DS Tests 1, 2, 3

management information base (MIB)

A _______________ is a database used for managing the entities in a communication network.

Building Automation System (BAS)

A ___________________ for offices and data centers ("smart buildings") can include physical access control systems, but also heating, ventilation, and air conditioning (HVAC), fire control, power and lighting, and elevators and escalators.

-Enable sampling of the data The organization should enable sampling of the data collected. Sampling can help them capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provide useful information. Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to run high-priority applications and traffic dependably, but that does not help in this situation. Compressing NetFlow data helps save disk space, but it does not increase the capacity of the bottleneck of 2 Gbps during collection. Enabling full packet capture would take even more resources to process and store and not minimize the bottleneck of 2 Gbps during collection.

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? -Enable full packet capture -Enable QoS -Enable NetFlow compression -Enable sampling of the data

-Web application vulnerability scan Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn't contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst? -Port scan -Web application vulnerability scan -Database vulnerability scan -Network vulnerability scan

-Directory traversal A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various user's passwords by attempting a compromised password against multiple user accounts.

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output: -=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=- 10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT " 10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT" 10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT" -=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=--=-=-=-=- What type of attack was most likely being attempted by the attacker? -SQL injection -Password spraying -XML injection -Directory traversal

Directory traversal A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred? -Buffer overflow -SQL injection -XML injection -Directory traversal

-Active scanning engine installed on the enterprise console. Since the college wants to ensure a centrally-managed enterprise console, using an active scanning engine installed on the enterprise console would best meet these requirements. Then, the college's cybersecurity analysts could perform scans on any devices connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the agents' installation onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.

A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally-managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements? -Passive scanning engine located at the core of the network infrastructure. -Combination of server-based and agent-based scanning engines. -Active scanning engine installed on the enterprise console. -Combination of cloud-based and server-based scanning engines.

-Conduct tokenization of the PHI data before ingesting it into the big data application. The university should utilize a tokenization approach to prevent an inadvertent release of the PHI data. In a tokenization approach, all or part of data in a field is replaced with a randomly generated token. That token is then stored with the original value on a token server or token vault, separate from the production database. This is an example of a deidentification control and should be used since the personally identifiable medical data is not needed to be retained after ingesting it for the research project; only the medical data itself is needed. While using DevSecOps can improve the overall security posture of the applications being developed in this project, it does not explicitly define a solution to prevent this specific issue making it a less ideal answer choice for the exam. Formal verification methods can be used to prove that none of the AI/ML techniques that process the PHI data could inadvertently leak. Still, the cost and time associated with using these methods make them inappropriate for a system used to conduct research. A formal method uses a mathematical model of a system's inputs and outputs to prove that the system works as specified in all cases. It is difficult for manual analysis and testing to capture every possible use case scenario in a sufficiently complex system. Formal methods are mostly used with critical systems such as aircraft flight control systems, self-driving car software, and nuclear reactors, not big data research projects. The option provided that recommends utilizing a SaaS model is not realistic. There is unlikely to be a SaaS provider with a product suited to the big data research being done. SaaS products tend to be commoditized software products that are hosted in the cloud. The idea of migrating to a SaaS is a distractor on this exam, which is trying to get you to think about shifting the responsibility for the PHI to the service provider and away from the university, but due to the research nature of the project, this is unlikely to be a valid option in the real world and may not be legally allowed due to the PHI being processed.

A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this? -Utilize format methods of verification against the application processing the PHI. -Utilize a SaaS model to process the PHI data instead of an on-premise solution. -Use DevSecOps to build the application that processes the PHI. -Conduct tokenization of the PHI data before ingesting it into the big data application.

-Permit 143.27.43.32 161.212.71.14 RDP 3389 Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ, so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only "permit 143.27.43.32 161.212.71.14 RDP 3389" could be correct.

A firewall administrator has configured a new DMZ to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ for the Chief Security Officer to work from his home office after hours. The CSO's home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?

-Changing hidden form values Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items' price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.

A hacker successfully modified the sale price of items purchased through your company's web site. During the investigation that followed, the security analyst has verified the web server, and the Oracle database was not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items' sale price? -SQL injection -Changing hidden form values -Cross-site scripting -Buffer overflow attack

-Rogue anti-virus Rogue anti-virus is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and to pay money for a fake malware removal tool (that actually introduces malware to the computer). It is a form of scareware that manipulates users through fear and a form of ransomware. Since the alert is being displayed on a macOS system but appears to be meant for a Windows system, it is obviously a scam or fake alert and most likely a rogue anti-virus attempting to infect the system.

A macOS user is browsing the internet in Google Chrome when they see a notification that says, "Windows Enterprise Defender: Your computer is infected with a virus, please click here to remove it!" What type of threat is this user experiencing? -Worm -Rogue anti-virus -Pharming

-Vulnerability scanning The best option here is vulnerability scanning as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could be a possible solution. These are not viable options without gaining administrative access to the appliance. Therefore, the analyst should continue to conduct vulnerability scanning of the device to understand the risks associated with it and then make recommendations to add additional compensating controls like firewall configurations, adding a WAF, providing segmentation. Other configurations outside the appliance to minimize the vulnerabilities it presents.

A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates? -Configuration management -Scan and patch the device -Vulnerability scanning -Automatic updates

-Rules of engagement While the contract documents' network scope will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees' use of company equipment and internet services.

A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation? -Rules of engagement -AUP -Memorandum of understanding -SLA

RFID

A proximity card is a contactless card that usually utilizes _______to communicate with the reader on a physical access system. These are commonly used to access secured rooms (such as server rooms) or even a building itself (such as at a mantrap).

-A buffer overflow that is known to allow remote code execution The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to prevent a security breach most effectively. While the other issues should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.

A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation? -A website utilizing a self-signed SSL certificate -A buffer overflow that is known to allow remote code execution -A cryptographically weak encryption cipher -An HTTP response that reveals an internal IP address

-SQL injection Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (') used in the log. A connection to the MySQL database is being used in the script, which could be exploited since no input validation is being performed. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory.

A security analyst is conducting a log review of the company's web server and found two suspicious entries: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- [12Nov2020 10:07:23] "GET /logon.php?user=test'+oR+7>1%20—HTTP/1.1" 200 5825 [12Nov2020 10:10:03] "GET /logon.php?user=admin';%20—HTT{/1.1" 200 5845 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- The analyst contacts the web developer and asks for a copy of the source code to the logon.php script. The script is as follows: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- php include('../../config/db_connect.php'); $user = $_GET['user']; $pass = $_GET['pass']; $sql = "SELECT * FROM USERS WHERE username = '$user' AND password = '$pass'"; $result = MySQL_query($sql) or die ("couldn't execute query"); if (MySQL_num_rows($result) !=0 ) echo 'Authentication granted!'; else echo 'Authentication failed!'; ?> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on source code analysis, which type of vulnerability is this web server vulnerable to? -Command injection -Directory traversal -LDAP injection -SQL injection

-The attack widely fragmented the image across the host file system. Due to the VM disk image's deletion, you will now have to conduct file carving or other data recovery techniques to recover and remediate the virtualized server. If the server's host uses a proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools. The attacker may have widely-fragmented the image across the host file system when they deleted the disk image. VM instances are most useful when they are elastic (meaning they optimally spin up when needed) and then destroyed without preserving any local data when security has performed the task, but this can lead to the potential of lost system logs. To prevent this, most VMs also save their logs to an external Syslog server or file. Virtual machine file formats are image-based and written to a mass storage device. Depending on the configuration and VM state, security must merge any checkpoints to the main image, using a hypervisor tool, not recovery from an old snapshot, and then roll forward. It is possible to load VM data into a memory analysis tool, such as Volatility. However, some hypervisors' file formats require conversion first, or it may not support the analysis tool.

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts? -The attack widely fragmented the image across the host file system. -File formats used by some hypervisors cannot be analyzed with traditional forensic tools. -All log files are stored within the VM disk image, therefore, they are lost. -You will need to roll back to an early snapshot and then merge any checkpoints to the main image.

-set type=ns The "set type=ns" tells nslookup only reports information on name servers. If you used "set type=mx" instead, you would receive information only about mail exchange servers.

An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers? -set type=ns -locate type=ns -transfer type=ns -request type=ns

-Port scan targeting 10.10.3.6 Port Scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making "Port scan targeting 10.10.3.6" the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overbears a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions.

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- What type of activity occurred based on the output above? -DoS attack targeting 10.10.3.6 -Fragmentation attack targeting 10.10.3.6 -Port scan targeting 10.10.3.2 -Port scan targeting 10.10.3.6

-malicious scripts -browser

Cross-Site Scripting (XSS) attacks are a type of injection in which ____________ are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a __________ side script, to a different end-user.

unauthorized commands are transmitted from a user that the web application trusts

Cross-site request forgery (CSRF or XSRF) is a type of malicious exploit of a website where _______________________________. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge.

web applications

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in ___________. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy.

removing

Data anonymization is the process of _____________ personally identifiable information from a data set so that the people whom the data describe remain anonymous.

redacted

Data masking can mean that all or part of a field's contents is ___________, by substituting all character strings with x, for example.

Recovery time objective (RTO)

Describes a period of time in which an enterprise's operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster or communications failure.

-Implement NAC Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets and provide them with access to the secure internal network. NAC could also determine unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them onto a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define what ports, protocols, or IP addresses the ethernet port could be utilized. Still, it would be unable to distinguish between a Dion Training employee's laptop and a CompTIA employee's laptop like a NAC implementation could.

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements? -Configure a SIEM -Implement NAC -MAC filtering -Create an ACL to allow access

-Transference Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing the activity that is risk-bearing. Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Acceptance means that no countermeasures are put in place either because the risk level does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company in an incident. Which of the following best describes the company's risk response? -Acceptance -Mitigation -Avoidance -Transference

root directory

Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's __________.

-SMS messages may be accessible to attackers via VoIP or other systems NIST's SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS is unable to be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor.

During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? -SMS should be paired with a third factor -SMS should be encrypted to be secure -SMS messages may be accessible to attackers via VoIP or other systems

-Randomized one-time use pad The only truly unbreakable encryption is one that uses a one-time use pad. This ensures that every message is encrypted with a different shared key that only the two owners of the one-time use pad would know. This technique ensures that there is no pattern in the key for an attacker to guess or find. Even if one of the messages could be broken, all of the other messages would remain secure since they use different keys to encrypt them. Unfortunately, one-time use pads require that two identical copies of the pad are produced and distributed securely before they can be used. DES and AES both rely on a single shared secret key, making it vulnerable to attack. DES has already been broken, while AES remains unbroken (today). With enough time and computing power, though, an AES key could be discovered. RSA is also vulnerable to attack with enough time and computing power.

Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption? -AES with a 256-bit key -Randomized one-time use pad -DES with a 56-bit key -ECC with a 256-bit key

-Create a daily incremental backup to tape Since the RPO must be within 24 hours, daily or hourly backups must be conducted. Since the requirement is for backups to be conducted at a specific time each week, hourly snapshots would not meet this requirement and are not easily transported since they are being conducted as a disk-to-disk backup. Replication to a hot site environment also doesn't allow for transportation of the data to an off-site facility for storage, and replication would continuously occur throughout the day. Therefore, a daily incremental backup should be conducted since it will require the least amount of time to conduct. The tapes could be easily transported for storage and restored incrementally from tape since the last full backup was conducted.

Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24 hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements? -Conduct full backups daily to tape -Create disk-to-disk snapshots of the server every hour -Configure replication of the data to a set of servers located at a hot site -Create a daily incremental backup to tape

-A compensating control Based on the question's wording, a compensating control would be most accurate for the given scenario. Compensating controls may be considered when an entity cannot meet a requirement explicitly, as stated due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement by implementing other controls. Access requirements are a form of logical controls that can be implemented to protect a system and could be a form of a compensating control if used appropriately. A policy is a statement of intent and is implemented as a procedure or protocol within an organization. An engineering tradeoff is a situational decision that involves diminishing or losing one quality, quantity, or property of a set or design in return for gains in other aspects. Often, an engineering tradeoff occurs when we trade security requirements for operational requirements or vice versa.

If an administrator cannot fully remediate a vulnerability, which of the following should they implement? -A compensating control -A policy -Access requirements -An engineering tradeoff

-Improper error handling This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail and allows the attacker to execute code or perform an injection attack. One famous example of an improper error handling vulnerability is Apple's GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266. Insecure object reference refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. Insufficient logging and monitoring allow attackers to achieve their goals without being detected due to the lack of monitoring and timely response by defenders. The use of insecure functions occurs in the C language when legacy functions like strcpy() are used. These insecure functions can lead to buffer overflow and other exploits being successful against a program.

In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of? -Insufficient logging and monitoring -Use of insecure functions -Improper error handling -Insecure object reference

Data minimization

Involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected.

the matching of patterns on the surface of the eye

Iris scans rely on _________________ using near-infrared imaging, and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance) and much quicker.

Data anonymization

Is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

-Contract the service desk or incident response team to determine what to do next. This is an example of either a data leak or a data breach. James is not sure how the website got the details of the product's specifications. Therefore, he should follow his organizational procedures for notification that internal company information has been leaked to the internet. In most organizations, the service desk acts as the single point of contact for all IT issues (even possible data breaches), and they can refer James to the incident response team (if one is currently stood up). Since James works as a programmer, it is unlikely that his team lead is responsible for handling a data leak or data breach, so it is better to contact the service desk first. James should not contact the website directly nor reply to the blog post. Instead, he should leave the response actions to the security team and the incident response team.

James, a programmer at Apple Computers, is surfing the internet on his lunch break. He comes across a rumor site focused on providing details of the upcoming iPhone being released in a few months. James knows that Apple likes to keep its product details a secret until it is publicly announced. As James is looking over the website, he sees a blog post with an embedded picture of a PDF containing detailed specifications for the next iPhone and labeled "Proprietary Information - Internal Use Only." The new iPhone is still several months away from release. What should James do next? -Contract the service desk or incident response team to determine what to do next. -Contact his team lead and ask what he should do next. -Contact the website's owner and request they take down the PDF.

code

LDAP injection is a ____injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores.

-Processor cache -RAM -Swap File -Hard Drive/USB

List the correct order for evidence collection based on volatility

Open ID Connect (OIDC)

OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. ________________ is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields.

managed security service provider (MSSP)

Provides Security as a Service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings

an infrared light shone into the eye to identify the pattern of blood vessels

Retinal scans utilize ______________________. The arrangement of these blood vessels is highly complex and typically does not change from birth to death, except in the event of certain diseases or injuries.

-WAF WAF (web application firewall) is the best option since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue. Therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping an SQL injection. An IPS are designed to protected network devices based on ports, protocols, and signatures. It would not be effective against an SQL injection and is not considered a compensating control for this vulnerability.Bottom of FormTop of Form

Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated? -Vulnerability scanning -WAF -IPS -Encryption

-data-driven -entry field

SQL injection is a code injection technique used to attack _____________ applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.

web page input

SQL injection is the placement of malicious code in SQL statements via _______________.

XML

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an ___-based markup language for security assertions.

Extensible Markup Language (XML)

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). SAML transactions use __________ for standardized communications between the identity provider and service providers. SAML is the link between the authentication of a user's identity and the authorization to use a service.

XML

Security assertions markup language (SAML) is an ____-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management.

-IPS Since this question is focused on the ICS/SCADA network, the best solution would be to implement an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment and to prevent malicious activity. You could set up strict rules in the IPS to prevent unknown types of actions from being allowed to occur. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before conducting any patches. Often, patches will break ICS/SCADA functionality. Anti-virus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems often do not rely on standard operating systems like Windows.

The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems? -Automated patch deployment -IPS -Log consolidation -Anti-virus software

-IPv6 IPv6 includes IPSec built into the protocol by default. Additionally, IPv6 also provides an extended IP address range for networks, eliminating the need for using NAT. IPv4 does not include IPSec or extended IP address ranges by default. WPA2 is the most modern and secure version of wireless encryption for WiFi networks, but it doesn't include IPSec or extended IP address ranges by default. WEP is an older version of wireless encryption for WiFi networks and doesn't provide these features by default, either.

To improve the Dion Training corporate network's security, a security administrator wants to update the configuration of their wireless network to have IPSec built into the protocol by default. Additionally, the security administrator would like for NAT to no longer be required for extending the number of IP addresses available. What protocol should the administrator implement on the wireless network to achieve their goals? -WPA2 -WEP -IPv4 -IPv6

all or part of data in a field

Tokenization means that ________________ is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique.

-replaced -randomly generated token

Tokenization means that all or part of data in a field is _______________with a _________________.

-RADIUS Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication.

Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the following is the MOST likely cause of the issue? -CSMA/CA -RADIUS -WPA2 security key -SSL certificates

Controller Area Network (CAN)

Vehicular networks are called a _________________. A **** uses serial communication buses to connect electronic control units and other subsystems in cars and unmanned aerial vehicles (UAV).

-Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first. PHI is an abbreviation for Personal Health Information. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, those critical assets to the secure handling or storage of PHI are of the highest risk should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not identify all the false positives and exceptions and then resolve any remaining items since they won't be prioritized for remediation. You should also not wait to perform additional scanning because a scan is only a snapshot of your current status. If it takes 30 days to remediate all the vulnerabilities and do not scan, new vulnerabilities may have been introduced. Placing all the PHI asserts into a sandbox will not work either because then you have removed them from the production environment, and they can no longer serve their critical business functions.

Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next?

-Security policy violations A network is only as strong as its weakest link (or host/server). When you comingle hosts/servers, there is a large risk that security policy violations could occur. This is because users may be used to following a less stringent security policy for one set of machines and carry over those procedures to a machine that should have had stronger security policies.

What is a major security risk that could occur when you comingle hosts/servers with different security requirements in a single network? -Password compromises -Security policy violations -Zombie attacks -Privilege creep

Risk appetite

What is the term for the amount of risk that an organization is willing to accept or tolerate?

-Social engineering Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, utilizing social engineering techniques such as phishing or pharming can help you determine if additional end-user security training should be included in the organization. The other three options focus solely on technical controls. Therefore adding end-user training would not affect these technology options.

What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network? -Vulnerability scanning -Network sniffing -Social engineering -Application security testing

-Blowfish AES, PKCS, and SSL/TLS are all compatible with x.509 and can be used in a wide variety of functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature algorithm. SSL/TLS is used for secure key exchange.

What technology is NOT PKI x.509 compliant and cannot be used in various secure functions? -SSL/TLS -PKCS -AES -Blowfish

-Hardware write blocker Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive's contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker's primary purpose is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device. A forensic drive duplicator copies a drive and validates that it matches the original drive but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the hard drive contents.

When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis? -Degaussser -Hardware write blocker -Forensic drive duplicator -Software write blocker

-Data masking Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from a data set so that the people whom the data describe remain anonymous.

When your credit card data is written to the customer invoicing system at Dion Training, the first 12 digits are replaced with an x before storing the data. Which of the following privacy methods is being used? -Data minimization -Tokenization -Anonymization -Data masking

-http.request.methd=="POST" && ip.dst=10.1.2.3 Filtering the available PCAP with just the http "post" methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both of these can minimize the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto==tcp filter would display all TCP traffic on a network, regardless of the port, IP address, or protocol being used. It would simply produce too much information to analyze.

Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3? -http.request.method=="POST" -ip.dst=10.1.2.3 -http.request.methd=="POST" && ip.dst=10.1.2.3 -ip.proto=tcp

-TOTP The Time-based One-time Password Algorithm (TOTP) is a refinement of the HOTP. One issue with HOTP is that tokens can be allowed to persist unexpired, raising the risk that an attacker might obtain one and decrypt data in the future. In TOTP, the HMAC is built from the shared secret plus a value derived from the device's and server's local timestamps. TOTP automatically expires each token after a short window (60 seconds, for instance).

Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually through a token-based key fob or smartphone app, that automatically expires after a short period of time (for example, 60 seconds)? -TOTP -EAP -Smart card -HOTP

-HOTP HMAC-based One-time Password Algorithm (HOTP) is an algorithm for token-based authentication. The authentication server and client token are configured with the same shared secret. The token could be a fob-type device or implemented as a smartphone app. The token does not have an expiration under HOTP, but an improved version known as TOTP does include token expirations.

Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually through a token-based key fob or smartphone app, that does not expire? -Smart card -TOTP -EAP -HOTP

-SP (Service Provider) Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

Which of the following does a User Agent request a resource from when conducting a SAML transaction? -RP (Relying Party) -SP (Service Provider) -SSO -IDP (Identity Provider)

-Classification of information Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization's data classification policy.

Which of the following elements is LEAST likely to be included in an organization's data retention policy? -Minimum retention period -Maximum retention period -Description of information that needs to be retained -Classification of information

-Tickets used to identify authenticated users Whether you learned the in-depth details of each of these protocols during your studies or not, you should be able to answer this question by remembering that Kerberos is all about 'tickets.' Kerberos uses a system of tickets to allow nodes to communicate over a non-secure network and securely prove their identity. Kerberos is used heavily in Windows domain environments.

Which of the following features is supported by Kerberos but not by RADIUS and Diameter? -XML for cross-platform interoperability -Services for authentication -SSO capability -Tickets used to identify authenticated users

-Quietly gathers information from compromised systems An APT refers to an adversary's ongoing ability to compromise network security by using a variety of tools and techniques to obtain and maintain access. An APT is usually a highly sophisticated nation-state threat actor that quietly gathers information from compromised systems and can lay in waiting for several months during an ongoing attack. In general, an APT is primarily focused on espionage and strategic advantage, but some target companies purely for commercial gain. An APT is unlikely to conduct a DDoS attack, use worms to spread throughout the network, or use ransomware as part of their covert attacks.

Which of the following is a common attack model of an APT attack? -Quietly gathers information from compromised systems -Involves sophisticated DDoS attacks -Holds an organization's data hostage using encryption -Relies on worms to spread laterally

-PII The four forms of regulated data covered by the CompTIA A+ (220-1002) exam are PII (Personally Identifiable Information), PCI (Payment Card Industry), GDPR (General Data Protection Regulation), and PHI (Protected Health Information).

Which of the following is considered a form of regulated data? -DMCA -DRM -PII

-VPN Endpoint security includes software host-based firewalls, host-based intrusion protection systems (HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is a network security tool.

Which of the following is not normally part of an endpoint security suite? -VPN -IPS -Software firewall -Anti-virus

-Full packet capture Full packet capture records the complete payload of every packet crossing the network. The other methods will not provide sufficient information to detect a cleartext password being sent. A net flow analysis will determine where communications occurred, by what protocol, to which devices, and how much content was sent. Still, it will not reveal anything about the content itself since it only analyzes the metadata for each packet crossing the network. A SIEM event log being monitored might detect that an authentication event has occurred. Still, it will not necessarily reveal if the password was sent in cleartext, as a hash value, or in the ciphertext. A software design documentation may also reveal the designer's intentions for authentication when they created the application, but this only provides an 'as designed' approach for a given software and does not provide whether the 'as-built' configuration was implemented securely.

Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext? -Full packet capture -Net flow capture -Software design documentation review -SIEM event log monitoring

-GPO Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. It allows an administrator to create a policy and deploy it across many devices in the domain or network. Patch management, host intrusion prevention systems (HIPS), and anti-malware software are different host security controls. Still, only GPOs have the ability to configure settings across multiple Windows devices efficiently.

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices? -Patch management -HIPS -GP -Anti-malware

-OpenID Connect OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? -Kerberos -SAML -OpenID Connect -ADFS

-Purging Degaussing is classified as a form of purging. Purging eliminates information from being feasibly recovered even in a laboratory environment. Purging includes degaussing, encryption of the data with the destruction of its encryption key, and other non-destructive techniques. Some generic magnetic storage devices can be reused after the degaussing process has finished, such as VHS tapes and some older backup tapes. For this reason, though, the technique of degaussing is classified as purging and not destruction, even though hard drives are rendered unusable after being degaussed. Clearing data prevents data from being retrieved without the use of state of the art laboratory techniques. Clearing often involves overwriting data one or more times with repetitive or randomized data. Destroying data is designed not merely to render the information unrecoverable but also to hinder any reuse of the media itself. Destruction is a physical process that may involve shredding media to pieces, disintegrating it into parts, pulverizing it to powder, or incinerating it to ash. Erasing or deleting is considered a normal operation of a computer, which erases the data file's pointer on a storage device. Erasing and deleting are easily reversed, and the data can be recovered with commercially available or open-source tools.

Which type of media sanitization would you classify degaussing as? -Purging -Destruction -Erasing -Clearing

-Separation of duties This organization uses separation of duties to ensure that neither Kirsten nor Bob can exploit the organization's ordering processes for their own individual gain. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Mandatory vacation policies require employees to take time away from their job and detect fraud or malicious activities. A background check is a process a person or company uses to verify that a person is who they claim to be and provides an opportunity for someone to check a person's criminal record, education, employment history, and other past activities to confirm their validity.

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders? -Dual control -Separation of duties

logic

XML Injection is an attack technique used to manipulate or compromise an XML application or service's ________.

-Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface.Top of Form The most immediate protection against this emergent threat would be to block the web interface from being accessible over the network. Before doing this, you must evaluate whether the interface needs to remain open for the system to function properly. If it is not needed, you should block it to minimize the SCADA/ICS component's attack surface. Ideally, your SCADA/ICS components should already be logically or physically isolated from the enterprise network. Since the question doesn't mention the networks as an area of concern, we can assume they are already following the industry best practice of logical or physical segmentation between the SCADA/ICS network and the enterprise network. On the exam, make sure you focus on the question being asked. In this case, the question focuses on the web interface. Developing a patch can be a time-consuming process, therefore waiting for the manufacturer to provide a patch will not provide immediate protection to your components. The same is true for replacing the affected components. Even if you could get the company to authorize the funding for such a purchase, it would take time to order, ship, receive and install the new components. Additionally, you would cause unwanted downtime in the factory during the installation of the components, making it an ineffective option when simply blocking the web interface is free, quick, and effective.

You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company's manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat? -Replace the affected SCADA/ICS components with more secure models from a different manufacturer. -Demand that the manufacturer of the component release a patch immediately and deploy the patch as soon as possible. -Evaluate if the web interface must remain open for the system to function; if it isn't needed, block the web interface. -Logically or physically isolate the SCADA/ICS component from the enterprise network.

-Data exfiltration If attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request. For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB. Therefore, this scenario is an example of a data exfiltration indicator of compromise.

You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as? -Beaconing -Data exfiltration -Introduction of new accounts -Unauthorized privilege

-The beacon's protocol The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely. Other factors like the beacon's persistence (if it remains after a reboot of the system) and the beacon's interval (how much time elapses between beaconing) are much better indicators for fingerprinting a malicious beacon. The removal of known traffic by the script can also minimize the amount of data the cybersecurity analyst needs to analyze, making it easier to detect the malicious beacon without wasting their time reviewing non-malicious traffic.

You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacons behavior on the network? -The beacon's persistence -The beacon's protocol -The beaconing interval -The removal of known traffic

-War walking War walking is conducted by walking around a build while locating wireless networks and devices. War walking will not help find a wired rogue device. Checking valid MAC addresses against a known list, scanning for new systems or devices, and physically surveying for unexpected systems can be used to find rogue devices on a wired network.

You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device? -Port scanning -Site surveys -War walking -MAC validation

-Metadata Netflow is a flow analysis tool. Netflow does not capture the full packet capture of data as it crosses the network sensor but instead captures metadata and statistics about the network traffic. This metadata can highlight trends and patterns in the traffic generated by the malicious user, such as the volume of data sent and received. This could indicate data exfiltration if a large amount of data was sent in a short period of time. File contents and email messages could be retrieved from a full packet capture, but unfortunately, that was not provided in this scenario. Application logs are stored locally on a host or a centralized server, but those would not be captured in the netflow data.

You have been asked to assist with an investigation into a malicious user's activities. Unfortunately, your organization did not have full packet capture available for the time period of the suspected activities. Instead, you have received netflow data that contains statistics and information about the network traffic during that time period. Which of the following best represents the type of data you can obtain from this netflow data to support the investigation? -Metadata -Email messages -Application logs -File contents

-You tell the developer to review their code and implement a bug/code fix. Since your company owns the website, you can require the developer to implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE function to work on this website. The code change to perform is quite simple, simply adding "autocomplete=off" to the code's first line. The resulting code would be <form action="authenticate.php" autocomplete="off">.

You have been asked to scan your company's website using the OWASP ZAP tool. When you perform the scan, you received the following warning: "The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved." You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- <form action="authenticate.php"> Enter your username: <BR> <input type="text" name="user" value="" autofocus><BR> Enter your Password: <BR> <input type="password" name="pass" value="" maxlength="32"><BR> <input type="submit" value="submit"> </form> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on your analysis, which of the following actions should you take? -You tell the developer to review their code and implement a bug/code fix. -This is a false positive, and you should implement a scanner exception to ensure you don't receive this again during your next scan. -You recommend that the system administrator disables SSL on the server and implements TLS instead. -You recommend that the system administrator pushes out a GP update to reconfigure the web browsers security settings.

-IaaS Infrastructure as a Service (Iaas) is focused on moving your servers and computers into the cloud. If you purchase a server in the cloud and then install and manage the operating system and software on it, this is Iaas.

You want to create a website for your new technical support business. You decide to purchase an on-demand cloud-based server and install Linux, Apache, and WordPress on it to run your website. Which of the following best describes which type of service you have just purchased? -IaaS -SaaS -PaaS -DaaS

-DaaS Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses focused on increasing their security and minimizing their operational expenses. Shadow PC (shadow.tech) provides a version of DaaS for home users who want to have a gaming PC without all the upfront costs.

You want to play computer-based video games from anywhere in the world using your laptop or tablet. You heard about a new product called a Shadow PC that is a virtualized Windows 10 Home gaming PC in the cloud. Which of the following best describes this type of service? -PaaS -DaaS -SaaS -IaaS

-Disable WPS WPS was created to ease the setup and configuration of new wireless devices by allowing the router to automatically configure them after a short eight-digit PIN was entered. Unfortunately, WPS is vulnerable to a brute-force attack and is easily compromised. Therefore, WPS should be disabled on all wireless networks. If Bob could enter your apartment and press the WPS button, he could have configured his laptop to use your wireless network without your WPA2 password.

Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of "connected clients" and see that "Bob's Laptop" is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the WPA2 password? -Disable SSID broadcast -Disable WPS -Disable WPA2 -Enable WPA

-Bluejacking Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. Bluesnarfing, on the other hand, involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a very limited range, so the attacker is likely within 10 meters of the victimized device. Geotagging involves embedded the geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.

Your smartphone begins to receive unsolicited messages while you are eating lunch at the restaurant across the street from your office. What might cause this to occur? -Bluesnarfing -Bluejacking

Command

___________ injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection.

Known bad data

____________ injection is a technique where data known to cause an exception or fault is entered as part of the testing/assessment. With ******** injections, you would not use randomly generated data sets, though.

Netcat

____________ is used to create a reverse shell from a victimized machine back to an attacker.

NetFlow

____________ provides information about network traffic.

Aircrack-ng

_____________ is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file.

System-on-chip (SoC)

_____________ is a design where all these processors, controllers, and devices are provided on a single processor die or chip.

John the Ripper

______________ is a password cracking software tool. Nessus is a vulnerability scanner

Insecure object reference

_______________ refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control.

Security Assertion Markup Language (SAML)

________________ is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). SAML transactions use Extensible Markup Language (XML) for standardized communications between the identity provider and service providers. SAML is the link between the authentication of a user's identity and the authorization to use a service.

Static code analysis

__________________ is a method of debugging by examining source code before a program is run.

Defense in depth

__________________ is the concept of layering various network appliances and configurations to create a more secure and defensible architecture.

SCADA (supervisory control and data acquisition)

__________________ networks work off of an ICS (industry control system) and is used to maintain sensors and control systems over large geographic areas.

Simple Network Management Protocol (SNMP)

___________________ is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, and many other useful details about the device.

Fuzzing

___________is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), failing built-in code assertions, or finding potential memory leaks. Dynamic code analysis relies on studying how the code behaves during execution. ****** is a specific type of dynamic code analysis.