SECURITY+ STUDY GUIDE #3
Analyze and select the items demonstrating advantages Terminal Access Controller Access-Control System Plus (TACACS+) has over Remote Authentication Dial-In User Service (RADIUS). (Select all that apply.) - It is easier to detect when a server is down. - It provides greater flexibility and reliability. - It only encrypts authentication data. - It allows detailed management of privileges assigned to users.
- It is easier to detect when a server is down. - It provides greater flexibility and reliability. TACACS+ uses TCP communications for reliable, connection-oriented delivery, making it easier to detect when a server is down. TACACS+ is similar to RADIUS but Cisco designed it with flexibility in mind. Its connection-oriented delivery method increases reliability and flexibility. It is supported by third parties and open-source RADIUS implementations. All data in TACACS+ packets is encrypted (not just authentication data).
Which attack types are client-side attacks that are impacted by malicious code? (Select all that apply.) - Integer overflow - Session replay - Cross-site scripting - Directory traversal
- Session replay - Cross-site scripting A session replay is a client-side attack. This means that the attack executes arbitrary code on the user's browser. A cross-site scripting (XSS) attack exploits the fact that the browser is likely to trust scripts that appear to come from a site the user has chosen to visit.
Security admins are evaluating Windows server vulnerabilities related to Dynamic Link Library (DLL) injections. Modern applications are running on these Windows servers. How would an attacker exploit these vulnerabilities? (Select all that apply.) - Use malware with administrator privilege. - Navigate laterally using pass the hash. - Enable legacy mode through shimming. - Evade detection through refactoring.
- Use malware with administrator privilege. - Evade detection through refactoring. The malware must evade detection by anti-virus to be successful. This can be done through code refactoring which means the code performs the same function by using different methods, such as changing its signature. Dynamic Link Library (DLL) injection is deployed with malware that is already operating on the system with local administrator or system privileges.
A network administrator can conduct a site survey to find potential placement locations of wireless access points (WAP) using which of the following? (Select all that apply.) - Wireless controller - Wi-Fi analyzer - Wi-Fi Protected Setup (WPS) - Heat map
- Wi-Fi analyzer - Heat map A Wi-Fi analyzer is software on a laptop or mobile device with a wireless network adapter. Information about the signal is obtained at regularly spaced points as the surveyor moves around. A heat map is a visual of the information gathered from a Wi-Fi analyzer. It can show where a signal is strong (red) or weak (green/blue), and which channel is being used.
Failed logins or instances of denial of access to restricted files may be indicators of compromise. Suggest where records of such incidents might be found. (Select all that apply.) -DNS cache -Authentication logs -Dump files -Security logs
-Authentication logs -Security logs Windows system and security logs can provide insight on certain events, providing a timeline with who may have logged on or tried to log on to the system. Even though investigating every security and network log manually would take forever, by comparing irregularities in authentication logs (such as incomplete authentication), investigators can correlate corresponding entries.
Where might one find operating system files during acquisition? (Select all that apply.) -Cache -Random-access memory (RAM) -Firmware -Pagefile
-Cache -Random-access memory (RAM) -Pagefile System caches are a place likely to contain operating system files. Some of these may be relevant to the investigation. Operating system files active during acquisition may be present in the pagefile or swap. Operating system files active during acquisition may be present in the random-access memory (RAM).
What type of strategy is a blackhole? (Select all that apply.) -Segmentation -Containment -Isolation -Data Loss Prevention
-Containment -Isolation Isolation is the act of disconnecting an entire system or network. Isolation is a malware containment procedure. Containment is a strategy that controls access to files, data, systems, or networks across points of entry, using isolation or segmentation techniques.
A large company is moving to a new facility and selling its current office fully-furnished with the company's older PC workstations. Not only must the move be as quick as possible, but the company will also provide employees with new equipment. The IT department has backed up all the important data, and the company purchasing the office and equipment is a market competitor. Therefore, the company has instructed the IT department to perform full data sanitation and implement the recycling policy. Recommend types of data sanitation procedures the IT department should use before leaving the facility for good. (Select all that apply.) -Degauss magnetic tape drives -Crypto erase hard drives -Pulverize USB drives -Perform a factory installation of Windows on all workstations
-Degauss magnetic tape drives -Crypto erase hard drives -Pulverize USB drives For drives that support it, such as self-encrypting drives (SEDs), crypto-erase is among the most secure methods of drive deletion. Crypto-erase, sometimes called Secure Erase, encrypts all data on the drive using a media encryption key. Then, the key is deleted, rendering the data unrecoverable. USB hard drives can be pulverized, leaving a poor chance of data recovery. Hard disks can be pulverized as well, but this should be done with industrial-grade machinery. Degaussing is erasing data using a strong magnet on the hard disk or magnetic tapes. Degaussing removes the possibility of recovering any information.
A company deployed a wireless access point and wishes to enable the Enterprise mode for secure wireless connections. The servers have certificates, but the supplicants do not. Which of the following options would fit the company's needs? (Select all that apply.) -EAP-FAST -RADIUS Federation -PEAP -EAP-MD5
-EAP-FAST -PEAP EAP-FAST (Flexible Authentication via Secure Tunneling) is Cisco's replacement for LEAP. It addresses LEAP vulnerabilities using TLS (Transport Layer Security) with PAC (Protected Access Credential) instead of certificates. PEAP (Protected Extensible Authentication Protocol) uses a server-side public key certificate to create an encrypted tunnel between the supplicant and authentication server. PEAP is an industry standard.
A software developer created a new application, and the software company pressured the developer to release it to the public. Which of the following helps ensure the application is secure before the release? (Select all that apply.) -Error handling -Input validation -Application auditing -Proper authentication and authorization
-Error handling -Input validation -Proper authentication and authorization Some of the challenges of application development include the pressure to release a solution ahead of schedule, as well as neglecting secure development practices, such as error handling. Input validation is another secure development practice that a software developer should not neglect. Proper authentication and authorization is an important part of performing secure coding practices.
Determine appropriate methods the team can use to acquire OS-level information from Windows. (Select all that apply.) -Use memdump to capture data from volatile memory. -Initiate sleep mode and analyze the hibernation file. -Reboot and analyze memory dump files. -Check system and security logs.
-Initiate sleep mode and analyze the hibernation file. -Reboot and analyze memory dump files. -Check system and security logs. When Windows encounters an unrecoverable kernel error, Windows writes contents of memory to a dump file or a mini dump file. Investigators can then analyze the contents for a variety of information. Windows creates a hibernation file at the root of the boot volume when in sleep mode. The data can be recovered and decompressed, then loaded into a software tool for analysis. Windows system and security logs can provide insight on certain events, providing a timeline with who may have logged on or tried to log on to the system.
Which of the following is TRUE about false negatives in relation to vulnerability scanning tools? (Select all that apply.) -Is identified -Is a high risk -Is not identified -Is not high risk
-Is a high risk -Is not identified False negatives are the potential vulnerabilities that are not identified by the scanning tool. It is possible the vulnerability has not been discovered, or a hacker may have spoofed the vulnerability as if nothing is wrong. A false negative is a high security risk because a possible threat could go unnoticed for long periods. This can be mitigated by running repeat scans and by using scanning tools from other vendors. A false positive is something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not. A false positive is not a high risk and more of a nuisance. Researching these issues cost time and effort.
Identify the concepts that function as alternatives to kill chain life cycle analysis in threat intelligence. (Select all that apply.) -Incident response plans -Continuity of operation planning (COOP) -MITRE ATT&CK -The Diamond Model of Intrusion Analysis
-MITRE ATT&CK -The Diamond Model of Intrusion Analysis The MITRE ATT&CK framework stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a database of known TTPs (tactics, techniques, procedures) that can function as an alternative to the cyber kill chain. The Diamond Model of Intrusion Analysis is a framework that analyzes intrusion events by examining relationships between four core features and can be utilized as an alternative to the cyber kill chain.
An organization remodels an office which results in the need for higher security during construction. Placing a security guard by the data center utilizes which control types? (Select all that apply.) -Preventative -Corrective -Compensating -Operational
-Preventative -Operational Operational control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls. A preventative control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place.
A foreign country is planning to target another country to destabilize its economy and upcoming elections. A hacktivist group and government leaders are working together using hybrid warfare tactics to accomplish their goal. What are the most effective methods the foreign country can use to carry out their plan? (Select all that apply.) -Soft power -Fake tweets -Espionage -Dumpster diving
-Soft power -Fake tweets -Espionage Hybrid warfare involves espionage and other hacking and social engineering techniques to launch a hostile campaign against another country. Espionage is the practice of spying on another country. Soft power refers to using diplomatic and cultural assets to achieve an objective. This can influence the operations of companies and or organizations in the target country to assist with hybrid warfare. Using fake news or hoaxes on social media can mislead citizens of the target country very quickly. This can promote hysteria and even dangerous protesting campaigns on the ground.
A cloud service provider (CSP) dashboard provides a view of all applicable logs for cloud resources and services. When examining the application programming interface (API) logs, the cloud engineer sees some odd metrics. Which of the following are examples that would concern the engineer? (Select all that apply.) -Spike in API calls -High native-cloud firewall cost -Low latency responses -Average error rate of 78%
-Spike in API calls -Average error rate of 78% An unexplained spike in Application Programming Interface (API) calls could be an indicator of a DDoS attack. This metric is captured in requests per second or per minute. Error rates measure the number of errors as a percentage of total calls, usually classifying error types under category headings. High errors may represent an overloaded system or security issue.
Which of the following are examples of weak patch management for operating systems and device firmware in a classified network? (Select all that apply.) -Undocumented processes -Non-centralized deployment -Two-year-old devices -Open access to share folder
-Undocumented processes -Non-centralized deployment A non-centralized deployment process makes patch management difficult. For example, Microsoft Endpoint Configuration Manager can schedule, monitor, and auto-deploy patches to Windows systems and applications. An undocumented process makes it difficult to maintain a consistent workflow for patch management in a closed or classified network. Personnel should know how to download patches from the Internet and upload them to the closed network.
Which type of certificate does Secure Multipart Internet Message Extensions (S/MIME) NOT use to sign a message? (Select all that apply.) -User certificate -Root certificate -Machine certificate -Email certificate
-User certificate -Root certificate -Machine certificate User certificates are used in a directory-based network for a wide range of use cases. In Active Directory (AD), there are user certificate templates for standard users, administrators, smart card logon/users, and recovery agent users. Machine certificates are used to identify servers, PCs, smartphones, and other network devices. This allows devices to trust other devices on the network. The root certificate is the one that identifies the Certificate Authority (CA) itself. The root certificate is self-signed.
Specify elements that a playbook should include. (Select all that apply.) -When to report compliance incidents -Backup passwords and private keys -Incident categories and definitions -Query strings to identify incident types
-When to report compliance incidents -Incident categories and definitions -Query strings to identify incident types Specific query strings and signatures easily scan and detect specific types of incidents. These strings improve response and resolution time. How to address compliance incidents with, for example, Health Insurance Portability and Accountability Act (HIPAA) laws should be outlined. It may include a list of contacts and their information, how to contact them, and when. Incident categories and descriptions help ensure that all management and operational staff have a shared framework for interpreting the meaning of terms, concepts, and definitions.
Identify which tools would be used to identify suspicious network activity. (Select all that apply.) -Metasploit -Wireshark -tcpreplay -tcpdump
-Wireshark -tcpreplay -tcpdump tcpdump is a command-line packet capture utility for Linux. The utility will display captured packets until halted manually, and it can save frames to a .pcap file. This tool commonly uses filter expressions to reduce the number of frames captured, such as Type, Direction, or Protocol. Wireshark is a graphical application that can capture all types of traffic by sniffing the network, and save that data to a .pcap file. tcpreplay is a command-line utility for Linux that can replay data from a .pcap file, for example, to analyze traffic patterns and data. Metasploit is an exploitation framework that can identify vulnerabilities through penetration testing, but it is not useful for gathering real-time information that would identify attacks in progress.
A social engineer used a phishing attack to trick users into visiting a website. Once users visit the site, a vulnerability exploit kit installs, which actively exploits vulnerabilities on the client. What type of attack did the users become a victim of? -Cross-site Request Forgery (XSRF) -HTTP Response Splitting -A Man-in-the-Browser (MitB) attack -Locally Shared Objects (LSOs)
A Man-in-the-Browser (MitB) attack A MitB attack compromises the web browser by installing malicious plug-ins, scripts, or intercepting API calls. Vulnerability exploit kits installed on a website can actively try to exploit vulnerabilities in clients browsing the site.
At the Windows desktop screen, a user reports a small pop-up window that shows information about a blocked IP (Internet protocol) address before disappearing. The user fears that Internet access dropped. Describe the type of pop-up window the user reported. -A Windows update notification -A host-based firewall notification -A USB connection notification -Wi-Fi disconnection notification
A host-based firewall notification A host-based firewall application, with rules to block specific IP subnet ranges, or specific port or protocol connections, may be configured by default for user notification when the system enforces a denial rule.
A hacker used a Man-in-the-Middle (MitM) attack to capture a user's authentication cookie. The attacker disrupted the legitimate user's session and then re-sent the valid cookie to impersonate the user and authenticate to the user's account. What type of attack is this? -A replay attack -A Man-in-the-Middle (MitM) attack -A downgrade attack -A birthday attack
A replay attack In a replay attack, the attacker captures some data used to log on or start a session legitimately. The attacker then disrupts the legitimate session and resends the captured data to re-enable the connection.
Which of the following is an example of a vulnerability database that a security administrator can use with Tenable Nessus to assess the security state of servers on the network? A. CVE B. TAXII C. Threat map D. STIX
A. CVE Common Vulnerabilities and Exposures (CVE) is a database of information about vulnerabilities that are codified as signatures. A vulnerability scanner like Tenable Nessus uses CVE to scan the network to determine the security state of almost any device.
Which of the following is designed to mitigate losses from cyber incidents such as data breaches, outages, and network damage? A. Cybersecurity insurance B. Administrative controls C. Control diversity D. Clean desk policy
A. Cybersecurity insurance Cybersecurity insurance is a product that is offered to individuals and companies to protect them from the effects and consequences of cyber related attacks.
A system administrator implements a process that provides two separate paths from each server node to every disk in a redundant array of inexpensive disks set up to remove a single point of failure. What concept has the administrator implemented? A. Multipathing B. Load balancing C. Fault tolerance D. Longevity
A. Multipathing Multipathing allows users to configure multiple input/output (I/O) paths between server nodes and storage arrays into a single device to remove a single point of failure and increase redundancy.
A cardiovascular patient is sent home with a monitoring device that records and sends data to a healthcare provider when triggered by abnormal cardiac activity. Response time to the data is critical to patient health. Which embedded platform is the medical device using? A. Real-time B. Standalone C. Networked D. Distributed
A. Real-time A real-time operating system (RTOS) is in an embedded system intended to serve real-time applications that process data as it comes in. It provides a quicker reaction to external events than a typical operating system.
A hardware manufacturer has designed a smart-device for consumers to use at home. The device responds to voice commands and has interactivity with a mobile application. After several months on the market, the manufacturer discovered that the device collected personal data without consent. This caused a negative impact on sales of the device. As a result of the privacy issue, lost sales, and bad product reviews, what type of impact has occurred to the manufacturer? A. Reputation B. Property C. Finance D. Safety
A. Reputation An organization's reputation can be severely impacted by a negative incident. It is typically difficult to bounce back when consumer trust is lost. In this case, lost sales, poor reviews of the company and the product have contributed to a having a poor reputation.
A water company has replaced outdated equipment with units that can record and report water consumption from a consumer's home to the office. This eliminates the need to send a technician out monthly to read the equipment. What has the company invested in? A. Smart meter B. RTOS C. VoIP D. Embedded system
A. Smart meter A smart meter is an electronic device that records information and communicates the information to the consumer remotely. Smart meters can electronically transmit data on utility use on a predetermined time basis, rather than a company sending out an employee and relying on an estimate.
A recent attack on a major retail chain reported that customers' private information, including credit card information, was stolen. The report explained that a heating, ventilation, and air conditioning (HVAC) contractor copied the information to an external hard drive while servicing an air conditioner unit, and later uploaded the data to a cloud storage resource. A security engineer would classify this type of attack as which of the following? A. Supply chain attack B. USB cable attack C. Cloud-based attack D. Birthday attack
A. Supply chain attack A supply chain attack involves a threat actor seeking methods to infiltrate a company in its supply chain. A heating, ventilation, and air conditioning (HVAC) supplier is one example of using a maintenance service to gain access to sensitive areas like a datacenter. A cloud-based attack involves a threat actor compromising one account that has access to cloud resources to further compromise other cloud assets. A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. A Universal Serial Bus (USB) cable attack involves accessing unsuspecting users after they try to plug their device into a malicious USB cable or plug, similar to card skimmers.
A network administrator needs a service to easily manage Virtual Private Cloud (VPC) and edge connections. The service must have a central console for ease of monitoring all components. Which of the following is the best solution for the administrator to use in a cloud computing environment? A. Transit gateway B. Cloud storage gateway C. NAT gateway D. gateway endpoint
A. Transit gateway A transit gateway is a cloud network hub that allows users to interconnect virtual private clouds (VPC) and on-premises networks through a central console.
Which failover type does an engineer configure so that all nodes are always on? -Active/active -Split tunnel -Full tunnel -Active/passive
Active/active With failover, an active/active cluster means that both nodes are processing connections concurrently. This allows the administrator to use the maximum capacity from the available hardware while all nodes are functional.
A Security Information Event System (SIEM) parses network traffic and log data from multiple sensors, appliances, and hosts to implement correlation rules on metrics derived from data sources. SIEM assists the systems admin to detect events that may be potential incidents. Define the term for notifications passed upon detection of a potential incident. -Alerts -Correlation -Sensitivity -Trends
Alerts SIEM dashboards are one of the main sources of automated alerts. The event is listed on a dashboard or incident handling system for an agent to assess. Then, the SIEM dashboard will automatically notify the staff in charge of security.
Determine the type of code execution policy that would ensure that unrecognized software cannot run. -Allow list -Code signing -Block list -AppLocker
Allow list An allow list is a list of applications in an Access Control List with permission to run. Applications not found on the list cannot run. This often causes issues and results in more support calls and higher costs.
In a cloud environment, which of the following would be most detrimental in relation to access management of storage resources? -Private subnet -Encryption -Container namespaces -Any wildcard
Any wildcard Cloud resource policies configure read and/or write access to resources such as storage or services. Using any wildcard in read or write can break the principle of least privilege and opens up a high risk of exploitation.
A software developer enables a security feature commonly known as stack protection but does not execute the source code. Which of the following best describes what the developer is using? A. Input validator B. Compiler C. Interpreter D. Vulnerability scanner
B. Compiler A compiler is a program that translates high-level programming language into machine code that can later be executed many times against different data. A compiler does not execute source code.
An application processes and transmits sensitive data containing personally identifiable information (PII). The development team uses secure coding techniques such as encryption, obfuscation, and code signing. Which of the following is the development team concerned with? A. Data exfiltration B. Data exposure C. Data execution D. Public data
B. Data exposure Sensitive data should be protected to prevent data exposure. Secure coding techniques such as encryption, code obfuscation, and signing can prevent data from being exposed and modified.
Describe an intrusion prevention system (IPS) that also makes it a single point of failure for network traffic if there is no fault tolerance mechanism in place. A. Passive appliance B. Inline appliance C. Heuristic appliance D. Anomaly appliance
B. Inline appliance Intrusion prevention system (IPS) appliances that must have all traffic pass through them are "inline" with the network. This also makes them a single point of failure if there is a no fault tolerance mechanism in place.
Which of the following are deployed similarly to a credit card skimmer? A. Malicious flash drive B. Malicious USB plug C. Keyloggers D. Card cloner
B. Malicious USB plug A malicious Universal Serial Bus (USB) charging cable and plug are deployed similar to card skimmers. The device may be placed over a public charging port at airports and other transit locations. The device can then access a smartphone when connected.
A vendor ensures that each Internet of Things (IoT) device produced uses random, unique cryptographic keys in accordance with the established certificate and key management practices found in The National Institute of Standards and Technology (NIST) publications. Which of the following constraints is the vendor preventing? A. Stretching B. Reuse C. Salting D. Escrow
B. Reuse The practice of reusing a cryptographic key can make a system vulnerable to cyber attacks. The longer a key is in use, the easier it is for an attacker to compromise it. Randomly generated, unique keys provide better security.
Select the type of incident response exercise that involves recreating system interfaces or using emulators to allow students to practice configuration tasks, or even practice with other trainees to mimic real-time attack scenarios. A. Capture the Flag B. Simulations C. Walkthrough D. Tabletop
B. Simulations Simulation is an activity in which two teams replicate a scenario and play the scenario out on real hardware, with one team representing the attackers, and the other team representing the response team.
What can a threat actor use to perform the popular social engineering technique of dropping USB media around a college campus? A. Gray box B. UAV C. OSINT D. Van
B. UAV An unmanned aerial vehicle (UAV), or drone, provides a vector a popular social engineering technique that drops infected USB media around college campuses. UAVs are also used for war flying.
Two employees use Instant Messaging (IM) in separate buildings at work. They change the communications over to a video call with one click. Compare the types of communication services and determine which service the employees used. A. Video Teleconferencing B. Unified Communications C. Web Conferencing D. Voice over Internet Protocol
B. Unified Communications The project managers are utilizing Unified Communications (UC). These solutions are messaging applications that combine multiple communications channels and technologies into a single platform. These communications channels can include voice, messaging, interactive whiteboards, data sharing, email, and social media.
Which of the following represents a non-intrusive scanning type of framework? A. Metasploit B. Vulnerability scanning C. Penetration testing D. An exploitation framework
B. Vulnerability scanning Whether they use purely passive techniques or some sort of active session or agent, vulnerability scanners represent a non-intrusive scanning type. The scanner identifies vulnerabilities from its database by analyzing things, such as build and patch levels or system policies.
An attacker came within close proximity of a victim and sent the mobile device user spam of an unsolicited text message. Once the user clicked the link in the message, Trojan malware infected the user's device. What type of attack did the hacker most likely infect the mobile user with? -Skimming -Bluejacking -Bluesnarfing -WiPhishing
Bluejacking A Bluetooth-discoverable device is vulnerable to bluejacking, similar to spam, where someone sends an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for Trojan malware.
What type of attack can exploit the memory area that an application reserves for use on a server? -Directory traversal -Privilege escalation -Buffer overflow -Integer overflow
Buffer overflow A buffer is an area of memory that the application reserves to store expected data. To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer.
Server B requests a secure record exchange from Server A. Server A returns a package along with a public key that verifies the signature. What does this scenario demonstrate? A. DNS Server Cache Poisoning B. Dynamic Host Configuration Protocol C. DNS Security Extensions D. DNS Spoofing
C. DNS Security Extensions Domain Name System Security Extensions (DNSSEC) helps to mitigate against spoofing and poisoning attacks. The authoritative server for the zone creates a package of resource records, called an RRset, signed with a private key known as the zone signing key.
The NIST Computer Security Incident Handling Guide describes six stages of the incident response lifecycle. Indicate in which stage of the incident response lifecycle the incident response team would review and analyze their response and possibly integrate changes into the team's Incident Response Plan. A. Recovery B. Identification C. Lessons learned D. Preparation
C. Lessons learned The "lessons learned" phase occurs when the team's response is evaluated. It is for this reason that it is important to document the entire response process.
A Local Area Network (LAN) is set up with an Authentication, Authorization, and Account (AAA) server. The AAA server allows remote supplicants to access the LAN through a Network Access Point (NAP). Which of the following best describes the type of remote authentication solution that is set up on the LAN? A. PAP B. 802.1x C. RADIUS D. EAP
C. RADIUS Remote Authentication Dial-in User Service (RADIUS) is made up of an Authentication, Authorization, and Account (AAA) server, a Network Access Control (NAC) or RADIUS client, and the supplicant. A supplicant is any device that is trying to access the local network remotely.
An instructor in the Logistics Planning class has restricted the ability to save and edit forms within the online application of students due to the sensitivity of information. What type of data protection does this most closely represent? A. Least privileged B. RBAC C. Rights management D. MAC
C. Rights management Rights management allows a data owner to exert control over information and provides a certain level of access to users of a system. The control extends to what users can do with the data such as read, write, edit functions.
An organization that is planning a move to the cloud checks to see that the chosen CSP uses a standard method for creating and following security competencies. Which method does the CSP likely implement? -National, territory, or state laws -Cloud controls matrix -Service Organization Control (SOC2) -Reference architecture
Cloud controls matrix Cloud controls consists of specific controls and assessment guidelines that should be implemented by CSPs. A matrix acts as a starting point for agreements as it provides a baseline level of security competency that the CSP should meet.
Which principle of social engineering can a threat actor use to get many people to act as others would? -Liking -Consensus -Scarcity -Trust
Consensus The principle of consensus or social proof refers to techniques that cause many people to act just as others would without force. The attacker can use this instinct to persuade the target that to refuse a request would be odd.
What is the best solution that Enterprise Mobility Management seeks for enterprise workspaces? -Geofencing -Baseband update -Containerization -Rooting
Containerization Enterprise Mobility Management is moving more toward containerization as the best solution for enterprise workspaces. These solutions can use cryptography to protect the workspace in a way that is much harder to compromise, even from a rooted/jailbroken device.
A program office provides a mock production environment where users and test agencies can persistently test application code as it is being checked in after development. This practice ensures the product meets user acceptance testing and design goals. Which Agile product does this most likely represent? -Continuous Integration -Continuous deployment -DevSecOps -Continuous validation
Continuous validation Continuous validation is the process in which a product is continually tested throughout the development lifecycle to ensure it is meeting the functional and security goals of a customer.
A Windows firewall rule allows all programs, all protocols, and all ports within a 192.168.0.0/24 subnet to connect to the network. What type of Windows Firewall with Advanced Security is this? A. Transport Layer Security B. Secure Socket Layer C. Data Leak Prevention D. Access Control List
D. Access Control List An access control list contains rules that define the type of data packet and the appropriate action to take when it exits or enters a network or system. The general actions are to either deny or accept.
Which coding automation concept relates to committing and testing updates often? A. Continuous delivery B. Continuous deployment C. Continuous monitoring D. Continuous integration
D. Continuous integration Continuous integration (CI) is the principle that developers should commit and test updates often, such as every day or sometimes even more frequently. For effective CI, it is important to use an automated test suite to validate each build quickly.
Routine analysis of technical security controls at an organization prompts a need for change. One such change is the addition of Network Intrusion Detection System (NIDS) technology. A firewall that supports this function is on order. Considering how the organization will implement NIDS, what other technology completes the solution? A. Static code analyzers B. Correlation engines C. Aggregation switches D. Sensors
D. Sensors Sensors gather information to determine if the data being passed is malicious or not. The internet-facing sensor will see all traffic and determine its intent. The sensor behind the firewall will only see filtered traffic. The sensors send findings to the NIDS console.
A cloud customer prefers separating storage resources that hold different sets of data in virtual private clouds (VPCs). One of those data sets must comply with the Health Insurance Portability and Accountability Act (HIPAA) guidelines for patient data. How should the customer configure these VPCs to ensure the highest degree of network security? A. Monitor the virtual instance usage. B. Use third-party next generation firewall. C. Create multiple security groups. D. Split segments between VPCs.
D. Split segments between VPCs. Network segmentation can assist with separating workloads for performance and load balancing, keeping data processing within an isolated segment for compliance with laws and regulations and compartmentalizing data access and processing for different departments or functional requirements.
A user notices several new icons for unknown applications after downloading and installing a free piece of software. IT support determines that the applications are not malicious but are classified as which type of software? -Worms -PUPs -Trojans -Fileless viruses
PUPs Potentially unwanted programs (PUP) are software installed alongside a package selected by the user, or perhaps bundled with a new computer system.
A tech considers installing either a Raspberry Pi or Arduino system inside a small enclosure as a control device for sensitive tasks. The utilization of this technology is an example of which embedded system type? A. Programmable Logic Controller (PLC) B. Field Programmable Gate Array (FPGA) C. Real-Time Operating System (RTOS) D. System on Chip (SoC)
D. System on Chip (SoC) System on chip (SoC) is a design where processors, controllers, and devices are provided on a single processor die (or chip). Raspberry Pi and Arduino are examples of SoC boards.
A small department at a company manages a server, separate from IT, for data access and backup purposes. What role does the department fulfill? -Data custodian -Data processor -Data controller -Data owner
Data custodian The data custodian role handles managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures.
A Security Information and Event Management (SIEM) system is heavily dependent on which of the following to provide meaningful information about security events and trends? -SCAP -Packet captures -Data inputs -Reports
Data inputs Common Vulnerabilities and Exposures (CVE) is a dictionary of vulnerabilities in published operating systems and applications software provided by cve.mitre.org. It includes CVE ID, brief descriptions, a URL reference list, and data of entry.
An engineer enables event logging on a server. Which type of security did the engineer implement? -Deterrent -Compensating -Detective -Corrective
Detective A detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion.
A team lead oversees onboarding new system administrators in an IT company. Part of the process is explaining the complex IT infrastructure. Which of the following configuration management strategies would BEST help the team lead explain the infrastructure? -Diagrams -Change management -Master Image -Baseline configuration
Diagrams The use of diagrams provides a visual representation of complex relationships between network topologies, workflows, internet protocols, and architecture within a system. Diagrams must be updated as system components change. Baseline configurations are documented and agreed-upon sets of specifications for information systems.
The 802.1x framework establishes several ways for devices and users to be securely authenticated before they are permitted access to LAN (Local Area Network) or WLAN (Wireless LAN). Identify the actual authentication mechanism established. -AES -WPA -EAP -RSA
EAP 802.1x, which is the Port-based Network Access Control framework, establishes several ways for devices and users to be securely authenticated before they are permitted full network access. EAP or extensible authentication protocol is the actual authentication mechanism.
A mobile phone user smiles at the screen of the phone to unlock it for use. Which authentication method is being used? -Behavioral biometrics -Retina scanner -Keystroke dynamics -Facial recognition
Facial recognition Facial recognition is a biometric authentication method in which a user registers a physical characteristic with an authentication system and uses the characteristic to authorize access. Facial recognition can include several facial features.
A logistics company requires a supervisory control and data acquisition (SCADA) system to collect and analyze real-time tracking of equipment and to monitor delays in shipping and receiving. The SCADA must provide reports to management to facilitate data-driven decisions on transporting equipment. What is the SCADA a part of? -SoC -RTOS -Embedded system -ICS
ICS An industrial control system (ICS) is a complex integration of hardware and software with network connectivity to support the critical infrastructure of a large industry. Supervisory control and data acquisition (SCADA) controls an ICS and can be used in the logistics industry.
A microfabrication company recently suffered a breach of their R&D servers, from which blueprints and proprietary development documents were downloaded. What is likely the most impactful organizational consequence of this breach? -Identity theft -Fines -Reputation damage -IP-theft
IP-theft Theft of intellectual property means stealing innovations, technologies, and artistic expressions from individuals or corporations, known as "intellectual property," which may cover anything from trade secrets and patented products and components.
When implementing a native-cloud firewall, which layer of the Open Systems Interconnection (OSI) model will require the most processing capacity to filter traffic based on content? -Layer 1 -Layer 4 -Layer 3 -Layer 7
Layer 7 At layer 7, or the application layer of the OSI model, the firewall can parse application protocol headers and payloads (such as HTTP packets) and make filtering decisions based on their contents. This requires the most processing capacity (or load balancing), or the firewall will become a bottleneck causing network latency.
A Cloud Service Provider (CSP) outsources the entire cyber security elements to a third party for the infrastructure in which an application resides due to lack of resources. The CSP maintains responsibility of the environment and attributes. What is this an example of? -Pay as you go -MSSP -Resource pooling -SECaaS
MSSP A managed service provider (MSP)/Managed security service provider (MSSP) offers fully outsourced responsibility for information assurance to a third party.
An engineer configures a security control that oversees and monitors other controls for effectiveness. Which category of control does the engineer utilize? -Operational -Managerial -Availability -Technical
Managerial A managerial control gives oversight of an information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
Two organizations plan on forming a partnership to provide systems security services. Part of the onboarding requirements for both sides includes a mutual understanding of quality management processes. Which approach details this requirement? -Service level agreement (SLA) -Business partnership agreement (BPA) -Non-disclosure agreement (NDA) -Measurement systems analysis (MSA)
Measurement systems analysis (MSA) Measurement systems analysis (MSA) relates to quality management processes, such as Six Sigma, that make use of quantified analysis methods to determine the effectiveness of a system and may be part of an onboarding requirement.
Information security and cybersecurity tasks can be classified into five functions. Which regulatory concept or entity relates to these functions? -Payment Card Industry Data Security Standard (PCI DSS) -National Institute of Standards and Technology (NIST) -General Data Protection Regulation (GDPR) -Center for Internet Security (CIS)
National Institute of Standards and Technology (NIST) Information security and cybersecurity tasks can be classified as five functions (Identify, Protect, Detect, Respond, Recover), following the framework developed by the National Institute of Standards and Technology.
IT management wants to make it easier for users to request certificates for their devices and web services. The company has multiple intermediate certificate authorities spread out to support multiple geographic locations. In a full chain of trust, which entity would be able to handle processing certificate requests and verifying requester identity? -CSR -OCSP -RA -CA
RA A Registration Authority (RA) is a function of certificate enrollment and its services would be combined with a Certificate Authority (CA) in a single CA hierarchy. An RA is responsible for validating and submitting a request on behalf of end users.
Sometimes data is archived after it is past its usefulness for purposes of security or regulatory compliance. What is this called? -Trends -Correlation -Retention -Sensitivity
Retention When policy dictates preserving data in an archive after the date it is still being used, whether for regulatory or security purposes, this is known as a retention policy.
A global corporation assesses risk appetite and how risks in various regions could influence mission-critical operations. They are assessing compliance with local laws and licensing requirements to prevent financial risk or resolve security risks, and changing the risk posture and implementing risk controls to compensate. Conclude what type of assessment the team is performing. -Penetration testing -Risk control assessment -Vulnerability assessment -Site risk assessment
Risk control assessment Risk and control self-assessment (RCSA) is the method by which companies evaluate and analyze the operational risks and the efficacy of the controls used to manage them.
After reading an article online, a business stakeholder is concerned about a risk associated with Denial of Service (DoS) attacks. The stakeholder requests information about what countermeasures would be taken during an attack. Where would the security analyst look to find this information? -Risk regulations -Risk register -Risk heat map -Risk and Control Assessment
Risk register The risk register shows the results of risk assessments in a comprehensible document format. Information in the register includes impact, likelihood ratings, date of identification, description, countermeasures, owner/route for escalation, and status.
A system administrator moves a file from a server to a client using Secure Shell (SSH) over port 22. Compare the protocols for file transfers to deduce the protocol utilized. -SFTP -FTPS -TFTP -FTPES
SFTP
Which resource can help for a cloud consumer to evaluate a cloud service provider as services relate to integrating on-premise controls? -Security guidance -Service Organization Control -Cloud control matrix -Reference architecture
Security guidance Security guidance offers a best practice summary analyzing the unique challenges of cloud environments and how on-premises controls can be adapted to them.
An organization receives numerous negative reviews on social media platforms in response to a recent public statement. Experts use machine learning to identify any threatening language. Which approach do the experts use to identify security risks? -Security monitoring -Sentiment analysis -Threat feeds -User behavior analysis
Sentiment analysis Sentiment analysis is used to monitor social media for incidents, such as disgruntled consumers posting negative content. In terms of security, this can be used to gather threat intelligence.
A test team performs an in-depth review of completed code and analyzes its compatibility with the environment it will be deployed to. Which of the following environments is the test occurring in? -Production -Staging -Development -Test
Staging A staging environment mimics that of a production environment. It is used for dynamic analysis of an application in a complete but separate production-like environment.
What purpose does the Linux utility grep serve? -Views or changes read and write permissions for a file -String-match search using regex syntax -Uses byte order swapping to convert ASCII and EBCDIC encodings -Reads data from a file and returns the contents as output
String-match search using regex syntax The grep command accepts regex syntax to perform string matching and searching the entire contents of a specified file for the specified string. This command will easily fulfill the analyst's needs.
Which of the following is a computer that uses remote desktop protocol to run resources stored on a central server instead of a localized hard drive and provides minimal operating system services? -VDI -Edge computing -Thin client -Fog computing
Thin client A thin client is a computer that runs from resources stored on a central server instead of a localized hard drive. Thin clients work by connecting remotely to a central server-based computing environment where all resources and data are stored.
Today's hackers are keen on knowing that security teams are actively hunting for threats on the network. Hackers may use resources to trigger a diversion to keep threat hunters busy, while another attack is initiated to carry out the primary objective of the planned penetration attack. How can a security team best circumvent this strategic hacking technique? -Apply intelligence fusion techniques. -Monitor threat feeds from ISACs. -Review security advisories. -Use a defensive maneuver.
Use a defensive maneuver. A defense maneuver uses passive discovery techniques so that threat actors do not know they have been discovered. This gives the security team a chance to investigate the source of the attack and plan a resolution before the threat moves on to the next objective.
