Pretest 3
In a federation, the trust relationship allows a relying party to establish identity through an identity provider. In which of the following situations is this relationship most beneficial to the relying party?
ANSWER
A user wants to ask sales staff a question about a product on the relying party's website
Staff have requested Single Sign-On (SSO) for all of their accounts; the identity provider establishes this
The relying party wants secure and easy credit card sales transactions
The relying party, a company, needs help managing its staff accounts, and uses a third party
A user wants to ask sales staff a question about a product on the relying party's website
WHAT YOU NEED TO KNOW
The relying party benefits from users gaining access to the outer layers of the relying party's website through federated identity management. For example, a company may use the credentials provided to a popular website such as Google to allow users access to its chat function. This lets the user chat with staff without registering for a full account, thus enabling the foot-in-the-door phenomenon. When a sale is initiated, it is necessary for the user's personal security and for the security of the relying party's accounts that the user create an account. Credit card information should be relayed over an established account rather than relying on the third-party credential. Staff accounts should be managed within the company, as the company opens itself to vulnerabilities by relying on federated partnerships for such internal matters. Single Sign-On at the company level may be established, but it is not wise to enable single sign-on to outside websites for internal accounts.
WPA (Wi-Fi Protected Access) was designed to fix the security problems with WEP (Wired Equivalent Privacy) by adding TKIP (Temporal Key Integrity Protocol) to the RC4 cipher to make it stronger. TKIP fixes the checksum problem, uses a larger Initialization Vector (IV), transmits it as an encrypted hash, and adds a sequence counter to resist replay attacks. What replaced RC4/TKIP to make WPA2 significantly more secure than WPA?
ANSWER
SHA-2/CCMP
AES/CCMP
AES/IEEE 802.1x
SHA-2/IEEE 802.1x
AES/CCMP
WHAT YOU NEED TO KNOW
For WPA2, AES (Advanced Encryption Standard) is deployed within CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). AES replaces RC4 and CCMP replaces TKIP. AES is used for encryption and CCMP is used for message integrity. IEEE 802.1x is a standard for encapsulating EAP (Extensible Authentication Protocol) communications over a LAN or WLAN. WPA2-Enterprise uses this standard. SHA-2 (Secure Hash Algorithm 2) is a hashing algorithm, not an encryption method. It is widely implemented as part of security standards and protocols, such as SSL, IPsec, and the Digital Signature Standard (DSS). IEEE 802.1x, which is a Port-Based Network Access Control (PNAC) standard, does not provide message integrity. SHA-2 has no purpose with 802.1x.
An employee has exposed a company computer system to malware. After an investigation, it was found that the employee was using personal email throughout the day, which is in violation of company policy. A meeting is now being held by human resources to ensure users are aware of the company's fair use policy. Which components does the policy being presented express as those that must be followed? (Select two).
ANSWER SELECT ALL THAT APPLY
Legal
Acceptable
Malicious
Adverse
Acceptable
Adverse
WHAT YOU NEED TO KNOW
Adverse actions are a violation of policy. Typically, a policy will forbid the use of equipment to defraud, defame, or obtain illegal material. It is also likely to prohibit the installation of unauthorized hardware or software. A fair use or acceptable use policy includes both acceptable and adverse activity descriptions and examples. Acceptable use guidelines must be reasonable and not interfere with employees' fundamental job duties or human rights. Malicious refers to the intent of a security breach; a malicious act is intentionally carried out to cause problems. Legal refers to compliance in many areas of security. While a fair use or acceptable use policy will not usually contain legal compliance information, legal action may result from unacceptable use by an employee.
A select group of users need access to a folder for a limited amount of time. What access control measure will best balance ease of access and folder security?
ANSWER
Create a shared account for all users to access the folder for the duration of the project
Assign users to a group that has permissions to the folder for the duration of the project
Grant each user a one-time password token each time they need to open the folder
Assign users discretionary access to the folder
Assign users to a group that has permissions to the folder for the duration of the project
WHAT YOU NEED TO KNOW
Assigning users to a group that has permissions to the folder for the project's duration gives users access based on their roles and allows them ease of access, while also maintaining accountability, as each user's actions are recorded in audit logs. Group permissions can be revoked at the end of the project. A one-time password for each time a user accesses the folder would be secure but not easy to manage, as token control, the number of one-time passwords issued, and the frequency with which they must be issued all have to be considered. Assigning users discretionary access to the folder would give them the proper permissions, but when the project is over those permissions must be removed, and maintaining permissions at the folder level is cumbersome for a security manager with many other tasks. Creating a shared account violates non-repudiation; it is difficult to maintain the security of a folder if the administrator cannot keep an accurate account and audit of who accessed the folder, and when. Shared accounts expose resources to risk because several users could have performed an action, and therefore any of them could deny performing an unauthorized action or breaching security protocol.
A system was recently breached at a local bank. When IT security experts arrived on the scene, it was discovered that the hard drive had already been pulled from the system. Several employees were interviewed to locate the hard drive. When it was finally recovered, it was found on a user's desk, kept there for safekeeping. After analyzing the sequence of events, which security protocols were impacted as a result? (Select two)
ANSWER SELECT ALL THAT APPLY
Chain of custody
Standard Operating Procedure (SOP)
Data sovereignty
Preservation
Chain of custody
Preservation
WHAT YOU NEED TO KNOW
Chain of custody records where, when, and by whom the evidence was collected, who subsequently handled it, and where it was stored. It is used to track every point from the crime scene to the courtroom. In this case, chain of custody was broken because evidence was handled without documentation. Preservation refers to the safekeeping of evidence. For example, anti-static bags should be used to protect electronic components. In this case, the drive was found unprotected on a desk. Data sovereignty refers to cross-border transactions and the need to respect local, national, and international laws affecting privacy and data processing. A Standard Operating Procedure (SOP) is an inflexible, step-by-step listing of the actions that must be completed for a given task. Most critical tasks should be governed by SOPs.
A company building outside of the United States must connect its employees to headquarters. The company intranet SharePoint site and general shares must be available to those external users. What is the best method to ensure these users get the access they require using the most secure connection?
ANSWER
Configure a DMZ at company headquarters
Enable the use of SSH
Configure VPN concentrators at each site
Set up VPN client agents
Configure VPN concentrators at each site
WHAT YOU NEED TO KNOW
Configuring VPN (virtual private network) concentrators or gateways at each site creates a site-to-site VPN. The VPN concentrators handle the encryption of data so it may travel across the public Internet. This creates a virtual direct connection to the headquarters' main network. VPN client agents on computers are best for roaming employees who connect to coffee shop wireless networks to access company networks. SSH (secure shell) is a protocol commonly used by administrators rather than regular users; it is not ideal for this situation. A DMZ, or demilitarized zone, will provide adequate protection of the internal network from the outside world, but it does not secure a connection with the international office.
A company researches ways to prevent proprietary information from escaping through USB, social media, or cloud storage. A DLP (Data Loss Prevention) suite would provide the required security, but at a huge cost to the company. What is an alternative option that will provide the same or similar protection using existing systems?
ANSWER
Enable hardware security modules
Configure domain group policies
Enforce a computer use policy
Turn on BitLocker encryption
Configure domain group policies
WHAT YOU NEED TO KNOW
Companies commonly use a Windows domain and configure domain group policies to apply security settings on client computers. These settings may disable the use of removable devices and populate a list of trusted sites for Internet Explorer. A computer use policy is a written document specifying what to do and what not to do on a company-owned system. Policies may deter users, but they do not prevent them from connecting external devices to their systems. A hardware security module such as a TPM (Trusted Platform Module) is used to store encryption keys. BitLocker is a built-in Windows solution that encrypts full hard drives and external USB devices; it does not prevent the copying of files to a USB device or the Internet.
A hacker cracks a substitution cipher easily using frequency analysis. Carefully consider the following cryptographic techniques to determine which one was likely ignored when the cipher was developed.
ANSWER
Confusion
Obfuscation
Hashing
Diffusion
Confusion
WHAT YOU NEED TO KNOW
Basic substitution and transposition ciphers are vulnerable to cracking by frequency analysis, which detects patterns in the ciphertext, revealing the cipher and key used for encryption. Confusion addresses substitution and transposition ciphers, while diffusion only addresses transposition. On this alone, confusion is the right answer. Confusion prevents attackers from selectively generating encrypted versions of plaintext messages and looking for certain patterns in their relationship. Diffusion prevents attackers from selectively determining parts of the message encrypted by the same key. Hashing is generally used to store passwords or ensure the validity of data; unlike ciphers, it is not an encryption technique. A substitution cipher is an obfuscation technique, so by definition obfuscation was not ignored when developing the cipher.
A physical server hosts several Windows Server 2016 virtual machines. Management prohibits the use of all systems, to prevent the loss or leakage of proprietary company information. Which of the following actions will provide an adequate amount of USB security for this virtual host?
ANSWER
Disable all USB ports on the virtual host.
Disable USB on the virtual machines.
Disable unused USB ports on the virtual host.
Create a USB policy on a DLP appliance.
Disable unused USB ports on the virtual host.
WHAT YOU NEED TO KNOW
A common setup for a virtual host includes a KVM (keyboard, video, mouse) device for initial setup and troubleshooting. A KVM connection will use at least one USB connection for the mouse and keyboard. All other USB (universal serial bus) ports can be safely disabled. Disabling all USB ports would also prevent the use of a KVM device, which is crucial in many circumstances (e.g., troubleshooting). Most virtual machines are created without a USB controller, so it may be a non-issue; however, the question was about the virtual host specifically. DLP (data loss prevention) appliances help to prevent data leakage by removing the use of USB devices. However, a DLP does not interact directly with a hypervisor.
In a physical setting, an account administrator can verify a new user's identity, but in an online account registration procedure this is more difficult. Analyze each action to determine how the system administrator can ensure the identity of a newly enrolled user. (Choose two)
ANSWER SELECT ALL THAT APPLY
Employ a Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA)
Require an in-person meeting with each new user
Activate the user's webcam to verify facial recognition
Get credentials from an authorized site within a federated network
Employ a Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA)
Get credentials from an authorized site within a federated network
WHAT YOU NEED TO KNOW
In online registration, CAPTCHA is an easy way to differentiate between humans and bots or computer-generated users, and to reject attempts to access the system without the presence of a human being. In a single sign-on architecture, credential sharing is allowed between trusted websites, using federation. Federated identity management establishes trust between networks, enabling the communications and protocols that allow users to authenticate and be authorized with access permissions and rights. Activating a user's webcam is only authorized with the user's express permission, and should not be adopted as a standard practice for identity verification. Unless the information to which the user is requesting access is of a classified nature, it is time-consuming and unnecessary to personally visit a website's users.
An attacker launches a vishing social engineering attack by impersonating a police officer. The attacker calls the victims and tries to exploit this behavior by demanding the victims give the attacker their name and address immediately. This type of attack does NOT demonstrate what type of social engineering principle?
ANSWER
Urgency
Familiarity/liking
Intimidation
Authority
Familiarity/liking
WHAT YOU NEED TO KNOW
One of the basic tools of a social engineer is simply to be affable, likable, and persuasive, and to present the requests they make as completely reasonable and unobjectionable. Social engineers can try to intimidate their target by pretending to be someone else, such as someone of authority or superior in rank or expertise. Creating a false sense of urgency can disturb people's ordinary decision-making process; the social engineer can try to pressure his or her target by demanding a quick response. Many people find it difficult to refuse a request by someone they perceive as superior to them. Social engineers can try to exploit this behavior by pretending to be someone of authority.
An electronics manufacturer has created a device that can provide live statistics and report engine diagnostics information. The module plugs into a standard diagnostic port found on modern vehicles. After some time, troubleshooting the device uncovers a flaw that impacts electronic controls and damages sensors on particular vehicles. What effect will this flaw have on the manufacturer? (Select two).
ANSWER SELECT ALL THAT APPLY
Finance
Property
Reputation
Safety
Finance
Reputation
WHAT YOU NEED TO KNOW
As news of the flawed device (and the possible related incidents caused by using the device) spreads, the manufacturer's reputation will be directly impacted. As the flawed device's sales likely stop, the manufacturer's financial future will be directly impacted. Additionally, possible lawsuits from consumers who have been affected will also impact the manufacturer's finances. As vehicle controls have been reported to be compromised by using the device, the consumer will be directly impacted with safety concerns. As vehicle sensors have been reported to be damaged by using the device, the consumer will be directly impacted with property concerns.
A server with important data requires that a new backup scheme be implemented. The goal is to use a solution that balances the time required to back up and to restore the data. Evaluate the backup strategies and choose the most appropriate backup strategy.
ANSWER
Full backup followed by incremental backups
Full backup followed by snapshot backups
Full backup followed by differential backups
Snapshot followed by incremental backups
Full backup followed by differential backups
WHAT YOU NEED TO KNOW
Full backups are used to back up all selected data. Differential backups are used to back up any data that has changed since the last full backup. Using differential backups after a full backup is known to offer a balance in backup and restore times. Incremental backups are used to back up any data that has changed since the last backup of any kind; using incremental backups can be time-consuming during restore operations. A snapshot is not a backup type, but rather a method that is used to back up open files, so neither option involving snapshots is a complete backup strategy.
A recent walkthrough of an office revealed several employees running unauthorized software, such as games and video editing software. The administrator removed the software from the clients' computers. Which of the following are the next steps to prevent this issue from happening again? (Select two).
ANSWER SELECT ALL THAT APPLY
Scan all the clients' computers.
Investigate how they installed the applications.
Include the applications on a whitelist.
Include the applications on a blacklist.
Investigate how they installed the applications.
Include the applications on a blacklist.
WHAT YOU NEED TO KNOW
Admins must find out how the unauthorized software was retrieved, to prevent all such sources from being accessible again. Event logs and browsing history may assist in the investigation. Antivirus software includes blacklist features, where any listed application is prohibited from running on a system. Applications included in a whitelist are allowed to run on a system; unauthorized software should never be listed there. Scanning the client computers is the third step, after the investigation is done and the blacklist has been populated with as much known unauthorized software as possible.
How does key stretching make a password harder to crack?
ANSWER
Key stretching adds a randomly generated number to the user password hash to make it more complex.
Key stretching puts the password through thousands of rounds of hashing, which can slow an attacker's cracking attempt.
Key stretching adds salt values to the hash, adding an additional layer of complexity to the password hashes themselves.
Key stretching makes it difficult for the attacker to replicate the plaintext password by using a random number generator to assign each plaintext value a number for the hash.
Key stretching puts the password through thousands of rounds of hashing, which can slow an attacker's cracking attempt.
WHAT YOU NEED TO KNOW
Key stretching can be envisioned as someone playing with silly putty. The password hash is imprinted on the silly putty, then someone stretches, kneads, and rearranges the silly putty through their hands until the values in the hash are randomly distributed throughout the silly putty. The hash is rearranged simply by multiple manipulations, or stretches of the key, much like the silly putty. Key stretching does not add salt, or random values, to the hash. It does not add an extra layer to the password to add complexity. The benefit of key stretching is the extra time it would take someone to go through all of the permutations or stretches the key has gone through, slowing them down. Key stretching does not add anything to the password hash to add complexity. The original, plaintext password is encrypted using different algorithms to derive the hash. The encryption algorithm from which the hash is derived contributes to password strength.
A company maintains sensitive credit card data. It has recently implemented a process that handles this data from creation to destruction and improves upon security. After performing analysis of the proposed security controls and the process details, which areas benefit most from the implementation? (Select two)
ANSWER SELECT ALL THAT APPLY
License compliance
Fair use policy compliance
Legal compliance
Data governance
Legal compliance
Data governance
WHAT YOU NEED TO KNOW
Regulations for the payment card industry contain many specific terms for preventing data breaches. A company that does not comply with the regulations could face hefty fines and be prevented from accessing the market. Data governance is the overall management of the availability, usability, and security of the information used in an organization. License compliance pertains to software licensing for systems and maintaining compliance for the use of that software. A fair use or acceptable use policy includes both acceptable and adverse activities. Typically, a policy will forbid the use of equipment to defraud, defame, or obtain illegal material. Guidelines must be reasonable and not interfere with employees' fundamental job duties or human rights.
"Somewhere you are" authentication can be problematic because so many users sign on to services remotely. Analyze this challenge to determine the most effective implementation of location-based authentication. (Select two).
ANSWER SELECT ALL THAT APPLY
Location-based authentication is best as a continuous authentication measure or access control, to monitor IP location.
Location-based authentication is best used as a Virtual Private Network (VPN)-hopping monitor, to protect against users hopping between IP addresses.
Location-based authentication is best used as a secondary form of authentication after a primary authentication factor for multifactor authentication.
Location-based authentication is best used as a primary authentication method, based on the geographic location of the user's IP address.
Location-based authentication is best as a continuous authentication measure or access control, to monitor IP location.
Location-based authentication is best used as a secondary form of authentication after a primary authentication factor for multifactor authentication.
WHAT YOU NEED TO KNOW
Location-based authentication is best used as a secondary form of authentication, and works well as a continuous authentication or access control feature. If a remote user registers at a VPN gateway but their IP address is in a different country, access may be denied. This can help deny users with malicious intent. Location-based authentication should not be used as a primary authentication method, because users are mobile and location services are neither precise nor infallible. Location-based authentication can help detect the use of a VPN in a different geographic location from the user, but it is not meant as a VPN-hopping monitor; other tools are better suited for this type of detection.
A security manager leaves the company. If this security manager had remote access, which steps must the new security manager perform to secure the system? (Select three).
ANSWER SELECT ALL THAT APPLY
Make sure the account is disabled
Change administrative passwords on network devices
Delete the account and all permissions linked to it
Review security procedures and perform a usage audit
Make sure the account is disabled
Change administrative passwords on network devices
Review security procedures and perform a usage audit
WHAT YOU NEED TO KNOW
The new security manager should make sure the old account is disabled to restrict access by the old account holder. Because it is a security manager account, it is better to disable it than to delete it, as deletion might cause problems with encrypted documents and protocols created by the old security manager. Because the old security manager had remote access, the company must change administrative passwords on all network devices (routers, firewalls, etc.) to deny future access to the system. Deleting the account and its permissions may be problematic because it was a security manager account, so it is better to disable and monitor the account. Any time an administrator leaves the company, reviewing security procedures and conducting a usage audit is a good idea.
Analyze the choices to determine which of them are attributes of Diffie-Hellman (D-H). (Select three)
ANSWER SELECT ALL THAT APPLY
Not used to encrypt messages
Key agreement protocol
Depends on the use of a group
D-H is the same as a key exchange
Not used to encrypt messages
Key agreement protocol
Depends on the use of a group
WHAT YOU NEED TO KNOW
Diffie-Hellman (D-H) is a key agreement protocol, published in 1976 by Whitfield Diffie and Martin Hellman. These authors also acknowledge the work of Ralph Merkle and suggest that the protocol be referred to as Diffie-Hellman-Merkle. D-H itself is not used to encrypt messages or to authenticate senders. It is used to securely agree on a key to encrypt messages using a symmetric encryption algorithm, such as AES. Diffie-Hellman is different from a key exchange: the client and server never exchange the secret key. They use a combination of private and shared integers to derive the same shared secret. D-H depends on the use of a group, which can be any mathematical operation with the properties of a trapdoor function.
Applying the concept of OpenID Connect (OIDC), what does the user control when they log in to their computer to access a given website? (Select two).
ANSWER SELECT ALL THAT APPLY
OIDC allows the user a choice of which service provider they use for login and credential management.
OIDC allows the user to choose which identity provider to provide with their credentials.
OIDC allows the user to choose which relying party they log in to and provide their credentials.
OIDC allows the user to choose which web services they trust with their credential.
OIDC allows the user to choose which identity provider to provide with their credentials.
OIDC allows the user to choose which web services they trust with their credential.
WHAT YOU NEED TO KNOW
OIDC enables the "sign on with" feature that lets a user select their identity provider, for example Google or Microsoft Azure. The user enters his or her login and password credentials at their preferred identity provider, and OIDC then allows access to other federated sites. OIDC allows the user a choice in which web services they trust with their credential, as this is just another way of saying they can choose which identity provider they sign in with (for example, Amazon Web Services, which can act as a Security Assertion Markup Language (SAML) provider). The identity provider does not provide the credential itself to the relying party (a secondary website separate from the identity provider). The identity provider keeps the credential secure, and the user is signed in to the other website through the identity provider. The user always has some degree of choice in which service provider they choose when signing up for Internet access.
Why must token devices be closely synchronized with the authentication server? (Select three).
ANSWER SELECT ALL THAT APPLY
One-Time Passwords (OTPs) often contain a timestamp that expires quickly if not used.
Setting a time limit for the code helps ensure it is not used by an unauthorized user should a token-bearing device be lost.
If the authentication server is not accessed within the allotted time window, a notification is sent to the token issuer so they can investigate the deviation.
Synchronizing the systems allows for accurate accounting and auditing of when systems are accessed and by what means.
One-Time Passwords (OTPs) often contain a timestamp that expires quickly if not used.
Setting a time limit for the code helps ensure it is not used by an unauthorized user should a token-bearing device be lost.
Synchronizing the systems allows for accurate accounting and auditing of when systems are accessed and by what means.
WHAT YOU NEED TO KNOW
Device loss is a consideration for HMAC-Based One-Time Password Algorithm (HOTP)-derived passcodes. HOTP passcodes are sent to the token device to be used to authenticate to the server. Time synchronization adds an additional layer of safety with the time-based one-time password algorithm (TOTP). Devices must be synchronized to the server so the timestamp is accurate and the timing algorithm on the OTP is activated at the appropriate time, when the OTP is issued. Synchronization helps with auditing and accounting, identifying how the server is accessed and with what devices. In HOTP, a timestamp is part of the encryption, and it expires if not used, so devices must be synchronized to allow the OTP to be used effectively. Servers in HOTP are configured so that if the token and server counters go out of synchronization, the OTP is simply disabled so the server is not waiting for authentication from this device. This can happen if an OTP is generated but not used.
Why would a network administrator in charge of managing network devices most likely choose TACACS+? (Select two).
ANSWER SELECT ALL THAT APPLY
RADIUS is less flexible and reliable, and with TACACS+ it is easy to see when a server is down.
The network utilizes only non-Cisco servers and devices, and therefore cannot use RADIUS.
TACACS+ allows for centralized control of accounts set up to manage routers, switches, and firewall appliances and their associated account privileges.
The network utilizes only Cisco servers, and therefore only has operability with TACACS+.
RADIUS is less flexible and reliable, and with TACACS+ it is easy to see when a server is down.
TACACS+ allows for centralized control of accounts set up to manage routers, switches, and firewall appliances and their associated account privileges.
WHAT YOU NEED TO KNOW
TACACS+ allows for centralized control of accounts and privileges set up to manage routers, switches, and firewall appliances. TACACS+ uses a protocol similar to RADIUS, but is more flexible and reliable, with a connection-oriented delivery system that makes it easier to detect when a server is down. It is used more for device management than for authenticating end users, and all of the data in a TACACS+ packet is encrypted, rather than just the authentication data. The manufacturer of the server should not matter in this case; TACACS+ should work whether or not the servers and devices are made by Cisco. RADIUS, in general, has some interoperability issues when products do not support the same authentication and accounting technologies.
Users with permission to use a specific resource should be on its Access Control List (ACL). Analyze and determine how the access control list keeps unauthorized users from accessing a resource in a RADIUS server.
ANSWER
The Authentication, Authorization, and Accounting (AAA) server decrypts the password sent in the Access-Request packet and responds with an Access-Reject packet if the user is not on the ACL.
The IP address of the sending computer must match the credential found in the ACL. If it does not, the packet is rejected.
The RADIUS client prompts the user for their authentication details, including username and password or digital certificate. The user is rejected if this data is not on the ACL.
The username and password are encrypted and sent to the RADIUS client with a message authenticator, which must match the ACL.
The Authentication, Authorization, and Accounting (AAA) server decrypts the password sent in the Access-Request packet and responds with an Access-Reject packet if the user is not on the ACL.
WHAT YOU NEED TO KNOW
There are several steps in the RADIUS authentication process. The AAA server decrypts the password in an Access-Request packet during the fifth step outlined in the text. It compares the decrypted password authentication data against the ACL and sends an accept, reject, or challenge message at this point. Encrypted data is not compared to the ACL; the RADIUS AAA service decrypts the data that is checked against the ACL. First, the requesting individual (a remote user) connects to a RADIUS server, then enters their username and password as the next step. The RADIUS client uses this information to create an Access-Request packet with authentication data, which is encapsulated and sent to the AAA server. The IP address is part of the encrypted request packet that is encapsulated and sent to the AAA server.
The DMZ (demilitarized zone) has a new virtual firewall server. A user reported that Internet websites are viewable, but they no longer have a connection to an FTP (file transfer protocol) site. Which of the following is most likely the cause of the disconnection? ANSWER A network cable disconnected from the server. The ACL still requires setting up. The user does not have access to the FTP site. The Firewall implicitly denied access to the FTP site.
The Firewall implicitly denied access to the FTP site. WHAT YOU NEED TO KNOW A firewall server manages traffic going in and out with rules. In most cases, traffic for which no rule has been defined to accept or deny it is implicitly denied. The virtual server is hosted on a physical server that is most likely fitted with redundant physical network connections. A single cable disconnection will not prevent access elsewhere. The user only recently lost connection to the FTP site, which coincides with the deployment of the new firewall server. This is most likely the cause. As most firewalls are set up to implicitly deny connections out of the box, knowing the user has access to Internet websites implies that the firewall's ACL (access control list) has already been set up.
A firm conducting business with the government has data that is highly sensitive. As a result, military usage rules have been employed to label this data, and a new document needs to be labeled. After examining the labeling criteria, determine which description applies to confidential data. ANSWER There are no restrictions on viewing the document The information is too valuable to permit any risk of its capture The information is highly sensitive, for viewing only by approved persons within the organization Viewing is restricted to the owner organization or to third-parties under an NDA
The information is highly sensitive, for viewing only by approved persons within the organization WHAT YOU NEED TO KNOW Confidential (or low) information is considered to be highly sensitive. Viewing is only allowed by approved persons within the organization (and also possibly by trusted third parties under NDA). Classified (private/restricted/internal use only/official use only) documents dictate that viewing is restricted to the owner organization or to third parties under an NDA. Unclassified (public) documents have no restrictions for viewing the document. Secret (or medium) information dictates that the information is too valuable to permit any risk of its capture. Viewing is severely restricted. This type of data is normally encrypted.
While conducting an audit of their network, the network administrator discovers a log entry that has multiple gaps in the event log. What could this anomalous log entry indicate? (Select two). ANSWER SELECT ALL THAT APPLY This could indicate changes to the system's configuration and installation of a backdoor. This could indicate that a user has been altering the event logs to cover malicious or suspicious activity. This could mean an attacker is modifying and deleting logs to cover suspicious activity. This could indicate the presence of malware spreading and extracting chunks of data from targeted folders.
This could indicate that a user has been altering the event logs to cover malicious or suspicious activity. This could mean an attacker is modifying and deleting logs to cover suspicious activity. WHAT YOU NEED TO KNOW This log entry indicates someone is trying to cover their tracks. This could be an insider threat (one of the system's authorized users). This could be an outside attacker. Either way, this entity is trying to mask their system activity by deleting it from the log. The spread of malware or exfiltration of data will reflect in an audit log as an unusual or excessive use of bandwidth, perhaps during off-peak traffic cycles. Indicators of a backdoor installation would come in the form of unscheduled changes to the system's configuration, aimed at opening it up so the attacker can exfiltrate data from the network.
A penetration testing consultant company creates a computer with a cluster of high-end graphics cards. Why would this machine benefit a penetration test? ANSWER To increase the speed of cracking lengthy passwords with brute force attacks. To increase the speed of cracking a lengthy encoded digital certificate. To increase the speed of cracking lengthy passwords with Pass-the-Hash attacks. To increase the speed of cracking plaintext passwords.
To increase the speed of cracking lengthy passwords with brute force attacks. WHAT YOU NEED TO KNOW A brute force attack attempts every combination to derive a plaintext password from a hash. The longer the key, the more difficult it is to crack. Brute force attacks distributed across a password cracker with a cluster of high-end graphics cards are more successful at cracking longer passwords. With Pass-the-Hash attacks, if an attacker obtains the hash of a user's password, it is possible to authenticate with the hash without cracking it. A digital certificate can be encoded as a file and stores cryptographic information, such as the public key and the encryption and hashing algorithms used, and signatures can be forged, but a password cracker cannot "crack" digital certificates. If a password is already in plaintext, it doesn't need to be cracked.
The security team would like to implement a security measure controlled by a touch screen keypad that requires six digits entered in the correct combination, which will allow entry to the server room. What type of security measure is this? ANSWER Biometrics Smart Card Cipher lock Proximity Card
WHAT YOU NEED TO KNOW A Cipher Lock is a physical security control to allow only authorized personnel access in a certain area to protect assets, data, and resources. Biometrics is the practice of using an individual's physical characteristics to authenticate and provide (or deny) access to a facility or system. Biometrics do not require the user to enter data. Smart Cards are credential cards with an embedded microchip used to authenticate access or use. A smart card is a physical card carried by the user. Proximity Cards use embedded antenna wires connected to a chip to provide authentication.
A company CIO worked on building a room that prevents Wi-Fi, cellular and RFI signals from emitting in and out of a defined area to secure the employees' environment and to protect from data leakage. What did the CIO construct? ANSWER Faraday Cage Mantrap Honeynet Bollard
WHAT YOU NEED TO KNOW A Faraday Cage is used to block electromagnetic, radio-frequency and electrostatic signals. The enclosure can keep signals out and block them from going into the secure area, providing a physical security layer. A honeynet is a network set up with intentional vulnerabilities. It invites an attack, so that activities and methods can be studied and used to increase network security. It does not block frequencies. A mantrap is a physical security control, but does not block radio frequency signals. A Bollard is a physical security control that acts as a vehicle barricade.
A NIDS, or Network Intrusion Detection System, actively monitors the network. This appliance helps to provide real-time analysis of any malicious activity going on with the network. Management requests implementation of other security mechanisms to actively protect client computers, such as a NIDS. Which of the following will fulfill this requirement? ANSWER NIPS HIDS HIPS Web firewall
WHAT YOU NEED TO KNOW A HIPS (Host Intrusion Prevention System) will monitor for malicious network activity entering into the client computer and will stop malicious connections where necessary. A HIDS (Host Intrusion Detection System) will monitor activity and only alert or log the malicious network activity once it occurs. It does not act upon network breaches of any sort. A NIPS (Network Intrusion Prevention System) is an appliance like a NIDS (network intrusion detection system) but actively engages in stopping any malicious activity on the network before it reaches client computers. A web firewall can be a hardware appliance or a server. It may be included in a NIPS appliance as well. It is not heuristic.
A Black Hat wants to make some easy money. The attacker infected multiple computers with Trojans and gathered farms of zombies to rent out to spammers. In this way, the spammers can use the zombies to put phishing Trojans in spam email. What did the Black Hat essentially create? ANSWER A Denial of Service (DoS) attack A Smurf attack A botnet A Distributed Reflection Denial of Service (DRDoS) attack
WHAT YOU NEED TO KNOW A botnet is a set of computers that have been infected so that attackers can use them to mount attacks. Black Hats can gather "farms" of zombies (botnets) infected with Trojans and rent them out to spammers who put phishing Trojans in spam email. A Distributed Reflection Denial of Service (DRDoS) is a TCP SYN flood attack. The adversary spoofs the victim's IP address and attempts to open connections with multiple servers, and consumes the victim's available bandwidth. In a Smurf attack, the adversary spoofs the victim's IP address and pings the broadcast address of a third-party network. Each host directs its echo responses to the victim server. A Denial of Service (DoS) attack causes a service to become unavailable.
A security breach has occurred at a small business. The objective at this point is to restore a backup to bring systems back online. Which security control type should be implemented? ANSWER Preventive Technical Corrective Compensating
WHAT YOU NEED TO KNOW A compensating control does not prevent an attack but it restores the function of a system. This could be through some means such as using a data backup or moving to another site, such as a hot site. A preventive control physically or logically restricts unauthorized access. A lock is an example of a preventive control. A technical control is implemented in operating systems, software, and security appliances. An example is an Access Control List (ACL). A corrective control responds to and fixes an incident and may also prevent its reoccurrence.
Employees must pass through a turnstile, one at a time, using their building badge to gain entry to the server room. This is an example of what type of physical security control? ANSWER Biometrics Tailgating Honeypot Mantrap
WHAT YOU NEED TO KNOW A mantrap is a physical security control designed to control access to secure areas. Mantraps provide the capability to lock a single person in an area if needed. Biometrics is an authentication form that utilizes the "something you are" construct. Biometrics uses physical characteristics of an individual. A honeypot is a server that is intentionally left open or available, so that an attacker will be drawn to it versus a live network. Tailgating is when an unauthorized person follows closely behind an authorized person in order to gain access. A mantrap is a solution to this security concern.
An attacker injected malicious code into a process that caused a system to become unstable, by reducing performance, preventing other processes from starting, exhausting RAM (random access memory), and periodically crashing the OS (operating system). Which of the following best associates with this type of behavior? ANSWER A DLL injection A memory leak A race condition A pointer dereference
WHAT YOU NEED TO KNOW A memory leak is a vulnerability that occurs when software does not release allocated memory when it is done using it, leading to system instability. DLL injection is not a vulnerability in itself, but rather a consequence of the way the operating system allows one process to attach to another and then force it to load a malicious dynamic link library. If the pointer that references an object at a memory location was set to a null value by a malicious process, this can create a null pointer exception, causing instability and crashes. Race conditions occur when the outcome from execution processes is dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended.
Which of the following devices uses the transparent security inspection of network traffic by redirecting user packets prior to sending the packets to the intended destination? ANSWER Protocol analyzer Load balancers Virtual Private Network (VPN) concentrator Proxies
WHAT YOU NEED TO KNOW A proxy is a device that acts on behalf of another service. A proxy examines the data and makes rule-based decisions about whether the request should be forwarded or refused. A load balancer splits the traffic intended for a website into individual requests that are then rotated to redundant servers as they become available. A protocol analyzer is a tool used to examine the contents of network traffic. A protocol analyzer is a packet capturing tool that can collect network traffic and store it in memory or onto a storage device. A Virtual Private Network (VPN) concentrator incorporates the most advanced encryption and authentication techniques.
An attacker wants to install malware that is difficult to detect by changing core system files so that local shell processes conceal its presence. What type of backdoor could the attacker install to achieve this goal? ANSWER Crypto-malware Adware Spyware A rootkit
WHAT YOU NEED TO KNOW A rootkit is backdoor malware that is difficult to detect and remove. Rootkits work by changing core system files and programming interfaces, so that local shell processes do not reveal their presence. Spyware is a program that monitors user activity and sends the information to someone else. This can occur with or without the user's knowledge. Adware is any type of software that displays commercial offers and deals. Adware software can have a negative impact on performance and can include accepting a long license agreement. Crypto-malware is a class of ransomware that attempts to encrypt data files. The user will be unable to access the files without obtaining the private encryption key, held by the attacker.
Five Windows servers running on a physical virtual host require updates and a mandatory security patch. All servers will have the same security patch. Management wants to test the patch on one of the servers. Which of the following is the easiest way to prepare and recover the server's system state, in the event the patch crashes the server? ANSWER Take a full backup of the virtual host. Take a full backup of the virtual machine. Create a Windows restore point. Take a snapshot of the virtual machine.
WHAT YOU NEED TO KNOW A snapshot of a virtual machine (VM) takes little time to create and can be performed while the VM is powered on. Reverting to a snapshot takes little time and is the easiest option. Creating a Windows restore point will take little time, but the recovery process takes more time than using snapshots and may not be as easy. Taking a full backup of the virtual host of the physical server is not common practice. Hypervisors are relatively easy to rebuild, while VMs are hosted on other virtual hosts. Taking a full backup of the virtual machine with an app like Windows Backup will take more time to create and recover from. This option is not ideal for patch testing.
A hacker is trying to crack encrypted text. Frequency analysis suggests the text is encrypted with a substitution cipher. Which of the following satisfies this criterion for the encryption method? ANSWER XOR ROT13 ECC 3DES
WHAT YOU NEED TO KNOW A substitution cipher hides information by replacing units (a letter or blocks of letters) in the plaintext with different ciphertext. As such, ROT13 is a substitution cipher that rotates each letter in the alphabet by 13 places. The other choices are not substitution ciphers. 3DES (Triple DES) is a symmetric block cipher where the plaintext is encrypted three times using different subkeys. ECC (Elliptic Curve Cryptography) is an asymmetric encryption technique that leverages the algebraic structures of elliptic curves over finite fields to generate public/private key pairs. XOR is an operation that outputs 0 (false) if both values are the same and 1 (true) if the values are different.
An IT contractor will begin working for an organization in the next few weeks. At this time, the preliminary candidate has been selected but not officially hired. What agreement can be put in place to express an intent for the contractor and the organization to work together? ANSWER Memorandum of Agreement (MOA) Business Partners Agreement (BPA) Memorandum of Understanding (MOU) Non-Disclosure Agreement (NDA)
WHAT YOU NEED TO KNOW An MOU is a preliminary or exploratory agreement to express an intent to work together. MOUs are usually intended to be relatively informal and not to act as binding contracts. An MOA is a formal agreement (or contract) that contains specific obligations of a work relationship rather than a broad understanding. An NDA is a legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. A BPA is the most common model in IT for partner agreements that large IT companies (such as Microsoft and Cisco) set up with resellers and solution providers.
A bank developed a database application, and will deploy it on new mobile devices at their branches. The mobile devices will be placed in kiosks to make it easier for customers to open up new accounts without teller interaction. What step of application auditing best describes what will determine the necessary security requirements for the underlying database application? ANSWER The code review The verification process The architecture review The validation process
WHAT YOU NEED TO KNOW An architecture review will analyze the systems on which the application depends. This could include the underlying OS and database application, programming language and development environment, client browsers, plug-ins, and so on. A code review is an in-depth examination of the way the application is written, to ensure that it is well-written and does not expose the application to known input validation or injection attacks. Verification is a compliance testing process to ensure that the product or system meets its design goals. Validation is the process of determining whether the application is fit-for-purpose (i.e., its design goals meet the user requirements).
A security analyst performs a vulnerability assessment for the company. While reviewing the results of the assessment, the analyst discovers a Windows operating system no longer receives security updates and has multiple vulnerabilities. After reviewing the policy from the vendor, the analyst discovers that the vendor previously announced the developers no longer support this operating system. Which of the following best describes the type of vulnerability management challenge this problem presents? ANSWER The operating system needs configuration with the web address of the updated software repository. The operating system reached its end-of-life. The operating system needs to use the built-in update client to install patches and updates. There is a lack of vendor support for the operating system.
WHAT YOU NEED TO KNOW An end-of-life system is one where the developer or vendor has previously announced a timescale for withdrawing support in terms of providing patches and updates. End-of-life systems no longer receive security updates. Lack of vendor support is a situation where the vendor refuses to fix known issues even though the product might remain on sale, or where a product is no longer supported because the original vendor or developer is no longer available. Linux is based on distributions which contain the Linux kernel and other software packages, and are posted to a software repository. Windows operating systems do not use repositories. End-of-life systems no longer receive security updates and so represent a critical vulnerability if any remain in active use.
A user at your company connects to the open guest Wi-Fi access point (AP), but notices two Service Set Identifiers (SSIDs) with the same name. Once the user connects to one of them, a landing page requests the user's credentials. The user is a victim of what type of wireless attack? ANSWER An evil twin attack A deauthentication attack A jamming attack A disassociation attack
WHAT YOU NEED TO KNOW An evil twin is a rogue access point (AP) masquerading as a legitimate one, and can have a similar Service Set Identifier (SSID) name as the legitimate AP. The evil twin can harvest information from users entering their credentials. A deauthentication attack sends a stream of spoofed deauth frames to cause a client to deauthenticate from an AP. This might allow the attacker to interpose the rogue AP or sniff information about the authentication process. A disassociation attack hits the target with disassociation packets and is used to perform a Denial of Service (DoS) attack against the wireless infrastructure. A jamming (interference) attack disrupts a wireless network by interference from other radio sources, often to jam an access point (AP).
A new fitness watch, available on the market, pairs with all modern smart phones. Which of the following technologies can connect this fitness watch to other devices? (Select two). ANSWER SELECT ALL THAT APPLY NFC Bluetooth ANT Infrared
WHAT YOU NEED TO KNOW Bluetooth is the standard pairing technology for modern smart phones and fitness bands. A passcode is used to verify a pairing and is quick to set up. The ANT protocol is similar to Bluetooth and is used in communicating health and fitness sensor data between devices. NFC (near field communication) is a technology and chip sensor that allows mobile devices to make a payment with contactless Point-of-Sale (POS) machines. Infrared is a technology used commonly for remote controls for a TV, for example. It is not used to connect devices like a smart phone to a fitness watch.
A user wants to use a custom theme for an Android smart phone. The theme requires root access to install custom firmware for its special features. An app in Google Play advertises the ability to root the phone, but is unable to. Which of the following options will provide a better chance to root the phone? ANSWER Modern phones use official apps from cellular carriers to gain root access. Reset the phone to factory settings. Remotely access the phone. Connect the phone to a laptop.
WHAT YOU NEED TO KNOW Connecting the phone to a laptop is called tethering. Effective rooting applications and processes use tethering so the phone boots from a file on the laptop, rather than from the phone. Resetting the phone to factory settings does not root the phone, or provide root access to other areas of the phone. Gaining remote access to the phone does nothing to root a phone. Although a hacker may use remote access to find and copy data from the user, it does not require root privileges. Cellular carriers do not advertise the use of applications that root a phone. Most carriers may stop support for phones that are rooted and even disable service.
An application developer accessed a library of cryptographic standards to find the correct syntax for incorporating hashing functions and encryption algorithms in the code, which was found in CryptoAPI. However, the developer is still learning the craft, and unwisely selects a deprecated algorithm for the application. Since the webserver is configured to disable weak ciphers, the application crashes when launched. Based on this scenario, which of the following statements is false? ANSWER CryptoAPI is a crypto module A cryptographic service provider is a software library of cryptographic standards Application selection can impact implementation CryptoAPI is a cryptographic service provider
WHAT YOU NEED TO KNOW CryptoAPI is not a cryptographic service provider. CryptoAPI is a Windows crypto module. A crypto module is a set of hardware, software, and/or firmware that interprets and packages algorithms as a computer program or programming library. Algorithm selection impacts implementation. In this scenario, the decision to use a deprecated algorithm in the application caused it to crash due to settings on the webserver. If the server wasn't configured to disable weak ciphers, the application would run, but the server would be susceptible to attacks. A cryptographic service provider is a library of cryptographic standards. These libraries are part of a crypto module.
Which of the following is NOT a symmetric algorithm? ANSWER Blowfish Data Encryption Standard (DES) Digital Signature Algorithm (DSA) Advanced Encryption Standard (AES)
WHAT YOU NEED TO KNOW DSA (Digital Signature Algorithm) is not a symmetric (secret key) algorithm. It is an asymmetric (public/private key) algorithm used for digital signatures that provides authentication and integrity verification for messages. DES (Data Encryption Standard) is a symmetric algorithm published by NIST (National Institute of Standards and Technology). It is an implementation of a Feistel Cipher. DES and its replacement, 3DES, are considered weak. Blowfish is a symmetric algorithm. It is a 64-bit block cipher that uses a variable length key. Its keys are known to be weak. AES (Advanced Encryption Standard) is a symmetric algorithm and is the preferred choice for many new applications.
Some domains sound very convincing, such as my-credit-card.com, when the authentic domain is mycreditcard.com. There are different processes in place to legitimize these domains. Which process is highly vulnerable to compromise? ANSWER Root certificate Email certificate Domain validation Extended validation
WHAT YOU NEED TO KNOW Domain Validation is proving ownership of a particular domain by responding to an email to the authorized domain contact, or by publishing a text record to the domain. It will appear as a green padlock in the browser, but the owner is not verified. This is highly vulnerable to compromise. Extended Validation is a process that requires more rigorous checks on the subject's legal identity and control over the domain or software being signed. The verified name of the owner will appear with the padlock. A root certificate is one that a CA signs for itself. An email certificate can be used to sign and encrypt email messages, typically using S/MIME or PGP.
The client wants to deploy a wireless network that uses a smart card or a certificate that can be installed on the client's PC. Which type of authentication mechanism is most suitable for this task? ANSWER PEAP EAP-TTLS EAP-TLS EAP-FAST
WHAT YOU NEED TO KNOW EAP-TLS requires client certificates, but most other types of EAP can be configured to perform mutual authentication (including EAP-TTLS, PEAP with TLS, and EAP-FAST). PEAP and EAP-TTLS both use a server-side public key certificate to establish an encrypted tunnel between the user and authentication server. The user does not require a certificate. The main distinction between these protocols is that EAP-TTLS can use any tunnelled authentication protocol, while PEAP must use EAP-MSCHAP or EAP-GTC. EAP-FAST is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server's master key.
Fingerprint scanning is one of the most straightforward methods of biometric identification. Which of these concerns are most pertinent to the use of this technology? (Select two). ANSWER SELECT ALL THAT APPLY Revocability of credentials High expense of installation Surfaces must be clean and dry Ease of spoofing
WHAT YOU NEED TO KNOW Ease of spoofing is a concern; it's relatively easy to obtain a copy of a person's fingerprint and make a model. Fingerprinting is also associated with criminality, so there's a stigma attached to fingerprint identification. Revocability is an issue with all biometric factors, but because fingerprint scanning technology is cheaper in comparison to other technologies, accessing and revoking certificates is also easier to do. Cleanliness of the reader and of the fingerprints are issues in getting a "good read" of a fingerprint. Body temperature can also affect the readability of fingerprint scans on devices such as smart phones (cold hands may not activate the scanner). While expense is a concern for all biometrics, fingerprint scanning is cost-effective when compared to most other biometric scanning technologies.
A company maintained operations using its existing software and hardware even though one of its critical components failed. What mechanism allowed this to occur? ANSWER Scalability Availability Elasticity Fault Tolerance
WHAT YOU NEED TO KNOW Fault Tolerance is a product of redundancy: in the event of a crash, the system maintains operations because the single point of failure has been removed. The system will continue to operate without notice. Scalability is the capacity to increase the workload on current resources. Availability is part of the CIA security triad and ensures systems are operational and available to end users. Fault tolerance is a way to ensure availability. Elasticity is the ability to resize an environment based on the load. Elasticity is a part of virtualization and can reduce costs. A user can increase or decrease resources as necessary.
With the goal of creating a major blackout, a hacker manages to compromise the meter of an electricity consumer household. Hoping to gain access to the electricity supplier's system, the hacker is dismayed to learn a code was needed to authenticate to the network and continue the attack. Analyze the options to determine which goal of cryptography is described in this scenario. ANSWER High resiliency Confidentiality Integrity Non-repudiation
WHAT YOU NEED TO KNOW High resiliency is the best answer. It occurs when compromise of a small part of a system is prevented from allowing compromise of the whole system. Cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the system. The goal of integrity in cryptography is keeping organizational information accurate, free of errors, and without unauthorized modifications. Confidentiality is the goal of keeping information and communications private and protected from unauthorized access. In cryptography, it involves encrypting data so that it can only be decrypted by the appropriate key. Non-repudiation is the goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
A stock trading company's network went down, and as a result, its trading floor lost communication to its partners. Which of the following would help identify this type of vulnerable business process? ANSWER Radio Frequency IDs (RFIDs) Impacts on life and safety Supply chains Risk assessments
WHAT YOU NEED TO KNOW If a company operates with vulnerable business processes, it could lead to loss of service to customers. The degree of risk that exists must be assessed by calculating its likelihood and impact. Tangible assets can be identified using a barcode label or Radio Frequency ID (RFID) tag attached to the device (or more simply, using an identification number). A supply chain is a series of companies involved in fulfilling a product. Assessing a supply chain involves determining whether each link in the chain is sufficiently robust. The most critical type of impact is one that could lead to injury or loss of life. Risks to life and safety come from natural disasters, manmade disasters, and accidents (such as fire).
A contractor implements a secure system design for a large accounting firm. The contractor disables unnecessary services and deploys the system using only services and protocols necessary to the company. What principle does this employ? ANSWER SELECT ALL THAT APPLY Access Control List Least Functionality Least Privileged Hardening
WHAT YOU NEED TO KNOW In implementing a secure system, hardening is the practice of removing default values to ensure the system is more secure. One of the processes of hardening a system is that of Least Functionality. Least Functionality employs the principle of deploying systems with only the services and protocols required to perform the job. Least Privileged is a control management principle, in which individuals are only granted privileges and access to perform their tasks. Least privilege can reduce risk by limiting access to data otherwise not necessary to a user. An access control list is a set of rules that regulates what traffic is allowed or denied based on networks, ports and protocols.
Which cloud deployment model requires self-installation, maintenance and security management of provided resources? ANSWER SaaS Hybrid PaaS IaaS
WHAT YOU NEED TO KNOW Infrastructure as a Service, or IaaS, allows for outsourcing of equipment and support operations. The service provider owns, maintains and manages the equipment. It is a self-managed solution to cloud concepts. Platform as a Service, PaaS, provides preconfigured environments for developing and managing environments. The service provides on-demand computing. Software as a Service, SaaS, is typically managed by a vendor. It is available over a network. It is essentially a full-service product and is a pay-as-you-go type model. Hybrid is a combination of multiple cloud models that act collectively.
A user entered special characters into an alphanumeric field. Immediate rejection of the database commands occurred with results returned as: "Error." What is this an example of? ANSWER Race conditions Dead code Code obfuscation Input validation
WHAT YOU NEED TO KNOW Input validation verifies data is valid. Proper input validation uses a set of rules to validate entries in fields for proper use. In the event an entry is invalid, the application will reject the entry. Race conditions occur when multiple applications attempt to access the same resource at the same time, causing a conflict. Dead code is code in the application that is never used or executed. Dead code can be created in many ways, including logic errors, copying code, and the misuse of code reuse. Code obfuscation is the method of disguising coding methods by way of renaming variables, replacing strings, and hiding comments.
An administrator reconfigured a system back to its baseline settings after a vulnerability scanner detected deviation from the baseline configuration to improve the overall security posture of the system. What did the admin exercise in the Group Policy? ANSWER Integrity measurements Blacklist Sandboxing Least functionality
WHAT YOU NEED TO KNOW Integrity measurements are done to identify baseline deviations. Automated tools continuously monitor the system for any baseline changes. If changes are found, Group Policy will force the system back to its original state. Least functionality employs the principle of deploying systems with only the services and protocols required to perform the job. This is a component of system hardening, but is not forced upon finding a vulnerability. Blacklisting is a Group Policy that blocks certain applications from being installed, but allows all else. Sandboxing is an isolated area for testing and developing.
Within the confines of available resources, the concept of resource versus security constraints involves a tradeoff in how much of the best possible security can be employed. Which of the following is an important consideration when balancing cryptography use and the quality of real-time streaming voice and video? ANSWER Low collision Low power devices Low resiliency Low latency
WHAT YOU NEED TO KNOW Latency is the time delay that can occur in real-time channels, like voice and video. Therefore, low latency is preferable in voice and video streaming. Cryptography requires processing overhead, which could impact signal quality. Low power devices are a consideration for technologies that require more processing cycles and memory space. This is not the best answer regarding consideration of cryptography's impact on streaming quality. A collision is where a function produces the same hash value for two different inputs. It is unrelated to streaming quality. Resilience involves a network's quality of service (QoS), or a control system's ability to compartmentalize its various components to prevent a compromise from spreading to other components. This is also unrelated to streaming quality.
A company has multiple web servers to handle the large amount of traffic and caching they incur. Recently, they had several servers crash, causing unscheduled downtime. To correct this error, what technology should the company implement? ANSWER Cold recovery site Load balancer Proxies Backups
WHAT YOU NEED TO KNOW Load balancers can equalize the traffic load between servers, eliminating unscheduled downtimes. Load balancing uses multiple servers to support a single service. Load balancing can ensure system availability. To prevent loss of data, backups can be made in multiple forms. This would not prevent downtime, but copies of the data could be reinstated. A cold recovery site would take time to reactivate the system due to its limited resources. A cold site only allows for generic resources for continued operations. The company would have to provide the equipment and software to get the COOP running. Proxies are used to forward requests for services.
Several new servers have been installed for a large business. After six months in service, there have been a total of three hard disk failures. Management needs to be provided information that will determine the reliability of the servers. After examining all gathered details, which metric type and specific formula should be used? (Select two). ANSWER SELECT ALL THAT APPLY Mean Time Between Failures (MTBF) (number of servers*number of hours running)/number of failures (number of servers*number of hours running)/number of servers Mean Time to Failure (MTTF)
WHAT YOU NEED TO KNOW Mean Time Between Failures (MTBF) (number of servers*number of hours running)/number of failures Mean Time Between Failures (MTBF) is used to represent devices that can be repaired. In this case, a server can be repaired by replacing a failed drive. The calculation for MTBF is the total time (number of devices * hours running) divided by the number of failures. Mean Time to Failure (MTTF) is used to represent devices that cannot be repaired. A failed hard drive cannot be repaired. The calculation for MTTF for the same test is the total time (number of devices * hours running) divided by the number of devices.
During a vulnerability assessment, a security consultant discovers a networked camera system (CCTV) server accessible from the public internet. The consultant can gain access to the server with the username admin and password admin. What type of vulnerability did the consultant identify? ANSWER A misconfigured security configuration A hardened security configuration A security configuration with least functionality A security configuration with baseline deviation reporting
WHAT YOU NEED TO KNOW Misconfigured security configurations leave administrative access with a default password that is publicly available, sensitive ports open to the Internet, etc. Any service or interface that is enabled through the default installation and left unconfigured is considered a vulnerability. The process of putting an operating system or application in a secure configuration is called hardening. Hardening is implemented to conform with the security requirements in a defined security policy. Least functionality is a security principle which states that a system should run only the protocols and services required by legitimate users and no more. Baseline deviation reporting refers to testing the configuration of clients and servers to ensure they are patched and that their configuration settings match the baseline template.
The public is allowed to use a library computer system for research. This computer is new and will have online access. In preparation for use, all operating system updates and security patches have been installed, as well as a reliable antivirus software package. As a result, which type of security control has been put in place to reduce the risk of threats? ANSWER Mitigation Avoidance Acceptance Transference
WHAT YOU NEED TO KNOW Mitigation is the overall process of reducing exposure to the effects of risk. There are several ways of mitigating risk. In this case, hardening a system with security updates and antivirus software places it in a position where risk is reduced. Acceptance means that no countermeasures are put in place, either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed. Transference means assigning risk to a third party. With IT systems, third-party monitoring and remediation systems or personnel may be used. Avoidance is the act of stopping the activity that causes risk. In this case, removing the system completely would remove the risk.
A cellular company updates cell towers across the country. They plan to update the baseband of their mobile users' devices to fully support the new towers. How may the company effectively deploy this new update? ANSWER Send updates through OTA Send updates over Wi-Fi Add to next Android version Via USB
WHAT YOU NEED TO KNOW OTA (over the air) refers to the process of updating basebands on mobile devices through the cellular network. This option is more effective and efficient and requires very little interaction by the user. Updates over Wi-Fi require a user to connect to a Wi-Fi network, which is neither efficient nor effective. Most updates via Wi-Fi require navigating to a website or service and then downloading the update. Android versions are managed and pushed by Google. New versions can be pushed alongside other updates from cellular companies. Baseband updates are not part of an Android operating system. Connecting a mobile or radio device to a computer via USB is not effective, since it requires more manual work.
A penetration tester established a Command and Control (C2 or C&C) network to control a compromised host and use it as a Remote Access Tool (RAT) or backdoor. What did the penetration tester successfully achieve? ANSWER Persistence Action on objectives A pivot point Initial exploitation
WHAT YOU NEED TO KNOW Persistence refers to a pen tester's ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor, via a Command and Control (C2 or C&C) network. In the initial exploitation (a.k.a. weaponization) phase, an exploit is used to gain some sort of access to the target's network. A pivot point is a system and/or set of privileges that allow the tester to compromise other network systems (lateral spread). The initial exploit might give the tester local administrator privileges, and use these to obtain privileges on other machines. Action on objectives refers to the adversary or penetration tester stealing data from one or more systems (data exfiltration).
A virtual host running several virtual machines (VMs) has a single Ethernet connection to a Layer 3 switch. The switch configurations show the Ethernet connection with several sub-interfaces, each with specific ACLs. Each VM is in a different subnet range. Which of the following is most likely the reason for the sub-interfaces? ANSWER For QoS To set up access ports The switch has several VLANs Preparation for additional Ethernet connections
WHAT YOU NEED TO KNOW Physical Ethernet connections are divided into multiple logical interfaces to create sub-interfaces. This is commonly done for VLAN (virtual local area network) routing internally and externally. Although new Ethernet connections can be added to the sub-interfaces, it is not meant for any future planning purposes. Virtual hosts use the minimum amount of redundant physical connections and allow logical segmentation to build multiple virtual networks. Access ports are not used in this situation, since the virtual machines that are in different subnets will require multiple VLANs to go through the single connection. The port on the switch is a trunk port. QoS (Quality of Service) prioritizes packets for media-rich applications like video teleconferencing. There is no requirement for QoS.
A risk assessment must be performed on the storage infrastructure and security of Personally Identifiable Information (PII). Which risk assessment type aims to assign concrete values to a risk factor? ANSWER Qualitative Quantitative Proactive Reactive
WHAT YOU NEED TO KNOW Quantitative risk assessment aims to assign concrete values to each risk factor. The process of determining and assigning asset values can be extremely complex and time consuming. Qualitative risk assessment is focused on identifying significant risk factors. The qualitative approach seeks out people's opinions of which risk factors are significant. Proactive relates to change management and not risk assessment. With a proactive approach, the need for change is initiated internally to avoid risk. Reactive relates to change management and not risk assessment. With a reactive approach, the need for change is forced upon an organization, often in response to a risk.
A recent breach at a local business has put a great deal of pressure on internal processes. The breach caused many problems for the business and its customers. As a result, security controls for data systems are now being re-audited. At what stage of its incident response plan is the business currently operating? ANSWER Recovery Lessons learned Identification Containment
WHAT YOU NEED TO KNOW Recovery from an attack will involve several steps. Re-auditing security controls is important to ensure they are not vulnerable to another attack. A new attack could be launched with information gathered from the network. Identification is the process of collating events and determining whether any of them should be managed as incidents or as possible precursors to an incident. Containment deals with examining how widespread the incident is and keeping it as isolated as possible. During lessons learned, it is important to analyze the incident and responses to identify whether procedures or systems could be improved. Therefore, it is imperative to document all aspects of the incident.
A system engineer would like to remove the single point of failure and improve performance, while upgrading subsystems with four disks, at the lowest cost possible. Which of the following is the engineer most likely to invest in? ANSWER On-premise Differential Backups RAID-6 Clustering
WHAT YOU NEED TO KNOW A redundant array of inexpensive disks (RAID) provides increased system availability and fault tolerance for disks. RAID-6 requires four disks and can survive a failure on two. Clustering provides high availability for servers and can remove the single point of failure. Clustering is similar to load balancing, but is more costly than RAID implementations. On-premise computing refers to a company's resources all being maintained within the same building. On-premise computing would not be an upgrade in this scenario. Backups are copies of data, created to ensure data can be restored if corrupted or lost. A differential backup saves information deltas since the previous full backup. This would not upgrade the system.
An attacker crafts a Uniform Resource Locator (URL) to perform code injection against a trusted website, and emails the link to a victim user. When the user clicks the link, the trusted site executes the malicious code in the client's browser, with the same permission level as the trusted site. What type of Cross-Site Scripting (XSS) input validation vulnerability did the attacker exploit? ANSWER Reflected Cross-Site Scripting (XSS) Stored Cross-Site Scripting (XSS) Cross-site Request Forgery (XSRF) Document Object Model (DOM)-based
WHAT YOU NEED TO KNOW Reflected Cross-Site Scripting (XSS) is a server-side input validation exploit that injects a script into a website. Once the victim visits the infected website, the malicious code executes in the user's browser. Stored (or persistent) Cross-Site Scripting (XSS) is a server-side script attack that aims to insert code into a back-end database used by the trusted site. Document Object Model (DOM) Cross-Site Scripting (XSS) exploits vulnerabilities in client-side scripts to modify the content and layout of a web page. A Cross-site Request Forgery (XSRF) exploits applications using cookies to authenticate users and track sessions. The attacker convinces the victim to visit the target site, and then passes an HTTP request to the victim's browser, spoofing an action on the site.
A company hosts its own web servers. These web servers provide multiple services that employees need while on the road. A recent security audit advises the company to find a more secure way to publish these web services to the Internet. Which of the following will accomplish this? ANSWER DLP DMZ Reverse Proxy Load balancer
WHAT YOU NEED TO KNOW Reverse proxies can publish specific applications from the corporate network to the Internet by listening for specific client requests. This will ensure other intranet services are not exposed. A DLP or data loss prevention system uses algorithms to identify confidential information and prevent such information from leaving company systems. A DMZ or demilitarized zone is a logical and/or physical separation of the intranet and Internet. This separation is not as granular as a proxy server for web applications. A load balancer will be able to balance the service requests among multiple servers that provide the same service. It does not determine an authorized connection like a proxy server does.
An admin wants to gather UPS (Uninterruptible Power Supply) device configurations and statistics, to run a program that will automatically shut down systems in the event battery power is low. Which of the following can fulfill the requirement without compromising device configuration and supports authentication? ANSWER SSH SNMPv2 TFTP SNMPv3
WHAT YOU NEED TO KNOW SNMPv3 supports message integrity (using an MD5 or SHA hash), authentication, and encryption. A query can still be set up to use no security, authentication only, or authentication and encryption. SNMPv2 uses community names to determine access, and these are sent in plain text. Like SNMPv3, SNMPv2 collects status and configuration information, and does not change it. Although SSH (secure shell) can be used to query device status and configuration, it can also be used to change device configuration. TFTP (trivial file transfer protocol) is a simplified form of FTP (file transfer protocol) supporting only file copying, and is used where authentication and directory visibility are not required.
An Exchange 2016 server runs on a virtual infrastructure. The server has large amounts of space. Management plans to keep user emails on the server until users request to read or open them on their client computer. Which of the following protocols is the best way to secure this process? ANSWER IMAP SPOP3 HTTPS SMTP
WHAT YOU NEED TO KNOW SPOP3 (Secure Post Office Protocol v3) is the secured version of POP3 and uses TCP (Transmission Control Protocol) port 995 by default. POP3 is a mailbox protocol that stores mail on a server and only downloads mail to recipients' email clients at their convenience. SMTP (Simple Mail Transfer Protocol) is used to deliver mail from mail server to client computers that are permanently available for the user. It is not secure. IMAP (Internet Message Access Protocol) is an application protocol that allows a client to access email messages stored in a mailbox on the remote server and manage them. IMAPS (Secure IMAP) is the secured version. HTTPS (Hyper Text Transfer Protocol Secure) is used for secure sessions with public Internet websites.
Management provided two wireless access points (WAPs) on the second floor of their building. This is to accommodate the use of legacy and modern mobile devices. What is the best way to configure the WAPs so users know which one to connect to? ANSWER Increase the signal strength for one device Use the 5 GHz band Modify the SSIDs Change the WLAN protocol to 802.11n
WHAT YOU NEED TO KNOW SSID or service set identifier is the public name of the Wi-Fi device, so users may know which device to connect to. Depending on the band selection, specifying '24' in the name for 2.4 GHz or '5' for 5 GHz is helpful. The 802.11n WLAN (wireless local area network) protocol selection may be a default selection for most modern Wi-Fi devices. Enabling the 802.11bg protocol will accommodate legacy devices. Modern devices will recognize the 5 GHz band. The secondary device should operate on the 2.4 GHz band for legacy devices. Increasing or decreasing the signal strength just makes the Wi-Fi connection more or less available outside of the workplace.
A mobile phone has the Samsung Pay application. It currently requires a PIN to use for payment. What other options are available to securely use NFC (near field communication) for payment? ANSWER Pattern Wi-Fi Face recognition Fingerprint
WHAT YOU NEED TO KNOW Samsung Pay can work with a registered fingerprint of the user to enable the NFC (near field communication) chip to make a payment on compatible payment devices. A PIN is still registered along with the fingerprint, in case the fingerprint cannot be recognized. The phone's Wi-Fi has no direct relation to making NFC mobile payments. However, it can be used to download the latest Android updates and updates to Samsung Pay faster. Face recognition is an option to unlock a Samsung smart phone, but it is not currently used with NFC payments for Samsung Pay. Pattern is an option to unlock most smart phones, including Samsung phones. It is not used for Samsung Pay.
An attacker gains access to a CCTV monitoring system, and remotely observes an employee type in a password. What type of an attack is this? ANSWER Tailgating Keylogging Shoulder Surfing A lunchtime attack
WHAT YOU NEED TO KNOW Shoulder surfing refers to stealing secure information by watching the user type it. The attacker does not have to be in close proximity to the target—they could use high-powered binoculars or CCTV to directly observe the target remotely. If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system (often described as a lunchtime attack). Tailgating is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint. A keylogger is a type of spyware that actively attempts to steal confidential information. It can monitor user activity and can send information to the attacker.
An employee extracts proprietary information from the company and sells it to other companies. An investigation began, including an extensive search of the employee's desk, computer, and email. There are no signs of an external hard drive being used to extract information. However, a large number of emails sent to different companies over the course of two months included harmless texts, pictures, and a description of where he would like to go on vacation. What did the employee use to extract information from the company's computers? ANSWER RAT Steganography Wireshark BitLocker
WHAT YOU NEED TO KNOW Steganography is a technique for obscuring the presence of a message. The harmless vacation pictures may have embedded company information that is extracted by the receiver of the emails. RAT or remote access trojan is software that gives an adversary the means of remotely accessing the network. The employee did not need a RAT, since proprietary information was regularly accessed. Wireshark is a sniffing tool that captures and displays packet information passing through any network interface. BitLocker is a Windows encryption technology used to encrypt full internal or external hard drives. There were no indications that external devices were used.
An attacker impersonates a member of the cleaning crew for a company's building, and requests an employee to hold the door open while the impersonator brings in a cleaning cart. The employee fell victim to what type of attack? ANSWER Dumpster diving Shoulder surfing A lunchtime attack Piggy backing
WHAT YOU NEED TO KNOW Tailgating is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint. Like tailgating, piggy backing is a situation where the attacker enters a secure area with an employee's permission. If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system (often described as a lunchtime attack). Shoulder surfing refers to stealing a password or PIN (or other secure information) by watching the user type it, either in close proximity or remotely. Dumpster diving refers to combing through an organization's (or an individual's) garbage to find useful documents (or even files stored on discarded removable media).
An application utilizes NIST controls to focus on cybersecurity activities and risk. What type of framework does this suggest is in place? ANSWER Regulatory International National Industry-specific
WHAT YOU NEED TO KNOW The National Institute of Standards and Technology framework regulates the cybersecurity risks and activities in the United States. It is part of the U.S. Department of Commerce and considered a national framework. Regulatory frameworks are based on specific laws and regulations and ensure compliance with those standards. Medical records are governed by regulatory laws. Industry-specific frameworks are governed according to the type of product provided. Financial information (i.e. credit card, bank account) is covered under industry-specific standards. International frameworks are governed by international standards and are to be implemented globally versus nationally.
The security manager for a large company is installing facial recognition scanners for authentication and is considering several locations. Which of these implementations is least likely to cause issues? ANSWER Scanners installed on each employee's company cellular device A scanner which activates doors exiting the facility A scanner at the entry to a server room in the main building A scanner at the entrance to the main facility that activates an entry turnstile
WHAT YOU NEED TO KNOW The cell phone device implementation is least likely to cause issues, because it is already popular on many cell phones and can provide an out-of-office authentication procedure for employees that won't create traffic flow problems in physical buildings. A scanner at the main entry, set up to activate a turnstile, is likely to have false rejection rates, frustrating the traffic flow and throughput of employees into the building. False Acceptance Rates (FAR) at this point can also allow unauthorized access. The FAR becomes more of a concern in the server room entry setting, where it is more crucial for unauthorized entry to be stopped. This area would be better protected with multifactor authentication. Placing a biometric scanner at an exit door to a facility brings up the issue of fire safety and whether the building has accessible egress points in case of emergency, so this is not the best location.
Comparing Kerberos to Public Key Infrastructure (PKI), what is the main advantage of Kerberos over PKI? ANSWER PKI uses asymmetric encryption, while Kerberos uses asymmetric encryption with timestamps PKI uses symmetric encryption, while Kerberos uses asymmetric encryption with timestamps PKI uses asymmetric encryption, while Kerberos uses symmetric encryption with timestamps PKI uses symmetric encryption, while Kerberos uses symmetric encryption without timestamps
WHAT YOU NEED TO KNOW The main advantage Kerberos adds to encryption over PKI is the use of symmetric encryption with timestamps, allowing mutual authentication while mitigating the risk of replay attacks with a timestamp. The key difference between PKI and Kerberos is how the data is encrypted, symmetrically (with Kerberos) or asymmetrically (with PKI). Timestamping the tickets/tokens for single sign-on in Kerberos gives it proof against replay attacks. PKI encryption is asymmetric, as it uses a private key it does not share with the network, and a public key it shares for exchanging information. Kerberos uses symmetric encryption with timestamps.
An attacker recently purchased a lot of misspelled domain names related to a bank, and starts hosting malware and adware, and begins launching pharming attacks from them. This is an example of what type of cybersquatting? ANSWER Tasting Kiting Domain hijacking Uniform Resource Locator (URL) hijacking
WHAT YOU NEED TO KNOW Uniform Resource Locator (URL) hijacking (typosquatting) relies on users navigating to misspelled domains. An attacker registers a domain name with a common misspelling of an existing domain. Users who misspell a URL in a web browser are taken to the attacker's website. Domain hijacking is a type of hijacking attack in which the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Kiting is the act of continually registering, deleting, and reregistering a name within the five-day grace period without having to pay for it. Tasting is a Domain Name Server (DNS) exploit that involves registering a domain temporarily to see how many hits it generates within the five-day grace period.
While running a Windows Defender scan on a Windows 10 workstation, an administrator notices the scans taking longer than usual. The workstation needs restarting, and a Windows Defender update is two months overdue. What type of update will most likely solve the slow scan issues? ANSWER Critical Definition Feature Packs Security
WHAT YOU NEED TO KNOW Updates are widely released fixes for bugs. Critical updates address performance issues within the application, and sometimes within the guest operating system. Security updates address vulnerabilities and can be rated by severity (critical, important, moderate, or low). Critical security updates are normally pushed out first, and depending on the vulnerability, are implemented in production even before testing. Definition updates apply to software such as malware scanners and junk mail filters. Adding additional definitions does not have a detrimental effect on the performance of Windows Defender. Feature packs add new functionality to the software.
Management rolls out Office 365 applications using virtual machine images of Windows 10. The user will log in using a thin client, and all virtual machines will use rapid deployment. Which of the following deployment options is most likely in use? ANSWER Workspaces Single sign-on VDI BYOD
WHAT YOU NEED TO KNOW VDI or virtual desktop infrastructure is a solution used by companies, like Citrix and VMware, to deploy multiple virtual desktops to users. A set of baseline applications can be loaded onto an image. VMware uses a technology called instant clones to rapidly deploy new desktops on new user logins. Workspaces are a web-based offering of applications in a single view for users to select from. Amazon Workspaces or VMware Workspace One are examples of workspaces. Single sign-on is an authentication mechanism that can authorize the use of deployed virtual desktops and/or applications, but it does not deploy any service. BYOD stands for "bring your own device." Users will be using thin clients, which are company-owned.
When developers check out code to add auditing capability to access logs, they record their credentials, as well as the changes they make in the code. What type of secure coding practice is this? ANSWER Change Management Version Control Provisioning Code Quality
WHAT YOU NEED TO KNOW Version control tracks the versions of software in real time. It will record who has accessed the code, as well as what was changed. Version control also allows for rollback if necessary. Change management is a process that follows a change to a system from identification to implementation. It is used for controlled identification and implementation of required changes within a computer system. Provisioning is the process of procuring, configuring and making available an application or system. This process provides resources to users. Code quality is the use of certain standards to measure how useful and maintainable application code is.
When a particular software program runs, it typically restricts functionality for the average user. However, attackers can inject their own Trojan into this application. Once the Trojan executes, it grants the ability to access functionality that would normally be unavailable. What type of application exploit is this software vulnerable to? ANSWER Transitive access An SQL injection Directory traversal Vertical privilege escalation
WHAT YOU NEED TO KNOW Vertical privilege escalation (or elevation) occurs when a user or application can access functionality or data that should not be available to them. An SQL injection attack inserts an SQL query as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code. Directory traversal occurs when the attacker gets access to a file outside the web server's root directory, if the input is not filtered properly, and access permissions on the file are the same as those on the web server root. Transitive access describes the problem of authorizing a request for a service that depends on an intermediate service.
A security operations center (SOC) analyst responds to a Denial of Service (DoS) attack, but has difficulty finding the origin of the attack. After researching the traffic in a protocol analyzer, the SOC analyst wants to block traffic from the attacking system, but suspects the attacker changed the source address recorded in the packets. What kind of attack could this represent? ANSWER Network Address Port Translation (NAPT) overloading Internet Protocol (IP) spoofing Internet Control Message Protocol (ICMP) redirect Fingerprinting
WHAT YOU NEED TO KNOW With IP spoofing, the attacker changes the source and/or destination address in IP packets to disguise the real identity of the attacker's host machine. This is also used in Denial of Service (DoS) attacks, making it harder for the target system to block packets from the attacking system. Network Address Port Translation (NAPT) overloading maps private host IP addresses onto a single public IP address. Fingerprinting is the act of port scanning using a tool such as Nmap (network mapper), which can reveal the presence of a router and what dynamic routing and management protocols it is running. ICMP redirect (a.k.a. ARP poisoning) tricks hosts on the subnet into routing through the attacker's machine rather than the legitimate default gateway.
An attacker appends code to a webpage that inserts a Structured Query Language (SQL) query as part of the user input. When the web server processes a submission, the code gets executed, allowing the attacker to enumerate password hashes from the database. What type of application exploit did the attacker implement? ANSWER Directory traversal Transitive access SQL injection Command injection
WHAT YOU NEED TO KNOW With SQL injection, the attacker embeds code within the input or appends code to it that executes when the server processes the submission. An SQL injection attack attempts to insert an SQL query as part of user input. Directory traversal is where the attacker gets access to a file outside the web server's root directory, and access permissions on the file are the same as on the web server root. A command injection attack runs OS shell commands from the browser, and allows commands to operate outside of the server's directory root, forcing commands to run as the web "guest" user. Transitive access describes the problem of authorizing a request for a service that depends on an intermediate service.