Cysa questions

Which of the following vulnerabilities can be prevented by using proper input validation? (SELECT ANY THAT APPLY) A.Cross-site scripting B.SQL injection C.Directory traversal D.XML injection

A,B,C,D. OBJECTIVE 2.2 Proper input validation can prevent cross-site scripting, SQL injection, directory traversal, and XML injections from occurring. Where an application accepts string input, the input should be subjected to normalization or sanitization procedures before being accepted. Normalization means that a string is stripped of illegal characters or substrings and converted to the accepted character set. This can prevent SQL and XML injections from occurring. Input validation is also good at preventing cross-site scripting (XSS) in forms that accept user input. Directory traversals can be prevented by conducting input validation in file paths or URL that is accepted from a user. This prevents a canonicalization attack being able to disguise the nature of the malicious input that could cause a directory traversal.

CIO has recently made a purchasing decision to install a new security appliance that will automatically sandbox all attachments as they enter the enterprise network in order to run dynamic and static code analysis on them. Which of the following questions about the appliance should you consider as the SOC manager who will be responsible for operating this new appliance for the company? (SELECT FOUR) A.Do you have security personnel and procedures in place to review the output from this appliance and take action where appropriate? B.Does the new appliance provide a detailed report or alert showing why it believes an attachment is malicious? C.Will the security appliance violate your employee's right to privacy? D.How will the appliance receive updated signatures and scanning engines? E.How will the appliance receive security patches and updates? F.Will the device inadvertently alter anyone's data when it is analyzed in the sandbox?

A,B,D,E. OBJECTIVE 3.4 Often, cybersecurity professionals fall in love with a new technological solution without fully considering the true cost of ownership and risks it poses to their organization. Even if this is the perfect security mechanism, the organization must plan for how they will respond to the alerts provided by this appliance. Additionally, you must consider if you have the right people and procedures to effectively use the new application. Also, the appliance will need to receive security patches, feature updates, and signature definition files routinely to remain effective and secure. At later stages of analysis, your security team may need to determine why a false-positive or false-negative occurred, which requires detailed alerts or reports from the machine. In corporate environments, privacy is limited for employees as most companies have a 'right to monitor' included as part of their AUP and access policies. Therefore privacy is a minimal area of concern in this case. The appliance cannot manipulate the information that is passing through it since it will analyze the information by placing a copy into a sandbox. This allows it to make a allow or deny decision, and will not modify the original data is processed.

Which of the following will an adversary so during the exploitation phase of the Lockheed Martin kill chain? (SELECT THREE) A.Take advantage of a software, hardware, or human vulnerability B.Select backdoor implant and appropriate command and control infrastructure for operation C.Wait for a malicious email attachment to be opened D.Wait for a user to click on a malicious link E.A webshell is installed on a web server F.A backdoor/implant is placed on a victim's client

A,C,D. OBJECTIVE 2.1 During this phase, activities taken during the exploitation phase are conducted against the target's system. Taking advantage of or exploiting an accessible vulnerability, waiting for a malicious email attached to be opened, or waiting for a user to click on a malicious link are all part of the exploitation phase. The installation of a webshell, backdoor, or implant are all performed during the installation phase. Selecting a backdoor implant and appropriate command and control infrastructure occurs during the weaponization phase.

Which of the following is typically used to secure the CAN bus in a vehicular network?

Air gap

If you want to conduct an operating system identification during a Nmap scan, which syntax should you utilize? A.nmap -os B.nmap -O C.nmap -id D.nmap -osscan

B The -O flag indicates to nmap that it should attempt to identify the operating system of the target during the scanning process. It does this by evaluating the responses it received during the scan against its database of signatures for each operating system.

Which of the following is the most important feature to consider when designing a system on a chip? A.Type of real-time operating system in use B.Space and power savings C.Ability to interface with industrial control systems D.Ability to be reconfigured after manufacture

B. OBJECTIVE 2.3 A system on a chip is an integrated circuit that integrates all or most components of a computer or other electronic system. These components almost always include a central processing unit, memory, input/output ports, and secondary storage - all on a single substrate or microchip, the size of a coin. This makes the savings of space and power the most important feature to consider when designing a system on a chip.

Which of the following is a common attack model of an APT attack? A.Involves sophisticated DDoS attacks B.Quietly gathers information from compromised systems C.Relies on worms to spread laterally D.Holds an organization's data hostage using encryption

B. OBJECTIVE 1.2 An APT refers to the ongoing ability of an adversary to compromise network security by using a variety of tools and techniques to obtain and maintain access. An APT is usually a highly sophisticated nation-state threat actor that quietly gathers information from compromised systems and can lay in waiting for several months during an ongoing attack. In general, an APT is primarily focused espionage and strategic advantage, but some target companies purely for commercial gain. An APT is unlikely to conduct a DDoS attack, use worms to spread throughout the network, or use ransomware as part of their covert attacks.

When using tcpdump, which option or flag would you use to record the ethernet frames during a packet capture? -n -nn -e -X

-e The -e option includes the ethernet header during packet capture. The -n flag will show the IP addresses in numeric form. The -nn option shows IP addresses and ports in numeric format. The -X option will capture the packet's payload in hex and ASCII formats.

While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source? 10.15.1.100 192.186.1.100 172.16.1.100 192.168.1.100

192.186.1.100 This question is testing your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). During your CompTIA A+, Network+, and Security+ studies, you should have learned that private IP addresses are either 10.x.x.x, 172.16-31.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100, since it is not a private IP address.

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output: 10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] 'POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1' 200 143 'https://10.1.1.2/' 'USERAGENT ' 10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] 'GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1' 200 941 '-' 'USERAGENT' 10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] 'POST /vpns/portal/scripts/newbm.pl HTTP/1.1' 200 143 'https://10.1.1.2/' 'USERAGENT' What type of attack was most likely being attempted by the attacker? A.SQL injection B.Directory traversal C.XML injection D.Password spraying

A A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various user's passwords by attempting a compromised password against multiple user accounts.

Jeff has been contacted by an external security company and told that they have found a copy of his company's proprietary source code on GitHub. Upon further investigation, Jeff has determined that the repository where the source code is located is owned by his organization. Which of the following mitigations should Jeff apply immediately? A.Change the repository from public to private B.Delete the repository C.Reevaluate the organization's information management policies D.Investigate if the source code was downloaded

A Jeff should immediately change the repository from public to private in order to prevent further exposure of the source code. Deleting the repository would also fix the issue, but could compromise the company's ongoing business operations. Reevaluation of the company's information management policies should be done as well, but this is not as time-critical as changing the repository's public/private setting. Once the repository is configured to be private, then Jeff should investigate any possible compromises that may have occurred and reevaluate their policies.

You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any signs of infection. Which of the following has MOST likely occurred? A.Zero-day attack B.Password spraying C.Session hijacking D.Directory traversal

A Since you scanned the system with the latest anti-virus signatures and did not find any signs of infection, it would most likely be evidence of a zero-day attack. A zero-day attack has a clear sign of compromise (the web tunnel being established to a known malicious server), and the anti-virus doesn't have a signature yet for this particular malware variant. Password spraying occurs when an attacker tries to log in to multiple different user accounts with the same compromised password credentials. Session hijacking is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Based on the scenario, it doesn't appear to be session hijacking since the user would not normally attempt to connect to a malicious server. Directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory. A directory traversal is usually indicated by a dot dot slash (../) in the URL being attempted.

Your organization's primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to remotely execute code on the server over the Internet. You ran a vulnerability scan of the network and determined that all of the servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Which of the following might be the reason that the scan report still showing the servers as vulnerability? (SELECT ALL THAT APPLY) A.The vulnerability assessment scan is returning a false positive B.This critical patch did not remediate the vulnerability C.You conducted the vulnerability scan without waiting long enough after the patch was installed D.The wrong IP address range was scanned during your vulnerability assessment

A, B There are two reasonable choices presented: (1) the vulnerability assessment scan is returning a false positive, or (2) this critical patch did not remediate the vulnerability. It is impossible to know which based on the description in the question. If the patch was installed successfully as the question states, then it is possible that the critical patch was coded incorrectly and did not actually remediate the vulnerability. While most operating system vendors do test their patches prior to release to prevent this, with extremely critical patches, they are sometimes rushed into production and the patch does not actually remediate the vulnerability on all systems. When this occurs, the vendor will issue a subsequent patch will be released to fix it and superseded the original patch. The other option is that the vulnerability assessment tool is incorrectly configured and is returning a false positive. This can occur when the signature used to detect the vulnerability is too specific or too generic to actually detect whether the system was patched for the vulnerability or not. The other options are incorrect, as you do not have to wait a certain period of time after installation before scanning, and it is assumed that you are scanning the same IP range both times as you have verified your scan configuration.

You identified a critical vulnerability in one of your organization's databases. You researched a solution, but it will require the server to be taken offline during the patch installation. You have received permission from the Change Advisory Board to implement this emergency change at 11 pm once everyone has left the office. It is now 3 pm, what action(s) should you take now to best prepare for implementing this evening's change? (SELECT ALL THAT APPLY) A.Ensure all stakeholders are informed of the planned outage B.Document the change in the change management system C.Take the server offline at 10 pm in preparation for the change D.Identify any potential risks associated with installing the patch E.Take the opportunity to install a new feature pack that has been requested F.Validate the installation of the patch in a staging environment

A,B,D,F. OBJECTIVE 2.1 You should send out a notification to the key stakeholders to ensure they are notified of the planned outage this evening. You should test and validate the patch in a staging environment prior to installing it on the production server. You should identify any potential risks associated with installing this patch. You should also document the change in the change management system. You should not take the server offline before your change window begins at 11 pm, as this could affect users who are relying on the system. You should not take this opportunity to install any additional software, features, or patches unless you have received approval from the Change Advisory Board (CAB).

You have just returned from a business trip to a country with a high rate of intellectual property theft. Which of the following precautions should you take prior to reconnecting your laptop to your corporate network? (SELECT TWO) A.The laptop should be scanned for malware B.The laptop should be physically inspected and compared with images made before you left C.The laptop should be permanently destroyed D.The laptop should be sanitized and reimaged E.The laptop's hard drive should be degaussed prior to use F.The laptop's hard drive should have full-disk encryption enabled

A,B. OBJECTIVE 2.3 While scanning for viruses is a good idea and should be done, that alone is insufficient to detect all the ways an advanced adversary could have manipulated your laptop if it were outside of your custody for any significant length of time, such as leaving it in your hotel room. In order to detect possible hardware modifications, a 'before' image would be needed to compare the laptop to upon returning. Destruction might be wasteful without evidence of a possible crime. Therefore, this is not the best option. Reimaging may be advantageous but will not remove any hardware modifications an attacker may have installed. Degaussing is considered a purging activity, but it will also destroy the laptop's hard drive. While enabled full disk encryption is a good security practice, it should have been enabled before the trip. Once you return, encrypting the drive will not help if the attacker already modified the laptop.

Which of the following are valid concerns when migrating to a serverless architecture? (SELECT THREE) A.Protection of endpoint security B.Management of VPC offerings C.Dependency on the cloud service provider D.Limited disaster recovery options E.Patching of the backend infrastructure F.Management of physical servers

A,C,D. OBJECTIVE 2.1 Serverless is a modern design pattern for service delivery. With serverless, all the architecture is hosted within a cloud, but unlike "traditional" virtual private cloud (VPC) offerings, services such as authentication, web applications, and communications aren't developed and managed as applications running on servers located within the cloud. Instead, the applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. In a serverless architecture system, there is a heavy dependency on the cloud service provider since all of the patching and management functions of the back end infrastructure is done by them. An organization using such an architecture would still need to prevent compromise of the user endpoints, though, since these are not managed by the cloud service provider. Another concern with serverless architectures is that there are limited options for disaster recovery if service provisioning fails. Patching of backend infrastructure is eliminated because the infrastructure is eliminated with serverless architectures. Once migration is complete, there are no physical servers to manage, which reduces the workload on your system administration teams.

Which of the following will an adversary so during the command and control phase of the Lockheed Martin kill chain? (SELECT TWO) A.Open up a two-way communication channel to an established infrastructure B.Create a point of presence by adding services, scheduled tasks, or AutoRun keys C.Utilize web, DNS, and email protocols to conduct control of the target D.Conduct internal reconnaissance of the target network E.Destroy systems F.Release of malicious email

A,C. OBJECTIVE 1.2 During the command and control (C2) phase, the adversary is testing that they have control over any implants that have been installed. This can be conducted using web, DNS, and email protocols to control the target and relies on an established two-way communication infrastructure to control the target system using remote access. Internal reconnaissance or destructive actions occur in the actions on objectives phase. Release of malicious email occurs in the delivery phase.

Which of the following will an adversary so during the delivery phase of the Lockheed Martin kill chain? (SELECT THREE) A.Direct action against public-facing servers B.Select a decoy document to present to the victim C.Collect press releases, contract awards, and conference attendee lists D.Deliberate social media interactions with the target's personnel E.Release of malicious email F.Adversary triggering exploits for non-public facing servers

A,D,E. OBJECTIVE 1.2 During the delivery phase, the adversary is firing whatever exploits they have prepared during the weaponization phase. At this stage, they still do not have access to their target, though. Therefore, taking direct action against a public-facing web server, sending a spear-phishing email, placing a USB drive with malware, or starting a conversation on social media all fit within this phase. Internet-facing servers were enumerated during reconnaissance. Selecting a decoy document to present to the victim occurs during weaponization. Collecting press releases, contract awards, and conference attendee lists occur during the reconnaissance phase.

After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company's network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company's information security team. How would you best classify this threat? A.Advanced persistent threat (APT) B.Spear phishing C.Insider threat D.Privilege escalation

A. OBJECTIVE 1.1 An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. An APT refers to the ongoing ability of an adversary to compromise network security, to obtain and maintain access, and to use a variety of tools and techniques. They are often supported and funded by nation-states, or work directly for a nation-states' government. Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information. An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. While an APT may use spear phishing, privilege escalation, or an insider threat to gain access to the system, the scenario presented in this question doesn't specify what method was used. Therefore, APT is the best answer to select.

An analyst's vulnerability scanner did not have the latest set of signatures installed. Due to this, several unpatched servers may have vulnerabilities that were undetected by their scanner. You have directed the analyst to update their vulnerability scanner with the latest signatures at least 24 hours before conducting any scans, but the results of their scans still appear to be the same. Which of the following logical controls should you use to address this situation? A.Create a script to automatically update the signatures every 24 hours B.Ensure the analyst manually validates that the updates are being performed as directed C.Test the vulnerability remediations in a sandbox before deploying them into production D.Configure the vulnerability scanners to run in credentialed mode

A. OBJECTIVE 1.3 Since the analyst appears to not be installing the latest vulnerability signatures according to your instructions, it would be best to create a script and automate the process to eliminate human error. The script will always ensure that the latest signatures are downloaded and installed in the scanner every 24 hours without any human intervention. While you may want the analyst to manually validate the updates were performed as part of their procedures, this is still error-prone and likely to not be conducted properly. Regardless of whether the scanners are being run in uncredentialed or credentialed mode, they will still miss vulnerabilities if they are using out-of-date signatures. Finally, the option to test the vulnerability remediations in a sandbox is a good suggestion, but it won't solve this scenario since we are concerned with the scanning portion or vulnerability management and not remediation in this question.

Which of the following would a virtual private cloud infrastructure be classified as? A.Infrastructure as a Service B.Platform as a Service C.Software as a Service D.Function as a Service

A. OBJECTIVE 1.6 Infrastructure as a Service (SaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization may provision virtual servers in a cloud-hosted network. The service consumer is still responsible for maintaining the IP address space and routing internally to the cloud. Platform as a Service (PaaS) is a computing method that uses the cloud to provide any platform-type services. Software as a Service (SaaS) is a computing method that uses the cloud to provide application services to users. Function as a Service (FaaS) is a cloud service model that supports serverless software architecture by provisioning runtime containers in which to execute code in a particular programming language.

What is the proper threat classification for a security breach that employs brute-force methods to compromise, degrade, or destroy systems? A.Attrition B.Impersonation C.Improper usage D.Loss or theft of equipment

A. OBJECTIVE 1.7 Attrition attacks employ brute-force methods to compromise, degrade, or destroy systems, networks, or services. An impersonation attack occurs when the attacker gains control of an employee's account and uses it to convince other employees to perform fraudulent actions. Improper usage occurs when an employee or other authorized user utilizes the systems or networks in a way they are not intended or designed. The loss or theft of equipment usually relates to a smartphone, tablet, or laptop is lost or stolen, and then the data on it becomes compromised.

You have just received some unusual alerts on your SIEM dashboard and want to collect the payload associated with it. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization's normal business operations? A.Honeypot B.Jumpbox C.Sandbox D.Containerization

A. OBJECTIVE 2.1 A honeypot is a host set up with the purpose of luring attackers away from the actual network components and/or discovering attack strategies and weaknesses in the security configuration. A jumpbox is a hardened server that provides access to other hosts. A sandbox is a computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Containerization is a type of virtualization applied by a host operating system to provision an isolated execution environment for an application.

Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role? A.MSSP B.IaaS C.PaaS D.SaaS

A. OBJECTIVE 2.1 A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the scope of the exam, but the objectives allow for 'other examples of technologies, processes, or tasks pertaining to each objective may also be included on the exam although not listed or covered' in the bulletized lists of the objectives. The exam tests the equivalent to 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam, it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

You are deploying OpenSSL in your organization and must select a cipher suite. Which of the following ciphers should NOT be used with OpenSSL? A.DES B.AES C.RSA D.ECC

A. OBJECTIVE 2.1 DES is outdated and should not be used for any modern applications. The AES, RSA, and ECC are all current secure alternatives that could be used with OpenSSL. This question may seem beyond the scope of the exam, but the objectives allow for 'other examples of technologies, processes, or tasks pertaining to each objective may also be included on the exam although not listed or covered' in the bulletized lists of the objectives. The exam tests the equivalent to 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam, it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Which security control would prevent unauthorized users from connecting to a company's wireless network? A.NAC B.Firewall C.IPS D.Segmentation

A. OBJECTIVE 2.1 Network Access Control (NAC) prevents unauthorized users from connecting to a network. Firewalls and intrusion prevention systems (IPS) are meant to restrict access from external sources and block known attacks. They would not keep out an intruder who is already in range of the wireless network. Network segmentation would limit the access that an intruder has to network resources but would not block the connection itself.

Which of the following protocols could be used inside of a virtual system to manage and monitor the network? A.SNMP B.SMTP C.BGP D.EIGRP

A. OBJECTIVE 2.1 SNMP is used to monitor and manage networks, both physical and virtual. SMTP is used for email. BGP and EIGRP are used for routing network data.

Which of the following protocols is considered insecure and should never be used in your networks? A.Telnet B.SSH C.SFTP D.HTTPS

A. OBJECTIVE 2.1 Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. It is considered insecure and should never be used in secure networks because it transmits everything in cleartext, including your authentication credentials. Telnet should be replaced with a more secure option, such as the secure shell (SSH) protocol. SSH performs the same functions as telnet, but uses an encrypted tunnel to maintain the confidentiality of the data be sent over it. SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP that is used for secure communication over a computer network by encrypting data being transferred over it with either TLS or SSL.

Which of the following is not considered a component that belongs to the category of identity management infrastructure? A.Human resource system B.LDAP C.Provisioning engine D.Auditing system

A. OBJECTIVE 2.1 The human resource system may be a data source for identity management, but it is not part of the infrastructure itself. LDAP servers, provisioning engines, and auditing systems are all part of identity management infrastructures. Most organizations rely on a LDAP Directory to store users, groups, roles, and relationships between those entities. A provisioning engine is responsible for the process of coordinating the creation of user accounts, email authorizations in the form of rules and roles, and other tasks such as provisioning of physical resources associated with enabling new users. The auditing system is responsible for verifying the identities present in the organization's systems are valid and correct.

Susan is worried about the security of the master account associated with a cloud service and the access to it. This service is used to manage payment transactions. She has decided to implement a new multifactor authentication process where one individual has the password to the account, but another user in the accounting department has a physical token to the account. In order to login to the cloud service with this master account, both users would need to come together. What principle is Susan implementing by using this approach? A.Dual control authentication B.Transitive trust C.Least privilege D.Security through obscurity

A. OBJECTIVE 2.1 This approach is an example of dual control authentication. Dual control authentication is used when performing a sensitive action and requires the participation of two different users in order to login (in this case, one with the password and one with the token). Transitive trust is a technique via which a user/entity that has already undergone authentication by one communication network to be able to access resources in another communication network without having to undergo authentication a second time. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. Security through obscurity is the reliance on security engineering in the design or implementation of secrecy as the main method of providing security to a system or component

Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? A.VM escape B.VM migration C.VM sprawl D.VM data remnant

A. OBJECTIVE 2.1 Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker has access to a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines. Data remnant is the residual representation of digital data that remains even after attempts have been made to remove or erase the data. Virtualization sprawl is a phenomenon that occurs when the number of virtual machines on a network reaches a point where the administrator can no longer manage them effectively. Virtual machine migration is the task of moving a virtual machine from one physical hardware environment to another.

Which of the following is the biggest advantage of using Agile software development? A.Reacts quickly to changing customer requirements since it allows all phases of software development to run in parallel B.Its structured and phase-oriented approach ensures that customer requirements are rigorously defined before development begins C.Its inherent agility allows developers to maintain focus on the overall goals of the project D.It can produce better, more secure, and more efficient code

A. OBJECTIVE 2.2 Agile development can react quickly to changing customer requirements since it allows all phases of software development to run in parallel, as opposed to a linear or sequenced approach. Waterfall development, not agile development, is a structured and phase-oriented model. A frequent criticism is that the agile model can allow developers to lose focus on the overall objective of the project. Agile models do not necessarily produce better, more secure, or more efficient code than other methods

A software assurance test analyst is performing a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing? A.Fuzzing B.Sequential data sets C.Static code analysis D.Known bad data injection

A. OBJECTIVE 2.2 Fuzzing is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), for failing built-in code assertions, or for finding potential memory leaks. Dynamic code analysis relies on studying how the code behaves during execution. Fuzzing a specific type of dynamic code analysis, making it a better answer to this question. Static code analysis is a method of debugging by examining source code before a program is run. Known bad data injection is a technique where data that is known to cause an exception or fault is entered as part of the testing/assessment. With known bad data injections, you would not use randomly generated data sets, though.

James is working with the software development team to integrate some real-time security reviews into some of their SDLC processes. Which of the following would best meet this requirement? A.Pair Programming B.Pass-around code review C.Tool-assisted review D.Formal code review

A. OBJECTIVE 2.2 Pair programming is a real-time process that would meet this requirement. It utilizes two developers working on one workstation, where one developer reviews the code being written in real-time by the other developer. While the other three options can also provide a security review, none of them are considered 'real-time' since they are asynchronous processes that are performed after the coding has already been completed.

Your service desk has been receiving a large number of complaints from external users that a web application is responding slowly to requests and frequently receives a "connection timed out" error message when they attempt to submit information to the application. Which software development best practice should have been implemented in order to prevent this from occurring? A.Stress testing B.Regression testing C.Input validation D.Fuzzing

A. OBJECTIVE 2.2 Stress testing is a software testing activity that determines the robustness of software by testing beyond the limits of normal operation. Stress testing is particularly important for mission-critical software but can be used with all types of software. Stress testing is an important component in the capacity management process of IT service management and ensures adequate resources are available to support the needs of the end-user when an application goes into a production environment. Regression testing is defined as a type of software testing to confirm that a recent program or code change has not adversely affected existing features. Input validation is the process of ensuring any user input have undergone cleansing to ensure it is properly formatted, correct, and useful. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.

Which term refers to the consistent and tamper-resistant operation of every element within an enterprise? A.Trusted computing environment B.Trusted foundry C.Trust certified enterprise D.Accredited network

A. OBJECTIVE 2.3 A trusted computing environment refers to the consistent and tamper-resistant operation of every element within an enterprise. The Trusted Foundry Program also called the trusted suppliers program is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. An accredited network means that a relevant system has been approved for use and the risk involved has been accepted by an authorizing official. The term trust certified enterprise is not an industry-standard term and was created as a distractor from the correct answer.

Which of the following has occurred if a device fails to activate because it has detected an unknown modification? A.Self-checking B.Obfuscation C.Failed trusted foundry D.Improper authentication

A. OBJECTIVE 2.3 NIST defines self-checking behavior as a control that is used to prohibit elicit modification to hardware components. This can be done using anti-tamper technology like a field programmable gate array (FPGA), a physically unclonable function (PUF), or other techniques. Obfuscation is the act of making something obscure, unclear, or unintelligible. Usually, this is done by encoding strings or binary information to make it less detectable by signature-based detection mechanisms. Improper authentication occurs when an attacker claims to have a given identity and the software does not prove or insufficiently proves that the claim is correct. The Trusted Foundry Program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military.

Which of the following programs was designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military? A.Trusted Foundry (RF) B.Supplies Assured (SA) C.Supply Secure (SS) D.Trusted Access Program (TAP)

A. OBJECTIVE 2.3 The Trusted Foundry program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. Trusted Foundry was created to provide a chain of custody for classified/unclassified integrated circuits, ensure there is no reasonable threat related to supply disruption, prevent intentional/unintentional modification of integrated circuits, and protect integrated circuits from reverse engineering and vulnerability testing.

Which of the following lists the UEFI boot phases in the proper order? A.Security, Pre-EFI initialization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime B.Pre-EFI initialization, Security, Boot Device Select, Transient System Load, Driver Execution Environment, Runtime C.Boot Device Select, Security, Pre-EFI initialization, Driver Execution Environment, Transient System Load, Runtime D.Driver Execution Environment, Boot Device Select, Security, Transient System Load, Pre-EFI initialization, Runtime

A. OBJECTIVE 2.3 The security must be first in order to prevent any potential contamination from advanced malware from effecting the system as it proceeds into its startup process. Security consists of initialization of the code that the system executes after powering on the EFI system. Pre-EFI initialization initializes the CPU, temporary memory, and boot firmware volume (BFV). Driver Execution Environment initializes the entire system physical memory, I/O, and MIMO (Memory Mapped Input Output) resources and finally begins dispatching DXE Drivers present in the system Firmware Volumes (given in the HOBL). Boot Device Select interprets the boot configuration data and selects the Boot Policy for later implementation. Runtime focuses on clearing the UEFI program from memory and transferring control to the operating system.

What method might a system administrator use to replicate the DNS information from one DNS server to another, but could also be used maliciously by an attacker? A.Zone transfers B.DNS registration C.CNAME D.DNSSEC

A. OBJECTIVE 2.3 Zone transfers provide an easy way to send all the DNS information from one DNS server to another, but an attacker could also use it for reconnaissance against your organization. For this reason, most administrators disable zone transfers from untrusted servers. DNSSEC strengthens authentication in DNS using digital signatures based on public-key cryptography. CNAME is a Canonical Name Record or Alias Record. A type of resource record in the Domain Name System (DNS) that specifies that one domain name is an alias of another canonical domain name. DNS registration is a service, which allows the owner of a domain name to use their name servers, which can match the domain name in question.

When using the netstat command during an analysis, which of the following connection status messages indicates whether an active connection between two systems exists? A.ESTABLISHED B.LISTENING C.LAST_ACK D.CLOSE_WAIT

A. OBJECTIVE 3.1 The ESTABLISH message indicates that an active and established connection is created between two systems. The LISTENING message indicates that the socket is waiting for an incoming connection from the second system. The LAST_ACK message indicates that the remote end has shut down the connection and the socket is closed and waiting for an acknowledgement. The CLOSE_WAIT message indicates that the remote end has shut down the connection and is waiting for the socket to close. This question may seem beyond the scope of the exam. Still, the objectives allow for 'other examples of technologies, processes, or tasks pertaining to each objective may also be included on the exam although not listed or covered' in the bulletized lists of the objectives. The exam tests the equivalent to 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination. Therefore, questions like this are fair game on test day. That said, your goals aren't to score 100% on the exam, it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

An analyst is reviewing the configuration of a triple-homed firewall connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall? A.DMZ B.Subnet C.NIDS D.GPO

A. OBJECTIVE 3.2 A triple-homed firewall connects to three networks internal (private), external (internet/public), and the demilitarized zone (DMZ). The demilitarized zone (DMZ) network hosts systems that require access from external hosts. Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system looks like and how it behaves for a defined group of users. A network intrusion detection system (NIDS) is a system that attempts to detect hacking activities, denial of service attacks, or port scans on a computer network or a computer itself. A subnet is a logical subdivision of an IP network.

An organization utilizes a BYOD policy with its employees. This allows the employees to store sensitive corporate data on their personally owned devices. Which of the following occurred if an employee accidentally left their device in the back of a taxi? A.Failed deperimeterization management B.Failed data loss prevention C.A data breach D.An advanced persistent threat

A. OBJECTIVE 3.2 Deperimeterization is a strategy for protecting a company's data on multiple levels by using encryption and dynamic data-level authentication. Since the employee lost the device which contained sensitive corporate data outside of the network, this would be classified as failed deperimeterization management. Data loss prevention (DLP) detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. DLP does not apply to this scenario since the employee was authorized to have the corporate data on the device under the BYOD policy. A data breach is an incident that exposes confidential or protected information. Based on the scenario provided, we are not told whether anyone has tried to access the data on the device. If an attacker accesses the data on the device, then it may be considered a data breach or inadvertent data disclosure depending on your organization's policies. An advanced persistent threat is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.

Review the following packet captured at your NIDS: 23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.], Seq 1834:1245, ack1, win 511, options [nop,nop, TS val 263451334 erc 482862734, length 125 After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host? A.DENY TCP ANY HOST 71.168.10.45 EQ 3389 B.DENY IP HOST 71.168.10.45 ANY EQ 25 C.DENY IP HOST 86.18.10.3 EQ 3389 D.DENY TCP ANY HOST 86.18.10.3 EQ 25

A. OBJECTIVE 3.2 Since the question asks you to prevent access to the unauthorized service, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the Remote Desktop Protocol service that is unauthorized (port 3389).

During a vulnerability scan of your network, you identified a vulnerability is on an appliance that was installed by a vendor on your network under an ongoing service contract. You do not have access to the operating system of the appliance as the device was installed under a support agreement with the vendor. What is your best course of action to remediate or mitigate this vulnerability? A.Contact the vendor to provide an update or to remediate the vulnerability B.Try to gain access to the underlying operating system and install the patch C.Mark the identified vulnerability as a false positive D.Wait 30 days, run the scan again, and determine if the vendor corrected the vulnerability

A. OBJECTIVE 3.2 You should contact the vendor to determine if a patch is available for installation. Since this is a vendor-supported appliance installed under a service contract, the vendor is responsible for the management and security of the appliance. You should not attempt to gain access to the underlying operating system to patch the vulnerability yourself, as this could void your warranty and void your service contract. Based on the information provided, there is no reason to believe that this is a false positive, either. You should not simply wait 30 days and rerun the scan, as this is a non-action. Instead, you should contact the vendor to fix this vulnerability. Then, you could rerun the scan to validate they have completed the mitigations and remediations.

Rory is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically? A.Suspend the machine and copy the contents of the directory it resides in B.Perform a live acquisition of the virtual machine's memory C.Suspend the machine and make a forensic copy of the drive it resides on D.Shutdown the virtual machine off and make a forensic copy of its disk image

A. OBJECTIVE 4.4 The best option is to suspend the machine and copy the contents of the directory as long as you ensure you protect the integrity of the files by conducting a hash on them before and after copying the files. This procedure will store the virtual machine's RAM and disk contents. Since a virtual machine stores all of its data in a single file/folder on a host's hard drive, you can simply copy then entire Copying the folder will give all the information needed, but the virtual machine should not be powered off because creating a copy of the drive is not necessary because the files would still have to be validated. Live acquisition relies on a specialist hardware or software tool that can capture the contents of memory while the computer is running. This is unnecessary for a virtual machine since suspending a virtual machine writes the entire contents of memory to a file on the hard disk. Shutting down the machine is a bad idea since this runs the risk that the malware will detect the shutdown process and perform anti-forensics to try to remove traces of itself. While you could image the entire drive the virtual machine resides on, it is unnecessary, will take much longer, and will require you to shutdown the host machine to conduct the bit-by-bit copy.

Which law requires that government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards? A.FISMA B.SOX C.HIPPA D.COPPA

A. OBJECTIVE 5.1 The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPPA) is a United States federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children's Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes-Oxley (SOX) is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

You are reviewing a rule within your organization's IDS. You see the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any msg: "BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; flow: to_client,established; file_data; content:"recordset"; offset:14; depth:9; content:".CacheSize"; distance:0; within:100; pcre:"/CacheSize\s*=\s*/"; byte_test:10,>,0x3ffffffe,0,relative,string; max-detect-ips drop, service http; reference:cve,2016-8077; classtype: attempted-user; sid:65535;rev:1; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Based on this rule, which of the following malicious packets would this IDS alert on? An inbound malicious TCP packet Any outbound malicious packets An outbound malicious TCP packet Any inbound malicious packets

An inbound malicious tcp packets The rule header is set to alert only on TCP packets based on the first line of this IDS rule. The flow condition is set as "to_client,established", which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to be able to create your own IDS rules, but you should be able to read them and pick out data.

Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company? A.WHOIS lookups B.Banner grabbing C.BGP looking glass usage D.Registrar checks

B Banner grabbing requires a connection to the host in order to successfully grab the banner. This is an active reconnaissance activity. All other options are considered to be passive processes and typically use information retrieved from third-parties that do not require a direct connection to an organization's remote host.

Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct? A.Non-credentialed scan B.Credentialed scan C.External scan D.Internal scan

B Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results. Non-credentialed scans rely on external resources for configuration settings that can be altered or incorrect. The network location of the scanner does not have a direct impact on the ability to read the configuration information, so it would not make a difference if you conducted an external or internal scan.

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across a large number of devices? A.Patch management B.GPO C.HIPS D.Anti-malware

B Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. It allows an administrator to create a policy and deploy it across a large number of devices in the domain or network. Patch management, host intrusion prevention systems (HIPS), and anti-malware software are different types of host security controls, but only GPOs have the ability to configure settings across multiple Windows devices efficiently.

Your organization has recently migrated to a SaaS provider for its enterprise resource planning (ERP) software. Prior to this migration, a weekly port scan conducted to help validate the security of the on-premise systems. Which of the following actions should you take to validate the security of the cloud-based solution? A.Utilize a different scanning tool B.Utilize vendor testing and audits C.Utilize a third-party contractor to conduct the scans D.Utilize a VPN to scan inside the vendor's security perimeter

B The best option is to utilize vendor testing and audits in a cloud-based environment. Most SaaS providers will not allow customers to conduct their own port scans or vulnerability scans against the SaaS service. This means you cannot scan using a VPN connection, utilize different scanning tools, or hire a third-party contractor to scan on your behalf.

A vulnerability scan has returned the following results: Detailed Results 10.56.17.21 (APACHE-2.4) Windows Shares Category: Windows CVE ID: - Vendor Ref: - Bugtraq ID: - Service Modified - 8.30.2017 Enumeration Results: print$ c:\windows\system32\spool\drivers files c:\FileShare\Accounting Temp c:\temp What best describes the meaning of this output? A.There is an unknown bug in an Apache server with no Bugtraq ID B.Connecting to the host using a null session allows enumeration of the share names on the host C.Windows Defender has a known exploit that must be resolved or patched D.There is no CVE present, so this is a false positive caused by Apache running on a Windows server

B This is the result of a vulnerability scan that conducted an enumeration of open Windows shares on an Apache server. The enumeration results show three share names (print$, files, Temp), that have been found using a null session connection. There is no associated CVE with this vulnerability, but it is not a false positive. Not all vulnerabilities have a CVE associated with them. Nothing in this output indicates anything concerning Windows Defender, so this is not the correct answer. Bugtraq IDs are a different type of identification number issued for vulnerabilities by SecurityFocus. Generally, if there is a CVE, there will also be a Bugtraq ID. The fact that both the CVE and Bugtraq ID are blank is not suspicious since we are dealing with a null enumeration result.

Which of the following would be part of an active defense strategy? (SELECT THREE) A.Blocking adversary C2 infrastructure B.Deploy a honeypot C.Implement decoy assets D.Installing a new IDS signature E.Implement fictitious DNS entries F.Deletion of adversary malware

B,C,E. OBJECTIVE 2.1 Active defense refers to controls that perform some type of counterattack. Active defense means an engagement with the adversary, but this can be interpreted in several different ways. Laying traps such as decoy assets or deploying honeypots would be classified as active defense. Another active defense technique is to implement fictitious DNS entries that can also be used to delay or slow down an adversary's enumeration of your network. Blocking the adversary's C2 infrastructure and the deletion of adversary malware are considered a part of normal incident response actions. Installing a new IDS signature would be considered vulnerability management and not active defense.

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following: https://www.google.com/search?q=password+filetype%3Axls+site%3Adiontraining.com&pws=0&filter=p Which of the following is true about the results of this search? (SELECT THREE) A.All search filters are deactivated B.Returns only files hosted at diontraining.com C.Returns only Microsoft Excel spreadsheets D.Find sites related to diontraining.com E.Excludes Microsoft Excel spreadsheets F.Personalization is turned off

B,C,F. OBJECTIVE 3.3 The above example searches for files with the name 'password' in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ':') and (+) limits the results to files hosted on diontraining.com (site%3Adiontraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by typing -filetype%3Axls as part of the search query. To find related websites or pages, you would include the 'related:' term to the query. To deactivate all filters from search, the 'filter=0' should be used. To deactivate the directory filtering function, the 'filter=p' is used.

A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting their time on results that are not really a vulnerability, the analyst wants to remove any false positives before they begin to remediate the findings. Which of the following is an indicator that something in their results would be a false positive? A.A finding that shows the scanner compliance plug-ins are not up-to-date B.Items classified by the system as Low or as For Informational Purposes Only C.A scan result showing a version that is different from the automated asset inventory D.A 'HTTPS entry that indicates the web page is securely encrypted

B. OBJECTIVE 1.3 When conducting a vulnerability scan, it is common for the report to include some findings that are classified as "low" priority or "for informational purposes only". These are most likely false positives and can be ignored by the analyst when first starting their remediation efforts. 'A HTTPS entry that indicates the web page is securely encrypted' is not a false positive, but a true negative (a non-issue). A scan result showing a version that is different from the automated asset inventory is something that should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.

A recent threat has been announced in the cybersecurity world stating that there is a critical vulnerability in the kernel of a particular operating system. Your company, unfortunately, has not maintained a current asset inventory, so you are unsure of how many of your servers may be affected. What should you do to find all of the affected servers within your network? A.Manually review the syslog server's logs B.Conduct an OS fingerprinting scan across the network C.Conduct a packet capture of data traversing the server network D.Conduct a service discovery scan on the network

B. OBJECTIVE 1.4 By utilizing operating system fingerprinting using a tool like nmap, you can identify the servers that are running each version of an operating system. This will give you an accurate list of the possibly affected servers. Once you have this list, then you can focus your attention on just those servers that need further inspection and scanning. Manually review the syslog server's log would take too long, and would not find any servers that are not configured to send their logs to the syslog server. Conducting a packet capture would only allow you to find the server actively transmitting data during the period of time you are capturing. Conducting a service discovery scan would not identify which servers are running which operating systems effectively. For example, if you see that the Apache web service is running on port 80, that doesn't indicate if you are running Linux or Windows as the underlying server.

Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, your security team has noticed there has been a large increase in the number of compromised user accounts on the system. What type of attack is most likely the cause of both of these events? A.SQL injection B.Cross-site scripting C.Cross-site request forgery D.Rootkit

B. OBJECTIVE 1.7 OBJECTIVE 1.7: This scenario is a perfect example of the effects of a cross-site scripting (XSS) attack. If your website's HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a popup window that collects passwords and uses that information to further compromise other accounts. A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. An XSS will allow an attacker to execute arbitrary JavaScript within the browser of a victim user (such as creating pop-ups), a CSRF would allow an attack to induce a victim to perform actions that they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to gain control of a computer system without being detected. SQL injection is the placement of malicious code in SQL statements, via web page input. None of the things described in this scenario would indicate a CSRF, rootkit, or an SQL injection.

While conducting a security test to ensure that information about your company's web server is protected from inadvertent disclosure, you request an HTML file from the webserver and received the following output: HTTP/1.1 404 Object Not Found Server: Microsoft-IIS/6.0 Date: Tuesday, 5 Sep 2017 1034:12 GMT Content-Type: text/html Content-Length: 132 There is no web site configured at this address. This page is a placeholder until construction begins. Which of the following actions should you take to remediate this vulnerability? A.Set 'VerifyNormalization' to 1 in the URLScan.ini configuration file B.Set "RemoveServerHeader" to 1 in the URLScan.ini configuration file C.Set "EnableLogging" to 1 in the URLScan.ini configuration file D.Set "PerProcessLogging" to 1 in the URLScan.ini configuration file

B. OBJECTIVE 1.7 This output is an example of banner grabbing being conducted against your web server. To prevent valuable information from being sent in the response, you should configure the "RemoveServerHeader" in the Microsoft IIS configuration file (URLScan.ini). If you set 'RemoveServerHeader' to 1, UrlScan will remove the server header on all responses, and the value of AlternateServerName will be ignored. If you set 'EnableLogging' to 1, UrlScan will log its actions in a file called UrlScan.log that will be created in the same directory that contains UrlScan.dll. If you set 'PerProcessLogging' to 1, UrlScan will append the process ID of the IIS process that is hosting UrlScan.dll to the log file name; for example, UrlScan.1234.log. If you set 'VerifyNormalization' to 1, UrlScan verifies normalization of the URL and will defend against canonicalization attacks, where a URL contains a double encoded string in the URL. Please note, this question may seem beyond the scope of the exam, but the objectives allow for 'other examples of technologies, processes, or tasks pertaining to each objective may also be included on the exam although not listed or covered' in the bulletized lists of the objectives. The exam tests the equivalent to 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam, it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess, and move on!

What technology is NOT PKI x.509 compliant and cannot be used in a variety of secure functions? A.AES B.Blowfish C.PKCS D.SSL/TLS

B. OBJECTIVE 2.1 AES, PKCS, and SSL/TLS are all compatible with x.509 and can be used in a wide variety of functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature algorithm. SSL/TLS is used for the secure key exchange.

Which protective feature is used to prevent a buffer overflow attack from specific applications by randomizing where components of a program are run from in memory? A.DLP B.ASLR C.DLL D.DEP

B. OBJECTIVE 2.1 ASLR randomizes where components of a running process (such as the base executable, APIs, and the heap) are placed in memory, which makes it more difficult to conduct a buffer overflow at specific points in the address space. The Windows Data Execution Prevention (DEP) feature to protect processes against exploits that try to execute code from writable memory area (stack/heap). Windows DEP prevents code from being run from a non-executable memory region. Data loss prevention (DLP) software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. A dynamic link library (DLL) is a library that contains code and data that can be used by more than one program at the same time.

Which of the following is not a recognized adversarial attack vector according to the MITRE ATT&CK framework? A.Cyber B.Informational C.Physical D.Human

B. OBJECTIVE 2.1 Cyber, human, and physical are all recognized adversarial attack vectors in the framework. While information may be exchanged in all of these factors, the term is too generic to uniquely describe any given attack vector under the MITRE ATT&CK framework. Cyber is the use of hardware or software IT systems. Human is the use of social engineering, coercion, impersonation, or force. Physical relies on gaining local access.

You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests the ability to block certain types of content before it leaves the network based on operational priorities. Which of the following solution should you recommend to meet the requirements? A.Configure IP filtering on the internal and external interfaces of the router B.Install a NIPS on the internal interface and a firewall on the external interface of the router C.Install a firewall on the router's internal interface and a NIDS on the router's external interface D.Installation of a NIPS on both the internal and external interfaces of the router

B. OBJECTIVE 2.1 Due to the requirements provided, you should install a NIPS on the internal interface of the gateway router and a firewall on the external interface of the gateway router. The firewall on the external interface will allow the bulk of the malicious inbound traffic to be filtered prior to reaching the network. Then, the NIPS can be used to conduct an inspection of the traffic entering the network and provide protection for the network using signature-based or behavior-based analysis. A NIPS is less powerful than a firewall and could easily 'fail open' if it is overcome with traffic by being placed on the external interface. The NIPS being installed on the internal interface would also allow various content types to be quickly blocked using custom signatures developed by the security team. For the same reasons that we wouldn't want to place the NIPS on the external interface in the correct choice, we also wouldn't choose to install a NIPS on both the internal and external connections. IP filtering on both interfaces of the router will not provide the ability to monitor the traffic or to block traffic based on content type. Finally, we would not want to rely on a NIDS on the external interface alone, since it can only monitor and not provide the content blocking capabilities needed.

You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario? A.Airgap B.Jumpbox C.Bastion hosts D.Physical

B. OBJECTIVE 2.1 Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox only runs the necessary administrative port and protocol (typically SSH). Administrators connect to the jumpbox then use the jumpbox to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the jumpbox) and denies connection attempts from any other hosts. A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application. For example, a proxy server and all other services are removed or limited to reduce the threat to the computer. An airgap system is a network or single host computer with unique security requirements that may physically separated from any other network. Physical separation would prevent a system from accessing the remote administration interface directly and require an airgap system to reach the private cloud.

During her login session, Sally is asked by the system for a code that is sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager? A.SMS should be encrypted to be secure B.SMS messages may be accessible to attackers via VoIP or other systems C.SMS should be paired with a third factor D.SMS is a costly method of providing a second factor of authentication

B. OBJECTIVE 2.1 NIST's SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS is unable to be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor instead. SMS is not a costly method since it can be deployed for less than $20/month at scale.

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that is going to be moved into a DMZ. Which of the following vulnerability scans is least likely to provide valuable information to the analyst? A.Web application vulnerability scan B.Database vulnerability scan C.Port scan D.Network vulnerability scan

B. OBJECTIVE 2.1 Since the server being scanned is running an Apache server, and this indicates it is a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn't contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.

Which analysis framework makes no allowance for an adversary retreat in its analysis? A.MITRE ATT&CK framework B.Diamond Model of Intrusion Analysis C.Lockheed Martin cyber kill chain D.AlienVault (AT&T Cybersecurity) Cyber Kill Chain

B. OBJECTIVE 2.1 The Lockheed Martin cyber kill chain implicitly assumes a unidirectional workflow. Therefore, it fails to consider that an adversary may retreat during an attack. MITRE and Diamond's models are more dynamic systems that allow for a broader range of adversary behaviors. AlienVault was specifically designed to avoid the rigidity of the Lockheed Martin cyber kill chain.

Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted? A.VPN B.VDI C.VPC D.UEBA

B. OBJECTIVE 2.1 Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from a user's physical computer. Virtual private cloud (VPC) is a private network segment made available to a single cloud consumer on a public cloud. A virtual private network (VPN) is a secure tunnel created between two endpoints connected via an insecure network, typically the internet. User and entity behavior analytics (UEBA) is a system that can provide automated identification of suspicious activity by user accounts and computer hosts.

What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately? A.Processor utilization B.Virtual hosts C.Organizational governance D.Log disposition

B. OBJECTIVE 2.1 Vulnerability reports should include both the physical hosts and the virtual hosts on the target network. A common mistake of new cybersecurity analysts is to only include physical hosts, thereby missing a large number of assets on the network.

An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store's IT department hired an external supplier to expand the store's network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions? A.There are no new risks due to the install and the company has a stronger physical security posture B.These devices should be isolated from the rest of the enterprise network C.These devices should be scanned for viruses before installation D.These devices are insecure and should be isolated from the internet

B. OBJECTIVE 2.1 While the physical security posture of the company has definitely been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store's network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network in order to ensure that that their network functions can continue, but they don't necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and lock on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn't protect them long-term.

Jason is conducting an assessment of a network-enabled software platform that contains a published API. In reviewing the key management for the platform, he discovers that API keys are embedded in the source code for the application. Which of the following statements best describes the security flaw with this coding practice? A.Key management is no longer required since the key is embedded in the source code B.The embedded key may be discovered by an attacker who reverse engineers the source code C.It is difficult to control the permission levels for embedded keys D.Changing the API key will require a corresponding software upgrade

B. OBJECTIVE 2.2 A sophisticated adversary may be able to discover the embedded key in the software through reverse engineering the source code. This inadvertent key disclosure could then allow an attacker to abuse the API in ways other than which it was intended. Key management would still be required, even if the key is embedded in the source code. Permission levels of a software-embedded key are still controlled like any other key. While the added inconvenience of having to install new software on the client side every time the key is changed would be inconvenient, this option does not address the underlying security issues with embedding API keys into the source code.

Dion Consulting Group has just won a contract to provide updates to an employee payroll system that was originally written years ago in C++. During your assessment of the source code, you notice the command strcpy is being used in the application. Which of the following provides is cause for concern, and what mitigation would you recommend to overcome this concern? A.strcpy could allow a buffer overflow to occur; you should rewrite the entire system in Java B.strcpy could allow a buffer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow C.strcpy could allow an integer overflow to occur; you should rewrite the entire system in Java D.strcpy could allow an integer overflow to occur; upgrade the operating system to run ASLR to prevent a buffer overflow

B. OBJECTIVE 2.2 C and C++ contain built-in functions such as strcpy that do not provide a default mechanism for checking if data will overwrite the boundaries of a buffer. The developer must identify such insecure functions and ensure that every call made to them by the program is performed securely. Many development projects use higher-level languages, such as Java, Python, and PHP. These interpreted languages will halt execution if an overflow condition is detected. However, changing languages may be infeasible in an environment that relies heavily on legacy code. By ensuring that the operating system supports ASLR, you can make it impossible for a buffer overflow to work by randomizing where objects in memory are being loaded. Rewriting the source code would be highly desirable, but could be costly, time-consuming, and is not an immediate mitigation to the problem. The strcpy function (which is short for String copy) does not work on integers, and it only works on strings. As strcpy does not check for boundary conditions, buffer overflows are certainly possible using this deprecated method.

DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as? A.Fuzzer B.Static code analyzer C.Decompiler D.Fault injector

B. OBJECTIVE 2.2 DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through the use of a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program being tested to be run in order to be analyzed.

Dion Consulting Group has recently received a contract to develop a networked control system for a self-driving car. The CIO of the company is concerned about the liability of a security vulnerability being exploited that may result in the death of a passenger or an innocent bystander. Which of the following methodologies would provide the single greatest mitigation if successfully implemented? A.Rigorous user acceptance testing B.Formal methods of verification C.DevSecOps D.Peer review of source code

B. OBJECTIVE 2.2 Formal methods of verification uses a mathematical model of the inputs and outputs of a system to prove that the system works as specified in all cases. Given the level of certainty achieved through formal methods of verification, this approach provides the single greatest mitigation against this threat. Formal methods are designed for use in critical software in which corner cases must be eliminated. For example, what should the car do if a child jumps out in front of it, and the only way to avoid the child is to swear off the road (which might kill the driver)? This is a classic corner case that needs to be considered for a self-driving car. User acceptance testing (UAT) is a beta phase of software testing. When the developers have tested the software, it is installed to a limited set of users who follow test schemes and report on findings. DevSecOps is a combination of software development, security operations, and systems operations, and refers to the practice of integrating each discipline with the others. Peer review of source code allows for the review of uncompiled source code by other developers. While DevSecOps, peer review, and user acceptance testing help bring down the risk involved in the system, only a formal method of verification could limit the liability involved with such a critical application as a self-driving car.

Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application? A.File size and file creation date B.MD5 or SHA1 hash digest of the file C.Private key of the file D.Public key of the file

B. OBJECTIVE 2.2 Keith should conduct a hash of the downloaded file and compare it against the MD5 hash digest listed on the server of this file. This file needs to be a verifiable MD5 hash file in order to validate the file integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on comparison of hash digests. A public or private key would not be assigned solely to a single file, nor do they provide integrity on their own. Public and private keys are used to ensure the confidentiality of data, whereas a hash digest ensures integrity. The file size and file creation date are additional forms of metadata that could be used to help validate the integrity of a file, but they of a much lower quality and trust factor than using a hash digest, therefore MD5 or SHA1 is still a better choice.

Which of the following technologies is NOT a shared authentication protocol? A.OpenID Connect B.LDAP C.OAuth D.Facebook Connect

B. OBJECTIVE 2.2 LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.

Annah is deploying a new application that she received from a vendor, but she is unsure if the hardware is adequate to support a large number of users during peak usage periods. What type of testing could Annah perform to determine if the application will support the required number of users? A.User acceptance testing B.Load testing C.Regression testing D.Fuzz testing

B. OBJECTIVE 2.2 Load testing or stress testing puts an application, network, or system under full load conditions to document any lapses in performance. User Acceptance Testing is the process of verifying that a created solution/software works for a user. Regression testing is defined as a type of software testing to confirm that a recent program or code change has not adversely affected existing features. Fuzz testing, or fuzzing, is a quality assurance technique used to discover coding errors and security loopholes in software, operating systems or networks. It involves inputting massive amounts of random data to the test subject in an attempt to make it crash. User acceptance testing, regression testing, and fuzz testing are not designed to test a system under heavy load conditions. Therefore, they will not be suitable for Annah's needs in this scenario.

Which of the following secure coding best practices ensures a character like < is translated into the &lt string when writing to an HTML page? A.Session management B.Output encoding C.Error handling D.Input validation

B. OBJECTIVE 2.2 Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page. Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components. Improper error handling can introduce a variety of security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID

Which role validates the user's identity when using SAML for authentication? A.SP B.IdP C.User agent D.RP

B. OBJECTIVE 2.2 The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the identity of a user (the principal) can be trusted by the SP without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase? A.Development B.Training and transition C.Operations and maintenance D.Disposition

B. OBJECTIVE 2.2 The training and transition phase ensures that end users are trained on the software and that the software has entered general use. Because of these activities, this phase is sometimes called the acceptance, installation, and deployment phase. Disposition is focused on the retirement of an application or system. Operations and maintenance is focused on the portion of the lifecycle where the application or system goes into use to provide value to the end-users. Development is the portion of the lifecycle focused on designing and coding the application or system.

A cybersecurity analyst has received an alert that well-known call home messages are continuously observed by sensors at their network boundary, but the organization's proxy firewall is properly configured to successfully drop the messages prior to them leaving the network. Which of the following is MOST likely the cause of the call home messages being sent? A.An attacker is performing reconnaissance the organization's workstations B.An infected workstation is attempting to reach a command and control server C.A malicious insider is trying to exfiltrate information to a remote network D.Malware is running on a company workstation or server

B. OBJECTIVE 3.1 A call home message is an indicator of compromise known as beaconing. Beaconing usually occurs after a stage 1 malware program has been implanted on an organization's workstation or server, but that isn't the most correct answer to this question. Instead, beaconing indicates that a workstation or server is infected and is trying to communicate with the attacker's command and control server. This beaconing will continue until the infected system (workstation or server) is found and cleared of the malware, or until the botnet gives the infected host further instructions to perform (such as to attack). The reason that 'malware is running on a company workstation or server' is incorrect is because we do not have positive verification of that based on this scenario. A beacon does not have to be malware, for example, it can simply be a single ping packet or DNS request being sent out every day at a certain time using the Windows task scheduler. Be careful on the exam to answer the question being asked and choose the 'most' accurate answer to the question. Since the call home signal is coming from the internal network and attempting to connect to an external server, it cannot be evidence of an attacker performing reconnaissance on your workstations. Also, nothing in the question is indicative of an insider threat trying to exfiltrate information, since a call home message is generally very small in size and not large enough to exfiltrate data.

You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed 'history' into the prompt and see the output: > echo 127.0.0.1 diontraining.com >> /etc/hosts Which of the following best describes what actions were performed by this line of code? A.Added the website to system's whitelist in the hosts file B.Routed traffic destined for the diontraining.com domain to the localhost C.Routed traffic destined for the localhost to the diontraining.com domain D.Attempted to overwrite the host file and deleted all data except this entry

B. OBJECTIVE 3.1 Based on the output provided, it appears that the attacker has attempted to route all traffic destined for diontraining.com to the IP address specified (127.0.0.1). This is typically done to prevent a system from communicating with a specific domain in order to redirect a host to a malicious site. In this example, the IP/domain name pair of 127.0.0.1 and diontraining.com are being written to the /etc/hosts file. Modifying your hosts file enables you to override the domain name system (DNS) for a domain on a specific machine. The command echo >> redirects the output of the content on the left of the >> to the end of the file on the right of the >> symbol. If the > was used instead of >>, then this command would have overwritten the host file completely with this entry. The hosts file is not a system whitelist file.

Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name? A.SPF B.DKIM C.SMTP D.DMARC

B. OBJECTIVE 3.1 DomainKeys Identified Mail (DKIM) provides a cryptographic authentication mechanism. This can replace or supplement SPF. To configure DKIM, the organization uploads a public key as a TXT record in the DNS server. Sender Policy Framework (SPF) uses a DNS record published by an organization hosting an email service. The SPF record identifies the hosts authorized to send email from that domain and there must be only one per domain. SPF does not provide a cryptographic authentication mechanism like DKIM does, though. The Domain-Based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that SPF and DKIM are being utilized effectively. DMARC relies on DKMI for the cryptographic authentication mechanism, making it the incorrect option for this question. The simple mail transfer protocol (SMTP) is a communication protocol for electronic mail transmission, which does not utilize cryptographic authentication mechanisms by default.

An employee contacts the service desk because they are unable to open an attachment they receive in their email. The service desk agent conducts a screen sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black popup window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue? A.The user doesn't have a PDF reader installed on their computer B.The attachment is using a double file extension to mask its identity C.The file contains an embedded link to a malicious website D.The email is a form of spam and should be deleted

B. OBJECTIVE 3.1 The message contains a file attachment in the hope that the user will execute or open it. The nature of the attachment might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black popup window that appears and then disappeared, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.

While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source? A.10.15.1.100 B.192.186.1.100 C.172.16.1.100 D.192.168.1.100

B. OBJECTIVE 3.1 This question is testing your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). During your CompTIA A+, Network+, and Security+ studies, you should have learned that private IP addresses are either 10.x.x.x, 172.16-32.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100, since it is not a private IP address.

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? A.Intrusion Detection System B.Whitelisting C.VPN D.MAC filtering

B. OBJECTIVE 3.2 By implementing whitelisting of the authorized IP addresses for the five largest vendors, they will be the only ones who will be able to access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the description in the scenario, it appears like the system is under some form of denial of service attack, but by implementing a whitelist at the edge of the network and blackholing any traffic from IP addresses that are not whitelisted, the server will no longer be overwhelmed or perform slowly to respond to legitimate requests. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to help secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve the condition (whereas an IPS could).

You are a cybersecurity analyst and your company has just enabled key-based authentication on its SSH server. Review the following log file: Sep 09 13:15:24 diontraining sshd[3423]: Failed password for root from 192.168.3.2 port 45273 ssh2 Sep 09 15:43:15 diontraining sshd[3542]: Failed password for root from 192.168.2.24 port 43543 ssh2 Sep 09 15:43:24 diontraining sshd[3544]: Failed password for jdion from 192.168.2.24 port 43589 ssh2 Sep 09 15:43:31 diontraining sshd[3546]: Failed password for tmartinez from 192.168.2.24 port 43619 ssh2 Sep 09 15:43:31 diontraining sshd[3546]: Failed password for jdion from 192.168.2.24 port 43631 ssh2 Sep 09 15:43:37 diontraining sshd[3548]: Failed password for root from 192.168.2.24 port 43657 ssh2 Which of the following actions should be performed to secure the SSH server? A.Disable anonymous SSH logon B.Disable password authentication for SSH C.Disable SSHv1 D.Disable remote root SSH logons

B. OBJECTIVE 3.2 It is common for attackers to attempt to log in remotely using the ssh service and the root or other user accounts. The best way to protect your server is to disable password authentication over ssh. Since your company just enabled key-based authentication on the SSH server, all legitimate users should be logging in using their RSA key pair on their client machines, not usernames and passwords. Based on the logs, you see the server is running SSHv2, so there is no need to disable SSHv1 (it may already be disabled). You don't want to fully disable remote root SSH logons, either, since this would make it difficult for administrators to conduct their work. Finally, based on the logs, it doesn't appear that anonymous SSH logons are an issue, either, as we don't see any anonymous attempts in the logs.

Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic? A.Artificial intelligence B.Machine learning C.Deep leaning D.Generative adversarial network

B. OBJECTIVE 3.4 A machine learning (ML) system uses a computer to accomplish a task without ever being explicitly programmed to do it. In the context of cybersecurity, ML generally works by analyzing example data sets to create its own ability to classify future items presented. If the system was presented with large datasets of malicious and benign traffic, it will learn which is malicious and use that to categorize future traffic presented to it. Artificial Intelligence is the science of creating machines with the ability to develop problem-solving and analysis strategies without significant human direction or intervention. AI goes beyond ML and can make a more complicated decision than just the classifications made by ML. A deep learning system is one which is able to determine what is malicious traffic without having the prior benefit of being told what is benign/malicious. A generative adversarial network is an underlying strategy used to accomplish deep learning but is not specific to the scenario described.

Which of the following would NOT be useful in defending against a zero-day threat? A.Segmentation B.Patching C.Threat intelligence D.Whitelisting

B. OBJECTIVE 4.2 While patching is a great way to combat threats and protect your systems, it is not effective against zero-day threats. By definition, a zero-day threat is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. This attack has no time (or days) between the time the vulnerability is discovered and the first attack, and therefore no patch would be available to combat it. By using segmentation, whitelisting, and threat intelligence, a cybersecurity analyst can put additional mitigations in place that would protect the network even if a zero-day attack was successful.

You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen: ZWNobygiSmFzb24gRGlvbiBjcmVhdGVkIHRoaXMgQ29tcFRJQSBDeVNBKyBwcmFjdGljZSBleGFtIHF1ZXN0aW9uLiBJZiB5b3UgZm91bmQgdGhpcyBxdWVzdGlvbiBpbiBzb21lb25lIGVsc2UncyBjb3Vyc2UsIHRoZXkgc3RvbGUgaXQhIik7= Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed? A.QR coding B.Base64 C.XML D.SQL

B. OBJECTIVE 4.2 While there are many different formats used by attackers to obfuscate their malicious code, Base64 is by far the most popular. If you see a string like the one above, you can attempt to decode it using an online Base64 decoder. In fact, I recommend you copy the string above and decode it to see how easy it is to reverse a standard Base64 encoded message. Some more advanced attackers will also use XOR and a key shift in combination with Base64 to encode the message and make it harder to decode, but using a tool like CyberChef can help you decode those, as well. Structured Query Language (SQL) is used to communicate with a database. Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. SQL and XML are not considered obfuscation techniques. A QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket. QR coding is the process of converting some kind of data into a single QR code. QR coding might be considered a form of obfuscation, but it is not shown in the example output provided in this question.

Which of the following tools could be used to detect unexpected output from an application being managed or monitored? A.A log analysis tool B.A behavior-based analysis tool C.A signature-based detection tool D.Manual analysis

B. OBJECTIVE 4.3 A behavior-based analysis tool can be used to capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to properly set up, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not be able to detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.

Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works at the marketing department in the company's German headquarters, just emailed all of the customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any? A.There was no privacy violation because only corporate employees had access to their email addresses B.There was a privacy violation since the customer's explicitly gave permission to use the email address as an identifier and did not consent to receiving marketing emails C.There was no privacy violation since the customer's were emailed securely through the customer relationship management tool D.There was a privacy violation since data minimization policies were not followed properly

B. OBJECTIVE 5.1 According to the European Union's General Data Protection Regulation (GDPR), personal data collected can only be used for the exact purpose in which explicit consent was obtained. In order to use email addresses for marketing purposes, a separate explicit consent should have been obtained. Since the company operates in Germany, it must follow the GDPR privacy standard. Even if a company doesn't operate within the European Union, its customers might be European Union citizens, and therefore the company should still optional follow the GDPR guidelines. While data minimization is a good internal policy to utilize, not following it doesn't equate to a privacy violation or breach. Data minimization is the principle that data should only be processed and stored if that is necessary to perform the purpose for which it is collected. The option concerning the customer relationship management (CRM) tool is a distractor since the issue is the use of the data in ways that were not consented to by the customer, not which system the email was actually sent through. A privacy violation can occur when data is viewed by corporate employees if those employees do not have a need to know, a valid business requirement to use the data, or consent from the customer to use the data for the specific purpose (as was the case in this scenario).

Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts? A.Notification to local law enforcement B.Notification to your credit card processor C.Notification to federal law enforcement D.Notification to Visa and Mastercard

B. OBJECTIVE 5.1 Any organization that processes a credit card will be required to work with their credit card processor instead of working directly with the card issuers (Visa and Mastercard). Conducting notification to your bank or credit card processor is one of the first steps in the incident response effort for a breach of this type of data. Typically, law enforcement does not have to be notified of a data breach at a commercial organization.

Which of the following agreements is used between companies and employees, between companies and contractors, and between two companies to protect information assets? A.ISA B.NDA C.SLA D.DSUA

B. OBJECTIVE 5.1 Non-disclosure agreement (NDA) is the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and does share such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employee places in them. An interconnection security agreement (ISA) is defined by NIST's SP800-4 and is used by any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. A service level agreement (SLA) is a contractual agreement that sets out the detailed terms under which a service is provided. A data sharing and use agreement (DSUA) states that personal data can only be collected for a specific purpose. A DSUA can specify terms for the way a dataset can be analyzed and proscribe the use of reidentification techniques.

What is a reverse proxy commonly used for? A.Allowing access to a virtual private cloud B.To prevent the unauthorized use of cloud services from the local network C.Directing traffic to internal services if the contents of the traffic comply with policy D.To obfuscate the origin of a user within a network

C A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy. This does not require configuration of the users' devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the response from the server back to the external client. They are not generally intended to obfuscate the source of a communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.

Which of the following types of attackers are considered to be a sophisticated and highly organized person or team who are typically sponsored by a nation-state? A.Script kiddies B.Hacktivists C.Advanced Persistent Threat D.Ethical hacker

C Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government. An APT is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware. A hacktivist is an attacker that is motivated by a social issue or political cause. A script kiddie has little skill or sophistication, and simply uses publicly available tools and techniques. An ethical hacker is someone who specializes in penetration testing and in other testing methodologies that ensures the security of an organization's information systems. An ethical hacker is also known as a white hat hacker.

Which of the following is the default Nmap scan type when you do not provide with a flag when issuing the command? A.A TCP FIN scan B.A TCP connect scan C.A TCP SYN scan D.A UDP scan

C By default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix). A UDP scan requires the -sU flag to be issued when launching a nmap scan. A TCP FIN scan requires the -sF flag to be issued when launching a nmap scan.

A threat intelligence analyst is researching a new indicator of compromise. At the same time, the web proxy server-generated an alert for this same indicator of compromise. When asked about this alert, the analyst insists that they did not visit any of the related sites, but instead they were simply listed in the results page of their search engine query. Which of the following is the BEST explanation for what has occurred? A.The standard approved browser was not being used by the analyst B.A link related to the indicator was accidentally clicked by the analyst C.Prefetch is enabled on the analyst's web browser D.Alert is unrelated to the search that was conducted

C Prefetch is a capability in modern web browsers that is used to speed up web browsing by grabbing content that may be asked for by the user at a later time. For example, if you search for a term and the results are being shown to the user, prefetch will download the first three results in anticipation of the user clicking one of the top three links. In the scenario presented in this question, the prefetch has downloaded the malicious content and therefore caused the alert.

You are interpreting a Nessus vulnerability scan report and identified a vulnerability in the system which has a CVSS attack vector rating of A. Based on this information, which of the following statements would be true? A.The attacker must have physical or logical access to the affected system B.Exploiting the vulnerability requires the existence of specialized conditions C.The attacker must have access to the local network that the system is connected to D.Exploiting the vulnerability does not require any specialized conditions

C The attack vector explains what type of access that the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent, where the attacker must launch the attack from the same shared physical (such as Bluetooth or Wi-Fi network), logical network (such as a local subnet), or a limited administrative domain (such as a VPN or MPLS). An attack vector of Network (N) would allow the attack to extend beyond these options and conduct a remote exploitation of the vulnerability. An attack vector of Local (L) would require the attacker to conduct the exploit locally at the workstation via the keyboard or over an SSH connection. An attack vector of Physical (P) would require the attacker to physically touch or manipulate the vulnerable component themselves, such as conducting a cold boot attack.

In which phase of the security intelligence cycle is published information relevant to security issues provided to those who need to act on that information? A.Feedback B.Analysis C.Dissemination D.Collection

C The dissemination phase refers to publishing information produced by analysis to consumers who need to act on the insights developed. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The final phase of the security intelligence cycle is feedback and review, which utilizes the input of both intelligence producers and intelligence consumers. The goal of this phase is to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.

You are analyzing the SIEM for your company's ecommerce server when you notice the following URL in the logs of your SIEM: https://www.diontraining.com/add_to_cart.php?itemId=5'+perItemPrice='0.00'+quantity='100'+/><item+id='5&quantity=0 Based on this line, what type of attack do you expect has been attempted? A.SQL injection B.Buffer overflow C.XML injection D.Session hijacking

C This is an example of a XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of an application, and XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server's XML structure. The original XML structure would be: <addToCart> <item id='5' perItemPrice='50.00' quantity='1' /> </addToCart>. By using the URL above, this would be modified to the following: <addToCart> <item id='5' perItemPrice='0.00' quantity='10' /> <item id='5' perItemPrice='50.00' quantity='0' /> </addToCart>. The result would be that a new line was added in the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store's add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attacks consists of the exploitation of the web session control mechanism, which is normally managed for a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, which is shown by the bracketed data.

You are analyzing the logs of a web server and see the following entry: 192.168.1.25 - - [05/Aug/2020:15:16:42 -0400] "GET /%27%27;!-%22%3CDION%3E=&{()} HTTP/1.1″ 404 310 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.12) Gecko/2009070812 Ubuntu/19.04 (disco dingo) Firefox/3.0.12 ″ Based on this entry, which of the following attacks was attempted? A.XML injection B.Buffer overflow C.XSS D.SQL injection

C This is an example of an XSS attack as recorded by the log of a web server. In this example, the XSS attack was obfuscated by the attacker using HTML encoding. The encoding of %27%27 translates to two single quote marks (' '). While you don't need to be able to decode the exact string used in the logs, when you see HTML encoding on the exam it is usually going to be a XSS attack unless you see SQL or XML statements in the string, which in this case there are neither of those. Cross-site scripting (XSS) attacks use a specially crafted URL that includes attack code that will cause information that a user enters into their web browser to be sent to the attacker. An attacker finds a web server that is vulnerable to XSS and sends a legitimate looking URL with XSS attack code appended to the end of the URL through a phishing email or other message to trick the user into clicking the link. A buffer overflow is any attempt to write data to a buffer that overruns the buffer's boundary and write data into the adjacent memory locations, which is not occurring in this example.

Which of the following is the most difficult to confirm with an external vulnerability scan? A.Cross-site scripting (XSS) B.Cross-site request forgery (XSRF/CSRF) C.Blind SQL injection D.Unpatched web server

C Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred. XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. Unpatched servers can usually be identified by the banner information.

What remediation strategies are the MOST effective in reducing the risk to an embedded ICS from a network-based compromise? (Select TWO) A.Patching B.NIDS C.Disabling unused services D.Segmentation

C,D. OBJECTIVE 2.1 Segmentation is the best method to reduce the risk to an embedded ICS system from a network-based compromise. Additionally, you could disable unused services to reduce the footprint of the embedded ICS. Many of these embedded ICS systems have a large number of default services running. So, by disabling the unused services, we can better secure these devices. By segmenting the devices off the main portion of the network, we can also better protect them. A NIDS might detect an attack or compromise, but it would not reduce the risk of the attack succeeding since it can only detect it. Patching is difficult for embedded ICS devices since they usually rely on customized software applications that are rarely provided updates.

Which of the following must be combined with a threat to create risk? A.Malicious actor B.Mitigation C.Vulnerability D.Exploit

C. OBJECTIVE 1.2 A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization's security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization's security goals. A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for the purposes of threats and vulnerabilities since their goals lie outside your organization's security goals.

A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could potentially contain some vulnerabilities that could weaken the security posture of the network. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? A.Scan the laptops for vulnerabilities and patch them B.Increase the encryption level of VPN used by the laptops C.Implement a jumpbox system D.Require 2FA (two-factor authentication) on the laptops

C. OBJECTIVE 2.1 A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an airgap, or using a jumpbox.

Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks? A.Directory traversals B.File inclusions C.Faulty input validation D.Output encoding

C. OBJECTIVE 2.1 A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path so that the application reads or executes a file in a parent directory. In a file inclusion attack, the attacker adds a file to the running process of a web app or website. The file is either constructed to be malicious or manipulated to serve the attacker's malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker's site.

You need to perform an architectural review and select a view that focuses on the technologies, settings, and configurations used within the architecture. Which of the following views should you select? A.Operational view B.Acquisition view C.Technical view D.Logical view

C. OBJECTIVE 2.1 A technical view focuses on technologies, settings, and configurations. An operational view looks at how a function is performed or what it accomplishes. A logical view describes how systems interconnect. An acquisition views focus on the procurement process.

Which of the following type of threats did the Stuxnet attack rely on to cross an airgap between a business and an industrial control system network? A.Directory traversal B.Cross-site scripting C.Removable media D.Session hijacking

C. OBJECTIVE 2.1 Airgaps are designed to remove connections between two networks in order to create a physical segmentation between them. The only way to cross an airgap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an airgap.

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system? A.Fingerprint and retinal scan B.Password and security question C.Smartcard and PIN D.Username and password

C. OBJECTIVE 2.1 Multi-factor authentication (MFA) creates multiple layers of security to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inheritance factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inheritance). Choosing a username, password, and security question would also be only using one factor (knowledge). For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inheritance, location, or action.

Which party in a federation provides services to members of the federation? A.IdP B.SSO C.RP D.SAML

C. OBJECTIVE 2.1 Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties between an identity provider and a service provider (SP) or relaying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.

Your organization is updating its Acceptable User Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement? A.Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters B.Open authentication standards should be implemented on all wireless infrastructure C.All guests must provide valid identification when registering their wireless devices for use on the network D.Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server

C. OBJECTIVE 2.1 Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest's need for access, which is known as sponsoring the guest. While setting a strong password or using 802.1x are both good security practices, these alone do not meet the sponsorship requirement posed by the question. An open authentication standard only requires that the guest be aware of the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? A.RADIUS B.CHAP C.TACACS+ D.Kerberos

C. OBJECTIVE 2.1 TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but it was not developed by Cisco. Kerberos is an open-source network authentication protocol designed by Matte Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.

Which model of software development emphasizes individuals and interactions over processes and tools, customer collaboration over contract negotiation, and working software over comprehensive documentation? A.Waterfall B.Spiral C.Agile D.RAD

C. OBJECTIVE 2.2 Agile software development is characterized by the principles of the Agile Manifesto. The Agile Manifesto emphasizes individuals and interactions over the processes and tools that Spiral and Waterfall rely on. It also focuses on working software, customer collaboration, and responding to change as key elements of the Agile process. The waterfall model is a breakdown of project activities into linear sequential phases, where each phase depends on the deliverables of the previous one and corresponds to a specialization of tasks. Rapid Application Development (RAD) is a form of agile software development methodology that prioritizes rapid prototype releases and iterations. Unlike the Waterfall method, RAD emphasizes the use of software and user feedback over strict planning and requirements recording. Spiral development is a risk-driven software development model that guides a team to adopt elements of one or more process models, such as incremental, waterfall, or evolutionary prototyping.

Dion Consulting Group has been hired to analyze the cybersecurity model for a new videogame console system. The manufacturer's team has come up with four recommendations to prevent intellectual property theft and piracy. As the cybersecurity consultant on this project, which of the following would you recommend they implement first? A.Ensure that all games for the console are distributed as encrypted so that they can only be decrypted on the game console B.Ensure that all games require excessive storage sizes so that it is difficult for unauthorized parties to distribute C.Ensure that all each individual console has its own unique key for decrypting individual licenses and tracking which console has purchased which game D.Ensure that all screen capture content is visibly watermarked

C. OBJECTIVE 2.2 Ensuring that each individual console has its own unique key will allow the console manufacturer to track who has purchased which games when using digital rights management licensing. Additionally, this can be achieved by using a hardware root of trust, such as a TPM module in the processor. While encrypting the games during distribution will provide some security, if the encryption key were ever compromised, then the games could be decrypted and distributed by unauthorized parties. The recommendation of making the game arbitrarily large will frustrate both authorized and unauthorized, which could negatively impact sales, so it is a poor recommendation to implement. Visibly watermarking everything will only aggravate the user, provide a negative customer experience, and will not help fight software piracy.

A software assurance laboratory is performing a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which of the following is the laboratory performing? A.Fuzzing B.Stress testing C.User acceptance testing D.Security regression testing

C. OBJECTIVE 2.2 Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security, are therefore of high significance and the interest in such approaches has steadily increased. Stress testing verifies the stability and reliability of the system by measuring the system on its robustness and error handling capabilities under extremely heavy load conditions.

Jorge and Marta are working on a programming project together. During a code review, Marta explains to Jorge the code she wrote while he looks at the code on her computer. Which of the following code review techniques is being used in this scenario? A.Pair programming B.Dual control C.Over-the-shoulder D.Tool-assisted review

C. OBJECTIVE 2.2 Over-the-shoulder code reviews rely on a programmer explaining their code to a peer. This provides a chance for a review of the code and a better understanding of the code for both programmers. In this example, Marta is explaining her code to Jorge, while he looks over her shoulder. Pair programming alternates between programmers, with one strategizing and reviewing it while the other enters the code into the computer. Dual control is a personnel security process that requires more than one employee available to perform a specific task. This is used with split knowledge and is not a form of code review. A tool-assisted review is conducted using a software tool or other form of automation.

Dion Training's security team recently discovered a bug in their software's code. The development team released a software patch to remove the vulnerability caused by the bug. What type of test should a software tester perform on the application to ensure that the application is still functioning properly after the patch is installed? A.Fuzzing B.User acceptance testing C.Regression testing D.Penetration testing

C. OBJECTIVE 2.2 Regression testing is re-running functional and non-functional tests to ensure that previously developed and tested software still performs after a change. After installing any patch, it is important to conduct regression testing to confirm that a recent program or code change has not adversely affected existing features or functionality. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User acceptance testing is a test conducted to determine if the requirements of a specification or contract have been met. A penetration test is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.

Which of the following does a User Agent request a resource from when conducting a SAML transaction? A.Relying party (RP) B.Identity provider (IdP) C.Service provider (SP) D.Single sign-on (SSO)

C. OBJECTIVE 2.2 Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the identity of a user (the principal) can be trusted by the SP without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

According to the Center for Internet Security's system design recommendation, which of the following control categories would contain information on the best security practices to implement within the SLDC? A.Inventory of authorized/unauthorized devices B.Controlled use of administrative privileges C.Application software security D.Malware defenses

C. OBJECTIVE 2.2 Since the software development lifecycle (SDLC) is focused on building software applications, the best control category would be application software security. While all other documents hosted by the Center for Internet Security contain useful information, the application software security control is the one most likely to contain relevant information relating to best practices to implement in the SDLC.

Your company has been contracted to develop an Android mobile application for a major bank. You have been asked to verify the security of the Java function's source code below: int verifyAdmin(String password) { if (password.equals('mR7HCS14@31&#')) { return 0; } return 1; } Which of the following vulnerabilities exist in this application's authentication function based solely on the source code provided? A.The function is using parameterized queries B.The function is vulnerable to an SQL injection attack C.The function is using hard-coded credentials to verify the password entered by the user D.The function is vulnerable to a buffer overflow attack

C. OBJECTIVE 2.2 The function is using hard-coded credentials in the function, which is an insecure practice that can lead to compromise. The password for the application is shown in the source code as mR7HCS14@31&#. Even if this was obfuscated using encoding or encryption, it is a terrible security practice to include hard-coded credentials in the application since they can be reverse engineered by an attacker, and in this case, it could be used to rob the bank or its customers! There is no evidence of a SQL injection or buffer overflow attack vulnerability based on the code being shown. In fact, this code doesn't even show any SQL or ability to connect to an SQL database. We cannot see the variable initiation in this code, either, so we cannot determine if it is vulnerable to a buffer overflow attack. Finally, a parameterized query is a security feature, not a vulnerability, and this source code does not show any evidence of parameterized queries being used.

You are reviewing the latest list of important web application security controls published by OWASP. Which of these items is LEAST likely to appear on that list? A.Implement identity and authentication controls B.Implement appropriate access controls C.Obscure web interface locations D.Leverage security frameworks and libraries

C. OBJECTIVE 2.2 The least likely option to appear in the list is to obscure web interface locations. This recommendation is based on the concept of security through obscurity and is not considered a good security practice. The other options are all considered best practices in designing web application security controls and help to create software assurance in our programs.

Which of the following options places the correct phases of the waterfall method of the Software Development Lifecycle in the correct order? A.Planning, requirements analysis, design, implementation, deployment, testing, maintenance B.Requirements analysis, planning, design, implementation, testing, deployment, and maintenance C.Planning, requirements analysis, design, implementation, testing, deployment, and maintenance D.Requirements analysis, planning, design, implementation, deployment, testing, maintenance

C. OBJECTIVE 2.2 The software development lifecycle (SDLC) can be conducted using waterfall or agile methods. The waterfall method moves through seven phases: planning, requirements, design, implementation, testing, deployment, and maintenance. Planning involves training the developers and testers in security issues, acquire security analysis tools, and ensuring the security of the development environment. Requirements analysis is used to determine the needs for security and privacy in terms of data processing and access controls. Design identifies threats and controls or secure coding practices to meet the requirements. Implementation performs white box source code analysis and code reviews to identify and resolve vulnerabilities. Testing performs black box or grey box analysis to test for vulnerabilities in the published application and its publication environment. Deployment installs and operates the software packages and best practice configuration guides. Maintenance involves the ongoing security monitoring and incident response procedures, patch development and management, and other security controls. For a question like this on the real certification exam, you may be asked to drag and drop the seven steps into the proper order instead of receiving this as a multiple-choice question.

A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies? A.Forcing the use of TLS for the web application B.Forcing the use of SSL for the web application C.Setting the secure attribute on the cookie D.Hashing the cookie value

C. OBJECTIVE 2.2 When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still would need to set the Secure attribute on the cookie. Hashing the cookie provides integrity of the cookie, not confidentiality; therefore, it will not solve the issue presented by this question.

Following a root cause analysis of the unexpected failure of an edge router, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue? A.Increase network vulnerability scan frequency B.Ensure all anti-virus signatures are up to date C.Conduct secure supply chain management training D.Verify that all routers are patched to the latest release

C. OBJECTIVE 2.3 Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization's supply chain. Training on detection methodologies (i.e., simple visual inspections) and training for acquisition personnel will better prevent recurrences.

Which of the following ensures multi-threaded processing is conducted securely? A.Trusted execution B.Processor security extensions C.Atomic execution D.Secure enclave

C. OBJECTIVE 2.3 Atomic execution by operations and distributes their processing across the multi-threaded processing environment securely. Trusted execution ensures that the attestation of the authenticity of the platform and its operating system is conducting, that the operating system starts in a trusted environment, and that a trusted operating system cannot be run on an unproven platform. The secure enclave is a secure coprocessor that includes a hardware-based key manager, which is isolated from the main processor to provide an extra layer of security. Processor security extensions are built into many modern processors to provide secure processing capabilities.

Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the operating system can load itself? A.Advanced anti-malware B.Startup Control C.Measured boot D.Master Boot Record analytics

C. OBJECTIVE 2.3 Measured boot is a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server. Master boot record analysis is used to capture the required information of the hard disk to support a forensic investigation and would not detect malware during the system's boot-up process. Startup control would be used to determine which programs will be loaded when the operating system is initially booted, but this would be too late to detect malware loaded during the pre-startup and boot process. Advanced anti-malware solutions are programs that are loaded within the operating system. Therefore, they are loaded too late in the startup process to be effective against malicious boot sector viruses and other BIOS/UEFI malware variants.

ou have been investigating how a malicious actor was able to exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that the web server's BIOS had been modified by the installation of a rootkit. After you remove the rootkit and reflash the BIOS to a known good image, what should you do in order to prevent the malicious actor from affecting the BIOS again? A.Install an anti-malware application B.Install a host-based IDS C.Utilize secure boot D.Utilize file integrity monitoring

C. OBJECTIVE 2.3 Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.

Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica that is sold in the general marketplace? A.Recycling B.Capitalism C.Counterfeiting D.Entrepreneurship

C. OBJECTIVE 2.3 While the unauthorized third-party may assemble a component that was legitimately made from OEM parts, the fact remains that those parts were never intended for distribution under the manufacturer's legitimate label. Therefore, this is considered counterfeiting. As a cybersecurity analyst, you need to be concerned with your organization's supply chain management. There have been documented cases of counterfeit hardware (like switches and routers) being sold with malware or lower mean time between failures, both of which affect the security of your network.

Your company was recently the victim of a cross-site scripting attack. The system administrators claim this wasn't possible since they performed input validation using REGEX to alert on any strings that contain the term '[Ss]cript' in them. Which of the following statements concerning this attack is true? A.An SQL injection must have occurred since their input validation would have prevented (lessthan(justpicturethesymbolbecausequizletwontletme)SCRIPT(greaterthan) or (lessthan)script(greaterthan) from being used B.The server has insufficient logging and monitoring configured C.The REGEX expression to filter using '[Ss]cript' is insufficient. As an attacker could use SCRIPT or SCRipt or %53CrIPT to evaded it D.The attacker has modified the logs to cover their tracks and prevent a successful investigation

C. OBJECTIVE 3.1 The most likely explanation is that the REGEX filter was insufficient to eliminate every single possible cross-site scripting attack that could occur. Since cross-site scripting relies on the script and /script HTML tags to launch, the system administrators had a good idea of creating input validation using a REGEX for those keywords. Unfortunately, they forgot to include a more inclusive version of this REGEX to catch all variants. For example, simply using [Ss][Cc][Rr][Ii][Pp][Tt] would have been much more secure, but even this would miss %53CrIPT would evade this filter. To catch all variants of the letter S, you would need to use [%53%%73Ss], which includes the capital S in hex code, the lower case s in hex code, the capital S, and the lowercase s. While it is possible that an attacker used an SQL injection instead, their REGEX input validation would still have allowed a cross-site scripting attack to occurs, so this option must be eliminated. As for the logging options, both are possible in the real world, but they do not adequately answer this question's scenario. The obvious flaw in their input validation is their REGEX filter.

You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the target of the attack? A.389 B.3389 C.443 D.21

C. OBJECTIVE 3.1 Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).

You just received a notification that your company's email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? A.Firewall logs showing the SMTP connections B.The SMTP audit log from his company's email server C.The full email header from one of the spam messages D.Network flows for the DMZ containing the email servers

C. OBJECTIVE 3.1 You should first request a copy of one of the spam messages that include the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or if it was external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis further based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, then you will need to conduct more research to determine the best method to solve the underlying problem.

Which tool should a malware analyst utilize to track the changes made to the registry and the file system while running a suspicious executable on a Windows system? A.ProcDump B.DiskMon C.Process Monitor D.Autoruns

C. OBJECTIVE 4.2 Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. Autoruns shows you what programs are configured to run during system bootup or login. ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. DiskMon is an application that logs and displays all hard disk activity on a Windows system. This question may seem beyond the scope of the exam, but the objectives allow for 'other examples of technologies, processes, or tasks pertaining to each objective may also be included on the exam although not listed or covered' in the bulletized lists of the objectives. The exam tests the equivalent to 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam, it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Stephanie believes that her computer had been compromised because her computer suddenly begins to slow down and often freezes up. Worried her computer was infected with malware, she immediately unplugged the network and power cables from the back of her computer. Per the company procedures, she contacts the help desk, fills out the appropriate forms, and a cybersecurity analyst is sent to investigate. The analyst was not able to confirm or deny the presence of possible malware on her computer. Which of the following should have been performed during the incident response preparation phase to prevent this issue? A.Documenting the organization's incident response procedures B.Install additional network monitoring to conduct full packet capture of all network traffic C.Train users to not unplug their computers when a suspected incident is occurring D.The computer should have been scanned for vulnerabilities and patched

C. OBJECTIVE 4.2 The issue presented in this scenario is that Stephanie unplugged the computer before anyone had a chance to investigate it. During the preparation phase of the incident response process, the company should train its users on what to do in the case of an anomaly or suspected malware intrusion. Many years ago, it was commonly assumed that unplugging the computer is the best thing to do when a system is suspected to be infected with malware. This is no longer true because many types of malware are installed when the computer is running, but when you power off and reboot the machine, they can encrypt the hard drive, infect the boot sector, or corrupt the operating system. In modern cybersecurity organizations, users are instead trained to contact the service desk or the security operations center, and then an analyst can decide the best course of action (i.e., segmentation, isolation, reconstruction, or disposal). Monitoring of network traffic might have detected that something was on Sue's computer, but it would not necessarily have provided an IOC to the same degree that a volatile memory capture might have. Based on the scenario, the company clearly had documented procedures that were used and followed. Based on the scenario, there is no indication that the company's current scanning or patching policy is at fault. It is very expensive and resource-intensive to conduct full network packet capture of the network at all times. Many organizations do not have the need for this type of extensive monitoring. Therefore, it is only done as part of threat hunting or in specific ranges, such as in the DMZ or for a specific critical server.

Which of the following is NOT a host-related indicator of compromise? A.Processor consumption B.Drive capacity consumption C.Beaconing D.Memory consumption

C. OBJECTIVE 4.3 Beaconing is considered a network-related indicator of compromise. Memory consumption, processor consumption, and drive capacity consumption are all classified as host-related indicators of compromise.

Barrett needs to verify settings on a macOS computer to be sure that the configuration he expects is what is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system? A.The registry B..profile files C.plists D..config files

C. OBJECTIVE 4.3 Preference and configuration files in macOS use property lists (plists) to specify the attributes, or properties, of an app or process. An example is the preferences plist for the Finder in the Library/Preferences/ folder of a user's home folder. The file is named com.apple.finder.plist. The registry is used to store registration configuration settings on Windows systems. A profile (.profile) file is a start-up file of an UNIX user, like the autoexec.bat file of DOS. A configuration (.config) file is a configuration file used by various applications containing plain text parameters that define settings or preferences for building or running a program. This is commonly used in Windows systems.

When using tcpdump, which option or flag would you use to record the ethernet frames during a packet capture? A.-n B.-nn C.-e D.-X

C. OBJECTIVE 4.4 The -e option includes the ethernet header during packet capture. The -n flag will show the IP addresses in numeric form. The -nn option shows IP addresses and ports in numeric format. The -X option will capture the packet's payload in hex and ASCII formats.

Which one of the following is an open-source forensic tool suite? A.FTK B.EnCase C.SIFT D.Helix

C. OBJECTIVE 4.4 The SIFT (SANS investigative forensics toolkit) Workstation is a group of free, open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. It can match any current incident response and forensic tool suite. SIFT demonstrates that advanced incident response capabilities and deep-dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated. FTK, EnCase, and Helix are all commercially available tools.

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system? A.Data custodian B.Data steward C.Data owner D.Privacy officer

C. OBJECTIVE 5.1 A data owner is a person responsible for the confidentiality, integrity, availability, and privacy of information assets. They are usually senior executives and somebody with authority and responsibility. A data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls. The data owner typically selects the data steward and data custodian and has the authority to direct their actions, budgets, and resource allocations. The data steward is primarily responsible for data quality. This involves tasks such as ensuring data are labeled and identified with appropriate metadata, and that data is collected and stored in a format and with values that comply with applicable laws and regulations. The data custodian is the role that handles managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures. The privacy officer is the role responsible for oversight of any PII/SPI/PHI assets managed by the company.

Taylor needs to sanitize hard drives from some leased workstations that are being returned to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process? A.Clear, validate, and document the sanitization of the drives B.Clear the drives C.Purge, validate, and document the sanitization of the drives D.The drives must be destroyed to ensure no data loss

C. OBJECTIVE 5.1 Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the data from the drives without harming the drives themselves. Clearing them leaves the possibility that some tools would allow data recovery. Since the scenario indicates that these were leased drives that must be returned at the end of a lease, they cannot be destroyed.

Which of the following is typically used to secure the CAN bus in a vehicular network? A.Anti-virus B.UEBA C.Endpoint protection D.Airgap

D The majority of vehicles do not currently have a mechanism by which an attacker can remotely access a vehicle. However, there have been numerous demonstrations where the CAN bus can be accessed and corrupted through an available diagnostic port within the automobile or unmanned aerial vehicle. The most typical security measure used is an airgap between a vehicle's entertainment system (which may have internet access) and the vehicle's CAN bus. Endpoint protection, anti-virus, and user and entity behavior analytics (UEBA) are not usually installed in vehicular networks as a security measure.

Which of the following is NOT a part of the vulnerability management lifecycle? A.Remediation B.Testing C.Detection D.Investigating

D. OBJECTIVE 1.3 The three phases of the vulnerability management lifecycle are detection, remediation, and testing.

Syed is developing a vulnerability scanner program for a large network of sensors that are used to monitor his company's transcontinental oil pipeline. What type of network is this? A.SoC B.CAN C.BAS D.SCADA

D. OBJECTIVE 1.5 SCADA (supervisory control and data acquisition) networks is a type of network that works off of an ICS (industry control system) and is used to maintain sensors and control systems over large geographic areas. A building automation system (BAS) for offices and data centers ('smart buildings') can include physical access control systems, but also heating, ventilation, and air conditioning (HVAC), fire control, power and lighting, and elevators and escalators. Vehicular networks are called a controller area network (CAN). A CAN uses serial communication buses to connect electronic control units and other subsystems in cars and unmanned aerial vehicles (UAV). System-on-chip (SoC) is a design where all these processors, controllers, and devices are provided on a single processor die or chip.

Which of the following is NOT considered part of the Internet of Things? A.SCADA B.ICS C.Smart television D.Laptop

D. OBJECTIVE 1.5 Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other things examples of devices classified as the Internet of Things (IoT). A laptop would be better classified as a computer or host than as part of the Internet of Things. The Internet of things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes? A.Purge B.Degauss C.Destroy D.Clear

D. OBJECTIVE 2.1 Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.

Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? A.Kerberos B.ADFS C.SAML D.OpenID Connect

D. OBJECTIVE 2.1 OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

What is the lowest layer (bottom layer) of a bare-metal virtualization environment? A.Hypervisor B.Host operating system C.Guest operating system D.Physical hardware

D. OBJECTIVE 2.1 The bottom layer is physical hardware in this environment. It is what sits beneath the hypervisor and controls access to guest operating systems. The bare-metal approach doesn't have a host operating system.

Which of the following types of encryption would ensure the best security of a website? A.SSLv1 B.SSLv2 C.SSLv3 D.TLS

D. OBJECTIVE 2.1 Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS was developed in 1999 as SSLv3.1, but its name was changed to separate itself from Netscape, who developed the original SSL protocol. Because of this history, the terms TLS and SSL are often used interchangeably. Secure Socket Layer uses three versions: SSLv1, SSLv2, and SSLv3. All of these versions of SSL are considered obsolete and insecure.

You work as a cybersecurity analyst at a software development firm. The software developers have begun implementing commercial and open source libraries into their codebase so that they can minimize the time it takes to develop and release a new application. Which of the following should be your biggest concern as a cybersecurity analyst? A.There are no concerns with using commercial or open-source libraries to speed up developments B.Open-source libraries are inherently insecure because you do not know who wrote them C.Whether or not the libraries being used in the projects are the most up to date versions D.Any security flaws present in the library will also be present in the developed application

D. OBJECTIVE 2.2 Any security flaws present in a commercial or open-source library will also be present in the developed application. A library is vulnerable, just as any other application or code might be. There are both known (discovered) and unknown vulnerabilities that could exist in the libraries being integrated into the project. Therefore, the software development team needs to ensure that they are monitoring the applicable libraries for additional CVEs that might be uncovered at a later date, that they have plans for how to distribute appropriate patches to their customers and a plan for integrating subsequent updates into their own codebase. Open-source libraries are not more vulnerable or insecure than commercial available or in-house developed libraries. In fact, most open-source software is more secure because it is widely analyzed and reviewed by programmers all around the world. While ensuring the most up to date versions of the libraries is a valid concern, as a cybersecurity analyst, you should be more concerned with current security flaws in the library so you can conduct risk management and implement controls to mitigate these vulnerabilities, and determine the method for continuing updates and patch support.

An independent cybersecurity researcher has contacted your company with proof of a buffer overflow vulnerability in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development? A.Dynamic code analysis B.Pair programming C.Manual Peer Review D.Static code analysis

D. OBJECTIVE 2.2 Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability, but they do not have the same level of success as a static code analysis using proper tools would. DevSecOps methodology would also improve the likelihood of detection of such an error but still rely on a human to human interactions and human understanding of source code in order to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition, but again, a static code analysis tool is designed to find buffer overflows more effectively.

Which of the following secure coding best practices ensures special characters like <, >, /, and ' are not accepted from the user via a web form? A.Session management B.Output encoding C.Error handling D.Input validation

D. OBJECTIVE 2.2 Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce a variety of security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example translating the < character into the &lt; string when writing to an HTML page.

What control provides the best protection against both SQL injection and cross-site scripting attacks? A.Hypervisors B.Network layer firewalls C.CSRF D.Input validation

D. OBJECTIVE 2.2 Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks. A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use. Cross-site request forgery (CSRF) is another attack type. A hypervisor controls access between virtual machines.

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the data on the storage devices before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives? A.Incinerate and replace the storage devices B.Conduct zero-fill on the storage devices C.Use a secure erase (SE) utility on the storage devices D.Perform a cryptographic erase (CE) on the storage device

D. OBJECTIVE 2.3 Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case, the hard drives already used data at rest. Therefore, the most efficient method would be to choose CE. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives, and it takes much longer than the CE method. The final option is to conduct physical destruction, but since the scenario states that the storage device will be reused, this is not a valid technique. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.

Which of the following is not normally part of an endpoint security suite? A.IPS B.Software firewall C.Anti-virus D.VPN

D. OBJECTIVE 3.1 Endpoint security includes software host-based firewalls, host-based intrusion protection systems (HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is a network security tool.

What containment techniques is the strongest possible response to an incident? A.Segmentation B.Isolating affected systems C.Isolating the attacker D.Enumeration

D. OBJECTIVE 4.2 Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, to placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system, but it would not be the strongest possible response since there could be malicious code still running on your victimized machine.

Which of the following are the four phases of an OODA loop? A.Organize, Orchestrate, Design, Apply B.Orchestrate, Observe, Deliver, Act C.Orient, Organize, Detect, Apply D.Observe, Orient, Decide, Act

D. OBJECTIVE 4.2 The OODA (Observe, Orient, Decide, Act) loop was first created by US Military strategist Colonel John Boyd. COL Boyd famously demonstrated his thought model within the air-to-air combat domain with a high success rate. COL Boyd's claim was that he could begin any scenario with an adversary pilot directly behind him and within a tactically short period of time, he could reverse the alignment so that he was behind his adversary. The OODA loop construct has been successfully applied to almost every field where competition against an adversary is a definitive feature. Therefore, it can be useful for cybersecurity defenders in trying to our maneuver and adversary in their networks, too!

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement? A.Forensic analysis report B.Chain of custody report C.Trends analysis report D.Lessons learned report

D. OBJECTIVE 4.2 The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details. A trend analysis report describes whether behaviors have increased, decreased, or stayed the same over time. Chain of custody report is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.

If an attacker is able to compromise an Active Directory domain by utilizing an attack to grant administrative access to the domain controllers for all members of the domain, which type of attack is being used? A.Pass the hash B.Lateral movement C.Pivoting D.Golden ticket

D. OBJECTIVE 4.3 A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they are able to compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.

Which of the following Wireshark filters should be applied to a packet capture to detect applications that are sending passwords in cleartext to a REST API located at 10.1.2.3? A.http.request.method=='POST' B.ip.proto=tcp C.ip.dst=10.1.2.3 D.http.request.methd=='POST' && ip.dst=10.1.2.3

D. OBJECTIVE 4.4 Filtering the available PCAP with just the http 'post' methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). By combining both of these, you can minimize the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto=tcp filter would display all TCP traffic on a network, regardless of the port, IP address, or protocol being used. It would simply produce too much information to analyze.

Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that a data breach will cost them $120,000 for each occurrence. Based on her analysis, she believes that a data breach will occur once every four years and have a risk factor is 30%. What is the ALE for a data breach within Jamie's organization? A.$9,000 B.$36,000 C.$90,000 D.$360,000

D. OBJECTIVE 5.2 The single loss expectancy (SLE) is the amount that would be lost in a single occurrence (AV) times the risk factor (RF). The annual loss expectancy (ALE) is the total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO). SLE = AV x RF = $120,000 x 0.3 = $36,000 ALE = SLE x ARO = $36,000 x 0.25 = $9,000

Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place? A.Separation of duties B.Least privilege C.Dual control D.Mandatory vacations

D. OBJECTIVE 5.3 Mandatory vacation policies require employees to take time away from their job and help to detect fraud or malicious activities. Even if other controls such as separation of duties, least privilege, and dual control are used, an employee could still collude with others to conduct fraud. By utilizing mandatory vacation policies, this fraud can often be discovered since a new person will be conducting the duties assigned to the person on vacation. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to perform the action together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities.

You have been hired as a consultant to help Dion Training develop a new disaster recovery plan. Dion Training has recently grown in the number of employees and information systems infrastructure used to support its employees. Unfortunately, Dion Training does not currently have any documentation, policies, or procedures for its student and faculty networks. What is the first action you should take to assist them in developing a disaster recovery plan? A.Conduct a risk assessment B.Develop a data retention policy C.Conduct a vulnerability scan D.Identify the organization's assets

D. OBJECTIVE 5.3 The first step to developing an effective disaster recovery plan is to identify the assets. It is imperative that the organization understands exactly what assets they own and operate. Once identified, you can then determine what assets and services are essential to business operations, what risks are facing them, and how best to recovery in the event of a disaster. To best understand the risks facing the organization, they will undertake an organization-wide risk assessment and conduct a vulnerability scan of its assets.

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? Enable QoS Enable NetFlow compression Enable sampling of the data Enable full packet capture

Enable sampling of the data Sampling can help them to capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provide useful information.

You received an incident response report that indicates a piece of malware was introduced into the company's network through a remote workstation that was connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? A.ACL B.NAC C.SPF D.MAC filtering

Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans either connect it to the company's networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a type of network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during the delivery of the email.

While studying for your CompTIA CySA+ course at Dion Training, you decided you want to install a SIEM to collect data on your home network and its systems. You do not want to spend any money purchasing a license, so you decide to use an open-source option instead. Which of the following SIEM solutions utilize an open-source licensing model? Splunk QRadar OSSIM ArcSight

OSSIM OSSIM is an open-source SIEM developed by AlienVault. It is capable of pulling information together from a wide variety of sources. ArcSight, Qradar, and Splunk are all proprietary, commercially licensed SIEM solutions.

Evaluate the following log entry: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Jan 11 05:52:56 lx1 kernel: iptables INPUT drop IN=eth0 OUT= MAC=00:15:5d:01:ca:55:00:15:5d:01:ca:ad:08:00 SRC=10.1.0.102 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=3988 DF PROTO=TCP SPT=2583 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Based on this log entry, which of the following statements is true? MAC filtering is enabled on the firewall An attempted connection to the ssh service was prevented The packet was blocked inbound to the network Packets are being blocked inbound to and outbound from the network

The packet was blocked inbound to the network Firewall log formats will vary by vendors, but this example is a commonly used format from the Linux iptable firewall tool. This log starts with the date and time of the event and provides some key pieces of information. For example, the word "drop" shows the action this log entry recorded. In this case, the firewall dropped a packet due to an ACL rule being applied. Also, you can see that the packet was detected on the inbound connection over eth0, so we know that packets are being scanned and blocked when they are headed inbound to the network.

A cybersecurity analyst is conducting proactive threat hunting on a network by correlating and search the Sysmon and Windows Event logs. The analyst uses the following query as part of their hunt: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Query: "mimikatz" NOT "EventCode=4658" NOT "EventCode=4689" EventCode=10 | stats count by _time, SourceImage, TargetImage, GrantedAccess -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Based on the query above, which of the following potential indicators of compromise is the threat hunter relying on? Data Exfiltration Unauthorized Software Processor Consumption Irregular peer to peer communication

Unauthorized software This is a difficult question, but you should see a keyword in the query, "mimikatz". Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs, and Kerberos tickets. Other useful attacks it enables are pass-the-hash, pass-the-ticket, or building Golden Kerberos tickets. This makes post-exploitation lateral movement within a network easy for attackers. It is definitely considered unauthorized software and should be immediately alerted upon if discovered in your network.

Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices? Installation of anti-virus tools Use of a host-based IDS or IPS Implement endpoint protection platforms User and entity behavior analytics

User and entity behavior analytics Since ICS, SCADA and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, the use of user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning.

A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company's security controls. Which DNS assessment technique would be classified as active? A DNS forward or reverse lookup A zone transfer A whois query Using maltego

Zone transfer DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers. DNS zone transfers are an active technique.

Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed? A.Attack surface B.Attack vector C.Threat model D.Adversary capability set

A The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct their attack.

Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? A.Zero-wipe drives before moving systems B.Use full-disk encryption C.Use data masking D.Span multiple virtual disks to fragment data

B To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider. Using a zero wipe is typically impossible because VM systems may move without user intervention during scaling and elasticity operations. Data masking can mean that all or part of the contents of a field is redacted, by substituting all character strings with 'x' for example. Data masking will not prevent your corporate data from being exposed by data remanence. Spanning multiple disks will leave the data accessible, even though it would be fragmented, and would make the data remanence problem worse overall.

Which of the following is the correct usage of the tcpdump command to create a packet capture filter for all traffic going to and from the server located at 10.10.1.1? A.tcpdump -i eth0 proto 10.10.1.1 B.tcpdump -i eth0 host 10.10.1.1 C.tcpdump -i eth0 dst 10.10.1.1 D.tcpdump -i eth0 src 10.10.1.1 24. Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as? A.Administrative controls B.Technical controls C.Physical controls D.Compensating controls

B. OBJECTIVE 4.4 Knowing tcpdump is an essential skill that will come in handy for any system administrator, network engineer, or security professional. The tcpdump tool is used to conduct packet capturing of network traffic. The host option specifies a filter to capture all traffic going to (destination) and from (source) the designated IP address. If the dst filter is used, this only captures data going to the designated IP address. If the src filter is used, this only captures data going from the designated IP. If the proto filter is used, this will capture all traffic going to or from a designated port, such as ftp is proto 21 was used.

Which of the following is NOT one of the main criteria that should be included in a penetration testing plan? A.Timing B.Scope C.Account credentials D.Authorization

C. OBJECTIVE 5.2 The three main criteria that should be included in a penetration testing plan are timing, scope, and authorization. Account credentials are usually provided during a white box test or vulnerability assessment, usually not provided for a penetration test.

During the analysis of data as part of ongoing security monitoring activities, which of the following is NOT a good source of information to validate the results of an analyst's vulnerability scans of the network's domain controllers? Configuration management systems DMARC and DKIM SIEM systems Log files

DMARC AND DKIM Vulnerability scans should never take place in a vacuum. Analysts should correlate scan results with other information sources, including logs, SIEM systems, and configuration management systems. DMARC (domain-based message authentication, reporting, and conformance) and DKIM (domain keys identified mail) are configurations that are performed on a DNS server to verify whether email being sent by a third-party is verified to send it on behalf of the organization.

Which of the following functions is not provided by a TPM? A.Random number generation B.Secure generation of cryptographic keys C.Remote attestation D.Binding E.Sealing F.User authentication

F. OBJECTIVE 2.3 User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.

Syed is developing a vulnerability scanner program for a large network of sensors that are used to monitor his company's transcontinental oil pipeline. What type of network is this?

SCADA

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and causes an impact on the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why? Syslog Network mapping Firewall logs NIDS

Syslog The syslog server is a centralized log management solution. By looking through the logs on the syslog server, the technician could determine which service failed on which server, since all the logs are retained on the syslog server from all of the network devices and servers.

You just received a notification that your company's email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? Firewall logs showing the SMTP connections The SMTP audit log from his company's email server The full email header from one of the spam messages Network flows for the DMZ containing the email servers

THE FULL EMAIL HEADER You should first request a copy of one of the spam messages that include the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or if it was external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis further based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern.

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? Intrusion Detection System VPN Whitelisting MAC filtering

Whitelisting By implementing whitelisting of the authorized IP addresses for the five largest vendors, they will be the only ones who will be able to access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker.

You are a cybersecurity analyst who has been given the output from a system administrator's Linux terminal. Based on the output provided, which of the following statements is correct? -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- BEGIN OUTPUT ———————--------- # nmap win2k16.local Nmap scan report for win2k16 (192.168.2.15) Host is up (0.132452s latency) Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http # nc win2k16.local 80 220 win2k16.local DionTraining SMTP Server (Postfix/2.4.1) # nc win2k16.local 22 SSH-2.0-OpenSSH_7.2 Debian-2 # ———————--------- END OUTPUT -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Your email server is running on a non-standard port Your email server has been compromised Your organization has a vulnerable version of the SSH server software installed Your web server has been compromised

Your email server is running on a non standard port As shown in the output of the nmap scans, only two standard ports are being utilized: 22 (SSH) and 80 (HTTP). But, when netcat is run against port 80, the banner that is provided shows the SMTP server is running on port 80. SMTP is normally run on port 25 by default, so running it on port 80 means your email server (SMTP) is running on a non-standard port.