Pretest 2

An hacker is trying to crack encrypted text. Frequency analysis suggests the text is encrypted with a substitution cipher. Which of the following satisfy this criteria for the encryption method? ANSWER 3DES ECC THE CORRECT ANSWER ROT13 XOR

WHAT YOU NEED TO KNOW A substitution cipher hides information by replacing units (a letter or blocks of letters) in the plaintext with different ciphertext. As such, ROT13 is a substitution cipher that rotates each letter in the alphabet by 13 places. The other choices are not substitution ciphers.3DES (Triple DES) is a symmetric block cipher where the plaintext is encrypted three times using different subkeys.ECC (Elliptic Curve Cryptography) is an asymmetric encryption technique that leverages the algebraic structures of elliptic curves over finite fields to generate public/private key pairs.XOR is an operation that outputs 0 (false) if both values are the same and 1 (true) if the values are different.

The risk that a private key is compromised during a communication session is mitigated by Perfect Forward Secrecy (PFS). What does PFS apply Diffie-Hellman (D-H) key agreements to create in this situation? ANSWER Session key THE CORRECT ANSWER Ephemeral key Key exchange Key stretching

WHAT YOU NEED TO KNOW Ephemeral keys improve security because even if an attacker can obtain the key for one session, future sessions will remain confidential.While an ephemeral key is a session key, an important difference between the two is that an ephemeral key is only used for one session where a session key can be re-used.Key exchange is the process where the sender and receiver agree on which key to use for encryption. Key exchange is not created through use of D-H key agreements.Key stretching is a technique for making the key generated from a user password stronger. This is accomplished by putting it through thousands of rounds of hashing. It is unrelated to PFS.

A company runs multiple VM's on a single physical server to increase availability and lower operating costs. To update files, the company releases a Microsoft patch. While the patch update pushed out, it only reached a few of the machines degrading the functionality of the server. What type of phenomenon occurred? ANSWER DDoS VM Escape THE CORRECT ANSWER VM Sprawl Patch Management

WHAT YOU NEED TO KNOW Virtualization sprawl is a phenomenon that occurs when the number of virtual machines (VMs) on a network reaches a point where the administrator can no longer manage them effectively. This can happen by patch mismanagement or simply too many virtual machines.Virtual machine escape is a vulnerability that enables a user to gain access to the primary hypervisor and associated virtual machines.Patch management refers to the process of maintaining and updating software applications. It entails applying and testing each update.A DDoS (Distributed Denial of Service) attack occurs when multiple systems are compromised and used to attack a single system.

A Black Hat wants to make some easy money. The attacker infected multiple computers with Trojans and gathered farms of zombies to rent out to spammers. In this way, the spammers can use the zombies to put phishing Trojans in spam email. What did the Black Hat essentially create? ANSWER A Denial of Service (DoS) attack A Distributed Reflection Denial of Service (DRDoS) attack A Smurf attack THE CORRECT ANSWER A botnet

A botnet WHAT YOU NEED TO KNOW A botnet is a set of computers that has been infected to enable attackers to exploit computers to mount attacks. Black Hats can gather "farms" of zombies (botnets) infected with Trojans and rent them out to spammers who put phishing Trojans in spam email. A Distributed Reflection Denial of Service (DRDoS) is a TCP SYN flood attack. The adversary spoofs the victim's IP address and attempts to open connections with multiple servers, and consumes the victim's available bandwidth. In a Smurf attack, the adversary spoofs the victim's IP address and pings the broadcast address of a third-party network. Each host directs its echo responses to the victim server. A Denial of Service (DoS) attack causes a service to become unavailable.A botnetA botnet

Rather than trying to obtain the plain text New Technology LAN Manager (NTLM) password from a password database on a Windows Active Directory (AD) server, an attacker submits a captured hash to successfully authenticate with the domain. What type of attack did the malicious user perform? ANSWER A Man-in-the-Middle (MitM) attack A birthday attack A downgrade attack THE CORRECT ANSWER A pass-the-hash attack

A pass-the-hash attack WHAT YOU NEED TO KNOW A replay attack consists of intercepting a key or password hash then reusing it to gain access to a resource, such as the pass-the-hash attack. A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. This type of attack can be used for the purpose of forging a digital signature. A downgrade attack can be used to facilitate a Man-in-the-Middle (MitM) attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths. A Man-in-the-Middle (MitM) attack is a form of eavesdropping in which the attacker makes an independent connection between two victims and steals information to use fraudulently.

What must be added to Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) to ensure secure transmission of credentials? ANSWER THE CORRECT ANSWER A secure connection tunnel Repeated handshakes New Technology (NT) hashes An additional router

A secure connection tunnel WHAT YOU NEED TO KNOW MS-CHAP is Microsoft's first implementation of CHAP, supported by older clients. MS-CHAP should not be deployed without a secure connection tunnel (such as SSL or SSH), so credentials passed will be encrypted.NT hashes are vulnerable to hacking attempts, as NT is the most basic, legacy form of password encryption.CHAP periodically repeats the handshake throughout the session automatically, transparent to the user.Adding a router has the potential to provide mutual authentication, but there is not enough information in this question to determine whether this would work. CHAP typically provides a one-way handshake. Cisco's implementation of CHAP allows for mutual authentication (but only between two Cisco routers).

In a federation, the trust relationship allows a relying party to establish identity through an identity provider. In which of the following situations is this relationship most beneficial to the relying party? ANSWER Staff have requested Single-Sign On (SSO) for all of their accounts; the identity provider establishes this The relying party, a company, needs help managing its staff accounts, and uses a third party THE CORRECT ANSWER A user wants to ask sales staff a question about a product on the relying party's website The relying party wants secure and easy credit card sales transactions

A user wants to ask sales staff a question about a product on the relying party's website. WHAT YOU NEED TO KNOW The relying party benefits from users gaining access to outer layers of a relying party's website through federated identity management. For example, a company may use the credentials provided to a popular website such as Google, to allow users access to their chat function. This provides accessibility for the user to chat with staff without registering for a full account; thus enabling the foot-in-the-door phenomenon.When a sale is initiated, it is necessary for the personal security and the security of the relying party's accounts for a user to create an account. Credit card information should be relayed over an established account, versus relying on the third-party credential.Staff accounts should be managed within a company, as the company opens itself to vulnerabilities by relying on federated partnerships for such internal matters.Single Sign-On at the company level may be established, but it is not wise to enable single-sign on to outside websites for internal accounts.

The Human Resources department has just implemented an acceptable use policy for the company. The IT department provided guidance as it pertains to the use of company computer systems. Which component of the acceptable use policy should be reviewed to ensure security control is being put in place with this effort? ANSWER Preventive Deterrent Corrective THE CORRECT ANSWER Administrative

Administrative WHAT YOU NEED TO KNOW An administrative control is used to determine the way people act, including policies, procedures, and guidance.A preventive control physically or logically restricts unauthorized access. Examples of preventive controls are door locks and system passwords.A deterrent control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. A warning sign is an example of a deterrent.A corrective control responds to and fixes an incident and may also prevent its reoccurrence. A software security patch is an example of a corrective control.

Planning began on a new 10-story building. The IT department (made up of 6 people), want to deploy wireless access points (WAPs) on each floor. It is necessary to decide on how to deploy and manage these devices. Which of the following deployment options are ideal for the company? (Select two). ANSWER SELECT ALL THAT APPLY Correct Answers Your Choices Deploy 802.11a WAPs. Deploy fat APs on each floor. Connect a wireless controller to the network. Deploy thin APs on each floor.

Connect a wireless controller to the network. Deploy thin APs on each floor. WHAT YOU NEED TO KNOW An enterprise-level wireless controller can centrally manage up to 15,000 APs (access points) and 20,000 client computers. Central management will provide a better process for deployment, configuration and maintenance activities, especially with the small team of admins. A thin AP is smaller and simpler to deploy. Once connected, a thin AP can reach back to the wireless controller for specific settings like SSID (service set identifier), band selection, wireless protocol, and other security settings automatically. A fat AP has more processing power and can function on its own. A fat AP's autonomous nature can be a security concern when not managed. The 802.11a wireless protocol is an older technology which is not ideal for modern organizations.

A user wants to use a custom theme for an Android smart phone. The theme requires root access to install custom firmware for its special features. An app in Google Play advertises the ability to root the phone, but is unable to. Which of the following options will provide a better chance to root the phone? ANSWER THE CORRECT ANSWER Connect the phone to a laptop. Reset the phone to factory settings. Moden phones use official apps from cellular carriers to gain root access. Remotely access the phone.

Connect the phone to a laptop. WHAT YOU NEED TO KNOW Connecting the phone to a laptop is called tethering. Effective rooting applications and processes use tethering so the phone boots from a file from the laptop, rather than from the phone.Resetting the phone to factory does not root the phone, or provide root access to other areas of the phone.Gaining remote access to the phone does nothing to root a phone. Although a hacker may use remote access to find and copy data from the user, it does not require root privileges.Cellular carriers do not advertise the use of applications that root a phone. Most carriers may stop support for phones that are rooted and even disable service.

Some domains sound very convincing such as my-credit-card.com, when the authentic domain is mycreditcard.com. There are different processes in place to legitimize these domains. Which process is highly vulnerable to compromise? ANSWER Extended validation THE CORRECT ANSWER Domain validation Email certificate Root certificate

Domain validation WHAT YOU NEED TO KNOW Domain Validation is proving ownership of a particular domain by responding to an email to the authorized domain contact, or by publishing a text record to the domain. It will appear as a green padlock in the browser, but the owner is not verified. This is highly vulnerable to compromise.Extended Validation is a process that requires more rigorous checks on the subject's legal identity and control over the domain or software being signed. The verified name of the owner will appear with the padlock.A root certificate is one that a CA signs for itself.An email certificate can be used to sign and encrypt email messages, typically using S/MIME or PGP.

A group obtained cyber weapons to promote a political agenda, and attempts to obtain and release confidential information to the public. What type of threat actor does this describe? ANSWER Advanced Persistent Threats (APTs) Insider threats Hackers THE CORRECT ANSWER Hacktivists

Hacktivists WHAT YOU NEED TO KNOW Hacktivists use cyber weapons to promote a political agenda, and can attempt to obtain and release confidential information to the public domain, perform Denial of Service (DoS) attacks, or deface websites. Advanced Persistent Threats (APTs) are cyber nation state adversaries that have developed cybersecurity expertise and use cyber weapons to compromise network security and achieve military and commercial goals. Insider threats are employees who harbor grievances or perpetrate fraud. For example, an insider threat might plan and execute a campaign to modify invoices and divert funds. Hackers are individuals who have the skills to gain access to computer systems through unauthorized or unapproved means. The term is sometimes associated with illegal or malicious system intrusion.

A recent walkthrough of an office revealed several employees running unauthorized software, such as games and video editing software. The administrator removed the software from the client's computers. Which of the following are the next steps to preventing this issue from happening again? (Select two). ANSWER SELECT ALL THAT APPLY Correct Answers Your Choices Include the applications on a whitelist. Include the applications on a blacklist. Investigate how they installed the applications. Scan all the client's computers

Include the applications on a blacklist. Investigate how they installed the applications. WHAT YOU NEED TO KNOW Admins must find out how the unauthorized software was retrieved, to prevent all options from being accessible again. Event logs and browsing history may assist in the investigation.Antivirus software includes blacklist features, where any list applications will be prohibited from running on a system.Applications included in a whitelist will be allowed to run on a system. Unauthorized software should never be listed here.The scanning of client computers is the third step, after the investigation is done, and the blacklist has been populated with as many known unauthorized software.

A security operations center (SOC) analyst responds to a Denial of Service (DoS) attack, but has difficulty finding the origin of the attack. After researching the traffic in a protocol analyzer, the SOC analyst wants to block traffic from the attacking system, but suspects the attacker changed the source address recorded in the packets. What kind of attack could this represent? ANSWER THE CORRECT ANSWER Internet Protocol (IP) spoofing Network Address Port Translation (NAPT) overloading Fingerprinting Internet Control Message Protocol (ICMP) redirect

Internet Protocol (IP) spoofing WHAT YOU NEED TO KNOW With IP spoofing, the attacker changes the source and/or destination address in IP packets to disguise the real identity of the attacker's host machine. This is also used in Denial of Service (DoS) attacks, making it harder for the target system to block packets from the attacking system. Network Address Port Translation (NAPT) overloading maps private host IP addresses onto a single public IP address. Fingerprinting is the act of port scanning using a tool, such as Nmap (network mapping), which can reveal the presence of a router and what dynamic routing and management protocols it is running. ICMP redirect (a.k.a. ARP poisoning), tricks hosts on the subnet into routing through the attacker's machine rather than the legitimate default gateway.

What is the difference between jailbreaking and rooting? (Select two). ANSWER SELECT ALL THAT APPLY Correct Answers Your Choices Jailbreaking unlocks the device from the carrier. Jailbreaking is effective with tethering. Rooting is a term associated with Android devices. Rooting is a term associated with iPhone devices.

Jailbreaking is effective with tethering. Rooting is a term associated with Android devices. WHAT YOU NEED TO KNOW The term rooting is associated with Android devices. Many vendors today provide authorized mechanisms for users to access the root account on their device.iOS jailbreaking is accomplished by booting the device with a patched kernel and is mostly performed when the device is attached to a computer when it boots (tethered jailbreak).Jailbreaking does not unlock a device from a carrier. A SIM unlock will allow the device to connect to a different service carrier.Rooting is not associated with iPhone devices. The term jailbreaking is associated with iPhone devices.

"Somewhere you are" authentication can be problematic because so many users sign on to services remotely. Analyze this challenge to determine the most effective implementation of location-based authentication. (Select two). ANSWER SELECT ALL THAT APPLY Correct Answers Your Choices Location-based authentication is best used as a secondary form of authentication after a primary authentication factor for multifactor authentication. Location-based authentication is best used as a Virtual Private Network (VPN)-hopping monitor, to protect against users hopping between IP address. Location-based authentication is best as a continuous authentication measure or access control, to monitor IP location. Location-based authentication is best used as a primary authentication method, based on the geographic location of the user's IP address.

Location-based authentication is best used as a secondary form of authentication after a primary authentication factor for multifactor authentication. Location-based authentication is best as a continuous authentication measure or access control, to monitor IP location. WHAT YOU NEED TO KNOW Location-based authentication is best used as a secondary form of authentication, and works well for continuous authentication or access control feature.If a remote user registers at a VPN gateway but their IP address is in a different country, access may be denied. This can help deny users with malicious intent.Location-based authentication should not be used as a primary authentication method because it is mobile and location services are neither precise nor infallible.Location-based authentication can help detect the use of a VPN in a different geographic location from the user, but it's not meant as a VPN-hopping monitor; other tools are more well-suited for this type of detection.

Applying the concept of OPENID Connect (OIDC), what does the user control when they log in to their computer to access a given website? (Select two). ANSWER SELECT ALL THAT APPLY Correct Answers Your Choices OIDC allows the user a choice of which service provider they use for login and credential management. OIDC allows the user to choose which relying party they login to and provide their credentials. OIDC allows the user to choose which web services they trust with their credential. OIDC allows the user to choose which identity provider to provide with their credentials.

OIDC allows the user to choose which web services they trust with their credential. OIDC allows the user to choose which identity provider to provide with their credentials. WHAT YOU NEED TO KNOW OIDC allows the "sign on with" feature that enables a user to select their identity provider, for example, Google or Microsoft Azure. The user enters his/her login and password credentials to their preferred identity provider, then OIDC allows access to other federated sites.OIDC allows the user a choice in which web services they trust with their credential, as this is just another way of saying they can choose which identity provider they sign in with (for example, Amazon web services, which can act as a security association markup language (SAML) provider).The identity provider does not provide the credential itself to the relying party (a secondary website from the identity provider). The identity provider keeps the credential secure and the user is signed in to the other website through the identity provider.The user always has some degree of choice in which service provider they choose when signing up for internet access.

Password lockout is commonly utilized to prohibit users from logging in after a number of failed password attempts. While this practice may protect against unauthorized users gaining access to valid user login information, what disadvantages might implementing this practice have for an organization? (Select two). ANSWER SELECT ALL THAT APPLY Correct Answers Your Choices Password lockout is more vulnerable to social engineering than other techniques Password lockout is vulnerable to Denial of Service (DoS) attacks Password lockout increases the workload for security management Password lockout is not as secure as a password reset system

Password lockout is vulnerable to Denial of Service (DoS) attacks Password lockout increases the workload for security management WHAT YOU NEED TO KNOW Password lockout rules are vulnerable to DoS attacks. An attacker can simply overwhelm the password login system with login attempts and lock legitimate users out of their accounts, denying service.Password lockout also increases the workload for security managers, as this system typically requires an administrator to unlock locked accounts, and if this happens on a frequent basis, can be quite time consuming.Password lockout is no more or less vulnerable to social engineering than other password techniques. If people write down their passwords because they are required to be complex and they are likely to be locked out of their accounts, it would be easy for someone to obtain a physical copy of the written password. Password policies need to balance complexity requirements with security threats.Lockout is more secure than password reset systems, as the reset systems often rely on e-mail to convey a temporary password, pass code or question answer, which may be unsecured depending on the connection.

A penetration tester established a Command and Control (C2 or C&C) network to control a compromised host and use it as a Remote Access Tool (RAT) or backdoor. What did the penetration tester successfully achieve? ANSWER A pivot point Initial exploitation Action on objectives THE CORRECT ANSWER Persistence

Persistence WHAT YOU NEED TO KNOW Persistence refers to a pen tester's ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor, via a Command and Control (C2 or C&C) network. In the initial exploitation (a.k.a. weaponization) phase, an exploit is used to gain some sort of access to the target's network. A pivot point is a system and/or set of privileges that allow the tester to compromise other network systems (lateral spread). The initial exploit might give the tester local administrator privileges, and use these to obtain privileges on other machines. Action on objectives refers to the adversary or penetration tester stealing data from one or more systems (data exfiltration).

Staff at a marketing company need to be able to log into the networks of their clients. Evaluate and select the authentication method that allows this task to be completed. ANSWER IEEE 802.x THE CORRECT ANSWER RADIUS federation LEAP 1

RADIUS federation WHAT YOU NEED TO KNOW RADIUS federation means that multiple organizations allow access to one another's users by joining their RADIUS servers into a RADIUS hierarchy or mesh. A RADIUS (Remote Access Dial-In User Service) server validates authentication credentials for each user.IEEE 802.1X Port-based Network Access Control is an authentication framework that establishes several ways for devices and users to be securely authenticated before they are permitted full network access. It is not am authentication method.LEAP relies on Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) to transmit authentication credentials.EAP-FAST uses a Protected Access Credential (PAC), which is generated for each user from the authentication server's master key.

Evaluate and select the true statements about hashing algorithms. (Select two) ANSWER SELECT ALL THAT APPLY Correct Answers Your Choices HMAC provides non-repudiation because the key and message are combined. RSA replaced MD5 for use in password hashing and signing digital certificates. RIPEMD is the EU version of MD5 and SHA. MD5 is no longer considered secure for password hashing or signing digital certificates.

RIPEMD is the EU version of MD5 and SHA. MD5 is no longer considered secure for password hashing or signing digital certificates. While MD5 is a commonly used hash algorithm, it is considered weak since ways have been found to exploit collisions in the cipher. Therefore, it is not suitable for passwords and digital certificates.RIPEMD (The RACE Integrity Primitives Evaluation Message Digest) was designed as an alternative to MD5 and SHA in the European Union.HMAC (Hash-Based Message Authentication Code) is used to verify integrity and authenticity of a message by combining hash functions with a secret key. Since both the sender and the receiver know the secret key, there cannot be non-repudiation.RSA is widely deployed as a solution for creating digital signatures and key exchange, however, it is an encryption algorithm, not a hashing algorithm.

A recent breach at a local business has put a great deal of pressure on internal processes. The breach caused many problems for the business and its customers. As a result, security controls for data systems are now being re-audited. At what stage is the business currently practicing in its incident response plan? ANSWER Lessons learned Containment Identification THE CORRECT ANSWER Recovery

Recovery WHAT YOU NEED TO KNOW Recovery from an attack will involve several steps. Re-auditing security controls is important to ensure they are not vulnerable to another attack. A new attack could be launched with information gathered from the network.Identification is the process of collating events and determining whether any of them should be managed as incidents or as possible precursors to an incident.Containment deals with examing how widespread the incident is and keeping it as isolated as possible.During lessons learned, it is important to analyze the incident and responses to identify whether procedures or systems could be improved. Therefore, it is imperative to document all aspects of the incident.

An attacker crafts a Uniform Resource Locator (URL) to perform code injection against a trusted website, and emails the link to a victim user. When the user clicks the link, the trusted site executes the malicious code in the client's browser, with the same permission level as the trusted site. What type of input Cross-Site Scripting (XSS) validation vulnerability did the attacker exploit? ANSWER Cross-site Request Forgery (XSRF) Stored Cross-Site Scripting (XSS) THE CORRECT ANSWER Reflected Cross-Site Scripting (XSS) Document Object Model (DOM)-based

Reflected Cross-Site Scripting (XSS) WHAT YOU NEED TO KNOW Reflected Cross-Site Scripting (XSS) is a server-side input validation exploit that injects a script into a website. Once the victim visits the infected website, the malicious code executes in the user's browser. Stored (or persistent) Cross-Site Scripting (XSS) is a server-side script attack that aims to insert code into a back-end database used by the trusted site. Document Object Model (DOM) Cross-Site Scripting (XSS) exploits vulnerabilities in client-side scripts to modify the content and layout of a web page. A Cross-site Request Forgery (XSRF) exploits applications using cookies to authenticate users and track sessions. The attacker convinces the victim to visit the target site, and then passes an HTTP request to the victim's browser, spoofing an action on the site.

An electronics manufacturer has created a device that can provide live statistics and report engine diagnostics information. The module plugs into a standard diagnostic port found on modern vehicles. After some time, troubleshooting the device uncovers a flaw that impacts electronic controls and damages sensors on particular vehicles. What effect will this flaw have on the manufacturer? (Select two). ANSWER SELECT ALL THAT APPLY Correct Answers Your Choices Reputation Property Finance Safety

Reputation Finance WHAT YOU NEED TO KNOW As news of the flawed device (and the possible related incidents caused by using the device) spreads, the manufacturer's reputation will be directly impacted.As the flawed device's sales likely stop, the manufacturer's financial future will be directly impacted. Additionally, possible lawsuits from consumers that have been impacted will also impact the manufacturer's finances.As vehicle controls have been reported to be compromised by using the device, the consumer will be directly impacted with safety concerns.As vehicle sensors have been reported to be damaged by using the device, the consumer will be directly impacted with property concerns.

Differentiate between retinal and iris scanners. ANSWER Retinal scans identify the complex patterns of blood vessels in the eye using an IR light to show markers for disease, such as cataracts, as identifiers. THE CORRECT ANSWER Retinal scans are complex and intrusive, yet highly accurate, using infrared (IR) light to perform blood vessel pattern analysis. Iris scans are highly complex and intrusive, matching patterns on the surface of the eye with IR imaging. Retinal scans match the patterns on the surface of the eye using near-IR imaging, and are much faster than iris scans.

Retinal scans are complex and intrusive, yet highly accurate, using infrared (IR) light to perform blood vessel pattern analysis. WHAT YOU NEED TO KNOW Retinal scans are more intrusive and accurate than iris scans. Retinal scans use an IR light to identify blood vessel patterns, which remain largely unchanged throughout a person's lifespan. The equipment needed to perform retinal scans is expensive and the process is complex and intrusive.Iris scans match patterns on the surface of the eye using near-IR imaging, making the less intrusive and quicker than retinal scanning. Equipment is less expensive and easier to deploy, but iris scans might be spoofed with a high-resolution photo of a person's eye.Surface of the eye imaging is performed by iris scan, which is faster than a retinal scan.While retinal scans identify the complex patterns of blood vessels, disease may cause errors in the reliability of the scans, not serve as accurate markers for identification.

An organization has been collecting old and retired computer systems in a spare closet. In order to dispose of these systems, all storage media must be removed and destroyed first. Which method would be the most effective for optical media? ANSWER Burning Wiping THE CORRECT ANSWER Shredding Degaussing

Shredding WHAT YOU NEED TO KNOW Shredding is the easiest and most convenient way to destroy optical media (CD and DVD). Shredders can be easily obtained at office supply stores at a reasonable cost.Degaussing uses magnetics to erase data from storage media. Optical media is not magnetic. Degaussing would succeed on a traditional hard disk or backup tape.Wiping involves erasing or overwriting the content on storage media. While some optical media may be rewritable, most likely is not.Burning is an easy way to destroy storage media. However, it is not the most convenient. Any burning would need to be performed in a controlled environment. Additionally, media will contain toxins that will be exposed during burning - so it is not recommended.

A company has purchased a certain brand of network switches at a very low cost for all of its locations. After only 3 months in service, it was found that the switches have a security flaw that cannot be remedied. The company has decided to analyze the risk of replacing all switches of this brand to another. After examining risk assessment approaches, it has been decided to use a method that will assign concrete values to each risk factor in one sweep. Which assessment type and value will be used in this effort? (Select two). ANSWER SELECT ALL THAT APPLY Correct Answers Your Choices Qualitative risk assessment Annual loss expectancy Single loss expectancy Quantatative risk assessment

Single loss expectancy Quantatative risk assessment WHAT YOU NEED TO KNOW Quantitative risk assessment aims to assign concrete values to each risk factor. The process of determining and assigning these values is extremely complex and time consuming.Single Loss Expectancy (SLE) is the amount that would be lost in a single occurrence of the risk factor. This value is determined by multiplying the value of the asset by an Exposure Factor (EF).Qualitative risk assessment avoids the complexity of the quantitative approach. It is focused on identifying significant risk factors by seeking opinions of which risk factors are significant.Annual Loss Expectancy (ALE) is the amount that would be lost over the course of a year. This is determined by multiplying the SLE by the Annual Rate of Occurrence (ARO).

Management inquired about ways to secure the domain name servers. An admin suggests using DNS SEC or Domain Name Server Security Extensions to help mitigate against spoofing and poisoning attacks. Which port is ideal for DNSSEC traffic? ANSWER UDP 389 TCP and UDP 88 UDP 53 THE CORRECT ANSWER TCP 53

TCP 53 WHAT YOU NEED TO KNOW DNS traffic uses port 53. However, given that most DNSSEC packets can be larger than 512 bytes, which is the limit for UDP packets, DNSSEC uses TCP port 53.DNS queries are communicated through UDP port 53.TCP and UDP port 88 are used by Microsoft's Kerberos. It is an authentication service that is based on a time-sensitive, ticket-granting system beneficial for single sign-on requirements.UDP port 389 is used by (Lightweight Directory Access Protocol). It is a network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.

An admin runs a software executable on a Windows 10 workstation, and it stops almost immediately. A pop-up message appears on the right corner of the task bar and quickly goes away. The admin notes the missing executable file. What did the antivirus do? ANSWER The antivirus deleted the file. THE CORRECT ANSWER The antivirus placed the file in quarantine. The antivirus reacts to a false positive event. The antivirus copied the executable to a different location.

The antivirus placed the file in quarantine. WHAT YOU NEED TO KNOW Antivirus software perform on-access scans when an executable or script is run. When malicious codes match its signature database, the process will be stopped, and the file will be placed in quarantine, to then ask the user what to do with it.Performing an action on the executable may be a false-positive. However, malicious software tends to look exactly like the real software. Further investigation is required to determine if it was a false-positive.The antivirus will not delete files, but rather place them in quarantine. Only when the admin has explicitly stated to delete the file will the antivirus engine finally delete it.A suspected file will be moved (not copied) to a different location by the antivirus software.

A security manager in charge of managing access control is assigned to a military intelligence unit. They identify that the unit uses Mandatory Access Control (MAC) and notice the inefficiencies withiin this model. What changes should the security manager make to the access control system? ANSWER The security manager should suggest rule-based access control, assigning individual users to groups. THE CORRECT ANSWER The security manager shouldn't make any changes despite the system's inefficiencies. The security manager should change the labels in the mandatory ACL to a higher security clearance level. The security manager should suggest Attribute-Based Access Control (ABAC) to fine-tune permissions.

The security manager shouldn't make any changes despite the system's inefficiencies. WHAT YOU NEED TO KNOW Military intelligence units will use Mandatory Access Control (MAC) despite its inefficiencies and the security manager should not recommend a change. The security manager should make sure the Access Control List (ACL) is current and updated regularly, but should not change the access control system due to the need to maintain "need to know" barriers with security clearances.Although ABAC allows for more fine-tuned access, military systems require the encumbrance of MAC, to restrict unauthorized access to resources.Changing the labels in the ACL effectively changes its security clearance definition, which would be problematic and potentially allow unauthorized access.MAC is already a rule-based access control system, where the system enforces rules, rather than system users, as in discretionary access control (DAC).

While conducting an audit of their network, the network administrator discovers a log entry that has multiple gaps in the event log. What could this anomalous log entry indicate? (Select two). ANSWER SELECT ALL THAT APPLY This could indicate the presence of malware spreading and extracting chunks of data from targeted folders. This could indicate that a user has been altering the event logs to cover malicious or suspicious activity. This could indicate changes to the system's configuration and installation of a backdoor. This could mean an attacker is modifying and deleting logs to cover suspicious activity.

This could indicate that a user has been altering the event logs to cover malicious or suspicious activity This could mean an attacker is modifying and deleting logs to cover suspicious activity. WHAT YOU NEED TO KNOW This log entry indicates someone is trying to cover their tracks. This could be an insider threat (one of the system's authorized users).This could be an outside attacker. Either way, this entity is trying to mask their system activity by deleting it from the log.The spread of malware or exfiltration of data will reflect in an audit log as an unusual or excessive use of bandwidth, perhaps during off-peak traffic cycles.Indicators of a backdoor installation would come in the form of unscheduled changes to the system's configuration, aimed at opening it up so the attacker can exfiltrate data from the network.

A penetration testing consultant company creates a computer with a cluster of high-end graphics cards. Why would this machine benefit a penetration test? ANSWER To increase the speed of cracking lengthy passwords with Pass-the-Hash attacks. THE CORRECT ANSWER To increase the speed of cracking lengthy passwords with brute force attacks. To increase the speed of cracking a lengthy encoded digital certificate. To increase the speed of cracking plaintext passwords. WHAT YOU NEED TO KNOW A brute force attack attempts every combination to derive a plaintext password from a hash. The longer the key, the more difficult it is to crack. Brute force attacks distributed across a password cracker with a cluster of high-end graphics cards are more successful at cracking longer passwords. With Pass-the-Hash attacks, if an attacker obtains the hash of a user's password, it is possible to authenticate with the hash without cracking it. You can encode a certificate as a file, store cryptographic information, like the public key, and encryption and hashing algorithms in digital certificates, and forge signatures. But a password cracker cannot "crack" digital certificates. If a password is already in plaintext, it doesn't need to be cracked.

To increase the speed of cracking lengthy passwords with brute force attacks. WHAT YOU NEED TO KNOW A brute force attack attempts every combination to derive a plaintext password from a hash. The longer the key, the more difficult it is to crack. Brute force attacks distributed across a password cracker with a cluster of high-end graphics cards are more successful at cracking longer passwords. With Pass-the-Hash attacks, if an attacker obtains the hash of a user's password, it is possible to authenticate with the hash without cracking it. You can encode a certificate as a file, store cryptographic information, like the public key, and encryption and hashing algorithms in digital certificates, and forge signatures. But a password cracker cannot "crack" digital certificates. If a password is already in plaintext, it doesn't need to be cracked.

A company CIO worked on building a room that prevents Wi-Fi, cellular and RFI signals from emitting in and out of a defined area to secure the employees environment and to protect from data leakage. What did the CIO construct? ANSWER Honeynet THE CORRECT ANSWER Faraday Cage Mantrap Bollard

WHAT YOU NEED TO KNOW A Faraday Cage is used to block electromagnetic, radio frequencies and electrostatic signals. The enclosure can keep signals out and block them from going into the secure area providing a physical security layer.A honeynet is a network setup with intentional vulnerabilities. It invites an attack, so that activities and methods can be studied and used to increase network security. It does not block frequencies.A mantrap is a physical security control, but does not block radio frequency signals.A Bollar

A healthcare organization is maintaining personal data for patient billing purposes. As a result, a security team is overseeing that the proper practices are in place. Part of this process includes a Privacy Threshold Analysis (PTA). After examining the listed audit purpose criteria, determine which one relates to a Privacy Threshhold Analysis (PTA). ANSWER Detailed study to assess the risks associated withstoring, processing, and disclosing PII Formal document listing PII maintained by a federal agency Compiling a prioritized list of probable and possible threats THE CORRECT ANSWER Determines whether a computer system or workflow collects, stores, or processes PII to a certain degree

WHAT YOU NEED TO KNOW A Privacy Threshold Analysis (PTA) is an initial audit that is used to determine whether a computer system or workflow collects, stores, or processes PII to a degree where a privacy impact assessment (PIA) must be performed.A Privacy Impact Assessment (PIA) is a detailed study to assess the risks associated with storing, processing, and disclosing PII. The study should identify vulnerabilities.A System of Records Notice (SORN) is a formal document listing PII maintained by a federal agency of the US government.A threat assessment is a means of compiling a prioritized list of probable and possible threats.

A physical server hosts several Windows Server 2016 virtual machines. Management prohibits the use of all systems, to prevent the loss or leakage of proprietary company information. Which of the following actions will provide an adequate amount of USB security for this virtual host? ANSWER Disable USB on the virtual machines. Disable all USB ports on virtual host. Create a USB policy on a DLP appliance. THE CORRECT ANSWER Disable unused USB ports on virtual host.

WHAT YOU NEED TO KNOW A common setup for virtual host includes a KVM (key, video, mouse) device for initial setup and troubleshooting. A KVM connection will use at least one USB connection for the mouse and keyboard. All other USB (universal serial bus) ports can be safely disabled.Disabling all USB ports will also prevent the use of a KVM device which is crucial in many circumstances (e.g., troubleshooting).Most virtual machines are created without a USB controller so it may be a non-issue. However, question was related to the virtual host specifically.DLP (data loss prevention) appliances help to prevent data leakage by removing the use of USB devices. However, a DLP does not interact directly with a hypervisor.

The DMZ (demilitarized zone) has a new virtual firewall server. A user reported that Internet websites are viewable, but no longer has a connection to an FTP (file transfer protocol) site. Which of the following is most likely the cause of the disconnection? ANSWER The ACL still requires setting up. A network cable disconnected from the server. The user does not have access to the FTP site. THE CORRECT ANSWER The Firewall implicitly denied access to the FTP site.

WHAT YOU NEED TO KNOW A firewall server manages traffic going in and out with rules. In most cases a rule that has not been defined to accept or deny access, is implicitly denied. The virtual server is hosted on a physical server that is most likely fitted with redundant physical network connections. A single cable disconnection will not prevent access elsewhere. The user only recently lost connection to the FTP site, which coincides with the deployment of the new firewall server. This is most likely the cause. As most firewalls are setup to implicitly deny connections out of the box, knowing the user has access to Internet websites assumes that the firewall's ACL (access control list) has been setup

1.0 Threats, Attacks and Vulnerabilities A user of a website entered bank account information into a form. However, the user did not know that an attacker monitored the activity and recorded the numbers the user entered. What type of spyware did the attacker use to collect this information? ANSWER An adware plug-in A rootkit THE CORRECT ANSWER A keylogger A ransomware Trojan

WHAT YOU NEED TO KNOW A keylogger is a type of spyware that attempts to steal confidential information. It can monitor user activity and can send information to the attacker without the user's knowledge. An adware browser plug-in displays commercial offers and deals. Some adware may exhibit spyware-like behavior, such as tracking the websites a user visits and displaying targeted ads, for instance. A rootkit represents a class of backdoor malware that works by changing core system files and programming interfaces, so that local shell processes no longer reveal their presence. Ransomware is a type of Trojan malware that tries to extort money from the victim. It will often display threatening messages, stating the computer will remain locked until the user pays the ransom.

A network administrator is tasked with designing a federated system comprised of open source components and processes. How will users establish their credentials on such a system? ANSWER Users will authenticate using an OAuth consumer website Users will sign on using Remote Authentication Dial-In User Service (RADIUS) THE CORRECT ANSWER Users will authenticate through Shibboleth Users will sign on using OPENID

WHAT YOU NEED TO KNOW A network designed with open source material is most likely to use the open source version of Security Association Markup Language (SAML), which is Shibboleth.The "Auth" in OAuth stands for authorization, not authentication. OAuth providers, not OAuth consumers, can authenticate users. OAuth transactions use Representational State Transfer (REST), while Shibboleth is an open source implementation of SAML.OPENID is an enterprise-controlled federated identity management system, which like Shibboleth, allows the user to choose their preferred identity provider. OPENID provides quick sign-on services through other sites.RADIUS is not open source, but there are open source implementations available.

A company has had a security breach in the past. A routine check found that updates were not in place and security control audits were not followed. What can be put in place remedy this issue? ANSWER Security policy Security control Company policy THE CORRECT ANSWER Standard Operating Procedure (SOP)

WHAT YOU NEED TO KNOW A standard operating procedure (SOP) is an inflexible, step-by-step listing of the actions that must be completed for any given task. Most critical tasks should be governed by SOPs. Having a task list to audit security controls is a good candidate for an SOP.A company policy addresses the expected overall behavior of employees of an organization.A security policy addresses and outlines guidelines pertaining to all areas of security within an organization. Examples are having vistors sign in and badges as well as computer use for employees.A security control is a logical or physical mechanism that is put in place to aid in security efforts. Door locks and computer passwords are examples of security controls.

What is a system that meets certain government requirements for security and uses multi-level security as part of its access control? ANSWER Operating System Secure Configuration MLS THE CORRECT ANSWER Trusted OS

WHAT YOU NEED TO KNOW A trusted operating system (TOS) is any operating system that meets the government's requirements for security. Trusted OS uses a form of mandatory access control (MAC) called Multi-Level Security.Secure configuration of systems refers to security measures that are implemented as a way to provide protection for computer systems. The implementation of secure configurations reduce the possibility of vulnerabilities and attacks.An Operating System is software that manages hardware while providing services for applications.MLS is an implementation of MAC that focuses on confidentiality. A Multi-Level Security operating system is able to enforce the separation of multiple classifications of information.

While testing a popular application's input validation routines through the use of fuzzing, a penetration tester discovers a remote code execution vulnerability within a program. This is the first exploitation of this program. The tester searches the internet, and determines that there is not a patch for it. Which of the following best describes the type of exploit discovered? ANSWER A buffer overflow THE CORRECT ANSWER A zero-day A birthday attack A dynamic link library (DLL) injection

WHAT YOU NEED TO KNOW A zero-day exploit is a vulnerability in software that is exploited before anyone knows about it and can fix and release a patch for it. A birthday attack is a brute force attack aimed at exploiting collisions in hash functions. This type of attack can be used for the purpose of forging a digital signature. A buffer overflow is an application attack that exploits fixed data buffer sizes in a target piece of software by sending data that is too large for the buffer. A DLL injection is not a vulnerability of an application, but a vulnerability in the way the operating system allows one process to attach to another, and then force it to load a malicious link library.

During a security assessment, a security engineer must make connections with the target hosts, and authenticate and establish sessions with the hosts, to detect a wide range of vulnerabilities and reduce false positives. What type of test routine does this best describe? ANSWER Passive scanning Passive reconnaissance Active reconnaissance THE CORRECT ANSWER Active scanning

WHAT YOU NEED TO KNOW Active scanning involves making a connection to the target host. This might mean authenticating and establishing a session with the host or running an agent on a host. Active techniques help detect vulnerabilities in host systems and reduce false positives. Passive scanning tests security controls by sniffing network traffic to identify assets communicating on the network, service ports used, and some types vulnerabilities. Active reconnaissance has more risk of detection than passive reconnaissance. Active techniques involve gaining physical access or using scanning tools on the target's web services and other networks. Publicly available information and tools for aggregating and searching it are referred to as Open Source Intelligence (OSINT). Gathering this kind of information is referred to as passive reconnaissance.

A user has installed software after accepting a 30-page license agreement. After the install, the user notices a negative impact on the system performance and starts experiencing pop-ups for new car deals. What type of software has the user installed? ANSWER Scareware A Remote Access Trojan (RAT) THE CORRECT ANSWER Adware A botnet

WHAT YOU NEED TO KNOW Adware is any type of software that displays commercial offers and deals. Adware software can have a negative impact on performance and can include accepting a long license agreement. Rogueware or scareware is a fake antivirus web pop-up that claims to have detected viruses on the computer and prompts the user to initiate a full scan, which installs the attacker's Trojan. A Remote Access Trojan functions as a backdoor, and allows the attacker to access the PC, upload files, and install software on it. A botnet is a set of computers that has been infected by a control program (a "bot"), that enables attackers to exploit the computers to mount attacks.

A company uses AirWatch for a complete management of corporate-owned and personal devices, such as iPhones and laptops. They want the ability to approve which applications employees can install, secure the data if the laptop is stolen, and keep personal data separate from corporate data on personal phones. Which features of AirWatch benefits the company? (Select three). ANSWER SELECT ALL THAT APPLY Correct Answers Your Choices Remote wipe Containerization Full drive encryption Application management

WHAT YOU NEED TO KNOW AirWatch can set policies on what applications on the mobile phone a user can use. It can also restrict the use of the App store icon on iPhone devices.AirWatch with Windows 10 can manage and deploy full drive encryption that are beneficial for laptops. Hackers will not be able to decrypt the stolen laptop or hard drive without a recovery password or key.Containerization allows the employer to manage and maintain the portion of an employee's personal device that interfaces with the corporate network. An example of this is the use of Workspace One apps from VMware for mobile devices.Remote wipe is not a requirement. Connection to the device is required to send a remote wipe task.

A select group of users need access to a folder for a limited amount of time. What access control measure will best balance ease of access and folder security? ANSWER Assign users discretionary access to the folder Create a shared account for all users to access the folder for the duration of the project Grant each user a one-time password token each time they need to open the folder THE CORRECT ANSWER Assign users to a group that has permissions to the folder for the duration of the project

WHAT YOU NEED TO KNOW Assigning users to a group that has permissions to the folder for the project's duration gives users access based on their roles, and allows them ease of access, but also maintains accountability, as each user's actions will be recorded in audit logs. Group permissions can be revoked at the end of a project.A one-time password for each time a user accesses the folder would make it secure, but not easy to manage, as token control, number of one-time passwords issued, and frequency with which they must be issued must all be considered.Assigning users discretionary access to the folder would give them the proper permissions, but when the project is over, it is important to remove those permissions, and this need to maintain the permissions at the folder-level is cumbersome for a security manager who has multiple tasks to perform.Creating a shared account violates non-repudiation; it is difficult to maintain security of a folder if the administrator cannot keep accurate account and auditing of who accessed the folder, and when. Shared accounts open resources to risk, because several users could have performed an action, and therefore, could deny performing an unauthorized action or breeching security protocol.

A hacker cracks a substitution cipher easily using frequency analysis. Carefully consider the following cryptographic techniques to determine which one was likely ignored when the cipher was developed? ANSWER THE CORRECT ANSWER Confusion Diffusion Hashing Obfuscation

WHAT YOU NEED TO KNOW Basic substitution and transposition ciphers are vulnerable to cracking by frequency analysis, which detects patterns in the ciphertext, revealing the cipher and key used for encryption. Confusion addresses substitution and transposition ciphers, while diffusion only addresses transposition. On this alone, confusion is the right answer.Confusion prevents attackers from selectively generating encrypted versions of plaintext messages and looking for certain patterns in their relationship. Diffusion prevents attackers from selectively determining parts of the message encrypted by the same key.Hashing is generally used to store passwords or ensure the validity of data. Unlike ciphers, it is not an encryption technique.A substitution cipher is an obfuscation technique, so by definition, obfuscation was not ignored when developing the cipher.

A computer lab installs a new wireless printer. Employees can access the printer via Bluetooth. Policy states that only authorized users may use the printer for unclassified work efforts. Which of the following will allow the company to enforce this policy? (Select two). ANSWER SELECT ALL THAT APPLY Correct Answers Your Choices Disable the Bluetooth capability in the computer lab. Ensure security fixes are up to date. Encrypt data at rest. Edit default user names and passwords for enabled share services and create an ACL.

WHAT YOU NEED TO KNOW Changing default configurations, such as usernames and passwords, is the first line of security. Creating an Access Control List will allow only authorized user access to the printer.Disabling Bluetooth capabilities will deny employees access to the printer. In this scenario, employees need Bluetooth capability to complete work functions.Security vulnerabilities are routinely found in systems and applications. They require updates or patches to maintain integrity and availability.Encrypting data at rest will provide unauthorized disclosure of data stored in the printer, but will not stop unauthorized access.

A company building outside of the United States must connect their employees to headquarters. The company intranet SharePoint site and general shares must be available to those external users. What is the best method to ensure these users get the access they require using the most secure connection? ANSWER Setup VPN client agents Enable the use of SSH THE CORRECT ANSWER Configure VPN concentrators at each site Configure a DMZ at company headquaters

WHAT YOU NEED TO KNOW Configure VPN (virtual private network) concentrators or gateways at each site will create a Site-to-Site VPN. The VPN concentrators handle the encryption of data so it may travel across the public Internet. This creates a virtual direct connect to the headquarters' main network. VPN client agents on computers are best for roaming employees who connect to coffee shop wireless networks to access company networks. SSH (secure shell) is a protocol commonly used by administrators rather than regular users. It is not ideal for this situation. A DMZ or demilitarized zone, will provide adequate protection of the internal network from the outside world, but it does not secure a connection with the international office.

The content owner is most important in which type of access control? ANSWER Role-Based Access Control (RBAC) Mandatory Access Control (MAC) Attribute-Based Access Control (ABAC) THE CORRECT ANSWER Discretionary Access Control (DAC)

WHAT YOU NEED TO KNOW DAC stresses the importance of the owner as the original creator of the resource. The owner has full control over the resource, able to modify its ACL and grant rights to others. This model is the most flexible and is most widely used in computer and network security. It is also the weakest model because it creates a system of centralized administration of security policies and it is the most difficult to enforce and easiest to compromise.RBAC adds a degree of administrative control by setting rules for different roles (such as administrator accounts), making it non-discretionary. Individual users cannot modify the ACL of a resource, even if they have permission to access and modify the resource in other ways. This keeps the ACL more secure by limiting its administration to those with a specific role, and is harder for an outside attacker to gain access by trying to escalate permissions.MAC is associated with security clearance levels and is most practical in military and secret service organizations, where confidentiality is more important than the workload created by implementing mandatory access controls.ABAC is sensitive and flexible, allowing for fine-tuned access.

A hacker publicly announces a successful hacking attempt, accessing company offices, and scanning the network for proprietary information. The hacker also made a video, recording the company's product manufacturing process, located in a locked warehouse. What type of attack did the hacker most likely perform when recording the manufacturing process? ANSWER Network penetration THE CORRECT ANSWER Data exfiltration Brute Force Attack Social engineering

WHAT YOU NEED TO KNOW Data exfiltration attacks involve the retrieval of valuable data, such as Personally Identifiable Information (PII) or proprietary company information. Copying data to an external hard drive or capturing picture or video of data are examples of data exfiltration.Social engineering was most likely used to gain entrance to the company building. Door pass codes may have been shared or an employee badge may have been stolen. This was not applicable to the actual recording of manufacturing processes.Network penetration is applicable to when the hacker scanned the network for proprietary data.Brute force attack is the act of successfully guessing a password to gain access. This is not applicable to the video recording.

A chain of security incidents has occurred at an organization which has impacted many systems. All of the incidents must be assessed for severity and prioritized for remediation. There are several factors that can affect this process. After examining the list of factors, determine which to consider when assessing the value of any systems information that is at risk. ANSWER Scope THE CORRECT ANSWER Data integrity Downtime Recovery time

WHAT YOU NEED TO KNOW Data integrity refers to the value of data that is at risk. While some information can easily be obtained elsewhere or is of little to no value, other information may be highly irreplaceable.The scope of an incident is not a direct indicator of priority. For example, large number of systems might be infected with a type of malware that degrades performance but is not a data breach risk.Recovery time is based on the incident type and impact. Some incidents require lengthy remediation as the system changes required to remedy are complex to implement.Downtime is the degree to which an incident disrupts business processes. An incident can either degrade or interrupt the availability of an asset, system, or business process.

n the contractual agreement describing the rules of engagement of a penetration test, the consultant will not have access to privileged information about the network and its security systems. What type of pen test is this? ANSWER A white box A gray box A sandbox THE CORRECT ANSWER A black box

WHAT YOU NEED TO KNOW During a black box pen test, the consultant is given no privileged information about the network, its security systems and its configuration. Black box tests are useful for simulating the behavior of an external threat. During a white box pen test, the consultant is given complete access to information about the network. This type of test is sometimes conducted as a follow-up to a black box test to fully evaluate flaws discovered during the black box test. During a gray box pen test, the consultant is given some information; this resembles the knowledge of junior or non-IT staff to model types of insider threats. Ideally, pen tests should be performed in a sandbox environment that accurately simulates the production environment.

The client wants to deploy a wireless network that uses a smart card or a certificate that can be installed on the client's PC. Which type of authentication mechanism is most suitable for this task? ANSWER EAP-FAST PEAP THE CORRECT ANSWER EAP-TLS EAP-TTLS

WHAT YOU NEED TO KNOW EAP-TLS requires client certificates, but most other types of EAP can be configured to perform mutual authentication (including EAP-TTLS, PEAP with TLS, and EAP-FAST).PEAP and EAP-TTLS both use a server-side public key certificate to establish an encrypted tunnel between the user and authentication server. The user does not require a certificate. The main distinction between these protocols is that EAP-TTLS can use any tunnelled authentication protocol, while PEAP must use EAP-MSCHAP or EAP-GTC.EAP-FAST is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server's master key.

A company maintained operations even though one of their critical components failed using the existing software and hardware. What mechanism allowed this to occur? ANSWER Availability THE CORRECT ANSWER Fault Tolerance Elasticity Scalability

WHAT YOU NEED TO KNOW Fault Tolerance is a product of redundancy and allows for in the event of a crash, the system will maintain operations by removing the single point of failure. The system will continue to operate without notice.Scalability is the capacity to increase the workload on current resources.Availability is part of the CIA security triad and ensures systems are operational and available to end users. Fault tolerance is a way to ensure availability.Elasticity is the ability to resize an environment based on the load. Elasticity is a part of virtualization and can reduce costs. A user can increase or decrease resources as necessary.

A server with important data requires that a new backup scheme be implemented. The goal is to use a solution that balances the time required to backup and to restore the data. Evaluate the backup strategies and choose the most appropriate backup strategy. ANSWER Full backup followed by incremental backups Full backup followed by snapshot backups Snapshot followed by incremental backups THE CORRECT ANSWER Full backup followed by differential backups

WHAT YOU NEED TO KNOW Full backups are used to backup all selected data. Differential backups are used to backup any data that has changed since the last full backup, Using differential backups after a full backup is known to offer a balance in backup and restore times.Full backups are used to backup all selected data. Incremental backups are used to backup any data that has changed since the last backup. Using incremental backups can be time consuming during restore operations.Full backups are used to backup all selected data. A snapshot is not a backup type, but rather a method that is used to backup open files.A snapshot is not a backup type, but rather a method that is used to backup open files. Using incremental backups can be time consuming during restore operations.

A security incident has occurred at a business that has exposed the personal data of numerous customers. In accordance with the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, at which stage in the incident response lifecycle should stakeholders be notified? ANSWER Containment THE CORRECT ANSWER Identification Eradication Preparation

WHAT YOU NEED TO KNOW Identification involves determining whether an incident has taken place and assessing how severe it might be. This is followed by notification of the incident to stakeholders.Eradication involves the removal or repairing the incident cause. Examples of eradication would be virus removal or installing a software security patch to fix an exposed vulnerability.Containment involves limiting the scope and impact of the incident. Examples of containment would be putting controls in place such as denying access to systems or password changes.Preparation involves hardening systems, writing policies and procedures, and establishing confidential lines of communication in the event of an incident.

Performing background checks satisfies which security objective? ANSWER Identity management THE CORRECT ANSWER Identity proofing Enrollment Credential management

WHAT YOU NEED TO KNOW Identity proofing is verifying subjects are who they say they are at the time an account is created. Performing background checks effectively identifies individuals and proves identity.Enrollment issues the user credentials, which should take place only after an individual's identity has been verified.The user is responsible for credential management, controlling when and where their credentials are used.Identity management encompasses all of the issues and problems to overcome in implementing authentication and identification systems and applications; this involves managing the number of digital identities an individual user has.

An attacker spoofs an (Internet Protocol) IP address of an invalid IP, misdirecting network traffic. After the server responds to the requests, over time, end-users cannot connect to the server, and the security analysts cannot ping it. Which of the following best describes what occurred? ANSWER The attacker bombarded the victim with responses to bogus DNS (Domain Name System) queries. A Smurf attack directed echo responses to the victim server. THE CORRECT ANSWER A SYN (synchronize) flood attack created a Denial of Service (DoS), which resulted in resource exhaustion on the server, crashing it. A SYN (synchronize) flood attack executed an amplification attack, which consumed the victim's available bandwidth.

WHAT YOU NEED TO KNOW In a SYN flood attack, an invalid IP is used to misdirect a server's SYN/ACKs. The server fills up with SYNs from the spoofed IP, creating a DoS. The DoS consumes CPU cycles and memory. In an amplification attack, the adversary spoofs the victim's IP and opens connections with multiple servers. Those servers direct their SYN/ACKs to the victim server, consuming the victim's bandwidth. In a Smurf attack, the adversary spoofs the victim's IP and pings the broadcast address of a third-party network. Each host directs its echo responses to the victim server. An attacker can bombard a victim network with responses to bogus DNS queries. The response to the DNS queries can overwhelm the bandwidth of the victim network.

A security engineer reviewing the password policy for a company, notices very low complexity requirements, and allows single words, obvious phrases, all lowercase, and easily memorized phases. What type of attack can these passwords be vulnerable to? ANSWER A hybrid password attack A brute force attack THE CORRECT ANSWER A dictionary attack A rainbow table attack

WHAT YOU NEED TO KNOW In a dictionary attack, software enumerates values in a dictionary wordlist. Enforcing password complexity makes passwords difficult to guess and compromise. Varying the characters in the password makes it more resistant to these attacks. A rainbow table attack is a password attack where an attacker uses a set of related plaintext passwords and their hashes to crack passwords. Values are computed in chains and only the first and last values need to be stored. A hybrid password attack is targeted against naively strong passwords. The password cracking algorithm tests dictionary words and names in combination with numeric prefixes and/or suffixes. A brute force attack attempts every possible combination in the key space, to derive a plaintext password from a hash.

Why is it dangerous for a server to allow Secure Sockets Layer (SSL) backwards compatibility? ANSWER SSL is a weaker cipher than TLS 2.0, and therefore becomes easier to crack Wi-Fi Protected Access (WPA). SSL is a weaker cipher than TLS 2.0, and therefore becomes easier to crack Wired Equivalent Privacy (WEP). THE CORRECT ANSWER SSL is a weaker cipher than TLS 2.0, and therefore becomes easier to forge the signature of a certificate authority. SSL is a weaker cipher than TLS 2.0, and therefore becomes easier to use a replay attack to intercept a hash, and reuse it to gain access to a resource.

WHAT YOU NEED TO KNOW In a downgrade attack the attacker exploits backward compatibility to force a computer system to abandon the use of encrypted messages, making it easier to forge the signature of a certificate authority. The success of a replay attack is not dependent on the strength of the cipher used. The attacker intercepts a key or password hash and reuses it, re-establishing a session. To crack Wired Equivalent Privacy (WEP), an attacker makes the access point by replaying ARP packets at it. WEP's weakness is in its encryption system, which is based on the RC4 cipher. Wi-Fi Protected Access (WPA) fixes security problems with Wired Equivalent Privacy (WEP), but still uses the RC4 cipher, although it adds Temporal Key Integrity Protocol (TKIP).

A business is using an older version of a popular Line of Business (LOB) Application for its operations. Management has suggested upgrading to a modern version to take advantage of important new features and security updates. In order to move to a new version of the software, the database will first need to be converted - a risky endeavor for the organization. To prepare for the upgrade, which step should be executed first? ANSWER Risk mitigation THE CORRECT ANSWER Request for Change (RFC) Risk deterrence Change Advisory Board (CAB)

WHAT YOU NEED TO KNOW In a formal change management process, the need for change and the procedure for implementing the change is captured in a Request for Change (RFC) document. This step should be performed first when any change that involves risk is proposed.Risk mitigation is the overall process of reducing exposure to or the effects of risk factors. Converting the database in a test environment would reduce risk, but it is not the first step.In a formal change management process, proposed changes to systems require approval through a Change Advisory Board (CAB). A CAB reviews and responds to an RFC.A countermeasure that reduces exposure to a threat or vulnerability is known as a risk deterrence (or reduction). Software updates are a form of risk reduction, but not a first step in this case.

A contractor implements a secure system design for a large accounting firm. The contractor disables unnecessary services and deploys the system using only services and protocols necessary to the company. What principle does this employ? ANSWER SELECT ALL THAT APPLY Correct Answers Your Choices Hardening Least Functionality Access Control List Least Privileged

WHAT YOU NEED TO KNOW In implementing a secure system, hardening is the practice of removing default values to ensure the system is more secure. One of the processes of hardening a system is that of Least Functionality. Least Functionality employs the principle of deploying systems with only the services and protocols required to perform the job.Least Privileged is a control management principle, in which individuals are only granted privileges and access to perform their tasks. Least privilege can reduce risk by limiting access to data otherwise not necessary to a user.An access control list is a set of rules that regulates what traffic is allowed or denied based on networks, ports and protocols.

How does key stretching make a password harder to crack? ANSWER THE CORRECT ANSWER Key stretching puts the password through thousands of rounds of hashing, which can slow an attacker's cracking attempt. Key stretching adds salt values to the hash, adding an additional layer of complexity to the password hashes themselves. Key stretching adds a randomly generated number to the user password hash to make it more complex. Key stretching makes it difficult for the attacker to replicate the plaintext password by using a random number generator to assign each plaintext value a number for the hash.

WHAT YOU NEED TO KNOW Key stretching can be envisioned as someone playing with silly putty. The password hash is imprinted on the silly putty, then someone stretches, kneads, and rearranges the silly putty through their hands until the values in the hash are randomly distributed throughout the silly putty. The hash is rearranged simply by multiple manipulations, or stretches of the key, much like the silly putty.Key stretching does not add salt, or random values, to the hash. It does not add an extra layer to the password to add complexity. The benefit of key stretching is the extra time it would require someone to go through all of the permutations or stretches the key has gone through, slowing them down.Key stretching does not add anything to the password hash to add complexity.The original, plaintext password is encrypted using different algorithms to derive the hash. The encryption algorithm, from which the hash is derived, contributes to password strength.

Within the confines of available resources, the concept of resource versus security constraints involves a tradeoff between employing the best possible security. Which of the following is an important consideration balancing cryptography use and the quality of real-time streaming voice and video? ANSWER Low resiliency THE CORRECT ANSWER Low latency Low power devices Low collision

WHAT YOU NEED TO KNOW Latency is the time delay that can occur in real-time channels, like voice and video. Therefore, low latency is preferable in voice and video streaming. Cryptography requires processing overhead, which could impact signal quality.Low power devices are a consideration for technologies that require more processing cycles and memory space. This is not the best answer regarding consideration of cryptography's impact on streaming quality.A collision is where a function produces the same hash value for two different inputs. It is unrelated to streaming quality.Resilience involves a network's quality of service (QoS), or a control system's ability to compartmentalize its various components to prevent a compromise from spreading to other components. This is also unrelated to streaming quality. previous

The public is allowed to use a library computer system for research. This computer is new and will have online access. In preparation for use, all operating system updates and security patches have been installed, as well as a reliable antivirus software package. As a result, which type of security control has been put in place to reduce the risk of threats? ANSWER Avoidance Transference Acceptance THE CORRECT ANSWER Mitigation

WHAT YOU NEED TO KNOW Mitigation is the overall process of reducing exposure to the effects of risk. There are several ways of mitigating risk. In this case, hardening a system with security updates and antivirus software places it in a position where risk is reduced.Acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed.Transference means assigning risk to a third-party. With IT systems, third-party monitoring and remediation systems or personnel may be used.Avoidance is the act of stopping the activity that causes risk. In this case removing the system completely would remove the risk.

Which of the following is true about phishing, spear phishing, and whaling social engineering attacks? ANSWER Whaling is an unfocused attack. Spear phishing is a focused attack against an individual. Phishing is a focused attack that targets C-level executives. THE CORRECT ANSWER Phishing is an unfocused attack. Spear phishing is a focused attack against an individual. Whaling is a focused attack that targets C-level executives. Spear phishing is an unfocused attack. Phishing is a focused attack against an individual. Whaling is a focused attack that targets C-level executives. Phishing is an unfocused attack. Whaling is a focused attack against an individual. Spear phishing is a focused attack that targets C-level executives.

WHAT YOU NEED TO KNOW Phishing, spear phishing, and whaling attacks combine social engineering and spoofing. Their differences refer to the intended targets and the degree of personalization used in the attack. Phishing is unfocused, relying on volume. Spear phishing is directed against a company or individual. Whaling is directed against executives or other senior staff. Whaling is a focused attack that targets C-level executives. Spear phishing is a focused attack against an individual. Phishing is an unfocused attack. Spear phishing is a focused attack against an individual. Phishing is an unfocused attack. Whaling is a focused attack that targets C-level executives. Phishing is an unfocused attack. Whaling is a focused attack that targets C-level executives. Spear phishing is a focused attack against an individual.

The local power plant has a number of spikes occur during non-peak hours. Upon further investigation from an evaluation team, a workstation in the corporate network contains a worm that generates several power surges nightly at various times. Where should a network admnistrator place a NIPS, to detect and prevent further attacks? ANSWER SCADA network THE CORRECT ANSWER Both internal and external networks DMZ Internal Private Network

WHAT YOU NEED TO KNOW Placing a network intrusion prevention system on both the internal and external networks will actively detect and stop attacks from within and outside.Use of a NIPS internally will only protect that piece of the network. The use of NIPS externally will only protect and defend externally. The use of a NIPs both internally and externally will provide protection for both pieces of the network.A Demilitarized Zone is not applicable, since it does not exist in the scenario. A DMZ is a buffer between the network and internal network.The SCADA network would be considered the internal network.

An employee plans to travel for work purposes and will require access to the company's website. The site restriction is for employees only and requires a secure means to gain access. The employee will most likely use: ANSWER Secure Shell THE CORRECT ANSWER Remote access VPN Site to Site Split Tunnel

WHAT YOU NEED TO KNOW Remote access Virtual Private Network (VPN) allows an authorized user to connect to an internal network from a remote location. Software on the remote device creates an encrypted tunnel to a VPN concentrator on the internal company network. The internal network decrypts the data and then provides access between the internal network and the remote user.Secure Shell encrypts moving traffic. While it can provide a secure connection for a remote user, it does not allow a user to connect to the company site while remote.In a split tunnel VPN, administrators decide where traffic is routed. A split tunnel can decipher whether traffic goes to a private network or not.A VPN that connects two local area networks is called a site to site VPN. Access is transparent to the user.

An admin wants to gather UPS (Uninterruptible Power Supply) device configurations and statistics, to run a program that will automatically shut down systems in the event battery power is low. Which of the following can fulfill the requirement without compromising device configuration and supports authentication? ANSWER SNMPv2 THE CORRECT ANSWER SNMPv3 TFTP SSH

WHAT YOU NEED TO KNOW SNMPv3 supports message integrity (using MD5 or SHA hash), authentication, and encryption. A query can still be set up to use no security, authentication only, or authentication and encryption.SNMPv2 uses community names to determine access, and are sent in plain text. Like SNMPv3, SNMPv2 collects status and configuration information, and does not change it.Although SSH (secure shell) can be used to query device status and configuration, it can also be used to change device configuration.TFTP (trivial file transfer protocol) is a simplified form of FTP (file transfer protocol) supporting only file copying and is used where authentication and directory visibility is not required.

Management provided two wireless access points (WAPs) on the second floor of their building. This is to accommodate the use of legacy and modern mobile devices. What is the best way to configure the WAPs so users know which one to connect to? ANSWER Use the 5 GHz band THE CORRECT ANSWER Modify the SSIDs Increase the signal strength for one device Change the WLAN protocol to 802.11n

WHAT YOU NEED TO KNOW SSID or service set identifier is the public name of the Wi-Fi device so users may know which device to connect to. Depending on the band selection, specifying '24' in the name for 2.4 GHz or '5' for 5 GHz is helpful. The 802.11n WLAN (wireless local area network) protocol selection may be a default selection for most modern Wi-Fi devices. Enabling the 802.11bg protocol will accommodate legacy devices. Modern devices will recognize the 5 GHz band. The secondary device should operate at the 2.5 GHz band for legacy devices. Increasing or decreasing the signal strength just makes the Wi-Fi connection more or less available outside of the workplace.

A mobile phone has the Samsung Pay application. It currently requires a PIN to use for payment. What other options are available to securely use NFC (near field communication) for payment? ANSWER Wi-Fi Face recognition Pattern THE CORRECT ANSWER Fingerprint

WHAT YOU NEED TO KNOW Samsung Pay can work with a registered fingerprint of the user, to enable the NFC (near field communication) chip to make a payment on compatible payment devices. A PIN is still registered along with the fingerprint, in case the fingerprint cannot be recognized.The phone's Wi-Fi has no direct relation making NFC mobile payments. However, it can be used to download the latest Android updates and updates to Samsung Pay faster.Face recognition is an option to unlock a Samsung smart phone, but it is not currently used with NFC payments for Samsung Pay.Pattern is an option to unlock most smart phones, including Samsung phones. It is not used for Samsung Pay.

A bank sets up a public facing website for users to access their account. The company will host their own web services and consolidate their resources to host virtual machines on multiple virtual hosts. These virtual machines will include a web server, file server, SharePoint server, and domain name server. Which of the following ports can users access their bank accounts online? ANSWER 25 80 THE CORRECT ANSWER 443 21

WHAT YOU NEED TO KNOW Secure access to a bank's website on a public facing Internet occurs with an HTTPS (Hyper Text Transfer Protocol Secure) connection on port 443. Signed digital certificates are used to verify a bank's server and encrypt traffic between user and server.HTTP (Hyper Text Transfer Protocol) uses port 80 or 8080 for unsecure connectivity. Banks will never use HTTP connections with the public Internet.An FTP (File Transfer Protocol) connection uses port 21. This port is applicable to the file server hosted by the bank.A SMTP (Simple Mail Transfer Protocol) uses port 25 and is applicable to a mail server used for routing email between mail servers.

There are several ways to check on the status of an online certificate, but some introduce privacy concerns. Consider how each of the following is structured and select the option with the best ability to hide the identity of the certificate requestor. ANSWER OCSP THE CORRECT ANSWER OCSP stapling CRL OCSP responder

WHAT YOU NEED TO KNOW Stapling addresses the privacy issues surrounding Online Status Certificate Protocol (OCSP) by having the SSL/TLS web server periodically obtain a time-stamped response from the Certificate Authority. Then, when a client submits an OCSP request, the web server returns the time-stamped response.An OCSP Responder accepts requests about certificates statuses. It is a server component of the public key infrastructure (PKI) that mainly solves scalability issues when it comes to the certificate revocation list for an Enterprise network.OCSP without stapling means the client contacts the OCSP responder directly.A CRL (Certificate revocation List) is a list of certificates that were revoked before their expiration date. It is published by the Certificate Authority, not requested by a client.

Network administrators perform maintenance work on layer 3 switches. The administrators use the local admin account as a normal process to update the switches. Coincidently, a third party auditor, inspecting the network, found the admin password in plaintext. Which of the following is most likely the cause of this? ANSWER Secure Shell (SSH) accessed the switches. The administrator wrote the password on a slip of paper. Data-at-rest encryption did not deploy. THE CORRECT ANSWER Telnet accessed the switches.

WHAT YOU NEED TO KNOW Switches are accessible using Telnet, which transmits all text, including passwords in plain view. Disabling Telnet is a regular security practice. The network was audited most likely using sniffing tools, such as tcpdump or tshark.SSH or secure shell, is a secure way of accessing a switch. This option does not send passwords in plaintext.Data-at-rest encryption always keeps data stored in a storage device encrypted, and decrypts the data as it leaves. This is not applicable in this case.Although it is possible the password is written on paper, the password was noticed during the network audit or scan.

What functionality does the Kerberos authentication system improve upon from Windows NT LAN Manager (NTLM) authentication to make it more secure? ANSWER Kerberos is backward-compatible with older systems, whereas NTLM is not Kerberos is better at authenticating workgroups (non-domain networks) THE CORRECT ANSWER Kerberos provides authentication to the Active Directory (AD), while NTLM only provides for client authentication Kerberos requires clients to re-authenticate multiple times, providing multiple layers of security

WHAT YOU NEED TO KNOW The Kerberos authentication method provides authentication to the Active Directory (AD), while NTLM only provides client authentication, leaving it vulnerable to man-in-the-middle and pass-the-hash attacks. NTLM also does not support biometric or token authentication, making it difficult to update to add security features.NTLMv2 should be used on non-domain networks (workgroups), as NTLM remains the only choice for workgroups at this time, and NTLMv2 provides better security than NTLM.Kerberos only requires clients to authenticate once- it is a single-sign on system. Once authenticated, a user is trusted by the system and doesn't need to continue to re-authenticate with different applications. Single sign-on helps mitigate problems created by clients keeping track of multiple passwords.NTLM is used on older systems. Kerberos is used as the default login provider for Windows 2000 and later, and is compatible with non-Windows operating systems.

An application utilizes NIST controls to focus on cybersecurity activties and risk. What type of framework does this suggest is in place? ANSWER International Industry-specific Regulatory THE CORRECT ANSWER National

WHAT YOU NEED TO KNOW The National Institute of Standards and Technology framework regulates the cybersecurity risks and activities in the United States. It is part of the U.S. Department of Commerce and considered a national framework.Regulatory frameworks are based on specific laws and regulations and ensure compliance of those standards. Medical records are governed by regulatory laws.Industry-specific frameworks are governed according to the type of product provided. Financial information (i.e. credit card, bank account) is covered under industry-specific standards.International frameworks are governed by international standards and are to be implemented globally versus nationally.

A new site includes a Windows domain controller, a DHCP (dynamic host configuration protocol) server, a Linux file server, and a Windows web server. An independent auditing team arrived to assess basic security guidelines and company policies. Today, the auditing team will perform the following tasks: (1) dynamically assign addresses on client Windows computers, and (2) verify installation of antivirus software. Which of these actions will provide any of the information needed for today's assessment? ANSWER Run ipconfig on the file server. Run ifconfig on the domain controller. THE CORRECT ANSWER Run ipconfig /all on a client computer. Run ifconfig -a on the file server.

WHAT YOU NEED TO KNOW The ipconfig /all is a Windows command. Running it on a client computer will output detailed network information for all connected network adapters. It will state if the address is dynamically assigned The ifconfig command is a Linux tool and will not work on a Windows domain controller. It will not show if an address is dynamically assigned. The ipconfig command is not able to run on the file server which has a Linux operating system. Running ipconfig without any switches will only show minimum network information. The ifconfig -a command is compatible with the Linux server, but it will not inform the admin if the address is dynamically assigned as an ipconfig /all command will do on a Windows system.

Users report they have lost access to the SharePoint site. It is completely inaccessible. There are no reports of power outages or network issues. The administrator enters username and password to login to vCenter and is unable to see virtual machines (VMs). Which of the following may resolve the administrator's issue? ANSWER Verify the users's permissions to their shares. Verify users' permissions to the SharePoint site. Have users restart their client computers. THE CORRECT ANSWER Verify roles and permissions in vCenter.

WHAT YOU NEED TO KNOW The issue is the inability to review the status of the SharePoint site that is a virtual machine (VM); however, the admin cannot see it. The vCenter roles and permissions will resolve the admins ability to see and manage VMs.Restarting a client computer is a common resolution for many issues. However, the issue is not isolated to a single client computer, since multiple users report the same issue.Permissions are not the immediate issue or may not be an issue at all, since the actual web page will not load into the browser, indicating an issue with the server itself.There are no reports of issues with user shares, so checking share permissions is irrelevant.

The Public Key Infrastructure (PKI) Trust Model shows how users and different Certificate Authorities (CAs) are able to trust one another. Consider the following statements to determine which is false. ANSWER The PKI Trust Model is a hierarchical model. Certificate chaining describes the process of tracing a leaf certificate back to the root CA. If a single CA issues certificates directly to users, it is the single point of failure because the entire PKI collapses if the CA is compromised. THE CORRECT ANSWER When the root CA issues certificates to several intermediate CAs, it is no longer the single point of failure.

WHAT YOU NEED TO KNOW The main weakness of a hierarchical trust model is the integrity of the root CA (Certificate Authority). Even though the root CA can "spread the risk" by issuing certificates to intermediate CAs, who can then issue certificates to users or other end-entities, it is still the single point of failure for the PKI structure.A single CA, which is also a root CA, is a single point of failure.Certificate chaining is the process of tracing a leaf certificate back to the root CA.The PKI (Public Key Infrastructure) Trust Model is a hierarchical model. The root CA issues certificates to several intermediate CAs. The intermediate CAs issue certificates to other end-entities.

A security incident occurs on a windows server. Network bandwidth is almost 100% utilized and network administrators point to network traffic coming from this windows server and an unknown computer. Before stopping the transfer, management asks to gather information about the IP (Internet protocol) address of the unknown computer and what the TCP (transmission control protocol)/UDP (user datagram protocol) port connects to. Which of the following actions provides the required information? ANSWER THE CORRECT ANSWER Run a netstat command on the server. Review the events from the NIDS. Run a tracert command on the server. Trace the network cable to the switch.

WHAT YOU NEED TO KNOW The netstat command allows you to check the state of ports on the local machine (Windows or Linux). You may also identify suspect remote connections to services and remote IP (Internet protocol) address. Tracing the network cable will provide only the location of the physical connection to the switch. Tracing all the way to the unknown computer is an inefficient use of time and effort. Unless the NIDS (network intrusion detection system) sees the connection as an incident, logs may not exist. Sifting through the data is time consuming. The tracert command probes the path from one end system to another, listing intermediate systems, such as routers. This tool is not useful without knowing the destination address.

What is the name of the infrastructure provisioned for open use by the general public? ANSWER Hybrid cloud Community cloud THE CORRECT ANSWER Public cloud Private cloud

WHAT YOU NEED TO KNOW The public cloud exists on the premises of the cloud provider. A service provider makes resources available to the general public over the internetA private cloud is defined as computing services offered either over the Internet or within a private internal network. Only certain authorized users can access a private cloud infrastructure.The hybrid cloud is an environment that uses a mix of public, community and private cloud concepts with a single management platform.A community cloud is a collaborative effort in which infrastructure is shared between several organizations that share a common interest.

A Microsoft Team Foundation patch is released and is ready for installation in the production environment. To maintain the application's integrity and to secure the baseline, the developer must examine this update before applying it to production. Which environment would be the MOST practical? ANSWER Staging THE CORRECT ANSWER Sandbox Development Production

WHAT YOU NEED TO KNOW The sandbox is an isolated environment that is often used for testing. Security, patches, and critical updates can be tested in a sandbox, without touching the system before implementation.The production environment is the final stage of the deployment effort. Testing in this environment would be too late given it is the operational environment.The Development environment is a place for creation. Requirements are turned into reality in this environment. It is not a complete copy of production but just the beginning of an application.The staging environment mimics that of production and allows for an environment to practice deployment. In the event deployment fails in this environment, it can roll back to the test and development environments.

What kind of virtualization runs directly on the system hardware without the need to run within the operating system? ANSWER THE CORRECT ANSWER Type 1 Hypervisor Type II Hypervisor Container VM Sprawl

WHAT YOU NEED TO KNOW Type I Hypervisors run directly on system hardware. They do not require operating system involvement. It is often referred to as "bare metal."Containers use the kernel as a host, but do not host an operating system. A container isolates and protects applications from other parts of the system.VM Sprawl is the effect of mismanaged Virtual Machines. If there are too many virtual machines running on a host, or the VMs are poorly updated, a VM Sprawl will occur.Type II Hypervisors run as host and require an operating system.

An attacker recently purchased a lot of misspelled domain names related to a bank, and starts hosting malware and adware, and begins launching pharming attacks from them. This is an example of what type of cybersquatting? ANSWER THE CORRECT ANSWER Uniform Resource Locator (URL) hijacking Domain hijacking Tasting Kiting

WHAT YOU NEED TO KNOW Uniform Resource Locator (URL) hijacking (typosquatting) relies on users navigating to misspelled domains. An attacker registers a domain name with a common misspelling of an existing domain. Users who misspell a URL in web browser, are taken to the attacker's website. Domain hijacking is a type of hijacking attack in which the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Kiting is the act of continually registering, deleting, and reregistering a name within the five-day grace period without having to pay for it. Tasting is a Domain Name Server (DNS) exploit that involves registering a domain temporarily to see how many hits it generates within the five-day grace period.

A security analyst reviews the employee click results of a monthly simulated phishing campaign scenario for the company. Why is this data important from a vulnerability perspective? ANSWER The data can reveal which employees violated the security policy. The data can reveal unlicensed software installs affecting integrity. The data can reveal the internal point-of-contact for whistleblowers. THE CORRECT ANSWER The data can reveal those untrained users who need security awareness training.

WHAT YOU NEED TO KNOW Untrained users represent a serious vulnerability, since they are susceptible to social engineering and malware attacks and may be careless when handling sensitive or confidential data. Unlicensed software installs affecting integrity exposes an organization to large fines and penalties. The Human Resources (HR) department is likely to be the internal point-of-contact for whistleblowers. A policy violation is an act that bypasses or goes against an organizational security policy. If the violation was accidental, there might be disciplinary action or simply a recommendation for re-training, depending on the seriousness of the violation. previous

A company obtains Personally Identifiable Information (PII) as part of their application process. The company's current infrastructure allows for virtual machines to share the same physical host storing the PII. What can the company implement to protect the PII and yet maintain the current infrastructure? ANSWER Implement a firewall THE CORRECT ANSWER Isolate the sensitive data using a VLAN Add an air gap Use a layer 2 switch

WHAT YOU NEED TO KNOW Virtual Local Area Networks (VLAN) can separate traffic on physical networks. A VLAN can separate traffic types using the current infrastructure.A firewall ensures only specific types of authorized traffic passes in and out of the host. Adding a firewall would change the infrastructure.An air gap would also change the infrastructure of the company by disconnecting part of the portion containing PII from the rest of the system,A layer 2 switch forwards broadcast traffic to all ports. Switches increase the efficiency of a network, but cannot isolate traffic.