Maya's Cyber Security Study Set 7 02/22/24

SIMULATION- A systems admin needs to install a new wireless network for authenticated guest access. The wireless network should support 802.1x using the most secure encryption and protocol available. INSTRUCTIONS- Perform the following steps: 1. Configure the RADIUS server. 2. Configure the Wi-Fi controller 3. Preconfigure the client for an incoming guest. The guest AD credentials are: User: guest01- Password: Guestpass- If at any time you would like to bring back the initial state of the simulation, please click the Reset All Button.

- WiFi Controller - SSID: CORPGUEST Shared Key: SECRET AAA server IP: 192.168.1.20 PSK: BLANK Authentication Type: WPA2-EAP-PEAP-MSCHAPV2 Controller IP: 192.168.1.10 - Wireless Client- SSID: CORPGUEST Username: guest01 User password: guestpass PSK: BLANK Authentication Type: WPA2-Enterprise - RADIUS Server - Shared Key: SECRET Client IP: 192.168.1.10 Authentication Type: Active Directory Server IP: 192.168.1.20

A university is opening a facility in a location where there is an elevated risk of theft. The university wants to protect the desktops in its classrooms and labs. Which of the following should the university use to BEST protect these assets deployed in the facility? A. Visitor logs B. Cable locks C. Guards D. Disk Encryption E. Motion Detection

Cable locks: "The university wants to protect the desktops..." Cable locks, no organization is going to pay to have security in a classroom to oversee desktop theft and the question clearly states, "protect the desktops."

A security analyst needs to perform periodic vulnerability scans on production systems. Which of the following scan types would produce the BEST vulnerability scan report? A. Port B. Intrusive C. Host discovery D. Credentialed

Credentialed Scan: Credentialed scan will include versions of software applications that might be vulnerable. You'll get the most access and therefore the best intel regarding vulnerabilities if you have credentials to access the system.

An analyst is trying to identify insecure services that are running on the internal network. After performing a port scan, the analyst identifies that a server has some insecure service enabled on default ports. Which of the following BEST describes the services that are currently running and the secure alternatives for replacing them? A. SFTP, FTPS B. SNMPv2, SNMPv3 C. HTTP, HTTPS D. TFTP, FTP E. SNMPv1, SNMPv2 F. Telnet, SSH G. TLS, SSL H. POP, IMAP I. Login, rlogin

HTTP, HTTPS & SNMPv2, SNMPv3 & Telnet, SSH: ✗ A. SFTP, FTPS -SFTP is FTP over SSH, FTPS is FTP over SSL/TLS which means they both have encryption mechanisms built in. ✓ B. SNMPv2, SNMPv3 -v2 has no encryption. v3 does. ✓ C. HTTP, HTTPS -HTTP is plaintext. HTTPS is HTTP Secure (SSL and now TLS). ✗ D. TFTP, FTP -Neither of these are secure protocols. ✗ E. SNMPv1, SNMPv2 -Neither of these feature encryption, although as stated up v3 does. ✓ F. Telnet, SSH -Telnet is in the clear. SSH in encrypted. ✗ G. TLS, SSL -Both cryptographic protocols, TLS is an upgrade to SSL, not the other way around. While SSL in considered insecure, it's supposed to be, and these protocols don't have "default ports". ✗ H. POP, IMAP -You'd probably be looking for POP->POP3 or IMAP->IMAPS here. These email protocols that work a bit differently. ✗ I. Login, rlogin -These are not in the SY0-601 objectives from what I remember. I had to do a quick search: rlogin is a remote access protocol for Linux that sends passwords in-the-clear and was basically replaced by SSH.

A company's Chief Information Security officer(CISO) recently warned the security manager that the company's Chief Executive Officer(CEO) is planning to publish a controversial opinion article in a national newspaper, which may result in new cyberattacks. Which of the following would be BEST for the security manager to use in a threat model? A. Hacktivists B. White-hack hackers C. Script kiddies D. Insider threats

Hacktivists: No other threat actors will be motivated by a "Controversial opinion on an article" to engage in a cyber attack other than hacktivists. The CEO's controversial opinion article is likely to generate attention and potentially provoke strong reactions from various groups or individuals, including hacktivists who may target the company's systems in protest, or malicious insiders who may exploit the situation for personal gain.

A security analyst is performing a packet capture on a series of SOAP HTTP requests for a security assessment. The analyst redirects the output to a file. After the capture is complete, the analyst needs to review the first transactions quickly and then search the entire series of requests for a particular string. Which of the following would be BEST to use to accomplish this task? (Choose two). A. Head B. TCPdump C. Grep D. Tail E. Curl F. OpenSSL G. DD

Head & Grep: Tcpdump - cant be the answer as the question already specifies the capture is done and complete, which would have been the tcpdump, its A. head - as it reviews the transactions and C. grep - for searching.

A security engineer needs to implement the following requirements: -All Layers 2 switches should leverage Active Directory for authentication. - All Layer 2 switches should use local fallback authentication of Active Directory is offline. - All Layer 2 switches are not the same and are manufactured by several vendors. Which of the following actions should the engineer take to meet these requirements? (Choose two.) A. Implement RADIUS. B. Configure AAA on the switch with local login as secondary. C. Configure port security on the switch with the secondary login method. D. Implement TACACS+. E. Enable the local firewall on the Active Directory server. F. Implement a DHCP server.

Implement RADIUS & Configure AAA on the switch with local login as secondary: To meet the requirements, the security engineer should implement RADIUS (Remote Authentication Dial-In User Service) as the primary authentication method for all Layer 2 switches. RADIUS provides centralized authentication and authorization for network devices and can leverage the existing Active Directory infrastructure for user authentication. The engineer should also configure AAA (Authentication, Authorization, and Accounting) on the switches with local login as the secondary authentication method, so that if Active Directory is offline, the switch can still authenticate local users and maintain network availability. This ensures that the switches are able to authenticate users even if Active Directory is temporarily unavailable, while also providing centralized management of user authentication.

A worldwide manufacturing company has been experiencing email account compromises. In one incident, a user logged in from the corporate office in France, but then seconds later, the same user account attempted a login from Brazil. Which of the following account policies would BEST prevent this type of attack? A. Network location B. Impossible Travel Time C. Geolocation D. Geofencing

Impossible Travel Time: An impossible travel time/risky login policy tracks the location of login events over time. If these do not meet a threshold, the account will be disabled. For example, a user logs in to an account from a device in New York. A couple of hours later, a login attempt is made from LA, but this is refused and an alert raised because it is not feasible for the user to be in both locations. Geofencing is the practice of creating a virtual boundary based on real-world geography. Geofencing can be a useful tool with respect to controlling the use of camera or video functions or applying context-aware authentication geolocation The identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.

A security administrator checks the table of a network switch, which shows the following output: VLAN Physical ADDR Type Port 1 001a:42ff:5113 Dynamic Ge0/5 1 9faa:abcf:ddee Dynamic Ge0/5 1 c6a9:6b16:758e Dynamic Ge0/5 Which of the following is happening to this switch? A. MAC flooding B. DNS poisoning C. MAC cloning D. ARP poisoning

MAC flooding: All of the MAC addresses are 'flooding' one port! Essentially, MAC flooding inundates the network switch with data packets that disrupt the usual sender to recipient flow of data that is common with MAC addresses. The end result is that rather than data passing from a specific port or sender to a specific recipient, the data is blasted out across all ports.

A security analyst needs to make a recommendation for restricting access to certain segments of the network using only data-link layer security. Which of the following controls will the analyst MOST likely recommend? A. MAC B. ACL C. Bridge Protocol Data Unit(BPDU): security feature found in multiple networking devices. D. ARP

MAC: Data Link layer means switch port level. There are two ways to restrict switch port access aka port security. 1. MAC filtering 2. 802.1x. As others said, An ACL is usually matched with IP addresses not MAC. ARP and BPDU have nothing to do with port security. A MAC address is an address, not a control.

A security analyst is preparing a threat brief for an upcoming internal penetration test. The analyst needs to identify a method for determining the tactics, techniques, and procedures of a threat actor against the organization's network. Which of the following will the analyst MOST likely use to accomplish the objective? A. A tabletop exercise B. NIST CSF C. MITRE ATT&CK D. Open Worldwide Application Security Project(OSWAP): is a nonprofit foundation dedicated to improving software security.

MITRE ATT&CK: MITRE ATT&CK can be used to classify attacks. MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

A network administrator has been asked to design a solution to improve a company's security posture. The administrator is given the following requirements: -The solution must be inline in the network. -The solution must be able to block known malicious traffic. -The solution must be able to stop network-based attacks. Which of the following should the network administrator implement to BEST meet these requirements? A. Host Based Intrusion(HIDS) B. Network Intrusion(NIDS) C. Host Based prevention (HIPS) D. Network prevention(NIPS)

Network Intrusion Prevention Systems(NIPS): ✑ "The solution must be inline in the network"; can't be host based so NIDS or NIPS. ✑ "The solution must be able to block known malicious traffic."; can't be IDS as must prevent so NIPS. ✑ "The solution must be able to stop network-based attacks."; again, network based so can't be HIDS or HIPS.

A company is upgrading its wireless infrastructure to WPA2-Enterprise using EAP-TLS. Which of the following must be part of the security architecture to achieve AAA? (Choose two.) A. DNSSEC B. Reverse proxy C. VPN concentrator D. PKI E. Active Directory F. RADIUS

PKI & RADIUS: To achieve AAA (Authentication, Authorization, and Accounting) for WPA2-Enterprise using EAP-TLS, the following two components must be part of the security architecture: D. PKI (Public Key Infrastructure) - A PKI infrastructure is necessary to secure the EAP-TLS protocol and ensure the authenticity of clients and servers during the authentication process. It is responsible for the issuance and management of digital certificates, which are used to verify the identity of clients and servers. F. RADIUS (Remote Authentication Dial-In User Service) - RADIUS is an AAA protocol used to manage user authentication, authorization, and accounting for wireless networks. It acts as an intermediary between the wireless clients and the authentication server, and is responsible for transmitting user credentials and authorization information between the two. When using EAP-TLS, RADIUS serves as the intermediary between the wireless client and the authentication server, providing the necessary security and authentication services to complete the AAA process.

The following are the logs of a successful attack: [DATA] attacking service ftp on port 21 [ATTEMPT] 09:00:01UTC target 192.168.50.1 - login "admin" - pass "p$55w0rd" [ATTEMPT] 09:00:01UTC target 192.168.50.1 - login "admin" - pass "AcCe55" [ATTEMPT] 09:00:01UTC target 192.168.50.1 - login "admin" - pass "A110w!" [21] [ftp] host: 192.168.50.1 login: admin password: L3tM31N! 1 of 1 target successfully completed, 1 valid password found in <1 second Which of the following controls would be BEST to use to prevent such a breach in the future? A. Password history: Number of unique passwords that must be used before an user can re-use his old password. B. Account expiration C. Password complexity D. Account lockout

Password Complexity: To prevent such a breach in the future, the BEST control to use would be Password complexity.Password complexity is a security measure that requires users to create strong passwords that are difficult to guess or crack. It can help prevent unauthorized access to systems and data by making it more difficult for attackers to guess or crack passwords.The best control to use to prevent a breach like the one shown in the logs is password complexity. Password complexity requires users to create passwords that are harder to guess, by including a mix of upper and lowercase letters, numbers, and special characters. In the logs, the attacker was able to guess the user's password using a dictionary attack, which means that the password was not complex enough.

A critical file server is being upgraded, and the systems admin must determine which RAID level the new server will need to achieve parity and handle two simultaneously disk failures. Which of the following RAID levels meet this requirement? A. RAID 0+1 B. RAID 2 C. RAID 5 D. RAID 6

RAID 6: RAID 6 uses double parity and can handle double disk failure therefore is the only option which fulfils both requirements. Raid 5 can only handle single disc failure. RAID 6 is the RAID level that meets the requirements of achieving parity and handling two simultaneous disk failures. RAID 6 uses two independent sets of parity data, which provides fault tolerance against the failure of up to two disks in the array.

After consulting with the Chief Risk Officer(CRO), a manager decides to acquire cybersecurity insurance for the company. Which of the following risk management strategies is the manager adopting? A. Risk acceptance B. Risk avoidance C. Risk transference D. Risk mitigation

Risk Transference: Whenever risk management is outsourced the risk is said to be transferred. Risk has been transferred to insurance company.

HOTSPOT- The security administrator has installed a new firewall which implements an implicit DENY policy by default. INSTRUCTIONS- Click on the firewall and configure it to allow ONLY the following communication: -The accounting workstation can ONLY access the web server on the public network over the default HTTPS port. The accounting workstation should not access other networks. -The HR workstation should be restricted to communicate with the Financial server ONLY, over the default SCP port. -The Admin workstation should ONLY be able to access the servers on the secure network over the default TFTP port. The firewall will process rules in a top-down manner in order as a first match. The port number must be typed in and only one port number can be entered per rule. Type ANY for all ports. If at any time you would like to bring back the initiation state of the simulation, please click the Reset All button.

Rule 1: SOURCE 10.10.9.12/32 to DESTINATION 192.168.10.5/32 PORT: 443 PROTOCOL: TCP ACTION: Permit (HTTPS) Rule 2: SOURCE 10.10.9.14/32 to DESTINATION 192.168.100.10/32 PORT: 22 PROTOCOL: TCP ACTION: Permit (Secure Copy Prot) Rule 3: SOURCE 10.10.9.18/32 to DESTINATION 192.168.100.10/32 PORT: 69 PROTOCOL: UDP ACTION: Permit (TFTP - trivial) Rule 4: SOURCE 10.10.9.18/32 to DESTINATION 192.168.100.18/32 PORT: 69 PROTOCOL: UDP ACTION: Permit (TFTP - trivial)

A security administrator currently spends a large amount of time on common security tasks, such as report generation, phishing investigations, and user provisioning and deprovisioning. This prevents the administrator from spending tie on other security projects. The business does not have the budget to add more staff members. Which of the following should the administrator attempt? A. Discretionary Access Control(DAC):is the principle of restricting access to objects based on the identity of the subject. B. Attribute-based access control(ABAC) C. SCRAP: Web scraping, also known as screen scraping, generally refers to the process of extracting, copying, saving and reusing third-party content on the internet. D. Security, Orchestration, Automation, and Response(SOAR): SOARK seeks to alleviate the strain on IT teams by incorporating automated responses to a variety of events.

SOAR: SOAR stands for Security Orchestration, Automation, and Response. SOAR platforms are a collection of security software solutions and tools for browsing and collecting data from a variety of sources. SOAR allows companies to collect threat-related data from a range of sources and automate the responses to the threat.

A database administrator needs to ensure all passwords are stored securely, so the administrator adds randomly generated data to each password before storing it. Which of the following techniques does BEST explain this action? A. Predictability B. Key stretching C. Salting D. Hashing

Salting: Is a concept that typically pertains to password hashing. Essentially, it's a unique value that can be added to the end of the password to create a different hash value. This adds a layer of security to the hashing process, specifically against brute-force attacks.

A security analyst is reviewing output of a web server log and notices a particular account is attempting to transfer large amounts of money: GET http: //yourbank.com/transfer.do?acctnum=087646958$amount=50000 HTTP/1.1 GET http: //yourbank.com/transfer.do?acctnum=087646958$amount=50000 HTTP/1.1 Which of the following types of attack is MOST likely being conducted? A. SQLi B. Cross-Site Request Forgery(CSRF): Is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. C. Session Replay D. Application Programming Interface(API): Security refers to the practice of preventing or mitigating attacks on APIs.

Session Replay: Session Replay Attacks are network-based security hacks that delay, replay, or repeat the valid transmission of data between a genuine user and a site. In this example, "replaying" the attack on same account# multiple times.

Which of the following BEST describes the MFA attribute that requires a callback on a predefined landline? A. Something you exhibit B. Something you can do C. Something you know D. Something you are

Something you can do or somewhere you are (Supposedly this is the answer): In other website it says somewhere you are. If ever this will be in the exam and the choices is somewhere you are, i will choose that.

A company just developed a new web application for a government agency. The application must be assessed and authorized prior to being deployed. Which of the following is required to assess the vulnerabilities resident in the application? A. Repository transaction logs B. Common Vulnerabilities and Exposure(CVE) C. Static code analysis D. Non-credentialed scans

Static Code Analysis: CompTIA official : Static code analysis (or source code analysis) is performed against the application code before it is packaged as an executable process. The analysis software must support the programming language used by the source code. The software will scan the source code for signatures of known issues, such as OWASP Top 10 Most Critical Web Application Security Risks or injection vulnerabilities generally.

A privileged user at a company stole several proprietary documents from a server. The user also went into the log files and deleted all records of the incident. The systems administrator has just informed investigators that other log files are available for review. Which of the following did the admin MOST likely configure that will assist the investigator? A. Memory dumps B. The syslog server C. The application log D. The log retention policy

The Syslog server: The syslog allows the separation of the software that generates messages, the system that stores them and the software that repots and analyze them. Therefore, it provides a way to ensure that critical events are logged and stored off the original server. An attacker's first effort after compromising a system is usually to cover their tracks left in the logs. Logs forwarded via Syslog are out of reach.

The website Http://companywebsite.com requires users to provide personal information, including security question responses, for registration. Which of the following would MOST likely cause a data breach? A. Lack of input validation: When software does not validate input properly, an attacker can craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution. B. Open permissions C. Unsecure protocol D. Missing patches

Unsecure Protocol: Its http, an unsecure protocol. To secure the protocol they should have SSL/TLS certificate and when they have the certificate we will see the URL starts with httpS://

An organization relies on third-party video conferencing to conduct daily business. Recent security changes now require all remote workers to utilize a VPON to corporate resources. Which of the following would BEST maintain high-quality video conferencing while minimizing latency when connected to the VPN? A. Using geographic diversity to have VPN terminations closer to end users. B. Utilizing split tunneling so only traffic for corporate resources is encrypted. C. Purchasing higher-bandwidth connections to meet the increased demand. D. Configuring QoS properly on the VPON accelerators.

Utilizing split tunneling so only traffic for corporate resources is encrypted: Utilizing split tunneling so only traffic for corporate resources is encrypted would best maintain high-quality videoconferencing while minimizing latency when connected to the VPN. Split tunneling is a technique that allows a VPN user to access both the public internet and the private network simultaneously, without routing all traffic through the VPN. This can improve the performance and quality of videoconferencing applications that rely on low latency and high bandwidth, as well as reduce the load on the VPN server.