CompTIA Security+ Practice Test #2
A security engineer for a tech firm tests authentication mechanisms for multi-factor authentication. Which personality trait-based solution does the engineer test? Something you are Something you exhibit Something you know Something you can do
Something you exhibit Something you exhibit refers to behavioral-based authentication and authorization, with specific emphasis on personality traits.
An application developer uses a third-party source to send cryptographic data through multiple processors to stretch the data and ensure secure algorithms. What is the developer preventing the use of? Collision Rainbow table attack Salting Weak keys
Weak keys Weak keys are poor or short algorithms in cryptographic keys used with a specific cipher. They are vulnerable to cybersecurity attacks. Stretching keys can strengthen the algorithm to make it more secure.
What type of strategy is a blackhole? (Select all that apply.) *Containment *Data Loss Prevention *Isolation *Segmentation
*Containment *Isolation Isolation is the act of disconnecting an entire system or network. Isolation is a malware containment procedure. Containment is a strategy that controls access to files, data, systems, or networks across points of entry, using isolation or segmentation techniques.
Describe scenarios where containment measures, such as isolation and segmentation techniques, should be taken. (Select all that apply.) *A worm has infected a device on the network. *The investigation of a recent incident is ongoing. *An unauthorized user accesses a server. *A compromised host pings another host periodically.
*A worm has infected a device on the network. *The investigation of a recent incident is ongoing. *An unauthorized user accesses a server. Containment is a strategy that controls network access across points of entry. Isolation is the act of disconnecting an entire system or network. Isolation is a malware containment procedure. Containment is a strategy that controls access to files, data, systems, or networks across points of entry. Isolation and segmentation techniques, such as blackholes, sinkholes, or honeypots, prevent intrusions. Containment or isolation during an investigation is a best practice and is appropriate, especially when investigators are still gathering evidence.
A cloud service provider (CSP) dashboard provides a view of all applicable logs for cloud resources and services. When examining the application programming interface (API) logs, the cloud engineer sees some odd metrics. Which of the following are examples that would concern the engineer? (Select all that apply.) *Average error rate of 78% *Low latency responses *High native-cloud firewall cost *Spike in API calls
*Average error rate of 78% *Spike in API calls An unexplained spike in Application Programming Interface (API) calls could be an indicator of a DDoS attack. This metric is captured in requests per second or per minute. Error rates measure the number of errors as a percentage of total calls, usually classifying error types under category headings. High errors may represent an overloaded system or security issue.
A small business was robbed, and several workstations were stolen. The business stored customer data within a plain spreadsheet on one of the stolen workstations. Customer data and other business files are restored from an external hard drive soon after. Describe the issues that the business faced during this trying time. (Select all that apply.) *Customer data was permanently lost. *Business had a privacy breach. *Data was exfiltrated from the office. *Customer identity was not stolen.
*Business had a privacy breach. *Data was exfiltrated from the office. Data exfiltration is the methods and tools an attacker uses to take data without authorization from the victim's systems. The data can be physically taken or transferred to an external network or media. A privacy breach is where personal data is not collected, stored, or processed in full compliance with the laws or regulations governing personal information. A plain spreadsheet and a computer with no encryption capability are not enough security to hold sensitive data.
Conclude which terms represent a core feature of the Diamond Model of Intrusion Analysis. (Select all that apply.) *Capability *Infrastructure *Victim *Eradication
*Capability *Infrastructure *Victim A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used. It is useful to define the victim in terms of both the people or organization targeted, as well as the victim's assets (i.e., the attack surface). The infrastructure feature describes the communication structures the adversary uses to utilize a capability. The capability feature describes the tools and/or techniques of the adversary used in the event. All of the vulnerabilities and exposures utilized by the individual's capability, regardless of the victim, is its capacity.
Which certificate attribute describes the computer or machine it belongs to? (Select all that apply.) *Company name *Common name *Certificate authority name *Subject alternate name
*Common name *Subject alternate name The common name (CN) attribute identifies the computer or machine by name, usually a fully qualified domain name (FQDN), such as www.comptia.org. The subject alternative name (SAN) extension field is structured to represent different types of identifiers, including domain names. This is more commonly used as the CN attribute has been deprecated.
Which attack types are client-side attacks that are impacted by malicious code? (Select all that apply.) *Integer overflow *Cross-site scripting *Directory traversal *Session replay
*Cross-site scripting *Session replay A session replay is a client-side attack. This means that the attack executes arbitrary code on the user's browser. A cross-site scripting (XSS) attack exploits the fact that the browser is likely to trust scripts that appear to come from a site the user has chosen to visit.
An administrator goes through regular tasks every morning at the office to quickly gather health metrics of the network and associated systems. The admin connects to a Windows jump server using a secure shell (SSH) to run health scripts which outputs the data to a .xls file on a local shared folder accessible to all employees. The most recent run of the health script failed immediately without any indication of the issue. If an Information System Security Officer (ISSO) examined these morning tasks, what would be considered a weak configuration? (Select all that apply.) *Unsecure remote access *Default settings *Open permissions *Unformatted error messages
*Default settings *Open permissions Open permissions can allow anyone on the network with access to files and services. Although the file share is available to internal employees, only administrators should be reviewing gathered health information. Default settings are usually unsecure settings that leave the environment and data open to compromise. A shared folder that provides access to everyone on the Internal network is an example of a default setting when shared folders are created.
Which of the following will reduce the risk of data exposure between containers on a cloud platform? (Select all that apply.) *Namespaces *Public subnets *Control groups *Secrets management
*Namespaces *Control groups In a container engine such as Docker, each container is isolated from others through separate namespaces. Namespaces prevent one container from reading or writing processes in another. Control groups ensure that one container cannot overwhelm others in a DoS-type attack. Namespaces and control groups reduce the risk of data exposure between containers.
Select the tools that do any form of network scanning, such as port scanning, IP scanning, etc. (Select all that apply.) *Nmap *cat *Netcat *ping
*Nmap *Netcat *ping Nmap is a versatile tool, allowing users to perform various types of network scans. The packet-sniffing library Npcap can be added to Nmap to provide packet sniffing and injection capability. The nc (or Netcat) command reads and writes data across network connections. Netcat can be used for things such as port scanning and fingerprinting. Ping can execute a sweep of all the IP addresses in a subnet with just a short script.
Which control types does a systems engineer implement when an initial locking mechanism does not perform as expected? (Select all that apply.) *Corrective *Detective *Preventative *Compensating
*Preventative *Compensating A compensating control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection. A preventive control acts to eliminate or reduce the likelihood that an attack can succeed. It operates before an attack can take place. An example of this control type is a lock.
A risk management implementation begins with which of the following characteristics? (Select all that apply.) *Priortization *Mitigation *Classification *Identification
*Priortization *Classification *Identification Identifying assets requires indicating which hardware and software a company maintains. Identifying assets early in the risk management process allows for a smoother risk management implementation. Classifying assets and data according to criticality provides a company a basis to assess risks in the implementation process. Prioritizing assets allows a company to decide which assets are most important to protect. Mitigating risks is a risk response technique that allows an organization to implement controls to reduce a risk.
Identify security control options that can be categorized as "corrective." (Select all that apply.) *Quarantine of infected hosts *Digital Loss Prevention (DLP) software configurations *Firewall rules *Containment of the threat
*Quarantine of infected hosts *Containment of the threat Corrective controls act to eliminate or reduce the impact of an intrusion event. During an attack, for instance, a corrective control can eliminate the threat. Quarantining infected or compromised machines is a corrective control.
A security consultant recently audited a company's cloud resources and web services. The consultant found ineffective secrets management and a lack of input validation mechanisms. What type of attack would the company's cloud resources be susceptible to at its current state? (Select all that apply.) *Resource exhaustion *API attack *Client-side request forgery *SQL injection
*Resource exhaustion *API attack *SQL injection Application Programming Interfaces (APIs) allow consumers to automate tasks on a web or cloud resource. Ineffective secrets management could compromise these services on a wide scale if the threat actor retrieves API keys. A Structured Query Language (SQL) injection modifies basic functions by adding code to some input accepted by an application to execute the attacker's own set of SQL queries. Input validations can prevent this type of attack. Resource exhaustion uses privilege access to deplete resources such as writing thousands of files to disk. Ineffective secrets management can cause these types of malicious processes.
An organization suffers a breach and learns a lesson in the proper approach of maintaining archived data. An engineer writing a report focuses on which areas? (Select all that apply.) *Attack walkthrough *Retention policies *Response plan *Lessons learned
*Retention policies *Lessons learned A retention policy refers to the safe storage and archiving of live or backed up data. A retention policy should be a proactive measure and not a reactive one. Lessons learned address the incident and responses to identify whether procedures or systems could be improved. The need for an improved retention policy is an example.
Users in a company complain that they cannot reach internal servers when using WiFi. IT discovers that the SSID of the broadcasted network is similar to the company's but is not legitimate. IT plans on searching the network to remove which disruptive technologies? (Select all that apply.) *Rogue access point *Jamming attack *Disassociation attack *Evil twin
*Rogue access point *Evil twin A rogue WAP masquerading as a legitimate one is called an evil twin. An evil twin might just have a similar name (SSID) to the legitimate one. A rogue access point is one that has been installed on the network without authorization, whether with malicious intent or not.
Evaluate the attack types and determine which are used when a high-level executive is targeted via a suspicious text message. (Select all that apply.) *SMiShing *Whaling *Vishing *Pharming
*SMiShing *Whaling SMiShing refers to using simple message service (SMS) text communications with a mobile device as an attack vector. Whaling is a spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other "big fish").
A network with two normal-working switches has several client computers connected for work and Internet access. After adding two new switches and more client computers, the new computers, as well as some of the old client computers, cannot access the network. What are most likely the cause and the solution? (Select all that apply.) *STP *A loop in the network *Flood guard *Port security
*STP *A loop in the network A switch loop on the network will cause network connections to drop since the packet cannot make the appropriate hop to the next switch to its final destination. Switching loops also generates broadcast storms. STP (Spanning Tree Protocol) is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.
A user cannot install an app from Google Play, referred to by a colleague. The user downloads the .apk file from a website and successfully installs the app. This process is known as sideloading. What are valid security concerns for installing software on a mobile device from a website rather than an app store? (Select all that apply.) *The website may have an outdated version. *It will classify the phone as "rooted." *The .apk file may be a malicious software. *The file may be corrupt.
*The website may have an outdated version. *The .apk file may be a malicious software. Official applications from companies are offered through app stores like Google Play and are usually scanned for malicious code. Installing an application by any other means is at risk of being hacked. An older version of an app installed using a download .apk file may run outdated code and use older methods or secure communication. Google Play offers the latest versions provided by companies.
Unlike transport layer security (TLS), internet protocol security (IPSec) can use two modes. One mode encrypts only the payload of the IP packet, leaving the IP address unencrypted. The other mode encrypts the whole IP packet and adds a new IP header. What are these modes? (Select all that apply.) Tunnel Stateful Stateless Transport
*Tunnel *Transport IPsec uses the tunnel mode to provide encrypted communication by encrypting the entire network packet. Unsecured networks mostly use this method. IPsec uses the transport mode to provide encrypted communication by only encrypting the payload. Private networks mostly use this method.
Management is planning a secure network design for corporate mobile devices given to remote employees. One security suggestion involves only allowing corporate apps to access the corporate network when the mobile device is connected via a virtual private network (VPN). Which of the following will support this design? (Select all that apply.) *Unified endpoint management *Mobile application management *Context-aware authentication *Security-enhanced Android
*Unified endpoint management *Mobile application management *Context-aware authentication Context-aware authentication can, for example, disable screen locks when the mobile device is in a trusted location, such as a home. It can also check whether the network connection is trusted before allowing apps to communicate externally. Mobile Application Management (MAM) sets policies for apps that can process corporate data and prevents data transfer to personal apps. This type of solution configures an enterprise-managed container or workspace. Unified Endpoint Management (UEM) is a suite of applications and features that extends the concept of network access control (NAC) solutions to the mobile device. UEM may include MAM.
Security admins are evaluating Windows server vulnerabilities related to Dynamic Link Library (DLL) injections. Modern applications are running on these Windows servers. How would an attacker exploit these vulnerabilities? (Select all that apply.) *Use malware with administrator privilege. *Evade detection through refactoring. *Enable legacy mode through shimming. *Navigate laterally using pass the hash.
*Use malware with administrator privilege. *Evade detection through refactoring. The malware must evade detection by anti-virus to be successful. This can be done through code refactoring which means the code performs the same function by using different methods, such as changing its signature. Dynamic Link Library (DLL) injection is deployed with malware that is already operating on the system with local administrator or system privileges.
A company purchased a few rack servers from a different vendor to try with their internal cluster. After a few months of integration failures, the company opted to remain with their previous vendor and to upgrade their other rack servers. The current commercial software will be migrated to the new rack servers. What may have caused the company to remain with their previous vendor for new rack servers? (Select all that apply.) *The code is unsecure. *Vendor lacks expertise. *Servers are incompatible. *Disks are self-encrypting.
*Vendor lacks expertise. *Servers are incompatible. Devices or software that are incompatible with other devices or software make them difficult to manage. Companies often seek compatibility factors to ensure full integration with existing assets. A vendor that lacks expertise is also unable to support deployment and other activities required for using a rack server in the environment. Customer experience is vital to future purchases.
Evaluate and select the differences between WPA and WPA2. (Select all that apply.) *WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). *WPA2 is much more secure than WEP, where WPA is not. *WPA2 requires entering a longer password than WPA. *WPA2 is a security protocol developed by the Wi-Fi Alliance for use in securing wireless networks.
*WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). *WPA2 requires entering a longer password than WPA. WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). WPA and WPA2 are both much more secure than WEP (wired equivalent privacy). WPA and WPA2 are both security protocols developed by the Wi-Fi Alliance for use in securing wireless networks. WPA was developed in 2003 and WPA2 was developed in 2004. Another difference between WPA and WPA2 is the length of their passwords. WPA2 requires the user to enter a longer password than WPA requires. previous
While assisting a customer over the phone to connect a laptop to a new wireless router, the user suddenly reports it is connected. Upon further inquiry into how the connection occurred, the user stated they pushed a circular button. Analyze the situation and determine which button the user pressed, and how it functions. (Select all that apply.) *WPS *Authentication server *8-character PIN *Wireless password
*WPS *8-character PIN WPS or Wi-Fi Protected Setup works with multiple compatible devices, like a printer, where the WPS button is pushed to establish a connection. Activating WPS on the wireless router and the adapter simultaneously associates the devices using an 8-digit PIN, then associate the adapter with the access point using WPA2. The system generates a random Service Set Identifier (SSID) and Pre-shared Key (PSK).
A support technician wants to test a system's connectivity by examining TCP and UDP ports. If the technician requires the ability to test both Linux and Windows systems, which tools qualify? (Select all that apply.) *netstat *nmap *netcat *pathping
*netstat *nmap The netstat command is useful in showing the state of TCP/UDP ports on a system. The same command is used on both Windows and Linux, though with different options for syntax. The Nmap Security Scanner is one of the most popular open-source IP scanners. Nmap can use diverse methods of host and port discovery, some of which can operate stealthily.
An Information Security Manager working for an ISP has discovered that an attacker has poisoned the DNS server cache by spamming it with recursive queries. Predict what tools the manager might use to discover whether the attacker has inserted any false records. (Select all that apply.) *Memdump *nslookup/dig *tcpreplay *dnsenum
*nslookup/dig *dnsenum The nslookup (or dig tool in Linux) can query the name records and cached records held by a server to discover whether an attacker has inserted any false records. dnsenum packages a number of tests into a single query, as well as hosting information and name records. dnsenum can try to work out the IP address ranges that are in use.
Identify which tools would be used to identify suspicious network activity. (Select all that apply.) *Metasploit *tcpdump *Wireshark *tcpreplay
*tcpdump *Wireshark *tcpreplay tcpdump is a command-line packet capture utility for Linux. The utility will display captured packets until halted manually, and it can save frames to a .pcap file. This tool commonly uses filter expressions to reduce the number of frames captured, such as Type, Direction, or Protocol. Wireshark is a graphical application that can capture all types of traffic by sniffing the network, and save that data to a .pcap file. tcpreplay is a command-line utility for Linux that can replay data from a .pcap file, for example, to analyze traffic patterns and data.
During a risk assessment, a company indicates the value of employee used laptops to be $1,500.00 a piece. What should the company define to come up with the annual loss expectancy in a quantitative risk assessment ALE ARO RPO RTO
ARO - annual rate of occurrence (ARO) The annual rate of occurrence (ARO) indicates how many times a loss will occur within a year. An ARO is used in conjunction with the single loss expectancy (SLE) to figure the annual loss expectancy (ALE).
Which failover type does an engineer configure so that all nodes are always on? Split tunnel Active/passive Full tunnel Active/active
Active/active With failover, an active/active cluster means that both nodes are processing connections concurrently. This allows the administrator to use the maximum capacity from the available hardware while all nodes are functional.
A Security Information Event System (SIEM) parses network traffic and log data from multiple sensors, appliances, and hosts to implement correlation rules on metrics derived from data sources. SIEM assists the systems admin to detect events that may be potential incidents. Define the term for notifications passed upon detection of a potential incident. Correlation Trends Sensitivity Alerts
Alerts SIEM dashboards are one of the main sources of automated alerts. The event is listed on a dashboard or incident handling system for an agent to assess. Then, the SIEM dashboard will automatically notify the staff in charge of security.
A system administrator ensures that the checksum on the developed code checked into the Nexus repository matches the checksum presented to the customer to ensure the finished product is what was agreed upon. This best represents which of the following processes? Change management Benchmarking Configuration control Baseline configuration
Baseline configuration Baseline configurations are documented and agreed-upon sets of specifications for information systems. Baseline configurations serve as the starting point for development, patching, and changes to information systems.
Which of the following is an example of a vulnerability database that a security administrator can use with Tenable Nessus to assess the security state of servers on the network? Threat map TAXII STIX CVE
CVE Common Vulnerabilities and Exposures (CVE) is a database of information about vulnerabilities that are codified as signatures. A vulnerability scanner like Tenable Nessus uses CVE to scan the network to determine the security state of almost any device.
An IT company purchases a commercial off the shelf (COTS) product that allows for four developers to access and run the product against developed code for vulnerability and threat assessments. An IT audit indicates that five developers have accessed the product. Which of the following best describes what the company is in violation of? Terms of agreement Compliance/Licensing Vendor diversity Regulatory framework
Compliance/Licensing Software compliance and licensing is a legally binding agreement that means only using a software in accordance with the software developers' conditions of usage.
Security content automation protocol (SCAP) allows compatible scanners to compare computers with which of the following? Log collector Common Vulnerability Scoring System Security bulletin Configuration baseline
Configuration baseline Security content automation protocol (SCAP) allows compatible scanners to determine whether a computer meets a configuration baseline. The Extensible Configuration Checklist Description Format (XCCDF) audits for best-practice configuration checklists and rules.
What is the best solution that Enterprise Mobility Management seeks for enterprise workspaces? Baseband update Geofencing Containerization Rooting
Containerization Enterprise Mobility Management is moving more toward containerization as the best solution for enterprise workspaces. These solutions can use cryptography to protect the workspace in a way that is much harder to compromise, even from a rooted/jailbroken device.
A company implements automated tools and processes to increase the visibility and transparency of network activity to mitigate the risk of cyber-attacks and detect application performance issues. Which of the following did the company implement? Continuous deployment Continuous monitoring Continuous integration Continuous delivery
Continuous monitoring Continuous monitoring is the process used to detect compliance and risk issues associated with an organization in real-time. Continuous monitoring allows an organization the ability to react to issues swiftly.
A user at a company executes a program that displays a threatening message. The message says "files on the computer will remain encrypted until bitcoin is paid to a virtual wallet." Which of the following best describes this type of infection? A logic bomb Crypto-malware A mine A worm
Crypto-malware Ransomware is a type of Trojan malware that extorts money from the victim. The computer remains locked until the user pays the ransom. Crypto-malware is ransomware that attempts to encrypt data files. The user will be unable to access the files without the private encryption key.
The local operational network consists of physical electromechanical components controlling valves, motors, and electrical switches. All devices enterprise-wide trust each other in the internal network. Which of the following attacks could overwhelm the network by targeting vulnerabilities in the headers of specific application protocols? Man-in-the-middle attack Malicious PowerShell attack DDoS attack DNS amplification attack
DNS amplification attack Domain name system (DNS) amplification attack is an application attack that targets vulnerabilities in the headers and payloads of specific application protocols. It triggers a short request for a long response at the victim network.
A cyber security team would like to gather information regarding what type of attacks are occurring on a network. Which of the following implementations would assist in routing information on the attackers to a Honeynet? DNS sinkhole honeypot Spear phishing DDoS
DNS sinkhole Domain Name Service (DNS) sinkhole is used to intercept DNS requests attempting to connect to known malicious or unwanted domains and returning a fake IP address.
A database export allows personally identifiable information (PII) to display in report format and on screen. This poses a potential data leakage concern. In order to protect this PII, what de-identification method should the programmer consider implementing? Salting Tokenization Hashing Data masking
Data masking Data masking is a secure coding technique used to hide sensitive or private data from disclosure. All or part of the data fields are altered by substituting character strings with a random character.
As a part of an effort toward a DevSecOps-based approach, a large tech company establishes a dedicated cyber incident response team (CIRT). The objective of the program is to exchange knowledge and insights and to work together to mitigate threats. Considering the team's need for diversity among team members, decide which type of individual they should include. Privileged user System administrator Privacy officer Decision maker
Decision maker Members of such a team should be able to have the breadth of decision-making and technical expertise necessary to cope with various kinds of accidents. The team should include a person with the authority to authorize intervention.
A cloud service provider informs its consumers that Amazon Linux version 1 products will no longer be supported after 31 December. Consumers using these products must have a plan in place to upgrade to the newest Amazon Linux product, version 2. After the deadline, Amazon Linux 1 products will only receive critical patches. Which of the following best describes the degradation of the product. Multiparty risk EOL Legacy system EOS
EOL The end of life (EOL) for a software product occurs when a product will no longer be produced or sold. These products are most likely to be replaced by a newer version or model.
A lack of which of the following measures of disorder can leave a cryptosystem vulnerable and unable to encrypt data securely? Entropy Longevity Integrity Nonce
Entropy Entropy is a measure of cryptographic unpredictability. Using high entropy sources of data provides more security than using low sources. A lack of good entropy can leave a system vulnerable.
An application requires continuity of operations within a 24 hour period due to the command and control capabilities it maintains. The failover site must be physically separated from the program office and be available within the required timeframe with live data. Which of the following redundancy solutions best meets the failover requirement? Recovery time objective Failover clusters Meantime between failure Geographical dispersal
Geographical dispersal Geographical dispersal is a failover consideration that replicates data in hot and warm sites physically distanced from one another in the event of a catastrophe.
A fraudulent credit card purchase is an impact of which of the following? Privacy breach Reputation damage Identity theft Availability loss
Identity theft Identity theft involves stealing someone's identity to perform tasks in their name. For example, a threat actor uses personal details and financial information to make fraudulent credit applications and purchases.
Which value is the result of a quantitative or qualitative risk analysis? Annualized loss expentancy Single loss expentency Risk factors Inherent risk
Inherent risk The result of quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before any type of mitigation has been attempted.
A security administrator protects systems' passwords by hashing their related keys. The administrator discovers that this approach does not make the key any more difficult to crack. Analyze the different security properties and determine which one the administrator implemented. Key length Key stretching Digital signatures Key exchange
Key stretching Key stretching takes a key that is generated from a user password and repeatedly converts it to a longer and more random key. This does not make the key stronger but causes a hacker to spend more time using a reverse hashing algorithm.
When implementing a native-cloud firewall, which layer of the Open Systems Interconnection (OSI) model will require the most processing capacity to filter traffic based on content? Layer 4 Layer 7 Layer 1 Layer 3
Layer 7 At layer 7, or the application layer of the OSI model, the firewall can parse application protocol headers and payloads (such as HTTP packets) and make filtering decisions based on their contents. This requires the most processing capacity (or load balancing), or the firewall will become a bottleneck causing network latency.
The ARP cache stores what kind of information about recent connections? MAC addresses Round trip time (RTT) of network hops Packet data Latency and packet loss stats
MAC addresses The ARP(Address Resolution Protocol) cache displays the MAC address of the interface corresponding with each IP address recently communicated with by the local host. This can be useful for identifying Man-in-the-Middle or other spoofing attacks.
Which type of network attack involves asserting the use of an arbitrary hardware address onto a network interface card (NIC)? ARP poisoning MAC flooding URL redirection MAC cloning
MAC cloning Media access control (MAC) cloning, or MAC address spoofing, changes the hardware address configured on an adapter interface or asserts the use of an arbitrary MAC address.
Which of the following are deployed similarly to a credit card skimmer? Keyloggers Malicious USB plug Malicious flash drive Card cloner
Malicious USB plug A malicious Universal Serial Bus (USB) charging cable and plug are deployed similar to card skimmers. The device may be placed over a public charging port at airports and other transit locations. The device can then access a smartphone when connected.
A system engineer can monitor and control voltage factors in a data center. The engineer can make critical decisions on the center's energy consumption and load balancing. Which device is the engineer likely using to make these decisions? UPS Generator Managed PDUs SIEM
Managed PDUs A managed power distribution unit (PDU) is a power protection and management system that allows a user to monitor and manage voltage and electrical current in an environment.
What protocol alters public IP addresses to private IP addresses and vice versa, in an attempt to protect internal computers from the Internet? Firewall NAT Proxy URL Filter
NAT - Network addressing protocol (NAT) Network addressing protocol (NAT) translates public IP addresses to private and vice versa. By using the NAT protocol on the firewall, a company can hide assets from the public internet.
A European company that offers subscription services has recently experienced a data breach wherein private data, including personally identifiable information (PII), was compromised. What step should be taken by the company to avoid regulatory fines or lawsuits? Hide the occurrence of the breach. Identify the vulnerability that led to the breach. Notify those affected by the breach. Fix the vulnerability that led to the breach.
Notify those affected by the breach. Many laws and regulations require immediate notification of all third parties affected by a breach, including the GDPR in the EU. Failing to do so could lead to fines and potential reputation damage.
There are several ways to check on the status of an online certificate, but some introduce privacy concerns. Consider how each of the following is structured and select the option with the best ability to hide the identity of the certificate requestor. CRL OCSP stapling OCSP OCSP responder
OCSP stapling Stapling addresses the privacy issues surrounding Online Status Certificate Protocol (OCSP) by having the SSL/TLS web server periodically obtain a time-stamped response from the Certificate Authority. Then, when a client submits an OCSP request, the web server returns the time-stamped response.
An aviation tracking system maintains flight records for equipment and personnel. The system is a critical command and control system that must maintain an availability rate of 99% for key parameter performance. The cloud service provider (CSP) guarantees a failover to multiple zones if an outage occurs. In addition to the multi-zonal cloud failover, what other backup solution could the system invest in order to maintain data locally? Control diversity Sandboxing Offline Vendor diversity
Offline An offline backup solution would be a good implementation to safeguard the systems data and have it readily available to access in the event of an outage.
A company's infrastructure and resources are set up in a vault on the second floor of a building. The company is responsible for maintaining services and equipment. Which of the following best describes the company's cloud concept? Cloud computing XaaS Hybrid cloud On-premise
On-premise On-premise computing refers to a company's infrastructure and resources which are all maintained locally in the company. The company is responsible for managing and maintaining assets.
The company's current network utilizes EAP-TTLS (EAP-Tunneled TLS) for supplicant clients connecting to the network. Newer model devices and systems are deployed on the network and are not compatible with EAP-TTLS. These systems require MS-CHAPv2 for authentication. Which of the following options will support these new systems? PEAP EAP-FAST EAP-MD5 LEAP
PEAP PEAP uses MSCHAPv2 in PEAPv0 (also known as EAP-MSCHAPv2). Where required, another iteration called PEAPv2 (also known as EAP-GTC), which is a Cisco implementation, can be used.
An attacker is preparing a phishing email mimicking the contents of a legitimate company email. The email will include a fake invoice to request payment for medical services and an email address that looks convincing. What can the attacker modify on the email to make it more convincing? Prepend "RE:" to the subject line. Ask for personal information. Increase the invoice number by 1. Change the employee's identity.
Prepend "RE:" to the subject line. Prepending means adding text that appears to have been generated by the mail system. For example, an attacker may add "RE:" to the subject line to make it appear more legitimate and a reply to a previous email thread.
Systems administrators rely on ACLs to determine access to sensitive network data. What control type do the administrators implement? Corrective Deterrent Preventative Detective
Preventative Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. An ACL (network access control list) is an example of this control type.
A cardiovascular patient is sent home with a monitoring device that records and sends data to a healthcare provider when triggered by abnormal cardiac activity. Response time to the data is critical to patient health. Which embedded platform is the medical device using? Distributed Real-time Standalone Networked
Real-time A real-time operating system (RTOS) is in an embedded system intended to serve real-time applications that process data as it comes in. It provides a quicker reaction to external events than a typical operating system.
Which team performs the offensive role in a penetration exercise? Blue team Purple team White team Red team
Red team The red team performs the offensive role to try to infiltrate the target. This team is one of two competing teams in a penetration testing exercise.
After reading an article online, a business stakeholder is concerned about a risk associated with Denial of Service (DoS) attacks. The stakeholder requests information about what countermeasures would be taken during an attack. Where would the security analyst look to find this information? Risk regulations Risk and Control Assessment Risk heat map Risk register
Risk register The risk register shows the results of risk assessments in a comprehensible document format. Information in the register includes impact, likelihood ratings, date of identification, description, countermeasures, owner/route for escalation, and status.
Analyze the methods and determine which a technician uses as a non-persistent recovery method on a server using a system baseline. Revert to known state Build from a template Rollback to known configuration Live boot media
Rollback to known configuration Rollback to known configuration is a mechanism for restoring a baseline system configuration, such as Windows System Restore.
A company requires a means of managing storage centrally and the ability to share the storage with multiple hosts where users can access data quickly and with little to no latency. Which of the following storage architectures would best meet the company's needs? Disk SAN RAID NAS
SAN - storage area network (SAN) A storage area network (SAN) solution provides access to block-level data storage that can be accessed by multiple users. A SAN offers flexibility, availability, and performance to consumers.
An employee can conduct meetings using a corporate owned personally enabled mobile (COPE) device while on a company related work trip. The service for the device is provided by Verizon Wireless. What component of the device authenticates the device to the provider? Token key Implied trust Context aware SIM
SIM A subscriber identity module (SIM) card is used to identify and authenticate subscribers on mobile and cellular devices. The SIM is issued by a cellular provider with roaming to allow use of other suppliers' tower relays.
A company desires a basic protocol for email. The owner requested that a local system store and manage email for each user. Compare the various mail protocols and recommend the best solution for the company. Secure Post Office Protocol v3 Simple Mail Transfer Protocol Secure Internet Message Access Protocol v4 Secure Multipurpose Internet Mail Protocol
Secure Post Office Protocol v3 Secure Post Office Protocol v3 (POP3) is a mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient's email client at their convenience.
A data exfiltration attack at a well-known retail company exposes a great deal of private data to the public. A portion of the data details the CEO's political and religious affiliations. When considering data classification types, which has been exposed? Sensitive Proprietary Confidential Critical
Sensitive A sensitive label is usually used in the context of personal data. This is privacy-sensitive information about a subject that could harm them if made public and could prejudice decisions made about them.
How does the General Data Protection Regulations (GDPR) classify data that can prejudice decisions, such as sexual orientation? Private Sensitive Confidential Proprietary
Sensitive The sensitive classification is used in the context of personal data about a subject that could harm them if made public and could prejudice decisions made about them if referred to by internal procedures.
An organization receives numerous negative reviews on social media platforms in response to a recent public statement. Experts use machine learning to identify any threatening language. Which approach do the experts use to identify security risks? Sentiment analysis Security monitoring Threat feeds User behavior analysis
Sentiment analysis Sentiment analysis is used to monitor social media for incidents, such as disgruntled consumers posting negative content. In terms of security, this can be used to gather threat intelligence.
How might responsibilities be divided among individuals to prevent abuse of power in an organization? Clean desk space Job rotation Separation of duties Least privilege
Separation of duties Separation of duties is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Divided duties among individuals prevent ethical conflicts or abuses of power.
In regards to performing forensic investigation in public clouds, what document would contain the right to audit clause, giving the investigator the authority to audit files on the network? Forensic reports Checksums Pagefile Service-level agreements (SLA)
Service-level agreements (SLA) A Service Level Agreement (SLA) is a formal agreement that lays out the detailed conditions in which the service is rendered. These could include terms and conditions for security access controls and risk evaluations, plus authentication criteria for proprietary and private data.
Which system allows a user to authenticate once to a local device and to be authenticated to other servers or services without entering credentials again? OpenID Connect Single sign-on Password vault OAuth
Single sign-on A single sign-on (SSO) system allows the user to authenticate once to a local device and be authenticated to compatible application servers without having to enter credentials again.
Which aspect of certificate and key management should an administrator consider when trying to mitigate or prevent the loss of private keys? OCSP Expiration Storage Revocation
Storage Private keys or certificates must be securely stored to prevent unauthorized use and loss. The certificate authority that creates the key pair must provide strict access control to the database and maybe even data-at-rest encryption.
A company provides smartphones to their employees. IT administrators have the ability to deploy, secure, and remove specific applications and data from the employees' smartphones. Analyze the selections and determine how IT can perform this type of control. Content management Baseband update Storage segmentation Push notifications
Storage segmentation Storage segmentation is personal data segmented from organizational data on a mobile device. It gives IT administrators control over corporate assets on employees' mobile devices.
Analyze the active defense solution statements and determine which best describes the purpose of a honeyfile. *A decoy is set as a distraction to emulate a false topology and security zones. *The attempts to reuse can be traced if the threat actor successfully exfiltrates it. *It is helpful in analyzing attack strategies and may provide early warnings of attacks. *Configurations are in place to route suspect traffic to a different network.
The attempts to reuse can be traced if the threat actor successfully exfiltrates it. A honeyfile is convincingly useful but actually fake data. This data can be made trackable, so that when a threat actor successfully exfiltrates it, the attempts to reuse or exploit it can be traced.
Flow analysis tools, such as IPFIX or Netflow, collect metadata about network traffic without capturing each frame. Evaluate the type of analysis that uses these tools. Packet analysis Trend analysis Log analysis Vulnerability analysis
Trend analysis Since flow analyzers gather metadata and statistics about network traffic, they are commonly used to visualize traffic statistics in order to assist in identifying trends.
A malicious actor successfully registered a domain called support247.onmicrosoft.com. This domain will be used to send emails to users to convince them to click the included links and attached files. Which social engineering technique is the malicious actor specifically using in this case? Reconnaissance Typosquatting Hybrid warfare Prepending
Typosquatting Typosquatting means that the threat actor registers a domain name that is very similar to a real one, such as connptia.org, hoping that users will not notice the difference.
What can a threat actor use to perform the popular social engineering technique of dropping USB media around a college campus? UAV Van Gray box OSINT
UAV An unmanned aerial vehicle (UAV), or drone, provides a vector a popular social engineering technique that drops infected USB media around college campuses. UAVs are also used for war flying.
The RADIUS server is down, and employees need immediate access to Wi-Fi routers in the office building. The WAPs (Wireless Access Points) service smartphones and tablets. After disabling Enterprise mode, how will users connect to the WAPs? Use a pre-shared key Use 5 GHz band Use company credentials Set devices to 802.11n
Use a pre-shared key PSK (Pre-shared Key) is the password needed to gain access to a WAP (Wireless Authentication Protocol) that is WPA2 enabled, for example.
A user reported that their Excel spreadsheets delete everything except the active sheet when running a recorded task called "Unhide worksheets" on a workbook. Command prompts have also been popping up on the Windows workstation when it restarts. If the workstation was legitimately compromised, how would an attacker maliciously reconfigure a recorded task on an Excel workbook? Using macro commands Using bash commands Using PowerShell commands. Using Python commands
Using macro commands A document macro is a sequence of actions performed in the context of a word processor, spreadsheet, or presentation file. This can be recorded and re-recorded in the application to change the outcome of the named task.
