Practice Test #3

A security consultant recently audited a company's cloud resources and web services. The consultant found ineffective secrets management and a lack of input validation mechanisms. What type of attack would the company's cloud resources be susceptible to at its current state? (Select all that apply.) API attack SQL injection Client-side request forgery Resource exhaustion

API attack SQL injection Resource exhaustion Application Programming Interfaces (APIs) allow consumers to automate tasks on a web or cloud resource. Ineffective secrets management could compromise these services on a wide scale if the threat actor retrieves API keys. A Structured Query Language (SQL) injection modifies basic functions by adding code to some input accepted by an application to execute the attacker's own set of SQL queries. Input validations can prevent this type of attack. Resource exhaustion uses privilege access to deplete resources such as writing thousands of files to disk. Ineffective secrets management can cause these types of malicious processes. A client-side request forgery (CSRF) can exploit applications that use cookies to authenticate users and track sessions. This is a security risk on the client-side.

During a risk assessment, a company indicates the value of employee used laptops to be $1,500.00 a piece. What should the company define to come up with the annual loss expectancy in a quantitative risk assessment ARO RTO RPO ALE

ARO The annual rate of occurrence (ARO) indicates how many times a loss will occur within a year. An ARO is used in conjunction with the single loss expectancy (SLE) to figure the annual loss expectancy (ALE). The annual loss expectancy (ALE) is the single loss expectancy (SLE) times the annual rate of occurrence (ARO). It is a part of the quantitative risk assessment. The recovery point objective (RPO) identifies a point in time that data loss is acceptable. The recovery time objective (RTO) identifies the maximum time it takes to recover a system in the event of an outage.

Simulate the hypertext transfer protocol secure (HTTPS) protocol in use. An encrypted TCP connection protects sensitive banking information during online transmission. A protocol between the application and transport layers of the TCP/IP stack encrypts a TCP connection. A server submits a request for resources using TCP port 80. A payload serves an HTML web page in plaintext.

An encrypted TCP connection protects sensitive banking information during online transmission. HyperText Transfer Protocol Secure (HTTPS) is used to encrypt Transmission Control Protocol (TCP) connections. Websites for banking, email, or shopping should use HTTPS to encrypt data for protection when submitting the data. HyperText Transfer Protocol (HTTP) enables clients, typically web browsers, to request resources from a server. The payload usually serves HyperText Markup Language (HTML) web pages, which are plaintext files with coded tags. Secure Sockets Layer/Transport Layer Security (SSL/TLS) works as a layer between the application and transport layers of the TCP/IP stack. It usually encrypts TCP connections and the HTTP application. Uniform Resource Locator (URL) is how the HTTP server submits a request for a resource using an appropriate TCP port (default is 80).

An attacker caused a software program to calculate a value that exceeded the fixed lower and upper bounds, and caused a positive number to become a negative number. What vulnerability did the attacker exploit? A race condition A pointer dereference An integer overflow A buffer overflow

An integer overflow An integer overflow attack causes the target software to calculate a value that exceeds the upper and lower bounds. This may cause a positive number to become negative. To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data. A race condition is a software vulnerability that occurs when the outcome from execution processes is directly dependent on the order and timing of certain events, and events fail to execute in the order and timing intended. Pointer dereference is a software vulnerability that can occur when the code attempts to remove the relationship between a pointer and the thing it points to (pointee).

A system administrator ensures that the checksum on the developed code checked into the Nexus repository matches the checksum presented to the customer to ensure the finished product is what was agreed upon. This best represents which of the following processes? Change management Configuration control Baseline configuration Benchmarking

Baseline configuration Baseline configurations are documented and agreed-upon sets of specifications for information systems. Baseline configurations serve as the starting point for development, patching, and changes to information systems. Change management defines the process for system modifications and upgrades to ensure changes are documented and do not cause outages. Benchmarking is the process of measuring individual business metrics and practices and comparing them within business areas to improve performance. Configuration control is the process of managing a system's deliverables and related documents throughout the lifecycle of the system.

What type of attack can exploit the memory area that an application reserves for use on a server? Privilege escalation Buffer overflow Directory traversal Integer overflow

Buffer overflow A buffer is an area of memory that the application reserves to store expected data. To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer. A directory traversal attack is an injection attack that uses specific code to request information from a web server's root directory by submitting the directory path. An integer overflow attack causes the target software to calculate integer values that exceed the bounds of a minimum and maximum. This may cause a positive number to become negative (changing a bank debit to a credit, for example). Privilege escalation is an application attack vector that involves giving higher privilege to malicious software to change the system and other files to compromise a system.

A gray hat hacker will perform which of the following when using hacking techniques on an organization or software? (Select all that apply.) Move laterally on the network. Cleanup evidence Seek a bug bounty Use a white box

Cleanup evidence Seek a bug bounty A gray hat hacker will try to find vulnerabilities in a product or network without seeking the approval of the owner. They often seek voluntary compensation like a bug bounty. A gray hat hacker will clean up evidence of an attack like a backdoor because an exploit will never be used as extortion. This is also true for white hat hackers. A white hat hacker is accustomed to working with a company or organization. The attack would occur in a known environment or a white box. A black hat hacker is accustomed to gaining access to one or more hosts by moving laterally on the network. This involves executing the attack tools over remote process shares or using scripting tools.

A company runs certain applications within isolated cells according to employee job functions to minimize access to resources on the operating system. This type of virtualization is which of the following? Intranet Hypervisor Container VPC

Container Containers decouple services and applications from a host operating system. Containers run within isolated cells and do not have their own kernel. They allow for continuous integration and continuous delivery. An intranet is a network topology that hosts a private internal network used to collaborate, communicate, and share information within a company. A hypervisor is the software that creates, runs, and manages a virtual machine (VM) on a physical system. A hypervisor allows VMs to share resources. A virtual private cloud (VPC) is a pool of shared computing resources isolated from but hosted within a public cloud.

Identify security control options that can be categorized as "corrective." (Select all that apply.) Digital Loss Prevention (DLP) software configurations Containment of the threat Quarantine of infected hosts Firewall rules

Containment of the threat Quarantine of infected hosts Corrective controls act to eliminate or reduce the impact of an intrusion event. During an attack, for instance, a corrective control can eliminate the threat. Quarantining infected or compromised machines is a corrective control. Data loss prevention (DLP) software prevents deletion, abuse, or access to sensitive data by unauthorized users. DLP software configurations serve as preventative measures to this type of abuse of data. Preventative measures act to eliminate or reduce the likelihood that an attack can succeed before an attack takes place. For instance, access control lists in the form of firewall rules can prevent access to files or prevent unauthorized applications from running.

Two companies are planning to provide their users with easier access to wireless access points at any of the company locations using personal company credentials. The companies will use Extensible Authentication Protocol (EAP) so that users are not required to memorize more passwords. How would a network administrator set up such a wireless network for these users? Create a Demilitarized Zone Create a RADIUS federation Use a TACACS+ solution Deploy new domain controllers

Create a RADIUS federation RADIUS federation means that multiple organizations allow access to one another's users by joining their RADIUS servers into a RADIUS hierarchy or mesh. Replacing the RADIUS solutions with Terminal Access Controller Access-Control System Plus (TACACS+) is not feasible. TACACS+ usually manages switches and routers. Deploying new domain controllers will not benefit the requirement. The domain controllers for each company will remain as is and the RADIUS clients can route user credentials to the appropriate RADIUS servers. Creating a Demilitarized Zone (DMZ) for these RADIUS servers is not an ideal setup. RADIUS servers will remain at the internal LANs and are only accessed by the RADIUS clients or wireless access points when necessary.

Outline possible tools or methods the team can use to acquire a disk image from a system. (Select all that apply.) Create snapshots of all volumes Copy disk with dd command Transfer file system via SMB Save disk image with FTK Imager

Create snapshots of all volumes Copy disk with dd command Save disk image with FTK Imager FTK Imager is a data imaging tool that quickly assesses electronic evidence to determine if it requires further analysis. The FTK Imager can save an image of a hard disk in one file or in segments, to reconstruct later if needed. The dd command can copy an entire disk as an image to a USB thumb drive. The team can then analyze the image in a sandbox environment. It is possible to create snapshots of the compromised volumes, and in some cases, it can boot a virtual machine, as a full disk image can. This may not be the most efficient method, however. By transferring files over the network, there is a risk of infection or compromise of other hosts.

Server B requests a secure record exchange from Server A. Server A returns a package along with a public key that verifies the signature. What does this scenario demonstrate? DNS Spoofing Dynamic Host Configuration Protocol DNS Server Cache Poisoning DNS Security Extensions

DNS Security Extensions Domain Name System Security Extensions (DNSSEC) helps to mitigate against spoofing and poisoning attacks. The authoritative server for the zone creates a package of resource records, called an RRset, signed with a private key known as the zone signing key. DNS server cache poisoning is a redirection attack that aims to corrupt the records held by the DNS server itself. DNS spoofing is an attack that compromises the name resolution process. The attacker may compromise the process of DNS resolution by replacing the valid IP address for a trusted website. Dynamic Host Configuration Protocol (DHCP) provides an automatic method for network address allocation.

Which data governance role is responsible for ensuring compliance with legal and regulatory frameworks specifically related to processing, retention, and/or disclosure of personally identifiable information (PII)? Data Custodian Data Steward Data Owner Data Privacy Officer (DPO)

Data Privacy Officer (DPO) The data privacy officer is responsible for the oversight of assets handled by the organization containing personally identifiable information (PII). The Privacy Officer maintains consistency with legislative and regulatory frameworks of the collection, disclosure, and protection of PII.The data custodian performs the maintenance of the system on which data assets are stored, such as regulating access, encryption, and backup.The data steward is mainly in charge of the quality of data, labeling, and categorizing with metadata, ensuring that data is collected and stored in a format that conforms with relevant laws and regulations.Usually, the data owner is a senior role with sole responsibility for protecting the privacy, integrity, and availability of a data asset.

Which de-identification method does an administrator use when choosing to replace the contents of a data field by redacting and substituting character strings? Data masking Tokenization Anonymization Pseudo-anonymization

Data masking Data masking can mean that all or part of the contents of a field is redacted, by substituting all character strings with "x" for example. A fully anonymized data set is one where individual subjects can no longer be identified, even if the data set is combined with other data sources. Identifying information is permanently removed. Pseudo-anonymization modifies or replaces identifying information so that reidentification depends on an alternate data source, which must be kept separate. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value separate from the production database.

An employee at a financial firm is responsible for ensuring that data is stored in accordance with applicable laws and regulations. What role does the employee have in terms of data governance? Data processor Data custodian Data owner Data steward

Data steward The data steward is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata, as well as ensuring the data is collected and stored in a format containing values that comply with applicable laws and regulations. The owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls. The data custodian handles managing the system on which the data assets are stored. The data processor is the entity engaged by the data controller to assist with technical collection, storage, or analysis tasks.

Which of the following hardening procedures can protect a multifunction printer from a cybersecurity attack? (Select all that apply.) Delete queued data Enable logging Place on public network Change default password

Delete queued data Enable logging Change default password Administrators should change all passwords from the factory defaults of a multifunction printer to ensure a secure system. Enabling logging allows administrators to monitor and audit printer use. Reviewing the logs on a regular basis helps determine suspicious activity. Automatically deleting queued data can protect the disclosure of information that is stored on the multifunction printer hard drive. Placing a multifunction printer on a public network is a security risk. Printers should be placed on a private network intended for only authorized users to access.

A tablet uses a key-based technique for encrypting data. It focuses on a pair of public and private keys for decryption and encryption of web traffic using less power than other encryption methods. Which encryption method is this? Ephemeral Asymmetrical ECC Homomorphic

ECC Elliptic curve cryptography (ECC) is an asymmetric public and private key-based cryptographic technique for encrypting data. ECC generates keys through the properties of the elliptic curve equation providing smaller and more efficient cryptographic key processes. An ephemeral key is an asymmetric cryptographic key that is generated for each individual execution of a key establishment process. Homomorphic encryption is an encryption method that allows computation to be performed directly on encrypted data without requiring access to a secret key. Asymmetric encryption uses matched pair public and private keys to encrypt and decrypt data.

A foreign country is planning to target another country to destabilize its economy and upcoming elections. A hacktivist group and government leaders are working together using hybrid warfare tactics to accomplish their goal. What are the most effective methods the foreign country can use to carry out their plan? (Select all that apply.) Fake tweets Espionage Dumpster diving Soft power

Fake tweets Espionage Soft power Hybrid warfare involves espionage and other hacking and social engineering techniques to launch a hostile campaign against another country. Espionage is the practice of spying on another country. Soft power refers to using diplomatic and cultural assets to achieve an objective. This can influence the operations of companies and or organizations in the target country to assist with hybrid warfare. Using fake news or hoaxes on social media can mislead citizens of the target country very quickly. This can promote hysteria and even dangerous protesting campaigns on the ground. Dumpster diving refers to combing through an organization's (or individual's) garbage to find useful documents. This is labor-intensive and not effective on a wide scale.

Utilities, such as IPFix and Netflow, export a file based on collected IP traffic flow metadata. What is the name of this exported file? Throughput record DNS log Network log

Flow record Flow analyzers generate flow records, such as IPFix and Netflow, as a history of traffic flow, including timestamps and IP addresses. Equipment, such as routers, firewalls, switches, and access points, generate network logs. The log files record the operation and status of the device plus traffic and logs that reveal network behavior. DNS servers also supply some form of query logging, which is also known as analytical logging. All requests received by the server are detailed in these logs. Throughput records can be recorded with bandwidth monitors or with flow analyzers, but throughput records do not export as a file.

A datacenter requires an instantaneous failover power solution that is inexpensive. Which of the following is the least likely solution for the datacenter? Dual supply UPS Managed PDU Generator

Generator A generator is a device that converts mechanical energy into electrical energy for use in a peripheral circuit. Generators are an expensive option for power failover and do not immediately provide power. An uninterruptible power supply (UPS) consists of a collection of batteries and their charging circuit A UPS can be placed at the system level to provide instantaneous availability. A UPS implementation is inexpensive compared to a generator. A dual power supply implementation requires two or more electrical devices that supply electric power to an electrical load. A managed power distribution unit (PDU) is an electrical protection and management system that allows a user to monitor and manage voltage and electrical current in an environment.

An application requires continuity of operations within a 24 hour period due to the command and control capabilities it maintains. The failover site must be physically separated from the program office and be available within the required timeframe with live data. Which of the following redundancy solutions best meets the failover requirement? Recovery time objective Meantime between failure Failover clusters Geographical dispersal

Geographical dispersal Geographical dispersal is a failover consideration that replicates data in hot and warm sites physically distanced from one another in the event of a catastrophe. Failover clusters use multiple servers to maintain high availability for a server. One configuration remains active while the other inactive. If the active node fails, the inactive one takes over the load. The meantime between failures measures a system's reliability in hour measurements. A recovery time objective mandates the maximum amount of time it should take to restore a system after an outage. Though this meets the time criteria, it does not meet the geographical disposition.

A web administrator notices a few security vulnerabilities that must be addressed on the company Intranet. The portal must force a secure browsing connection, mitigate script injection, and prevent caching on shared client devices. Determine the secure options to set on the web server's response headers. (Select all that apply.) HTTP Strict Transport Security (HSTS) Cache-Control Secure Cookies Content Security Policy (CSP)

HTTP Strict Transport Security (HSTS) Cache-Control Content Security Policy (CSP) HTTP Strict Transport Security (HSTS) is a header option that forces the browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping. Content Security Policy (CSP) is a header option that mitigates clickjacking, script injection, and other client-side attacks. Cache-Control is a header option that sets whether the browser can cache responses. Preventing data caching protects confidential and personal information where the client device is shared by multiple users. Secure cookies mitigate the vector of session hijacking and data exposure. Cookies are made secure with key parameters for the SetCookie header that can, for example, only allow cookies to be used for HTTP.

A risk management implementation begins with which of the following characteristics? (Select all that apply.) Mitigation Identification Classification Priortization

Identification Classification Priortization Identifying assets requires indicating which hardware and software a company maintains. Identifying assets early in the risk management process allows for a smoother risk management implementation. Classifying assets and data according to criticality provides a company a basis to assess risks in the implementation process. Prioritizing assets allows a company to decide which assets are most important to protect. Mitigating risks is a risk response technique that allows an organization to implement controls to reduce a risk

List the terms that refer to a document that guides investigators to determine priorities and remediation plans by listing the procedures, contacts, and resources available to responders for various incident categories. (Select all that apply.) Data Loss Prevention Access Control List Incident Response Plan Runbook

Incident Response Plan Runbook A SOAR system that implements a playbook with a high degree of automation is also referred to as a runbook, although the two terms are used interchangeably. Referred to as a playbook, an incident response plan (IRP) guides investigators to determine priorities and remediation plans by listing the procedures, contacts, and resources available to responders for various incident categories. The Access Control List (ACL) is a table that specifies to a computer operating system which users have access privileges to specific system resources, such as file directories or individual files. Data loss prevention (DLP) software is a collection of tools and procedures used to avoid the deletion, abuse, or access to sensitive data by unauthorized users.

Which value is the result of a quantitative or qualitative risk analysis? Risk factors Single loss expentency Inherent risk Annualized loss expentancy

Inherent risk The result of quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before any type of mitigation has been attempted. Annualized loss expectancy (ALE) is the amount that would be lost over the course of a year. This amount is determined by multiplying the SLE by the annualized rate of occurrence (ARO). The single loss expectancy (SLE) is the amount that would be lost in a single occurrence of the risk factor. This amount is determined by multiplying the value of the asset by an exposure factor (EF). A risk factor is a risk item used as a risk input during quantitative or qualitative analysis.

Determine appropriate methods the team can use to acquire OS-level information from Windows. (Select all that apply.) Use memdump to capture data from volatile memory. Initiate sleep mode and analyze the hibernation file. Reboot and analyze memory dump files. Check system and security logs.

Initiate sleep mode and analyze the hibernation file. Reboot and analyze memory dump files. Check system and security logs. When Windows encounters an unrecoverable kernel error, Windows writes contents of memory to a dump file or a mini dump file. Investigators can then analyze the contents for a variety of information. Windows creates a hibernation file at the root of the boot volume when in sleep mode. The data can be recovered and decompressed, then loaded into a software tool for analysis. Windows system and security logs can provide insight on certain events, providing a timeline with who may have logged on or tried to log on to the system. The memdump tool is a Linux-only utility, and not used on the Windows device portrayed in the example.

Describe an intrusion prevention system (IPS) that also makes it a single point of failure for network traffic if there is no fault tolerance mechanism in place. Inline appliance Anomaly appliance Passive appliance Heuristic appliance

Inline appliance Intrusion prevention system (IPS) appliances that must have all traffic pass through them are "inline" with the network. This also makes them a single point of failure if there is a no fault tolerance mechanism in place. Intrusion detection system (IDS) appliances perform passive detection. When traffic is matched to a detection signature, it raises an alert or generates a log entry, but does not block it. Heuristic appliances learn from experience or previous detection and/or prevention techniques to better analyze future traffic. The appliances may develop several profiles to model network use at different times of the day. Anomaly appliances use similar heuristic detection capabilities but can also mean specifically looking for irregularities in the use of protocols.

Which of the following is TRUE about a certificate authority (CA) in a hierarchical model as opposed to a single CA model? (Select all that apply.) PKI collapses if CA is compromised. Intermediate CA issue certificates. Offline CA is a best practice. Root certificate is self-signed.

Intermediate CA issue certificates. Offline CA is a best practic Powering off the root certificate authority (CA) in a hierarchical public key infrastructure (PKI) model is a security best practice. The root CA is a high-security risk and has the potential to compromise all subordinate certificates if not powered off. The intermediate CA is a hierarchical PKI that creates and issues certificates to users. Intermediate CAs can balance their work based on areas of responsibility. The root certificate for a single and hierarchical PKI mode is self-signed. The root CA always becomes the start of the chain of trust. The whole PKI may collapse if the CA, in both a single and hierarchical PKI model, is compromised. CA must be protected in both cases.

What type of strategy is a blackhole? (Select all that apply.) Data Loss Prevention Segmentation Isolation Containment

Isolation Containment Isolation is the act of disconnecting an entire system or network. Isolation is a malware containment procedure. Containment is a strategy that controls access to files, data, systems, or networks across points of entry, using isolation or segmentation techniques. Network segmentation in network management is the action or procedure of separating a computer network into subnetworks, each of which is a network segment. The benefits of such a split are mainly through boosting efficiency and enhancing protection. Data loss prevention (DLP) software is a collection of tools and procedures used to avoid the deletion, abuse, or access to sensitive data by unauthorized users.

Analyze and select the items demonstrating advantages Terminal Access Controller Access-Control System Plus (TACACS+) has over Remote Authentication Dial-In User Service (RADIUS). (Select all that apply.) It allows detailed management of privileges assigned to users. It is easier to detect when a server is down. It only encrypts authentication data. It provides greater flexibility and reliability.

It is easier to detect when a server is down. It provides greater flexibility and reliability. TACACS+ uses TCP communications for reliable, connection-oriented delivery, making it easier to detect when a server is down. TACACS+ is similar to RADIUS but Cisco designed it with flexibility in mind. Its connection-oriented delivery method increases reliability and flexibility. It is supported by third parties and open-source RADIUS implementations. All data in TACACS+ packets is encrypted (not just authentication data). TACACS+ is more often used for device management than for authenticating end user devices. It allows centralized control of accounts set up to manage routers, switches, and firewall appliances, and detailed management of privileges assigned to those accounts.

Which of the following baseband radio technologies support higher bandwidth capacities? Narrowband LTE-M FPGA Zigbee

LTE-M LTE Machine Type Communication (LTE-M) allows Internet of Things (IoT) devices to connect directly to a 4G network, without a gateway. It is a baseband radio technology that supports higher bandwidths. Narrowband is a communication technology that uses a low-power version of the long-term evolution (LTE). Narrowband transceivers transmit and receive digital or analog data over a very narrow bandwidth. Field Programmable Gate Arrays (FPGA) are semiconductor devices that contain programmable logic blocks and interconnection circuits. These devices can be programmed and reprogrammed to meet the required functionality. Difficulty in updating and patching is often a downfall of embedded systems such as FPGAs. Zigbee is a two-way wireless radio frequency communication between a sensor and a control system.

An application's appliance template virtual machine (VM) is running on the production network. A Linux administrator logs in to the system as the default root account to verify network settings. The appliance was deployed "out of the box" and is running healthy. A security engineer would have some concerns about which of the following configurations? (Select all that apply.) Log on as superuser Traffic over port 443 Application logging errors Default template settings

Log on as superuser Default template settings A superuser account, such as the root account on a Linux system, has no restrictions over system access. These accounts should be secured by disabling them and creating new admin accounts or groups. Default template virtual machines or appliances are susceptible to hackers because their baseline settings and credentials may be publicly available. Systems should be secured immediately after deployment. Errors with logs should be resolved immediately especially before running production data and services. In this case, the system is healthy. Port 443 is commonly used for secure web traffic communication using HyperText Transfer Protocol Secure (HTTPS). It is ideal to close port 80 on a web server to force web communication over port 443.

Identify the concepts that function as alternatives to kill chain life cycle analysis in threat intelligence. (Select all that apply.) MITRE ATT&CK Incident response plans Continuity of operation planning (COOP) The Diamond Model of Intrusion Analysis

MITRE ATT&CK The Diamond Model of Intrusion Analysis The MITRE ATT&CK framework stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a database of known TTPs (tactics, techniques, procedures) that can function as an alternative to the cyber kill chain. The Diamond Model of Intrusion Analysis is a framework that analyzes intrusion events by examining relationships between four core features and can be utilized as an alternative to the cyber kill chain. Continuity of Operation Planning (COOP) refers to backup methods of functioning in the event that IT support is absent. An incident response plan (IRP) lists the procedures, contacts, and resources available to responders for various incident categories.

An employee has authorized access to the company's system and intentionally misused the data from that system. What type of attack has occurred? Social engineering Malicious insider threat Passive reconnaissance Impersonation

Malicious insider threat A malicious insider threat occurs when the perpetrator of an attack is a member of, ex-member of, or affiliated with the organization's own staff, partners, or contractors. Attackers can "cyber-stalk" their victims to discover information about them via Google Search, or by using other web or social media search tools. This information gathering is also known as passive reconnaissance. Social engineering (or "hacking the human") refers to various methods of getting users to reveal confidential information. Impersonation (pretending to be someone else) is one of the basic social engineering techniques.

A company allows the use of corporate apps on employee-owned mobile devices. Mobile application management (MAM) services make this possible. Examining the list of available enterprise mobility management (EMM) features in today's market, which of the following would NOT be available for use in this case? (Select all that apply.) Use of containers Manage camera use Deployment of workspaces Ability to remote wipe

Manage camera use Ability to remote wipe The ability to remote wipe a mobile device is made possible using policies created by mobile device management (MDM) services. A company cannot forcefully control an employee-owned device in this manner. Managing the use of the mobile device's camera is a policy-based feature using MDM services. This is a commonly configured security feature for corporate-owned mobile devices. Containerization allows the employer to manage and maintain the portion of a mobile device that interfaces with the corporate network. Corporate apps in containers can prevent data leak to other areas of a personal device. An enterprise workspace is a collection of corporate applications that are bundled and placed into a container(s) of a mobile device.

A company is renovating a new office space and is updating all Cisco routers. The up-to-date Internetwork Operating System (iOS) will provide the best protection from zero-day exploits. What other options could a network administrator configure for route security? (Select all that apply.) Message authentication SNMP trap collections IPv6 on clients Block source routed packets

Message authentication Block source routed packets Most dynamic routing protocols support message authentication via a shared secret configured on each device. This allows routers to accept routing updates that are managed by the network team. Blocking source routed packets will prevent the chance of spoofed IP addresses from bypassing routers and firewall filters. IPv6 addressing is commonly turned on by default, especially on Windows client computers. An unmanaged IPv6 configuration has the potential for malicious use as a backdoor or covert channel. Simple Network Management Protocol (SNMP) traps are alert messages that notify of certain events (e.g., Informational, Warning, Critical). These are used to monitor load status for CPU, memory, state tables, disk capacity, fan speeds, temperature, network link utilization, and so on.

A multinational company has partnered with several smaller, younger companies. To protect their supply chain and improve their own risk posture, the company offers to provide network security services for their new partners. Conclude what type of risk the company is addressing. Multiparty External Legacy systems Internal

Multiparty Multiparty risk occurs when an adverse event impacts multiple organizations. If a breach occurs for one party, all parties share the risk. External threat actors are a highly noticeable source of danger. The company will need to acknowledge broader threats than cyber attacks. Internal threats arise from assets and workflows that are owned and managed by the company. Legacy devices are a source of concern because they no longer receive software patches and because the knowledge in servicing and troubleshooting them is a finite resource.

What protocol alters public IP addresses to private IP addresses and vice versa, in an attempt to protect internal computers from the Internet? Firewall URL Filter NAT Proxy

NAT Network addressing protocol (NAT) translates public IP addresses to private and vice versa. By using the NAT protocol on the firewall, a company can hide assets from the public internet. A proxy acts on behalf of another service. A proxy examines the data and makes rule-based decisions about whether the request should be forwarded or refused. It will not hide IP addresses. Universal Resource Locator (URL) filtering allows you to control access to websites by permitting or denying access to specific websites based on information contained in an URL list. A firewall filters traffic. It can be used for a single host or between networks. It regulates both inbound and outbound traffic, providing a layer of security inbound and out.

A user at an organization reports that their mobile payment method may have been hacked. A security engineer determines that a compromise must have occurred through card skimming. Which technology was used for mobile payments? Bluetooth NFC RFID Infrared

NFC Near field communications (NFC) is based on a particular type of radio frequency ID (RFID). NFC sensors and functionality are now commonly incorporated into smartphones. NFC is susceptible to skimming. Bluetooth is one of the most popular technologies for implementing PANs. While native Bluetooth has fairly low data rates, it can be used to pair with another device. Infrared signaling has been used for PAN in the past (IrDA), but the use of infrared in modern smartphones is featured in devices such as proximity sensors. Radio Frequency ID (RFID) is a means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else.

After a year of vulnerability scans, a security engineer realized that there were zero false positive cases. The application logs showed no issues with the scanning tool and reports. What type of scanning tool or configuration would result in zero false positives being reported? (Select all that apply.) Intrusive tool Non-intrusive tool Non-credentialed scan Credentialed scan

Non-intrusive tool Non-credentialed scan A non-credentialed scan is one that proceeds by directing test packets at a host without being able to log on to the operating system (OS) or application. Fewer vulnerabilities are detected, resulting in fewer false positives. A non-intrusive or passive scanning tool analyzes indirect evidence, such as the types of traffic generated by a device. Fewer vulnerabilities are detected, resulting in fewer false positives. A credentialed scan is given a user account with log-on rights to various hosts, plus whatever other permissions are appropriate for the testing routines. More vulnerabilities are detected, resulting in more false positives. An intrusive scanning tool interacts with the target host or system. More vulnerabilities are detected, resulting in more false positives.

What is the term describing a point in an investigation during which the suspect cannot deny his involvement? Non-repudiation Preservation Legal hold Provenance

Non-repudiation Establishing a timeline and recording the acquisition process establishes provenance of the evidence to ensure its admissibility. This proof of integrity ensures non-repudiation. Legal hold refers to the fact that investigators must retain information that could be important to a legal proceeding. If the provenance of the evidence is certain, then the threat actor, identified by analysis of the evidence, cannot deny their actions. The word provenance refers to the integrity of the evidence, rather than to the state of the investigation. Preservation refers to the necessity to physically protect the evidence, such as bagging using tamper-evident, anti-static bags.

Which of the following is NOT a critical profiling factor when assessing the risk that any one type of threat actor poses to an organization? Intent Structure Motivation Non-repudiation

Non-repudiation Non-repudiation is a term that describes a property of a secure network where a sender cannot deny having sent a message. There are critical factors when assessing the risk that any one type of threat actor poses to an organization. For example, the intent could be to vandalize and disrupt a system or to steal something. There are critical factors when assessing the risk that any one type of threat actor poses to an organization. For example, greed, curiosity, or some sort of grievance can motivate an attacker. Threats can be structured or unstructured (or targeted versus opportunistic) depending on the degree to which an attacker specifically targets an organization.

A file system audit shows a malicious account was able to obtain a password database. The malicious account will be able to use the information without interacting with an authentication system. What type of attack will the malicious account be able to perform on systems? Password spraying attack Online password attack Offline password attack Dictionary attack

Offline password attack An offline password attack means that the attacker has managed to obtain a database of password hashes from an Active Directory credential store, for example. A password cracker tool does not need to interact with the authentication system in this case. Password spraying is a horizontal brute-force online attack. This means that the attacker chooses one or more common passwords and tries them in conjunction with multiple usernames. A dictionary attack is performed when software generates hash values from a dictionary of plaintexts to match with a captured hash to gain access. An online password attack is where the threat actor interacts with the authentication service directly, a web login form, or VPN gateway, for instance.

The company's current network utilizes EAP-TTLS (EAP-Tunneled TLS) for supplicant clients connecting to the network. Newer model devices and systems are deployed on the network and are not compatible with EAP-TTLS. These systems require MS-CHAPv2 for authentication. Which of the following options will support these new systems? EAP-FAST LEAP EAP-MD5 PEAP

PEAP PEAP uses MSCHAPv2 in PEAPv0 (also known as EAP-MSCHAPv2). Where required, another iteration called PEAPv2 (also known as EAP-GTC), which is a Cisco implementation, can be used. LEAP (Lightweight Extensible Authentication Protocol) is vulnerable to password cracking attacks because of the use of MSCHAP. MSCHAPv2 is a requirement, in this case. EAP-FAST (EAP Flexible Authentication via Secure Tunneling) does not use certificates, rather it uses Protected Access Credential (PAC). This option does not use MSCHAPv2. EAP-MD5 is a secure hash of a password sent to the authenticating server. By itself, this does not provide mutual authentication from the client to the supplicant.

Describe what distinguishes tabletop training from walkthrough training. Participants demonstrate their chosen course of action The scenario is from the point of view of the attacker. The scenario is more realistic. Participants describe their course of action, using no computer equipment.

Participants describe their course of action, using no computer equipment. In tabletop instruction, the facilitator poses a situation and the respondents describe what steps they might take to identify, contain, and eradicate the potential threat. Scenario data are mostly implemented as flashcards and do not require computing equipment. In walkthrough sessions, the facilitator introduces the scenario as they would for a tabletop exercise, but the incident responders demonstrate what action to take in response. The realism of a scenario is not particularly considered, as a wide variety of incident scenarios are possible. During simulations or Capture the Flag exercises, it is common for one team to represent the attackers and the other to represent the response team.

Conclude what type of data has high trade values in black markets, is often anonymized or deidentified for use in scientific research, and when compromised, can lead to its use in blackmail or insurance fraud, as well as cause reputational damage to the responsible organization. Government Data Customer Data Personal health information (PHI) Financial Information

Personal health information (PHI) Personal health information (PHI), such as medical and insurance records, laboratory test results, etc., has a high value in black markets because of its potential use for blackmail and insurance fraud. It is often anonymized and used for research.Financial information refers to information from credit or debit cards, bank and investment accounts, or information from payroll and tax returns. There are many protections and remedies available for data breaches of this type. For instance, credit cards can be revoked and purchases can be appealed.Governments and other social organizations often collect and process data about citizens and taxpayers.Customer data can be of any type, but it usually belongs to third-party customers or clients.

Customers receive a seemingly genuine email from their trusted bank, informing them that their password needs updating. However, when authenticating, an attacker captures the customers' credentials. What kind of attack did the bank customers experience? Phishing SMiShing Vishing Whaling

Phishing Phishing is a combination of social engineering and spoofing, where the attacker sets up a spoof website to imitate a trusted one. The attacker then emails users of the genuine website, informing them that their account must be updated, supplying a disguised link that leads to their spoofed site. When users authenticate with the spoofed site, their logon credentials are captured. Vishing describes a phishing attack conducted through a voice channel (telephone or VoIP, for instance). SMiShing refers to fraudulent SMS texts. Other vectors could include instant messaging or social media sites. A spear phishing attack directed specifically against upper levels of management in the organization (i.e., CEOs and other "big beasts") is sometimes called whaling.

Which penetration technique allows a tester to bypass a network boundary and compromise servers on an internal network? Pivot Lateral movement Persistence Cleanup

Pivot A pivot bypasses a network boundary and compromises servers on an internal network. A pivot is normally accomplished using remote access and tunneling protocols. A cleanup means removing evidence of the attack or evidence that could implicate the threat actor. An example would be removing any backdoors or other tools. Lateral movement involves gaining control over other hosts. This can be done by harvesting credentials or detecting software vulnerabilities to widen access on the network. Persistence is the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor. The tester must establish a command and control (C2 or C&C) network to use to control the compromised host.

An attacker is preparing a phishing email mimicking the contents of a legitimate company email. The email will include a fake invoice to request payment for medical services and an email address that looks convincing. What can the attacker modify on the email to make it more convincing? Prepend "RE:" to the subject line. Increase the invoice number by 1. Change the employee's identity. Ask for personal information.

Prepend "RE:" to the subject line. Prepending means adding text that appears to have been generated by the mail system. For example, an attacker may add "RE:" to the subject line to make it appear more legitimate and a reply to a previous email thread. Modifying the invoice in any way, including the invoice number or even payment details, will result in an invoice scam because it is fake. Changing an employee's identity constitutes identity fraud and is punishable by law. This fraud would be more beneficial if the goal were to embarrass or get the employee fired. Eliciting information such as personal information may raise red flags and the recipient may label it as spam and report it. Such attempts will make the email less convincing.

Systems administrators rely on ACLs to determine access to sensitive network data. What control type do the administrators implement? Preventative Deterrent Detective Corrective

Preventative Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. An ACL is an example of this control type. Detective controls may not prevent or deter access to systems, but they will identify and record any attempted or successful intrusion. Logs provide one of the best examples of detective-type controls. Corrective controls act to eliminate or reduce the impact of an intrusion event. A corrective control, such as a backup system, is used after an attack. Deterrent controls may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion.

The IT team manages multiple root accounts on a spreadsheet that provides access to virtual hosts. Although only administrators have access to the share location where the spreadsheet exists, management would like to add auditing measures to these accounts. Which solution will support the requirement? File system permissions Mandatory access control Discretionary access control Privilege access management

Privilege access management Enterprise privilege access management products provide a solution for storing high-risk credentials in a vault rather than a spreadsheet for auditing elevated privileges generally. File system permissions involve associating an access control list (ACL) to a file system object such as a folder or file. The ACL contains a list of accounts allowed to access the resource and their permissions. Mandatory access control (MAC) is based on the idea of security clearance levels. Each object and subject are granted a clearance level, referred to as a label. Discretionary access control (DAC) is based on the primacy of the resource owner. The owner is originally the creator of the file, though ownership can be assigned to another user.

A connection cannot be established during a network connection test of a newly deployed WAP (Wireless Access Point) in WPA2 Enterprise (Wi-Fi Protected Access) mode. After checking the wireless controller, the 802.1x option was selected, but another configuration setting did not save. Apply knowledge of the network connection process to determine which of the following did not save. Open configuration RADIUS server settings Enterprise option EAP authentication option

RADIUS server settings A RADIUS (Remote Access Dial-in User Server) is required to complete the 802.1x setup. The wireless controller connects to the RADIUS server with a shared secret key, then credentials can be properly authenticated. 802.1x implementation on a controller is an Enterprise configuration. Some devices will show an 802.1x or Enterprise option; both are the same. In this case, the Enterprise option is enabled. 802.1x uses EAP (Extensible Authentication Protocol) authentication. There is no need to select it since 802.1x is already enabled. The EAP mechanism passes credentials to the RADIUS server. Open configuration, or open authentication of a wireless client or controller, does not require authentication. Traffic is also sent in plain view, which is not a secure option to use.

A start-up company operates all of its web servers and services on a cloud platform using Platform as a Service (PaaS). The company offices run a local domain controller for directory services. Which type of attacks would the cloud service provider consider as cloud-based attacks as opposed to on-premise? (Select all that apply.) Accessible USB ports for flash media Plaintext API keys in database RAT on web servers Backdoor to virtual platforms

RAT on web servers Backdoor to virtual platforms A backdoor is any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control. A remote access trojan (RAT) is backdoor malware that mimics the functionality of legitimate remote control programs but is designed specifically to operate covertly. Exploited server patches on USB flash media is an example of a malicious flash drive. This physical media can only be used effectively on on-premise workstations to affect the company's systems. Application programming interface (API) keys are used to interact with cloud services and applications. The API keys are the responsibility of the cloud customer and should be kept in a key management vault that is encrypted and only used when needed.

A cardiovascular patient is sent home with a monitoring device that records and sends data to a healthcare provider when triggered by abnormal cardiac activity. Response time to the data is critical to patient health. Which embedded platform is the medical device using? Networked Distributed Real-time Standalone

Real-time A real-time operating system (RTOS) is in an embedded system intended to serve real-time applications that process data as it comes in. It provides a quicker reaction to external events than a typical operating system. A networked embedded system is connected to a physical network, either wired or wireless, to provide output to the connected device. An automated teller machine (ATM) is an example of a network embedded system. A distributed operating system runs on a host and provides the capability to manage data, user groups, applications, and other networking functions. A stand-alone embedded system is independent of a host. It takes in analog or digital data and provides output.

Which attack vector would an insider threat use to effectively install malicious tools on specific sets of servers for backdoor access? (Select all that apply.) Wireless network Social media Removable media Direct access

Removable media Direct access Direct access is a type of physical or local attack. The threat actor could exploit an unlocked workstation, use a boot disk to try to install malicious tools, or steal a device. Removable media like a USB drive or SD card can conceal malware. With direct access, a malicious USB can be inserted, and in some cases, automatically run malware to easily compromise the device. Wireless or remote network attack vectors use, for example, credential harvesting to steal account details to access the network. Social media or the web can be used as an attack vector by luring users to download files through social engineering campaigns. These files can be loaded with Trojans to compromise user devices.

A system administrator applies a Windows patch to the virtual machines (VM) in a virtual desktop infrastructure (VDI). After the patch is complete, the VMs no longer authenticate with the server. Which of the following is the best next step to take for the system administrator? Take a snapshot. Revert to last known good configuration. Complete a vulnerability scan. Execute penetration test.

Revert to last known good configuration. The administrator should revert to the last known good configuration before the patch. The virtual machines (VM) were working before the patch. Reverting to the last known good configuration will get the system back up and running. Taking a snapshot of the server after installing the patch would not benefit the system administrator. A snapshot should be taken before applying the patch. A vulnerability scan checks an application for weaknesses so that program offices can identify and correct them. Executing a penetration test will not solve the issue. Penetration tests are performed on an application to exploit vulnerabilities by simulating an attack.

Analyze the methods and determine which a technician uses as a non-persistent recovery method on a server using a system baseline. Live boot media Rollback to known configuration Build from a template Revert to known state

Rollback to known configuration Rollback to known configuration is a mechanism for restoring a baseline system configuration, such as Windows System Restore. Snapshot/revert to known state is not a baseline but rather a saved system state at a specific period in time that can be reapplied to a system instance. Live boot media is an option of non-persistence that boots from read-only storage to memory rather than being installed on a local read/write hard disk. Building from a template uses build instructions for an instance. Rather than storing a master image, the software may build and provide an instance according to the template instructions.

A company requires a means of managing storage centrally and the ability to share the storage with multiple hosts where users can access data quickly and with little to no latency. Which of the following storage architectures would best meet the company's needs? Disk SAN NAS RAID

SAN A storage area network (SAN) solution provides access to block-level data storage that can be accessed by multiple users. A SAN offers flexibility, availability, and performance to consumers. Network-attached storage (NAS) is a file-level data storage server attached to a network that provides data access to a common group of clients. NAS is a single storage device that serves files over Ethernet. NAS is primarily focused on ease of use for consumers. A disk is a physical backup solution that is inexpensive and slower than a SAN solution. Redundant array of inexpensive disks (RAID) provides increased system availability and fault tolerance for disks.

An IT technician at a London-based company is setting up a new VoIP system in the CEO's office. The CEO has asked the technician to set up encryption for calls and informs the CEO that session-to-session encryption is implemented at the endpoints. The CEO wants not only the session encrypted but also the call data itself. Recommend a protocol that will encrypt VoIP call data. SFTP SRTP SIPS HTTPS

SRTP SRTP, which stands for Secure Real-time Transport Protocol, provides encryption and authentication for RTP (Real-Time Protocol) data in unicast and multicast data flows. SRTP will encrypt all data sent and received by each SIP endpoint for the entire journey. HTTPS, or Hypertext Transfer Protocol Secure, encrypts Web-based traffic using Transport Layer Security (TLS). It is not designed for this kind of data and would result in session encryption, like SIPS. SIPS (Session Initiation Protocol Secure) is the secure version of SIP (Session Initiation Protocol) and uses digital certificates to authenticate the endpoints and establish a TLS tunnel. SFTP (SSH File Transfer Protocol) is a secure file transfer protocol that runs over SSH.

The virtual teleconference room has a Session Initiation Protocol (SIP) endpoint for communication with remote branch offices. Company policy requires the VTC components use secure session and call data before others can use it. Which of the following protocols will provide encryption for the call data? HTTPS SRTP SIPS ESP

SRTP Secure Real-time Transport Protocol (SRTP) is an encryption protocol that provides confidentiality for the actual call data. Session Initiation Protocol Secure (SIPS) is the secure version of SIP. SIP is used for session controls of SIP clients (also known as user agents) such as IP-enabled handsets or client and server web conference software. Encapsulation Security Payload (ESP) provides confidentiality and/or authentication and integrity for the payload and/or header of a data packet when using IP Security (IPSec). Hypertext Transfer Protocol Secure (HTTPS) is the protocol used for secure communication between a client and web server using Secure Socket Layer (SSL) or Transport Layer Security (TLS).

A financial institution uses File Transfer Protocol Secure (FTPS) to transmit personally identifiable information (PII) to a receiving institution. Which encryption method would best be suitable for protecting the confidentiality of the information in transit? SSH IPsec SSL/TLS TCP

SSL/TLS Secure Socket Layer/Transport Layer Security (SSL/TLS) uses certificates issued by certifying authorities (CA) to encrypt data in transit. This encryption provides confidentiality of data. Secure Shell (SSH) also encrypts data in transit over Transmission Control Protocol (TCP) port 22. However, SSH is used in Secure File Transfer Protocol (SFTP) and File Transfer Protocol Secure (FTPS) uses Secure Socket Layer/Transport Layer Security (SSL/TLS). Internet Protocol Security (IPsec) is used to encrypt Internet Protocol (IP) traffic. It encapsulates and encrypts data payloads. Transmission Control Protocol (TCP) is a networking protocol that uses a three-way handshake for connection driven network traffic.

List methods of containment that are based on the concept of isolation. (Select all that apply.) Sandboxing Sinkhole Physical disconnection/air gapping Blackhole

Sandboxing Physical disconnection/air gapping Blackhole Blackholes correspond to locations in the network that quietly discard (or "drop") incoming or outgoing messages without notifying the source that it did not reach its intended recipient. Blackholes are an isolation technique because they isolate the attacker from the network. Air gapping indicates the physical isolation of a system from all network resources, often by being physically disconnected. The exploit becomes isolated to the disconnected device and cannot "escape." A sandbox is an isolated environment created for analyzing malware and exploits safely, such as Cuckoo, for example. Sinkhole routing means suspicious traffic that is flooding a specific IP address routes to another network for analysis. This is a form of segmentation because it maintains the connection to other networks.

How might responsibilities be divided among individuals to prevent abuse of power in an organization? Job rotation Clean desk space Separation of duties Least privilege

Separation of duties Separation of duties is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Divided duties among individuals prevent ethical conflicts or abuses of power. Least privilege means that a user is granted sufficient rights to perform his or her job and no more. A clean desk policy means that each employee's work area should be free from any documents left there. Job rotation (or rotation of duties) means that no one person is permitted to remain in the same job for an extended period.

A data exfiltration attack at a well-known retail company exposes a great deal of private data to the public. A portion of the data details the CEO's political and religious affiliations. When considering data classification types, which has been exposed? Sensitive Confidential Proprietary Critical

Sensitive A sensitive label is usually used in the context of personal data. This is privacy-sensitive information about a subject that could harm them if made public and could prejudice decisions made about them. Confidential information is highly sensitive, for viewing only by approved persons within the owner organization, and possibly by trusted third parties under NDA. Critical information is organization data that is too valuable to allow any risk of its capture. Viewing is severely restricted. Proprietary information or intellectual property (IP) is information created and owned by the company, typically about the products or services that they make or perform.

How does the General Data Protection Regulations (GDPR) classify data that can prejudice decisions, such as sexual orientation? Confidential Proprietary Private Sensitive

Sensitive The sensitive classification is used in the context of personal data about a subject that could harm them if made public and could prejudice decisions made about them if referred to by internal procedures.Private data is information that relates to an individual identity. An example of private data can be information, such as an identification number.Proprietary information is created and owned by the company, typically about the products or services that they make or perform.Confidential information is highly sensitive, for viewing only by approved persons within the owner organization.

Routine analysis of technical security controls at an organization prompts a need for change. One such change is the addition of Network Intrusion Detection System (NIDS) technology. A firewall that supports this function is on order. Considering how the organization will implement NIDS, what other technology completes the solution? Static code analyzers Sensors Aggregation switches Correlation engines

Sensors Sensors gather information to determine if the data being passed is malicious or not. The internet-facing sensor will see all traffic and determine its intent. The sensor behind the firewall will only see filtered traffic. The sensors send findings to the NIDS console. A static code analyzer examines code quality and effectiveness without executing the code. An analyzer can be used in conjunction with development, for continued code quality checks, or once the code is in its finalization stages. An aggregation switch can connect multiple subnets to reduce the number of active ports. When aggregating subnets, the subnets are connected to the switch versus the router. A correlation engine is part of a Security Information and Event Manager (SIEM). It captures and examines logged events to alert administrators of potential threats on a network.

An organization receives numerous negative reviews on social media platforms in response to a recent public statement. Experts use machine learning to identify any threatening language. Which approach do the experts use to identify security risks? Threat feeds User behavior analysis Security monitoring Sentiment analysis

Sentiment analysis Sentiment analysis is used to monitor social media for incidents, such as disgruntled consumers posting negative content. In terms of security, this can be used to gather threat intelligence. A user behavior solution supports identification of malicious behaviors from comparison to a baseline. The analytics software tracks user account behavior across different devices and cloud services. Security monitoring refers to having systems in place that can monitor a network for malicious activity. Threat feeds can be useful in gathering security related news and other information from a variety of industry sources.

A cloud service provider (CSP) offers an organization the ability to build and run applications and services without having to manage infrastructure such as provisioning, authentication, and server maintenance. This offering reduces overhead and allows the organization to focus on the product being built. What type of design pattern is this? Service oriented architecture Software defined network Serverless architecture Microservice architecture

Serverless architecture A serverless architecture is a cloud model where applications are hosted by a third-party provider. A serverless architecture removes the responsibility of the consumer to provision, scale, and maintain server and storage solutions by applying functions and microservices. A microservice architecture structures an application as a collection of services that are independent of one another and structured around business capabilities. A Service Oriented Architecture (SOA) allows services to communicate with each other across different platforms and languages by implementing loose coupling technologies. A software defined network (SDN) separates the data and control planes of a network by using software and virtualization technologies.

A company purchased a few rack servers from a different vendor to try with their internal cluster. After a few months of integration failures, the company opted to remain with their previous vendor and to upgrade their other rack servers. The current commercial software will be migrated to the new rack servers. What may have caused the company to remain with their previous vendor for new rack servers? (Select all that apply.) The code is unsecure. Servers are incompatible. Disks are self-encrypting. Vendor lacks expertise

Servers are incompatible. Vendor lacks expertise Devices or software that are incompatible with other devices or software make them difficult to manage. Companies often seek compatibility factors to ensure full integration with existing assets. A vendor that lacks expertise is also unable to support deployment and other activities required for using a rack server in the environment. Customer experience is vital to future purchases. Self-encrypting disks require a key management system, making them difficult to maintain and expense. Encryption was not a requirement in this case. Unsecure code is a risk incurred from outsourcing code development to a third-party. Companies should verify code with internal developers or with vulnerability and penetration testing.

Which system allows a user to authenticate once to a local device and to be authenticated to other servers or services without entering credentials again? Single sign-on OAuth OpenID Connect Password vault

Single sign-on A single sign-on (SSO) system allows the user to authenticate once to a local device and be authenticated to compatible application servers without having to enter credentials again. Open Authorization (OAuth) is a protocol often implemented for authentication and authorization for RESTful application programming interface (API). It is designed to facilitate sharing of information (resources) within a user profile between sites. OpenID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. A password vault is a software-based password manager. Most operating systems and browsers implement native password vaults, for example, Windows Credential Manager and Apple's iCloud Keychain.

List methods of containment based on the concept of segmentation. (Select all that apply.) Sinkhole Blackhole Sandboxing Honeynet

Sinkhole Honeynet Sinkhole routing means suspicious traffic that is flooding a specific IP address, routes to another network for analysis. Sinkhole routing is a form of segmentation because it maintains the connection to other networks. A honeynet is a segmented network composed entirely of honeypots. A honeypot is a decoy node intended to draw the attention of threat actors, to trick them into revealing their presence and potentially more information. Blackholes correspond to locations in the network that quietly discard incoming or outgoing messages, without notifying the source that it did not reach its intended recipient. Blackholes are an isolation technique. A sandbox, such as Cuckoo, is an isolated environment created for safely analyzing malware and exploits. Sandboxing is an isolation technique.

A water company has replaced outdated equipment with units that can record and report water consumption from a consumer's home to the office. This eliminates the need to send a technician out monthly to read the equipment. What has the company invested in? RTOS Embedded system VoIP Smart meter

Smart meter A smart meter is an electronic device that records information and communicates the information to the consumer remotely. Smart meters can electronically transmit data on utility use on a predetermined time basis, rather than a company sending out an employee and relying on an estimate. Voice over internet protocol (VoIP) technology enables traditional telephone services to operate over computer networks. A real-time operating system (RTOS) is system software that handles multiple events concurrently and ensures a system responds to those events within predictable time limits. An RTOS provides services and manages processor resources for applications. An embedded system is a combination of hardware and software that contains a dedicated function and uses a computer component to complete the function.

A user receives multiple emails daily from various vendors and companies. The emails seem legitimate but are overly excessive. What is the user most likely receiving? Spam advertisements SMiShing texts SPIM threats Vishing messages

Spam advertisements Spam or unsolicited messages via email are sent in bulk to users for advertisements or to deliver malware. SMiShing is a phishing technique that uses simple message service (SMS) text communications as the attack vector. The text message may include a link to a fake website asking a user to log in. SPIM is spam (or mass unsolicited messages) sent over instant messaging or Internet messaging services. Vishing is a phishing attack conducted through a voice channel (telephone or VoIP). Someone may attempt to represent a bank and ask the target to verify information over the phone.

Experts at a scientific facility suspect that operatives from another government entity have planted malware and are spying on one of their top-secret systems. Based on the attacker's location and likely goals, which attacker type is likely responsible? Criminal syndicates State actors Script kiddies Hacktivists

State actors State actors have been implicated in many attacks, particularly on energy and health network systems. They typically work at arm's length from the national government that sponsors and protects them, maintaining "plausible deniability." A criminal syndicate can operate across the internet from different jurisdictions than its victim, increasing the complexity of prosecution. Syndicates will seek any opportunity for criminal profit, but typical activities are financial fraud. A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.

Which type of service account has the most privileges? Network service System Local service Group service

System The System account has the most privileges of any Windows account. This account creates the host processes and systems that receive full privileges to local computers. Local service accounts have the same privileges as standard user accounts. Local service accounts access network resources as an anonymous user. Network service accounts have the same privileges as the standard user account and have the authority to present the computer's credentials to access network resources. This type of account cannot control host processes. A group service account is not an official Microsoft naming convention for a service account. System accounts have the most privileges.

A network administrator researched Secure Sockets Layer/Transport Layer Security (SSL/TLS) versions to determine the best solution for the network. Security is a top priority along with a strong cipher. Recommend the version to implement, which will meet the needs of the company. SSL 3.0 TLS 1.1 TLS 1.2 SSL 2.0

TLS 1.2 Transport Layer Security (TLS) 1.2 added support for the strong Secure Hash Algorithm (SHA)-256 cipher along with improvements to the cipher suite negotiation process and protection against known attacks. Secure Sockets Layer (SSL) 3.0 is less secure than any of the TLS versions and does not support SHA-256 cipher. TLS 1.1 added the improvement to the cipher suite negotiation process and protection against known attacks but does not support SHA-256 cipher. SSL 2.0 is deprecated and should only be deployed when subject to risk assessments. This version does not support SHA-256 cipher.

A system engineer is researching backup solutions that are inexpensive and can store large amounts of data offline. The backup solution must be portable and maintainable for a certain length of time defined in the company's backup recovery plan. Which of the following is the best backup solution? Tape SAN Disk NAS

Tape A tape backup solution is the storing of data on a magnetic tape. It is less expensive than most backup solutions. When stored properly, tape can last longer and is small and portable. Network-attached storage (NAS) is a file-level data storage server attached to a network that provides data access to a common group of clients. NAS is not portable and maintained online. A disk backup solution is more expensive than a tape backup solution. A storage area network (SAN) provides access to block-level data storage. A SAN is used to access other storage devices, such as disks and tape libraries from servers.

Analyze the active defense solution statements and determine which best describes the purpose of a honeyfile. A decoy is set as a distraction to emulate a false topology and security zones. It is helpful in analyzing attack strategies and may provide early warnings of attacks. Configurations are in place to route suspect traffic to a different network. The attempts to reuse can be traced if the threat actor successfully exfiltrates it.

The attempts to reuse can be traced if the threat actor successfully exfiltrates it. A honeyfile is convincingly useful but actually fake data. This data can be made trackable, so that when a threat actor successfully exfiltrates it, the attempts to reuse or exploit it can be traced. A honeypot is a computer system set up to attract threat actors with the intention of analyzing attack strategies and tools to provide early warnings of attack attempts. A DNS sinkhole might be used to route suspect traffic to a different network, such as a honeynet, where it can be analyzed. A honeynet is a decoy network that provides an attacker a false representation of a network topology and its security zones (DMZ, LAN, etc.).

An organization wants to implement a certificate on a website domain. The organization prepares for a rigorous check to prove its identity using extended validation. Evaluate the options and conclude why the certificate would not be issued. Multiple root CAs are trusted. A TXT record is used for verification. The domain uses a wildcard. The root CA is offline.

The domain uses a wildcard. Extended Validation (EV) is a proof of ownership process that requires rigorous checks on the subject's legal identity and control over a domain. An EV certificate cannot be issued for a wildcard domain. A TXT record is a DNS record that is used for a variety of reasons. A TXT record may provide a string of characters for verification purposes. Multiple organizations may agree to share a root CA but may cause operational difficulties that could increase as the CA is trusted by more organizations. In practice, most clients are configured to trust multiple root CAs. Because of the risk posed by compromising a root CA, a secure configuration makes the root an offline CA. The root CA is brought online to add or update intermediate CAs.

Auditing SIP (Session Initiation Protocol)-based VoIP logs can reveal evidence of Man-in-the-Middle attacks. When handling requests, what do the call manager and any intermediate servers add to the SIP log file? A hop count Their own IP address A list of IP addresses of previous hops The IP address of the intended recipient

Their own IP address When managing requests, the call manager and all other intermediate servers add their IP address via the log header. The logs will show details of any Man-in-the-Middle attacks in which an unauthorized proxy intercepts data. There is no need to add the IP address of the intended recipient to the log header. The log header can easily determine the number of hops. However, hops are not explicitly counted as an integer, but obtained by counting the number of intermediate servers. A list is not added to the log at each hop. Instead, a list is built by each intermediate server adding their own IP address to the header.

Which of the following is a computer that uses remote desktop protocol to run resources stored on a central server instead of a localized hard drive and provides minimal operating system services? Fog computing Thin client Edge computing VDI

Thin client A thin client is a computer that runs from resources stored on a central server instead of a localized hard drive. Thin clients work by connecting remotely to a central server-based computing environment where all resources and data are stored. Fog computing analyses data on the network edge to avoid the need to transfer unnecessary data back to the local area network (LAN). Edge computing is a distributed model that is accomplished at or near the source of the data where it is needed. A virtual desktop infrastructure (VDI) is a technology used to create a virtualized desktop environment on a remote server setup.

A user reported that their Excel spreadsheets delete everything except the active sheet when running a recorded task called "Unhide worksheets" on a workbook. Command prompts have also been popping up on the Windows workstation when it restarts. If the workstation was legitimately compromised, how would an attacker maliciously reconfigure a recorded task on an Excel workbook? Using PowerShell commands. Using macro commands Using Python commands Using bash commands

Using macro commands A document macro is a sequence of actions performed in the context of a word processor, spreadsheet, or presentation file. This can be recorded and re-recorded in the application to change the outcome of the named task. Python is a popular language for development projects. Codes that have multiple logic and looping statements found in a .py file can indicate a Python scripting attempting. Bash or Bourne again shell is a command-line terminal for a Linux environment. Malicious shellcode commands targeting a Linux operating system are indicative of a bash scripting attack. PowerShell is the preferred method of performing Windows administration tasks. Common PowerShell cmdlets include Invoke-Expression, Invoke-Command, Invoke-WMIMethod, New-Service, etc.

Where should a systems administrator search for more information on how to fix a CPU vulnerability on a Dell rack server? Vendor support page Facebook Best Buy Geek Squad Black Hat conference

Vendor support page Vendors will provide guides, templates, and tools for configuring and securing operating systems, applications, and physical devices like a rack server. CPU vulnerabilities may require firmware updates that may only be available from the vendor. Conferences are hosted and sponsored by various institutions and provide an opportunity for presentations on the latest threats and technologies. The Black Hat conferences showcase the latest threats and hacker techniques in the industry. Social media platforms, such as Facebook, can showcase "How to" videos and posts, but they are limited. Support files are only available on vendor support pages. A local industry group or company like Best Buy's Geek Squad helps with smaller commercial and consumer products and is not ideal for rack server related items.

Specify elements that a playbook should include. (Select all that apply.) When to report compliance incidents Query strings to identify incident types Backup passwords and private keys Incident categories and definitions

When to report compliance incidents Query strings to identify incident types Incident categories and definitions Specific query strings and signatures easily scan and detect specific types of incidents. These strings improve response and resolution time. How to address compliance incidents with, for example, Health Insurance Portability and Accountability Act (HIPAA) laws should be outlined. It may include a list of contacts and their information, how to contact them, and when. Incident categories and descriptions help ensure that all management and operational staff have a shared framework for interpreting the meaning of terms, concepts, and definitions. Passwords and private keys are never stored in a document or file that can be shared or viewed by unauthorized personnel.