Security (CompTia) +

An engineer plans to acquire data from a disk. The disk is connected to the forensics workstation and is ready for the engineer. Which steps indicate a correct order of acquisition as they relate to integrity and non-repudiation? a). - 1. A hash of the disk is made 2. A bit-by-bit copy is made 3. A second hash is made 4. A copy is made of the reference image b). - 1. A hash of the disk is made 2. A copy is made of the reference image 3. A second hash is made 4. A bit-by-bit copy is made c). - 1. A copy is made of the reference image 2. A hash of the disk is made 3. A bit-by-bit copy is made 4. A second hash is made d). - 1. A copy is made of the reference image 2. A bit-by-bit copy is made 3. A hash of the disk is made 4. A second hash is made

a). - 1. A hash of the disk is made 2. A bit-by-bit copy is made 3. A second hash is made 4. A copy is made of the reference image In the correct first step, the engineer makes a cryptographic hash of the disk media, using either the MD5 or SHA hashing function. The output of the function is a checksum. In the correct second step, the engineer makes a bit-by-bit copy of the media using the imaging utility. In the correct third step, the engineer then makes a second hash of the image, which should match the original hash of the media. In the correct fourth step, the engineer makes a copy of the reference image and then validates it again by the checksum. The engineer then performs an analysis on the copy.

A Certificate Revocation List (CRL) has a publish period set to 24 hours. Based on the normal procedures for a CRL, what is the most applicable validity period for this certificate? a). 26 hours b). 1 hour c). 23 hours d). 72 hours

a). 26 hours One or two hours over the publish period is considered normal thus making 26 hours within the window. The validity period is the period during which the CRL is considered authoritative. This is usually a bit longer than the publish period, giving a short window to update and keep the CRL authoritative. The validity period would not be less than the publish period as it would make the CRL nonauthoritative prior to the next publishing. If the validity period was set to 72 hours this would be much too long after the publish period. The CRL would be published two additional times prior to the validity period ending.

Which of the following statements summarizes a disadvantage to performing an active vulnerability scan? (Select all that apply.) a). Active scanning consumes more network bandwidth. b). Active scanning runs the risk of causing an outage. c). Active scanning will identify all of a system's known vulnerabilities. d). Active scanning techniques do not use system login.

a). Active scanning consumes more network bandwidth. b). Active scanning runs the risk of causing an outage. Scan intrusiveness is a measure of how much the scanner interacts with the target. Active scanning consumes more network bandwidth than passive scanning. Active scanning means probing the device's configuration using some type of network connection with the target. This type of scanning runs the risk of crashing the target of the scan or causing some other sort of outage. Active scanning has the possibility of failing due to any security settings that may prevent certain scans. A non-credentialed scan proceeds by directing test packets at a host without being able to log on to the OS or application. A non-credentialed scan provides a view of what the host exposes to an unprivileged user on the network.

Analyze the features of behavioral technologies for authentication, and choose the statements that accurately depict this type of biometric authentication. (Select all that apply.) a). Behavioral technologies are cheap to implement, but have a higher error rate than other technologies. b). Signature recognition is popular within this technology because everyone has a unique signature that is difficult to replicate. c). Obtaining a voice recognition template for behavioral technologies is rather easy and can be obtained quickly. d). Behavior technologies may use typing as a template, which matches the speed and pattern of a user's input of a passphrase.

a). Behavioral technologies are cheap to implement, but have a higher error rate than other technologies. d). Behavior technologies may use typing as a template, which matches the speed and pattern of a user's input of a passphrase. Behavioral technologies are sometimes classified as "something you do." These technologies often have a lower cost to implement than other types of biometric cryptosystems, but they have a higher error rate. Typing is used as a behavioral technology, and the template is based on the speed and pattern of a user's input of a passphrase. Signature recognition is not based on the actual signature due to it being easy to replicate. Instead, it is based on the process of applying a signature such as stroke, speed, and pressure of the stylus. Obtaining a voice recognition template is not a fast process, and can be difficult. Background noise and other environmental factors can also interfere with authentication.

The IT department head returns from an industry conference feeling inspired by a presentation on the topic of cybersecurity frameworks. A meeting is scheduled with IT staff to brainstorm ideas for deploying security controls by category and function throughout the organization. Which of the following ideas are consistent with industry definitions? (Select all that apply.) a). Deploy a technical control to enforce network access policies. b). Deploy an operational control to monitor compliance with external regulations. c). Schedule quarterly security awareness workshops as a preventive control to prevent social engineering attacks. d). Deploy a restore from backup following an attack to eliminate or mitigate the attack's impact

a). Deploy a technical control to enforce network access policies. c). Schedule quarterly security awareness workshops as a preventive control to prevent social engineering attacks. d). Deploy a restore from backup following an attack to eliminate or mitigate the attack's impact A technical control is enforced by computer hardware and software, such as an access control list (ACL) configured on a network firewall. Monitoring of risk and compliance is a type of managerial control, not an operational control. Operational controls are categorized as those performed by people, such as security guards. A preventive control such as user education and training is one that eliminates or reduces the likelihood of an attack before it can take place. A corrective control such as backup is used following an attack to eliminate or mitigate its impact.

A security administrator employs a security method that can operate at layer 3 of the OSI model. Which of the following secure communication methods could the security administrator be using?(Select all that apply.) a). ESP b). AH c). TLS d). IKE

a). ESP b). AH Encapsulation Security Payload (ESP) provides confidentiality and/or authentication and integrity. ESP is one of the two core protocols of IPsec. AH is another core protocol of IPsec. The Authentication Header (AH) protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an Integrity Check Value (ICV). Transport Layer Security is applied at the application level, either by using a separate secure port or by using commands in the application protocol to negotiate a secure connection. The Internet Key Exchange (IKE) protocol handles authentication and key exchange, referred to as Security Associations (SA).

A user presents a smart card to gain access to a building. Authentication is handled through integration to a Windows server that's acting as a certificate authority on the network. Review the security processes and conclude which are valid when using Kerberos authentication. (Select all that apply.) a). Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request. b). The smart card generates a one-time use Ticket Granting Service (TGS) session key and certificate. c). The Authentication Server (AS) trusts the user's certificate as it was issued by a local certification authority. d). The Authentication Server (AS) is able to decrypt the request because it has a matching certificate.

a). Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request. c). The Authentication Server (AS) trusts the user's certificate as it was issued by a local certification authority. Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request to an Authentication Server (AS). The AS can place trust when the user's certificate is issued by a local or third-party root certification authority. An AS responds with a TGT and Ticket Granting Service (TGS) session key, not the smart card. An AS would be able to decrypt the request because it has a matching public key and trusts the user's smart-card certificate.

Identify the attack that can launch by running software against the CAM table on the same switch as the target. a). MAC flooding b). MAC spoofing c). ARP poisoning attack d). LLMNR

a). MAC flooding MAC flooding is a variation of an ARP poisoning attack. While ARP poisoning is directed at hosts, MAC flooding is used to attack a switch. MAC spoofing changes the MAC address configured on an adapted interface or asserts the use of an arbitrary MAC address. It is simple to override a MAC address in software via OS commands, alterations to the network driver configuration, or using packet crafting software. An ARP poisoning attack broadcasts unsolicited ARP reply packets. A sophisticated ARP attack can launch by running software such as Dsniff or Ettercap. LLMNR is a name resolution services used in a Windows environment to resolve network addresses. Responder is an on-path type tool that can be used to exploit name resolution on a Windows network.

A networking administrator is reviewing available security products to further fine-tune the existing firewall and appliance settings. An administrator should analyze which system logs in order to tune firewall rulesets and remove or block suspect hosts and processes from the network? a). Network-based intrusion detection system (NIDS) b). Unified threat management (UTM) product c). Network-based intrusion prevention system (IPS) d). Network behavior and anomaly detection (NBAD) product

a). Network-based intrusion detection system (NDIS) Analyzing NIDS logs allows an administrator to tune firewall rulesets, remove or block suspect hosts and processes from the network, or deploy additional security controls to mitigate any identified threats. A Unified threat management (UTM) product centralizes many types of security controls into a single appliance. A UTM might not perform as well as software or a device with a single dedicated security function. Intrusion Prevention System (IPS) differs from NIDS as it can provide an active response to any network threats that it matches, rather than just alerting the administrator. For example, an IPS might block traffic from a specific IP address that is known to be malicious. An NBAD engine uses heuristics to generate a statistical model baseline normal traffic. The system generates false positives and false negatives until it improves its statistical model of what is "normal."

When using a digital envelope to exchange key information, the use of what key agreement mitigates the risk inherent in the Rivest-Shamir-Adleman (RSA) algorithm, and by what means? a). Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key. b). The Cipher Block Chaining (CBC) key agreement mode uses an initialization vector (IV) to create ephemeral session keys without using the server's private key. c). Counter mode in key agreement makes the advanced encryption standard (AES) algorithm work as a stream cipher, by applying an initialization vector to issue a security certificate. d). A certificate authority (CA) validates the public key's owner and creates an initialization vector to protect the exchange from snooping.

a). Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key. Perfect forward secrecy (PFS) mitigates the risk from RSA key exchange, using Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key. Modes of operation refer to AES use in a cipher suite. Cipher Block Chaining (CBC) mode applies an initialization vector (IV) to a chain of plaintext data and uses padding to fill out blocks of data. Counter mode makes the AES algorithm work as a stream cipher. Each block of data can be processed individually and in parallel, improving performance. A certificate authority (CA), validates the owner of a public key, issuing a signed certificate. The process of issuing and verifying certificates is called public key infrastructure (PKI).

Consider the role trust plays in federated identity management and determine which models rely on networks to establish trust relationships. (Select all that apply.) a). SAML b). OAuth c). OpenID d). LDAP

a). SAML b). OAuth c). OpenID Security Assertion Markup Language (SAML) is an identity federation format used to exchange authentication information between the principal, the service provider, and the identity provider. Authentication and authorization for a RESTful API is often implemented using the Open Authorization (OAuth) protocol. OpenID is an identity federation method enabling users authentication on cooperating websites by a third-party authentication service. Lightweight Directory Access Protocol (LDAP) is not an identity federation. It is a network protocol used to access network directory databases storing information about authorized users and their privileges, as well as other organizational information.

What describes the Ticket Granting Ticket (TGT) role w/in the Authentication Service (AS). (Select all) a). The AS responds with a TGT that contains info on the client incl their name/IP address w/a timestamp and validity period. The TGT is encrypted w/secret key of the Authentication Server (AS) to ensure its conf/integrity during transmission/storage. b). The TGS is resp for issuing service tickets to the client which contain a session key that is shared betw the client/req'd service. The TGT does not respond w/a service session key for use betw the client/appl server. c). The client req the TGT must be time synchronized w/the server w/in 2' or the req will fail. d). The TGT is a credential that the client issues to authenticate to the AS and contains a session key shared only betw the client and TGS. This session key encrypts the client's credentials/authenticates the client to the TGS when req service ticket.

a). The AS responds with a TGT that contains information about the client, including their name and IP address, along with a timestamp and validity period. The TGT is encrypted with the secret key of the Authentication Server (AS) to ensure its confidentiality and integrity during transmission and storage. b). The TGS is responsible for issuing service tickets to the client, which contain a session key that is shared between the client and the requested service. The TGT does not respond with a service session key for use between the client and the application server. The AS issues a TGT to the client after successful authentication, and it contains information about the client, including their name and IP address, along with a timestamp and validity period. The TGT is encrypted with the secret key of the Authentication Server (AS) to ensure its confidentiality and integrity during transmission and storage.The TGS issues service tickets to the client, and these tickets contain a session key that is shared between the client and the requested service. The TGT does not contain any service session key for use between the client and the application server.The TGT is time-stamped. This means that workstations and servers on the network must be synchronized (to within five minutes), or a TGT will be rejected. This helps prevent replay attacks.The TGT is not a credential that the client uses to authenticate to the AS. The TGT is issued to the client by the AS after successful authentication, and it contains a session key that is used to authenticate the client to the TGS when requesting a service ticket.

Select the appropriate methods for packet capture. (Select all that apply.) a). Wireshark b). Packet analyzer c). Packet injection d). tcpdump

a). Wireshark d). tcpdump Wireshark and tcpdump are packet sniffers. A sniffer is a tool that captures packets, or frames, moving over a network. Wireshark is an open source graphical packet capture and analysis utility. Wireshark works with most operating systems, where tcpdump is a command line packet capture utility for Linux. A packet analyzer works in conjunction with a sniffer to perform traffic analysis. Protocol analyzers can decode a captured frame to reveal its contents in a readable format, but they do not capture packets. A packet injection involves sending forged or spoofed network traffic by inserting (or injecting) frames into the network stream. Packets are not captured with packet injection.

A document contains information about a company that is too valuable to permit any risks, and viewing is severely restricted. Analyze levels of classification and determine the appropriate classification for the document. a). Critical b). Confidential c). Classified d). Unclassified

a). critical Documents labeled as critical contain information that is too valuable to permit any risk of its capture, and viewing is severely restricted. Documents labeled as confidential contain information that is highly sensitive and is for viewing only by approved persons within the organization or possibly by third parties under a Nondisclosure Agreement (NDA). This classification may also be called low. Documents labeled as classified contains information that limits viewing by only persons within an organization or by third parties that are under an NDA. This classification may also be called private, restricted, internal use only, or official use only. Unclassified documents are unrestricted and anyone can view the document. This document does not contain information that will harm the company if released. This classification is also known as public.

Data exists in several states, each requiring different security considerations. Evaluate the following items and select which data state presents the greatest challenge due to decryption? a). Data in use b). Data in transit c). Data in motion d). Data at rest

a). data in use Data in use is when data is present in volatile memory. When a user works with data, that data needs to be decrypted, which puts it at risk. Transmitting data over a network refers to data in transit. The encryption challenge is not as great as with data in use. Data in motion is another name for data in transit. When data is at rest, it is usually possible to encrypt the data using a variety of techniques, such as whole disk encryption, database encryption, and file- or folder-level encryption.

Which of the following utilizes both symmetric and asymmetric encryption? a). Digital envelope b). Digital certificate c). Digital evidence d). Digital signature

a). digital envelope A digital envelope is a type of key exchange system that utilizes symmetric encryption for speed and asymmetric encryption for convenience and security. A digital certificate is an electronic document that associates credentials with a public key. This only involves asymmetric encryption. Digital evidence or Electronically Stored Information (ESI) is evidence that cannot be seen with the naked eye; rather, it must be interpreted using a machine or process. There is no encryption involved. A digital signature is a message digest encrypted with a user's private key. It uses only asymmetric encryption to prove the identity of the sender of a message and to show a message has not been tampered with.

When a company attempts to re-register their domain name, they find that an attacker has supplied false credentials to the domain registrar and redirected their host records to a different IP address. What type of attack has occurred? a). Domain hijacking b). Domain name system client cache (DNS) poisoning c). Rogue dynamic host configuration protocol (DHCP) d). Domain name system server cache (DNS) poisoning

a). domain hijacking In domain hijacking (or brandjacking), the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Before DNS is contacted, a text file named HOSTS is checked that may have name:IP address mappings recorded. If an attacker can place a false name:IP address mapping in the HOSTS file, poisoning the DNS cache, the attacker can redirect traffic. The Dynamic Host Configuration Protocol (DHCP) facilitates automatic network address allocation. If an attacker establishes a rogue DHCP, it can perform DoS or snoop on network information. DNS server cache poisoning corrupts records within the DNS server itself.

Analyze the features of Microsoft's Information Rights Management (IRM) and choose the scenarios that accurately depict IRM. (Select all that apply.) a). File permissions are assigned based on the roles within a document. b). A document is emailed as an attachment, but cannot be printed by the receiver. c). A document does not allow screen capture in a web browser view. d). An email message cannot be forwarded to another employee.

a). file permissions are assigned based on the roles within a document b). a document is emailed as an attachment, but cannot be printed by the receiver d). an email message cannot be forwarded to another employee A benefit of IRM is that file permissions can be assigned for different document roles, such as author, editor, or reviewer. Each role can have specific access such as sending, printing, and editing. Printing and forwarding of documents can be restricted even when the document is sent as a file attachment. This means that just because a document is forwarded it may not have printing capabilities. Printing and forwarding of email messages can be restricted. Microsoft's IRM helps prevent an authorized viewer from copying, pasting, modifying, and printing content for unauthorized use. It does not have the ability to prevent screen captures from occurring when documents are viewed in a browser.

An engineer utilizes digital forensics for information gathering. While doing so, the first focus is counterintelligence. Which concepts does the engineer pursue? (Select all that apply.) a). Identification and analysis of specific adversary tactics b). Retrospective network analysis c). Configure and audit active logging systems d). Inform risk management provisioning

a). identification and analysis of specific adversary tactics c). configure and audit active logging systems Counterintelligence includes the identification and analysis of specific adversary tactics, techniques, and procedures (TTP). This information furthers the betterment of understanding adversary approaches that counterintelligence can note for monitoring. Counterintelligence provides information about how to configure and audit active logging systems so that they are most likely to capture evidence of attempted and successful intrusions. A Retrospective Network Analysis (RNA) solution provides the means to record network events at either a packet header or payload level. Strategic intelligence is information that security specialists have gathered through research and provides insights used to inform risk management and security control provisioning.

A security team desires to modify event logging for several network devices to work over TCP and use secure connections. What uses more types of filter expressions in its configuration file to customize message handling? a). Syslog-ng b). Rsyslog c). Syslog d). NXlog

b). rsyslog Rsyslog can work over TCP and use a secure connection. It uses the same configuration file syntax as Syslog. Rsyslog can use more types of filter expressions in its configuration file to customize message handling. Syslog-ng is an update to Syslog that can use TCP secure communications, but it uses a different configuration file syntax than Syslog. Syslog provides an open format, protocol, and server software for logging event messages. A very wide range of host types use Syslog, as well as UDP for communications. NXlog is an open-source log normalization tool. One common use for it is to collect Windows logs, which use an XML-based format and then normalize them to a standard syslog format.

Select the phase of risk management a company has performed if they analyzed workflows and identified critical tasks that could cause their business to fail, if not performed. a). Identify mission essential functions b). Identify vulnerabilities c). Identify threats d). Analyze business impacts

a). identify mission essential functions The first phase of risk management is to identify mission essential functions. Mitigating risk can involve a large amount of expenditure so it is important to focus efforts. Part of risk management is to analyze workflows and identify the mission essential functions that could cause the whole business to fail if they are not performed. The second phase of risk management is to identify vulnerabilities for each function or workflow. This includes analyzing systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible. The third phase of risk management is to identify threats. Threats that may take advantage of, exploit, or accidentally trigger vulnerabilities. Threat refers to the sources or motivations of people and things that could cause loss or damage. The fourth phase of risk management is to analyze business impacts and the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems.

Analyze and eliminate the item that is NOT an example of a reconnaissance technique. a). Initial exploitation b). Open Source Intelligence (OSINT) c). Social engineering d). Scanning

a). initial exploitation The initial exploitation phase (also referred to as weaponization) is not a reconnaissance technique. It is an exploit that is used to gain some sort of access to the target's network. Open Source Intelligence (OSINT) refers to using web search tools and social media to obtain information about the target. Social engineering refers to obtaining information, physical access to premises, or even access to a user account through the art of persuasion. Scanning refers to using software tools to obtain information about a host or network topology. Scans may be launched against web hosts or against wired or wireless network segments, if the attacker can gain physical access to them.

A security team suspects the unauthorized use of an application programming interface (API) to a private web-based service. Which metrics do the team analyze and compare to a baseline for response times and usage rates, while investigating suspected DDoS attacks? (Select all that apply.) a). Number of requests b). Error rates c). Latency d). Endpoint connections

a). number of requests c). latency The number of requests is a basic load metric that counts the number of requests per second or requests per minute. Depending on the service type, admin can set a baseline for typical usage. Latency is the time in milliseconds (ms) taken for the service to respond to an API call. This can be measured for specific services or as an aggregate value across all services. Error rates measure the number of errors as a percentage of total calls, usually classifying error types under category headings. Admin can manage unauthorized and suspicious endpoint connections to the API in the same sort of way as remote access.

In the event of a cloud server breach, an organization must navigate various challenges unique to cloud environments when attempting to acquire data for forensic analysis. What are these challenges? (Select all that apply.) a). On-demand services b). Jurisdiction c). Chain of custody d). Notification laws

a). on-demand services b). jurisdiction c). chain of custody The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Jurisdiction and data sovereignty may restrict what evidence the CSP is willing to release to the organization. Chain of custody issues are complex as it may have to rely on the CSP to select and package data for the organization. If the CSP is a data processor, it will be bound by data breach notification laws and regulations. This issue does not relate to the acquisition of data.

A network administrator conducts a network assessment to determine where to implement a network intrusion detection system (NIDS). Which sensor deployment option is most ideal if the admin is concerned about system overloads and resiliency in the event of power loss? a). Passive test access point (TAP) b). Active test access point (TAP) c). Aggregation test access point (TAP) d). Switched port analyzer (SPAN)/mirror port

a). passive test access point (TAP) With a passive TAP, the monitor port receives every frame—corrupt, malformed, or not—and load does not affect copying. Because it performs an active function, an active TAP becomes a point of failure for the links in the event of power loss. When deploying an active TAP, it is important to use a model with backup power options. Aggregation TAPs rebuild the upstream and downstream channels into a single channel, but these can drop frames under very heavy load. SPAN/mirror port sensor is not completely reliable, as frames with errors will not be mirrored and frames may be dropped under heavy load.

You are developing a script to automate part of an incident response playbook. The script queries information from a database of security logs aggregated across multiple network systems to identify a data exfiltration event, and then automatically configures network security appliance and mail server settings to mitigate the incident. Which of the following is NOT required to implement the solution? a). Playbook API b). Security Information and Event Management API c). Unified Threat Management API d). Mail server API

a). playbook API A playbook sets out procedures and steps for completing incident response tasks. While the script might automate part of the playbook, the playbook is not itself a target of automation and does not have an API.Security Information and Event Management (SIEM) implements the collection and aggregation of logs from across enterprise systems. Its API provides a source of information for the script to query.A Unified Threat Management (UTM) appliance implements various security filtering functions. Its API allows a script to apply additional filter or block rules.A mail server facilitates messaging and file attachments, which could be misused for data exfiltration. The mail server API allows a script to mitigate incidents by blocking, redacting, or deleting non-compliant data transfers.

Select the options that can be configured by Group Policy Objects (GPOs). (Select all that apply.) a). Registry settings b). Code signing c). Access policies d). Baseline deviation

a). registry settings c). access policies On a Windows Active Directory network, access policies can be configured via group policy objects (GPOs). GPOs can be used to configure access rights for user/group/role accounts. GPOs can configure registry settings across a range of computers. Code signing is the principal means of proving the authenticity and integrity of code (an executable or a script). A GPO can deploy Code Integrity (CI) policies to check for application publisher digital signatures, but not for signing or creating new digital signatures. Baseline deviation reporting tests the configuration of clients and servers to ensure they are patched, and their configuration settings match the baseline template.

Which statement best describes a key benefit of symmetric over asymmetric cryptographic ciphers? a). Symmetric encryption is primarily used for encrypting large volumes of data and uses the same key for encryption and decryption. b). Symmetric encryption uses different keys for encryption and decryption, similar to asymmetric encryption. c). Symmetric encryption is primarily used for non-repudiation, similar to asymmetric encryption. d). Symmetric encryption is less computationally efficient compared to asymmetric encryption when encrypting large volumes of data.

a). symmetric encryption is primarily used for encrypting large volumes of data and uses the same key for encryption and decryption Symmetric encryption is efficient and used when large amounts of data need to be encrypted. It uses the same key for both encryption and decryption.This statement describes asymmetric encryption, not symmetric encryption. In asymmetric encryption, different keys are used for encryption and decryption.Non-repudiation is not a primary use case for symmetric encryption. Non-repudiation, which ensures a party cannot deny the authenticity of their signature, is a feature more associated with asymmetric encryption.Symmetric encryption is more efficient compared to asymmetric encryption, particularly when dealing with large amounts of data. Asymmetric encryption is computationally expensive and generally used for smaller data payloads or for secure key exchange.

A developer considers using an API for service integration and automation. If choosing Representational State Transfer (REST) as the API, which features can the developer expect? (Select all that apply.) a). The ability to submit a request as an HTTP operation/verb b). It is a looser architectural framework c). It can only use XML format messaging d). It has built-in error handling

a). the ability to submit a request as a HTTP operation/verb b). it is a looser architectural framework Requests sent as Simple Object Access Protocol (SOAP) must be in a correctly formatted XML document. However, with Representational State Transfer (REST) requests, they can be submitted as an HTTP operation/verb (GET or POST for example). Representational State Transfer (REST) is a looser architectural framework, also referred to as RESTful APIs. SOAP is a tightly specified protocol. Simple Object Access Protocol (SOAP) uses XML format messaging and has a number of extensions in the form of Web Services (WS) standards. Simple Object Access Protocol (SOAP) also has built-in error handling and supports common features, such as authentication, transport security, and asynchronous messaging.

A system administrator is deploying a new web server. Which hardening procedures should the administrator consider? (Select all that apply.) a). The administrator should use SFTP to transfer files to and from the server remotely. b). Any guest web access that exist on the webserver should be disabled or removed. c). The administrator should assign a digital certificate and enable the use of TLS 1.3. d). The configuration templates should not be used with web servers.

a). the administrator should use SFTP to transfer files to and from the server remotely c). the administrator should assign a digital certificate and enable the use of TLS 1.3 Secure file transfer protocol (SFTP) safely transfers files remotely via SSH. Transport layer security (TLS) enables secure communication between the client and the web server. This is implemented by assigning a certificate to the web server. TLS 1.3 prevents downgrade attacks. Most web servers must allow for secure access to guest web access. Guest web access should only be allowed to view content in the website and not from any other web server directory. Web servers should deploy using configuration templates where possible.

An attacker finds a way to exploit a vulnerability in a target application that allows the attacker to bypass a password requirement. Which method did the attacker most likely use? a). The attacker added LDAP filters as unsanitized input by creating a condition that is always true. b). The attacker inserted code into a back-end database by submitting a post to a bulletin board with a malicious script embedded in the message. c). The attacker embedded a request for a local resource via XML with no encryption. d). The attacker modified a basic SQL function, adding code to some input that an app accepts, causing it to execute the attacker's query.

a). the attacker added LDAP filters as unsanitized input by creating a condition that is always true An attacker could exploit the vulnerability with an LDAP injection attack, inserting the (&) operator to return a condition that is always true, dropping the password filter for a name=value pair. A stored/persistent cross-site scripting (XSS) attack aims to insert unsanitized code into a back-end database a trusted site uses. When other users view the posted message, the malicious script executes. Data submitted via extensible markup language (XML) with no encryption or input validation is vulnerable to spoofing, request forgery, and injection of arbitrary data or code. In a SQL injection attack, the attacker modifies basic SQL functions by adding code. This could be with input an app accepts. In this case, LDAP was compromised and not an input to an application.

A security engineer is investigating a potential system breach. When compiling a report of the incident, how does the engineer classify the actor and the vector? a). Threat b). Vulnerability c). Risk d). Exploit

a). threat A threat is the potential for something to exploit a vulnerability. The thing that poses the threat is called an actor, while the path used can be referred to as the vector. A vulnerability is a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. Risk is the likelihood and impact (or consequence) of a threat actor exploiting a vulnerability. An exploit is a method that is used to expose and compromise a vulnerability.

A technician is configuring Internet Protocol Security (IPSec) for communications over a Virtual Private Network (VPN). Evaluate the features of available modes and recommend the best option for implementation. a). Tunnel mode because the whole IP packet is encrypted, and a new IP header is added. b). Transport mode because the whole IP packet is encrypted, and a new IP header is added. c). Tunnel mode because the payload is encrypted. d). Transport mode because the payload is encrypted.

a). tunnel mode because the whole IP packet is encrypted and a new IP header is added. The technician should use tunnel mode because the whole IP packet, including header and payload, is encrypted and a new IP header added. This mode is used for communications across an unsecure network (creating a VPN). In transport mode, the IP header for each packet is not encrypted, just the data (payload). This mode is used for secure communications on a private network (an end-to-end implementation). In tunnel mode, the header and the payload are encrypted. In transport mode, the payload is encrypted but this does not provide sufficient security for a VPN.

A critical server has a high availability requirement of 99.99%. What would be a tolerable downtime based on this requirement? a). 0:53:56 annual downtime b). 0:49:23 annual downtime c). 1:24:19 annual downtime d). 2:48:42 annual downtime

b). 0:49:23 annual downtime The Maximum Tolerable Downtime (MTD) metric states the requirement for a particular business function. High availability is usually described as 24x7. For a critical system, availability will be described from 99% to 99.9999%. In this scenario, the requirement is 99.99%, resulting in the maximum downtime of 00:52:34. Since 00:49:23 is less downtime than the maximum requirement, this results in the system meeting the requirement. A downtime of 00:53:56 is more than the maximum annual downtime of 00:52:34. As a result, it is outside of the MTD. A downtime of 01:24:19 is more than the maximum annual downtime of 00:52:34. As a result, it is outside of the MTD. A downtime of 02:48:42 is more than the maximum annual downtime of 00:52:34. As a result, it is outside of the MTD.

An employee is working on a team to build a directory of systems they are installing in a classroom. The team is using the Lightweight Directory Access Protocol (LDAP) to update the X.500 directory. Utilizing the standards of an X.500 directory, which of the following distinguished names is the employee most likely to recommend? a). OU=Univ,DC=local,CN=user,CN=system1 b). CN=system1,CN=user,OU=Univ,DC=local c). CN=user,DC=local,OU=Univ,CN=system1 d). DC=system1,OU=Univ,CN=user,DC=local

b). CN=system1,CN=user,OU=Univ,DC=local A distinguished name is a unique identifier for any given resource within an X.500-like directory and made up of attribute=value pairs, separated by commas. The most specific attribute lists first, and then successive attributes become progressively broader. Also referred to as the relative distinguished name, the most specific attribute (in this case, system1) uniquely identifies the object within the context of successive attribute values. The directory schema describes the types of attributes, what information they contain, and the way attributes define object types. Some of the attributes commonly used include Common Name (CN), Organizational Unit (OU), Organization (O), Country (C), and Domain Component (DC). In this scenario, CN=system1 is the Common Name, CN=User is the broader common name, OU=Univ is the Organizational Unit, and DC=local is the Domain Component. This goes in order of a specific system to the broadest Domain Component.

Compare and contrast the modes of operation for block ciphers. Which of the following statements is true? a). ECB and CBC modes allow block ciphers to behave like stream ciphers. b). CTM mode allows block ciphers to behave like stream ciphers. c). ECB allows block ciphers to behave like stream ciphers. d). CBC and CTM modes allow block ciphers to behave like stream ciphers.

b). CTM mode allows block ciphers to behave like stream ciphers Counter Mode (CTM) combines each block with a counter value, allowing each block to be processed individually and in parallel, improving performance. This parallel processing is similar to how stream ciphers operate.While ECB and CBC modes are both modes of operation for block ciphers, they do not allow block ciphers to behave like stream ciphers.ECB mode does not allow block ciphers to behave like stream ciphers. As mentioned earlier, ECB mode applies the same key to each plaintext block, resulting in identical plaintext blocks producing identical ciphertexts, which is not how a stream cipher operates.While CTM mode does allow block ciphers to behave like stream ciphers, CBC mode does not. As mentioned earlier, CBC mode applies an Initialization Vector (IV) to the first plaintext block to ensure that the key produces a unique ciphertext from any given plaintext, which is not how a stream cipher behaves.

The _____ requires federal agencies to develop security policies for computer systems that process confidential information. a). Federal information Security Management Act (FISMA) b). Computer Security Act c). Gramm-Leach-Bliley Act (GLBA) d). Sarbanes-Oxley Act (SOX)

b). Computer Security Act The Computer Security Act (1987) specifically requires federal agencies to develop security policies for computer systems that process confidential information. The Federal Information Security Management Act (2002) governs the security of data processed by federal government agencies. This act requires agencies to implement an information security program. The Gramm-Leach-Bliley Act (1999) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. The Sarbanes-Oxley Act (2002) mandates the implementation of risk assessments, internal controls and audit procedures. This act is not for any specific entity.

A network manager assists with developing a policy to protect the company from data exfiltration. The employee devises a list of focus points to include. Which plans, when consolidated, provide the best protection for the company? (Select all that apply.) a). Store backups of critical data, that may be targeted for destruction or ransom, on-site within a secure space. b). Creating a training program for all employees that reiterates the importance of knowing how to use encryption to secure data. c). Only allow removable media if it is company property, if it is required to perform a task, and if it has been cleared through the proper channels d). Encrypt all sensitive data at rest and disconnect systems that are storing archived data from the network

b). Creating a training program for all employees that reiterates the importance of knowing how to use encryption to secure data. c). Only allow removable media if it is company property, if it is required to perform a task, and if it has been cleared through the proper channels d). Encrypt all sensitive data at rest and disconnect systems that are storing archived data from the network Employees need training in document confidentiality and how to use encryption to store and transmit data securely. Annual refresher training will remind employees of its importance. One mechanism for data exfiltration is by copying data to removable media or other device storage, such as USB drives or memory cards. Limiting the use of these to company property and only for job-related tasks helps reduce this risk. Always encrypt sensitive data at rest. Transferring data outside of the network will likely be useless without the decryption key. Offsite backups are the most secure for data that may be targeted for destruction or ransom. The data will remain on site, but the backups are offsite and provide redundancy for the company in the event of destruction or ransom demands.

Identify the command that can be used to detect the presence of a host on a particular IP address. a). ipconfig b). ifconfig c). ip d). ping

d). ping The ping command can be used to detect the presence of a host on a particular IP address or that responds to a particular host name. This command is a fast and easy way to determine if a system can communicate over the network with another system. The ipconfig command is used to report the configuration assigned to the network adapter in Windows. The ifconfig command can be used to report the adapter configuration in Linux. The ip command is a more powerful command in Linux and gives options for managing routes as well as the local interface configuration.

Which statement regarding attacks on media access control (MAC) addresses accurately pairs the method of protection and what type of attack it guards against? (Select all that apply.) a). MAC filtering guards against MAC snooping. b). Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing. c). MAC filtering guards against MAC spoofing. d). DAI guards against invalid MAC addresses

b). DHCP snooping guards against MAC spoofing d). DAI guards against invalid MAC addresses In MAC filtering, a switch will record the specified number of MACs allowed to connect to a port, but then drop any traffic from other MAC addresses. DHCP snooping inspects traffic arriving on access ports to ensure that a host is not trying to spoof its MAC address. MAC filtering on a switch defines which MAC addresses are allowed to connect to a particular port, dropping other traffic to protect against MAC flooding attacks. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings.

A company has a critical encryption key that has an M-of-N control configuration for protection. Examine the examples and select the one that correctly illustrates the proper configuration for this type of protection of critical encryption keys. a). M=1 and N=5 b). M=3 and N=5 c). M=6 and N=5 d). M=0 and N=5

b). M=3 and N=5 A correct configuration for an M-of-N control is M=3 and N=5. M stands for the number of authorized administrators that must be present to access the critical encryption keys and N is the total number of authorized administrators. In this scenario, 3 of the 5 administrators must be present for access. M is always greater than 1 for this type of configuration making M=1 and N=5 not a valid choice. If only 1 administrator must be present, this configuration would be unnecessary. M=6 and N=5 is not possible as this configuration is asking for more administrators to be present than is authorized. The final option of M=0 is not viable because M must always equal more than 1.

Given knowledge of secure firmware implementation, select the statement that describes the difference between secure boot and measured boot. a). Secure boot requires a (UEFI) and (TPM), but measured boot requires only a unified extensible firmware interface (UEFI). b). Secure boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect the presence of unauthorized processes. c). Secure boot is the process of sending a signed boot log or report to a remote server, while measured boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes. d). Secure boot requires a unified extensible firmware interface (UEFI) but does not require a trusted platform module (TPM). Measured boot is the mechanism by which a system sends signed boot log or report to a remote server.

b). Secure boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect the presence of unauthorized processes. Secure boot is about provisioning certificates for trusted operating systems and blocking unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect unauthorized processes. Secure boot requires UEFI but does not require a TPM. A trusted or measured boot process uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data have changed. Attestation is the process of sending a signed boot log or report to a remote server. Secure boot prevents the use of a boot loader or kernel that has been changed by malware (or an OS installed without authorization).

Select the example that provides an accurate simulation of a company engaging in the identifying threats phase of risk management. a). A company develops a list of processes that are necessary for the company to operate. b). A company conducts research to determine which vulnerabilities may be exploited. c). A company conducts penetration testing to search for vulnerabilities. d). A company determines how the company will be affected in the event a vulnerability is exploited.

b). a company conducts research to determine which vulnerabilities may be exploited The third phase of risk management is identify threats. Threats that may take advantage of, exploit, or accidentally trigger vulnerabilities. Threat refers to the sources or motivations of people and things that could cause loss or damage. The first phase of risk management is to identify mission essential functions. Mitigating risk can involve a large amount of expenditure, so it is important to focus efforts. Part of risk management is to analyze workflows and identify the mission essential functions that could cause the whole business to fail if they are not performed. The second phase of risk management is to identify vulnerabilities for each function or workflow. This includes analyzing systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible. The fourth phase of risk management is to analyze business impacts and the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems.

Which of the following solutions best addresses data availability concerns that may arise with the use of application-aware next-generation firewalls (NGFW) and unified threat management (UTM) solutions? a). Signature-based detection system b). Active or passive test access point (TAP) c). Secure web gateway (SWG) d). Network-based intrusion prevention system (IPS)

b). active or passive test access point (TAP) A TAP is a hardware device that allows you to access and monitor data flowing across a computer network. In an active setup, it can redirect traffic if the security appliance fails, thereby ensuring data availability. In a passive setup, it can continue to pass network traffic even if the security tool fails, also contributing to data availability. A signature-based detection (or pattern-matching) engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident. An SWG acts as a content filter, which applies user-focused filtering rules and also conducts threat analysis. Intrusion prevention systems (IPS), positioned like firewalls at borders between network zones, provide an active response to network threats.

There are several types of security zones on a network. Analyze network activities to determine which of the following does NOT represent a security zone. a). DMZ b). Screened host c). Wireless d). Guest network

b). screened host A screened host is when a smaller network accesses the Internet using a dual-homed proxy/gateway servers. A Demilitarized Zone (DMZ) is a protected but untrusted area (zone) between the Internet and the private network. Traffic from wireless networks might be less trusted than from a cabled network. If unauthenticated open access points or authenticated guest Wi-Fi networks exist on the network, admin should keep them isolated. A guest network is a zone that allows untrusted or semi-trusted hosts on the local network. Examples include publicly accessible computers or visitors bringing their own portable computing devices to the premises.

What is the trade-off when considering which type of encryption cipher to use? a). Asymmetric encryption is the strongest hashing algorithm, which produces longer and more secure digests than symmetric encryption. b). Asymmetric encryption involves substantially more computing overhead than symmetric encryption. Asymmetric encryption is inefficient when encrypting a large amount of data on a disk or transporting it over a network. c). Symmetric encryption requires substantially more overhead computing power than asymmetric encryption. Symmetric encryption is inefficient when transferring or encrypting large amounts of data. d). Symmetric encryption is not considered as safe as asymmetric encryption, but it might be required for compatibility between security products.

b). asymmetric encryption involves substantially more computing overhead than symmetric encryption. Asymmetric encryption is inefficient when encrypting a large amount of data on a disk or transporting it over a network. While more secure, asymmetric encryption involves substantially more computing overhead than symmetric encryption, making it inefficient when encrypting large amounts of data on a disk or transporting it over a network. Option A is incorrect because it mistakenly suggests that asymmetric encryption is a hashing algorithm and produces longer and more secure digests than symmetric encryption, which is not entirely accurate. Option C is incorrect because it mistakenly suggests that symmetric encryption is inefficient when transferring or encrypting large amounts of data, which is inaccurate. Option D is only partially correct in stating that symmetric encryption is not as safe as asymmetric encryption, but it also mentions compatibility, which isn't a direct trade-off between the two types of encryption.

Which statement most accurately describes the mechanisms by which blockchain ensures information integrity and availability? a). Blockchain ensures availability by cryptographically linking blocks of information, and integrity through decentralization. b). Blockchain ensures availability through decentralization, and integrity through cryptographic hashing and timestamping. c). Blockchain ensures availability through cryptographic hashing and timestamping, and integrity through decentralization. d). Blockchain ensures both availability and integrity through decentralization and peer-to-peer (P2P) networking.

b). blockchain ensures availability through decentralization, and integrity through cryptographic hashing and timestamping The blockchain ledger is decentralized and distributed across a peer-to-peer (P2P) network to mitigate the risks of a single point of failure or compromise. Each block in a blockchain validates the hash of the previous block, all the way through to the beginning of the chain, ensuring that each historical transaction has not been tampered with. Blockchain is open. It may ensure the integrity and transparency of financial transactions, among other potential applications. Each block typically includes a timestamp of transactions, as well as the data involved in the transactions themselves, helping ensure data integrity. One of the most important characteristics of a blockchain is decentralization. Being distributed across a peer-to-peer (P2P) network ensures availability, but integrity is achieved through cryptographic hashing and timestamping.

An engineer uses an abstract model that represents network functionality. Using infrastructure as code to deploy and manage a network, how does the engineer make control decisions? a). By managing compatible physical appliances through infrastructure as code. b). By prioritizing and securing traffic through infrastructure as code. c). By monitoring traffic conditions using abstract network models. d). By using security access controls to configure network functionality through code.

b). by prioritizing and securing traffic through infrastructure as code When using infrastructure as code to deploy and manage a network, an engineer can make control decisions by defining access controls and configuring rules and policies in the code to prioritize and secure network traffic. Although infrastructure as code can be employed to deploy and manage physical network appliances, such as routers and switches, it is not the primary method for making control decisions. Monitoring traffic conditions is crucial for maintaining network performance and availability, but it is not the primary method for making control decisions. Utilizing security access controls is essential for making control decisions through infrastructure as code; however, it is not the only method. Engineers also need to configure rules and policies in the code to prioritize and secure network traffic.

A startup designs a new online service and uses a serverless approach for some business functions. With this approach, how does the startup accomplish these functions? (Select all that apply.) a). Virtual machines b). Containers c). Physical servers d). Orchestration

b). containers d). orchestration When an operation needs processing by using a container, the cloud spins up the container to run the code, performs the processing, and then destroys the container. Serverless architecture depends heavily on the concept of event-driven orchestration, with many services involved to facilitate operations. A virtual machine is a full-fledged operating system that runs in a virtual environment and is considered a server, not serverless. Serverless refers to creating and using containers when needed. The serverless paradigm eliminates the need to manage physical or virtual server instances, so there is no management effort for software and patches, administration privileges, or file system security monitoring.

Incident management relies heavily on the efficient allocation of resources. Which of the following factors should an IT manager consider regarding the overall scope of preparing for incidents in general? (Select all that apply.) a). Planning time b). Downtime c). Detection time d). Recovery time

b). downtime c). detection time d). recovery time Downtime is a critical factor to consider to the degree to which an incident disrupts business processes. An incident can either degrade (reduce performance) or interrupt (completely stop) the availability of an asset, system, or business process. Detection time is an important consideration requiring that the systems used to search for intrusions are thorough, and the response to detections must be fast. Recovery time must be considered, as some incidents that need to have complex system changes require lengthy remediation. This extended recovery period should trigger heightened alertness for continued or new attacks. Planning time can refer to the expected time for completing a project plan, or a period of time scheduled for an IT team to work together to plan out projects. It is not a consideration for incident remediation efforts.

In which of these situations might a non-credentialed vulnerability scan be more advantageous than a credentialed scan? (Select all that apply.) a). When active scanning poses no risk to system stability b). External assessments of a network perimeter c). Detection of security setting misconfiguration d). Web application scanning

b). external assessments of a network perimeter d). web application scanning Non-credentialed scanning is often the most appropriate technique for external assessment of the network perimeter or when performing web application scanning. A non-credentialed scan proceeds by directing test packets at a host without being able to log on to the OS or application. A non-credentialed scan provides a view of what the host exposes to an unprivileged user on the network. A passive scan has the least impact on the network and on hosts but is less likely to identify vulnerabilities comprehensively. Configuration reviews investigate how system misconfigurations make controls less effective or ineffective, such as antivirus software not being updated, or management passwords left configured to the default. Configuration reviews generally require a credentialed scan.

You are asked to help design a security system. What are some methods that can be used to mitigate risks to embedded systems in security environments? (Select all that apply.) a). Faraday cage b). Firmware patching c). Network Segmentation d). Wrappers

b). firmware patching c). network segmentation d). wrappers Firmware patching for embedded systems is just as vital as keeping host OS software up to date on a traditional computer. Network segmentation is one of the core principles of network security. This control network should be separated from the corporate network using firewalls and VLANs. One way of increasing the security of data in transit for embedded systems is through the use of wrappers, such as IPSec. The only thing visible to an attacker or anyone sniffing the wire is the IPSec header, which describes only the tunnel endpoints. A faraday cage would help prevent outside interference or leakage of wireless radio frequencies, but may inhibit the use of a security system, such as a keyless door.

Which reconnaissance suite uses -sS to run TCP SYN scans? a). tcpdump b). nmap c). Wireshark d). nslookup

b). nmap Nmap uses -sS to do a TCP SYN scan, which is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state.tcpdump is a command line packet capture utility for Linux (linux.die.net/man/8/tcpdump). The basic syntax of the command is tcpdump -i eth0, where eth0 is the interface to listen on. It does not use the -sS command.Wireshark (wireshark.org) is an open-source graphical packet capture and analysis utility with installer packages for most operating systems. Having chosen the interface to listen on, the output is displayed in a three-pane view. It does not use the -sS command.nslookup/dig is a utility to query name records for a given domain using a particular DNS resolver under Windows (nslookup) or Linux (dig). An attacker may test a network to find out if the DNS service is misconfigured. It does not use the -sS command.

An employee handles key management and has learned that a user has used the same key pair for encrypting documents and digitally signing emails. Prioritize all actions that should be taken and determine the first action that the employee should take. a). Revoke the keys. b). Recover the encrypted data. c). Generate a new key pair. d). Generate a new certificate.

b). recover the encrypted data The first step is to recover any data encrypted with the key so the data can be decrypted. Once the data is recovered, the key can be revoked and an administrator can issue a new key pair. After the data has been recovered, the keys should be revoked. They are compromised and should not be used for any future tasks. After the compromised keys are revoked, the user can be issued new keys. The user requires two sets of keys, one for encrypting messages and the other for digitally signing documents. Certificate generation is used to identify the public part of a key pair as belonging to a subject and will occur after the user's new keys have been generated.

A system compromise prompts the IT department to harden all systems. The technicians look to block communications to potential command and control servers. Which solutions apply to working with egress filtering? (Select all that apply.) a). Mediate the copying of tagged data b). Restrict DNS lookups c). Remove compromised root certificates d). Allow only authorized application ports

b). restrict DNS lookups d). allow only authorized application ports A recommended filtering approach would be to restrict DNS lookups to an ISP's DNS services or authorized public resolvers, such as Google's, helps to prevent lookups of malicious hosts. A recommended filtering approach would be to allow only authorized application ports and, if possible, restricting the destination addresses to authorized Internet hosts helps to avoid contact with malicious servers. Data loss prevention (DLP) pertains to protecting sensitive information by mediating the copying of tagged data to restrict it to authorized media and services. If an attacker has managed to install a root certificate on a system, the attacker can make malicious hosts and services seem trusted. Admin must remove suspicious root certificates from the client's cache. This is not an egress filtering solution.

An attacker compromises a Linux host, installing a web shell as a backdoor. If the attacker gained access to the host through a connection the host established, what type of attack has occurred? a). Man-in-the-Browser (MitB) b). Reverse shell c). Rootkit d). Session hijacking

b). reverse shell A reverse shell is a common attack vector against a Linux host, where a victim host opens a connection to the attacking host through a maliciously spawned remote command shell. A man-in-the-browser (MitB) attack compromises the web browser. An attacker may be able to inspect session cookies, certificates, and data, change browser settings, perform redirection, and inject code. Malware running with system or root level privilege is referred to as a rootkit, which gives an attacker unrestricted access to everything from the root of the file system down. Session hijacking involves replaying a web application cookie in some way. Attackers can sniff network traffic to obtain session cookies sent over an unsecured network.

Compare and evaluate the various levels and types of security found within a Trusted OS (TOS) to deduce which scenario is an example of a hardware Root of Trust (RoT). a). A security system is designed to prevent a computer from being hijacked by a malicious operating system b). The boot metrics and operating system files are checked, and signatures verified at logon. c). Digital certificates, keys, and hashed passwords are maintained in hardware-based storage. d). The industry standard program code that is designed to operate the essential components of a system.

b). the boot metrics and operating system files are checked, and signatures verified at logon. A hardware RoT, or trust anchor, is a secure subsystem that can provide attestation. When a computer joins a network, it may submit a report to the NAC declaring valid OS files. The RoT scans the boot metrics and OS files to verify their signatures. A secure boot is a security system designed to prevent a computer from being hijacked by a malicious OS. A Trusted Platform Module (TPM) is a specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information. The Basic Input/Output System (BIOS) provides an industry standard program code that operates the essential components of the PC and ensures that the design of each manufacturer's motherboard is PC compatible.

A security technician needs to transfer a large file to another user in a data center while ensuring non-repudiation. Which statement best illustrates what type of encryption the technician should use to perform the task? a). The technician should use symmetric encryption for authentication and data transfer. b). The technician should use asymmetric encryption to verify the data center user's identity and agree on a symmetric encryption algorithm for the data transfer. c). The technician should use asymmetric encryption for authentication and data transfer. d). The technician should use symmetric encryption to verify the data center user's identity and agree on an asymmetric encryption algorithm for the data transfer.

b). the technician should use asymmetric encryption to verify the data center user's identity and agree on a symmetric encryption algorithm for the data transfer. Asymmetric encryption is used for authentication, non-repudiation, and key agreement and exchange. Symmetric encryption is more efficient for bulk encryption of large amounts of data for transfer. Symmetric encryption is very fast and used for bulk encryption of large amounts of data. Symmetric encryption cannot be used for authentication or integrity, because both parties know the same key. Asymmetric encryption can be used to prove identity. Asymmetric encryption involves substantial computing overhead compared to symmetric encryption, so it is inefficient for large data transfers. Key agreement/exchange refers to settling on a secret symmetric key to use for bulk encryption without anyone else discovering it.

A systems breach occurs at a manufacturer. The system in question contains highly valuable data. An engineer plans a live acquisition, but ultimately, is not successful. What reason may be stopping the engineer? a). There is no hibernation file present b). The tools are not preinstalled or running c). The crash dump file is missing d). The pagefile is corrupt

b). the tools are not preinstalled or running A specialist hardware or software tool can capture the contents of memory while the host is running (live acquisition). This type of tool needs to be pre-installed or a standalone executable needs to be run, as it requires a kernel mode driver to dump any data of interest. When a Windows host is in a sleep state, the system creates a hibernation file on disk in the root folder of the boot volume. This file is not a prerequisite for a live acquisition. When Windows encounters an unrecoverable kernel error, it can write contents of memory to a dump file. This file is not a prerequisite for a live acquisition. The pagefile/swap file/swap partition stores pages of memory in use that exceed the capacity of the host's RAM modules. This file is not a prerequisite for a live acquisition.

A user would like to install an application on a mobile device that is not authorized by the vendor. The user decides the best way to accomplish the install is to perform rooting on the device. Compare methods for obtaining access to conclude which type of device the user has, and what actions the user has taken. a). The user has an iOS device and has used custom firmware to gain access to the administrator account. b). The user has an Android device and has used custom firmware to gain access to the administrator account. c). The user has an iOS device and has booted the device with a patched kernel. d). The user has an iOS device and has installed a third-party app store.

b). the user has an Android device and has used custom firmware to gain access to the administrator account. Rooting is a term associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device. For some devices, it is necessary to exploit a vulnerability or use custom firmware. A user who has an iOS device and wants access to the administrator account will perform an action called jailbreaking versus rooting. If the user had an iOS device, and has booted the device with a patched kernel, the term would have been jailbreaking. Installing a third-party app store does not involve gaining access to the administrator account and is not considered rooting.

A system administrator has configured a security log to record unexpected behavior and review the logs for suspicious activity. Consider various types of audits to determine which type aligns with this activity. a). Permission auditing b). Usage auditing c). Information security audit d). Compliance audit

b). usage auditing Usage auditing refers to configuring the security log to record key indicators and then reviewing the logs for suspicious activity. Behavior recorded by event logs that differs from expected behavior may indicate everything from a minor security infraction to a major incident. The systems administrator puts in place permission auditing to review privileges regularly. This includes monitoring group membership and access control lists for each resource plus identifying and disabling unnecessary accounts. An information security audit measures how the organization's security policy is employed and determines how secure the network or site is that is being audited. A compliance audit reviews a company's policies and procedures and determines if it is in compliance with regulatory guidelines.

Consider the life cycle of an encryption key. Which of the following is NOT a stage in a key's life cycle? a). Storage b). Verification c). Expiration and renewal d). Revocation

b). verification Verification is not a stage in a key's life cycle. It is part of the software development life cycle. The stages are: key generation, certificate generation, storage, revocation, and expiration and renewal. Storage is the stage where a user must take steps to store the private key securely. It is also important to ensure that the private key is not lost or damaged. The expiration and renewal stage addresses that a key pair expires after a certain period. Giving the key a "shelf-life" increases security. Certificates can be renewed with new key material. Revocation is the stage that concerns itself with the event of a private key being compromised; it can be revoked before it expires.

Compare and contrast vulnerability scanning and penetration testing. Select the true statement from the following options. a). Vulnerability scanning is conducted by a "white hat" and penetration testing is carried out by a "black hat." b). Vulnerability scanning by eavesdropping is passive, while penetration testing with credentials is active. c). Penetration testing and vulnerability scanning are considered "black hat" practices. d). Vulnerability scanning is part of network reconnaissance, but penetration testing does not involve network reconnaissance.

b). vulnerability scanning by eavesdropping is passive, while penetration testing with credentials is active Vulnerability scanning and penetration testing can use passive or active reconnaissance techniques. A passive approach tries to discover issues without causing an impact to systems, whereas an active approach may cause instability on a scanned system. Penetration testing is non-malicious; therefore, it is a "white hat" activity, not "black hat." Penetration testing is considered "ethical hacking," but vulnerability scanning is not. Vulnerability scanning is used to uncover system weaknesses, not to try to hack into the system. Penetration testing involves network reconnaissance, or information gathering. The hacker likely has to find some way of escalating the privileges available to them.

Analyze the features of a Full Disk Encryption (FDE) to select the statements that accurately reflect this type of security. (Select all that apply.) a). FDE only encrypts the files that are listed as critical with one encryption key. b). The encryption key that is used for FDE can only be stored in a TPM on the disk for security. c). A drawback of FDE is the cryptographic operations performed by the OS reduces performance. d). FDE requires the secure storage of the key used to encrypt the drive contents.

c). A drawback of FDE is the cryptographic operations performed by the OS reduces performance. d). FDE requires the secure storage of the key used to encrypt the drive contents. FDE means that the entire contents of the drive, including system files and folders, are encrypted. The cryptographic operations performed by the OS reduces performance. FDE normally utilizes a Trusted Platform Module (TPM) to secure the storage of the key used to encrypt the drive contents. FDE means that the entire content of the drive (or volume), including system files and folders, are encrypted. This is not limited to only critical files. FDE requires secure storage of the key used to encrypt the drive contents. Normally, this is in a TPM. It is also possible to use a removable USB drive if USB is a boot device option.

An attacker tricks a host within a subnet into routing through an attacker's machine, rather than the legitimate default gateway, allowing the attacker to eavesdrop on communications and perform a Man-in-the-Middle (MitM) attack. Compare the types of routing vulnerabilities and conclude what the attacker is exploiting in this scenario. a). Route injection b). Denial of service c). ARP poisoning d). Source routing

c). ARP poisoning ARP poisoning occurs by tricking hosts on the subnet into routing through the attacker's machine rather than the legitimate default gateway. This allows the attacker to eavesdrop on communications and perform replay or MitM attacks. Route injection occurs when routing protocols have weak or no authentication. This can mean traffic misdirected to a monitoring port, sent to a black hole, or continuously looped. Denial of service is redirecting traffic to routing loops or black holes, or overloading the router. Source routing uses an option in the IP header to pre-determine the route a packet will take through the network that it must pass through.

An attacker modifies the HOSTS file on a workstation to redirect traffic. Consider the types of attacks and deduce which type of attack has likely occurred. a). DNS server cache poisoning b). DNS spoofing c). DNS client cache poisoning d). Typosquatting

c). DNS client cache poisoning The HOSTS file is checked before using Domain Name System (DNS). Its contents are loaded into a cache of known names and the client only contacts a DNS server if the name is not cached. If an attacker can place a false name, then the attacker will be able to direct traffic. A DNS server cache poisoning attack is a redirection attack that aims to corrupt the records held by the DNS server itself. DNS spoofing is an attack that compromises the name resolution process. Typosquatting means that the threat actor registers a domain name that is very similar to a real one, such as connptia.org, hoping that users will not notice the difference.

Analyze the available detection techniques and determine which are useful in identifying a rogue system through software management. (Select all that apply.) a). Visual inspection of ports and switches will prevent rogue devices from accessing the network. b). Network mapping is an easy way to reveal the use of unauthorized protocols on the network or unusual traffic volume. c). Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. d). Wireless monitoring can reveal whether there are unauthorized access points.

c). Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. d). Wireless monitoring can reveal whether there are unauthorized access points. Intrusion detection and NAC are security suites and appliances that can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. Wireless monitoring can reveal the presence of unauthorized or malicious access points and stations. Visual inspection of ports/switches will reveal any obvious unauthorized devices or appliances; however, a sophisticated attack can prevent observation, such as creating fake asset tags. Network mapping can identify hosts unless an OS is actively trying to remain unobserved by not operating when scans are running. Identifying a rogue host on a large network from a scan may still be difficult.

Using the STARTTLS method, a system administrator is setting up a new Simple Mail Transfer Protocol (SMTP) configuration. Make recommendations for how the administrator should configure the ports. (Select all that apply.) a). Port 80 should be used for message submission over implicit TLS. b). Port 143 should be used to connect clients. c). Port 25 should be used for message relay. d). Port 587 should be used by mail clients to submit messages for delivery.

c). Port 25 should be used for message relay. d). Port 587 should be used by mail clients to submit messages for delivery. Port 25 is used for message relay between Simple Mail Transfer Protocol (SMTP) servers or Message Transfer Agents (MTA). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection.Port 587 is used by mail clients (Message Submission Agents) to submit messages for delivery by an SMTP server.Port 465, versus 80, is used by providers and mail clients for message submission over implicit Transport Layer Security (TLS).Port 143 is used by Internet Message Access Protocol (IMAP) to connect clients. IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously.

Analyze each statement and determine which describes a fundamental improvement on traditional log management that security information and event management (SIEM) offers. a). SIEM is completely automated; it requires no manual data preparation. b). SIEM logs ensure non-repudiation, whereas other logs cannot link a specific user to an action. c). SIEM can perform correlation, linking observables into meaningful indicators of risk or compromise. d). SIEM addresses the issue of sheer volume of alerts, using machine learning to facilitate threat hunting.

c). SIEM can perform correlation, linking observables into meaningful indicators of risk or compromise While SIEM can automate many functions of log collection and review, security managers may also have to manually prepare data using a Linux command line. Logs typically associate an action with a particular user, satisfying non-repudiation. SIEM correlates individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IOC). Correlation is the principal factor distinguishing it from basic log management. Security orchestration, automation, and response (SOAR) is a solution to the problem of the volume of alerts overwhelming analysts' ability to respond. A security engineer may implement SOAR as a standalone technology or integrate it with a SIEM, using machine/deep learning techniques to enrich data for use in incident response and threat hunting.

Which cookie attribute can a security admin configure to help mitigate a request forgery attack? a). Secure b). HttpOnly c). SameSite d). Cache-Control

c). SameSite Cookies can be a vector for session hijacking and data exposure if not configured correctly. Use the SameSite attribute to control where a cookie may be sent, mitigating request forgery attacks. Set the Secure attribute to prevent a cookie from being sent over unencrypted HTTP. Set the HttpOnly attribute to make the cookie inaccessible to document object model/client-side scripting. A number of security options can be set in the response header returned by the server to the client, including Cache-Control, which sets whether the browser can cache responses. Preventing caching of data protects confidential and personal information where multiple users might share the client device.

A security engineer encrypted traffic between a client and a server. Which security protocol is the best for the engineer to configure if an ephemeral key agreement is used? a). AES 256 b). TLS 1.2 c). TLS 1.3 d). SHA 384

c). TLS 1.3 Only ephemeral key agreement is supported in TLS 1.3. The signature type is supplied in the certificate, so the cipher suite only lists the bulk encryption key strength and mode of operation (AES_256_GCM), plus the cryptographic hash algorithm (SHA384). Prior to TLS 1.3, Elliptic Curve Diffie-Hellman Ephemeral mode for session key agreement, RSA signatures, 128-bit AES-GCM (Galois Counter Mode) for symmetric bulk encryption, and 256-bit SHA for HMAC functions can be used. AES 256 refers to a mode of operation used by TLS to encrypt data that is communicated between systems. SHA 384 refers to a cryptographic hashing algorithm that is used for encryption by protocols such as TLS.

A company is reviewing options for installing a new wireless network. They requested recommendations for utilizing WEP, WPA, or WPA2. Differentiate between WEP and WPA. Determine which statements distinguish between options (Select all) a). WEP/WPA use RC4 w/TKIP while WPA2 uses a 24-bit IV. WPA2 combines the 24-bit IV w/AES to add security. b). WEP is the strongest encryption scheme, followed by WPA2, then WPA. WEP is difficult to crack when protected by a strong password or if deploying enterprise authentication. WPA2 is vulnerable to decryption due to replay attacks. c). WPA/WEP use RC4, while WEP uses a 24-bit IV. WPA uses TKIP and WPA2 uses AES for encryption. d). WPA2 is the strongest encryption scheme, followed by WPA, then WEP. WPA2 is difficult to crack if protected by a strong password, or if deploying enterprise authentication. WEP is vulnerable to decryption due to replay attacks.

c). WPA and WEP use RC4, while WEP uses a 24-bit Initialization Vector (IV). WPA uses a Temporal Key Integrity Protocol (TKIP), and WPA2 uses an Advanced Encryption Standard (AES) for encryption. d). WPA2 is the strongest encryption scheme, followed by WPA, then WEP. WPA2 is difficult to crack if protected by a strong password, or if deploying enterprise authentication. WEP is more vulnerable to decryption due to replay attack possibilities. WPA2 uses an Advanced Encryption Standard (AES) for encryption, while WPA and WEP use RC4. WPA combines the RC4 with a Temporal Key Integrity Protocol (TKIP), while WEP uses a 24-bit Initialization Vector (IV). WPA2 is the strongest encryption scheme due to the use of AES. WPA is stronger than WEP because of the TKIP. WEP uses the 24-bit IV, which has known vulnerabilities and is the weakest encryption system of the three. A strong password, or the use of enterprise authentication, makes WPA difficult to crack. WEP is the most vulnerable due to the possibility of replay attacks. The encryption options have grown stronger with each development, with WEP deploying first, followed by WPA and WPA2.

Which of the following are types of log collection for SIEM? (Select all that apply.) a). Log aggregation b). Firewall c). Agent-based d). Listener/Collector

c). agent-based d). listener/collector With the agent-based approach, one must install an agent service on each host. As events occur on the host, logging data is filtered, aggregated, and normalized at the host, then sent to the SIEM server for analysis and storage. With the listener/collector approach, rather than installing an agent, hosts can be configured to push updates to the SIEM server using a protocol such as syslog or SNMP. A process runs on the management server to parse and normalize each log/monitoring source. Log aggregation refers to normalizing data from different sources so that it is consistent and searchable and does not refer to a type of log collection Firewalls are a source of logs that are often sent into a SIEM but is not a type of log collection for SIEMs.

An organization routinely communicates directly to a partner company via a domain name. The domain name now leads to a fraudulent site for all users. Systems administrators for the organization find incorrect host records in DNS. What do the administrators believe to be the root cause? a). A server host has a poisoned arp cache. b). Some user systems have invalid hosts file entries. c). An attacker masquerades as an authoritative name server. d). The domain servers have been hijacked.

c). an attacker masquerades as an authoritative name server DNS server cache poisoning aims to corrupt the records held by the DNS server itself. A DNS server queries an authoritative server for domain information. An attacker can masquerade as an authoritative name server and respond with fraudulent information. An ARP cache contains entries that map IP addresses to MAC addresses. An ARP cache is not related to name resolution. Before developers created DNS, early name resolution took place using a text file named HOSTS. In this case, all users are experiencing an issue, not just some. Domain Reputation can be impacted if an attacker hijacks public servers. In this case, systems admin found invalid host records, which ruled out hijacking.

A security team is in the process of selecting a cryptographic suite for their company. Analyze cryptographic implementations and determine which of the following performance factors is most critical to this selection process if users primarily access systems on mobile devices. a). Speed b). Latency c). Computational overhead d). Cost

c). computational overhead Some technologies or ciphers configured with longer keys require more processing cycles and memory space, which makes them slower and consume more power. This makes them unsuitable for handheld devices and embedded systems that work on battery power. Speed is most impactful when processing large amounts of data. For some use cases, the time required to obtain a result is more important than a data rate. Latency issues may negatively affect performance when an operation or application times out before the authentication handshake. Cost issues may arise in any decision-making process, but for mobile device cryptography, computing overhead is a primary limiting factor.

A system analyst is tasked with searching the dark web for harvested customer data. Because these sites cannot be readily found in standard website searches, what would the system analyst often find in "word of mouth" bulletin boards? a). The Onion Router (TOR) b). Dark web search engine c). Dark Website URL d). Open Source Intelligence (OSINT)

c). dark website URL Access to deep web sites, especially those hidden from search engines, are accessed via the website's URL. These are often only available via "word of mouth" bulletin boards. The Onion Router (TOR) is software used to establish a network overlay to the Internet infrastructure to create the dark net. TOR, along with other software like Freenet or I2P, anonymizes the usage of the dark net. A dark web search engine can be used to find dark web website collections, which constitute roughly 1% of the deep web. Some dark web websites have hidden IP addresses and cannot be found by search engines or require additional software to gain access to the site. Open-source intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records.

IT staff looks to provide a high level of fault tolerance while implementing a new server. With which systems configuration approach does the staff achieve this goal? a). Adapting to demand in real time b). Adding more resources for power c). Duplicating critical components d). Increasing the power of resources

c). duplicating critical components A system often achieves fault tolerance by provisioning redundancy for critical components and single points of failure. Although not required, a redundant component is available for system recovery. Elasticity refers to the system's ability to handle any changes in resource demand in real-time. Elasticity often applies to processing power and storage. A system achieves scalability by adding resources. To scale out is to add more resources in parallel with existing resources. A system achieves scalability by adding resources. To scale up is to increase the power of existing resources.

Digital certificates are based on the X.509 standard that defines the fields (or information) about a subject (or entity using the certificate) and the certificate's issuer. Which of the following fields would not be included in a standard public certificate? a). Extensions b). Public key c). Endorsement key d). Subject

c). endorsement key An endorsement key is not required for a digital certificate. It is part of a Trusted Platform Module (TPM) and used to create subkeys for key storage, signature, and encryption operations. The Extensions field defines which extended attributes a certificate supports. V3 certificates can be defined with extended attributes, such as friendly subject or issuer names, contact email addresses, and intended key usage. The Public key field denotes the public key and algorithm used by the certificate holder. This key is distributed to the public to initiate a secure connection with a website or remote server. The Subject field names the certificate holder, expressed as a distinguished name (DN). Within this, the common name (CN) usually matches either the fully qualified domain name (FQDN) of a server or a user email address.

An engineer creates a new virtualized cloud server with no security settings. What actions are typically recommended to secure such a resource? (Select all that apply.) a). Ensure virtual machines are logging all events for auditing. b). Enforce the principle of most privilege for access to VMs. c). Ensure software and hosts are patched regularly. d). Configure devices to support isolated communications.

c). ensure software and hosts are patched regularly d). configure devices to support isolated communications Virtual Machine (VM) software, hosts and guest Operating Systems (OS) should be patched on regular intervals. Regular patching provides fixes for identified vulnerabilities. Virtual networking devices should be configured to support isolated communications wherever necessary. This will allow communications with the necessary clients. Virtual machines should log all critical events versus all events. Logging all events will be counterproductive as critical events could be missed due to too much data. The principle of least privilege for access to virtual machines should be utilized for security purposes. Most privilege would not maximize security for virtualized or cloud-based resources.

A security professional is looking to harden systems at an industrial facility. In particular, the security specialist needs to secure an HVAC system that is part of an IoT network. Which areas does the specialist look to secure from data exfiltration exploits? (Select all that apply.) a). Personal computing devices b). Network routers c). Fog node d). Edge gateway

c). fog node d). edge gateway Fog nodes are data processing layers located close to edge gateways, helping in the prioritization of critical data transmission. These nodes are high-value targets for both denial of service and data exfiltration attacks.Edge gateways carry out some pre-processing of data to and from edge devices for prioritization and manage the connectivity for data transfer to and from the storage and processing networks. Edge gateways are prime targets for exploitation.While personal computing devices are essential parts of the broader network, they're not typically the primary focus when securing an IoT device like an HVAC system against data exfiltration exploits. While network routers are an integral part of the network infrastructure and do require security measures, they are not typically the primary targets for data exfiltration in an IoT environment, especially for specialized systems like HVAC. Therefore, they are not the primary focus in this specific context.

A network manager needs a map of the network's topology. The network manager is using Network Mapper (Nmap) and will obtain the visual map with the Zenmap tool. If the target IP address is 192.168.1.1, determine the command within Nmap that will return the necessary data to build the visual map of the network topology. a). nmap -sn --ipconfig 192.168.1.1 b). nmap -sn --ifconfig 192.168.1.1 c). nmap -sn --traceroute 192.168.1.1 d). nmap -sn --nslookup 192.168.1.1

c). nmap -sn --traceroute 192.168.1.1 The traceroute command is used to probe a path from one end system to another, and lists the intermediate systems providing the link. The Nmap combined with Zenmap tools will give a visual of the network topology. The ipconfig and ifconfig commands are used for looking at the configuration of a system's network adapter. The primary difference between the ipconfig and ifconfig commands are the type of systems the network is using. The ipconfig is designed for Windows, while the ifconfig is designed for use on Linux systems. The nslookup command is used to query the Domain Name System (DNS).

An engineer looks to implement security measures by following the five functions in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. When documenting the "detect" function, what does the engineer focus on? a). Evaluate risks and threats b). Install, operate, and decommission assets c). Ongoing proactive monitoring d). Restoration of systems and data

c). ongoing proactive monitoring Detect refers to performing ongoing proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats. Identify covers developing security policies and capabilities, evaluating risks, threats, and vulnerabilities, and recommending security controls to mitigate them. Protect and procure covers the processes to install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of an operations life cycle. Recovery deals with the implementation of cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.

Evaluate the Agile paradigm within a Software Development Lifecycle (SDLC) to determine which statement demonstrates the idea of continuous tasks. a). Devising an application's initial scope and vision for the project b). Prioritizing the requirements and work through the cycles of designing, developing, and testing c). Releasing well-tested code in smaller blocks d). Perform the final integration and testing of the solution

c). releasing well-tested code in smaller blocks Agile development flips the waterfall model by iterating through phases concurrently on smaller modules of code. In this model, development and provisioning tasks are conceived as continuous. The concept phase includes devising the initial scope and vision for the project and to determine its feasibility. The iteration phase consists of prioritizing requirements and working through cycles of designing, developing, testing, and test deploying solutions to the project goals. The transition phase includes performing the final integration and testing of the solution and preparing for deployment in the user environment.

Which of the following is NOT a use of cryptography? a). Non-repudiation b). Obfuscation c). Security through obscurity d). Resiliency

c). security through obscurity Security through obscurity involves keeping something a secret by hiding it, but not necessarily encrypting it. While this can fool the unwitting observer, it is easily detectable by those involved in cybersecurity and their tools. Non-repudiation is when the sender cannot deny sending the message. If the message has been encrypted in a way known only to the sender, logic follows the sender must have composed it. Obfuscation is the art of making a message difficult to understand. Cryptography is a very effective way of obfuscating a message by encrypting it. Resiliency occurs when the compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography ensures the authentication and integrity of messages delivered over the control system.

A threat actor programs an attack designed to invalidate memory locations to crash target systems. Which statement best describes the nature of this attack? a). The attacker created a null pointer file to conduct a dereferencing attack. b). The attacker programmed a dereferencing attack. c). The attacker programmed a null pointer dereferencing exception. d). The attacker created a race condition to perform a null pointer dereferencing attack.

c). the attacker programmed a null pointer dereferencing exception Dereferencing occurs when a pointer variable stores a memory location, which is attempting to read or write that memory address via the pointer. If the memory location is invalid or null, this creates a null pointer dereference type of exception and the process may crash. Dereferencing does not mean deleting or removing; it means read or resolve. A null pointer might allow a threat actor to run arbitrary code. Programmers can use logic statements to test that a pointer is not null before trying to use it. A race condition is one means of engineering a null pointer dereference exception. Race conditions occur when processes depend on timing and order, and those events fail to execute in the order and timing intended.

Windows has several service account types, typically used to run processes and background services. Which of the following statements about service accounts is FALSE? a). The Network service account and the Local service account have the same privileges as the standard user account. b). Any process created using the system account will have full privileges over the local computer. c). The local service account creates the host processes and starts Windows before the user logs on. d). The Local Service account can only access network resources as an anonymous user.

c). the local service account creates the host processes and starts Windows before the user logs on. The System account, not the Local Service account, creates the host processes that start Windows before the user logs on. The Network Service account and the Local Service account have the same privileges as the standard user account. Standard users have limited privileges, typically with access to run programs, create, and modify files only belonging to their profile. Any process created using the System account will have full privileges over the local computer. The System account has the most privileges of any Windows account. The Local Service account can only access network resources as an anonymous user, unlike a Network Service account. Network Service accounts can present the computer's account credentials when accessing network resources.

What is Open Source Intelligence (OSINT)? a). Obtaining information, physical access to premises, or even access to a user account through the art of persuasion b). The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources c). Using web search tools and social media to obtain information about the target d). Using software tools to obtain information about a host or network topology

c). using web search tools and social media to obtain information about the target OSINT is using web search tools and social media to obtain information about the target. It requires almost no privileged access as it relies on finding information that the company makes publicly available, whether intentionally or not. Obtaining information, physical access to premises, or access to a user account through the art of persuasion is social engineering. The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources is considered a security policy. Using software tools to obtain information about a host or network topology is considered scanning.

Consider the challenges with providing privileged management and authorization on an enterprise network. Which of the following would the network system administrator NOT be concerned with when configuring directory services? a). Confidentiality b). Integrity c). Non-repudiation d). DoS

d). DoS Denial of Service (DoS) is a network-based attack that consumes the network's bandwidth that could impact a directory service, but is more of a network concern than when managing a directory service. Confidentiality of the information on the network (read access) is a concern. A user may be able to see a file but not read it. The integrity of the information on the network (write access) is also a concern. Only users who have write access are able to modify a file. Non-repudiation means a subject cannot deny doing something, such as creating, modifying, or sending a resource. It is a consideration for managing privileges and authorization.

A systems engineer configures a disk volume with a Redundant Array of Independent Disks (RAID) solution. Which solution does the engineer utilize when allowing for the failure of two disks? a). Level 1 b). Level 0 c). Level 5 d). Level 6

d). Level 6 Redundant Array of Independent Disks (RAID) Level 6 has double parity or Level 5 with an additional parity stripe. This allows the volume to continue when two disks have been lost. Level 1 uses mirroring where data is written to two disks simultaneously, which provides redundancy. The main drawback is its storage efficiency is only 50%. RAID Level 0 is striping without parity resulting in no fault tolerance. Data is written in blocks across several disks. RAID Level 5 has striping with parity. Data is written across three or more disks but calculates additional information. This allows the volume to continue if one disk is lost. This solution has better storage efficiency than RAID 1.

How might the goals of basic network management not align with the goals of security? a). Management focuses on confidentiality and availability. b) Management focuses on confidentiality over availability. c). Management focuses on integrity and confidentiality. d). Management focuses on availability over confidentiality.

d). management focuses on availability over confidentiality Security is increasingly thought of as a dedicated function. The goals of a network manager are not always well-aligned with the goals of security; network management focuses on availability over confidentiality. System security may be a dedicated business unit with its own management structure. As a result, network management might only concern itself with availability. The goals of a basic network management are not always well-aligned with the goals of security; network management would not focus on confidentiality, but rather availability. Network management would encompass the responsibility for systems up-time and availability. Security administrators would focus on integrity and confidentiality.

Analyze and compare the access control models in terms of how Access Control Lists (ACL) are written and determine which statement accurately explains the Discretionary Access Control (DAC) model. a). A DAC model is the most flexible and weakest access control model. Administrative accounts have control of the resource and grants rights to others. b). A DAC model is the least flexible and strongest access control model. The owner has full control over the resource and grants rights to others. c). A DAC model is the least flexible and strongest access control model. Administrative accounts have control of the resource and grant rights to others. d). A DAC model is the most flexible and weakest access control model. The owner has full control over the resource and grants rights to others.

d). a DAC model is the most flexible and weakest access control model. The owner has full control over the resource and grants rights to others. In DAC, the owner has full control over the resource, meaning that he or she can modify its ACL to grant rights to others. DAC is the most flexible and weakest control model. With DAC, decision-making lies with the resource owner. In rule-based access control (RBAC) and mandatory access control (MAC), it lies with the system owner (that is, the controls are enforced system-wide and cannot be countermanded or accepted by users "within" the system). DAC is the easiest model to compromise, as it is vulnerable to insider threats and abuse of compromised accounts. Attribute-based access control (ABAC) is a fine-grained, strong access control mechanism, making access decisions based on a combination of subject, object, and context-sensitive or system-wide attributes.

A security analyst needs to contain a compromised system with the quickest approach that requires no configuration. Which solution does the analyst utilize? a). Black hole b). VLAN c). ACL d). Air gap

d). air gap A simple option is to disconnect the host from the network completely (creating an air gap) or disabling its switch port. This is the least stealthy option and may reduce opportunities to analyze the attack or malware due to the isolation. The analyst can implement a routing infrastructure to isolate one or more infected virtual LANs (VLANs) in a black hole that is not reachable from the rest of the network. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture such as VLANs. ACLs can prevent a host or group of hosts from communicating outside of a protected segment.

Compare and analyze the types of firewalls available to differentiate between them. Choose the answer with the most correct description. a). Packet filtering firewalls operate at layer 5 of the OSI model, while circuit-level stateful inspection firewalls operate at layer 3. b). An appliance firewall is also known as a stateful multilayer inspection or a deep packet inspection. An application aware firewall is a stand-alone hardware firewall that performs the function of a firewall only. c). A packet filtering firewall maintains stateful information about a connection between two hosts and implements an appliance firewall as a software application running on a single host. d). An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment.

d). an application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment. An application firewall can inspect the contents of packets at the application layer and can analyze the HTTP headers. It also analyzes the HTML code present in HTTP packets, to try to identify code that matches a pattern in its threat database. Packet filtering firewalls operate at level 3 of the OSI model while circuit-level stateful inspection firewalls operate at layer 5 of the model. An application aware firewall is also known as a stateful multilayer inspection or a deep packet inspection. An appliance firewall is a stand-alone hardware firewall that performs the function of a firewall only. A packet filtering firewall is stateless, and an application firewall is a software application running on a single host.

A systems breach occurs at a financial organization. The system in question contains highly valuable data. When performing data acquisition for an investigation, which component does an engineer acquire first? a). RAM b). Browser cache c). SSD data d). Disk controller cache

d). disk controller cache The order of volatility outlines a general list of which components the engineer should examine for data. The engineer should first examine CPU registers and cache memory (including the cache on disk controllers and GPUs). The engineer should acquire contents of nonpersistent system memory (RAM), including routing tables, ARP caches, process tables, and kernel statistics after any cache memory. The engineer performs data acquisition on persistent mass storage devices after any available system caches or memory. This includes temporary files, such as those found in a browser cache. The engineer performs data acquisition on persistent mass storage devices (such as HDDs or SSDs) after any available system caches or memory.

What is the purpose of a web server certificate? a). Sign and encrypt email messages. b). Guarantee the validity of a browser plug-in. c). Provide identification of the certificate authority. d). Guarantee the identity of a website.

d). guarantee the identity of a website A web server certificate guarantees the identity of the server that provides web services like a website or e-commerce sites. The web server's public certificate allows users to submit data securely to the web server. Signing and encrypting email messages is done with an email certificate, typically using Secure/Multipurpose Internet Mail Extensions (SMIME) or Pretty Good Privacy (PGP). A code signing certificate is issued to a software publisher following an identity check and validation process to guarantee the validity of a software application or browser plug-in. A root certificate identifies the certificate authority (CA) and is self-signed. The operating system or browser mark self-signed certificates as untrusted, but an administrative user can choose to override this.

A hospital must balance the need to keep patient privacy information secure and the desire to analyze the contents of patient records for a scientific study. What cryptographic technology can best support the hospital's needs? a). Blockchain b). Quantum computing c). Perfect forward security (PFS) d). Homomorphic encryption

d). homomorphic encryption Homomorphic encryption is used to share privacy-sensitive data sets. It allows a recipient to perform statistical calculations on data fields, while keeping the data set as a whole encrypted, thus preserving patient privacy. Blockchain uses cryptography to secure an expanding list of transactional records. Each record, or block, goes through a hash function. Each block's hash value links to the hash value of the previous block. Quantum computing could serve as a secure foundation for secure cryptosystems and tamper-evident communication systems that would allow secure key agreement. Perfect forward security (PFS) mitigates the risks from RSA key exchanges through the use of ephemeral session keys to maintain confidentiality.

Which two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message? a). Hashing and symmetric encryption b). Public key cryptography and digital enveloping c). Hashing and digital enveloping d). Public key cryptography and hashing

d). public key cryptography and hashing Public key cryptography (public and private keys) can be used to authenticate a sender. Combine this with a hash output of the message and a secret (or private) key to create a message authentication code (MAC) to validate the integrity of the message. A key exchange system known as a digital envelope or hybrid encryption combines the bulk encryption capabilities of symmetric encryption with the authentication capability of public key cryptography. Asymmetric encryption is also called public key cryptography. A digital envelope allows the sender and recipient to exchange a symmetric encryption key securely by using public key cryptography. Hashing proves integrity by computing a unique checksum from input. Digital envelope is another term for the hybrid encryption that combines public key encryption and symmetric encryption.

An employee handling key management discovers that a private key has been compromised. Evaluate the stages of a key's life cycle and determine which stage the employee initiates upon learning of the compromise. a). Certificate generation b). Key generation c). Expiration and renewal d). Revocation

d). revocation Upon learning of a compromise, the current key should be revoked, and a new key can then be generated. Certificate generation identifies the public part of a key pair as belonging to a subject, and the subject submits it for signing by the CA as a digital certificate with the appropriate key usage. Key generation occurs during the initial distribution of the key, or after having revoked one. Expiration and renewal are used for a key pair that has not been revoked or expired after a certain period. A given shelf-life increases security.

An IT director reads about a new form of malware that targets a system widely utilized in the company's network. The director wants to discover whether the network has been targeted, but also wants to conduct the scan without disrupting company operations or tipping off potential attackers to the investigation. Evaluate vulnerability scanning techniques and determine the best option for the investigation. a). Credentialed scan b). Configuration review c). Penetration testing d). Threat hunting

d). threat hunting Where a pen test attempts to demonstrate a system's weakness or achieve intrusion, threat hunting is based only on analysis of data within the system. It is potentially less disruptive than pen testing. A credentialed scan has a user account with logon rights to hosts and permissions appropriate for the testing routines. Credentialed scans are intrusive and allow in-depth analysis and insight to what an insider attack might achieve. A configuration review assesses the configuration of security controls and application settings & permissions compared to established benchmarks. Penetration testing, an intrusive, active scanning technique, does not stop at detection, but attempts to gain access to a system.

Which situation would require keyboard encryption software to be installed on a computer? a). To set up single sign-on privileges b). To comply with input validation practices c). For the purpose of key management d). To protect against spyware

d). to protect against spyware Keyboard encryption software is used to protect against keyloggers, which record keystrokes for the purpose of stealing data. Keyloggers are spyware. Single sign-on is a technology that enables a user to authenticate once and receive authorizations for multiple services. It does not require keyboard encryption. Input validation involves limiting the type of data a user can enter into specific fields, such as not allowing special characters in a user name field. Encryption is not a concern. Key management is the process of administering cryptographic keys and is performed by a Certificate Authority. It is not applicable to keyboard encryption.