Security +


OBJ: 1.2 - Adaptive identity allows for more flexible and dynamic access control by using contextual data to make dynamic access control decisions. For example, the system might grant access to a sensitive resource based on the user's location or the time of day. Security zones are used to segment a network into smaller, more manageable areas, but they do not necessarily provide more flexible and dynamic access control. MAC (Mandatory Access Control) is an access control system that is very rigid. Access is granted through a system of rules and categorization of data. It does not provide more flexible and dynamic access control. Policy-driven access control allows for more flexible and dynamic access control by using pre-defined policies to make access control decisions, but it does not necessarily adapt to changing user behavior and access patterns.

A company wants to implement a more flexible access control system that can adjust to changing user behavior. Which of the following technologies can help the company achieve this goal?

OBJ: 4.1 - Using the root user for daily tasks is a high-risk practice because it gives complete control over all resources in the cloud account, making it a lucrative target for attackers. Unique secret keys for programmatic access are crucial for ensuring that interactions with the cloud are secure and authenticated. Using multi-factor authentication provides an additional layer of security by ensuring that users provide two or more verification factors to gain access. Delaying the transfer of a generated secret key might expose the key to risks, but immediate transfer ensures that the key is securely stored and ready for use.

At Kelly Innovations LLC, Susan is reviewing credential management practices for cloud services. Which approach is discouraged due to its inherent security risks?

OBJ: 3.2 - Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are designed to monitor network traffic for any malicious activity. If suspicious behavior is detected, they can raise alerts for administrators or even take automatic actions to block or mitigate the threat. Encryption secures data by converting it into a coded form, making it unreadable without the right decryption key. It does not, however, analyze or respond to network traffic patterns. A firewall mainly blocks or allows traffic based on predefined rules set on IP, port, and protocol. While it can restrict access, it does not analyze traffic behavior for potential malicious activity. DLP (Data loss prevention) systems primarily focus on preventing unauthorized data transfer or leakage of sensitive information. They are not designed to analyze and respond to unexpected surges in network traffic.

Emily, the network security administrator, noticed an unexpected surge in network traffic late at night. She suspects that this could be malicious activity. Which of the following controls should Emily rely on MOST to detect and respond to this potential security incident?

OBJ: 3.3 - Homomorphic encryption allows data to be processed without being decrypted, effectively securing data-in-use. Computations can be performed on the encrypted data directly, and the results, when decrypted, match as if the operations were done on the plaintext. A VPN encrypts network traffic between two points, ensuring data-in-transit security. It doesn't focus on safeguarding data actively being processed in a system's memory. DLP solutions monitor and control data transfers, helping to prevent data breaches. However, they don't provide specific protection for data being actively processed in memory. While FDE is effective for protecting data at rest, especially on hard drives or SSDs, it doesn't specifically secure data-in-use.

Kelly Financial Solutions processes thousands of credit card transactions daily. To enhance security, the IT department wants to ensure that sensitive data, such as credit card numbers, remains protected even while being actively processed in the system's memory. Which technology would be MOST effective in safeguarding data-in-use in this scenario?

OBJ: 4.5 - Content categorization systematically classifies websites based on their overall theme, making it easier to block access to unsuitable or irrelevant categories of web content. While a faster internet connection improves browsing speeds, it doesn't filter or categorize web content. Two-factor authentication increases login security but does not categorize or filter web content. Firewalls primarily focus on blocking or allowing traffic based on IP addresses and ports, not necessarily the thematic content of websites.

Last month at Kelly Innovations LLC, Jamario reported receiving inappropriate images while researching industry competitors. To prevent employees from accidentally accessing such media in the future, which of the following solutions would be MOST effective?

Snapshots capture the state of a system at a particular point in time and use less storage than full backups. They're ideal for quick rollbacks, especially after major updates. While they record changes since the last backup, incremental backups might not be as efficient as snapshots for rapid rollback after a software update. Though they capture every change, continuous backups might use more storage and might be overkill for this particular scenario. Differential backups store all changes made since the last full backup, potentially using more storage space than a snapshot.

Mary, working at Dion Training, is overseeing a major software update in their virtualized environment. Before pushing the update live, she wants to ensure a rapid recovery point without creating a full backup due to storage constraints. Which method would be MOST suitable for her needs?

OBJ: 1.4 - Asymmetric encryption, also known as public-key cryptography, involves two keys: a public key and a private key. The public key is used to encrypt data, while the private key is used to decrypt it. Only the corresponding private key can decrypt data encrypted with its associated public key, ensuring secure communication and data integrity. Symmetric encryption uses the same key for both encryption and decryption, but it doesn't use different keys for encryption and decryption. Key exchange involves the exchange of cryptographic keys between two parties, but it doesn't use different keys for encryption and decryption. Communication encryption encrypts data while it is being transferred from one location to another, but it doesn't use different keys for encryption and decryption.

Nicola, an IT manager, is considering an encryption method that uses public and private keys for encryption and decryption. What type of encryption is being considered?

OBJ: 1.2 - SSL/TLS uses digital certificates to authenticate the identity of the server and, optionally, the client during the SSL/TLS handshake. Smart cards are a physical object that can be used for authentication, but they are not used in this scenario for authenticating systems. Biometrics refers to the use of a biometric characteristic, such as a fingerprint or facial recognition, for authentication, but it is not used in this scenario for authenticating systems. Authentication, authorization, and accounting (AAA) is an architecture used within Kerberos and other EAP-based authentication services.

Stanley, an IT Technician, is setting up a secure connection between his company's web server and a client's web browser using SSL/TLS. Which common method for authenticating systems is being used in this scenario?

Hardware token-based authentication involves using a physical device (often a USB token) to gain access, eliminating the need for traditional passwords. A PIN (Personal Identification Number) is still a form of password; it's just numeric. Cognitive authentication requires users to answer knowledge-based questions, and doesn't involve any hardware devices. Biometric authentication uses unique biological traits of a user, like fingerprints or facial recognition, to grant access.

StellarTech Corp has always been at the forefront of adopting cutting-edge security measures. Recently, the company started a pilot program where employees use a physical device that they plug into their computers. When they tap a button on this device, they are instantly granted access to company systems. Which passwordless authentication method is StellarTech Corp trialing?

OBJ: 5.2 - Recurring risk assessment involves conducting risk assessments at regular intervals to adapt to changing threats and vulnerabilities over time. Continuous risk assessment involves ongoing and real-time monitoring of risks as part of the organization's daily operations. It aims to quickly identify and address emerging risks. While it is beneficial, it may not specifically involve periodic assessments at regular intervals. One-time risk assessment is conducted only once and does not involve periodic evaluations of risks. It may be suitable for specific projects or situations but is not focused on continuous monitoring. Ad hoc risk assessment refers to conducting risk assessments on an as-needed basis or when specific events trigger the need for assessment. It is not specifically focused on keeping up with changing threats and vulnerabilities.

To stay updated with changing threats and vulnerabilities, which of the following assessment methods BEST emphasizes periodic evaluations?

Capability

Which attribute of a threat actor refers to their ability to develop unique exploit techniques and tools?

OBJ: 2.5 - ECC (Elliptic Curve Cryptography) is a form of public key cryptography based on the algebraic structure of elliptic curves over finite fields primarily used for digital signatures and key exchanges. SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function, not primarily used for digital signatures or key exchanges. DES (Data Encryption Standard) is an older symmetric-key method of data encryption which was largely replaced due to vulnerabilities, focusing primarily on data encryption. Twofish is a symmetric block cipher which, like AES, encrypts data in blocks using the same key for encryption and decryption.

Which of the following cryptographic algorithms is primarily used for digital signatures and key exchanges, rather than direct encryption of data?

OBJ: 4.3 - An Exposure Factor measures the likelihood of a vulnerability being exploited, which is essential for organizations to prioritize their remediation efforts based on the risk posed by potential attacks. A higher exposure factor indicates a higher risk of exploitation and may require immediate attention to prevent security breaches. While understanding the financial impact of a security breach is important, Exposure Factor specifically assesses the likelihood of vulnerability exploitation, not monetary losses. While incident response time is crucial for effective cybersecurity, Exposure Factor does not refer to the time required to detect and respond to a security incident. The exposure factor is not about evaluating the level of vulnerability in an organization's network infrastructure but rather measuring the likelihood of a specific vulnerability being exploited. It focuses on specific vulnerabilities, no

Which of the following statements BEST explains the function of an Exposure Factor in the context of vulnerability management?

It ensures timely access to resources and enhances productivity.

Which of the following statements BEST explains the importance of automating user provisioning?

OSINT (Open-source intelligence) leverages publicly available data sources to gather intelligence on targets, providing valuable insights without breaching any laws. Information-sharing organizations are entities that facilitate the sharing of threat and vulnerability information among different organizations. Proprietary/third-party information is sourced from private or commercial databases, often available to paying subscribers or specific organizations. The dark web is a part of the internet that isn't indexed by traditional search engines, often associated with illicit activities and hidden services.

Which term refers to the collection of publicly available information used to inform about an individual, organization, or application, often aiding in vulnerability assessments or security research?

OBJ: 4.3 - CVEs allow cybersecurity professionals to talk about vulnerabilities in a consistent manner, ensuring everyone is on the same page. While CVEs detail vulnerabilities, they don't typically prescribe specific mitigation methods. Those come from other sources like vendor advisories. Severity scores, like those from CVSS, evaluate the risk of vulnerabilities, whereas CVEs simply identify them. CVEs identify vulnerabilities but don't serve as a versioning or software update system.

Why are CVE identifiers important for cybersecurity professionals?

Cellular connections use GSM (Global System for Mobile Communications) or CDMA (Code Division Multiple Access) technologies to provide wireless communication between devices. Cellular connections are more secure than Wi-Fi or Bluetooth because they use encryption and authentication mechanisms to protect the data. Cellular connections also have a high bandwidth and can support a large number of devices at a time. Therefore, cellular connections are the best choice for secure and reliable communication between branch offices. Bluetooth connections are not designed for long-distance communication. Bluetooth connections use short-range radio waves to connect devices within a few meters of each other. Bluetooth connections also have a low bandwidth and can only support a small number of devices at a time. Therefore, Bluetooth connections are not suitable for secure and reliable communication between branch offices. Wired

You are a network administrator for a company that has multiple branch offices. You need to ensure that the data transmitted between the offices is secure, reliable, and encrypted. Which of the following connection methods would you use?

OBJ: 1.2 - The policy engine is responsible for making access control decisions based on pre-defined policies and contextual information about the subject/system. The policy administrator is responsible for defining and managing the access control policies used by the policy engine. The subject/system refers to the entity (user or device) that is requesting access to a resource. The policy enforcement point is responsible for enforcing the access control decisions made by the policy engine.

A company wants to implement a system that can authenticate both users and devices before granting access to resources. For example, the system might check the user's credentials as well as the device's security posture before granting access. Which of the following components is responsible for making this decision?

OBJ: 3.1 - Many SCADA (supervisory control and data acquisition) systems utilize legacy communication protocols that lack modern security features, making them vulnerable to unauthorized interception or tampering. While multicore processing can improve performance, it's not a direct security concern linked to SCADA. Sandboxing is a method to run untrusted code. This concern isn't directly associated with the innate vulnerabilities in SCADA systems. SCADA systems tend to have infrequent updates, not frequent OS patching.

A water treatment facility relies on SCADA (supervisory control and data acquisition) systems for automation. This environment can introduce which of the following security vulnerabilities?

OBJ: 5.1 - NIST's updated guidelines suggest that complexity rules should not be enforced, allowing users to choose their own passwords within certain broad parameters. Blocking common passwords like dictionary words is in line with the NIST guidelines, which recommend preventing the use of easily guessable passwords. While NIST does deprecate some traditional elements of password policy, it still advocates for blocking passwords that repeat contextual information, such as the username. NIST suggests that aging policies should not be enforced, giving users the autonomy to change their passwords based on their discretion, unless a compromise is detected.

According to the most recent NIST guidelines on password policies, which of the following is NOT a recommended practice?

OBJ: 4.1 - While simply hitting a hard drive with a hammer might damage it, a significant amount of data can still be recoverable. Industrial machinery is designed to destroy drives thoroughly, leaving no data intact. Incineration can be effective, but using municipal incinerators might leave some remnants of the drives, making this method less secure. The degaussing method exposes hard disks to powerful electromagnets, disrupting data storage patterns. However, not all types of drives, like SSDs and optical media, can be degaussed, limiting its applicability. While shredding can be an effective method, reducing drives or paper to 12mm strips (Level 1) might still leave data recoverable. More thorough shredding or additional measures would be required for complete data destruction.

After a security audit, Kelly Innovations LLC decided to dispose of several old storage drives containing sensitive data. They wish to employ a method that ensures the data on these drives is completely unrecoverable. Sasha suggests hitting the drives with a hammer. Given that this is not the most effective solution, which of the following is the BEST method to use?

OBJ: 1.1 - A Firewall is a technical security control that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It can help prevent unauthorized access to a network or system. Background checks are an administrative security control that involves verifying the identity and history of employees or contractors. While it can help prevent insider threats, it does not directly monitor or control network traffic. An acceptable use policy is an administrative security control that outlines the acceptable use of company resources, including computer systems and networks. While it can help prevent misuse of resources, it does not directly monitor or control network traffic. Security awareness training is an administrative security control that involves educating employees about security threats and how to avoid them. While it is important, it does not directly monitor or control n

Albert, an IT technician, must implement a security measure to monitor and control incoming and outgoing network traffic based on predetermined security rules. Which of the following should the technician implement?

OBJ: 2.1 - While a contractor is not a full-time employee, they may have legitimate access to certain systems or data, making them a potential internal threat actor if they misuse this access. An activist group might have political or social motivations, but they don't inherently have permissions on the target system unless specified otherwise. An external threat actor does not have authorized access to the system and might employ methods like malware or social engineering to breach security. An employee typically has broader and more regular access to the company's systems, not just specific project-based access.

Among the following who is MOST likely to make unauthorized copies of sensitive data they were initially granted access to for a specific project?

OBJ: 3.3 - Data encryption of the spreadsheet ensures unauthorized parties cannot view its content, and digital watermarking embeds a hidden mark to track and verify the document's authenticity and integrity. While version control and backup are crucial for maintaining data history and recovery, neither directly ensures the spreadsheet's confidentiality or verifies its integrity. While network monitoring and firewalls protect against unauthorized access and attacks, they don't directly ensure the confidentiality or integrity of specific spreadsheet data. Password protection restricts access, and read-only access prevents modifications, but neither ensures data confidentiality from unauthorized decryption or verifies its integrity against all forms of tampering.

An organization is looking to protect sensitive financial data stored in spreadsheets. Which of the following methods would be the MOST effective in ensuring the data's confidentiality and integrity?

OBJ: 2.4 - Impossible travel is an indicator of malicious activity that involves detecting login attempts from locations that are geographically inconsistent or implausible, suggesting that an attacker has compromised the user credentials. Account lockout is an indicator of malicious activity that involves detecting multiple failed login attempts for a user account, suggesting that an attacker is trying to guess the password. While this is the basic problem, the additional information that the attempts have come from different countries indicates that the problem is more complex than just account lockout. Blocked content is an indicator of malicious activity that involves detecting attempts to access restricted or malicious websites or files, suggesting that an attacker is trying to compromise the system. Concurrent session usage is an indicator of malicious activity that involves detecting multiple active sessions f

Angel, a system administrator, notices that a user account has been locked out due to multiple failed login attempts in a short span of time. She also observes that the source IP addresses for these attempts are from various countries. Which indicator of malicious activity is MOST likely present in this scenario?

OBJ: 4.1 - AES is currently the most secure and widely adopted encryption protocol for wireless networks. Its strong encryption algorithms and extensive testing demonstrate its effectiveness against various attacks. AES is the recommended choice for ensuring robust security in wireless communication. It is not deprecated. While TKIP was an improvement over an older encryption protocol, it is still considered weak and has known vulnerabilities. Due to its security limitations, using TKIP is not advisable, especially when more secure alternatives like AES are available. It is not deprecated and is the best choice for devices that are not compatible with AES. WEP is an outdated encryption protocol that has been widely exploited and rendered highly insecure. Its weak key management and static keys make it vulnerable to various attacks, and it can be cracked relatively easily. It should be avoided in modern network envi

As a network administrator responsible for evaluating a company's encryption protocol method for wireless devices, you have discovered that the company is currently utilizing a deprecated encryption protocol that poses a significant security threat. Which of the following is the MOST appropriate encryption protocol to recommend upgrading to?

OBJ: 4.9 - Examining the TLS handshake details can help in verifying if the secure connection was established using strong cryptographic algorithms, and it can also reveal the certificate information to check for any anomalies or unauthorized certificates. Analyzing DNS query responses is crucial to understand which domain names were resolved and to identify any potential malicious or unauthorized domain interactions. Both of these details are vital for investigating the incident, especially given the nature of the communication to a sensitive server over a secure port and the observed abnormal DNS requests. HTTP GET and POST requests are used to retrieve or submit data over the web. Given that the incident involves communication on port 443, which is commonly used for HTTPS rather than HTTP, and there are specific concerns about DNS requests, focusing on HTTP GET and POST requests might not yield the most valuable i

As a security analyst, you are currently investigating a potential security breach within your organization's network, specifically focusing on unusual traffic that was detected coming from an external IP address. To dig deeper into this situation, you have decided to analyze the packet capture logs that were recorded during the time of the suspected incident. Given that the unauthorized access was attempting to communicate via TCP to a sensitive internal server on port 443, and there were also abnormal DNS requests observed, which of the following pieces of information from the packet captures would be MOST valuable to investigate the incident further?

OBJ: 5.6 - Encouraging employees to keep their passwords confidential and use strong, unique passwords for each account is a crucial aspect of password management best practices. This practice enhances security awareness by promoting secure password habits. Reusing passwords is a bad practice, so it should be avoided. Letting users create unique, long, strong passwords that they can remember is a better practice. In the past, aging rules were seen as a useful way to improve password management. However, in current NIST guidelines, aging rules are seen as counter-productive. Users are more likely to write down and reuse passwords when they are forced to change passwords frequently. Letting users create long, strong passwords that they can remember is a better practice. In the past, complexity rules were seen as a useful way to improve password management. However, in current NIST guidelines, complexity rules are seen as

At Dion Training, promoting security awareness is paramount. To fortify organizational data protection, what should Dion Training do to uphold and enhance password management best practices?

OBJ: 2.5 - The mean time to repair (MTTR) refers to the measure of the time taken to repair a system or process after it experiences a failure or disruption. It is the average time it takes to restore functionality. The recovery time objective (RTO) is the measure of the maximum time it takes to recover a system or process after a disruption. It represents the time within which normal operations need to be restored. The mean time between failures (MTBF) is the measure of the average time between two consecutive failures of a system or component. It represents the average reliability or time between incidents. The recovery point objective (RPO) is the measure of the maximum amount of data loss an organization is willing to tolerate in the event of a disruption. It determines the point in time to which data must be restored after recovery.

At Dion Training, the IT team is working on enhancing their business continuity plan. They want to determine the amount of time they will need to repair the system after a disruption. This will help them to ensure timely recovery from the event. What measure do they want to determine?

OBJ: 1.3 - The approval process ensures that proposed changes in an organization are properly evaluated and authorized, helping to manage risks and align with business goals. Testing processes focus mainly on checking functionality and are typically done after a change is approved. Development processes are centered on creating new tools or systems and do not include reviewing or approving changes. Deployment processes handle the actual implementation of changes and occur after the approval process, without involving the initial evaluations or approvals.

Before implementing a change in the organization's critical infrastructure, it's essential to ensure the proposed modification is assessed, reviewed, and authorized. Which process ensures that these steps are followed?

OBJ: 5.6 - Operational security is a risk management process that encourages managers to view information protection from an adversary's perspective. Data loss prevention is a set of tools and processes designed to detect a potential data breach and prevent them by monitoring and controlling data transfers. Data masking is a method for creating a sanitized version of data with fictitious yet realistic information. Access control determines who is allowed to access a resource and what actions they can perform with it.

David, a project manager at Dion Training, ensures that details of his upcoming product release are shared only on a need-to-know basis, even within the company. He's wary of information leaks that could benefit competitors. Which of the following terms BEST describes David's approach?

OBJ: 3.2 - Centralizing servers in a room with controlled access ensures better security by reducing the number of potential physical entry points. While redundancy is essential, scattering servers across multiple rooms without considering access control can increase vulnerabilities. Placing servers near windows can make them visible and accessible to external threats, compromising their security. Having servers in a main hallway exposes them to more people, increasing the risk of unauthorized physical access.

Dion Training Solutions is expanding its campus and setting up a new server room. Considering security principles for proper device placement, which of the following actions is MOST appropriate?

OBJ: 1.4 - Record-level encryption protects data by encrypting individual entries or records within a database. By using unique encryption keys for each record, it ensures that sensitive information within each entry remains safeguarded, even if the broader database is compromised. Volume encryption refers to encrypting an entire storage volume or disk. It doesn't specifically target individual records within a database. Database segmentation involves dividing a database into separate segments based on criteria such as user roles or data sensitivity. While it enhances security, it doesn't encrypt individual records. Tokenization replaces sensitive data with non-sensitive substitutes or tokens. While it protects data, it's not focused on encrypting individual records in a database.

Dion Training Solutions is looking to implement a security measure where individual entries within their customer database are encrypted separately. By doing so, they aim to ensure that even if the overall database is compromised, specific customer information remains safe. Which of the following BEST describes this security approach?

NGFWs (next-generation firewalls) go beyond traditional firewalls by incorporating more advanced features like intrusion prevention, application awareness, and deep packet inspection. They provide enhanced visibility and can detect advanced threats, making them suitable for contemporary security challenges. A stateful firewall keeps track of the state of active connections and decides on packet allowance based on the context of the traffic. However, it doesn't offer the deeper visibility and advanced features of an NGFW. Proxy firewalls act as intermediaries for requests from users seeking resources from other servers, filtering requests at the application layer. They don't inherently provide the advanced threat detection capabilities of NGFWs. A packet-filtering firewall examines packets and permits or denies them based on rules set for the source and destination IP addresses, protocols, and port numbers. It doesn't include the

Dion Training Solutions is looking to upgrade their current firewall to one that can detect and block advanced threats, provide additional functions like intrusion prevention, and give them deep visibility into traffic. Which of the following types of firewalls is BEST described here?

Purchase cyber liability insurance. OBJ: 4.3 (Security Operations) - Cyber liability insurance is designed to offset costs involved with recovering from a cyber breach or similar events. This will financially safeguard Dion Training Solutions against potential repercussions of future cyber incidents. While encryption can secure data and prevent unauthorized access, it doesn't offer financial coverage against cyber breaches. While IDS can alert and help prevent unauthorized access, it does not provide financial protection against the consequences of cyberattacks. Migration might enhance security, but it doesn't shield the company from the financial implications of a cyberattack.

Dion Training Solutions recently experienced a cyberattack that resulted in significant data loss and financial implications. In an effort to protect against future financial consequences, the company decides to explore measures that could help mitigate these risks. Which action is Dion Training Solutions likely to take?

OBJ: 3.2 - Network sensors actively monitor and analyze network traffic for suspicious activity and anomalies, making them a crucial tool for Dion Training to detect potential threats in real-time and secure their infrastructure effectively. Intrusion Prevention Systems do analyze network traffic to prevent vulnerability exploitation, but they are more focused on preventing known threats rather than real-time analysis and detection of new, unknown threats. VPNs are primarily used to create a secure connection to another network over the Internet, ensuring secure communication, but they do not actively monitor and analyze network traffic for threats. While firewalls are essential for controlling incoming and outgoing network traffic based on an organization's previously established security policies, they are not specialized in analyzing traffic patterns for malicious activity.

Dion Training is looking to enhance the security of their enterprise infrastructure by detecting and analyzing malicious activity on their network in real-time. They need a solution that can monitor traffic, identify suspicious patterns, and send alerts for immediate action. Which of the following would be the MOST appropriate solution to apply in this scenario?

OBJ: 1.4 - Dion Training should consider a wildcard certificate, which can be used to secure multiple subdomains under a single main domain. It offers a convenient and cost-effective way to manage certificates for subdomains. A self-signed certificate is signed by its creator and doesn't inherently cover multiple domains or subdomains. A CSR is a formal message to a CA for a digital certificate. It's a request, not a type of certificate. While it is signed and verified by an external CA, a third-party certificate doesn't specify the number or type of domains covered and hence wouldn't inherently secure multiple subdomains.

Dion Training is planning to expand its online services, including launching multiple subdomains for different courses. They want a single certificate that can secure all these subdomains. Which type of certificate should Dion Training consider?

OBJ: 1.4 - Partition encryption, like LUKS (Linux Unified Key Setup) on Linux systems, allows the encryption of a particular partition or volume. It's ideal for Dion Training's need to secure a specific section of their server's hard drive. While file-level encryption can encrypt specific files or folders, it doesn't necessarily target entire sections or partitions of a hard drive. A wildcard certificate secures multiple subdomains of a main domain but is unrelated to disk encryption. Full-disk encryption encrypts the entire hard drive, which might be overkill if only a specific section needs encryption.

Dion Training wants to secure only a specific section of their server's hard drive that contains sensitive client data. Which encryption method would be BEST suited for this requirement?

OBJ: 4.5 - The main significance of implementing Endpoint Detection and Response (EDR) in the given scenario is its ability to use advanced behavioral analysis and threat intelligence to detect and respond to sophisticated cyber threats on endpoints. EDR helps identify suspicious activities and potential breaches, enabling proactive responses to protect against advanced threats. While Endpoint Detection and Response (EDR) may provide some network monitoring capabilities, its primary focus is on monitoring and detecting security-related events and activities on endpoints, not specifically on network traffic monitoring. While Endpoint Detection and Response (EDR) may assist in enforcing security policies on endpoints, its primary purpose is to detect and respond to advanced threats, which is more relevant to the scenario. Endpoint Detection and Response (EDR) identifies suspicious activity and potential breaches, but i

Dizzy Crows, a technology company, has experienced a series of sophisticated cyberattacks targeting their endpoints. To improve its endpoint security, the company has decided to implement Endpoint Detection and Response (EDR) capabilities across its network. Which of the following choices BEST explains the main advantage Dizzy Crows would gain after installing and configuring Endpoint Detection and Response (EDR) in the given scenario?

OBJ: 3.4 - Encrypting backups ensures that even if attackers access backup data, they cannot easily decipher its contents. This would be especially crucial if ransomware encrypted the primary data, making the backups a critical recovery point. Though necessary, merely scheduling backups does not prevent the contents from being accessed if not encrypted. While having multiple copies can be useful, without encryption, all copies could potentially be accessed and read by attackers. While file compression saves storage space, it doesn't provide protection against ransomware deciphering the backup files.

Enrique at Kelly Innovations LLC is worried about ransomware attacks after a competitor recently fell victim. While devising a multi-layered defense strategy, which aspect related to backups would be VITAL for him to consider?

Legacy platforms that can't be patched should be isolated to prevent potential intrusions, ensuring they remain inaccessible to attackers. While MFA is a strong security measure for user access, it doesn't safeguard an unpatched operating system from all types of vulnerabilities. While upgrading hardware might improve performance or compatibility, it doesn't address the core issue of an unsupported operating system. While backups are crucial for data recovery, they don't provide real-time protection against threats targeting an unpatched operating system.

Enrique identifies that the operating system used in some of the company's critical infrastructure equipment is no longer receiving patches. Instead of patching, which of the following is the BEST recommended security control to protect these systems from potential attackers?

OBJ: 2.4 - Crypto-malware targets user data by encrypting files and demanding a ransom in return for the decryption key. The symptoms at Dion Consultants - encrypted files with a ransom demand and a countdown timer - are consistent with this type of ransomware. Screen-locking ransomware locks users out of their device and displays threatening messages. The users still had access to their systems but were facing encrypted files, making this type inconsistent with the situation. Adware is software that displays unwanted ads on a user's device. This scenario does not describe symptoms of adware. A rootkit is a set of software tools that enables unauthorized access to a computer. While a rootkit can be part of a larger malware package, the specific events don't match the primary behavior of a rootkit.

Enrique, the IT head at Dion Consultants, received frantic calls from multiple departments. Users reported that their crucial files were encrypted and they were seeing a countdown timer. The message accompanying the timer indicated that unless a certain amount in cryptocurrency was transferred to a specific address before the countdown ended, the decryption key would be destroyed permanently. Which form of malware has MOST likely targeted Dion Consultants?

In a horizontal password attack, an attacker targets multiple accounts by trying a few common passwords across them. Enrique's observation of the same set of simple passwords being tried across a wide range of user accounts fits this profile. It's a method to bypass account lockout policies that would trigger if too many failed attempts are made on a single account. A dictionary attack involves using a predefined list of words to guess a password or key. While simple passwords were used in Enrique's observations, the method of targeting multiple accounts with the same passwords differentiates this from a typical dictionary attack. A vertical password attack involves targeting a single user account and trying a large number of password combinations until the correct one is found. Enrique's observations do not match this pattern since multiple accounts were targeted with only a few passwords. In a credential stuffing a

Enrique, the cybersecurity analyst at Kelly Innovations LLC, noticed an interesting trend in the company's access logs. Over the past week, a considerable number of different user accounts had experienced failed login attempts. What was peculiar was that the same set of simple passwords, such as "password" and "123456", were tried across these accounts. There wasn't a high volume of failed attempts per user, but the sheer number of accounts targeted raised Enrique's concerns. Which of the following types of attacks BEST describes Enrique's observations?

OBJ: 5.6 - A recurring report is a report generated at regular intervals, such as weekly, monthly, or quarterly, to keep stakeholders updated on ongoing security metrics, trends, and concerns. A policy review is a periodic assessment of the organization's security policies to ensure they remain current and effective. A threat intelligence briefing is a specialized report highlighting current and emerging threats, often sourced from external threat intelligence providers. An incident report is a detailed account of a specific security breach or event, outlining what occurred, its impact, and the steps taken in response.

Every month, Sasha from Kelly Innovations LLC reviews the company's firewall logs, intrusion detection system outputs, and other security tool logs. She compiles a document detailing trends, potential threats, and recommended actions, which she presents to the senior management. Which of the following types of reports BEST describes the one Sasha is producing for the senior management?

OBJ: 3.1 - As the cloud provides resources abstracted from physical hardware, maintaining strict isolation between different workload instances ensures that one instance's vulnerabilities or threats don't compromise another. Breaching this isolation could allow lateral movement within the cloud environment. While essential for security, user authentication is more about controlling access than directly dealing with the compute resource's dynamic allocation in the cloud. Backup strategies are crucial for data integrity and recovery, but they don't address the specific security concerns introduced by the dynamic resource allocation of compute components. Restricting the number of VMs might conserve resources, but it doesn't directly address the inherent security implications of on-demand compute allocation in a cloud environment.

Given that cloud architecture provides dynamic resource allocation, which of the following security considerations is MOST critical when dealing with the compute component?

OBJ: 5.4 - Scherazade is the data controller because the data controller determines how and why the data is collected and used. Sahra is the data processor because the data processor follows the data controller's directions for using the data that is collected. The data owner is the person who is ultimately responsible for the confidentiality, integrity, and availability of the data. The data custodian handles the management of the system used to store and collect the data.

In Dion Training's data management framework, Scherazade determines why and how data will be collected. She then directs Sahra on what should be done with the data that is collected. Which of the following BEST describes the roles that Scherazade and Sahra have?

OBJ: 5.3 - Staff is the component of a BPA that identifies the personnel and various supports that are essential for the execution of a critical function. Though process flow describes the operational steps in detail, it does not specifically focus on the personnel and support resources. Outputs concern the data or products generated by the function, not the resources that support the function. Inputs define the required information for a process and the implications of their timing, not the human and support resources.

In a business process analysis (BPA), which factor encompasses the human resources and additional support needed to carry out a mission essential function?

OBJ: 4.6 - In the scenario described, the access control mechanism used in the large multinational corporation is "Attribute-Based access control" (ABAC). In an ABAC system, access permissions are dynamically evaluated based on various user attributes, such as job role, department, location, and time of access. The system combines these attributes to make access control decisions, allowing for more fine-grained and context-aware access control. "Role-Based access control" (RBAC) is a mechanism where access to resources is determined based on the roles or job functions of users. Users are assigned specific roles, and access permissions are associated with those roles. However, in the scenario, the access control mechanism is described as evaluating various attributes, including job role, location, and time of access, rather than being solely based on predefined roles. "Discretionary access control" (DAC) allows indivi

In a large multinational corporation, the access control mechanism dynamically evaluates various user features such as job role, department, location, and time of access to determine access rights to specific resources. Which type of access control mechanism is being used in this scenario?

The UI (User Interaction) metric specifies whether an attack can be executed solely by the attacker or if it necessitates user involvement to succeed. The Privileges Required (PR) metric measures the level of privileges an attacker must have to exploit the vulnerability, not user interaction. AV (Attack Vector) specifies the context of the exploit, like local or network-based, rather than user involvement. The AC (Attack Complexity) metric describes the conditions that must be met for an exploit to work but doesn't revolve around user behavior.

In the CVSS metric framework, which determines if the attacker must rely on user interaction, like a user opening a malicious email attachment, for successful exploitation?

OBJ: 5.4 - The data controller is an entity or person who determines the purposes and means of processing personal data. They have overall responsibility for ensuring that data processing is carried out in compliance with applicable privacy laws and regulations. The organization that handles data retention and storage is more aligned with a data custodian. A data custodian is responsible for the storage, protection, and maintenance of data. They ensure that data is kept secure and accessible to authorized users as required. The role described here is an external auditor who may conduct audits and assessments to ensure that organizations are complying with privacy regulations. The individual whose data is being processed refers to the data subject. The data subject is the individual to whom the personal data belongs, the person about whom the data is collected and processed.

In the context of privacy compliance, which of the following describes the role of a data controller?

OBJ: 5.1 - Automatically assigning all possible privileges to the user for a trial period can expose the organization to unnecessary risks. Privileges should be assigned based on role necessity and the principle of least privilege. Securing transmission of credentials to the employee so access is granted refers to creating and sending an initial password or issuing a smart card securely, ensuring the user has secure access to necessary systems. Training is vital to ensure that new employees are aware of security protocols and policies, ensuring that they understand and follow security guidelines. Providing the employee with resources that will be needed to complete the job is about provisioning computers or mobile devices for the user or agreeing to the use of bring-your-own-device handsets, ensuring the user has the tools they need while maintaining security standards.

In the onboarding process of a new employee, which of the following tasks does NOT accurately represent the responsibilities of the IT and HR functions in ensuring secure access for the individual?

OBJ: 5.1 - A data owner is typically an individual or a functional role within an organization that is responsible for the data's classification and for ensuring it is in line with the organization's security policy. Data processors process data on behalf of the data controller and don't decide on data classifications. A data controller determines the purposes and means of processing personal data, but the classification and alignment with organizational policies is typically under the purview of the data owner. End users access and use the data but do not typically have responsibilities for classifying it or ensuring its alignment with organizational policies.

In the realm of systems and data management, who is primarily responsible for determining the classification of data and ensuring it aligns with organizational policies?

OBJ: 1.4 - Block ciphers process plaintext in equal-sized chunks, such as 128-bit blocks. If a plaintext doesn't align with this block size, it must be padded. The plaintext undergoes detailed transposition and substitution operations depending on the key value, ensuring secure encryption. The Advanced Encryption Standard is a widely-adopted encryption cipher and is a type of block cipher. While it provides an encryption mechanism, it's not a general category of symmetric encryption. Stream ciphers work by encrypting data one byte or bit at a time, making them ideal for scenarios where the total length of the message isn't known in advance. Transposition is a type of operation used within encryption processes, especially within block ciphers, but isn't a type of symmetric encryption on its own.

In which symmetric encryption method is plaintext divided into equal-sized parts, potentially requiring padding to fit the designated size, and then subjected to complex operations based on a specific key value?

OBJ: 4.1 - CYOD stands for Choose Your Own Device, which is a deployment model that allows employees to choose from a list of approved devices provided by the company. This model can offer some flexibility and convenience to the employees, as they can select the device that best suits their needs and preferences. However, this model also enables the company to maintain some security standards and policies on these devices, as it can limit the types and models of devices that are allowed, as well as enforce security configurations and updates on them. BYOD stands for Bring Your Own Device, which is a deployment model that allows employees to use their personal devices, such as laptops, smartphones, or tablets, to access the company's network and applications. This model can reduce the costs and risks associated with managing and securing these devices, as the responsibility is shifted to the employees. However, BYOD a

Initech has always provided employees with devices. Recently, Gregory, the Initech security analyst, became aware that many employees have been able to use their own devices. When he questioned the supervisors, he found out they knew employees were using their own devices. The employees said they needed devices that worked with more innovative software packages. None of the devices offered by Initech were robust enough to handle the software. Gregory says that having employees use their own devices isn't a possibility moving forward. He suggests that the company create a policy that prevents employees from putting their own software on devices and from using their own devices. To address employee needs, he suggests that Initech provide a broader range of devices and purchase the software employees need. Initech will buy the devices for the employees. Which of the following deployment models is Gregory most likely suggesting?

OBJ: 4.5 - Port 21 is used for the File Transfer Protocol (FTP). Opening this port will allow users to transfer files to and from the server. Port 80 is the standard port for serving HTTP web pages. Opening this port allows users to access web pages on the server using their browsers. Port 25 is used for the Simple Mail Transfer Protocol (SMTP). This would be necessary if users are to send emails through the server. Though port 22 is essential for secure shell (SSH) access, Jamario's scenario does not mention the need for remote secure access to the server. Thus, it's not a required port for the specified tasks. While port 443 is used for serving secure web pages over HTTPS, Jamario's scenario does not specify the need for HTTPS. Therefore, it's not essential for the tasks mentioned.

Jamario, a network technician at Kelly Innovations LLC, is setting up a new server. He wants to ensure that users can access unencrypted web pages on the server and transfer files to and from it. Jamario should ensure which of the following ports are open? (Select TWO.)

OBJ: 4.5 - Jamario should implement SPF (Sender Policy Framework), as it lets him specify which mail servers are authorized to send emails on behalf of the company's domain. While DMARC (Domain-based Message Authentication, Reporting, and Conformance) uses the results of SPF and DKIM checks, it doesn't directly list authorized servers for a domain. DKIM (DomainKeys Identified Mail) provides validation of the domain name identity associated with a message through cryptographic authentication, but it doesn't dictate authorized servers. IMAP (Internet Message Access Protocol) is utilized for retrieving emails from a server and isn't designed to specify authorized sending servers for a domain.

Jamario, a sysadmin at Dion Training Solutions, wants to prevent unauthorized mail servers from sending emails on behalf of the company's domain. He needs a solution that allows him to specify which servers are allowed to send these emails. Which of the following is the MOST effective protocol he should implement?

OBJ: 5.2 - Quantitative risk analysis involves calculating the financial impact of specific risk events by considering both the probability of occurrence and the potential loss in monetary terms. Qualitative risk analysis involves assigning subjective values to risks based on descriptive terms such as "high," "medium," or "low" without precise financial figures. ALE is the expected financial loss that an organization may experience annually due to a specific risk, considering the SLE and the annual rate of occurrence (ARO). SLE is the measure of the potential financial loss associated with a specific risk event.

Jeremy, the CEO of Hooli, wants to gauge the financial implications of specific risks tied to the company's IT infrastructure. He has directed his team to create a list of possible incidents that could occur. Then he directed them to look at both the likelihood that an incident will occur and the potential economic, business, and resource fallout if the incident occurs to create a numerical score for each. Which of the following risk assessment methods has Jeremy directed his team to use?

OBJ: 3.4 - Due to the frequent changes and the unpredictability of software builds, continuous backups would ensure that all versions of the software are retained, allowing Mary to revert quickly. With software builds changing rapidly, a weekly backup could result in significant data and version losses. Capturing all the changes made since the last backup at the end of the day might not be sufficient, as several versions could be lost. Saving data changed since the last full backup wouldn't be efficient given the multiple changes throughout the day.

Kelly Innovations LLC frequently develops and tests new software builds. Mary noticed that sometimes they need to revert to a previous build several times a day due to unexpected issues. Which backup frequency would be the MOST appropriate for their use case?

OBJ: 4.5 - By implementing DKIM (DomainKeys Identified Mail), Kelly Innovations LLC can sign emails originating from their domain cryptographically. This allows receivers to verify that an email claiming to be from the domain genuinely is. While SPF (Sender Policy Framework) is valuable in identifying which servers are authorized to send emails on behalf of a domain, it doesn't cryptographically sign the emails for this assurance. DMARC (Domain-based Message Authentication, Reporting, and Conformance) uses the results of DKIM and SPF checks, but on its own, it doesn't cryptographically sign emails. SMTP (Simple Mail Transfer Protocol) is the standard for sending emails, but it doesn't inherently provide a cryptographic signing mechanism for email authenticity.

Kelly Innovations LLC has recently faced a series of phishing attacks where attackers are sending emails that appear to be from the company's domain. After an internal investigation, they discover that these emails are not originating from their servers. To cryptographically ensure that an email was actually sent from their domain, which of the following is the BEST mechanism for them to implement?

OBJ: 3.2 - A WAF (Web application firewall) protects web applications by monitoring, filtering, and blocking HTTP/HTTPS traffic that can exploit any vulnerabilities in the application. Typically, it operates on Layer 7 (Application Layer) of the OSI model and can specifically defend against common web-based threats. A UTM (Unified threat management) is an all-in-one security solution that can include a WAF, but it also comprises other functionalities like anti-virus, anti-spam, VPN, and more. While a UTM can indeed monitor HTTP/HTTPS traffic, choosing a specific WAF might be more tailored to the described requirement. EAP (Extensible authentication protocol) is an authentication framework, not a specific protocol. While EAP offers several methods and supports authentication for wireless networks and point-to-point connections, it doesn't specifically filter or block malicious HTTP/HTTPS traffic targeting web applicati

Kelly Innovations LLC is looking to secure their web applications against various threats like cross-site scripting and SQL injection attacks. They also want to monitor and log HTTP/HTTPS traffic for malicious patterns. Given the requirement and the specific protocols mentioned, which of the following would be the MOST suitable solution?

OBJ: 3.2 - SASE (Secure access service edge) combines network security and WAN capabilities in a single cloud-based service, making it an ideal solution for ensuring secure and reliable access to data and applications irrespective of user/device location. The tunnel mode in IPSec is used for communications between VPN gateways across an insecure network. Although it encrypts the whole IP packet, it doesn't combine comprehensive network security and WAN functionalities. While ESP (Encapsulation security payload) is a part of IPSec that provides confidentiality and/or authentication and integrity, it doesn't integrate network security and WAN capabilities. SD-WAN (Software-defined wide area network) optimizes network performance and centralizes network management. While it enhances WAN connections, it doesn't inherently combine network security and WAN capabilities.

Kelly Innovations LLC is searching for a comprehensive cloud-based solution that combines both network security and WAN capabilities. They want a solution that seamlessly integrates these aspects, especially for users or devices located outside their primary office. Which of the following technologies should they consider adopting?

OBJ: 2.4 - Account lockout is an indicator of malicious activity that shows that an attacker or malware has tried to guess or brute force a password for an account, exceeding the maximum number of attempts allowed by the system. The lockout settings allowed 5 incorrect attempts before locking the user out. At that point, the attacker tried the next computer account. Concurrent session usage is an indicator of malicious activity that shows that an attacker or malware has compromised an account and is using it simultaneously with the legitimate user, creating multiple sessions from different locations or devices. The attack came from the same IP address and no legitimate users had sessions running in the scenario above. Missing logs is an indicator of malicious activity that shows that an attacker or malware has tampered with or erased the system's event logs to avoid detection and analysis. There is no indication tha

Linaeka, a security analyst, is investigating a malware incident. The logs show that someone made 5 attempts to enter a password and username on each computer in the marketing department between 2:30 and 3:00 am. None of the marketing department employees were working at that time. The attempts all came from the same IP address. Which of the following indicators of malicious activity most likely gave Linaeka the theory that this was an attempt at a brute force or dictionary attack?

OBJ: 3.2 - A VPN provides a secure method for remote operations by creating an encrypted connection over the internet. It establishes a secure tunnel so that data can be securely transferred even over insecure networks. Secure Access Service Edge (SASE) is a form of cloud architecture that combines a number of services as a single service. By providing services like software-defined wide area network (SD-WAN), firewalls as a service, secure web gateways, and zero-trust network access, SASE will reduce cost and simplify management while improving security. The integrated nature of the architecture means the technologies used will work together efficiently. This is far more technology than the scenario indicates is needed. Transport Layer Security (TLS) is a protocol that is used to authenticate certificates and encrypt data for privacy and data integrity as it moves across networks. It doesn't provide the comprehensive

Log Cabin Bank has recently expanded its services by purchasing several other banks. They now face security challenges that they haven't faced before. The most significant challenge is providing secure communication among the branches of the bank. State banking regulations require that all communications be secure even when traveling across unsecured networks. Which of the following will provide the BEST solution to the challenge faced by Log Cabin Bank?

OBJ: 5.3 - The Service-Level Agreement (SLA) is the document that precisely defines the agreed-upon service levels and performance metrics that the vendor is expected to meet. It outlines the specific services to be provided, performance expectations, response times, and remedies for not meeting the agreed-upon levels. The Memorandum of Understanding (MOU) outlines the terms of a partnership between two organizations and how they will collaborate on specific projects or initiatives. While it may establish the overall collaboration, it does not include service levels and performance metrics. The Master Service Agreement is a comprehensive document that establishes the overall framework for a long-term business relationship between Magnetic Island and the vendor. It outlines the general terms and conditions, but it does not specifically detail the service levels and performance metrics. The Work Order (WO) or Statement

Magnetic Island Networking is in the process of finalizing a contract with a new vendor to provide IT services. To ensure clear expectations, Magnetic Island wants to define the measurements of quality and performance they want from the vendor. Which of the following documents will they draw up for the vendor?

OBJ: 2.4 - A missing log is a strong sign of an attacker's presence since they often remove or alter logs to hide their actions. Given the context of the other anomalies, this is the most direct indicator of malicious activity. While failed login attempts could indicate a brute-force attack, most advanced security systems have measures against such obvious tactics. The use of valid usernames is concerning but might be explained by prior data leaks or breaches. While a spike in outbound traffic can indicate data exfiltration, it could also be a result of legitimate but unrecorded processes or activities. Alone, it's concerning but may not directly indicate malicious activity. While an increase in CPU usage can suggest unexpected activities (like crypto mining or running unauthorized processes), it's not definitive without more information. Alone, it's an anomaly but not necessarily malicious.

Maria, a cybersecurity analyst, is examining logs from a server with crucial financial data. She spots a few anomalies: a two-hour log gap without planned maintenance, a spike in outbound traffic to an unknown IP just before this gap, multiple failed logins from a foreign IP using valid usernames, and a higher CPU usage during the log gap despite no recorded actions. Which of these observations should Maria be MOST concerned with?

OBJ: 5.2 - Risk appetite refers to an organization's willingness to take on risk in pursuit of its business objectives. It reflects the organization's strategic approach to risk and how much risk it is willing to undertake to achieve specific goals. Risk tolerance is the extent to which an organization is comfortable with the level of risk it is willing to take. It represents the organization's ability to withstand potential losses or disruptions. Risk acceptance means that an organization understands the level of risk that is involved in an activity and is willing to accept the outcomes of taking the risk. The risk is either accepted or not; there aren't levels of risk acceptance. In this case, they are not making a decision about a level of risk for a specific activity. Risk deterrence involves taking measures to reduce or mitigate the impact of an event. In this case, they aren't evaluating the impact or taking mea

Members of the Risk Management Team at Eclipse, an awning manufacturer, are discussing the organization's approach to risk management. They are considering the level of risk they are willing to accept to achieve the aggressive set of goals the CEO has created. What is the term for what they are considering?

An on-path attack is a type of network attack that involves intercepting or modifying data in transit between two parties, such as by using a packet sniffer or a proxy server, or, in the case above, a rogue WAP. An amplified attack is a type of DDoS attack that involves sending requests with spoofed source IP addresses to servers that generate large responses, amplifying the traffic sent to the target server. A reflected attack is a type of distributed denial-of-service (DDoS) attack that involves sending requests with spoofed source IP addresses to servers that redirect the responses to the target server, reflecting the traffic back to it. A wireless attack is a type of network attack that involves exploiting vulnerabilities or weaknesses in wireless networks or devices, such as encryption, authentication, or configuration. Although the attack took place through a wireless device, it wasn't due to specific vulnerabi

Recently, Antatack, a martial arts company, has had a data breach. Barzan, a security analyst, was hired to investigate. He found a rogue WAP near the building. The attacker used the WAP to gain information about Anatack's clients. Which of the following network attacks is BEST demonstrated by this finding?

OBJ: 4.5 - The main significance of implementing XDR in the given scenario is its ability to integrate and correlate security data from various sources, such as endpoints, network, and cloud environments. By doing so, XDR can detect and respond to sophisticated, multi-vector cyber threats more effectively, which aligns with XYZ Corp's goal to address the increase in sophisticated cyberattacks. While XDR may contribute to enforcing security policies, its primary role is to detect and respond to multi-vector cyber threats across the IT environment. While some XDR solutions may include features for software updates and patch management, the primary focus of XDR is not on updating and patching software on endpoints. XDR's primary purpose is to enhance threat detection and response capabilities. One of the main advantages of EDRs is that they provide real-time monitoring and reporting of attacks. So this is not the proble

Red Notes, a financial institution, has experienced a sophisticated, multi-vector cyberattack. Only quick action by their security team prevented a data breach. The security team has recommended using Extended Detection and Response (XDR) across the company environment. Which of the following problems best explains why they recommend XDR in this scenario?

OBJ: 1.4 - SRTP (Secure Real-time Transport Protocol) provides encryption, message authentication, and integrity for voice communications over IP. It's designed to protect Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) traffic. ICMP (Internet Control Message Protocol) is mainly used by operating systems of networked computers to send error messages indicating, for instance, that a requested service is not available. It doesn't handle voice encryption. ARP (Address Resolution Protocol) is used for mapping a 32-bit IP address to a MAC address within a local network, not for encrypting voice traffic. DHCP (Dynamic Host Configuration Protocol) is used for assigning dynamic IP addresses to devices on a network. It does not encrypt voice traffic.

Safeguard Systems is looking to secure voice communication between its branch offices. Which of the following protocols would provide encryption specifically for voice traffic over IP?

OBJ: 4.6 - The principle of least privilege ensures that users are given the minimum levels of access necessary to perform their job functions, thereby limiting potential damage from errors or malicious actions. Under DAC (Discretionary Access Control), the data owner specifies who can access specific resources, primarily based on user discretion rather than the job function. Mandatory Access Control (MAC) restricts access based on sensitivity labels assigned to objects and the level of clearance of users. While RBAC (Role-Based Access Control) is about assigning system access to users based on their role within an organization, it doesn't necessarily restrict users to the minimum necessary permissions.

Sarah, a junior developer, has been given access to the development environment. However, she finds that she doesn't have the ability to make changes in the production environment. The company's IT policy allows only senior developers and administrators to make changes in production to minimize risks. Which of the following BEST describes the security principle the company is adhering to?

OBJ: 3.4 - Financial data is both sensitive and frequently updated. Continuous backups would ensure that every transaction is immediately backed up, minimizing potential data loss and maintaining compliance. Given the sensitivity and frequency of financial data updates, waiting a month for a full backup would be inadequate and might breach compliance regulations. Though daily incremental backups capture daily changes, in the event of a failure, a day's worth of financial transactions could be lost, potentially harming compliance standing. Differential backups could pose a risk, especially if the backup is done weekly, as several days' worth of financial data could be lost.

Sasha at Kelly Innovations LLC is responsible for maintaining the financial records of several clients. Given the sensitivity and importance of this data, as well as compliance regulations, which backup strategy should she prioritize to ensure minimal data loss?

OBJ: 4.1 - During the establish phase of secure baselines, a set of initial configurations, which includes security controls such as encryption, firewalls, and access controls, is designed and implemented. This baseline ensures a specific standard of security is adhered to when the system is set up. While setting up logs is a crucial part of maintaining security, this step is usually associated with the Operate/Maintenance phase and ongoing security processes. It doesn't directly establish a secure baseline. Checking for and installing the latest updates is important for keeping the network secure, but it is part of the Operation/Maintenance phase rather than establishing a secure baseline. Conducting a vulnerability assessment is an essential process to identify any potential weaknesses, but it is generally executed after establishing a secure baseline, to test its effectiveness, and is part of the Evaluate/A

Schyler is a network administrator. She is setting up a new Wi-Fi network for a branch of a multinational corporation. She is currently in the establish phase of creating secure baselines. What will she do FIRST in this phase?

OBJ: 4.1 - Limiting unnecessary ports reduces the exposure of servers to potential vulnerabilities associated with these services. Using older SSL/TLS versions is not recommended due to known vulnerabilities. Allowing unrestricted ICMP could expose the servers to potential threats like a ping flood. Using public community strings is insecure, as it could allow unauthorized access or information disclosure.

Susan, the lead system administrator at Kelly Innovations LLC, is working on establishing a secure baseline for the company's servers. Part of her strategy is to ensure the servers aren't vulnerable to unnecessary exposure. Which action is MOST appropriate for her to take initially?

OBJ: 1.4 - Blockchain is a system that allows for transparent and public verification of transactions. It uses a peer-to-peer network that maintains a public ledger. This provides both integrity and permanency of records. Digital signatures are a type of electronic signature that uses a specific type of encryption to ensure the authenticity and integrity of a digital message or document. This system does not allow for transparent and public verification of transactions. Key stretching is a method used to increase the time it takes to hash a password, making brute-force attacks less effective. This system does not allow for transparent and public verification of transactions. Salting is a technique used in cryptography to add random data to the input of a hash function to increase security. This system does not allow for transparent and public verification of transactions.

Sweet as Thyme, a flavoring supplier, uses a peer-to-peer network which relies on a public ledger to ensure the integrity of transactions and to provide a permanent record of all transactions. What is this technology they are using called?

OBJ: 3.3 - Tokenization is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token. The token and the data it substitutes are stored in a secure database. If the original data is needed, it can be accessed using the token and querying the database. The token will be a different size and have a different structure than the original data so the token can't be used to decipher the original data. Hashing is the process of converting an input of any length into a fixed size string of text, using a mathematical function. The process explained above doesn't indicate that a mathematical function is being used. Non-human readable data refers to a form of data that needs a computer or special software to interpret. In the case above both sets of data are human readable. Obfuscation is the hiding or camouflaging of information to prevent access to it. Obfuscation doesn't in

Tara, a database specialist, is planning out the way in which data will be stored. She has decided to substitute the sensitive data with non-sensitive representations. The sensitive data and non-sensitive representation will be stored in a separate database. Which data security technique is likely being used?

SCADA (supervisory control and data acquisition) is a category of software applications for controlling industrial processes; it works by gathering data in real time from remote locations in order to control equipment and conditions.

What is SCADA (supervisory control and data acquisition) and how does it work?

Risk identification is the first step in the risk management process. It involves identifying potential threats and vulnerabilities that could pose a risk to an organization's assets or operations. Risk assessment is not the first step in the risk management process. It comes after risk identification and involves evaluating the identified risks to determine their potential impact and likelihood. Risk analysis is a subsequent step that follows risk identification. It involves evaluating the identified risks and their potential impact on an organization. A risk register is a tool used in the risk management process to document and track identified risks, but it is not the first step in the process. It comes after risk identification and analysis.

What is the first step in the risk management process that involves determining what potential threats and vulnerabilities exist within an organization's environment?

OBJ: 2.1 - Shadow IT is a type of threat actor that results from unauthorized or unapproved IT systems or devices within an organization. Shadow IT can introduce security risks because the unauthorized system or device may provide attackers with a way to gain access to an otherwise secure system. In most cases, the unapproved system or device will not create any disruption to the services. The unapproved system or device will only lead to data losses if a threat actor can use it to gain access and then leverage the access to exfiltrate data. Therefore, data losses aren't the main danger. An unapproved system or device will only lead to financial losses if a threat actor can use it to gain access and then leverage the access to create financial losses. Therefore, financial losses aren't the main danger.

What is the main danger that comes from Shadow IT?

OBJ: 1.3 - A private key is used in asymmetric encryption. It is used to decrypt data that has been encrypted with the corresponding public key. A public key is used in asymmetric encryption. It is used to encrypt data that is decrypted with the corresponding private key. A symmetric key is used in symmetric encryption where the same key is used for both encryption and decryption. It does not decrypt data encrypted with a public key. A hash key is used in hash functions to map data of arbitrary size to fixed-size values. It is not used for decryption.

What is the name of a key that is used primarily for decrypting data?

OBJ: 2.1 - The primary difference between an insider threat and a shadow IT threat actor is the malicious intent. An insider threat has malicious intent and abuses their legitimate access to an organization's systems or data for harmful purposes, such as revenge, blackmail, or data theft. A shadow IT threat actor does not have malicious intent and uses unauthorized or unapproved devices, software, or services within an organization for convenience, productivity, or innovation purposes. Level of sophistication/capability is not the primary difference between an insider threat and a shadow IT threat actor, as both can have varying levels of technical skills, knowledge, and experience. However, an insider threat can have more sophistication and capability than a shadow IT threat actor. Level of access is not the primary difference between an insider threat and a shadow IT threat actor, as both have legitimate access t

What is the primary difference between an insider threat and a shadow IT threat actor?

OBJ: 5.1 - The custodian ensures that data is managed securely in line with the guidelines provided by the data owner and controller. Developing and overseeing the execution of the organization's IT strategy is generally done by IT leadership or the governance board, rather than the custodian. The responsibility of data classification usually lies with the data owner. How personal data should be processed and for what purposes are decisions typically made by the controller, not the custodian.

What is the primary responsibility of a data custodian in the realm of data governance?

OBJ: 5.5 - The audit committee is responsible for overseeing and evaluating an organization's internal controls, financial reporting, and compliance processes. This includes assessing the effectiveness of security controls and regulatory compliance. Audit committees are internal to an organization. External auditing is conducted by external, third-party entities. Audit committees are independent entities within an organization. Their job is to evaluate and oversee internal controls from an objective, unbiased viewpoint. While their conclusions may confirm someone's hunches about weaknesses, the conclusions should be reached independently, not as directed by the CEO or anyone else. Audit committees act independently and produce audits. They do not approve audits produced by the CEO or another governance organization.

What is the purpose of the audit committee?

OBJ: 2.2 - Remote Desktop Protocol (RDP) port is a type of open service port that is commonly used for remote desktop servers and can be exploited by attackers to perform screen capture, keystroke logging, or malware delivery attacks. It is the default port for RDP, the protocol used to remotely control a Windows based system's desktop. Secure Shell (SSH) port is a type of open service port that is commonly used for remote access servers and can be exploited by attackers to perform on-path attacks, such as session hijacking or replay. It is the default port for SSH, the protocol used to securely access remote systems. SSH is cross-platform, not Windows based. Virtual Network Computing (VNC) port is a type of open service port that is commonly used for remote desktop servers and can be exploited by attackers to perform screen capture, keystroke logging, or malware delivery attacks. It is the default port for VNC, th

What is the term for a type of open service port that is commonly used for remote access servers and can be used to perform on-path attacks on a Windows computer, but not on computers using other operating systems?

OBJ: 1.4 - Key escrow is a system in which a copy of a cryptographic key is given to a third party. This allows for the recovery of keys if they are lost. Key exchange is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. Key generation is the process of generating keys in cryptography. It does not involve a third party having access to encrypted data. Public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.

What part of PKI allows the storing of encrypted keys with a third party so keys can be recovered if they are lost?

OBJ: 5.3 - In a BPA (Business Process Analysis), process flow details each operational step, describing how the mission essential function is systematically executed. Outputs relate to the final products or data produced by the function, which is the result of the process flow but not the description of the steps themselves. Hardware identifies the physical infrastructure used in the process, not the step-by-step procedural narrative. While inputs are crucial for starting the process, they do not constitute the sequential operational guide that is the process flow.

What part of a BPA for mission essential functions provides a detailed, step-by-step description of the procedural tasks performed?

OBJ: 4.3 - A system/process audit is a thorough review of an organization's operations, ensuring adherence to specific standards and identifying potential areas for improvement. Penetration testing is a simulated cyber-attack against a system to check for exploitable vulnerabilities, often involving a combination of tools and manual techniques. A risk assessment involves identifying, evaluating, and analyzing risks to an organization's assets and operations, with the aim of implementing measures to control and mitigate those risks. While risk assessments are crucial for understanding and mitigating potential risks and vulnerabilities within an organization, they do not specifically focus on ensuring that procedures, controls, and operations comply with established guidelines, standards, or regulations. OSINT leverages publicly available data sources to gather intelligence on targets, providing valuable insights wit

What term refers to a formal examination of an organization's procedures, controls, and operations, ensuring they comply with established guidelines, standards, or regulations?

OBJ: 5.2 - Probability refers to the expected frequency of occurrence of a specific risk within a given time frame. Likelihood is a qualitative term used to express the chance of a risk occurring, typically described in terms of low, medium, or high. The exposure factor represents the percentage of asset loss that would occur if a specific risk is realized. It is a quantitative risk analysis metric. The annualized rate of occurrence (ARO) is a quantitative risk analysis metric that represents the expected number of times a specific risk occurs in a year.

What term refers to the expected frequency of occurrence of a specific risk within a given time frame?

OBJ: 4.4 - Infrastructure monitoring is focused on ensuring the foundational IT components, like servers, data centers, and networking equipment, are both functional and secure. Systems monitoring evaluates the hardware, operating systems, and the essential services that applications run on but not the broader foundational structures of IT. Applications monitoring pertains to overseeing individual software solutions and ensuring their security and performance. While log aggregation collects logs for analysis, it's a tool or method used in monitoring but does not specify which component (system, application, or infrastructure) is being observed.

When a security specialist wishes to obtain a holistic view of the health and security status of foundational IT components, such as networks, cloud services, and servers, which type of monitoring should they prioritize?

The TCO (Total Cost of Ownership) not only includes the initial purchase price of the tool but also the ongoing expenses related to maintenance, updates, and other associated costs over its lifecycle. Operational Efficiency refers to the effectiveness and productivity of operations but doesn't directly address the financial impact of a tool over its lifecycle. CAPEX (Capital Expenditure) pertains to the initial costs to purchase the asset or tool, not the ongoing or total costs throughout its lifecycle. While ROI (Return on Investment) evaluates the profitability or benefit of a particular investment, it doesn't primarily focus on the entire financial impact over a tool's lifecycle.

When evaluating a new security tool for automation and orchestration in the organization's infrastructure, which factor primarily addresses the potential financial impact over the tool's lifecycle?

OBJ: 4.3 - Cyber liability insurance is designed to help organizations cover the costs and potential legal consequences of cybersecurity breaches. This is especially beneficial in situations where vulnerabilities lead to data breaches. While multi-factor authentication (MFA) strengthens access controls by requiring multiple forms of verification, it doesn't serve as a financial safeguard against cyber incidents. Regular backups ensure data availability in case of data loss scenarios, but they don't offer financial protection against the repercussions of breaches. Segmenting network zones can effectively reduce the spread of malicious activities within a network. However, it doesn't provide financial coverage against cyber incidents.

Which activity is often considered as a financial safeguard against the potential aftermath of a security breach?

One of the most important characteristics of blockchain is its decentralized nature, distributing the ledger across a peer-to-peer network, thus eliminating a single point of failure. Homomorphic encryption allows for computations on ciphertext, without the need for decryption first. Digital certificate rotation is the practice of changing digital certificates at regular intervals. While blockchain blocks often include time stamps, this feature doesn't protect against a singular point of compromise.

Which characteristic of blockchain technology ensures that the risk associated with having a single point of failure or compromise is mitigated?

OBJ: 5.1 - The Sarbanes-Oxley Act is US legislation that mandates various practices to protect investors by improving the accuracy and reliability of corporate financial statements and disclosures. The Computer Security Act (1987) focuses on the security of federal computer systems processing confidential information; it does not deal with financial reporting transparency. FISMA (Federal Information Security Management Act) aims to govern the security of data processed by federal government agencies, but it doesn't specifically focus on financial transparency and accountability. GDPR (General Data Protection Regulation) is a European Union regulation that pertains to the protection of personal data and its processing, ensuring that entities collect and use such data fairly and transparently.

Which legislation mandates the implementation of risk assessments, internal controls, and audit procedures for ensuring transparency and accountability in financial reporting in the US?

OBJ: 3.1 - Containerization encapsulates an application with its environment, guaranteeing uniform behavior across systems. Serverless computing eliminates the need to manage server infrastructure but doesn't bundle applications with their environments. Logical segmentation focuses on dividing networks for traffic and security management, not on application encapsulation. Software-defined networking (SDN) centers on managing network control via software, not on packaging applications.

Which of the following BEST characterizes the method of bundling an application and its environment for consistent behavior across platforms?

OBJ: 1.2 - Policy-driven access control is an approach where permissions are set based on organizational policies, roles, or requirements, ensuring that users have the right level of access that aligns with their job functions or responsibilities. Permissions are assigned based on predefined roles in an organization, and individuals are then assigned to those roles. Users are given the minimum levels of access necessary to perform their job functions. If a condition is not explicitly met, access is denied by default.

Which of the following BEST describes a system that allocates permissions and access based on pre-defined organizational guidelines, strategies, codes, roles, or requirements?

Information-sharing organizations are entities that enable various groups to share data about threats and vulnerabilities, enhancing collective defense against cyber risks. Bug bounty programs are an initiative where organizations reward individuals for discovering and reporting software bugs. Security Operation Centers (SOCs) are crucial entities within organizations that continuously monitor and analyze an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents. While SOCs play a vital role in organizational security, their primary function is not to facilitate the distribution and exchange of threat and vulnerability information among different organizations. Dynamic analysis evaluates software during its runtime, aiming to uncover vulnerabilities that might not be visible in a static state.

Which of the following BEST describes entities that facilitate the distribution and exchange of threat and vulnerability information among different organizations, often to improve collective security?

OBJ: 4.4 - When a file is quarantined, it is isolated, ensuring the user, or possibly any user, cannot access it. This can be achieved by encrypting the file or moving it to a designated quarantine zone in the file system. While quarantine can be a preliminary step before deciding to delete a file, they are not synonymous. Quarantine involves isolating the file without removing it completely. Quarantining specifically targets the suspicious or malicious file, not all files in its directory. While some quarantined files may be analyzed further, quarantine in itself doesn't imply immediate forwarding to another platform.

Which of the following BEST describes the action taken when a file is quarantined during an alert response?

OBJ: 5.1 - The controller is responsible for defining how personal data is handled and ensuring it meets GDPR and other regulatory requirements. Key management and secure generation are technical processes often overseen by IT security, not the controller. Holding ultimate decision-making authority and setting strategic data management policies is more indicative of the role of a governance board or an owner. While the controller may be involved in incident management, it is not their primary role; instead, it typically pertains to security teams and the custodian.

Which of the following BEST describes the data controller's role in relation to GDPR and data governance?

OBJ: 4.3 - A False Positive is a security alert that incorrectly identifies a legitimate action as a potential threat, while a False Negative is a security alert that mistakenly dismisses a real threat, leaving the system vulnerable to harm. A False Positive refers to a situation where a legitimate action is mistakenly identified as a threat and may lead to unnecessary alarms and investigation efforts. On the other hand, a False Negative occurs when a security system fails to detect an actual security incident, leaving the system vulnerable to potential harm. A False Positive is when a legitimate action is mistakenly flagged as a security threat, and a False Negative is when a security incident goes undetected. In reality, a False Positive refers to a situation where a security system mistakenly identifies a legitimate action as a threat, while a False Negative occurs when a security system fails to detect an actual

Which of the following BEST explains the difference between False Positive and False Negative in the context of vulnerability management?

OBJ: 4.2 - Inventory enables organizations to maintain up-to-date records of hardware, software, and data assets. This facilitates timely patch management, as administrators can easily identify assets that require updates or patches. Timely patching is crucial for mitigating security risks and reducing the possibility of exploitation through unpatched vulnerabilities. Proper inventory documentation may aid in financial tracking and budget allocation, but it is not the primary focus when discussing inventory's importance in the asset tracking process for security implications. The primary concern with inventory is maintaining accurate records of assets for security monitoring and management. Inventory does not specifically focus on the physical organization of assets for audits and investigations. While physical organization is relevant for efficient asset management, the primary purpose of inventory is to maintain ac

Which of the following BEST highlights the significance of inventory in managing hardware, software, and data assets effectively?

OBJ: 4.8 - The Preparation phase in the incident response process involves activities such as developing an incident response plan, defining the roles and responsibilities of the incident response team, and conducting regular training and drills. These preparations ensure that the organization is ready to respond effectively and efficiently to any potential security incident. Identifying and classifying incidents based on severity and impact is part of the Detection phase of the incident response process: it involves recognizing that an incident has occurred and understanding its potential implications. Triage takes place after an incident occurs, not in the Preparation phase. Analyzing the evidence and determining the root cause of the incident is part of the Analysis phase, and the findings are revisited in the Lessons Learned phase. That review comes after the incident has been contained and the organization is workin

Which of the following activities take place during the preparation phase in the incident response process?

OBJ: 3.4 - Journaling is a form of backup that records every transaction made in a system, so the log can be replayed to restore the system to a previous state. A full backup involves making a complete copy of all data in the system. While comprehensive, it is typically scheduled to occur at regular intervals (e.g., nightly or weekly) and does not provide real-time replication of each transaction. Differential backups capture all changes made since the last full backup. Like incremental backups, differential backups are not done in real time but at specific intervals, and they accumulate changes since the last full backup. Incremental backups save only the changes made since the last backup, whether that was a full or another incremental backup. This method does not replicate transactions in real time, but rather at scheduled intervals.

Which of the following backup methods involves real-time replication of every transaction made within a system?
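The card above distinguishes four strategies by what each captures and to which point it can restore. The following is an added example, not part of the original study set: a toy key/value store with a constructed transaction stream, showing that a journal can be replayed to any transaction, that a differential backup grows with every run, and that incremental restores need the whole chain. All keys, values and transaction numbers are constructed for the demo.

```python
"""Added example: full, differential, incremental and journaling
backups modelled on a tiny key/value store. Data is constructed."""
import copy
from typing import Dict, List, Optional, Tuple

Tx = Tuple[int, str, Optional[str]]  # (tx id, key, value); None = delete

# Constructed transaction stream; the live system applies these in order.
TRANSACTIONS: List[Tx] = [
    (1, "a", "1"), (2, "b", "2"), (3, "a", "3"), (4, "c", "4"),
    (5, "b", None), (6, "d", "6"), (7, "c", "7"),
]


def apply_tx(state: Dict[str, str], tx: Tx) -> Dict[str, str]:
    _tx_id, key, value = tx
    if value is None:
        state.pop(key, None)
    else:
        state[key] = value
    return state


def state_after(n: int) -> Dict[str, str]:
    """Live state after the first n transactions."""
    st: Dict[str, str] = {}
    for tx in TRANSACTIONS[:n]:
        apply_tx(st, tx)
    return st


def journal_restore(journal: List[Tx], upto_tx: int) -> Dict[str, str]:
    """Journaling keeps every transaction, so restore can stop at any tx id."""
    st: Dict[str, str] = {}
    for tx in journal:
        if tx[0] > upto_tx:
            break
        apply_tx(st, tx)
    return st


def full_backup(n: int) -> Dict[str, str]:
    """Full backup: a complete copy of the state at a scheduled point."""
    return copy.deepcopy(state_after(n))


def delta(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Keys whose value differs between two snapshots; None marks a deletion."""
    return {k: new.get(k) for k in set(old) | set(new) if old.get(k) != new.get(k)}


def differential_backup(last_full_n: int, n: int) -> Dict[str, Optional[str]]:
    """Changes since the last FULL backup (accumulates run after run)."""
    return delta(state_after(last_full_n), state_after(n))


def incremental_backup(prev_backup_n: int, n: int) -> Dict[str, Optional[str]]:
    """Changes since the previous backup of ANY type (stays small, needs the chain)."""
    return delta(state_after(prev_backup_n), state_after(n))


def restore_from_deltas(full: Dict[str, str], deltas: List[Dict[str, Optional[str]]]) -> Dict[str, str]:
    st = copy.deepcopy(full)
    for d in deltas:
        for k, v in d.items():
            if v is None:
                st.pop(k, None)
            else:
                st[k] = v
    return st


def demo() -> dict:
    full = full_backup(2)                  # full backup taken after tx 2
    diff6 = differential_backup(2, 6)      # differential after tx 6 (since the full)
    inc4 = incremental_backup(2, 4)        # incremental after tx 4 (since the full)
    inc6 = incremental_backup(4, 6)        # incremental after tx 6 (since inc4)
    return {
        "live_after_6": state_after(6),
        "journal_to_5": journal_restore(TRANSACTIONS, 5),  # only the journal reaches tx 5
        "full_plus_diff6": restore_from_deltas(full, [diff6]),
        "full_plus_inc4_inc6": restore_from_deltas(full, [inc4, inc6]),
        "diff6_size": len(diff6),          # 4 entries: carries everything since the full
        "inc6_size": len(inc6),            # 2 entries: only what changed since inc4
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from the run: both delta strategies reproduce the live state, but only the journal can be stopped at transaction 5 (between two scheduled backups), which is the real-time, per-transaction property the card asks about.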

OBJ: 2.5 - AES (Advanced Encryption Standard) is a symmetric encryption algorithm in which the same key is used for both encryption and decryption. RSA (Rivest-Shamir-Adleman) is an asymmetric technique that involves two distinct keys, one public and one private, so encryption and decryption do not use the same key. ECC (Elliptic Curve Cryptography) is likewise asymmetric: public and private key pairs are derived from elliptic curve mathematics, and the key that encrypts (or verifies a signature) is not the key that decrypts (or signs). Diffie-Hellman is an asymmetric key agreement method used to establish a shared key over a public channel; it is not a symmetric encryption method.

Which of the following cryptographic techniques uses the same key for both encryption and decryption processes, making it essential that the key remains secret and is shared securely among the involved parties?

OBJ: 2.2 - S/MIME (Secure/Multipurpose Internet Mail Extensions) uses email certificates to both sign and encrypt email content, ensuring both authenticity and confidentiality. Transport Layer Security encrypts the communication path between mail servers, but it does not use individual email certificates to sign or encrypt the content of a message. Domain-based Message Authentication, Reporting & Conformance (DMARC) focuses on the authenticity of the domain from which emails originate, rather than on using certificates to sign and encrypt the email content itself. Sender Policy Framework checks the sending server's IP against the list of servers authorized for the domain, but does not use email certificates for content encryption or signatures.

Which of the following email security techniques specifically utilizes email certificates to authenticate and safeguard email content?

OBJ: 5.1 - AES (Advanced Encryption Standard) is a symmetric encryption standard used to protect data at rest and in transit, ensuring confidentiality and security. SHA (Secure Hash Algorithm) is a set of cryptographic hash functions designed to ensure data integrity, not to encrypt data. HMAC (Hash-Based Message Authentication Code) is a specific construction for creating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key, rather than for encryption purposes. RSA (Rivest-Shamir-Adleman) is an asymmetric encryption standard typically used for secure data transmission, not specifically for data at rest.

Which of the following encryption standards is primarily used for securing data at rest and in transit through symmetric key cryptography?
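The card above separates AES (confidentiality), SHA (integrity only) and HMAC (integrity plus a shared secret). The following is an added example, not part of the original study set, showing in standard-library Python why a bare hash does not protect against a deliberate modification while an HMAC does: an attacker who changes a message can always recompute SHA-256 over it, but cannot recompute the HMAC without the key. The message, key and tampering are constructed for the demo.

```python
"""Added example: unkeyed hash vs. HMAC on a constructed message.
Everything here (message, key, the attacker's edit) is made up."""
import hashlib
import hmac


def sha256_hex(message: bytes) -> str:
    """Unkeyed digest: anyone can recompute it for any message."""
    return hashlib.sha256(message).hexdigest()


def hmac_sha256_hex(key: bytes, message: bytes) -> str:
    """Keyed MAC: recomputing it requires the secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hash(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(sha256_hex(message), tag)


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest is constant-time, so a byte-by-byte mismatch position
    # is not leaked through timing when the check is exposed to a network.
    return hmac.compare_digest(hmac_sha256_hex(key, message), tag)


def attacker_tampers(message: bytes) -> tuple:
    """An attacker without the key edits the payload and recomputes the
    only integrity value they are able to: the unkeyed hash."""
    forged = message.replace(b"amount=100", b"amount=9000")
    return forged, sha256_hex(forged)


def demo(key: bytes = b"shared-secret-for-demo-only") -> dict:
    original = b"transfer;to=acct-42;amount=100"   # constructed message
    hash_tag = sha256_hex(original)
    mac_tag = hmac_sha256_hex(key, original)
    forged, forged_hash = attacker_tampers(original)
    return {
        # A hash-only integrity check is fooled by the recomputed hash.
        "hash_accepts_forgery": verify_hash(forged, forged_hash),
        # The HMAC over the forged message no longer matches the stored tag.
        "hmac_rejects_forgery": not verify_hmac(key, forged, mac_tag),
        # The legitimate message still verifies with the right key...
        "hmac_accepts_original": verify_hmac(key, original, mac_tag),
        # ...and a party with a different key cannot produce a valid tag.
        "wrong_key_rejected": not verify_hmac(b"other-key", original, mac_tag),
        "unused_hash_tag": bool(hash_tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Neither primitive provides confidentiality: the transfer message is readable throughout. That is the gap AES fills, and the reason the exam pairs AES with "data at rest and in transit" while SHA and HMAC answer integrity questions.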

OBJ: 4.4 - One of the primary objectives of alert tuning is to reduce false positives, increasing the overall accuracy of the alerting system. Alert tuning works to reduce false positives, not false negatives; in fact, reducing false positives (for example by suppressing or allowlisting a noisy source) can increase the incidence of false negatives if the suppression is too broad. Alert tuning lets security analysts identify common, benign alerts and resolve them, so they can focus on more significant issues. The primary purpose of alert tuning is to enhance the efficiency and accuracy of the alerting system by reducing false positives and tailoring the system to an organization's specific requirements. Alert tuning is not concerned with improving the user interface aesthetics of the alerting system.

Which of the following explains the concept of Alert Tuning?
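The false positive/false negative card earlier in this set and the alert tuning card above make a claim worth seeing in numbers: suppressing noisy sources cuts false positives, but an over-broad suppression turns real attacks into false negatives. The following is an added example, not part of the original study set. It runs a toy login-detection rule over constructed, labelled events (IPs from the RFC 5737 documentation ranges) and counts TP/FP/TN/FN before tuning, after a narrow allowlist, and after an allowlist that is too broad.

```python
"""Added example: confusion-matrix view of alert tuning. The events,
network ranges and labels are constructed; nothing is a real log."""
import ipaddress
from typing import Callable, Dict, List, Tuple

CORP_LAN = ipaddress.ip_network("10.0.0.0/8")

# Constructed login events: (user, source IP, malicious?). The last field is
# the ground truth an analyst established after the fact.
EVENTS: List[Tuple[str, str, bool]] = [
    ("alice", "10.0.4.12", False),
    ("bob", "10.0.7.3", False),
    ("carol", "203.0.113.10", False),   # legitimate login via the VPN egress
    ("dave", "203.0.113.10", False),
    ("erin", "198.51.100.7", True),     # credential stuffing from outside
    ("frank", "203.0.113.77", True),    # attacker in the same ISP block as the VPN
]

Rule = Callable[[str], bool]


def rule_untuned(src_ip: str) -> bool:
    """Alert on any login that does not originate from the corporate LAN."""
    return ipaddress.ip_address(src_ip) not in CORP_LAN


def make_tuned_rule(allowlist: List[str]) -> Rule:
    """Same rule, but sources inside the allowlist never alert."""
    nets = [ipaddress.ip_network(n) for n in allowlist]

    def rule(src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        if any(ip in n for n in nets):
            return False
        return rule_untuned(src_ip)

    return rule


def confusion(rule: Rule, events=EVENTS) -> Dict[str, int]:
    """Count true/false positives and negatives for a rule over labelled events."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for _user, src, malicious in events:
        alerted = rule(src)
        if alerted and malicious:
            counts["tp"] += 1
        elif alerted and not malicious:
            counts["fp"] += 1      # legitimate action flagged: wasted analyst time
        elif not alerted and malicious:
            counts["fn"] += 1      # real attack missed: the dangerous outcome
        else:
            counts["tn"] += 1
    return counts


def compare_tunings() -> Dict[str, Dict[str, int]]:
    return {
        "untuned": confusion(rule_untuned),
        # Allowlist exactly the VPN egress address: FPs vanish, FNs stay at zero.
        "narrow_allowlist": confusion(make_tuned_rule(["203.0.113.10/32"])),
        # Allowlist the whole ISP block: FPs vanish, but the attacker at .77 is now missed.
        "broad_allowlist": confusion(make_tuned_rule(["203.0.113.0/24"])),
    }


if __name__ == "__main__":
    for name, counts in compare_tunings().items():
        print(f"{name:18s} {counts}")
```

The practical rule this illustrates: tune with the narrowest suppression that explains the benign alerts, and re-run the labelled history after every change so a drop in false positives is not silently paid for with false negatives.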

OBJ: 4.4 - SIEM systems are not primarily used for software procurement or asset management. Their primary purpose is to provide real-time analysis of security alerts and to offer a holistic view of an organization's security posture; they are not involved in tasks such as the procurement and management of hardware. SIEM systems can maintain a record of an organization's IT equipment as a by-product of their comprehensive data collection. One of the critical roles of a SIEM is the real-time monitoring and analysis of security alerts across an organization's network. SIEM systems collect and aggregate log data from an array of sources within an organization's IT infrastructure, providing a centralized view of the security landscape.

Which of the following is NOT true about the importance of Security Information and Event Management (SIEM)?

OBJ: 5.1 - The SDLC (Software Development Life Cycle) methodically divides the software creation and maintenance process into specific phases. By doing so, it ensures that security considerations are integrated and prioritized from the start of software development through its maintenance. CI/CD (Continuous Integration and Continuous Delivery) focuses on the frequent delivery of applications to customers by introducing automation into the stages of app development. Although it can incorporate security elements, its primary goal isn't to segment software creation and maintenance like the SDLC. While RAD (Rapid Application Development) emphasizes fast prototyping and speedy software delivery, it does not inherently focus on segmenting software creation into discrete security-focused phases as the SDLC does. While Scrum is an Agile framework used in software development that emphasizes collaboration and adaptability, it

Which of the following methodologies divides the creation and maintenance of software into discrete phases, emphasizing the integration of security throughout its stages?

OBJ: 3.3 - Encryption transforms data into a coded format using a specific algorithm and a key. Only those possessing the correct key can decrypt and access the original data, making it a primary means of securing information against unauthorized access. Hashing converts data into a fixed-length string of characters, the hash value. Hashing is one-way; once data is hashed, it cannot be reversed to its original form. Hashing is about data integrity and verification rather than preventing unauthorized access. Tokenization replaces sensitive data with non-sensitive placeholders or "tokens." While it hides the original data, it does not convert the data set into a coded format: the tokens are used in place of the data in applications, and the original values are kept in a separately secured token vault. Compression reduces the size of data to save space or accelerate transmission. Though it changes the data format, its primary purpose is not security.

Which of the following methods converts original data into a coded format to prevent unauthorized access and requires a key to decode it?

Isolation is a mitigation technique that can help prevent malware from spreading from one system or process to another by limiting their interaction and communication. Isolation involves sandboxing or simply disconnecting an infected system. This prevents potentially malicious programs or scripts from accessing the rest of the system or network. Hardening is a technique that can help reduce the exposure of systems and devices to potential attacks by disabling unused features and services. Hardening involves removing unnecessary features and services, changing default settings, and applying security configurations to systems and devices. Hardening is preventative and takes place before malware is on the system. Isolation is most important when malware is on the system. Segmentation is a mitigation technique that involves dividing a network into smaller segments. Each has its own security policies and controls. Segment

Which of the following mitigation techniques can help prevent malware from spreading from one system or process to another by limiting their interaction and communication?

OBJ: 2.2 - A CEO's request to finance to wire money urgently is a classic example of a business email compromise (BEC). In this type of attack, cybercriminals impersonate executives or other key personnel in an organization. They craft persuasive emails directed at employees, often in financial departments, tricking them into transferring money or revealing confidential data. A pop-up on a website asking for credit card details is a web-based scam designed to trick users into divulging their personal or financial information. These malicious pop-ups can appear on compromised websites or be the result of malware on a user's system. An email from a coworker asking to review an attached invoice might seem like a potential business email compromise, especially if the coworker doesn't typically send invoices. However, it is more indicative of a spear phishing attempt or malicious attachment scheme. T

Which of the following scenarios MOST exemplifies a business email compromise?

OBJ: 1.2 - The Control Plane within the Zero Trust model is fundamentally responsible for deciding on access based on policies and threats, which is a dynamic and multifaceted task. While it does consider user behavior as part of its decision-making process, employing security decisions based on user behavior is only one aspect of its function. Although the Control Plane's decisions can indirectly limit potential damage zones by enforcing segmented access to network resources, its primary role should not be confused with the outcomes of its policy enforcement. The Control Plane does not directly ensure the efficient transmission of data — this is a misconception, as that is the role of the Data Plane.

Which of the following statements BEST describes the Control Plane in the Zero Trust model?

Chain of Custody is the process of securing and preserving evidence related to a security incident for potential use in legal proceedings. When handling digital evidence, it is crucial to maintain a clear and documented Chain of Custody. This ensures that the evidence is collected, stored, and transferred in a way that maintains its integrity and authenticity, making it admissible and reliable in legal proceedings. Chain of Custody is not related to the evaluation of incidents but rather to the proper handling of evidence. While identifying the individuals or groups responsible for an incident might be valuable for legal proceedings, Chain of Custody itself is primarily focused on the proper handling and documentation of evidence. Following the Incident Response Plan is not the purpose of Chain of Custody. Chain of Custody is the process of securing and preserving evidence related to a security incident for potential

Which of the following statements BEST explains the importance of Chain of Custody in incident response?

OBJ: 4.4 - DLP involves a set of techniques and tools designed to detect and prevent the unauthorized transmission of sensitive data outside an organization's network, helping to protect valuable data from being leaked or exposed to unauthorized entities. While data encryption is an important security measure, DLP is not specifically focused on encrypting data in databases and cloud environments but on preventing data loss. While cybersecurity tools are essential for data protection, DLP specifically focuses on preventing data loss and unauthorized data transmission. DLP is not primarily focused on monitoring network traffic for DDoS attacks but is related to data protection.

Which of the following statements BEST explains the importance of DLP in the context of vulnerability management?

OBJ: 4.3 - Package monitoring involves keeping track of software package versions and security patches, which helps identify potential vulnerabilities and ensures that appropriate actions are taken to mitigate risks. By promptly addressing vulnerabilities, organizations can reduce the risk of exploitation and maintain a more secure environment. The purpose of package monitoring is to keep track of software package versions and security patches, not to track software package dependencies. Tracking the physical location and status of hardware packages is not the intended purpose of package monitoring. While updating software packages is essential for performance and functionality, package monitoring, in the context of vulnerability management, is not focused on general updates.

Which of the following statements BEST explains the importance of package monitoring in the context of vulnerability management?

SCAP is not used for data encryption. Its main function is to strengthen the security of systems through a standardized approach to maintaining system security, helping to automate the detection of vulnerabilities, the management of configurations, and the maintenance of compliance with regulatory standards. SCAP aids in automating vulnerability management and configuration settings on a system, allowing security teams to perform these tasks effectively and efficiently. SCAP provides a standardized, consistent approach to maintaining system security, including a common language for expressing security content in a clear and consistent manner. SCAP does help in ensuring compliance with security guidelines and regulations; it provides a way for organizations to demonstrate that their systems adhere to certain security standards.

Which of the following statements about the importance of the Security Content Automation Protocol (SCAP) is NOT true?

The exposure factor is not calculated by multiplying the asset's total value by the yearly rate of occurrence. It is an estimate of the potential damage to an asset if a given threat exploits a vulnerability, and it is not directly connected to the asset's total value or frequency of threat events. An exposure factor of 100% suggests that a security incident or threat event would render the asset entirely unusable or worthless. The exposure factor is the proportion of an asset's value estimated to be affected or jeopardized during a particular security incident or threat event. Exposure factor is usually expressed as a percentage representing the portion of the asset's value likely to be lost in an incident.

Which of the following statements is NOT true about the Exposure Factor?

OBJ: 5.2 - Probability is a quantitative measure, usually expressed as a number between 0 and 1, or as a percentage, indicating the statistical likelihood of a risk event. Severity ranking may determine how serious an impact might be but does not directly relate to the probability of an event occurring. The exposure factor (EF) is the fraction of the asset value that is at risk in the event of a security incident. Likelihood is used in qualitative risk analysis to subjectively describe how probable a risk event is, often expressed in terms such as "low," "medium," or "high."

Which of the following terms BEST describes the measurement used to describe a 7% possibility of hardware failure in the next year based on past statistical data?

Risk identification is the proactive process of recognizing and recording potential threats that could adversely affect an organization. Policy review is an activity that may be part of risk identification but does not encompass the entire scope of identifying a range of potential risks. A vulnerability assessment is a specific method used within risk identification to determine the weaknesses within an organization's IT infrastructure. Threat intelligence involves the collection and analysis of information about current and potential attacks that threaten the security of an organization but does not directly refer to the broader process of risk identification.

Which of the following terms BEST describes the process of detecting and documenting potential threats, such as malware, insider threats, or inadequate policies, to inform an organization's risk management strategies?

OBJ: 5.2 - Likelihood measures how probable it is that a risk will occur, which is crucial for risk analysis and management. Risk frequency could be seen as similar to likelihood but is less specifically defined in risk management terminology. While ARO (Annualized rate of occurrence) is a measurement of how often a risk event is expected to happen annually, it doesn't describe the general probability or frequency as broadly as the term likelihood does. Probability also indicates the chance of a risk occurring but does not necessarily tie it to a specific time frame as likelihood does within the context of risk assessment.

Which of the following terms describes the qualitative frequency of a risk occurring within a specified period?

DAC (Discretionary access control) is a model where resource owners have the discretion to determine who can access specific resources and the actions they can perform. Mutual TLS (mTLS) authentication involves both client and server authenticating each other using certificates for secure communication. RBAC (Role-based access control) grants access based on the role of the user, not on the user's individual identity. OTP (One-time password) is an authentication mechanism where a unique password is valid for only one login session.

Which of the following terms refers to an authorization model that allows resource owners to grant or deny permissions based on their own judgment?
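The card above hinges on who decides: in DAC the resource owner grants or denies access, while in RBAC an administrator binds permissions to roles and individual users cannot widen access themselves. The following is an added example, not part of the original study set, that models both side by side in a few dozen lines of Python. The users, file name and roles are constructed.

```python
"""Added example: a minimal DAC store beside a minimal RBAC store.
Users, resources and roles are constructed for the demo."""
from typing import Dict, Set


class DacStore:
    """DAC: the owner of a resource decides who gets which permissions."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}
        self.acl: Dict[str, Dict[str, Set[str]]] = {}

    def create(self, resource: str, owner: str) -> None:
        self.owner[resource] = owner
        # The creator owns the resource and holds the right to delegate.
        self.acl[resource] = {owner: {"read", "write", "grant"}}

    def grant(self, actor: str, resource: str, grantee: str, perm: str) -> bool:
        # Only a principal holding "grant" on the resource (the owner, or someone
        # the owner delegated it to) may change the ACL. Everyone else is refused.
        if "grant" not in self.acl.get(resource, {}).get(actor, set()):
            return False
        self.acl[resource].setdefault(grantee, set()).add(perm)
        return True

    def allowed(self, user: str, resource: str, perm: str) -> bool:
        return perm in self.acl.get(resource, {}).get(user, set())


class RbacStore:
    """RBAC: permissions hang off roles; users are given roles by an admin."""

    def __init__(self, role_perms: Dict[str, Set[str]]) -> None:
        self.role_perms = role_perms
        self.user_roles: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user: str, perm: str) -> bool:
        return any(perm in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


def demo() -> dict:
    dac = DacStore()
    dac.create("q3-forecast.xlsx", "alice")
    alice_grants = dac.grant("alice", "q3-forecast.xlsx", "bob", "read")      # owner: allowed
    bob_grants = dac.grant("bob", "q3-forecast.xlsx", "mallory", "read")      # not owner: refused

    rbac = RbacStore({"analyst": {"read"}, "editor": {"read", "write"}})
    rbac.assign("carol", "analyst")
    return {
        "alice_grants": alice_grants,
        "bob_can_read": dac.allowed("bob", "q3-forecast.xlsx", "read"),
        "bob_grants": bob_grants,
        "mallory_can_read": dac.allowed("mallory", "q3-forecast.xlsx", "read"),
        "carol_can_read": rbac.allowed("carol", "read"),
        "carol_can_write": rbac.allowed("carol", "write"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The security-relevant contrast is the "grant" right: in the DAC store it travels with ownership and can be delegated, which is exactly why DAC permissions tend to sprawl; in the RBAC store no user-level call can add a permission at all.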

Threat scope reduction refers to the proactive steps and strategies taken to reduce the potential areas of attack within a system or network. By limiting the avenues that attackers can exploit, organizations can more effectively secure their assets. Zero Trust is a security concept that advocates for not trusting any entity inside or outside the organization's perimeter by default. It emphasizes the need for continuous verification and validation. A gap analysis identifies the differences between the current state of a system or process and its desired future state, providing a roadmap for achieving those desired outcomes. Physical security focuses on measures designed to protect the physical assets of an organization, such as buildings, devices, and personnel, from harm and unauthorized access.

Which of the following terms refers to the practice of minimizing the potential attack surface within an organization's network?

OBJ: 5.2 - RTO (Recovery time objective) sets the goal for the time taken to recover business operations after an outage, essential for continuity planning. BCP (Business continuity planning) is the overarching process that includes recovery time objectives, but it is not a time-specific recovery target. MTTR (Mean time to repair) is the average repair time for a failed system or component, not the timeframe for full business recovery. RPO (Recovery point objective) assesses the maximum tolerable data age for recovery purposes, unrelated to the duration for restoring operations.

Which of the following terms specifically represents the target duration for recovering IT and business operations after a disruptive event?

OBJ: 2.1 - Nation-state actors are a type of threat actor sponsored by a government or a country's military. They normally have high resources/funding and a high level of sophistication/capability. Nation-state actors can launch advanced and persistent attacks against other countries, organizations, or individuals. Their goal is often to gain a strategic advantage in war or diplomacy. Organized crime is a threat actor composed of groups or networks that engage in illegal activities for profit. They usually target financial institutions, businesses, or individuals for fraud, theft, ransomware, etc. Their goal is to gain money, not a strategic advantage over a company. Shadow IT is a type of threat actor that results from unauthorized or unapproved IT systems or devices within an organization. Shadow IT can introduce security risks and compliance issues for an organization, but the damage is usually

Which of the following threat actors is MOST likely to be motivated by wanting to gain access to data to be used to gain a strategic advantage?

OBJ: 4.4 - SIEM tools are essential for consolidating and analyzing logs and alerts from many sources within an environment. They are known for their agentless capabilities: they can collect and process logs (for example, over syslog) without a dedicated agent on the source system, which gives flexibility in diverse infrastructure setups. While an IDS can detect malicious activity, it typically requires sensors or agents to capture traffic or system activity. A WAF filters and monitors HTTP traffic to and from a web application to prevent web-based attacks; it is not the best fit among the listed options for agentless monitoring and alerting. Antivirus software is geared toward detecting and removing malicious software from a system and typically requires an agent to operate.

Which of the following tools is MOST known for agentless security monitoring/alerting?

OBJ: 1.2 - The Policy Administrator in a Zero Trust model takes on the responsibility of maintaining and updating the policies that govern access control. They ensure that policies stay relevant, align with organizational security postures, and meet compliance requirements, making this option the correct one. Securing data during transmission is fundamentally about implementing secure communication protocols and doesn't fall under the Policy Administrator's primary responsibilities of managing and adjusting access policies. Adapting access decisions in real-time based on ongoing user actions points towards adaptive policy enforcement or potentially an adaptive identity approach, which continuously assesses risk and behavior. It doesn't define the Policy Administrator's role, which is to manage and update the policies, not to enforce them adaptively. Overseeing the actual enforcement of policies on the network implies

Which statement BEST captures the role of the Policy Administrator within the Zero Trust paradigm?

OBJ: 4.6 - Implementing a federation protocol, such as Security Assertion Markup Language (SAML), is the most effective approach for achieving a seamless user login experience for both internal employees and external partners. SAML allows for the secure exchange of authentication and authorization data between different organizations, enabling users to log in using their own organization's credentials while accessing resources and applications from other federated organizations without the need for separate accounts. It simplifies identity management and enhances user experience while maintaining centralized control. Creating separate user accounts for external partners within the organization's identity management system would result in a complex and difficult-to-maintain system. It would require managing multiple accounts for the same users, leading to duplication of effort and potential inconsistencies in access p

You are a cybersecurity analyst for a large organization that collaborates with several external partners, each having their own user authentication systems. The organization wants to simplify the user login experience for both internal employees and external partners while maintaining a centralized identity management system. As a cybersecurity analyst, you recommend implementing a federation solution for this purpose. Which of the following approaches would be the most effective way to implement federation in the given scenario?

OBJ: 4.9 - The details of specific suspicious activities such as source and destination IPs, port numbers, protocols, and timings can provide significant evidence for a security investigation. This information can help trace potential intruders and determine the methods they used for the breach. The source IPs, destination IPs, port numbers, protocols used, and timestamps for all connections in the past 2 weeks could be beneficial, but it is a lot of information to go through and it will be easy to overlook events. You will be better served by looking at suspicious activities rather than all activities. While the list of permitted IPs is an important part of managing access and controlling a network, it doesn't provide immediate, incident-specific information for a security breach investigation. The sheer number of connections doesn't provide specific or actionable information about a potential security breach. Detai

You are a security analyst tasked with investigating a suspected security breach in your organization's network. You decide to examine the Intrusion Prevention System/Intrusion Detection System (IPS/IDS) logs. Which of the following pieces of information would be MOST valuable in these logs to investigate the incident?
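The card above says the useful fields in IPS/IDS logs are the source and destination IPs, ports, protocol and timestamps of the suspicious events, not every connection. The following is an added example, not part of the original study set, that parses Suricata/Snort "fast.log" style alert lines, which carry exactly those fields, and reduces them to a priority-filtered timeline and a per-external-source count. The log lines are constructed (documentation IP ranges); the signature IDs and messages are illustrative only, and `10.0.0.0/8` is assumed to be the internal network.

```python
"""Added example: parse fast.log-style IDS alerts into the fields an
investigator needs. Sample lines below are constructed, not real."""
import ipaddress
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed sample in Suricata/Snort fast.log layout. The final line is
# deliberately malformed to show that unparseable input is skipped, not guessed.
SAMPLE_FAST_LOG = """\
01/15/2024-10:22:31.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.4.12:51234 -> 198.51.100.7:4444
01/15/2024-10:22:35.000001  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:40112 -> 10.0.4.20:1433
01/15/2024-10:23:02.555000  [**] [1:2200075:2] SURICATA ICMPv4 unknown code [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 198.51.100.7 -> 10.0.4.20
01/15/2024-10:25:10.000000  [**] [1:2024897:2] ET POLICY Executable and linking format (ELF) file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.9:80 -> 10.0.4.12:49822
this line is garbage and must be skipped
"""

# timestamp [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: N] {PROTO} SRC[:PORT] -> DST[:PORT]
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_log(lines: Iterable[str]) -> List[dict]:
    alerts = []
    for line in lines:
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        alerts.append({
            "ts": datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
            "sid": int(d["sid"]),
            "msg": d["msg"],
            "classification": d["cls"],
            "priority": int(d["prio"]),
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
            "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
        })
    return alerts


def high_priority(alerts: List[dict], max_priority: int = 2) -> List[dict]:
    """Keep only alerts at or above a priority (lower number = more severe)."""
    return [a for a in alerts if a["priority"] <= max_priority]


def external_sources(alerts: List[dict], internal: str = "10.0.0.0/8") -> Dict[str, int]:
    """Count alerts per source address that lies outside the internal range."""
    net = ipaddress.ip_network(internal)
    counts: Dict[str, int] = {}
    for a in alerts:
        if ipaddress.ip_address(a["src"]) not in net:
            counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts


def timeline(alerts: List[dict]) -> List[tuple]:
    """Chronological (time, src, dst, dport, message) view for the report."""
    return [(a["ts"].strftime("%H:%M:%S"), a["src"], a["dst"], a["dport"], a["msg"])
            for a in sorted(alerts, key=lambda a: a["ts"])]


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG.splitlines())
    for row in timeline(high_priority(parsed)):
        print(row)
    print(external_sources(parsed))
```

In the constructed sample the per-source count surfaces `198.51.100.7` as the host that both scanned the database port and received the "id check returned root" response from an internal machine, which is the kind of pivot the card describes: a small set of suspicious events, with their endpoints and times, rather than the full connection log.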

OBJ: 2.2 - Typosquatting is a form of cyberattack that involves registering domain names that are similar to legitimate ones but have spelling errors or variations. The goal is to trick users into visiting malicious websites that may steal their information or infect their systems with malware. Brand impersonation is a form of cyberattack that involves creating fake websites, emails, or social media accounts that mimic legitimate ones. The goal is to deceive users into trusting the fake entity and revealing their information or performing malicious actions. Watering hole is a form of cyberattack that involves compromising a legitimate website that is frequented by a specific group of users, such as employees of a certain organization. The goal is to infect the users' systems with malware when they visit the website. Business email compromise is a form of cyberattack that involves compromising an email account of a pe

You are browsing the web and you see an advertisement for a product that you have been looking for. You click on the link and it takes you to a website that looks like the product's website. However, you notice that the URL is slightly different and has a spelling error. What type of attack is this an example of?
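The card above defines typosquatting as a registered domain that differs from a legitimate one by a spelling error or a look-alike variation. The following is an added example, not part of the original study set, showing how a defender can screen candidate domains for that pattern: edit distance for single typos, an adjacent-transposition check, a small homoglyph map for look-alike characters, and a substring test for the brand embedded with extra tokens. The brand list and candidate domains are constructed (`example` is a reserved name); the homoglyph table is a short illustrative subset, not a complete one.

```python
"""Added example: screen domains for typosquatting against a brand list.
Brands, candidates and the homoglyph table are constructed/illustrative."""
from typing import Iterable, List, Optional

# Illustrative look-alike sequences; real tooling uses much larger tables.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_adjacent_transposition(a: str, b: str) -> bool:
    """True when a and b differ only by swapping two neighbouring characters."""
    if len(a) != len(b):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def normalise(label: str) -> str:
    """Collapse look-alike sequences so 'exarnple' and 'example' compare equal."""
    out = label.lower()
    for src, dst in HOMOGLYPHS.items():
        out = out.replace(src, dst)
    return out


def registrable_label(domain: str) -> str:
    """Second-level label; treats the last label as the suffix (toy rule,
    a real implementation would consult the public suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brands: Iterable[str], max_distance: int = 1) -> Optional[str]:
    """Return the brand a domain appears to impersonate, or None."""
    label = registrable_label(domain)
    for brand in brands:
        b = brand.lower()
        if label == b:
            return None                       # the genuine brand domain itself
        if normalise(label) == normalise(b):
            return brand                      # homoglyph swap, e.g. rn -> m, 1 -> l
        if is_adjacent_transposition(label, b):
            return brand                      # swapped neighbours, e.g. exampel
        if levenshtein(label, b) <= max_distance:
            return brand                      # one missing/extra/wrong character
        if b in label:
            return brand                      # brand plus extra tokens, e.g. example-login
    return None


def screen(domains: Iterable[str], brands: List[str]) -> List[tuple]:
    """Pair every domain with the brand it resembles (None = looks unrelated)."""
    return [(d, classify(d, brands)) for d in domains]


if __name__ == "__main__":
    for domain, hit in screen(
        ["example.com", "exarnple.com", "examp1e.com", "exmple.com",
         "exampel.com", "example-login.net", "acne.org", "unrelated.com"],
        ["example", "acme"]):
        print(f"{domain:20s} -> {hit}")
```

One caveat a practitioner will want stated: an edit distance of one also catches legitimately similar names (`acne.org` is flagged for the brand `acme`), so the output is a triage list for a human or for further checks such as registration date and hosting, not a verdict.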

OBJ: 2.2 - An IM (Instant messaging) threat vector uses online chat platforms to deliver malicious messages or files. A file-based threat vector uses corrupted or malicious files to infect systems or networks. A watering hole threat vector uses compromised websites that are frequented by a specific target group to deliver malware or redirect traffic. An SMS (Short Message Service) threat vector uses text messages to deliver malicious links or attachments to unsuspecting users.

You are chatting with your friend on Facebook Messenger. They send you a link to a funny video and ask you to watch it. You click on the link and it takes you to a website that looks like YouTube. However, the website then asks you to install a browser extension in order to play the video. You agree and install the extension. The extension then hijacks your browser and redirects you to malicious websites. What kind of threat vector was used for this attack?

