CompTIA Security+ Practice Exam
A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst the identifies the following: • The legitimate websites IP address is 10.1.1.20 and eRecruit local resolves to the IP • The forged website's IP address appears to be 10.2.12.99. based on NetFtow records • AH three at the organization's DNS servers show the website correctly resolves to the legitimate IP • DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise. Which of the following MOST likely occurred? A. A reverse proxy was used to redirect network traffic B. An SSL strip MITM attack was performed C. An attacker temporarily poisoned a name server D. An ARP poisoning attack was successfully executed
Answer: C. An attacker temporarily poisoned a name server. This suggests that the DNS query logs show one of the DNS servers returned a result of 10.2.12.99 (cached) around the time of the suspected compromise. DNS poisoning involves manipulating the DNS cache to provide incorrect information to users, directing them to a malicious website. In this case, the user unknowingly accessed a forged recruiting application website due to the compromised DNS server returning the wrong IP address. Explanation: B. An SSL strip MITM attack was performed: SSL stripping is a different type of attack that involves downgrading a secure HTTPS connection to an unsecured HTTP connection. It doesn't directly manipulate DNS responses, so it's not the most fitting explanation for the given scenario. A. A reverse proxy was used to redirect network traffic: While a reverse proxy can be involved in redirecting network traffic, the information provided doesn't strongly indicate the use of a reverse proxy in this specific compromise. D. An ARP poisoning attack was successfully executed: ARP poisoning typically involves manipulating the ARP cache to associate an attacker's MAC address with the IP address of another device on the network. It's not directly related to DNS cache poisoning, which seems more likely in this case. Terms: AH, or Authentication Header, is a protocol in IPsec that ensures data integrity and authentication in transmitted IP packets. SSL (Secure Sockets Layer) is a cryptographic protocol that provides secure communication over a computer network. A proxy is a server that acts as an intermediary between a user's device and the internet, forwarding requests and responses to enhance privacy, security, or performance. MITM, or Man-in-the-Middle, is a type of cyberattack where an unauthorized entity intercepts and possibly
An employee has been charged with fraud and is suspected of using corporate assets. As authorities collect evidence, and to preserve the admissibility of the evidence, which of the following forensic techniques should be used? A. Order of volatility B. Data recovery C. Chain of custody D. Non-repudiation
Answer: C. Chain of Custody: Documented evidence-handling trail for integrity in legal context. Wrong Answers: Order of Volatility: Prioritizing data collection based on its likelihood to change. Data Recovery: Retrieving lost or inaccessible data from storage. Non-repudiation: Ensuring parties can't deny message authenticity.
A network administrator has been asked to install an IDS to improve the security posture of an organization. Which of the following control types is an IDS? A. Corrective B. Physical C. Detective D. Administrative
Answer: C. Detective IDS = Intrusion Detection System. It is passive and only notifies instead of blocking anything.
A RAT that was used to compromise an organization's banking credentials that was found on a user's computer. The RAT evaded antivirus detection. It was installed by a user who has local administrator rights to the system as part of a remote management tool set. Which of the following recommendations would BEST prevent this from reoccurring? A. Create a new acceptable use policy. B. Segment the network into trusted and untrusted zones. C. Enforce application whitelisting. D. Implement DLP at the network boundary.
Answer: C. Enforce application whitelisting. (Application Whitelisting: Allows only approved applications for enhanced security.) Wrong Answers: Acceptable Use Policy: Guidelines for proper and secure IT resource usage. DLP - Data Loss Prevention - Safeguards sensitive data from unauthorized access and exposure.
Which of the following types of controls is a turnstile? A. Physical B. Detective C. Corrective D. Technical
Answer: A. Physical
A user recently read an SMS on a mobile phone that asked for bank delays. Which of the following social-engineering techniques was used in this case? A. SPIM B. Vishing C. Spear phishing D. Smishing
Answer: D. Smishing (Smishing: Phishing attack via SMS, tricking users with text messages for malicious purposes.) Wrong Answers: SPIM: Spam over Internet Messaging - Unwanted messages in instant messaging, akin to email spam. Vishing: Phishing via voice communication, often phone calls, using social engineering to extract sensitive information. Spear Phishing: Targeted, customized phishing attacks for specific individuals or organizations.
A cybersecurity administrator has a reduced team and needs to operate an on-premises network and security infrastructure efficiently. To help with the situation, the administrator decides to hire a service provider. Which of the following should the administrator use? A. SDP B. AAA C. IaaS D. MSSP E. Microservices
Answer: Managed Security Service Provider (MSSP: Outsourced cybersecurity service provider for enhanced security.) Wrong Answers: SDP: Software Defined Perimeter - Dynamically creates secure perimeters for enhanced access control. AAA - primary components of security framework. Ensures access control through Authentication, Authorization, and Accounting. Infrastructure as a Service: IaaS - Cloud model offering virtualized computing resources over the internet.
A security assessment determines DES and 3DES at still being used on recently deployed production servers. Which of the following did the assessment identify? A. Unsecme(Insecure) protocols B. Default settings C. Open permissions D. Weak encryption
Answer: A Weak encryption Terms: DES: Historic symmetric key algorithm, now considered insecure. 3DES: Triple encryption using the Data Encryption Standard for enhanced security. Wrong Answers: Insecure protocols: Examples include Telnet, HTTP (without TLS/SSL), FTP (in active mode), and SMTP (without STARTTLS). Default settings: Preconfigured values upon installation, may require customization for security or preferences. Open Permissions: Broad access settings, may pose security risks.
A company recently set up an e-commerce portal to sell its product online. The company wants to start accepting credit cards for payment, which requires compliance with a security standard. Which of the following standards must the company comply with before accepting credit cards on its e-commerce platform? A. PCI DSS B. ISO 22301 C. ISO 27001 D. NIST CS
A. PCI DSS - Payment Card Industry Data Security Standard Wrong Answers: ISO 22301: International Standard for Business Continuity Management. ISO 27001: International Standard for Information Security Management. NIST CS: National Institute of Standards and Technology Cybersecurity Framework.
A manufacturer creates designs for very high security products that are required to be protected and controlled by the government regulations. These designs are not accessible by corporate networks or the Internet. Which of the following is the BEST solution to protect these designs? A. An air gap B. A Faraday cage C. A shielded cable D. A demilitarized zone
Answer: A. Air Gap (Physically isolating for enhanced security, no direct communication.) Wrong Answers: Faraday Cage: Shields electronics from electromagnetic interference. Shielded Cable: Reduces interference with a conductive layer. Demilitarized Zone (DMZ): Network buffer for services with partial exposure.
Select the appropriate attack and remediation from each drop-down list to label the corresponding attack with its remediation. Not all attacks and remediation actions will be used.
An attacker sends multiple SYN packets from multiple sources: Botnet (Botnet: Network of compromised computers controlled for malicious purposes.) > Enable DDOS protection The attack establishes a connection, which allows remote commands to be executed: RAT (RAT: Malicious software for unauthorized remote control of a system.) > Patch vulnerable systems The attack is self propagating and compromises a SQL database using well-known credentials as it moves through the network: Worm (Worm: Self-replicating malware spreading across networks, exploiting vulnerabilities.) > Change the default application password The attacker uses hardware to remotely monitor a user's input activity to harvest credentials: Keylogger (Keylogger: Captures keystrokes for unauthorized access or data theft.) > Disable remote access services The attacker embeds hidden access in an internally developed application that bypasses account login: Backdoor (Backdoor: Covert access point circumventing normal authentication.) > Conduct a code review
Which of the following describes the BEST approach for deploying application patches? A. Apply the patches to systems in a testing environment then to systems in a staging environment, and finally to production systems. B. Test the patches in a staging environment, develop against them in the development environment, and then apply them to the production systems C. Test the patches m a test environment apply them to the production systems and then apply them to a staging environment D. Apply the patches to the production systems apply them in a staging environment, and then test all of them in a testing environment
Answer: A. Apply the patches to systems in a testing environment then to systems in a staging environment, and finally to production systems.
An organization that is located in a flood zone is MOST likely to document the concerns associated with the restoration of IT operation in a: A. business continuity plan B. communications plan. C. disaster recovery plan. D. continuity of operations plan
Answer C: disaster recovery plan
To secure an application after a large data breach, an e-commerce site will be resetting all users' credentials. Which of the following will BEST ensure the site's users are not compromised after the reset? A. A password reuse policy B. Account lockout after three failed attempts C. Encrypted credentials in transit D. A geofencing policy based on login history
Answer: A. A password reuse policy Implementing a password reuse policy would help ensure that users do not reuse their old passwords, strengthening the security of their accounts after the reset.
A security auditor is reviewing vulnerability scan data provided by an internal security team. Which of the following BEST indicates that valid credentials were used? A. The scan results show open ports, protocols, and services exposed on the target host B. The scan enumerated software versions of installed programs C. The scan produced a list of vulnerabilities on the target host D. The scan identified expired SSL certificates
Answer: B. The scan enumerated software versions of installed programs A. The scan results show open ports, protocols, and services exposed on the target host: This information can be obtained without using valid credentials. It provides details about the services and ports available on the target host but doesn't necessarily require authentication. C. The scan produced a list of vulnerabilities on the target host: Vulnerability scans can identify potential vulnerabilities without using valid credentials. This information is often obtained by analyzing network behavior, configurations, and known vulnerabilities associated with software versions. D. The scan identified expired SSL certificates: Identifying expired SSL certificates does not necessarily require valid credentials. It can be determined by analyzing the certificate details during the scanning process. Valid credentials are typically needed for more in-depth assessments, such as identifying specific software versions and configurations. Terms: Briefly, enumerated means listing or counting items systematically. SSL, or Secure Sockets Layer, is a cryptographic protocol designed to provide secure communication over a computer network.
Which of the following describes the ability of code to target a hypervisor from inside A. Fog computing B. VM escape C. Software-defined networking D. Image forgery E. Container breakout
Answer: B. VM Escape (VM Escape: Unauthorized breakout from a virtual machine.) Wrong Answers: Fog Computing: Processes data closer to the network edge for efficiency. Software-defined networking - SDN: Separates network control for programmable management. Image Forgery: Manipulating images for deception or misleading purposes. Container Breakout: Unauthorized access to host from within a container.
The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the company's Chief Executive Officer (CEO), requesting a transfer of $10,000 to an account. The email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which of the following social-engineering techniques is the attacker using? A. Phishing B. Whaling C. Typo squatting D. Pharming
Answer: B. Whaling (Whaling: Phishing targeting high-profile individuals for unauthorized access.) Wrong Answers: Phishing: Deceptive attempts to obtain sensitive information through fraudulent means. Typo Squatting: Registering misspelled domains to capture user traffic. Pharming: Redirecting traffic to fraudulent sites, compromising DNS or hosts file.
A financial organization has adopted a new secure, encrypted document-sharing application to help with its customer loan process. Some important PII needs to be shared across this new platform, but it is getting blocked by the DLP systems. Which of the following actions will BEST allow the PII to be shared with the secure application without compromising the organization's security posture? A. Configure the DLP policies to allow all PII B. Configure the firewall to allow all ports that are used by this application C. Configure the antivirus software to allow the application D. Configure the DLP policies to whitelist this application with the specific PII E. Configure the application to encrypt the PII
Answer: D Configure the DLP policies to whitelist this application with the specific PII Terms: PII: Personally Identifiable Information - Identifying personal information like names or addresses. DLP: Data Loss Prevention - Safeguards sensitive data from unauthorized access or exposure. Firewall: Controls network traffic for security.
A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization's executives determine the next course of action? A. An incident response plan B. A communications plan C. A disaster recovery plan D. A business continuity plan
Answer: D. A business continuity plan (Business Continuity: Ensures essential operations continue during disruptions.) Wrong Answers: Incident Response Plan: Preset procedures for managing security incidents. Communications Plan: Outlines how an organization communicates in normal and crisis situations. Disaster Recovery Plan: Outlines processes to recover IT systems post-disruption.
Which of the following policies would help an organization identify and mitigate potential single points of failure in the company's IT/security operations? A. Least privilege B. Awareness training C. Separation of duties D. Mandatory vacation
Answer: Mandatory vacation Wrong Answers: Least Privilege: Granting minimum access needed to perform tasks. Awareness Training: Programs to inform and promote knowledge on specific topics. Separation of Duties: Distributing tasks to prevent conflicts and enhance security.
Which of the following BEST explains the difference between a data owner and a data custodian? A. The data owner is responsible for adhering to the rules for using the data, while the data custodian is responsible for determining the corporate governance regarding the data B. The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protection to the data C. The data owner is responsible for controlling the data, while the data custodian is responsible for maintaining the chain of custody when handling the data D. The data owner grants the technical permissions for data access, while the data custodian maintains the database access controls to the data
B. The data owner is responsible for determining how the data may be used, while the data custodian is responsible for implementing the protection to the data. Data Owner - the administrator/CEO/board/president of a company Data custodian - the ones taking care of the actual data - like IT staff (generally) or HR staff (for HR-related data)
An organization needs to implement more stringent controls over administrator/root credentials and service accounts. Requirements for the project include: ✑ Check-in/checkout of credentials ✑ The ability to use but not know the password ✑ Automated password changes ✑ Logging of access to credentials Which of the following solutions would meet the requirements? A. OAuth 2.0 B. Secure Enclave C. A privileged access management system D. An OpenID Connect authentication system
C. A privileged access management system Explanation: A Privileged Access Management (PAM) system is designed to manage and secure privileged accounts, such as administrator/root credentials and service accounts. It typically includes features like: - **Check-in/checkout of credentials:** Users can check out credentials when needed and check them back in when finished, ensuring accountability and control. - **The ability to use but not know the password:** Users can utilize credentials without having direct access to the actual passwords, enhancing security. - **Automated password changes:** The PAM system can automate the process of regularly changing passwords for privileged accounts to reduce the risk of compromise. - **Logging of access to credentials:** All access to privileged credentials is logged for auditing purposes, providing visibility into who accessed what and when. The other options explained: - **A. OAuth 2.0:** OAuth 2.0 is an authorization framework commonly used for third-party application access but is not designed for the specific requirements related to privileged access management. - **B. Secure Enclave:** A secure enclave is a secure and isolated area in a computing system. While it contributes to security, it doesn't provide the comprehensive privileged access management features mentioned in the requirements. - **D. An OpenID Connect authentication system:** OpenID Connect is an authentication protocol that allows for secure authentication but is not focused on privileged access management and does not provide the specific features mentioned in the requirements.
The IT department's on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production? A. Limit the use of third-party libraries. B. Prevent data exposure queries C. Obfuscate the source code. D. Submit the application to QA before releasing it.
D. Submit the application to QA before releasing it. Terms: Obfuscate: Making code or data intentionally harder to understand. QA: Quality Assurance - Ensuring products or processes meet specified standards.
CORRECT TEXT A company recently added a DR site and is redesigning the network. Users at the DR site are having issues browsing websites. INSTRUCTIONS Click on each firewall to do the following: ✑ Deny cleartext web traffic. ✑ Ensure secure management protocols are used. ✑ Resolve issues at the DR site. The ruleset order cannot be modified due to outside constraints.
Terms: DR: Disaster Recovery. Ensures the recovery of vital technology systems after a disaster. CHECK QUESTION 56
A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing the Internet all day. Which of the following would MOST likely show where the malware originated? A. The DNS logs B. The web server logs C. The SIP traffic logs D. The SNMP logs
Ans: B. The web server logs: Web server logs would likely contain information about the URLs visited by Joe during his Internet browsing. Analyzing these logs could provide insights into any malicious or suspicious activities, helping to identify the source of the malware. Wrong Ans: A. The DNS logs: DNS logs primarily contain information about domain name resolutions. While they can be valuable for understanding network activity, they might not directly reveal details about web browsing behavior or the source of malware related to web server interactions. C. The SIP traffic logs: Session Initiation Protocol (SIP) logs are typically associated with VoIP (Voice over Internet Protocol) communications. Since Joe reported issues with email and web browsing, SIP logs are less likely to provide relevant information in this context. D. The SNMP logs: Simple Network Management Protocol (SNMP) logs are used for network management and monitoring. They may not be directly related to web browsing or email activities, making them less relevant for identifying the source of malware in this scenario. In summary, web server logs are the most appropriate choice for investigating the web-related activities that might be linked to the malware infection reported by Joe.
A company's bank has reported that multiple corporate credit cards have been stolen over the past several weeks. The bank has provided the names of the affected cardholders to the company's forensics team to assist in the cyber-incident investigation. An incident responder learns the following information: ✑ The timeline of stolen card numbers corresponds closely with affected users making Internet-based purchases from diverse websites via enterprise desktop PCs. ✑ All purchase connections were encrypted, and the company uses an SSL inspection proxy for the inspection of encrypted traffic of the hardwired network. ✑ Purchases made with corporate cards over the corporate guest WiFi network, where no SSL inspection occurs, were unaffected. Which of the following is the MOST likely root cause? A. HTTPS sessions are being downgraded to insecure cipher suites B. The SSL inspection proxy is feeding events to a compro
Ans: D. The adversary has not yet established a presence on the guest WiFi network. The information provided suggests that the corporate credit card theft is associated with purchases made from enterprise desktop PCs over the hardwired network where SSL inspection is implemented. However, purchases made over the corporate guest WiFi network, without SSL inspection, were unaffected. This indicates that the adversary may not have a presence on the guest WiFi network, and the compromise is more likely associated with the hardwired network where SSL inspection is in place. Wrong Ans: A. HTTPS sessions are being downgraded to insecure cipher suites: This option is less likely because the purchases made over the corporate guest WiFi network (where SSL inspection is not implemented) were unaffected. If HTTPS sessions were being downgraded, it would likely affect transactions regardless of the network. B. The SSL inspection proxy is feeding events to a compromised SIEM: While a compromised SIEM could potentially be an issue, the fact that purchases over the corporate guest WiFi network are unaffected suggests that the root cause might not be directly related to the SSL inspection proxy or the SIEM. C. The payment providers are insecurely processing credit card charges: The information provided doesn't indicate any issues with the payment providers. The fact that purchases on the guest WiFi network were unaffected suggests that the payment providers themselves may not be the root cause.
A cybersecurity analyst needs to implement secure authentication to third-party websites without users' passwords. Which of the following would be the BEST way to achieve this objective? A. OAuth B. SSO C. SAML D. PAP
Ans: A. OAuth Explanation: • OAuth (Option A): OAuth (Open Authorization) is a secure and standardized protocol for authorization. It allows users to grant third-party applications limited access to their resources without sharing their credentials. OAuth is commonly used for authentication and authorization in scenarios where a user wants to grant access to their information on one site to another site without sharing their credentials. The other options and their considerations: • B. SSO (Single Sign-On): While SSO provides a seamless authentication experience across multiple applications, it doesn't specifically address the secure authentication to third-party websites without sharing passwords. • C. SAML (Security Assertion Markup Language): SAML is more focused on single sign-on and exchanging authentication and authorization data between parties, including between service providers. It is not primarily designed for securing authentication to third-party websites without sharing passwords. • D. PAP (Password Authentication Protocol): PAP is a simple authentication protocol that involves sending passwords in plaintext, and it is not considered secure. It is not suitable for secure authentication to third-party websites without compromising password security.
A security analyst is reviewing a new website that will soon be made publicly available. The analyst sees the following in the URL: http://dev-site.comptia.org/home/show.php?sessionID=77276554&loc=us The analyst then sends an internal user a link to the new website for testing purposes, and when the user clicks the link, the analyst is able to browse the website with the following URL: http://dev-site.comptia.org/home/show.php?sessionID=98988475&loc=us Which of the following application attacks is being tested? A. Pass-the-hash B. Session replay C. Object deference D. Cross-site request forgery
Answer. D. Cross-site request forgery The key indication in the scenario is the analyst's ability to browse the website with a different sessionID, suggesting an attempt to forge a request on behalf of the user without their knowledge or consent, characteristic of CSRF attacks. Explanation: 1. **Pass-the-hash:** This attack involves obtaining the hashed password and using it to authenticate to a system. It is not relevant to the scenario where URLs and session IDs are manipulated. 2. **Session replay:** In session replay attacks, an attacker captures and replays a session to impersonate a user. However, in the scenario described, the analyst is actively manipulating the sessionID parameter, indicating a CSRF attempt rather than replaying an existing session. 3. **Object deference:** This refers to manipulating references to objects, often in the context of programming languages. It is not applicable to the scenario where URLs and session IDs are manipulated.
A recently discovered zero-day exploit utilizes an unknown vulnerability in the SMB network protocol to rapidly infect computers. Once infected, computers are encrypted and held for ransom. Which of the following would BEST prevent this attack from reoccurring? A. Configure the perimeter firewall to deny inbound external connections to SMB ports. B. Ensure endpoint detection and response systems are alerting on suspicious SMB connections. C. Deny unauthenticated users access to shared network folders. D. Verify computers are set to install monthly operating system, updates automatically.
Answer: A. Configure the perimeter firewall to deny inbound external connections to SMB ports. (SMB stands for Server Message Block, a network file sharing protocol commonly used in Windows environments.) Terms: A zero-day refers to a software vulnerability or exploit that is unknown to the vendor or the public. It's called "zero-day" because there are zero days of protection or defense against it, as it becomes known to attackers before security experts or the software vendor are aware of it.
A workwide manufacturing company has been experiencing email account compromised. In one incident, a user logged in from the corporate office in France, but then seconds later, the same user account attempted a login from Brazil. Which of the following account policies would BEST prevent this type of attack? A. Network location B. Impossible travel time C. Geolocation D. Geofencing
Answer: B. The Impossible Travel Time policy would be the most effective in preventing this type of attack. It helps detect and prevent unauthorized access by flagging or blocking login attempts that occur from distant locations in a short period, making it difficult for a user to physically travel between those locations in the given time frame. Wrong Ans: - **Network location:** This policy focuses on the source network from which a user logs in. It might not be effective in preventing attacks involving compromised credentials used from different geographical locations. - **Geolocation:** Geolocation is about identifying the geographical location of an IP address. While it could be part of a broader security strategy, it might not be sufficient on its own. Users may legitimately travel between different locations. - **Geofencing:** Geofencing sets virtual boundaries and can trigger actions based on a device entering or leaving a specific area. While it has its uses, it might not be suitable for preventing unauthorized login attempts from different global locations in quick succession.
A security engineer is reviewing log files after a third-party discovered usernames and passwords for the organization's accounts. The engineer sees there was a change in the IP address for a vendor website one hour earlier. This change lasted eight hours. Which of the following attacks was MOST likely used? A. Man-in- the middle B. Spear-phishing C. Evil twin D. DNS poising
Answer: DNS poisoning - The MOST likely attack in this scenario is: D. DNS Poisoning Explanation: - DNS poisoning involves manipulating the DNS records to provide false information about the IP address associated with a domain. In this case, the change in the IP address for a vendor website suggests a potential compromise or poisoning of the DNS records. - This attack could redirect users to a malicious site controlled by an attacker, allowing them to capture usernames and passwords. - The fact that the change lasted for eight hours indicates a sustained effort to redirect traffic to a compromised destination. Wrong Answers: Man-in-the-Middle (MitM): Intercepting and altering communication. Spear Phishing: Targeted attacks exploiting personal information. Evil Twin: Rogue access point deceiving users for unauthorized access.
A security engineer is setting up password less authentication for the first time. INSTRUCTIONS Use the minimum set of commands to set this up and verify that it works. Commands cannot be reused. Q60 Chmod 644 ~/.ssh/id_rsa Chmod 777 ~/.ssh/authorized_keys Scp ~/.ssh/id_rsa user@server:.ssh/authorized_keys Ssh root@server Ssh-keygen -t rsa
Answer: ssh-keygen -t rsa (The command "ssh-keygen -t rsa" generates a new RSA key pair for SSH authentication.) ssh-copy-id -i ~/.ssh/id_rsa.pub user@server: Copies local SSH public key to the remote server's authorized_keys for passwordless authentication. Ssh -i ~/.ssh/id_rsa user@server: Initiates SSH connection using specified private key for authentication. Terms: RSA: Public key cryptosystem for secure data transmission and digital signatures. Wrong Answers: Chmod 644 ~/.ssh/id_rsa: Sets read and write permissions for the owner, and read-only permissions for others, for the RSA private key file. Chmod 777 ~/.ssh/authorized_keys: Sets wide-open permissions on the authorized_keys file, not recommended for security. Scp ~/.ssh/id_rsa user@server:.ssh/authorized_keys: Copies local SSH private key to the remote server's authorized_keys file for authentication. "ssh root@server" initiates an SSH connection to the server with the username "root."
A university with remote campuses, which all use different service providers, loses Internet connectivity across all locations. After a few minutes, Internet and VoIP services are restored, only to go offline again at random intervals, typically within four minutes of services being restored. Outages continue throughout the day, impacting all inbound and outbound connections and services. Services that are limited to the local LAN or WiFi network are not impacted, but all WAN and VoIP services are affected. Later that day, the edge-router manufacturer releases a CVE outlining the ability of an attacker to exploit the SIP protocol handling on devices, leading to resource exhaustion and system reloads. Which of the following BEST describe this type of attack? (Choose two.) A. DoS B. SSL stripping C. Memory leak D. Race condition E. Shimming F. Refactoring
Answer: - **DoS (Denial of Service):** The described scenario, where Internet and VoIP services are repeatedly disrupted, aligns with the characteristics of a DoS attack. The exploitation of the SIP protocol handling leading to resource exhaustion and system reloads indicates an intentional disruption of services. - **Memory leak:** The continuous system reloads and the need to handle SIP protocol issues suggest a potential memory-related problem, such as a memory leak. The attack could be causing the system to consume resources without releasing them properly, leading to the exhaustion of available memory. The other options are not directly applicable to the described situation: - **SSL stripping:** This involves downgrading secure connections to non-secure ones, but it doesn't seem relevant to the SIP protocol and system reloads. - **Race condition:** This occurs when the behavior of software depends on the relative timing of events. While it can lead to unexpected behavior, it doesn't align well with the described symptoms. - **Shimming and Refactoring:** These terms are related to software development and code modification and are not directly relevant to the described attack scenario. Term: WAN: A wide area network (WAN) connects distant local area networks (LANs) and spans large geographical areas. The Common Vulnerabilities and Exposures (CVE) system provides a reference catalog for publicly known security vulnerabilities and exposures. SIP: Session Initiation Protocol: Protocol for real-time communication sessions on the Internet. Wrong Answers: SSL stripping: Downgrading a secure HTTPS connection to unencrypted HTTP, enabling eavesdropping. Race condition: Timing-based software issue causing unpredictable outcomes. Shimming: A technique used to adapt or bridge between incompatible interfaces or compon
A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee's hard disk. Which of the following should the administrator use? A. dd B. chmod C. dnsenum D. logger
Answer: A (`dd` Command: Copies and converts files in Unix systems.) Terms: Proprietary: Owned and controlled by a specific entity, not freely available. Wrong Answers: `chmod`: Adjusts file or directory permissions in Unix systems. `dnsenum`: DNS enumeration tool for gathering domain information. `logger`: Unix command for adding log entries to system logs.
Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario? A. Watering-hole attack B. Credential harvesting C. Hybrid warfare D. Pharming
Answer: A Watering-hole attack (Targets a specific group by infecting websites they are known to visit, exploiting trust for cyberattacks.) Wrong Answers: Credential Harvesting: Collecting login credentials, often through phishing, for unauthorized access. Hybrid Warfare: Blends conventional and unconventional tactics, including cyberattacks, for strategic objectives. Pharming: Redirects users to fraudulent websites to capture sensitive information, often through DNS manipulation.
A pharmaceutical sales representative logs on to a laptop and connects to the public WiFi to check emails and update reports. Which of the following would be BEST to prevent other devices on the network from directly accessing the laptop? (Choose two.) A. Trusted Platform Module B. A host-based firewall C. A DLP solution D. Full disk encryption E. A VPN F. Antivirus software
Answer: A,B TPM (Trusted Platform Module): Hardware for secure cryptographic functions in computing devices. (security alarm for your computer to prevent hackers or malware from accessing data) Host-Based Firewall: Software protecting an individual device's network traffic. Wrong Answers: DLP Solution: (Data Loss Prevention solution) - Safeguards against unauthorized access to sensitive data. Full Disk Encryption: Encrypts entire storage for data protection. VPN: Secures internet connections for privacy and data security. Antivirus Software: Guards against viruses and malware threats.
A security analyst discovers that a company username and password database was posted on an internet forum. The username and passwords are stored in plan text. Which of the following would mitigate the damage done by this type of data exfiltration in the future? A. Create DLP controls that prevent documents from leaving the network B. Implement salting and hashing C. Configure the web content filter to block access to the forum. D. Increase password complexity requirements
Answer: A. Create DLP controls that prevent documents from leaving the network Terms: DLP: Data Loss Prevention -Safeguards sensitive data from unauthorized access or exposure.
An organization's help desk is flooded with phone calls from users stating they can no longer access certain websites. The help desk escalates the issue to the security team, as these websites were accessible the previous day. The security analysts run the following command: ipconfig /flushdns, but the issue persists. Finally, an analyst changes the DNS server for an impacted machine, and the issue goes away. Which of the following attacks MOST likely occurred on the original DNS server? A. DNS cache poisoning B. Domain hijacking C. Distributed denial-of-service D. DNS tunneling
Answer: A. DNS cache poisoning (a cyber attack that involves corrupting or injecting false information into a DNS resolver's cache. This can lead to the redirection of domain name requests to malicious websites, compromising the integrity of the DNS system.) Wrong Answers: Domain hijacking is the unauthorized takeover of a domain name, often through exploiting security flaws or unauthorized access to registrar accounts, allowing the attacker to control and potentially misuse the domain. Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of internet traffic from multiple sources. DNS tunneling is a technique that involves encapsulating non-DNS traffic within DNS packets to bypass network security measures.
A network administrator needs to build out a new datacenter, with a focus on resiliency and uptime. Which of the following would BEST meet this objective? (Choose two.) A. Dual power supply B. Off-site backups C. Automatic OS upgrades D. NIC teaming E. Scheduled penetration testing F. Network-attached storage
Answer: A. Dual power supply / D. NIC teaming (Network Interface Card teaming - improves network reliability and performance by combining multiple network interfaces into a single logical interface.) The first and most essential item in the data center resiliency checklist is hardware redundancy.
A remote user recently took a two-week vacation abroad and brought along a corporate-owned laptop. Upon returning to work, the user has been unable to connect the laptop to the VPN. Which of the following is the MOST likely reason for the user's inability to connect the laptop to the VPN? A. Due to foreign travel, the user's laptop was isolated from the network. B. The user's laptop was quarantined because it missed the latest path update. C. The VPN client was blacklisted. D. The user's account was put on a legal hold.
Answer: A. Due to foreign travel, the user's laptop was isolated from the network.
In which of the following common use cases would steganography be employed? A. Obfuscation B. Integrity C. Non-repudiation D. Blockchain
Answer: A. Obfuscation - Making data unclear for protection, often used in coding or information to hinder reverse engineering. Terms: Steganography - Concealing data within files or messages for covert communication. Wrong Answers: Integrity: Ensuring data accuracy and authenticity through techniques like checksums and digital signatures. Non-repudiation - Ensuring that a user cannot deny the authenticity of their actions or transactions. Blockchain - A secure digital ledger for transparent and decentralized transaction recording.
A security analyst is performing a forensic investigation on compromised account credentials. Using the Event Viewer, the analyst was able to detect the following message, ''Special privileges assigned to new login.'' Several of these messages did not have a valid logon associated with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected? A. Pass-the-hash B. Buffer overflow C. Cross-site scripting D. Session replay
Answer: A. Pass-the-hash Obtaining and using a hashed password without the need for cracking it. Wrong Answers: Buffer overflow - Overloading a program's buffer (A buffer is a temporary storage area in computer memory used to hold data while it's being transferred), potentially leading to unintended consequences like crashes or unauthorized access. Cross-site scripting (XSS) - security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Session replay - the process of recording and replaying a user's interactions with a website or application, often for analytical or troubleshooting purposes.
An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be the MOST acceptable? A. SED B. HSM C. DLP D. TPM
Answer: A. SED (Self-Encrypting Drive (SED): A type of hard drive or SSD with built-in encryption capabilities to secure data on the drive.) Wrong Answers: HSM: Hardware Security Module - Safely manages cryptographic keys in a dedicated hardware device for enhanced security. DLP: Data Loss Prevention - Prevents unauthorized access and transmission of sensitive data within organizations. TPM: Trusted Platform Module - Hardware security module for key management and device integrity verification.
A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery? A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis B. Restrict administrative privileges and patch ail systems and applications. C. Rebuild all workstations and install new antivirus software D. Implement application whitelisting and perform user application hardening
Answer: A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis Terms: NAS: Network Attached Storage. Centralized file storage accessible over a network for sharing and backup. Ransomware: Encrypts files, demands payment for decryption key.
A large industrial system's smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs the company's security manager notices the generator's IP is sending packets to an internal file server's IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities? A. Segmentation B. Firewall whitelisting C. Containment D. isolation
Answer: A. Segmentation (Memory segmentation: Dividing and organizing computer memory to improve multitasking and memory management.) Wrong Answers: Firewall whitelisting: Allowing only specified traffic to pass through a firewall based on predefined rules, enhancing network security. Containment: Restricting or isolating a security incident to prevent its spread, minimizing potential damage. Isolation: The act of separating or quarantining a system or network to contain security threats and prevent them from spreading.
Which of the following refers to applications and systems that are used within an organization without consent or approval? A. Shadow IT B. OSINT C. Dark web D. Insider threats
Answer: A. Shadow IT (Shadow IT: Unauthorized use of applications or services in an organization, posing security risks.) Wrong Answers: OSINT: Open Source Intelligence - Gathering intelligence from public sources like websites and social media. Dark Web: Hidden part of the internet, accessed for anonymity, often associated with illicit activities. Insider Threats: Security risks from within an organization, often by individuals with access to sensitive data.
Which of the following BEST explains the reason why a server administrator would place a document named password.txt on the desktop of an administrator account on a server? A. The document is a honey file and is meant to attract the attention of a cyberintruder. B. The document is a backup file if the system needs to be recovered. C. The document is a standard file that the OS needs to verify the login credentials. D. The document is a keylogger that stores all keystrokes should the account be compromised.
Answer: A. The document is a honey file and is meant to attract the attention of a cyberintruder. Honey File: Decoy data to detect unauthorized access or suspicious activity. Keylogger: Captures keystrokes for unauthorized access or information theft.
After a ransomware attack a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction? A. The public ledger B. The NetFlow data C. A checksum D. The event log
Answer: A. The public ledger (a transparent and decentralized record of transactions or information open to the public.) Wrong Answers: Netflow data: Network traffic details for analysis and monitoring, including source/destination IPs, ports, protocols, and data volume. Checksum: Verification code for data integrity. Event log: Record of system events for monitoring and troubleshooting.
After reading a security bulletin, a network security manager is concerned that a malicious actor may have breached the network using the same software flaw. The exploit code is publicly available and has been reported as being used against other industries in the same vertical. Which of the following should the network security manager consult FIRST to determine a priority list for forensic review? A. The vulnerability scan output B. The IDS logs C. The full packet capture data D. The SIEM alerts
Answer: A. The vulnerability scan output (Identifying and prioritizing system weaknesses to enhance security.) Wrong Answers: IDS logs - refer to the logs generated by Intrusion Detection Systems, capturing information about detected security events or potential threats on a network. Full packet capture data - includes the complete data packets transmitted over a network, providing detailed information about communication between devices. SIEM stands for Security Information and Event Management - involves real-time analysis of security alerts from different sources for effective security management.
The SOC is reviewing process and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. They allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process? A. Updating the playbooks with better decision points B. Dividing the network into trusted and untrusted zones C. Providing additional end-user training on acceptable use D. Implementing manual quarantining of infected hosts
Answer: A. Updating the playbooks with better decision points Terms: SOC: Security Operations Center. Monitors and responds to cybersecurity threats, enhancing overall security.
A software developer needs to perform code-execution testing, black-box testing, and non-functional testing on a new product before its general release. Which of the following BEST describes the tasks the developer is conducting? A. Verification B. Validation C. Normalization D. Staging
Answer: A. Verification Terms: Code Execution Testing: Identifying vulnerabilities for unauthorized code execution. Black-Box Testing: Assessing system functionality without internal code knowledge. Non-functional Testing: Evaluating aspects like performance and security beyond specific functionalities. Wrong Answers: Validation: Confirming accuracy, authenticity, or compliance. Normalization: Organizing data to reduce redundancy and improve efficiency. Staging: Pre-production testing environment for controlled releases.
A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicates a directory-traversal attack has occurred. Which of the following is the analyst MOST likely seeing? A. Option A B. Option B C. Option C D. Option D
Answer: B Terms: Directory Traversal Attack: Exploiting web app vulnerabilities to access unauthorized files.
A smart switch has the ability to monitor electrical levels and shut off power to a building in the event of power surge or other fault situation. The switch was installed on a wired network in a hospital and is monitored by the facilities department via a cloud application. The security administrator isolated the switch on a separate VLAN and set up a patch routine. Which of the following steps should also be taken to harden the smart switch? A. Set up an air gap for the switch. B. Change the default password for the switch. C. Place the switch In a Faraday cage. D. Install a cable lock on the switch
Answer: B. Change the default password for the switch. Terms: Smart Switch: Enhanced network switch with management and security features. Wrong answers: Air Gap: Physically isolating for enhanced security, no direct communication. Faraday Cage: Shields electronics from electromagnetic interference.
A development team employs a practice of bringing all the code changes from multiple team members into the same development project through automation. A tool is utilized to validate the code and track source code through version control. Which of the following BEST describes this process? A. Continuous delivery B. Continuous integration C. Continuous validation D. Continuous monitoring
Answer: B. Continuous integration Terms: Integration: Combining systems for improved functionality and data sharing. Wrong Answers: Delivery: Transporting goods, services, or information to end users. Validation: Assessing for accuracy, authenticity, or compliance. Monitoring: Continuous observation to ensure proper function and identify issues.
A system administrator needs to implement an access control scheme that will allow an object's access policy to be determined by its owner. Which of the following access control schemes BEST fits the requirements? A. Role-based access control B. Discretionary access control C. Mandatory access control D. Attribute-based access control
Answer: B. Discretionary access control (DAC: User-controlled access permissions for personal data or resources.) Wrong Answers: RBAC: Restricting system access based on user roles for task-specific permissions. MAC: Enforcing system-wide access policies set by administrators. ABAC: Granting or denying access based on specific attributes like user roles, time, or environmental conditions.
A user reports constant lag and performance issues with the wireless network when working at a local coffee shop. A security analyst walks the user through an installation of Wireshark and get a five-minute pcap to analyze. The analyst observes the following output: Which of the following attacks does the analyst MOST likely see in this packet capture? A. Session replay B. Evil twin C. Bluejacking D. ARP poisoning
Answer: B. Evil Twin: Rogue access point deceiving users for unauthorized access. Terms: Pcap: Packet Capture - Captures and analyzes network traffic for troubleshooting or security. Wrong Answers: Session Replay: Intercepting and replaying user interactions for potential unauthorized access. Bluejacking: Sending unsolicited messages via Bluetooth for pranks or promotion. ARP Poisoning: Manipulating ARP for unauthorized access or eavesdropping.
A user contacts the help desk to report the following: ✑ Two days ago, a pop-up browser window prompted the user for a name and password after connecting to the corporate wireless SSID. This had never happened before, but the user entered the information as requested. ✑ The user was able to access the Internet but had trouble accessing the department share until the next day. ✑ The user is now getting notifications from the bank about unauthorized transactions. Which of the following attack vectors was MOST likely used in this scenario? A. Rogue access point B. Evil twin C. DNS poisoning D. ARP poisoning
Answer: B. Evil twin (Evil Twin: Deceptive Wi-Fi mimicking a legitimate network for potential data interception or malicious activities.) Terms: Wireless SSID: Service Set Identifier, a unique name assigned to a wireless network to distinguish it from others. Wrong Answers: Rogue Access Point: Unauthorized wireless point risking network security. DNS Poisoning: Tampering with DNS records to redirect users to malicious sites, risking security. ARP Poisoning: Manipulating ARP to redirect or intercept network traffic for malicious purposes.
A company's Chief Information Office (CIO) is meeting with the Chief Information Security Officer (CISO) to plan some activities to enhance the skill levels of the company's developers. Which of the following would be MOST suitable for training the developers'? A. A capture-the-flag competition B. A phishing simulation C. Physical security training D. Baste awareness training
Answer: B. Phishing Simulation: Simulated exercises to test and improve resistance to phishing attacks. Wrong Answers: Capture the Flag (CTF): Cybersecurity competition solving challenges to find hidden flags. Physical Security Training: Programs for safeguarding assets and premises. Basic Awareness Training: Foundational education on fundamental concepts for a specific subject.
The IT department at a university is concerned about professors placing servers on the university network in an attempt to bypass security controls. Which of the following BEST represents this type of threat? A. A script kiddie B. Shadow IT C. Hacktivism D. White-hat
Answer: B. Shadow IT (Shadow IT solutions increase risks with organizational requirements for control, documentation, security, reliability) Wrong Answers: A script kiddie is an individual who lacks advanced programming skills but uses readily available tools and scripts to launch cyberattacks. Hacktivism refers to the use of hacking techniques and activities to promote a political or social cause. A white hat refers to an ethical hacker or cybersecurity professional who uses their skills to identify and fix security vulnerabilities in systems, applications, or networks.
Which of the following would MOST likely support the integrity of a voting machine? A. Asymmetric encryption B. Blockchain C. Transport Layer Security D. Perfect forward secrecy
Answer: Blockchain - Decentralized digital ledger for secure and transparent transactions. "Blockchain technology has a variety of potential applications. It can ensure the integrity and transparency of financial transactions, online voting systems, identity management systems, notarization, data storage, and more. " Wrong Answers: Asymmetric Encryption: Uses paired public and private keys for secure communication. TLS: Transport Layer Security - Cryptographic protocol ensuring secure communication, often used for HTTPS. Perfect Forward Secrecy (PFS): Ensures past communication confidentiality even if keys are compromised by generating new session keys.
A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate device using PKI. Which of the following should the administrator configure? A. A captive portal B. PSK C. 802.1X D. WPS
Answer: C. 802.1X (802.1X: Network access control standard for secure device authentication and authorization.) Terms: PKI: Public Key Infrastructure - Framework for secure communication using digital keys and certificates. Wrong Answers: Captive Portal: Interactive web page for network access control. PSK: Pre-Shared Key, a passphrase shared between parties for secure communication. WPS: Wi-Fi Protected Setup, simplifies the process of connecting devices to a secure wireless network.
A company recently experienced a data breach and the source was determined to be an executive who was charging a phone in a public area. Which of the following would MOST likely have prevented this breach? A. A firewall B. A device pin C. A USB data blocker D. Biometrics
Answer: C. A USB data blocker Wrong Answers: Firewall: Monitors and controls network traffic for security. Device PIN: Personal identification number for device security. Biometrics: Identity verification using unique physical or behavioral traits.
Which of the following would be the BEST method for creating a detailed diagram of wireless access points and hot-spots? A. Footprinting B. White-box testing C. A drone/UAV D. Pivoting
Answer: C. A drone/UAV Using a drone or unmanned aerial vehicle (UAV) would be an effective method for creating a detailed diagram of wireless access points and hotspots, providing a physical overview of their locations and configurations. Wrong Answers: A. Footprinting (Footprinting: collecting information about a target system or network to gather details about its structure, vulnerabilities, and potential points of entry for unauthorized access. White-box testing: Examining internal structures and logic of a system for security testing. Pivoting - Moving through a network from one compromised system to another to gain unauthorized access.
Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors? A. SSAE SOC 2 B. PCI DSS C. GDPR D. ISO 31000
Answer: C. GDPR - General Data Protection Regulation: EU regulation for privacy and personal data protection. Wrong Answers: SSAE SOC 2: Service Organization Control 2 - Framework for securing data, emphasizing trust service criteria. PCI DSS: Payment Card Industry Data Security Standard - Security standards for handling credit card information. ISO 31000: International standard for effective risk management.
Which of the following ISO standards is certified for privacy? A. ISO 9001 B. ISO 27002 C. ISO 27701 D. ISO 31000
Answer: C. ISO 27701 (ISO 27701: International standard for Privacy Information Management System.) Info: ISO 27701 also abbreviated as PIMS (Privacy Information Management System) outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage data privacy. Wrong Answers: ISO 9001: International standard for quality management systems. ISO 27002: Guidelines for information security management. ISO 31000: International standard for effective risk management.
Which of the following cloud models provides clients with servers, storage, and networks but nothing else? A. SaaS B. PaaS C. IaaS D. DaaS
Answer: C. IaaS Infrastructure as a Service (IaaS) provides clients with virtualized computing resources over the Internet. Clients have control over the operating systems, applications, and network infrastructure, while the cloud service provider manages the underlying physical hardware. Wrong Ans: - **SaaS (Software as a Service):** Provides access to software applications over the Internet. Users typically access the software through a web browser, and the software is hosted and maintained by a third-party provider. - **PaaS (Platform as a Service):** Offers a platform allowing customers to develop, run, and manage applications without dealing with the complexity of building and maintaining the underlying infrastructure. - **DaaS (Desktop as a Service):** Delivers virtualized desktop environments over the Internet. Users can access their desktop environments from various devices, and the infrastructure is hosted by a service provider.
Joe, a user at a company, clicked an email link led to a website that infected his workstation. Joe, was connected to the network, and the virus spread to the network shares. The protective measures failed to stop this virus, and It has continued to evade detection. Which of the following should administrator implement to protect the environment from this malware? A. Install a definition-based antivirus. B. Implement an IDS/IPS C. Implement a heuristic behavior-detection solution. D. Implement CASB to protect the network shares.
Answer: C. Implement a heuristic behavior-detection solution. Heuristic analysis is one of the few methods capable of combating polymorphic viruses — the term for malicious code that constantly changes and adapts, without the need for a specific signature. Terms: Cloud Access Security Broker (CASB): A solution that enforces security policies between users and cloud applications, providing visibility and control over cloud services.
A researcher has been analyzing large data sets for the last ten months. The researcher works with colleagues from other institutions and typically connects via SSH to retrieve additional data. Historically, this setup has worked without issue, but the researcher recently started getting the following message: Which of the following network attacks is the researcher MOST likely experiencing? A. MAC cloning B. Evil twin C. Man-in-the-middle D. ARP poisoning
Answer: C. Man-in-the-middle (MitM: Intercepting and potentially altering communication without knowledge.) Wrong Answers: MAC Cloning: Duplicating MAC address for unauthorized network access. Evil Twin: Rogue access point deceiving users for unauthorized access. ARP Poisoning: Faking MAC-IP association for unauthorized access or eavesdropping. Explanation: the message is basically saying the known_hosts that your client uses has a tuple that no longer matches this server, usually because the server is presenting a new key to the client, though it could be the same key on a new ip also. Which could be the result of a MITM attack. (key changed) https://serverfault.com/questions/193631/ssh-into-a-box-with-a-frequently-changed-ip (ip changed) https://stackabuse.com/how-to-fix-warning-remote-host-identification-has-changed-on-mac-and-linux/
A security analyst is reviewing the following attack log output: Which of the following types of attacks does this MOST likely represent? A. Rainbow table B. Brute-force C. Password-spraying D. Dictionary
Answer: C. Password-spraying (Systematic attempt using a few common passwords across many user accounts to avoid detection.) Wrong Answers: Rainbow Table: Precomputed table for quick password cracking by matching hash values to plaintext passwords. Brute Force: Methodical trial-and-error approach to finding the correct password by trying all possible combinations. Dictionary: Collection of common words and phrases used in attacks like password cracking.
Which of the following should be put in place when negotiating with a new vendor about the timeliness of the response to a significant outage or incident? A. MOU B. MTTR C. SLA D. NDA
Answer: C. SLA (Service Level Agreement - SLA: Agreement specifying service levels and consequences for non-compliance.) Wrong Answers: MOU: Memorandum of Understanding - A non-binding agreement outlining terms and understanding between parties. MTTR: Mean Time To Recover - The average time it takes to restore a system or service after a failure or disruption. NDA: Non-Disclosure Agreement -Confidentiality contract preventing information disclosure.
An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance's vulnerable state? A. The system was configured with weak default security settings. B. The device uses weak encryption ciphers. C. The vendor has not supplied a patch for the appliance. D. The appliance requires administrative credentials for the assessment.
Answer: C. The vendor has not supplied a patch for the appliance.
A security analyst is using a recently released security advisory to review historical logs, looking for the specific activity that was outlined in the advisory. Which of the following is the analyst doing? A. A packet capture B. A user behavior analysis C. Threat hunting D. Credentialed vulnerability scanning
Answer: C. Threat hunting (Threat Hunting: Proactive search to identify and eliminate security threats.) Wrong Answers: Packet Capture: Storing and analyzing network data packets. User Behavior Analysis: Monitoring actions for security threat detection. Credentialed Vulnerability Scanning: Assessing with credentials for thorough analysis.
An analyst visits an internet forum looking for information about a tool. The analyst finds a threat that appears to contain relevant information. One of the posts says the following: Which of the following BEST describes the attack that was attempted against the forum readers? A. SOU attack B. DLL attack C. XSS attack D. API attack
Answer: C. XSS attack Wrong Answers: SOU - Fake Term DLL attack - Fake Term - Dynamic Link Library (DLL: Code and data file for shared functionality in Windows.) API Attack: Unauthorized attempts to exploit vulnerabilities in an Application Programming Interface.
An organization is concerned that its hosted web servers are not running the most updated version of the software. Which of the following would work BEST to help identify potential vulnerabilities? A. Hping3 -s comptia, org -p 80 B. Nc -1 -v comptia, org -p 80 C. nmap comptia, org -p 80 -sV D. nslookup -port=80 comtia.org
Answer: C. nmap comptia, org -p 80 -sV (Nmap is a network scanning tool for discovering and auditing devices and services on a network.) Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. Wrong Answers: Hping3 -s comptia, org -p 80 (Hping is a network testing tool for generating and analyzing network packets.) Nc -1 -v comptia, org -p 80 (Netcat (nc) is a versatile networking tool used for reading and writing data across network connections.) nslookup -port=80 comtia.org (Nslookup is a command-line tool used for querying DNS (Domain Name System) to obtain domain name or IP address information.)
A root cause analysis reveals that a web application outage was caused by one of the company's developers uploading a newer version of the third-party libraries that were shared among several applications. Which of the following implementations would be BEST to prevent the issue from reoccurring? A. CASB B. SWG C. Containerization D. Automated failover
Answer: Containerization (Packs and runs applications with dependencies for consistent performance.) Wrong Answers: CASB: Cloud Access Security Broker. Enhances security for data and applications in the cloud. SWG: Secure Web Gateway. Guards against web-based threats with features like URL filtering and malware detection. Automated Failover: Swiftly switches to a backup system during a failure, minimizing downtime.
In the middle of a cybersecurity, a security engineer removes the infected devices from the network and lock down all compromised accounts. In which of the following incident response phases is the security engineer currently operating? A. Identification B. Preparation C. Eradiction D. Recovery E. Containment
Answer: Containment (Containment: Restricting or isolating a security incident to prevent its spread, minimizing potential damage and protecting the broader system.) Wrong Answers: Identification: Recognizing and validating the identity of a user, system, or entity in a security context. Preparation: Planning and preparation for responding to incidents. Eradication: The phase in incident response focused on eliminating the root cause of the incident. Recovery: The phase in incident response that involves restoring systems and services to normal operations.
A company uses wireless for all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring? A. A BPDU guard B. WPA-EAP C. IP filtering D. A WIDS
Answer: D. A WIDS (Wireless Intrusion Detection System) is the best choice to detect and prevent unauthorized access to the wireless network. It monitors the airwaves for malicious activities, unauthorized devices, and potential security threats. Explanation for why other answers are incorrect: A. BPDU guard: This is typically used in a wired network to protect against Bridge Protocol Data Unit (BPDU) attacks and is not directly related to wireless network security. B. WPA-EAP: While WPA-EAP (Wi-Fi Protected Access with Extensible Authentication Protocol) provides stronger authentication mechanisms than a pre-shared key (PSK), it doesn't specifically address the concern of preventing unauthorized devices from attempting to brute force the wireless PSK. C. IP filtering: IP filtering is a method of controlling network access based on the source or destination IP address. While it may be a component of network security, it doesn't directly address the specific concern of preventing brute force attacks on the wireless PSK.
Several employees return to work the day after attending an industry trade show. That same day, the security manager notices several malware alerts coming from each of the employee's workstations. The security manager investigates but finds no signs of an attack on the perimeter firewall or the NIDS. Which of the following is MOST likely causing the malware alerts? A. A worm that has propagated itself across the intranet, which was initiated by presentation media B. A file less virus that is contained on a vCard that is attempting to execute an attack C. A Trojan that has passed through and executed malicious code on the hosts D. A USB flash drive that is trying to run malicious code but is being blocked by the host firewall
Answer: D. A USB flash drive that is trying to run malicious code but is being blocked by the host firewall Terms: NIDS - A Network Intrusion Detection System (NIDS) is a security mechanism that monitors and analyzes network traffic for signs of malicious activity or unauthorized access. A vCard is a digital business card format that typically includes contact information, such as a person's name, address, phone number, email address, and other details.
In which of the following situations would it be BEST to use a detective control type for mitigation? A. A company implemented a network load balancer to ensure 99.999% availability of its web application. B. A company designed a backup solution to increase the chances of restoring services in case of a natural disaster. C. A company purchased an application-level firewall to isolate traffic between the accounting department and the information technology department. D. A company purchased an IPS system, but after reviewing the requirements, the appliance was supposed to monitor, not block, any traffic. E. A company purchased liability insurance for flood protection on all capital assets.
Answer: D. A company purchased an IPS system, but after reviewing the requirements, the appliance was supposed to monitor, not block, any traffic. Terms: Network Load Balancer: Distributes traffic for efficient resource use.
A company has drafted an insider-threat policy that prohibits the use of external storage devices. Which of the following would BEST protect the company from data exfiltration via removable media? A. Monitoring large data transfer transactions in the firewall logs B. Developing mandatory training to educate employees about the removable media policy C. Implementing a group policy to block user access to system files D. Blocking removable-media devices and write capabilities using a host-based security tool
Answer: D. Blocking removable-media devices and write capabilities using a host-based security tool
An organization has implemented a policy requiring the use of conductive metal lockboxes for personal electronic devices outside of a secure research lab. Which of the following did the organization determine to be the GREATEST risk to intellectual property when creating this policy? A. The theft of portable electronic devices B. Geotagging in the metadata of images C. Bluesnarfing of mobile devices D. Data exfiltration over a mobile hotspot
Answer: D. Data exfiltration over a mobile hotspot Terms: Geotagging adds location details, like coordinates, to media, enhancing context and mapping information. Metadata gives additional context about data, like timestamps or authorship, enriching the understanding of the main content.
A document that appears to be malicious has been discovered in an email that was sent to a company's Chief Financial Officer (CFO). Which of the following would be BEST to allow a security analyst to gather information and confirm it is a malicious document without executing any code it may contain? A. Open the document on an air-gapped network B. View the document's metadata for origin clues C. Search for matching file hashes on malware websites D. Detonate the document in an analysis sandbox
Answer: D. Detonate the document in an analysis sandbox (Analysis Sandbox: Secure environment for studying and testing potentially malicious software.) Wrong answers: Air-gapped network: Physically isolated for enhanced security. Metadata: Information describing data, including creation details. Matching File Hashes: Verifying file integrity using unique hash values. Hash: Alphanumeric string ensuring data integrity and uniqueness.
During an incident response, a security analyst observes the following log entry on the web server. Which of the following BEST describes the type of attack the analyst is experience? [2023-01-15 14:23:45] INFO: Request from 192.168.1.100 - Path: /vulnerable_app/read_file?file=../../../../etc/passwd A. SQL injection B. Cross-site scripting C. Pass-the-hash D. Directory traversal
Answer: D. Directory traversal (Directory Traversal: Exploits web app vulnerabilities for unauthorized file access.) Wrong Answers: SQL Injection: Injecting malicious SQL queries to compromise a database. Cross-Site Scripting (XSS): Injecting malicious scripts into web pages to compromise user data or sessions. Pass-the-Hash: Attacker uses hashed passwords for unauthorized authentication.
A company has limited storage available and online presence that cannot prolong for more than four hours. Which of the following backup methodologies should the company implement to allow for the FASTEST database restore time. In the event of a failure, which being mindful of the limited available storage space? A. Implement fulltape backup every Sunday at 8:00 p.m and perform nightly tape rotations. B. Implement different backups every Sunday at 8:00 and nightly incremental backups at 8:00 p.m C. Implement nightly full backups every Sunday at 8:00 p.m D. Implement full backups every Sunday at 8:00 p.m and nightly differential backups at 8:00
Answer: D. Implement full backups every Sunday at 8:00 p.m and nightly differential backups at 8:00 Terms: Full backup: A comprehensive copy of all data, ensuring a complete snapshot for recovery. Incremental backup: Short backups capturing changes since the last backup, minimizing storage and time requirements. Differential backup: Stores the changes made since the last full backup, providing a snapshot of the data's state at different points in time.
A network engineer needs to build a solution that will allow guests at the company's headquarters to access the Internet via WiFi. This solution should not allow access to the internal corporate network, but it should require guests to sign off on the acceptable use policy before accessing the Internet. Which of the following should the engineer employ to meet these requirements? A. Implement open PSK on the APs B. Deploy a WAF C. Configure WIPS on the APs D. Install a captive portal
Answer: D. Install a captive portal (Captive Portal: Requires user interaction for network access, common in public Wi-Fi.) Wrong Answers: Pre-Shared Key PSK: Shared secret for secure authentication, often in Wi-Fi networks. WAF: Web Application Firewall - Protects web applications by filtering and blocking malicious traffic. WIPS: Wireless Intrusion Prevention System - Actively prevents unauthorized access and attacks on wireless networks.
A retail executive recently accepted a job with a major competitor. The following week, a security analyst reviews the security logs and identifies successful logon attempts to access the departed executive's accounts. Which of the following security practices would have addressed the issue? A. A non-disclosure agreement B. Least privilege C. An acceptable use policy D. Offboarding
Answer: D. Offboarding (Offboarding is the process of managing an employee's departure from a company. It involves tasks such as revoking access to systems, returning company property, conducting exit interviews, and ensuring a smooth transition for the departing employee.) Wrong Answers: NDA stands for Non-Disclosure Agreement, a legal contract that outlines confidential information that parties agree not to disclose to others. Least privilege: Minimal access for tasks, reduced risk of unauthorized access or potential harm. AUP: Acceptable use policy - Rules for acceptable system use.
A cybersecurity administrator needs to add disk redundancy for a critical server. The solution must have a two- drive failure for better fault tolerance. Which of the following RAID levels should the administrator select? A. 0 B. 1 C. 5 D. 6
Answer: D. RAID 6 provides fault tolerance by allowing for two simultaneous drive failures, which is achieved through double parity. This means that data can be rebuilt even if two drives fail. In contrast: - RAID 0 does not provide redundancy; it's a striped configuration without any fault tolerance. - RAID 1 mirrors data for redundancy but only tolerates a single drive failure. - RAID 5, while providing parity for fault tolerance, can only withstand a single drive failure. Therefore, RAID 6 is the most suitable choice when the goal is to achieve fault tolerance with a two-drive failure capability.
A company recently transitioned to a strictly BYOD culture due to the cost of replacing lost or damaged corporate-owned mobile devices. Which of the following technologies would be BEST to balance the BYOD culture while also protecting the company's data? A. Containerization B. Geofencing C. Full-disk encryption D. Remote wipe
Answer: D. Remote Wipe Wrong Answers: Containerization: Portable application packaging for consistency and scalability. Geofencing: Virtual boundaries for automated location-based actions. Full-disk encryption: Protecting all disk data with comprehensive encryption.
The Chief Security Officer (CSO) at a major hospital wants to implement SSO to help improve in the environment patient data, particularly at shared terminals. The Chief Risk Officer (CRO) is concerned that training and guidance have been provided to frontline staff, and a risk analysis has not been performed. Which of the following is the MOST likely cause of the CRO's concerns? A. SSO would simplify username and password management, making it easier for hackers to pass guess accounts. B. SSO would reduce password fatigue, but staff would still need to remember more complex passwords. C. SSO would reduce the password complexity for frontline staff. D. SSO would reduce the resilience and availability of system if the provider goes offline.
Answer: D. SSO (SSO: One login for multiple services, simplifying access.) would reduce the resilience and availability of system if the provider goes offline.
A website developer is working on a new e-commerce website and has asked an information security expert for the most appropriate way to store credit card numbers to create an easy reordering process. Which of the following methods would BEST accomplish this goal? A. Salting the magnetic strip information B. Encrypting the credit card information in transit. C. Hashing the credit card numbers upon entry. D. Tokenizing the credit cards in the database
Answer: D. Tokenizing the credit cards in the database Credit Card Tokenization: Substituting credit card details with secure tokens for enhanced security. Credit card tokenization is the process of de-identifying sensitive cardholder data by converting it to a string of randomly generated numbers called a "token." Similar to encryption, tokenization obfuscates the original data to render it unreadable in the event of a data breach or other exposure.
When selecting a technical solution for identity management, an architect chooses to go from an in-house to a third-party SaaS provider. Which of the following risk management strategies is this an example of? A. Acceptance B. Mitigation C. Avoidance D. Transference
Answer: D. Transference (Risk Transference: Shifting risk through contracts or insurance.) Terms: SaaS: Software as a Service - Cloud-based software delivery over the internet. Wrong Answers: Risk Acceptance: Acknowledging and tolerating certain risks without mitigation. Risk Mitigation: Reducing impact and likelihood of identified risks. Risk Avoidance: Choosing not to engage in high-risk activities.
Which of the following will MOST likely adversely impact the operations of unpatched traditional programmable-logic controllers, running a back-end LAMP server and OT systems with human-management interfaces that are accessible over the Internet via a web interface? (Choose two.) A. Cross-site scripting B. Data exfiltration C. Poor system logging D. Weak encryption E. SQL injection F. Server-side request forgery
Answer: D. Weak encryption (The use of encryption algorithms that can be easily compromised or broken, providing inadequate security.) F. Server-side request forgery (SSRF: Unauthorized access to internal resources by tricking a server into making requests on behalf of the attacker.) Terms: "Adversely" refers to having a harmful or negative effect on something. LAMP stands for Linux, Apache, MySQL, and PHP/Python/Perl—a popular open-source web development stack. Operational Technology (OT systems manage industrial operations, emphasizing physical processes.) Wrong Answers: Cross-Site scripting - XSS: Web vulnerability injecting malicious scripts into pages, compromising user data and privacy. Data exfiltration: Unauthorized data transfer. Poor system logging: Insufficient system log records. SQL injection: Exploiting vulnerabilities in software to gain unauthorized access or manipulate data.
A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies? A. PCI DSS B. GDPR C. NIST D. ISO 31000
Answer: GDPR (General Data Protection Regulation - EU regulation for personal data protection.) Wrong Answers: PCI DSS: Payment Card Industry Data Security Standard - Security standards for handling credit card information. NIST: National Institute of Standards and Technology - U.S. agency setting standards, including cybersecurity. ISO 31000: Global standard for effective risk management.
A company processes highly sensitive data and senior management wants to protect the sensitive data by utilizing classification labels. Which of the following access control schemes would be BEST for the company to implement? A. Discretionary B. Rule-based C. Role-based D. Mandatory
Answer: Mandatory Access Control (MAC): Security model restricting access based on policies set by system administrators. Wrong Answers: Discretionary Access Control (DAC): Security model granting or restricting access based on the discretion of the object owner. Rule-Based Access Control (RBAC): Security model where access decisions are based on predefined rules and policies assigned to users or roles. Role-Based Access Control (RBAC): Security model that restricts system access based on roles and responsibilities, allowing permissions to be assigned to roles rather than individuals.
A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output: "CPU 0 percent busy, from 300 sec ago 1 sec ave: 99 percent busy 5 sec ave: 97 percent busy 1 min ave: 83 percent busy" Which of the following is the router experiencing? A. DDoS attack B. Memory leak C. Buffer overflow D. Resource exhaustion
Answer: Resource exhaustion (Depleting system resources to cause performance issues.) Terms: DNS: Domain Name System - Translates domain names to IP addresses for internet navigation. Router: Directs data between networks, connecting to the internet. Command: Instruction for computer or software action. Logs: Records of events for analysis or troubleshooting. Wrong Answers: DDoS Attack: Distributed Denial of Service Attack - Overwhelming a network or website with excessive traffic. Memory Leak: Fails to release unnecessary memory, causing issues. Buffer Overflow: Writing too much data, risking crashes or unauthorized access.
A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated customers. Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to: A. perform attribution to specific APTs and nation-state actors. B. anonymize any PII that is observed within the IoC data. C. add metadata to track the utilization of threat intelligence reports. D. assist companies with impact assessments based on the observed data.
Answer: anonymize any PII that is observed within the IoC data. Terms: IoC: Indicator of Compromise - Evidence signaling a security incident or potential threat. PII: Personally Identifiable Information - Sensitive information identifying individuals, requiring special protection. APT: Advanced Persistent Threat - Prolonged, sophisticated cyberattack with unauthorized access and data exfiltration. Metadata: Details about data, including creation and author information.
Users have been issued smart cards that provide physical access to a building. The cards also contain tokens that can be used to access information systems. Users can log in to any client located throughout the building and see the same desktop each time. Which of the following technologies are being utilized to provide these capabilities? (Select TWO) A. COPE B. VDI C. GPS D. TOTP E. RFID F. BYOD
Answers: B VDI: Virtual Desktop Infrastructure, delivers virtual desktops to users' devices. E. RFID: Radio-Frequency Identification, a technology that uses radio waves to identify and track objects, people, or animals. Wrong Answers: COPE: Corporate-Owned, Personally Enabled. It refers to a mobile device management strategy where a company owns the device but allows employees some personal use. Global Positioning System: GPS - It's a satellite-based navigation system that provides location and time information globally. Time-based One-Time Password: TOTP - It's a type of two-factor authentication that generates a unique password based on the current time. Bring Your Own Device: BYOD - It refers to the practice of allowing employees to use their personal devices for work purposes.
Which of the following are the MOST likely vectors for the unauthorized inclusion of vulnerable code in a software company's final software releases? (Select TWO.) A. Unsecure protocols B. Use of penetration-testing utilities C. Weak passwords D. Included third-party libraries E. Vendors/supply chain F. Outdated anti-malware software
Answers: D. Included third-party libraries & E. Vendors/supply chain The primary concerns in the context of unauthorized inclusion of vulnerable code often stem from third-party libraries and the supply chain, as these elements can introduce vulnerabilities if not properly managed and vetted. Explanation: A. Unsecure protocols: Unsecure protocols refer to insecure communication channels, and while they can pose security risks, they are not typically vectors for the unauthorized inclusion of vulnerable code in software releases. They are more related to data transmission security. B. Use of penetration-testing utilities: Penetration-testing utilities are tools used for ethical hacking and security testing. While misused or mishandled tools can introduce vulnerabilities, they are not common vectors for unauthorized inclusion of vulnerable code in the final software releases. C. Weak passwords: Weak passwords could lead to unauthorized access, but they are not directly related to the inclusion of vulnerable code in the software. They are more associated with authentication security. F. Outdated anti-malware software: Outdated anti-malware software may leave systems vulnerable to known threats, but it is not a typical vector for the inclusion of vulnerable code during the software development process. Terms: Vectors: refer to the different methods or paths that threats or attacks can take to compromise a system or network.
A company recently moved sensitive videos between on-premises. Company-owned websites. The company then learned the videos had been uploaded and shared to the internet. Which of the following would MOST likely allow the company to find the cause? A. Checksums B. Watermarks C. Oder of volatility D. A log analysis E. A right-to-audit clause
B. **Watermarks** Watermarks are often used in videos to embed information about the source or ownership of the content. In this scenario, examining watermarks in the videos can provide insights into the source and potentially help the company trace how the videos were shared on the internet. While other options like checksums, order of volatility, log analysis, and a right-to-audit clause are relevant in various security and forensic contexts, watermarks specifically address the concern of identifying the source or ownership of multimedia content. Wrong Answers: A. **Checksums:** Checksums are used to verify data integrity but are not typically employed to track the source or ownership of multimedia content. C. **Order of Volatility:** This concept is more related to digital forensics and the sequence in which volatile data should be collected to preserve evidence. It's not directly associated with identifying the cause of videos being shared on the internet. D. **Log Analysis:** While log analysis is crucial for identifying security incidents, it may not directly reveal information about the source or ownership of videos. It is more focused on understanding system events and user activities. E. **Right-to-Audit Clause:** A right-to-audit clause is a contractual provision that allows an organization to assess the activities of another party, but it may not provide immediate insights into the cause of videos being shared on the internet. It's more about auditing and compliance assurance.
A security audit has revealed that a process control terminal is vulnerable to malicious users installing and executing software on the system. The terminal is beyond end-of-life support and cannot be upgraded, so it is placed on a projected network segment. Which of the following would be MOST effective to implement to further mitigate the reported vulnerability? A. DNS sinkholding B. DLP rules on the terminal C. An IP blacklist D. Application whitelisting
D. Application Whitelisting Explanation: • Application Whitelisting (Option D): Given that the process control terminal is vulnerable, placing it on a segregated network segment is a good step. Application whitelisting adds an additional layer of security by allowing only approved applications to run on the system. This prevents malicious users from installing and executing unauthorized software. The other options and their considerations: • A. DNS Sinkholing: DNS sinkholing is more related to redirecting malicious domain requests to a different IP address. While it can be part of an overall security strategy, it might not directly address the vulnerability of users installing and executing software on the system. • B. DLP Rules on the Terminal: Data Loss Prevention (DLP) rules are more focused on preventing unauthorized access and transmission of sensitive data. While important, they might not directly address the issue of users installing and executing software on the system. • C. An IP Blacklist: Blacklisting specific IP addresses might help in blocking traffic from known malicious sources, but it may not be as effective in preventing users from installing and executing software on the vulnerable terminal. Therefore, considering the context of the reported vulnerability, application whitelisting would be a more effective measure to control and restrict the execution of software on the process control terminal.