Security+ Practice Exam
(Sample Simulation - On the real exam for this type of question, you might receive a list of attack vectors and targets. Based on these, you would select the type of attack that occurred.) (1) An attacker has been collecting credit card details by calling victims and using false pretexts to trick them. (2) An attacker sends out to 100,000 random email addresses. In the email the attacker sent, it claims that "Your Bank of America account is locked out. Please click here to reset your passwor
(1) Vishing and (2) Phishing Vishing uses a phone call to conduct information gathering and phishing type of actions.
A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output: Which of the following statements is true based on this output? - 10.0.19.121 is under attack from a host at 11.154.12.121 - 10.0.19.121 is a client that is accessing an SSH server over port 52497 - 11.154.12.121 is a client that is accessing an SSH server over port 52497 - 11.154.12.121 is under attack from a host at 10.0.19.121
10.0.19.121 is a client that is accessing an SSH server over port 52497 This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) runs an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is no evidence of an attack against either the server or the client based on this output since we can only see the headers and not the content being sent between the client and server.
Review the network diagram provided. Which of the following ACL entries should be added to the firewall to allow only the Human Resources (HR) computer to have SMB access to the file server (Files)?(Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.) - 172.16.1.12/24, 192.168.1.3/24, 445, TCP, ALLOW - 172.16.1.3, 192.168.1.12, ANY, TCP, ALLOW - 172.16.1.3,
172.16.1.3, 192.168.1.12, 445, TCP, ALLOW The ACL should be created with 172.16.1.3 as the Source IP, 192.168.1.12 as the Destination IP, 445 as the port number operating over TCP, and the ALLOW condition set.
You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack's target? - 3389 - 443 - 389 - 21
433 Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS).
Using the image provided, place the port numbers in the correct order with their associated protocols. - 69, 25, 80, 53 - 80, 53, 69, 25 - 53, 69, 25, 80 - 25, 80, 53, 69
69, 25, 80, 53 The Trivial File Transfer Protocol (TFTP) uses port 69. The Simple Mail Transfer Protocol (SMTP) uses port 25. The Hypertext Transfer Protocol (HTTP) uses port 80. The Domain Name Service (DNS) protocol uses port 53.
You are reviewing a rule within your organization's IDS. You see the following output: Based on this rule, which of the following malicious packets would this IDS alert on? - A malicious inbound TCP packet - Any malicious inbound packets - Any malicious outbound packets - A malicious outbound TCP packet
A malicious inbound TCP packet The rule header is set to alert only on TCP packets based on this IDS rule's first line. The flow condition is set as "to_client, established," which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule.
Which of the following cryptographic algorithms is classified as symmetric? - RSA - AES - Diffie-Hellman - ECC
AES The Advanced Encryption Standard (AES) is a symmetric-key algorithm for encrypting digital data. It was established as an electronic data encryption standard by NIST in 2001. AES can use a 128-bit, 192-bit, or 256-bit key, and uses a 128-bit block size.
You are in the kitchen cooking dinner while your spouse is in the other room watching the news on the television. The top story is about how hackers have been able to gain access to one of the state's election systems and tamper with the results. Unfortunately, you only heard a fraction of the story, but your spouse knows that you have been learning about hackers in your Security+ course and asks you, "Which type of hacker do you think would be able to do this?" - Hacktivists - Organized c
APTs APTs are highly organized, well-funded, and often part of a nation state's larger foreign policy and influence campaigns.
After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company's network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company's information security team. How would you best classify this threat? - Advan
Advanced persistent threat (APT) An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. An APT attack intends to steal data rather than to cause damage to the network or organization. An APT refers to an adversary's ongoing ability to compromise network security, obtain and maintain access, and use various tools and techniques. They are often supported and funded by nation-states or work directly for a nation-states' government.
What tool is used to collect wireless packet data? - Aircrack-ng - John the Ripper - Netcat - Nessus
Aircrack-ng Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file.
What information should be recorded on a chain of custody form during a forensic investigation? - The list of individuals who made contact with files leading to the investigation - Any individual who worked with evidence during the investigation - The list of former owners/operators of the workstation involved in the investigation - The law enforcement agent who was first on the scene
Any individual who worked with evidence during the investigation Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence.
Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company's computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement? - Application whitelist - Disable removable media - Application blacklist - Application hardening
Application blacklist
You have just walked up to the bank teller and requested to withdraw $100 from checking account #7654123 (your account). The teller asks for your name and driver's license before conducting this transaction. After she looks at your driver's license, she thanks you for your business, pulls out $100 from the cash drawer, and hands you back the license and the $100 bill. What category best describes what the bank teller just did? - Accounting - Authorization - Authentication - Availability
Authentication
Which mobile device strategy is most likely to result in the introduction of vulnerable devices to a corporate network? - COPE - CYOD - BYOD - MDM
BYOD
Which mobile device strategy is most likely to introduce vulnerable devices to a corporate network? - MDM - CYOD - COPE - BYOD
BYOD The BYOD (bring your own device) strategy opens a network to many vulnerabilities. People can bring their personal devices to the corporate network, and their devices may contain vulnerabilities that could be allowed to roam free on a corporate network.
Your smartphone begins to receive unsolicited messages while you are eating lunch at the restaurant across the street from your office. What might cause this to occur? - Packet sniffing - Bluesnarfing - Bluejacking - Geotagging
Bluejacking
Your company's Security Operations Center (SOC) is currently detecting an ongoing DDoS attack against your network's file server. One of the cybersecurity analysts has identified forty internal workstations on the network that are conducting the attack against your network's file server. The cybersecurity analyst believes these internal workstations are infected with malware and places them into a quarantined area of the network. The analyst then submits a service desk ticket to have the worksta
Botnet
A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output: What type of attack was most likely being attempted by the attacker? - Credential stuffing - Brute force - Impersonation - Password spraying - Explanation
Brute force This is an example of a brute force attack. Unlike password spraying that focuses on attempting only one or two passwords per user, a brute force attack focuses on trying multiple passwords for a single user. The goal of this attack is to crack the user's password and gain access to their account. Password spraying, instead, refers to the attack method that takes a large number of usernames and loops them with a single password.
Dion Training has set up a lab consisting of 12 laptops for students to use outside of normal classroom hours. The instructor is worried that a student may try to steal one of the laptops. Which of the following physical security measures should be used to ensure the laptop is not stolen or moved out of the lab environment? - Biometric locks - Cable locks - Key fob - USB lock
Cable locks The Kensington lock is a small hole found on almost every portable computer or laptop made after 2000. It allows a cable lock to be attached to a portable computer or laptop to lock it to a desk and prevent theft. These locks often use a combination lock or padlock type of locking system. These locks do not affect the user's ability to use the laptop or device. It only prevents them from moving the laptop from the area.
(Sample Simulation - On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company's network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analy
Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won't affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server's hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.
What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes? - Degauss - Clear - Purge - Destroy Explanation
Clear Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings.
Following a root cause analysis of the unexpected failure of an edge router, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue? - Increase network vulnerability scan frequency - Ensure all anti-virus signatures are up to date - Conduct secure supply chain management training
Conduct secure supply chain management training
Following a root cause analysis of an edge router's unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue? - Conduct secure supply chain management training - Verify that all routers are patched to the latest release - Increase network vulnerability scan freq
Conduct secure supply chain management training Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization's supply chain.
A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this? - Conduct tokenization of the PHI data before ingesting it into the big data application - Use DevSecOps to build the application that processes the PHI - Utilize a SaaS model to process the PHI data instead of an on-premise solution - Util
Conduct tokenization of the PHI data before ingesting it into the big data application The university should utilize a tokenization approach to prevent an inadvertent release of the PHI data. In a tokenization approach, all or part of data in a field is replaced with a randomly generated token. That token is then stored with the original value on a token server or token vault, separate from the production database. This is an example of a deidentification control and should be used since the personally identifiable medical data is not needed to be retained after ingesting it for the research project; only the medical data itself is needed.
You are at the doctor's office and waiting for the physician to enter the room to examine you. You look across the room and see a pile of patient records on the physician's desk. There is no one in the room and your curiosity has gotten the better of you, so you walk across the room and start reading through the other patient records on the desk. Which tenent of security have you just violated? - Authentication - Confidentiality - Integrity - Availability
Confidentiality
Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica that is sold in the general marketplace? - Recycling - Capitalism - Counterfeiting - Entrepreneurship
Counterfeiting
Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation? - Encrypt the image file to ensure it maintains data integrity - Encrypt the source drive to ensure an attacker cannot modify its contents - Create a hash digest of the source drive and the image file to ensure they match - Digitally sign the image file to provide non-repudiation of the collection
Create a hash digest of the source drive and the image file to ensure they match The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from it. When comparing hash values, you need to use the same algorithm used to create the reference value.
Review the following packet captured at your NIDS: After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host? - DENY TCP ANY HOST 71.168.10.45 EQ 3389 - DENY IP HOST 86.18.10.3 EQ 3389 - DENY IP HOST 71.168.10.45 ANY EQ 25 - DENY TCP ANY HOST 86.18.10.3 EQ 25
DENY TCP ANY HOST 71.168.10.45 EQ 3389 Since the question asks you to prevent unauthorized service access, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the Remote Desktop Protocol service that is unauthorized (port 3389).
Which of the following cryptographic algorithms is classified as symmetric? - DSA - DES - ECC - GPG
DES The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for applications, it was the standard used from 1977 until the early 2000s. GPG, ECC, and DSA are all asymmetric algorithms.
Your company recently suffered a small data breach that was caused by an employee emailing themselves a copy of the current customer's names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data? - Firewall - MDM - DLP - Strong passwords
DLP
Your organization requires the use of TLS or IPsec for all communications with an organization's network. Which of the following is this an example of? - Data in transit - Data in use - Data at rest - DLP
Data in transit Data in transit (or data in motion) occurs whenever data is transmitted over a network. Examples of types of data in transit include website traffic, remote access traffic, data being synchronized between cloud repositories, and more. In this state, data can be protected by a transport encryption protocol, such as TLS or IPsec.
When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training? - Data masking - Data minimization - Tokenization - Anonymization
Data minimization Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Since we only need your name and email to deliver the voucher and your credit card to receive payment for the voucher, we do not collect any additional information, such as your home address or phone number.
Dion Training is currently undergoing an audit of its information systems. The auditor wants to understand better how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview? - Data steward - Data controller - Data owner - Data protection officer
Data protection officer The primary role of the data protection officer (DPO) is to ensure that her organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.
A user reports that every time they try to access https://www.diontraining.com, they receive an error stating "Invalid or Expired Security Certificate". The technician attempts to connect to the same site from other computers on the network, and no errors or issues are observed. Which of the following settings needs to be changed on the user's workstation to fix the "Invalid or Expired Security Certificate" error? - Logon times - Date and time - User access control - UEFI boot mode
Date and time
Your organization has recently suffered a data breach due to a server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement? - Create a new security group - Utilize the key escrow process - Deploy a new group policy - Revoke the digital certificate
Deploy a new group policy A group policy is used to manage Windows systems in a Windows network domain environment utilizing a Group Policy Object (GPO). GPOs can include many settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings. You can force a reset of the default administrator account password by using a group policy update.
Dion Training's offices utilize an open concept floor plan. They are concerned that a visitor might attempt to steal an external hard drive and carry it out of the building. To mitigate this risk, the security department has recommended installing security cameras clearly visible to both employees and visitors. What type of security control do these cameras represent? - Administrative - Corrective - Compensating - Deterrent
Deterrent A deterrent control is designed to discourage the violation of a security policy. Since the cameras are clearly visible, they are acting as a deterrent control.
Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain? - Lockheed Martin cyber kill chain - MITRE ATT&CK framework - Diamond Model of Intrusion Analysis - OpenIOC
Diamond Model of Intrusion Analysis The Diamond Model provides an excellent methodology for communicating cyber events and allowing analysts to derive mitigation strategies implicitly. The Diamond Model is constructed around a graphical representation of an attacker's behavior.
A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? - Classification - Exact data match - Statistical matching - Document matching
Exact data match An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches.
Using the image provided, select four security features that you should use to best protect your servers in the data center. This can include physical, logical, or administrative protections. - Antivirus, Mantrap, Cable Lock, GPS Tracking - GPS Tracking, Biometrics, Proximity Badges, Remote Wipe - Strong Passwords, Biometrics, Mantrap, Cable Lock - FM-200, Biometric Locks, Mantrap, Antivirus
FM-200, Biometric Locks, Mantrap, Antivirus FM-200 is a fire extinguishing system commonly used in data centers and server rooms to protect the servers from fire. Biometric locks are often used in high-security areas as a lock on the access door. Additionally, biometric authentication could be used for a server by using a USB fingerprint reader. Mantraps often are used as part of securing a data center as well. This area creates a boundary between a lower security area (such as the offices) and the higher security area (the server room). Antivirus should be installed on servers since they can use signature-based scans to ensure files are safe before being executed.
Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence? - Memdump - dd - Autopsy - FTK Imager
FTK Imager FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including copying the slack, unallocated, and free space on a given drive.
Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks? - Output encoding - File inclusions - Faulty input validation - Directory traversals
Faulty input validation A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks.
You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program? - HIPAA - GLBA - FERPA - SOX
GLBA The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.
Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across a large number of devices? - Patch management - GPO - HIPS - Anti-malware
GPO
Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected? - HIPAA - GLBA - COSO - SOX
HIPAA The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be followed in the United States.
What should administrators perform to reduce the attack surface of a system and to remove unnecessary software, services, and insecure configuration settings? - Harvesting - Windowing - Hardening - Stealthing
Hardening
What should administrators perform to reduce a system's attack surface and remove unnecessary software, services, and insecure configuration settings? - Stealthing - Windowing - Harvesting - Hardening
Hardening Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, removing unnecessary software, unnecessary usernames or logins, and disabling or removing unnecessary services.
You are installing Windows 2019 on a rack-mounted server and hosting multiple virtual machines within the physical server. You just finished the installation and now want to begin creating and provisioning the virtual machines. Which of the following should you utilize to allow you to create and provision virtual machines? - Device manager - Terminal services - Disk management - Hypervisor
Hypervisor A hypervisor, also known as a virtual machine monitor, is a process that creates and runs virtual machines (VMs). A hypervisor allows one host computer to support multiple guest VMs by virtually sharing its resources, like memory and processing.
You are trying to select the best device to install in order to detect an outside attacker who is trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select? - Proxy server - Authentication server - IPS - IDS
IDS
You are trying to select the best device to install to proactively stop outside attackers from reaching your internal network. Which of the following devices would be the BEST for you to select? - IPS - IDS - Syslog server - Proxy server
IPS An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents, and capturing information about them. An IPS can block malicious network traffic, unlike an IDS, which can only log them
Which role validates the user's identity when using SAML for authentication? - IdP - RP - User agent - SP
IdP The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes.
During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft's regular patch. Which of the following options would be best to ensure the system remains protected and are compliant with the rules outlined by the PCI DSS? - Identify, implement, and document compensating controls
Identify, implement, and document compensating controls Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk.
Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if any of the Dion Training employees use the same Ethernet port in the conference room, they should access Dion Training's secure internal network. Which of the
Implement NAC Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets and provide them with access to the secure internal network. NAC could also determine unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them on a guest network or VLAN.
A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? - Require
Implement a jumpbox system A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them.
Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? - VP
Implement an allow list By implementing an allow list of the authorized IP addresses for the five largest vendors, they will be the only ones who can access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the scenario's description, it appears like the system is under some form of denial of service attack. Still, by implementing an allow list at the edge of the network and sinkholing any traffic from IP addresses that are not allow listed, the server will no longer be overwhelmed or perform slowly to respond to legitimate requests.
Julie was just hired to conduct a security assessment of Dion Training's security policies. During her assessment, she noticed that many users were sharing group accounts to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company? - More efficient baseline management - Increase password security - Increase individual accountability - More routing au
Increase individual accountability To adequately provide accountability, the use of shared or group accounts should be disabled. This allows you to log and track individual user actions based on individual user accounts. This enables the organization to hold users accountable for their actions, too.
During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found? - Indicator of compromise - XSRF - Botnet - SQL injection
Indicator of compromise An indicator of compromise is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers' domain names.
What control provides the best protection against both SQL injection and cross-site scripting attacks? - Input validation - CSRF - Network layer firewalls - Hypervisors
Input validation Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks.
You have just received an email that claims to be from the Federal Bureau of Investigation (FBI). The email claims that your computer was identified as part of a botnet being used to distribute pirated copies of a new movie. The email states that you must click the link below and pay a fine of $1000 within 24 hours, or federal agents will be sent to your home to arrest you for copyright infringement. What social engineering principle is this email relying on using? - Trust - Consensus - Intimida
Intimidation Intimidation is a commonly used technique during a social engineering campaign. It relies on trying to scare or frighten a person into clicking a link. Often, these emails will claim to be from the FBI, IRS, or other government agencies.
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems? - Intrusion prevention system - Automated patch deployment - Log consolidation - Anti-virus software
Intrusion prevention system Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment and to prevent malicious activity. You could set up strict IPS rules to prevent unknown types of actions from being allowed to occur.
Which protocol relies on mutual authentication of the client and the server for its security? - RADIUS - CHAP - LDAPS - Two-factor authentication
LDAPS The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable access to a directory of resources (workstations, users, information, etc.).
The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, "You will regret firing me; just wait until Christmas!" He suspects the message came from a disgruntled former employee that may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could create a negative effect on Christmas. He directs his team of cybersecurity analysts to be
Logic Bomb
Which of the following types of access control provides the strongest level of protection? - ABAC - RBAC - DAC - MAC
MAC Mandatory Access Control (MAC) requires all access to be predefined based on system classification, configuration, and authentication. MAC is commonly used in highly centralized environments and usually relies on a series of labels, such as classification levels of the data.
Dion Training has an open wireless network called "InstructorDemos" for its instructors to use during class, but they do not want any students connecting to this wireless network. The instructors need the "InstructorDemos" network to remain open since some of their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the following configuration settings should you use to satisfy the instructor's requirements and prevent students fr
MAC filtering Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same devices to connect to the network, it would be relatively easy to implement a MAC filtering based on the list of devices that are allowed to use the open network and reject any other devices not listed by the instructors (like the student's laptops or phones).
Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application? - Public key of the file - File size and file creation date - Private key of the file - MD5 or SHA1 hash digest of the file
MD5 or SHA1 hash digest of the file Keith should conduct a hash of the downloaded file and compare it against the MD5 hash digest listed on the server of this file. This file needs to be a verifiable MD5 hash file to validate the file integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download.
Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords? - Missing patches - Cross-site scripting - SQL injection CRLF injection
Missing patches Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server's data can become compromised.
How would you appropriately categorize the authentication method being displayed here? - Multifactor authentication - PAP authentication - One-time password authentication - Biometric authentication
Multifactor authentication For the exam, you need to know the different authentication categories and what type of authentication methods belong to each category. This is an example of multifactor authentication because you are using both a username/password combination with an SMS code. This provides a knowledge factor (username/password) and a possession factor (your smartphone) to provide two factors of authentication, making this the best option.
What tool can be used to scan a network to perform vulnerability checks and compliance auditing? - Nmap - BeEF - Nessus - Metasploit
Nessus Nessus is a popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans.
A security analyst conducts a Nmap scan of a server and found that port 25 is open. What risk might this server be exposed to? - Clear text authentication - Open file/print sharing - Open mail relay - Web portal data leak
Open mail relay Port 25 is the default port for SMTP (Simple Message Transfer Protocol), which is used for sending an email. An active mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send email through it, not just mail originating from your known and trusted users. Spammers can exploit this type of vulnerability to use your email server for their benefit. File/print sharing usually operates over ports 135, 139, and 445 on a Windows server. Web portals run on ports 80 and 443. Clear text authentication could occur using an unencrypted service, such as telnet (23), FTP (20/21), or the web (80).
Which of the following cryptographic algorithms is classified as asymmetric? - AES - 3DES - PGP - RC4
PGP Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions and to increase the security of email communications. PGP is a public-key cryptosystem and relies on an asymmetric algorithm. AES, RC4, and 3DES are all symmetric algorithms.
Dion Training wants to get an external attacker's perspective on its security status. Which of the following services should they purchase? - Vulnerability scan - Penetration test - Asset management - Patch management
Penetration test Penetration tests provide an organization with an external attacker's perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network.
You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices' data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives? - Conduct zero-fill on the storage devices - Perform a cryptographic erase
Perform a cryptographic erase (CE) on the storage devices Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case, the hard drives already used data at rest. Therefore, the most efficient method would be to choose CE. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive.
Tim, a help desk technician, receives a call from a frantic executive who states that their company-issued smartphone was stolen during their lunch meeting with a rival company's executive. Tim quickly checks the MDM administration tool and identifies that the user's smartphone is still communicating with the MDM and displays the location of the device on a map. What should Tim do next to ensure the data on the stolen device remains confidential and inaccessible to the thief? - Reset the dev
Perform a remote wipe of the device
A firewall administrator has configured a new screened subnet to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (Screened Subnet) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the screened subnet for the Chief Security Officer t
Permit 143.27.43.32 161.212.71.14 RDP 3389 Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ (screened subnet), so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol.
What is the lowest layer (bottom layer) of a bare-metal virtualization environment? - Hypervisor - Host operating system - Guest operating system - Physical hardware
Physical hardware
In which type of attack does the attacker begin with a normal user account and then seeks to gain additional access rights? - Privilege escalation - Cross-site scripting - Spear phishing - Remote code execution
Privilege escalation
You are working as part of a cyber incident response team. An ongoing attack has been identified on your webserver. Your company wants to take legal action against the criminals who have hacked your server, so they have brought a forensic analyst from the FBI to collect the evidence from the server. In what order should the digital evidence be collected based on the order of volatility? - Processor Cache, Swap File, Random Access Memory, Hard Drive or USB Drive - Processor Cache, Random Access M
Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive The correct order for evidence collection based on the order of volatility is the Processor Cache, Random Access Memory, Swap File, and then the Hard Drive or USB Drive. Since the Processor Cache is the most volatile and changes the most frequently, it should be captured first. Random Access Memory (RAM) is temporary storage on a computer. It can quickly change or be overwritten, and the information stored in RAM is lost when power is removed from the computer, so it should be collected second. Swap files are temporary files on a hard disk used as virtual memory, and therefore, they should be collected third. The files on a hard disk or USB drive are the least volatile of the four options presented since they are used for long-term storage of data and are not lost when the computer loses power.
Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach? - Protected health information - Personally identifiable information - Trade secret information - Credit card information
Protected health information Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPAA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual.
Which of the following hashing algorithms results in a 160-bit fixed output? - RIPEMD - NTLM - SHA-2 - MD-5
RIPEMD RIPEMD creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.
A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reading the number of lives purchased from
Race condition Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker's exploit is racing to modify the configuration file before the application reads the number of lives from it.
Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption? - DES with a 56-bit key - ECC with a 256-bit key - AES with a 256-bit key - Randomized one-time use pad
Randomized one-time use pad The only truly unbreakable encryption is one that uses a one-time use pad. This ensures that every message is encrypted with a different shared key that only the two owners of the one-time use pad would know. This technique ensures that there is no pattern in the key for an attacker to guess or find. Even if one of the messages could be broken, all of the other messages would remain secure since they use different keys to encrypt them. Unfortunately, one-time use pads require that two identical copies of the pad are produced and distributed securely before they can be used.
On your lunch break, you walked down to the coffee shop on the corner. You open your laptop and connect to their wireless network. After a few minutes of surfing the Internet, a pop-up is displayed on your screen. You close the pop-up, finish your lunch break, shut down the laptop, and put it back into your backpack. When you get back to the office, you take out the laptop and turn it on, but instead of your normal desktop background, you are greeted by a full screen image with a padlock and a m
Ransomware
Which of the following type of threats did the Stuxnet attack rely on to cross an air gap between a business and an industrial control system network? - Cross-site scripting - Session hijacking - Directory traversal - Removable media
Removable media Air gaps are designed to remove connections between two networks to create physical segmentation between them. The only way to cross an air gap is to have a physical device between these systems, such as using a removable media device to transfer files between them.
Which type of method is used to collect information during the passive reconnaissance? - Network traffic sniffing - API requests and responses - Social engineering - Reviewing public repositories
Reviewing public repositories Passive reconnaissance focuses on collecting information that is widely and openly available from publicly available sources. While network traffic sniffing is considered passive, gaining access to the network to place a sniffer in a good network tap location would not be considered passive. Of the choices provided, publicly accessible sources are the best answer to choose.
A computer is infected with a piece of malware that has infected the Windows kernel in an effort to hide. Which type of malware MOST likely infected this computer? - Ransomware - Trojan - Rootkit - Botnet
Rootkit
A computer is infected with malware that has infected the Windows kernel to hide. Which type of malware MOST likely infected this computer? - Botnet - Ransomware - Rootkit - Trojan
Rootkit A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enabled administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system.
The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network? - Reviewing a central administration tool like an endpoint manager - A physical survey - Router and switch-based MAC address reporting - A discovery scan using a port scanner
Router and switch-based MAC address reporting The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.
A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation? - Memorandum of understanding - Acceptable use policy - Rules of engagement - Service level agreement
Rules of engagement The rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc.
Which of the following categories would contain information about a French citizen's race or ethnic origin? - SPI - PII - DLP - PHI
SPI According to the GDPR, information about an individual's race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject's opinions, beliefs, and nature afforded specially protected status by privacy legislation. As it cannot be used to identify somebody or make any relevant assertions about health uniquely, it is neither PII nor PHI.
You are reviewing the IDS logs and notice the following log entry:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-(where [email protected] and password=' or 7==7')-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-What type of attack is being performed? - XML injection - SQL injection - Header manipulation - Cross-site scripting
SQL injection
A security analyst is conducting a log review of the company's web server and found two suspicious entries: The analyst contacts the web developer and asks for a copy of the source code to the logon.php script. The script is as follows: Based on source code analysis, which type of vulnerability is this web server vulnerable to? - SQL injection - Command injection - LDAP injection - Directory traversal
SQL injection Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (') used in the log. A connection to the MySQL database is being used in the script, which could be exploited since no input validation is being performed.
Which of the following describes the security method used when users enter their username and password only once and can access multiple applications? - SSO - Multifactor authentication - Inheritance - Permission propagation
SSO Single sign-on (SSO) is an authentication process that allows users to access multiple applications with one set of login credentials. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN).
Your organization has been receiving many phishing emails recently, and you are trying to determine why they are effective in getting your users to click on their links. The latest email consists of what looks like an advertisement that is offering an exclusive early access opportunity to buy a new iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social engineering principle is being exploited here? - Trust - Scarcity - Familiarity - Intimidation
Scarcity Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as "supplies are limited," "only available for the next 4 hours", and other such artificial limitations being used.
Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders? - Dual control - Separation of duties - Background checks - Mandatory vacation
Separation of duties This organization uses separation of duties to ensure that neither Kirsten nor Bob can exploit the organization's ordering processes for their gain. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error.
A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies? - Forcing the use of TLS for the web application - Forcing the use of SSL for the web application - Setting the secure attribute on the cookie - Hashing the cookie value
Setting the secure attribute on the cookie
Which attack method is MOST likely to be used by a malicious employee or insider trying to obtain another user's passwords? - Phishing - On-path attack - Shoulder surfing - Tailgating
Shoulder surfing While a malicious employee or insider could use all of the methods listed to obtain another user's passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder.
Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system? - Fingerprint and retinal scan - Password and security questions - Smartcard and PIN - Username and password
Smartcard and PIN Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inheritance factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication.
You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization? - The type of data processed by the system - The depreciated hardware cost of the system - The cost of acquisition of the system - The cost of hardware replacement of the system
The type of data processed by the system The data's asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value.
Why would a company want to utilize a wildcard certificate for their servers? - To increase the certificate's encryption key length - To extend the renewal date of the certificate - To secure the certificate's private key - To reduce the certificate management burden
To reduce the certificate management burden A wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain. This saves money and reduces the management burden of managing multiple certificates, one for each subdomain.
Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database? - Data masking - Tokenization - Anonymization - Data minimization
Tokenization Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique.
A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have? - Rootkit - Trojan - Keylogger - Ransomware
Trojan
A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have? - Keylogger - Rootkit - Trojan - Ransomware
Trojan A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system.
STARWhich of the following programs was designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military? - Trusted Foundry (TF) - Supplies Assured (SA) - Supply Secure (SS) - Trusted Access Program (TAP)
Trusted Foundry (TF)
Which of the following cryptographic algorithms is classified as symmetric? - Diffie-Hellman - RSA - ECC - Twofish
Twofish Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. ECC, RSA, and Diffie-Hellman are all asymmetric algorithms.
Karen lives in an area that is prone to hurricanes and other extreme weather conditions. She asks you to recommend an electrical conditioning device that will prevent her files from being corrupted if the building's power is unstable or lost. Additionally, she would like the computer to maintain power for up to an hour of uptime to allow for a graceful shutdown of her programs and computer. Which of the following should you recommend? - Power distribution unit - Uninterruptible power supply - Su
Uninterruptible power supply An uninterruptible power supply or uninterruptible power source (UPS) is an electrical apparatus that provides emergency power to a load when the input power source becomes too low or the main power fails. A UPS provides near-instantaneous protection from input power interruptions by using a battery backup. The on-battery run-time of most uninterruptible power sources is usually short (less than 60 minutes) but sufficient to properly shut down a computer system.
Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered? - Semi-trusted environment testing - Partially kn
Unknown environment testing An unknown environment penetration test requires no previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior information about the target system or network in an unknown environment penetration test. These tests provide a realistic scenario for testing the defenses, but they can be costlier and more time-consuming to conduct as the tester is examining a system from an outsider's perspective.
Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? - Use data masking - Span multiple virtual disks to fragment data - Use full-disk encryption - Zero-wipe drives before moving systems
Use full-disk encryption To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider.
You have been investigating how a malicious actor was able to exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that the web server's BIOS had been modified by the installation of a rootkit. After you remove the rootkit and reflash the BIOS to a known good image, what should you do in order to prevent the malicious actor from affecting the BIOS again? - Install an anti-malware application - Install a host-based IDS - Utilize secur
Utilize secure boot
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? - VM escape - VM migration - VM sprawl - VM data remnant
VM escape
Which of the following is not normally part of an endpoint security suite? - Software firewall - Anti-virus - VPN - IPS
VPN Endpoint security includes software host-based firewalls, host-based intrusion protection systems (HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is a network security tool.
You need to determine the best way to test operating system patches in a lab environment prior to deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches prior to deployment? - Sandboxing - Virtualization - Purchase additional workstations - Bypass testing and deploy patches dire
Virtualization
Which of the following is the LEAST secure wireless security and encryption protocol? - WPA - WPA2 - WPA3 - WEP
WEP Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key.
Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company's owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donating them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate
Wiping Data wiping or clearing occurs by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media. Data wiping may be performed with a 1x, 7x, or 35x overwriting, with a higher number of times being more secure. This allows the hard drive to remain functional and allows for hardware reuse.
You are analyzing the SIEM for your company's ecommerce server when you notice the following URL in the logs of your SIEM:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/><item+id="5&quantity=0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Based on this line, what type of attack do you expect has been attempted? - SQL injection - Buffer overflow - XML injection - Session hijacking
XML injection
What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system? - You should accept the risk if the residual risk is low enough - You should remove the current controls since they are not completely effective - You should ignore any remaining risk - You should continue to apply additional controls until there is zero risk
You should accept the risk if the residual risk is low enough In most cases, you will be unable to remove all risks. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk.
Which type of threat will patches NOT effectively combat as a security control? - Zero-day attacks - Known vulnerabilities - Discovered software bugs - Malware with defined indicators of compromise
Zero-day attacks
Which type of threat will patches NOT effectively combat as a security control? - Discovered software bugs - Zero-day attacks - Malware with defined indicators of compromise - Known vulnerabilities
Zero-day attacks Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software).
You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) - journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo - journalctl _UID=1003 | grep -e 1003 | grep sudo - journalctl _UID=1003 | grep -e [Tt]erri | grep sudo - journalctl _UID=1003 | grep sudo
journalctl _UID=1003 | grep sudo journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd's log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter of _UID=1003, you will only receive entries made under the authorities of the user with ID (UID) 1003. In this case, that is Terri. Using the piping function, we can send that list of entries into the grep command as an input and then filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep using the -e flag. Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep f
An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only the name servers? - request type=ns - set type=ns - transfer type=ns - locate type=ns
set type=ns The nslookup command is used to query the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records. The "set type=ns" tells nslookup only reports information on name servers.
You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems? - netstat - nbtstat - ipconfig - tracert
tracert The tracert (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, tracert uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer. The ICMP "Time Exceeded" messages that intermediate routers send back show the route.
