Certmaster Security
Which of the following is NOT an example of improper or weak application patch management? No documentation Unmanaged assets Performance degradation Application design flaw
Application design flaw An application design flaw is a vulnerability in the software. It can cause the security system to be circumvented or will cause the application to crash. For this reason, proper patch management processes are required to ensure service availability of the application.
Which of the following is an example of a vulnerability database that a security administrator can use with Tenable Nessus to assess the security state of servers on the network? CVE TAXII Threat map STI
CVE Common Vulnerabilities and Exposures (CVE) is a database of information about vulnerabilities that are codified as signatures. A vulnerability scanner like Tenable Nessus uses CVE to scan the network to determine the security state of almost any device.
Identify types of metadata that would be associated with CDR (call detail records) of mobile devices. (Select all that apply.) Call durations List of towers connected to SMS text timestamps GPS location data
Call durations List of towers connected to SMS text timestamps Call detail records (CDR) routinely contain times and durations of incoming, outgoing, and attempted calls, as well as the phone numbers of said calls. By examining the list of towers a device has connected to in the call detail records (CDR), it is possible to ascertain the general vicinity of locations in which the device has been present. SMS text time, duration, and phone number of origin are recorded in the call detail records (CDR) metadata associated with mobile devices. GPS location data is, in most cases, private user data and not grouped with call detail records (CDR) metadata.
A logistics company requires a supervisory control and data acquisition (SCADA) system to collect and analyze real-time tracking of equipment and to monitor delays in shipping and receiving. The SCADA must provide reports to management to facilitate data-driven decisions on transporting equipment. What is the SCADA a part of? Embedded system SoC ICS RTOS
ICS An industrial control system (ICS) is a complex integration of hardware and software with network connectivity to support the critical infrastructure of a large industry. Supervisory control and data acquisition (SCADA) controls an ICS and can be used in the logistics industry.
Which classification of data is likely to be immediately escalated in the case of a breach? Public data Critical data Personally identifiable information (PII) Non-PII customer data
Critical data Critical data, sometimes top-secret, is too valuable to permit any risk of a breach. Therefore, any detected abnormality should immediately be escalated to senior decision-makers.
Which of the following is designed to mitigate losses from cyber incidents such as data breaches, outages, and network damage? Administrative controls Cybersecurity insurance Clean desk policy Control diversity
Cybersecurity insurance Cybersecurity insurance is a product that is offered to individuals and companies to protect them from the effects and consequences of cyber related attacks.
What is it known as when a particular jurisdiction prevents or restricts processing and storage from taking place on systems that do not physically reside within that jurisdiction? Provenance E-discovery Data sovereignty Preservation
Data sovereignty Data sovereignty refers to a jurisdiction that prohibits or limits the processing, storage, and retrieval of data that do not geographically fall under that jurisdiction.
An employee at a financial firm is responsible for ensuring that data is stored in accordance with applicable laws and regulations. What role does the employee have in terms of data governance? Data custodian Data processor Data steward Data owner
Data steward The data steward is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata, as well as ensuring the data is collected and stored in a format containing values that comply with applicable laws and regulations.
New users of an application created for telework purposes must enroll using their work email, cell phone number, and office symbol. Upon completion, a text message is sent to the registered number in order to provide a two-factor authentication. Which authentication method is this? Code signing Static code analyzer SMS Push notification
SMS A Short Message Service is a two-factor authentication (2FA) method that uses basic text messaging to send a code to a mobile device.
Finance representatives at an organization meet professional standards by providing reports that are highly detailed and designed to be restricted. As members of the American Institute of Certified Public Accountants (AICPA), which standards do the finance representatives follow? SSAE SOC 2 Type III SSAE SOC 2 Type II International Organization for Standardization (ISO) 31000 International Organization for Standardization (ISO) 27K
SSAE SOC 2 Type II A Service Organization Control (SOC2) Type II report assesses the ongoing effectiveness of the security architecture over a period of 6-12 months. SOC2 reports are highly detailed and designed to be restricted.
A systems administrator plans to protect a data center with various security controls and safety mechanisms. Which solution does the administrator plan based on a "triangle" principle? Fire suppression Motion detection Noise detection Industrial camouflage
Fire suppression The fire triangle works on the principle that fire requires heat, oxygen, and fuel to ignite and burn. Removing any one of those elements provides fire suppression.
A basic installation of a web server will require which of the following to allow unauthenticated access? Guest account Shared account User account Service account
Guest account A guest account is a special type of shared account with no password. It allows anonymous and unauthenticated access to a resource. Guest accounts are created when installing web services, as most web servers allow unauthenticated access.
A data exfiltration attack at a well-known retail company exposes a great deal of private data to the public. A portion of the data details the CEO's political and religious affiliations. When considering data classification types, which has been exposed? Proprietary Sensitive Critical Confidential
Sensitive A sensitive label is usually used in the context of personal data. This is privacy-sensitive information about a subject that could harm them if made public and could prejudice decisions made about them.
An attacker installed a fraudulent Radio Frequency ID (RFID) reader to steal credit card numbers any time someone used a card to make a purchase. What type of attack does this describe? Skimming Bluesnarfing Wiphishing Bluejacking
Skimming Skimming is an RFID attack where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card.
An organization configures virtual network appliances as part of an infrastructure as code (IaC) deployment. What approach handles the near real-time collection, aggregation, and reporting of data of the implementation? Network functions virtualization (NFV) Network controller application APIs Software-defined networking (SDN) Software-defined visibility (SDV)
Software-defined visibility (SDV) Software-defined visibility (SDV) supports assessment and incident response functions. Visibility is the near real-time collection, aggregation, and reporting of data about network traffic.
Which of the following practices would help mitigate the oversight of applying coding techniques that will secure the code of an internal application for a company? Input validation Normalization Dead code removal Static code analysis
Static code analysis Static code analysis is the manual review of code to identify oversights, mistaken assumptions, or a lack of knowledge or experience. This may ensure security or improve the code depending on who is peer-reviewing it.
Which aspect of certificate and key management should an administrator consider when trying to mitigate or prevent the loss of private keys? OCSP Revocation Storage Expiration
Storage Private keys or certificates must be securely stored to prevent unauthorized use and loss. The certificate authority that creates the key pair must provide strict access control to the database and maybe even data-at-rest encryption.
Evaluate and select the differences between WPA and WPA2. (Select all that apply.) WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). WPA2 is a security protocol developed by the Wi-Fi Alliance for use in securing wireless networks. WPA2 is much more secure than WEP, where WPA is not. WPA2 requires entering a longer password than WPA.
WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). WPA2 requires entering a longer password than WPA. WPA and WPA2 are both security protocols developed by the Wi-Fi Alliance for use in securing wireless networks. WPA was developed in 2003 and WPA2 was developed in 2004. WPA and WPA2 are both much more secure than WEP (wired equivalent privacy).
An attacker evaded antivirus detection in a Linux kernel, as multiple threads attempted to write an object at the same memory location. What type of vulnerability did the attacker use? An integer overflow A pointer dereference A buffer overflow A race condition
A race condition A race condition vulnerability occurs when multiple threads are attempting to write at the same memory location. Race conditions can deploy as an anti-virus evasion technique.
With no specific target in mind, and without a reasonable goal, an attacker launched an unstructured phishing attack with an attachment of a replicating computer worm. If the attacker did not fully understand how this malware worked, and just wanted to gain attention, what classification of threat actor is this person? Advanced Persistent Threat (APT) Organized crime Hacktivist A script kiddie
A script kiddie A script kiddie uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Script kiddie attacks might have no specific target or any reasonable goal, other than gaining attention or proving technical abilities.
A developer implements a single sign-on (SSO) login standard using Security Assertion Markup Language (SAML) for logging users into an application to eliminate the need for username/password credentials. This implementation is part of which of the following? API consideration SSL/TLS URL filtering HTTPS
API consideration API considerations are programming code that enables data transmission between one software product to another. It also contains the terms of this data exchange.
Which of the following attacks would allow an attacker to sniff all traffic on a switched network? Transmission Control Protocol/Internet Protocol (TCP/IP) hijacking Domain Name System (DNS) spoofing Address Resolution Protocol (ARP) poisoning Internet Protocol (IP) spoofing
Address Resolution Protocol (ARP) poisoning To sniff all traffic on a switched network, the switch must be overcome using ARP poisoning. ARP poisoning occurs when an attacker, with access to the network, redirects an IP address to the MAC address of an unintended computer. Domain Name System (DNS) spoofing is an attack that compromises the name resolution process and is used to facilitate pharming or Denial of Service (DoS) attacks. IP spoofing occurs when an attacker sends IP packets from a false (or spoofed) source address to communicate with targets. Transmission Control Protocol/Internet Protocol (TCP/IP) hijacking is a type of spoofing attack where the attacker disconnects a host, then replaces it with his or her own machine, spoofing the original host's IP address.
A threat actor is using which of the following techniques to circumvent the usual authentication method to a remote host? Rootkit Backdoor Logic bomb Keylogger
Backdoor A backdoor is any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control.
List methods of containment that are based on the concept of isolation. (Select all that apply.) Blackhole Physical disconnection/air gapping Sandboxing Sinkhole
Blackhole Physical disconnection/air gapping Sandboxing Blackholes correspond to locations in the network that quietly discard (or "drop") incoming or outgoing messages without notifying the source that it did not reach its intended recipient. Blackholes are an isolation technique because they isolate the attacker from the network. Air gapping indicates the physical isolation of a system from all network resources, often by being physically disconnected. The exploit becomes isolated to the disconnected device and cannot "escape." A sandbox is an isolated environment created for analyzing malware and exploits safely, such as Cuckoo, for example. Sinkhole routing means suspicious traffic that is flooding a specific IP address routes to another network for analysis. This is a form of segmentation because it maintains the connection to other networks.
A small company has set up the domain environment to prevent the installation of a list of prohibited software. Employees received this same list via email. What type of method prevents the installation of specific software on workstations? Anti-malware Application hardening Blacklisting Whitelisting
Blacklisting Execution control, to prevent the use of unauthorized software, can be implemented as a blacklist. This control means that anything not on the prohibited blacklist can run. Whitelisting is another method to block the use of unauthorized software. This control means that nothing can run if it is not on the approved whitelist.
An attacker came within close proximity of a victim and sent the mobile device user spam of an unsolicited text message. Once the user clicked the link in the message, Trojan malware infected the user's device. What type of attack did the hacker most likely infect the mobile user with? WiPhishing Skimming Bluejacking Bluesnarfing
Bluejacking A Bluetooth-discoverable device is vulnerable to bluejacking, similar to spam, where someone sends an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for Trojan malware.
Which boot integrity concepts utilize the trusted platform module (TPM)? (Select all that apply.) UEFI Boot attestation Measured boot Secure Boot
Boot attestation Measured boot Boot attestation is the capability to transmit a boot log report signed by the TPM via a trusted process to a remote server, such as a network access control server. A trusted or measured boot process uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data have changed.
A network engineer is plugging in new patch cables and wants to prevent inadvertent disruptions to the network while doing so. What will the engineer prevent if a Spanning Tree Protocol (STP) is configured on the switches? DHCP spoofing Signature-based intrusion MAC floods Broadcast storms
Broadcast storms A Spanning Tree Protocol (STP) is a means for bridges to organize themselves into a hierarchy and prevent loops from forming. Such loops can cause the same frames to be broadcast repeatedly, creating a storm.
In a software as a service (SaaS) model, where the organization is responsible for the security and patching of the application and its components, which entity would be responsible for providing security services for the infrastructure? CASB CSP CM IAM
CSP The cloud service provider (CSP) would be responsible for the security of the infrastructure. A shared responsibility model includes both the CSP and the customer sharing security aspects of a cloud service model.
A recent change to an API exposes an exploit in a web application. Developers working on the project discover that dead code in the application had been executed as a result of which practice? Normalization code Unreachable code Code obfuscation Code reuse
Code reuse Code reuse is the copying of code from one location into another. Careless or mismanaged code reuse can introduce instances of dead code.
Security content automation protocol (SCAP) allows compatible scanners to compare computers with which of the following? Common Vulnerability Scoring System Configuration baseline Log collector Security bulletin
Configuration baseline Security content automation protocol (SCAP) allows compatible scanners to determine whether a computer meets a configuration baseline. The Extensible Configuration Checklist Description Format (XCCDF) audits for best-practice configuration checklists and rules.
A retail organization documents a workflow. By doing so, it can supply evidence of why processing and storage of particular fields of customer data are required. What data collection principle does the organization practice? Data minimization Data masking Pseudo-anonymization Anonymization
Data minimization Data minimization is the principle that data should only be processed and stored if necessary, to perform the purpose for which it is collected.
Which of the following describes a device that only runs administrative protocols such as secure shell (SSH) or remote desktop protocol (RDP) to securely manage application servers in a demilitarized zone (DMZ)? Jump server Forward proxy server Hardware security module Reverse proxy server
Jump server A jump server only runs the necessary administrative ports and protocols (typically SSH or RDP). Administrators connect to the jump server, then use the jump server to connect to the admin interface of application servers in a demilitarized zone (DMZ).
Two organizations plan on forming a partnership to provide systems security services. Part of the onboarding requirements for both sides includes a mutual understanding of quality management processes. Which approach details this requirement? Business partnership agreement (BPA) Measurement systems analysis (MSA) Service level agreement (SLA) Non-disclosure agreement (NDA)
Measurement systems analysis (MSA) Measurement systems analysis (MSA) relates to quality management processes, such as Six Sigma, that make use of quantified analysis methods to determine the effectiveness of a system and may be part of an onboarding requirement.
A European company that offers subscription services has recently experienced a data breach wherein private data, including personally identifiable information (PII), was compromised. What step should be taken by the company to avoid regulatory fines or lawsuits? Identify the vulnerability that led to the breach. Hide the occurrence of the breach. Fix the vulnerability that led to the breach. Notify those affected by the breach.
Notify those affected by the breach. Many laws and regulations require immediate notification of all third parties affected by a breach, including the GDPR in the EU. Failing to do so could lead to fines and potential reputation damage.
Specify elements that a playbook should include. (Select all that apply.) Query strings to identify incident types When to report compliance incidents Backup passwords and private keys Incident categories and definitions
Query strings to identify incident types When to report compliance incidents Incident categories and definitions Specific query strings and signatures make it easy to scan for and detect specific types of incidents. These strings improve response and resolution time. How to address compliance incidents with, for example, Health Insurance Portability and Accountability Act (HIPAA) laws should be outlined. It may include a list of contacts and their information, how to contact them, and when. Incident categories and descriptions help ensure that all management and operational staff have a shared framework for interpreting the meaning of terms, concepts, and definitions. Passwords and private keys are never stored in a document or file that can be shared or viewed by unauthorized personnel.
Where might one find operating system files during acquisition? (Select all that apply.) Random-access memory (RAM) Pagefile Firmware Cache
Random-access memory (RAM) Pagefile Cache System caches are a place likely to contain operating system files. Some of these may be relevant to the investigation. Operating system files active during acquisition may be present in the pagefile or swap. Operating system files active during acquisition may be present in the random-access memory (RAM). Firmware contains hardware-level abstractions but generally does not contain files related to monolithic operating systems.
An organization suffers a breach and learns a lesson in the proper approach of maintaining archived data. An engineer writing a report focuses on which areas? (Select all that apply.) Attack walkthrough Retention policies Lessons learned Response plan
Retention policies Lessons learned A retention policy refers to the safe storage and archiving of live or backed up data. A retention policy should be a proactive measure and not a reactive one. Lessons learned address the incident and responses to identify whether procedures or systems could be improved. The need for an improved retention policy is an example.
A vendor ensures that each Internet of Things (IoT) device produced uses random, unique cryptographic keys in accordance with the established certificate and key management practices found in The National Institute of Standards and Technology (NIST) publications. Which of the following constraints is the vendor preventing? Escrow Reuse Salting Stretching
Reuse The practice of reusing a cryptographic key can make a system vulnerable to cyber attacks. The longer a key is in use, the easier it is for an attacker to compromise it. Randomly generated, unique keys provide better security.
The virtual teleconference room has a Session Initiation Protocol (SIP) endpoint for communication with remote branch offices. Company policy requires the VTC components use secure session and call data before others can use it. Which of the following protocols will provide encryption for the call data? ESP HTTPS SRTP SIPS
SRTP Secure Real-time Transport Protocol (SRTP) is an encryption protocol that provides confidentiality for the actual call data.
A vulnerability database loaded on a scanning tool such as Tenable Nessus will commonly show which of the following properties? (Select all that apply.) Score Dictionary Packet data Security data inputs
Score Dictionary Common Vulnerabilities and Exposures (CVE) is a dictionary of vulnerabilities in published operating systems and applications software provided by cve.mitre.org. It includes the CVE ID, a brief description, a URL reference list, and the date of entry. Common Vulnerability Scoring System (CVSS) is maintained by the Forum of Incident Response and Security Teams (first.org/cvss). Scores range from 0 (low) to 9+ (critical).
Which resource can help a cloud consumer evaluate a cloud service provider as its services relate to integrating on-premise controls? Reference architecture Security guidance Cloud control matrix Service Organization Control
Security guidance Security guidance offers a best practice summary analyzing the unique challenges of cloud environments and how on-premises controls can be adapted to them.
A developer uses a prepackaged set of tools that includes documentation, application programming interfaces (APIs), code samples, and libraries to easily integrate an application with the company Linux operating system. Which secure coding process is the developer using? Stored procedure Software development kit (SDK) APIs Code reuse
Software development kit (SDK) A software development kit (SDK) provides developers a prepackaged set of tools, libraries, documentation, and code samples to create software applications on a specific platform.
A test team performs an in-depth review of completed code and analyzes its compatibility with the environment it will be deployed to. Which of the following environments is the test occurring in? Staging Development Production Test
Staging A staging environment mimics that of a production environment. It is used for dynamic analysis of an application in a complete but separate production-like environment.
An organization wants to implement a certificate on a website domain. The organization prepares for a rigorous check to prove its identity using extended validation. Evaluate the options and conclude why the certificate would not be issued. Multiple root CAs are trusted. The root CA is offline. A TXT record is used for verification. The domain uses a wildcard.
The domain uses a wildcard. Extended Validation (EV) is a proof of ownership process that requires rigorous checks on the subject's legal identity and control over a domain. An EV certificate cannot be issued for a wildcard domain.
In what way does Challenge Handshake Authentication Protocol (CHAP) protect against replay attacks? The client responds with a hash calculated from the server challenge message and a shared secret. The challenge is different every time a user authenticates to the server. The handshake is repeated with different challenge messages periodically throughout the session connection. Mutual authentication is performed every time the handshake is initiated and repeated throughout the session.
The handshake is repeated with different challenge messages periodically throughout the session connection. In CHAP, the handshake is repeated with different challenge messages throughout the session, which updates the session timestamp and guards against replay attacks.
A company is looking into integrating on-premise services and cloud services with a cloud service provider (CSP) using an Infrastructure as a Service (IaaS) plan. As a cloud architect works on architectural design, which of the following statements would NOT apply in this case? The provider must update the firmware and security patches of physical servers. The provider is responsible for the availability of the software. The company must establish separation of duties mechanisms. The company is liable for legal and regulatory requirements for customer data.
The provider is responsible for the availability of the software. In a Software as a Service (SaaS) plan, the provider is responsible for the availability of the software. The software may include an appliance with Windows Server 2016 already installed and available to use.
Which of the following is a computer that uses remote desktop protocol to run resources stored on a central server instead of a localized hard drive and provides minimal operating system services? Edge computing VDI Fog computing Thin client
Thin client A thin client is a computer that runs from resources stored on a central server instead of a localized hard drive. Thin clients work by connecting remotely to a central server-based computing environment where all resources and data are stored.
A network administrator needs a service to easily manage Virtual Private Cloud (VPC) and edge connections. The service must have a central console for ease of monitoring all components. Which of the following is the best solution for the administrator to use in a cloud computing environment? NAT gateway Cloud storage gateway Transit gateway Gateway endpoint
Transit gateway A transit gateway is a cloud network hub that allows users to interconnect virtual private clouds (VPC) and on-premises networks through a central console.
A systems administrator learns Linux commands to view log files. Which command should be used if line numbers are required to view an entire file? cat grep head tail
cat The Linux command cat allows for viewing the entire contents of one or more files. For example, to view the contents of two log files, use cat -n access.log access2.log. The -n switch adds line numbers.
An Information Security Manager working for an ISP has discovered that an attacker has poisoned the DNS server cache by spamming it with recursive queries. Predict what tools the manager might use to discover whether the attacker has inserted any false records. (Select all that apply.) dnsenum Memdump nslookup/dig tcpreplay
dnsenum nslookup/dig The nslookup tool (or dig in Linux) can query the name records and cached records held by a server to discover whether an attacker has inserted any false records. dnsenum packages a number of tests into a single query, including hosting information and name records. dnsenum can also try to work out the IP address ranges that are in use.
Which de-identification method does an administrator use when choosing to replace the contents of a data field by redacting and substituting character strings? Data masking Pseudo-anonymization Tokenization Anonymization
Data masking Data masking can mean that all or part of the contents of a field is redacted, by substituting all character strings with "x" for example.
During a risk assessment, a company indicates the value of employee-used laptops to be $1,500.00 apiece. What should the company define to come up with the annual loss expectancy in a quantitative risk assessment? RPO ALE ARO RTO
ARO The annual rate of occurrence (ARO) indicates how many times a loss will occur within a year. An ARO is used in conjunction with the single loss expectancy (SLE) to figure the annual loss expectancy (ALE).
A company allows the use of corporate apps on employee-owned mobile devices. Mobile application management (MAM) services make this possible. Examining the list of available enterprise mobility management (EMM) features in today's market, which of the following would NOT be available for use in this case? (Select all that apply.) Ability to remote wipe Deployment of workspaces Use of containers Manage camera use
Ability to remote wipe Manage camera use The ability to remote wipe a mobile device is made possible using policies created by mobile device management (MDM) services. A company cannot forcefully control an employee-owned device in this manner. Managing the use of the mobile device's camera is a policy-based feature using MDM services. This is a commonly configured security feature for corporate-owned mobile devices.
An engineer configures server systems to failover in a way that connections are maintained; however, performance is degraded. Evaluate the options and determine which type the engineer configures. Persistence Always on Active/active Active/passive
Active/active An active/active cluster means that both nodes are processing connections concurrently. In the event of a failover, the workload of the failed node is transparently shifted onto the remaining node. During failover, performance can be adversely affected.
A Security Information Event System (SIEM) parses network traffic and log data from multiple sensors, appliances, and hosts to implement correlation rules on metrics derived from data sources. SIEM assists the systems admin to detect events that may be potential incidents. Define the term for notifications passed upon detection of a potential incident. Sensitivity Correlation Alerts Trends
Alerts SIEM dashboards are one of the main sources of automated alerts. The event is listed on a dashboard or incident handling system for an agent to assess. Then, the SIEM dashboard will automatically notify the staff in charge of security.
Determine the type of code execution policy that would ensure that unrecognized software cannot run. Allow list Code signing Block list AppLocker
Allow list An allow list is a list of applications in an Access Control List with permission to run. Applications not found on the list cannot run. This often causes issues and results in more support calls and higher costs.
Simulate the hypertext transfer protocol secure (HTTPS) protocol in use. A server submits a request for resources using TCP port 80. A protocol between the application and transport layers of the TCP/IP stack encrypts a TCP connection. An encrypted TCP connection protects sensitive banking information during online transmission. A payload serves an HTML web page in plaintext.
An encrypted TCP connection protects sensitive banking information during online transmission. HyperText Transfer Protocol Secure (HTTPS) is used to encrypt Transmission Control Protocol (TCP) connections. Websites for banking, email, or shopping should use HTTPS to encrypt data for protection when submitting the data.
A government system uses Public Key Infrastructure to enable users to securely exchange data using both a public and private cryptographic key pair that is obtained and shared through a trusted authority. This process most likely describes which of the following? IAM 2FA Authentication application Something you know authentication
Authentication application An authentication application is used to verify access to a user. Authentication applications use various means to identify a user such as static codes, token keys and Public Key Infrastructure.
What does the process of carving refer to? Non-repudiation Data recovery Strategic counterintelligence Acquiring evidence according to order of volatility
Data recovery Data recovery refers to the analysis of a disk (or a disk image) for file fragments retained in slack space. These fragments may represent deleted or overwritten files.
Conclude which terms represent a core feature of the Diamond Model of Intrusion Analysis. (Select all that apply.) Capability Victim Infrastructure Eradication
Capability Victim Infrastructure A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used. It is useful to define the victim in terms of both the people or organization targeted, as well as the victim's assets (i.e., the attack surface). The infrastructure feature describes the communication structures the adversary uses to utilize a capability. The capability feature describes the tools and/or techniques of the adversary used in the event. All of the vulnerabilities and exposures utilized by the individual's capability, regardless of the victim, are its capacity. Eradication is one of the six steps of implementing a structured incident response and is not directly related to the Diamond Model of Intrusion Analysis.
Which of the following hardening procedures can protect a multifunction printer from a cybersecurity attack? (Select all that apply.) Change default password Place on public network Delete queued data Enable logging
Change default password Delete queued data Enable logging Administrators should change all passwords from the factory defaults of a multifunction printer to ensure a secure system. Enabling logging allows administrators to monitor and audit printer use. Reviewing the logs on a regular basis helps determine suspicious activity. Automatically deleting queued data can protect against the disclosure of information that is stored on the multifunction printer hard drive. Placing a multifunction printer on a public network is a security risk. Printers should be placed on a private network intended for only authorized users to access.
A software developer enables a security feature commonly known as stack protection but does not execute the source code. Which of the following best describes what the developer is using? Input validator Vulnerability scanner Compiler Interpreter
Compiler A compiler is a program that translates high-level programming language into machine code that can later be executed many times against different data. A compiler does not execute source code.
Which coding automation concept relates to committing and testing updates often? Continuous integration Continuous deployment Continuous delivery Continuous monitoring
Continuous integration Continuous integration (CI) is the principle that developers should commit and test updates often, such as every day or sometimes even more frequently. For effective CI, it is important to use an automated test suite to validate each build quickly. Continuous deployment is a process of making changes to the production environment to support the new app version.
A recent security audit necessitates separating network resources on a departmental level. Admin will implement the separation across hardware and software devices. After analyzing a list of suggestions, which approach provides a complete solution to the problem? Create VLANs Create an airgap Add a proxy Apply firewall filters
Create VLANs A Virtual Local Area Network (VLAN) is a logical group of network devices on the same LAN, despite their geographical distribution. It can divide the devices logically on the data link layer, and group users according to departments.
Two companies are planning to provide their users with easier access to wireless access points at any of the company locations using personal company credentials. The companies will use Extensible Authentication Protocol (EAP) so that users are not required to memorize more passwords. How would a network administrator set up such a wireless network for these users? Create a Demilitarized Zone Create a RADIUS federation Deploy new domain controllers Use a TACACS+ solution
Create a RADIUS federation RADIUS federation means that multiple organizations allow access to one another's users by joining their RADIUS servers into a RADIUS hierarchy or mesh. Replacing the RADIUS solutions with Terminal Access Controller Access-Control System Plus (TACACS+) is not feasible. TACACS+ usually manages switches and routers.
A database export allows personally identifiable information (PII) to display in report format and on screen. This poses a potential data leakage concern. In order to protect this PII, what de-identification method should the programmer consider implementing? Data masking Tokenization Salting Hashing
Data masking Data masking is a secure coding technique used to hide sensitive or private data from disclosure. All or part of the data fields are altered by substituting character strings with a random character.
The local operational network consists of physical electromechanical components controlling valves, motors, and electrical switches. All devices enterprise-wide trust each other in the internal network. Which of the following attacks could overwhelm the network by targeting vulnerabilities in the headers of specific application protocols? Malicious PowerShell attack DNS amplification attack DDoS attack Man-in-the-middle attack
DNS amplification attack A Domain Name System (DNS) amplification attack is an application attack that targets vulnerabilities in the headers and payloads of specific application protocols. It triggers a short request for a long response at the victim network.
A cyber security team would like to gather information regarding what type of attacks are occurring on a network. Which of the following implementations would assist in routing information on the attackers to a Honeynet? Spear phishing DDoS DNS sinkhole honeypot
DNS sinkhole A Domain Name Service (DNS) sinkhole is used to intercept DNS requests attempting to connect to known malicious or unwanted domains and return a fake IP address.
A small department at a company manages a server, separate from IT, for data access and backup purposes. What role does the department fulfill? Data controller Data custodian Data owner Data processor
Data custodian The data custodian role handles managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures.
A small business was robbed, and several workstations were stolen. The business stored customer data within a plain spreadsheet on one of the stolen workstations. Customer data and other business files are restored from an external hard drive soon after. Describe the issues that the business faced during this trying time. (Select all that apply.) Data was exfiltrated from the office. Customer identity was not stolen. Business had a privacy breach. Customer data was permanently lost.
Data was exfiltrated from the office. Business had a privacy breach. Data exfiltration is the methods and tools an attacker uses to take data without authorization from the victim's systems. The data can be physically taken or transferred to an external network or media. A privacy breach is where personal data is not collected, stored, or processed in full compliance with the laws or regulations governing personal information. A plain spreadsheet and a computer with no encryption capability are not enough security to hold sensitive data. The customer's identity was stolen and can be sold on the black market on the dark web, for example. Data loss occurred only for a short moment and was not permanent. Customer data and other business files were restored from a backup and made available.
In which environment can multiple developers check out software code and include change management processes? Test Production Staging Development
Development A development environment is where developers create a product. Developers check out code for editing or updating. Version control and change management occur in the development environment to track development.
The IT team has purchased a few devices that are compatible with the Trusted Computing Group Security Subsystem Class called Opal. Which of these device specifications will take advantage of Opal's security features? Disk encryption Operating system Registry settings Automatic vendor updates
Disk encryption The Opal security subsystem class is a set of specifications that defines a management interface for a host application to activate, provision, and manage encryption of user data on self-encrypting drives (SED).
A cloud service provider informs its consumers that Amazon Linux version 1 products will no longer be supported after 31 December. Consumers using these products must have a plan in place to upgrade to the newest Amazon Linux product, version 2. After the deadline, Amazon Linux 1 products will only receive critical patches. Which of the following best describes the degradation of the product? EOS Legacy system EOL Multiparty risk
EOL The end of life (EOL) for a software product occurs when a product will no longer be produced or sold. These products are most likely to be replaced by a newer version or model.
An enterprise has recently experienced a severe malware attack. Admin has identified and removed the cause, and they are now checking the systems and bringing them back online. How would one categorize the cause with respect to incident response procedures? Preparation Recovery Containment Eradication
Eradication Eradication is an incident response lifecycle phase requiring the identification of the root cause of an incident. For instance, a user clicking on a suspicious attachment in an email is a root cause of a potentially larger problem.
Which of the following protocols would secure file transfer services for an internal network? SSTP LDAPS FTPES DNSSEC
FTPES File Transfer Protocol Explicit Secure (FTPES) uses the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This protects authentication credentials.
The financial staff at an organization works with IT and management to determine the risks associated with currently deployed systems. What measure of risk results from this analysis? Risk appetite Inherent risk Residual risk Control risk
Inherent risk The result of quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before any type of mitigation has been attempted.
Which value is the result of a quantitative or qualitative risk analysis? Annualized loss expectancy Single loss expectancy Risk factor Inherent risk
Inherent risk The result of quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before any type of mitigation has been attempted.
A software developer created a new application, and the software company pressured the developer to release it to the public. Which of the following helps ensure the application is secure before the release? (Select all that apply.) Input validation Application auditing Error handling Proper authentication and authorization
Input validation Error handling Proper authentication and authorization Some of the challenges of application development include the pressure to release a solution ahead of schedule, as well as neglecting secure development practices, such as error handling. Input validation is another secure development practice that a software developer should not neglect. Proper authentication and authorization are an important part of performing secure coding practices. Application audits should occur after the application's first commission, or when the application gets upgraded, and at regular intervals thereafter. Performing these audits helps to ensure the application is not vulnerable to new threats.
Recommend a strategy to establish what witnesses were doing at the scene, whether they observed any suspicious behavior or activity, and to gather information about the computer system. Apply tags Read digital forensics reports Interview witnesses Video record the investigation
Interview witnesses The investigator could interview witnesses to decide what they were doing on the scene, whether they noticed any unusual actions, and also to collect details about the device.
What type of strategy is a blackhole? (Select all that apply.) Isolation Containment Segmentation Data Loss Prevention
Isolation Containment Isolation is the act of disconnecting an entire system or network. Isolation is a malware containment procedure. Containment is a strategy that controls access to files, data, systems, or networks across points of entry, using isolation or segmentation techniques.
When implementing a native-cloud firewall, which layer of the Open Systems Interconnection (OSI) model will require the most processing capacity to filter traffic based on content? Layer 7 Layer 4 Layer 1 Layer 3
Layer 7 At layer 7, or the application layer of the OSI model, the firewall can parse application protocol headers and payloads (such as HTTP packets) and make filtering decisions based on their contents. This requires the most processing capacity (or load balancing), or the firewall will become a bottleneck causing network latency.
A large firm uses a non-persistent operating system for its remote users. This allows the employees to access company resources while teleworking. When the computers are turned off, the operating system disappears. Which of the following operating systems is the company using? Trusted operating system TPM Live boot media Full disk encryption
Live boot media Live boot media is a non-persistent operating system on a compact disc or USB. Live boot media can be run on any computer to provide the user a complete operating system while the computer is on.
Identify the concepts that function as alternatives to kill chain life cycle analysis in threat intelligence. (Select all that apply.) Continuity of operation planning (COOP) MITRE ATT&CK Incident response plans The Diamond Model of Intrusion Analysis
MITRE ATT&CK The Diamond Model of Intrusion Analysis The MITRE ATT&CK framework stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a database of known TTPs (tactics, techniques, procedures) that can function as an alternative to the cyber kill chain. The Diamond Model of Intrusion Analysis is a framework that analyzes intrusion events by examining relationships between four core features and can be utilized as an alternative to the cyber kill chain.
A company is renovating a new office space and is updating all Cisco routers. The up-to-date Internetwork Operating System (IOS) will provide the best protection from zero-day exploits. What other options could a network administrator configure for route security? (Select all that apply.) Message authentication Block source routed packets SNMP trap collections IPv6 on clients
Message authentication Block source routed packets Most dynamic routing protocols support message authentication via a shared secret configured on each device. This allows routers to accept routing updates that are managed by the network team. Blocking source routed packets will prevent the chance of spoofed IP addresses from bypassing routers and firewall filters.
Mobile engineers are designing a phone that can support internal key-pair certificates for authentication and encryption/decryption capabilities for an internal organization or corporation. Which component may the engineers want to include in the design of this phone? Tethering MicroSD HSM SEAndroid USB OTG
MicroSD HSM Micro Secure Digital (MicroSD) Hardware Security Module (HSM) is designed to store cryptographic keys, such as a key-pair certificate, in a secure manner. It requires no extra drivers or uncommon hardware components to use.
A system administrator implements a process that provides two separate paths from each server node to every disk in a redundant array of inexpensive disks set up to remove a single point of failure. What concept has the administrator implemented? Load balancing Fault tolerance Multipathing Longevity
Multipathing Multipathing allows users to configure multiple input/output (I/O) paths between server nodes and storage arrays into a single device to remove a single point of failure and increase redundancy.
A network administrator is installing a device that uses redundant array of inexpensive disks (RAID) technologies for redundancy and provides employees remote access so that files can be accessed anywhere. The device does not require licensing and stores data at the file level. Which device is the employee likely installing in the infrastructure? NAS VDI SAN RDP
NAS Network-attached storage (NAS) is a file-level data storage server attached to a network that provides data access to a common group of clients. NAS is a single storage device that serves files over Ethernet. NAS can be accessed remotely and uses RAID technologies for hard drive failure.
What protocol alters public IP addresses to private IP addresses and vice versa, in an attempt to protect internal computers from the Internet? Firewall Proxy NAT URL Filter
NAT Network Address Translation (NAT) translates public IP addresses to private and vice versa. By using the NAT protocol on the firewall, a company can hide assets from the public internet.
Information security and cybersecurity tasks can be classified into five functions. Which regulatory concept or entity relates to these functions? Center for Internet Security (CIS) General Data Protection Regulation (GDPR) National Institute of Standards and Technology (NIST) Payment Card Industry Data Security Standard (PCI DSS)
National Institute of Standards and Technology (NIST) Information security and cybersecurity tasks can be classified as five functions (Identify, Protect, Detect, Respond, Recover), following the framework developed by the National Institute of Standards and Technology.
Select the tools that do any form of network scanning, such as port scanning, IP scanning, etc. (Select all that apply.) Nmap cat ping Netcat
Nmap ping Netcat Nmap is a versatile tool, allowing users to perform various types of network scans. The packet-sniffing library Npcap can be added to Nmap to provide packet sniffing and injection capability. The nc (or Netcat) command reads and writes data across network connections. Netcat can be used for things such as port scanning and fingerprinting. Ping can execute a sweep of all the IP addresses in a subnet with just a short script. The cat command (or concatenate) is a commonly used Linux command that allows a user to create single or multiple files, view contents of files and redirect the output of the terminal to a file.
Which of the following is NOT a critical profiling factor when assessing the risk that any one type of threat actor poses to an organization? Non-repudiation Structure Motivation Intent
Non-repudiation Non-repudiation is a term that describes a property of a secure network where a sender cannot deny having sent a message.
An aviation tracking system maintains flight records for equipment and personnel. The system is a critical command and control system that must maintain an availability rate of 99% for key parameter performance. The cloud service provider (CSP) guarantees a failover to multiple zones if an outage occurs. In addition to the multi-zonal cloud failover, what other backup solution could the system invest in order to maintain data locally? Control diversity Vendor diversity Sandboxing Offline
Offline An offline backup solution would be a good implementation to safeguard the systems data and have it readily available to access in the event of an outage.
A file system audit shows a malicious account was able to obtain a password database. The malicious account will be able to use the information without interacting with an authentication system. What type of attack will the malicious account be able to perform on systems? Offline password attack Online password attack Dictionary attack Password spraying attack
Offline password attack An offline password attack means that the attacker has managed to obtain a database of password hashes from an Active Directory credential store, for example. A password cracker tool does not need to interact with the authentication system in this case.
An organization remodels an office which results in the need for higher security during construction. Placing a security guard by the data center utilizes which control types? (Select all that apply.) Operational Compensating Preventative Corrective
Operational Preventative Operational control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls. A preventative control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. A corrective control is used after an attack. A good example is a backup system that can restore data that was damaged during an intrusion. A compensating control serves as a substitute for a principal control, as recommended by a security standard.
Describe what distinguishes tabletop training from walkthrough training. Participants describe their course of action, using no computer equipment. The scenario is from the point of view of the attacker. Participants demonstrate their chosen course of action The scenario is more realistic.
Participants describe their course of action, using no computer equipment. In tabletop instruction, the facilitator poses a situation and the respondents describe what steps they might take to identify, contain, and eradicate the potential threat. Scenario data are mostly implemented as flashcards and do not require computing equipment.
An application user is contacted after an attempt to login to a company application to verify activity. Which form of two-factor authentication is this? Push notification Phone call SMS Voice recognition
Phone call A phone call is a form of two-factor authentication (2FA). An automated service dials the registered number on file to confirm authentication of a user.
A basic dictionary attack includes using which of the following? Rainbow table Plaintext On-path Collisions
Plaintext A dictionary attack is performed when software generates hash values from a dictionary of plaintexts to match with a captured hash to gain access.
An attacker is preparing a phishing email mimicking the contents of a legitimate company email. The email will include a fake invoice to request payment for medical services and an email address that looks convincing. What can the attacker modify on the email to make it more convincing? Ask for personal information. Prepend "RE:" to the subject line. Increase the invoice number by 1. Change the employee's identity.
Prepend "RE:" to the subject line. Prepending means adding text that appears to have been generated by the mail system. For example, an attacker may add "RE:" to the subject line to make it appear more legitimate and a reply to a previous email thread.
The IT team manages multiple root accounts on a spreadsheet that provides access to virtual hosts. Although only administrators have access to the share location where the spreadsheet exists, management would like to add auditing measures to these accounts. Which solution will support the requirement? Privilege access management File system permissions Mandatory access control Discretionary access control
Privilege access management Enterprise privilege access management products provide a solution for storing high-risk credentials in a vault rather than a spreadsheet, and for auditing the use of elevated privileges generally.
After software testing activities have been completed, a system administrator moves the .war file to an environment that allows end users to access the application. Which environment is the completed software being deployed to? Development Production Staging Test
Production A production environment is where the final product is placed. All testing and development are complete at this point. A development environment is where developers create a product. Developers check out code for editing or updating. A test environment does not fully simulate a production environment. The test environment allows for vulnerability scanning, penetration testing, and functional user testing before being deployed to the staging environment. A staging environment mimics that of a production environment. It is used for dynamic analysis of an application in a complete but separate production-like environment.
A company provides smartphones to their employees. IT administrators have the ability to deploy, secure, and remove specific applications and data from the employees' smartphones. Analyze the selections and determine how IT can perform this type of control. Storage segmentation Push notifications Content management Baseband update
Storage segmentation Storage segmentation is personal data segmented from organizational data on a mobile device. It gives IT administrators control over corporate assets on employees' mobile devices.
What purpose does the Linux utility grep serve? String-match search using regex syntax Views or changes read and write permissions for a file Uses byte order swapping to convert ASCII and EBCDIC encodings Reads data from a file and returns the contents as output
String-match search using regex syntax The grep command accepts regex syntax to perform string matching, searching the entire contents of a specified file for the specified string. This command will easily fulfill the analyst's needs.
A tech considers installing either a Raspberry Pi or Arduino system inside a small enclosure as a control device for sensitive tasks. The utilization of this technology is an example of which embedded system type? System on Chip (SoC) Real-Time Operating System (RTOS) Programmable Logic Controller (PLC) Field Programmable Gate Array (FPGA)
System on Chip (SoC) System on chip (SoC) is a design where processors, controllers, and devices are provided on a single processor die (or chip). Raspberry Pi and Arduino are examples of SoC boards.
A network administrator researched Secure Sockets Layer/Transport Layer Security (SSL/TLS) versions to determine the best solution for the network. Security is a top priority along with a strong cipher. Recommend the version to implement, which will meet the needs of the company. SSL 3.0 SSL 2.0 TLS 1.2 TLS 1.1
TLS 1.2 Transport Layer Security (TLS) 1.2 added support for the strong Secure Hash Algorithm (SHA)-256 cipher along with improvements to the cipher suite negotiation process and protection against known attacks.
A system engineer is researching backup solutions that are inexpensive and can store large amounts of data offline. The backup solution must be portable and maintainable for a certain length of time defined in the company's backup recovery plan. Which of the following is the best backup solution? Tape Disk SAN NAS
Tape A tape backup solution is the storing of data on a magnetic tape. It is less expensive than most backup solutions. When stored properly, tape can last longer and is small and portable.
A company uses a DevSecOps approach for developing and maintaining software. In one environment, developers complete penetration and vulnerability scanning to ensure the system is free of bugs and coding errors early on. Which of the following best describes this environment? Production Test Development Staging
Test A test environment does not fully simulate a production environment. The test environment allows for vulnerability scanning, penetration testing, and functional user testing before being deployed to the staging environment.
What are the main features that differentiate the Test Access Point (TAP) from a Switched Port Analyzer (SPAN)? (Select all that apply.) Test access point (TAP) is a separate hardware device. Test access point (TAP) is considered 'active' only. Test access point (TAP) is a temporary solution. Test access point (TAP) avoids frame loss.
Test access point (TAP) is a separate hardware device. Test access point (TAP) avoids frame loss. A test access point (TAP) is a hardware device that copies signals from the physical layer and the data link layer, while SPAN (switched port analyzer) is simply mirroring ports. Since no network or transport logic is used with a test access point (TAP), every frame is received, allowing reliable packet monitoring.
Analyze the active defense solution statements and determine which best describes the purpose of a honeyfile. It is helpful in analyzing attack strategies and may provide early warnings of attacks. Configurations are in place to route suspect traffic to a different network. A decoy is set as a distraction to emulate a false topology and security zones. The attempts to reuse can be traced if the threat actor successfully exfiltrates it.
The attempts to reuse can be traced if the threat actor successfully exfiltrates it. A honeyfile is convincingly useful but actually fake data. This data can be made trackable, so that when a threat actor successfully exfiltrates it, the attempts to reuse or exploit it can be traced. A honeypot is a computer system set up to attract threat actors with the intention of analyzing attack strategies and tools to provide early warnings of attack attempts.
Auditing SIP (Session Initiation Protocol)-based VoIP logs can reveal evidence of Man-in-the-Middle attacks. When handling requests, what do the call manager and any intermediate servers add to the SIP log file? The IP address of the intended recipient A hop count A list of IP addresses of previous hops Their own IP address
Their own IP address
Flow analysis tools, such as IPFIX or NetFlow, collect metadata about network traffic without capturing each frame. Evaluate the type of analysis that uses these tools. Trend analysis Log analysis Vulnerability analysis Packet analysis
Trend analysis Since flow analyzers gather metadata and statistics about network traffic, they are commonly used to visualize traffic statistics in order to assist in identifying trends.
A company with offices in multiple countries deployed a cyber threat intelligence (CTI) appliance in the cloud to detect network attacks. The security team examined last week's data and spent a significant amount of time trying to better predict future attacks and ways to improve security. How can the team take advantage of cloud resources to better analyze these threats? Use code repositories Use proprietary software Use OSINT Use artificial intelligence
Use artificial intelligence Artificial intelligence (AI), especially machine learning, is available with cloud service providers (CSP) such as the Google Cloud Platform. AI can help analyze threat data in real-time to make better predictions, and initiate workflows to stop attacks as they happen.
A threat actor logs in to a website as a free user and submits a request for a file. The request references the parent directory of the web server. This injection attack is successful by using a canonicalization attack to disguise the nature of the malicious input. How was the threat actor able to retrieve the file? Using an XML injection attack. Using an LDAP injection attack. Using a directory traversal attack. Using a DLL injection attack.
Using a directory traversal attack. A directory traversal attack is an injection attack that uses specific code to request information from a web server's root directory by submitting the directory path.
A hacker can use Microsoft Office applications as an attack vector to automatically run multiple tasks in the background using which of the following? VBA ARP poisoning PowerShell Bash
VBA Microsoft Office uses the Visual Basic for Applications (VBA) language to script macros, for example, in a Word document, to carry out multiple tasks automatically.
A representative at a company reports that they receive unsolicited phone calls seeking banking information for a credit report. Which social engineering variant is the finance director experiencing? Spear phishing Whaling Vishing Smishing
Vishing Vishing is a phishing attack conducted through a voice channel (telephone or VoIP, for instance). Targets could be called by someone purporting to represent their bank or some other official institution.