CompTIA Security+ (SY0-601) Practice Exam #4

Dion Training has a $15,000 server that has frequently been crashing. Over the past 12 months, the server has crashed 10 times, requiring the server to be rebooted to recover from the crash. Each time, this has resulted in a 5% loss of functionality or data. Based on this information, what is the Annual Loss Expectancy (ALE) for this server? $1,500 $15,000 $7,500 $2,500

$7,500 Explanation OBJ-5.4: To calculate the ALE, you need to multiple the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). The SLE is calculated by multiplying the Exposure Factor (EF) by the Asset Value (AV). Therefore, SLE = EF x AV, and ALE = SLE x ARO. For this scenario, the asset value is $15,000, the annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To calculate the SLE, SLE = 0.05 x $15,000 = $750. Therefore, the ALE = SLE x ARO = $750 x 10 = $7,500.

Your firewall is blocking outbound email traffic that is attempting to be sent. Which port should you verify is set to ALLOW in the firewall to ensure your emails are being sent? 80 25 22 143

25 Explanation OBJ-3.1: The simple mail transfer protocol (SMTP) is the protocol used to send mail between hosts on the Internet using TCP port 25. Port 25 must be set to OPEN or ALLOW in the firewall for SMTP (Sendmail transfer protocol) to function properly. Secure shell (SSH) is the protocol used for remote administration and file copying using TCP port 22. SSH is considered secure since it uses authenticated and encrypted sessions for communication. Secure shell (SSH) is the protocol used for remote administration and file copying using TCP port 22. SSH is considered secure since it uses authenticated and encrypted sessions for communication. The internet message access protocol (IMAP) is a TCP/IP application protocol that provides a means for a client to access email messages stored in a mailbox on a remote server using TCP port number 143. Unlike POP3, messages persist on the server after the client has downloaded them. IMAP also supports mailbox management functions, such as creating subfolders and access to the same mailbox by more than one client at the same time.

Which of the following cryptographic algorithms is classified as symmetric? 3DES PGP ECC RSA

3DES Explanation OBJ-2.8: Triple DES (3DES) is a symmetric-key block cipher that applies the DES cipher algorithm three times to each data block to increase its security over DES. RSA, PGP, and ECC are all asymmetric algorithms.

Dion Training just installed a new webserver within a screened subnet. You have been asked to open up the port for secure web browsing on the firewall. Which port should you set as open to allow users to access this new server? 80 443 21 143

443 Explanation OBJ-3.1: The hypertext transfer protocol secure (HTTPS) is a secure protocol used to provide web content to browsers using SSL/TLS encryption over port 443. The hypertext transfer protocol (HTTP) is a protocol used to provide web content to browsers using port 80. The hypertext transfer protocol (HTTP) is a protocol used to provide web content to browsers using port 80. The file transfer protocol (FTP) is the protocol used to transfer files across the internet over ports 20 and 21.

(Sample Simulation - On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.) Using the image provided, place the port numbers in the correct order with their associated protocols. 25, 80, 53, 69 69, 25, 80, 53 53, 69, 25, 80 80, 53, 69, 25

69, 25, 80, 53 Explanation OBJ-3.1: For the exam, you need to know your ports and protocols. The Trivial File Transfer Protocol (TFTP) uses port 69. The Simple Mail Transfer Protocol (SMTP) uses port 25. The Hypertext Transfer Protocol (HTTP) uses port 80. The Domain Name Service (DNS) protocol uses port 53.

What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+? 802.11ac 802.3af 802.1x 802.1q

802.1x Explanation OBJ-3.8: If you are using RADIUS/TACACS+ with the switch, you will need to use 802.1x for the protocol. The IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. This defines port security. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server.

Which of the following tools could be used to detect unexpected output from an application being managed or monitored? A log analysis tool A behavior-based analysis tool A signature-based detection tool Manual analysis

A behavior-based analysis tool Explanation OBJ-3.3: A behavior-based analysis tool can capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to set up properly, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.

Which of the following access control methods provides the most detailed and explicit type of access control over a resource? ABAC RBAC DAC MAC

ABAC Explanation OBJ-3.8: Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes. Information such as the group membership, the OS being used by the user, and even the machine's IP address could be considered when granting or denying access.

What role does the red team perform during a tabletop exercise (TTX)? Network defender System administrator Cybersecurity analyst Adversary

Adversary Explanation OBJ-1.8: The red team acts as the adversary, attempting to penetrate the network or exploit it as a rogue internal attacker. The red team might select members of in-house security staff, a third-party company, or a consultant contracted to perform the role. The blue team operates the security system with a focus on detecting and repelling the red team. The blue team usually consists of system administrators, cybersecurity analysts, and network defenders.

What information should be recorded on a chain of custody form during a forensic investigation? Any individual who worked with evidence during the investigation The list of former owners/operators of the workstation involved in the investigation The list of individuals who made contact with files leading to the investigation The law enforcement agent who was first on the scene

Any individual who worked with evidence during the investigation Explanation OBJ-4.5: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization's procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn't collect the evidence). The other options presented by the question are all good pieces of information to record in your notes, but it is not required to be on the chain of custody form.

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? Heuristic Anomaly Trend Behavior

Behavior Explanation OBJ-1.7: This is an example of behavior-based detection. Behavior-based detection (or statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device. Anything that deviates from this baseline (outside a defined level of tolerance) generates an alert. The heuristic analysis determines whether several observed data points constitute an indicator and whether related indicators make up an incident depending on a good understanding of the relationship between the observed indicators. Human analysts are typically good at interpreting context but work painfully slowly, in computer terms, and cannot hope to cope with the sheer volume of data and traffic generated by a typical network. Anomaly analysis is the process of defining an expected outcome or pattern to events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules. Trend analysis is not used for detection but instead to better understand capacity and the system's normal baseline. Behavioral-based detection differs from anomaly-based detection. Behavioral-based detection records expected patterns concerning the entity being monitored (in this case, user logins). Anomaly-based detection prescribes the baseline for expected patterns based on its observation of what normal looks like.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and drag and drop them into place next to the correct term.) How would you appropriately categorize the authentication method displayed here? Multifactor authentication PAP authentication Biometric authentication One-time password authentication

Biometric authentication Explanation OBJ-2.4: For the exam, you need to know the different authentication categories and what type of authentication methods belong to each category. A fingerprint scan is a type of biometric authentication. Biometric authentications include any authentication system that relies on a person's physical characteristics for authentication.

Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent? Spoofing On-path attack Privilege escalation Brute force attack

Brute force attack Explanation OBJ-1.2: Since the policy will lock out the student for 15 minutes between attempts, it is a valid mitigation technique against a brute force attack. By extending the waiting period, the attacker's brute force attempts are less effective. A brute force attack is a type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords. An on-path attack is an attack where the threat actor makes an independent connection between two victims and can read, and possibly modify traffic. A privilege escalation is a practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application. Spoofing is a type of attack that disguises a communication from an unknown source as being from a known, trusted source. Spoofing can occur using different methods, such as MAC spoofing, IP spoofing, call spoofing, and others.

Which of the following is required for evidence to be admissible in a court of law? Chain of custody Order of volatility Legal hold Right to audit

Chain of custody Explanation OBJ-4.4: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization's procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. A legal hold is a process that an organization uses to preserve all forms of potentially relevant information when litigation is pending or reasonably anticipated. A right to audit is a clause in a contract or service agreement that allows a company the authority to audit the systems and information processed. Order of volatility refers to the order in which you should collect evidence.

During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords? Birthday attack Brute force attack Cognitive password attack Rainbow table attack

Cognitive password attack Explanation OBJ-1.2: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this password type can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin's email account was hacked because a high schooler used the "reset my password" feature on Yahoo's email service to reset her password using the information that was publically available about Sarah Palin (like her birthday, high school, and other such information).

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first? Logically isolate the PAYROLL_DB server from the production network Conduct a Nessus scan of the FIREFLY server Hardening the DEV_SERVER7 server Conduct a data criticality and prioritization analysis

Conduct a data criticality and prioritization analysis Explanation OBJ-5.4: While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and DION, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn't contain their credit card processing systems that would be a more lucrative target for APT 38 than the PAYROLL_DB. The suggestions of hardening, logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don't know which data they should focus on protecting or where the attacker is currently.

Fail to Pass Systems has just become the latest victim in a large-scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Fail to Pass Systems in handling this data breach? Conduct notification to all affected customers within 72 hours of the discovery of the breach Purchase a cyber insurance policy, alter the date of the incident in the log files, and file an insurance claim Conduct a 'hack-back' of the attacker to retrieve the stolen information Provide a statement to the press that minimizes the scope of the breach

Conduct notification to all affected customers within 72 hours of the discovery of the breach Explanation OBJ-1.6: Generally speaking, most laws require notification within 72 hours, such as the GDPR. All other options are either unethical, constitute insurance fraud, or are illegal. Conducting a hack-back is considered illegal, and once data has been taken, it is nearly impossible to steal it back as the attacker probably has a backup of it. Providing an incorrect statement to the press is unethical, and if your company is caught lying about the extent of the breach, it could further hurt your reputation. Purchasing a cyber insurance policy and altering the log file dates to make it look like the attack occurred after buying the policy would be insurance fraud. This is unethical and illegal.

Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly? Continuous deployment Continuous integration Continuous monitoring Continuous delivery

Continuous deployment Explanation OBJ-2.3: Continuous deployment is a software development method in which app and platform updates are committed to production rapidly. Continuous delivery is a software development method in which app and platform requirements are frequently tested and validated for immediate availability. Continuous integration is a software development method in which code updates are tested and committed to development or build server/code repositories rapidly. Continuous monitoring is the technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon. While continuous deployment and continuous delivery sound very similar, there is one key difference. In continuous delivery, a human is still required to approve the release into the production environment. In continuous deployment, the test and release process into the production environment is automated, making the changes available for immediate release once the code is committed.

Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation? Encrypt the image file to ensure it maintains data integrity Encrypt the source drive to ensure an attacker cannot modify its contents Create a hash digest of the source drive and the image file to ensure they match Digitally sign the image file to provide non-repudiation of the collection

Create a hash digest of the source drive and the image file to ensure they match Explanation OBJ-4.5: The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from it. When comparing hash values, you need to use the same algorithm used to create the reference value. While encrypting the image files is a good security practice to maintain the data's confidentiality, it does not provide data integrity like a hash digest does. Once imaged, the source drive should not be altered or encrypted. Digitally signing the image file could serve the function of non-repudiation, but it is an uncommon practice and not required to be performed.

Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct? Internal scan Non-credentialed scan External scan Credentialed scan

Credentialed scan Explanation OBJ-1.7: Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results. A non-credentialed scan relies on external resources for configuration settings that can be altered or incorrect. The scanner's network location does not directly impact the ability to read the configuration information, so it would not make a difference if you conducted an external or internal scan.

Your company recently suffered a small data breach caused by an employee emailing themselves a copy of the current customer's names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data? Firewall MDM DLP Strong passwords

DLP Explanation OBJ-2.1: Data loss prevention software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in-motion (network traffic), and at rest (data storage). Since the user was an authorized user (employee), changing your password policy, reconfiguring the firewall, or setting up an MDM solution would not solve this problem. Instead, a DLP solution must be implemented.

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected? SOX GLBA HIPAA COSO

HIPAA Explanation OBJ-5.2: The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be followed in the United States. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) guides governance-related topics, including fraud, controls, finance, and ethics. COSO's ERM-integrated framework defines risk, and related common terminology lists key components of risk management strategies and supplies direction and criteria for enhancing risk management practices.

What should administrators perform to reduce a system's attack surface and remove unnecessary software, services, and insecure configuration settings? Stealthing Hardening Harvesting Windowing

Hardening Explanation OBJ-3.2: Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, removing unnecessary software, unnecessary usernames or logins, and disabling or removing unnecessary services. Windows is the use of windows for the simultaneous display of more than one item on a screen. Harvesting is the process of gathering data, normally user credentials. Stealthing is a made-up term in this question.

When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis? Hardware write blocker Degausser Forensic drive duplicator Software write blocker

Hardware write blocker Explanation OBJ-2.7: Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive's contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker's primary purpose is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device. A forensic drive duplicator copies a drive and validates that it matches the original drive but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the hard drive contents.

Barbara received a phone call from a colleague asking why she sent him an email with lewd and unusual content. Barbara doesn't remember sending the email to the colleague. What is Barbara MOST likely the victim of? Ransomware Phishing Spear phishing Hijacked email

Hijacked email Explanation OBJ-1.1: Barbara is MOST likely the victim of hijacked email. Hijacked email occurs when someone takes over your email account and sends out messages on your behalf. Hijacked email can occur after a system is taken over by an attacker. The victim usually finds out about it when someone asks about an email the victim sent them, or the victim sees an automated out-of-office reply from one of the recipients of the victim's emails. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people. Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received.

Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed: Linux:~ diontraining$ ./CrackPWD.py Password cracking in progress... Passwords found for 4 users: 1) jason:rover123 2) tamera:Purple6! 3) sahra: 123Password 4) tim:cupcakes2 Based on the output, what type of password cracking method does Jason's new tool utilize? Brute force attack Dictionary attack Rainbow attack Hybrid attack

Hybrid attack Explanation OBJ-1.2: Based on the passwords found in the example, Jason's new password cracker is most likely using a hybrid approach. All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason's password of rover123 is made up of the dictionary word "rover" and the number 123. The cracker likely attempted to use a dictionary word (like rover) and the attempted variations on it using brute force (such as adding 000, 001, 002, ...122, 123) to the end of the password until found. Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.

You are trying to select the best device to install to detect an outside attacker trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select? IPS IDS Proxy server Authentication server

IDS Explanation OBJ-3.3: An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can stop malicious activity or policy violations, an IDS can only log these issues and not stop them. An intrusion prevention system (IPS) conducts the same functions as an IDS but can also block or take actions against malicious events. An authentication, authorization, and accounting (AAA) server is a server used to identify (authenticate), approve (authorize), and keep track of (account for) users and their actions. AAA servers can also be classified based on the protocol they use, such as a RADIUS server or TACACS+ server. A proxy server is a server that acts as an intermediary between a client requesting a resource and the server that provides that resource. A proxy server can be used to filter content and websites from reaching a user.

You are trying to select the best device to install to proactively stop outside attackers from reaching your internal network. Which of the following devices would be the BEST for you to select? Syslog server Proxy server IDS IPS

IPS Explanation OBJ-3.3: An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents, and capturing information about them. An IPS can block malicious network traffic, unlike an IDS, which can only log them. A proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. System Logging Protocol (Syslog) uses port 514 and is a way network devices can use a standard message format to communicate with a logging server. It was designed specifically to make it easy to monitor network devices. Devices can use a Syslog agent to send out notification messages under a wide range of specific conditions.

Which role validates the user's identity when using SAML for authentication? SP IdP RP User agent

IdP Explanation OBJ-3.8: The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

You have been hired as a consultant to help Dion Training develop a new disaster recovery plan. Dion Training has recently grown in the number of employees and information systems infrastructure used to support its employees. Unfortunately, Dion Training does not currently have any documentation, policies, or procedures for its student and faculty networks. What is the first action you should take to assist them in developing a disaster recovery plan? Develop a data retention policy Conduct a vulnerability scan Identify the organization's assets Conduct a risk assessment

Identify the organization's assets Explanation OBJ-4.2: The first step to developing an effective disaster recovery plan is to identify the assets. The organization must understand exactly what assets they own and operate. Once identified, you can then determine what assets and services are essential to business operations, what risks are facing them, and how best to recovery in the event of a disaster. To best understand the organization's risks, they will undertake an organization-wide risk assessment and conduct a vulnerability scan of its assets.

An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future? Enable WPA2 security on the open wireless network Enable NAC on the open wireless network Implement a VLAN to separate the HVAC control system from the open wireless network Install an IDS to protect the HVAC system

Implement a VLAN to separate the HVAC control system from the open wireless network Explanation OBJ-1.5: A VLAN is useful to segment out network traffic to various parts of the network and stop someone from the open wireless network from logging to the HVAC controls. By utilizing NAC, each machine connected to the open wireless network could be checked for compliance and determine if it is a 'known' machine, but they would still be given access to the entire network. Also, since this is a publicly usable network, using NAC could prevent users from accessing all the network features. An IDS would be a good solution to detect the attempted logins, but it won't prevent them. Instead, an IPS would be required to prevent logins.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs: BEGIN LOG https://test.diontraining.com/profile.php?userid=1546 https://test.diontraining.com/profile.php?userid=5482 https://test.diontraining.com/profile.php?userid=3618 END LOG What type of vulnerability does this website have? Weak or default configurations Race condition Insecure direct object reference Improper error handling

Insecure direct object reference Explanation OBJ-1.3: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user's profile page in this scenario. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system's potential flaws.

Which type of threat actor can accidentally or inadvertently cause a security incident in your organization? Organized Crime Insider threat Hacktivist APT

Insider threat Explanation OBJ-1.5: An insider threat is a type of threat actor assigned privileges on the system that cause an intentional or unintentional incident. Insider threats can be used as unwitting pawns of external organizations or make crucial mistakes that can open up exploitable security vulnerabilities. Hacktivists, Organized Crimes, and advanced persistent threats (APT) entities do not accidentally or unwittingly target organizations. Instead, their actions are deliberate. A hacktivist is an attacker that is motivated by a social issue or political cause. Organized crime is a type of threat actor that uses hacking and computer fraud for commercial gain. An advanced persistent threat (APT) is a type of threat actor that can obtain, maintain, and diversify access to network systems using exploits and malware.

Which of the following biometric authentication factors relies on matching patterns on the eye's surface using near-infrared imaging? Facial recognition Iris scan Retinal scan Pupil dilation

Iris scan Explanation OBJ-2.4: Iris scans rely on the matching of patterns on the surface of the eye using near-infrared imaging, and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance) and much quicker. Iris scanners offer a similar level of accuracy as retinal scanners but are much less likely to be affected by diseases. Iris scanning is the technology most likely to be rolled out for high-volume applications, such as airport security. There is a chance that an iris scanner could be fooled by a high-resolution photo of someone's eye.

What is the biggest disadvantage of using single sign-on (SSO) for authentication? The identity provider issues the authorization Systems must be configured to utilize the federation It introduces a single point of failure Users need to authenticate with each server as they log on

It introduces a single point of failure Explanation OBJ-5.4: Single sign-on is convenient for users since they only need to remember one set of credentials. Unfortunately, single sign-on also introduces a single point of failure. If the identity provider is offline, then the user cannot log in to any of the resources they may wish to utilize across the web. Additionally, if the single sign-on is compromised, the attacker now has access to every site that the user would have access to using the single set of credentials.

Which protocol relies on mutual authentication of the client and the server for its security? CHAP Two-factor authentication RADIUS LDAPS

LDAPS Explanation OBJ-3.1: The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable access to a directory of resources (workstations, users, information, etc.). TLS provides mutual authentication between clients and servers. Since Secure LDAP (LDAPS) uses TLS, it provides mutual authentication.

Dion Training is building a new data center. The group designing the facility has decided to provide additional HVAC capacity to ensure the data center maintains a consistently low temperature. Which of the following is the most likely benefit that will be achieved by increasing the designed HVAC capacity? Increase the availability of network services due to higher throughput Longer MTBF of hardware due to lower operating temperatures Longer UPS run time due to increased airflow Higher data integrity due to more efficient SSD cooling

Longer MTBF of hardware due to lower operating temperatures Explanation OBJ-5.4: The mean time between failure (MTBF) is the measure of the anticipated rate of failure for a system or component. This is effectively a measurement of the component's expected lifespan. If the HVAC capacity is increased, the server room can maintain a cooler temperature range. Datacenters produce a lot of heat from the equipment being operated. Excessive heat can damage components and cause premature hardware failure. Therefore, increasing the HVAC capacity and airflow can lead to longer lifespans for servers and networking equipment.

Dion Training has an open wireless network called "InstructorDemos" for its instructors to use during class, but they do not want any students connecting to this wireless network. The instructors need the "InstructorDemos" network to remain open since some of their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the following configuration settings should you use to satisfy the instructor's requirements and prevent students from using the "InstructorDemos" network? MAC filtering NAT Signal strength QoS

MAC filtering Explanation OBJ-3.4: Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same devices to connect to the network, it would be relatively easy to implement a MAC filtering based on the list of devices that are allowed to use the open network and reject any other devices not listed by the instructors (like the student's laptops or phones). Reducing the signal strength would not solve this issue since students and instructors are in the same classrooms. Using Network Address Translation and Quality of Service will not prevent the students from accessing or using the open network.

You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? Unauthorized sessions Off-hours usage Malicious processes Failed logins

Malicious processes Explanation OBJ-4.3: A malicious process is any process running on a system that is outside the norm. This is a host-based indicator of compromise (IOC) and not directly associated with an account-based IOC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IOC. Off-hours usage occurs when an account is observed to log in during periods outside of normal business hours. An attacker often uses this to avoid detection during business hours. Unauthorized sessions occur when a device or service is accessed without authorization. For example, if a limited privilege user is signed into a domain controlled. A failed login might be normal if a user forgets or incorrectly types their password, but repeated failures for one account could also be an indication of an attack attempting to crack a user's password.

Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the operating system can load itself? Measured boot Advanced anti-malware Master Boot Record analytics Startup Control

Measured boot Explanation OBJ-3.2: Measured boot is a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server. Master boot record analysis is used to capture the hard disk's required information to support a forensic investigation. It would not detect malware during the system's boot-up process. Startup control would be used to determine which programs will be loaded when the operating system is initially booted, but this would be too late to detect malware loaded during the pre-startup and boot process. Advanced anti-malware solutions are programs that are loaded within the operating system. Therefore, they are loaded too late in the startup process to be effective against malicious boot sector viruses and other BIOS/UEFI malware variants.

When you are managing a risk, what is considered an acceptable option? Deny Mitigate Initiate Reject

Mitigate Explanation OBJ-5.4: Mitigating a risk makes the effect of a risk a little less unpleasant, harmful, or serious. The majority of risk management is focused on mitigating risks down to an acceptable level of loss or risk. The risk response actions are accept, avoid, mitigate, or transfer.

What is a legal contract outlining the confidential material or information that will be shared by the pentester and the organization during an assessment? MSA SLA SOW NDA

NDA Explanation OBJ-5.3: This is the definition of a non-disclosure agreement (NDA). There may be two NDAs in use: One from the organization to the pentester and another from the pentester to the organization. The Statement of Work (SOW) is a formal document stating what will and will not be performed during a penetration test. It should also contain the assessment's size and scope and a list of the assessment's objectives. A master service agreement (MSA) is a contract reached between parties, in which the parties agree to most of the terms that will govern future transactions or future agreements. The MSA is used when a pentester will be on retainer for a multi-year contract, and an individual SOW will be issued for each assessment to define the individual scopes for each one. A service level agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including reasons the contract may be terminated.

Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts? Notification to Visa and Mastercard Notification to your credit card processor Notification to local law enforcement Notification to federal law enforcement

Notification to your credit card processor Explanation OBJ-4.5: Any organization that processes a credit card will be required to work with their credit card processor instead of working directly with the card issuers (Visa and Mastercard). Conducting notification to your bank or credit card processor is one of the first steps in the incident response effort for a breach of this type of data. Typically, law enforcement does not have to be notified of a data breach at a commercial organization.

An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system? Pass the hash Golden ticket Pivoting Lateral movement

Pass the hash Explanation OBJ-1.3: Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.

(Sample Simulation - On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.) What is the correct order of the Incident Response process? Containment, Eradication, Identification, Lessons learned, Preparation, and Recovery Lessons Learned, Recovery, Preparation, Identification, Containment, and Eradication Identification, Containment, Eradication, Preparation, Recovery, and Lessons Learned Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned

Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned Explanation OBJ-4.2: The proper order of the Incident Response process is Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Concepts with lists of steps are common questions asked as an ordering or a drag and drop question on the exam. For example, the steps of incident response, the order of volatility, or the strength of encryption schemes could be asked using this question format.

Samantha works in the human resource department in an open floorplan office. She is concerned about the possibility of someone conducting shoulder surfing to read sensitive information from employee files while accessing them on her computer. Which of the following physical security measures should she implement to protect against this threat? Privacy screen Badge reader Biometric lock Hardware token

Privacy screen Explanation OBJ-1.1: A privacy screen is a filter placed on a monitor to decrease the viewing angle of a monitor. This prevents the monitor from being viewed from the side and can help prevent shoulder surfing. The standard type of anti-glare filter consists of a coating that reduces the reflection from a glass or plastic surface. A biometric lock is any lock that can be activated by biometric features, such as a fingerprint, voiceprint, or retina scan. Biometric locks make it more difficult for someone to counterfeit the key used to open the lock or a user's account. A smart card is a form of hardware token. A smart card, chip card, or integrated circuit card is a physical, electronic authorization device used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit chip. In high-security environments, employee badges may contain a smart card embedded chip that must be inserted into a smart card reader to log in or access information on the system. A badge reader is used to read an employee's identification badge using a magnetic stripe, barcode, or embedded RFID chip.

Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach? Protected health information Trade secret information Personally identifiable information Credit card information

Protected health information Explanation OBJ-4.5: Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPAA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.

Dion Training is concerned with students entering the server room without permission. To prevent this from occurring, the organization wants to purchase and install an access control system that will allow each instructor to have access using an RFID device. Which of the following authentication mechanisms should Dion Training use to meet this requirement? CCTV Access control vestibule Proximity badge Biometric reader

Proximity badge Explanation OBJ-2.7: The best option is to use a proximity badge. This type of badge embeds an RFID chip into the card or badge. When an authorized user swipes their card or badge over the reader, it sends an RF signal that uniquely identifies the card's holder or badge. While some of the other options presented could be used for authentication (such as biometrics), these options do not use an RFID as stated in the requirements. Closed-circuit television is a type of video surveillance where video cameras transmit a signal to a specific place using a limited set of monitors. An access control vestibule is a physical security access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens. Biometrics are identifying features stored as digital data that can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition. This requires a relevant scanning device, such as a fingerprint reader, and a database of biometric information for authentication to occur.

You have been asked to develop a solution for one of your customers. The customer is a software development company, and they need to be able to test a wide variety of operating systems to test the software applications their company is developing internally. The company doesn't want to buy a bunch of computers to install all of these operating systems for testing. Which of the following solutions would BEST meet the company's requirements? Purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed Purchase multiple workstations, install a VM on each one, then install one operating system that will be used to test the applications being developed in each VM Purchase multiple inexpensive workstations and install one operating system that will be used to test the applications being developed on each workstation Purchase one computer, install an operating system on it, create an image of the system, then reformat it, install the next operating system, create another image, and reimage the machine each time you need to test a different application

Purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed Explanation OBJ-2.2: Since the company's main goal was to minimize the amount of hardware required, the BEST solution is to purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed. This allows a single machine to run multiple operating systems for testing with the least amount of hardware.

Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the following is the MOST likely cause of the issue? RADIUS CSMA/CA WPA2 security key SSL certificates

RADIUS Explanation OBJ-3.8: Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication. The IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. This defines port security. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server. The Remote Authentication Dial-in User Service (RADIUS) is used to manage remote and wireless authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The client device then passes the authentication data to an AAA (Authentication, Authorization, and Accounting) server that processes the request. Secure Sockets Layer (SSL) is a security protocol developed by Netscape to provide privacy and authentication over the Internet. SSL is application independent that works at layer 5 [Session] and can be used with a variety of protocols, such as HTTP or FTP. Client and server set up a secure connection through PKI (X.509) certificates. Carrier-sense multiple access with collision avoidance (CSMA/CA) is a network multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by beginning transmission only after the channel is sensed to be idle. CSMA/CA occurs in the background when communicating with a wireless access point and would not prevent the user from authenticating to the captive portal. A WPA2 security key is a preshared password used to authenticate and connect to a wireless access point. If the user connected to the SSID, then the WPA2 security key was valid.

Which of the following hashing algorithms results in a 160-bit fixed output? SHA-2 RIPEMD NTLM MD-5

RIPEMD Explanation OBJ-2.8: RIPEMD creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

Which party in a federation provides services to members of the federation? SSO SAML RP IdP

RP Explanation OBJ-2.4: Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties between an identity provider and a service provider (SP) or a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.

Which of the following terms is used to describe the timeframe following a disaster that an individual IT system may remain offline? RPO MTTR RTO MTBF

RTO Explanation OBJ-5.4: Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired. Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation.

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reading the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit? Dereferencing Sensitive data exposure Race condition Broken authentication

Race condition Explanation OBJ-1.6: Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker's exploit is racing to modify the configuration file before the application reads the number of lives from it. Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls. Broken authentication refers to an app that fails to deny access to malicious actors. Dereferencing attempts to access a pointer that references an object at a particular memory location.

Dion Training is concerned with the possibility of employees accessing another user's workstation in secured areas without their permission. Which of the following would BEST be able to prevent this from happening? Require a username and a password for user logins Require biometric identification for user logins Install security cameras in secure areas to monitor logins Enforce a policy that requires passwords to be changed every 30 days

Require biometric identification for user logins Explanation OBJ-2.4: The BEST choice is to implement biometric identification for user logins, such as a fingerprint reader or a retina scanner. This would ensure that even if an employee could discover another employee's username and password, they would be prevented from logging into the workstation without the employee's finger or eye to scan. Enforcing short password retention can limit the possible damage when a password is disclosed, but it won't prevent a login during the valid period. Security cameras may act as a deterrent or detective control, but they cannot prevent an employee from logging into the workstation as another employee. Security cameras could be used to determine who logged in after the fact, though.

Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach? Require data masking for any information stored in the database Require data at rest encryption on all endpoints Require a VPN to be utilized for all telework employees Require all new employees to sign an NDA

Require data at rest encryption on all endpoints Explanation OBJ-2.1: The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen. While requiring a VPN for all telework employees is a good idea, it would not have prevented this data breach since the laptop's loss caused it. Even if a VPN had been used, the same data breach would still have occurred if the employee copied the database to the machine. Remember on exam day that many options are good security practices, but you must select the option that solves the issue or problem in the question being asked. Similarly, data masking and NDAs are useful techniques, but they would not have solved this particular data breach.

You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the criticality of a system to the organization's operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system? Scope the scan based on IP subnets Review the asset inventory and BCP Ask the CEO for a list of the critical systems Conduct a nmap scan of the network to determine the OS of each system

Review the asset inventory and BCP Explanation OBJ-4.2: To best understand a system's criticality, you should review the asset inventory and the BCP. Most organizations classify each asset in its inventory based on its criticality to the organization's operations. This helps to determine how many spare parts to have, the warranty requirements, service agreements, and other key factors to help keep these assets online and running at all times. Additionally, you can review the business continuity plan (BCP) since this will provide the organization's plan for continuing business operations in the event of a disaster or other outage. Generally, the systems or operations listed in a BCP are the most critical ones to support business operations. While the CEO may be able to provide a list of the most critical systems in a large organization, it isn't easy to get them to take the time to do it, even if they did know the answer. Worse, in most large organizations, the CEO isn't going to know what systems he relies on, but instead just the business functions they serve, again making this a bad choice. While conducting a nmap scan may help you determine what OS is being run on each system, this information doesn't help you determine criticality to operations. The same is true of using IP subnets since a list of subnets by itself doesn't provide criticality or prioritization of the assets.

Which of the following hashing algorithms results in a 256-bit fixed output? SHA-2 NTLM SHA-1 MD-5

SHA-2 Explanation OBJ-2.8: SHA-2 creates a 256-bit fixed output. SHA-1 creates a 160-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

Your organization has been receiving many phishing emails recently, and you are trying to determine why they are effective in getting your users to click on their links. The latest email consists of what looks like an advertisement that is offering an exclusive early access opportunity to buy a new iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social engineering principle is being exploited here? Familiarity Intimidation Trust Scarcity

Scarcity Explanation OBJ-1.1: Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as "supplies are limited," "only available for the next 4 hours", and other such artificial limitations being used. Familiarity is a social engineering technique that relies on assuming a widely known organization's persona. For example, in the United States, nearly 25% of Americans have a Bank of America account. For this reason, phishing campaigns often include emails pretending to be from Bank of America since 1 in 4 people who receive the email in the United States are likely to have an account. This makes them familiar with the bank name and is more likely to click on the email link.

What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network? Social engineering Application security testing Network sniffing Vulnerability scanning

Social engineering Explanation OBJ-5.3: Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, utilizing social engineering techniques such as phishing or pharming can help you determine if additional end-user security training should be included in the organization. The other three options focus solely on technical controls. Therefore adding end-user training would not affect these technology options.

Which of the following is not considered an authentication factor? Something you know Something you are Something you have Something you want

Something you want Explanation OBJ-2.4: The five factors of authentication are knowledge, possession, biometric, action, and location. This is also known as 'something you know,' 'something you have,' 'something you are,' 'something you do,' and 'somewhere you are.'

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization? Pharming Phishing Vishing Hoax Spear phishing

Spear phishing Explanation OBJ-1.1: Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. The key to answering this question is that the attack was focused on a targeted set of people, not just an indiscriminate large group of random people.

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? CHAP RADIUS TACACS+ Kerberos

TACACS+ Explanation OBJ-3.8: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.

An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue? The attachment is using a double file extension to mask its identity The user doesn't have a PDF reader installed on their computer The file contains an embedded link to a malicious website The email is a form of spam and should be deleted

The attachment is using a double file extension to mask its identity Explanation OBJ-1.1: The message contains a file attachment hoping that the user will execute or open it. The attachment's nature might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black popup window that appears and then disappeared, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.

You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark: Based on your review, what does this scan indicate? 173.12.15.23 might be infected with malware 192.168.3.145 might be infected with malware 173.12.15.23 might be infected and beaconing to a C2 server 192.168.3.145 might be infected and beaconing to a C2 server This appears to be normal network traffic

This appears to be normal network traffic Explanation OBJ-4.1: This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host's firewall since it is not running those services on the host. None of this network traffic appears to be suspicious.

Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database? Data masking Anonymization Tokenization Data minimization

Tokenization Explanation OBJ-5.5: Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with x, for example. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? Use data masking Use full-disk encryption Zero-wipe drives before moving systems Span multiple virtual disks to fragment data

Use full-disk encryption Explanation OBJ-2.2: To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider. Using a zero wipe is typically impossible because VM systems may move without user intervention during scaling and elasticity operations. Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with "x," for example. Data masking will not prevent your corporate data from being exposed by data remanence. Spanning multiple disks will leave the data accessible, even though it would be fragmented, and would make the data remanence problem worse overall.

Which of the following functions is not provided by a TPM? Random number generation Remote attestation Secure generation of cryptographic keys User authentication Sealing Binding

User authentication Explanation OBJ-3.2: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.

You have been investigating how a malicious actor could exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that a rootkit's installation had modified the web server's BIOS. After removing the rootkit and reflashing the BIOS to a known good image, what should you do to prevent the malicious actor from affecting the BIOS again? Utilize secure boot Install an anti-malware application Install a host-based IDS Utilize file integrity monitoring

Utilize secure boot Explanation OBJ-3.2: Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that the OS vendor has digitally signed it. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.

Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted? VDI VPN VPC UEBA

VDI Explanation OBJ-3.5: Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from a user's physical computer. Virtual private cloud (VPC) is a private network segment made available to a single cloud consumer on a public cloud. A virtual private network (VPN) is a secure tunnel created between two endpoints connected via an insecure network, typically the internet. User and entity behavior analytics (UEBA) is a system that can provide automated identification of suspicious activity by user accounts and computer hosts.

You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal? WPA2 VPN VLAN MAC filtering

VLAN Explanation OBJ-3.3: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevent communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and separates the two virtual network's data. A virtual private network (VPN) is a remote access capability to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.

Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? VM migration VM data remnant VM escape VM sprawl

VM escape Explanation OBJ-2.2: Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker can access a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines. Data remnant is the residual representation of digital data that remains even after attempts have been made to remove or erase it. Virtualization sprawl is a phenomenon that occurs when the number of virtual machines on a network reaches a point where the administrator can no longer manage them effectively. Virtual machine migration is the task of moving a virtual machine from one physical hardware environment to another.

Which of the following must be combined with a threat to create risk? Vulnerability Exploit Mitigation Malicious actor

Vulnerability Explanation OBJ-1.6: A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization's security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization's security goals. A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for threats and vulnerabilities since their goals lie outside your organization's security goals.

Which of the following is the LEAST secure wireless security and encryption protocol? WPA WPA3 WPA2 WEP

WEP Explanation OBJ-3.4: Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications that was designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access version 3 (WPA3) has replaced WPA2 as the most secure wireless encryption method. WPA3 uses the simultaneous authentication of equals (SAE) to increase the security of preshared keys. WPA3 provides the enhanced open mode that encrypts transmissions from a client to the access point when using an open network. WPA3 Enterprise mode supports the use of AES with the Galois/counter mode protocol (GCMP-256) for the highest levels of encryption.

You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device? MAC validation Site surveys Port scanning War walking

War walking Explanation OBJ-1.8: War walking is conducted by walking around a build while locating wireless networks and devices. War walking will not help find a wired rogue device. Checking valid MAC addresses against a known list, scanning for new systems or devices, and physically surveying for unexpected systems can be used to find rogue devices on a wired network.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Which of the following types of attacks occurs when an attacker specifically targets the CEO, CFO, CIO, and other board members during their attack? Spear phishing Whaling Phishing Vishing Smishing

Whaling Explanation OBJ-1.1: Whaling occurs when the attacker targets the C-level executives (CEO, CFO, CIO, etc.), board members, and other senior executives within the organization.

What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system? You should ignore any remaining risk You should continue to apply additional controls until there is zero risk You should accept the risk if the residual risk is low enough You should remove the current controls since they are not completely effective

You should accept the risk if the residual risk is low enough Explanation OBJ-5.4: In most cases, you will be unable to remove all risks. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.

What popular open-source port scanning tool is commonly used for host discovery and service identification? nmap dd services.msc Nessus

nmap Explanation OBJ-4.1: The world's most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services. The dd tool is used to copy files, disks, and partitions, and it can also be used to create forensic disk images. Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.

An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only the name servers? locate type=ns request type=ns transfer type=ns set type=ns

set type=ns Explanation OBJ-4.1: The nslookup command is used to query the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records. The "set type=ns" tells nslookup only reports information on name servers. If you used "set type=mx" instead, you would receive information only about mail exchange servers.

You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems? ipconfig netstat nbtstat tracert

tracert Explanation OBJ-4.1: The tracert (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, tracert uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer. The ICMP "Time Exceeded" messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.