Sec plus study sets


What could most easily be compromised by the mishandling of forensic material?

- Admissibility
Forensic material is only admissible in court if you can demonstrate that it was legally collected and unaltered until submission in court. Mishandling it at any point can prevent that. You must be able to document the provenance and chain of custody for all evidence.

A network technician has been asked to troubleshoot recently observed performance issues as well as the root cause of new alerts regarding network traffic anomalies. Which monitoring tool should the technician choose first to troubleshoot both problems?

- Bandwidth monitor
Bandwidth monitors examine traffic levels, either on the overall network or on specific devices and interfaces. They can be used to diagnose network performance problems or act as a side-channel to detect the effects of unexpected traffic.

Which part of the incident response process is represented by removing all but one data connection from an Ethernet switch, keeping only the compromised system attached?

- Containment
This method of containment may seem unorthodox, but some threats are able to detect when network access has been lost, triggering a detonation of their malicious payload. This method may be able to buy some time to save the infected system by leading the source of the threat to believe nothing has changed yet, possibly keeping it subdued as it prepares its action on objectives.

Concerning the rules of engagement of a penetration test, which statements accurately represent key concepts that should be covered? Each correct answer represents a complete solution. Choose three.
A - Duration and impact on operations
B - Testing targets, including personnel for social engineering
C - Communication expectations on the part of the teams
D - Blue team's knowledge of the exact red team TTP
E - Red team's pre-test knowledge of current vulnerabilities
F - Where the red team should send invoices when the engagement is complete

- Duration and impact on operations
- Testing targets, including personnel for social engineering
- Communication expectations on the part of the teams
Answers A, B, and C are correct. The rules of engagement (ROE) should include the total duration of the engagement and the acceptable impact on normal business operations, which often stems from the budget afforded for testing based on risk management decisions. The ROE should always specify testing targets, such as hosts, applications, networks, and business functions. If testing must include personnel-based vulnerabilities, the exact limits of such testing must be expressed with total clarity. The cost of remaining vague on this point can be a loss of morale among employees who are targeted for an assessment that can be perceived as personal. Communication is one of the most vital components of an assessment of this scale. Not only should the white or purple team monitor the level of communication between the red and blue teams, but there should be a clear directive for how to handle communications with parties who react to the test as if a real attack were underway. This may be to foster that belief or, conversely, to read new individuals in on the engagement that is taking place. Note that internal security forces and external law enforcement agencies should always be informed of the proposed testing unless, in rare cases, these forces are to be included in the assessment.
Answer D is incorrect. The precise tactics that the red team will use in the pentest are virtually never revealed to the blue team or anyone else. As long as the white team is confident that the red team has chosen such techniques and tactics based on the ROE, the details are quite often part of the red team's signature plan, or are perhaps partially unknown to all parties until opportunities resulting in new targets and methods, which must comply with the ROE, reveal themselves to the red team during their planned activities.
Answer E is incorrect. Within the context of white-, gray-, and black-box assessments of this type, which are within the scope of the ROE, knowledge of current vulnerabilities is not a topic of discussion. Instead, these related concepts refer to the knowledge, or lack of knowledge, of the target environment with regard to details that footprinting and fingerprinting techniques tend to reveal. In fact, discovering vulnerabilities is the objective of vulnerability assessments, which are often partially performed in the reconnaissance phase of penetration tests. Therefore, vulnerabilities are always considered unknown until the assessment uncovers them.
Answer F is incorrect. This is a detail for the statement of work and an official contract between the client being assessed and the external organization carrying out the assessment and, as such, will not appear in the ROE.

Which of the following terms refers to a technique in threat hunting that can be employed to better understand an active attack that appears to be leveraging a newly discovered threat by interacting with the threat agent?

- Maneuver
Maneuvering can refer to a constant adjustment of controls and tactics to counter the new and modified threats that ongoing threat intelligence reveals. The term can also evoke the idea of a defender engaging a threat actor as they attempt to outsmart them in an active attack based on a newly unleashed threat or a newly discovered active threat agent, each one attempting to evade detection by the other.

Which of the following is an example of a detective control?

- Motion sensor
Motion sensors detect the presence of personnel and are usually enabled during times when human traffic is prohibited or unexpected.

What kind of tool, often called a sniffer, is used to capture network traffic, allowing the operator to visualize the various processes involved in the communication?

- Protocol analyzer
Protocol analyzers are also known as packet analyzers because they capture and analyze network traffic, enabling you to examine the encapsulated protocols at each level of the network stack.

What XSS techniques don't require the attacker to store data on the target server? Each correct answer represents a complete solution. Choose two.
A - Persistent
B - Reflected
C - DOM-based
D - Injection
E - CSRF

- Reflected
- DOM-based
Answers B and C are correct. Reflected XSS attacks place the malicious script in a server request which will be displayed verbatim on a web page so that the browser will execute it. Examples include scripts placed in error messages or search results. DOM-based XSS attacks place scripts into the Document Object Model of the web browser, commonly through a malicious web link sent to the target.
Answer A is incorrect. Persistent XSS attacks upload a malicious script to the web server on a page that accepts user-submitted content. Examples include comment fields and message forums.
Answer E is incorrect. Cross-Site Request Forgery attacks are similar to XSS, but are not XSS attacks. In CSRF, client-side code controls a request made by the victim's browser to the target site, exploiting the site's trust in the victim. By contrast, XSS exploits the victim's browser's trust in the target site, executing scripts which appear to be from a trusted site.
Answer D is incorrect. Injection attacks are server-side attacks which force a server to execute commands or code which would normally not be directly available to the user. XSS attacks are client-side attacks which force code to execute in a victim's web browser.

Which of the following statements about environments for software development, deployment, and automation are correct?

- The QA environment is aimed less at testing for functionality than the other environments.
- Each environment has a distinct purpose in the process.
Development, test, QA, and staging environments all have different purposes in the development process. For instance, the QA environment, in particular, focuses on process management and stakeholder needs. Functionality and security should be verified in the test or staging environments, depending on what you need to know.

In terms of data governance policies, what is the relationship between the terms data custodian and data steward?

- The custodian is interested in the technical nature of data security, while the steward is focused on its value, usefulness, and compliance to standards.
Under the direction of the data owner, data custodians control user permissions to access data, implement security controls to keep it safe but available, log access to data, and produce reports for data owners. Data stewards ensure that data quality meets business and stakeholder needs, that it has sufficient metadata to make it easy to use, and that it meets all regulatory requirements.

Which of the following tools are used primarily to gather OSINT?

- TheHarvester
- Dnsenum
Dnsenum is a DNS harvesting tool that can locate all of an organization's DNS servers and records, while TheHarvester enumerates email accounts, employee names, and other information related to people.

The forensic specialist associated with your company's incident response team has requested the various dump files of a system for which you are the administrator. Why might the specialist request such files?

- To obtain a snapshot of the state of the system's RAM under one or more circumstances
Dump files are complete RAM contents saved to a file automatically, whether periodically or in response to an event, or upon the request of a privileged user. They are the best way to preserve volatile data stored in running applications and system processes and are a vital resource in the field of digital forensics.

Which of the following are best practice considerations when using fences as a security control?

- Use a material on top, such as barbed wire, to prevent or discourage climbing over.
- Consider emergency entry and escape when designing secure gates and fencing.
Barbed wire and spikes are examples of measures to deter climbing, and a secure gate or fence with no easy exit is a safety risk in case of fire or other emergencies.

What technology can be used to give users in one enterprise identity system access to resources of another enterprise without having associated user accounts established for them?

- A federation
A federation enables its members to share authentication standards whether or not they're directly associated with one another. If two enterprises join the same federation, one can authorize resource access for user accounts created by the other.

An administrator sets up a new virtualization server with virtual machines intended to run instances of a web-based application while following secure configuration guides from CIS for the operating system, hypervisor, webserver, and application server. What can the administrator use to confirm that all efforts to secure these components were successful or to find out what steps are recommended to bridge any gaps that might exist?

- A benchmark
In this context, a benchmark is a CIS-made secure configuration guide for a specific product. You can audit the new configuration against the benchmark, either manually or using an automated tool, such as the CIS Controls Assessment Specification (CAS).

What is an example of IP theft?

- A competitor's unauthorized use of your organization's original engineering documents
If your organization did not authorize the use of engineering documents that were internally produced, the competition can leverage that stolen intellectual property (IP) to gain an advantage over your company or to diminish your company's current advantage.

What is the main purpose of the CCM designed by the CSA?

- A framework for cloud computing security controls that mitigate the risks associated with the adoption of cloud computing technology
The non-profit Cloud Security Alliance (CSA) designed the Cloud Controls Matrix (CCM) as a standard list of security controls that cloud service consumers and providers can use to demonstrate and verify security features in cloud services.

If a password cracker is not in a particular hurry and wants to target a system with a very large number of user accounts and a policy that locks accounts after three failed login attempts, which attack has the best chance of succeeding to find even a single account to compromise?

- A password spraying attack
Password spraying targets many accounts at the same time by attempting to compromise one with a weak password. With just one or two attempts across a relatively large user base, the cracker may find one or more accounts that are not protected by strong passwords, limiting the likelihood of lockouts or administrator alerts. Performing the attack over a longer period of time can also avoid triggering intrusion detection systems in some cases. Stronger password policies make spraying attacks less effective.

Which of the following is an example of a corrective and compensating control?

- A tape disk backup system that a regulatory agency approved for use in lieu of a required fault-tolerance solution for a period not to exceed six months
Corrective controls minimize the harm caused by a threat, and compensating controls are equal or better alternatives used when the control mandated by policy or regulatory requirements is not feasible or requires a fallback. The ability to restore from backups allows the correction of data lost from a system failure; it is a compensating control because the regulatory agency approved it in lieu of the mandated fault tolerance solution as an equal or better control.

Which of the following statements about third-party risks is accurate?

- A third-party application begins to produce risk just by losing vendor support.
If the application vendor stops providing support, particularly for proprietary commercial software, the risk of using the application increases daily. Security flaws will not be fixed; other software, including new operating systems, might cause incompatibilities; and you'll have fewer options if you run into an application issue that you can't fix yourself.

You want to implement an access control model that lets you easily assign users to a combination of multiple roles, and also restrict access to some actions based on the time of day and physical location of the user. Which model is the best fit?

- ABAC
Attribute-based access control (ABAC) is a flexible add-on for other access-control models. Here, it is augmenting role-based access control (the other RBAC). Attributes can be any observable characteristic or measurable detail that can be used to establish a threshold beyond which access is denied, regardless of whether the companion access-control model approves access. For instance, if discretionary access control (DAC) approves a user's access to a system based on permissions associated with the user's account and group membership, the usual behavior would be to grant access to the user. However, if there is an impossible travel time test applied through ABAC, and the user logged out ten minutes ago from North America and is now trying to log in from Asia, the access control system would override the DAC-level approval and deny access based on the broken ABAC rule.

When performing a penetration test, how would OSINT be classified as a resource?

- As a form of passive reconnaissance
Open-source intelligence (OSINT) is information that can be gathered without creating identifying traffic that can be traced back to the observer, or by searching public sources that allow the requester to blend in with the crowd. This type of information gathering is the definition of passive reconnaissance.

A co-worker mentioned a utility called the Sleuth Kit, also known as TSK, saying that it's a great piece of software for storage forensics but that the command-line interface is a little tough to deal with, since they have never been great with scripting or CLIs in general. Which of the following is a graphical front-end for TSK that you should mention as an option, so your co-worker won't have to deal with the CLI as much?

- Autopsy
Answer D is correct. Autopsy is a free Windows program that packages the Sleuth Kit along with a graphical front-end. You can use it to create and extract data from forensic disk images.
Answer C is incorrect. An exploitation framework is a software package containing exploit modules for penetration testing. Some have graphical interfaces, but they are not intended for storage forensics.
Answer B is incorrect. WinHex is a disk and hex editor that allows you to perform storage and memory forensics. It has a GUI, but is not a front end for TSK or a direct replacement for its functions.
Answer A is incorrect. PowerShell is an advanced command shell for Windows systems. You can use its CLI to run programs and perform system tasks, but it is not a forensics utility or a GUI.

As a user, which of the following precautions is most likely to protect you from man-in-the-middle (on-path) attacks?

- Avoid connecting to open Wi-Fi routers
Insecure Wi-Fi connections allow an attacker to intercept and relay your communications, inserting themselves in the conversation without your knowledge. The encrypted communications of secure Wi-Fi connections make it more difficult for a local attacker to read, much less modify, your communications. However, as Layer 2 encryption, it will not protect you from attackers on remote segments of the path.

An organization chooses, among other competing options, to replace insecure legacy systems with newer ones that are compatible with modern digital security techniques and protocols. Which risk management strategy is being employed?

- Avoidance
By no longer using the legacy systems, the organization is choosing to avoid the risks associated with using systems that cannot be properly secured and that may serve as vectors for attacks on internal systems and other assets that would likely be secure in the absence of the legacy systems.

During a massive security-impacting incident that takes a critical system offline, which type of plan should be consulted to determine the correct procedure to minimize lost revenue until the system can be brought back online?

- BCP
A business continuity plan (BCP) is the most comprehensive sort of disaster-planning document and includes general procedures for maintaining or restoring service in the event of a disaster. It is often less focused on technical procedures than specific recovery plans, but it speaks to maintaining essential functions such as payroll and customer service.

What is the difference between a bluejacking and a bluesnarfing attack?

- Bluesnarfing involves data compromise.
Bluesnarfing attacks steal or compromise data on a target device, while bluejacking attacks simply send unsolicited messages. The difference means bluesnarfing has a much greater security impact; however, on modern devices it usually requires insecure pairing settings or social engineering.

Complex passwords that are combinations of upper and lower case letters, numbers, and special characters protect your system from which types of attacks?

- Brute force
- Dictionary

Which of the following are implicitly secure protocols that were created by adding SSL/TLS security to protocols that were insecure on their own? Each correct answer represents a complete solution. Choose three.
A - SSH
B - SFTP
C - SNMPv3
D - HTTPS
E - FTPS
F - SCP
G - slogin

- SNMPv3
- HTTPS
- FTPS
Answers C, D, and E are correct. FTP Secure (FTPS), HTTP Secure (HTTPS), and Simple Network Management Protocol version 3 (SNMPv3) all work by tunneling the corresponding older, insecure protocol over a TLS tunnel to provide full cryptographic security. They allow security to be added with minimal changes to client or server applications.
Answer B is incorrect. SSH File Transfer Protocol (SFTP) is a file transfer protocol which uses the Secure Shell (SSH) protocol to create a secure tunnel. It was designed as a secure replacement for FTP, but it is a separate protocol; it is not implemented by simply securing an insecure protocol, nor does it derive its security from SSL/TLS.
Answer A is incorrect. Secure Shell (SSH) is a protocol for secure remote login shells. It was designed to replace older insecure remote shells such as Telnet and rlogin, but it is a new protocol rather than an extension to them. SSH itself can also be used for secure file transfers or to create secure tunnels for other protocols.
Answer G is incorrect. In Linux, the secure login (slogin) function is part of the ssh command and is a secure replacement for the insecure remote login (rlogin) function, used for remote shell access.
Answer F is incorrect. Secure Copy Protocol (SCP) is an SSH-based replacement for the older and insecure Remote Copy Protocol (RCP). It duplicates RCP's functionality, but it's a separate protocol and not an extension.

Which mobile deployment model allows users to carry a single mobile device for business and personal use while allowing the enterprise to retain ownership of, and control over, the selection of devices on which support staff must be trained and skilled?

- COPE
In the Corporate Owned, Personally Enabled (COPE) model, devices are company-issued and supported, but employees can use them for personal purposes within guidelines set by the employer.

What is the industry term for a user-training method that pits teams against one another to see which one can most quickly and accurately accomplish the objectives of the competition?

- CTF
Capture the flag (CTF) exercises, a form of gamification, are highly effective in the realm of training cybersecurity professionals and for maintaining skills through practicing their use. The term originates with the outdoor version of the challenge in which two or more teams begin in different parts of the wilderness, for instance, and win when they progress physically to the camp of the competition and literally capture a flag or similar token of that camp's sovereignty.

While doing forensic investigation and gathering evidence, which of the following should you keep in mind?

- Classify available evidence according to its order of volatility.
You should classify available evidence according to its order of volatility. By collecting the most time-sensitive or easily changed evidence first, you minimize the chance of losing it.

Which policy is focused on preventing data loss?

- Clean desk policy
The clean desk policy governs both the employee's physical desk space and what can be accessed or seen openly on their computer screen. By minimizing what passersby can see freely, including what is written on office or cubicle dry erase boards and windows, private and sensitive information is less likely to be exfiltrated without detection.

Which automated application-development process primarily reduces manual requirements during the auditing process?

- Continuous validation
Continuous validation adds a validation package as an output to a CI/CD timeline. It contains evidence that mandated development practices were followed during the development process, reducing the need for manual auditing steps.

A host on the network is potentially infected with a novel virus, and you don't want it to spread while you study it. You've decided that network segmentation won't be effective enough and you'd prefer to isolate the host. Which of the following will best achieve that goal?

- Creating an air gap
An air gap is physical isolation from the network, such as by unplugging the host's network cable. It will prevent all network communications from the host to the local and outside networks, barring exotic and unusual methods.

Which of the following tools is used to sandbox suspected malware and report on what occurred during its execution?

- Cuckoo
Cuckoo Sandbox, or just plain Cuckoo, is a downloadable sandboxing utility. Although you could manually run an unfamiliar application in an isolated virtual machine to see what it does, Cuckoo will automate the process and report on the results, including the behavior of the suspected file.

Which of the following technologies helps to control what information can be exfiltrated from internal users and systems and what form such data can take?

- DLP
Data loss prevention (DLP) software uses rule-based controls to govern how and where controlled data can be viewed, copied, and transmitted. For instance, a DLP rule could prevent certain emails from being forwarded to outside parties, or prevent classified files from being copied to a removable drive or cloud service.

After a major outage caused by a meteorological event that affected Internet access and destroyed portions of the on-premises corporate data center, and after operations have been transferred to an offsite data center, which product of the BIA process should be consulted?

- Disaster recovery plan
The disaster recovery plan (DRP) outlines the steps and solutions involved in repairing damage from a disaster, natural or otherwise. Its use follows actions taken as part of the business continuity plan (BCP), which would have explained the process of moving operations to an alternate data center or a third-party provider of disaster recovery sites.

Which of the following are examples of password policies which were once against conventional wisdom, but are now recommended by NIST to reduce the likelihood of users forgetting their passwords or needing to write them down to remember them? Each correct answer represents a complete solution. Choose two.

- Do not require users to create complex passwords.
- Do not require passwords to be changed on a regular basis.
Password complexity requirements and scheduled password changes are both popular policies that can actually reduce security in practice. NIST now recommends checking passwords against known lists of weak passwords instead of enforcing complexity, and requiring passwords to be changed only when there is reason to believe they are compromised.

Which of the following factors has no effect on chain of custody, with regard to digital evidence that is presented to the court?

- Documentation of the presiding judge and opposing counsel
Chain of custody is the documentation of where, how, and by whom digital evidence was collected, as well as the series of custodians of that evidence as it was handed from person to person until it is turned over to the courts, regardless of the identities of the court officers.

Which of the following is an algorithm employed in asymmetric cryptography that uses newer complex mathematical approaches to create relatively short but very secure and high-performance keys?

- ECC
Elliptic curve cryptography (ECC) uses algorithms based on the difficulty of calculating specific properties of elliptic curves. ECC can provide security equivalent to asymmetric algorithms such as RSA and DSA, but with much shorter keys and higher performance. It's especially popular in power-limited embedded devices and applications where performance is a significant concern.

One server closet has particularly sensitive equipment that's suffering network-data loss from EMI caused by a nearby electrical motor. You can't move either the equipment or the motor, so what option might help?

- Faraday cage
A Faraday cage is an enclosure, most often constructed of a metallic mesh whose openings are smaller than the wavelength of the interfering electromagnetic waveform being excluded. By placing the EMI-sensitive equipment within the cage, the EMI should have virtually no effect on the equipment.

After finishing a full antimalware scan on all drives in a server, a technician is convinced an infection of some sort persists. Which of the following malware variants would have evaded the scan that was performed?

- Fileless virus
Scanning a drive for malware means that the filesystem was scanned, but not other resources like firmware or RAM. A fileless virus is loaded directly into memory and leaves no traces for a drive scan to find. The other options tend to establish persistence by installing files that can run each time the system boots and the OS loads.

Drag the digital certificate file format from the bottom up to the spot next to its description.

Following are the digital certificate file formats with their correct descriptions:
- DER: A binary file format found mainly in Java environments
- PEM: A very popular Base-64 ASCII-encoded file format
- PFX: The predecessor to PKCS #12, and compatible with it when the P12 naming is used
- .cer: Used to signify a file carrying just a single certificate
- P7B: A format for sharing and archiving certificates without the private key

What type of cryptography is most commonly used for secure password storage?

- Hashing
Hashing uses one-way functions that don't allow the original data to be recovered easily, but it's easy to compare another value to the original by comparing their hashes. A password stored as a hash instead of as plaintext is harder to steal from a compromised database, but typed passwords can be hashed the same way and then compared to the stored hash.

What is the best way to visualize the Wi-Fi channels being used in a facility, their signal strength, and how they overlap with one another?

- Heatmap
A heatmap is a visual map showing channels and their signal strength as potentially overlapping shapes on a facility floor map. You could use it to identify places with poor coverage or potential signal interference.

You're receiving many unauthorized network scans using methods carefully designed to bypass existing firewall rules. What device or feature would be the best way to recognize and block those scans?

- IPS
Intrusion prevention systems (IPSs) evaluate and allow or block traffic like firewalls, but they have rules focused on recognizing threat activity, such as attack signatures, non-standard use of protocols, or heuristic evaluation to detect unusual traffic. They are frequently configured to recognize and react to network scans.

As an organization becomes large enough that the scale of its systems and software begins to get out of hand, what is a form of external risk that can immediately produce insurmountable liabilities for the organization if not considered and addressed up front?

Licensing Software licensing violations are common and extremely expensive. There is no official grace period for licensing violations, so the risk from legal action brought by external organizations begins the moment the violation occurs. Depending on the size of the infraction, the penalty could easily exceed the value of the business and the organization's ability to settle the monetary obligations that ensue.

What could you use to help with building a specific and detailed defense methodology against the recent attacks on your corporate network that rely on various forms of privilege escalation for success? You are looking for information on the nature of the attacks and how to detect them to be sure you are attempting to defend against the correct threat, in addition to actual mitigation techniques and advice.

MITRE ATT&CK Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a useful knowledge base of common, known tactics, techniques, and procedures (TTPs) used by attackers. You could consult its matrices to look for privilege escalation techniques and then research the variants used against your network in more detail. You could even learn which threat actors are known to use them.

What technology uses the TPM to store hashes of signed boot files for comparison the next time the system boots and for export in a quote for remote attestation?

Measured boot Measured boot technologies detect changes in boot files and configuration by storing hashes securely in the trusted platform module (TPM) and comparing them to subsequent boots. The results can be sent to a remote attestation server.

During a discussion of user account policies, someone suggests lowering the account-lockout threshold on the Windows domain. What would be the net effect of this change?

More security and less convenience for users The account-lockout threshold is defined, in its most basic sense, as the number of unsuccessful login attempts at which the associated account is locked for a period of time or until an administrator unlocks it. One of the most common thresholds is three attempts. By lowering this threshold, attackers have fewer chances to brute-force their way into a system using a particular account. However, authorized users occasionally enter the wrong credentials innocently. Lowering the threshold would lead to more legitimate users being locked out of their own accounts. This inconvenience may be deemed acceptable or necessary by security policymakers in order to minimize the effectiveness of online password-cracking attempts.

Which kind of attacker is an APT most commonly associated with?

Nation states Nation states are the most likely sources of advanced persistent threats (APTs) because they have time, manpower, and resources to engage in long-term attack campaigns.

Which aspect of digital forensics is most concerned with the definitive and indisputable identification of the source of admissible evidence?

Non-repudiation Non-repudiation guarantees the ability to identify the originator of the creation, communication, or other production or delivery of digital information, removing the ability of the source to deny such origination or to be denied as the originator.

After a security incident, you rush to take a screenshot of a telltale running process before you leisurely take a backup of suspicious files on the hard drive. What forensic principle are you exercising?

Order of volatility Collecting data from more volatile and easily changed locations first prevents it from being lost while you collect less volatile evidence. If you backed up the hard drive first, the process might stop running before the backup completes.

Which of the following is the most serious concern when rebuilding the content of a failed RAID drive from parity?

Other drives in the array may fail. Rebuilding a RAID array puts stress on the remaining disks and can cause them to fail as well. RAID 6 is more secure than RAID 5 because the second parity disk means you can have two failures without losing data.

What kind of security training is most important for a company executive?

Overall awareness of the organization's assets and threats to them Executives are focused primarily on corporate vision and the overall needs of the company; they usually delegate technical decisions and tasks. The most important security training for them is to identify the company's assets, the general classes of threats that can affect them, and the types of security controls that can protect them. Once they understand the nature and importance of cybersecurity, they can provide oversight, guidance, and policy clarification for the security professionals who will create and implement detailed security plans.

With respect to digital forensics, what common goal do video and hashing share?

Provenance Provenance is the demonstration of the origin and history of a piece of evidence. Recording the collection and preservation of evidence on video documents its authenticity, while recording hashes of digital evidence allows you to later prove that the evidence has not been altered since its collection.

Which privacy-enhancing technology performs a reversible substitution of PII, storing the private data elsewhere, reducing the likelihood that a breach of the records containing the non-private substituted information will lead to legal jeopardy for the organization entrusted with the PII?

Pseudo-anonymization

Which of the following RAID levels does not use disk striping to increase performance over the alternative?
A. RAID 1
B. RAID 0
C. RAID 5
D. RAID 10

RAID 1 Answer A is correct. RAID 1 employs disk mirroring, in which all data is written in identical format to two or more separate disks, so that if one fails the other remains intact. Although RAID 1 technically separates the data it stores on the disks into blocks in the same manner that disk striping does, RAID 1 uses exactly two disks to provide strict redundancy between the two disks. Because the same information is saved to the identical block location on both disks, there is no performance advantage to the array the way there is when disk striping results in different data populating the same block location on each drive, as in RAID levels 0, 5, and 10, among others. As with RAID levels that benefit in performance from disk striping, the space used for RAID 1 on each of the two disks must be of equal size. Therefore, the advantage of RAID 1 is absolute 1:1 redundancy with relatively simple configuration. Its primary disadvantage is that you must purchase exactly twice as much storage as will be used for unique content, which results in 50% space efficiency.

Answer B is incorrect. RAID 0 employs disk striping exclusively for its performance advantage. Sequential RAID 0 blocks are spread across two or more disks in stripes, so that read and write operations are performed in parallel across all drives in the array simultaneously. The result is a much higher transfer speed than a single drive, and even other RAID levels, can offer; however, it offers no data redundancy. In fact, the failure of any drive in the array causes all data to be lost, so it's statistically less secure than storing data on a single drive.

Answer C is incorrect. RAID 5 uses block-level striping to spread read and write operations across three or more disks. It provides redundancy by creating one parity block from the data in each stripe and storing the parity block on one of the disks in the array, a different disk for each consecutive stripe until all disks have been used, followed by starting the cycle over again with the first disk. If one disk in the array fails, its contents can be restored from the parity data for stripes with a data block on the failed disk, in real time for data requests until the array is rebuilt, as well as permanently by replacing the failed disk and rebuilding the array. Striping allows it to use disk space more efficiently than RAID 1 but less efficiently than RAID 0; the parity process reduces performance in comparison to RAID 0, but striping ensures increased performance over that of RAID 1.

Answer D is incorrect. RAID 10 (RAID 1+0) is a nested RAID level which combines the striping of RAID 0 and the mirroring of RAID 1. It consists of two or more RAID 1 arrays, each containing two mirrored disks. Each RAID 1 set is then treated as one disk in an overarching RAID 0 array, with data striped from one RAID 1 set to the next. RAID 10 requires at least four drives and, as a hybrid of RAID 1 and RAID 0, exhibits features of both RAID levels for which it is named. As such, RAID 10 provides the high throughput and low latency of RAID 0, so it's popular for high-performance applications such as database servers. Additionally, RAID 10 shares 1:1 redundancy and 50% space efficiency with RAID 1.

Which of the following statements about incident response is most accurate?

Recommended controls serve to help in preparation for potential incidents. The preparation phase of the incident response process is the time to use appropriate security controls to mitigate known risks that the organization chooses to address. With the right controls in place, if the incident is not prevented, it may at least be minimized, and the response team can often use logs and behavior of the controls to inform the process of identifying the root cause of the incident and begin the remainder of the response process in earnest. This is also the time to engage the team in training and practicing the skills that will be required to complete each pre- or post-incident phase of the process in the least amount of time and with the highest level of effectiveness.

Your company has long maintained an email server, but it's insecure and unreliable. As a solution, you're considering outsourcing email to an external company that provides secure cloud-based email services. What risk management strategy are you employing?

Risk transference Risk transference hands some or all of the risk of loss associated with a behavior to another party.

What account-policy term accounts for not allowing the same account to log in from two separate geographical locations in less time than it would take to travel between them?

Risky login Risky login rules account for the possibility that a sign-in attempt comes from someone other than the account owner. One example is the use of impossible-travel time rules to recognize login attempts from two different physical locations, with too little time in between for the user to have traveled from one to the other.

What is the difference between a playbook and a runbook?

Runbooks contain conditional steps for clearly defined processes, while playbooks are more broad and procedural, often containing multiple runbooks. Runbooks are used for clearly defined, easily automated processes such as log review, vulnerability scanning, or response to a specific incident type. Playbooks are looser workflows or checklists that focus more on assisting security analysts in processes requiring human decision-making. A runbook might be one defined section within a playbook, and multiple runbooks can appear wherever necessary within the playbook to ease the manual effort required of humans.

Which wireless networking technology brings additional security to PSK modes without invoking additional ciphers or AAA servers?

SAE Simultaneous Authentication of Equals (SAE) is a new authentication method included with WPA3-Personal. The shared password is never exposed on the network, even in hashed form, nor is it used directly in key generation. That change improves security relative to WPA2.

You've been asked to consult on security for an application that's designed to interoperate with Google and Salesforce SSO systems. What protocol should you study first?

SAML Security Assertion Markup Language (SAML) is an XML-based standard used for single sign-on (SSO) in many web applications using federated-identity environments, including Salesforce and Google.

How is ALE computed?

SLE × ARO In a quantitative risk assessment, the annual loss expectancy (ALE) is the total cost per year you can expect from the threat. In other words, it's the single loss expectancy (SLE) times the annual rate of occurrence (ARO).

What organization or cybersecurity framework specifies the Service Organization Control 2 (SOC 2) Type I and Type II IT-security reports, which focus on security, confidentiality, privacy, integrity, and availability when storing and processing customer data, and which must themselves be treated as highly confidential?

SSAE The Statements on Standards for Attestation Engagements (SSAE) auditing specifications from the American Institute of Certified Public Accountants (AICPA) offer service providers, especially CSPs, an avenue to certify against a set of professional auditing standards that assure their clients, through various levels of reporting, that the provider initially met the requirements of the standard and continues to do so from one auditing period to the next.

Your organization has decided to outsource several IT services to a cloud provider. They're hosted outside your enterprise network, but you want to centrally manage all authentication, encryption, activity logging, and other security policies for connections between local computers and the cloud and would like to keep this management and control internal to your organization. What security solution would address these issues?

Security broker Answer D is correct. The security broker in this instance will be a Cloud Access Security Broker (CASB). As stated in the question, a CASB is instrumental in allowing an enterprise to centrally apply its security policies to all cloud access from the enterprise network. Features can include security policies, access control rules, access auditing, data encryption and tokenization, malware detection, threat analytics, and DLP rules.

Answer A is incorrect. On-premises policies work to secure on-premises resources and assets. It sounds as if there may be a mixture of on-premises and cloud services in this scenario. One thing is certain: there will be cloud services to consider, which cannot be done with on-premises policies. The mixture of services requires a mixture of policies.

Answer B is incorrect. Although a private cloud deployment does add a modicum of security through isolation of services for the express use of a single enterprise consumer, all of the management and monitoring mentioned does not come standard with any deployment model.

Answer C is incorrect. Security as a Service (SECaaS) provides everything offered by a CASB. However, the management of these controls is part of the "as a Service" concept. If your organization would like to keep this managerial control in-house, SECaaS would not be the right solution.

What kind of attack is most likely when you're doing sensitive work on your laptop at a coffee shop?

Shoulder surfing Watching someone who is viewing or entering sensitive information, or eavesdropping on confidential conversations, is called shoulder surfing. While it can be literally over the shoulder, people have been caught using binoculars or hidden cameras to steal passwords or ATM PINs. Shoulder surfing is an especial danger for employees doing work-related communications on mobile devices in public places. Still, it's a risk whenever guests or visitors are in the office, or when a malicious employee wants to learn something from a coworker with more system access.

What security control might have a positive effect on security in one context and a negative effect when employed in a context outside of use as a security control?

Signage Signage can be a useful deterrent control, but it can also harm security by giving useful information to an intruder. For instance, a sign indicating a restricted area will deter casual intruders and allow security controls to focus on more determined intruders. On the other hand, signage showing the locations of valuable assets, even if useful for authorized personnel navigating a large facility, can show intruders where to break in.

What class of attacks are access control vestibules designed to mitigate?

Social engineering Both tailgating and piggybacking are forms of social engineering in which a person without access credentials gets through a secure entryway by tagging along with a group or getting someone to hold the door. Access control vestibules, or mantraps, require that the outermost entryway be locked before the next door in series inward can be opened, and that the next door be opened and closed before the entryway can be reopened for the next person, raising personnel awareness of such manipulative access. In more secure environments, these vestibules are continuously monitored by security personnel to make sure there is no attempted or realized abuse of the system. Fully automated, highly secure mantraps are produced with card access, for instance, to establish identity through possession to open the first door, and biometrics to confirm identity through inherence to open the second door. Sensors can be present in these vestibules to detect whether more than one person has entered. If so, the first door opens again, and all occupants are directed to exit the way they entered, requiring that they start over, one at a time.

Which of the following is a risk associated with storing data with a cloud provider vs. storing the same data on-premises?

Sovereignty Data sovereignty is a principle that states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed. Many cloud providers maintain data centers throughout the world. Doing so can offer customers from many locales faster access to their own data stored in the cloud. It can also allow the provider cost-saving options when customers choose subscriptions at cheaper storage rates and allow the provider to choose the details surrounding that storage. Unfortunately, subscribers can be surprised when their strongly encrypted data is confiscated by the hosting country's government under suspicion of clandestine operations being carried out under the cloak of data secrecy. The subscriber should know the details of their subscription agreement and pay for a plan that allows them to specify the country and locale for the storage they intend to use for encrypted content.

Several co-workers in the sales department received an email claiming to be from you. Each message was personally addressed and contained a link to a "test site" and a request to log in with standard user credentials. You never sent it, and on examination, the supposed test site is a phishing scam. Exactly what variant of phishing is this?

Spear-phishing Typical phishing attacks are sent blindly to a long mailing list in hopes that someone will respond. By contrast, spear-phishing sends tailored content to a specific person or group of people—most commonly employees or customers of a specific company. A message claiming to be from an actual person in HR or customer service is more likely to get a response than a cold request to random people. It's even more convincing when it contains other personal or professional information previously acquired by the attacker. Carefully targeted spear-phishing by well-informed attackers is an increasingly common and dangerous attack.

Which of the following statements concerning Syslog and SIEM is most accurate?

Syslog offers central log collection; SIEM draws upon those log entries for analysis. Although Syslog is an older concept than security information and event management (SIEM), both technologies focus on log entries in different ways. While Syslog offers the centralized collection and retention of log entries across an entire enterprise, SIEM collects these entries as well as other entries directly from components that do not support communication with Syslog services, a process referred to as aggregation. SIEM then correlates the aggregated entries, which includes deduplication of redundant entries and their metadata, normalization of timestamps, and analysis of all entries, providing long-term retention for them as well. The resulting SIEM reports can be used as they are or can be adapted for any intended audience. SIEM's comprehensive coverage enables it to discover trends across the entire enterprise that human observers could perceive as one or more unrelated, innocuous events.

Which functions are performed by the Kerberos KDC?

TGT; Authentication service The Kerberos KDC performs the functions of authenticating the principal and supplying the principal with a Ticket Granting Ticket (TGT). The principal returns the TGT to the KDC in its function as the Ticket Granting Service (TGS), and the KDC sends the principal a service ticket in return for use with the resource server. Serving the resource itself is not a function provided by the KDC.

You were told to set up a "structured walkthrough" of a disaster recovery plan, but that terminology isn't in the procedures manual. What other term should you look for?

Tabletop exercise In a structured walkthrough, the team gathers together physically or virtually to review a business continuity plan (BCP) or disaster recovery plan (DRP) and then walk through a theoretical disaster step by step. Tabletop exercises are a good way to identify missing steps or oversights and then assign responsibility to participants or other personnel to bridge the gaps that have been identified.

Drag each ISO 27K and 31K cybersecurity or risk-management framework standard on the left to its corresponding description on the right.

The correct associations are as follows:
27001: Details the steps to implement a compliant information security management system (ISMS)
27002: Defines the various security controls in greater detail
27701: Focuses on personal data and privacy
31000: A framework for enterprise risk management

What data management model assists professionals in decision making with regard to the creation of policy based on the convergence of data security and privacy, focusing on such aspects as to how it's attained and classified, how it's used and stored, and how it's archived and destroyed?

The information life cycle The information life cycle (ILC) is a general model that can be implemented in a variety of ways, but most implementations share the four basic phases: creation/acquisition, which covers the classification and tagging of information as it is created internally or acquired from a third party; use/storage, focusing on least privilege, encryption in transit and at rest, and alternative storage, such as removable and cloud; retention/archiving, answering the questions of how long data will be kept after it is no longer useful and how it will be stored and protected; and wiping/disposal, which treats the concerns over how to avoid leaving any sort of data remnants that can be compromised in the same way that the original data could have been when it was still in use.

A manufacturer that relies on purchasing various components for the fabrication of their finished products made the decision to work only with suppliers that use a particular blockchain solution to track individual items along the supply chain. What is the key feature of a private blockchain that assures the manufacturer that the status transformation of any given component along its journey cannot be forged or corrupted, ensuring all status updates are verified accurately?

The public ledger The blockchain is, in its simplest description, a distributed and immutable public ledger. Blockchain transactions all use digital signatures and hashes based on previous transactions in the chain, so altering any transaction requires altering all subsequent transactions, which in turn requires the consensus of a majority of nodes in the network. However, any user can view and verify a transaction, thus adding security through integrity to the entire system.

In order to get a better mental picture of the operating environment of a critical enterprise server, you perform a manual review of three separate lists labeled System, Application, and Security. What is the purpose of these lists that you have decided to review in this way?

They are log files that you can use to inspect the various severity levels of the entries as well as their attributable sources. These are the names of the primary types of logs visible in Event Viewer on Microsoft Windows operating systems.

Which of these factors or methods best ensures the orderly correlation of events that occurred across many systems all around the world?

Timestamps Timestamps on log entries enable their timing to be compared not only with other events on the same system, but with events on all systems throughout the network.

If a policy requires regular password changes, why would you set a minimum password age?

To keep users from bypassing history requirements Without a minimum password age, some users will change their password several times until the password-history settings allow them to return to their original, familiar password. Doing so defeats the benefit of regular password changes. Minimum password-age policies make that strategy take too long to be very appealing.

A user complains that after entering a URL into a browser, what appeared to be the correct page is displayed in the browser. However, after clicking a few links on the page, it became obvious that the site the user arrived at was not the correct site, but instead a malicious copy of the site the user intended to visit. Which of the following attacks did the user most likely fall prey to?

Typosquatting A typosquatting attack is one in which the perpetrator registers a domain that is almost identical to a reputable or popular domain. Whenever a user commits a typographical error while attempting to enter a URL into the address field of a browser that contains the legitimate domain name, entering instead the attacker's domain name, the user is presented the malicious webpage in lieu of the legitimate page.

What tool or technique might a pentester use to surveil the physical features of a target?

UAV An unmanned aerial vehicle (UAV), or drone, is capable of performing active physical reconnaissance on the external physical structure of a testing target. It is also conceivable that a legitimately operated drone with a wireless transmitter could be compromised in such a way that the attacker is not detected as they tap into and receive the drone's camera feed, arguably resulting in a form of passive reconnaissance of the same target due to the lack of risk of launch detection.

Which of the following is an accurate characteristic of virtual private networks (VPNs) or their features?

VPNs offer secure communications over wired and wireless networks alike. A VPN provides an authenticated, encrypted tunnel between two points, such as a client to a network or a LAN and another LAN. The tunnel itself can operate over wired or wireless networks, and over a larger enterprise network or the public Internet.

Your company rents a spare server room in a secondary location. It has all the necessary hardware, software, and network services, so you can power everything up, staff it, and load backups of your production environment before taking over. What is this scenario referring to?

Warm site A warm site is any sort of alternate site that has some hardware and software resources on hand, but isn't immediately ready to take over operations because current data backups would need to be restored before taking over operations. If you kept the alternate site powered on with synchronized data it would be a hot site instead and would also be more expensive to maintain. In disaster recovery (DR) terms, warm sites meet low-to-medium recovery time objectives (RTOs) and recovery point objectives (RPOs), or the amount of lost content that cannot be restored or recovered.

A co-worker issued the tcpdump udp -w example.pcapng command. You received an email on your Windows system with the example.pcapng file attached. Trusting the source and understanding the behavior of .pcapng files, you chose to double-click the attachment to open the file. What most likely happened next?

Wireshark opened with the UDP datagrams captured in the example.pcapng file displayed in the packet list pane. The tcpdump command captured UDP packets and saved (-w means write to the following file) them in a Wireshark-compatible file.

A user is having difficulty accessing the Internet. After a bit of investigating, you find there are more users who are having problems. You determine that all of the affected systems are on a set of subnets that use the same pair of DNS servers. Users whose systems do not use those DNS servers have no trouble accessing the Internet as they normally do. You want to query a public DNS server from the same subnet having issues for an FQDN that the user's system failed to resolve. Which CLI tools could you use to accomplish this goal?

dig; nslookup The nslookup command is the basic TCP/IP tool used to perform manual DNS queries in Windows and Linux. The dig command is a similar Linux tool with more advanced functions.

Which tool allows you to see the log entries that have been created on the local system and output them to one of a variety of standard log formats?

journalctl The journald daemon stores logs for the Linux systemd software suite in a binary format that is not directly readable by humans. The journalctl command-line utility can be used to access those logs and output them in standard, readable formats, such as JSON.

An attacker with a fraudulent certificate for your bank is planning to intercept your transactions in an on-path (MitM) attack. The certificate hasn't been revoked yet, but what technology could still let you know something is wrong?

Key pinning Key pinning is a technique in which clients store a copy or hash of a known certificate or public key. Then, on each new connection, the browser verifies the certificate offered by the server against its stored copy, so any change to the certificate is detected. In this case, key pinning would identify the fraudulent certificate as different from your bank's usual certificate.
