Mock Exam 2


You are the security administrator for a multinational corporation that has an Active Directory domain. What type of attack uses HTML tags with JavaScript inserted between the <script> and </script> tags? a. Cross-site scripting b. Man-in-the-middle c. Cross-site forgery d. SQL injection

a Concept: Cross-Site Scripting (XSS) uses HTML tags or JavaScript.

Footage of people relaxing in their homes started appearing on the internet without the knowledge of the people being filmed. The people being filmed were warned by relatives and co-workers, resulting in an enquiry being launched by the police. Initial evidence reported a similarity in that they had all recently purchased IoT devices, such as health monitors, baby monitors, smart TVs, and refrigerators. Which of the following best describes why the attacks were successful? a. The devices' default configurations had not been changed b. Their houses had been broken into and hidden cameras were installed c. The victims' wireless networks were broadcasting beyond the boundaries of their homes d. The manufacturers of the devices installed hidden devices, allowing them to film

a Concept: IoT home-based automated devices should have the default configurations of the username and password changed. Most users do not realize that these passwords exist.

The serious crimes agency has just taken control of a laptop belonging to a well-known criminal that they have been trying to track down for the last 20 years. They want to ensure that everything is done by the book and that no errors are made. What is the first step in their forensic investigation, prior to starting the chain of custody? a. Make a system image of the laptop b. Place it in a polythene bag and seal it c. Hash the data so that data integrity is assured d. Ask for proof of ownership of the laptop

a Concept: The first step is to create a system image or, if it is a hard drive, create a forensic copy.

An attacker managed to access a guest machine and then attacked a database server and managed to exfiltrate the credit card details of 20,000 users. What type of attack did they carry out? a. VM escape b. VM sprawl c. System sprawl d. VM containerization

a Concept: VM escape can be used for a lateral attack on the virtual host or the other virtual machines.

From a security perspective, what is the major benefit of using imaging technology, such as Microsoft WDS server or Symantec Ghost, to image desktop computers and laptops that are being rolled out? a. It provides a consistent baseline for all new machines b. It ensures that all machines are patched c. It reduces the number of vulnerabilities d. It allows a non-technical person to roll out the images

a Concept: When you build an image, all of the applications will have the same settings and updates and therefore will be consistent. A baseline consists of the applications that are installed at the current time.

A company has just installed a new wireless network and has found that some devices are interfering with other wireless devices. Which of the following have the administrators failed to carry out? Choose the best two. a. Heat map b. Checking wireless channels c. Site survey d. Low-power directional antennas

a, c Concept: A site survey should be carried out prior to installing a wireless network as it maps out all of the items that would interfere with a wireless connection. A heat map shows the coverage with blue/green areas showing poor connectivity and red showing great connectivity.

You are working for the serious crimes unit of the United Nations and have been given a laptop to investigate. You need to ensure that the evidence you are investigating has not been tampered with during your investigation. How are you going to prove this to the court when it is time to present your findings? Which of the following techniques will you adopt to best prove this? Select all that apply. a. MD5 b. 3DES c. SHA 1 d. Blowfish

a, c Concept: Hashing proves data integrity. SHA1 and MD5 are both hashing algorithms.

You are the security administrator for a medium-sized company that needs to enforce a much stricter password policy via group policy. The aims of this policy are to do the following:
- Prevent using the same password within 12 password changes.
- Ensure that users cannot change the password more than once a day.
- Prevent weak or simple passwords, such as 123456 or password, from being used.
Select the options that you will need to fulfill all of these goals. a. Enforce password history b. Minimum password length c. Passwords must meet complexity requirements d. Minimum password age e. Maximum password length

a, c, d Concept: The password history is the number of previous passwords that are remembered before one can be reused. Password complexity requires users to use three of the following four character types in the password: lowercase, uppercase, numbers, and special characters not used in programming. A minimum password age set to 1 means that you can change the password only once a day, preventing rapid password rotation until you get back to the original password.

Which of the following constitutes risk transference? Choose two. a. Outsourcing your IT support b. Purchasing anti-virus software c. Identifying and classifying the asset d. Purchasing cybersecurity insurance

a, d Concept: Risk transference is where you transfer the responsibility for the risk to a third party; purchasing insurance of any kind and outsourcing your IT are examples.

You are the new IT director of a small, family-owned business that is rapidly expanding. You have submitted your annual budget for the IT team and the owners of the company want to know why you have asked for funds for vendor diversity. They have asked you to provide two good reasons as to why they should grant you the funds. Which of the following are the most suitable reasons why you wish to implement vendor diversity? a. Reliability b. Regulatory compliance c. It is a best practice in your industry d. Resilience

a, d Concept: Vendor diversity involves getting a service from two different providers at the same time. Vendor diversity provides reliability and resilience. For example, if broadband from one provider fails, then the second provider's broadband should still be up and running.

You are a security administrator and you wish to implement an encrypted method of authentication for your wireless network. Which of the following protocols is the most secure for your wireless network? a. WPA2-PSK b. EAP-TLS c. PEAP d. PAP

b Concept: EAP-TLS is a secure wireless authentication protocol, as it uses certificates. An X509 certificate is installed on the endpoint. This is the most secure EAP standard.

Which of the following is a measure of reliability? a. MTTR b. MTBF c. MTTF d. RPO

b Concept: Mean Time Between Failures (MTBF) is the measure of the number of failures. If I purchased a car and it broke down every day for the next week, I would take it back, as it would be unreliable.

A security administrator looked at the top five entries from a report received from a SIEM server that showed the following output:
Name: Invalid Login Attempts
John Templeton 220
George Scott 219
Mary Shaw 219
Ian Neil 219
Joe Shipley 219
What type of attack did the SIEM system discover? a. Password history b. Password spraying c. RAT d. Dictionary attack

b Concept: Password spraying is where an attacker obtains a list of employees and then tries common passwords against each account.

A security administrator found that a domain controller was infected by a virus. They isolated it from the network and then removed the virus and turned off the telnet service. Which of the following has the administrator just carried out? a. Containment b. Eradication c. Recovery d. Lessons learned

b Concept: Removing viruses and turning off services are carried out at the eradication phase.

You are the security administrator of a multinational company that has recently prevented brute-force attacks by using account lockout settings with a low value using group policy. The CEO of the company has now dictated that the company will no longer use account lockout settings as he read an article about it and got the wrong impression. Facing this dilemma, how can you ensure that you can make it more difficult for brute force to be successful? a. Obfuscation b. Salting c. XOR d. ROT 13

b Concept: Salting appends random characters to a password before it is hashed. As the passwords are then longer, brute-force attacks need more processing and computation resources to crack them.

You are the network administrator for a large multinational corporation, and you have captured packets that show that the administrator's credentials between their desktop and the network devices are in cleartext. Which of the following protocols could be used to secure authentication? Select the best choice. a. SNMP v3 b. Secure Shell c. SCP d. SFTP

b Concept: Secure Shell (SSH) is used for secure remote access and credentials are protected.

A company recently suffered a break-in, where the company's research and development data was stolen, and the assembly line was damaged. Which of the following threat actors is most likely to have carried this out? a. A criminal syndicate b. A competitor c. A script kiddie d. A nation state

b Concept: The R&D department creates a lot of the company's trade secrets; therefore, a competitor would steal them to beat you to the marketplace. If they damaged your production line, it would prevent you from getting a product to market.

The political adviser to the Prime Minister of the United Kingdom has returned from the two months of summer break that all staff are entitled to. He has applied for an immediate transfer to another department, stating that his health is bad, and the job was far too intense. When his replacement arrives, he finds that, during the summer recess, the political adviser has shredded all documents relating to a political inquiry that has involved his cousin. The police are immediately called in and say that they cannot prosecute the political adviser due to lack of evidence. What precautions could the Houses of Parliament security team take to prevent further events such as this from happening in the future? a. Create a change management document to ensure that the receptionists are more vigilant to people coming in out of hours b. Enforce time-based access restrictions so that nobody can access the IT systems during summer breaks c. Enforce separation of duties to ensure that any document that is destroyed has been witnessed by a second person d. Enforce mandatory vacations to prevent him coming in during the recess

b Concept: Time-based access restrictions would have prevented someone from accessing the system during the holidays.

Your organization has many different ways of connecting to your network, ranging from VPN and RAS to 802.1x authentication switches. You need to implement a centrally managed authentication system that will record periods of access. Select the two most suitable methods of authentication. a. PAP b. TACACS+ c. NTLM d. RADIUS

b, d Concept: AAA servers are used for centralized authentication as they provide authentication, authorization, and accounting. They can record all log-ins and log-outs in a database.

You are the system administrator for a multinational company that wants to implement two-factor authentication. At present, you are using facial recognition as the method of access. Which of the following would allow you to obtain two-factor authentication? Select all that apply. a. Palm reader b. Signature verification c. Thumb scanner d. Gait e. Iris scanner

b, d Concept: Facial recognition is "something you are." b and d are both "something you do": you have a unique signature, and your gait is how you walk.

The security auditor has just visited your company and is recommending change management to reduce the risks from the unknown vulnerabilities of any new software introduced into the company. What will the auditor recommend for reducing the risk when you first evaluate the software? Select the best two practices to adopt from the following list. a. Jailbreaking b. Sandboxing c. Bluesnarfing d. Chroot jail e. Fuzzing

b, d Concept: Sandboxing and chroot jail (Linux version) allow you to isolate an application inside a virtual guest machine.

You provide a service for people who have recently fulfilled their contract with their mobile phone provider to unlock their phone and then install third-party applications on it. They will then no longer be tied to using the mobile phone vendor's app store. Which of the following techniques will you use to achieve this? Select all that apply. a. Tethering b. Sideloading c. Slipstreaming d. Jailbreaking or rooting e. Degaussing

b, d Concept: Sideloading involves loading third-party applications onto an unlocked mobile phone. Jailbreaking (iOS) or rooting (Android) is where the phone has been unlocked, removing the vendor's restrictions on the mobile phone.

You are the purchasing manager for a very large multinational company, and you are looking at the company's policy of dealing with the insurance of laptops. Last year, the company lost a record number of laptops. Your company is losing 10 laptops per month and the monthly insurance cost is $10,000. Which of the following laptop purchases would prevent you from purchasing insurance? a. A budget laptop at $1,300 each b. A budget laptop at $1,200 each c. A budget laptop at $1,000 each d. A budget laptop at $1,001 each

c Concept: SLE = ALE / ARO
ALE = 12 x $10,000 = $120,000
ARO = 12 x 10 = 120 laptops a year
Single loss expectancy (SLE) = $120,000 / 120 = $1,000

If an attacker is looking for information about the software versions that you use on your network, which of the following tools could they use? Select all that apply: a. Netstat b. Port scanning c. Nmap d. The harvester

c Concept: Network Mapper (Nmap) can identify new hosts on the network, identify what services are running, and identify what operating systems are installed. It can also be used for banner grabbing.

A security administrator has discovered that members of the sales team are connecting their own laptops to the company network without permission. What type of threat to the network have they discovered? a. Malicious insider b. BYOD c. Shadow IT d. Competitor

c Concept: A shadow IT threat is where someone connects their own device to a private network without permission.

Which of the following attacks cannot be detected by any monitoring systems? a. Pass-the-hash b. Man-in-the-middle c. Zero-day virus d. Smurf attacks

c Concept: A zero-day virus is a newly released virus, and no monitoring system can detect it until it receives an update in about 7 days' time. There are no patches for it either.

A research and development computer that holds trade secrets needs to be isolated from other machines on the network. Which of the following is the best solution? a. VLAN b. PVC c. Air gap d. Containment

c Concept: An air gap isolates a computer from the network as it has no wired or wireless connections. The only way to extract data is by removable media.

Fifteen developers are working on producing a new piece of software. After 4 weeks, they all submit the code that they have produced, and it has just been moved into the development phase of the software development. All of this code will be automated. What has just been carried out? a. Continuous validation b. Continuous monitoring c. Continuous integration d. Continuous development e. Automated courses of action

c Concept: Continuous Integration is where code from multiple sources is integrated together.

A cybersecurity administrator is looking at a customer database and has noticed the following against the credit card of a customer: **** **** **** 3456 What has the administrator come across? a. Tokenization b. Obfuscation c. Data masking d. XOR

c Concept: Data masking masks all or some of the data held in a field.

You are the security administrator for a multinational corporation and you recently carried out a security audit. Following the audit, you told the server administrators to disable NTLM and enable Kerberos on all servers. Which of the following types of attack best describes why you took this action? a. It will improve the server's performance b. To prevent a man-in-the-middle attack c. To prevent a pass-the-hash attack d. To prevent a POODLE attack

c Concept: Disabling NTLM or enabling Kerberos will prevent pass-the-hash attacks. Kerberos is the better of the two as passwords are held in an encrypted database.

Which of the following are the characteristics of a third-party to third-party authentication protocol that uses XML-based authentication? a. Single sign-on (SSO) b. Kerberos c. SAML d. Secure Shell

c Concept: Federation services is a third-party-to-third-party authentication method that uses SAML, an XML-based method for authentication. SAML passes credentials to the Identity Provider (IdP).

Which of the following is footprinting? a. Creating a list of approved applications b. Listing network connections c. Creating a diagram about network connections and hosts d. A list of approved applications

c Concept: Footprinting maps out network topology including active hosts.

A web server was the victim of an integer overflow attack. How could this be prevented in the future? a. Install a proxy server b. Install a SQL injection c. Input validation forms d. Install a web application firewall

c Concept: Input validation prevents buffer-overflow attacks, integer-overflow attacks, and SQL injection by restricting the input to a certain format.

You are the security administrator for a multinational corporation based in Miami, and your company has recently suffered a replay attack. Following lessons learned, you have decided to use a protocol that uses timestamps and USN to prevent replay attacks. Which of the following protocols is being implemented here? Select the best answer. a. Federation services b. EAP-TLS c. Kerberos d. RADIUS federation

c Concept: Kerberos issues tickets for authentication, and each change has a different Updated Sequence Number (USN) and timestamps. It prevents both replay and pass-the-hash attacks.

A company that is allowing people to access their internet application wants the people who log in to the application to use an account managed by someone else. An example of this is using their Facebook account with a technology called OpenID Connect. Which of the following protocols is this based on? Select the best choice. a. Kerberos b. SAML c. OAuth 2.0 d. Federation Services

c Concept: OAuth 2.0 is the industry-standard protocol for authorization. It is used by OpenID Connect, where people can be authenticated using their Facebook or Google account.

You are the owner of a small business that has just installed a terminal for allowing payment by credit/debit card. Which of the following regulations must you adhere to? a. SSAE b. NIST c. PCI DSS d. GDPR e. ISO 31000

c Concept: Payment Card Industry Data Security Standard (PCI DSS) lays out the regulations for the handling and storage of financial information.

You work on the cybersecurity team of a large multinational corporation, and you have been alerted to an attack on the web server inside your screened subnet that is used for selling your products on the internet. You can see by running netstat that you have an unknown active connection. What should be the first step you take when investigating this incident? a. Isolate the web server by disconnecting it from the network to prevent further damage b. Disconnect all external active connections to ensure that any attack is stopped c. Run a packet sniffer to capture the network traffic to identify the attacker d. Take a screenshot of the damage done to the website and report the incident to the police

c Concept: The first step when investigating any attack is to capture the volatile evidence. In this incident, you would capture the network traffic to identify the source of the attack.

You are the operational manager for a financial company that has just suffered a disaster. Which of the following sites will you choose to be fully operational in the smallest amount of time? a. Cold site b. Warm site c. Hot site d. Off site

c Concept: The hot site should be up and running with data that has been replicated.

You are the network administrator for an IT training company that has over 20 training rooms that are all networked together in their Miami office. Last week they suffered an attack from the internet. What solution should be deployed to prevent this in the future? a. Create a VLAN on the switch and put the corporate admin team in the VLAN b. Install a router in the LAN and place the corporate admin team in the new subnet c. Create a NAT from the firewall and put the corporate machines in that network d. Install a proxy server

c Concept: A NAT hides the internal network from external users.

You are the auditor of a large multinational corporation and the SIEM server has been finding vulnerabilities on a server. Manual inspection proves that it has been fully hardened and has no vulnerabilities. What are the two main reasons why the SIEM server is producing this output? a. There was a zero-day virus b. False negatives c. False positives d. The wrong filter was used to audit

c, d Concept: If we are using the wrong configuration for the SIEM server, we will get poor monitoring, resulting in false positives. This would also happen if you scanned the wrong type of host.

Which of the following is a standard for data privacy and handling? a. SSAE b. NIST c. PCI DSS d. GDPR e. ISO 31000

d Concept: GDPR is a framework for data protection law ensuring the privacy rights of individuals. It deals with data privacy and data sharing.

You need to install a new wireless access point that should be as secure as possible, while also being backward compatible with legacy wireless systems. Which of the following do you choose to implement? a. WPA2 PSK b. WPA c. WPA2 CCMP d. WPA2 TKIP

d Concept: WPA2 is the most secure and TKIP is backward compatible. WPA also works with legacy but is not the best choice.

You work in the forensics team of a very large multinational corporation, where an attack has happened across three different sites in two different countries. You are now going to install a SIEM server to collect the following log files from all of the locations:
- Security logs
- DNS logs
- Firewall logs
- NIPS logs
- NIDS logs
What is the first action that you need to take before collating these logs? a. Apply time normalization to these logs b. Copy them onto a WORM drive so that they cannot be tampered with c. Sort out the sequence of events by site d. Install a Network Time Protocol (NTP) server

d Concept: We need to install an NTP server to synchronize the time of all of the servers so that the events can be put into a sequence of events.

You are the administrator for a large multinational organization. You wish to purchase a new biometric system. Which of the following is a critical factor when making the purchase? a. High FAR b. Low FRR c. Low FAR d. Low CER e. High CER f. High FRR

d Concept: When the FAR and FRR are equal, this is known as the CER. A system with a low CER is the best choice as it has very few errors.

You want to protect the admin password for a wireless router. Which of the following wireless features would be most appropriate to achieve this objective? a. WPA2-Enterprise b. TKIP c. WPS d. PSK e. CCMP

e Concept: CCMP uses AES for encryption and is the strongest wireless security.

I need to purchase a certificate that I can install on five internet-facing mail servers. Which of the following is the most cost-effective solution? a. PEM certificate b. Wildcard certificate c. Subject Alternative Name (SAN) certificate d. Root certificate

b Concept: A wildcard certificate can be used on multiple servers, normally those that are internet facing.

You are the system administrator for an Active Directory domain and deal with authentication on a daily basis. Which of the following would you use as multifactor authentication? a. Smart card b. Kerberos c. WPS d. TOTP

a Concept: A smart card is "something you have," inserting the card into the reader is "something you do," and then when you enter the PIN, it is "something you know."

A biometric system has been letting in unauthorized users ever since it had a patch upgrade. Which of the following is being measured? a. CER b. FAR c. FRR d. CVE

b Concept: Unauthorized users are allowed. Look at the middle initial in FAR - it is A for allow.

Why would a network administrator install a Network Intrusion Detection System (NIDS)? Select the two best options. a. It identifies vulnerabilities b. It identifies new network hosts c. It identifies viruses d. It identifies new traffic patterns e. It identifies new web servers

b, d Concept: A NIDS uses sensors and collectors to identify changes to the network.

You are the security administrator for a multinational company, and you know that one of your X509 certificates, used in at least 300 desktop machines, has been compromised. What action are you going to take to protect the company, using the least amount of administrative effort? a. Email the people involved and ask them to delete the X509 from their desktop immediately b. Carry out certificate pinning to prevent the CA from being compromised c. Revoke the root CA X509 so it is added to the CRL d. Revoke the X509 so it is added to the CRL

d Concept: Once a certificate has been compromised, it should immediately be revoked so it is added to the CRL.
