Security Plus continuation (C review questions)


Categorize the following traffic flows as ALLOWED or BLOCKED through the firewall, using this rule chart:

Rule#  Source IP  Destination IP  Protocol  Port  Allow/Block
1      Any        10.1.10.88      TCP       22    Allow
2      Any        10.1.10.120     TCP       80    Allow
3      Any        10.1.10.120     TCP       443   Allow
4      Any        10.1.10.61      TCP       3389  Allow
5      Any        Any             UDP       53    Allow
6      Any        Any             UDP       123   Allow
7      Any        Any             ICMP      -     Block

2. ____ Share the desktop on server 10.1.10.120

2. BLOCKED Share the desktop on server 10.1.10.120 Sharing a desktop using RDP (Remote Desktop Protocol) requires the use of TCP/3389. Although rule 4 allows TCP/3389 to communicate to 10.1.10.61, the firewall rules for destination 10.1.10.120 only include TCP/80 and TCP/443.

Categorize the following traffic flow as ALLOWED or BLOCKED through the firewall, using the firewall rule chart above: 3. ____ Perform a DNS query from 10.1.10.88 to 9.9.9.9

3. ALLOWED Perform a DNS query from 10.1.10.88 to 9.9.9.9 Rule 5 allows DNS queries to run over UDP/53 from any address to any IP address.

Categorize the following traffic flow as ALLOWED or BLOCKED through the firewall, using the firewall rule chart above: 4. ____ View web pages on 10.1.10.120

4. ALLOWED View web pages on 10.1.10.120 Rule 2 allows TCP/80 traffic flows to 10.1.10.120, and rule 3 allows TCP/443 traffic to 10.1.10.120. Both of these rules would allow HTTP and HTTPS traffic to communicate to the web server at 10.1.10.120.

Categorize the following traffic flow as ALLOWED or BLOCKED through the firewall, using the firewall rule chart above: 5. ____ Authenticate to an LDAP server at 10.1.10.61

5. BLOCKED Authenticate to an LDAP server at 10.1.10.61 LDAP commonly uses TCP/389 for traffic flows, and none of the firewall rules specify this protocol. A firewall's implicit deny will block all traffic that does not match a specific rule.

Categorize the following traffic flow as ALLOWED or BLOCKED through the firewall, using the firewall rule chart above: 6. ____ Synchronize the clock on a server at 10.1.10.17

6. ALLOWED Synchronize the clock on a server at 10.1.10.17 NTP (Network Time Protocol) uses UDP/123 for time synchronization, and firewall rule 6 allows NTP traffic from any IP address to any IP address.

C18. An IT manager is leading a project to implement a global standard for a privacy information management system. Which of these standards would BEST apply to this project? ❍ A. ISO 27701 ❍ B. PCI DSS ❍ C. SSAE SOC 2 ❍ D. CSA CCM

A. ISO 27701

C3. Match the characteristic to the attack type: Phishing, Dictionary, Spoofing, Rootkit, Tailgating, DoS ______ A website stops responding to normal requests

DoS. A DoS (Denial of Service) forces a service to fail, and it usually succeeds by taking advantage of a design failure or vulnerability.

C2. Match the device to the description. Some device types will not be used: WAF, Proxy, Load Balancer, Access Point, MDM, Router, VPN concentrator, IPS _____ Evaluate the input to a browser-based application

WAF. A WAF (Web Application Firewall) examines user input to a browser-based application and allows or denies traffic based on the expected input. This is commonly used to prevent SQL injection, cross-site scripting, or similar input-related security concerns.

C52. Which of the following BEST describes a risk matrix? ❍ A. A visual summary of a risk assessment ❍ B. Identification of risk at each step of a project plan ❍ C. A list of cybersecurity requirements based on the identified risks ❍ D. Ongoing group discussions regarding cybersecurity

A. A visual summary of a risk assessment A risk matrix, or risk heat map, is often presented as a graphical chart comparing the likelihood of risk with the consequence.

C62. Which of the following malware types would cause a workstation to participate in a DoS? ❍ A. Bot ❍ B. Logic bomb ❍ C. Ransomware ❍ D. Keylogger

A. Bot A bot (robot) is malware that installs itself on a system and then waits for instructions. It's common for botnets to use thousands of bots to perform DDoS (Distributed Denial of Service) attacks.

C51. Which of the following processes merges developed code, tests for issues, and automatically moves the newly developed application to production without any human intervention? ❍ A. Continuous deployment ❍ B. Continuity of operations ❍ C. Continuous delivery ❍ D. Continuous integration

A. Continuous deployment Continuous deployment automates every aspect of deploying software.

C58. A company is receiving complaints of slowness and disconnections to their Internet-facing web server. A network administrator monitors the Internet link and finds excessive bandwidth utilization from thousands of different IP addresses. Which of the following would be the MOST likely reason for these performance issues? ❍ A. DDoS ❍ B. Wireless jamming ❍ C. MAC cloning ❍ D. Rogue access point

A. DDoS A DDoS (Distributed Denial of Service) is the failure of a service caused by many different remote devices. In this example, the DDoS is related to bandwidth exhaustion caused by excessive server requests.

C31. Sam, a user in the purchasing department, would like to send an email to Jack. Which of these would allow Jack to verify the sender of the email? ❍ A. Digitally sign it with Sam's private key ❍ B. Digitally sign it with Sam's public key ❍ C. Digitally sign it with Jack's private key ❍ D. Digitally sign it with Jack's public key

A. Digitally sign it with Sam's private key

C19. A company's security cameras have identified an unknown person walking into a fenced disposal area in the back of the building and then leaving with a box containing printed documents. Which of the following attacks is this person attempting? ❍ A. Dumpster diving ❍ B. Shoulder surfing ❍ C. Tailgating ❍ D. Phishing

A. Dumpster diving

C86. A group of business partners is using blockchain technology to monitor and track raw materials and parts as they are transferred between companies. Where would a partner find these tracking details? ❍ A. Ledger ❍ B. HSM ❍ C. SIEM ❍ D. SED

A. Ledger The ledger is a shared document with a list of all blockchain transactions. The ledger is shared among everyone in the blockchain, and all transactions are available to view on this central ledger.

C69. A security administrator is deploying a web server and needs to understand the methods an attacker could use to gain access to the system. Which of the following would be the BEST source of this information? ❍ A. MITRE ATT&CK ❍ B. Diamond model ❍ C. Tabletop exercise ❍ D. ISO 27701

A. MITRE ATT&CK The MITRE ATT&CK framework is a knowledge base that contains points of intrusion, methods used by attackers to move around, and a list of security techniques to prevent future attacks.

C44. A security administrator would like to minimize the number of certificate status checks made by web site clients to the certificate authority. Which of the following would be the BEST option for this requirement? ❍ A. OCSP stapling ❍ B. Certificate chaining ❍ C. CRL ❍ D. Certificate pinning

A. OCSP stapling

C68. A company has identified a web server data breach that resulted in the theft of financial records from 150 million customers. A security update to the company's web server software was available for two months prior to the breach. Which of the following would have prevented this breach from occurring? ❍ A. Patch management ❍ B. Full disk encryption ❍ C. Disable unnecessary services ❍ D. Application allow lists

A. Patch management This question describes an actual breach that occurred in 2017 to web servers at a large credit bureau. This breach resulted in the release of almost 150 million customer names, Social Security numbers, addresses, and birth dates. A web server vulnerability announced in March of 2017 was left unpatched, and attackers exploited the vulnerability two months later in May. The attackers were in the credit bureau network for 76 days before they were discovered. A formal patch management process would have clearly identified this vulnerability and would have given the credit bureau the opportunity to mitigate or patch the vulnerability well before it was exploited.

C61. Which of these cloud deployment models would BEST describe a company that would build a cloud for their own use and use systems and storage platforms in their data center? ❍ A. Private ❍ B. Community ❍ C. Hybrid ❍ D. Public

A. Private A private model requires that the end user purchase, install, and maintain their own application hardware and software. This model also provides a high level of security.

C20. A technology company is manufacturing a military grade radar tracking system that can instantly identify any nearby unmanned aerial vehicles (UAVs). The UAV detector must be able to instantly identify and react to a vehicle without delay. Which of the following would BEST describe this tracking system? ❍ A. RTOS ❍ B. IoT ❍ C. ICS ❍ D. MFD

A. RTOS

C89. A receptionist at a manufacturing company recently received an email from the CEO asking for a copy of the internal corporate employee directory. The receptionist replied to the email and attached a copy of the directory. It was later determined that the email was not sent from the CEO and the domain associated with the email address was not a corporate domain name. What type of training could help prevent this type of situation in the future? ❍ A. Recognizing social engineering ❍ B. Using emails for personal use ❍ C. Proper use of social media ❍ D. Understanding insider threats

A. Recognizing social engineering Impersonating the CEO is a common social engineering technique. There are many ways to recognize a social engineering attack, and it's important to train everyone to spot these situations when they are occurring.

C23. During a ransomware outbreak, an organization was forced to rebuild database servers from known good backup systems. In which of the following incident response phases were these database servers brought back online? ❍ A. Recovery ❍ B. Lessons learned ❍ C. Containment ❍ D. Identification

A. Recovery

C41. A medical imaging company would like to connect all remote locations together with high speed network links. The network connections must maintain high throughput rates and must always be available during working hours. In which of the following should these requirements be enforced with the network provider? ❍ A. Service level agreement ❍ B. Memorandum of understanding ❍ C. Non-disclosure agreement ❍ D. Acceptable use policy

A. Service level agreement

C26. An incident response team would like to validate their disaster recovery plans without making any changes to the infrastructure. Which of the following would be the best course of action? ❍ A. Tabletop exercise ❍ B. Hot site fail-over ❍ C. Simulation ❍ D. Penetration test

A. Tabletop exercise

C66. A security engineer is capturing packets on an internal company network and is documenting the IP addresses and MAC addresses associated with the local network devices. Which of these commands would provide the MAC address of the default gateway at 10.11.1.1? ❍ A. ping 10.11.1.1, then arp -a ❍ B. tracert 10.11.1.1 ❍ C. dig 10.11.1.1 ❍ D. ipconfig /all

A. ping 10.11.1.1, then arp -a The arp (Address Resolution Protocol) command can be used to view the local ARP cache. The cache contains a lookup table containing IP addresses and their associated MAC (Media Access Control) addresses. If an engineer pings a device on the local network and then views the ARP cache, they will see the MAC address that resolved during the ARP process.

Categorize the following traffic flow as ALLOWED or BLOCKED through the firewall, using the firewall rule chart above: 1. ______ Use a secure terminal to connect to 10.1.10.88

1. ALLOWED Use a secure terminal to connect to 10.1.10.88 Using a secure terminal requires SSH (Secure Shell) over TCP port 22. Rule 1 allows any IP address to connect to 10.1.10.88 over TCP/22.

C7. A system administrator is designing a data center for an insurance company's new public cloud and would like to restrict user access to sensitive data. Which of the following would provide ongoing visibility, data security, and control of cloud-based applications? ❍ A. HSM ❍ B. CASB ❍ C. 802.1X ❍ D. EDR

B. CASB

C42. A security administrator would like to encrypt all telephone communication on the corporate network. Which of the following protocols would provide this functionality? ❍ A. TLS ❍ B. SRTP ❍ C. SSH ❍ D. S/MIME

B. SRTP

C90. A company's security engineer is working on a project to simplify the employee onboarding and offboarding process. One of the project goals is to allow individuals to use their personal phones for work purposes. If the user leaves the company, the company data will be removed but the user's data would remain intact. Which of these technologies would meet this requirement? ❍ A. Policy management ❍ B. Geofencing ❍ C. Containerization ❍ D. Storage encryption

C. Containerization The storage segmentation of containerization keeps the enterprise apps and data separated from the user's personal apps and data. During the offboarding process, only the company information is deleted and the user's personal data is retained.

C65. A company would like to install an IPS to observe normal network activity and block any traffic that deviates from this baseline. Which of these IPS types would be the BEST fit for this requirement? ❍ A. Heuristic ❍ B. Anomaly-based ❍ C. Behavior-based ❍ D. Signature-based

B. Anomaly-based Anomaly-based detection will build a baseline of what it considers to be normal. Once the baseline is established, the IPS (Intrusion Prevention System) will then block any traffic that deviates from the baseline.

C32. The contract of a long-term temporary employee is ending. Which of these would be the MOST important part of the off-boarding process? ❍ A. Perform an on-demand audit of the user's privileges ❍ B. Archive the decryption keys associated with the user account ❍ C. Document the user's outstanding tasks ❍ D. Obtain a signed copy of the Acceptable Use Policies

B. Archive the decryption keys associated with the user account

C64. A network administrator is installing a series of access points in a public library. Which of the following would be the BEST way to prevent theft of his laptop while performing this work? ❍ A. Biometrics ❍ B. Cable lock ❍ C. Protected distribution ❍ D. Faraday cage

B. Cable lock A cable lock would attach the laptop to a solid object and prevent it from being moved or taken.

C45. A company is concerned their EDR solution will not be able to stop more advanced ransomware variants. Technicians have created a backup and restore utility that will get most systems up and running less than an hour after an attack. What type of security control is associated with this restore process? ❍ A. Managerial ❍ B. Compensating ❍ C. Preventive ❍ D. Detective

B. Compensating

C70. A system administrator has identified an unexpected username on a database server, and the user has been transferring database files to an external server over the company's Internet connection. The administrator then performed these tasks:
• Physically disconnected the ethernet cable on the database server
• Disabled the unknown account
• Configured a firewall rule to prevent file transfers from the server
Which of the following would BEST describe this part of the incident response process? ❍ A. Eradication ❍ B. Containment ❍ C. Lessons learned ❍ D. Preparation

B. Containment The containment phase isolates events that can quickly spread and get out of hand. A file transfer from a database server can quickly be contained by disabling any ability to continue the file transfer.

C49. What type of vulnerability would be associated with this log information?
GET http://example.com/show.asp?view=../../Windows/system.ini HTTP/1.1
❍ A. Buffer overflow ❍ B. Directory traversal ❍ C. DoS ❍ D. Cross-site scripting

B. Directory traversal

C47. A company is implementing a public file-storage and cloud-based sharing service, but does not want to build a separate authentication front-end. Instead, the company would like users to authenticate with an existing account on a trusted third-party web site. Which of the following should the company implement? ❍ A. SSO ❍ B. Federation ❍ C. Transitive trust ❍ D. X.509 certificates signed by a trusted CA

B. Federation

C72. Each salesperson in a company will receive a laptop with applications and data to support their sales efforts. The IT manager would like to prevent third parties from gaining access to this information if the laptop is stolen. Which of the following would be the BEST way to protect this data? ❍ A. Remote wipe ❍ B. Full disk encryption ❍ C. Biometrics ❍ D. BIOS user password

B. Full disk encryption With full disk encryption, everything written to the laptop's local drive is stored as encrypted data. If the laptop was stolen, the thief would not have the credentials to decrypt the drive data.

C40. A security administrator has installed a network-based DLP solution to determine if file transfers contain PII. Which of the following describes the data during the file transfer? ❍ A. In-use ❍ B. In-transit ❍ C. At-rest ❍ D. Highly available

B. In-transit

C30. A network administrator is viewing a log file from a web server:
https://www.example.com/?s=/Index/think/app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][0]=__HelloThinkPHP
Which of the following would be the BEST way to prevent this attack? ❍ A. Static code analyzer ❍ B. Input validation ❍ C. Allow list ❍ D. Secure cookies

B. Input validation

C12. A company maintains a server farm in a large data center. These servers are for internal use only and are not accessible externally. The security team has discovered that a group of servers was breached before the latest updates were applied. Breach attempts were not logged on any other servers. Which of these threat actors would be MOST likely involved in this breach? ❍ A. Competitor ❍ B. Insider ❍ C. Nation state ❍ D. Script kiddie

B. Insider

C11. The IT department of a transportation company maintains an on-site inventory of chassis-based network switch interface cards. If a failure occurs, the on-site technician can replace the interface card and have the system running again in sixty minutes. Which of the following BEST describes this recovery metric? ❍ A. MTBF ❍ B. MTTR ❍ C. RPO ❍ D. RTO

B. MTTR (Mean Time To Recover)

C39. In an environment using discretionary access controls, which of these would control the rights and permissions associated with a file or directory? ❍ A. Administrator ❍ B. Owner ❍ C. Group ❍ D. System

B. Owner

C59. A penetration tester is researching a company using information gathered from user profiles and posts on a social media site. Which of the following would describe this activity? ❍ A. Pivot ❍ B. Passive footprinting ❍ C. White box testing ❍ D. Persistence

B. Passive footprinting Passive footprinting gathers information from as many open sources as possible without performing any vulnerability checks or scans. Passive footprinting would include gathering information from social media, online forums, or social engineering.

C15. Which of the following is the process for replacing sensitive data with a non-sensitive and functional placeholder? ❍ A. Minimization ❍ B. Tokenization ❍ C. Retention ❍ D. Masking

B. Tokenization

C28. Which of these would be used to provide HA for a web-based database application? ❍ A. SIEM ❍ B. UPS ❍ C. DLP ❍ D. VPN concentrator

B. UPS

C56. An access point in a corporate headquarters office has the following configuration:
IP address: 10.1.10.1
Subnet mask: 255.255.255.0
DHCPv4 Server: Enabled
SSID: Wireless
Wireless Mode: 802.11g
Security Mode: WEP-PSK
Frequency band: 2.4 GHz
Software revision: 2.1
MAC Address:
IPv4 Firewall: Enabled
Which of the following would apply to this configuration? ❍ A. Invalid frequency band ❍ B. Weak encryption ❍ C. Incorrect IP address and subnet mask ❍ D. Invalid software version

B. Weak encryption A common issue is weak or outdated security configurations. Older encryptions such as DES and WEP should be updated to use newer and stronger encryption technologies.

C16. A security administrator has installed a new firewall to protect a web server VLAN. The application owner requires that all web server sessions communicate over an encrypted channel. Which of these rules should the security administrator include in the firewall rulebase? (Select TWO) ❍ A. Source: ANY, Destination: ANY, Protocol: TCP, Port: 23, Deny ❍ B. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Deny ❍ C. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Deny ❍ D. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow ❍ E. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Allow

C & D

C29. Each year, a certain number of laptops are lost or stolen and must be replaced by the company. Which of the following would describe the total cost the company spends each year on laptop replacements? ❍ A. SLE ❍ B. SLA ❍ C. ALE ❍ D. ARO

C. ALE

C88. A company runs two separate applications in their data center. A security administrator has been tasked with preventing all communication between these applications. Which of the following would be the BEST way to implement this security requirement? ❍ A. Firewall ❍ B. Protected distribution ❍ C. Air gap ❍ D. VLANs

C. Air gap An air gap is a physical separation between networks. Air-gapped networks are commonly used to separate networks that must never communicate with each other.

C77. An application team has been provided with a hardened version of Linux to use with a new application rollout, and they are installing a web service and the application code on the server. Which of the following would BEST protect the application from attacks? ❍ A. Build a backup server for the application ❍ B. Run the application in a cloud-based environment ❍ C. Implement a secure configuration of the web service ❍ D. Send application logs to the SIEM via syslog

C. Implement a secure configuration of the web service The tech support resources for many services will include a list of hardening recommendations. This hardening may include account restrictions, file permission settings, internal service configuration options, and other settings to ensure that the service is as secure as possible.

C53. A security administrator would like to implement an authentication system that uses cryptographic tickets to validate users. Which of the following would provide this functionality? ❍ A. RADIUS ❍ B. LDAP ❍ C. Kerberos ❍ D. TACACS

C. Kerberos Kerberos is a network authentication protocol that provides single sign-on and mutual authentication using cryptographic "tickets" for the behind-the-scenes authentication process.

C63. Which of these are used to force the preservation of data for later use in court? ❍ A. Chain of custody ❍ B. Data loss prevention ❍ C. Legal hold ❍ D. Order of volatility

C. Legal hold A legal hold is a legal technique to preserve relevant information. This process will ensure the data remains accessible for any legal preparation that occurs prior to litigation.

C76. Which of the following would be the MOST significant security concern when protecting against criminal syndicates? ❍ A. Prevent users from posting passwords near their workstations ❍ B. Require identification cards for all employees and guests ❍ C. Maintain reliable backup data ❍ D. Use access control vestibules at all data center locations

C. Maintain reliable backup data Organized crime is often after data, and can sometimes encrypt or delete data on a service. A good set of backups can often resolve these issues quickly and without any ransomware payments to an organized crime entity.

C75. A set of corporate security policies is what kind of security control? ❍ A. Compensating ❍ B. Detective ❍ C. Managerial ❍ D. Physical

C. Managerial A managerial control is a guideline that would control how people act, such as security policies and standard operating procedures.

C57. An application does not properly release unused memory, and eventually, it grows so large that it uses all available memory. Which of the following would describe this issue? ❍ A. Integer overflow ❍ B. NULL pointer dereference ❍ C. Memory leak ❍ D. Data injection

C. Memory leak A memory leak is when a poorly written application allocates memory for use by the application, but then does not release that memory after it is no longer needed. If the application runs on a system for an extended period of time, this memory leak can grow so large that it eventually uses all available memory and crashes the operating system.

C48. A system administrator is viewing this output from Microsoft's System File Checker:
15:43:01 - Repairing corrupted file C:\Windows\System32\kernel32.dll
15:43:03 - Repairing corrupted file C:\Windows\System32\netapi32.dll
15:43:07 - Repairing corrupted file C:\Windows\System32\user32.dll
15:43:43 - Repair complete
Which of the following malware types is the MOST likely cause of this output? ❍ A. RAT ❍ B. Logic bomb ❍ C. Rootkit ❍ D. Bot

C. Rootkit

C37. A company is implementing a series of automated processes when responding to a security event. Which of the following would provide a linear checklist of steps to perform? ❍ A. MDM ❍ B. DLP ❍ C. Runbook ❍ D. Zero trust

C. Runbook

C50. A developer has created an application that will store password information in a database. Which of the following BEST describes a way of protecting these credentials by adding random data to the password? ❍ A. Hashing ❍ B. PFS ❍ C. Salting ❍ D. Asymmetric encryption

C. Salting Passwords are often stored as hashes, but the hashes themselves are often subject to brute force or rainbow table attacks. It's common to add some additional random data (a salt) to a password before the hashing process. This ensures that each password is truly random when stored, and it makes it more difficult for an attacker to discover all of the stored passwords.

C36. A server administrator is building a new web server and needs to provide operating system access to the web server executable. Which of the following account types should be configured? ❍ A. User ❍ B. Privileged ❍ C. Service ❍ D. Guest

C. Service

C22. A security administrator is concerned that a user may have installed a rogue access point on the corporate network. Which of the following could be used to confirm this suspicion? ❍ A. UTM log ❍ B. WAF log ❍ C. Switch log ❍ D. DLP log

C. Switch log

C9. A security administrator has identified an internally developed application that allows users to modify SQL queries through a web-based front-end. To prevent this modification, the administrator has recommended that all queries be completely removed from the application front-end and placed onto the back-end of the application server. Which of the following would describe this implementation? ❍ A. Input validation ❍ B. Code signing ❍ C. Stored procedures ❍ D. Obfuscation

C. Stored procedures

C13. An organization has contracted with a third-party to perform a vulnerability scan of their Internet-facing web servers. The report shows that the web servers have multiple Sun Java Runtime Environment (JRE) vulnerabilities, but the server administrator has verified that JRE is not installed. Which of the following would be the BEST way to handle this report? ❍ A. Install the latest version of JRE on the server ❍ B. Quarantine the server and scan for malware ❍ C. Harden the operating system of the web server ❍ D. Ignore the JRE vulnerability alert

D. Ignore the JRE vulnerability alert

C6. A finance company is legally required to maintain seven years of tax records for all of their customers. Which of the following would be the BEST way to implement this requirement? ❍ A. Create an automated script to remove all tax information more than seven years old ❍ B. Print and store all tax records in a seven-year cycle ❍ C. Allow users to download tax records from their account login ❍ D. Create a separate daily backup archive for all applicable tax records

D. Create a separate daily backup archive for all applicable tax records

C8. A device is exhibiting intermittent connectivity when viewing remote web sites. A security administrator views the local device ARP table:
Internet Address   Physical Address
192.168.1.1        60:3d:26:69:71:fc
192.168.1.101      e2:c3:53:79:4c:51
192.168.1.102      7a:3b:8f:21:86:57
192.168.1.103      60:3d:26:69:71:fc
192.168.1.104      00:80:92:c7:c8:49
192.168.1.105      d0:81:7a:d3:f0:d5
Which of the following would be the MOST likely explanation of this connectivity issue? ❍ A. DDoS ❍ B. Wireless disassociation ❍ C. Rogue access point ❍ D. ARP poisoning

D. ARP poisoning

C55. A company has contracted with a third party to provide penetration testing services. The service includes a port scan of each externally-facing device. This is an example of: ❍ A. Initial exploitation ❍ B. Escalation of privilege ❍ C. Pivot ❍ D. Active footprinting

D. Active footprinting Active footprinting sends traffic across the network that can be viewed and/or logged. Performing a port scan will send network traffic to a server, and most port scan attempts can be identified and logged by an IPS.

C21. A private company uses an SSL proxy to examine the contents of an encrypted application during transmission. How could the application developers prevent the use of this proxy examination in the future? ❍ A. OCSP stapling ❍ B. Offline CAs ❍ C. Certificate chaining ❍ D. Certificate pinning

D. Certificate pinning

C46. To upgrade an internal application, the development team provides the operations team with a patch and instructions for backing up, patching, and reverting the patch if needed. The operations team schedules a date for the upgrade, informs the business divisions, and tests the upgrade process after completion. Which of the following describes this process? ❍ A. Agile ❍ B. Continuity planning ❍ C. Usage auditing ❍ D. Change management

D. Change management

C87. A network technician at a bank has noticed a significant decrease in traffic to the bank's public website. After additional investigation, the technician finds that users are being directed to a website that looks similar to the bank's site but is not under the bank's control. Flushing the local DNS cache and changing the DNS entry does not have any effect. Which of the following has most likely occurred? ❍ A. DDoS ❍ B. Disassociation attack ❍ C. Evil twin ❍ D. Domain hijacking

D. Domain hijacking A domain hijacking will modify the primary DNS (Domain Name System) settings for a domain and will allow an attacker to direct users to any IP address.

C10. A system administrator is implementing a fingerprint scanner to provide access to the data center. Which of these metrics should be kept at a minimum in order to prevent unauthorized persons from accessing the data center? ❍ A. TOTP ❍ B. FRR ❍ C. HOTP ❍ D. FAR

D. FAR

C73. During sales meetings, visitors often require an Internet connection for demonstrations. Which of the following should the company implement to maintain the security of the internal network resources? O A. NAT O B. Ad hoc wireless workstations O C. Intranet O l). Guest network with captive portal

D. Guest network with captive portal A guest network would allow access to the Internet but prevent any access to the internal network. The captive portal would prompt each guest for authentication or to agree to terms of use before granting access to the network.

C35. A security administrator is researching the methods used by attackers to gain access to web servers. Which of the following would provide additional information about these techniques? ❍ A. IPS ❍ B. Hashing ❍ C. Obfuscation ❍ D. Honeypot

D. Honeypot

C33. Daniel, a cybersecurity analyst, has been asked to respond to a denial of service attack against a web server. Daniel first collects information in the ARP cache, then a copy of the server's temporary file system, and finally system logs from the web server. What part of the forensics gathering process did Daniel follow? ❍ A. Chain of custody ❍ B. Data hashing ❍ C. Legal hold ❍ D. Order of volatility

D. Order of volatility

C71. Which of the following would be the MOST effective use of asymmetric encryption? O A. Real-time video encryption O B. Store passwords O C. Protect data on mobile devices O D. Securely derive a session key

D. Securely derive a session key The Diffie-Hellman process can combine public and private keys to derive the same session key on both sides of a conversation without sending that session key across the network.

C17. Which of these would be used to provide multi-factor authentication? ❍ A. USB-connected storage drive with FDE ❍ B. Employee policy manual ❍ C. Null-modem serial cable ❍ D. Smart card with picture ID

D. Smart card with picture ID

C54. Richard is reviewing this information from an IPS log:
MAIN_IPS: 22June2019 09:02:50 reject 10.1.111.7
Alert: HTTP suspicious WebDAV OPTIONS Method request; HOST: Server
Severity: medium; Performance Impact: 3; Category: info-leak; Packet capture: disable
Proto: tcp; dst: 192.168.11.1; src: 10.1.111.7
Which of the following can be associated with this log information? (Select TWO) ❍ A. The attacker sent a non-authenticated BGP packet to trigger the IPS ❍ B. The source of the attack is 192.168.11.1 ❍ C. The event was logged but no packets were dropped ❍ D. The source of the attack is 10.1.111.7 ❍ E. The attacker sent an unusual HTTP packet to trigger the IPS

D. The source of the attack is 10.1.111.7 and E. The attacker sent an unusual HTTP packet to trigger the IPS The second line of the IPS log shows the type of alert, and this record indicates that a suspicious HTTP packet was sent. The last line of the IPS log shows the protocol, destination, and source IP address information. The source IP address is 10.1.111.7.

C14. A user downloaded and installed a utility for compressing and decompressing files. Immediately after installing the utility, the user's overall workstation performance degraded, and it now takes twice as much time to perform any tasks on the computer. Which of the following is the BEST description of this malware infection? ❍ A. Ransomware ❍ B. Adware ❍ C. Logic bomb ❍ D. Trojan

D. Trojan

C43. A security administrator is preparing a phishing email that will be sent to employees as part of a periodic security test. The email is spoofed to appear as an unknown third-party and asks employees to immediately click a link or their state licensing will be revoked. Which of these social engineering principles are used by this email? ❍ A. Familiarity ❍ B. Social Proof ❍ C. Authority ❍ D. Urgency

D. Urgency

C34. An attacker was able to download ten thousand company employee login credentials containing usernames and hashed passwords. Less than an hour later, a list containing all ten thousand usernames and passwords in plain text were posted to an online file storage repository. Which of the following would BEST describe how this attacker was able to post this information? ❍ A. Improper certificate management ❍ B. Phishing ❍ C. Untrained users ❍ D. Weak cipher suite

D. Weak cipher suite

C67. A network administrator needs to identify all inbound connections to a Linux web server. Which of the following utilities would be the BEST choice for this task? O A. netcat O B. nmap O C. net view O D. netstat

D. netstat The netstat command can view inbound and outbound statistics for all connections to a device.

C3. Match the characteristics to the attacker type: Phishing, Dictionary, Spoofing, Rootkit, Tailgating, DoS _____ A list of common passwords is attempted with a known username

Dictionary - Attackers will use a list of common passwords when reverse engineering authentication credentials. These passwords are stored in a list called a "dictionary".

C60. A system administrator is configuring an IPsec VPN to a remote location and would like to ensure that the VPN provides confidentiality for both the original IP header and the data. Which of the following should be configured on the VPN? O A. ECB O B. AH O C. PEAP O D. HMAC O E. ESP

E. ESP ESP (Encapsulation Security Payload) encrypts the data in the IP packet. In IPsec (Internet Protocol Security) transport mode, the IP header is not encrypted and is used for routing. In tunnel mode, both the original IP header and data are encrypted and encapsulated within a separate IP header.

C2. Match the device to the description. Some device types will not be used: WAF, Proxy, Load balancer, Access Point, MDM, Router, VPN concentrator, IPS ______ Block SQL injection over an Internet connection

IPS An IPS (Intrusion Prevention System) monitors network traffic for exploit attempts such as buffer overflows, cross-site scripting, SQL injections, or other known exploits. If an exploit attempt is identified in the traffic flow, the IPS will block the traffic and prevent the attack.

C2. Match the device to the description. Some device types will not be used: WAF, Proxy, Load balancer, Access Point, MDM, Router, VPN concentrator, IPS ______ Configure a group of redundant web servers

Load balancer - Configure a group of redundant web servers Load balancers distribute traffic loads between servers. This allows an organization to build large-scale implementations of server farms to provide scalability and fault tolerance. If one of the servers on a load balancer were to fail, the other servers will balance the additional load to prevent any downtime.

C2. Match the device to the description. Some device types will not be used: WAF, Proxy, Load balancer, Access Point, MDM, Router, VPN concentrator, IPS ______ Intercept all browser requests and cache the results

Proxy - Intercept all browser requests and cache the results Proxies are commonly installed between the users and the external network. The proxy will intercept the user requests and make the requests on their behalf. The proxy will provide access control, content scanning, and caching of web site traffic.

C3. Match the characteristics to the attacker type: Phishing, Dictionary, Spoofing, Rootkit, Tailgating, DoS _____ The malware is designed to remain hidden on a computer system

Rootkit - Malware installed as a rootkit often modifies core system files to help it remain invisible on the infected system.

C2. Match the device to the description. Some device types will not be used: WAF, Proxy, Load balancer, Access Point, MDM, Router, VPN concentrator, IPS ______ Forward packets between separate VLANs

Router - Forward packets between separate VLANs Routers forward traffic between separate IP subnets or VLANs, and use the destination IP address to determine which interface on the router will be used as the next hop to the end destination.

C3. Match the characteristics to the attacker type: Phishing, Dictionary, Spoofing, Rootkit, Tailgating, DoS _____ IP addresses are cloned to gain access without authenticating

Spoofing - One common method of attacking a network is for the attacker to make their system appear to be a trusted system. An attacker will spoof email addresses, IP addresses, caller ID numbers, and other identifiers to attempt to gain access to systems or information.

C83. A company is contracting with a third party to find vulnerabilities that employees could possibly exploit on the company's internal networks. Which of the following would be the BEST way for the third-party to meet this requirement? O A. Run a credentialed vulnerability scan O B. Capture packets of the application traffic flow from the internal network O C. Identify an exploit and perform a privilege escalation O D. Scan the network during normal working hours

The Answer: A. Run a credentialed vulnerability scan A credentialed scan would provide login access and allow the scan to run

C81. A security administrator would like to use employee-owned mobile phones to unlock the door of the data center using a sensor on the wall. The users would authenticate on their phones with a fingerprint before the door would unlock. Which of the following features should the administrator use? (Select TWO) A. NFC B. Remote wipe C. Containerization D. Biometrics E. Push notification

The Answer: A. NFC and D. Biometrics The wall sensor will be activated with the phone's NFC (Near-field Communication) electronics and would authenticate using the biometric fingerprint reader on the phone.

C85. An attacker has circumvented a web-based application to send commands directly to a database. Which of the following would describe this attack type? O A. Session hijack O B. SQL injection O C. Cross-site scripting O D. On-path

The Answer: B. SQL injection A SQL (Structured Query Language) injection takes advantage of poorly written web applications. These web applications do not properly restrict the user input, and the resulting attack bypasses the application and "injects" SQL commands directly into the database itself.

C79. A company is building a broad set of conditional steps to follow when investigating a data breach. Which of the following would BEST describe these steps? O A. Managerial controls O B. DAC O C. Playbook O D. Order of volatility

The Answer: C. Playbook A playbook describes a broad set of steps to follow to manage a security event. For example, a playbook might describe the processes to follow when investigating a data breach or when recovering from a ransomware attack.

C78. A system administrator has configured MAC filtering on the corporate access point, but access logs show that unauthorized users are accessing the network. The administrator has confirmed that the address filter includes only authorized MAC addresses. Which of the following should the administrator configure to prevent this unauthorized use? O A. Enable WPA3 encryption O B. Remove unauthorized MAC addresses from the filter O C. Modify the SSID name O D. Modify the channel

The Answer: A. Enable WPA3 encryption A MAC (Media Access Control) address can be spoofed on a remote device, which means anyone within the vicinity of the access point can view legitimate MAC addresses and spoof them to avoid the MAC filter. To ensure proper authentication, the system administrator can enable WPA3 (Wi-Fi Protected Access version 3) with a shared key, or configure 802.1X to integrate with an existing authentication database.

C80. During an initial network connection, a supplicant communicates to an authenticator, which then sends an authentication request to an Active Directory database. Which of the following would BEST describe this authentication technology? O A. Federation O B. AES O C. 802.1X O D. PKI

The Answer: C. 802.1X IEEE 802.1X is a standard for port-based network access control (NAC). When 802.1X is enabled, devices connecting to the network do not gain access until they provide the correct authentication credentials. The 802.1X standard refers to the client as the supplicant, the switch is commonly configured as the authenticator, and the back-end authentication server is a centralized user database such as Active Directory.

C74. A company's web server has been infected with malware, and the security administrator has contained the system and would like to create a bit-by-bit image of the server storage drive. Which of the following would be the BEST choice for this task? O A. Memdump O B. chmod O C. dd O D. tcpdump

The Answer: C. dd The Linux dd command is commonly used to create an image of a partition or disk.

C84. A company has recently moved from one accounting system to another, and the new system includes integration with many other divisions of the organization. Which of the following would ensure that the correct access has been provided to the proper employees in each division? O A. Location-based policies O B. On-boarding process O C. Account deprovisioning O D. Permission and usage audit

The Answer: D. Permission and usage audit A permission and usage audit will verify that all users have the correct permissions and that all users meet the practice of least privilege.

C82. Visitors to a corporate data center must enter through the main doors of the building. Which of the following security controls would be the BEST choice to successfully guide people to the front door? (Select TWO) O A. Cable locks O B. Bollards O C. Biometrics O D. Fencing O E. Industrial camouflage O F. Video surveillance

The Answers: B. Bollards and D. Fencing Both bollards and fencing provide physical security controls that can direct people through an area by limiting their access to other areas.

C38. A transportation company maintains a scheduling application and a database in a virtualized cloud-based environment. Which of the following would be the BEST way to backup these services? ❍ A. Full ❍ B. Snapshot ❍ C. Differential ❍ D. Incremental

B. Snapshot

C27. A system administrator has installed a new firewall between the corporate user network and the data center network. When the firewall is turned on with the default settings, users complain that the application in the data center is no longer working. Which of the following would be the BEST way to correct this application issue? ❍ A. Create a single firewall rule with an explicit deny ❍ B. Build a separate VLAN for the application ❍ C. Create firewall rules that match the application traffic flow ❍ D. Disable spanning tree protocol

C. Create firewall rules that match the application traffic flow

C24. Which of the following cloud deployments would include CPU, storage, and networking, but not include any operating system or application? ❍ A. SaaS ❍ B. DaaS ❍ C. IaaS ❍ D. PaaS

C. IaaS

C25. A network IPS has created this log entry:
Frame 4: 937 bytes on wire (7496 bits), 937 bytes captured
Ethernet II, Src: HewlettP_82:d8:31, Dst: Cisco_a1:b0:d1
Internet Protocol Version 4, Src: 172.16.22.7, Dst: 10.8.122.244
Transmission Control Protocol, Src Port: 3863, Dst Port: 1433
Application Data: SELECT * FROM users WHERE username='x' or 'x'='x' AND password='x' or 'x'='x'
Which of the following would describe this log entry? ❍ A. Phishing ❍ B. Brute force ❍ C. SQL injection ❍ D. Cross-site scripting

C. SQL injection
