other data is not received from source systems can help detect outages. Ideally, Lucy's organization should be using a system monitoring tool that can alarm on availability issues as well as common system problems such as excessive memory, network, disk, or CPU usage.
97. After her discovery in the previous question, Lucy is tasked with configuring alerts that are sent to system administrators. She builds a rule that can be represented in pseudocode as follows: Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute. The average administrator at Lucy's organization is responsible for 150-300 machines. What danger does Lucy's alert create? A. A DDoS that causes administrators to not be able to access systems B. A network outage C. Administrators may ignore or filter the alerts D. A memory spike
97. C. When faced with massive numbers of notification messages that are sent too aggressively, administrators are likely to ignore or filter the alerts. Once they do, they are unlikely to respond to actual issues, causing all of the advantages of monitoring to be lost. If she doesn't spend some time identifying reasonable notification thresholds and frequencies, Lucy's next conversation is likely to be with an angry system administrator or manager.
98. Lucy configures an alert that detects when users who do not typically travel log in from other countries. What type of analysis is this? A. Trend B. Availability C. Heuristic D. Behavior
98. D. Lucy has configured a behavior-based detection. It is likely that a reasonable percentage of the detections will be legitimate travel for users who typically do not leave the country, but pairing this behavioral detection with other behavioral or anomaly detections can help determine if the login is legitimate.
99. Disabling unneeded services is an example of what type of activity? A. Threat modeling B. Incident remediation C. Proactive risk assessment D. Reducing the threat attack surface area
99. D. Disabling unneeded or risky services is an example of a strategy to reduce the attack surface area of a system or device. Threat modeling and proactive risk assessment are both activities that focus on preparation, rather than direct systems or technology action, and incident remediation might involve disabling a service, but there isn't enough information to know this for sure. What we do know for sure is that disabling unneeded services reduces the attack surface area for a system.
107. Gabby executes the following command. What is she doing? ps -aux | grep apache2 | grep root A. Searching for all files owned by root named apache2. B. Checking currently running processes with the word apache2 and root both appearing in the output of ps. C. Shutting down all apache2 processes run by root. D. There is not enough information to answer this question.
C. Blocklisting known bad IP addresses (previously known as blacklisting), as well as the use of both domain and IP reputation services, can help Charles accomplish his task. Allowlisting (previously known as whitelisting) allows only known addresses through and does not flag known bad addresses.
100. Suki notices inbound traffic to a Windows system on TCP port 3389 on her corporate network. What type of traffic is she most likely seeing? A. A NetBIOS file share B. A RADIUS connection C. An RDP connection D. A Kerberos connection
100. C. RDP operates over TCP 3389. Most corporate workstations won't have RDP turned on inbound to workstations, and Suki may find that she has discovered a compromise or other behavior that her organization may not want to occur.
108. While reviewing email headers, Saanvi notices an entry that reads as follows: From: "John Smith, CIO" <[email protected]> with a Received: parameter that shows mail.demo.com [10.74.19.11]. Which of the following scenarios is most likely if demo.com is not a domain belonging to the same owner as example.com? A. John Smith's email was forwarded by someone at demo.com. B. John Smith's email was sent to someone at demo.com. C. The headers were forged to make it appear to have come from John Smith. D. The mail.demo.com server is a trusted email forwarding partner for example.com.
108. C. The most likely scenario in this circumstance is that the headers were forged to make the email appear to come from example.com, but the email was actually sent from mail.demo.com.
