CASP+ Practice Tests
You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan, but you don't have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation? nmap -sT nmap -O nmap -sX nmap -sS
nmap -sT nmap -sT is a full TCP connect scan. This is a good alternative to a -sS "half-open" SYN scan, which requires raw socket privileges and never completes the full TCP connection.
An e-commerce company is running a web server on premises, and the resource utilization is usually less than 30%. During the last two holiday seasons, the server experienced performance issues because of too many connections, and several customers were not able to finalize purchase orders. The company is looking to change the server configuration to avoid this kind of performance issue. Which of the following is the MOST cost-effective solution? A. Move the server to a cloud provider. B. Change the operating system. C. Buy a new server and create an active-active cluster. D. Upgrade the server with a new one.
Answer: A I: Moving the server to a cloud provider will allow additional resources to be added to the server during peak times.
A business stores personal client data of individuals residing in the EU in order to process requests for mortgage loan approvals. Which of the following does the business's IT manager need to consider? A. The availability of personal data B. The right to personal data erasure C. The company's annual revenue D. The language of the web application
Answer: B I: GDPR, the EU standard for data privacy, includes the "right to be forgotten" provision, which guarantees citizens the right to demand that all of their data be deleted by an organization if they so choose, and the organization must comply.
An enterprise is deploying APIs that utilize a private key and a public key to ensure the connection string is protected. To connect to the API, customers must use the private key. Which of the following would BEST secure the REST API connection to the database while preventing the use of a hardcoded string in the request string? A. Implement a VPN for all APIs. B. Sign the key with DSA. C. Deploy MFA for the service accounts. D. Utilize HMAC for the keys.
Answer: D, HMAC I: HMAC sends a request that is encrypted with the HMAC, which is always different.
An organization's hunt team thinks a persistent threat exists and already has a foothold in the enterprise network. Which of the following techniques would be BEST for the hunt team to use to entice the adversary to uncover malicious activity? A. Deploy a SOAR tool. B. Modify user password history and length requirements. C. Apply new isolation and segmentation schemes. D. Implement decoy files on adjacent hosts.
Answer: D, deploy decoy files I: The keyword here is "entice", which is a weird one, but it can only be D.
Which of the following is the MOST important security objective when applying cryptography to control messages that tell an ICS how much electrical power to output? A. Importing the availability of messages B. Ensuring non-repudiation of messages C. Enforcing protocol conformance for messages D. Assuring the integrity of messages
Answer: D, integrity of the messages I: Integrity is most important, as it will ensure that a message is not altered in a way that makes the ICS generate too much or too little power, potentially destroying other systems or endangering safety.
A company hired a third party to develop software as part of its strategy to be quicker to market. The company's policy outlines the following requirements: The credentials used to publish production software to the container registry should be stored in a secure location. Access should be restricted to the pipeline service account, without the ability for the third-party developer to read the credentials directly. Which of the following would be the BEST recommendation for storing and monitoring access to these shared credentials? A. TPM B. Local secure password file C. MFA D. Key vault
Answer: D, key vault I: A key vault is a very common secure key storage location.
A security analyst is reviewing network connectivity on a Linux workstation and examining the active TCP connections using the command line. Which of the following commands would be the BEST to run to view only active Internet connections? A. sudo netstat -antu | grep "LISTEN" | awk '{print$5}' B. sudo netstat -nlt -p | grep "ESTABLISHED" C. sudo netstat -plntu | grep -v "Foreign Address" D. sudo netstat -pnut -w | column -t -s $'\w' E. sudo netstat -pnut | grep -P ^tcp
Answer: E, this will only return results that are TCP, which are considered "connections".
Due to locality and budget constraints, an organization's satellite office has a lower bandwidth allocation than other offices in the organization. As a result, the local security infrastructure staff is assessing architectural options that will help preserve network bandwidth and increase speed to both internal and external resources while not sacrificing threat visibility. Which of the following would be the BEST option to implement? A. Distributed connection allocation B. Local caching C. Content delivery network D. SD-WAN vertical heterogeneity
Answer: Either B or C, but B more likely. I: Local caching will achieve similar results as a CDN, while also being cheaper.
Layers of the three-tiered network architecture:
Core layer: the "backbone" of the network, this is where geographically separated networks are merged back into one cohesive unit. In general, you will have at least two routers at the core level, operating in a redundant configuration.
Distribution/aggregation layer: located under the core layer, it provides boundary definition by implementing access lists and filters to define the policies for the network.
Access/edge layer: the lowest layer, this is where all endpoints such as computers, laptops, servers, printers, wireless access points, etc. are connected.
Dion Security Group is analyzing the encryption implementation of one of its customers. An analyst has discovered that they are using a mode of operation that uses an initialization vector and an incrementing value that is added to the key to generate the keystream used in encryption. Which of the following modes of operation is being used by the customer? Galois/counter mode Output feedback Counter mode Cipher block chaining
Counter mode Counter (CTR) mode allows symmetric block ciphers to work with large amounts of data, and it uses an initialization vector and an incrementing counter value added to the key to generate the keystream.
You have been asked to select the best endpoint security control to meet the following requirement. The endpoint is a user workstation that is used by a typical office employee to conduct basic office functions like word processing and creating spreadsheets. Your organization wants to be able to determine if any unexpected behavior occurs on the endpoint or the system state is changed. Which of the following endpoint security controls would create alerts based on signature rules matching known malicious activity on the endpoint? Host-based firewall User and entity behavior analytics (UEBA) Host-based intrusion detection system (HIDS) Endpoint detection and response (EDR)
Host-based intrusion detection system (HIDS) HIDS is an IDS technology that monitors for unexpected behavior or drastic changes in the computer's state. The keyword here is that HIDS are usually signature-based, and are configured to alert on explicitly-defined actions, such as the presence of a known malware signature, or if critical system files are modified. This is as opposed to EDR, which is more proactive, regularly collecting system data and logs to be analyzed for possible intrusion.
Which role validates the user's identity when using SAML for authentication? IdP User agent SP RP
IdP The IdP is kind of like a root authority; the client authenticates with them before accessing any resources in an SSO federation, and the IdP verifies their identity to the SPs/RPs within the federation.
Which of the following will an adversary do during the installation phase of the Lockheed Martin kill chain? (SELECT FOUR) Install a backdoor/implant on a client victim Collect user credentials Install a webshell on a server Open two-way communications channel to an established C2 infrastructure Create a point of presence by adding services, scheduled tasks, or AutoRun keys Timestomp a malware file to make it appear as if it is part of the operating system
Install a backdoor/implant on a client victim Install a webshell on a server Open two-way communications channel to an established C2 infrastructure Create a point of presence by adding services, scheduled tasks, or AutoRun keys
Risk Appetite vs Risk Tolerance
Risk Appetite is the amount of risk that an organization is willing to tolerate after all compensating controls have been implemented. Risk Tolerance divides risk into tiers, such as low/med/high. Remember risk Tolerance is Tiers, with a T.
Which of the following does a User-Agent request a resource from when conducting a SAML transaction? Relying party (RP) Identity provider (IdP) Service provider (SP) Single sign-on (SSO)
Service provider (SP) The user (client) initially requests a resource from the Service Provider, often referred to as the host; they are the server that the client wishes to connect to. However, the SP will redirect the user to authenticate with the IdP (Identity Provider), who will then validate the client's identity, and assert to the SP that the client has been validated and can access their resources.
Which of the following features of homomorphic encryption allows two parties to jointly evaluate a private function without revealing their respective inputs? Private Function Evaluation Private Information Retrieval Secure Multi-Party Computation Secure Function Evaluation
Private Function Evaluation Private Function Evaluation (PFE) allows two parties to jointly evaluate a private function without revealing their respective inputs. The keyword here is PRIVATE function evaluation, which allows two parties to jointly evaluate a PRIVATE function, as opposed to Secure Function Evaluation, which allows two parties to evaluate a PUBLICLY KNOWN function.
Which of the following features of homomorphic encryption allows an item to be retrieved from a service's database without revealing which item was retrieved? Private Function Evaluation Secure Function Evaluation Secure Multi-Party Computation Private Information Retrieval
Private Information Retrieval This is pretty self-explanatory.
Dion Training has recently set up some virtual servers in a virtual private cloud (VPC) with a cloud service provider. These servers need to connect to services outside the VPC while still preventing external services from initiating a connection with those virtual servers. Which of the following services should be implemented to meet these security requirements? NAT gateway API gateway VPN gateway XML gateway
NAT gateway A NAT gateway allows subnets inside a cloud environment (VPC) access to the internet. They can be configured so that connections can only be initiated by devices within the subnet, but no outside devices can attempt to initiate a connection.
Which type of RAID should be used for a virtualization server that must have the fastest speed and highest redundancy level? RAID 0 RAID 1 RAID 5 RAID 10
RAID 10 RAID 10 provides the fastest speed, best reliability, and highest redundancy, but it is the most costly as it uses much more disk storage. It requires a minimum of four disks. It combines disk mirroring and disk striping to protect data stored in the array.
Which RAID configuration provides block-level striping with distributed parity to provide redundancy, and uses a minimum of three disks?
RAID 5 This is generally considered the most common RAID configuration.
Define Recovery Service Level (RSL)
RSL can have two meanings: 1) It is the amount of computing power, expressed as a percentage of the company's resources/computational power, that is needed in response to an incident. 2) It can also mean the prioritization of resources that are necessary to complete the rest of the disaster recovery process; for instance, in the event of an outage, the main webserver should be prioritized so that customers can continue to reach the website, and then data backups can be performed. This is similar to mission-critical functions.
Following an incident, the incident response team has generated many recommendations for additional controls and items to be purchased to prevent future recurrences. Which of the following approaches best describes what the organization should do next? Immediately procure and install all of them because the adversary may reattack at any time Conduct a cost/benefit analysis of each recommendation against the company's current fiscal posture Submit a prioritized list with all of the recommendations for review, procurement, and installation Contract an outside security consultant to provide an independent assessment of the network and outsource the remediation efforts
Submit a prioritized list with all of the recommendations for review, procurement, and installation
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? TACACS+ RADIUS Kerberos CHAP
TACACS+ Terminal Access Controller Access Control System is a Cisco-proprietary protocol used to provide triple-A (Authentication, Authorization, and Accounting).
A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS. What should the network administrator implement? 802.1x using EAP with MSCHAPv2 MAC address filtering with IP filtering PKI with user authentication WPA2 with a complex shared key
802.1x using EAP with MSCHAPv2 Since the backend uses RADIUS, the administrators can install 802.1x using EAP with MSCHAPv2.
An application developer is including third-party background security fixes in an application. The fixes seem to resolve a currently identified security issue. However, when the application is released to the public, reports come in that a previously remediated vulnerability has returned. Which of the following should the developer integrate into the process to BEST prevent this type of behavior? A. Peer review B. Regression testing C. User acceptance D. Dynamic analysis
Answer: B, regression testing
A company wants to protect its intellectual property from theft. The company has already applied ACLs and DACs. Which of the following should the company use to prevent data theft? A. Watermarking B. DRM C. NDA D. Access logging
Answer: B I: Digital Rights Management is the only option that would really prevent theft, as it actively prevents certain kinds of digital media from being copied or recorded.
A company has decided to purchase a license for software that is used to operate a mission-critical process. The third-party developer is new to the industry but is delivering what the company needs at this time. Which of the following BEST describes the reason why utilizing a source code escrow will reduce the operational risk to the company if the third party stops supporting the application? A. The company will have access to the latest version to continue development. B. The company will be able to force the third-party developer to continue support. C. The company will be able to manage the third-party developer's development process. D. The company will be paid by the third-party developer to hire a new development team.
Answer: A I: Source code escrow allows a company to take ownership of a third-party company's source code in the event that they are no longer able to develop it, such as if they go bankrupt, or if they refuse to continue doing business.
A security engineer thinks the development team has been hard-coding sensitive environment variables in its code. Which of the following would BEST secure the company's CI/CD pipeline? A. Utilizing a trusted secrets manager B. Performing DAST on a weekly basis C. Introducing the use of container orchestration D. Deploying instance tagging
Answer: A I: Utilizing a trusted secrets manager would be the best solution, as this will help protect all sensitive authorization information such as passwords, tokens, PINs, keys, credentials, etc. "Trusted secrets management" is used organizationally but is specifically often referred to when talking about development environments.
A developer wants to maintain integrity to each module of a program and ensure the code cannot be altered by malicious users. Which of the following would be BEST for the developer to perform? (Choose two.) A. Utilize code signing by a trusted third party. B. Implement certificate-based authentication. C. Verify MD5 hashes. D. Compress the program with a password. E. Encrypt with 3DES. F. Make the DACL read-only.
Answer: A and B, utilize code signing by a trusted third-party and implement certificate-based authentication I: Code signing would ensure the integrity of the program, and implementing certificate-based authentication would ensure that only authorized users can access the code.
A health company has reached the physical and computing capabilities in its datacenter, but the computing demand continues to increase. The infrastructure is fully virtualized and runs custom and commercial healthcare applications that process sensitive health and payment information. Which of the following should the company implement to ensure it can meet the computing demand while complying with healthcare standards for virtualization and cloud computing? A. Hybrid IaaS solution in a single-tenancy cloud B. PaaS solution in a multi-tenancy cloud C. SaaS solution in a community cloud D. Private SaaS solution in a single-tenancy cloud.
Answer: A or D, torn on this one
A junior developer is informed about the impact of new malware on an Advanced RISC Machine (ARM) CPU, and the code must be fixed accordingly. Based on the debug, the malware is able to insert itself in another process memory location. Which of the following technologies can the developer enable on the ARM architecture to prevent this type of malware? A. Execute never B. No-execute C. Total memory encryption D. Virtual memory encryption
Answer: A, Execute Never (XN) I: Execute Never is an option that tells the CPU to never execute code in certain regions of memory reserved for the storage of program data. This is used to prevent buffer overflows, as well as to prevent malicious code from injecting itself into the memory region of other processes.
A satellite communications ISP frequently experiences outages and degraded modes of operation over one of its legacy satellite links due to the use of deprecated hardware and software. Three days per week, on average, a contracted company must follow a checklist of 16 different high-latency commands that must be run in serial to restore nominal performance. The ISP wants this process to be automated. Which of the following techniques would be BEST suited for this requirement? A. Deploy SOAR utilities and runbooks. B. Replace the associated hardware. C. Provide the contractors with direct access to satellite telemetry data. D. Reduce link latency on the affected ground and satellite segments.
Answer: A, deploy SOAR runbooks I: Security Orchestration Automation and Response is a methodology which employs automated runbooks to handle many security or network administration tasks.
A home automation company just purchased and installed tools for its SOC to enable incident identification and response on software the company develops. The company would like to prioritize defenses against the following attack scenarios: Unauthorized insertions into application development environments Authorized insiders making unauthorized changes to environment configurations Which of the following actions will enable the data feeds needed to detect these types of attacks on development environments? (Choose two.) A. Perform static code analysis of committed code and generate summary reports. B. Implement an XML gateway and monitor for policy violations. C. Monitor dependency management tools and report on susceptible third-party libraries. D. Install an IDS on the development subnet and passively monitor for vulnerable services. E. Model user behavior and monitor for deviations from normal. F. Continuously monitor code commits to repositories and generate summary logs.
Answer: A,F I: Performing static code analysis of committed code and generating summary reports would prevent unauthorized changes, while an IDS would help monitor for and detect intrusion.
A SOC analyst is reviewing malicious activity on an external, exposed web server. During the investigation, the analyst determines specific traffic is not being logged, and there is no visibility from the WAF for the web application. Which of the following is the MOST likely cause? A. The user agent client is not compatible with the WAF. B. A certificate on the WAF is expired. C. HTTP traffic is not forwarding to HTTPS to decrypt. D. Old, vulnerable cipher suites are still being used.
Answer: B I: A certificate on the WAF is expired, which would then not allow the WAF to see any part of the site that the certificate was for.
A company is implementing SSL inspection. During the next six months, multiple web applications that will be separated out with subdomains will be deployed. Which of the following will allow the inspection of the data without multiple certificate deployments? A. Include all available cipher suites. B. Create a wildcard certificate. C. Use a third-party CA. D. Implement certificate pinning.
Answer: B I: A wildcard certificate is a certificate that also works on any subdomain of the domain it was issued for. For instance, *.somedomain.com will allow the certificate to work with blog.somedomain, help.somedomain, admin.somedomain, shop.somedomain, etc.
An organization wants to perform a scan of all its systems against best practice security configurations. Which of the following SCAP standards, when combined, will enable the organization to view each of the configuration checks in a machine-readable checklist format for full automation? (Choose two.) A. ARF B. XCCDF C. CPE D. CVE E. CVSS F. OVAL
Answer: B, F I: SCAP is Security Content Automation Protocol, which is a standard that allows network owners to scan and compare their network against industry-wide baselines and best practices. Extensible Configuration Checklist Description Format (XCCDF) is the standard format for creating machine-readable and shareable configuration checklists, and it allows an organization to define and automate assessment of security standards. OVAL is a standard for expressing vulnerabilities and security issues in human-readable format, and can be used to automate the process of scanning and evaluating systems to determine risk. OVAL uses CVE and CVSS as a part of its language to assess risk.
A security analyst discovered that the company's WAF was not properly configured. The main web server was breached, and the following payload was found in one of the malicious requests: <ENTITY xxe SYSTEM "file:///etc/password">]> Which of the following would BEST mitigate this vulnerability? A. CAPTCHA B. Input validation C. Data encoding D. Network intrusion prevention
Answer: B, Input validation
A new web server must comply with new secure-by-design principles and PCI DSS. This includes mitigating the risk of an on-path attack. A security analyst is reviewing the web server's cipher suites. Which of the following ciphers should the security analyst remove to support the business requirements? A. TLS_AES_128_CCM_8_SHA256 B. TLS_DHE_DSS_WITH_RC4_128_SHA C. TLS_CHACHA20_POLY1305_SHA256 D. TLS_AES_128_GCM_SHA256
Answer: B, RC4 is completely deprecated in every application by now.
A security analyst is researching containerization concepts for an organization. The analyst is concerned about potential resource exhaustion scenarios on the Docker host due to a single application that is overconsuming available resources. Which of the following core Linux concepts BEST reflects the ability to limit resource allocation to containers? A. Union filesystem overlay B. Cgroups C. Linux namespaces D. Device mapper
Answer: B, cgroups I: cgroups (abbreviated from Control Groups) is a Linux kernel feature that limits, accounts for, and isolates resource usage of a collection of processes. Essentially, it allows you to assign and control access to hardware resources for tasks or processes. Docker is similar to a VM, except it is for servers; it is an open-source platform that manages containers on the server.
While investigating a security event, an analyst finds evidence that a user opened an email attachment from an unknown source. Shortly after the user opened the attachment, a group of servers experienced a large amount of network and resource activity. Upon investigating the servers, the analyst discovers the servers were encrypted by ransomware that is demanding payment within 48 hours or all data will be destroyed. The company has no response plans for ransomware. Which of the following is the NEXT step the analyst should take after reporting the incident to the management team? A. Pay the ransom within 48 hours. B. Isolate the servers to prevent the spread. C. Notify law enforcement. D. Request that the affected servers be restored immediately.
Answer: B, isolate the servers to prevent the spread I: Isolation to prevent the spread of malware is generally one of the very first things you should do during an incident response.
Which of the following terms refers to the delivery of encryption keys to a CASB or a third-party entity? A. Key sharing B. Key distribution C. Key recovery D. Key escrow
Answer: B, key distribution I: Key escrow is the process of securely storing a key for recovery purposes; key distribution is delivering keys to a CASB to be distributed to clients.
A security engineer needs to implement a solution to increase the security posture of user endpoints by providing more visibility and control over local administrator accounts. The endpoint security team is overwhelmed with alerts and wants a solution that has minimal operational burdens. Additionally, the solution must maintain a positive user experience after implementation. Which of the following is the BEST solution to meet these objectives? A. Implement Privileged Access Management (PAM), keep users in the local administrators group, and enable local administrator account monitoring. B. Implement PAM, remove users from the local administrators group, and prompt users for explicit approval when elevated privileges are required. C. Implement EDR, remove users from the local administrators group, and enable privilege escalation monitoring. D. Implement EDR, keep users in the local administrators group, and enable user behavior analytics.
Answer: B, use PAM to remove users from the admin group, and prompt users for explicit approval when elevated privileges are required. This uses the concept of least privilege, and ensures only admins can approve users who require elevated access.
A network architect is designing a new SD-WAN architecture to connect all local sites to a central hub site. The hub is then responsible for redirecting traffic to public cloud and datacenter applications. The SD-WAN routers are managed through a SaaS, and the same security policy is applied to staff whether working in the office or at a remote location. The main requirements are the following:
1. The network supports core applications that have 99.99% uptime.
2. Configuration updates to the SD-WAN routers can only be initiated from the management service.
3. Documents downloaded from websites must be scanned for malware.
Which of the following solutions should the network architect implement to meet the requirements? A. Reverse proxy, stateful firewalls, and VPNs at the local sites B. IDSs, WAFs, and forward proxy IDS C. DoS protection at the hub site, mutual certificate authentication, and cloud proxy D. IPSs at the hub, Layer 4 firewalls, and DLP
Answer: C I: DoS protection would enhance availability by preventing denial of service, mutual authentication would ensure that the management service must present valid credentials before the server authenticates, and a cloud proxy can be configured to inspect packets for malware before forwarding them to the internal cloud network.
A security architect is implementing a web application that uses a database back end. Prior to the production, the architect is concerned about the possibility of XSS attacks and wants to identify security controls that could be put in place to prevent these attacks. Which of the following sources could the architect consult to address this security concern? A. SDLC B. OVAL C. IEEE D. OWASP
Answer: D I: The Open Web Application Security Project (OWASP) is generally the best resource to consult when addressing webapp vulnerabilities, as it is a worldwide community-driven webapp security project.
Over the last 90 days, many storage services have been exposed in the cloud services environments, and the security team does not have the ability to see what is creating these instances. Shadow IT is creating data services and instances faster than the small security team can keep up with them. The Chief Information Security Officer (CISO) has asked the security lead architect to recommend solutions to this problem. Which of the following BEST addresses the problem with the least amount of administrative effort? A. Compile a list of firewall requests and compare them against interesting cloud services. B. Implement a CASB solution and track cloud service use cases for greater visibility. C. Implement a user-behavior system to associate user events and cloud service creation events. D. Capture all logs and feed them to a SIEM and then for cloud service events
Answer: C I: It looks like a toddler wrote this question but the best option is C
A security architect works for a manufacturing organization that has many different branch offices. The architect is looking for a way to reduce traffic and ensure that the branch offices receive the latest copy of revoked certificates issued by the CA at the organization's headquarters location. The solution must also have the lowest power requirement on the CA. Which of the following is the BEST solution? A. Deploy an RA on each branch office. B. Use Delta CRLs at the branches. C. Configure clients to use OCSP. D. Send the new CRLs by using GPO.
Answer: C most likely, but possibly B I: Leaning towards OCSP, since it is the newer technology and is intended to replace CRL overall. However, it could still be Delta CRL; a Delta CRL is a supplemental list to the CRL that only contains the latest updates since the last full CRL was generated. Think of it as an incremental backup for a CRL. This will have the lowest power requirement, as it will still contain a list of all currently revoked certificates, without having to download the entire CRL, and without having to generate an OCSP query for every validity check. I'm gonna go with OCSP for now.
A security analyst is concerned that a malicious piece of code was downloaded on a Linux system. After some research, the analyst determines that the suspected piece of code is performing a lot of input/output (I/O) on the disk drive. Based on the output above, from which of the following process IDs can the analyst begin an investigation? A. 65 B. 77 C. 83 D. 87
Answer: C, 83 I: C is the only one doing a lot of reading from AND writing to the drive; look at the BI and BO columns. https://www.examtopics.com/discussions/comptia/view/71083-exam-cas-004-topic-1-question-59-discussion/
A shipping company that is trying to eliminate entire classes of threats is developing an SELinux policy to ensure its custom Android devices are used exclusively for package tracking. After compiling and implementing the policy, in which of the following modes must the company ensure the devices are configured to run? A. Protecting B. Permissive C. Enforcing D. Mandatory
Answer: C, Enforcing mode I: Enforcing mode is the default, and in this mode SELinux enforces the configured security policy throughout the whole system.
A high-severity vulnerability was found on a web application and introduced to the enterprise. The vulnerability could allow an unauthorized user to utilize an open-source library to view privileged user information. The enterprise is unwilling to accept the risk, but the developers cannot fix the issue right away. Which of the following should be implemented to reduce the risk to an acceptable level until the issue can be fixed? A. Scan the code with a static code analyzer, change privileged user passwords, and provide security training. B. Change privileged usernames, review the OS logs, and deploy hardware tokens. C. Implement MFA, review the application logs, and deploy a WAF. D. Deploy a VPN, configure an official open-source library repository, and perform a full application review for vulnerabilities.
Answer: C, implement MFA, review application logs, and deploy a WAF I: Implementing MFA can add an extra layer of security to protect against unauthorized access if the vulnerability is exploited. Reviewing the application logs can help identify if any attempts have been made to exploit the vulnerability, and deploying a WAF can help block any attempts to exploit the vulnerability. While the other options may provide some level of security, they may not directly address the vulnerability and may not reduce the risk to an acceptable level.
An organization is designing a network architecture that must meet the following requirements: Users will only be able to access predefined services. Each user will have a unique allow list defined for access. The system will construct one-to-one subject/object access paths dynamically. Which of the following architectural designs should the organization use to meet these requirements? A. Peer-to-peer secure communications enabled by mobile applications B. Proxied application data connections enabled by API gateways C. Microsegmentation enabled by software-defined networking D. VLANs enabled by network infrastructure devices
Answer: C, microsegmentation enabled by SDN
A company is migrating from company-owned phones to a BYOD strategy for mobile devices. The pilot program will start with the executive management team and be rolled out to the rest of the staff in phases. The company's Chief Financial Officer loses a phone multiple times a year. Which of the following will MOST likely secure the data on the lost device? A. Require a VPN to be active to access company data. B. Set up different profiles based on the person's risk. C. Remotely wipe the device. D. Require MFA to access company applications.
Answer: C, remote wipe I: The VPN and MFA options would help prevent an attacker who stole the phone from getting into the network, but only remote wipe would prevent the data already on the phone from being stolen AND prevent them from getting into the network... although this is kinda weird on a BYOD device.
A security engineer was auditing an organization's current software development practice and discovered that multiple open-source libraries were integrated into the organization's software. The organization currently performs SAST and DAST on the software it develops. Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries? A. Perform additional SAST/DAST on the open-source libraries. B. Implement the SDLC security guidelines. C. Track the library versions and monitor the CVE website for related vulnerabilities. D. Perform unit testing of the open-source libraries.
Answer: C, track library versions and monitor for related CVEs. I: DAST and SAST are Dynamic/Static Application Security Testing.
A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to a suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first? Conduct a Nessus scan of the FIREFLY server Conduct a data criticality and prioritization analysis Harden the DEV_SERVER7 server Logically isolate the PAYROLL_DB server from the production network
Conduct a data criticality and prioritization analysis
Dion Training selected an EAP implementation to use for authentication on their network. The company has decided to avoid using digital certificates on both the clients and the servers. Instead, the company will create a Protected Access Credential (PAC) based on the server's master key for each user. The client's PAC will be installed on each user's laptop before issuing the device to the user. Which of the following EAP implementations did the organization select? EAP-TLS PEAP EAP-TTLS EAP-FAST
EAP-FAST (Extensible Authentication Protocol with Flexible Authentication via Secure Tunneling) Creates a protected tunnel without using a digital certificate, and then passes the user's authentication credentials through the tunnel to the authentication server. Instead of a digital certificate, the client is issued a PAC (Protected Access Credential) based on the server's master key, but that PAC must be securely distributed to the client before they can use EAP-FAST.
Dion Training wants to set up remote access and authentication for its users utilizing EAP. Which EAP implementation should they utilize to allow for the establishment of an encrypted TLS tunnel between a client and a server using a public key certificate from both the client and server to allow for mutual authentication? EAP-FAST EAP-TLS PEAP EAP-TTLS
EAP-TLS EAP-TLS is the strongest form of EAP. It establishes an encrypted tunnel using BOTH the server and the client's public key certificates for mutual authentication. Remember that TLS is the most SECURE, because it has just "TLS" in the name, but EAP-TTLS is the most flexible.
Dion Training is determining which EAP implementation to use for authentication on their network. The company hasn't decided whether to use PAP, CHAP, or MS-CHAP for user authentication with a traditional username and password yet. The server will utilize a server-side public-key certificate that is used to create an encrypted tunnel between the supplicant (client) and the authentication server. To keep their user authentication available for any of the three options being considered, which of the following EAP implementations should the organization select? EAP-FAST EAP-TLS LEAP EAP-TTLS
EAP-TTLS EAP-TTLS uses the server-side certificate to establish a tunnel through which the user's credentials are transmitted to the authentication server. One important distinction, however, is that EAP-TTLS is very flexible and can use just about any inner authentication protocol, such as PAP, CHAP, MS-CHAP, and GTC, whereas PEAP can only use EAP-MSCHAP or EAP-GTC. Remember that it is the most flexible because it has the most letters in the name, I guess.
Dion Training is creating a new mobile application and needs to select an appropriate encryption algorithm to protect the user's data transmitted by the app to the company's remote servers. The company wants to choose an asymmetric encryption algorithm that supports fast key agreements and provides extremely high levels of security using only a 384-bit key. Which of the following encryption algorithms should be selected to meet these requirements? RSA ChaCha AES ECC
ECC (Elliptic Curve Cryptography) A public-key cryptography algorithm based on the algebraic structure of elliptic curves over finite fields. ECC allows for smaller key sizes compared to non-elliptic-curve cryptography methods, while still providing an equivalent level of security. ECC also supports very fast key agreements, and thus is used extensively in mobile devices and low-powered devices.
Jeff, a developer with the ACME corporation, is concerned about the impact of new malware on an ARM CPU. He knows that the malware can insert itself into another process's memory location. Which of the following technologies can the developer enable on the ARM architecture to prevent this type of malware?
Execute Never / No Execute (XN / NX) These are options enabled by Intel and AMD CPUs that prevent the execution of code in areas that are assigned for data storage; it is meant to make buffer overflows more difficult, and also to make it more difficult for malware to hide in memory locations allocated for the storage of other programs.
You are planning an engagement with a new client. The client wants your penetration testers to target their web and email servers that are hosted in a screened subnet and are accessible to visitors over the Internet. Which target type best describes these targets? First-party hosted External Third-party hosted Internal
External
You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests to block certain content types before they leave the network based on operational priorities. Which of the following solutions should you recommend to meet these requirements? Install a NIPS on the internal interface and a firewall on the external interface of the router Install a firewall on the router's internal interface and a NIDS on the router's external interface Installation of a NIPS on both the internal and external interfaces of the router Configure IP filtering on the internal and external interfaces of the router
Install a NIPS on the internal interface and a firewall on the external interface of the router
Which protocol relies on mutual authentication of the client and the server for its security? RADIUS LDAPS CHAP Two-factor authentication
LDAPS LDAP Secure, or Secure LDAP, uses a client-server model for mutual authentication.
Layers of Software-Defined Networking (SDN)
Management Plane: allows network administrators to oversee the network, monitor traffic conditions, network status, etc.
Application Layer: focuses on the communication resource requests or information about the network. Essentially, it receives and translates traffic requests, and passes the information to the control layer.
Control Layer: uses information from applications to make decisions about how to route traffic. In short, it takes the raw traffic information from the application layer and assesses how it should be routed, before passing it to the infrastructure layer. The key word is control, because it's the one that makes decisions about how to route traffic.
Infrastructure Layer: contains the physical networking devices that receive information from the control layer about where to move data, and then perform those movements; i.e., the physical routers and switches. Once the traffic has been sorted by the application layer and its routing assessed by the control layer, the infrastructure layer does the actual routing.
Dion Security Group is analyzing the encryption implementation of one of its customers. An analyst has discovered that they are using a mode of operation that creates a chain of encrypted blocks by using an initial chaining vector (ICV) during the first round of encryption and then combines the output of the previous rounds into the subsequent rounds to create a securely encrypted ciphertext result. Which of the following modes of operation is being used by the customer? Counter mode Galois/counter mode Output feedback Cipher block chaining
Output feedback Output Feedback (OFB) allows symmetric block ciphers to work with large sets of data by using an initial chaining vector (ICV) during the first round of encryption, and then combining the output of the previous rounds into subsequent rounds. It uses the feedback of the previous output to encrypt subsequent blocks.
Dion Training needs to implement EAP for authentication on its network. The users will utilize a traditional username and password using MS-CHAPv2 for authentication from the client. The server will utilize a server-side public key certificate that is used to create an encrypted tunnel between the supplicant (client) and the authentication server. Which of the following EAP implementations should the organization select to meet these requirements? EAP-TLS EAP-FAST LEAP PEAP
PEAP (Protected Extensible Authentication Protocol) Uses an encrypted TLS tunnel between the client and server, but only utilizes the server-side public key certificate, making it prone to password guessing and on-path attacks.
Which RAID configuration provides good speed and performance by using disk striping only, and requires at least two disks?
RAID 0
Which RAID configuration provides good redundancy by using only mirroring, and requires at least two disks?
RAID 1
Which party in a federation provides services to members of the federation? IdP SSO SAML RP
RP (Relying Party) This is the exact same thing as the SP; they provide the resource, and it's just the term OpenID uses for it because they decided to be different. The client requests a resource or service from the RP or SP, the RP/SP redirects them to the IdP to verify their identity, and once they are verified, they are directed back to the RP/SP to access the service they requested.
Eduardo is reviewing the security of Dion Training's website and is reviewing an error concerning their digital certificate. The error code states DLG_FLAGS_SEC_CERT_DATE_INVALID. Which of the following actions should Eduardo perform to fix this error? Request his current digital certificate be revoked and reissued Update his operating system to support modern cipher suites Request a new digital certificate from the certificate authority Update his web browser to support modern cipher suites
Request a new digital certificate The alert tells us that the certificate has expired, so he will need to request a new one. There is no need to request a revocation in this case, since the cert has already expired and thus is invalid. The only time you would need to request a revocation is if someone has stolen the certificate or it has otherwise been compromised.
Which of the following features of homomorphic encryption allows two parties to jointly evaluate a publicly known function without revealing their respective inputs?
Secure Function Evaluation Secure Function Evaluation (SFE) allows two parties to jointly evaluate a publicly known function without revealing their respective inputs. The keyword here is SECURE function evaluation, which evaluates a PUBLICLY KNOWN function.
Which of the following features of homomorphic encryption creates methods for parties to jointly compute a function over their inputs while keeping those inputs private? Private Function Evaluation Secure Function Evaluation Private Information Retrieval Secure Multi-Party Computation
Secure Multi-Party Computation Secure Multi-Party Computation creates methods for parties to jointly compute a function over their inputs while keeping those inputs private. The key word here is that it allows parties to COMPUTE a function, rather than EVALUATE an existing function, like private/secure function evaluation.
Which of the following authentication methods is an open-source solution for single sign-on across organizational boundaries on the web? Shibboleth Kerberos RADIUS TACACS+
Shibboleth Shibboleth is an open-source SSO project that allows any site to trust the credentials of users across other sites that are part of a federation. It uses the standard SAML transaction to authenticate users.
Developers are building sensitive references and account details into the application code. Security engineers need to ensure that the organization can secure the continuous integration/continuous delivery (CI/CD) pipeline. What would be the best choice? Perform dynamic application security testing. Use a centralized trusted secrets manager service. Use interactive application security testing. Ensure the developers are using version control.
Use a centralized trusted secrets manager service. Secrets Management broadly refers to the processes and controls in place to protect sensitive authentication information, such as passwords, keys, tokens, APIs, etc. While secrets management is a concept that applies across an enterprise, it is most often a term used in reference to the DevOps/DevSecOps process, or generally the software development process.
Which of the following functions is not provided by a TPM? Secure generation of cryptographic keys Binding Remote attestation User authentication Sealing Random number generation
User authentication User authentication is done within the operating system itself; the TPM can, however, provide binding (tying two elements together cryptographically, such as binding an identity and a key to create a digital certificate), remote attestation (verifying to a remote entity that the host can be trusted), sealing (I guess the process of wrapping a digitally signed document so that it can't be altered), random number generation to be used for cryptographic key generation, and the generation of those actual keys.