Measure up 256 sec+ master quiz

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Several employees received emails that appeared to be from an online auction site. When the users click on the link, they are prompted for personal information. However, the link does not go to the auction site, but to a duplicate site set up by an attacker. What kind of attack has occurred? Choose the correct answer Pharming Scam Phishing Identity theft

A Explanation A phishing attack has occurred. During a phishing attack, an email is sent that appears to be from a legitimate source. The email links the recipient to a Web page designed to look like a legitimate Web site. The Web site is designed to prompt the recipient for personal information that the attacker captures. A scam is a different type of attack. Scams can take different forms, but in general they are designed to cheat potential customers through fake sales or services. A phishing attack can be used as part of an attempt at identity theft, but an identity theft attack is more specific. During identity theft. the target's identity is stolen and then used to commit fraud. A pharming attack is like a phishing attack in that users are redirected to a fraudulent site. However, an email containing a fraudulent link is not the attack vector. Instead, the redirection occurs either by altering the hosts file on the computer or by DNS poisoning.

A server has failed four times in the past year. Which measurement is used to determine the amount of time the server was operational? Choose the correct answer ARO ALE MTBF MTTF

A Explanation Mean Time Between Failures (MTBF) is the measurement used to determine the amount of time that a repairable system was operational. Mean Time To Failure (MTTF) is the measurement used to determine how long it will be before an event makes a system un-repairable. Annualized Loss Expectancy (ALE) is a measurement that indicates the cost of loss due to a risk over the course of a year. It is calculated by multiplying Single Loss Expectancy (SLE) by Annualized Rate of Occurrence (APO). SLE is the amount of loss expected for a single occurrence of risk and ARO is the number of occurrences of a risk anticipated over the year.

What is the role of SOAR runbooks in incident response and mitigation? Choose the correct answer A SOAR runbook is a linear checklist of steps necessary to respond to specific incidents or threats. A SOAR runbook documents configuration settings applied as SOAR components launch. A SOAR runbook is documentation that provides a set of standardized documents, references, and procedures. A SOAR runbook is a series of conditional steps that perform actions to help automate the incident response or security operations process.

A Explanation Security Orchestration, Automation, and Response (SOAR) is a software stack made up of multiple security applications. The goal of SOAR solutions is to improve the emciency of security operations and automate security processes and procedures. A SOAR runbook is a series of conditional steps that perform actions to help automate the incident response or security operations process. The goal of the runbook is the assessment, investigation, and containment of incidents and threats. In addition to automated elements, a runbook can also contain human decision elements. A SOAR runbook is not a linear checklist of steps necessary to respond to specific incidents or threats. This describes a SOAR playbook, which is used to help establish formal incident response processes and procedures. A playbook can include both automated actions and human tasks. Playbooks and runbooks are often used together in incident response. A SOAR runbook is not documentation that provides a set of standardized documents, references, and procedures. This describes an type of documentation prepared and maintained by an organization's IT professionals that is also known as a runbook, but is not related to SOAR. A SOAR runbook does not document configuration settings applied as SOAR components launch. These is no one source where this information is documented, although SOAR components often do have configuration options available.

A security analyst is developing an Internet-based application. Users will need to create passwords that are eight or more characters in length for authentication. The analyst needs a secure method to store user passwords. The analyst wants a solution that is as secure as possible against brute force attacks. Which algorithms can the analyst use for creating password-based key derivations? (Choose two.) Choose the correct answers CRYPT Bcrypt MD5 PBKDF2 SHAI

A Explanation The analyst should use Password-Based Key Derivation Function 2 (PBKDF2) or bcrypt for password strengthening. You need to implement key stretching, also known as key strengthening, to use an algorithm to create an enhanced key that is too large to be easily compromised through a brute-force attack. PBKDF2 and bcrypt work by applying a pseudorandom function to a password and salt value through multiple (1000 or more) iterations. Of the two, bcrypt is considered the most secure, but both are acceptable solutions. The analyst should not use CRYPT. It uses a 12-bit salt, supports no more than 12 iterations, and is limited to eight-character passwords. It is commonly seen as a minimum inconvenience to modern password crackers rather than a true protection. The analyst should not use Message Digest Algorithm 5 (MD5) or Secure Hash Algorithm 1 (SHAI) as the encryption algorithm. These create a password hash, which does provide some protection, but not as much protection as key stretching provides.

A company needs to set up two-factor authentication for a cloud-based application. The authentication should include a one-time use, limited time password that is delivered to the user through the Google Authenticator mobile app. The password should be based on a shared key and the current date and time, What type of authentication should the company use? Choose the correct answer PIV CAC TOTP HOTP

A Explanation The company should use a Time-based One-time Password (TOT P). This is a password that is generated from a shared key and the current time stamp. Depending on how it is set up, the password changes every 30 to 60 seconds. The password can be delivered to the user through a mobile app (such as Google Authenticator), a hardware security token, or a text message from a central server. The administrator should not use a HMAC-based One-time Password (HOTP). This is similar to a TOTP, but is based on a shared key and an incrementing counter instead of a time stamp. The administrator should not use a personal identity verification (PIV). This is a United States Federal smart card used for certificate-based authentication used to gain access to Federal facilities and information systems. The administrator should not use a Common Access Card (CAC), which is a smart card used with a Personal Identification Number (PIN) for certificate-based authentication, As with the PIV, this is a United States Federal authentication card.

A critical web server is compromised by a persistent XSS attack. Which two steps should be taken as part of the containment process? Choose the correct answers Reimage the server. Redirect traffic to a different web server. Create a forensic image of the server. Review the web application logs. Implement input validation.

A Explanation The containment process includes three basic steps: short-term containment, preserving forensic evidence, and long-term containment. A persistent Cross-site Scripting (XSS) attack is one in which an attacker adds malicious content that is then accessed by a user. For example, the attacker might create a post that includes a malicious link. To contain the attack and prevent it from spreading to more users, you would remove the content. In this case, because the server is a critical server, you need to redirect tramc to a temporary web server that is not affected by the problem, for example, a web server with static content that is not vulnerable to an XSS attack. After traffc has been redirected, you need to concentrate on preserving the forensic evidence by taking a forensic image of the hacked server. Reimaging the server is not part of the containment process. Depending on the exact nature of the attack, it might be necessary to reimage the server, but this would be part of the eradication phase. In this example, you should reimage the server in order to eradicate any malicious content or backdoors that might have been installed by the attacker. Implementing input validation is an important mitigation against an XSS attack. However, it is not part of the containment phase.

Refer to the exhibit Which command produced the output shown? Choose the correct answer netstat -r netstat -n nbtstat -n nbtstat -s netstat -no nbtstat -S

A Explanation The netstat -no command was used. You use this command to view active TCP connections and statistics. The -no switch displays process ID and addresses numerically. The netstat command can help you identify suspicious network activity and identify malware. The netstat -r command produces the IP routing table and is similar to the route print command. The netstat -n command shows active TCP connections in numerical form. You would use the n switch to prevent the netstat command from attempting to determine DNS names. The nbtstat -n command displays active connections numerically but does not show process IDs. The nbtstat command allows you to troubleshoot NetBIOS problems and produces a completely different output that includes current sessions and statistics of NetBIOS.

An organization's users are redirected to a dummy vendor website that uses a stolen SSL certificate. The users unknowingly make purchases on the site using a corporate credit card. What should the organization do to mitigate this risk? Choose the correct answer Validate the certificate with the CA. Configure all browsers to use OCSP. Validate each vendor site's CSR. Deploy PKI for certificate management.

A Explanation The organization should configure all browsers to use Online Certificate Status Protocol (OCSP). OCSP can be used to verify an X.509 certificate's validity. Public Key Infrastructure (PKI) uses the X.509 standard for defining and creating digital certificates. Public X.509 certificates are generated by Certificate Authorities (CAs). A CA is a publicly trusted entity that Uses its own methods for validating a certificate requestor prior to issuing the certificate. This allows an entity to present a certificate from a trusted third party as a form of authentication. Validating a certificate verifies the identity of the certificate owner. When a user connects to a vendor website, OCSP can be queried to validate the certificate, check the identity of the vendor, and ensure that the certificate has not be created by a malicious actor. The organization should not validate each vendor site's Certificate Signing Request (CSR). CSRs are generated by applications, users, or services and are submitted to CAS for validation. The CSR identifies the certificate owner and is used by the CA to generate an X.509 certificate. The organization should not validate the certificate with the CA. CAS can be private or public. Public CAS act as a root of trust in PKI. When a public CA generates a certificate for an entity, it is validating and, in some cases, guaranteeing the entity's identity. The organization should not deploy PKI. PKI provides the framework for creating and managing certificates but does not publish certificate validation information.

Some network tramc is being redirected to a client that is infected with a Trojan. The IP addresses and MAC addresses on the redirected packets do not match up correctly. All packets have the MAC address of the infected system, The IP addresses are legitimate host addresses, This is a symptom of which kind of attack? Choose the correct answer DoS attack ARP poisoning IP spoofing DNS poisoning

A Explanation The symptoms describe Address Resolution Protocol (ARP) poisoning, ARP is used to determine a host's Media Access Control (MAC) address from its IP address, Computers cache recently resolved MAC addresses locally in the ARP cache to improve communication effciency, The IP address uniquely identifies a host on a network by its network and host addresses, It also ensures that routed packets are delivered to the correct network in a routed environment. The MAC address, which is the address that is hard-coded on each network adapter, is used for final delivery to the correct host once a packet has reached the correct network. ARP broadcasts are used to find a computer's MAC address from its IP address. However, if the sending computer has the destination computer's MAC address in its ARP cache, it uses the cached address instead of using ARP to resolve the address. In ARP poisoning, invalid MAC address information is injected into hosts' ARP caches, This causes the packets to be delivered to the wrong destination or not delivered at all. ARP poisoning is sometimes used as part of information gathering when actively sniffng a network, and it can facilitate other types of attacks, such as Denial of Service (DoS) or man-in-the-middle attacks. This is not an example of IP spoofing because it does not appear that the IP addresses are being changed, nor is an attacking system using a legitimate system's IP address, which is what happens during IP spoofing. Domain Name System (DNS) poisoning occurs when the attacker injects incorrect DNS record information into the DNS database or corrupts the contents of the DNS database. The DNS database does not appear to be affected by the attack described in this scenario. This is not a denial of service (DoS) attack. In a DoS attack, a computer or network sewice is made unavailable, usually by flooding the resource with more traffc than it can process and handle.

You discover a program running in the background on a computer. The program is collecting address and computer name information from your network and sending it to an address on the Internet. This is an example of what kind of threat? Choose the correct answer Worm Watering hole attack Spyware Rootkit

A Explanation This is an example of spyware. Spyware is a type of malware that collects information and sends it to a third party. Depending on the spyware, it might collect personal information (such as credit card numbers or passwords) or network information (such as addresses and computer names). Spyware typically runs in the background and is usually a stealthy program (attempting to run without drawing attention to itself). This is not an example of a worm. A worm is a self-replicating program, typically designed as a network threat, copying itself to network clients. This is not an example of a rootkit. A rootkit is a specialized type of software designed to provide a backdoor into the infected computer. Rootkits are typically stealthy and do not in themselves cause any destruction. A rootkit would not collect and return information from a computer, for example, but it would make it easier for an attacker to connect to the computer from a remote location so that he or she can then directly collect information. This is not an example of a watering hole attack. With a watering hole attack, the attacker identifies a website that is frequently visited by members of a specific company and then infects that website with malware.

A company needs to secure tramc between SMTP servers over the internet. Servers that can connect securely must use a secure connection, but servers that cannot connect securely must still be able to connect. Which protocol offers the best solution? Choose the correct answer S/MIME HTTPS PGP TLS

A Explanation You should use Transport Layer Security (TLS). When you enable TLS, you can enable the server to request a secure connection with servers that also use TLS. The server will also be able to accept connections from servers that do not support TLS. The TLS connection offers authentication and encryption or just encryption. Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP) are used to secure messages between the server and a mail client by using encryption and digital signatures. They do not secure connections between SMTP servers. Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) is used to secure connections between a web server and the client's web browser. It can be used for web-based email clients. It cannot be used to secure connections between SMTP servers.

What should be used to ensure non-repudiation on outgoing emails? Choose the correct answer Steganography Digital signature Cryptographic hash Ephemeral key

A Explanation You should use a digital signature in this situation. Non-repudiation on outgoing mail means ensuring that you can identify the source of the e-mail and that the e-mail has not been modified since it was sent. Both of these can be accomplished by including a digital signature with the message. You should not use a cryptographic hash. A hash can be used to verify data integrity, which means that the data has not changed, but it does not provide identification or authentication of the sender. You should not use an ephemeral key in this situation. An ephemeral key is generated at the beginning of a communication session to provide secure communication. An ephemeral key is a key that is generated during the key establishment process sending one ephemeral key per message. The key is based on a combination of the sender's private key and the recipient's public key. You should not use steganographv Steganography is a cryptographic method of embedding data inside a file as hidden content. For example, data might be hidden inside of a digital image.

Match each attack description with the correct vulnerability type.

An attack that leveraged a previously unknown vulnerability describes an attack based on a zero day vulnerability. A zero day vulnerability is one that was unknown and unsuspected before an attack occurred. A rise in successful social engineering attacks indicates a vulnerability in user training. Training users to recognize and avoid social engineering attacks is the best way to prevent the attacks from being successful. Social engineering attacks can take different forms, including face-to-face, by phone, or by email. An attacker gaining administrative access to routers or other devices is usually due to a default configuration vulnerability. If default users and passwords are not changed on devices, they provide an attacker with easy access to the devices. An application that is highly susceptible to buffer overflow and denial of service attacks indicates probable vulnerabilities in input validation, error handling, or both. These often result from design weaknesses in which proper support was not included in the design. None of the descriptions indicates a certificate management vulnerability. This can lead to several problems, including compromised encryption and security, unauthorized access, or a web site being falsely identified as hazardous. None of the descriptions indicates a race condition vulnerability. A race condition occurs when, in a multiprocessing application, steps are executed out of order between parallel thread executions.

A server is the victim of a data breach. Customer password information is exposed to the attacker. Which step in the incident response process is necessary to mitigate the risk of a reoccurrence of the attack? Choose the correct answer Quarantine the server. Escalate the incident to the CEO. Notify the customers that their passwords should be changed. Conduct a post-mortem review to identify lessons learned.

Conducting a post-mortem review to identify lessons learned is important for preventing a reoccurrence of the incident or a similar incident. It is important to keep in mind that incident handling is an iterative process. The documentation and lessons learned from an incident is used to help prepare for and protect against future incidents. A post-mortem review is part of the preparation process and helps identify vulnerabilities and make recommendations for hardening the environment. Escalating the incident to the CEO will not prevent a reoccurrence of the incident, although it is likely that you will need to notify the CEO that the incident occurred and obtain sign-off to implement the changes necessary to prevent the incident from reoccurring. You would know whether or not to escalate an incident by checking if it met the escalation criteria defined in the incident handling procedures. Quarantining the server is not a way to prevent a reoccurrence of the attack. You quarantine a server as a way to reduce the impact of an ongoing attack. This is part of the incident isolation process. Notifying the customers that their passwords should be changed will not prevent the incident from reoccurring. However, you will need to notify the customers that their passwords should be changed as part of the incident response in order to reduce the impact of the attack. Failure to notify the customers will result in loss of reputation and increased liability.

A company deploys a NIDS in its perimeter network. What type of control is the company using? Choose the correct answer Detective Compensating Deterrent Preventive

Explanation A network-based intrusion detection system (NIDS) is a detective control. A NIDS monitors network activity and issues alerts when anomalous activity is detected. A NIDS does not take any preventive or corrective action. This is not an example of a deterrent control. A deterrent control is one designed to discourage the violation of security policies and principles. Warning signs stating that entry is limited to authorized only is a deterrent control. This is not a preventive control. A preventive control is designed to prevent security violations. Use of data loss prevention (DIP) to stop data leakage by protecting sensitive data is a type of preventive control. This is not a compensating control. A compensating control is used to supplement security controls when a better solution is not available or cannot be implemented. User training to make users aware of security policies when technical solutions cannot be put in place is a type of compensating control.

What is the most cost-effective way to defend against whaling attacks? Choose the correct answer use strong passwords. Educate and train upper management. use biometrics. Educate and train all employees. Keep servers locked in a secure location.

Explanation A whaling attack is similar to a phishing attack in that it appears to be a legitimate email that contains a malicious link, However, a whaling attack targets upper level executives and the email is crafted to appeal to a high level executive. Social engineering attacks occur when a potential attacker attempts to gain information about the network by talking to people. The attacker may pretend to be an employee, a spouse, a business partner, or a customer to gain information that might be useful, Because someone who tells an attacker his username and password leaves the network wide open, educating users about the dangers of social engineering can prevent this type of attack _ Educating all employees is not the most cost-effective way to defend against whaling attacks because a whaling attack targets only upper-level management. You should, however, provide all users with training in how to recognize phishing and spear-phishing attacks. A spear-phishing attack is a phishing attack in which the sender appears to be a manager or executive of the company, Keeping servers in a secure location, such as a locked closet, is an important factor in securing the network, but it does not protect against a social engineering attack. Biometrics is a type of authentication based on physical characteristics, such as a fingerprint or retina scan, Biometrics would not prevent a social engineering attack _ Strong passwords contain a combination of uppercase and lowercase letters, numbers, and punctuation and other symbols. Security policies should require users to use strong passwords. However, even a strong password is susceptible to a social engineering attack if a user tells the attacker his password.

What is the primary security concern regarding zero-day vulnerabilities? Choose the correct answer The vulnerability cannot be blocked or mitigated. The vulnerability goes unknown and undetected until after it is exploited. The vulnerability can be detected only through proactive threat hunting. The vulnerability is designed to disable a computer based on a specific calendar date.

Explanation A zero-day vulnerability goes unknown and undetected until after it is exploited. The vulnerability can be a software, firmware, or hardware flaw unknown to the manufacturer or anyone else responsible for correcting the vulnerability, and it gtæs undetected until the first time it is used in an attack. A zero-day vulnerability does not refer to a vulnerability that can be detected only through proactive threat hunting. Proactive threat hunting is used to identify attacks that cannot be detected through traditional monitoring and testing. A zero-day vulnerability is not designed to disable a computer based on a specific calendar date. Although there have been viruses of this type in the past, mostly causing nuisance rather than being dangerous or malicious, now they are not very common. A zero-day vulnerability can be blocked or mitigated once detected and identifie

A company has an office on the fifth floor of a building in a city that is prone to earthquakes. Earthquakes have been identified as the most important risk to mitigate. Which risk mitigation controls would be most important when ensuring employee safety? (Choose three.) Choose the correct answers Drills Access controls CCTV Emergency lighting Escape plans

Explanation Because the office is in a city that is susceptible to earthquakes, it is especially important to create an escape plan that includes escape routes. If an earthquake occurs, it is best to stay still and undercover until after the shaking stops. However, even after the earthquake, you should avoid elevators because of the possibility of power outages, aftershocks, or structural damage. Therefore, employees would need to know the location of emergency exits in case evacuation was necessary after the earthquake. Because structural damage can occur, they should be familiarized with multiple possible escape routes. Conducting drills will help employees become familiar with the reinforced safe areas where they should take cover during the earthquake, as well as the escape plans and escape routes to evacuate the building if there is a need to do so after the earthquake stops. It will also help to ensure safe and orderly behavior if an earthquake actually occurs. Emergency lighting would also help to ensure employee safety if an earthquake occurs. Power outages often accompany earthquakes. Battery-backed emergency lights will allow users to see if the power fails. Employees will be less likely to be injured if they have good visibility. A closed-circuit television system (CCTV) is not the most important control when the primary risk is an earthquake. CCTV would help the company detect theft or other inappropriate behavior, but it would not help mitigate the risk of an earthquake. Access controls help guard the confidentiality of data. Access controls might include software controls like authentication and permissions or hardware controls such as a card reader or proximity reader.

Which of the following can be used to launch a coordinated DDoS attack? Choose the correct answer Adware Worm Rootkit Bot

Explanation Bots, organized as a botnet, can be used to launch a coordinated distributed denial-of-service (DDoS) attack. A bot is a Web program, sometimes called a zombie, that can be programmed to perform remote actions. One possible action is a DDoS attack against a specific target. A Trojan (a malware program that appears to be one thing but is actually something else) is sometimes used to build the network used by the bots to attack, and is therefore part of the coordinating program. A Trojan can open a back door into a computer that lets it act as a platform for launching the attack. A worm is a malicious destructive program that is usually designed to destroy files on target computers. Adware falls under the general category of malware, but it is not directly destructive. Adware is often designed to collect information to make the computer an easier target for spam. A rootkit is a program that typically installs itself in the operating system kernel. The primary goal of most rootkit programs is to open a backdoor into a computer.

A company deploys a DNS server with a single zone in a test environment as a proof of concept. Which step is required to add DNSSEC on the DNS server? Choose the correct answer SSL has to be enabled on the DNS server. The DNS zone has to be encrypted using AES. The NSEC protocol has to be enabled on the DNS server. The DNS zone has to be digitally signed.

Explanation Domain Name System Security Extensions (DNSSEC) requires the zone to be digitally signed. When complete this step, a set of new resource records will be created. For example, the DNSKEY record is used to store public keys and the RRSIG (resource record signature) record contains signatures. DNSSEC is an extension of DNS that offers data integrity and origin authentication. DNSSEC protects networks against spoofing attacks using DNS data. It uses digital signatures and public key cryptography to achieve this. The DNS zone does not have to be encrypted using AES_ There is no confidentiality (encryption) implemented on DNSSEC_ DNSSEC does not require SSL to protect DNS data. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) is used to secure a connection between two points, typically a server and a client. It is recommended that you use TLS/SSL and DNSSEC to provide a secure and reliable connection over the Internet. Next Secure (NSEC) is not a protocoL NSEC is a resource record that validates negative responses.

A company deploys a DLP system. A security offcer wants to create a policy to match and block access to documents that include any linked PII. Which three of the following should be included? (Choose three,) Choose the correct answers Gender information Personal phone numbers E-mail addresses Post codes Credit card numbers Salary information

Explanation E-mail addresses, personal phone numbers, and credit card numbers are considered linked personally identifiable information (PII)_ PII allows you to identify, locate or link an individual. PII is divided into two main categories: linked and linkable information. A linked piece of information allows anyone to identify an individual easily. A linkable piece of information is less sensitive and allows you to identify someone when combined with other sources and information. Examples of linked PII include: Full name Social security number Full address • Credit card number and account number Biometric information Personal phone numbers Examples of linkable information include: Post code Date of birth Gender Salary information IP addresses A data loss prevention (DLP) system can block access to files with PII and prevent unauthorized operations on PII files.

A company is designing and developing an automated authentication system based on biometric attributes. One of the goals is to keep the authentication process as transparent and unobtrusive to employees as possible. The company installed close-circuit television (CCTV) cameras throughout its corporate campus. Images are fed through an artificial intelligence (A1) analysis system for employee identification. Human operators provide feedback to assist with machine learning and improve accuracy. Which biometric attributes are BEST suited to this application? (Select two.) Choose the correct answers Retina Fingerprint Facial Voice Gait Vein

Explanation Facial (facial recognition) and gait are the two attributes best suited to this application. Both are attributes that can be easily and clearly captured by the CCTV cameras. Facial and gait analysis and recognition are established biometric factors. Relatively high false positive and false negative rates should be expected during initial development with the accuracy improving through machine learning. The system should not use retina, fingerprint, or vein. These all require a closer scan than facial or gait, and they would not be easily captured through CCTV The system should not use voice. One reason is that it would require that an employee is talking while moving through the campus, which is not necessarily guaranteed. There are also issues about recording quality and its impact on accuracy.

Which cloud service model provides servers, storage, and network infrastructure but not operating systems or applications? Choose the correct answer caas saas IaaS paas

Explanation In the infrastructure as a service (IaaS) cloud service model, the cloud service provider provides servers, storage, and network infrastructure. Operating systems, applications, and their maintenance and upkeep are the responsibility of the customer. IaaS gives consumers a way to implement a cloud-based data center either in place of or in addition to an on-premises data center. Software as a service (SaaS) refers to application subscription services where the application is hosted by the cloud service provider and made available to subscribers through the internet The cloud service provider is responsible for all maintenance and upkeep for the application. The acronym SaaS is also sometimes used to refer to storage as a service, a cloud-based offering that provides storage support only. Platform as a service (PaaS) falls between IaaS and SaaS. PaaS provides a cloud-based software deployment and development environment. The cloud service provider is responsible for servers, storage, development tools, and networking. Communication as a service (CaaS) provides a cloud-based communication infrastructure. It is one of the newer offerings sometimes referred to as anything as a service (XaaS)_

A security administrator discovers multiple network nodes sending and receiving command-and-control tramc followed by a spike in traffc. What is the MOST likely impact of this discovery? Choose the correct answer Loss of availability Loss of authenticity Loss of confidentiality Loss of integrity

Explanation Loss of availability is the most likely impact. Command-and-control (C2) connections occur when a piece of malware is installed and executed on a target computer. The malware attempts to "phone home", signaling to a remote attacker that compromise is complete. The attacker may send additional instructions and malware to the compromised node to gather information or infect other machines. However, based on the provided information, the infected nodes have been recruited as part of a botnet and will be used to launch Distributed Denial of Service (DDoS) attacks. Loss of confidentiality typically occurs when weak encryption protocols, or no encryption, are used. In this scenario, many nodes sending and receiving C2 does not indicate a loss of confidentiality. Loss of integrity occurs when data is manipulated or corrupted, Data integrity can be verified by using hashing algorithms or digital signatures, Loss of authenticity occurs when the source of data cannot be verified or proven. Digital signatures can be used to verify data authenticity.

What is an advantage of a penetration tester running a non-credentialed scan instead of a credentialed scan? Choose the correct answer A non-credentialed scan provides a complete view of vulnerabilities on targeted devices. A non-credentialed scan cannot be detected or blocked. A non-credentialed scan provides a more accurate idea of installed applications. A non-credentialed scan provides a penetration tester an outsider's view of the network. A non-credentialed scan can be run as an external or internal scan.

Explanation One advantage of running a nan-credentialed scan is that a nan-credentialed scan provides a penetration tester an outsider's view of the network, This allows the tester to see the network in much the same way as a potential attacker would initially see the network, A credentialed scan uses authentication credentials to gain access to target systems and provides an insider's view A nan-credentialed scan does not provide a more accurate idea of installed applications. You might be able to get some idea of installed applications but would not be able to get many details about the applications, There would also be applications that are not visible to the scan. A nan-credentialed scan does not provide a complete view of vulnerabilities on the targeted devices. This requires a credentialed scan, since the tester would need access to files and applications on the target devices, A nan-credentialed scan can be detected or blocked, Non-credentialed scans use standard communication protocols and have recognizable activity patterns. A nan-credentialed scan can be run as an external or internal scan, but this is also a feature of credentialed scans, so neither scan type has an advantage over the other in this area. Nan-credentialed scans are more commonly run as external scans, at least initially,

A company is transitioning from using WPA2-PSK to WPA2-Enterprise to improve wireless network security. What is a requirement when setting up to support WPA2- Enterprise? Choose the correct answer A wildcard certificate must be installed on each wireless access point (WAP) and client. A RADIUS server is required for client authentication. A certificate is required on each wireless access point (WAP) for unique identification. The length of encryption keys must be increased.

Explanation One requirement for setting up WPA2-Enterprise is that you must have a Remote Authentication Dial-ln User Service (RADIUS) server to authenticate network users. This is not required with WPA2-PSK, which uses the same pre-shared key value for all clients. There are no special certificate requirements for WAPs or clients when using WPA2_ WPA3-Enterprise, the most recent version, has the option of requiring a certificate on the WAP for identification. This can help prevent the introduction of rogue access points into a network. Encryption keys are specified with WPA2-PSK, not with WPA2-Enterprise, so there is no requirement on key length.

A system has six 100 GB hard disks available for data storage. Which RAID configuration will provide the most available storage with fault tolerance? Choose the correct answer RAID4) RAID-I RAID-5 RAID-IO

Explanation RAID-5 provides the most available storage with fault tolerance. Data and parity information is striped across all of the hard disks. Data remains available even if one hard disk is lost. You lose the equivalent of one hard disk to parity information, so this configuration would provide 500 GB of available storage. You calculate RAID-5 using the following formula: (smallest disk size) • (number of disks - 1). You need a minimum of three disks. RAID-O is not a fault tolerant configuration. Data is striped across all of the hard disks, giving you 600 GB of disk storage, but the loss of any hard disk will result in loss of all data and require recovery from backups. RAID-I is a disk mirroring configuration. Disks are paired with both disks in the pair containing the same data. Data remains available if one disk is lost out of any pair. This configuration would give you only 300 GB of storage. A RAID-10 mirrors two sets of RAID-O disks. Data is maintained if any (or all) of the disks are lost from one of the RAID-O disk sets. This configuration also gives you only 300 GB of disk storage.

Identify the control type for each listed control. Choose the correct options Control Control type Mantrap Physical Recovery procedure plan Admininstrative IDS Technical Honeypot Technical Biometric lock Physical Security controls can be categorized as administrative, physical, and technical controls. Administrative controls include procedural controls, as well as legal regulations and compliance requirements. Physical controls include items such as fences, video surveillance, lights, and security guards. Technical controls include network security devices and applications. A mantrap is a type of physical control. It is used to control entrance to and exit from a secure or sensitive area. A mantrap is effectively a small area with two dtnrs (or gates). One door must be closed before the other can be opened. A recovery procedure plan is a type of administrative control. Administrative controls include all organization's policies and procedures. An intrusion detection system ('DS) is a technical control. An IDS monitors activity to identify intrusion attempts or suspicious activities. A honeypot is a technical controL A honeypot is a system deployed with known vulnerabilities to tempt attackers. It can be used to collect information about attackers and intrusion attempts. A biometric lock is a physical control because it is used to physical control entrance or isolate an area.

Explanation Security controls can be categorized as administrative, physical, and technical controls. Administrative controls include procedural controls, as well as legal regulations and compliance requirements. Physical controls include items such as fences, video surveillance, lights, and security guards. Technical controls include network security devices and applications. A mantrap is a type of physical control. It is used to control entrance to and exit from a secure or sensitive area. A mantrap is effectively a small area with two dtnrs (or gates). One door must be closed before the other can be opened. A recovery procedure plan is a type of administrative control. Administrative controls include all organization's policies and procedures. An intrusion detection system ('DS) is a technical control. An IDS monitors activity to identify intrusion attempts or suspicious activities. A honeypot is a technical controL A honeypot is a system deployed with known vulnerabilities to tempt attackers. It can be used to collect information about attackers and intrusion attempts. A biometric lock is a physical control because it is used to physical control entrance or isolate an area.

Which of the following statements describes a benefit of implementing stored procedures for a web app? Choose the correct answer Mitigation of injection attacks Protection against data exfiltration Normalization of data input Protection against CSRF attacks

Explanation Stored procedures can help to mitigate Structured Query Language (SQL) injection attacks. Many web applications use string concatenation to build a SQL query at runtime. This method potentially allows any code statement entered into e field to be executed. Stored procedures define and store a SQL query in the database and only allow properly typed data (a string or integer) to be passed as parameters. Stored procedures do not protect against Cross-Site Request Forgery (CSRF) attacks. In a CSRF attack, an attacker lures a user into clicking on a malicious link while the user is logged on to a target website. Implementing stored procedures does not normalize data. Since it relates to secure coding, normalization ensures that all data input is in a known and expected format This can protect an application from buffer overflow and other similar attacks. Implementing stored procedures does not protect against data exfiltration. Data Loss Prevention (DLP) platforms provide this capability.

What is the role of OWASP in software development? Choose the correct OWASP provides testing services to help identify zero-day and other vulnerabilities. OWASP provides free materials to promote and support web application security. OWASP develops structured guidelines for application development methodologies. OWASP offers a publicly available version control system and code repository.

Explanation The Open Web Application Security Project (OWASP) is an international non-profit organization, OWASP maintains a website where its materials are freely available and easily accessible. Materials include documentation, tools, videos, and forums. One of the primary materials is the OWASP Top 10 list, which provides a regularly updated list of the top ten security risks, with recommendations on how to avoid them, OWASP does not develop structured guidelines for application development methodologies. One of the most commonly used sets of software development guidelines is the Software Development Life Cycle (SDLC), It does not provide a specific methodology, but software development methodologies follow the SDLC. The SDLC is a generally accepted industry standard, OWASP does not provide testing services to help identify zero-day and other vulnerabilities. Various companies and organizations do provide free testing services. OWASP does not offer a publicly available version control system and code repository. The most common offering of this type is GitHub,

The PCl DSS defines standard policies and procedures for securing what type of data? Choose the correct answer PHI PII Government and defense information Credit, debit, and cash card transaction information

Explanation The Payment Card Industry Data Security Standard (PCl DSS) provides standards for securing credit, debit, and cash card transaction information. This includes protection of personal financial and credit information. The standard defines objectives for secure processing environments, storage requirements, access to data, and protection against malicious acts. The standards that protect personal health information (PHI) vary somewhat from country to country, but standards tend to be mostly similar, In the United States, the primary standard is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Personal identifiable information (PII) is covered under regulations and standards that apply at various levels depending on where the individual lives and works, the type of data, and where the data is physically stored. Government and defense information regulations are set by government bodies and cover wide-ranging topics. The same data can often fall under multiple regulations, making compliance verification diffcult.

After an administrator installs a new firewall, users complain they have intermittent access to the Internet. The firewall rules are shown in the exhibit. What should the administrator do to fix the issue? Choose the correct answer In rule number 7. change UDP to TCP under PORT. In rule number 5. change TCP to UDP under PORT. In rule number 7. change the port to 80. In rule number 3. change the action to Allow. In rule number 3. change the port to 80. In rule number 5. change the direction to Inbound.

Explanation The administrator should change rule number 7, which has been misconfigured using UDP port 443 and should be changed to TCP port 443. Hypertext Transfer Protocol Secure (HTTPS) uses TCP port 443, not UDP port 443. Browsing the Internet requires both HTTP and HTTPS to be allowed outbound, which can explain why users have intermittent access to the Internet. The HTTP protocol is allowed by rule number 5. The administrator should not change rule number 3. This is an inbound rule blocking HTTPS access. Users complain they have intermittent access to the Internet, which means that an outbound rule should be verified. You should not change rule number 5. This rule allows users to browse the Internet using TCP port BO. A firewall is designed to enforce security policies and to grant or reject network access. You would use a firewall to protect your network and internal resources.

A malicious user plans to initiate a DoS attack against a target network by plugging in an unauthorized switch. What should be done to best mitigate this risk? Choose the correct answer Enable BPDU Guard on access ports. Configure DHCP snooping on all LAN switches. Disable MAC filtering on access ports. Create VLAN on all switches.

Explanation The administrator should enable Bridge Protocol Data IJnit (BPDU) Guard on access ports. BPDLJs are used to convey information required by the Spanning Tree Protocol (ST P). Because STP is designed to run on switches with the primary goal of preventing switching loops, BPDUs should only be sent by switching devices and are only necessary on ports connected to other switches. End nodes should not send BPDlJs, and it is considered a best practice to explicitly detect BPDlJs received on access ports. When configured on a switch port, BPDIJ Guard disables the port if BPDLJs are received. The administrator should not disable Media Access Control (MAC) filtering on access ports. MAC filtering is used on networks to allow or prevent connections based on the MAC address of the sender. Enabling MAC filtering could be used to mitigate the risk of unauthorized devices being connected to the network. The administrator should not configure Dynamic Host Configuration Protocol (DHCP) snooping on all LAN switches. DHCP snooping prevents unauthorized DHCP servers from providing network configuration information to clients. The administrator should not create Virtual Local Area Networks (VLANs) on all switches. VLANs are used to segment networks for performance and security purposes. However, VLANs do not prevent broadcast storms, they only contain them.

A network administrator must configure a wireless controller to allow authentication for devices that do not support EAR Once configured, client authentication must be automatic. However, unauthorized users should not be able to access network resources. Which of the following actions should the administrator take ? Choose the correct answer Configure 802.1 x on the controller and set up RADIUS. Configure the controller to support CCMP. Deploy PKI and require clients use certificates to authenticate. Enable WPA2-PSK authentication on the controller.

Explanation The administrator should enable Wi-Fi Protected Access 2 - Pre-shared Key (WPA2-PSK) authentication on the controller. WPA2-PSK uses pre-shared keys to facilitate authentication. This is useful in scenarios where clients do not support Extensible Authentication Protocol (EAP) This is also useful in scenarios where clients may support EAP, but the network does not support centralized authentication using 802. lx, such as in a home network. The administrator should not deploy Public Key Infrastructure (PKI) and require clients use certificates to authenticate. Certificate-based authentication for wireless networks is facilitated by EAP-based protocols, such as Extensible Authentication Protocol - Transport Layer Security (EAP-TLS). The administrator should not configure 802,1x on the controller and set up Remote Authentication Dial-ln user Service (RADIUS), 802, lx facilitates centralized authentication for wireless networks and does not support pre-shared keys. This approach requires EAR, and therefore it does not meet the requirements, The administrator should not configure the controller to support Counter Mode CBC-MAC Protocol (CCMP). CCMP defines the encryption mechanism used by a wireless network and uses Advanced Encryption Standard (AES) as its encryption algorithm. WPA2-PSK uses CCMR CCMP controls wireless encryption but does not facilitate or control wireless authentication,

Following a breach, a security administrator is instructed to run a vulnerability scan against the affected servers. There is evidence that the attack was network-based, but the administrator is unsure which vulnerability was exploited. What should the administrator do to pinpoint the vulnerability? Choose the correct answer Investigate the attack vector metric for all server vulnerabilities. Evaluate all vulnerabilities with a CVSS score of 8 or higher. Evaluate any vulnerabilities with a scope of unchanged. Investigate all services that use TCP ports between 1 and 1023.

Explanation The administrator should investigate the attack vector metric for all server vulnerabilities. Many vulnerability scanners, including the popular Nessus scanner, report a Common Vulnerability Scoring System (CVSS) score and the associated metrics for each vulnerability. One component of a CVSS score is the attack vector, which can be network, adjacent, or local. In this scenario, the administrator should investigate vulnerabilities that can be exploited via a network connection. CVSS provides a scoring system for vulnerabilities. CVSS scores security vulnerabilities based on several metrics such as how complex an attack is (attack complexity) and whether authentication is required. CVSS scores range from O to 10, with a base score of 10 indicating a severe vulnerability. A CVSS score of 8 or higher does not indicate whether a vulnerability is network-based. The administrator should not investigate all services that use Transmission Control Protocol (TCP) ports between 1 and 1023. Well-known ports are associated with popular protocols such as Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP). However, the attack in the question may have occurred over ports beyond 1023. The sco# metric tracks whether a vulnerability only impacts resources in a single scope, or also impacts resources in other security scopes. An application or operating system would be classified as different security scopes. An application vulnerability that could also impact the underlying operating system would show a scope metric of changed. The other supported scope metric value is unchanged.

A security analyst is helping an organization develop a backup plan. They need to ensure that data backups are available in case of a catastrophic failure and the plan needs to be as inexpensive as possible. Which is the BEST course of action? Choose the correct answer Back up to removable media and store a copy offsite. Back up to a different file server on the network. Set up a cold site. Set up a hot site.

Explanation The analyst should back up to removable media and store a copy offsite. This helps ensure that the data will be available in case of a catastrophic failure. Costs are minimal, requiring only spare backup media and a secure offsite location. Many cost-effective offsite locations, such as a safety deposit box at a bank, could be used for storage. You should not back up to a different file server on the network in this situation. The server hosting the backups is as likely to be damaged or destroyed as the server being backed up. You should not set up a hot or cold backup site in this situation. Both options are significantly more expensive because of the additional hardware investment required. A hot backup site is a site set up in a different location with the hardware and data necessary to resume operations. A cold backup site is a separate site location with hardware only and no data.

A compan's recovery plan states that it will take, on average, three hours to restore services to an operational level after a catastrophic failure, What is this value is known as? Choose the correct answer RPO MTBF MTTR RTO

Explanation The average time needed to restore data is known as the mean time to restore or mean time to recovery (MT TR or MT R). When disaster recovery services are delivered by an outside provider, the MTR is often specified in the service contract. This does not guarantee recovery within three hours in every situation, it is just the average value. Acronyms in a service contract should be clearly defined, MT TR can also be used to stand for mean time to repair. However, this repair time would not necessarily include the time needed to restore data. The situation does not indicate the recovery time objective (RTO). RTO is the specification of the maximum time it should take to get back to operational status, There are ways to reduce the RTO, such as having hot sites with equipment ready and data loaded. However, the shorter the RTO, the more expensive the support The situation does not indicate the recovery point objective (RPO). The RPO refers to the maximum acceptable amount of data loss after recovery. For example, if your organization can accept losing the last hour before the failure, you have an RPO of one hour. Reducing RPO requires more frequent backups and often the use of redundant data storage. The shorter the RPO, the more expensive it is to support. The situation does not indicate the mean time between failures (MTBF). The MTBF specifies how much time should pass, on average, between failures. You would use this in your disaster planning to determine frequency of occurrence.

The basic formula for calculating ALE uses what two values? Choose the correct answers Maintenance and upkeep costs relating to risk avoidance The estimated number of days required to recover from a risk occurrence The number of times you can expect a risk to occur during a year The relative priority of recovering lost resources Revenue loss from a single risk occurrence

Explanation The basic formula for calculating ALE (Annualized Loss Expectancy) is: ALE SLE • ARO Two values are included in the calculation. You multiply the revenue loss from a single risk occurrence (Single Loss Expectancy or SLE) by the number of times you can expect a risk to occur during a year (Annual Rate of Occurrence or ARC)). The value for ARO does not have to be a whole number. For example, if you can expect a risk to occur once every 20 years, the ARO would have a value of .05 (the decimal value for 1,'20)_ The relative priority of recovering lost resources is not part of your ALE calculation. It is, however, important to recovery planning as it allows you to focus on the most critical resources. Maintenance and upkeep costs are ongoing expenses and are not part of the ALE calculation. Most, if not all, maintenance and upkeep could be considered as helping to prevent risk occurrences. The estimated number of days required to recover from a risk occurrence would be included in revenue loss relating to the occurrence, but it would not be used directly (or by itself) in the calculation.

Internal security determines that an insider threat has resulted in unauthorized distribution of PII about company employees and customers. Security personnel are working with network administrators to minimize the risk of this occurring again in the future. What is the BEST way to avoid this in the future? Choose the correct answer Use URL filtering. Implement MDM. Configure DLP. Fine-tune firewall settings.

Explanation The best way to prevent the data exfiltration of personally identifying information (PII) described in the scenario is to configure data loss prevention (DLP). DLP is used to protect data and to help companies meet regulatory requirements. DLP defends against data loss and data leakage. The company should not implement mobile device management (MDM) to mitigate its data leakage issues. MDM is used to control, secure, and enforce policies on mobile devices. Although MDM does provide for some data protections, such as data encryption on mobile devices, but it does not prevent enterprise-level data exfiltration. The company should not use URL filtering. URL filter is a way of helping protect users browsing the internet by configuring URL blacklists (to explicitly block access) or URL whitelists (to explicitly allow access). URL filtering does not provide specific protection against data exfiltration. The company should not fine-tune firewall settings as its primary means to prevent data exfiltration. Fine- tuning firewall settings involves using firewall rules to control traffc through the firewall, such as controlling traffc between the network and the internet. Firewall rules do not include rule criteria based on specific types of sensitive data.

A company decides to implement a COPE policy for mobile devices. The company wants to block users from access to game and social media apps while at work. The company also wants to prevent the use of some custom company apps when the user is away from work. What should the company use to accomplish this? Choose the correct answer Geolocation Context-aware authentication Geofencing Containerization

Explanation The company has chosen a corporate-owned personally enabled (COPE) policy for mobile devices. This means that the company owns the mobile devices that are made available to users. Other options include bring your own device (BYOD) and choose your own device (CYOD) policies. A COPE policy gives the company the greatest control over the devices. The company should use geofencing. Geofencing uses the device's global positioning sensor (GPS) to determine the device location. You can configure restrictions as to which apps are available based on device location, The company should not use geolocation. Geolocation is similar to geofencing in that it also uses the device's GPS to determine its location but does not let you configure app restrictions. The company should not use containerization. Containerization is way to configure a safe location for corporate data on a mobile device. It is not used to control app access. The company should not use context-aware authentication. Context-aware authentication is used to include information such as locatlon and time of day to allow or block authentication but does not control access after authentication.

A company is concerned about users sending sensitive information to recipients outside of the network. This is a concern due to potential insider threats and the need to meet stringent data privacy requirements. What should the company implement to help prevent this? Choose the correct answer Hashing DNS sinkhole DLP SSUTLS

Explanation The company should implement data loss prevention (DLP). DLP refers to software solutions used to classify data and ensure that users cannot send critical or sensitive data outside of the company network. DLP is used to help prevent both accidental and malicious data disclosure. The company should not use secure sockets layer (SSL)/transport layer security (TLS) to prevent data disclosure by users. SSL/TLS are data encryption protocols used to encrypt data sent between network hosts. One common use is with Hypertext Transfer Protocol Secure (HTTPS), which is used for secure communication between users and websites. The company should not implement a Domain Name System (DNS) sinkhole. This is a method used to intercept DNS requests that attempt to connect users with known unauthorized or known malicious URLs. This is used to prevent users from communicating with known malicious internet destinations. The company should not implement hashing. Hashing is used to generate a unique, fixed-length string based on input values and a hashing algorithm. Hashing is used as a file validation method and is commonly used to determine if a fle was changed during transmission.

A company wants to introduce a new enterprise mobility strategy for all users. Which deployment model will the enterprise use if it wants to allow an employee to choose a mobile phone from a company- approved list of devices? Choose the correct answer BYOD VDI COPE CYOD

Explanation The company should implement the Choose Your Own Device (CYOD) model. C YOD offers a list of approved devices that can also be used for private purposes. Bring Your Own Device (BYOD) does not meet the requirements specified. BYOD allows employees to choose any device they want and use it in the corporate network. Corporate Owned, Personally Enabled (COPE) is a strategy in which a mobile device is chosen by a company, but it can be used for personal activities as well. BYOD adds challenges for companies because of no clear usage policies, potential data breaches, and no clear corporate responsibility. COPE addresses a lot of these issues but does not allow an employee to choose a mobile device. Virtual desktop infrastructure (VDI) allows an employee to connect to a hosted server using a private device. VDI offers improved security and centralized management. VDI can be used as a BYOD strategy and reduce the risk of stolen or lost data, because all information is hosted in a secure data center.

A company needs to ensure that, if anyone enters the server room after hours, the doors are locked and cannot be opened from the inside. The company wants to minimize the recurring costs related to the solution. What should the company install? Choose the correct answer Mantrap Motion detector Security guard Video surveillance

Explanation The company should install one or more motion detectors. Motion detectors will detect any movement in the server room and can be used to enable server room locks. The company should not install a mantrap. A mantrap is used to control entry into a secure area by passing through a small room with two doors. The first door must be closed and secured before the second door can be opened. The company should not use a security guard. You could have a guard to monitor the server room, but using a security guard would increase the recurring cost of the solution. The company should not use video surveillance. This would provide a way to document anyone in the server room, but it could not be used to lock the server room unless someone who can lock the door monitors the live video feed.

A company needs a single SSL certificate that can be used across the following domains: • company.com • company.org • company.net • company2.com • dev.company2.com Secure access is required for external users. What type of certificate is needed? Choose the correct answer Wildcard SAN Self-signed Root

Explanation The company should use a multi-domain Subject Alternative Name (SAN) certificate. A SAN certificate lets you list multiple domains for which the certificate is valid. All domains in the subject alternate name field of the certificate can be protected by the same certificate. The company should not use a wildcard certificate. A wildcard certificate is similar, but it allows for unlimited subdomains of the same domain. For example, a wildcard certificate for •.company.com could also be used with dev.company.com, but not with dev.company2.com. The company should not use a self-signed certificate. A self-signed certificate is generated internally for an application rather than issued by a certificate authority (CA). A self-signed certificate cannot be used across multiple domains and does not support external users. A self-signed certificate should be used during initial testing only. The company should not use a root certificate. A root certificate resides on the root CA within a public key infrastructure (PKI) hierarchy and is the source from which any other certificates issued inherit their authority.

A company's workforce includes several mobile users who access company resources through the internet. The company needs a cloud-based security solution that: Prevents users from accessing known malicious web sites • Enforces the company's acceptable use policies for internet access • Ensures that applicable regulations regarding data protection are applied Filters data to and from social media for protected devices The solution should include encrypted traffc analysis. What should the company use? Choose the correct answer CASB SWG WAF SIEM

Explanation The company should use a secure web gateway (SWG). An SWG meets the scenario's security requirements. The SWG protects users working in the offlce or outside the office who are accessing resources from the internet. An SWG can be implemented as on-premises or it can be cloud-based. The company should not use a cloud access security broker (CASB). A CASB provides protections between a company's on-premises network and a cloud provider. Protections include authentication services, web application firewall (WAF), data loss prevention (DIP), and firewall services. A CASB cannot enforce data regulations (other than DLP) or prevent access to third-party web sites. The company should not use security information and event management (SIEM). A SIEM system aggregates event data from multiple sources, identifies anomalous activity, and takes appropriate actions such as issuing an alert about the action. It does not provide the protections needed in the scenario.

A company institutes a C YOD policy for end-user mobile devices. Users have sometimes downloaded potentially dangerous apps while at work. The company wants to limit the devices to a set of preselected apps only while users are at work. The company wants to minimize the effort to implement and maintain this restriction. What should the company use? Choose the correct answer Application approved list Quarantining Application blocked list Application deny list

Explanation The company should use an application approved list. also referred to as whitelisting. You would configure a list of approved apps and deny or block other apps from the device. This will require updating the devices if the approved apps list changes. This would be combined with geofencing or geolocation for location detection. This can be somewhat automated through use of mobile device management (MDM) tools. In a choose your own device (CYOD) environment, the company provides pre-approved mobile devices from which employees can select. The employee is responsible as owner of the device and, in many cases, has the option of purchasing the device. The company should not use an application blocked or application deny list. These are both examples of blacklisting, which is explicitly listing the apps that cannot be run on the device. The implementation and management of this method of controlling access to application would be diffcult because of the number of apps that would need to be included on the list. The company should not use quarantining as a way to control app access. Quarantining is most often associated with anti-virus and antimalware as a way of preventing access to suspected malicious apps-

A company wants to implement a federated identity authentication service that provides login credential authentication for user and internet-connected devices. The solution should support a single identity token across various platforms, application, and networks. What should the company use? Choose the correct answer CASB IdP PKI TPM

Explanation The company should use an identity provider (ldP), sometimes referred to as an authentication as a service (AaaS) provider, The ld? is a third-party authentication authority that works like a directory service such as Microsoft's Active Directory (AD). When used in an enterprise environment, AD can be considered an ldP. Other ldPs currently available for solutions include Google, Microsoft Azure, and Amazon Web Services. The company should not use a public key infrastructure (PKI). An ld? can be used for authentication based on certificates, but a PKI is not required for using ldP. Even when using certificates for authentication, it is not necessary for a company to implement its own PKI. It could instead use certificates issues by a public The company should not use a cloud access security broker (CASB). A CASB provides protections between a company's on-premises network and a cloud provider. A CASB does not support use as an ld? for a federated identity system. The company should not use trusted platform module (TPM). The TPM is security hardware installed in a computer system that stores encryption keys to support applications such as disk encryption.

A developer is preparing to deploy an e-commerce website. The website uses dynamically generated web pages based on user input. This is a requirement for the application running on the website. The site must be designed to prevent cross-site scripting attacks. What should the developer do? Choose the correct answer Implement URL filtering. implement user input validation, Use only inline JavaScript, Use encrypted cookies.

Explanation The developer should implement user input validation. Cross-site scripting (XSS) uses code passed through user input to attack online applications. The script passed usually includes HTML tags and script code. Tags commonly used in a XSS attack include SCRIPT>, 4PPLET>, and Input validation lets you check for tags and other content that identifies an attempted XSS attack, letting you block the input, In some cases, you might have the user's connection broken at the same time. XSS attacks can use a number of different technologies in the attack, including JavaScript, VBScript, HTML, Perl, • , ActiveX, and Flash. using encrypted cookies will not mitigate the risk of an XSS attack. using encrypted cookies will mitigate the risk that an authentication cookie might be used to hijack a user's session. using only inline JavaScript will not increase security in any way. Implementing URL filtering will not prevent XSS attacks. URL filtering is used to prevent clients from accessing a specific website.

A newly deployed API is frequently targeted by successful buffer overflow attacks that cause the API to hang or crash. Application logs show numerous entries where malformed data was submitted by various API clients who used SSL to encrypt their sessions. As part of their analysis, the developers must ensure that the API can process input without issues. Which of the following actions should the developer take? Choose the correct answer Distribute source code and employ static code analysis. Deploy automated dynamic code analysis and record output. Test the applications with fuzzing tools. Perform a manual code review.

Explanation The developers should use fuzzing. Fuzzing is an automated process that sends random or malformed data to an application in an attempt to trigger unplanned behaviors or failures. This approach can be used to discover buffer overflow and other vulnerabilities in which an application does not properly process input. Fuzzing is also referred to as fuzz testing. Static code analysis is a form a white box application testing. During static code analysis, code is manually reviewed, often line by line, to discover vulnerabilities. Although it is time consuming, static analysis can uncover vulnerabilities that would be missed by automated analysis methods. Dynamic code analysis is a form of black box application testing. In dynamic code analysis, the application is executed, and output is monitored. This method may discover buffer overflow vulnerabilities, but that is not its primary design purpose. Unlike static code analysis, the application code is not reviewed during dynamic code analysis. Black box analysis is a dynamic testing method that involves running an application and monitoring output. This method is may discover buffer overflow vulnerabilities, but that is not its primary design purpose.

A company's incident response team and the Chief Security Offcer identify an employee who is working with an outside threat actor to compromise and exploit network resources. The team moves to seize the employee's desktop computer and mobile devices. The team wants to ensure that the seized artifacts can be used as evidence in any legal proceedings. What should the team do FIRST? Choose the correct answer Start a chain of custody for each device. Run a full backup of each device. Create a hash for every file on each device. Create a digital image clone of all storage media.

Explanation The first thing the team should do is start a chain of custody for each device. This is required if the devices seized might be used as evidence in any legal proceedings. The chain of custody form records the sequence of custody, control, transfer, analysis, and disposition of any artifact that might be used as evidence. This should be done before any analysis or other activity is done on the devices. The team should not create file hashes before the chain of custody. If data is hashed it would need to be documented in the chain of custody. Rather than hashing files on the original devices it is more likely that the team would create data images and then apply hashes to those images. The team should not run a full backup or create digital image clones of the data on the devices. It is likely that the team will create image clones where possible, but not until after the chain of custody is in place. A team might create full backups, but disk images are typically more useful for digital forensics because the images are exact copies of the storage media.

Which are valid examples of multifactor MFA requirements? (Choose two.) Choose the correct answers Retina scan and voice analysis Password and PIN Retina scan and password Smart card and PIN Access token and smart card

Explanation The following are valid examples of MFA requirements: • Smart card and PIN • Retina scan and password MFA requires the user to provide at least two different types of authentication factors, which can include: Something you know • Something you have • Something you are A smart card and PIN require something you have and something you know. A retina scan and password are something you are and something you know. A password and PIN do not qualify because both are something you know A retina scan and voice analysis do not qualify because both are something you are. An access token and smart card do not qualify because both are something you have. MFA is sometimes defined as including both authentication factors and attributes. Authentication attributes include: • Somewhere you are Something you can do • Something you exhibit • Someone you know Depending on how you define authentication attributes, they can overlap with authentication factors.

After organizing an incident response team, the team's leader wants to guide the team through a mock incident. What should the team leader do? Choose the correct answer Request members to review the incident response plan checklist. Schedule a tabletop exercise for all team members. Schedule a parallel test and include IT Services. Perform a group-based threat modeling exercise.

Explanation The incident response team leader should schedule a tabletop exercise for all team members. A tabletop exercise allows an incident response team to convene and review each member's role. Additionally, the team can work through a scenario and talk about how they would respond and the actions that would be taken at each step. During this exercise, no changes are made to production systems. The incident response team leader should not perform a group-based threat modeling exercise. Threat modeling is the process of identifying and evaluating threats. Threat modeling is an important part of risk analysis. However, given the scenario in the question, this should have already occurred. The incident response team leader should not ask each member to review the incident response plan checklist. This is sometimes referred to as a checklist review and allows each member to read through the plan and evaluate the plan on their own, prior to meeting as a team. The incident response team leader should not schedule a parallel test and include IT Services. Parallel tests are done as part of disaster recovery planning and involve activating a disaster recovery site to test the activation process.

A company's internal incident response team is responding to a suspected insider threat attack, The attack was traced back to an Ubuntu Linux desktop computer. The incident response team needs to make an exact copy of the computer's hard disk. What command should the incident response team use? Choose the correct answer dd dig cp rsync

Explanation The incident response team should use the Linux dd command. This dd command lets you clone a hard disk, making an exact image copy of the hard disk _ You could use a command string similar to the following: if=/dev/sda This would create an exact copy of the of the hard disk sda on the device sdb. The team should not use the cp command. This is a file-by-file copy command. It would let the team copy all accessible files but does not create an identical image. The team should not use the rsync command. The rsync command is used to transfer files between two locations. As with cp, this is a file-by-file copy utility. The team should not use the dig command. The dig command is not a disk copy command. It is used to query Domain Name Service (DNS) servers and perform DNS lookups, It is commonly used when troubleshooting suspected DNS problems,

A segment of a company's network is periodically overwhelmed with traffc from an older network switch, causing communication problems. The problem occurs on one switch only, and the increase in tramc occurs only on the subnet on which the switch is deployed. Resetting the switch corrects the problem. What type of network attack does this indicate? Choose the correct answer MAC flooding MAC spoofing DNS poisoning DDOS

Explanation The indicators reported are symptoms of a Media Access Control (MAC) flooding attack. A device's MAC address gives the device a unique identity. A switch builds a table of connected MAC addresses in Content Addressable Memory (CAM). In a MAC flooding attack, a threat actor sends a stream of false MAC addresses and eventually overflows the CAM table. The switch will begin to act as a network hub at that point, sending all tramc through without any filtering. The symptoms are not an indicator of MAC spoofing. In MAC spoofing, the attacking system uses a false MAC address, usually impersonating a valid network client by using that device's MAC address. A Distributed Denial of Service (DDoS) attack is not indicated. In a DDoS attack, a network or targeted servers are flooded with traffc from multiple external sources, resulting in network errors and possibly crashing the servers. A DDoS attack is not indicated because additional traffc has not been detected outside of the affected subnet, A Domain Name Service (DNS) poisoning (DNS cache poisoning) attack is not indicated. In a DNS poisoning attack, the attacker introduces incorrect DNS mappings into the DNS cache. When the attack is under way, computers requesting address information from DNS are given the incorrect information, and traffc is directed to the wrong location.

A file server is deployed on a company's on-premises network. A security review finds that several ports open for services are not in use on the computer. What is the MOST likely risk associated with this? Choose the correct answer The computer is configured with default settings. users may be unable to recognize the server as a file server. The computer's attack surface is unnecessarily increased. unsecure protocols are currently in use on the computer.

Explanation The most likely risk is that the computers attack surface is unnecessarily increased, Each open port is a possible backdoor that an attacker can use to infiltrate a computer. You should limit open ports to only those ports needed by services in use on the computer. This does not indicate that the computer is configured with default settings. Default settings for host firewalls are usually used to open a minimum number of ports and configure additional open ports as necessary. A computer configured with default settings carries an inherent security risk in that these settings are well known by potential attackers and do not represent an optimum security configuration, Having additional open ports does nothing to make users unable to recognize the server as a file server. End users will typically not have any idea of what ports are open on a computer unless a port needed to support a service has been closed. This does not necessarily mean that unsecure protocols are currently in use on the computer. Because the open ports are not associated with services in use on the computer, it is more likely that the ports are not currently in use unless an active attack is underway.

An organization supplies each employee with a laptop and smartphone. The organization wants to ensure that users can only successfully authenticate using an Android-based MFA app after their location is determined using GPS coordinates. What should the organization do to meet this requirement? Choose the correct answer Configure network-based tracking for each mobile device. Configure geofencing policies for each users laptop. Configure geotagging for all authentication approvals. Configure IP geolocation tracking for each users laptop.

Explanation The organization should configure geotagging for all authentication approvals. Geotagging appends coordinates derived from a Global Positioning System (GPS) to photos, files, and other server requests. Based on this information, an authentication system can allow or deny authentication based on attributes such as physical location, time and distance between logon attempts, or other information. Internet Protocol (IP) geolocation tracking locates devices based on information from IP address registry databases. While IP location can be very accurate, it only exposes the location of the IP address. A user could easily spoof their location by using a virtual private network (VPN)_ Geofencing uses a device's location to enforce certain policies or settings. For example, based on a device's location, an application might be enabled or disabled. In this scenario, configuring geofencing for each user's laptop does not guarantee the location of their smartphone, which is where the Multifactor Authentication (MFA) app is located. Network-based tracking for each mobile device provides very accurate location information for cellular devices. However, this method does not use GPS and instead relies on triangulation between cellular towers.

An organization prepares to deploy specialized medical systems that will remotely collect and monitor health information from each patient's home, The remote systems have limited hardware capabilities, and patients should not be required to purchase additional equipment or perform complex configurations. What should the organization do to ensure that PHI is protected? Choose the correct Configure a VPN concentrator with remote device accounts. Configure tunnel mode IPsec on organization routers. Deploy X,509 certificates on organization web servers. Deploy a NAT gateway and configure restrictive ACLs.

Explanation The organization should deploy X.509 certificates on its web servers. X, 509 certificates are used in Public Key Infrastructure (PKI) to facilitate secure network communications. Protocols such as Transport Layer Security (TLS) use x,50q certificates, In this scenario, once certificates are configured on each web server, the remote medical systems can connect, establish a TLS session with the web server, and securely transmit health information, No additional configuration is required on the remote systems, Internet Protocol security (IPsec) is a suite of protocols that can be used to protect data in motion and is often deployed across the internet as part of a virtual private network (VPN), IPsec tunnel mode is used between routers to protect data in motion, In this scenario, it is highly unlikely that patients would be able to deploy IPsec-capable routers in their homes. A Network Address Translation (NAT) gateway typically sits between public networks like the internet and private networks and allows privately addressed nodes to access and be accessed by publicly addressed nodes. While a NAT gateway with restrictive access control lists (ACLs) could help protect the organization's servers, it will not protect personal health information (PHI) sent from a patient's home, A VPN concentrator with remote device accounts should not be configured. Installing a VPN concentrator (or server) can reduce a network's attack surface if users cannot access network resources outside of an authenticated, secure VPN connection. However, this requires that a VPN agent be installed and configured on each remote device, which cannot happen in this scenario.

An organization implements a distributed, cloud-based app using resources and services from multiple CSPs. App nodes authenticate with one another using shared secrets _ The organization equipped each node with trusted x_sog certificate. Which method should the organization use to ensure that shared secrets can be sent securely and can only be decrypted by the destination node? Choose the correct answer Encrypt the shared secrets with the destination node's private key. Encrypt the shared secrets with the sending node's private key. Encrypt the shared secrets with the destination node's public key. Encrypt the shared secrets with the sending node's public key.

Explanation The organization should encrypt the shared secrets with the destination node's public key. Public Key Infrastructure (PKI) keys come in asymmetric pairs, which means that when one key is used to encrypt data, the corresponding key is used to decrypt that same data. The public key is shareable and is embedded in an X.50g certificate. The private key is not sharable. In this scenario, using the destination node's public key to encrypt shared secrets means that they can only be decrypted using the corresponding private key, which only the destination node holds. Any shared secrets encrypted with the sending node's public key can only be decrypted with the sending node's private key. The destination node does not hold this key and therefore cannot decrypt the shared se crets_ Any shared secrets encrypted with the destination node's private key can be decrypted by the destination node's public key. Since public keys are meant to be shared, any entity with the destination node's certificate could decrypt the shared secrets. Any shared secrets encrypted with the sending node's private key can be decrypted using the sending node's public key This key is sharable via a certificate, which means other entities besides the destination node could decrypt the shared secrets _

An organization plans to deploy a centrally managed wireless network that will require a PKI_ The organization needs to ensure that user onboarding is as seamless and error free as possible. What should the organization do first? Choose the correct answer Obtain a certificate from a public CA Install and configure a CA. Obtain a self-signed certificate. Generate a CSR.

Explanation The organization should generate a Certificate Signing Request (CSR) first. CSRs are generated by applications, users, or services and are submitted to a publicly trusted Certificate Authority (CA) for validation. The CSR identifies the certificate owner and is used by the CA to generate an X_509 certificate. Certificates generated by public CAS are typically inherently trusted by client systems and browsers. Any certificates issued by one of these authorities or their subsidiaries are automatically trusted. Once a CSR is generated, it can be submitted to a public CA for validation. The CA will then issue a Secure Sockets Layer (SSL) certificate to the client. Notably, although SSL is still commonly used when describing secure Internet communications, it has been replaced by the more secure Transport Layer Security (TLS)_ The terms are often used interchangeably. A self-signed certificate is generated by the certificate holder or a related entity, and its authenticity and validity is not independently verified. Because they are not inherently trusted, most client systems and browsers will display an alert to a user indicating that the certificate is not from a trusted source. An X_509 certificate can be generated by private or public CAs_ A public CA is a trusted entity that uses its own methods for validating a certificate requestor prior to issuing the certificate. This allow an entity to present a certificate from a trusted third-party as a form of authentication. If the organization installs and configures their own CA, the certificates issued by this CA will not be inherently trusted.

Following several zero-day attacks where vulnerable web servers were used to gain access to internal resources, an organization decides to replace the existing NIDS system with a NIPS_ A network tap is created on the organization's core switch and the NIPS is configured for anomaly-based detection. However, a new attack successfully compromises a server. Which action should the organization take? Choose the correct answer Install the NIPS inline with the servers. Move the NIPS to the DMZ. Forward all firewall traffic to the NIPS. Enable signature-based detection.

Explanation The organization should install the Network-based Intrusion Prevention System (NIPS) inline. A network tap copies or mirrors tramc to a monitoring port or destination. As a result, network taps can only be used for passive monitoring or intrusion detection. To prevent intrusions, a NIPS must be installed in the tramc flow so that it can block malicious packets. Moving the NIPS to the demilitarized zone (DMZ) will not necessarily prevent web server breaches. The NIPS must be installed inline with the web server to detect and mitigate attacks. Signature-based detection relies on predefined signatures to detect attacks. In this question, the web servers were compromised by zero-day attacks, which means there were likely no signatures for these attacks. Anomaly-based detection is the best defense against such attacks. The organization should not forward Next Generation Firewalls (NGFVV) tramc to the NIPS_ Forwarding tramc from the firewall is another tap method and only allows passive intrusion detection.

In order to increase security, an organization that stores PHI has decided to implement tokenization of sensitive data, What should the organization do with the original data that was tokenized? Choose the correct answer Mask the data and store it with the token. Store it in an encrypted file or database. Hash the data and store it offline. Discard the data because it is no longer needed.

Explanation The organization should store the original data in an encrypted file or database. Tokenization is designed to protect Personal Health Information (PHI) and other sensitive information by replacing the original data with data in the same format, Most tokenization methods use random character replacement and store the original-to-tokenized data mapping in an encrypted database or file. If the tokenized data is compromised, will be of little use to an attacker. The organization should not discard the original data. The token itself is random and only serves as a placeholder for the original data. If the original data is lost or deleted, the token is useless, The organization should not hash the original data and store it offline. Hashing algorithms produce fixed- length, irreversible output. Hashes are often used to verify data integrity. The organization should not mask the data and store it with the token. Masking permanently replaces the original data. The new data may be in the same format as the original data, but this is not a requirement. For example, a Social Security number may be masked with the symbols

An organization collects extensive cyber threat intelligence (CTI) and would like to share this information with partners. Which of the following should the organization use when formatting and structuring this information? Choose the correct answer TAXII OSINT XML STIX

Explanation The organization should use Structured Threat Information Expression (STIX). STIX is a standardized formatting language that can used to structure cyber threat intelligence (CTI). STIX was developed for this singular purpose and allows diverse organizations to share CTI using a commonly understood and accepted format. This also allows CTI to be serialized in such a way that it can be automatically consumed by Intrusion Detection Systems (IOS) and other security platforms. Trusted Automated Exchange of Intelligence Information (TAXII) is closely tied to STIX and provides the underlying protocols that facilitate CTI sharing. TAXII facilitates this sharing between Clients and Servers using Hypertext Transfer Protocol Secure (HTTPS). However, TAXII is not used to format CTI. Open source intelligence (OSINT) is publicly available information that a potential attacker or security researcher can use to learn more about how and where an organization operates. Attackers use OSINT during the reconnaissance phase of an attack. Extensible Markup Language (XML) is a markup/formatting language that is designed to be human-readable. XML consists of hierarchical trees of elements that include start and end tags, as well as optional attributes. Technically, XML could be used to format any type of structured data. However, STIX is an open-sourced language designed for this very purpose.

An organization is concerned that privilege creep may lead to data exfiltration. Which principle or practice should the organization implement to mitigate this risk? Choose the correct answer Discretionary access Mandatory vacations Job rotation Least privilege

Explanation The principle of least privilege helps prevent authorization creep. Authorization creep is most common when users are granted new privileges as part of a role or job title change. When new privileges or rights are granted, existing access is usually not reviewed. By implementing the principle of least privilege, each user's access would be periodically evaluated to ensure that the user has only the permissions they need to perform their duties. Authorization creep is also referred to as access creep or privilege creep. The practice of mandatory vacations is not used to prevent authorization creep. Mandatory vacations are used to detect fraud. When an employee is on vacation, it is unlikely they will be able to conceal fraudulent activities, particularly if a co-worker performs their duties while away. The practice of job rotation is not used to prevent authorization creep. While job rotation can help employees to cross-train, it can also serve to detect and deter fraudulent behavior. The principle of discretionary access is not used to prevent authorization creep. Access control is used to limit what a user can do and is commonly associated with file or folder access. In a discretionary access control (DAC) model, file owners or those with similar privileges can grant access to other groups or users.

A penetration tester's tools cause an out-of-scope web server to crash, leading to a prolonged outage, Which of the following documents, if followed by the tester, would have prevented this situation? Choose the correct answer Master service agreement Rules of engagement Non-disclosure agreement Statement of work

Explanation The rules of engagement document, if followed, would have prevented this situation. The rules of engagement document outlines how a penetration test will be conducted and should include client information, notification instructions, and a project summary. One of the most important elements of this document will be a scope statement that defines the applications, systems, and networks that are within the scope of testing, A statement of work (SOVV) defines deliverables for a penetration testing project. This should include when and where the work will take place and the project's cost. A nan-disclosure agreement (NDA) protects all information discovered during a penetration test, including the test report, Additionally, an NDA should stipulate that the tactics, tools, and procedures (TTPs) used by the penetration tester to gain access to an environment not be disclosed. A master service agreement (MSA) is a high-level document that outlines a contractual relationship between two parties. It may include information about the purpose of the relationship, an overview of the type of projects or work that may be completed, and dispute resolution procedures,

A user reports odd behavior when attempting to access network resources from their Windows laptop. While reviewing the Host-eased Intrusion Detection System (RIDS) logs on the laptop, a security administrator discovers that files in the directory have been modified. Which type of attack has the security administrator most likely uncovered? Choose the correct answer MAC cloning Domain hijacking Man-in-the-Middle DNS poisoning

Explanation The security administrator has uncovered a Domain Name System (DNS) poisoning attack that adds a new or overwrites an existing cached hostname to Internet Protocol address entries. For example, an attacker could add an invalid DNS cache entry for comptia.org such that when a user navigates to comptia.org they are instead directed to a malicious website. On a Windows system, the file that initially populates the DNS cache is known as the hosts file and is stored in the directory. Media Access Control (MAC) cloning does not rely on changes to system files. MAC cloning involves mimicking the MAC address of a target host. By imitating another host in this way, an attacker can intercept network traffc meant for the target. Domain hijacking involves manipulating domain registrations in public domain name registries. In domain hijacking, the attacker is attempting to steal a domain name. A Man-in-the-Middle (MITM) occurs when an attacker intercepts communications between two nodes. Depending on the sophistication of the attack, the attacker may be able to read and even modify data in transit between the nodes. DNS poisoning, Address Resolution Protocol (ARP) poisoning, and Dynamic Host Configuration Protocol (DHCP) spoofing can all be used to perpetrate a MITM attack _

A company deploys a highly advanced HVAC system in a datacenter. Which two security measures should a security S#cialist recommend for that system? (Choose two.) Choose the correct answers Integrate with internal network Isolate HVAC management devices. Install cameras and alarms. Install a DLP system. Move all systems to the cloud.

Explanation The security specialist should recommend installing IP cameras and alarms systems and isolating HVAC management devices. Heating, ventilation, and air conditioning (HVAC) systems should be protected by installing cameras, closed circuit TV (CCTV), and alarm systems _ The company should isolate the HVAC management devices and never allow connections from the internal network _ If HVAC has access to the Internet, the security specialist should secure this connection and use a Virtual Private Network (VPN) to connect. The company could consider adding a log book for all visitors and audit all systems on a regular basis to identify unauthorized access attempts. The security specialist should not recommend a Data Loss Prevention (DLP) system here. DLP could be used to avoid potential data breaches and loss of confidential information. DLP allows you to block unauthorized file uploads to external servers and protects sensitive files. The security specialist should not move any systems or files to the cloud. By using a cloud solution, he can introduce new risks and vulnerabilities. The security specialist should isolate the HVAC network and restrict access to it.

The incident response team copied several files to removable media as part of its digital forensics after a security-related incident. The team wants to ensure that it can identify whether any of the files are accidentally or maliciously modified after collection. What should the team do? Choose the correct answer Generate a hash on each of the files. Start a chain of custody form. Encrypt each of the files. Designate a legal hold.

Explanation The team should generate a hash on each of the files. Applying a hash algorithm generates a unique value for the file. Using the same hash algorithm later should generate the same value, indicating that the file has not changed. The team should not designate a legal hold. A legal hold is used in the context of an operating environment to prevent critical data from being deleted or modified. There is no way to reliably place the contents of removable media on legal hold. The team should not start a chain of custody form as a way of verifying the files. A chain of custody form would likely be used to indicate who has had access to the storage media and when and how it has been stored. This does not prevent the files from being modified or provide a way to identify whether they have changed. If the files do change, the chain of custody can be helpful in identifying who might have made the changes. The team should not encrypt the files. Encryption is used as a way to restrict access to the file, Encryption is not used to identify whether a file has been changed. Someone who has access to the encryption keys could decrypt, modify, and then re-encrypt the file. The encryption and decryption process can introduce subtle changes to a file.

A penetration tester gains access to a computer running Windows Server 2016 that is deployed on a company's perimeter network _ The server is configured as a VM host. The tester is able to compromise the host operating system. The tester wants to ensure the ability to gain access to the computer in the future. What should the tester use? Choose the correct answer VM escape Pivoting Privilege escalation Persistence

Explanation The tester should use persistence. The tester can use persistence to configure a backdoor into the compromised system, making it easier to get access to the system in the future. Persistence can be configured in various ways, such as using start up or login scripts or by modifying the system registry. The tester should not use pivoting. Pivoting is a technique in which you use a system that you have already compromised as a platform to compromise another system. It is often used to compromise a system on a different network segment. It is not a way of ensuring access back into the initially compromised system. The tester should not use privilege escalation, After gaining access to a system, privilege escalation is used to gain greater access that is not normally available to the credentials used in the initial compromise. The tester should not use virtual machine (VM) escape. VM escape is used after accessing a VM to gain access to and interact with the host operating system. In this scenario, the tester already has access to the host operating system.

A portion of the results of a recent security audit are shown in the table in the exhibit. What should be done to correct the vulnerability shown in the exhibit? Choose the correct answer Set the password minimum age policy. Set the password minimum length policy. Set the password maximum age policy. Set the password complexity policy.

Explanation The vulnerability shown in the table is that User27's password has not been changed in 340 days. The longer a user continues to use the same password, the more likely is that the password might be compromised. Settings the password maximum age policy will force password changes. There is nothing to indicate a need to change the password minimum age policy. This policy is used as a way to prevent users from bypassing restrictions on reusing passwords, There is no need to set or change the password complexity policy. All passwords shown would meet most password complexity requirements. For a password to be considered complex, it should include characters from at least three of the following five categories: Uppercase characters • Lowercase characters • Base 10 digits (O through 9) • Nonalphanumeric characters + • Unicode characters not categorized as uppercase or lowercase There is no need to set or change the minimum password length. All passwords are at least eight characters long, which is generally considered suffcient.

A network administrator backs up the server by using an incremental backup strategy. He uses seven ta#s, one tape per day, and he performs the backup at the end of each business day. He does a full backup on Friday and Tuesday and an incremental on the other days (Sunday, Monday, Wednesday, Thursday, and Saturday). The server crashes on Sunday morning before the opening of business. How many tapes will he use to perform the restore on Sunday? Choose the correct answer 1 2 3 4

Explanation There are three main backup strategies used in networking - full, incremental, and differential. A full backup strategy backs up all data and takes the maximum amount of time. The archive bit is cleared to indicate that the data has been backed up. The fastest restore strategy is the full backup strategy. An incremental strategy backs up all changed data since the last full or incremental backup. The archive bit is cleared in an incremental backup. The fastest backup strategy is the incremental. A differential backup strategy backs up all changed data since the last full backup. The archive bit is not cleared. Therefore, all data changed since the last full backup, no matter what day it is changed, is backed up in a differential strategy. Differential backups take longer than incremental backups to perform, but they provide a faster restore process than incremental backups. Incremental and differential strategies should not be combined. In this scenario, the server crashed before business on Sunday. There was a full backup on Friday and an incremental backup on Saturday. To restore the server, the administrator would have to use both of those tapes.

A security analyst receives an email message that appears to be from the IT director at the company. The email warns the analyst about a zero-day virus and instructs him to find and delete a certain file on the computer. When the security analyst deletes the file, the computer no longer boots. Which attack methods were used? (Choose two.) Choose the correct answers Hoax Impersonation Evil twin Brute force Spear phishing Dumpster diving

Explanation This attack uses impersonation to make it more likely the victim will fall for a computer virus hoax. An attack that uses impersonation is more effective if the person being impersonated is someone with authority, someone who the victim trusts, or who is, at least, familiar to the victim. A computer virus hoax is a fraudulent email describing a virus. In the worst computer virus hoaxes, the user is instructed to perform an action that is harmful to the computer. A computer hoax attack is more effective if the victim is led to believe that something bad will happen if they do not act - a form of intimidation. This attack is not a spear phishing attack. Although, in a spear phishing attack, the email appears to come from someone you know, the payload of a spear phishing attack is a link to a malicious website. This attack is not an evil twin attack. An evil twin attack is a Wi-Fi attack in which a rogue access point is configured to gather information by eavesdropping. Users connect to the evil twin, thinking that it is the

A security administrator discovers attempts to compromise a Web site. The attacks are based on commands sent from authenticated users' Web browsers to the Web site. The commands execute at the user's permission level. Users who have been contacted had no idea that the commands were being sent from their computers. What kind of attack does this represent? Choose the correct answer Cross-site request forgery Buffer overflow SQL injection Cross-site scripting

Explanation This is a cross-site request forgery (CSRF or XSRF) attack. In this type of attack, the user's browser is tricked into sending an HTTP request to the target Web site. The Web site trusts the user and executes requests sent by the user. The user can either be logged onto the target Web site, or simply have a saved cookie that is valid for authentication. This is not an example of Cross-site scripting (XSS), though XSRF and XSS are related. XSS, instead of exploiting a Web site's trust of a user, exploits a user's trust of the Web site. With XSS, malicious client-side scripting code is injected into the Web site and then downloaded to users' browsers. This is not an example of SQL injection. With SQL injection, SQL commands are embedded in user input and are then passed to a SQL database server for execution. This is not an example of buffer overflow In buffer overflow, an application overwrites its buffer, writing data into adjacent memory. This can make the application unstable or might cause it to crash or behave erratically. This is a potential vulnerability that is exploited by many hackers.

You download a file management application from the Internet. When you launch the application, your screen goes blank and your hard disk's active light starts flashing. You restart the computer and discover that your hard disk partitions have been deleted. This is an example of what kind of threat? Choose the correct answer Spyware Logic bomb RAT Trojan horse

Explanation This is an example of a Trojan horse (or Trojan). A Trojan horse is a program that appears to be one thing, but is actually something else. The Trojan horse contains a malicious application and is often data- destructive. Examples include programs at delete the file allocation table from a hard disk, delete disk partitions, delete or overwrite data or operating system files, and so forth. This is not an example of a remote access Trojan (RAT). Like a Trojan horse, a RAT masquerades as a different type of program, but rather than directly damaging the target, it opens a backdoor, exposing the computer to other threats, such as a keylogger. This is not an example of spyware. Spyware operates in the background, collecting information and sending it to another location. This is not an example of a logic bomb. A logic bomb is a type of malware that is designed to attack a computer system based on a specific event, such as a calendar date.

A subscription to a productivity application allows users in a company to create and share documents. The service is not hosted on a dedicated server. What two things is this an example of? (Choose two.) Choose the correct answers PaaS Hybrid cloud IaaS Community cloud Public cloud Private cloud SaaS

Explanation This is an example of a public cloud offering of software as a service (SaaS). Software as a service is an application that is hosted on a server. If a user or company subscribes to a hosted service that is utilized by many different companies, it is an example of public cloud. Infrastructure as a service (IaaS) is a cloud-based subscription that includes infrastructure services, such as networking, computing, and storage. An example of IaaS is HP Cloud Services. Platform as a service (PaaS) is a cloud-based subscription that provides services to support application development, including source code control, development platforms, and a database management system (DBMS). Microsoft Azure is an example of PaaS

An attacker modified the custom error pages for a website through data input through a data form on the website. Error pages are dynamically generated when an error occurs, and the page is rendered containing a script that directs the user to a malicious website. This is an example of what type of attack? Choose the correct answer SQL injection Privilege escalation Cross-site scripting Cross-site request forgery

Explanation This is an example of cross-site scripting (XSS). With XSS, malicious client-side scripting code is injected into the website and then downloaded to users' browsers. XSS is a specialized type of code injection attack. One of the best defenses against XSS is user input validation. This is not an example of privilege escalation. With privilege escalation, a user exploits a vulnerability that leads to the user gaining greater access privileges. This is not an example of SQL injection. SQL injection is more specific in that user input is used to pass commands to a SQL server for execution. It is also typically prevented through user input validation. This is not an example of cross-site request forgery (CSRF or XSRF). XSRF exploits the website's trust of the user account. XSRF attacks pass HTTP requests via an authenticated user.

Network access control is designed so that remote users are limited to accessing the network during normal business hours only. Policies regarding user access apply to all users. This is an example of which type of access control? Choose the correct answer MAC DAC Rule-based access control Role-based access control

Explanation This is an example of rule-based access control. In rule-based access control, access is defined by policies (or rules) established by an administrator. Users cannot change access settings set by administrators. Role-based access control assigns access permissions based on a user's job function in an organization. This is different than a group-based access control model because, while a user can be assigned membership in multiple groups, a user can only be assigned to one role within the organization. This is not an example of discretionary access control (DAC). In the DAC model, users have control over access to their own data or local computer resources. This model is used, for example, to manage security on client computers in a peer-to-peer network environment. This is not an example of mandatory access control (MAC). In the MAC model, a hierarchical access model is used with all access permissions set by administrators. Resource objects, such as data files, are assigned security labels that assign a classification and category to each object. Classification and category information is also assigned to each user account, and access is determined by comparing the user and object security properties.

When users log on to the domain, in addition to being given access to domain file resources, they are given access to a Microsoft SQL Server database server and an internal website through Windows integrated authentication. This is an example of which authentication model? Choose the correct answer Three-factor authentication DAC Two-factor authentication

Explanation This is an example of single sign-on (SSO). With SSO, a user is granted access to a variety of resources after a logon. This keeps the user from having to keep track of multiple passwords for resource access. SSO is supported with Windows integrated authentication, but it is also supported for Kerberos-based, smart card-based, one-time password token-based, and certificate-based authentication. This is not an example of two-factor or three-factor authentication. These are authentication methods, but they do not determine whether the user will be able to access multiple resources. Two- and three-factor authentication methods are based on a combination of what a user knows, what a user has, and what a user is or does. This is not an example of discretionary access control (DAC). DAC is an access control method in which users control access to resources they own.

When users log on to the domain, in addition to being given access to domain file resources, they are given access to a Microsoft SQL Server database server and an internal website through Windows integrated authentication. This is an example of which authentication model? Choose the correct answer Three-factor authentication sso DAC Two-factor authentication

Explanation This is an example of single sign-on (SSO). With SSO, a user is granted access to a variety of resources after a logon. This keeps the user from having to keep track of multiple passwords for resource access. SSO is supported with Windows integrated authentication, but it is also supported for Kerberos-based, smart card-based, one-time password token-based, and certificate-based authentication. This is not an example of two-factor or three-factor authentication. These are authentication methods, but they do not determine whether the user will be able to access multiple resources. Two- and three-factor authentication methods are based on a combination of what a user knows, what a user has, and what a user is or does. This is not an example of discretionary access control (DAC). DAC is an access control method in which users control access to resources they own.

A security administrator discovers that company confidential information is encoded into graphics files and sent to a destination outside of the company. This is an example of which kind of cryptography? Choose the correct answer Digital signature Hashing Steganography Ephemeral key

Explanation This is an example of steganography. Steganography is the process of hiding a "secret" message inside an ordinary message or file. The secret is often encrypted and then hidden to make it harder to discover and decode. Graphics files are commonly used because of the file size and because minor changes can usually be made to pixel colors without them being easily detected. For example, the least significant bit in each pixel of a digital image can be altered to contain different data without being detectable by the human eye. This is not an example of hashing. Hashing involves applying an algorithm to data that reduces the data to a fixed-length value. This is not a digital signature. A digital signature is an electronic signature used to authenticate an e-mail message, document, or other file. A digital signature can be used with encrypted or unencrypted files to verify that the files are delivered unchanged. This is not an example of ephemeral key. An ephemeral key is a cryptographic key that is regenerated for each session or for each use.

A company is designing a data processing application that will support various levels of context- and location-sensitive levels of access Sensitive data is replaced in the database with a nan-sensitive data equivalent that has no exploitable meaning or value. The database value is securely mapped to the actual data, which is stored in a separate location. What is this an example of? Choose the correct answer Tokenization Data masking Encryption De-identification

Explanation This is an example of tokenization. Tokenization is the process of replacing sensitive data with a non- sensitive equivalent that has no exploitable meaning or value, referred to as a token. The token is mapped back to the original value through a tokenization system. This is not an example of data masking. Data masking is used in testing to protect personal health information (PHI) from accidental disclosure. Data masking uses inauthentic data that is structured like the actual data for testing or for user training. Many companies use data masking to prevent accidental disclosure of real data. This is not an example of encryption. Encryption is the process of scrambling or substituting clear text with a new value based on an encryption key. A decryption key is required to access the data in a clear text format. This is not an example of de-identification. De-identifcation refers to data from which all personally identifiable information (Pl'), including PHI, has been removed. The data has been replaced in the database with a token value, but not completely removed.

Which is an example of an alternate business practice that could be included in a business continuity plan (BCP)? Choose the correct answer Using hand-written invoices during a computer failure Configuring a cluster configuration with automatic failover Training employees to take multiple roles as needed Preparation of a secure offsite storage location for backups

Explanation Using hand-written invoices during a computer failure is an example of an alternate business practice. An alternate business practice is a plan that enables you to continue operations, only in a manner that is different than normal. This may not be possible for some business operations. Configuring a cluster configuration with automatic failover is not an example of an alternate business plan. It is a means of automating business continuity in case of failure and enables the business to continue normal operations. Preparation of a secure offsite storage location for backups is not an example of an alternate business plan. This is part of a recovery plan, making backups available to recover after a catastrophic failure. Training employees to take multiple roles as needed is not an example of an alternate business plan. This is an example of redundancy, allowing operations to continue if key personnel are unavailable.

A company is implementing BYOD_ The company will take advantage of cloud-based apps to synchronize data between the user's computer and tablet. Which two tasks should the company's BYOD policy address as part of its offboarding policy? (Choose two.) Choose the correct answers Removing the device from the asset tracking system Deleting accounts for cloud-based apps Removing company data from the personal device uninstalling the cloud-based apps from the personal device Removing the device from the inventory tracking system

Explanation When a company implements a Bring Your Own Device (BYOD) policy, it should include mechanisms for secure offboarding of employees who resign or are terminated. The offboarding policy when personal devices are used for work needs to include a mechanism for removing company data from the personal device. One way to do that is with a selective remote wipe, if your Mobile Device Management (MOM) solution supports it. Because cloud apps are used in this scenario, the offboarding policy should also include deleting any accounts on the cloud apps that relate to the company's business. Many MDM solutions support features that automatically remove company data from a device after it has been retired. You should not remove the device from the asset tracking system. An asset tracking system is used to track equipment owned by the company, not personal devices. Although the user will probably decide to uninstall the cloud-based apps from the #rsonal device in order to conserve space, this step is not required for offboarding t»ecause without the account, the user will not be able to log on to the app. You should not remove the device from the inventory tracking system. The inventory tracking system is used to keep track of hardware owned by the company that is stored in a warehouse or storage facility. The personal device is not owned by the company.

A company has a database that is used to store product inventory. The cost to the company is very high if the database is not available. Which two technology controls could be used to improve the database's availability? (Choose two.) Choose the correct answers RAID Hashing Clustering Traffic shaping

Explanation You can use clustering to improve the database's availability. Clustering is used to provide fault tolerance and redundancy for services that require shared storage. A database server needs to store the database in a location that can be accessed by each database server in the cluster. With clustering, you can configure a node as active or passive. Active nodes are used to process requests. If the active node fails, the passive node takes over and begins servicing requests. You can also use Redundant Array of Independent (or Inexpensive) Disks (RAID) to improve availability. RAIC provides storage redundancy. RAID 1 provides this redundancy by storing a mirror of the data on a separate disk. RAID 5 provides redundancy by striping the data across all disks and including a parity stripe that can be used to regenerate the data if a disk in the volume fails. RAID 6 is similar to RAID 5, but provides protection against the failure of two disks. RAID 10 combines RAID 1 and RAID 5 by first mirroring the data and then striping it across multiple drives. RAID 10 provides fault tolerance against multiple disk failures. as long as all of the drives on one of the mirror images do not fail.

Field sales personnel have product and price lists loaded on their smartphones. This is critical data for the business. This data must not accidentally be disclosed or compromised while salespeople are traveling or are at customer sites. What two steps should be taken? (Choose two.) Choose the correct answers Implement full device encryption. Disable unused device features. Install and enable remote wipe. Keep product and price information on removable storage. Require Passwords on mobile devices.

Explanation You should install (if necessary) and enable remote wipe on the sales smartphones. Remote wipe gives you the ability to delete all data from a device from a remote location. This provides a way to remove all of the confidential company data from the smartphone if it is lost or stolem You should also require a password on each mobile device. This will help to prevent someone from getting into the device and disabling the network before the device can be wiped You should not keep product and price information on removable storage as your only protection. If the device is lost along with the removable storage, or the removable storage is lost by itself, the data is at risk. using removable storage could actually increase the risk to the data. You should not disable unused device features to protect the data. Disabling unused features does help to make a device more secure and less vulnerable to attack, but it does nothing to protect data on a lost or stolen device. You should not implement full device encryption in place of remote wipe. This does not provide as much protection as remote wipe.

A server application produces plain text output. The output needs to be encrypted before being delivered to local and remote client computers. Output varies in length depending on the client request. The processing requirements and the volume of data sent should be kept to a minimum. What type of cipher should be used? Choose the correct answer Stream cipher Hash encryption Block cipher Transport encryption

Explanation You should use a stream cipher in this scenario. The only valid candidates for use are stream or block cipher. Stream ciphers are usually faster and require less hardware resources. A stream cipher also encrypts data character-by-character. Block ciphers encrypt a set block size, Because the amount of data varies, padding will be used to fill out the block if it is not the correct size. Block ciphers do not meet the requirements of the scenario. Hash encryption is used to create a check code for verification. This is a one-way encryption and cannot be decrypted to retrieve a value. Transport encryption refers to a process of encrypting data for transfer. It does not refer to a specific cipher type because serial or block ciphers can be used in different applications.

A network for a small project group is being deployed. Each group member should be responsible for securing access to his or her own computer's resources. What access control model should be used? Choose the correct answer MAC DAC Role-based access control Rule-based access control

Explanation You should use discretionary access control (DAC) in this situation. In the DAC model, users have control over access to their own data or local computer resources. This is the access control model needed. This model is used, for example, to manage security on client computers in a peer-to-peer network environment. You should not use mandatory access control (MAC). In the MAC model, a hierarchical access model is used, with all access permissions set by administrators. Resource objects, such as data files, are assigned security labels that assign a classification and category to each object. Classification and category information is also assigned to each user account, and access is determined by comparing the user and object security properties. You should not use rule-based access control. In rule-based access control, access is defined by policies (or rules) established by an administrator. Users cannot change access settings set by administrators. Access is tracked through an access control list (ACL) associated with each object. Because access is based on user account or group membership but does not further classify objects or users, rule-based access control is considered less strict than MAC _ You should not use role-based access control. Role-based access control assigns access permissions based on a user's job function in an organization. This is different than a group-based access control model because, while a user can be assigned membership in multiple groups, a user can only be assigned to one role within the organization.

During which phase of a penetration test is the tester most likely to use OSINT? Choose the correct answer Maintaining access Gaining access Analysis Reconnaissance

Explanation source intelligence (OSINT) is publicly available information that a potential attacker or penetration tester can use to learn more about how and where an organization operates. The first phase of penetration testing is typically considered to be planning and reconnaissance. Depending on the type of penetration test being conducted, during black box testing for example, the tester may have to rely solely on OSINT during this initial phase. During the gaining access phase, the pen tester uses information learned during reconnaissance to penetrate the system or network _ The tester may use a variety of techniques, from pre-packaged exploits to brute force password attacks. During the maintaining access phase, the pen tester tries to maintain persistence on the compromised endpoint. Additionally, the tester tries to move laterally within the network by compromising other systems. During the analysis phase, the pen tester processes the results of the test. This information is used to compile a detailed report that will presented to the client.

An organization recently suffered an account breach due to a successful rainbow table attack. What should the organization do to mitigate the risk of this type of attack reoccurring? Choose the correct answer Perform regular account audits. Implement a password complexity policy. Only allow logons during normal working hours. Set account lockout after 3 failed logons.

Explannion The organization should implement a password complexity policy. A rainbow table is a massive database of precomputed password hashes. Users can steal password databases or files, which often contain hashed passwords, and can rapidly discover passwords by doing lookups using the rainbow table. When a matching hash is found, the associated password can be determined. The more complex a password is, the less likely its hash will be precomputed and stored in a rainbow table. Ideally, stored passwords would be randomized using salt, which renders rainbow tables useless for an attacker. Only allowing logons during normal working hours will not mitigate this risk. Logon hour restrictions are meant to limit when an account can be used. Performing regular account audits is good security practice, but it will not mitigate rainbow table attacks. Account audits look for things like abandoned accounts or accounts with suspicious logon behaviors. Setting account lockout after 3 failed logons is a good practice and is useful for mitigating password guessing attacks. However, this will not mitigate a rainbow table attack because a rainbow attack is performed offline, without retrying passwords against a live system.

A DoS has occurred. Which two questions should be answered during the incident identification phase? What servers have been compromised? What is the impact to the business? Has any malware planted by the attacker been removed? When can the affected service be restored? Are all affected servers isolated from those that are not affected?

A Explanation During the incident identification phase of an incident handling plan, you need to answer questions that help you understand the scope of the incident, including the impact to the business and what servers have been compromised in this Denial of Service (DoS) attack. You determine whether affected servers are isolated from those that are not affected during the containment phase. You determine whether malware planted by the attacker has been removed during the eradication phase. You determine when the affected service will be restored as part of the recovery and restoration phase.

What is a limitation of using a CRL to determine if a certificate is valid? Choose the correct answer A CRL does not provide for real-time updates. A CRL is not recognized in most PKI deployments. A CRL does not allow for manual revocation of certificates. A CRL cannot be used to block access.

A Explanation A limitation of using a Certificate Revocation List (CRL) is that a CRL does not provide for real-time updates. The CRL is updated periodically, but a recent copy of the CRL must be downloaded for you to have the most recent information. Because of this, some Public Key Infrastructure (PKI) deployments are now using Online Certificate Status Protocol (OCSP), which lets you query the status of a certificate and retrieve real- time information. A CRL does allow for manual revocation of certificates. This is one of the main uses of a CRL: manually revoking a certificate when you discover it is being used for malicious purposes. A CRL is recognized in most PKI deployments and is a standard PKI component. A CRL can be used to block access. Access decisions are made based on whether or not a certificate presented for authentication is listed in a CRL.

An engineering team has deployed PKI within their organization. To meet legal reporting requirements, they need to implement a way to provide decryption keys to a third party on an as-needed basis. What should they do? Deploy an additional CA. Implement a key escrow arrangement. Use certificate registration. Identify a recovery agent.

A Explanation The team needs to implement a key escrow arrangement. In this type of arrangement, the decryption keys are stored in a centralized location, or held in escrow in case they are needed. Keys held in escrow can be released to a third party on an as-needed basis. You should not use a recovery agent in this scenario. A recovery agent is used with the Windows Encrypting File System (EFS) to make it possible to recover encrypted data. You should not deploy an additional Certificate Authority (CA). A CA issues certificates for use in encryption, but adding a CA does nothing to make certificates available to a third party. You should not use certificate registration. Certificate registration is part of the process for requesting a new certificate. During registration, the certificate request is registered with a CA in preparation for issuing a certificate.

Which two types of attacks rely mainly on the attacker seeming to be familiar to the victim for their effectiveness? (Choose two.) Choose the correct answers Spear phishing Whaling Pharming Tailgating

Explanation Tailgating is a social engineering attack in which the attacker follows the victim into a secured area. Because this attack relies on the common courtesy of holding the door open for someone, one factor that makes it effective is social norms. This type of attack is also more likely to be effective if the victim is familiar with the attacker. A spear phishing attack is one in which an email appears to be sent from someone you know. The email contains a malicious link. This type of attack relies on familiarity and sometimes authority for its effectiveness. A pharming attack is one in which traffc to a web server is redirected to a malicious server, either by DNS poisoning or malicious a hosts file on client computers. A whaling attack is one in which an email that appears to be related to an urgent business matter is sent to an executive. The email contains a malicious link. This type of attack relies on urgency for its effectiveness.

A security administrator learns that sensitive information has been exfiltrated using DNS tunneling. What should the administrator do FIRST to investigate the incident? Investigate DNS server logs for the registration of unauthorized domains. Check the firewall for evidence of outbound C&C communications. Investigate web logs for logons from untrusted IP addresses. Check the Netflow traffic metrics for a sudden spike in UDP traffic.

Explanation The administrator should check the Security Information and Event Management (SIEM) traffic metrics for a sudden spike in User Datagram Protocol (UDP) traffc. Domain Name System (DNS) is used extensively on public and private IP-based networks to resolve friendly hostnames with IP addresses. When a client needs to resolve a hostname, a query is sent to a known DNS server specifying the name that needs to be resolved. In DNS tunneling, an attacker registers a DNS domain and uses requests to that domain to send and receive data over UDP port 53, a port that must be open for legitimate DNS requests. NetFlow is a network protocol that is used to capture packets and analyze traffic statistics on network nodes. In most NetFlow implementations, network devices are configured with the Internet Protocol (IP) address of a NetFlow collector - a dedicated system that collects NetFlow data. The NetFlow collector may have advanced analytical, reporting, and alerting functionality. In this scenario, Netflow traffic statistics could be checked for the increased UDP traffic that would occur as a result of a DNS tunneling attack. Command and control (C&C) connections occur when a piece of malware is installed and executed on a target computer. The malware attempts to "phone home", signaling to a remote attacker that infection has been complete. C&C commands are sometimes sent using DNS tunneling, but this is not always the case. Web logs will include all requests for resources hosted by the web server. Because DNS tunneling does not

A security analyst finds the following lines in a real-time log viewer on a network device: [i. CHLen=10, What type of network attack is happening? Choose the correct answer Eavesdropping Identity spoofing Sniffer attack DOS

Explanation The log shows a denial of service (DoS) attack. The first line indicates a port scanning activity, and the second line describes a user Datagram Protocol (UDP) flood attack, which means someone is sending a lot of packets to a device behind a firewall, You should analyze all logs and identify these attacks. Unified Threat Management (UTM) devices and firewalls can stop these attacks and alert an administrator automatically. Eavesdropping is an unauthorized real-time interception of a private phone call, chat, or instant messaging, Identity spoofing applies to multiple protocols: IP, DNS, and ARP. An attacker using identify spoofing fakes the identity of another user or device, A sniffer attack happens when someone is eavesdropping on your communications. There are multiple solutions to prevent these attacks that can be implemented on firewalls, routers, switches, and end devices,

To protect sensitive PHI, an organization plans to substitute random characters for original data, while maintaining the data's format. Which of the following technologies or methods should they use? Choose the correct answer Tokenization Hashing Encryption Masking

Explanation The organization should use tokenization. Tokenization is designed to protect Personal Health Information (PHI) and other sensitive information by replacing the original data with data in the same format. Most tokenization methods use random character replacement and store the original-to-tokenized data mapping in an encrypted database or file. If the tokenized data is compromised, it is of little use to an attacker. Masking permanently replaces the original data. The new data may be in the same format as the original data, but this is not a requirement. For example, a Social Security number may be masked with symbols: Encryption uses a reversible algorithm, unlike tokenization, which is meant to be random. Encrypted output would not retain the same data format. Hashing algorithms produce fixed-length, irreversible output. Hashes are often used to verify data integrity.

A company's systems engineer is devising an incident management plan. What should be the primary goal of the incident management plan for a DoS attack on the company's ecommerce servers? Restore normal operations as quickly as possible. Implement DPI on the firewall. Discover the identity of the attacker. Identify the vulnerabilities that the attacker exploited.

Explanation The primary goal of incident management is to restore normal operations as quickly as possible. Often this is accomplished by replacing the compromised server or servers with new devices. Performing research to discover the identity of the attacker could be one of the goals included in the incident response plan, but it is not the primary goal of incident management. Identifying the vulnerabilities the attacker exploited is an important part of the incident response plan, but this part of the plan will be performed after normal operations are restored. Although during the course of researching the attack the engineer may discover that deep packet inspection (DPI) is necessary on the firewalls, this is not the primary goal of incident management.

An organization want to ensure compliance with ISO 27001. Which of the following should the organization plan to implement? A Next-Generation Firewall (NGFW) A Security Information and Event Management (SIEM) Remote Authentication Dial-ln User Service (RADIUS) An Information Security Management System (ISMS)

A Explanation The organization should plan to implement an Information Security Management System (ISMS). International Organization for Standardization (ISO) 27001 is jointly published by the ISO and the International Electrotechnical Commission (IEC) under the full name, ISO/IEC 27001 Information technology — Security techniques — Information security management systems — Requirements. The ISO 27001 standard is designed to help organizations design, implement, manage, and maintain an ISMS. An ISO 27001 compliant organization may or may not implement Remote Authentication Dial-ln User Service (RADIUS). A RADIUS server provides Authentication, Authorization, and Accounting (AAA) functionality for networked systems. AAA describes a system that can enhance security by authenticating users, authorizing users to perform certain tasks, and then tracking what users do on the network. An ISO 27001 compliant organization may or may not implement a Security Information and Event Management (SIEM). A SIEM is designed to ingest data from a variety of network components, such as user workstations or laptops, network routers and switches, firewalls, servers, and other appliances. The SIEM then analyzes the data to identify trends, pending security issues, and security breaches. An ISO 27001 compliant organization may or may not implement a Next-Generation Firewall (NGF\N). Firewalls can be simple routers configured with strict access control lists (ACLs) that limit inbound and outbound traffc based on source and destination IP addresses. However, most NGFVVs track session states and offer complex rulesets. Beyond simple firewalling, they may also scan traffc for malware and offer

A company's security team is setting security standards for mobile devices. One suggestion was to disable unused features and functionality. One of the security team recommends disabling GPS on all company-owned mobile phones. Which security feature would this impact? Asset tracking Lockout Application control Remote wipe

Explanation Disabling GPS on company-owned mobile phones would disable asset tracking. Asset tracking uses a device's GPS to physically locate the device. One potential use of this technology is being able to locate a lost device. Asset tracking is often used as part of an asset management program. Disabling GPS does not impact remote wipe. Remote wipe remotely deletes all information from a device. It does not rely on knowing the device's location. Disabling GPS does not directly impact application control. Application control refers to policies, procedures, and security settings used to manage applications. Disabling GPS does not impact lockout. Lockout refers to remotely configuring a device to prevent it from accessing a provider's data or cellular network.

A company is determining its wireless network authentication requirements. The authentication solution must support mutual authentication. The solution should require both client and server certificates. The solution must support the network's bring your own device (BYOD) implementation. Which authentication protocol should the company use? PEAP EAP-FAST EAP-TLS EAP-TTLS

Explanation The company should use EAP-TLS as its authentication protocol. All of the protocols listed support mutual authentication. All except EAP-FAST require a server certification for authentication. Only EAP-TLS requires both a server and a client certificate. This provides for a very high level of security but makes this option the most difficult to deploy and configure. EAP-TLS is gaining popularity as the preferred solution for BYOD network configurations. EAP-FAST does not require a certificate.

A company is launching a team to conduct a forensics investigation. They need to analyze the low-level content of a suspected hard disk. What is the BEST tool for this activity? Hex editor Disk cloning software Regex editor Log editor

Explanation The company should use a hex editor to analyze the low-level content of a suspected hard disk. A hex editor allows a forensics investigator to verify a file and a disk at the low-level in a hexadecimal format. Software like this can help search for evidence, recover deleted files, crack copy-protected applications, and analyze malware infections. The company should not use a regular expression (regex) editor. Regex editors do not allow you to analyze a disk. Regex is a program that allows an investigator to match a string only. An investigator can use a hex editor and a regex to find a string much faster. A regex expression can be used to identify email addresses, credit card numbers, passwords, IP addresses, and other sensitive information. The company should not use log editors here. Log editors open log files only and are not designed for low- level operations. The company should not use disk cloning software for low-level analysis. Disk cloning software creates an exact copy of a hard drive and protects electronic evidence.

Which is NOT a vulnerability associated with embedded systems? The operating system versions used are unstable and difficult to manage. Embedded systems are susceptible to replicated attacks across multiple devices. Software patches are rarely available and even more rarely applied. Embedded systems use older operating systems versions. ices.

Explanation The operating system versions used are stable, but older, versions of well-known operating systems. The operating system versions used are not a cause of management difficulty, even though operating system- level management tools may not be available. It is a vulnerability that embedded systems use older operating systems versions, often going unchanged even as new versions of the devices are released. The use of older, less secure operating system versions is one of the ways manufacturers minimize their costs. The operating systems are also vulnerable to attack because software patches are rarely available and even less rarely applied. One reason patching is diffcult is because the devices usually bring together applications and custom code from multiple sources, leaving no one with the responsibility or technical expertise for reliable updates. Because the devices are mass produced, effectively releasing identical devices in the market, embedded systems are susceptible to replicated attacks across multiple devices. Once someone has designed a successful exploit it can easily be applied across multiple dev

An organization deploys cloud-based compute resources. The organization needs to ensure stateful packet filtering for these resources. Which action should the organization take? Deploy a secure web gateway. Configure a gateway endpoint. Configure a security group. Only expose trusted ports.

Explanation The organization should configure a security group. Stateful packet filtering only allows inbound packets if they are in response to an outbound request. This feature is common on network firewalls. In an Amazon Web Services (AWS) deployment, security groups facilitate inbound and outbound access to Virtual Private Clouds (VPCs). In essence, security groups provide Layer 4 firewall services for all resources within the VPC. Exposing trusted ports is often done on a border firewall. For example, an organization might only expose the commonly used Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) ports for a web server. However, this does not ensure stateful packet filtering. The organization should not deploy a secure web gateway (SVVG) to inspect traffic. An SVVG sits between end users and the Internet and monitors and protects access to Internet resources. An SVVG can be located on-premises or in the cloud. A gateway endpoint is a type of Virtual Private Cloud (VPC) endpoint used in Amazon Web Services (AWS). Gateway endpoints facilitate connectivity between VPCs and AWS services such as storage.

An organization plans to move an ecommerce application's credit-card processing functionality to a cloud- based VM. What should the organization do to ensure that they maintain compliance with PCI-DSS requirements? Deploy a cloud-based firewall. Encrypt disks on the cloud VMs. Implement MFA on the cloud VMs. Purge data after it has been used.

Explanation The organization should deploy a cloud-based firewall. Payment Card Industry Data Security Standard (PCl- DSS) is a standard mandated by credit card companies that applies to any organization that handles card- holder data. The standard stipulates that a firewall be used to protect cardholder data. PCI-DSS does not require cardholder data to be encrypted while at rest. However, the standard does require transport encryption for all sessions carrying cardholder data. PCI-DSS does not require Multifactor Authentication (MFA). The standard does require that access to cardholder data be restricted, which implies that some type of authentication is required. PCI-DSS does not require that data be purged after it is used. General Data Protection Regulation (GDPR) requires data to be purged after it is used for the specified purpose.

Recently, a client used an organization's guest wireless network to distribute pirated materials. To protect themselves from litigation, the organization wants to ensure that all guest WiFi users agree to an acceptable use policy prior to gaining access. What should the organization do to meet this requirement? Choose the correct answer Configure the network to support 802. lx authentication. Configure open authentication on the controller. Enable a captive portal on the wireless controller. Enable PSK-based authentication on the APS.

Explanation The organization should enable a captive portal on the wireless controller. A captive portal is a mandatory landing page that is presented to users when they connect to a wireless network. The captive portal can require uses to agree to an acceptable use policy (AUP) prior to gaining network access. If the user does not accept the AUP, they are disconnected from the network. The organization should not configure the network to support B02.1x authentication. B02.1x facilitates centralized authentication for wireless networks. B02.1x does not require a user to accept an A1-JP The organization should not enable pre-shared key (PSK) based authentication on the access points (APS). PSK-based authentication uses a common key, or password, to facilitate authentication. This method does not require a user to accept an A1-JP The organization should not configure open authentication on the controller. Unless some other authentication method is configured, clients will be able to access the network without providing credentials.

An organization determines that their working production control is susceptible to attack. What should the organization implement to mitigate the risk of compromised code integrity? Normalization Obfuscation Version control Elasticity

Explanation The organization should implement version control. Version control systems store master code files in repositories, or repos. There are two flavors of version control systems: local and remote. In a centralized version control system (CVCS), a developer checks out a code file, which retrieves a working copy from the central code repo and locks the master copy. If code is accidentally or maliciously changed, a saved version of the code can be easily recovered. Since it relates to secure coding, normalization ensures that all data input is in a known and expected format. This can protect an application from buffer overflow and other similar attacks. Code obfuscation is meant to make code harder to reverse engineer. This makes it more diffcult for an attacker to find weaknesses in an application's logic or processes. An elastic application can scale up or down based on workload. This feature has become popular with the advent cloud-based application hosting, which supports easy scaling of compute resources.

An organization plans to supply users with company-owned smartphones. The devices are primarily intended to be used for business purposes. However, employees will be able to install their own apps and use the devices for personal tasks. Device procurement and management overhead should be minimized. What should the organization do? Institute a VDI model configure all devices with remote access policies. Institute a CYOD model and enroll all devices in an MDM platform. Institute a BYOD model and enroll all devices in a MAM platform. Institute a COPE model and supply all users with a common device.

Explanation The organization should institute a corporate-owned personally enabled (COPE) model and supply all users with a common model. This allows the organization to have more control over the device and the organization can dictate device usage via policy or using technical controls such as Mobile Device Management (MDM). In a bring your own device (BYOD) model, employees would purchase a device and would use it for work and personal purposes. This does not meet the requirement for the company to own the device. In a choose your own device (CYOD) model, the organization presents employees with several device models to choose from. This does not meet the requirement to minimize procurement and management overhead because each model will have to be purchased, managed, and maintained separately. A virtual desktop infrastructure (VDI) is designed to provide users with a virtual machine-based desktop hosted centrally. This allows users to perform work using a consistent, secure platform regardless of the client's operating system.

An attacker successfully brute forces an organization's web service. The attacker is able to quickly move laterally to a database server and a file server on the same network. What should be done to mitigate the risk of this type of attack in the future? Configure all accounts to use MFA. Enforce password uniqueness for all accounts. Limit privileges assigned to service accounts. Configure a password expiration policy.

Explanation The organization should limit privileges assigned to service accounts. Service accounts are used for non interactive logons by web, database, and other services. These accounts run in the background and often are granted excessive privileges. Service accounts should receive restrictive permissions so they can only access the resources that are required for the service to operate. In this scenario, the hacked web service account had excessive privileges that allowed the attacker to access other network resources. Service accounts are not good candidates for Multifactor Authentication (MFA). Because the service account authenticates in a non-interactive way, there is no user available to provide additional authentication factors. Configuring a password expiration policy is a good practice. However, in this scenario the service account had excessive privileges. Enforcing password uniqueness for all accounts is a good practice. However, once the attacker brute forces the web service password, they were able to move laterally to other servers in the environment.

When an account authenticates with a web service, the service issues a temporary token that can be used to authenticate client requests. What should be done to maximize security for issued tokens? Require TLS for all connections. Configure password complexity policies. Require clients to hash tokens. Store tokens in service config files.

Explanation The organization should require Transport Layer Security (TLS) for all connections. Many services and Application Programming Interfaces (APIs) use temporary tokens to facilitate authentication requests. This allows future requests to be automated and allows the account password to be disassociated from the request. However, tokens are themselves sensitive and must be secured against disclosure. The best method for maximizing token security is to encrypt all sessions between clients and the web service. Tokens should not be stored in service config files. No credentials of any type should be stored in plain text, particularly on servers exposed to the Internet. Hashing tokens generates an irreversible, fixed-length output. Unless the web service and the client both know the same token and can hash and compare the results, hashed tokens cannot be used for authentication. While configuring password complexity policies is considered a best practice, this will not maximize security for tokens once they are issued.

A employee receives a direct message from a friend on a social network. The message is about an offer to receive a $100 gift card if they are one of the first 25 to respond to a survey. They click the link and become infected with malware. Which attack principles contribute to the effectiveness of this attack? (Choose two.) Choose the correct answers Authority Trust Intimidation Scarcity Consensus

Explanation This attack relies on trust and scarcity for its effectiveness, Because the message comes from a friend, you are more likely to trust it than one that was posted by a stranger. Also, the fact that there are only a limited number of gift cards available propels the victim to click on the link quickly instead of checking it out. This is an example of a quid pro quo attack because the victim is being offered something in return for filling out a survey. This is not an example of intimidation. Intimidation would involve threatening the victim that something bad will happen if an action is not taken. This is not an example of authority. A spear phishing attack is an example of one that might utilize authority, particularly if the message appeared to come from a superior. This is not an example of consensus. An attack that relies on consensus is one that uses a social norm or expected behavior to facilitate the attace One example of an attack that involves consensus is a tailgating attack because holding the door for someone behind you is accepted as polite behavior. Consensus is similar to social proof. A quid pro quo attack could use social proof if it encouraged users to click the link by showing how many people had liked the link, or by using a celebrity endorsement,

Your company has three computer security professionals. Every month, a different one is assigned to auditing duties. What principle does this illustrate? Separation of duties Job rotation Principle of least privilege Discretionary access

Explanation This illustrates job rotation. In job rotation, a user performs a task for a limited period of time before the task is assigned to a different user. This can enhance security in some situations because one employee cannot easily hide detrimental activity. Job rotation is also used to make employees more motivated and skillful. In separation of duties, permissions are assigned to users based on operational or duty requirements. The model is based around checks and balances used to ensure that it requires multiple users to complete different parts of a sensitive or hazardous task. The principle of discretionary access places the responsibility for assigning permissions on the owner of the resource or another user who has been granted the permission to assign permissions. With the principle of least privilege, the minimum rights are assigned for a task to be accomplished.

A company recently started using an agile development methodology and is making extensive use of automation in testing and in managing the development and deployment process. The company uses a software engineering practice where development is completed in incremental chunks and held in a staging environment until manually released. What is this an example of? Continuous delivery Continuous validation Continuous deployment Continuous integration

Explanation This is an example of continuous delivery. Code changes are developed in small, incremental pieces. Developers are able to make changes to the application, prepare bug fixes, and make other changes quickly, making it possible to roll them out into production. With continuous delivery, the code is completed and tested but does not go into production release automatically. Production release requires human interaction. Continuous deployment extends this model by moving incremental code changes into automatic deployment. The code goes through automated testing and validation before moving into deployment. Some development models combine the continuous delivery and deployment steps. Continuous integration occurs before continuous delivery. Incremental changes can be made on the fly and are automatically integrated back into the main code base. This enables developers to integrate and test their code multiple times during the day. This helps to speed up the development process and make for a more timely deployment. Continuous validation refers to black box and white box texting based on defined validation criteria. This elos to ensure that the code is stable when handed off to test teams,

The administrator deploys three web servers, all hosting the same web application and data, on his company's perimeter network. The administrator implements load balancing through the use of a load balancer. This is BEST described as an example of which resiliency strategy? Distributive computer Elasticity High availability Scalability

Explanation This is an example of high availability. The use of load balancing means that load is shared between the web servers, making the application more readily available to users. Though it is not listed, it could also be argued that this configuration provides a level of fault tolerance. However, load balancing is not typically listed as a fault tolerant feature. Fault tolerance refers to the ability to continue working in spite of a failure. This is not an example of elasticity or scalability. These are closely related terms. Scalability refers to the ability to adjust available resources based on processing load. Elasticity refers to the same ability, but in reference to a cloud computing environment. The scenario described does not provide for changing the resources available to the web application. This is not an example of distributed computing, also referred to as distributed allocation. Distributed computing refers to components and resources being deployed on different systems that coordinate the actions by passing messages between the computers on which they are hosted.

All computers in an organization come with TPM installed. What type of data encryption most often uses keys generated from the TPM? Choose the correct answer Full disk encryption File encryption Data in transit encryption Database encryption

Explanation Trusted Platform Module (TP'M) is a dedicated microprocessor used for securing computing hardware and providing cryptographic support. One of the most common uses for TPM is to provide full-disk encryption, usually with an external key or passcode used for decryption. File and database encryption typically do not need or rely on TPM_ These are typically supported completely through software, rather than through hardware support with TPM_ Data in transit encryption refers to methods for encrypting data for transmission. This is usually based on an encryption key or shared secret using a software-based encryption algorithm.

A company's incident response team is responding to an active incident. The teams must start digital forensic data acquisition based on the order of volatility. In which order should the incident response team collect data? Arrange the data categories in the correct order. Create a list in the correct order Data to be collected Cache memory System memory Temporary file system Disk Remote logging [monitoring data Physical configuration/archive data

A Explanation A The proper order of data acquisition during digital forensics is from the most volatile to the least volatile data. The more volatile the data, the greater the risk that it might be lost or modified before it is collected. The order of acquisition, based primarily on volatility, is: . Cache memory System memory 2. 3. Temporary file systems 4. Disk

Which of the following can be used to prevent external electrical fields from affecting sensitive equipment? Faraday cage UPS Hot and cold aisles Halon

A Explanation A Faraday cage can be used to prevent external electrical fields from affecting sensitive equipment. A Faraday cage can be used to protect equipment from lightning strikes or from electrostatic discharges. A Faraday cage can also be used to keep electromagnetic emanations contained within a building or room. For example, Faraday cages can be used to make a building TEMPEST certified. TEMPEST is a set of standards designed to prevent data emanations from reaching outside a secured building. Hot and cold aisles is a configuration that is used to promote better airflow in a data center and thereby reduce cooling costs. Halon is one of several inert gases that can be used to suppress fires in areas with electrical equipment. Inert gases replace the oxygen and make it difficult or impossible for fire to burn. Safety precautions must be taken when using inert gases like Halon and carbon dioxide because they can also cause suffocation. Halon can also deplete the ozone layer. An uninterruptible power supply (OPS) enables a computer to continue working in case of power loss. Typically, the role of the UPS is to provide time for the computer to shut down gracefully. Some UPSs act as power conditioners by always supplying power from the battery and recharging the battery while the power is on. A UPS can be combined with a backup generator to provide an emergency power system.

A set of programs provide a hacker with administrator access to a computer that cannot be detected through normal means. What is the BEST description of this threat? Rootkit Armored virus Backdoor Xmas/Christmas tree attack

A Explanation A rootkit is made up of a set of (usually malicious) programs that enable administrator access to a computer. These typically include programs such as spyuare and other monitoring programs and programs that open a backdoor into the computer for easy access. A rootkit usually hides itself by modifying the hard disk's boot record. Rootkits typically propagate the same way as viruses, by attaching themselves to other programs that are then copied between computers. This is not an example of an armored virus. An armored virus is one that contains code to obfuscate how it works and make it more diffcult for virus researchers to defend against it. Although this threat includes backdoor functionality, this is not the best answer. A backdoor is a broader category. A rootkit can open a backdoor; a backdoor can also exist in an operating system or application's code. For example, a programmer could include a secret name and password to be used in testing and then fail to remove it when the application is distributed. Another example of a backdoor is a program like Back Orifice. This is not an example of an Xmas attack. An Xmas attack is a type of denial of service (DoS) attack that involves network packets with every option set to true.

Which of the following provides the best protection against zero-day attacks? Choose the correct answer Up-to-date cyber threat intelligence Anomaly-based detection Effective patch management Transport encryption

A Explanation A zero-day attack is one which is either not known to software or application developers or is publicly known but has not been remediated. Depending on the capabilities of antivirus software, zero-day attacks can be detected using behavior-based or anomaly-based detection. These approaches look for other attack indicators, such as an increase in network traffc or unexplained files located on a system drive. Cyber threat intelligence (CT l) is information concerning threats or vulnerabilities that is used to identify attacks. In the case of zero-day attacks, CTI has not yet been created as the attack is new. Transport encryption is used to protect data as it traverses a network. Transport Layer Security (TLS) is a popular transport encryption protocol that is used between web browsers and web servers. TLS can be used to protect against eavesdropping attacks. Effective patch management ensures that updates and hotfixes are installed as soon as possible on an endpoint. These updates often include fixes for recently discovered vulnerabilities. However, zero-day attacks exploit new, unknown vulnerabilities.

Malware has infected a server in a company. The security analyst makes a digital copy of the hard drive to analyze and places the original drive in a secure cabinet. Which aspect of incident response does this illustrate? Choose the correct answer Chain of custody Damage control Loss control Incident isolation

A Explanation Chain of custody refers to the process of ensuring that there is documentation describing the seizure, custody, control, and analysis of evidence. By removing the drive, making a digital copy for analysis, and storing the original in a secure cabinet, you are helping establish the chain of custody. Documenting each step is also an important part of maintaining the chain of custody. This scenario does not illustrate damage or loss control. Damage and loss control refer to taking steps to limit the amount of damage or loss that is caused by an incident. This does not illustrate incident isolation. Incident isolation is the process of limiting the exposure of other computers, services, or segments. One example of incident isolation is to quarantine an affected computer by removing it from the network.

A company needs to identify the appropriate type of recovery sites to meet business requirements. Drag the appropriate recovery site to each set of business requirements. Drag and drop the answers Business requirements The company must ensure business continuity through use of an alternate prcressing that its standard business præesses in case of failure at the main site. The company must have an alternate kyation available with the facilities infrastructure to supgx)rt business operations. Costs must kept to a mnmum. The company must able to retum to full operations as quickly as possible after a catastrophic failure. The site will maintain copiæ of all current backups Hot site

A Explanation Cold site site Hot site Cold site Hot site Offsite backup Warm site A hot site is necessary to ensure business continuity through use of an alternate processing location that supports its standard business processes in case of failure at the main site. A hot site is a duplicate or near duplicate of the primary site, including hardware, software, and data. A hot site can be used as an alternate processing site. An alternate location available with the facilities infrastructure to support business operations is a cold site. Costs must be kept to a minimum because the site does not have any hardware, data, or personnel. A hot site is necessary to return to full operations as quickly as possible after a catastrophic failure. The site can include copies of all current backups and can double as a secure offsite location for backups.

Which process ensures that code vulnerabilities can be patched and updated code placed into production as quickly as possible? CI/CD cvcs Obfuscation Normalization

A Explanation Continuous Integration/Continuous Delivery (CI/CD) ensures that code vulnerabilities can be patched (continually integrated) and updated code placed into production (continuously delivered) as quickly as possible. CI/CD is designed to ensure that functional code can be delivered at any time. This process supports fixing bugs as soon as they are discovered, testing the resulting code, and then placing the code in production as quickly as possible. Since it relates to secure coding, normalization ensures that all data input is in a known and expected format. This can protect an application from buffer overflow and other similar attacks. Code obfuscation is meant to make code harder to reverse engineer. This makes it more diffcult for an attacker to find weaknesses in an application's logic or processes. Version control systems store master code files in repositories, or repos. There are two flavors of version control systems, local and remote. In a centralized version control system (CVCS), a developer checks out a code file, which retrieves a working copy from the central code repo and locks the master copy. Upon completion, the developer checks the code file back into the repo, which tags a new version.

Which server acts as a mirror of the real environment and is used by developers to test and finalize new software prior to rollout? Proxy Staging Production Development

A Explanation Developers should use a staging server to test and finalize new software prior to rollout. A staging server is a pre-production environment which can be used to perform final tests before going live. If possible, a staging server should mirror the production server to guarantee a successful rollout of new software. Developers should not use a development server (DEV). A development server is used to develop new software and patches. A development server does not mirror the real environment. A production server is a live server. Developers should not use it to test new software. They use a staging server to do that. A proxy server is installed to intercept all requests to the real server and filter what is allowed in the network. Developers should not use a proxy server to test new software.

A networking hardware vendor uses several platforms to deliver firmware updates to customers. Recently, customers have complained that installing firmware updates also installs malware on systems. The hardware vendor is concerned that the malware is being bundled with the updates that are hosted on popular software repositories. What should the vendor do to ensure that firmware updates can be safely hosted on third-party sites. Choose the correct answer Encrypt each update using AES prior to release. Create a digest for each update using a hashing algorithm. Attach an X.509 certificate to the update to prove authenticity. Digitally sign each firmware update prior to release.

A Explanation Digital signatures use Public Key Infrastructure (PKI) to ensure data integrity. Ensuring data integrity is critical when transferring files across untrusted networks because file contents may be modified in transit. The signature is created by the file's signer using the private key that is created when a certificate request is generated. The signature can be verified using the signer's public key, which is stored in the signer's X. 509 certificate. Among other uses, digital signatures can be used to ensure firmware, drivers, and software updates have not been modified by malicious parties. Modified files will have invalid signatures and can be discarded. Hashing algorithms can be used to create an irreversible, fixed-length digest of a source file. While hashing can be used to ensure a file's integrity, it does not protect the file from being modified and a new hash calculated. Advanced Encryption Standard (AES) is a symmetric encryption algorithm that ensures data confidentiality, not data integrity. An attacker could easily decrypt the firmware update, inject malware, and re-encrypt the firmware using the same key. Attaching a certificate to a file will not prove authenticity. However, digitally signing a file using a private key can provide this function. The receiver can use the signer's certificate to verify the signature and, therefore, the file's authenticity.

When calculating risk assessment for an organization, what is the role of impact assessment? Estimating preparedness to meet a threat Estimating threat frequency based on historical data Estimating the potential costs related to a threat Estimating the likelihood that a threat will occur

A Explanation Impact assessment is the process of estimating the potential costs related to a threat. Threat assessment typically relies on threat, impact, and vulnerability assessment for any resource. Once a threat has been identified, impact assessment is used to determine the potential monetary cost, should the threat occur. Estimating the likelihood that a threat will occur and the threat frequency based on historical data are both part of the threat assessment process. Estimating preparedness to meet a threat is part of vulnerability assessment. After a specific threat is identified, you can then use vulnerability assessment to determine how well prepared you are to handle that specific threat.

What is an advantage of implementing a policy of control diversity in a network? The potential avenues of attack are significantly reduced. An attack is less likely to impact multiple devices. Network administrative overhead and training requirements are reduced. Greater fault tolerance in case of device failure.

A Explanation Implementing control diversity helps to ensure that an attack is less likely to impact multiple devices. With control diversity, controls from different categories are used to meet the same control objective. Different controls mean different attack surfaces and resistance to different types of attacks. A successful attack on one control is less likely to be effective against another control performing the same task. Control diversity does not necessarily mean that potential avenues of attack are significantly reduced. Multiple control types could result in multiple attack options. Network administrative overhead and training requirements are increased, not reduced. Different controls will have different management requirements and will likely have a different interface. Control diversity does not, in itself, provide greater fault tolerance in case of device failure. This is accomplished through control redundancy.

Despite implementing security controls to mitigate data exfiltration, emails with credit card numbers are escaping detection and are being sent to external recipients. What should be done to address this issue? Ensure that email servers use the STARTTLS command. Modify regex expressions on the DLP system. Modify the detection rules on the NIPS. Configure S/MIME to encrypt outbound emails.

A Explanation Modifying regex expressions on the Data Loss Prevention (DLP) system will address this issue. DLP and regex can be used as part of a data exfiltration solution. DLP is designed to prevent exfiltration of an organization's sensitive or proprietary data. DLP is usually configured on email servers and firewalls. Regex, or regular expressions, are part of a powerful, highly customizable language that can be used to search for and extract information from log files, documents, and emails. For example, the following regular expression could be used to locate any email with an embedded Social Security number: A [0-8] CO 9] {2} [0 9) Configuring Secure/M,ultipurpose Internet Mail Extensions (S/MI,ÅAE) to encrypt outbound emails will not address this issue. S/MIME is used to protect email communications from eavesdropping. Encrypting emails will likely prevent the DLP system from detecting any data exfiltration attempts. The START TLS command is used by email servers to initiate Transport Layer Security (TLS) connections, which protects communications from eavesdropping. This will not prevent data exfiltration. A Network-based Intrusion Prevention System (NIPS) is used to monitor and prevent network-based attacks. A NIPS does not scan email content to prevent data exfiltration attacks.

Which of the following is designed to be a full-scoped attack simulation? Choose the correct answer Regression testing Gray box testing White team testing Red team testing

A Explanation Red teaming or red team assessments are designed to be full-scoped attack simulations. Red teaming typically aims to evaluate an entire organization, including breach detection and incident response procedures and effectiveness. Red teaming is a form of goal-based assessment. In most red team engagements, members of the attacking (red) team can use any tools, tactics, or procedures (TTPs) they choose. A white team operates as a neutral group during an attack simulation. The white team might define certain systems off limits and acts as a referee during the simulation. Regression testing is used to ensure that an application continues to function as expected after a code change has occurred. Security regression testing focuses on ensuring new vulnerabilities have not been inadvertently introduced during the development process. In gray box testing, the tester has partial knowledge of the system. This is meant to simulate a guest user or an employee who has limited knowledge or access.

Following several successful cyber attacks involving malware, an organization needs to improve its incident handling capabilities. Which of the following is the best option for minimizing the time required to eradicate infections? Configure a SOAR runbook. Implement NGFW security policies. Enable SIEM breach responses. Configure security alerts on a NIDS.

A Explanation Security Orchestration, Automation and Response (SOAR) is the best option for minimizing the time required to eradicate infections. SOAR is a collection of systems and processes that aims to increase the effciency of security operations. Security orchestration is the process of correlating information and events to create a more holistic picture of an environment. Security automation is the process of automating tasks such as periodic vulnerability scans or log searches. Security response is the process of responding to incidents as they are detected. SOAR runbooks can be used to automate portions or all of the malware eradication process. Enabling breach responses on a Security Information and Event Management (SIEM) system is not the best option for eradicating infections. A SIEM is designed to ingest data from a variety of network components, such as user workstations or laptops, network routers and switches, firewalls, servers, and other appliances. The SIEM then analyzes the data to identify trends, pending security issues, and security breaches. Most SIEBAs are complex platforms with highly customizable dashboards and hundreds of built-in reports. Some SIEBAs can perform Intrusion Prevention System (IPS) functions, but they do not eradicate infections. Configuring security alerts on a Network-based Intrusion Detection System (NIDS) is not the best option for eradicating infections. A NIDS monitors for and alerts on suspected breaches. A NIDS is not used to eradicate infections.

An administrator sets up a VM for testing different versions of an application. The administrator wants to be able to return to the baseline state as quickly as possible between each test. What should the administrator do? Create a snapshot of the VM. Configure a sandbox environment. Run a full backup of the host. Implement automatic change management.

A Explanation The administrator should create a snapshot of the virtual machine (VM) before running the first test. A snapshot is a backup taken at a point-in-time, providing a way to quickly restore to that point. That gives you a way to return to the baseline for each test. Configuring a sandbox does nothing to facilitate recovery. A sandbox is an isolated environment that prevents the software being tested from affecting the rest of the network. The administrator should not run a full backup of the host. There is no need to go to this extreme, and depending on how the backup is run, it might not back up all of the VM components necessary. Automatic change management does nothing to help resolve this scenario. Change management is a way of documenting and tracking changes that are made to computers and software.

A security administrator discovers a suspicious executable on a server. The antivirus system on the server did not flag the file as infected, but the administrator discovers other artifacts that indicate a breach has occurred. What should the administrator do to obtain an auto-generated, detailed report of the executable's behavior? Analyze the file using WinHex. Perform black box analysis of the file. Active the file in a detonation chamber. Submit the file to the Cuckoo API.

A Explanation The administrator should submit the file to the Cuckoo API for automated analysis. Cuckoo is an open source malware analysis system. Cuckoo provides a submission Application Programming Interface (API) that can be used to automate the submission/analysis process. Behind the scenes, Cuckoo will active the file in an isolated environment, monitor and record output, and then generate a report based on what is discovered. Black box analysis is a dynamic testing method that involves running an application and monitoring output. This method is typically used during application development and does not generate a detailed report of a file's behavior. A detonation chamber is a type of sandbox where malware analysis can take place. The physical implementations may differ, but a detonation chamber typically consists of a virtualize environment where malware can be activated and its behavior monitored, including file system changes, configuration changes, and network connections. This approach does not necessarily auto-generate a detailed report of the file's behavior. WinHex is a hexadecimal editing utility that is useful for analysis of all types of files, include malware executables. However, WinHex is a static analysis tool and will not generate a detailed report of a file's behavior.

After a risk assessment of a company's data centers, the company determines that the most cost-effective risk response strategy is to purchase cyberinsurance for the data centers. What type of risk control strategy has the company implemented? Avoida nce Mitigation Acceptance Transference

A Explanation The company has selected a transference risk control strategy for its data centers. Risk transference is the act of shifting the risk to an outside entity, in this case, the company issuing the insurance policy. Risk acceptance refers to understanding the risk and its consequences and accepting that risk without implementing controls or attempting mitigation. This is often the preferred path when a risk has a low likelihood to occur or would have minimal impact if it did occur. Risk avoidance refers to applying safeguards to eliminate or reduce the impact of uncontrolled risks. This usually involves user training and establishing company policies related to the risk. Risk mitigation is the act of taking steps to prevent a vulnerability from being exploited or minimize the potential impact of an identified risk. This includes putting technical controls in place and developing disaster recovery plans.

A company wants to deploy a secure system that will constantly monitor network devices and alert a network administrator when an incident occurs. What is the BEST solution? Upload a script to all network devices that will collect information about the network activity and send a report. Deploy a dedicated SIEM system and use SSH to collect information from network devices. Enable SNMPv3 and send traps to a dedicated SIEM system. Build a secure tunnel between a network device and a SIEM system using IPSec.

A Explanation The company should use Simple Network Management Protocol (SNMP) version 3 and send traps to a dedicated Security Information and Event Management (SIEM) system. SNMPv3 is a secure protocol designed to monitor network activity. The company would use SNMP traps to alert a network administrator when an incident occurs. SNM,P supports polling information as well. SIEM combines security information management systems and simplifies threat detection and reporting. Creating and manually uploading a script to poll information is not efficient. SNM\P is a better choice because it offers a way to poll information from a device directly. Building a secure tunnel is not enough to poll information. You should use SNMP traps. Secure Shell (SSH) is not the best protocol to collect information about network activity. You should use SSH to manage and configure a network device. SSH does not offer any methods to poll information from a device directly. SNMP is a better choice.

During a risk assessment, potentially sensitive data is discovered on a file server. Which entity is responsible for determining the risk associated with leaving this data in its current storage location? Data subject Data owner Data custodian Data steward

A Explanation The data owner is responsible for determining the risk associated with leaving this data in its current storage location. The data owner is typically a high-ranking executive or director. Although the data owner will not deal with day-to-day data management, they will be called on if the data is not handled properly. The data owner determines who has access to the data, how frequently it should be backed up, and how it should be stored. The data steward is not responsible for managing the risk associated with data. The data steward monitors data integrity and ensures that the data is used correctly. In smaller organizations, this role may be merged with the data owner role. The data custodian is not responsible for managing the risk associated with data. The data custodian is responsible for the day-to-day management of the data. For example, the data custodian performs regular data backups. The data subject is not responsible for managing the risk associated with data. Under the General Data Protection Regulation (GDPR), the data subject is the person whose data is being collected and stored.

A company discovers that is has been under attack from an APT for several months. Through which type of attack was the initial breach most likely accomplished? Watering hole Spear phishing Tailgating Brute force

A Explanation The initial network breach by an advanced persistent threat (APT) is usually made through a spear phishing attack. An APT is a long-term attack in which the attacker gains access to a network and attempts to remain undiscovered, unlike other attacks in which the goal is to get in and then get back out quickly. During an APT attack, the attacker has a primary goal of stealing information, but during the attack will likely perform other actions, such as installing backdoor utilities. APT attacks usually require a significant amount of resources to remain undetected. This type of attack is often used by state-sponsored attack threats. A spear phishing attack is a targeted attack against a network user, attempting to gain access to sensitive information, such as information on accessing the network, by way of spoofed email. An APT attack is unlikely to use a brute force attack. A brute force attack is a means of cracking passwords to gain access to a network. An APT attacker would not use this method because it is relatively easy to detect. An APT attack would not use a watering hole attack. In a watering hole attack, web sites frequently visited by users are hacked, usually with the goal of infecting the users with malware. An APT attack would not use a tailgating attack. This type of attack is used to gain physical access by following an authorized person into a secure area, not as a way of gaining network access.

An organization plans to contract with a provider for a disaster recovery site that will host server hardware. When the primary data center fails, data will be restored, and the secondary site will be activated. Costs must be minimized. Which type of disaster recovery site should the organization deploy? Cold site Mobile site Hot site Warm site

A Explanation The organization should deploy a warm site. A warm site includes power, networking, and server hardware. In the event of a disaster, the servers must be powered on and operating systems installed or updated. Data from the most recent primary site backups can then be restored. A warm site does not typically host all the same hardware as the primary site, and often provides just enough processing capability for the organization to operate while the primary site is restored. A hot site mirrors the primary site and includes all the hardware, software, and connectivity required to support full operations. Data is mirrored from the primary to the hot site on a frequent schedule, if not in real time. A mobile site can be compared to a warm site. The provider supplies a trailer with power, networking, and hardware, and systems must be configured and data restored. However, due to the mobility requirements, mobile sites do not minimize costs. A cold site is a facility with power, but typically does not host any server hardware. During a failover, hardware must be installed, network connectivity provisioned, and data restored. Cold sites are the least expensive recovery option but require the longest time to spin up.

Which method can be used to implement a managerial control for an educational institution that stores sensitive information about students? Require users who access sensitive information remotely to use a VPN. Perform a risk assessment for servers holding sensitive information. Implement MFA on all servers holding sensitive information. Implement full-disk encryption on servers holding sensitive information.

A Explanation The organization should perform a risk assessment for servers holding sensitive information. Security controls fall into three families or categories: managerial, operational, or technical. A risk assessment is a managerial control. During a risk assessment, vulnerabilities and threats are identified and the impact of a vulnerability being exploited is calculated. The organization should not implement full-disk encryption on servers holding sensitive information. Full disk encryption is a technical control that secures data at rest and mitigates the risks presented by a lost or stolen hard drive. The organization should not implement Multifactor Authentication (MFA) on all servers holding sensitive information. Systems that implement MFA require two or more successful authentication methods before access is granted. MFA is a technical control. The organization should not require users who access sensitive information remotely to use a Virtual Private Network (VPN). A VPN is a technical control designed to provide authenticated, secure communications between networks and clients.

What are two advantages of implementing a vendor diversity policy? (Choose two.) Reduced equipment costs Simplified administration requirements Improved network troubleshooting Layered defense strategies Access to the most recent technologies

A Explanation Two advantages of implementing a vendor diversity policy are access to the most recent technologies and reduced equipment costs. Vendors develop and implement technology changes at different rates, some vendors being able to release some technologies earlier than others. Sourcing from different vendors lets you leverage cost strategies and make deals with vendors to reduce equipment costs. Vendor diversity policy does not help to simplify administration requirements. These requirements often become more complicated because different vendors have different management requirements and administrative interfaces. Vendor diversity policy refers to getting resources from different sources. This may help provide for control diversity, but does not imply a layered defense strategy, which requires defenses implemented at different levels. Vendor diversity policy does not necessarily lead to improved network troubleshooting and can, in some cases, make troubleshooting more difficult. When a problem arises, different vendors may try to place the blame on other vendor's products.

Users report that they lose connection to the wireless access point. Radio frequencies that have a similar pattern to those transmitted by the access point are discovered. What type of attack does this indicate? NFC attack Evil twin Jamming WPS attack

A Explanation You should suspect a jamming attack. In a jamming attack, the attacker configures a stronger Wi-Fi access point to transmit a signal that matches the frequency pattern used by the legitimate access point. This prevents devices from establishing a connection with the legitimate access point. Attackers can use this attack simply as a denial of service (DoS) attack, for eavesdropping, or to take control of the device. This attack can be diagnosed by using a radio frequency (RF) scanner. However, you might encounter false positives from innocuous devices. You should not suspect an evil twin attack. An evil twin attack is a Wi-Fi attack in which a rogue access point is configured to gather information by eavesdropping. Users connect to the evil twin, thinking it is the legitimate access point. An evil twin attack does not use signals with the same frequency patterns as the legitimate access point. Instead, it configures the access point to appear legitimate and trick the user into connecting to it instead of the legitimate one. You should not suspect a Wi-Fi Protected Setup (MIPS) attack. A WPS attack is a brute force attack that is used to gain access to the Wi-Fi PIN. You should not suspect a near field communication (NFC) attack. An NFC attack uses NFC as the attack vector. NFC is a radio field transmission used to allow devices to communicate over a very short distance

For each description, select the most closely matching cloud computing model from the drop-down lists. Choose the correct options This model supplies an appropriate environment for developing, testing, and deploying applications. The provider is responsible for the operating system, development environment, and other resources. This model gives the user the most direct control over the environment. The is responsible for maintaining the operating system and other resources. This model offers access to applications on a subscription or pay-as-you-go basis. The provider is responsible for upgrades and all management requirements except user preference settings.

A Explanation paas saas Platform as a service (PaaS) is a cloud model in which the provider supplies an appropriate environment for developing, testing, and deploying applications. The provider is responsible for the operating system, development platform, and other resources. Some level of customization is supported to let you configure the environment to meet specific development requirements. Infrastructure as a service (IaaS) is a model that gives you the most direct control over your environment. You are responsible for installing and maintaining the operating system and other resources. The provider is responsible for the underlying infrastructure. Software as a service (SaaS) offers access to applications on a subscription or pay-as-you-go basis. The

For each of the following statements, select Yes if the statement is true about credentialed scans. Otherwise, select No.

Credentialed scans are less intrusive to the network than non-credentialed vulnerability scans. That is because a credentialed scan runs on the target host rather than accessing the target from the network, as is done with a non-credentialed scan. A credentialed scan will provide a more detailed report of open ports on a host firewall because it can use host-based utilities to check for open ports. A non-credentialed scan can find only those open ports on which a program is listening. Credentialed scans are designed to find missing patches better than non-credentialed scans. This is because credentialed scans run as an authenticated user on the target host. Credentialed scans do not simulate an outside attacker better than non-credentialed scans. Outside attacks will often start as non-credentialed scans to search for vulnerabilities that can be used to compromise a target.

A company is configuring a secure Web server. What must be submitted to a CA when requesting an SSL certificate? CRL CSR OCSP OID

Explanation A Certificate Signing Request (CSR) must be submitted to a Certificate Authority (CA) when requesting a Secure Sockets Layer (SSL) certificate. The CSR contains the information that a CA must have to issue a certificate. The CSR and the public and private encryption key pair to be used with the certificate must be created on the server on which the certificate will be used. A Certificate Revocation List (CRL) is used to track certificates revoked by the issuing CA and is not part of the certificate creation process. The Online Certificate Status Protocol (OCSP) is used to retrieve certificate revocation information as an alternative to using a CRL. The protocol is not part of the certificate creation process. Unique object identifiers (OIDs) are used to manage certificate policies and are configured on the CA. They are not provided by the server requesting a certificate.

Which security goal is compromised by a DDoS attack? Nonrepudiation Integrity Confidentiality Availability

Explanation A Distributed Denial of Service (DDoS) attack compromises a computer's availability. Availability is the security goal that ensures that data or a service can be accessed at all times. A DDoS attack prevents access by overwhelming the computer with illegitimate traffc so it cannot respond to legitimate traffc. A DDoS attack does not compromise confidentiality. Confidentiality is the security goal that guarantees that information is not disclosed to unauthorized individuals. Permissions and encryption are used to provide confidentiality. A DDoS attack does not compromise integrity. Integrity is the security goal that guarantees that data is not modified unnoticed while it is being transmitted. Encryption and digital signature both help ensure integrity. A DDoS attack does not compromise nonrepudiation. Nonrepudiation prevents a user from denying that he or she performed a specific action. Auditing helps ensure nonrepudiation.

A company is planning to outsource the application hosting for a critical business application. The systems administrator needs to determine the policies that are required. Select the policy that corresponds to each definition. Choose the correct options Definition An agreement that is not legally binding An agreement that permits purchases A legally binding agræment that defines the level of service, including uptime and performance criteria An agreement that governs the Policy BPA connectivity details systems in the organizations

Explanation A Memorandum of Understanding (MOIJ) is not a legally binding agreement. Instead, it is a more casual agreement between two or more parties. An MOU is typically used when a legally binding agreement is not possible. A Blanket Purchase Agreement (BPA) is an agreement that permits recurring purchases. For example, you might use a BPA if you will be placing multiple orders or hiring a contractor for more than one job. An Interconnection Security Agreement (ISA) is an agreement that defines the technical specification for connectivity between the systems in two or more organizations. A Service Level Agreement (SLA) is an agreement that guarantees a specific level of service, including uptime, performance requirements, mean time between failures, and other characteristics.

An organization struggles to manage and search logs stored on various servers and network nodes. Which platform provides log aggregation and can be used for log analysis and security assessments? NGFW SNMP SIEM AAA

Explanation A Security Information and Event Management (SIEM) platform provides log aggregation and can be used for log analysis and security assessments. A SIEM is designed to ingest data from a variety of network components, such as user workstations or laptops, network routers and switches, firewalls, servers, and other appliances. SIEM then analyzes the data to identify trends, pending security issues, and security breaches. SIEM can be configured to alert on any combination of events that might be concerning for an organization. The real benefit of SIEM is its ability to correlate information from a variety of sources in order to create a clearer view of what is happening on a network. A Next-Generation Firewall (NGFVV) is not used to aggregate server and system logs for analysis. Firewalls can be simple routers configured with strict access control lists (ACLs) that limit inbound and outbound traffc based on source and destination IP addresses. However, most NGFM/s track session states and offer complex rulesets. Beyond simple firewalling, they may also scan traffc for malware and offer intrusion prevention functionality. Simple Network Management Protocol (SNM,P) is used to send status, diagnostic, and event information from network nodes to a centralized server. SNMP can collect performance and event information from network devices. Many SNMP management systems can also be configured to alert on performance thresholds and system availability. Authentication, Authorization, and Accounting (AAA) describes a system that can enhance security by _.uthenticacineusers. authorizing users to oerform certain tasks,.nd then tracking what users do on

Which of the following is also known as a Type 1 hypervisor? Hosted Bare metal Virtual machine Docker container

Explanation A bare metal hypervisor is also known as a Type 1 hypervisor. A hypervisor is hardware, software, and/or firmware that sits between virtual machines and physical hardware. Bare metal deployments run virtualization software directly on hardware by providing their own operating system, as VMWare ESXi does. Type 1 hypervisors are not designed to be full-featured desktop operating systems, and as such, they typically offer better performance than Type 2 hypervisors. Virtual machines run as guests on a host platform. The host is typically a normal operating system, such as Windows 10 or Windows Server, running virtualization software, such as VMWare Workstation. These systems run a Type 2 hypervisor. Containers do not use a hypervisor and consist of an application or group of applications. Containers provide many of the same benefits as virtual machines and are designed to be portable and largely self contained. They share a host operating system that manages kernel and device driver access. Docker is a popular container ecosystem. A hosted hypervisor runs on top of a host operating system. Hosted hypervisors are also known as Type 2 hypervisors.

Which of the following are block cipher modes? (Choose three.) Choose the correct answers CBC CRC SSL GCM ECB

Explanation A block cipher works in many different modes: • Electronic Codebook (ECB) Cipher Block Chaining (CBC) Cipher Feedback (C F B) • Output Feedback (OFB) • Counter (CT R) • Galois/Counter Mode (GCM) The simplest and weakest method is ECB, which should be avoided, You should use a more secure block cipher with authenticated encryption if possible. Cyclic Redundancy Check (CRC) is not a block cipher. CRC is used to detect any changes that could be introduced during transmission or storage, Secure Socket Layer (SSL) is not a block cipher, SSL secures a connection between a client and a server.

An organization has moved most of its applications and services to cloud-based platforms. The organization wants to ensure that the security for these diverse environments can be managed centrally. What should the organization do? Configure an SWG and configure secure access polices. Configure a CASB to enforce organizational security policies. Deploy an MDM server and enroll all cloud service platforms. Deploy a cloud-based proxy and connect each platform to the proxy.

Explanation A cloud access security broker (CASB) can be configured to enforce organizational security policies on cloud-based resources. CASBs are designed to provide data, app. and identity security for cloud-based services and platforms. Among other features, a CASB can identify compromised accounts and mitigate the risk of data exfiltration. Cloud-based proxies provide secure internet access to end users. Cloud proxies can scan client requests and server responses for malware, detect and prevent access to unsecure sites, and provide Uniform Resource Locator (URL) filtering. A secure web gateway (SWG) is similar to a cloud-based proxy. The SWG sits between end users and the internet and not only secures outbound requests, but also protects the organization from unauthorized inbound access. A Mobile Device Management (BADM) server is used to manage mobile devices such as smartphones, tablets, and laptops. An MDM can ensure that a mobile device is securely configured, up-to-date, and only runs approved applications.

A competitor learns company secrets by examining the contents of a USB drive that he found in a trash can during a site visit. How can the company best mitigate this type of risk? A data disposition policy Surveillance cameras Periodic permissions review A UTM appliance

Explanation A data disposition policy is one possible way to mitigate this type of data leakage. A company should have a well-defined policy that describes acceptable ways in which to dispose of confidential company data. This type of policy helps mitigate the risk of dumpster diving attacks like the one described in this question. Implementing a unified threat management (UTM) appliance will not mitigate this risk. A UTM monitors data as it leaves and enters the edge of the network. It should not be used to control whether or not data is copied to a USB drive. Periodic permissions review is not the best way to mitigate this risk. There is no indication in the scenario that the employee who copied data to the USB drive did not have permission to access the file. Surveillance cameras are not the best way to mitigate this risk. A surveillance camera positioned at each trash can might allow you to see that the competitor picked up something from the trash, which might help in prosecution, but it would not mitigate the risk.

Which of the following best describes a digital signature? Choose the correct answer A message hash encrypted with the recipient's public key A message hash encrypted with the sender's public key A message hash encrypted with the sender's private key A message hash encrypted with the recipient's private key

Explanation A digital signature provides proof that a message really came from the sender. A digital signature is really a hash of the message that has been encrypted with the sender's private key. The recipient then uses the sender's public key to decrypt the hash. If the hash values match, the message and signature have been received unmodified. A digital signature does not provide confidentiality for the message because it does not encrypt the message. It provides a check for integrity and non-repudiation. The use of the hashing function provides a way to ensure that the message has not been altered. The use of the asymmetric keys proves that it was sent by the apparent sender.

A company is designing its disaster recovery plan. The company wants potential down time after a disaster kept to a minimum. Data loss and reposting requirements should also be kept to a minimum. The ability to physically secure the site and prevent any outside entry is a primary concern. What is the BEST disaster recovery site option? Colocation site Cold site Hot site Warm site

Explanation A hot site best meets the company's data recovery requirements. A hot site is a fully configured and fully staffed copy of your operational site. Data is already loaded on the computers at the hot site and continuously updated through incremental updates. The company can switch over from its operational site to the hot site with little or no time lost. This is the most expensive disaster recovery option. A cold site does not meet the company's requirements. With a cold site, nothing is configuring and running and few if any personnel are on site. The hardware for the site might be stored in a different location and would have to be moved before it can be used. The time required to install operating systems and applications and to recover data from backups can be significant. This is the least expensive site option. A warm site does not meet the company's requirements. A warm site falls somewhere between hot and cold sites both in advanced preparation and associated costs. A warm site has equipment installed and running but does not match the full configuration and capabilities of the operational site. Warm site computers do have data but are not continuously updated, so it would be necessary to recover the most recent available data from backups. A colocation site does not describe advanced preparation and readiness to take over but instead the model under which the site is run. A colocation site is a shared data center with multiple clients setting up disaster

Which of the following physical controls is the best option for mitigating tailgating attacks? Mantrap Air gap TEMPEST Badges

Explanation A mantrap is a physical control that can be used to mitigate tailgating attacks. A mantrap is like a vestibule with locking doors on each end. The mantrap enhances physical security by "trapping" an individual while identity verification is performed. Mantraps are often combined with other security controls such as physical guards, badge readers, or biometric devices to enhance security. TEMPEST will not mitigate tailgating attacks. TEMPEST is a government program for gathering information from and protecting systems that emit electronic signals. A Faraday cage is a component in a TEM\PEST system. An air-gapped server or network is physically isolated from other networks. Air gapping is meant to isolate a device from remote connectivity and requires an attacker to be in the same location as the air-gapped component. Air gaps will not mitigate tailgating attacks. Badges are physical security controls that can serve as authentication and authorization when a user attempts to enter a secure area. Badges can be simple photo IDs or complex biometric devices that require proximity to an authentication device before entry is allowed. Badges do not necessarily mitigate tailgating attacks as they are easily stolen and can be cloned. Additionally, even when a badge reader is deployed, an attacker could tailgate the person using the badge.

A company is comparing vulnerability scanning options. Which statement accurately describes a non credentialed scan? The scan is run from outside the target host system. The scan will find all open ports on a target host firewall. The scan must include a password cracker. The scan leaves no traceable footprint.

Explanation A non-credentialed scan is run from outside the target host system. The scan works by probing the target system from outside the system. The scan collects information about a host, but does not run on the host. The scan will not find all open ports on a target host firewall. It can find ports on which there is a service actively listening, but it will not necessarily find all open ports. The scan will not necessarily include a password cracker. This would be a requirement for a penetration test in which you wanted to test password security, but it does not have to be part of a vulnerability scan because you are not entering credentials for the host system. The scan leaves a traceable footprint. The activities during a non-credentialed scan be logged and leave a traceable footprint.

A script kiddie would most likely be involved in what type of activity? Creating password cracking scripts to compromise networks Intercepting and modifying email messages Vandalizing public web sites Developing and testing hacker tools

Explanation A script kiddie would most likely be involved in vandalizing public web sites or similar activities. Script kiddies are relatively unsophisticated hackers who lack the ability to write their own hacks, but instead download and use hacks that they are able to find on the Internet. Their goal is most often to just bring attention to themselves. The vast majority of script kiddies have neither the skill, patience, or interest to invest time in developing and testing hacker tools. At most, they might copy and paste code together from existing hacks. Script kiddies seldom have a serious goal in mind and would not spend time creating password hacking scripts. The interests of script kiddies do not run toward intercepting and modifying email messages. This type of activity does not carry enough visibility to hold their interest.

A security administrator is working on a confidential report in a crowded airport terminal. The administrator is not connected to the airport's Wi-Fi hotspot. What type of attack is MOST likely to occur? NFC Shoulder surfing Quid pro quo Man-in-the-middle

Explanation A shoulder surfing attack is one that occurs when an attacker eavesdrops by looking over your shoulder as you work or enter a PIN number or password. These types of attacks are most likely to occur in a crowded public place. A near field communication (NFC) attack is one that uses NFC radio signals as an attack vector. Close proximity is required for an NFC attack. However, the scenario does not involve NFC-enabled devices or communication. A man-in-the-middle attack is used to hijack a communication session. Because you are not connected to a network, this is not a risk. A quid pro quo attack is one in which the victim is lured into performing some action by the offer of a gift. For example, an attacker might send an email offering a gift card if you log on to a site. The link will be to a malicious site that either gathers data from or downloads malware to the victim.

A company needs a security solution consisting of a set of compatible security applications that: Collect and organize data from multiple sources. • Define, prioritize, and automate incident response functions. Orchestrate workflows, policies, and reporting. • Automatically respond to low-level threats. Which security solution meets these requirements? CVE SOAR SIEM cvss

Explanation A solution, orchestration, automation, and response (SOAR) solution meets all of these solution requirements. SOAR is a software stack made up of multiple security applications. The goal of SOAR solutions is to improve the effciency of security operations and automate security processes and procedures. SOAR solutions include support for: Threat and vulnerability management • Security incident response • Security operations automation Security information and event management (SIEM) does not meet the solution requirements. SIEM solutions do aggregate security and monitor data from multiple sources, but they do not include support for automated response. SIEM solutions are often paired with SOAR solutions to implement a more complete security environment. Common Vulnerability Scoring System (CVSS) is not a security software solution. It is a standard for rating security vulnerabilities in software by severity. A rating of None (no risk) is given a score of O. A score of

Which of the following threat actors is MOST likely to be classified as an APT? Hacktivist Malicious insiders Criminal syndicates State actors

Explanation A state actor is most likely to be classified as an advanced persistent threat (APT). An APT is one that persists over time, often employing complex attack chains to infiltrate and maintain access to a system or network. Due to their complexity, such activities typically require funding from nation states and APT groups that are either part of government cyberwarfare corps or are sponsored by a state actor. Criminal syndicates are groups of threat actors primarily focused on exploiting a system for financial gain. Such organizations are often behind complex fraud or extortion schemes. Criminal syndicates are also known as organized crime syndicates. Malicious insiders are employees that work for the victim organization or contractors who have a high level of access. They are considered dangerous because they can access resources on the Local Area Network (L AN), thus bypassing border protection mechanisms such as firewalls. Additionally, insiders have a better understanding of an organization's operations and may have relationships with individuals who have access to sensitive information. Hacktivists are individuals or groups that do not hack for financial gain. Instead, a hacktivist uses hacking to forward a political agenda or cause.

A high-level executive at a company is concerned that an administrator might accidentally introduce a security vulnerability when installing a new server. What process could be used to mitigate this risk? Audit policies Change management Incident management User rights review

Explanation A well-defined change management process can help mitigate the risk that an administrator might accidentally introduce a security vulnerability when installing a new server. A change management process defines the actions that must occur before a change is made, including security testing and approvals. It also ensures that each change is properly documented. An incident management process will not mitigate the risk that an administrator might accidentally introduce a security vulnerability when installing a new server. An incident management process is one that is enacted when a security breach (incident) occurs. An incident management process describes the actions that should occur to reduce the impact of the attack, mitigate the risk that it will occur again, and collect the evidence necessary to prosecute the attacker. A user rights review will not mitigate the risk that an administrator might accidentally introduce a security vulnerability when installing a new server. An administrator typically has the rights to install a new server on the network. Audit policies will not mitigate the risk that an administrator might accidentally introduce a security vulnerability when installing a new server. Audit policies provide nonrepudiation to identify the user who took a specific action. In this example, an audit policy might reveal which administrator installed the server, but it would not mitigate the risk of the vulnerability.

What is the MAIN reason for a security administrator to run a password cracker in a company? To check a hash of a password. To identify weak passwords. To identify hashed passwords. To reset a password for a user.

Explanation An administrator should use password crackers to identify weak passwords in the network. To avoid disclosure, a password cracker tool can provide the strength of passwords only. An administrator can also use software like this to crack a password using dictionary, brute force, hybrid, and rainbow table attacks. An administrator should not use a password cracker to reset a password for a user. Instead, a dedicated method for recovering or resetting a lost password should be used. Cracking a password is a time- consuming process and may lead to unauthorized access attempts. An administrator should not use a password cracker to find a hash of a password. Password crackers should be used to identify weak passwords.

What is the primary risk of an integer overflow attack? Directory traversal Header manipulation Arbitrary code execution Session hijacking

Explanation An integer overflow attack is one in which an integer variable's value is modified in such a way that it overflows the defined type. This type of attack is most successful against applications written in C or C++ because the prevalence of bitwise operations in these languages make it diffcult for a compiler to differentiate between a mistake that causes a vulnerability and a purposeful bit manipulation. When an integer overflow attack occurs, the execution pointer can be redirected to execute code stored at an arbitrary location in memory. Session hijacking is not a risk of an integer overflow attack. Session hijacking is used to obtain access to information that only an authenticated user of a website should have. Session hijacking is also known as cookie hijacking because the attacker sniffs the user's session key, which is often stored in a session cookie. The session key is used by the web application to keep track of a user's state throughout the session. For example, a session key would be used to identify the shopping cart in an ecommerce application. Directory traversal is not a risk of an integer overflow attack. A directory traversal attack is one in which an application is tricked into accessing a file that is stored at a different path than the file the application is supposed to access. A header manipulation attack is one that is accomplished by modifying the Hypertext Transfer Protocol (HTTP) response header. Header manipulation can be used as part of a cross-site scripting (XSS) attack or a browser hijacking attack.

Which of the following uses infected removable media as an attack vector? Baiting SPIM Evil twin Pass the hash

Explanation Baiting is a social engineering attack that involves placing USB drives loaded with malware in a target organization. Baiting attempts to appeal to a person's curiosity or greed to entice them into taking a desired action. Baiting can use digital goods such as the lure of free music or videos, or physical goods, such as a USB drive or CD. The bait is often laden with malware that is installed when the bait is accessed. A pass the hash (PtH) attack involves extracting password hashes from a computer's memory using a tool like mimikatz. These stolen password hashes are then used in place of a typed password to authenticate with a system. An evil twin is a wireless access point (AP) that broadcasts the same wireless network name as an organization's wireless system. Evil twins offer a variety of exploitable opportunities for an attacker, including Man-in-the-Middle (BAITM) attacks. A Spam over Instant Messaging (SPIN,) attack involves sending unsolicited content via an instant messaging (1M) tool. SPIM is once again becoming a popular attack vector due to pervasive 1M tools that are now part of social media apps and platforms.

Identify the control type used in each control example. Drag the appropriate control type to each control example. Drag and drop the answers Control example Signs warn that will A server is restored from Security guards monitor building entrances. Vldeo cameras are mounta:i in server rooms. Firewalls set network Control type Deterrent Deterrent Detective Preventive Detective Corrective

Explanation Deterrent Preventive Compensating Signs warning that trespassers will be prosecuted are an example of a deterrent control. Deterrent controls are designed to delay or discourage an attempt to attack. Security guards are also a type of deterrent control. A server restored from backups is an example of a corrective control. A corrective control is something applied after an attack to correct the damage or return to operational status. Video cameras mounted in server rooms represent a type of detective control. Detective controls are designed to identify when an attack or intrusion has occurred. They could be deterrent if there are signs advising that the area is under video surveillance, but the cameras themselves are detective. Firewalls that set perimeter network boundaries are an example of preventive controls. None of the control examples is a compensating control. A compensating control is an alternate control that is designed to accomplish the same purpose as the original control. A hot site, for example, is designed to provide the same processing support as the site it replaces.

Which of the following tasks occurs during the identification phase of the incident response process? An anti-malware scan is initiated using updated signatures. A risk assessment is performed. Logged events are correlated based on time. Server logs are signed and retained for evidence.

Explanation During the identification phase of the incident response process, logged events are correlated based on time. Log correlation is the process of collecting and analyzing logs from various sources. The correlation is typically done using timestamps to identify the time and sequence in which malicious activity occurred. For this reason, accurate time keeping is critical in a networked environment. Server logs are signed and retained for evidence during the lessons learned phase of the incident response process. This is especially important if legal remedies will be pursued in response to the attack. A risk assessment is performed during the preparation phase of the incident response process. A risk assessment allows the organization to evaluate vulnerabilities and risks and determine which vulnerabilities should be mitigated. An anti-malware scan is initiated using updated signatures during the eradication phase of incident response process. During this phase, any infections or other malicious artifacts are quarantined or eliminated.

An application development plan calls for fuzzing. What is fuzzing used to test for? Amount of network traffic generated by the application Strength of application data encryption Application performance when processing fuzzy data Application flaws relating to data input

Explanation Fuzzing tests for application flaws relating to data input. Fuzzing is an automated or semi-automated process that sends varying data input to an application while monitoring for failure. Fuzzing is commonly used in testing for buffer overflow and cross-site scripting vulnerabilities. Fuzzing should be used as part of a comprehensive testing program. Fuzzing has nothing to do with fuzzy data processing. Fuzzy data deals with approximate, rather than firm, data values. Fuzzy processing is used where data can vary and approximations provide usable results. Fuzzing does not test the strength of data encryption. Various data cracker and decryption programs are available for this purpose. Fuzzing does not test for network traffic generated by an application. However, during fuzzy testing, you can get some idea of the traffc resulting from high-speed data input.

A security administrator responds to a server breach involving highly sensitive information. As part of the digital forensics process, what should the administrator do on the affected machine FIRST? Collect network connection information. Extract the contents of RAM. Collect a snapshot of all running processes. Verify and collect the operating system time.

Explanation In a computer forensic investigation, network connection data should be collected first. Volatile operating system (OS) data is data that changes as the system is used, times out and is flushed, or is lost when the system changes state, such as during a reboot. According to NIST SP 800-86, network connection information should be collected before all other volatile data. During a forensic investigation, OS time should not be collected first. Time is an important factor when correlating events written in logs or file timestamps. OS time is the last piece of volatile data that should be collected. During a forensic investigation, Random Access Memory (RAM) contents should not be collected first. According to NIST SP 800-86, RAM contents should be collected third, after network connections and login sessions. During a forensic investigation, running process information should not be collected first. According to NIST SP 800-86, running process information should be collected fourth, after RAM contents.

Which of the following statements describes black box penetration testing? The tester is granted the same level of access as internal users. The tester can only perform operations on a specific server. The tester has no information about the target environment. The tester has extensive knowledge about the target environment.

Explanation In black box penetration testing, the tester has no information about the target environment. In this type of test, the pen tester has no information about the network, systems, or applications being tested. This simulates an external hacker who must first discover information about the organization through reconnaissance. Black box penetration testing is also known as zero knowledge testing. In black box penetration testing, the tester does not have extensive knowledge about the target environment. This describes full knowledge testing. In a full knowledge, or white box test, the tester has extensive knowledge about the target environment. This can be used to simulate a knowledgeable insider. In black box penetration testing, the tester is not granted the same level of access as internal users. This describes partial knowledge testing. Partial knowledge testing is also known as gray box testing. In black box penetration testing, the tester is not necessarily limited to performing operations on a specific server. The servers that can be tested are outlined in the rules of engagement.

An organization plans to deploy remote IoT devices that will monitor environmental conditions. Due to processing constraints, the devices do not support PKI, but the organization is concerned that stored secrets might be easily compromised if a device is stolen. Which of the following can be used to mitigate this risk? TPM 802.1x VPN IPsec

Explanation Internet of Things (IoT) devices that support Trusted Platform Modules (TPMs) can mitigate this risk. A TPM is a cryptographic component, typically installed as a discrete chip or integrated with other chipsets, that protects encryption keys. The TPM provides a hardware root of trust because the keys it holds cannot be exported. If the TPM chip is tampered with, the keys are invalidated and cannot be used for further encryption operations. 802. lx is an Institute of Electrical and Electronics Engineers (IEEE) standard that defines port-based network access control. 802. lx is used extensively in enterprise environments to facilitate access to wired and wireless networks. 802. lx controls network access and will not mitigate the risk of lost secrets on a stolen IoT device. Internet Protocol security (IPsec) is a suite of protocols that can be used to protect data in motion and is often deployed across the internet as part of a Virtual Private Network (VPN). IPsec can be configured to ensure data confidentiality (via encryption) and data integrity (via digital signatures). Although it is frequently deployed between routers, IPsec can also be used to directly connect endpoints. IPsec will not protect the stored secrets on an IoT device. A virtual private network (VPN) is designed to provide authenticated, secure communications between etworks and clients. 8 VPN is primarilv used to orovide remote client access to an organization's netwo

A company is deploying IoT devices on its production network. What are two vulnerabilities that can place the network at greater risk? Devices cannot be detected or monitored by network access controls or intrusion detection devices. Devices introduce non-standard network protocols that interfere with secure protocols. Devices do not have the computing resources to implement advanced security. Devices use hard-coded or well-known default passwords. Devices cannot be patched or updated.

Explanation Internet of things (IoT) is a blanket term used to describe a wide variety of devices that support internet connectivity, including computing devices, sensors, offce equipment, appliances, and even personal devices like watches. Connecting these devices to a production network introduces vulnerabilities that can put the network as a whole at a greater risk. Smart home devices, manufacturing controls, and vehicles are considered to be especially at risk. Two common vulnerabilities are that devices use hard-coded or well-known default passwords and do not have the computing resources to implement advanced security. Other vulnerabilities include: • Default configuration settings are unsecure and rarely change. • Devices often use weak encryption or no encryption at all for data at rest or in motion. Security controls are inconsistent due to a lack of industry-accepted security standards. The above is a partial list of inherent vulnerabilities in IoT devices. IoT devices do not introduce non-standard network protocols that interfere with secure protocols. They use standard, but often unsecure, protocols that are compatible with other network protocols.

Which statement describes a primary benefit provided by MFA? Mitigation of phishing attacks Protection of data in motion Federated authentication Required use of biometrics

Explanation Multifactor Authentication (M,FA) can help reduce the impact of successful phishing attacks. MFA requires at least two different authentication factors for successful authentication. Authentication factors can be something you know, something you have, or something you are. Some MFA solutions can also verify a user's location, implementing somewhere you are. MFA mitigates phishing and other social engineering attacks that successfully compromise a user's password, because the attacker will be unable to provide a second factor. MFA does not protect data in motion. Data in motion can be protected using transport encryption protocols such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec). MFA does not necessarily facilitate federated authentication. In federated authentication, trusted partner organizations are allowed to authenticate user access to an organization's resources. For example, a shopping site may allow a user to authenticate using their Google account. MFA does not require the use of biometrics. MFA requires two or more authentication factors, and many MFA systems use something you have and something you know as factors.

Two devices communicate using NFC. Which attack represents the greatest vulnerability? Brute force Evil twin Bluesnarfing Eavesdropping

Explanation Near field communication (NFC) is a technology that allows devices that have an NFC chip to communicate over very small distances. The advantage is that the connection is fast and easy to configure. It also consumes less power than a Bluetooth connection. However, data is sent over NFC in clear text, so eavesdropping is possible. The range for NFC eavesdropping is 1 meter for a passive device or 10 meters for an active device. Bluesnarfing is an attack that uses Bluetooth as the attack vector. With bluesnarfing, data is compromised. An evil twin attack is a Wi-Fi attack in which a rogue access point is configured to gather information by eavesdropping. Users connect to the evil twin, thinking it is the legitimate access point. An evil twin attack does not use signals with the same frequency patterns as the legitimate access point. Instead, it configures the access point to appear legitimate and tricks the user into connecting to it instead of the legitimate one. A brute force attack is one designed to learn a password or encryption key by checking each possible combination. NFC does not use passwords or encryption.

An nmap scan of open ports includes TCP ports 21, 22, 23, 80, 443, and 990. Which three ports indicate that unsecure protocols are in use on the computer? Select three. Choose the correct answers 23 443 80 990 21 22

Explanation Ports 21, 23, and 80 indicate unsecure protocols are in use. File Transfer Protocol (FTP) uses port 21. FTP is unsecure and unencrypted and often configured to allow anonymous access. Protocols like FTP Secure (FTPS) are a better choice from a security standpoint. Port 23 is used by Telnet, which lets you connect to and run commands on remote computers. All Telnet traffc is unencrypted. Secure Shell (SSH) is recommended instead of Telnet. Port 80 is the default Hypertext Transfer Protocol (HTTP). There are various ways to lock down access through HTTP, but data transfers are unencrypted and the protocol is considered inherently unsecure. It is recommended that, whenever possible, HTTP Secure (HTTPS) be used instead.

An organization collects extensive information about its clients. Which of the following is most likely protected by PHI laws or regulations? Prescriptions Ethnicity Credit card number Social Security number

Explanation Prescriptions are most likely protected by Personal Health Information (PHI) laws or regulations. PHI includes any information related to a person's health that is individually identifiable, meaning that the information could be used to identify an individual. Examples of PHI include physical or mental conditions, prescriptions, or other diagnoses. In the United States, PHI is typically protected by The Health Insurance Portability and Accountability Act (HIPAA). A Social Security number is not considered PHI. This is Personally Identifiable Information (PII). A credit card number is not considered PHI. This is PII and is protected by standards like Payment Card Industry Data Security Standard (PCI-DSS). Ethnicity is not considered PHI. Depending on local laws, ethnicity may or may not be considered PII. In most locales, it is labeled as non-sensitive PII, which means it can be shared publicly.

To reduce management complexity and increase operational security, an organization plans to deploy AAA services. Which of the following platforms or technologies will help the organization meet this goal? SIEM NIPS SDN RADIUS

Explanation Remote Authentication Dial-ln User Service (RADIUS) will help the organization meet its goal. A RADIUS server provides Authentication, Authorization, and Accounting (AAA) functionality for networked systems. AAA describes a system that can enhance security by authenticating users, authorizing users to perform certain tasks, and then tracking what users do on the network. For example, in a wireless network, a wireless LAN controller (M/LC) can forward client authentication requests to a RADIUS server. The RADIUS server can verify the client's identity, return attributes to the WLC that can be used to authorize the client to access a certain network, and track the authentication time, username, wireless access point (AP) used, etc. A Security Information and Event Management (SIEBA) platform is used to aggregate server and system logs for analysis. The SIEM then analyzes the data to identify trends, pending security issues, and security breaches. Software-Defined Networking (SDN) aims to separate network control and data planes in an effort to make networking systems programmable, automatable, and highly modular. SDN facilitates treating as infrastructure as code (laC). A Network-based Intrusion Prevention System (NIPS) typically sits in-line between trusted and untrusted networks. If malicious activity is detected, a NIPS may limit or terminate network connectivity.

A company includes security awareness training as part of its new hire process. What three topics should always be covered by a security bulletin? Zero-day threats Industry regulation changes Data labeling policy Tailgating policy New viruses

Explanation Security bulletins should be issued to address new viruses and threats, as well as industry regulation changes. New security threats continue to emerge. Therefore, employees should be educated about new viruses and other threats when they emerge. Similarly, industry regulations change periodically. Ongoing employee education is essential to ensure that the company stays compliant. A zero-day threat is a threat that has not yet been identified and patched. If a zero-day threat occurs that applies to users, a security bulletin should be sent out immediately. Tailgating should be covered as part of the new hire security awareness training. It should not be necessary to cover it in a security bulletin, unless there have been wide-spread problems with non-compliance. The data labeling policy should be covered as part of either organization-wide or role-based security training, depending on the company's policy. It should not be necessary to cover data labeling in a security bulletin unless there are changes to policy or issues with non-compliance.

A company's network is configured as a Windows AD domain named company.com. The network is configured to log successful and failed domain login attempts from domain clients. Windows event logs are consolidated in a central location. A network administrator reviews the Windows event logs periodically. The administrator discovered multiple instances where the username "company\fmiller" was used to log in interactively on several network clients. Several logins occur at the same or nearly the same time. What vulnerability does this MOST likely indicate? Brute-force password attack Use of shared credentials APT in progress Use of a service account

Explanation Simultaneous or overlapping logins across multiple Active Directory (AD) domain clients most likely indicates the use of shared credentials: multiple users sharing the same username for domain login. This is strongly discouraged from a security standpoint. For example, the more the credentials are shared between individuals, the greater the risk of the credentials being exposed outside of the company. Also, if malicious activity is tracked to the username, it is more diffcult to know which individual is responsible, and it requires evaluating other information such as MAC or IP address. Either would give you the computer, but not necessarily identify the user. This scenario does not indicate the use of a service account. A service account is a specialized domain account type that an application or service uses for login and to interact with the operating system. Windows includes built-in service accounts, but you can also create domain user accounts as custom service accounts.

For each description, select the most appropriate type of threat actor. Drag and drop the answers Description This is an actor whose primary goal is to either draw attention to a cause or reduce support for a cause rather than a monetary goal. This is an actor primarily interested in covert collection of data and in performing acts of cyber espionage. This is an actor that is best positioned to take advantage of a security and infrastructure in executing an attack. This is an actor that is motivated primarily by monetary gain, focusing on attacks such as ransomware and identity theft. Actor Hacktivist State-sponsored Internal Organized crime Internal Hacktivist Competitor

Explanation State-sponsored White hat Organized crime A hacktivist is an actor whose primary goal is to either draw attention to a cause or reduce support for a cause rather than a monetary goal. When the goal is political or is to generate terror, the term cyber terrorist is used. A state-sponsored actor is primarily interested in covert collection of data and in performing acts of cyber espionage. These acts may be targeted against other nation states or against large organizations such as multi-national corporations. An internal actor is best positioned to take advantage of a company's security and infrastructure in executing an attack. This is because an internal actor will typically have a better understanding of the internal organization and will have some level of authorized access.

An organization deploys a MODBUS based SCADA system to manage production machinery. Which of the following methods should be the organization's first choice for securing the new system? FDE NGFW EDR HIDS

Explanation Supervisory Control and Data Acquisition (SCADA) is a type of Industrial Control System (ICS) that is typically deployed to monitor and manage production machinery, plant operations, and energy and water distribution systems. MODBUS is the most popular application protocol used in SCADA systems. However, MODBUS, developed in 1979, was not designed for modern, interconnected networks, and it lacks encryption, authentication, and other security features. As a result, SCADA systems should be isolated completely, or protected with a Next-Generation Firewall (NGFVV). Most SCADA devices are not capable of full disk encryption (FDE). F DE is a technical control that secures data at rest and mitigates the risks presented by a lost or stolen hard drive. Most SCADA devices are not capable of running Host-Based Intrusion Detection System (HIDS) software. A HIDS is software that is installed on network endpoints to detect, log, and alert when intrusion attempts are detected. Most SCADA systems are not capable of running Endpoint Detection and Response (EDR) software. EDR encompasses a continuous process of threat detection and mitigation on endpoints.

Which type of system is MOST susceptible to costly and possibly catastrophic failures caused by operator errors? FPGA SCADA soc RTOS

Explanation Supervisory control and data acquisition (SCADA) networks are often highly susceptible to failure due to user errors or intentional internal malicious acts. SCADA networks are implemented through hardware and software commonly used in industrial control systems, but they are also used to control other types of systems, including key infrastructure systems such as water, electricity, and gas. This makes the systems tempting targets for hackers and terrorists. SCADA are complex, programmable control systems. Most user errors are related to poor training, inexperience, or carelessness. Field programmable gate arrays (FPGA) are programmable integrated circuits (ICs) that provide flexibility in how they are used. An FPGA can be reprogrammed and reconfigured to change the majority of its functionality by design engineers either during assembly, or after the device has been put into use. FPGAs are not directly accessible to users and not a direct risk for operator errors. A real-time operating system (RTOS) is a specialized type of operating system designed for use in real time and time-critical applications. Data is streamed directly to and through the RTOS in automated applications. Users have little, if any, direct access to the RTOS. A system-on-a-chip (SoC) is a specialized device that combines most, or all, of the functionality of a computer on a single IC. These devices are commonly used in a wide variety of consumer devices, including portable computing devices such as smart phones and tablets. An SoC device is designed wit

A Chief Financial Officer (CFO) receives an email that appears to be from the company's President. The email is tailored for the CFO and requests details regarding an upcoming quarterly report that will be presented to shareholders. No other employees receive this email. The CFO was the target of which type of social engineering attack? Piggybacking Vishing Smishing Whaling

Explanation The Chief Financial Officer (CFO) was the target of a whaling attack. Whaling is a form of phishing that targets high-ranking employees or political offcials. Whaling uses emails that are often crafted to look like they are sent from another high-ranking employee in the same or a different organization. For example, an attacker could pose as a board member of an organization while requesting that a CFO transfer funds to a special bank account for an upcoming project. Piggybacking involves following an authorized user through a locked door or into a restricted area. Piggybacking is also known as tailgating. Smishing is a form of phishing that uses texting or Short Message Services (SMS). Like phishing, smishing attacks attempt to entice unsuspecting users into clicking on malicious links or divulging confidential information. Vishing, or voice phishing, mimics a phishing attack using the telephone. Vishing often targets customer service and help desk employees.

Which standard provides standard guidelines for risk management? Choose the correct answer ISO 27001 GDPR SSAE SOC 2 ISO 37000

Explanation The International Standards Organization ('SO) 37000 provides guidelines for risk management that can be applied across a variety of industries and to nearly any size of company. It is important to note that ISO 37000 provides guidelines but does not specify requirements. Companies can use the guidelines and framework provided to improve risk management, but companies do not become ISO 37000 certified by applying the guidelines. There is no path to certification in ISO 37000. ISO 27001 is a specification for information security management systems. The standard provides details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. Organizations meeting all requirements can be certified as ISO 27001 compliant. The General Data Protection Regulation (GDPR) is similar to ISO 27001 in that it regulates information security. It is generally accepted as the toughest security and privacy law in the world. The obligations specified in GDPR apply not only to organizations based in the European Union (EU), but also to organizations doing business with the EU if they target or collect data on EU residents. Statement on Standards for Attestation Engagements (SSAE) Service Organization Control (SOC) 2 refers to a report that documents an internet service provider's security, availability, processing integrity, confidentiality, and privacy. It is designed to give organizations working with the service provider assurances about secure data transmission and storage, as well as data availability.

A security administrator discovers that an employee is exfiltrating proprietary company information. The administrator is concerned that the user may try to cover their tracks. What should the administrator do first? Install a keylogger on the employee's workstation. Implement a legal hold on the user's mailbox. Create a bit-stream image of the employee's workstation. Enable data loss prevention on email servers.

Explanation The administrator should implement a legal hold on the user's mailbox. A legal hold is typically the first action in an eDiscovery process. A legal hold can be a process, a software feature, or a combination of both. A Human Resources or Legal department will likely approve a legal hold and notify data custodians such as system administrators to retain all files related to an incident. The legal hold feature on an email or file server may retain all changes, including file deletions, while the hold is active. Whatever the process, a legal hold is meant to preserve evidence. The administrator should not install a keylogger on the employee's workstation. In addition to the ethical issues this approach might raise, installing a keylogger will not preserve existing evidence. The administrator should not enable data loss prevention (DLP) on email servers. DLP is typically enabled on servers and other network devices to detect and prevent data exfiltration. An effective DLP program might have prevented the data exfiltration. The administrator should not create a bit-stream image of the employee's workstation. Bit-stream images are taken during computer forensic investigations. This may occur later in the eDiscovery process.

Engineering department computers are deployed on a screened subnet. The computers must be protected against malware attacks. What should the administrator do? Install a HIDS on each of the departmental computers. Deploy a NIDS for the screened subnet. Filter traffic at the subnet's router. Filter traffic by port at each of the departmental computers.

Explanation The administrator should install a Host-based Intrusion Detection System (HIDS) on each of the departmental computers. Malware is a general term referring to malicious software, such as viruses, worms, and spyware. A HIDS includes a variety of applications that are designed to protect a computer against malware, such as antivirus software. The HIDS monitors the computer for changes that indicate a possible attack. The administrator should not deploy a Network-based Intrusion Detection System (NIDS) for the screened subnet. A NIDS monitors network activity and traffc to watch for potential attacks. Because viruses are often attached to or screened by a legitimate traffc, a NIDS will not protect against the wide range of possible malware attacks. However, you may want to deploy a NIDS to protect against other types of attacks. The administrator should not filter traffc by port at each of the departmental computers as the only protection against malware. This lets you limit the type of traffc accepted by the computer, but it does not filter packet contents. Filtering traffic at the subnet's router has the same shortcoming.

An attacker may be sending damaged packets into a network to compromise the firewall. What should the administrator use to collect as much information about network traffic as possible? Protocol analyzer Firewall logs Rogue system detection Vulnerability scanner

Explanation The administrator should use a protocol analyzer. A protocol analyzer captures network traffc and allows for detailed traffic analysis. In this situation, you can have the protocol analyzer identify damaged packets. Damaged packets are incorrectly formatted. By looking at the specific details of the packet content, you can often get some insight into the type of attack being launched and take appropriate mitigating actions. The administrator should not use rogue system detection. This is the process of looking for rogue systems, such as rogue access points or DHCP servers, connected to your network. In this scenario, you are most likely looking for an external threat. The administrator should not use a vulnerability scanner. A vulnerability scanner searches for vulnerabilities in a computer or a network based on a database containing the information needed to check for security holes. It does not help you collect information about an active attacker. The administrator should not use the firewall logs. Firewall logs provide general information, but they do not provide the level of specific detail that you need. Depending on the firewall, the logs can give you some traffc statistics as to raw volume or percent usage by protocol and port. Most logs will include entries for any attempts to reconfigure the firewall.

A security administrator is looking for a way to know when people approach any of several secure areas. The method must be active 24-hours a day. They want to keep recurring expenses related to the solution to a minimum. What should the administrator use? Video surveillance A guard dog in each area A posted human guard in each area Proximity readers

Explanation The administrator should use video surveillance. After the initial expense of cameras and monitors, ongoing expenses are minimal. One guard, with a rack of monitors, can keep track of several areas at the same time. The administrator should not use a posted human guard. You would have to have a guard in each secure area. The initial expense would likely be less than setting up video surveillance, but it costs more over time. The administrator should not use proximity readers. A proximity reader can read a security token, such as a smart card, carried in the individual's pocket or somewhere on the individual's person. You would have the expense of readers in each location. Also, if a person was not carrying a proximity token or card, he or she would not be detected. The administrator should not use guard dogs. Not only do you have the ongoing expenses relating to the dogs, you would also need to have a guard (or someone) near enough to the dog to hear it bark.

A security administrator discovers an attack that uses PowerShell to make unauthorized registry changes. What should the administrator do to prevent this attack on sensitive systems? Whitelist allowed applications. Install a HIDS on sensitive systems. Configure each system's firewall. Disable access to the CLI.

Explanation The administrator should whitelist allowed applications. An application whitelist can be used to prevent unauthorized software from running on a user's devices. An application whitelist is a list of all applications that can run on a system. Whitelist rules can identify specific executables or folders that are trusted by the system. Any application not on the list will not be allowed to install or run. In this scenario, PowerShell would not be whitelisted. The administrator should not install a Host-based Intrusion Detection System (HIDS). An IDS is designed to detect, record, and alert on malicious behavior. Even if the HIDS detects registry changes, it cannot prevent them. The administrator should not configure the system's firewall. Host-based firewalls are used to reduce a workstation's attack surface by limiting inbound and outbound network connectivity. A firewall will not block PowerShell scripts or registry changes on the local system. The administrator should not disable access to the command-line interface (CLI). On a Windows-based system, the CLI is also known as the command prompt. PowerShell does not rely on the command prompt

A security administrator discovers port 23 is open and actively used on many servers. Which of the following should be the administrator's PRIMARY concern? Buffer overflows Eavesdropping Data exfiltration Password-based attacks

Explanation The administrator's primary concern should be eavesdropping. Port 23 is used by the popular Telnet utility, which does not encrypt traffic. When data in motion/transit is encrypted, it is secure from sniffng and eavesdropping while transferred between network nodes. In this scenario, Telnet should be disabled and its secure alternative, Secure Shell (SSH), should be configured. Data exfiltration occurs when an organization's sensitive or proprietary data is copied, emailed, shared, or otherwise removed from the organization. Data Loss Prevention (DLP) software and systems are designed to detect and prevent data exfiltration. Password-based attacks can take a variety of forms, but typically involve brute-force or dictionary attacks. In this scenario, passwords are sent in clear text using Telnet, which makes a password attack unnecessary. In a buffer overflow attack, an attacker supplies excess information to a process in an attempt to write outside of a process's memory buffer. This can cause the process to crash or even allow malicious code to

A remote collection server is managed through command-line commands. Until recently, a company has been using Telnet to connect to the server, but now they suspect that one or more passwords have been compromised. The company's security analyst is going to disable Telnet connectivity on the server. They need to use a more secure method for logging in and executing commands. What should the analyst use? Choose the correct answer SSL HTTPS SSH SNMP

Explanation The analyst should use Secure Shell (SSH) to manage the server. SSH was designed as a more secure alternative for logging on and executing management commands. The fundamental flaw with Telnet is that all communication traffic, including logon credentials, is passed in clear text. SSH communication traffc is encrypted. You would not use Secure Sockets Layer (SSL). SSL is used to provide secure Internet communications over the Hypertext Transfer Protocol (HTTP). You would not use HTTPS. HTTPS is HTTP secure encryption using either SSL or Transport Layer Security (TLS). You would not use Simple Network Manaeement Protocol (SNMP). SNMP is an automated management

An organization has migrated its primary application from a monolithic stack to a microservices architecture. Which of the following is the primary benefit of this migration? Deployment and operational complexities are reduced. Coordination between components is easily managed. The application can scale to meet increased demand. Security controls can focus on a single platform.

Explanation The application can scale to meet increased demand. In a microservices architecture, scaling to meet increased demand is easier. In this approach, application elements are coded independently, and their functionality is hidden from other services. Compared to a monolithic architecture where the user interface (IJI), data management, and business logic are contained in a single application, microservices components can be scaled independently, on a service-by-service basis. Deployment and operational complexities are not reduced. Because each service is developed independently, deployment and operation require a higher level of coordination between components. Additionally, each service must be configured to communicate securely with other dependent services. However, as individual services are more self-contained, they are easier for developers to maintain. Coordination between components is not easily managed. Independent services must be configured to coordinate and share information and processing. This often requires each service to use a standardized method for communication. Security controls cannot focus on a single platform. Because application elements are decoupled and deployed on different platforms such as servers and containers, deploying and managing security controls becomes more complex.

An attacker is attempting to hack into a secure server. An insider provides the attacker with a file containing the server's hashed passwords. Company guidelines recommend using multiple word passwords. Which type of attack would be used to MOST quickly find passwords in the hashed password file? Choose the correct answer Dictionary attack Rainbow table attack Brute force attack Birthday attack

Explanation The attacker would use a rainbow table attack. From the standpoint of time required to crack passwords, this is the most efficient method. The attack uses a table that is called the rainbow table that contains precomputed hash chains. These can be compared against the hash values in the password file to identify passwords. The major drawback of this method is that, to be efficient, the rainbow tables used must be very large, often multiple terabytes in size. It is generally accepted that storing passwords as hashes should be avoided when possible because of the potential security risks. The attacker would not use a dictionary attack. This attack is similar in that it works from a large database o potential passwords, but it uses passwords and not their hashes and requires access to the server to test the passwords. The attacker would not use a brute force attack, which is a process of trying different character combinations until finding one that works. This method also requires access to the server. Both dictionary and brute force attacks can often be thwarted through password policies, such as locking an account after a number of failed attempts or forcing a delay between attempts. A birthday attack is another type of cryptographic attack based on hashes, but it is not used to crack _attack based onurobabilities filesorotected b

A user opens an attachment that is infected with a virus. The user's boss decides that operational controls should be implemented so that this type of attack does not occur again. What should the boss do? Enable TLS enforcement for all server sessions. Implement aggressive anti-phishing policies on email servers. Schedule security awareness training for end users. Install fingerprint scanners at all user workstations.

Explanation The boss should schedule security awareness training for end users. Security awareness training is an operational control that is designed to teach users to recognize and actively avoid security risks. Operational controls include concepts like configuration management, incident response, and awareness training. Managerial controls are also known as administrative controls. The boss should not implement aggressive anti-phishing policies on email servers as a managerial control. Anti-phishing policies on an email server are categorized as a technical control. The boss should not install fingerprint scanners at all user workstations as a managerial control. Biometric devices are considered physical controls. The boss should not enable Transport Layer Security (TLS) enforcement for all server sessions as a managerial control. TLS is considered a technical control.

A company works with a large, volatile set of certificates to maintain security throughout the organization. The company wants to avoid the need for clients to frequently download status information about certificates. What technology does the company need to implement? Choose the correct answer ocsp CSR CRL RA

Explanation The company needs to use Online Certificate Status Protocol (OCSP). There are two methods commonly used to determine whether a certificate is valid: OCSP and Certificate Revocation List (CRL). OCSP is a newer technology than CRL and has superseded it in some applications, especially for enabling browsers to check the validity of a certificate on a Web server. Rather than downloading a CRL to clients, OCSP works by having the client send a request for status information. Information for that certificate only is returned to the client. A certificate signing request (CSR) is not used with certificate status. Instead, it provides a way for a server to request a Secure Sockets Level (SSL) digital certificate. A registration authority (RA) verifies requests for digital certificates, not certificate status.

Many of a company's users have to spend a great deal of time surfing the web. This has led to various security incidents including users browsing to malicious websites, users downloading malware and other malicious code, and data leakage. The company needs to implement a solution to improve security. What should the company use? DLP SWG CASB WAF

Explanation The company should implement a secure web gateway (SVVG) solution. A SXNG provides protection against the types of incidents outlined in the scenario. A SXNG typically includes: URL filtering to block dangerous websites • Real-time malicious traffc detection and filtering Enforcing company application controls for web applications Data leak prevention SVVG protection includes protection for off-site and roaming employees when they browse the web. It helps ensure that the same security policies apply when working inside and outside of the office. The company should not implement a web application firewall (WAF). A WAF is designed to protect websites and web applications by monitoring, filtering, and (if appropriate) blocking incoming and outgoing packets. A WAF is designed to protect against incidents such as zero-day exploits, malware infections, and impersonation. It does not provide the type of client protection required in this scenario. The company should not implement a cloud access security broker (CASB). A CASB is designed to act as an intermediary between users and cloud service providers to provide security across software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) environments. A CASB applies

A company has an Ethernet network with four switches, as well as two wireless APS. All devices that connect to either network must be authenticated using EAP. What should the company use? 802.1X WPA XTACACS SAML

Explanation The company should use 802.1X. The 802. IX protocol allows centralized authentication, authorization, and accounting for various types of connections, including wired Ethernet, wireless, and virtual private network (VPN). The authentication protocol used is Extensible Authentication Protocol (EAP), which supports various types of authentication. The connectivity device is known as the authenticator and is a client of the authentication server. Its role is actually to pass authentication requests to an authentication server. The most common authentication server used is a Remote Authentication Dial-ln User (RADIUS) server. However, the Diameter protocol is an enhancement to RADIUS and is gradually replacing it. The client in an 802. IX architecture must implement 802. IX and is known as a supplicant. The company could use Wi-Fi Protected Access (VVPA) on the wireless access points. WPA supports 802.1x. However, a more secure choice would be WPA2. Also, WPA would not be used on the Ethernet networks. The company should not use Security Assertion Markup Language (SAML). SAML is an open-source data format that supports single sign-on by specifying a structure for sending authentication data between two parties. The company should not use Extended Terminal Access Controller Access-Control System (XTACACS). XTACACS is a protocol used by remote access servers to communicate with an authentication server.

A company is pursuing a PCl DSS certification. The company wants to implement secure management of the entire cryptography key lifecycle for the enterprise and prevent outside access to cryptographic keys. What should the company use? HSM TPM NIPS CA

Explanation The company should use a hardware security module (HSM)_ An HSM can be implemented as a physical device that can be plugged into a computer. The HSM provides secure management for cryptographic keys and is used to provide cryptographic keys for activities such as encryption, decryption, and authentication. The Payment Card Industry Data Security Standard (PCl DSS) certification defines standards for storing, processing, and transmitting a customer's credit card data. The company should not use a Trusted Platform Module (TPM) to manage the key lifecycle and protect keys for the enterprise. The TPM is a specialized chip installed in endpoint devices, including most computers, to store and manage Rivest, Shamir, & Adleman (RSA) encryption keys specific to that device. TPM is used for security functions such as hard drive encryption and smart card authentication. The company should not use a Network Intrusion Protection System (NIPS) for key management. A NIPS monitors and responds to anomalous activity on a network. It can alert key personnel about an attack attempt but is not designed to specifically protect cryptographic keys. The company should not use a certificate authority (CA) in this scenario. A CA is deployed as part of a public key infrastructure (PKI) as a device that issues digital certificates that link a network entity with a public key.

A company's network is configured with four interconnected switches. Networked devices are frequently moved between different physical locations. The network suffers occasional crashes without warning. A consultant is contracted to diagnose the problem. The consultant determines that the crashes are due to high volumes of broadcast traffc looping through the network. Which solution should the consultant configure? NAC STP MAC address filtering DHCP snooping

Explanation The consultant should configure spanning tree protocol (ST P). The problem described indicates that a broadcast storm is occurring. A broadcast storm (or broadcast loop) can occur on a network with interconnected switches. Interconnected switches are used to provide redundant communication paths. Broadcast storms can result from various causes, including introduction of unrecognized devices on the network. STP prevents bridge looping and helps the network avoid broadcast storms. The consultant should not configure media access control (MAC) address filtering. MAC address filtering is a network address control method that prevents devices with an unrecognized MAC address from connecting to the network. MAC address filtering does not provide broadcast loops. The consultant should not configure network access control (NAC). NAC is used to verify that connecting devices meet configuration policy requirements before granting access to the network. Devices that do not meet configuration requirements can be blocked from access, quarantined, or granted limited access only to the network. The consultant should not configure DHCP snooping. DHCP snooping is used to identify when a rogue nauthorized) DHCP is jntroducedjnto thenetwork

A consultant is gathering information about a recent security incident that impacted a server running Linux. The consultant wants to review syslog content filtered by date. What should the consultant use? Choose the correct answer NetFlow sFlow syslog-ng journalctl

Explanation The consultant should use journalctl to review the Linux system logs and filter log content. The journalctl command supports multiple filtering options, including: Message importance • Time period By data field By boot message When filtering by time period, you can specify start and end times or specify a relative time period. The consultant should not use syslog-ng. This is a mechanism for capturing system logs and lets you consolidate the logs on a central server. It does not provide a way to view the logs. The consultant should not use NetFlow or sFlow. These are both network protocols used for collecting and monitoring router and switch traffc, not log analysis tools.

A security consultant is contracted by a company to perform a grey-box penetration test. The consultant plans to use a computer running Kali Linux to map the open ports on critical network servers. Which two commands can the consultant use? (Choose two.) nslookup nmap dig netcat curl

Explanation The consultant should use the netcat or nmap command to map the open ports on critical servers. Both are Linux commands available on a Kali Linux computer and both can be used to generate a list of open ports. The nmap command can also be used to generate a list of live hosts and IP addresses in use. The netcat command can also be used to debug or monitor network connections and transfer files. The consultant should not use the nslookup or dig commands. Both commands are used to retrieve information from Domain Name System (DNS) name servers. They are also used for troubleshooting DNS servers. The consultant should not use the curl command. The curl command is a file transfer utility that can transfer data to or from a server using the HTTP, HTTPS, FTP, FTPS, scp, SFTP, TFTP, DICT, TELNET, LDAP, or FILE protocols.

During a risk assessment, potentially sensitive data is discovered on a file server. Which entity is responsible for determining the risk associated with leaving this data in its current storage location? Data subject Data owner Data custodian Data steward

Explanation The data owner is responsible for determining the risk associated with leaving this data in its current storage location. The data owner is typically a high-ranking executive or director. Although the data owner will not deal with day-to-day data management, they will be called on if the data is not handled properly. The data owner determines who has access to the data, how frequently it should be backed up, and how it should be stored. The data steward is not responsible for managing the risk associated with data. The data steward monitors data integrity and ensures that the data is used correctly. In smaller organizations, this role may be merged with the data owner role. The data custodian is not responsible for managing the risk associated with data. The data custodian is responsible for the day-to-day management of the data. For example, the data custodian performs regular data backups. The data subject is not responsible for managing the risk associated with data. Under the General Data Protection Regulation (GDPR), the data subject is the person whose data is being collected and stored.

A server application is currently under development. It has been discovered that some errors, such as a divide by zero error, can leave the application running in an unstable condition. The application needs to respond more appropriately to errors and generate an error message when they occur. What should the developers implement? (Choose the BEST answer.) Application hardening Input validation Exception handling Patch management

Explanation The developers should implement exception handling. Exception handling provides a way for errors, exceptions, and other anomalous conditions to be detected and resolved in a graceful manner. It provides a way to report the error, continue application execution if possible, or properly exit the application. This prevents leaving the application in an unstable state, which can be used to perform an escalation of privilege or other type of attack. Application hardening is not the best answer. Application hardening is the process of taking multiple steps to make an application less susceptible to attack. The term is more commonly used in the context of a finished application rather than one that is under development, and could include items such as firewall use, communication encryption, and so forth. Patch management is used with finished applications to make sure that patches and security fixes are applied in a timely manner. Input validation is a way of helping to prevent some types of errors, but it does not impact how an application responds to an error during processing.

Refer to the exhibit. A consultant is asked to analyze logs from a couple of network devices. Which devices MOST likely generated these messages? LOG 1 - DLP, LOG 2- Firewall LOG 1 - IPS, LOG 2- Firewall LOG 1 - DLP, LOG 2 LOG 1 - Firewall, LOG 2 IPS LOG 1 - Firewall, LOG 2 - DLP LOG 1 -AP, LOG 2- DLP

Explanation The first log has been generated by an Intrusion Prevention System (IPS). You can see the signature number that has triggered (3051/1) - a Denial of Service attack (DoS). An IPS is designed to analyze network traffc, find anomalies, and drop a message if required. The second log has been generated by a firewall. You can see a TCP connection that has been dropped. In this case, it was due to asymmetric routing. A firewall is designed to secure a network by blocking unauthorized access. Data Loss Prevention system (DLP) is designed to verify network traffc and the way company files are accessed and transferred. You would use DLP to protect sensitive information and detect potential data breach incidents. Message = I D: Here is an example of a log message from a DLP system: S918, policy Violated: POLICY CREDIT CARD WJM, Count : 11

A company was using wireless desktop computers to process warehouse pick slips for customer orders. The company switched to mobile devices that warehouse workers can take with them while pulling orders to improve effciency. Workers discover that there are several places in the warehouse where their devices are unable to connect. What should the company do FIRST? Perform a site survey. Check channel usages on WAPs. Look for rogue access points. Increase the signal strength on all WAPs.

Explanation The first thing the company should do is perform a site survey. The most likely problem is that there are either dead spots where the signal is not strong enough to support a connection or that there are wireless access points (WAPs) with overlapping channels that are causing interference. A site survey will enable the company to measure the signal strength throughout the warehouse and check for interfering signals. Performing a site survey should also be the first step when setting up a new network with multiple WAPs, or expanding an existing network. Some WAPs have the ability to detect rogue access points, but this is not a common feature. The company should not start by increasing the signal strength on all WAPs. This could help if WAPs are not configured at the maximum signal to help cover dead areas, but it could make problems with interference between WAPs worse. The company should not check channel usages on WAPs as its first step, though this may be necessary at some point before the problem is completely resolved. It is necessary to configure WAPs with non- overlapping channel usage when using multiple WAPs that have overlapping coverage areas. A site survey will help the company determine if channel overlap is part of the problem.

During a vulnerability scan, a security administrator discovers an application that is no longer supported by the vendor. The administrator's manager decides that purchasing the latest version of the application is not in the organization's budget. Which risk management technique has the manager employed? Risk acceptance Risk transference Risk mitigation Risk avoidance

Explanation The manager has employed risk acceptance. Risk acceptance is the process of acknowledging a risk and not taking any additional action. At some point, all organizations accept some level of risk, even after other measures have been implemented. In this scenario, the cost of mitigating the risk was determined to be higher than the cost of letting the risk persist. The manager has not employed risk avoidance. Risk avoidance means eliminating the risk. For example, if a company was considering building a plant in an area prone to earthquakes, risk avoidance would result in the company not building in that location. The manager has not employed risk transference. Risk transference occurs when organizational risk is transferred to a third party. Risk transference is mostly accomplished via some type of insurance. Cyber security insurance and flood insurance are examples of risk transference. The manager has not employed risk mitigation. Risk mitigation involves implementing a safeguard or security control that either minimizes or reduces the vulnerability, or reduces the potential impact of an event if the risk is realized. Why Are Rules Of Engagement Important To My Penetration Test?

A user installs an application on a computer. After installing the application, the computer begins receiving a series of pop-up ads. The ads do not display after the user enables the popup blocker. What most likely occurred? The application is a Trojan horse. The application installed ransomware. The application installed adware on t he computer.The application contains a logic bomb.

Explanation The most likely explanation is that the application installed adware on the computer. Some applications install adware when you install the primary application. You cannot install the application without installing the adware, but you usually can remove the adware after installation. This happens most often with freeware or shareware downloaded from the Internet. Adware is an application that causes advertisements to appear on the user's computer, typically as banner ads or pop-up ads, which can be blocked by enabling a popup blocker. Most adware is annoying rather than a direct threat, but some adware also acts as spyware, collecting information and forwarding it to a third party. Spyware activities are NOT blocked by a popup blocker. The application is not a Trojan horse. A Trojan horse is an application that looks like one thing but is actually something else. A Trojan horse often provides a backdoor into the system. The application does not contain a logic bomb. A logic bomb is an application that is designed to attack a computer system based on a specific event, such as a calendar date. The application did not install ransomware. Ransomware prevents normal use of the computer until the user pays a fee. While ransomware might cause popup ads to display, these ads would not be blocked by enabling the popup blocker.

A security consultant is brought in to test recent changes made to a company's network by its in-house security personnel. The consultant discovered a file named passwd.csv that was located at the disk root on a web server deployed in the company's perimeter network. The web server runs Linux. What is the MOST likely reason for this file? The file was left there by an external attacker to help configure persistence. The file was placed there as a honeyfile by in-house security. The file is evidence that the web server is a staging point for an active data exfiltration effort. The file is an optional Linux configuration file.

Explanation The most likely reason for the file is that it was placed there as a honeyfile by in-house security. A honeyfile is a file left on a system, usually a system with known vulnerabilities, to tempt someone into attempting to attack the network. The web server is probably set up as a honeypot, which is a system with known vulnerabilities designed to tempt potential attackers into triggering an alarm or giving away information about themselves. The file was probably not left there by an external attacker to help configure persistence. Persistence is normally set using an executable file or batch configured to run based on specific triggers, such as: System startup User login • Scheduled execution The file is not likely to be evidence that the web server is a staging point for an active data exfiltration effort. A data exfiltration effort attempts to disguise its activities as much as possible and leave as little footprint as possible. The file is not an optional Linux configuration file. Linux does use a file named passwd to store user information, but the file is maintained in the ./etc directory.

An organization does business with customers located in European Union countries. In order to avoid fines, what must the organization do to comply with GPDR requirements? Deploy anti-malware on systems that collect user data. Collect all data for a user during a single transaction. Keep any collected personal information up to date. Only use collected data within the processing organization.

Explanation The organization must keep any collected personal information up to date. The General Data Protection Regulation (GDPR) aims to protect the privacy of all European Union (EU) citizens, and is applicable to any organization doing business in the EU, or with EU citizens, even if the organization is not located in the EU. Data minimization, one of GDPR's requirements, stipulates that any collected personal information is kept up to date. The organization should not collect all data for a user during a single transaction. GDPR stipulates that only absolutely necessary information should be gathered about a user. The organization should not deploy anti-malware on systems that collect user data. This is a requirement of Payment Card Industry Data Security Standard (PCI-DSS). The organization should not limit use of collected data within the processing organization. GDPR stipulates that an organization should limit the use of collected data to a specific purpose.

An organization needs to evaluate how it collects and stores customer information. Which of the following audits or assessments should the organization conduct? Choose the correct answer SOC 2 Type 2 PIA PCI-DSS GDPR

Explanation The organization should conduct a Privacy Impact Assessment (PIA). A PIA is used to determine how an organization collects, processes, stores, and shares Personally Identifiable Information (PII). Based on this assessment, the organization can identify and remedy privacy issues that could impact the organization's operations. Depending on the organization's jurisdiction, privacy violations often incur regulatory fines. A Service Organization Control (SOC) 2 Type 2 may or may not involve the analysis of PII practices. This type of audit measures an organization's security stance and capabilities over time. The organization should not conduct a General Data Protection Regulation (GDPR) audit. GDPR aims to protect the privacy of all European Union (EU) citizens and is applicable to any organization doing business in the EU or with EU citizens, even if the organization is not located in the EU. In this scenario, the organization may or may not be subject to GDPR. The organization should not conduct a Payment Card Industry Data Security Standard (PCI-DSS) audit. PCl DSS is a standard mandated by credit card companies that applies to any organization that handles card holder data.

To enhance availability, an organization has configured authentication and storage servers that provide redundancy for on-premises servers. However, the organization must ensure that all data is encrypted between the data center and the private cloud network. What should the organization do to meet this requirement? Deploy NGFW appliances in the data center and cloud and share X.509 certificates. Configure an IPsec tunnel between the data center and cloud gateway routers. Deploy a NAT gateway and only permit inbound connections from the cloud network. Configure IPsec in transport mode between routers in each location.

Explanation The organization should configure an Internet Protocol Security (IPsec) tunnel between the data center and cloud gateway routers. IPsec is a Layer 3 protocol that can be used to enforce data confidentiality and data integrity for Internet Protocol (IP) packets. IPsec can be configured in one of two modes: tunnel mode or transport mode. Tunnel mode is used to create a secure tunnel between two trusted networks. A Network Address Translation (NAT) gateway typically sits between public network like the internet and private networks and allows privately addressed nodes to access and be accessed by publicly addressed nodes. While a NAT gateway could help protect the organization's servers, it will not encrypt data sent between the cloud and data center networks. A Next-Generation Firewall (NGFVV) is used to provide advanced intrusion detection and prevention capabilities for traffc traversing between network zones. NGF\Ns are commonly used to protect user sessions and to prevent attacks from the Internet. IPsec transport mode is used to connect two endpoints, such as a client and a server. Transport mode is not used to send data between trusted networks.

An organization recently deployed an office-wide wireless network using 100 APS. However, the wireless administrator has found managing authentication for each of the APs cumbersome. To remedy this, the organization has deployed a wireless LAN controller and a server running Microsoft Active Directory. How should the wireless network be configured so that users are centrally authenticated using their individual accounts? Configure WPA2-PSK authentication on the controller and provision the APS. Configure the WLAN controller to use 802. lx and specify a RADIUS server. Enable key-based authentication on each of the APs and distribute keys to users. Configure MAC filtering on the WLAN controller and define trusted addresses.

Explanation The organization should configure the Wireless Local Area Network (L AN) controller (\NLC) to use 802.1x and specify a Remote Authentication Dial-ln User Service (RADIUS) server. When WLC is configured to use 802.1x, an authentication server that can process client authentication requests must be defined. In most environments, this is done by configuring an external RADIUS server. This server in turn submits client authentication requests to an authentication server, such as Microsoft Active Directory. The organization should not enable key-based authentication on each of the access points (APS) and distribute keys to users. This approach does not facilitate centralized authentication with individual user accounts. The organization should not configure Media Access Control (MAC) filtering on the WLC and define trusted addresses. MAC filtering is used to allow or deny access to network nodes based on MAC addresses. MAC filtering is not a centralized authentication. The organization should not configure Wi-Fi Protected Access 2 - Pre-shared Key (M/PA2-PSK) authentication on the controller and provision the APS. In this approach, a common password, or key, is created and shared, thus the name pre-shared key. Every user would use this same key to authenticate with _ihe wireless network, This aooroach does not facilitate centralized authentication with individual user

Several employees of an organization had their smartphones stolen while they were traveling. Sensitive information stored on the phones was compromised. To mitigate this risk, the organization would like the ability to remotely wipe devices. Which solution or technology should the organization deploy? Configure MAM and specify policies for managing phone settings. Enable geolocation support on devices and configure GPS policies. Enable storage encryption and sideload secure settings to the phones. Deploy a centralized MDM and enroll smartphones before use.

Explanation The organization should deploy Mobile Device Management (M,DM). MDM platforms offer a broad range of management capabilities. An MDM could be used to remotely wipe a device if it is lost or stolen. This process removes all sensitive data and applications on the device. Additionally, the MDM could be used to enforce storage encryption and password requirements for added security. Mobile application management (MAM) focuses specifically on application management for mobile devices. For example, a MAM platform can ensure that new devices are provisioned with only trusted apps that have been verified to be secure. Geolocation uses the Global Positioning System (GPS) to determine the location of a device. This can be used for tracking or as the basis for geofencing policies. Using a geofencing policy, the organization could automatically lock or remotely wipe a device if it used out of a specified area, such as devices that should only be used on a hospital campus. Sideloading is the process of adding files or applications directly to a device. Sideloading is sometimes used by users to bypass restrictive device policies that prevent downloading certain apps. Sideloading often reduces the security of a device.

An organization discovers that a rogue email administrator has been downloading email attachments from a centralized email server. The attachments contain highly sensitive information that if divulged could cost the organization millions of dollars in lost business. What should the organization do to prevent this kind of breach from occurring in the future? Enable whole-disk encryption on all email servers and MTA gateways. Ensure that all secure email communications use S/MIME. Require TLS for all communications between clients and email servers. Deploy HSMs on all machines that store or process email.

Explanation The organization should ensure that all secure email communications use Secure/Multipurpose Internet Mail Extensions (S/MI,ME). S/MIBAE uses Public Key Infrastructure (PKI) to ensure the integrity, authenticity, and confidentiality of email. With SIMIME, an email's contents are encrypted at the sender's computer, are transferred in an encrypted format, and remain encrypted on the email server and recipient's computer. When the recipient opens the email, the email is decrypted in memory. Requiring Transport Layer Security (TLS) for all communications between clients and email servers will not secure email attachments. This approach will mitigate eavesdropping attacks while the data is in motion but will not protect data at rest. Enabling whole-disk encryption on all email servers and message transfer agent (M,TA) gateways will not prevent the administrator from downloading attachments. The email administrator likely has logon rights to the email server and can access any files stored locally. Most whole-disk encryption schemes decrypt a file when it is open on a machine. This approach is used to protect data when a hard drive is stolen. The organization should not deploy Hardware Security Modules (HSMs) on all machines that store or process email. An HSM might be a dedicated compute device located in a data center or a card that plugs into a server's motherboard. An HSM stores and manages digital keys and performs cryptographic

An organization wants to maximize availability for cloud-based resources. What should the organization do to minimize latency while guaranteeing that web servers in the same cluster are never hosted in the same data center? Ensure that cluster members are located in the same region but in different availability zones. Ensure that each cluster member is located in a different region. Ensure that each cluster member is located in a different availability zone. Ensure that all cluster members are located in the same availability zone.

Explanation The organization should ensure that cluster members are located in the same region but in different availability zones. An availability zone consists of one or more data centers that may share power and networking connectivity. A region consists of multiple availability zones that do no share resources. Placing cluster members in the same region reduces latency. Placing each member in a different availability zone ensures that members are never hosted in the same data center. Locating each cluster member in a different availability zone prevents members from being hosted in the same data center. However, this alone does not minimize latency because the zones could be in geographically dispersed regions. Locating all cluster members in the same availability zone may reduce latency, but it does not guarantee that cluster members will not reside in the same data center. Locating cluster members in different regions will ensure that they will not reside in the same data center but does not minimize latency.

An organization deploys a distributed app that uses multiple servers. The organization wants to ensure that each app component is properly secured. What should the organization do? Deploy and configure host-based firewalls on all servers. Install and configure a Host-Based Intrusion Detection System (HIDS) on each server. Implement a framework-based benchmark for each server or service. Minimize complexity by hardening servers with a common configuration.

Explanation The organization should implement a framework-based benchmark for each server or service. By default, many servers and services are not installed or delivered in a secure state. This configuration is left for the organization deploying the server or service. To ensure that such systems are secure, a wide variety of frameworks and benchmarks have been created. For example, the Center for Internet Security (CIS) benchmarks consist of over one-hundred security configuration guidelines that can be used to securely configure a network, server, or service. The organization should not try to minimize complexity by hardening servers with a common configuration. Unless servers host the same content and are essentially clones of one another, they should not use a common configuration. This could allow services or applications to remain vulnerable. The organization should not deploy and configure host-based firewalls on all servers. This approach could be part of a defense-in-depth security architecture. However, a firewall alone will not ensure a system's security. The organization should not install and configure a Host-Based Intrusion Detection System (HIDS) on each server. A HIDS is used to monitor for and report on potential breaches. However, as a passive system, a HIDS alone will not make a server more secure.

An attacker posing as a janitor is able to access a storage area where sensitive printed documents are kept. Which method should the organization use to implement a preventive physical control? Install surveillance cameras throughout the storage area. Define a policy that forbids unauthorized access to the storage area. Install a locked fence that limits access to the storage area. Install alarms on all doors leading to the storage area.

Explanation The organization should install a locked fence that limits access to the storage area. Security controls fall into three families or categories: managerial, operational, or technical. A control's function defines what the control does, and includes detective, corrective, and preventive features, among others. A physical preventive control is a physical component, such as a lock, a wall, or a fence, that prevents access to a secure location. The organization should not install surveillance cameras throughout the storage area. Cameras are physical detective controls. The organization should not define a policy that forbids unauthorized access to the storage area. Such a policy is an administrative preventive control. The organization should not install alarms on all doors leading to the storage area. Alarms are detective physical controls.

An organization recently deployed a biometric authentication system. Which of the following should the organization use as its primary tuning metric? False acceptance rate True positive rate Crossover error rate False rejection rate

Explanation The organization should make the crossover error rate their primary tuning metric. Biometric system tuning seeks to find a balance between the false acceptance rate (FAR) and the false rejection rate (FRR). The point where these two rates meet is known as the crossover error rate (CER) or equal error rate (EER). In a well- tuned biometric system, the CER will be as low as possible. A false acceptance event occurs when an unauthorized user is granted access, and the FAR measures the rate of such occurrences. A high FAR means that many unauthorized users may be able to access the system. The FRR measures the frequency of authorized users not being granted access by the system. A high F RR rate can lead legitimate users to find ways around the faulty system. True positives occur in antivirus and Intrusion Detection System (IDS) systems when the system correctly identifies a threat.

An organization is forced to run an out-of-date web server for a key client. The organization wants to mitigate the risk of network-wide infection if the server is compromised. What should the organization do? Move the web server to the DMZ. Place the web server behind the firewall. Enable MFA for all sensitive systems. Install a NIDS on the ISP connection.

Explanation The organization should move the web server to the demilitarized zone (DMZ). A DMZ is an isolated network designed to protect internet-facing hosts. Inbound access from the internet to the DMZ is allowed, usually through a firewall. However, inbound DMZ-to-Local Area Network (L AN) traffc is typically not allowed, and outbound LAN-to-DMZ traffc is heavily secured. In this scenario, if the out-of-date web server is compromised, the impact of a network-wide infection is significantly reduced. The organization should not place the web server behind the firewall. In this scenario, if the web server is compromised, the firewall offers no protection to LAN hosts. The organization should not enable Multifactor Authentication (M,FA) on all systems. Although this is a best practice, if the web server is compromised, not all attacks will require authentication, and an attacker may be able to infect other systems without encountering MFA. The organization should not install a Network based Intrusion Detection System (NIDS) on the internet service provider (ISP) connection. This will only detect intrusion attempts on inbound and outbound internet traffc and will not protect LAN hosts from a local infection outbreak.

An organization wants to assert to potential customers that their information security management program is applied correctly and consistently over time. Which type of audit should the organization request? SOC 2 Type 1 PCI-DSS GDPR SOC 2 Type 2

Explanation The organization should request a Service Organization Control (SOC) 2 Type 2 audit. The SOC reporting framework was created and is managed by the American Institute of Certified Public Accountants (AICPA). This framework is used evaluate the effectiveness of an organization's security controls and allows the results of such an evaluation to be included in a certified attestation report. If an organization successfully completes a SOC 2 Type 2 audit, which is conducted by a third-party, it proves that their information security practices are sound not only at a particular instant, but over a period of time as well. The organization should not request a Payment Card Industry Data Security Standard (PCI-DSS) audit. PCl- DSS is a standard mandated by credit card companies that applies to any organization that handles card holder data. The organization should not request a General Data Protection Regulation (GDPR) audit. GDPR aims to protect the privacy of all European Union (EU) citizens and is applicable to any organization doing business in the EU or with EU citizens, even if the organization is not located in the EU. The organization should not request a SOC 2 Type 1 audit. This type of audit is less rigorous than a SOC 2 Type 2 audit and only attests to sound security practices at a particular point in time.

An organization deploys web services on a custom, hardened OS. The organization plans to move most of its operations to the cloud. Which of the following models should the organization select? Choose the correct answer IDaaS SaaS PaaS IaaS

Explanation The organization should select Infrastructure as a Service (IaaS). In IaaS, network, compute, and storage resources are offered by a cloud provider. These resources may be shared by multiple tenants or they can be dedicated to a single tenant. Some cloud providers offer full data center IaaS solutions, including a physically secure room or building. A custom, hardened operating system (OS) can be installed on the hardware allocated by an IaaS provider. The Software as a Service (SaaS) model does not support deploying a custom OS. SaaS is software that is hosted on the cloud and available to customers over the Internet. Google's G Suite and Microsoft's Office 365 are examples of SaaS. The Platform as a Service (PaaS) model does not support deploying a custom OS. PaaS offers a cloud- based platform that can be used to build and/or deliver applications. Oracle's Cloud Database is an example of PaaS. The Identity as a Service (IDaaS) model does not support deploying a custom OS. IDaaS services offer cloud-based authentication. Okta is an example of IDaaS.

As part of a security assessment, an organization must be able to rank vulnerabilities based on severity. Which of the following protocols or platforms should the organization use? SOAR CVE SIEM cvss

Explanation The organization should use Common Vulnerability Scoring System (CVSS). CVSS is a scoring system for rating security vulnerabilities based on several metrics such as how complex an attack is (attack complexity). CVSS scores range from O to 10, with a score of 1 indicating a low vulnerability and a score of 10 indicating a severe vulnerability. Common Vulnerabilities and Exposures (CVE) does not provide a scoring system for vulnerabilities. CVE is a catalog of publicly disclosed security vulnerabilities. A vulnerability is a weakness in a system that has not been mitigated. CVE is maintained by The MITRE Corporation (MITRE). Security Orchestration, Automation and Response (SOAR) is a collection of systems and processes that aims to increase the efficiency of security operations. Security orchestration is the process of correlating information and events to create a more holistic picture of an environment. Security automation is the process of automating tasks such as periodic vulnerability scans and log searches. Security response is the process of responding to incidents as they are detected. A Security Information and Event Management (SIEM,) is used to aggregate server and system logs for analysis. The SIEM then analyzes the data to identify trends, pending security issues, and security breaches.

An organization has deployed a controller-based wireless network that will use 802. lx for centralized authentication. The organization hopes to leverage a pre-existing PKI installation to ensure that authentication is as secure as possible. However, the system should not require mutual authentication. What solution should the organization deploy? Configure the wireless controller to support EAP-MD5 based authentication. Deploy server certificates and configure EAP-TTLS on the controller. Configure the controller to support EAP-FAST and distribute a Protected Access Credential (pAC)• Deploy X.509 certificates to all wireless participants and enable EAP-TLS.

Explanation The organization should use Extensible Authentication Protocol - Tunneled Transport Layer Security (EAP- TTL S). 802. lx uses EAP to facilitate communication between authentication components: the supplicant, the authenticator, and the authentication server. In EAP-TTLS, wireless controllers present an X.509 certificate to the client to prove their identity and to facilitate symmetric key transfer. However, EAP-TTLS does not require client-side certificates for authentication. EAP - Flexible Authentication via Secure Tunneling (EAP-FAST), created by Cisco, does not use certificates for authentication. Instead, EAP-FAST uses a credential that is distributed prior to the first connection that is called a Protected Access Credential (PAC). EAP - Transport Layer Security (EAP-TLS) is similar to EAP-TTLS, with the exception that both wireless controllers and clients must present certificates. This facilitates mutual authentication between the connecting parties. The requirements in the scenario rule out mutual authentication. EAP - Message Digest 5 (EAP-MD5) provides one-way authentication between the controller and the client. Since MD5 is vulnerable to dictionary attacks, EAP-BAD5 is considered a weak wireless authentication protocol.

A penetration tester discovers an exploitable vulnerability in a web application. One of the goals of the penetration test project is to test the company's internal incident response team's ability to detect and react to exploit attempts executed using real-world cyber-attack techniques. What type of team exercise should the penetration tester initiate? White team Red team Purple team Blue team

Explanation The penetration tester should initiate a red team exercise. A red team exercise uses real-world attack techniques to emulate attempts by an attacker to exploit a vulnerability. This will test the incident response team's ability to detect and respond to the attempt in a simulated real-world environment. The tester should not use a blue team exercise. A blue team exercise is used to analyze network systems to find ways to keep them safe. In this scenario, the company's incident response team is acting as a blue team. The tester should not use a purple team exercise. A purple team is not a unique team type. It is a mix of red and blue team members working together in an exercise and sharing resources, reporting, and knowledge. A purple team that includes incident response team members would effectively invalidate testing the incident response team. By including the incident response team, you would not be meeting the goal of testing the company's internal incident response team's ability to detect and react to exploit attempts. The tester should not use a white team exercise. This is not always recognized as a unique exercise type. In this type of exercise, the "attacker" is provided with credentials and information about the target that would not be available to a real-world attacker.

A company uses an internet of things (IoT) processing solution that uses a distributed architecture with a large number of distributed nodes to support smart buildings. Short-term analytic processing occurs at the local area network (L AN) level, providing quick results and low latency data transfers to gateway devices. Processing can occur when no internet bandwidth is immediately available. Which computer model does this describe? Fog computing Thin client Anything as a Service (XaaS) Transit gateway

Explanation The processing model is commonly referred to as fog computing. Fog computing is an outgrowth of cloud computing, but it moves the processing closer to the IoT data sources. This provides for lower network and internet latency, minimizing bandwidth requirements. Initial processing occurs near the data source with processed data transferred to the cloud for long-term processing and storage. The term edge computing is often used interchangeably with fog computing. Some experts say that they are effectively the same, while others point to small differences between them. The primary difference is that with edge computing, processing occurs on devices attached to sensors or closer to the sensors than with fog computing. This is not an example of XaaS. XaaS is a blanket term referring to delivery of anything as a service and includes examples such as software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), and database as a service (DBaaS). This is not an example of a transit gateway. A transit gateway is a network transit hub used to connect virtual private clouds (VPCs) with on-premises networks. It provides a relatively easy method to scale multiple VPC peering connections.

A social media provider is the frequent target of attacks that crash its web servers. As a result, users are unable to access their accounts and the provider is losing advertising revenue. The provider wants to improve availability for users. Which action should the provider take? Deploy a web server farm and configure active/active load balancing. Deploy a NIDS between the network firewall and the web server. Place the web server in the DMZ and configure restrictive ACLs. Deploy a NAT gateway and configure port forwarding rules.

Explanation The provider should deploy a web server farm and configure active/active load balancing. In active/active load balancing, a hardware or software load balancer distributes traffic across two or more nodes. In this scenario, the provider could build a web farm with all web servers hosting the same content. A load balancer could then be configured to distribute requests using the round-robin method. If any single server fails or is otherwise busy, the remaining servers can service requests. The provider should not place the web server in the demilitarized zone (DMZ) and configure restrictive Access Control Lists (ACLs). A DMZ is used to host Internet-accessible servers on a protected network that is separate from the production Local Area Network (L AN). This approach will not necessarily enhance availability. The provider should not deploy a Network Address Translation (NAT) gateway and configure port forwarding rules. NAT is often used to enhance network privacy by hiding a network behind one or more public Internet Protocol (IP) addresses. This approach will not necessarily enhance availability. The provider should not deploy a Network-based Intrusion Detection System (NIDS) between the network firewall and the web server. A NIDS monitors and analyzes traffc and reports intrusion attempts.

Which key is used to encrypt data in an asymmetric encryption system? The recipient's private key. The sender's private key. The recipient's public key. The sender's public key.

Explanation The recipient's public key is used to encrypt data in an asymmetric encryption (public-key cryptography) system. The recipient makes his or her public key available to anyone who wants to send him or her data. The sender uses this public key to encrypt the data, which can then be decrypted only with the recipient's private key. References Cryptography Basics How Does Public Key Encryption Work? I Public Key Cryptography and SSL WHAT IS ENCRYPTION KEY MANAGEMENT?

A company is developing a new, very large web application. Developers run periodic vulnerability scans. The scans report multiple vulnerabilities. The developers have traced these to false positives from text on some of the web pages. What is the risk if this continues? Developers may miss valid vulnerabilities. Attackers are likely to leverage the web page text. Application performance can be compromised. The application is more likely to fail when rolled out.

Explanation The risk is that developers may miss valid vulnerabilities. The longer the list of false positives, the more likely it becomes that a real vulnerability is missed or developers spend less time verifying vulnerabilities. False positives do not represent any kind of error condition. In nearly all cases, they result from valid content that happens to match the signature of a known vulnerability. False positives do not indicate that application performance can be compromised. Other testing is used to determine application performance. False positives, because they do not indicate a vulnerability or error condition, do not provide anything that can be leveraged by an attacker. False positives do not indicate that an application is more likely to fail when rolled out.

A security administrator is designing physical security for network servers. The design requirements call for the servers to be kept in a locked room with limited physical access. The administrator wants to ensure that physical access is controlled as tightly as possible and prevent unauthorized access. What should the security analyst do? Secure the room with a magnetic key lock requiring a user ID card. Secure the room with a biometric-based lock. Secure the room with a keyed lock. Secure the room with a combination lock.

Explanation The security administrator should secure the room with a biometric-based lock. A biometric-based lock verifies authorized personnel through unique physical features such as a fingerprint, hand geometry, iris or retinal pattern, face recognition, or voice recognition. Someone attempting to gain entry would need an authorized person to unlock the server room. The security administrator should not secure the room with a keyed lock. Keyed locks will usually stop casual attempts to enter a secure area. They are less secure because keys can be stolen or copied, or the lock can be picked. The security administrator should not secure the room with a combination lock. Several social engineering methods could lead to the combination being compromised, such as shoulder surfing, dumpster diving to find a combination change, and so forth. The security administrator should not secure the room with a magnetic key lock requiring a user ID card. ID cards can be stolen and, in some cases, relatively easily copied.

A security administrator is looking for a method to manage access to a secure area. They want to allow entry through a locked gate that unlocks automatically and track individuals going into and out of the area. Which method should the administrator use? Access list Motion detector Video surveillance Proximity reader

Explanation The security administrator should use a proximity reader together with a fence or building and electronically locked gate. The fence or building and gate restrict access to the area. A proximity reader can read a security token, such as a smart card, carried in the individual's pocket or somewhere on the individual's person. The information from the token can be used to authenticate the individual and remotely unlock the gate, relocking as the individual passes through. The data can be recorded for later review. One decision that must be made with this type of security system is whether to have the gate set up as failsafe or failopen in case of power or other failure. A failsafe system would remain locked and secure. This would protect whatever was in the restricted area, but could force anyone to remain in that area until the failure is resolved. Failopen would open the gate, giving people a way out, but leaving the area unsecured. Devices of this type have seen extensive use in the automotive industry for keyless entry and keyless startup. The driver is able to unlock and start the vehicle as long as he or she is carrying the key, but without ever having to insert it. The security administrator should not use video surveillance alone. Video surveillance does provide a record of entry and exit, but someone could hide their face from the camera. Also, this method does not provide automatic entry. However, video surveillance could be used in conjunction with a proximity reader to help identify instances of tailgating.

A user arrives at a datacenter and is challenged by three authentication methods as shown in the exhibit. What is the BEST description of the multifactor authentication policy that is in use? The authentication depends on something he knows, something he is, and somewhere he is. The authentication depends on something he has, something he is, and somewhere he is. The authentication depends on something he has, something he does, and somewhere he is. The authentication depends on something he knows, something he does, and somewhere he IS.

Explanation The smartcard reader represents something you have. The GPS device is responsible for geolocation and refers to somewhere you are. Finally, the fingerprint scanner is a biometric device and refers to something you are. None of these devices refers to the something you know multifactor authentication method. You would need a secret question, password, or PIN for that. There is no something you do method here. You would enforce this by using signature analysis or voice patterns.

A brute-force password attack is used to compromise an account. An incident response team is unsure which systems may have been affected. Which of the following actions should the team take FIRST? Search the NIPS logs for events related to multiple failed logon attempts. Search the SIEM logs for logons using the compromised account. Search the firewall logs traffic to and from the attacker's IP address. Search all Security logs for successful and failed logon events.

Explanation The team should search the Security Information and Event Management (SIEM) logs for logons using the compromised account. SIEM software is designed to ingest data from a variety of network components, such as user workstations or laptops, network routers and switches, firewalls, servers, and other appliances. The SIEM then analyzes the data to identify trends, pending security issues, and security breaches. Most SIEMs are complex platforms with highly customizable dashboards and hundreds of built-in reports. In this scenario, the aggregated logs on the SIEM could be searched using the compromised account name. The team should not search Network-based Intrusion Prevention System (NIPS) logs first. A NIPS monitors for, delivers alerts on, and can mitigate breaches. However, once the password for an attacked account is discovered, the NIPS may or may not track activity related to the account. The team should not search all Security logs for successful and failed logon events first. The Windows Security log tracks logon events. However, there are likely other, non-VVindows systems that have been affected by the breach. Ideally, the Windows Security and other logs will be shipped to the SIEM, where they can be searched with logs from other systems. The team should not search the firewall logs traffic to and from the attacker's Internet Protocol (IP) address. Once the account is compromised, the attacker would likely have moved laterally to other compromised systems from a single compromised host.

While at work, an unsuspecting user clicks on a link in a phishing email. The user is directed to a logon page crafted to mimic the organization's intranet site. The organization's incident response team is attempting to determine where the cloned page is hosted. What should the team do FIRST? Search syslog for events related to TCP port 25. Search the firewall logs for outbound connections. Search the SMTP logs on the email server. Search the System log on the affected user's workstation.

Explanation The team should search the firewall logs for outbound connections. Phishing attacks send specially crafted, legitimate-looking messages with the intent of stealing information or compromising a system. In this scenario, the phishing email included a link to a cloned logon page. When a user clicks on the link in the phishing email, this activity will be tracked in the organization's firewall logs and will include the source and destination Internet Protocol (IP) addresses used. The team should not search syslog for events related to Transmission Control Protocol (TCP) port 25. Syslog is a standardized protocol that is used widely on network devices and servers. Unless syslog is used to aggregate logs from the firewall, it is unlikely these logs will be useful to the team. The team should not search the System log on the affected user's workstation. The System log records system-related events on Windows computers. The System log would not track the IP address of a link included in a phishing email. The team should not search the Simple Mail Transfer Protocol (SMTP) logs on the email server. SBATP logs track conversations between email servers. Email content is not recorded in SMTP logs.

A company is preparing to deploy several new computers that have the most recent version of TPM hardware installed. What is the significance of TPM being installed in the computers? The TPM will check to ensure that the operating system you install on the computers is configured for multifactor authentication. The TPM will encrypt the hard disks so that they will be encrypted before the computers are set up. The TPM will require you to configure full disk encryption after you install each computer's operating system. The TPM will work with encryption to generate keys that require a TPM and system platform measurements for decryption.

Explanation The trusted platform module (TPM) will work with encryption to generate keys that require a TPM and system platform measurements (system characteristics) for decryption. A TPM is a hardware component that provides cryptographic functionality. It works with the computer's BIOS and encryption software to provide high-level encryption support. For example, Microsoft's BitLocker disk encryption is designed to work with T PBR. However, a computer might have multiple applications that take advantage of TPM hardware. The TPM will not check to ensure that the operating system you install on the computers is configured for multifactor authentication. TPM can be part of the multifactor authentication used by an encryption system, but it does not in itself enforce authentication requirements. The TPM will not require you to configure full disk encryption after you install each computer's operating system. It is typically used, when available, by disk encryption software. The TPM will not encrypt the hard disks so that they

When network users attempt to navigate to your company's public website, they are being redirected to a different website. This is an example of which type of attack? ARP poisoning DNS poisoning IP spoofing Phishing

Explanation This is an example of DNS poisoning. DNS poisoning occurs when valid DNS IP address/computer name mappings are replaced with non-valid entries. When a client queries the DNS server for the web server's address, it delivers the address of the non-valid website. The client computer uses the IP address it receives to navigate to the non-valid website. This is not an example of IP spoofing. In IP spoofing, an attacker uses a legitimate IP address to try to hack into a network, masquerading as a legitimate client. This is not an example of phishing. In phishing, the user receives an email that appears to come from a valid source, such as an online retailer. The email contains a link to a website that is designed to look like a valid website but is designed to collect sensitive information from the user. This is not an example of Address Resolution Protocol (ARP) poisoning. ARP is used to locate computers located on the same subnet. A computer checks its internal ARP cache before attempting to discover another computer's media access control (MAC) address, the address used for final local delivery. If the ARP cache has been modified (poisoned), traffc is redirected to a different computer or lost.

Your organization has developed a fault-tolerant design to help ensure business continuity in case of a disaster. The disaster recovery site has mission-critical hardware already installed and connectivity already established. Data backups of critical data are on hand, but they may be up to a week old. This is an example of which of the following? Hot site Cold site Warm site Off-site storage site

Explanation This is an example of a warm site. Typically, the site will have current application versions and may have the most recent backups it has received already applied on the computers. The site is designed so that it can be brought on line relatively quickly. It is generally seen as a cost- and time-effective compromise between a cold site and a hot site. This is not a cold site. A cold site typically has hardware, but the hardware is not set up. Also, a cold site will typically not have any data on hand. This is not a hot site. A hot it is a fully ready-to-run site with current (or near-current) data. It is the most expensive solution to maintain, but it may be necessary in situations where it is critical to minimize down time. This is not an off-site storage site. In an off-site storage site, you would have data, but no (or insufficient)

A web-based application is designed so that it runs under a security context that has been granted only the permissions required for the application to run. This is an example of which of the following? Choose the correct answer Implicit deny Principle of least privilege Separation of duties MAC

Explanation This is an example of principle of least privilege (POLP). In POLP, the minimum rights are assigned for a task to be accomplished. This is an access control method that originated in the United States Department of Defense in the 1970s. POLP can help minimize several security risks, such as attacks involving privilege escalation. In privilege escalation, the attacker typically uses flaws in system or application software to gain a higher permission level. It can be used to gain, for example, administrator privilege into a system. This is not an example of implicit deny. Implicit deny is an access control model in which the default permission in an access control list (ACL) denies a privilege that is not explicitly granted through the ACL. This is not an example of separation of duties. In separation of duties, permissions are assigned to users based on operational or duty requirements. The model is based around checks and balances to ensure that multiple users have to complete different steps in a sensitive or hazardous task. This is not an example of mandatory access control (MAC). In the MAC model, a hierarchical access model is used with all access permissions set by administrators. Resource objects, such as data files, are assigned security labels that assign a classification and category to each object. Classification and category information is also assigned to each user account, and access is determined by comparing the user and object security properties.

A security company is contracted for black hat penetration testing at a large corporation. The security company relies only on publicly available information for its initial reconnaissance, and it does not attempt to contact the corporation or access the corporation's network or resources. What is this BEST described as? OSINT Footprinting CVE War flying

Explanation This method of reconnaissance is best described as open source intelligence (OSINT). OSINT uses various methods and sources, such as social media, print archives, web searches, and such to gather as much information as possible without coming in direct contact with the target. OSINT relies on public information sources only. This is not an example of Common Vulnerabilities and Exposures (CVE). CVE is not a surveillance or reconnaissance method. It is a catalog of known security threats with the threats identified as vulnerabilities and exposures. This is publicly available information. This is not best described as footprinting. Footprinting is also used in initial reconnaissance and information gathering, but it is not limited to public information sources only. Active footprinting collects information through direct interaction with the target. This is not an example of war flying. War flying is a means of locating Wi-Fi networks, usually by using a drone with a wireless network scanner attached. This is an airborne extension of war driving, which locates wireless networks from a vehicle, and war walking, which is simply walking around looking for networks.

A company hosts a customer feedback forum on its website. Visitors are redirected to a different website after opening a recently posted comment. What kind of attack does this MOST likely indicate? SQL injection Directory transversal Code injection Cross-site scripting (XSS)

Explanation This most likely indicates a specifically stored or persistent Cross-site Scripting (XSS) attack. In this type of attack, the attack is stored on the server, usually through a public forum or other access type. Malicious script is posted to the website and used to exploit visiting users. This is not an example of a directory transversal attack. A directory transversal attack uses a GET or POST request to a website that includes redirection to a restricted directory. Directory transversal attacks can also be used to execute commands. This is not an example of a SQL injection attack. A SQL injection attack is targeted from the user to the vulnerable website in the form of an embedded (usually a command query) SQL query. A SQL injection attack can be used to access data or force execution of commands on a database server. This is not an example of a code injection attack. A code injection attack is when malicious code is inserted into a vulnerable website's code for execution by the website. The problem in the scenario is that the code is being executed by web users.

Which threat actor BEST matches each description? To answer, select a threat actor from the drop-down list. Choose the correct options Description A group that wants to bring attention to issue, person, or organization. The group's motivation is about making a point rather than financial gain. This is a threat actor with minimal technical skills who relies on tools developed by others. Goals include hacking in just to hack in. A group whose primary goal is financial gain and relies on attacks such as ransomware and data exfiltration activities. A group that uses hard-to-detect tools to persist its connection to target systems, usually with data theft or financial gain as goals. Involved in activities coming from malicious actions, negligence, or incompetence by an organization's employees.

Explanation Threat actor Organized crime Insider threat A hacktivist is a threat actor who is part of a group that wants to bring attention to an issue, person, or organization. The group's motivation is about making about a point rather than financial gain. Hacktivists are usually either trying to promote a person or movement or disclose negative information about a target. A script kiddie is a threat actor with minimal technical skills who relies on tools developed by others. Tools are usually downloaded or purchased from the internet. Goals include hacking in purely for the sake of hacking in. Gaining notoriety may also be a goal. Organized crime has financial gain as its primary goal and relies on attacks such as ransomware and data exfiltration activities. Many organized crime activities follow the same general models as other criminal

The company CSO has ordered that all emails sent or received by senior management personnel be preserved. Managers should not be able to delete emails. If changes are made to an email, both the original and modified versions should be preserved. Managers should still have access to their email accounts. Security personnel are tasked with ensuring this. What should the security personnel use? Principle of least privilege Chain of custody Legal hold Forensic hashing

Explanation To carry out the chief security offcer's request (CSO), the security personnel should place managers' email accounts on legal hold. Legal precedent in the United States and many other countries requires that relevant information be preserved when there is a reasonable anticipation of legal action. Most email systems support placing accounts on legal hold. The way it is implemented can vary by the specific email system. Users may be prevented from deleting emails or deleted emails may be placed on hold and remain available. Similarly, users may either be prevented from modifying emails or both the original and modified versions of any emails are maintained. The security personnel should not use hashing to protect the emails. Hashing is used to preserve the integrity of data by generating a value based on the data content. It would let personnel know when data has changed but does not protect the original data or provide a way to retrieve the original content. It also does not prevent deletion. The security personnel would not use chain of custody to protect the emails. Chain of custody is used to document any activity relating to seized artifacts, and records the sequence of custody, control, transfer, analysis, and disposition of any artifact that might be used as evidence.

A security engineer is concerned that a tool being used to manage a critical server does not support encryption of data in motion. What should the engineer do to assess the tool in question? Perform a port scan on the server using scanless. Define a listener on the server with ncat. Scan the managed system using Nessus. Perform a packet analysis with Wireshark. .

Explanation Wireshark is the best choice for determining whether transport encryption is being used. Wireshark is a popular protocol analysis tool that can be used to capture network packets and investigate packet headers and payloads. Using Wireshark, the tester would be able to determine the types of traffc traversing the network, the applications and ports associated with that traffc, and when and where transport encryption is being used. Additionally, if sensitive file streams are captured, Wireshark can decode, reassemble, and export those files. Nessus is a popular vulnerability scanning tool. Tools like Nessus typically operate by scanning a host against a database of popular vulnerabilities. This requires scanning for open ports, determining the service that is running on that port, and then scanning for configuration issues, missing patches, and other vulnerabilities. However, Nessus is not used to verify transport encryption. Ncat was created as an improved version of netcat. Ncat is integrated into nmap, and can be used to define network sockets, or listeners, using Transmission Control Protocol (T CP) or User Datagram Protocol (UDP) on a target host. Ncat is not used to verify transport encryption. Scanless is not used to verify transport encryption. Scanless is a command-line tool that can be used to automate port scanning using public, web-based scanners

Your network is attacked by a self-replicating program. What type of malware does this indicate? Trojan horse Worm Logic bomb Virus

Explanation Worms are code sequences that spread from computer to computer on their own. Worms do not rely on other programs to spread. Code Red is an example of a Worm. A worm may initially be sent as an e-mail attachment, but it propagates on its own. Many worms have no other function than to spread, but some have payloads that perform other actions. Worms without payloads can harm a network by causing excessive congestion. A common payload of worms is a backdoor that allows the host computer to be controlled by the author of the worm. These zombie computers can be networked into botnets and used for Denial of Service (DoS) attacks. The Sobig and Mydoom worms created zombies. Viruses are code sequences that spread from computer to computer by attaching to files. The Melissa virus is an example of a virus spread through Microsoft Word documents sent as email attachments. Trojan horses are code sequences that appear benign but, when executed, can destroy a user's data. Logic bombs are code sequences that can quietly reside on a computer until something, like a specific time or date, triggers them. When the bomb is triggered, it can erase a user's data on a computer.

An email server supports IBMP connections. What must be done to ensure that all IMAP traffc is encrypted? (Choose two.) Allow traffic on TCP port 990. Allow traffic on UDP port 995. Allow traffic on TCP port 993. Block traffic on UDP port 138. Block traffic on TCP port 143.

Explanation You should allow traffc on Transmission Control Protocol (TCP) port 993. Port 993 is the port assigned to Internet Messaging Application Protocol (IMAP) over Secure Sockets Layer (SSL), which is the protocol used to transmit encrypted 1M,AP traffc. All email protocols operate over T CP. You should also block traffc on TCP port 143. This is the port used for unencrypted IMAP traffc. You should not allow traffc on UDP port 995. TCP port 995 is used for encrypted Post Offce Protocol (POP3) traffc. You should not allow traffc on TCP port 990. This is the control port for File Transfer Protocol over SSL You should not block traffc on UDP port 138. This is the protocol used to receive NetBIOS name resolution response datagrams.

A server is being configured to be used as an FTPS server using well-known port assignments. Only connections encrypted with TLS should be permitted. The host firewall is configured for implicit deny. The following firewall rules are created: Allow UDP port 989 Allow TCP port 989 Which two additional firewall rules should be defined? (Choose two.) Allow UDP port 443 Block TCP port 21 Allow TCP port 443 Allow UDP port 990 Allow TCP port 990 Block TCP port 20

Explanation You should configure port 990 as the control port and port 989 as the data port. File Transfer Protocol over SSL (FTPS) is a secure version of FTP that operates over Secure Sockets Layer (SSL) or Transport Layer Security (TLS). It has two modes: implicit mode and explicit mode. With implicit mode, all connections are secure. Implicit mode requires port 990 as the control port. If any port other than port 990 is used as the control port, the client will be able to request encryption. This mode is known as explicit mode. However, clients that do not request encryption will send and receive data in clear text. The default port for sending data over FTPS is port 989. FTPS operates over both User Datagram Protocol (UDP) and Transmission

A financial application needs to ensure that all tasks relating to the transfer of money require actions by more than one user through a series of checks and balances. All activity must be audited and logged. What access control method should be used? Separation of duties Principle of least privilege Job rotation Implicit deny

Explanation You should design access control around the separation of duties (SOD) model. In the separation of duties model, permissions are assigned to users based on operational or duty requirements. The model is based around checks and balances to ensure that it requires multiple users to complete different parts of a sensitive or hazardous task. You should not design your access control around job rotation, but you might consider job rotation in addition to SOD to make the solution more secure. In job rotation, a user performs a task for a limited period of time before the task is assigned to a different user. You should not design your access control around implicit deny. Implicit deny is an access control model in which the default permission in an access control list (ACL) denies a privilege not explicitly granted through the ACL. Implicit deny is related to access to specific resources. You should not design your access control based on a strict principle of least privilege (POLP) model. The POLP model, in itself, is not complete enough to meet your requirements. In POLP, the minimum rights are assigned for a task to be accomplished. You would apply POLP to each duty, but you would delegate permissions among multiple users.

A server was the victim of a DoS attack. Where should an administrator look for evidence first? User accounts Surveillance camera footage Network logs Registers and cache

Explanation You should look for evidence first in the most volatile location the registers and cache on the server. A volatile location is one where evidence is most likely to be destroyed by the actions you perform on the system. Although you should examine the network logs, network logs are not very volatile. On the other hand, some network information like routing tables and the ARP cache are volatile, so these should be examined for evidence early. You should not look for evidence in the surveillance camera footage. Because this is a Denial of Service (DoS) attack, it was probably not launched by the attacker physically visiting your facility. Also, if you suspect that the attacker did visit the premises, you can view the footage later because it is not volatile. You should not look for evidence of user account modification first. User accounts are not terribly volatile.

A critical server application IS susceptible to shell injection privilege escalation attacks k . How can the potential impact of this type of attack be reduced? Configure a firewall on the server running the application. Rename all operating system default accounts. Run the application with the minimum permissions required. Require strong passwords for all users.

Explanation You should run the application with the minimum permissions required. In a shell injection attack, the attacker takes advantage of the application's ability to run commands from the command line or command shell. Commands run at the security context of the application. To minimize what an attacker can do from the command line, you need to minimize the application's permissions. Requiring strong passwords will not minimize the potential impact. The attack occurs because of an application's permissions, not a user's. However, strong passwords are generally recommended as part of a general security configuration. Renaming default accounts will not minimize the potential impact because default accounts are not directly involved in this type of attack. Renaming default accounts does close a potential hole in your security because the accounts could be used to attempt logging on to the system, but renaming default accounts would not help in this situation. You should not configure a firewall on the server running the application. A firewall can be used to limit access to the server, but server access is not the problem in this case.

What can be done prevent an internet attacker from using a replay attack to gain access to a secure public website? Timestamp session packets. Require user name and password for authentication. Deploy the web server in the internal network. Deploy the web server in a perimeter network.

Explanation You should timestamp session packets. By placing a timestamp on the packets, they become time sensitive. If the attacker attempts to retransmit the packets to gain access, the server will be able to determine if the time is outside of a reasonable tolerance and refuse to accept the packets. Deploying the web server in a perimeter network or on the internal network will not prevent replay attacks. Replay attacks gain access by retransmitting authentication information and masquerading as a valid user. A public website, one that is accessed from the internet, should be deployed in a perimeter network rather than the internal network as a security precaution. The perimeter network helps protect your internal network from the internet. Allowing internet clients direct access to your internal network is considered a potential security risk. You should not require user name and password for authentication as a way to prevent replay attack. A replay attack is designed to bypass this type of authentication by retransmitting the traffc used to authenticate a session.

A company wants to create a secure tunnel between two sites. Which set of protocols will offer the highest level of security and efficiency? Choose the BEST answer. DH-1024, 3DES, and SHA-512 DH-1024, 3DES, and MD5 DH-1024, AES, and SHA-512 ECDH-384, AES, and MD5 ECDH-384, AES, and SHA-512 ECDH-384, 3DES, and SHA-I

Explanation You should use ECDH-384, AES, and SHA-512. The ECDH is Diffie-Hellman based on Elliptic Curve Cryptography (ECC), which is more secure than DH-1024, which is the older version. ECDH is a key exchange protocol. Modern firewalls, routers, and servers support Diffie-Hellman based on ECC to provide higher security than the older method: modular exponentiation (MODP). Advanced Encryption Standard (AES) is a well-known, fast, and efficient symmetric encryption algorithm. AES is considered better and more secure than 3DES. SHA-512 is the next-generation hashing algorithm. You should avoid using MD5 and SHA-I due to known issues with these algorithms. You should not use 3DES in your solution because AES is more secure.

A company is looking to develop an Internet-level browser-based SSO solution. What should they use to accomplish this? RADIUS TACACS+ LDAPS SAML

Explanation You should use Security Assertion Markup Language (SAM,L). SAML is a way to provide web browser single-sign on (SSO) solutions. It provides an XML-based data format for exchanging authentication and authorization. You should not use RADIUS or TACACS+. Both are methods of providing centralized support for authentication, authorization, and accounting management for networks. Neither is designed to facilitate a browser-based SSO solution. You should not use secure LDAP (L DAPS). LDAP is an industry standard protocol for maintaining distributed directory services. LDAPS is a non-standard implementation using encrypted communication. LDAP is commonly used to support SSO in an intranet environment, but not for Internet-based.

An organization wants to deploy a centralized authentication structure that can be used to authenticate routers, servers, and switches. They want this structure to be as secure as possible. What is the best solution? Choose the correct answer. TACACS+ RADIUS Kerberos SAML

Explanation You should use TACACS+ in this scenario. TACACS+ is more secure by design the other choices listed. The only two technologies that could be used in this situation are RADIUS and TACACS+. TACACS+ is the preferred solution when security is a primary concern. Unlike RADIUS, TACACS+ separates authentication, authorization, and accountability functions, and the entire authentication session is encrypted. RADIUS encrypts the password only. Security Assertion Markup Language (SAML) would not be used in this scenario. SAM,L is a way to provide web browser single-sign on (SSO) solutions. It provides an XML-based data format for exchanging authentication and authorization. Kerberos is a secure protocol used with authentication, but does not provide the authentication structure.

A company is deploying a PKI. They want to use a hardware device separate from their Windows servers to manage and maintain cryptographic keys. What should the company use? DLP TPM HSM TACACS+

Explanation You should use a hardware security module (HSM). An HSM is a hardware device that can function as a cryptographic service provider (CSP) device. A CSP can help improve key generation and management by providing secure key generation and secure onboard storage, whether or not the key was initially generated by the CSP. When using an HSM, secure key backup is typically designed into the device. When setting up a certificate authority (CA) that uses an HSM to store certificates, you must install and configure the HSM before the CA. You would not use a DLP. DLP refers to data loss prevention, an umbrella term that refers to protecting data. You would not use a trusted platform module (TPM). A TPM is hardware component that provides cryptographic functions. It works with the computer's BIOS and encryption software to provide high-level encryption support. This does not meet the solution requirements because it does not provide the key management needed as part of the solution. You should not use Terminal Access Controller Access-Control System Plus (TACACS+). TACACS is an authentication protocol.

A company's internal network has experienced several attempted attacks from the Internet. The administrator needs to collect as much information about the attackers and their attack methods as possible. The administrator should minimize the risk to the internal network. What should the administrator use? VLAN Extranet DMZ Honeynet

Explanation You should use a honeynet that is isolated from your internet network. A honeynet is a decoy network set up to look like an operational network, but configured with intentional vulnerabilities and devices designed to capture information about attackers (honeypots). A honeynet is often set up with applications and simulated network activity to make it a more tempting target. You should not use a DMZ. A is a perimeter network that provides a layer of secure isolation between your internal network and the Internet. Because a DMZ can give a hacker a potential way into your internal network, leaving a DMZ intentionally open to attack puts the internal network at risk. Both the Internet-facing and internal-facing firewalls on a DMZ should be as secure as possible. You should not use an extranet. An extranet is a configuration where you provide access to internal network resources to an outside partner over a public pathway (the Internet). You would not configure intentional vulnerabilities into an extranet. You should not use a virtual LAN (VLAN). A VLAN is a network configuration that enables you to change network boundaries through switch configurations rather than having to physically rewire your network infrastructure. This is configured as part of your internal network, so it would place your internal network at

A company's network is configured as a distributed directory environment. The company wants to configure an SSO environment through their intranet. All traffic related to authentication should be encrypted. What should be used to accomplish this? LDAPS SAML RADIUS TACACS+

Explanation You should use secure Lightweight Directory Access Protocol (L DAPS). LDAP is an industry standard protocol for maintaining distributed directory services. LDAPS is a non-standard implementation using encrypted communication. LDAP is commonly used to support single sign-on (SSO) in an intranet environment. You should not use Security Assertion Markup Language (SAML). SANIL is as a way to provide web browser SSO solutions for the internet. You should not use RADIUS. RADIUS encrypts passwords, but not the entire authentication session. You should not use TACACS+. TACACS+ is used to provide authentication for servers, switches, and routers.

An application environment needs to be kept as secure as possible and requires the strictest access control model. What access control model should be used? Rule-based access control Role-based access control MAC DAC

Explanation You should use the mandatory access control (MAC) model. This is considered the strictest access control model. In the MAC model, a hierarchical access model is used, with all access permissions set by administrators. Resource objects, such as data files, are assigned security labels that assign a classification and category to each object. Classification and category information is also assigned to each user account, and access is determined by comparing the user and object security properties. You should not use rule-based access control. In rule-based access control, access is defined by policies (or rules) established by an administrator. Users cannot change access settings set by administrators. Access is tracked through an access control list (ACL) associated with each object. Because access is based on user account or group membership but does not further classify objects or users, rule-based access control is considered less strict than MAC. You should not use role-based access control. Role-based access control assigns access permissions based on a user's job function in an organization. This is different than a group-based access control model because, while a user can be assigned membership in multiple groups, a user can only be assigned to one role within the organization. You should not use discretionary access control (DAC). In the DAC model, users have control over access to ataor ocal computer r t own This model is used. or example

An administrator needs to match authentication protocol choices to different scenarios. To answer, drag a protocol to the most appropriate box next to each authentication scenario. An administrator is configuring authentication for a PPP connection. The connection supports Windows clients only. Both the authentication password and data need to be encrypted.MSCHAP An administrator is configuring authentication based on an open standard for a directory services-based connection that supports mutual authentication. Kerberos An administrator is configuring web site authentication that supports multi-factor authentication, single sign-on, and provides to delegation to other sites and services.OAUTH An administrator is configuring authentication for a wide variety of legacy clients, some that do not support encryption, over a SLIP connection. PAP OAUTH

The administrator should use Microsoft Challenge Handshake Authentication Protocol (MSCHAP) when configuring authentication for a point-to-point protocol (PPP) connection. The connection supports Windows clients only. Both the authentication password and data need to be encrypted. This is Microsoft's proprietary implementation of the industry standard Challenge Handshake Authentication Protocol (CHAP) protocol. CHAP supports encrypting passwords for authentication, but does not include support for data encryption. The administrator should use Kerberos when configuring authentication based on an open standard for a directory services-based connection that supports mutual authentication. Kerberos is an open standard and is the current default standard for directory services implementations, including Windows, Linux, and UNIX. The administrator should use OAUTH when configuring web site authentication that supports multi-factor authentication, single sign-on, and delegation to other sites and services. OAUTH is an open source implementation based on the Security Assertion Markup Language (SAML) standard. The administrator should use Password Authentication Protocol (PAP) when configuring authentication for a wide variety of legacy clients, some that do not support encryption, over a Serial Line Internet Protocol (SLIP) connection. You would use PAP because you are connecting over a SLIP connection. PAP can be used with a PPP connection, although it is strongly discouraged because it sends passwords in clear text. PAP is typically only used with non-VVindows legacy operating systems that do not support password encryption. The administrator should not use Terminal Access Controller Access-Control System Plus (TACACS+) with any of the scenarios. TACACS+ is a Cisco proprietary implement of the TACACS standard and is used with routers, switches, and other devices to provide authentication, authorization, and accounting support.

Entity responsible for technical control of data including availability, security, scalability, technical standards, and backup and restore. Entity who collects or creates the data and is legally responsible and accountable for the data and its protection. Entity responsible for protecting the rights and privacy of the data's subject and controlling the procedures and purpose of data use. Entity that works with the data under the direction of a responsible party but does not control the data or its use. Data custodian Data owner Data processor

The data custodian is the entity responsible for technical control of data including availability, security, scalability, technical standards, and backup and restore. The data custodian works with the data daily. The term data steward is sometimes used interchangeably with data custodian, but the data steward is responsible for business accountability, including data and metadata quality. The data steward acts as the liaison between the business side of the organization and IT. The data owner is the entity who collects or creates the data and is legally responsible and accountable for the data and its protection. When an organization uses data classifications, the data owner is responsible for classifying the data. The data controller is the entity responsible for protecting the rights and privacy of the data's subject and controlling the procedures and purpose of data use. The data custodian also takes on the responsibilities of the data owner when there is no clear data owner. The data processor is the entity that works with the data under the direction of a responsible party but does not control the data or its use. The data processor is accountable to the data owner or data controller. None of the responsibilities refer to the data subject. The data subject is the entity that the data is about.

A honeypot is BEST described what type of control? Choose the correct answer Detective Compensating Preventive Directive

Explanation A honeypot is best described as a detective control. Detective controls are used to identify unwanted or unauthorized activity. A honeypot is used as a decoy for attackers so you can detect and study hacking attempts. Other detective controls include intrusion detection systems (IDS) and motion detectors. A honeypot is not classified as a preventive control. Preventive controls are used to stop unwanted and unauthorized activity. Examples include antivirus software, fences, and security policies. A honeypot is not a directive control. A directive control is used to direct or confine activity and include examples like direction signs and security guards. A honeypot is not a compensating control. A compensating control is used to provide options when other controls are too difficult, expensive, or damaging to use, such as having a mantrap at an entrance instead of a security guard. A control can often fall under multiple categories. Visible security cameras could be considered preventive, deterrent, and detective controls, for example.

A company is deploying the PKI infrastructure shown in the work area, The network administrator needs to determine whether each certificate authority should be deployed as an online or offline CA to provide a secure infrastructure, Users must be able to request certificates for local use, To answer, choose the correct deployment option from the drop-down menus.

The root CA is the authoritative source for the public key infrastructure (P KI). It should be kept offline except when it is brought online for maintenance to limit the risk of the infrastructure being compromised. Intermediate CAS should also be deployed offline to ensure a secure infrastructure. The issuing CAS should be deployed online. They must be online to be available to users so they can request certificates.


Ensembles d'études connexes

Ch 4: Hazard Recognition Risk Assessment and Control

View Set

History of Rock 'n' Roll (MUS 244)

View Set

Chapter 3: Communication and Customer Care

View Set

Integumentary System, integumentary, NURS 3107 - Exam 4 - EAQs: Integumentary Assessment, Ch. 24 NCLEX Practice, DavisEdge Quiz: Nursing Care of Patients with Skin Disorders

View Set

ATI PHARMACOLOGY upper respiratory disorders

View Set

Western Civ. Mr. E Final Exam Study

View Set