C178 JD
Difference between SCADA and BAS
#SCADA (supervisory control and data acquisition) networks are a type of network that works off of an ICS (industrial control system) and is used to maintain sensors and control systems over large geographic areas. #A building automation system (BAS) for offices and data centers ("smart buildings") can include physical access control systems, but also heating, ventilation, and air conditioning (HVAC), fire control, power and lighting, and elevators and escalators.
Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of the data is $120,000. Based on her analysis, she believes that a data breach will occur once every four years and have a risk factor of 30%. What is the ALE for a data breach within Jamie's organization? a) $9,000 b) $36,000 c) $90,000 d) $360,000
a) $9,000 #The single loss expectancy (SLE) is the amount that would be lost in a single occurrence: the asset value (AV) times the risk factor (RF). The annual loss expectancy (ALE) is the total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO). Here, AV = 120,000; RF = 30%; SLE = 120,000 x 30 / 100 = 36,000; ARO = 1/4; ALE = 36,000 / 4 = 9,000.
An analyst is reviewing the configuration of a triple-homed firewall that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall? a) DMZ b) Subnet c) NIDS d) GPO
a) DMZ #A triple-homed firewall connects to three networks: internal (private), external (internet/public), and the demilitarized zone (DMZ). The demilitarized zone (DMZ) network hosts systems that require access from external hosts.
Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of "connected clients" and see that "Bob's Laptop" is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the WPA2 password? a) Disable WPS b) Enable WPA c) Disable SSID broadcast d) Disable WPA2
a) Disable WPS #WPS was created to ease the setup and configuration of new wireless devices by allowing the router to automatically configure them after a short eight-digit PIN was entered. Unfortunately, WPS is vulnerable to a brute-force attack and is easily compromised. Therefore, WPS should be disabled on all wireless networks.
Which of the following cryptographic algorithms is classified as asymmetric? a) ECC b) RC4 c) Twofish d) DES
a) ECC #Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. As a public-key cryptosystem, it relies on an asymmetric algorithm. Twofish, RC4, and DES are all symmetric algorithms.
You have just received some unusual alerts on your SIEM dashboard and want to collect the payload associated with it. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization's normal business operations? a) Honeypot b) Jumpbox c) Containerization d) Sandbox
a) Honeypot #A honeypot is a host set up with the purpose of luring attackers away from the actual network components and/or discovering attack strategies and weaknesses in the security configuration. #A jumpbox is a hardened server that provides access to other hosts. #A sandbox is a computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. #Containerization is a type of virtualization applied by a host operating system to provision an isolated execution environment for an application.
Which of the protocols listed is NOT likely to be a trigger for a vulnerability scan alert when it is used to support a virtual private network (VPN)? a) IPSec b) SSLv2 c) PPTP d) SSLv3
a) IPSec #IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, the use of PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.
Which of the following would a virtual private cloud infrastructure be classified as? a) IaaS b) PaaS c) SaaS d) Function as a Service
a) IaaS #Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization may provision virtual servers in a cloud-hosted network. The service consumer is still responsible for maintaining the IP address space and routing internally to the cloud.
An analyst is reviewing the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors are able to access the internet. How can this type of attack be prevented from occurring in the future? a) Implement a VLAN to separate the HVAC control system from the open wireless network b) Install an IDS to protect the HVAC system c) Enable NAC on the open wireless network d) Enable WPA2 security on the open wireless network.
a) Implement a VLAN to separate the HVAC control system from the open wireless network #A VLAN is useful to segment network traffic into separate parts of the network, and can stop someone on the open wireless network from being able to attempt to log in to the HVAC controls.
Which type of threat actor can accidentally or inadvertently cause a security incident in your organization? a) Insider threat b) Hacktivist c) Organized Crime d) APT
a) Insider threat #An insider threat is a type of threat actor who has been assigned privileges on the system and causes an intentional or unintentional incident. Insider threats can be used as unwitting pawns of external organizations or may make crucial mistakes that can open up exploitable security vulnerabilities.
In an effort to increase the security of their passwords, Dion Training has added a salt and cryptographic hash to their passwords prior to storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called? a) Key stretching b) Rainbow table c) Salting d) Collision resistance
a) Key stretching #In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. The question describes one such key stretching technique.
Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords? a) Missing patches b) SQL injection c) CRLF injection d) Cross-site scripting
a) Missing patches #Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server's data can become compromised.
Dave's company utilizes Google's G-Suite environment for file sharing and office productivity, Slack for internal messaging, and AWS for hosting their web servers. Which of the following types of cloud deployment models is being used? a) Multi-cloud b) Community c) Private d) Public
a) Multi-cloud #Multi-cloud is a cloud deployment model where the cloud consumer uses multiple public cloud services. In this example, Dave is using the Google Cloud, Amazon's AWS, and Slack's cloud-based SaaS product simultaneously. #A private cloud is a cloud that is deployed for use by a single entity. #A public cloud is a cloud that is deployed for shared use by multiple independent tenants. #A community cloud is a cloud that is deployed for shared use by cooperating tenants.
Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to "click here" to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following best describes this type of attack? a) Phishing b) Spear phishing c) Whaling d) Brute force
a) Phishing #This is an example of a phishing attack. Phishing is the fraudulent practice of sending emails and pretending to be from a reputable company in order to trick users into revealing personal information, such as passwords and credit card numbers. This email appears to be untargeted since it was sent to both customers and non-customers of this particular bank; it is best classified as phishing. Spear phishing requires the attack to be more targeted and less widespread.
In which type of attack does the attacker begin with a normal user account and then seeks to gain additional access rights? a) Privilege escalation b) Cross-site scripting c) Spear phishing d) Remote code execution
a) Privilege escalation #Privilege escalation attacks seek to increase the level of access that an attacker has to a target system. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
You are configuring a RAID drive for a Media Streaming Server. Your primary concern is speed of delivery of the data. This server has two hard disks installed. What type of RAID should you install, and what type of data will be stored on Disk 1 and Disk 2? a) RAID 0 - Disk 1 (Stripe) and Disk 2 (Stripe) b) RAID 0 - Disk 1 (Mirror) and Disk 2 (Mirror) c) RAID 1 - Disk 1 (Stripe) and Disk 2 (Stripe) d) RAID 1 - Disk 1 (Mirror) and Disk 2 (Mirror)
a) RAID 0 - Disk 1 (Stripe) and Disk 2 (Stripe) #Since this is a Media Streaming Server, you should implement RAID 0, which provides disk striping across both drives. This will increase the speed of the data delivery, but provides no redundancy. #If you were concerned with redundancy, then you should choose RAID 1, which keeps a mirror of the data on both hard disks. #You cannot use RAID 5, since this requires a minimum of 3 disk drives and stripes the data across the hard disks. #You also cannot use RAID 6, since this requires at least 4 hard disks with dual parity and disk striping. NOTE: The parity bit used by RAID 5 is used for the reconstruction of the missing data in the event of a complete loss of a drive.
Which of the following categories would contain information about a French citizen's race or ethnic origin? a) SPI b) PII c) PHI d) DLP
a) SPI #According to the GDPR, information about an individual's race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject's opinions, beliefs, and nature afforded specially protected status by privacy legislation.
Which of the following types of attacks are usually used as part of a man-in-the-middle attack? a) Spoofing b) DDoS c) Tailgating d) Brute force
a) Spoofing #A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. One example of a MITM attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between them.
A company has recently experienced a data breach and has lost nearly 1 GB of personally identifiable information about its customers. You have been assigned as part of the incident response team to identify how the data was leaked from the network. Your team has conducted an extensive investigation, and so far, the only evidence of a large amount of data leaving the network is from the email server. There is one user that has sent numerous large attachments out of the network to their personal email address. Upon closer inspection, those emails only contain pictures of that user's recent trip to Australia. What is the most likely explanation for how the data left the network? a) Steganography was used to hide the leaked data inside the user's photos b) The files were downloaded from home while connected to the corporate VPN c) The data was hashed and then emailed to their personal email account d) The data was encrypted and emailed it to their spouse's email account.
a) Steganography was used to hide the leaked data inside the user's photos #The most likely explanation is that the user utilized steganography to hide the leaked data inside the photos from their trip. Steganography is the process of hiding one message inside another. By hiding the customer's information within the digital photos, the incident response team would not be able to see the data being hidden without knowing to look for it inside the seemingly benign pictures from the trip.
You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and causes an impact on the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why? a) Syslog b) Network mapping c) Firewall logs d) NIDS
a) Syslog #The syslog server is a centralized log management solution. By looking through the logs on the syslog server, the technician could determine which service failed on which server, since all the logs are retained on the syslog server from all of the network devices and servers.
Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database? a) Tokenization b) Data masking c) Anonymization d) Data minimization
a) Tokenization #Tokenization means that all or part of the data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique.
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? a) RADIUS b) CHAP c) TACACS+ d) Kerberos
c) TACACS+ #TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but it was not developed by Cisco.
Which of the following programs was designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military? a) Trusted Foundry (TF) b) Supplies Assured (SA) c) Supply Secure (SS) d) Trusted Access Program (TAP)
a) Trusted Foundry (TF) #The Trusted Foundry program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. Trusted Foundry was created to provide a chain of custody for classified/unclassified integrated circuits, ensure there is no reasonable threat related to supply disruption, prevent intentional/unintentional modification of integrated circuits, and protect integrated circuits from reverse engineering and vulnerability testing.
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? a) VM escape b) VM migration c) VM sprawl d) VM data remnant
a) VM escape #Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker has access to a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines.
You are installing a new wireless network in your office building and want to ensure it is secure. Which of the following configurations would create the MOST secure wireless network? a) WPA2 and AES b) WPA and MAC filtering c) WEP and TKIP d) WPA2 and RC4
a) WPA2 and AES
A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output:
$ tcpdump -n -i eth0
15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549
15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113
Which of the following statements is true based on this output? a) 10.0.19.121 is under attack from a host at 11.154.12.121 b) 10.0.19.121 is a client that is accessing an SSH server over port 52497 c) 11.154.12.121 is under attack from a host at 10.0.19.121 d) 11.154.12.121 is a client that is accessing an SSH server over port 52497
b) 10.0.19.121 is a client that is accessing an SSH server over port 52497 #This output from the tcpdump command displays three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) is running an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. #There is no evidence of an attack against either the server or the client based on this output, since we can only see the headers and not the content being sent between the client and server.
Which of the following cryptographic algorithms is classified as symmetric? a) Diffie-Hellman b) AES c) RSA d) ECC
b) AES #AES was established as an electronic data encryption standard by NIST in 2001. AES can use a 128-bit, 192-bit, or 256-bit key, and uses a 128-bit block size.
The digital certificate on the Dion Training web server is about to expire. Which of the following should Jason submit to the CA in order to renew the server's certificate? a) OCSP b) CSR c) Key escrow d) CRL
b) CSR #A CSR (certificate signing request) is what is submitted to the CA (certificate authority) to request a digital certificate. Key escrow stores keys, a CRL (Certificate Revocation List) is a list of revoked certificates, and the OCSP (Online Certificate Status Protocol) provides the status of a certificate, such as good, revoked, or unknown.
A user reports that every time they try to access https://www.diontraining.com, they receive an error stating "Invalid or Expired Security Certificate". The technician attempts to connect to the same site from other computers on the network, and no errors or issues are observed. Which of the following settings needs to be changed on the user's workstation to fix the "Invalid or Expired Security Certificate" error? a) Logon times b) Date and time c) User access control d) UEFI boot mode
b) Date and time #There are two causes of the "Invalid or Expired Security Certificate" error. The first is a problem with your computer, and the second occurs when the certificate itself has an issue. Since the technician can successfully connect to the website from other computers, it shows that the error is on the user's computer. One of the common causes of an Invalid or Expired Security Certificate error is the clock on the user's computer being wrong, since website security certificates are issued to be valid within a given date range.
Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across a large number of devices? a) Patch management b) GPO c) HIPS d) Anti-malware
b) GPO #Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. It allows an administrator to create a policy and deploy it across a large number of devices in the domain or network. Patch management, host intrusion prevention systems (HIPS), and anti-malware software are different types of host security controls, but only GPOs have the ability to configure settings across multiple Windows devices efficiently.
What control provides the best protection against both SQL injection and cross-site scripting attacks? a) Hypervisors b) Input validation c) CSRF d) Network layer firewalls
b) Input validation #Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks.
You work for Dion Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first? a) Install CCTV to monitor the entrance b) Install a mantrap at the entrance c) Require all employees to wear security badges when entering the building d) Install a RFID badge reader at the entrance
b) Install a mantrap at the entrance #A mantrap is a device that only allows a single person to enter per authentication. This authentication can be done by RFID, a PIN, or other methods. Once verified, the mantrap lets a single person enter through a system such as a turnstile or rotating door. #CCTV will not stop piggybacking, but it could be used as a detective control after an occurrence. Wearing security badges is useful, but it won't stop piggybacking by a skilled social engineer. #RFID badges may be used as part of your entry requirements, but they won't stop a determined piggybacker who follows an employee in.
You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first? a) Image of the server's SSD b) L3 cache c) Backup tapes d) ARP cache
b) L3 cache #When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first, and the least volatile (least likely to change) last. #You should always begin the collection with the CPU registers and cache memory (L1/L2/L3/GPU). Next come the contents of system memory (RAM), including the routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Then you would move on to the collection of data storage devices like hard drives, SSDs, and flash memory devices.
Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application? a) File size and file creation date b) MD5 or SHA1 hash digest of the file c) Private key of the file d) Public key of the file
b) MD5 or SHA1 hash digest of the file #Keith should compute a hash of the downloaded file and compare it against the MD5 hash digest listed on the vendor's server for this file. This needs to be a verifiable MD5 hash in order to validate that the file's integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file, since integrity checking relies on the comparison of the two hash digests.
Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic? a) Artificial intelligence b) Machine learning c) Deep learning d) Generative adversarial network
b) Machine learning #A machine learning (ML) system uses a computer to accomplish a task without ever being explicitly programmed to do it. In the context of cybersecurity, ML generally works by analyzing example data sets to create its own ability to classify future items presented. If the system was presented with large datasets of malicious and benign traffic, it will learn which is malicious and use that to categorize future traffic presented to it.
Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them? a) Ping b) Nmap c) Netstat d) Wireshark
b) Nmap #Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. In addition, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems.
Your company is setting up a system to accept credit cards in their retail and online locations. Which of the following compliance types should you be MOST concerned with when dealing with credit cards? a) PHI b) PCI-DSS c) GDPR d) PII
b) PCI-DSS #The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to host your data securely and follow PCI compliance requirements. #PHI : Protected Health Information #GDPR : General Data Protection Regulation #PII : Personally Identifiable Information
Tim, a help desk technician, receives a call from a frantic executive who states that their company-issued smartphone was stolen during their lunch meeting with a rival company's executive. Tim quickly checks the MDM administration tool and identifies that the user's smartphone is still communicating with the MDM and displays the location of the device on a map. What should Tim do next to ensure the data on the stolen device remains confidential and inaccessible to the thief? a) Reset the device's password b) Perform a remote wipe c) Remotely encrypt the device d) Identify the IP address of the device.
b) Perform a remote wipe #To ensure the data remains confidential and is not accessed by the thief, Tim should perform a remote wipe of the device from the MDM. This will ensure any and all corporate data is erased prior to anyone accessing it. Additionally, Tim could reset the device's password, but if the thief is able to guess or crack the password, then they would have access to the data. Identifying the IP address of the smartphone is not a useful step in protecting the data on the device. Additionally, devices should be encrypted BEFORE they are lost or stolen, not after.
Which of the following access control methods utilizes a set of organizational roles in which users are assigned to gain permissions and access rights? a) MAC b) RBAC c) DAC d) ABAC
b) RBAC #Role-based access control (RBAC) is a modification of DAC that provides a set of organizational roles that users may be assigned in order to gain access rights. The system is non-discretionary since the individual users cannot modify the ACL of a resource. Users gain their access rights implicitly based on the groups to which they are assigned as members.
David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal? a) MySQL b) RDP c) LDAP d) IMAP
b) RDP #Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn't supposed to be opened, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.
Which type of method is used to collect information during passive reconnaissance? a) Network traffic sniffing b) Reviewing public repositories c) API requests and responses d) Social engineering
b) Reviewing public repositories #Passive reconnaissance focuses on collecting information that is widely and openly available from publicly available sources. #Of the choices provided, publicly accessible sources are the best answer to choose.
Which of the following hashing algorithms results in a 160-bit fixed output? a) MD5 b) SHA-1 c) NTLM d) SHA-2
b) SHA-1 #SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD5 creates a 128-bit fixed output.
Which security tool is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment? a) SIEM b) SOAR c) MDM d) DLP
b) SOAR #A security orchestration, automation, and response (SOAR) platform is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment. A SOAR may be implemented as a standalone technology or integrated within a SIEM as a next-gen SIEM. A SOAR can scan the organization's store of security and threat intelligence, analyze it using machine/deep learning techniques, and then use that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting.
You are reviewing the IDS logs and notice the following log entry:
(where [email protected] and password=' or 7==7')
What type of attack is being performed? a) XML injection b) SQL injection c) Header manipulation d) Cross-site scripting
b) SQL injection #SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common technique in SQL injection is to insert a statement that is always true, such as 1 == 1, or in this example, 7 == 7.
Your organization has been receiving many phishing emails recently, and you are trying to determine why they are effective in getting your users to click on their links. The latest email consists of what looks like an advertisement that is offering an exclusive early access opportunity to buy a new iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social engineering principle is being exploited here? a) Familiarity b) Scarcity c) Trust d) Intimidation
b) Scarcity
Which attack method is MOST likely to be used by a malicious employee or insider who is trying to obtain another user's passwords? a) Man-in-the-middle b) Shoulder surfing c) Tailgating d) Phishing
b) Shoulder surfing #While all of the methods listed could be used by a malicious employee or insider to obtain another user's passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder.
The Pass Certs Fast corporation has recently been embarrassed by a number of high profile data breaches. The CIO proposes improving the cybersecurity posture of the company by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach? a) This approach assumes that the cloud will provide better security than is currently done on-site b) This approach only changes the location of the network and not the attack surface of it c) The company has already paid for the physical servers and will not fully realize their ROI on them due to the migration d) This is a reasonable approach that will increase the security of the servers and infrastructure.
b) This approach only changes the location of the network and not the attack surface of it #A poorly implemented security model at a physical location will still be a poorly implemented security model in a virtual location. Unless the fundamental causes of the security issues that caused the previous data breaches have been understood, mitigated, and remediated, then migrating the current images into the cloud will simply change the location of where the processing occurs without improving the security of the network. While the statement concerning unrealized ROI may be accurate, it simply demonstrates the fallacy of the sunk cost argument.
Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company in the event of an incident. Which of the following best describes the company's risk response? a) Avoidance b) Transference c) Acceptance d) Mitigation
b) Transference #Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). #Avoidance means that the company stops doing the activity that is risk-bearing. Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as by patching a vulnerable system. #Acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.
A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have? a) Rootkit b) Trojan c) Keylogger d) Ransomware
b) Trojan #A trojan is a type of malware that looks legitimate but can take control of your computer. A trojan is designed to damage, disrupt, steal, or in general inflict some other harmful action on your data or network. The most common form of trojan is a Remote Access Trojan (RAT), which allows an attacker to remotely control a workstation or steal information from it. Because a trojan arrives disguised as a program the user chose to install, the recently downloaded application is the likely carrier here, and the unknown background processes are the trojan's own components running alongside it.
You need to determine the best way to test operating system patches in a lab environment prior to deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches prior to deployment? a) Sandboxing b) Virtualization c) Purchase additional workstations d) Bypass testing and deploy patches directly into the production environment
b) Virtualization #When you have a limited amount of hardware resources to utilize but have a requirement to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system prior to deployment. You should never deploy patches directly into production without testing them first in the lab.
Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company's computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement? a) Application whitelist b) Disable removable media c) Application blacklist d) Application hardening
c) Application blacklist #You should create and implement an application blacklist that includes the Solitaire game on it. This will prevent the application from being able to be run on any corporate workstation. Application whitelists will allow only authorized applications to be run, while application blacklists will prevent any application listed from being run.
Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on? a) Red team b) White team c) Blue team d) Yellow team
c) Blue team #Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play "war game" exercises in which the security personnel split into teams: red, blue, and white. #The red team acts as the adversary. The blue team acts as the defenders. #The white team acts as the referees and sets the parameters for the exercise. #The yellow team is responsible for building tools and architectures in which the exercise will be performed.
Your smartphone begins to receive unsolicited messages while you are eating lunch at the restaurant across the street from your office. What might cause this to occur? a) Packet sniffing b) Bluesnarfing c) Bluejacking d) Geotagging
c) Bluejacking #Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. Bluesnarfing, on the other hand, involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a very limited range, so the attacker is likely within 10 meters of the victimized device. Geotagging involves embedding geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.
Which of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization's headquarters? a) Mantraps b) Security guards c) Bollards d) Intrusion alarm
c) Bollards #Bollards are a physical security control designed to prevent a vehicle-ramming attack. #Bollards are typically designed as a sturdy, short, vertical post. Some organizations install more decorative bollards made of concrete that are large enough to plant flowers or trees inside. #Mantraps are designed to prevent individuals from tailgating into the building. Security guards and intrusion alarms could detect a ramming attack as it occurs, but they cannot physically stop the vehicle.
The public library has had a recent issue with their laptops being stolen from their computer lab. Since this is a public library, it is not a high security area and is fully accessible by patrons during the day. What is the best way to prevent the theft of the laptops? a) Motion Sensors b) MDM (Mobile Device Management) c) Cable Locks d) CCTV
c) Cable Locks #Cable locks are the best solution, as they physically tether the laptops to the desks in the computer lab and prevent theft. #CCTV is a deterrent or detective control, but it requires someone monitoring it to detect the theft. Mobile device management is focused on tablets or phones, not laptops. #Motion sensors are not useful during the library's open hours, since authorized patrons are allowed into the lab during the day. Therefore, if a laptop is being stolen during the day, motion sensors will do nothing to stop it.
Which of the following is required for evidence to be admissible in a court of law? a) Order of volatility b) Legal hold c) Chain of custody d) Right to audit
c) Chain of custody #The chain of custody documents the collection and preservation of evidence from its initial acquisition, throughout the handling leading up to a trial, and during its preservation in case of an appeal or retrial. If the chain is broken or undocumented, the opposing party can argue the evidence was tampered with, and the court may rule it inadmissible.
Following a root cause analysis of the unexpected failure of an edge router, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue? a) Increase network vulnerability scan frequency b) Ensure all anti-virus signatures are up to date c) Conduct secure supply chain management training d) Verify that all routers are patched to the latest release
c) Conduct secure supply chain management training #Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network, but they are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization's supply chain. Training on detection methodologies (e.g., simple visual inspections) and training for acquisition personnel will better prevent recurrences.
During which incident response phase is the preservation of evidence performed? a) Preparation b) Detection and analysis c) Containment, eradication and recovery d) Post-incident activity
c) Containment, eradication and recovery #A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. Forensic and incident information is preserved for future needs, to prevent future attacks, or to support criminal charges against an attacker. Restoration and recovery are often prioritized over analysis by business operations personnel, but taking time to create a forensic image before systems are rebuilt is crucial to preserve the evidence for further analysis and investigation.
Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly? a) Continuous delivery b) Continuous integration c) Continuous deployment d) Continuous monitoring
c) Continuous deployment #Continuous deployment is a software development method in which app and platform updates are committed to production rapidly. #Continuous delivery is a software development method in which app and platform requirements are frequently tested and validated for immediate availability. #Continuous integration is a software development method in which code updates are tested and committed to a development or build server/code repository rapidly. #Continuous monitoring is the technique of constantly evaluating an environment for changes so that new risks may be more quickly detected.
Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica that is sold in the general marketplace? a) Recycling b) Capitalism c) Counterfeiting d) Entrepreneurship
c) Counterfeiting #While the unauthorized third-party may assemble a component that was legitimately made from OEM parts, the fact remains that those parts were never intended for distribution under the manufacturer's legitimate label. Therefore, this is considered counterfeiting. As a cybersecurity analyst, you need to be concerned with your organization's supply chain management. There have been documented cases of counterfeit hardware (like switches and routers) being sold with malware or lower mean time between failures, both of which affect the security of your network.
During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team? a) SSL b) UTM c) DLP d) MDM
c) DLP #DLP software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in-use, in-motion, and at-rest. This can be configured to detect and alert on future occurrences of this issue.
Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred? a) DNS brute forcing b) ARP spoofing c) DNS poisoning d) MAC spoofing
c) DNS poisoning #DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites.
Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system? a) Data custodian b) Data Steward c) Data owner d) Privacy officer
c) Data owner #A data owner is a person responsible for the confidentiality, integrity, availability, and privacy of information assets. They are usually senior executives and somebody with authority and responsibility. A data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls. The data owner typically selects the data steward and data custodian and has the authority to direct their actions, budgets, and resource allocations.
Dion Training is currently undergoing an audit of its information systems. The auditor wants to understand better how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview? a) Data controller b) Data steward c) Data protection officer d) Data owner
c) Data protection officer #The primary role of the data protection officer (DPO) is to ensure that her organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. They must understand how any privacy information is used within business operations. Therefore, they are the best person for the auditor to interview to get a complete picture of the data usage.
Your organization has recently suffered a data breach due to a server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement? a) Revoke the digital certificate b) Create a new security group c) Deploy a new group policy d) Utilize the key escrow process
c) Deploy a new group policy #A group policy is used to manage Windows systems in a Windows network domain environment utilizing a Group Policy Object (GPO). GPOs can include many settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings. You can force a reset of the default administrator account password by using a group policy update.
A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? a) Document matching b) Statistical matching c) Exact data match d) Classification
c) Exact data match #An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of the actual social security numbers of its customers. Since it is not appropriate to load those numbers into a DLP filter in cleartext, EDM loads one-way fingerprints of the values instead; strings in the outbound content that fit the SSN format are then fingerprinted and compared against that index, so only genuine customer records raise an alert rather than every string that merely looks like an SSN.
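The difference between a plain format match and an exact data match, as an added example that is not part of the original question bank. The regular expression, the salted SHA-256 fingerprint and the sample e-mail body are assumptions for this demo; commercial DLP products use their own fingerprinting scheme, but the principle is the same: the real values never sit in the filter in cleartext.

```python
import hashlib
import re

# Format check: anything shaped like an SSN (xxx-xx-xxxx), real or not.
SSN_SHAPE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Demo salt; a real DLP product manages this secret itself (assumption).
SALT = b"dlp-edm-demo"


def fingerprint(value):
    """One-way fingerprint so the protected values are never stored in cleartext."""
    return hashlib.sha256(SALT + value.encode("utf-8")).hexdigest()


def build_edm_index(customer_ssns):
    """Index of fingerprints built from the protected record set."""
    return {fingerprint(s) for s in customer_ssns}


def pattern_matches(text):
    """Everything that merely looks like an SSN."""
    return SSN_SHAPE.findall(text)


def edm_matches(text, index):
    """Only candidates whose fingerprint is in the index, i.e. actual protected values."""
    return [c for c in SSN_SHAPE.findall(text) if fingerprint(c) in index]


# Constructed test data: one value is in the protected set, one only looks like an SSN.
CUSTOMER_SSNS = ["078-05-1120"]
OUTBOUND_EMAIL = ("Hi, the account for 078-05-1120 is ready. "
                  "Use ticket 123-45-6789 for the follow-up, or call 555-1234.")


if __name__ == "__main__":
    index = build_edm_index(CUSTOMER_SSNS)
    print("format matches:", pattern_matches(OUTBOUND_EMAIL))
    print("EDM matches:   ", edm_matches(OUTBOUND_EMAIL, index))
```

The format check flags both nine-digit strings; the EDM check flags only the one that is actually a customer record, which is why EDM produces far fewer false positives on content such as ticket numbers that happen to share the SSN shape.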
Your company is expanding its operations in the European Union and is concerned about additional governmental regulations that may apply. Which of the following regulations applies when processing personal data within the European Union? a) PHI b) PCI-DSS c) GDPR d) PII
c) GDPR #The General Data Protection Regulation (GDPR) applies to any organization that processes the personal data of individuals in the European Union, regardless of where the organization itself is located. The four forms of regulated data covered by the CompTIA A+ (220-1002) exam are PII (Personally Identifiable Information), PCI (Payment Card Industry), GDPR (General Data Protection Regulation), and PHI (Protected Health Information).
What should administrators perform to reduce the attack surface of a system and to remove unnecessary software, services, and insecure configuration settings? a) Harvesting b) Windowing c) Hardening d) Stealthing
c) Hardening #Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems? a) Automated patch deployment b) Log consolidation c) IPS d) Anti-virus software
c) IPS #ICS/SCADA devices exchange a narrow and predictable set of commands to control the equipment, so an IPS can be configured with strict rules that block any traffic outside that expected set. NOTE: Log consolidation won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch deployment should not be used, as patches for ICS/SCADA systems must be tested before installation because they could break the functionality of the control system. (ICS/SCADA components often don't run a standard OS like Windows, so anti-virus software may not be available for them.)
Which of the following utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise? a) SaaS b) IaaS c) IaC d) SDN
c) IaC #Infrastructure as Code (IaC) is designed around the idea that a well-coded description of the server/network operating environment will produce consistent results across an enterprise, significantly reducing IT overhead through automation and eliminating the configuration drift that often introduces security vulnerabilities. #SDN uses software to define networking boundaries, but does not necessarily handle server architecture in the same way that IaC can. Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs.
A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could potentially contain some vulnerabilities that could weaken the security posture of the network. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? a) Scan the laptops for vulnerabilities and patch them b) Increase the encryption level of VPN used by the laptops c) Implement a jumpbox system d) Require 2FA (two-factor authentication) on the laptops
c) Implement a jumpbox system #A jumpbox is a system on a network used to access and manage devices in a separate security zone. This creates network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jumpbox is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose, since Victor cannot enforce those configurations on a supplier-provided laptop.
Julie was just hired to conduct a security assessment of Dion Training's security policies. During her assessment, she noticed that there were many group accounts being shared by users to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company? a) More routine auditing b) Increase password security c) Increase individual accountability d) More efficient baseline management
c) Increase individual accountability #To adequately provide accountability, the use of shared or group accounts should be disabled. This allows you to log and track individual user actions based on their individual user accounts. This enables the organization to hold users accountable for their actions, too.
Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application? a) File size and file creation date b) Private key of the file c) MD5 or SHA1 hash digest of the file d) Public key of the file.
c) MD5 or SHA1 hash digest of the file #Keith should compute the hash digest of the downloaded file and compare it with the digest the vendor publishes; a mismatch means the file was corrupted or tampered with in transit. MD5 and SHA1 are the options given here, but both are broken for collision resistance, so in practice a vendor should publish SHA-256 digests and serve them over HTTPS or sign them. NOTE: The other options are insufficient to guarantee the integrity of the downloaded file. File size and creation date can be matched by a tampered file, and keys are not something you compare against a file: a vendor signature made with the vendor's private key would be checked with the vendor's public key, but that is not what the options describe.
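The integrity check described above, as an added example that is not part of the original question bank. It hashes a file in chunks, normalizes the vendor's published hex digest, and compares using a constant-time comparison. The file contents in demo() are constructed for the demo; the digest algorithm defaults to SHA-256 on the assumption that the vendor publishes one.

```python
import hashlib
import hmac
import os
import tempfile


def digest_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a large installer never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_bytes(data, algorithm="sha256"):
    """Hash an in-memory byte string (used to build the reference values below)."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_download(path, published_digest, algorithm="sha256"):
    """Compare the computed digest with the vendor's published one.

    The published value is normalized because vendors publish upper- or
    lower-case hex; compare_digest avoids leaking how many leading characters
    matched through timing.
    """
    actual = digest_file(path, algorithm)
    expected = published_digest.strip().lower()
    return hmac.compare_digest(actual, expected)


def demo():
    """Write a constructed 'installer' to a temp file and verify it twice:
    once against the correct digest, once against the digest of a tampered copy."""
    data = b"constructed installer bytes\n"
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(data)
        path = fh.name
    try:
        good = digest_bytes(data)
        tampered = digest_bytes(data + b"\x00")
        return verify_download(path, good), verify_download(path, tampered)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("matches published digest, matches tampered digest:", demo())
```

The same functions accept "md5" or "sha1" as the algorithm when that is all the vendor publishes, but a digest downloaded from the same unauthenticated page as the file only detects accidental corruption; it does not protect against an attacker who replaced both.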
Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization's RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period? a) RTO b) RPO c) MTTR d) MTBF
c) MTTR #Mean time to repair (MTTR) is a basic measure of the maintainability of repairable items. It represents the average time required to repair a failed component or device.
Marta's organization is concerned with the vulnerability of a user's account being vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability? a) Minimum password length b) Password history c) Password expiration d) Password complexity
c) Password expiration #A password expiration control forces users to change their password at a set interval. If a password is compromised without anyone noticing, it stops working at the next rotation, which bounds how long an attacker can keep using the account. The other options make passwords harder to guess or reuse, but they do not address the time-based exposure described in this scenario.
Syed is developing a vulnerability scanner program for a large network of sensors that are used to monitor his company's transcontinental oil pipeline. What type of network is this? a) SoC b) CAN c) SCADA d) BAS
c) SCADA #A SCADA (supervisory control and data acquisition) network is a type of industrial control system (ICS) network used to monitor sensors and operate control systems spread over large geographic areas, such as a pipeline. A building automation system (BAS) for offices and data centers ("smart buildings") can include physical access control systems, but also heating, ventilation, and air conditioning (HVAC), fire control, power and lighting, and elevators and escalators.
An analyst just completed a port scan and received the following results of open ports: TCP: 80, TCP: 110, TCP: 443, TCP: 1433, TCP: 3306, TCP: 3389. Based on these scan results, which of the following services are NOT currently operating? a) Web b) Database c) SSH d) RDP
c) SSH #SSH listens on TCP port 22, which does not appear in the results. Web services are present (80 for HTTP, 443 for HTTPS), database services are present (1433 for Microsoft SQL Server, 3306 for MySQL), and Remote Desktop Protocol is present on 3389. Port 110 is POP3. NOTE: A port scan only shows which ports are listening; the service actually behind a port should be confirmed with banner grabbing or version detection rather than assumed from the port number.
A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies? a) Forcing the use of TLS on the application b) Forcing the use of SSL on the application c) Setting the secure attribute on the cookie d) Hashing the cookie value
c) Setting the secure attribute on the cookie #When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still would need to set the Secure attribute on the cookie. Hashing the cookie provides integrity of the cookie, not confidentiality.
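The cookie attributes described above, as an added example that is not part of the original question bank: one function emits a Set-Cookie header value with the Secure attribute (plus HttpOnly and SameSite, which protect against different attacks), and a second audits any Set-Cookie value and reports which of those protections are missing. The cookie name "session" and the sample header values are assumptions for the demo.

```python
from http.cookies import SimpleCookie


def build_session_cookie(token, max_age=3600):
    """Return a Set-Cookie header value with the protective attributes set."""
    jar = SimpleCookie()
    jar["session"] = token
    morsel = jar["session"]
    morsel["secure"] = True        # only sent over HTTPS
    morsel["httponly"] = True      # not readable by page scripts
    morsel["samesite"] = "Strict"  # not attached to cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """List the protective attributes missing from a Set-Cookie header value.

    Attribute names are case-insensitive per RFC 6265, so they are lower-cased
    before comparison. The first segment is the name=value pair and is skipped.
    """
    parts = [p.strip() for p in header_value.split(";")]
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    wanted = [("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite")]
    return [label for key, label in wanted if key not in present]


if __name__ == "__main__":
    hardened = build_session_cookie("abc123")
    print("Set-Cookie:", hardened)
    print("missing on hardened cookie:", audit_set_cookie(hardened))
    print("missing on weak cookie:    ", audit_set_cookie("session=abc123; Path=/"))
```

Running the audit over the Set-Cookie headers captured from a proxy is a quick way to find tokens that would be sent in the clear if a user ever hits the site over plain HTTP.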
Karen lives in an area that is prone to hurricanes and other extreme weather conditions. She asks you to recommend an electrical conditioning device that will prevent her files from being corrupted if the power to the building is unstable or lost. Additionally, she would like the computer to maintain power for up to an hour of uptime to allow for a graceful shutdown of her programs and computer. Which of the following should you recommend? a) Surge protector b) PDU c) UPS d) LC (Line conditioner)
c) UPS #An uninterruptible power supply or uninterruptible power source (UPS) is an electrical apparatus that provides emergency power to a load when the input power source becomes too low, or the main power fails. A UPS provides near-instantaneous protection from input power interruptions by using a battery backup. The on-battery run-time of most uninterruptible power sources is usually short (less than 60 minutes) but sufficient to properly shut down a computer system.
You have been investigating how a malicious actor was able to exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that the web server's BIOS had been modified by the installation of a rootkit. After you remove the rootkit and reflash the BIOS to a known good image, what should you do in order to prevent the malicious actor from affecting the BIOS again? a) Install an anti-malware application b) Install a host-based IDS c) Utilize secure boot d) Utilize file integrity monitoring
c) Utilize secure boot #Since you are trying to protect the boot process, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. NOTE: Secure boot validates the boot loader and OS components, not the firmware image itself, so it should be paired with firmware write protection and signed firmware updates to close the gap that allowed the BIOS to be modified in the first place.
You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend? a) Purging b) Shredding c) Wiping d) Degaussing
c) Wiping #Data wiping or clearing uses a software tool to overwrite the data on a hard drive, destroying all electronic data on the hard disk or other media while leaving the drive functional for hardware reuse. Tools commonly offer 1x, 7x, or 35x overwriting schemes; the multi-pass schemes date from older magnetic media, and NIST SP 800-88 treats a single full overwrite as sufficient for modern drives. Overwriting is unreliable on SSDs because wear levelling may leave copies of the data in blocks the tool cannot address, so the drive's built-in secure-erase command should be used there instead. Purging, shredding, and degaussing either destroy the media or render it unusable, which is not acceptable when the computers are to be reused.
You are analyzing the SIEM for your company's ecommerce server when you notice the following URL in the logs of your SIEM: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/><item+id="5&quantity=0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on this line, what type of attack do you expect has been attempted? a) SQL injection b) Buffer overflow c) XML injection d) Session hijacking
c) XML injection #This is an example of XML injection. XML injection manipulates or compromises the logic of an XML application or service. Injecting unintended XML content and/or structure into an XML message can alter the intended logic of an application and cause malicious content to be inserted into the resulting messages or documents. In this case, the URL is attempting to modify the server's XML structure: the itemId value closes the id attribute early, adds its own perItemPrice="0.00" and quantity="100" attributes, and the /><item fragment closes the element and opens a second one that absorbs the rest of the server's template. The real key to answering this question is recognizing the XML syntax embedded in the URL, shown by the quoted attribute="value" pairs and the angle-bracketed tag fragment.
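What the logged URL does to a cart document, as an added example that is not part of the original question bank. The back end is assumed to paste request parameters into an XML template and to honour a perItemPrice attribute if one is present (that assumed behaviour is what the injection exploits); the catalogue price of 999.00 is constructed for the demo. The safe builder produces the same document through the XML library, which escapes the quote and angle-bracket characters.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# The URL from the SIEM entry above.
LOGGED_URL = ('https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"'
              '+quantity="100"+/><item+id="5&quantity=0')

# Constructed catalogue: item 5 normally costs 999.00.
CATALOG = {"5": 999.00}


def parse_request(url):
    """Decode the query string the way the web server would (+ becomes a space)."""
    qs = parse_qs(urlsplit(url).query)
    return qs["itemId"][0], qs["quantity"][0]


def build_cart_vulnerable(item_id, quantity):
    """Assumed back-end behaviour: parameters pasted straight into an XML template."""
    return '<cart><item id="%s" quantity="%s"/></cart>' % (item_id, quantity)


def build_cart_safe(item_id, quantity):
    """Same document built through the XML library, which escapes ", < and >."""
    cart = ET.Element("cart")
    ET.SubElement(cart, "item", id=item_id, quantity=quantity)
    return ET.tostring(cart, encoding="unicode")


def cart_items(xml_text):
    """Parse the cart back the way the order processor would."""
    return [dict(item.attrib) for item in ET.fromstring(xml_text).findall("item")]


def cart_total(items):
    """Price each line; None if an item id is not in the catalogue.

    Trusting a perItemPrice attribute from the message is the weakness the
    injected attribute exploits (assumed behaviour of the vulnerable back end).
    """
    total = 0.0
    for item in items:
        if item["id"] not in CATALOG:
            return None
        price = float(item.get("perItemPrice", CATALOG[item["id"]]))
        total += price * int(item["quantity"])
    return total


if __name__ == "__main__":
    item_id, qty = parse_request(LOGGED_URL)
    vulnerable = build_cart_vulnerable(item_id, qty)
    safe = build_cart_safe(item_id, qty)
    print("vulnerable XML:", vulnerable)
    print("vulnerable total:", cart_total(cart_items(vulnerable)))
    print("safe XML:", safe)
    print("safe total:", cart_total(cart_items(safe)))
```

In the vulnerable document the parser sees two item elements: the injected one with 100 units at 0.00, and a second absorbing the template's quantity="0". The escaped document contains a single item whose id is the whole attacker string, which the order processor rejects as an unknown catalogue entry.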
What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system? a) You should continue to apply additional controls until there is zero risk b) You should remove the current controls since they are not completely effective c) You should accept the risk if the residual risk is low enough d) You should ignore any remaining risk
c) You should accept the risk if the residual risk is low enough # In most cases, you will be unable to remove all risks. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.
Your company just installed a new webserver within your DMZ. You have been asked to open up the port for secure web browsing on the firewall. Which port should you set as open to allow users to access this new server? a) 21 b) 80 c) 143 d) 443
d) 443 #Port 443 is used for HTTPS traffic, which is secure web browsing over SSL/TLS, so this port must be opened. Port 21 is used for the File Transfer Protocol (FTP). Port 80 is used for unsecured web browsing (HTTP). Port 143 is used for the Internet Message Access Protocol (IMAP).
What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+? a) 802.1q b) 802.3af c) 802.11ac d) 802.1x
d) 802.1X #IEEE 802.1X is the port-based network access control standard: the switch acts as the authenticator and relays the connecting client's credentials to an authentication server such as RADIUS or TACACS+ before the port is opened for normal traffic. 802.1Q is VLAN tagging, 802.3af is Power over Ethernet, and 802.11ac is a Wi-Fi standard; none of those provides authentication.
A cybersecurity analyst in your company notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002, and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker? a) Rainbow table b) Dictionary c) Hybrid d) Brute-force
d) Brute-force #A brute-force attack is one in which the attacker systematically tries every candidate value until one succeeds. Given enough time it is guaranteed to work; the larger the keyspace, the longer it takes. In the classic form seen here, the candidate is incremented by one each time (00000000, 00000001, 00000002, ...) until the correct PIN is found. A dictionary attack draws candidates from a wordlist, a hybrid attack mutates wordlist entries, and a rainbow table uses precomputed hash chains; none of those matches the sequential counting recorded in the device logs.
Following a root cause analysis of an edge router's unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue? a) Increase network vulnerability scan frequency b) Verify that all routers are patched to the latest release c) Ensure all anti-virus signatures are up to date d) Conduct secure supply chain management training
d) Conduct secure supply chain management training #Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization's supply chain.
Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should be able to obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should be able to access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements? a) Create an ACL to allow access b) Configure a SIEM c) MAC filtering d) Implement NAC
d) Implement NAC #NAC uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.
A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? a) Require 2FA (two-factor authentication) on the laptops b) Increase the encryption level of VPN used by the laptops c) Scan the laptops for vulnerabilities and patch them d) Implement a jumpbox system
d) Implement a jumpbox system #A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them.
Julie was just hired to conduct a security assessment of Dion Training's security policies. During her assessment, she noticed that many users were sharing group accounts to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company? a) Increase password security b) More efficient baseline management c) More routing auditing d) Increase individual accountability
d) Increase individual accountability #To adequately provide accountability, the use of shared or group accounts should be disabled. This allows you to log and track individual user actions based on individual user accounts. This enables the organization to hold users accountable for their actions, too.
During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found? a) XSRF b) Botnet c) SQL injection d) Indicator of compromise
d) Indicator of compromise #An indicator of compromise is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers' domain names. NOTE: Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands; specially crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge.
Which of the following is NOT considered part of the Internet of Things? a) SCADA b) ICS c) Smart television d) Laptop
d) Laptop #Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other things are examples of devices classified as the Internet of Things (IoT). #A laptop would be better classified as a computer or host than as part of the Internet of Things. The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
You just received an email from Bob, your investment banker, stating that he completed the wire transfer of $10,000 to your bank account in Vietnam. The problem is that you do not have a bank account in Vietnam, so you immediately call Bob to ask what happened. Bob explains that he received an email from you requesting the transfer. You insist you never sent that email to Bob initiating this wire transfer. What aspect of PKI could be used to BEST ensure that a sender actually sent a particular email message and avoid this type of situation? a) CRL b) Trust models c) Recovery agents d) Non-repudiation
d) Non-repudiation #Non-repudiation occurs when a sender cannot claim they didn't send an email when they did. A digital signature should be attached to each email sent to achieve non-repudiation. This digital signature is created by computing a digital hash of the email's contents and then encrypting that hash using the sender's private key. The receiver can then decrypt the digital hash using the sender's public key to verify the integrity of the message. #A CRL is a Certificate Revocation List.
What is the lowest layer (bottom layer) of a bare-metal virtualization environment? a) Hypervisor b) Host operating system c) Guest operating system d) Physical hardware
d) Physical hardware #The bottom layer is physical hardware in this environment. It is what sits beneath the hypervisor and controls access to guest operating systems. The bare-metal approach doesn't have a host operating system.
After completing an assessment, you create a chart listing the associated risks based on the vulnerabilities identified with your organization's privacy policy. The chart contains listings such as high, medium, and low. It also utilizes red, yellow, and green colors based on the likelihood and impact of a given incident. Which of the following types of assessments did you just complete? a) Quantitative risk assessment b) Privacy assessment c) Supply chain assessment d) Qualitative risk assessment
d) Qualitative risk assessment #This describes a qualitative risk assessment since it categorizes things based on the likelihood and impact of a given incident using non-numerical terms, such as high, medium, and low. #If the risk assessment provided exact numbers or percentages of risk, then it would be a quantitative risk assessment.
Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption? a) DES with a 56-bit key b) AES with a 256-bit key c) ECC with a 256-bit key d) Randomized one-time use pad
d) Randomized one-time use pad #The only truly unbreakable encryption is one that uses a one-time use pad. This ensures that every message is encrypted with a different shared key that only the two owners of the one-time use pad would know. This technique ensures that there is no pattern in the key for an attacker to guess or find. Even if one of the messages could be broken, all of the other messages would remain secure since they use different keys to encrypt them. Unfortunately, one-time use pads require that two identical copies of the pad are produced and distributed securely before they can be used.
Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? a) NetFlow b) SMTP c) MIB d) SNMP
d) SNMP #Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, as well as many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.
You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization? a) The cost of hardware replacement of the system b) The cost of acquisition of the system c) The depreciated hardware cost of the system d) The type of data processed by the system
d) The type of data processed by the system #The data's asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value. NOTE: The cost of acquisition, cost of hardware replacement, and depreciated costs refer to the financial value of the hardware or system itself. This can be significantly different from the value of the information and data that the system stores and processes.
Assuming that Dion Training trusts Thor Teaches, and Thor Teaches trusts Udemy, then we can assume Dion Training also trusts Udemy. What concept of PKI does the previous statement represent? a) Domain level trust b) Certificate authority trust c) Public key trust d) Transitive Trust
d) Transitive Trust #Transitive trust occurs when X trusts Y, and Y trusts Z; therefore X trusts Z. This is because the trust flows from the first party (Dion Training) through the second party (Thor Teaches) to the third party (Udemy).
Which of the following is the LEAST secure wireless security and encryption protocol? a) AES b) WPA c) WPA2 d) WEP
d) WEP #WEP is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. It is the oldest form of wireless security and the weakest form. WEP can be cracked with brute force techniques in less than 5 minutes with a normal end-user computer.
