Security (core 2)

Your company's wireless network was recently compromised by an attacker who utilized a brute force attack against the network's PIN to gain access. Once connected to the network, the attacker modified the DNS settings on the router and spread additional malware across the entire network. Which TWO of the following configurations were most likely used to allow the attack to occur?

default administrative login credentials WPS enabled OBJ-2.9: Wireless networks that rely on a PIN to connect devices use the Wi-Fi Protected Setup (WPS). It is a wireless network security standard that tries to make connections between a router and wireless devices faster and easier. WPS relies on an 8-digit PIN, but it is easily defeated using a brute force attack due to a poor design. Once connected to the network using the WPS PIN, the attacker may have logged into the router using the default administrative login credentials and then modified the router/gateway's DNS. Commonly, many network administrators forget to change the default username/password of their devices, leaving an easy vulnerability for an attacker to exploit.

Your company recently suffered a small data breach caused by an employee emailing themselves a copy of the current customers' names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data?

DLP OBJ-2.1: Data loss prevention software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in-motion (network traffic), and at rest (data storage). Since the user was an authorized user (employee), changing your password policy, reconfiguring the firewall, or setting up an MDM solution would not solve this problem. Instead, a DLP solution must be implemented.

John is setting up 100 Windows 10 computers for a new corporate office. He wants to ensure that no one can change the boot order and boot from an unauthorized operating system. What feature should he ensure is enabled?

BIOS password required OBJ-2.6: John should utilize the BIOS to set up a password to prevent unauthorized access to the Basic Input/Output System (BIOS) by other users. The BIOS is firmware stored on a small memory chip on the motherboard; protecting its settings with a password prevents access and tampering, thus reducing the overall attack surface of the workstations and the network. Full disk encryption is used to encrypt the user and system data stored in the device's internal storage. RAM integrity checking is conducted by default on most systems during the initial boot process, but it doesn't prevent a user from booting the system or changing the boot order. The purpose of Secure Boot is to prevent malicious and unauthorized apps from loading into the operating system (OS) during the startup process. Secure Boot is enabled by default in Windows 10. When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots and the firmware gives control to the operating system.

Which of the following BEST describes how a DHCP reservation works?

By matching a MAC address to an IP address within the DHCP scope OBJ-2.9: When the client requests an IP address by sending a message on the network to the DHCP server, the DHCP server will assign an IP from its DHCP scope to the client and reserve it based on its MAC address. DHCP reservations allow the DHCP server to pre-set an IP address for a specific client based on its MAC address. This ensures that the client will always get the same IP address from the DHCP server when it connects to the network. DHCP reservations are usually used with servers or printers on your internal network and are rarely used with end-user or client devices.

Your company has just installed a brand new email server, but you determined that the server cannot send emails to another server during your initial testing. You decide to check the firewall's ACL to see if the server's outgoing email is being blocked. Which of the following ports should you ensure is open and not blocked by the firewall?

25 OBJ-2.1: The Simple Mail Transfer Protocol (SMTP) uses port 25 and is an internet standard communication protocol for electronic mail transmission. Internet Message Access Protocol (IMAP) uses port 143 and is an Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection. Post Office Protocol version 3 (POP3) uses port 110 and is an application-layer Internet standard protocol used by e-mail clients to retrieve e-mail from a mail server. Secure Shell (SSH) uses port 22 to securely create communication sessions over the Internet for remote access to a server or system.

The server administrators have asked you to open the default port on the firewall for a new DNS server. Which of the following ports should you set to ALLOW in the ACL?

53 OBJ-2.9: Port 53 is used for DNS. The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. Port 67 is used for DHCP. The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client-server architecture. Port 110 is used for POP3. Post Office Protocol version 3 (POP3) is an application-layer Internet standard protocol used by e-mail clients to retrieve e-mail from a mail server. Port 3389 is used for RDP. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection.

How would you represent r-xrw-r-- in octal notation?

564 OBJ-2.6: R-X is 5, RW- is 6, and R-- is 4. In Linux, you can convert letter permissions to octal by giving 4 for each R, 2 for each W, and 1 for each X. R is for read-only, W is for write, and X is for execute. The permissions strings are written to represent the owner's permissions, the group's permissions, and the other user's permissions.

How would you represent the Linux permissions rwxr-xr-- in octal notation?

754 OBJ-2.6: RWX is 7, R-X is 5, and R-- is 4. In Linux, you can convert letter permissions to octal by giving 4 for each R, 2 for each W, and 1 for each X. R is for read-only, W is for write, and X is for execute. The permissions strings are written to represent the owner's permissions, the group's permissions, and the other user's permissions.

You are configuring a SOHO network and only allowing specific IP addresses to access the network while blocking any IP addresses that are not on the list. Which of the following should be implemented?

Allow list OBJ-2.9: An allow list is a form of protection where only the items identified specifically on the list are allowed, whereas all others are denied. For example, if you create an access control list that relies on an allow list, it would block every IP address that is not found in the allow list. A blocklist contains every address or port that is blocked from accessing the network. MAC filtering is the application of an access control list to a switch or access point so that only clients with approved MAC addresses can connect. Port forwarding allows a router to take requests from the Internet for a particular application and send them to a designated host on the LAN.

Which type of security measure is used to control access to an area by using a retina scan?

Biometric OBJ-2.1: Retina scans are considered a biometric control. Other biometric controls include fingerprint readers and facial scanners. A cipher lock is a lock that is opened with a programmable keypad and is used to limit and control access to a highly sensitive area. An optical reader is a device found within most computer scanners that can capture visual information and translate the image into digital information the computer is capable of understanding and displaying. Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherence.

An increased amount of web traffic to an e-commerce server is observed by a network administrator but without increasing the number of financial transactions. Which kind of attack might the company be experiencing?

DoS OBJ-2.4: A DoS attack, or denial-of-service attack, works by overloading a server with more requests than it can handle, eventually knocking the server offline. When a denial-of-service attack occurs, there will be an increase in the amount of web traffic on the server, but since that traffic is not being sent by legitimate customers, there will be no financial transactions occurring. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network. Phishing is a type of social engineering where an attacker sends a fraudulent email designed to trick a human victim into revealing sensitive information to the attacker or into deploying malicious software, such as ransomware, on the victim's infrastructure. Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, or laptop computers, typically by sending a vCard containing a message in the name field to another Bluetooth-enabled device via the OBEX protocol.

Dion Training will be hiring 10 college students as interns to work over the summer. Each year, the same interns will work for the company for 8 weeks, but then they will return to school. Next summer, they will return to the company and will need to access their accounts again. What is the BEST policy to use so that the interns can use the accounts during the summer but cannot log in during the school year?

Disable user account at the end of each summer OBJ-2.6: If the accounts are disabled at the end of the summer, the interns will be unable to log in again until their accounts are enabled again when they return next summer. This is the best method since deleting the accounts would require the interns to get new accounts each summer, and they would lose all their data and configurations.

Which of the following types of screen locks uses a biometric authentication mechanism that relies upon mapping the geography of a user's eyes, nose, mouth, and other features before granting access to a mobile device?

Face ID OBJ-2.7: Apple developed FaceID as a facial recognition biometric authentication system. It creates a map of a user's face using an infrared image. This also accounts for changes in a user's appearance, such as wearing sunglasses, makeup, or even changes in the lighting of the environment. With over 30,000 individual, invisible dots that create the mapping of the user's face, the FaceID system is extremely secure. Based on tests, it has a false positive rate of less than 1 in 1 million attempts. Touch ID is an electronic fingerprint recognition feature designed and released by Apple. A swipe lock is a term for unlocking a device by tracing a predetermined on-screen pattern or joining dots on the screen. This was commonly used in Android devices until biometric methods like fingerprint scanners and facial recognition became more prevalent. A passcode unlock is a term for unlocking a device by entering a 4 to 6 digit pin.

A corporate workstation was recently infected with malware. The malware was able to access the workstation's credential store and steal all the usernames and passwords from the machine. Then, the malware began to infect other workstations on the network using the usernames and passwords it stole from the first workstation. The IT Director has directed the IT staff to develop a plan to prevent this issue from occurring again. Which of the following would BEST prevent this from reoccurring?

Install an antivirus/anti-malware solution that uses heuristic analysis OBJ-2.3: The only solution that could stop this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis. The other options might be able to monitor and detect the issue but not stop it from spreading. Heuristic analysis is a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses and new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should detect the issue and stop it from spreading throughout the network. A host-based intrusion detection system (HIDS) is a device or software application that monitors a system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. The UTM is also acting as an IDS in this scenario based on the option presented.

You are configuring a SOHO network that will contain 7 devices, but you only have a single public IP address. Which of the following concepts should be configured to allow the 7 devices to share that single IP when connecting to the internet?

NAT OBJ-2.9: Network address translation (NAT) is a network service provided by a router or proxy server to map private local addresses to one or more publicly accessible IP addresses. NAT can use static mappings but is commonly implemented as network port address translation (PAT) or NAT overloading, where a few public IP addresses are mapped to multiple LAN hosts using port allocations. The Dynamic Host Configuration Protocol (DHCP) is a protocol used to allocate IP addresses to a host when it joins a network. Universal plug-and-play (UPnP) is a protocol framework allowing network devices to autoconfigure services, such as allowing a games console to request appropriate settings from a firewall. A perimeter network (formerly called a Demilitarized Zone or DMZ) is a portion of a private network connected to the Internet and protected against intrusion. Certain services may need to be made publicly accessible from the Internet (such as a web, email, or Minecraft server), and they should be installed in the perimeter network instead of in your intranet. If communication is required between hosts on either side of a perimeter network, then a host within the perimeter network will act as a proxy to take the request.

Which type of antivirus scan provides the best protection for a typical home user?

On-access scans OBJ-2.5: On-access scans are a type of antivirus scan where the AV software intercepts operating system calls to open files and scans each file before allowing or preventing it from being opened. On-access scans reduce performance somewhat but are essential to maintaining effective protection against malware. Weekly and daily scans are good to use, but they are not as effective in preventing infections as an on-access scan. A system administrator normally conducts safe mode scans after malware is found by an on-access, daily, or weekly scan.

Which of the following pairs of authentication factors should you choose to meet the requirements associated with MFA?

Thumbprint and password OBJ-2.1: Multi-factor authentication (MFA) requires a user to provide at least two different forms of authentication: something you know (username, password, pin), something you have (token, key fob, smartphone), something you are (fingerprint, retina scan), something you do (the way you speak a phrase or sign your name), or somewhere you are (location factor based on IP address or geolocation).

Samantha works in the human resource department in an open floorplan office. She is concerned about the possibility of someone conducting shoulder surfing to read sensitive information from employee files while accessing them on her computer. Which of the following physical security measures should she implement to protect against this threat?

Privacy screen OBJ-2.1: A privacy screen is a filter placed on a monitor to decrease the viewing angle of a monitor. This prevents the monitor from being viewed from the side and can help prevent shoulder surfing. The standard type of anti-glare filter consists of a coating that reduces the reflection from a glass or plastic surface. A biometric lock is any lock that can be activated by biometric features, such as a fingerprint, voiceprint, or retina scan. Biometric locks make it more difficult for someone to counterfeit the key used to open the lock or a user's account. A smart card is a form of hardware token. A smart card, chip card, or integrated circuit card is a physical, electronic authorization device used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit chip. In high-security environments, employee badges may contain a smart card embedded chip that must be inserted into a smart card reader to log in or access information on the system. A badge reader is used to read an employee's identification badge using a magnetic stripe, barcode, or embedded RFID chip.

Which type of authentication method is commonly used with physical access control systems and relies upon RFID devices embedded into a token?

Proximity cards OBJ-2.1: A proximity card is a contactless card that usually utilizes RFID to communicate with the reader on a physical access system. These are commonly used to access secured rooms (such as server rooms) or even a building itself (such as at an access control vestibule). Some smart cards contain proximity cards within them, but the best answer to this question is proximity cards, since that is the function of the smart card that would be used to meet this scenario's requirements. An HMAC-based one-time password (HOTP) is a one-time password algorithm based on hash-based message authentication codes. A time-based one-time password (TOTP) is a computer algorithm that generates a one-time password that uses the current time as a source of uniqueness.

Dion Training wants to implement a new wireless network using WPA3 in their offices. Which of the following features of WPA3 is used to provide a password-based authentication using the dragonfly handshake instead of the older WPA 4-way handshake?

SAE OBJ-2.2: Simultaneous Authentication of Equals (SAE) is a password-based authentication and password-authenticated key agreement method used in WPA3 that replaced the 4-way handshake used in WPA-based wireless networks. The SAE handshake is also known as the dragonfly handshake. Enhanced Open enables encryption for traffic being sent and received over a wireless network when still using open authentication. AES Galois Counter Mode Protocol (GCMP) is a high-performance mode of operation for symmetric encryption that supports authenticated encryption with associated data (AEAD). Management protection frames protect unicast and multicast management action frames to protect against eavesdropping and forgery in WPA3-based wireless networks.

Which of the following is a connectionless protocol that utilizes UDP?

TFTP OBJ-2.1: The user datagram protocol (UDP) is a protocol in the TCP/IP suite that operates at the transport layer to provide connectionless, non-guaranteed communication with no sequencing or flow control. UDP is faster than TCP, but it does not provide reliable delivery of the packets. The trivial file transfer protocol (TFTP) is a protocol used to get a file from a remote host or put a file onto a remote host. TFTP is commonly used with embedded devices or systems that retrieve firmware, configuration information, or a system image during the boot process. TFTP operates over UDP port 69. The hypertext transfer protocol (HTTP) is a protocol used to provide web content to browsers using TCP port 80. The hypertext transfer protocol secure (HTTPS) is a secure protocol used to provide web content to browsers using SSL/TLS encryption over TCP port 443.

You are renting space in another company's data center. To protect your server from being physically accessed when you are not in the building, what device should you use?

Server lock OBJ-2.1: A server lock is a physical locking mechanism installed on a server cabinet to prevent unauthorized users from accessing the servers. The server lock could be a cipher lock, biometric lock, or a simple keyed lock depending on the level of security needed. A USB lock prevents unauthorized data transfer through USB ports, reducing the risk of data leakage, data theft, computer viruses, and malware by physically locking and blocking the USB ports. A smart card, chip card, PIV card, or integrated circuit card is a physical, electronic authorization device used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit chip. In high-security environments, employee badges may contain a smart card embedded chip that must be inserted into a smart card reader to log in or access information on the system. An entry control roster is an administrative control used to log each person who enters or leaves a secure room.

Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending tar

Spear phishing OBJ-2.4: Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. The key to answering this question is that the attack was focused on a targeted set of people, not just an indiscriminate large group of random people. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Whaling is an email-based or web-based form of phishing that targets senior executives or wealthy individuals. Vishing is a social-engineering attack where the attacker extracts information while speaking over the phone or leveraging IP-based voice messaging services (VoIP).

Which of the following encryption types was used by WPA to better secure wireless networks than WEP?

TKIP OBJ-2.2: Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption.

An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the building's main lobby until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building?

Tailgating OBJ-2.4: Based on the description, the ethical hacker conducted a very specialized type of social engineering attack known as tailgating. Sometimes on a certification exam, there are two correct answers, but one is more correct. This question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area. Social engineering uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source.

Which of the following types of mobile device screen locks uses biometrics to securely unlock the device?

Touch ID and Face ID OBJ-2.7: The FaceID and TouchID screen locks rely upon biometric data to securely unlock the device. Face ID is a facial recognition system designed and developed by Apple. Touch ID is an electronic fingerprint recognition feature designed and released by Apple. Since biometrics are body measurements and calculations related to human characteristics, the use of a person's face or fingerprint is classified as a biometric authentication system. A swipe lock is a term for unlocking a device by tracing a predetermined on-screen pattern or joining dots on the screen. This was commonly used in Android devices until biometric methods like fingerprint scanners and facial recognition became more prevalent. A passcode unlock is a term for unlocking a device by entering a 4 to 6 digit pin.

Which of the following is the BEST way to regularly prevent different security threats from occurring within your network?

User training and awareness OBJ-2.3: An enterprise network's end users are the most vulnerable attack vector. Studies have shown that an investment in end-user cybersecurity awareness training has the best return on investment of any risk mitigation strategy. While a penetration test might detect various threats and vulnerabilities in your network, it does not prevent them from occurring. Disaster recovery planning creates a disaster recovery plan, which is a documented, structured approach that describes how an organization can quickly resume work after an unplanned incident. Business continuity training will teach employees what to do in the case of a business continuity plan execution. A business continuity plan defines how an organization will continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident. Only end-user awareness training mitigates the biggest network vulnerability we have: our users.

Which of the following types of attacks occurs when an attacker specifically targets the CEO, CFO, CIO, and other board members during their attack?

Whaling OBJ-2.4: Whaling is an email-based or web-based form of phishing that targets senior executives or wealthy individuals. Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. A spear phishing attack is focused on a targeted set of people, not just an indiscriminate large group of random people. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Vishing is a social-engineering attack where the attacker extracts information while speaking over the phone or leveraging IP-based voice messaging services (VoIP).

You are working as a penetration tester and have discovered a new method of exploiting a vulnerability within the Windows 10 operating system. You conduct some research online and discover that a security patch against this particular vulnerability doesn't exist yet. Which type of threat would this BEST be categorized as?

Zero-day OBJ-2.4: A zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited, and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability, hence the term zero-day. A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. A brute-force attack consists of an attacker systematically trying all possible password and passphrase combinations until the correct one is found. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source.

Which mitigation provides the best return on investment by mitigating the most vulnerable attack vector in an enterprise network?

provide end-user awareness training for office staff OBJ-2.3: An enterprise network's end users are the most vulnerable attack vector. Studies have shown that an investment in end-user cybersecurity awareness training has the best return on investment of any risk mitigation strategy. While all of the options presented are valid security mitigations, only end-user awareness training mitigates the biggest network vulnerability we have: our users.

A small doctor's office has asked you to configure their network to use the highest levels of wireless security and desktop authentication. The office only uses cloud-based SaaS applications to store their patients' sensitive data. Which TWO of the following protocols or authentication methods should you implement for the BEST security?

Multifactor and WPA2 OBJ-2.2: Since everything is being stored within a cloud-based SaaS application, the doctor's office needs to ensure their network connection uses the highest encryption level (WPA2), and their desktop authentication should use a multifactor authentication system. Multifactor authentication relies on using at least 2 of the following factors: something you know (password or pin), something you have (smart card or key fob), something you are (fingerprint or retinal scan), or something you do (draw a pattern or how you sign your name). Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. The Wi-Fi Protected Setup (WPS) is a mechanism for auto-configuring a WLAN securely for home users. On compatible equipment, users push a button on the access point and connect adapters to associate them securely. WPS is subject to brute force attacks against the PIN used to secure it, making it vulnerable to attack. The Remote Authentication Dial-in User Service (RADIUS) is used to manage remote and wireless authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The client device then passes the authentication data to an AAA (Authentication, Authorization, and Accounting) server that processes the request. Single sign-on (SSO) is a type of mutual authentication for multiple services that can accept the credential from one domain or service as authentication for other services.

One of the routers in your network just failed. You have been asked to replace it with the same model router from the spare inventory closet as part of an emergency change request. You find the new router in the closet and notice it was signed into inventory 13 months ago. You install the router and attempt to enable HTTPS in the configuration to allow for remote access. The failed router had this capability, but this spare does not, even though they are the same model and were purchased at the same time. What should you do to enable HTTPS access for this router?

update the firmware OBJ-2.9: Since the spare router sat in the inventory closet for 13 months, it is most likely running an older, out-of-date firmware version. Update the firmware and then check whether HTTPS can be enabled. Firmware updates to switches and routers deliver both security fixes and features that were not available in the initial release, so it is likely that the HTTPS management option was added in an update that was applied to the failed router but never to the spare. Download the image from the vendor, verify its published hash or signature before applying it, and keep a copy of the running configuration in case the update resets it.

You want to ensure that only one person can enter or leave the server room at a time. Which of the following physical security devices would BEST help you meet this requirement?

Access control Vestibule OBJ-2.1: An access control vestibule is a physical security access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens. Video monitoring is a passive security feature, so it won't prevent two people from entering at once. The thumbprint reader or cipher lock will ensure that only an authorized user can open the door, but it won't prevent someone from piggybacking and entering with them.

A network administrator has set up a firewall and set up only three allow rules so that traffic can be sent over ports 21, 110, and 25. Next, they added a final rule of "deny any any" to the end of the ACL to minimize the attack surface and better secure the network. Unfortunately, now the administrator is receiving complaints from users that they cannot access any web pages using their URLs, such as DionTraining.com. Which of the following should the administrator do to correct this issue?

Add a rule to the ACL to allow traffic on ports 80 and 53 OBJ-2.1: The Hypertext Transfer Protocol (HTTP) uses port 80 and is an application layer protocol for distributed, collaborative, hypermedia information systems using unencrypted data transfer. The Domain Name System (DNS) uses port 53 (UDP for ordinary queries, with TCP for large responses and zone transfers) and is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. If outbound port 80 is not open, users will not be able to connect to a remote web server. If outbound port 53 is not open, users will be unable to resolve a domain name to the IP address of the web server, so even a correct rule for port 80 would not help. In practice the new allow rules must be placed above the final "deny any any" entry, since an ACL is processed top to bottom and a rule added after the deny never matches, and most sites now require HTTPS on port 443 as well. Port 22 is used for SSH/SCP/SFTP. Port 143 is used for IMAP. Ports 139 and 445 are used for SMB. Port 389 is used for LDAP. Port 110 is used for POP3.
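The ordering problem described above, as an added example that is not part of the original page: a first-match ACL evaluator in Python. The rule model and the list of "flows needed to browse by name" are simplifications assumed for the example; the 443/tcp entry goes beyond the question's two ports because almost every site redirects to HTTPS.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the original page): a first-match ACL evaluator
# that reproduces the misconfiguration in the question. The Rule model and
# the packet fields are simplifications assumed for illustration.


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port, None means any port


def evaluate(acl, proto: str, port: int) -> str:
    """Return the action of the first rule that matches the flow.

    Firewall ACLs are processed top to bottom and the first match wins, so a
    "deny any any" rule only does its job when it is the LAST entry. A flow
    that matches nothing hits the implicit deny at the end.
    """
    for rule in acl:
        if rule.proto in ("any", proto) and rule.port in (None, port):
            return rule.action
    return "deny"


# Flows a user needs to open http://DionTraining.com by name.
WEB_BROWSING_FLOWS = {
    "dns-udp": ("udp", 53),
    "dns-tcp": ("tcp", 53),   # large answers and zone transfers fall back to TCP
    "http":    ("tcp", 80),
    "https":   ("tcp", 443),  # beyond the question: most sites redirect to HTTPS
}


def blocked_web_flows(acl) -> list:
    """Names of the browsing flows the ACL denies, in dictionary order."""
    return [name for name, (proto, port) in WEB_BROWSING_FLOWS.items()
            if evaluate(acl, proto, port) == "deny"]


# The administrator's original ACL from the question.
ORIGINAL_ACL = [
    Rule("allow", "tcp", 21),    # FTP
    Rule("allow", "tcp", 110),   # POP3
    Rule("allow", "tcp", 25),    # SMTP
    Rule("deny", "any", None),   # deny any any
]

# Wrong fix: appending the new rules AFTER "deny any any" leaves them dead.
DEAD_RULE_ACL = ORIGINAL_ACL + [Rule("allow", "tcp", 80), Rule("allow", "udp", 53)]

# Correct fix: the allow rules go above the final deny.
CORRECTED_ACL = ORIGINAL_ACL[:-1] + [
    Rule("allow", "udp", 53),
    Rule("allow", "tcp", 53),
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 443),
    Rule("deny", "any", None),
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL),
                      ("dead rule", DEAD_RULE_ACL),
                      ("corrected", CORRECTED_ACL)):
        print(f"{name:>10}: blocked = {blocked_web_flows(acl)}")
```

The "dead rule" list is the mistake to watch for on real devices: the administrator adds the right ports, but below the deny, and nothing changes.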

Which mobile device strategy is most likely to introduce vulnerable devices to a corporate network?

BYOD OBJ-2.4: The BYOD (bring your own device) strategy opens a network to many vulnerabilities because the organization neither owns nor fully controls the devices. Employees connect their personal devices to the corporate network, and those devices may be unpatched, jailbroken, or already infected, so their weaknesses are carried onto the corporate network. COPE (company-owned/personally enabled) means that the company provides the users with a smartphone primarily for work use, but basic functions such as voice calls, messaging, and personal applications are allowed, with some controls on usage and flexibility. With CYOD, the user chooses which device they wish to use from a small selection of devices approved by the company. The company then buys, provisions, and secures the device for the user. MDM is mobile device management software that gives centralized control (enrollment, configuration, patch status, and remote wipe) over devices under any of these models; it is most complete for company-owned COPE and CYOD devices and more limited on BYOD devices, where it is often confined to a managed work profile or container.

You are working for a brand new startup company that allows you to use your laptop, tablet, or other devices while at work. The company does provide some rules and guidelines that you must follow based on their policy. Which of the following policies should you look at to ensure you understand these rules and guidelines?

BYOD OBJ-2.7: BYOD (Bring Your Own Device) refers to the policy of permitting employees to bring personally owned devices to their workplace and to use those devices to access privileged company information and applications. A memorandum of understanding (MOU) is important because it defines the responsibilities of each party in an agreement, provides the scope and authority of the agreement, clarifies terms, and outlines compliance issues. A non-disclosure agreement (NDA) is a legal contract or part of a contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share for certain purposes, but wish to restrict access to. A service level agreement (SLA) is a commitment between a service provider and a client for particular aspects of the service, such as quality, availability, or responsibilities.

Fail to Pass Solutions has requested that its employees have a mobile device so that they can respond to questions when they are out of the office. Each employee is responsible for buying their Android smartphone and cellular plan service. To access the corporate network and its data, the employees need to install a company-provided APK on their device. This app contains access to their company-provided email, cloud storage, and customer relationship management (CRM) database. Which of the following policies BEST describes Fail to Pass's mobile device deployment model?

BYOD OBJ-2.7: Bring Your Own Device (BYOD) is a mobile device deployment model that facilitates the use of personally owned devices to access corporate networks and data. Corporate Owned Business Only (COBO) is a mobile device deployment model that provides the employee with a corporate-owned device that may only be used for official work functions and purposes. Corporate Owned Personally Enabled (COPE) is a mobile device deployment model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is also permitted. Choose Your Own Device (CYOD) is a mobile device deployment model where employees are offered a selection of corporate devices for work and, optionally, private use.

Your company wants to increase the security of its server room. Which TWO of the following should they install to protect the server room's contents?

Badge reader and biometric lock OBJ-2.1: A badge reader and a biometric lock can be used together on a server room door to provide multifactor authentication (something you have plus something you are). Biometrics are identifying features stored as digital data that can be used to authenticate a user. Typical features used include facial pattern, iris, retina, fingerprint pattern, and signature recognition. This requires a relevant scanning device, such as a fingerprint reader, and a database of biometric information for authentication to occur. A badge reader can read a security badge using RFID, a smart card, or a barcode to authenticate a user. Cable locks are used for laptops, not servers or server rooms. A bollard is used in the parking lot or in front of a building. Strong passwords protect the servers, not the server room itself. Privacy window shades could be used, but they are not as strong a defense as a badge reader and biometric lock on the door to the server room.

Dion Training has several Windows 10 Professional workstations with an internal 2 TB hard disk drive. The company wants to use full disk encryption to protect the contents of this hard drive. Which of the following security settings can be used to encrypt this storage device?

BitLocker OBJ-2.5: BitLocker performs full disk encryption of the internal hard drive or solid-state drive on a Windows 10 Professional, Enterprise, or Education system (it is not included in Windows 10 Home). It is normally backed by the TPM, and the recovery key should be escrowed (to Active Directory, Azure AD, or a Microsoft account) before it is enabled, because a TPM change or firmware update can trigger a recovery prompt. BitLocker To Go performs full disk encryption of external storage devices such as external hard drives and flash drives. The Encrypting File System (EFS) is used in NTFS to encrypt individual files or folders rather than the whole disk; by default, EFS-encrypted files can be opened only by the user who encrypted them (or a designated recovery agent). FileVault is the full disk encryption program used on macOS.

Which of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization's headquarters?

Bollards OBJ-2.1: Bollards are a physical security control designed to prevent a vehicle-ramming attack. Bollards are typically sturdy, short, vertical posts. Some organizations install more decorative bollards made of concrete that are large enough to plant flowers or trees in. Access control vestibules are designed to prevent individuals from tailgating into the building. Security guards and intrusion alarms could detect such an attack but not truly prevent it.

Which of the following policies or plans would describe the access requirements for connecting a user's laptop to the corporate network?

Bring your own device policy OBJ-2.7: A bring your own device (BYOD) policy allows, and sometimes encourages, employees to access enterprise networks and systems using personal mobile devices such as smartphones, tablets, and laptops. A remote access policy is a document that outlines and defines acceptable methods of remotely connecting to the internal network. A password policy is a set of rules created to improve computer security by motivating users to create dependable, secure passwords and then store and utilize them properly. This document promotes strong passwords by specifying a minimum password length, complexity requirements, requiring periodic password changes, and placing limits on the reuse of passwords. An onboarding policy is a documented policy that describes all the requirements for integrating a new employee into the company and its cultures, as well as getting that new hire all the tools and information they need to begin their job successfully.

A cybersecurity analyst notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002 and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker?

Brute Force OBJ-2.4: A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. In a traditional brute-force attack, the passcode or password is incremented one letter or number at a time until the right value is found, which is exactly what the sequential 00000000, 00000001, 00000002 pattern in the logs shows. (An 8-digit WPS PIN looks like 10^8 possibilities, but because the eighth digit is a checksum and the access point confirms the first four digits separately from the last four, a real WPS brute force needs at most about 11,000 attempts; this is why WPS should be disabled.) A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary, rather than every possible string. A rainbow table is a precomputed list of hashes used to speed up password cracking. A hybrid password cracking attack combines a brute-force attack with a dictionary attack by using words from the dictionary list as the basis for the brute-force attack. For example, if the dictionary had the word Jason in it, the hybrid attack might try Jason123, Jason!@#, and J@$0n as combinations based on the word Jason.
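Why the WPS PIN in the question falls so quickly, as an added example that is not part of the original page: the checksum digit from the WPS specification and the two-half verification, run against a simulated registrar (a stand-in for the printer's access point; the no-lockout behaviour is an assumption for the example). The PIN 13252342 from the question is used as the constructed target.

```python
# Added example (not from the original page): the WPS PIN checksum and the
# two-half verification that make an 8-digit PIN cost ~11,000 guesses rather
# than 10^8. The registrar is simulated and assumes no lockout.


def wps_checksum(first_seven: str) -> int:
    """Checksum digit defined by the WPS spec for the first seven digits."""
    d = [int(c) for c in first_seven]
    accum = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])


class SimulatedRegistrar:
    """Stand-in for the access point. As in the real WPS exchange, it reveals
    whether the first four digits are right (M4 NACK) before it even looks at
    the last four (M6 NACK). Assumed for the example: no lockout after failures."""

    def __init__(self, pin: str):
        assert is_valid_wps_pin(pin), "target PIN must carry a valid checksum"
        self._pin = pin
        self.attempts = 0

    def try_pin(self, guess: str):
        self.attempts += 1
        first_ok = guess[:4] == self._pin[:4]
        second_ok = first_ok and guess[4:] == self._pin[4:]
        return first_ok, second_ok


def crack_wps_pin(registrar: SimulatedRegistrar):
    """Recover the PIN in at most 10,000 + 1,000 attempts instead of 10^8."""
    first_half = None
    for i in range(10_000):
        guess_first = f"{i:04d}"
        # The second half is a placeholder here; only the first-half verdict matters.
        first_ok, second_ok = registrar.try_pin(guess_first + "0000")
        if first_ok:
            first_half = guess_first
            if second_ok:            # the placeholder happened to be right
                return first_half + "0000"
            break
    if first_half is None:
        return None
    # Only three digits of the second half are free; the eighth is the checksum.
    for j in range(1_000):
        tail = f"{j:03d}"
        candidate = first_half + tail + str(wps_checksum(first_half + tail))
        _, second_ok = registrar.try_pin(candidate)
        if second_ok:
            return candidate
    return None


def naive_attempts(pin: str) -> int:
    """Guesses needed by the sequential 00000000, 00000001, ... attack in the logs."""
    return int(pin) + 1


if __name__ == "__main__":
    target = "13252342"                      # the PIN from the question
    reg = SimulatedRegistrar(target)
    found = crack_wps_pin(reg)
    print(f"recovered {found} in {reg.attempts} attempts "
          f"(sequential search would have needed {naive_attempts(target)})")
```

The registrar's early NACK is the design flaw: it turns one 10^8 search into a 10^4 search followed by a 10^3 search, so rate limiting and lockout on the access point matter as much as the PIN itself.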

You are working as a military defense contractor and have been asked to dispose of 5 laptop hard drives used in systems that processed classified information. Which of the following physical data destruction and disposal methods is MOST appropriate to ensure the data cannot be recovered?

Degaussing of the HDD OBJ-2.8: The best option is to degauss the hard drives. Degaussing exposes the disk to a powerful electromagnet that disrupts the magnetic pattern that stores the data on the disk surface. This renders the data on the disk inaccessible, but the disk becomes unusable for other purposes. If the drive needs to be reused, repurposed, or recycled, you should not use degaussing. If the drive contains sensitive or classified information, it should be degaussed or shredded. Note that degaussing only works on magnetic media; a solid-state drive is unaffected by it, so SSDs holding classified data must be physically destroyed (or cryptographically erased, where the governing policy permits that). Standard formatting of the drives could allow the data to be restored and leave it vulnerable to exposure. Low-level formatting is a hard disk operation that makes recovering data from the storage device difficult once the operation is complete, but it is not accepted for classified media.

Your organization has recently suffered a data breach due to a server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement?

Deploy a new group policy OBJ-2.1: Group Policy is used to manage Windows systems in a Windows domain environment through Group Policy Objects (GPOs). GPOs can include many settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings, and a GPO can rename or disable the built-in local administrator account on every workstation at once. When the goal is to change the password itself, do not use the legacy Group Policy Preferences "Local Users" item: Microsoft removed that capability (MS14-025) because the password was stored in the GPO in a form any domain user could decrypt. Use the Local Administrator Password Solution (LAPS), which is also deployed through Group Policy and sets a unique, rotating local administrator password on each machine, so one recovered password does not unlock all 1250 workstations.

A cybersecurity analyst is applying for a new job with a penetration testing firm. He received the job application as a secured Adobe PDF file, but unfortunately, the firm locked the file with a password so the potential employee could not fill in the application. Instead of asking for an unlocked copy of the document, the analyst decides to write a script in Python to attempt to unlock the PDF file by using passwords from a list of commonly used passwords until he can find the correct password or attempts every password in his list. Based on this description, what kind of cryptographic attack did the analyst perform?

Dictionary attack OBJ-2.4: A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. The key to answering this question is that they were using passwords from a list. A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the webserver. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

Your home network is configured with a long, strong, and complex pre-shared key for its WPA3 encryption. You noticed that your wireless network has been running slow, so you checked the list of "connected clients" and see that "Bob's Laptop" is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the proper WPA3 password?

Disable WPS OBJ-2.9: WPS was created to ease the setup and configuration of new wireless devices by allowing the router to automatically configure them after a short eight-digit PIN was entered. Unfortunately, WPS is vulnerable to a brute-force attack and is easily compromised. Therefore, WPS should be disabled on all wireless networks. If Bob could enter your apartment and press the WPS button, he could have configured his laptop to use your wireless network without your WPA3 password. While disabling the SSID broadcast could help prevent someone from seeing your network, the issue was someone connecting to your network without having the password. Disabling the SSID broadcast would not solve this issue.

You are configuring a wireless access point (WAP) in a large apartment building for a home user. The home user is concerned that their neighbor may try to connect to their Wi-Fi and wants to prevent it. Which THREE of the following actions should you perform to increase the wireless network's security?

Disable the SSID broadcasting Enable WPA3 encryption Reduce transmission power OBJ-2.9: To BEST secure this wireless network in a large apartment building, you should first reduce the transmission power so that the radio signal stays within the apartment as far as possible. You should then disable the SSID broadcast, which keeps the network out of the neighbor's list of available networks (this is only an obscurity measure; a wireless scanner still sees the SSID in probe and association frames). Finally, the home user should use WPA3 encryption, since it is the strongest protection available for Wi-Fi networks and is what actually stops an unauthorized client from joining. Reducing the channel availability would minimize the bandwidth available for the users. Disabling the DHCP server would prevent users from automatically getting their IP configuration when connecting to the network. WEP is a weak, broken form of encryption and should not be used.

You are working as part of a penetration testing team during an assessment of Dion Training's headquarters. Your boss has requested that you search the company's recycling bins for any information that might be valuable during the reconnaissance phase of your attack. What type of social engineering method are you performing?

Dumpster Diving OBJ-2.4: Dumpster diving involves searching through publicly accessible garbage cans or recycling bins to find discarded paper, manuals, or other valuable types of information from a targeted company. This is often done as part of the reconnaissance phase before an attack is performed. Whaling is an email-based or web-based form of phishing that targets senior executives or wealthy individuals. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Impersonation is the act of pretending to be someone or something else. Malicious actors often couple pretexting and impersonation to craft a believable scenario and impersonate people in authority during a social engineering attack.

Which attack utilizes a wireless access point made to look as if it belongs to the network by mimicking the corporate network's SSID to eavesdrop on the wireless traffic?

Evil Twin OBJ-2.4: An evil twin is meant to mimic a legitimate hotspot provided by a nearby business, such as a coffee shop that provides free Wi-Fi access to its patrons. An evil twin is a type of rogue wireless access point that masquerades as a legitimate Wi-Fi access point so that an attacker can gather personal or corporate information without the user's knowledge. This type of attack may be used to steal the passwords of unsuspecting users by monitoring their connections or by phishing, which involves setting up a fraudulent website and luring people to it. A rogue access point is an access point installed on a network without the network owner's permission. For example, if an employee connected a wireless access point to a wall jack in their office so that they could use their smartphone or tablet, this would be considered a rogue access point. Therefore, an evil twin is the better answer to this question since it is specifically made to look like it belongs on the network by mimicking the SSID of the corporate network. A WEP attack recovers the key of a network that relies on WEP by capturing enough encrypted frames and exploiting WEP's weak 24-bit initialization vectors; it is a key-recovery attack rather than a password guess. Shoulder surfing is a social engineering technique used to obtain information such as personal identification numbers, passwords, and other confidential data by looking over the victim's shoulder.

Elizabeth was replacing a client's security device that protects their screened subnet. The client has an application that allows external users to access the application remotely. After replacing the devices, the external users cannot connect remotely to the application anymore. Which of the following devices was MOST likely misconfigured and is now causing a problem?

Firewall OBJ-2.9: A firewall is an integral part of creating a screened subnet. If configured correctly, it regulates exactly which traffic and which users are allowed to reach the server. This is different from a content filter, which denies traffic to a user based on content rather than controlling access to a server. If the replacement firewall's ruleset was not configured to allow external users to reach the application, the default condition of "deny by default" blocks them, which matches the symptom. Content filtering is the use of a program to screen and/or exclude access to web pages or emails deemed objectionable. The Dynamic Host Configuration Protocol (DHCP) uses ports 67 (server) and 68 (client) and is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client-server architecture. The Domain Name System (DNS) uses port 53 and is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network.

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices?

GPO OBJ-2.1: Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users or computers. Group Policy is the primary administrative tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization. In an Active Directory environment, Group Policy is applied to users or computers based on their membership in sites, domains, or organizational units. A host-based intrusion detection system (HIDS) is a device or software application that monitors a system for malicious activity or policy violations; any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Anti-malware software is a program that scans a device or network for known viruses, Trojans, worms, and other malicious software. Patch management is the process of distributing and applying software updates to prevent vulnerabilities from being exploited by an attacker or malware; it is a technical control that helps prevent future outbreaks, but it is not a general mechanism for pushing configuration settings.

Chris just downloaded a new third-party email client for his smartphone. When Chris attempts to log in to his email with his username and password, the email client generates an error messaging stating that "Invalid credentials" were entered. Chris assumes he must have forgotten his password, so he resets his email username and password and then reenters them into the email client. Again, Chris receives an "Invalid credentials" error. What is MOST likely causing the "Invalid credentials" error regarding Chris's email client?

His email requires multifactor authentication OBJ-2.7: If the email account is configured to require two-factor (2FA) or multifactor authentication, then a third-party client that only knows how to send a username and password will receive an "Invalid credentials" error even when those credentials are correct. Some email providers let the user create an application-specific password for such legacy clients; this bypasses the multifactor requirement for that one client, so it should be used sparingly and revoked when no longer needed. Otherwise the user needs a client that supports modern authentication (for example, OAuth 2.0 sign-in) together with the provider's multifactor prompt. His account is not locked out and is not being rejected for a weak password, since those issues would have been resolved when he reset the password. Full device encryption on the smartphone does not affect the email client, because the device is unlocked once the user authenticates with their PIN, password, fingerprint, or face.

While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. The IT department never deactivated the employee's account upon their termination. Which of the following categories would this breach be classified as?

Insider threat OBJ-2.4: An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems. Based on the details provided in the question, the former employee's legitimate credentials were used to conduct the breach, so it is classified as an insider threat. The root cause is a missing offboarding step: the account should have been disabled at termination, and a periodic review of enabled accounts against the HR roster would have caught it. A zero-day is a vulnerability in software unpatched by the developer, or an attack that exploits such a vulnerability. A known threat is a threat that can be identified using a basic signature or pattern matching. An advanced persistent threat (APT) is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware.

When Jason needs to log in to his bank, he must use a hardware token to generate a random number code automatically synchronized to a code on the server for authentication. What type of device is Jason using to log in?

Key Fob OBJ-2.1: A key fob is a hardware token that generates a one-time code. The code is not random: the token and the server share a secret key, and both compute the code from that key and either the current time (TOTP) or a counter (HOTP), which is what keeps them synchronized. With a time-based token the code changes every 30 or 60 seconds. RSA's SecurID token is a well-known example of such a key fob. A smart card, chip card, PIV card, or integrated circuit card is a physical, electronic authorization device used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit chip. In high-security environments, employee badges may contain a smart card chip that must be inserted into a smart card reader to log in or access information on the system. A biometric lock is any lock that can be activated by biometric features, such as a fingerprint, voiceprint, or retina scan. Biometric locks make it more difficult for someone to counterfeit the key used to open the lock or a user's account. A smart card is also a form of hardware token, but it does not generate a synchronized code.

A new corporate policy dictates that all access to network resources will be controlled based on the user's job functions and tasks within the organization. For example, only people working in Human Resources can access employee records, and only the people working in finance can access customer payment histories. Which of the following security concepts is BEST described by this new policy?

Least Privilege OBJ-2.1: Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. Privilege itself refers to the authorization to bypass certain security restraints. Permissions creep, also known as privilege creep, is what happens when an employee moves between roles in an organization and keeps the access or permissions of the previous role. Directory permissions are used to determine which users can access, read, write, and delete files or directories within a given directory. A blocklist is a list of IP addresses, ports, or applications that are not allowed to be run or used on a given system.

Dion Training just released a new corporate policy that dictates all access to network resources will be controlled based on the user's job functions and tasks within the organization. For example, only people working in Human Resources can access employee records, and only the people working in finance can access customer payment histories. Which of the following security concepts is BEST described by this new policy?

Least Privilege OBJ-2.1: Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. Privilege itself refers to the authorization to bypass certain security restraints. Zero-trust is a security framework that requires all users, whether in or outside the organization's network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Defense in Depth is an approach to cybersecurity in which a series of defensive mechanisms are layered to protect valuable data and information. An acceptable use policy (AUP) is a set of rules applied by the owner, creator, or administrator of a network, website, or service, that restrict how the network, website, or system may be used and sets guidelines as to how it should be used.

Dion Training is creating a new security policy that states all access to system resources will be controlled based on the user's job functions and tasks within the organization. For example, only people working in Human Resources can access employee records, and only the people working in finance can access customer payment histories. Which of the following policies or security practices is BEST described by this new policy?

Least privilege OBJ-2.1: Least privilege is a security policy that states someone or something should be allocated the minimum necessary rights, privileges, or information to perform their specific role. Separation of duties is a security policy that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of power. Job rotation is a security policy that prevents any one individual from performing the same role or tasks for too long; it is useful in deterring fraud and providing better oversight of the person's duties. Mandatory vacation is a security policy that states when and for how long an employee must take time off from work so that their activities may be subjected to a security review by having another employee perform their job functions.

What type of wireless security measure can easily be defeated by a hacker by spoofing their network interface card's hardware address?

MAC Filtering OBJ-2.9: Wireless access points can use MAC filtering to ensure only known network interface cards are allowed to connect to the network. If the attacker changes their MAC address to one on the trusted list, they bypass this control. MAC filtering can be part of a larger defense-in-depth strategy, but it will not stop a skilled attacker for long. Each NIC has a burned-in address assigned by the manufacturer, but the address the card actually puts on the air is set by the driver, and every major operating system lets a user override it; worse, the trusted addresses are visible in clear text in the 802.11 headers of every frame, even on a WPA2-encrypted network, so an attacker only has to listen to learn one. WEP is the Wired Equivalent Privacy encryption standard, which is considered obsolete in modern wireless networks; it can be broken within minutes by capturing traffic and exploiting its weak 24-bit initialization vectors. Another technique is to disable the SSID broadcast of an access point. While this hides the beacon, a skilled attacker can still find the SSID using discovery scanning techniques. WPS is Wi-Fi Protected Setup, used to connect and configure wireless devices to an access point easily.

You are configuring a SOHO network for a small coffee shop. They have found that certain customers will buy a single coffee cup and then sit at the coffee shop all day to use the WiFi. The owner has asked you to block this customer's laptop from connecting by placing it on a blocklist. Which of the following configurations would you use to blocklist this customer's device based on its unique hardware identifier?

MAC filtering OBJ-2.9: MAC filtering is the application of an access control list to a switch or access point so that clients are admitted or denied based on their MAC address; the list can be an allow list of approved addresses or, as in this scenario, a block list of banned ones. Port forwarding allows a router to take requests from the Internet for a particular application and send them to a designated host on the LAN. An allow list is a form of protection where only the items identified specifically on the list are allowed, whereas all others are denied. For example, if you create an access control list that relies on an allow list, it would block every IP address that is not found in the allow list. A block list contains every address or port that is blocked from accessing the network. Keep in mind that a MAC block list only keeps out an unchanged hardware address; a device that changes its MAC address, which many modern operating systems do automatically per network, will no longer match the entry.

A printing company uses an isolated Windows XP workstation to print out large format banners for its customers on a custom printer. Unfortunately, the printer does not support newer versions of Windows and would cost $50,000 to replace it. To mitigate this risk, the workstation is not connected to the internet or a local area network. When a customer needs a banner printer, the technician takes a copy of their PDF file and moves it to the Windows XP workstation using a USB thumb drive. The workstation recently became infected with malware when printing a customer's file. The technician remediated the issue, but the workstation became infected again three

Manually update the antivirus on the workstation and set it to perform on access scans OBJ-2.4: This is a legacy workstation since it is running Windows XP. Since Windows XP is considered end-of-life, there are no security patches or updates available for it. To mitigate this risk, the workstation should be run only as an isolated workstation. Since the workstation is not connected to a network and receives files through the connection of a USB thumb drive, this would be the only way a piece of malware could enter the system. The technician most likely neglected to update the antivirus/antimalware software on this workstation during the remediation. The technician should manually update the antivirus/antimalware definitions weekly. The workstation should also be configured to conduct on-access/on-demand scanning, as well.

Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?

Missing patches OBJ-2.4: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server's data can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting executes in the user's browser and targets that user, not the server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL injection targets database-backed applications, so it is not useful when attacking a file server.

What kind of attack is an example of IP spoofing?

On-path attack OBJ-2.4: An on-path attack (formerly known as a man-in-the-middle attack) intercepts communications between two systems. For example, in an HTTP transaction, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server, then relays and possibly alters the traffic while both parties believe they are talking directly to each other over a private connection. This often relies on IP spoofing (or ARP spoofing on a LAN) to trick a victim into connecting to the attacker instead of the intended host. SQL injection is a code injection technique used to attack data-driven applications; malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. ARP poisoning, also known as ARP spoofing, is an attack carried out over a local area network (LAN) that sends forged ARP replies to hosts on the LAN, including the default gateway, to change the IP-to-MAC address pairings in their ARP tables. ARP poisoning spoofs Layer 2 addresses and is itself one way to build an on-path position; the question asks about IP spoofing, which is the on-path attack's tool at Layer 3. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser-side script, to a different end user.

Which of the following types of screen locks uses a secret PIN or password to prevent access to a mobile device?

Passcode OBJ-2.7: A passcode lock relies upon something a user memorizes, known as a knowledge factor in authentication. This could be a PIN, password, or passphrase. This is the least secure mechanism of locking a mobile device as the PIN, password, or passphrase could be compromised by shoulder surfing or technical means. A swipe lock is a term for unlocking a device by tracing a predetermined on-screen pattern or joining dots on the screen. This was commonly used in Android devices until biometric methods like fingerprint scanners and facial recognition became more prevalent. The FaceID and TouchID screen locks rely upon biometric data to securely unlock the device. Since biometrics are body measurements and calculations related to human characteristics, the use of a person's face or fingerprint is classified as a biometric authentication system.

Which of the following policies or plans would dictate the complexity requirements for a wireless network's shared secret key?

Password Policy OBJ-2.6: A password policy is a set of rules created to improve computer security by motivating users to create dependable, secure passwords and then store and utilize them properly. This document promotes strong passwords by specifying a minimum password length, complexity requirements, requiring periodic password changes, and placing limits on the reuse of passwords. An acceptable use policy (AUP) is a set of rules applied by the owner, creator, or administrator of a network, website, or service, that restrict how the network, website, or system may be used and sets guidelines as to how it should be used. A data loss prevention policy is a document that defines how organizations can share and protect data. It guides how data can be used in decision-making without it being exposed to anyone who should not have access to it. The goal of a data loss prevention policy is to minimize accidental or malicious data loss. A remote access policy is a document that outlines and defines acceptable methods of remotely connecting to the internal network.

Marta's organization is concerned that a user's account could remain exposed for an extended period of time if their password were compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability?

Password expiration OBJ-2.6: A password expiration control (a maximum password age) forces users to change their passwords at a fixed interval. It does not prevent a compromise, but it limits how long a stolen password remains usable, which is the time-based exposure this scenario describes. While the other options are good components of password security, they do not shorten that exposure window. Password history sets the number of unique passwords a user must cycle through before an old password can be reused. The passwords-must-meet-complexity-requirements setting determines whether passwords must satisfy a set of guidelines considered important for a strong password. Maximum password length caps how long a password can be; since a longer password is stronger against a brute-force attack, this cap should be generous rather than restrictive.
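The password-policy controls named in the last two questions (complexity, history, expiration), evaluated in code. This is an added example and not part of the quiz; the policy thresholds, the sample history and the dates are constructed assumptions.

```python
"""Added example (not from the quiz): the password-policy controls discussed
above, evaluated in code. Policy numbers and the sample history are assumptions."""
import hashlib
import string
from datetime import date, timedelta

MIN_LENGTH = 12            # assumed policy values
CLASSES_REQUIRED = 3
HISTORY_REMEMBERED = 5
MAX_AGE_DAYS = 90


def pw_hash(pw: str) -> str:
    # Demo only: a production password store uses a salted, slow hash
    # (bcrypt/scrypt/argon2). The history list holds digests, never cleartext.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def complexity_ok(pw: str) -> bool:
    """Minimum length plus at least CLASSES_REQUIRED of four character classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= MIN_LENGTH and sum(classes) >= CLASSES_REQUIRED


def history_ok(pw: str, history_hashes: list) -> bool:
    """Password history: the new password may not match the last N hashes."""
    return pw_hash(pw) not in history_hashes[-HISTORY_REMEMBERED:]


def is_expired(last_changed: date, today: date) -> bool:
    """Password expiration: a password older than MAX_AGE_DAYS must be rotated."""
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


def evaluate_change(new_pw: str, history_hashes: list) -> list:
    """Return the policy rules a proposed password violates (empty == accepted)."""
    violations = []
    if not complexity_ok(new_pw):
        violations.append("complexity")
    if not history_ok(new_pw, history_hashes):
        violations.append("history")
    return violations


# Constructed sample account state (assumption, not real data).
SAMPLE_HISTORY = [pw_hash("Winter2023!north"), pw_hash("Spring2024!south")]
SAMPLE_LAST_CHANGED = date(2024, 1, 15)

if __name__ == "__main__":
    print(evaluate_change("password", SAMPLE_HISTORY))            # ['complexity']
    print(evaluate_change("Spring2024!south", SAMPLE_HISTORY))    # ['history']
    print(is_expired(SAMPLE_LAST_CHANGED, date(2024, 5, 1)))       # True
```

The expiration check is deliberately separate from the change checks: it runs at logon time against the account's last-change date, while complexity and history run only when a new password is proposed.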

Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to "click here" to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following best describes this type of attack?

Phishing OBJ-2.4: Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people. The email in this scenario appears to be untargeted since it was sent to both customers and non-customers of this particular bank so it is best classified as phishing. Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. Whaling is an email-based or web-based form of phishing that targets senior executives or wealthy individuals. A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.

A penetration tester sends an email out to 100,000 random email addresses. In the email the attacker sent, it claims that "Your Bank of America account is locked out. Please click here to reset your password." Which of the following attack types is being used?

Phishing OBJ-2.4: Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. Spear phishing attacks focus on a targeted set of people, not just an indiscriminate large group of random people. Whaling is an email-based or web-based form of phishing that targets senior executives or wealthy individuals. Vishing is a social-engineering attack where the attacker extracts information while speaking over the phone or leveraging IP-based voice messaging services (VoIP).

You want to enable a security feature that would remember the Layer 2 address first connected to a particular switch port to prevent someone from unplugging a workstation from the switch port and connecting their own SOHO wireless router to that same switch port. Which of the following security features would BEST accomplish this goal?

Port Security OBJ-2.5: Port security enables an administrator to configure individual switch ports to allow only a specified number of MAC addresses to use that port, learning those addresses dynamically from the first frames seen. Port security helps secure the network by preventing unknown devices from forwarding packets; a SOHO router plugged into the port presents a new MAC address and triggers the configured violation action, such as shutting the port down. When a link goes down, dynamically learned addresses are freed unless they were configured as sticky, in which case they are written to the running configuration and survive the link flap. A firewall is used to prevent hackers and malicious software from gaining access to the workstation over the Internet or the local area network. Single sign-on (SSO) is a type of mutual authentication for multiple services that can accept the credential from one domain or service as authentication for other services. A login script is a text file with commands and settings to configure a user's environment that runs when the user logs on to a computer.

On your lunch break, you walked down to the coffee shop on the corner. You open your laptop and connect to their wireless network. After a few minutes of surfing the Internet, a pop-up is displayed on your screen. You close the pop-up, finish your lunch break, shut down the laptop, and put it back into your backpack. When you get back to the office, you take out the laptop and turn it on, but instead of your normal desktop background, you are greeted by a full-screen image with a padlock and a message stating you have to pay 0.1 BTC to regain access to your personal files. What type of malware has infected your laptop?

Ransomware OBJ-2.3: This scenario is describing a ransomware attack. Your personal files are being held hostage and will not be released unless you pay a ransom (in this case, 0.1 BTC). Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received. A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enables administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system. Spyware is a program that monitors user activity and sends the information to someone else. It may be installed with or without the user's knowledge. It invades the device, steals sensitive information and internet usage data, and relays it to advertisers, data firms, or external users. A trojan is a type of malware that looks legitimate but can take control of your computer. A trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. A trojan commonly spawns additional processes that run in the background of the system to carry out its hidden payload.

A hospital's file server has become infected with malware. The files on the server all appear to be encrypted and cannot be opened. The network administrator receives an email from the attacker asking for 20 bitcoin in exchange for the decryption key. Which type of malware MOST likely infected these computers?

Ransomware OBJ-2.3: Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received. Spyware is a program that monitors user activity and sends the information to someone else. It may be installed with or without the user's knowledge. It invades the device, steals sensitive information and internet usage data, and relays it to advertisers, data firms, or external users. A keylogger actively attempts to steal confidential information by capturing the data when entered into the computer by the user. This is done by recording keystrokes entered into a web browser or other application. A software keylogger can be run in the background on a victim's computer. A hardware keylogger may be placed between the USB port and the wired keyboard. A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enabled administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system.

Which attack method is MOST likely to be used by a malicious employee or insider trying to obtain another user's passwords?

Shoulder Surfing OBJ-2.4: While a malicious employee or insider could use all of the methods listed to obtain another user's passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Since a malicious employee or insider can work close to their victims (other users), they could easily use this technique to collect the victimized users' passwords. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. The attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection. The attacker will intercept all relevant messages passing between the two victims and inject new ones. Tailgating is a social engineering technique to gain access to a building by following someone unaware of their presence. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people.

Dion Training has an open wireless network so that their students can connect to the network during class without logging in. The Dion Training security team is worried that the customers from the coffee shop next door may be connecting to the wireless network without permission. If Dion Training wants to keep the wireless network open for students but prevents the coffee shop's customers from using it, which of the following should be changed or modified?

Signal strength or power level OBJ-2.9: Since Dion Training wants to keep the wireless network open, the BEST option is to reduce the access point's transmit power. This will ensure the wireless network can only be accessed from within its classrooms and not from the coffee shop next door. Changing the SSID won't prevent the coffee shop's customers from accessing the network. While MAC filtering could be used to create an approved allow list of MAC addresses for all Dion Training's students, this would also require the list to be continuously updated with each class of students, which is very time-intensive and inefficient. Therefore, the BEST solution is to reduce the signal strength.

Which of the following types of attacks are usually used as part of an on-path attack?

Spoofing OBJ-2.4: Spoofing is often used to inject the attacker into the conversation path between the two parties. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. The attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection. The attacker will intercept all relevant messages passing between the two victims and inject new ones. A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Tailgating is a social engineering technique to gain access to a building by following someone unaware of their presence. A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.
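The two questions above describe how spoofing (IP or ARP) builds an on-path position. The following is an added example, not part of the quiz, showing the defender's side: a detector that reads ARP reply records and flags the IP-to-MAC changes that ARP poisoning produces. The log lines, the addresses and the gateway IP are constructed for illustration.

```python
"""Added example (not from the quiz): detecting ARP poisoning, the usual way an
on-path position is built on a LAN, from ARP reply records. The log lines are
constructed for illustration and the gateway address is an assumption."""
import re
from collections import defaultdict

# Constructed tcpdump-style ARP replies (not a real capture). 192.168.1.1 is the
# gateway; de:ad:be:ef:00:99 is the attacker answering for both sides.
SAMPLE_ARP = """\
10:00:01 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:02 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20
10:00:05 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99
10:00:06 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99
10:00:09 ARP, Reply 192.168.1.30 is-at aa:bb:cc:00:00:30
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9A-Fa-f:]{17})$"
)


def detect_arp_spoofing(log_text: str, gateway_ip: str) -> list:
    """Return (timestamp, severity, message) alerts for suspicious ARP replies.

    Two signals are checked:
    1. an IP that was learned with one MAC is later announced with another
       (HIGH if it is the gateway, since that diverts every off-LAN flow);
    2. a single MAC that claims the gateway *and* another host, the signature of
       a full-duplex on-path attacker poisoning both ends of a conversation.
    """
    baseline = {}                  # ip -> MAC first learned (trust on first use)
    claims = defaultdict(set)      # mac -> IPs it has answered for
    flagged_macs = set()
    alerts = []

    for line in log_text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue               # ignore requests and unrelated lines
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        claims[mac].add(ip)

        if ip not in baseline:
            baseline[ip] = mac
        elif baseline[ip] != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((ts, severity, f"{ip} moved from {baseline[ip]} to {mac}"))

        if gateway_ip in claims[mac] and len(claims[mac]) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)
            hosts = sorted(claims[mac] - {gateway_ip})
            alerts.append((ts, "HIGH", f"{mac} claims gateway {gateway_ip} and {hosts}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP, "192.168.1.1"):
        print(*alert)
```

The trust-on-first-use baseline is the weak point of this approach: if the attacker is already poisoning when monitoring starts, the forged mapping becomes the baseline. In practice the gateway's MAC should be pinned from a known-good source, and a router that legitimately answers for several addresses (proxy ARP) needs an exception to avoid false positives on the second signal.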

Maria is trying to log in to her company's webmail and is asked to enter her username and password. Which type of authentication method is Maria using?

Single Factor OBJ-2.2: Single-factor authentication (SFA) is a process for securing access to a given system, such as a network or website, that identifies the party requesting access through only one category of credentials (something you know, something you have, something you are, something you do, or somewhere you are). The most common example of single-factor authentication occurs when a user is prompted to enter their username and password to authenticate. Multifactor authentication requires credentials that include at least 2 of the 5 authentication factors. The Remote Authentication Dial-in User Service (RADIUS) is used to manage remote and wireless authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The client device then passes the authentication data to an AAA (Authentication, Authorization, and Accounting) server that processes the request. The Terminal Access Controller Access Control System (TACACS+) is a proprietary alternative to RADIUS developed by Cisco for handling authentication.

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system?

Smartcard and PIN OBJ-2.1: Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inherence factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inherence). Choosing a username, password, and security question would also use only one factor (knowledge). For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inherence, location, or action.

Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization?

Spear phishing OBJ-2.4: Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. The key to answering this question is that the attack was focused on a targeted set of people, not just an indiscriminate large group of random people. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. A zero-day vulnerability is when the vendor is aware of a security flaw, but a patch has not been developed or applied on an affected system. At this point, a malicious actor can craft an attack and take advantage of the zero-day vulnerability. Spoofing is a type of attack that disguises a communication from an unknown source as being from a known, trusted source. Spoofing can occur using different methods, such as MAC spoofing, IP spoofing, call spoofing, and others.

Which of the following provides accounting, authorization, and authentication via a centralized privileged database, as well as challenge/response and password encryption?

TACACS+ OBJ-2.2: TACACS+ is an AAA (authentication, authorization, and accounting) protocol that provides AAA services for access to routers, network access points, and other networking devices. TACACS+ is a remote authentication protocol that allows a remote access server to communicate with an authentication server to validate user access onto the network. TACACS+ allows a client to accept a username and password and pass a query to a TACACS+ authentication server; unlike RADIUS, which only hides the password attribute, TACACS+ obfuscates the entire packet body with a pad derived from the shared key. Multifactor authentication is an authentication scheme that works based on something you know, something you have, something you are, something you do, or somewhere you are. These schemes can be made stronger by combining them (for example, protecting the use of a smart card certificate [something you have] with a PIN [something you know]). Network Access Control (NAC) is a means of ensuring endpoint security by ensuring that all devices connecting to the network conform to a health policy such as its patch level, antivirus/firewall configuration, and other factors. Internet Security Association and Key Management Protocol (ISAKMP) is used for negotiating, establishing, modifying, and deleting SAs and related parameters in the IPSec protocol.

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?

TACACS+ OBJ-2.2: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco; it has since been documented publicly in RFC 8907. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on UDP port 1812 for authentication (1813 for accounting) and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography, developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.
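The two TACACS+ questions above mention "password encryption"; concretely, TACACS+ XORs the whole packet body with an MD5-derived pad keyed by the shared secret (RFC 8907 section 4.5). The following is an added example written for this page, not vendor or quiz code: it builds the 12-byte header and a minimal authentication START body and shows the obfuscation round trip. The shared key, session ID, username and addresses are constructed assumptions.

```python
"""Added example (not from the quiz or any vendor code): the TACACS+ packet
header and body obfuscation from RFC 8907, plus a minimal authentication START
body. The shared key, session ID and user details are constructed assumptions."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0          # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT = "!BBBBII"           # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body (RFC 8907 section 5.1): action LOGIN, priv_lvl 1,
    authen_type ASCII, authen_service LOGIN, then four length-prefixed fields."""
    fixed = struct.pack("!BBBBBBBB", 0x01, 0x01, 0x01, 0x01,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no,
                         0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Return the cleartext body. A wrong key yields garbage rather than an error:
    the obfuscation carries no integrity check, which is why RFC 8907 calls it
    obfuscation, not encryption, and recommends a protected transport."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body                  # body was sent in the clear
    return obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    body = build_authen_start(b"alice", b"tty0", b"10.0.0.5")
    pkt = build_packet(body, 0x1234ABCD, b"s3cr3t-shared-key")
    print(pkt.hex())
    print(parse_packet(pkt, b"s3cr3t-shared-key") == body)
```

Note how the pad depends on the session ID and sequence number, so each packet in a session gets a different pad even under the same key; the reply from the server would use seq_no 2 and its own pad.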

Which of the following types of screen locks uses a biometric authentication system to prevent access to a mobile device?

Touch ID OBJ-2.7: Touch ID is a feature developed by Apple that uses fingerprint biometric information to grant access to the device. It is a form of biometric authentication. A swipe lock is a term for unlocking a device by tracing a predetermined on-screen pattern or joining dots on the screen. This was commonly used in Android devices until biometric methods like fingerprint scanners and facial recognition became more prevalent. A pattern lock is another name for a swipe lock. A passcode unlock is a term for unlocking a device by entering a PIN (typically four to six digits) or a password.

Jennifer decided that the licensing cost for a piece of video editing software was too expensive. Instead, she decided to download a keygen program to generate a license key and install a pirated version of the editing software. After she runs the keygen, a license key is created, but her system performance becomes very sluggish, and her antimalware suite begins to display numerous alerts. Which type of malware might her computer be infected with?

Trojan OBJ-2.3: A trojan is a program in which malicious or harmful code is contained inside a seemingly harmless program. In this example, the harmless program is the key generator (which does create a license key). It also has malicious code inside it causing the additional alerts from the antimalware solution. A trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. A trojan commonly spawns additional processes that run in the background of the system, which explains the sluggish performance. A worm is a standalone malware computer program that replicates itself to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. A worm can spread on its own, whereas a virus needs a host program or user interaction to propagate itself. A logic bomb is a malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed, or on a specific date. Adware is software that displays unwanted advertisements on your computer.

A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?

Trojan OBJ-2.3: A trojan is a type of malware that looks legitimate but can take control of your computer. A trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. The clues in this scenario, a recent download from the internet followed by many unknown background processes, point to a trojan, which commonly spawns additional processes to carry out its hidden payload. Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received. A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enables administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system. A keylogger actively attempts to steal confidential information by capturing the data when entered into the computer by the user. This is done by recording keystrokes entered into a web browser or other application. A software keylogger can be run in the background on a victim's computer. A hardware keylogger may be placed between the USB port and the wired keyboard.

Which of the following must be enabled to allow a video game console or VoIP handset to configure your firewall automatically by opening the IP addresses and ports needed for the device to function?

UPnP OBJ-2.9: Universal plug-and-play (UPnP) is a protocol framework allowing network devices to autoconfigure services, such as allowing a games console to request appropriate settings from a firewall. UPnP is associated with several security vulnerabilities and is best disabled if not required, since any program on the LAN, including malware, can ask the router to open ports with no authentication. You should ensure that the router does not accept UPnP configuration requests from the external (internet) interface. If using UPnP, keep up-to-date with any security advisories or firmware updates from the router manufacturer. A mobile device management (MDM) software suite is used to manage smartphones and tablets within an enterprise. The Dynamic Host Configuration Protocol (DHCP) is a protocol used to allocate IP addresses to a host when it joins a network. DHCP utilizes UDP ports 67 and 68. Network address translation (NAT) is a network service provided by the router or proxy server to map private local addresses to one or more publicly accessible IP addresses. NAT can use static mappings but is commonly implemented as network port address translation (PAT) or NAT overloading, where a few public IP addresses are mapped to multiple LAN hosts using port allocations.

Which of the following types of wireless encryption uses a 40-bit encryption key with an RC4 encryption cipher?

WEP OBJ-2.2: The Wired Equivalent Privacy (WEP) encryption system is based on the RC4 encryption cipher. WEP uses a 40-bit encryption key and a 24-bit initialization vector by default, which are concatenated into a 64-bit RC4 seed. Later versions of WEP support a 104-bit key, which with the same 24-bit IV is marketed as 128-bit WEP. A larger key makes exhaustive search harder, but the key size is not WEP's real weakness; the short IV and the way it is fed directly into RC4 are, so WEP is considered broken by today's standards and should be replaced by WPA2 or stronger. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. An open network does not use an encryption key or preshared key to protect the network.

What umask should be set for a directory to have 700 as its octal permissions?

rwx------ OBJ-2.6: RWX is 7 and --- is 0. In Linux, you can convert letter permissions to octal by giving 4 for each R, 2 for each W, and 1 for each X. R is for read-only, W is for write, and X is for execute. The permissions strings are written to represent the owner's permissions, the group's permissions, and other users' permissions, in that order.

Which of the following types of encryption uses a 128-bit encryption key but is considered weak due to its use of a 24-bit initialization vector?

WEP OBJ-2.2: Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. The Wi-Fi Protected Setup (WPS) is a mechanism for auto-configuring a WLAN securely for home users. On compatible equipment, users push a button on the access point and connect adapters to associate them securely. WPS is subject to brute force attacks against the PIN used to secure it, making the network vulnerable to attack.

Which of the following is the LEAST secure wireless security and encryption protocol?

WEP OBJ-2.2: Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications that was designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access version 3 (WPA3) has replaced WPA2 as the most secure wireless encryption method. WPA3 uses the simultaneous authentication of equals (SAE) to increase the security of preshared keys. WPA3 provides the enhanced open mode that encrypts transmissions from a client to the access point when using an open network. WPA3 Enterprise mode supports the use of AES with the Galois/counter mode protocol (GCMP-256) for the highest levels of encryption.

Which of the following should be implemented to allow wireless network access for clients in the lobby using a shared password as the key?

WPA2 OBJ-2.2: Wi-Fi Protected Access 2 Pre-Shared Key, or WPA2-PSK, is a system of encryption used to authenticate users on wireless local area networks using a shared password as the key. WPA2-PSK [AES] is the recommended secure method of making sure no one can listen to your wireless data while it is being transmitted back and forth between your router and other devices on your network. A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies, not a shared password. Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network and is used in virtual private networks. A geofence is a virtual perimeter for a real-world geographic area. Geofencing does not use shared passwords to secure your network; it uses GPS coordinates or other location-based data.

You are installing a new wireless network in your office building and want to ensure it is secure. Which of the following configurations would create the MOST secure wireless network?

WPA2 and AES OBJ-2.2: The most secure wireless network configuration utilizes WPA2 with AES encryption. WPA2 is the most secure wireless encryption standard listed as an option and has replaced both WPA and WEP. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. MAC filtering is the application of an access control list to a switch or access point so that only clients with approved MAC addresses can connect.

Dion Training wants to implement a new wireless network in their offices. Which of the following types would support encryption for traffic being sent and received over the network while still allowing users to connect to the open network without a password, passphrase, or digital certificate?

WPA3 OBJ-2.2: One of the features of WPA3 (WIFI6) is Enhanced Open. Enhanced Open enables encryption for traffic being sent and received over a wireless network while still using open authentication. WEP, WPA, and WPA2 do not provide encryption of traffic sent over the network unless the network is protected by a password, passphrase, or digital certificate.

Which of the following is the MOST secure wireless security and encryption protocol?

WPA3 OBJ-2.2: Wi-Fi protected access version 3 (WPA3) has replaced WPA2 as the most secure wireless encryption method. WPA3 uses the simultaneous authentication of equals (SAE) to increase the security of preshared keys. WPA3 provides the enhanced open mode that encrypts transmissions from a client to the access point when using an open network. WPA3 Enterprise mode supports the use of AES with the Galois/counter mode protocol (GCMP-256) for the highest levels of encryption. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key.

Which of the following types of encryption is considered the most secure to utilize in a SOHO network?

WPA3 OBJ-2.2: Wi-Fi protected access version 3 (WPA3) has replaced WPA2 as the most secure wireless encryption method. WPA3 uses the simultaneous authentication of equals (SAE) to increase the security of preshared keys. WPA3 provides the enhanced open mode that encrypts transmissions from a client to the access point when using an open network. WPA3 Enterprise mode supports the use of AES with the Galois/counter mode protocol (GCMP-256) for the highest levels of encryption. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. The Wi-Fi Protected Setup (WPS) is a mechanism for auto-configuring a WLAN securely for home users. On compatible equipment, users push a button on the access point and connect adapters to associate them securely. WPS is subject to brute force attacks against the PIN used to secure it, making the network vulnerable to attack.

Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company's owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donating them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computer's hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend?

Wiping OBJ-2.8: Data wiping or clearing occurs by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media. Data wiping may be performed with 1, 7, or 35 overwriting passes, with a higher number of passes being more secure. This allows the hard drive to remain functional and allows for hardware reuse. Degaussing a hard drive involves demagnetizing a hard drive to erase its stored data. You cannot reuse a hard drive once it has been degaussed. Therefore, it is a bad solution for this scenario. Purging involves removing sensitive data from a hard drive using the device's internal electronics or an outside source such as a degausser, or by using a cryptographic erase function if the drive supports one. Shredding involves the physical destruction of the hard drive. This is a secure method of destruction but doesn't allow for device reuse.

A computer was recently infected with a piece of malware. Without any user intervention, the malware is now spreading throughout the corporate network and infecting other computers that it finds. Which type of malware MOST likely infected these computers?

Worm OBJ-2.3: A worm is a standalone malware computer program that replicates itself to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. A worm can spread on its own, whereas a virus needs a host program or user interaction to propagate itself. A virus is malicious software designed to infect computer files or disks when it is activated. A virus may be programmed to carry out other malicious actions, such as deleting files or changing system settings. A trojan is a type of malware that looks legitimate but can take control of your computer. A trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system. Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received.

A cybersecurity analyst from BigCorp contacts your company to notify them that several of your computers were seen attempting to create a denial of service condition against their servers. They believe your company has become infected with malware, and those machines were part of a larger botnet. Which of the following BEST describes your company's infected computers?

Zombie OBJ-2.4: A zombie is a computer connected to the internet that has been compromised by a hacker, computer virus, or trojan horse program and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread email spam and launch denial-of-service attacks (DoS attacks). A zero-day attack occurs when attackers exploit a software or hardware flaw and release malware before the developer has had an opportunity to create a patch for the vulnerability, hence the term zero-day. A software bug is an error, flaw, or fault in an application. This error causes the application to produce an unintended or unexpected result, such as crashing or producing invalid results.

An attacker is using a word list that contains 1 million possible passwords as they attempt to crack your Windows password. What type of password attack is this?

dictionary OBJ-2.4: A dictionary attack uses a list of common passwords to crack a user's password. These lists do not contain just dictionary words, though. For example, the word Dr@g0nBr3@+h (dragon breath) may be one such word, rewritten by substituting symbols or numbers for various letters. The dictionary file might have words like DRAGON, dragon, Dr@g0n, and many other forms. Most dictionary files contain millions of entries, and the password-cracking tool tries each one until a match is found. A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. A hybrid attack combines a dictionary list with the ability to add brute-force combinations to crack a password that is slightly different from the dictionary list entry. A rainbow table is a tool for speeding up attacks against Windows passwords by precomputing possible hashes. A rainbow table is used to authenticate users by comparing the hash value of the entered password against the one stored in the rainbow table. Using a rainbow table makes password cracking a lot faster and easier for an attacker.

A network technician is tasked with designing a firewall to improve security for an existing FTP server on the company network. The FTP server must be accessible from the Internet. The security team is concerned that the FTP server could be compromised and used to attack the domain controller hosted within the company's internal network. What is the BEST way to mitigate this risk?

migrate the FTP server from the internal network to a screened subnet OBJ-2.9: A screened subnet (formerly called a demilitarized zone or DMZ) is a perimeter network that protects an organization's internal local area network (LAN) from untrusted traffic. A screened subnet is placed between the public internet and private networks. Public servers, such as the FTP server, should be installed in a screened subnet so that additional security mitigations like a web application firewall or application-aware firewall can be used to protect them. SFTP (Secure File Transfer Protocol) is a file transfer protocol that leverages a set of utilities that provide secure access to a remote computer to deliver secure communications by leveraging a secure shell (SSH) connection to encrypt the communication between the client and the server. This will prevent an attacker from eavesdropping on the communications between the SFTP server and a client, but it will not prevent an attacker from exploiting the SFTP server itself. An implicit deny is when a user or group is not granted specific permission in the security settings of an object, but they are not explicitly denied either. This is a best practice to enable, but the FTP server would still have some open ports, such as ports 20 and 21, to operate. These ports could then be used by the attacker to connect to the FTP server and exploit it. Adding a deny rule to the firewall's ACL that blocks port 21 outbound would simply prevent internal network users and servers from accessing external FTP servers. This would in no way prevent the exploitation of the company's FTP server since it has port 21 open and listening for inbound connections.

Which of the following types of encryption should be selected on a SOHO access point if you are running a coffee shop and want all of your customers to be able to join it by default?

open OBJ-2.2: An "open" wireless network is one in which no password or encryption is being used. If you have a public hotspot, such as in a library or coffee shop, then you may wish to configure it as "open." Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption.

During a penetration test of your company's network, the assessor came across a spreadsheet with the passwords being used for several servers. Four of the passwords recovered are listed below. Which one is the weakest password and should be changed FIRST to increase the password's complexity?

pa55word OBJ-2.6: Password policies often enforce a mixture of standard character types, including uppercase letters, lowercase letters, numbers, and symbols. The option 'pa55word' is the weakest choice since it only includes lowercase letters and numbers. The option 'Pa55w0rd' is slightly more complex since it includes uppercase letters, lowercase letters, and numbers. The option 'P@$$W0RD' is also similar in complexity since it includes uppercase letters, numbers, and special characters. The most secure option is 'P@5$w0rd' since it includes a mixture of uppercase letters, lowercase letters, numbers, and special characters.

What permissions would be represented by the octal 517?

r-x--xrwx OBJ-2.6: R-X is 5, --X is 1, and RWX is 7. In Linux, you can convert letter permissions to octal by giving 4 for each R, 2 for each W, and 1 for each X. R is for read-only, W is for write, and X is for execute. The permissions strings are written to represent the owner's permissions, the group's permissions, and other users' permissions, in that order.

Dion Training is concerned with the possibility of employees accessing another user's workstation in secured areas without their permission. Which of the following would BEST be able to prevent this from happening?

require biometric identification for user log in OBJ-2.1: The BEST choice is to implement biometric identification for user logins, such as a fingerprint reader or a retina scanner. This would ensure that even if an employee could discover another employee's username and password, they would be prevented from logging into the workstation without the employee's finger or eye to scan. Enforcing short password retention can limit the possible damage when a password is disclosed, but it won't prevent a login during the valid period. Security cameras may act as a deterrent or detective control, but they cannot prevent an employee from logging into the workstation as another employee. Security cameras could be used to determine who logged in after the fact, though.
