measure up sec+ 3/3/2023


Which of the following is the best example of a fog computing environment?

A network of oil field sensors that send data to a local IoT gateway for preprocessing. Answer D is correct. The oil field sensor example is the best example of fog computing because the remote sensors send their data to a local gateway for preprocessing before anything is forwarded to the cloud. Fog computing is closely related to edge computing, but the processing happens on IoT (Internet of Things) gateway devices located in close physical proximity to the sensors rather than on the sensors themselves. Answer C is incorrect. A camera that performs the preprocessing itself is a better example of edge computing. Answer A is incorrect. The satellite is a standard cloud client-server computing model. Answer B is incorrect. The vehicle is not using the cloud at all.

Drag the authentication standard from the bottom to its description. All standards will be used, and one standard will be associated with two descriptions.

Following are the authentication standards and their descriptions:
- 802.1X: Uses an authenticator to block communications between unauthorized users or workstations and the local network; requires the use of EAP and an authentication server (this is the standard that matches two descriptions).
- Kerberos: Centrally secures access to server resources deployed within or across a non-secure network.
- Point-to-Point Protocol (PPP) with Challenge Handshake Authentication Protocol (CHAP): Restricts access to a LAN via a WAN link.

Which of the following virtualization models provides the highest level of efficiency?

Type I hypervisor. Answer C is correct. Type I hypervisors, also known as bare-metal hypervisors, run directly on the physical hardware without a host operating system. This is the model most commonly used in datacenter virtualization because it avoids the overhead of a host OS layer. Answer D is incorrect. Type II hypervisors run on top of a host operating system, which reduces efficiency. Answers A and B are incorrect. Type III and Type IV hypervisors do not exist.

Bob is interested in standing up his first web server for his small organization. Having no idea how to assess and confirm that his server will be as secure as possible, what resource can Bob avail himself of for guidance that is based on the industry's best practices?

Benchmarks and secure configuration guides, such as the CIS Benchmarks or the web server vendor's own hardening guide, give a checklist of settings to apply and then verify on the running server.

Carla is creating a new mobile application that will communicate with a backend server. What technology can she use to provide the app with a public key that it should expect from the backend server?

Certificate pinning. Answer A is correct. Certificate pinning gives a client (here, the mobile app) the certificate or, better, the public key (a hash of the SubjectPublicKeyInfo) that it should expect from a remote server, and the client rejects the TLS connection if the server presents anything else, even a certificate that chains to a trusted CA. Browsers once supported this through HTTP Public Key Pinning (HPKP), which has since been removed from mainstream browsers because a bad pin could lock users out of a site; in mobile apps the pins ship inside the app (for example, in Android's network security configuration). Pinning allows developers or administrators to notice and intervene if a certificate unexpectedly changes, so always ship a backup pin for a spare key and plan for rotation. Answers C, D, and B are incorrect. OCSP stapling, the Online Certificate Status Protocol (OCSP), and certificate revocation lists (CRLs) are all used to check the revocation status of certificates, not to fix which key a client should expect.

Drag the attack framework from the bottom onto its description

Following are the attack frameworks and their correct descriptions:
- MITRE ATT&CK: A knowledge base of adversary techniques presented as a matrix for enterprise.
- The Diamond Model of Intrusion Analysis: Describes attacks as the pivoting interactions among adversaries, victims, capabilities, and infrastructure.
- Cyber Kill Chain: A linear seven-step attack model that defenders use to interrupt the steps and stop the attack.

Nadean is a software developer who is preparing a new application for release. She wishes to use code signing for the application file that will be deployed to a customer. What key should she use to sign the application?

Her organization's private key. Digital signatures are always created using the private key of the person or organization creating the signature and verified by anyone holding the corresponding public key, which is distributed in the code-signing certificate. In this case, Nadean should sign the application with her organization's code-signing private key; customers verify it against the organization's certificate, which chains to a CA they trust. Keep that private key in an HSM or a managed signing service rather than on a build host, since anyone who obtains it can sign malware that verifies as the organization's software.

Jen's firm is planning to open a new retail store that will accept credit cards. What regulation must the firm comply with as a result of this processing?

PCI DSS. Answer A is correct. The Payment Card Industry Data Security Standard (PCI DSS) is an industry framework that specifies the cybersecurity requirements for organizations involved in credit card transactions and provides detailed rules about the storage, processing, and transmission of credit and debit card information. It is enforced contractually by the card brands and acquiring banks rather than by statute, but the exam treats it as a regulation. Answer B is incorrect. The Family Educational Rights and Privacy Act (FERPA) requires that U.S. educational institutions implement security and privacy controls for student educational records. Answer C is incorrect. The Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect health-care providers, health insurers, and health information clearinghouses in the United States. Answer D is incorrect. The Gramm-Leach-Bliley Act (GLBA) covers U.S. financial institutions, broadly defined. It requires that those institutions have a formal security program and designate an individual as having overall responsibility for that program.

Which of the following is the least volatile according to the forensic order of volatility?

Logs. Answer B is correct. Logs, along with any other file stored on disk without the intention of being frequently overwritten, are the least volatile item listed. The order of volatility documents which data is most likely to be lost due to system operations or normal processes, so that data is collected first. Answers C, A, and D are incorrect. In order from most volatile to least, the answers here are CPU registers, the system's routing table, temp files, and logs.

What policy document generally describes mutual goals between organizations?

MOU Answer A is correct.A memorandum of understanding (MOU) is similar to a letter of intent and is used to shape the policies of multiple organizations to lead them into alignment. It's a relatively informal document, which may or may not be legally binding. Sometimes an MOU is used when a formal contract is pending or inappropriate.Answer B is incorrect. A business partnership agreement (BPA) defines a general business relationship in practical terms rather than organizational goals. It defines the sharing of profits, losses, property, and liability; it typically also includes partner responsibilities and a dissolution process for when a partner leaves the agreement with the goal of reducing disagreements and litigation surrounding what assets and liabilities rightfully belong to each party after the split.Answer C is incorrect. An interconnection security agreement (ISA) specifies technical requirements for a secure data interconnection between two parties. It might include connection requirements, security controls, and connection topology.Answer D is incorrect. A service-level agreement (SLA) formally defines a service provided by one organization to another. It typically includes obligations and expectations for performance, reliability, and other service metrics. Also included are remedies and details about compensation for the client in case the service provider fails to meet contractual obligations.

What wireless technology is most frequently used for wireless payment solutions?

NFC Answer D is correct.Near-field communications, or NFC, is the most frequently used technology for wireless payment systems. NFC provides a very short-range, low-bandwidth wireless connection, which is well suited to payment systems.Answers B and C are incorrect. Cellular and Bluetooth are not commonly used for wireless payment systems, although some Bluetooth implementations do exist.Answer A is incorrect. Wireless USB (universal serial bus) does exist but isn't widely used.

Bob Smith received an email delivered to his enterprise email account. The email stressed the importance for Bob to verify the balance in his bank account and offered a link to do so. Bob hovered his mouse cursor over the link and observed a popup tag containing a URL ending in a domain that was not related to his bank. All of the logos in the email were legitimate icons for his bank. What kind of attack is Bob likely the victim of?

Phishing. Answer B is correct. This is an example of a phishing email, which attempts to trick the recipient by using familiar imagery and wording. The attack enters the next phase when the email recipient clicks on deceptive links or opens malicious attachments. Answer A is incorrect. Pharming redirects victims to a fraudulent site by poisoning DNS or a hosts file, so it does not depend on a deceptive link in an email. Answer D is incorrect. Spam is annoying and/or unwanted email that is usually not dangerous to interact with. Answer C is incorrect. Typosquatting occurs when bad actors register domains that represent common typographical transformations of legitimate domain names to trick unlucky victims into communicating with a malicious host.

Which of the following is a technique used to expand the access an attacker has to an already compromised system?

Privilege escalation Answer C is correct.Privilege escalation is a technique used to expand the access an attacker has to an already compromised system. They exploit vulnerabilities that allow the transformation of a normal user account into a more privileged account, such as the root superuser account.Answers D, A, and B are incorrect. Pivoting, maneuver, and lateral movement are all similar terms that involve moving from one compromised system to compromise other systems on the same network.

Jan is concerned that attackers might use a rainbow table attack against her organization's stored passwords. What is the most effective defense against this type of attack?

Salting. Answer A is correct. Rainbow table attacks attempt to reverse hashed password values by precomputing the hashes of common passwords. The attacker takes a list of common passwords and runs them through the hash function to generate the rainbow table, then searches lists of stolen hashed values for matches. The most common defense is salting, which adds a randomly generated value to each password prior to hashing, so a precomputed table built without the salt never matches. Salting alone does not slow an attacker who targets one account, so pair it with a deliberately slow password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count). Answer B is incorrect. Pinning is the process of associating a host with its expected X.509 certificate or public key. Answer C is incorrect. Key escrow is the practice of storing a copy of a cryptographic key with a trusted third party so it can be recovered; it has nothing to do with password storage. Answer D is incorrect. Input validation, also known as data validation, is the proper testing of any input supplied by a user or application.

What do reading irresponsibly placed sticky notes on monitors and stealing a certificate's private key have in common?

They are both forms of credential harvesting. Answer A is correct. Credential harvesting is the act of obtaining passwords, encryption keys, and the like. Some users have too many passwords to memorize and resort to writing some or all of them down and posting them in relatively conspicuous or predictable places, such as on monitors, in desk drawers, and under keyboards. Well-written and strictly enforced corporate policies against such behavior, password managers, and single sign-on solutions can help to mitigate these irresponsible acts. Poorly protected private keys can be compromised and used to decrypt messages and data encrypted with the related certificate's corresponding public key. Answer D is incorrect. Although a password may be used as a symmetric key and thus used to decrypt what it has encrypted, a private key is used in asymmetric cryptography and can only decrypt what the corresponding public key has encrypted; the public key is required to decrypt what the private key encrypted. Answer C is incorrect. Perhaps it can be argued that reading a password from a sticky note is unethical, but doing so is not illegal. Recovering a private key is not necessarily illegal and may be necessary to avoid losing access to encrypted information, but the use of the word stealing indicates that recovery, in this case, was not performed legally. Answer B is incorrect. Technically, neither of these exploits needs to be carried out in person, although reading the password from a sticky note most likely would be. Alternatively, a suitably aimed camera could feed the text of the note to a character-recognition program to produce the password, and a script could perform the acquisition and subsequent use without any human intervention during the operation. Automated techniques also exist to harvest inadequately protected private keys.

In the field of account management, which of the following sources can be used individually as proof of identity when authenticating a user or system? Each correct answer represents a complete solution. Choose four.

Token Smart card IdP Certificate Answers A, B, F, and G are correct.Identity providers (IdPs) are systems which provide user authentication as a service to other systems which trust the IdP. Certificates are digital possession factors containing identity and proof of private key possession. Tokens are hardware devices or secure mobile apps containing secret information such as a certificate or a one-time password (OTP) generator; depending on the contents it might include both identity and an authentication factor. Smart cards are digital authentication cards with stored certificates and typically cryptographic functions which make them a complete proof of identity.Answer C is incorrect. A username is a claim of identity, but it doesn't carry any proof. It also requires an authentication factor such as a password.Answer D is incorrect. A password is a secret which serves as a knowledge factor, but to prove identity it must be associated with an identity claim such as a username or system ID.Answer E is incorrect. An IP address is a claim of identity for a system, but it's easy to spoof or change, so it isn't valuable without some authentication factor like a device certificate.

Which of the following involves contacting a separate host known as a responder to verify the revocation status of a digital certificate?

OCSP. Answer B is correct. Online Certificate Status Protocol (OCSP) allows a client to contact a host run by the CA, the OCSP responder, and ask whether a particular certificate has been revoked. OCSP requires fewer network resources than downloading a full revocation list to each client, and the responder's answer is usually more current than a periodically published CRL. Two practical caveats: the responder learns which sites a client visits, and most browsers soft-fail (an unreachable responder is treated as "not revoked") or skip live OCSP lookups entirely, so servers should use OCSP stapling, in which the server fetches the signed OCSP response itself and sends it along with the certificate during the TLS handshake. Answer A is incorrect. A certificate revocation list (CRL) is a digitally signed list of all certificates revoked by a CA. CAs regularly update the CRL and publish it to a URL where clients can download or consult it; OCSP saves network and client resources by answering one request at a time instead of shipping this whole list. Answer D is incorrect. A certificate signing request (CSR) is a document created and signed by the entity requesting the certificate. It contains identifying information about the subject (called a distinguished name) and is accompanied by a public key and optional attributes. The most popular syntax for a CSR is PKCS#10, an ASN.1 structure, which can be saved and submitted in binary DER format or as a Base64-encoded ASCII PEM file attached to a request to the CA or, quite often, to one of its registration authorities (RAs). Alternatively, some CAs and their RAs allow the text of the Base64 version to be pasted into a web form for submission. Answer C is incorrect. A certificate authority (CA) is a trusted service or provider that signs, issues, and revokes digital certificates. The CA maintains the certificate revocation list and operates the responder for OCSP requests.

Which of the following threat vectors can an attacker exploit with the least dependence on intentional or inadvertent cooperation by another person?

Wireless. Answer C is correct. Wireless network attacks can take place without physical access to the facility, as long as the attacker is within radio range of the organization's access points. No cooperation from other individuals is necessary. Answers D and A are incorrect. Email and removable media attacks require a victim who acts on an email message or plugs in infected removable media. Answer B is incorrect. Supply chain attacks are complex and typically require the cooperation, witting or not, of a vendor, delivery contractor, or other insider.

Tony finds the digital certificate files shown here in a repository. Which is most likely to contain a certificate in ASCII format?

certificate.pem. Answer A is correct. The Privacy Enhanced Mail (PEM) format is an American Standard Code for Information Interchange (ASCII) text encoding of the binary Distinguished Encoding Rules (DER) form: the DER bytes are Base64-encoded and wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. PEM certificates are normally stored in files with the .pem or .crt extensions, and PKCS#7 bundles in .p7b files are usually PEM as well. Answers B, C, and D are incorrect. Files with the .der, .pfx, and .p12 extensions hold binary data (.pfx and .p12 are PKCS#12 containers that also carry the private key and therefore need careful handling). The .cer extension simply means "certificate", not "Compilation Error Message"; Windows uses it for both DER-binary and Base64-encoded exports, so the exam treats it as binary but a real .cer file can be either. The quick check: if the file opens in a text editor and starts with -----BEGIN, it is PEM.
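The two certificate questions above (pinning, and PEM versus DER encoding) come together in the following added example, which is not part of the MeasureUp material. It builds a constructed, unsigned toy certificate that only mimics the X.509 field order, wraps it in PEM and decodes it back to DER with the standard library, walks the DER to the SubjectPublicKeyInfo, and pins the SHA-256 hash of that structure in the pin-sha256 form used by HPKP and Android's network security configuration. The key material, names and serial numbers are made up; nothing here is a real certificate.

```python
"""SPKI certificate pinning over a PEM/DER certificate, standard library only.

The certificate built here is a constructed toy: it has the X.509 field
layout but no real key and no real signature. The pin logic is the real part.
"""
from __future__ import annotations

import base64
import hashlib
import ssl


# ---- minimal DER helpers ---------------------------------------------------
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using long-form length when body >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_value(tlv: bytes) -> bytes:
    """Content octets of a single TLV (short or long-form length)."""
    ln = tlv[1]
    return tlv[2 + (ln & 0x7F):] if ln & 0x80 else tlv[2:]


def der_children(value: bytes) -> list[tuple[int, bytes]]:
    """Split a constructed value into (tag, raw TLV) children."""
    out, i = [], 0
    while i < len(value):
        start, tag, ln = i, value[i], value[i + 1]
        i += 2
        if ln & 0x80:
            k = ln & 0x7F
            ln = int.from_bytes(value[i:i + k], "big")
            i += k
        i += ln
        out.append((tag, value[start:i]))
    return out


# ---- X.509 walk: Certificate -> tbsCertificate -> subjectPublicKeyInfo -----
def extract_spki(der_cert: bytes) -> bytes:
    tbs = der_children(der_value(der_cert))[0][1]
    fields = der_children(der_value(tbs))
    # tbsCertificate: [0] version OPTIONAL, serial, sigAlg, issuer, validity,
    # subject, subjectPublicKeyInfo. Skip the version field if it is present.
    idx = 6 if fields[0][0] == 0xA0 else 5
    tag, spki = fields[idx]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def spki_pin(der_cert: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(der_cert)).digest()).decode()


def to_pem(der_cert: bytes) -> str:
    return ssl.DER_cert_to_PEM_cert(der_cert)


def pin_ok(cert: str | bytes, pins: set[str]) -> bool:
    """Accept the presented certificate only if its key is pinned.
    PEM (str) input is converted to DER first; the pin is over DER bytes."""
    der_cert = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return spki_pin(der_cert) in pins


# ---- constructed toy certificate (NOT a real, signed X.509 certificate) -----
OID_RSA_ENC = der(0x06, bytes.fromhex("2a864886f70d010101"))     # rsaEncryption
OID_SHA256_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
OID_CN = der(0x06, bytes.fromhex("550403"))                      # commonName


def toy_cert(serial: int, key_material: bytes) -> bytes:
    name = der(0x30, der(0x31, der(0x30, OID_CN + der(0x0C, b"api.example.test"))))
    validity = der(0x30, der(0x17, b"230101000000Z") + der(0x17, b"240101000000Z"))
    spki = der(0x30, der(0x30, OID_RSA_ENC + der(0x05, b""))
               + der(0x03, b"\x00" + key_material))      # BIT STRING, 0 unused bits
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                # version v3
              + der(0x02, serial.to_bytes(1, "big"))
              + der(0x30, OID_SHA256_RSA + der(0x05, b""))
              + name + validity + name + spki)
    fake_signature = der(0x03, b"\x00" + b"\x11" * 32)     # placeholder, not verifiable
    return der(0x30, tbs + der(0x30, OID_SHA256_RSA + der(0x05, b"")) + fake_signature)


if __name__ == "__main__":
    current = toy_cert(1, b"\xaa" * 64)
    # Ship a primary pin plus a backup pin for a spare key kept offline, so a
    # key rotation does not lock every installed client out.
    pins = {spki_pin(current), spki_pin(toy_cert(9, b"\xbb" * 64))}
    print(pin_ok(to_pem(current), pins))                  # PEM input, pinned key
    print(pin_ok(toy_cert(2, b"\xaa" * 64), pins))         # reissued cert, same key
    print(pin_ok(toy_cert(3, b"\xcc" * 64), pins))         # key changed: reject
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate is what lets a routine reissue (new serial, new validity, same key) pass while an unexpected key change is rejected; a real client would run pin_ok on the DER certificate it receives from the TLS handshake.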

Your organization is interested in implementing secure email services. Communication with outbound email servers is already secured, so securing email retrieval protocols is of particular interest. Additionally, it has been mandated that internal emails be sent confidentially and that these emails sent to others within the organization be stored by the sender in a secured format.Which of the following changes will be required to fulfill the goals to secure the company's email as described? Each correct answer represents a part of the solution. Choose three.

Issue encryption certificates to all employees. Use port 993. Use port 995. Answers A, B, and C are correct. You can secure email retrieval via TLS-encrypted POP3 (POP3S) on TCP port 995 or TLS-encrypted IMAP (IMAPS) on TCP port 993 with the enterprise Internet-facing email server. If all users are assigned an encryption certificate, each internally sent email can be stored securely by the sender by encrypting it to the sender's own public key and decrypting it with the private key when needed. Once users have one another's encryption certificates, internal confidential emails can be sent with S/MIME (which uses X.509 certificates) or with OpenPGP/GPG (which uses its own key format rather than certificates). Answer F is incorrect. Ports 110 and 143 are generally used by plaintext POP3 and IMAP clients; a client may upgrade them with STARTTLS, but nothing guarantees it. Answer E is incorrect. Port 587 is the mail submission port, normally protected with STARTTLS (port 465 is the implicit-TLS alternative). Securing submission is a good idea, but the scenario states that outbound communication is already secured. Answer D is incorrect. Signing certificates allow users to sign email messages, providing authenticity and non-repudiation for recipients who can verify the chain of trust for the associated certificate. However, unless the employees also have encryption certificates, the internal messages will not be confidential in transit or at rest.

Oren obtained a certificate for his domain covering *.acmewidgets.net. Which of the following domains would not be covered by this certificate?

test.mail.acmewidgets.net. Answer D is correct. A wildcard certificate covers a single label in the leftmost position, so *.acmewidgets.net matches first-level subdomains such as www.acmewidgets.net and mobile.acmewidgets.net. test.mail.acmewidgets.net is a second-level subdomain (the wildcard would have to stand for test.mail, two labels) and is not covered. One caveat to the exam's reasoning: strictly, the wildcard entry does not match the bare apex acmewidgets.net either, because "*" must stand for exactly one label; public CAs usually include the apex as a separate subjectAltName entry when they issue a wildcard, which is why the exam counts it as covered. Check the certificate's SAN list rather than assuming.
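The matching rules the previous answer describes, as an added example that is not part of the MeasureUp material: a hostname matcher that applies the RFC 6125 wildcard rules browsers enforce (a whole "*" only in the leftmost label, matching exactly one label, no wildcard for a bare top-level domain), plus a lookup over a constructed SAN list with and without the apex entry. The SAN lists are made up for illustration.

```python
"""Hostname matching against certificate identifiers, following the RFC 6125
rules browsers apply: '*' matches exactly one leftmost label and nothing else.
"""
from __future__ import annotations


def hostname_matches(identifier: str, hostname: str) -> bool:
    ident = identifier.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in ident:
        return ident == host                         # plain dNSName: exact match
    id_labels, host_labels = ident.split("."), host.split(".")
    if id_labels[0] != "*" or "*" in ident[1:]:      # only a whole, leftmost '*'
        return False
    if len(id_labels) < 3:                           # refuse '*.net' style identifiers
        return False
    if len(host_labels) != len(id_labels):           # '*' never spans two labels
        return False
    return id_labels[1:] == host_labels[1:]


def covering_name(san_names: list[str], hostname: str) -> str | None:
    """Return the SAN entry that covers hostname, or None if nothing does."""
    for name in san_names:
        if hostname_matches(name, hostname):
            return name
    return None


# Constructed SAN lists: the bare wildcard, and the wildcard plus the apex
# entry that public CAs normally add to a wildcard order.
WILDCARD_ONLY = ["*.acmewidgets.net"]
WILDCARD_PLUS_APEX = ["*.acmewidgets.net", "acmewidgets.net"]

if __name__ == "__main__":
    for host in ["www.acmewidgets.net", "mobile.acmewidgets.net",
                 "acmewidgets.net", "test.mail.acmewidgets.net"]:
        print(f"{host:28} wildcard only: {str(covering_name(WILDCARD_ONLY, host)):20} "
              f"with apex SAN: {covering_name(WILDCARD_PLUS_APEX, host)}")
```

Run against the four hostnames from the question, only the two first-level names match the bare wildcard; the apex is covered only when it appears as its own SAN entry, and test.mail.acmewidgets.net is never covered.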

What type of cryptographic attack is especially effective against passwords stored in hashed format?

Rainbow table Answer C is correct.Rainbow table attacks attempt to reverse hashed password values by precomputing the hashes of common passwords. The attacker takes a list of common passwords and runs them through the hash function to generate the rainbow table. They then search through lists of hashed values, looking for matches to the rainbow table.Answer B is incorrect. In a chosen plain text attack, the attacker obtains the ciphertexts corresponding to a set of plain texts of their own choosing. Answer A is incorrect. Key stretching is used to create encryption keys from passwords in a strong manner.Answer D is incorrect. A downgrade attack is sometimes used against secure communications such as TLS (Transport Layer Security) in an attempt to get the user or system to inadvertently shift to less secure cryptographic modes.
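The rainbow table question here and the salting question earlier on this page describe the same attack and its defense; the following added example (not part of the MeasureUp material) shows both sides. A plain hash-to-password dictionary stands in for the rainbow table, since the lookup it enables is the point; real rainbow tables compress the same table with hash/reduce chains. The wordlist and passwords are constructed, and PBKDF2-HMAC-SHA256 is used as the slow, salted hash because it is in the Python standard library.

```python
"""Precomputed-hash lookup against unsalted password hashes, and why a random
per-user salt plus a slow KDF defeats it. Standard library only."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed stand-in for a leaked-password wordlist.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2023!", "iloveyou"]

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 recommendation)


def unsalted_hash(password: str) -> str:
    """What a weak system stores: a bare SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words: list[str]) -> dict[str, str]:
    """Precompute hash -> password once, reuse it against every stolen database."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored_hash: str, table: dict[str, str]) -> str | None:
    """One dictionary lookup recovers any password that was in the wordlist."""
    return table.get(stored_hash)


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Store as algorithm$iterations$salt$derived-key, with a fresh salt per record."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)    # constant-time comparison


def crack_salted(record: str, table: dict[str, str]) -> str | None:
    """The attacker's table was built without the salt, so it cannot match.
    Cracking now costs ITERATIONS PBKDF2 rounds per guess, per user."""
    return table.get(record.split("$")[-1])


if __name__ == "__main__":
    table = build_table(COMMON_PASSWORDS)
    print("unsalted:", crack_unsalted(unsalted_hash("Summer2023!"), table))
    rec_alice = hash_password("Summer2023!")
    rec_bob = hash_password("Summer2023!")
    print("same password, different records:", rec_alice != rec_bob)
    print("salted lookup:", crack_salted(rec_alice, table))
    print("login ok:", verify_password("Summer2023!", rec_alice))
```

Two users with the same password get different stored records, so the attacker cannot even tell they share a password, let alone reuse one precomputed table across the database.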

In what cloud security model does the cloud service customer bear the most responsibility for implementing security controls?

IaaS Answer B is correct.The cloud service customer bears the most responsibility for implementing security controls in an Infrastructure as a Service (IaaS) environment and the least responsibility in a SaaS environment. This is due to the division of responsibilities under the cloud computing shared responsibility model.Answer A is incorrect. Software as a service (SaaS) offerings provide customers with access to a fully managed application running in the cloud. Answer C is incorrect. Platform as a service (PaaS) offerings fit into a middle ground between SaaS and IaaS solutions. In a PaaS offering, the service provider offers a platform where customers may run applications that they have developed themselves.Answer D is incorrect. Function as a service (FaaS) platforms are an example of PaaS computing. This approach allows customers to upload their own code functions to the provider and then the provider will execute those functions on a scheduled basis, in response to events, and/or on demand.

An embedded hardware modification that acts as a backdoor was discovered in some of the highly customized machines that your company produced and sold. Upon investigation, the backdoor was also discovered in some of the newly arriving chassis shipped from a trusted vendor that were to be used as raw materials in your future manufacturing process. What is the most likely vector that was used to introduce this unauthorized modification?

Supply chain compromise

During a penetration testing engagement, the blue team notices a large number of familiar packets being sent to an applications server. Upon closer inspection, it appears that, in an attempt to exploit a vulnerability in the server, the red team created thousands of packets with slight adjustments to a few legitimate packets that had been sent earlier to the same server. Which method was likely used to copy valid packets and transmit those copies in this way?

tcpreplay. Answer B is correct. It is most likely that the traffic was captured with another tool, such as tcpdump or Wireshark, and sent again by tcpreplay; the slight modifications the blue team noticed point to the suite's editing tools (tcprewrite to rewrite a capture file, or tcpreplay-edit to edit and replay in one pass) rather than plain replay. Answers A and D are incorrect. The tcpdump utility is a command-line packet capture tool that writes pcap files. Wireshark is a GUI-based utility with an associated command-line utility called tshark. Either could have captured the traffic that is being repeated here by tcpreplay. Answer C is incorrect. The Sn1per utility, run with the sniper CLI command or as a function within other scanning and exploitation utilities, is an automated scanner and exploitation tool that performs OSINT recon, port enumeration, vulnerability scanning, and exploitation with minimal human interaction. It is included with Kali Linux and has a free community edition. Unlike tcpreplay, Sn1per cannot replay captured traffic.

Chris wants to run a RAID that is a mirror of two disks. What RAID level does he need to implement?

1. Answer D is correct. Chris needs RAID 1, a mirror of two disks in which each disk is a complete copy of the other; every write goes to both drives. Answer A is incorrect. RAID 0 stripes data across two or more disks for performance and provides no redundancy; losing one disk loses the array. Answer C is incorrect. RAID 2 is rarely used; it stripes data at the bit level and uses Hamming-code error correction. Answer B is incorrect. RAID 5 stripes data by blocks and distributes parity information among the drives, tolerating the loss of one drive.

Gary is reviewing his system's SSH logs and sees logins for the user named "Gary" with passwords like password1, passsword2, and so on. What type of attack has Gary discovered?

A dictionary attack. Answer D is correct. Gary has discovered a dictionary attack, which works through a list of likely passwords along with common variants of those passwords to break into an account. Repeated logins for a single user ID with iterations of various passwords point to a dictionary attack. (In practice, OpenSSH does not log the password that was tried; you would see the pattern as repeated "Failed password for gary from <ip>" lines, and the guessed passwords themselves appear only in an SSH honeypot's logs.) Answer C is incorrect. A rainbow table is used offline to match a hashed password with the password that produced that hash; it does not show up as login attempts. Answer B is incorrect. A pass-the-hash attack presents a captured authentication hash to act as an authorized user. Answer A is incorrect. A password spraying attack tries one or a few common passwords against many different accounts to stay under lockout thresholds, the opposite pattern from many passwords against one account. Reusing breached credentials across many sites is credential stuffing.
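The distinction drawn above between a dictionary attack and password spraying is visible in sshd logs as two different shapes of failure, so here is an added detection example that is not part of the MeasureUp material. It parses constructed OpenSSH/syslog lines (the hostnames, usernames and addresses are made up, using documentation IP ranges) and gives each source IP a verdict: many failures against one account is a dictionary attack, one or two failures each across many accounts is spraying, and anything below the threshold is noise.

```python
"""Classify sshd authentication failures per source IP: dictionary attack
(many guesses against one account) vs password spraying (one or two guesses
against many accounts). Standard library only."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH/syslog format; not from a real host.
# Note that sshd never records the password that was tried.
SAMPLE_LOG = """\
Mar  3 10:01:01 bastion sshd[2210]: Failed password for gary from 203.0.113.7 port 51000 ssh2
Mar  3 10:01:02 bastion sshd[2210]: Failed password for gary from 203.0.113.7 port 51001 ssh2
Mar  3 10:01:03 bastion sshd[2210]: Failed password for gary from 203.0.113.7 port 51002 ssh2
Mar  3 10:01:04 bastion sshd[2211]: Failed password for gary from 203.0.113.7 port 51003 ssh2
Mar  3 10:01:05 bastion sshd[2211]: Failed password for gary from 203.0.113.7 port 51004 ssh2
Mar  3 10:01:06 bastion sshd[2211]: Failed password for gary from 203.0.113.7 port 51005 ssh2
Mar  3 10:02:00 bastion sshd[2300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  3 10:02:01 bastion sshd[2301]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar  3 10:02:02 bastion sshd[2302]: Failed password for carol from 198.51.100.9 port 40003 ssh2
Mar  3 10:02:03 bastion sshd[2303]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Mar  3 10:02:04 bastion sshd[2304]: Failed password for invalid user admin from 198.51.100.9 port 40005 ssh2
Mar  3 10:03:00 bastion sshd[2400]: Failed password for gary from 192.0.2.5 port 50000 ssh2
Mar  3 10:03:09 bastion sshd[2401]: Accepted publickey for gary from 192.0.2.5 port 50001 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def failures_by_source(log_text: str) -> dict[str, Counter]:
    """{source_ip: Counter({username: failed_attempts})}"""
    table: dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            table[m["ip"]][m["user"]] += 1
    return dict(table)


def classify(log_text: str, threshold: int = 5) -> dict[str, str]:
    """Verdict per source IP: 'dictionary', 'spraying' or 'noise'."""
    verdicts = {}
    for ip, users in failures_by_source(log_text).items():
        if max(users.values()) >= threshold:
            verdicts[ip] = "dictionary"          # one account hammered with many guesses
        elif len(users) >= threshold and max(users.values()) <= 2:
            verdicts[ip] = "spraying"            # many accounts, one or two guesses each
        else:
            verdicts[ip] = "noise"               # e.g. a user mistyping once
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

The "invalid user" variant matters: sprayers commonly include account names that do not exist, and a regex that only matches "Failed password for <user>" would miss those lines.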

Jen is conducting a penetration test for a client. The client did not provide her with any details about their systems in advance of the test and Jen is determining this information using reconnaissance techniques. What type of test is Jen performing?

Black box Answer B is correct.Jen is performing black-box tests that are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through infrastructure or systems as an attacker would.Answer C is incorrect. White-box tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target.Answer D is incorrect. Gray-box tests are a blend of black-box and white-box testing.Answer A is incorrect. Blue-box tests are not a type of penetration test.

Robin is planning to conduct a risk assessment in her organization. She is concerned that it will be difficult to perform the assessment because she needs to include information about both tangible and intangible assets. What would be the most effective risk assessment strategy for her to use?

Combination of quantitative and qualitative risk assessment. Answer C is correct. Robin will achieve the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing tangible, financial risks, whereas qualitative risk assessment is good for intangible risks. Combining the two techniques provides a well-rounded risk picture.

Gwen is working on the implementation of a new feature in an application used by her organization. She is writing code to improve the user interface. What environment should Gwen be working in?

Development. Answer C is correct. Gwen should be working in the development environment. Developers working on active changes to code should always work in the development environment. Answer D is incorrect. The test environment is where the software or systems can be tested without impacting the production environment. Answer A is incorrect. The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production. Answer B is incorrect. The production environment is the live system; software, patches, and other changes that have been tested and approved move to production.

Ben would like to join a group of security professionals in his industry who share information about current threats. What would be the best type of group to join?

ISAC Answer A is correct.Information sharing and analysis centers (ISACs) are groups organized specifically for the purpose of sharing information about security threats. ISACs operate on a trust model, allowing in-depth sharing of threat information for both physical and cyber threats. Answer D is incorrect. The Payment Card Industry Data Security Standard (PCI DSS) is an industry regulatory framework that specifies the cybersecurity requirements for organizations involved in credit card transactions. Answer C is incorrect. The Family Educational Rights and Privacy Act (FERPA) requires that U.S. educational institutions implement security and privacy controls for student educational records.Answer B is incorrect. The Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect health-care providers, health insurers, and health information clearinghouses in the United States.

April is working with an independent auditor to produce an audit report that she will share with her customers under NDA (nondisclosure agreement) to demonstrate that her organization has appropriate security controls in place and that those controls are operating effectively. What type of audit report should April expect?

SOC 2 Type 2 Answer B is correct.April should expect the SOC 2 Type 2 report. The fact that the auditor will be assessing the effectiveness of the controls means that this is a Type 2 report, not a Type 1 report. The fact that it will be shared only under NDA means that it is a SOC 2 assessment.Answer A is incorrect. SOC 2 Type 1 reports provide the auditor's opinion on the description provided by management and the suitability of the design of the controls.Answers C and D are incorrect. There are no SOC 3 Type 3 and SOC 3 Type 4 reports.

What hardware device is used to create the hardware root of trust for modern desktops and laptops?

TPM. Answer C is correct. A hardware root of trust is a component whose keys and behavior the rest of the system can rely on because software cannot copy or alter them. A Trusted Platform Module (TPM) is the component commonly used for this on desktops and laptops: it holds a unique endorsement key installed at manufacture, records boot measurements in its platform configuration registers, and can seal secrets (such as a BitLocker volume key) so they are released only when those measurements match. Answers D and B are incorrect. CPUs and system memory are not unique in this way on common desktops and laptops. Answer A is incorrect. A hardware security module (HSM) is used to create, manage, and store cryptographic keys and certificates and to perform and offload cryptographic operations, typically for servers and CAs rather than endpoints.

Chris is designing a data loss prevention (DLP) implementation for his organization. His primary goal is to protect a set of product plans that reside in a small data repository. New files are added to this repository on a periodic basis, and all of the files in the repository require protection. What technology would meet Chris's needs?

Watermarking. Answer C is correct. Chris could use either host-based or network-based DLP to meet his needs. The key technology in this scenario is the use of watermarking as the identification technique for sensitive data. Chris can tag all the documents in the secure repository with digital watermarks (a marker embedded in each file) so the DLP system recognizes them wherever they travel, including files added later. Answer A is incorrect. Honeypots are systems that are intentionally configured to appear vulnerable but are actually heavily instrumented and monitored systems that document everything an attacker does while retaining copies of every file and command they use. Answer B is incorrect. Bear trap is not a security term; it is a stock-trading term for a short-lived price rise within a downtrend. Answer D is incorrect. A darknet is unused network space that is instrumented to allow the observation of network probes and attacks, particularly those that target network space by iterating through IP (Internet Protocol) address ranges.

Which of the following techniques would allow an attacker to gain access to a target's network with the lowest investment and lowest probability of detection?

War driving

The chief financial officer (CFO) of a large corporation has been tasked with assessing tangible and intangible losses associated with the recent exploitation of a vulnerability in a critical enterprise system. Which of the following classes of impact should cause the CFO to be most concerned about loss of future business?

Reputation. Answer A is correct. A serious incident might give the corporation a reputation for having lax security standards, being unable to recover well from an attack, or even failing to be honest and open with its customers. Any of those might cause customers to take their business to more trustworthy competitors. Answer D is incorrect. Direct financial costs can certainly harm the business and its bottom line, but they only affect future earnings if the company does not restore services quickly; reputational losses are harder to restore. Answer C is incorrect. Data loss can have a serious impact since data is a valuable asset that might be entirely irreplaceable. It can affect present and future business in many ways, but loss of future revenue is only a small part of that, if any. Answer B is incorrect. Loss of service availability will affect revenue during the outage, but if the organization's reputation is relatively unharmed, future earnings should be less affected.

Which of the following is an example of an attribute that strengthens the authentication process but does not act as a primary authentication factor?

A point-of-contact signing someone else into a secure facility Answer A is correct. A point-of-contact is a "someone you know" attribute. It isn't really an authentication factor since it doesn't strongly demonstrate who the visitor is, the way it would if they were an authorized user. The security staff at the facility will likely still want the visitor's name and identification and might reject entry if there is a reason to. However, the trusted employee vouching for the visitor strengthens their claim to enter. Answer D is incorrect. A single-use PIN texted to a mobile phone is a possession factor demonstrating possession of a known user's phone. It's usually used as part of two-factor authentication such as with a password, but nothing keeps it from being a primary authentication factor of its own. For instance, you might be texted a PIN as part of resetting a password you've forgotten. Answer C is incorrect. Answering three secret questions is a common, if insecure, password reset/recovery measure. It serves as a separate knowledge-based authentication factor: by knowing the answers, you gain access just as though you had known the password. Answer B is incorrect. For mobile devices with this type of pattern on the lock screen, the user must trace the correct sequence of dots without lifting their finger in order to unlock the phone. This constitutes the "something you can do" attribute but also performs the same primary-authentication function as would biometrics or entering a password on the same screen.

Samantha is investigating a cybersecurity incident where an internal user used her computer to participate in a denial-of-service attack against a third party. What type of policy was most likely violated?

AUP Answer B is correct. This activity was almost certainly a violation of the organization's acceptable use policy (AUP), which should contain provisions describing the appropriate use of networks and computing resources belonging to the organization. The AUP provides network and system users with clear direction on permissible uses of information resources. Answer D is incorrect. Business partnership agreements (BPAs) exist when two organizations agree to do business with each other in a partnership. Answer A is incorrect. Service level agreements (SLAs) are written contracts that specify the conditions of service that will be provided by the vendor and the remedies available to the customer if the vendor fails to meet the SLA. Answer C is incorrect. A memorandum of understanding (MOU) is a letter written to document aspects of the relationship.

You have a lingering problem with mobile users who connect to untrusted Wi-Fi networks without enabling their VPN, out of forgetfulness or lack of technical knowledge. What technology might help solve the problem?

Always-on VPN Answer A is correct. Always-on VPNs detect when the device connects to an untrusted network and establish a VPN connection. If it cannot connect, it displays a warning and may block risky traffic. These security measures reduce the risk of a user conducting sensitive business over an insecure network by mistake. Answer D is incorrect. Encapsulating Security Payload (ESP) is the IPsec component that provides encryption for packet payloads. It is an important part of many VPNs, but it's only enabled when the VPN itself is. Answer C is incorrect. Full tunneling sends all traffic from the VPN client through the VPN tunnel regardless of its destination. It places more burden on the other VPN endpoint and can reduce network performance, but it greatly improves security when connecting to an insecure network. You want to use full tunneling for clients on untrusted Wi-Fi networks, but since it only works when the VPN is enabled, it alone won't solve your problem. Answer B is incorrect. Secure Shell (SSH) is a secure communications protocol used to replace insecure shells and file transfer protocols like Telnet and FTP. It can also tunnel other applications as a limited VPN. SSH can operate securely across untrusted Wi-Fi networks, but it won't solve the problem you're having.

Among the options listed, which mitigation technique is known most for increasing security at the expense of flexibility?

Application whitelisting Answer B is correct. Application whitelisting is characterized by allowing the installation of only specific applications. Although whitelisting won't allow the installation of any application that is not configured as being allowed, making the environment more secure, this behavior doesn't accommodate accidental omissions from the list or new legitimate applications that simply have not been added to the list yet, affecting overall productivity until the corrections have been made by an administrator. Not allowing users to install any application they deem necessary removes overall flexibility from the process. Answer C is incorrect. Application blacklisting creates a list of applications that are strictly not allowed to be installed. By implication, all other applications will be allowed. While this may be a highly flexible environment for installing applications that may never result in security issues, the risk that must be assessed for the possibility of such issues may be enough to cause risk-averse policymakers to shun this highly flexible, lower-security model instead of testing the theory. Answer D is incorrect. Mobile device management (MDM) tools and policies increase the flexibility regarding the variety of devices that employees can use to access corporate resources, but doing so increases the overall risk to the organization because of a concept known as deperimeterization, which alludes to the challenge of setting up perimeter defenses when the perimeter can no longer be clearly defined. Answer A is incorrect. Security Orchestration, Automation, and Response (SOAR) platforms automate and analyze security data with the goal of streamlining and standardizing incident-response workflows. Where possible, the SOAR platform will automate the response process, reducing the number of alerts that require a human response in the first place.
In the case of SOAR, security increases through the use of playbooks and runbooks that tighten up the process of step-by-step responses to security incidents, which also increases the flexibility of the overall environment, allowing quicker responses through automation. The reduced demands on the human level reduce fatigue in general from such sources as false alarms and the need for constant mental focus. This increased mental acuity, coupled with the automation and orchestration, adds to the overall flexibility of the combined human-digital collaboration.

Which of the following enterprise mobile deployment models introduces the greatest amount of risk for the implementing organization?

BYOD Answer D is correct. A bring your own device (BYOD) model has the greatest risk to the enterprise; the organization must support and secure an arbitrary number of device models owned and controlled by employees. Answer C is incorrect. The corporate-owned, personally enabled (COPE) model is relatively low-risk for the organization. Personal use of company-owned devices introduces risk, but the enterprise can restrict device security settings and user permissions as much as desired, and support complexity is a known quantity because the devices were chosen by the organization, and not by the employees. Answer B is incorrect. The choose your own device (CYOD) model reduces the risk of BYOD by limiting the number of models the organization needs to support. Risks from employee-owned devices and personal use still exist, but as with COPE, the enterprise is aware of all models that are in use and can effectively administer and support them. Answer A is incorrect. The corporate-owned, business-only (COBO) model represents the least risk for the organization. Devices are fully controlled by the enterprise and used only for approved work purposes. The drawback is that it is inconvenient for and unpopular with employees, who are relegated to carrying two devices or forgoing use of their personal device while at work.

Gary's organization is conducting a cybersecurity exercise. Gary is responsible for defending his systems against attack during the test. What role is Gary playing in the exercise?

Blue team Answer D is correct. Gary is playing the role of the blue team. Blue teams are responsible for managing the organization's defenses. Answer A is incorrect. Red team members are the attackers who attempt to gain access to systems. Offensive hacking is used by red teams as they attempt to gain access to systems on the target network. Answer B is incorrect. White teams serve as the neutral moderators of the exercise. White team members are the observers and judges. Answer C is incorrect. Purple teaming is conducted after an exercise to bring together the red and blue teams for knowledge sharing.

Carl's organization is subject to PCI DSS (Payment Card Industry Data Security Standard). He determines that he will be unable to meet one of the PCI DSS objectives due to technical limitations and has obtained permission from his merchant bank to implement an alternative mechanism in place of the PCI DSS requirement. What type of control is Carl implementing?

Compensating Answer A is correct. The scenario does not tell us whether the control is preventive, detective, or corrective. We do know, however, that it is being used in place of another control requirement that Carl's organization is unable to meet and is, therefore, a compensating control. Compensating controls are controls designed to mitigate the risk associated with exceptions made to a security policy. Answer D is incorrect. Preventive controls intend to stop a security issue before it occurs. Answer B is incorrect. Detective controls identify security events that have already occurred. Answer C is incorrect. Corrective controls remediate security issues that have already occurred.

What automation practice keeps code created by multiple developers from diverging or conflicting?

Continuous integration Answer A is correct. Continuous integration (CI) practices merge code changes to the main branch several times a day, so that developers can't introduce conflicts through individual working copies of the code. To prevent merging bad code, CI automates testing and building processes as well as the merging process itself, orchestrating them into a single workflow. Answer B is incorrect. Continuous delivery (CD) extends continuous integration by using short development cycles and frequent releases to make sure that software is constantly ready for release. After code is committed, the only manual decision which needs to be made is whether to deploy it to customers. Answer C is incorrect. Continuous deployment (also CD) extends continuous delivery by automating and orchestrating the release process from committing code to deploying production software. Once software is confirmed to be built, tested, and ready to deploy, it automatically goes to customers. Answer D is incorrect. Continuous monitoring automates performance monitoring of an application and its environment after deployment. It is often used as a final quality safeguard in fast-paced DevOps environments.

Jeff is concerned about the effects that a ransomware attack might have on his organization and is designing a backup methodology that would allow the organization to quickly restore data after such an attack. What type of control is Jeff implementing?

Corrective Answer D is correct. Jeff is implementing corrective controls, which remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a corrective control. Answer C is incorrect. Preventive controls intend to stop a security issue before it occurs. Answer B is incorrect. Detective controls identify security events that have already occurred. Answer A is incorrect. Deterrent controls seek to prevent an attacker from attempting to violate security policies.

Ron receives an emergency alert that computers throughout his organization have begun to display a message demanding that a ransom be paid in Bitcoin to allow restoration of access to important business documents and other files. What type of malware often uses this type of behavior?

Crypto malware Answer C is correct. Crypto malware frequently demands a ransom paid in Bitcoin to unlock files. Although paying does often result in the files being restored, this is a dangerous option and does not guarantee results. Secure, independent backups are the best insurance against cryptographic malware taking your business out of operation. Answer A is incorrect. Worms spread themselves, usually by targeting vulnerable applications or services. Answer B is incorrect. Keyloggers capture keystrokes so that attackers can steal passwords or other sensitive data. Answer D is incorrect. Spyware is malware that is designed to obtain information about an individual, organization, or system.

Which of the following is a form of ransomware?

Crypto-malware Answer C is correct. Crypto-malware is a form of ransomware that encrypts a filesystem or individual objects within one. The victim must pay a ransom to get the hostage data decrypted and avoid its release to the public. Answer D is incorrect. A rootkit is a type of malware that infiltrates a system at its core and establishes the highest level of privilege and control. Unlike with ransomware, the victim may not even know that the rootkit is present if the objective is not to disrupt normal system behavior. Answers A and B are incorrect. Command and control (C&C or C2) servers remotely control bots, which are agents installed on a system to turn it into a zombie. The collection of zombies under the control of the C&C server is known as a botnet. The zombies are less of a victim and more of an unwitting accomplice to the attacker running the C&C server. The ultimate victim often experiences a DDoS under the distributed computing might of the botnet, but not a captive system being held for ransom.

The VP of human resources has put you in charge of securing a critical server for the department. You'll be hardening its operating system according to company policies and regularly checking configuration and system logs. In asset management terms, what role have you taken on?

Custodian Answer D is correct. The role of the data custodian is to apply the security settings to the data in compliance with the classification level dictated by the data owner. Answer C is incorrect. The role of administrator is not generally applied to issues of data classification and security. Administrators are more often responsible for directing or performing the tasks associated with configuring and maintaining information systems, especially servers and high-end workstations. Similarly, information security administrators are more often responsible for ensuring that security policies are taken into consideration when placing and configuring security controls within the enterprise network. Answer B is incorrect. The data owner's responsibility is to classify information according to the organization's data classification policy before handing it off to the data custodian to be secured. Answer A is incorrect. Users of data benefit from the roles of the owners, custodians, and stewards but have no input concerning securing the data to begin with.

Kevin is attempting to determine whether he can destroy a cache of old records that he discovered. What type of policy would most directly answer his question?

Data retention Answer D is correct. The most relevant policy here is the organization's data retention policy, which should outline the standards for keeping records before destruction or disposal. The data retention policy outlines what information the organization will maintain and the length of time different categories of work product will be retained prior to destruction. Answer A is incorrect. The data governance policy clearly states the ownership of information created or used by an organization. Answer B is incorrect. The data classification policy describes the classification structure used by an organization and the process used to properly assign classifications to data. Answer C is incorrect. Data minimization reduces risk by reducing the amount of sensitive information that we maintain on a regular basis.

Vince is conducting a penetration test against an organization and believes that he is able to gain physical access to the organization's facility. What threat vector does this access allow him to exploit that would otherwise be unavailable?

Direct access Answer A is correct. Engaging in a direct access attack requires physical access and would only be possible if he can gain entry to a facility during his penetration test. Bold attackers may seek to gain direct access to an organization's network by physically entering the organization's facilities. One of the most common ways they do this is by entering public areas of a facility, such as a lobby, customer store, or other easily accessible location, and sitting and working on their laptops, which are surreptitiously connected to unsecured network jacks on the wall. Answers D, C, and B are incorrect. Vince could engage in wireless, cloud, or supply chain attacks without gaining access to the target's facilities.

Ed wants to trick a user into connecting to his evil twin access point. What type of attack should he conduct to increase his chances of the user connecting to it?

Disassociation Answer B is correct. If Ed can cause his target to disassociate from the access point they are currently connected to, he can use a higher transmission power or closer access point to appear higher in the list of access points. If he is successful at fooling the user or system into connecting to his AP (access point), he can then conduct man-in-the-middle attacks or attempt other exploits. Answer A is incorrect. A birthday attack is an attack on cryptographic hashes, based on something called the birthday theorem. Answer D is incorrect. A known plain-text attack is a type of cryptographic attack and is not useful for this type of attempt. Answer C is incorrect. Rainbow table attacks attempt to reverse hashed password values by precomputing the hashes of common passwords.

Derek's organization securely shreds all documents before they are disposed of and secures their trash. What information gathering technique are they attempting to prevent?

Dumpster diving Answer D is correct. Dumpster diving recovers paper records and even electronic devices and media from the trash as part of intelligence gathering operations. Derek's organization is taking two common steps to prevent it. Answer B is incorrect. Shoulder surfing involves looking over someone's shoulder to acquire information. Answer C is incorrect. Pharming attacks attempt to redirect traffic to a site provided by the attacker. Answer A is incorrect. Tailgating is a physical entry attack that requires simply following someone who has authorized access to an area so that as they open secured doors you can pass through as well.

Which technology or category of products was developed to allow agents installed on hosts to report a variety of measurable statistics for central processing and analysis?

EDR Answer D is correct. Endpoint Detection and Response (EDR) is a product category consisting of comprehensive endpoint security software which gathers security-related behaviors from individual network hosts, then uses the data to investigate suspicious activities and trends. Data collected might include processes, configuration changes, file system activity, and network connections. Answer A is incorrect. A host-based intrusion detection system (HIDS) protects an individual host by watching for signs of attack and generating alerts. It is not necessarily a centrally managed solution, even though it can be. Answer B is incorrect. A network-based intrusion detection system (NIDS) protects a network by watching for signs of attack and generating alerts. It does not rely on agents installed on hosts; it typically is installed on a network appliance. Answer C is incorrect. Unified threat management (UTM) appliances are advanced firewalls containing numerous other network security features. They do not rely on host-based agents.

While conducting a penetration test, you've just managed to get access to a critical server. You are concerned, however, because you gained access through a session-hijacking attack that took both luck and precise timing and that you might be cut off at any time. Given potentially limited time, what should your next step be?

Establish persistence. Answer B is correct. Establishing persistence will make it easier for you to regain system access if you suddenly lose it. Once you have persistent access, you can perform other tasks at your leisure. In some cases, you might need to escalate privileges in order to establish persistence, such as by creating a new account on the target server, but that is more of a case-by-case judgment. Answer A is incorrect. Escalating privileges will improve your control over the target system, but if you lose access without establishing persistence, all of your work so far will be lost. The only case where you would want to escalate privileges first is if you cannot establish persistence with your current privilege level. Answer D is incorrect. Your connection is tenuous right now, and if you want to maintain access to the critical server you should establish persistence, and then perform reconnaissance. Answer C is incorrect. Pivoting can give you more access and visibility through the rest of the network, but if you're suddenly cut off before you establish persistence, you'll have to start over from square one.

A company is planning to outsource the application hosting for a critical business application. The systems administrator needs to determine the policies that are required. Select the policy that corresponds to each definition.
Definitions:
• An agreement that is not legally binding
• An agreement that permits repetitive purchases
• A legally binding agreement that defines the level of service, including uptime and criteria
• An agreement that governs the … organizations

Explanation A Memorandum of Understanding (MOU) is not a legally binding agreement. Instead, it is a more casual agreement between two or more parties. An MOU is typically used when a legally binding agreement is not possible. A Blanket Purchase Agreement (BPA) is an agreement that permits recurring purchases. For example, you might use a BPA if you will be placing multiple orders or hiring a contractor for more than one job. An Interconnection Security Agreement (ISA) is an agreement that defines the technical specification for connectivity between the systems in two or more organizations. A Service Level Agreement (SLA) is an agreement that guarantees a specific level of service, including uptime, performance requirements, mean time between failures, and other characteristics.

A security administrator discovers that an employee is exfiltrating proprietary company information. The administrator is concerned that the user may try to cover their tracks. What should the administrator do first? (Choose the correct answer.)
• Create a bit-stream image of the employee's workstation.
• Implement a legal hold on the user's mailbox.
• Install a keylogger on the employee's workstation.
• Enable data loss prevention on email servers.

Explanation The administrator should implement a legal hold on the user's mailbox. A legal hold is typically the first action in an eDiscovery process. A legal hold can be a process, a software feature, or a combination of both. A Human Resources or Legal department will likely approve a legal hold and notify data custodians such as system administrators to retain all files related to an incident. The legal hold feature on an email or file server may retain all changes, including file deletions, while the hold is active. Whatever the process, a legal hold is meant to preserve evidence. The administrator should not install a keylogger on the employee's workstation. In addition to the ethical issues this approach might raise, installing a keylogger will not preserve existing evidence. The administrator should not enable data loss prevention (DLP) on email servers. DLP is typically enabled on servers and other network devices to detect and prevent data exfiltration. An effective DLP program might have prevented the data exfiltration. The administrator should not create a bit-stream image of the employee's workstation. Bit-stream images are taken during computer forensic investigations. This may occur later in the eDiscovery process.

After a risk assessment of a company's data centers, the company determines that the most cost-effective risk response strategy is to purchase cyberinsurance for the data centers. What type of risk control strategy has the company implemented? (Choose the correct answer.)
• Mitigation
• Acceptance
• Transference
• Avoidance

Explanation The company has selected a transference risk control strategy for its data centers. Risk transference is the act of shifting the risk to an outside entity, in this case, the company issuing the insurance policy. Risk acceptance refers to understanding the risk and its consequences and accepting that risk without implementing controls or attempting mitigation. This is often the preferred path when a risk has a low likelihood to occur or would have minimal impact if it did occur. Risk avoidance refers to applying safeguards to eliminate or reduce the impact of uncontrolled risks. This usually involves user training and establishing company policies related to the risk. Risk mitigation is the act of taking steps to prevent a vulnerability from being exploited or minimize the potential impact of an identified risk. This includes putting technical controls in place and developing disaster recovery plans.

A company has an Ethernet network with four switches, as well as two wireless APs. All devices that connect to either network must be authenticated using EAP. What should the company use? (Choose the correct answer.)
• 802.1X
• WPA
• SAML
• XTACACS

Explanation The company should use 802.1X. The 802.1X protocol allows centralized authentication, authorization, and accounting for various types of connections, including wired Ethernet, wireless, and virtual private network (VPN). The authentication protocol used is Extensible Authentication Protocol (EAP), which supports various types of authentication. The connectivity device is known as the authenticator and is a client of the authentication server. Its role is actually to pass authentication requests to an authentication server. The most common authentication server used is a Remote Authentication Dial-In User Service (RADIUS) server. However, the Diameter protocol is an enhancement to RADIUS and is gradually replacing it. The client in an 802.1X architecture must implement 802.1X and is known as a supplicant. The company could use Wi-Fi Protected Access (WPA) on the wireless access points. WPA supports 802.1X. However, a more secure choice would be WPA2. Also, WPA would not be used on the Ethernet networks. The company should not use Security Assertion Markup Language (SAML). SAML is an open-source data format that supports single sign-on by specifying a structure for sending authentication data between two parties. The company should not use Extended Terminal Access Controller Access-Control System (XTACACS). XTACACS is a protocol used by remote access servers to communicate with an authentication server. XTACACS is a legacy protocol and is no longer being maintained.

A security consultant is contracted by a company to perform a grey-box penetration test. The consultant plans to use a computer running Kali Linux to map the open ports on critical network servers. Which two commands can the consultant use? (Choose two.)
• dig
• nslookup
• curl
• nmap
• netcat

Explanation The consultant should use the netcat or nmap command to map the open ports on critical servers. Both are Linux commands available on a Kali Linux computer and both can be used to generate a list of open ports. The nmap command can also be used to generate a list of live hosts and IP addresses in use. The netcat command can also be used to debug or monitor network connections and transfer files. The consultant should not use the nslookup or dig commands. Both commands are used to retrieve information from Domain Name System (DNS) name servers. They are also used for troubleshooting DNS servers. The consultant should not use the curl command. The curl command is a file transfer utility that can transfer data to or from a server using the HTTP, HTTPS, FTP, FTPS, scp, SFTP, TFTP, DICT, TELNET, LDAP, or FILE protocols.

A company is contracting with a third-party security company to perform penetration testing. Which two considerations are NOT defined in the rules of engagement? (Choose two.)
• Testing goals
• Evidence handling procedures
• Targeted IP ranges and domains
• Permission to test
• Physical location of testers

Explanation The following considerations are NOT part of the rules of engagement for penetration testing:
• Targeted IP ranges and domains
• Testing goals
Like the rules of engagement, these considerations are part of the pre-engagement interactions for setting up penetration testing. The rules of engagement document typically specifies:
• Testing timeline
• Physical location of testers
• Evidence handling
• Regular meetings
• Time of day to test
• Acceptable/unacceptable shunning
• Permission to test
• Legal considerations
Changes to these components would require renegotiating the rules of engagement.

During a vulnerability scan, a security administrator discovers an application that is no longer supported by the vendor. The administrator's manager decides that purchasing the latest version of the application is not in the organization's budget. Which risk management technique has the manager employed? (Choose the correct answer.)
• Risk acceptance
• Risk transference
• Risk avoidance
• Risk mitigation

Explanation The manager has employed risk acceptance. Risk acceptance is the process of acknowledging a risk and not taking any additional action. At some point, all organizations accept some level of risk, even after other measures have been implemented. In this scenario, the cost of mitigating the risk was determined to be higher than the cost of letting the risk persist. The manager has not employed risk avoidance. Risk avoidance means eliminating the risk. For example, if a company was considering building a plant in an area prone to earthquakes, risk avoidance would result in the company not building in that location. The manager has not employed risk transference. Risk transference occurs when organizational risk is transferred to a third party. Risk transference is mostly accomplished via some type of insurance. Cyber security insurance and flood insurance are examples of risk transference. The manager has not employed risk mitigation. Risk mitigation involves implementing a safeguard or security control that either minimizes or reduces the vulnerability, or reduces the potential impact of an event if the risk is realized.

What is the EU regulation called that protects privacy and limits the transfer of personal data outside of the EU?

GDPR Answer D is correct. The General Data Protection Regulation (GDPR) is a sweeping privacy law that not only applies to companies based in the EU but also to businesses anywhere in the world that do business with or market to EU residents. Answer C is incorrect. The Center for Internet Security (CIS) is a non-profit organization that develops and promotes best practices in cybersecurity. It develops security benchmarks and assessment tools for operating systems and network applications. Answer B is incorrect. The International Organization for Standardization (ISO) 31000 series isn't a regulation. It's a certification framework for managing general organizational risk. It isn't limited to information systems and doesn't directly relate to private data; it focuses more on organizational leadership. Answer A is incorrect. The ISO 27000 series isn't a regulation, but a certification framework for information security practices. Although ISO 27701, in particular, does provide guidance on the protection of privacy, it is neither a regulation, as previously stated, nor specific to the EU.

Which of the following controls primarily protect data integrity? Each correct answer represents a complete solution. Choose two.

Hashing Backups Answers A and B are correct. Data integrity is defined as the measure of accuracy of data received across a network, for instance, or read from storage, when compared to the data originally sent or stored. Integrity can be maintained by creating one or more additional copies of the original data, such as through a backup process. Integrity can also be verified by using a hashing algorithm to produce a message digest and attaching that digest to the data being sent. The same hashing operation as was performed on the original data is performed on the received data, and if the digests match, the data is considered authentic. Answers E and C are incorrect. Encryption and least privilege are confidentiality, not integrity, controls. Answer D is incorrect. Fault tolerance seeks to maintain availability by eliminating single points of failure.

While analyzing the shortcomings in the operation of the enterprise's NIDS, you discover that in its current mode of operation, only known attacks are being reported. What is recommended to enable detection of previously unknown attack methods through the use of artificial intelligence (AI)?

Heuristic Answer D is correct. Heuristic methods look for behavior which seems unusual, relative to the normal baseline; it is also called anomaly-based. Artificial intelligence systems are a good way to implement them, since heuristic rules are difficult to create manually, and machine learning speeds the process. Heuristics are the most reliable way to identify previously unknown attacks, but they're most effective when you have a large amount of baseline data to compare against. Care must be taken to ensure that training data does not come from a compromised system, thus tainting the baseline. Answer C is incorrect. Stateful protocol analysis uses packet inspection and rules that compare incoming traffic with a profile of how its protocols are intended to work. It can detect attacks that simple signature-based rules will not, but it's still limited against totally new attacks or poorly documented proprietary protocols. Answer B is incorrect. Signature-based rules compare incoming traffic to behavior characteristic of specific known attacks. It's the least "intelligent" form of analysis but also the easiest to implement. While signature-based detection is great against well-known attacks, it's totally useless against new threats. Answer A is incorrect. Passive detection is listening to existing traffic without interacting with or disturbing it. That's how a NIDS usually works and, thus, isn't a particularly applicable way to detect novel threats.

Your department just deployed some fake DNS servers which only interact with automated scripts, never legitimate clients. When they receive unexpected requests, they send an alert to the SIEM. What technique is being used?

Honeypot Answer B is correct. Honeypots are fake systems and services that are designed to detect threat activities without giving an attacker access to useful resources. In this case, an unexpected request to the fake DNS server means that an attacker is likely performing network reconnaissance, or perhaps attempting a DNS-related attack. Answer C is incorrect. Intrusion prevention systems (IPSs) monitor traffic to a host or through a network segment, detecting and blocking traffic that's likely part of an attack. They are placed transparently in the network path, rather than imitating another sort of service, so while they might detect illicit DNS traffic they would not be an endpoint of it. Answer D is incorrect. A next-generation firewall (NGFW) or unified threat management (UTM) appliance would include features such as firewall and IPS that would detect or block suspicious traffic directed to actual network hosts and services. While it might provide some network services of its own, it would not contain any fake services meant to distract an attacker. Answer A is incorrect. A DNS sinkhole is a DNS server that gives false results to DNS requests for specific domain names, such as those associated with malware. To do so, it must accept and respond to DNS requests from hosts that are not infected, unlike a honeypot, which does not serve a normal network function.

Kathleen wants to set up a system that allows access into a high-security zone from a low-security zone. What type of solution should she configure?

Jump box Answer A is correct. Kathleen should configure jump boxes, which are systems or servers used to provide a presence and access path in a different security zone. Jump boxes should be configured to create and maintain a secure audit trail, with copies maintained in a separate environment to allow for incident and issue investigations. Answer B is incorrect. VDI is a virtual desktop infrastructure and is used to provide controlled virtual systems for productivity and application presentation, among other uses. Answer C is incorrect. A container is a way to provide a scalable, predictable application environment without having a full underlying virtual system. Answer D is incorrect. A DMZ (demilitarized zone) is a secured zone exposed to a lower trust level area or population.

A secure records room installed a new iris scanner, chosen for its low crossover error rate. What does that mean it has?

Low FRR and low FAR Answer A is correct. The Crossover Error Rate occurs at the sensitivity level where the False Acceptance Rate and False Rejection Rate are equal. That isn't always the sensitivity level you actually want, but a low CER indicates a device with a relatively low error rate. Answer B is incorrect. A high False Rejection Rate and a high False Acceptance Rate would indicate a scanner prone to error and generally undesirable. It would also have a high CER. Answer C is incorrect. A high False Rejection Rate and a low False Acceptance Rate would indicate a sensitive scanner which seldom authenticates the wrong person but tends to reject legitimate users. It would have a relatively high CER, and would be secure but hard to use. Answer D is incorrect. A low False Rejection Rate and a high False Acceptance Rate would indicate a scanner that easily accepts users, but often mistakes unauthorized parties for known users. It would be convenient to use, not terribly secure, and have a relatively high CER.

Which tool can your organization use to remotely wipe a lost mobile phone when BYOD has been implemented in the enterprise?

MDM Answer B is correct. Mobile device management (MDM) software allows centralized management of mobile devices, including troubleshooting and remote wiping of sensitive data. In a bring your own device (BYOD) environment, device owners must allow installation of MDM agents on their own devices, but the software functions remain the same. Answer C is incorrect. Data loss prevention (DLP) software is designed to prevent sensitive data from being exfiltrated to external networks or unauthorized devices. Removing data from a lost device isn't a typical use; preventing it from being copied to an insecure mobile device might be. In a BYOD environment, users might be expected to install DLP clients or might be protected by network-based DLP when connected to the company network, but it won't be as useful in this situation. Answer D is incorrect. Firewalls govern network traffic, but do not affect what happens to data at rest. Data stored on a phone is beyond a firewall's reach. In a BYOD environment, devices on enterprise networks would be protected by network firewalls, and device owners might be required to install a firewall application. Answer A is incorrect. Mobile application management (MAM) software is used to provision and configure approved enterprise apps. In a BYOD environment, you might use a MAM to distribute and secure commercial or in-house applications available for mobile work devices.

Colleen's organization recently suffered a security breach in which the attacker was able to destroy a system that processes customer orders. Colleen is concerned that the breach is slowing down the delivery of those orders. What type of risk concerns Colleen the most?

Operational Answer D is correct. A breach that disrupts customer order processing may cause many different impacts on the organization, including operational, financial, and reputational risk. However, in this scenario, Colleen's primary concern is the disruption to the business, making this an operational risk. Operational risk is a risk to the organization's ability to carry out its day-to-day functions. Answer B is incorrect. Strategic risk is the risk that an organization will become less effective in meeting its major goals and objectives as a result of the breach. Answer C is incorrect. Financial risk is, as the name implies, the risk of monetary damage to the organization as the result of a data breach. Answer A is incorrect. Reputational risk occurs when the negative publicity surrounding a security breach causes the loss of goodwill among customers, employees, suppliers, and other stakeholders.

An in-house application crashes whenever a particular module is called and executed. Upon closer inspection, it is discovered that the module calls a variable associated with user input for the purpose of reading the contents of the corresponding memory location to which the variable is set. The code contained an instruction to check the validity of the variable, but the instruction followed the line of code that calls the variable. Which types of application vulnerabilities are likely the cause of this undesired behavior? Each correct answer represents a part of the solution. Choose two.

Pointer dereferencing Race condition Answers A and B are correct. Pointer dereferencing is a normal process in programming languages that use pointers; it refers to accessing the content at the memory location referenced in a variable known as a pointer. The term becomes a security topic when the pointer is "null," or empty, which usually causes the application or, worse yet, the system to crash. Even if a language, such as C, interprets null as zero, that can cause the kernel to access a predictable memory location, which can be populated by the attacker in some cases. In other instances, an attacker can set the value of the pointer to a specific value, null or otherwise, in the interest of carrying out an attack. In this case, a race condition is also at the root of the problem. In particular, a time-of-check/time-of-use (TOCTOU) issue is the cause. The programmer needs to check that the pointer is not set to null before dereferencing it. Although the source of the vulnerability was innocent, the availability concerns are serious and, if known or suspected by an attacker, can be exploited to cause a DoS. Answers C and D are incorrect. Overflow concerns arise during write operations when that which is being written exceeds the length of the memory location (buffer) or number of digits in the variable (integer) to which it is being written. In this case, information is being read, not written. Answer E is incorrect. In situations where null-pointer dereferencing occurs, there is no amount of error handling that can avoid the crash of the module or application. The solution here is to correct the code to eliminate the possibility of dereferencing a null pointer.

Which of the following techniques allows a threat actor to engage more in the act of eliciting information than in interview and interrogation of the victim?

Pretexting Answer C is correct. Pretexting is the act of developing a back story as to why the attacker is contacting the victim, which may include a fair amount of reconnaissance, including compromising the email accounts of the victim or their business contacts. Using information gleaned from such sources, the attacker can create the illusion of happening upon an appropriate casual conversation with the victim as an insider, flattering them to draw them in and even making intentionally inaccurate comments about the subject at hand so the victim has the opportunity to feel authoritative on the topic by feeding the attacker the correct information in a seemingly innocent exchange. Answer D is incorrect. Credential harvesting involves stealing passwords and cryptographic keys. Although this type of attack could be used to fuel the narrative used by the attacker, credential harvesting is not a direct technique for eliciting information. Answer A is incorrect. Fraudulently assuming the identity of the victim would cause immediate suspicion and discomfort on the part of the victim. Stealing the identity of someone the victim knows would have a similar effect. Even the theft of the identity of a person with whom the victim is less familiar is less effective than simply spoofing their identity through digital means, an act that often enables and accompanies pretexting, making the victim more comfortable with the ensuing interactions with the attacker. Answer B is incorrect. Prepending refers to adding common prefixes to email subject lines to give the appearance that an email is in response to an ongoing thread. An alert recipient of such emails might look into the veracity of such a thread and become quite suspicious of the attacker.

Gary discovers that his organization is storing some old files in a cloud service that are exposed to the world. He deletes those files. What type of risk management strategy is this?

Risk avoidance Gary is changing business practices to eliminate the risk entirely. This is, therefore, an example of risk avoidance. Risk avoidance is a risk management strategy where we change our business practices to completely eliminate the potential that a risk will materialize. Answer D is incorrect. Risk mitigation is the process of applying security controls to reduce the probability and/or magnitude of a risk. Answer C is incorrect. Risk acceptance is the final risk management strategy and it boils down to deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk. Answer A is incorrect. Risk transference shifts some of the impacts of risk from the organization experiencing the risk to another entity.

Andrew is working with his financial team to purchase a cybersecurity insurance policy to cover the financial impact of a data breach. What type of risk management strategy is he using?

Risk transference Answer D is correct. Andrew is using the risk transference strategy. Purchasing insurance is the most common example of risk transference: shifting liability to a third party. Risk transference shifts some of the impacts of risk from the organization experiencing the risk to another entity. Answer A is incorrect. Risk avoidance is a risk management strategy where we change our business practices to completely eliminate the potential that a risk will materialize. Answer C is incorrect. Risk acceptance is the final risk management strategy and it boils down to deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk. Answer B is incorrect. Risk mitigation is the process of applying security controls to reduce the probability and/or magnitude of a risk.

Eve is investigating a security incident where the user of a web application submitted an internal URL to the application and tricked the web server into retrieving sensitive data from that URL and displaying it as output. What term best describes this attack?

SSRF Answer A is correct. Server-side request forgery (SSRF) attacks trick a server into visiting a URL (uniform resource locator) based on user-supplied input. SSRF attacks are possible when a web application accepts URLs from a user as input and then retrieves information from that URL. If the server has access to nonpublic URLs, an SSRF attack can unintentionally disclose that information to an attacker. Answers B and D are incorrect. Cross-site request forgery attacks, abbreviated as XSRF or CSRF attacks, are similar to cross-site scripting attacks but exploit a different trust relationship. Cross-site scripting (XSS) attacks exploit the trust that a user has in a website to execute code on the user's computer. Answer C is incorrect. Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform Hypertext Markup Language (HTML) injection, inserting their own HTML code into a web page.

Frank's organization recently suffered an attack in which a senior system administrator executed some malicious commands and then deleted the log files that recorded his activity. Which of the following would mitigate the risk of this activity recurring in the future?

Separation of duties Answer D is correct. Separation of duties is the most effective way to mitigate this risk. Administrators who have access to perform privileged activities on systems should not also have the ability to alter log files. Answer C is incorrect. Mandatory vacations serve a purpose by forcing employees to take annual vacations of a week or more of consecutive time and revoking their access privileges during that vacation period. Answer B is incorrect. Job rotation takes employees with sensitive roles and moves them periodically to other positions in the organization. Answer A is incorrect. Security awareness training commonly incorporates elements of gamification, designed to make training more enjoyable and help users retain the message of the campaign.

You require your users to log on using a user name, password, and rolling 6-digit code sent to a keyfob device. They are then allowed computer, network, and email access. What type of authentication have you implemented?

Single sign-on Multifactor authentication

Jean recently completed the user acceptance testing process and is getting her code ready to deploy. What environment should house her code before it is released for use?

Staging Answer C is correct. The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production. Answer D is incorrect. The test environment is where the software or systems can be tested without impacting the production environment. Answer A is incorrect. The production environment is the live system. Software, patches, and other changes that have been tested and approved move to production. Answer B is incorrect. The development environment is typically used for developers or other builders to do their work.

Which of the following statements about STIX and TAXII is most accurate?

TAXII enables the automated sharing of STIX-structured threat information. Answer B is correct. The Trusted Automated eXchange of Indicator Information (TAXII) protocol enables exchange of threat intelligence, while the Structured Threat Information eXpression (STIX) standard provides a format for the threat intelligence indicators themselves. Answer A is incorrect. STIX is a common format allowing cyber threat intelligence (CTI) indicators to be easily shared with others. Services and message exchanges can contain STIX-formatted data, but are not STIX themselves. This is closer to a TAXII definition than to a STIX definition. Answer D is incorrect. Both STIX and TAXII are standards published by MITRE and are meant to be used in concert, neither one being able to do the other's job alone. Answer C is incorrect. TAXII is a protocol used to exchange and share STIX data. It is not the second or newer version of it.

Which of the following is a process that provides integrity, authenticity, and non-repudiation?

Use of digital signatures Answer C is correct. A digital signature hashes the signed data, then encrypts it with the sender's private key. Anyone can use the corresponding public key to verify the signature, but only the owner of the private key can create the signature. It has integrity since changes to the message would be detected via the hash, authenticity since anyone can verify the sender's private key was used, and non-repudiation since no one else should have access to the private key. Answer D is incorrect. Hashing provides integrity, but not authenticity or non-repudiation. Anyone could have hashed the data originally. Answer A is incorrect. Key exchange does not inherently provide any of those factors. Secure key exchange methods use different methods to guarantee authenticity to prevent on-path attacks during the exchange process. Answer B is incorrect. A certificate signing request (CSR) does not provide integrity, authenticity, or non-repudiation. In fact, it should be protected by a secure channel or physical meeting in high security situations. The certificate eventually granted is digitally signed, and many certificates can be used for signatures themselves, providing integrity, authenticity, and non-repudiation.

When is it appropriate to establish a legal hold on information?

When the information is not in your control but is legally relevant Answer C is correct. Placing a legal hold on information relevant to an investigation or courtroom proceeding obligates its owner to preserve it unaltered until the situation has been resolved. You could, for example, require a service provider to preserve logs of a potential attack, even beyond their normal log retention period. Answer B is incorrect. A legal hold applies to data under the control of other parties. If information is under your control you can use forensic preservation and confidentiality controls to protect it. However, if others establish a legal hold on data that you control, you must preserve it and comply with lawful eDiscovery requests. Answer A is incorrect. Regulatory compliance includes data retention requirements, in part because regulated information might be needed for auditing processes or investigations. However, legal holds generally apply to specific information needed for a particular investigation. Answer D is incorrect. Legal holds do not generally apply to internal investigations or the information they gather, unless such information is placed under a hold by another party. The converse is also true, regarding information that other parties gather that you need for them to hold on your behalf.

What is the primary difference between SIEM and SOAR?

While SIEM can automate security monitoring, SOAR can orchestrate automated responses to an incident according to a related workflow. Answer C is correct. Security Information and Event Monitoring (SIEM) utilities are employed to gather information, correlate the multitude of events collected, and analyze them to discover trends and alert administrators to any conclusions arrived at. Security Orchestration, Automation, and Response (SOAR) utilities, by contrast, coordinate and automate tasks among various tools, providing quicker cybersecurity response and improved enterprise security posture. Answer B is incorrect. This does not accurately represent the relationship between these two technologies. This description applies more to syslog for log collection and SIEM for the log analysis. Answer A is incorrect. Runbooks and playbooks are two approaches to the security response in the face of an incident. In short, a playbook can use multiple runbooks in its workflow; it is often used as guidance to response analysts for navigating the human-based response, which may include engaging various runbooks for automating clearly defined processes along the way. Answer D is incorrect. SOAR absolutely leverages the power behind runbooks and playbooks in its orchestration, which is a term that refers to bringing multiple automated processes together into a complete workflow. SIEM is simply one form of automation for security monitoring, which does not include orchestration.
