CertMaster Security +

A company has an annual contract with an outside firm to perform a security audit on their network. The purpose of the annual audit is to determine if the company is in compliance with their internal directives and policies for security control. Select the broad class of security control that accurately demonstrates the purpose of the audit. A. Managerial B. Technical C. Physical D. Compensating

A. Managerial Managerial is the control that gives oversight of the information system including selection of other security controls. An example of this type of control is regular scans and audits. Technical control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls. Technical controls may also be described as logical controls. Physical controls deter access to premises and hardware. Examples include alarms, gateways, and locks. A compensating control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

A contractor has been hired to conduct penetration testing on a company's network. They have decided to try to crack the passwords on a percentage of systems within the company. They plan to annotate the type of data that is on the systems that they can successfully crack to prove the ease of access to data. Evaluate the penetration steps and determine which are being utilized for this task. (Select all that apply.) A. Test security controls B. Bypass security controls C. Verify a threat exists D. Exploit vulnerabilities

A. Test security controls D. Exploit vulnerabilities Two penetration test steps are being utilized by actively testing security controls and exploiting the vulnerabilities. Identifying weak passwords is actively testing security controls. In addition, exploiting vulnerabilities is being used by proving that a vulnerability is high risk. The list of critical data obtained will prove that the weak passwords can allow access to critical information. Bypassing security controls can be accomplished by going around controls that are already in place to gain access. Verifying that a threat exists would have consisted of using surveillance, social engineering, network scanners, and/or vulnerability assessment tools to identify vulnerabilities.

A contractor has been hired to conduct security reconnaissance on a company. The contractor browses the company's website to identify employees and then finds their Facebook pages. Posts found on Facebook indicate a favorite bar that employees frequently visit. The contractor visits the bar and learns details of the company's security infrastructure through small talk. What reconnaissance phase techniques does the contractor practice? (Select all that apply.) A.Open Source Intelligence (OSINT) B.Scanning C.Social engineering D.Persistence

A.Open Source Intelligence (OSINT) C.Social engineering OSINT refers to using web search tools and social media to obtain information about the target. The contractor used this technique by identifying employees and the local restaurant they go to after work. Social engineering was used at the restaurant by learning about the vacant positions and the shortfall in information security. This could be successful due to the attacker being charismatic and also social norms of people wanting to be friendly. The scenario also mentioned it was the popular location for after work drinks, meaning that alcohol was also likely involved. Scanning would be conducted if the contractor used software tools to obtain the information. Persistence refers to the tester's ability to reconnect to a compromised host.

Select the statement which best describes the difference between a zero-day vulnerability and a legacy platform vulnerability. A. A legacy platform vulnerability is typically unpatchable, while a zero-day vulnerability may be exploited before a developer can create a patch for it. B. A zero-day vulnerability is unpatchable, while a legacy platform vulnerability can always be patched, once detected. C. A zero-day vulnerability can be mitigated by responsible patch management, while a legacy platform vulnerability cannot likely be patched. D. A legacy platform vulnerability can always be mitigated by responsible patch management, while a zero-day vulnerability does not yet have a patch solution.

A. A legacy platform vulnerability is typically unpatchable, while a zero-day vulnerability may be exploited before a developer can create a patch for it. A zero-day vulnerability is exploited before the developer knows about it or can release a patch. These can be extremely destructive, as it can take the vendor some time to develop a patch, leaving systems vulnerable in the interim. A legacy platform is no longer supported with security patches by its developer or vendor. By definition, legacy platforms are not patchable. Legacy systems are highly likely to be vulnerable to exploits and must be protected by security controls other than patching, such as isolating them to networks that an attacker cannot physically connect to. Even if effective patch management procedures are in place, attackers may still be able to use zero-day software vulnerabilities, before a vendor develops a patch.

Which of the following statements summarizes a disadvantage to performing an active vulnerability scan? (Select all that apply.) A. Active scanning consumes more network bandwidth. B. Active scanning runs the risk of causing an outage. C. Active scanning will identify all of a system's known vulnerabilities. D. Active scanning techniques do not use system login

A. Active scanning consumes more network bandwidth. B. Active scanning runs the risk of causing an outage. Scan intrusiveness is a measure of how much the scanner interacts with the target. Active scanning consumes more network bandwidth than passive scanning. Active scanning means probing the device's configuration using some type of network connection with the target. This type of scanning runs the risk of crashing the target of the scan or causing some other sort of outage. Active scanning has the possibility of failing due to any security settings that may prevent certain scans. A non-credentialed scan proceeds by directing test packets at a host without being able to log on to the OS or application. A non-credentialed scan provides a view of what the host exposes to an unprivileged user on the network.

A manufacturing company hires a pentesting firm to uncover any vulnerabilities in their network with the understanding that the pen tester receives no information about the company's system. Which of the following penetration testing strategies is the manufacturing company requesting? A. Black box B. Sandbox C. Gray box D. White bo

A. Black box Black box (or blind) is when the pen tester receives no privileged information about the network and its security systems. Black box tests are useful for simulating the behavior of an external threat. A sandbox is a test environment that accurately simulates a production environment. It is not a penetration testing strategy. Gray box describes the penetration strategy where the pen tester receives some information. Typically, this would resemble the knowledge of junior or non-IT staff to model particular types of insider threats. White box (or full disclosure) is when the pen tester receives complete access to information about the network. White box tests are useful for simulating the behavior of a privileged insider threat.

The IT department head returns from an industry conference feeling inspired by a presentation on the topic of cybersecurity frameworks. A meeting is scheduled with IT staff to brainstorm ideas for deploying security controls by category and function throughout the organization. Which of the following ideas are consistent with industry definitions? (Select all that apply.) A. Deploy a technical control to enforce network access policies. B. Deploy an operational control to monitor compliance with external regulations. C. Schedule quarterly security awareness workshops as a preventive control to mitigate social engineering attacks. D. Deploy agents to file servers to perform continuous backups to cloud storage as a corrective control to mitigate the impact of malware.

A. Deploy a technical control to enforce network access policies. C. Schedule quarterly security awareness workshops as a preventive control to mitigate social engineering attacks. D. Deploy agents to file servers to perform continuous backups to cloud storage as a corrective control to mitigate the impact of malware. A technical control is enforced by computer hardware and software, such as an access control list (ACL) configured on a network firewall. Monitoring of risk and compliance is a type of managerial control, not an operational control. Operational controls are categorized as those performed by people, such as security guards. A preventive control such as user education and training is one that eliminates or reduces the likelihood of an attack before it can take place. A corrective control such as backup is used following an attack to eliminate or mitigate its impact.

A network administrator uses an automated vulnerability scanner. It regularly updates with the latest vulnerability feeds. If the system regularly performs active scans and returns the presence of vulnerabilities when they do not exist, what type of error is the system most likely making? A. False positive B. False negative C. Validation error D. Configuration error

A. False positive A false positive is something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not. False negatives are potential vulnerabilities that are not identified in a scan. This risk can be mitigated somewhat by running repeat scans periodically and by using scanners from more than one vendor. Reviewing related system and network logs can enhance the vulnerability report validation process. Using relevant data, such as event logs, can help confirm the validity of vulnerabilities identified in a scan. Some scanners measure systems and configuration settings against best practice frameworks. This is called a compliance scan, which might be necessary for regulatory compliance or voluntary conformance.

Analyze and eliminate the item that is NOT an example of a reconnaissance technique. A. Initial exploitation B. Open Source Intelligence (OSINT) C. Social engineering D. Scanning

A. Initial exploitation The initial exploitation phase (also referred to as weaponization) is not a reconnaissance technique. It is an exploit that is used to gain some sort of access to the target's network. Open Source Intelligence (OSINT) refers to using web search tools and social media to obtain information about the target. Social engineering refers to obtaining information, physical access to premises, or even access to a user account through the art of persuasion. Scanning refers to using software tools to obtain information about a host or network topology. Scans may be launched against web hosts or against wired or wireless network segments, if the attacker can gain physical access to them.

An outside security consultant updates a company's network, including data cloud storage solutions. The consultant leaves the manufacturer's default settings when installing network switches, assuming the vendor shipped the switches in a default-secure configuration. Examine the company's network security posture and select the statements that describe key vulnerabilities in this network. (Select all that apply.) A. The network is open to third-party risks from using an outside contractor to configure cloud storage settings. B. The default settings in the network switches represent a weak configuration. C. The use of network switches leaves numerous unused ports open. D. The recommended setti

A. The network is open to third-party risks from using an outside contractor to configure cloud storage settings. B. The default settings in the network switches represent a weak configuration. Weaknesses in products or services in a supply chain can impact service availability and performance, or lead to data breaches. Suppliers and vendors in the chain rely on each other to perform due diligence. Relying on the manufacturer default settings when deploying an appliance or software applications is a weak configuration. Although many vendors ship products in secure default configurations, it is insufficient to rely on default settings. Default settings may leave unsecure interfaces enabled that allow an attacker to compromise the device. Weak settings on network appliances can allow attackers to move through the network unhindered and snoop on traffic. An unsecure protocol transfers data across a network as cleartext. Having secure protocols on a managed switch hardens the level of network security.

Any external responsibility for an organization's security lies mainly with which individuals? A. The senior executives B. Tech staff C. Managers D. Public relations

A. The senior executives External responsibility for security (due care or liability) lies mainly with owners or senior executives. It is important to note that all employees share some measure of responsibility. Technical and specialist staff have the direct responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators. Managers at an organization may have responsibility for a specific domain or unit, such as building control, ICT, or accounting. Non-technical staff have the responsibility of complying with policy and with any relevant legislation. Public relations is responsible for media communications.

During a penetration test, systems administrators for a large company are tasked to play on the white team for an affiliated company. Examine each of the following roles and determine which role the systems admins will fill. A. The systems admins will arbitrate the exercise, setting rules of engagement and guidance. B. The systems admins will try to infiltrate the target system. C. The systems admins will operate monitoring and alerting controls to detect and prevent the infiltration. D. The systems admins will collaborate with attackers and defenders to promote constructive developments.

A. The systems admins will arbitrate the exercise, setting rules of engagement and guidance. A white team sets the rules of engagement and monitors the exercise, providing arbitration and guidance, and if necessary, halt the exercise. If the red team is third party, the white team will include a representative of the consultancy company. The red team acts offensively to try to infiltrate the target system. The blue team performs the defensive role by operating monitoring and alerting controls to detect and prevent the infiltration. The confrontational structure in a typical red team/blue team test does not always promote constructive development and improvement. In a purple team exercise, the red and blue teams meet for regular debriefs while the exercise is ongoing.

Select the appropriate methods for packet capture. (Select all that apply.) A. Wireshark B. Packet analyzer C. Packet injection D. tcpdump

A. Wireshark D. tcpdump Wireshark and tcpdump are packet sniffers. A sniffer is a tool that captures packets, or frames, moving over a network. Wireshark is an open source graphical packet capture and analysis utility. Wireshark works with most operating systems, where tcpdump is a command line packet capture utility for Linux. A packet analyzer works in conjunction with a sniffer to perform traffic analysis. Protocol analyzers can decode a captured frame to reveal its contents in a readable format, but they do not capture packets. A packet injection involves sending forged or spoofed network traffic by inserting (or injecting) frames into the network stream. Packets are not captured with packet injection.

A Certificate Revocation List (CRL) has a publish period set to 24 hours. Based on the normal procedures for a CRL, what is the most applicable validity period for this certificate? A.26 hours B.1 hour C.23 hours D.72 hours

A.26 hours One or two hours over the publish period is considered normal thus making 26 hours within the window. The validity period is the period during which the CRL is considered authoritative. This is usually a bit longer than the publish period, giving a short window to update and keep the CRL authoritative. The validity period would not be less than the publish period as it would make the CRL nonauthoritative prior to the next publishing. If the validity period was set to 72 hours this would be much too long after the publish period. The CRL would be published two additional times prior to the validity period ending.

Which statement best illustrates the importance of a strong true random number generator (TRNG) or pseudo-random number generator (PRNG) in a cryptographic implementation? A.A weak number generator leads to many published keys sharing a common factor. B.A weak number generator creates numbers that are never reused. C.A strong number generator creates numbers that are never reused. D.A strong number generator adds salt to encryption values.

A.A weak number generator leads to many published keys sharing a common factor. A cryptanalyst can test for the presence of common factors and derive the whole key much more easily. The TRNG or PRNG module in the cryptographic implementation is critical to its strength. Predictability is a weakness in either the cipher operation or within particular key values that make a ciphertext more vulnerable to cryptanalysis. Reuse of the same key within the same session can cause this weakness. The principal characteristic of a nonce is that it is never reused ("number used once") within the same key value. A nonce can be a random, pseudo-random, or counter value. Salt is a random or pseudo-random number or string. The term salt is used specifically in conjunction with hashing password values.

Analyze the features of behavioral technologies for authentication, and choose the statements that accurately depict this type of biometric authentication. (Select all that apply.) A.Behavioral technologies are cheap to implement, but have a higher error rate than other technologies. B.Signature recognition is popular within this technology because everyone has a unique signature that is difficult to replicate. C.Obtaining a voice recognition template for behavioral technologies is rather easy and can be obtained quickly. D.Behavior technologies may use typing as a template, which matches the speed and pattern of a user's input of a passphrase

A.Behavioral technologies are cheap to implement, but have a higher error rate than other technologies. D.Behavior technologies may use typing as a template, which matches the speed and pattern of a user's input of a passphrase Behavioral technologies are sometimes classified as "something you do." These technologies often have a lower cost to implement than other types of biometric cryptosystems, but they have a higher error rate. Typing is used as a behavioral technology, and the template is based on the speed and pattern of a user's input of a passphrase. Signature recognition is not based on the actual signature due to it being easy to replicate. Instead, it is based on the process of applying a signature such as stroke, speed, and pressure of the stylus. Obtaining a voice recognition template is not a fast process, and can be difficult. Background noise and other environmental factors can also interfere with authentication.

Which of the following password cracker attacks are combined to create a typical hybrid password attack? (Select all that apply.) A.Brute force B.Dictionary C.Salt D.PT

A.Brute force B.Dictionary A typical hybrid password attack uses a combination of dictionary and brute force attacks. A dictionary attack is a type of password attack that compares encrypted passwords against a predetermined list of possible password values. A brute force attack attempts every possible combination in the key space in order to derive a plaintext password from a hash. Salt is a random or pseudo-random number or string. The term salt is used specifically in conjunction with hashing password values. A pass the hash (PTH) attack occurs when an attacker obtains the hash of a user's password and presents the hash (without cracking it) to authenticate to network protocols.

A security team has just added iris scanners to two access control points in a secure facility. They are in the process of making adjustments to ensure authorized users have access, while unauthorized users cannot get through. Analyze the scenario and determine what metric the team is in the process of fine-tuning. A.Crossover error rate (CER) B.False rejection rate (FRR) C.False acceptance rate (FAR) D.Type II error

A.Crossover error rate (CER) The process of fine-tuning a biometric system involves adjusting the crossover error rate, the point at which the false rejection rate and false acceptance rate meet. The false rejection rate (FRR) is also known as a type I error, which rejects authorized templates. The false acceptance rate (FAR) is the rate at which the system lets in unauthorized users, which constitutes a security breach. A type II error is a false positive, measured by the false acceptance rate (FAR). This is the rate at which unauthorized personnel gain access to the secure facility.

Which of the following utilizes both symmetric and asymmetric encryption? A.Digital envelope B.Digital certificate C.Digital evidence D.Digital signature

A.Digital envelope A digital envelope is a type of key exchange system that utilizes symmetric encryption for speed and asymmetric encryption for convenience and security. A digital certificate is an electronic document that associates credentials with a public key. This only involves asymmetric encryption. Digital evidence or Electronically Stored Information (ESI) is evidence that cannot be seen with the naked eye; rather, it must be interpreted using a machine or process. There is no encryption involved. A digital signature is a message digest encrypted with a user's private key. It uses only asymmetric encryption to prove the identity of the sender of a message and to show a message has not been tampered with.

Which of the following can be a true insider threat? (Select all that apply.) A.Former employee B.Contractor C.Customer D.White hat hacker

A.Former employee B.Contractor Anyone who has or had authorized access to an organization's network, system, or data is considered an insider threat. In this example, a former employee and a contractor fit the criteria. Current employees, business partners, and contractors also qualify as insider threats. A customer does not have authorized access and is unlikely to be affiliated with an organization's staff. A white hat hacker is given complete access to information about the network, which is useful for simulating the behavior of a privileged insider threat, but they are not an insider threat.

A user presents a smart card to gain access to a building. Authentication is handled through integration to a Windows server that's acting as a certificate authority on the network. Review the security processes and conclude which are valid when using Kerberos authentication. (Select all that apply.) A.Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request. B.The smart card generates a one-time use Ticket Granting Service (TGS) session key and certificate. C.The Authentication Server (AS) trusts the user's certificate as it was issued by a local certification authority. D.The Authentication Server (AS) is able to decrypt the request because it has a matching certificate

A.Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request. C.The Authentication Server (AS) trusts the user's certificate as it was issued by a local certification authority. Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request to an Authentication Server (AS). The AS can place trust when the user's certificate is issued by a local or third-party root certification authority. An AS responds with a TGT and Ticket Granting Service (TGS) session key, not the smart card. An AS would be able to decrypt the request because it has a matching public key and trusts the user's smart-card certificate.

When using a digital envelope to exchange key information, the use of what key agreement mitigates the risk inherent in the Rivest-Shamir-Adleman (RSA) algorithm, and by what means? A.Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key. B.The Cipher Block Chaining (CBC) key agreement mode uses an initialization vector (IV) to create ephemeral session keys without using the server's private key. C.Counter mode in key agreement makes the advanced encryption standard (AES) algorithm work as a stream cipher, by applying an initialization vector to issue a security certificate. D.A certificate authority (CA) validates the public key's owner and creates an initialization vector to protect the exchange from snooping.

A.Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key. Perfect forward secrecy (PFS) mitigates the risk from RSA key exchange, using Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key. Modes of operation refer to AES use in a cipher suite. Cipher Block Chaining (CBC) mode applies an initialization vector (IV) to a chain of plaintext data and uses padding to fill out blocks of data. Counter mode makes the AES algorithm work as a stream cipher. Each block of data can be processed individually and in parallel, improving performance. A certificate authority (CA), validates the owner of a public key, issuing a signed certificate. The process of issuing and verifying certificates is called public key infrastructure (PKI).

Examine each statement and determine which most accurately describes a major limitation of quantum computing technology. A.Presently, quantum computers do not have the capacity to run useful applications. B.Quantum computing is not yet sufficiently secure to run current cryptographic ciphers. C.Quantum computing is not sufficiently agile to update the range of security products it most frequently uses. D.Attackers may exploit a crucial vulnerability in quantum computing to covertly exfiltrate data.

A.Presently, quantum computers do not have the capacity to run useful applications. Presently, the most powerful quantum computers have about 50 qubits. A quantum computer will need about a million qubits to run useful applications. Quantum computing could put the strength of current cryptographic ciphers at risk, but it also has the promise of underpinning more secure cryptosystems in the future. Cryptographic agility refers to an organization's ability to update the specific algorithms used in security products without affecting the business workflows that those products support. Quantum computing could pose a threat to cryptographic agility. Steganography obscures the presence of a message and can be used for data exfiltration. The quantum computing properties of entanglement, superposition, and collapse suit the design of a tamper-evident communication system that would allow secure key agreement.

An individual receives a text message that appears to be a warning from a well-known order fulfillment company, informing them that the carrier has tried to deliver his package twice, and that if the individual does not contact them to claim it, the package will not be delivered. Analyze the scenario and select the social engineering technique being used. A.SMiShing B.Phishing C.Vishing D.Prepending

A.SMiShing SMiShing attempts use short message service (SMS) text communications as the vector. Phishing is a combination of social engineering and spoofing. It persuades or tricks the target into interacting with a malicious resource disguised as a trusted one, traditionally using email as the vector. Vishing is a phishing attack conducted through a voice channel, such as telephone or VoIP. Vishing attempts may succeed when a target finds it more difficult to refuse a request made in a phone call compared to one made in an email. Prepending can make a phishing or hoax email more convincing. Used offensively, prepending means adding text that appears to have been generated by the mail system.

During a penetration test, an adversary operator sends an encrypted message embedded in an attached image. Analyze the scenario to determine what techniques the operator is relying on to hide the message. (Select all that apply.) A.Security by obscurity B.Integrity C.Prepending D.Confidentiality

A.Security by obscurity D.Confidentiality When used to conceal information, steganography amounts to "security by obscurity," which is usually deprecated. A message can be encrypted by some mechanism before embedding it in a covertext, providing confidentiality. Steganography technology can also provide integrity or non-repudiation; for example, it can show that something was printed on a particular device at a particular time, which could demonstrate that it was genuine or a fake. A phishing or hoax email can be made more convincing by using prepending. In an offensive sense, prepending means adding text that appears legitimate and to have been generated by the mail system such as "MAILSAFE:PASSED."

Which statement best describes key differences between symmetric and asymmetric cryptographic ciphers? A.Symmetric encryption is used for confidentiality, and uses the same key for encryption and decryption. B.Asymmetric encryption is primarily used for confidentiality, and uses different keys for encryption and decryption. C.Symmetric encryption is used for authentication, and is the most efficient method of encryption for large data transfers. D.Asymmetric encryption is used for non-repudiation and is the most efficient method of encryption for large data transfers.

A.Symmetric encryption is used for confidentiality, and uses the same key for encryption and decryption. Symmetric encryption is used for confidentiality. Symmetric encryption is very fast and useful for bulk encryption of large amounts of data. Symmetric encryption cannot be used for authentication or integrity because both parties know the same key. Asymmetric encryption uses two different but related public and private keys to perform operations. Asymmetric encryption can be used to prove identity, authentication, non-repudiation, and key agreement and exchange. Symmetric encryption is very fast and useful for bulk encryption of large amounts of data. Symmetric encryption cannot be used for authentication or integrity, because both parties know the same key. Asymmetric encryption involves substantial computing overhead compared to symmetric encryption. Asymmetric encryption is inefficient for encrypting or transporting large amounts of data.

Select the explanations that accurately describe the Ticket Granting Ticket (TGT) role within the Authentication Service (AS). (Select all that apply.) A.The client sends the AS a request for a TGT that is composed by encrypting the date and time on the local computer with the user's password hash as the key. B.The AS responds with a User Ticket that contains information about the client. This includes the name and IP address of the client, plus a timestamp and validity period. C.The AS responds with a TGT key for use in communications between the client and the Ticket Granting Service (TGS). D.The TGT responds with a service session key for use between the client and the application server.

A.The client sends the AS a request for a TGT that is composed by encrypting the date and time on the local computer with the user's password hash as the key. B.The AS responds with a User Ticket that contains information about the client. This includes the name and IP address of the client, plus a timestamp and validity period. The Authentication Service (AS) is responsible for authenticating user logon requests. The first step within AS is when the client sends the AS a request for a Ticket Granting Ticket (TGT). This is composed by encrypting the date and time on the local computer with the user's password hash as a key. A User Ticket contains information about the client and includes a timestamp and validity period. The information is encrypted using the KDC's secret key. This occurs after the user is found in the database and the request is valid. The AS does not respond back with a TGT key but with a Ticket Granting Service (TGS) key that is used in communications between the client and the TGS. The TGS is the service that responds with a service session key for use between the client and the application server

A security engineer is investigating a potential system breach. When compiling a report of the incident, how does the engineer classify the actor and the vector? A.Threat B.Vulnerability C.Risk D.Exploit

A.Threat A threat is the potential for something to exploit a vulnerability. The thing that poses the threat is called an actor, while the path used can be referred to as the vector. A vulnerability is a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. Risk is the likelihood and impact (or consequence) of a threat actor exploiting a vulnerability. An exploit is a method that is used to expose and compromise a vulnerability.

An unknowing user with authorized access to systems in a software development firm installs a seemingly harmless, yet unauthorized program on a workstation without the IT department's sanction. Identify the type of threat that is a result of this user's action. A.Unintentional insider threat B.Malicious insider threat C.Intentional attack vector D.External threat with insider knowledge

A.Unintentional insider threat Anyone who has or had authorized access to an organization's network, system, or data is considered an insider threat. Installing unauthorized software is negligent, but the user is an unintentional attack vector. A malicious insider intentionally exceeds or misuses his or her access for purposes of sabotage, financial gain, or business advancement. An attack vector is the path through which a threat actor gains access to a secure system; in this case, the path is through an employee's negligent software installation, which in all likelihood is not intentional. An external threat with insider knowledge usually refers to former insiders, such as ex-employees now working at another company or who have been dismissed and now harbor a grievance. This is not the case with this situation.

A system administrator downloads and installs software from a vendor website. Soon after installing the software, the administrator's computer is taken over remotely. After closer investigation, the software package was modified, probably while it was downloading. What action could have prevented this incident from occurring? A.Validate the software using a checksum B.Validate the software using a private certificate C.Validate the software using a key signing key D.Validate the software using Kerberos

A.Validate the software using a checksum The administrator should have validated the software with a checksum, which uses a cryptographic algorithm to generate a unique hash value based on the file contents. If the file is changed, the checksum of the modified file will not match the original. A private certificate does not validate software. A key signing key is associated with Domain Name System Security Extensions (DNSSEC), which validates DNS responses to help mitigate spoofing and poisoning attacks. It does not apply to software. Kerberos is an authentication service based on a time-sensitive ticket-granting system. It is used to validate users, not software.

An IT manager in the aviation sector checks the industry's threat intelligence feed to keep up on the latest threats and ensure the work center implements the best practices in the field. What type of threat intelligence source is the IT manager most likely accessing? A. Open Source Intelligence (OSINT) B. An Information Sharing and Analysis Center (ISAC) C.A vendor website, such as Microsoft's Security Intelligence blog D.A closed or proprietary threat intelligence platform

B. An Information Sharing and Analysis Center (ISAC) ISACs are set up to share industry-specific threat intelligence and best practices in critical sectors, such as the aviation industry. OSINT includes any publicly available intelligence, in addition to threat intelligence services companies operate on an open source basis. Vendors often post proprietary intelligence on their websites and blogs, free of cost, as a general benefit to their consumers. Proprietary or closed threat intelligence platforms operate on a paid subscription basis. The security solution provider will also make the most valuable research available early to platform subscribers in the form of blogs, white papers, and webinars.

The _____ requires federal agencies to develop security policies for computer systems that process confidential information. A. Sarbanes-Oxley Act (SOX) B. Computer Security Act C. Federal information Security Management Act (FISMA) D. Gramm-Leach-Bliley Act (GLBA)

B. Computer Security Act The Computer Security Act (1987) specifically requires federal agencies to develop security policies for computer systems that process confidential information. The Sarbanes-Oxley Act (2002) mandates the implementation of risk assessments, internal controls and audit procedures. This act is not for any specific entity. The Federal Information Security Management Act (2002) governs the security of data processed by federal government agencies. This act requires agencies to implement an information security program. The Gramm-Leach-Bliley Act (1999) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.

A system administrator must scan the company's web-based application to identify which ports are open and which operating system can be seen from the outside world. Determine the syntax that should be used to yield the desired information if the administrator will be executing this task from a Linux command line. A. netstat -a B. nmap -O C. nmap -sS 10.1.0.0/24 D. netstat -n

B. nmap -O The correct syntax is nmap -O. When the -O switch is used with nmap, it displays open ports and the installed operating system, but does not show the version. The netstat command checks the state of ports on the local machine. In Linux, the -a switch displays ports in the listening state, it does not enable software and version detection. Using nmap -sS 10.1.0.0/24 is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it. Netstat shows the state of TCP/UDP ports on the local machine. Netstat -n suppresses name resolution, so host IP addresses and numeric ports are shown in the output.

In which of these situations might a non-credentialed vulnerability scan be more advantageous than a credentialed scan? (Select all that apply.) A. When active scanning poses no risk to system stability B. External assessments of a network perimeter C. Detection of security setting misconfiguration D. Web application scanning

B. External assessments of a network perimeter D. Web application scanning Non-credentialed scanning is often the most appropriate technique for external assessment of the network perimeter or when performing web application scanning. A non-credentialed scan proceeds by directing test packets at a host without being able to log on to the OS or application. A non-credentialed scan provides a view of what the host exposes to an unprivileged user on the network. A passive scan has the least impact on the network and on hosts but is less likely to identify vulnerabilities comprehensively. Configuration reviews investigate how system misconfigurations make controls less effective or ineffective, such as antivirus software not being updated, or management passwords left configured to the default. Configuration reviews generally require a credentialed scan.

Which security related phrase relates to the integrity of data? A. Availability B. Modification C. Confidentiality D. Risk

B. Modification Any modification is authorized and is stored and transferred as intended when referring to the integrity of data. Integrity is part of the CIA triad. Availability means that any information is accessible to those authorized to view or modify it. Availability is part of the CIA triad. Confidentiality means that certain information should only be known to certain people. Confidentiality is part of the CIA triad. Risk is the likelihood and impact (or consequence) of a threat actor exploiting a vulnerability.

Examine each attack vector. Which is most vulnerable to escalation of privileges? A. Software B. Operating System (OS) C. Applications D. Ports

B. Operating System (OS) A vulnerability in an OS kernel file or shared library can allow privilege escalation, where the malware code runs with higher access rights (system or root). Root or system accounts are considered superuser accounts with administrative privileges. Software exploitation means an attack that targets a vulnerability in software code. An application vulnerability is a design flaw that can cause the security system to be circumvented or that will cause the application to crash. Security best practice for network configurations dictates that open ports should be restricted to only necessary services. Running unnecessary open ports and services increases the attack surface.

A hacker set up a Command and Control network to control a compromised host. What is the ability of the hacker to use this remote connection method as needed known as? A. Weaponization B. Persistence C. Reconnaissance D. Pivoting

B. Persistence Persistence refers to the hacker's ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor. To do this, the hacker must establish a Command and Control (C2 or C&C) network. Weaponization is an exploit used to gain some sort of access to a target's network, but it doesn't involve being able to reconnect. Reconnaissance is the process of gathering information, it is not related to Command and Control networks. Pivoting follows persistence. It involves a system and/or set of privileges that allow the hacker to compromise other network systems (lateral spread). The hacker likely has to find some way of escalating the privileges available to him/her.

Following a data breach at a large retail company, their public relations team issues a statement emphasizing the company's commitment to consumer privacy. Identify the true statements concerning this event. (Select all that apply.) A. The data breach must be an intentional act of corporate sabotage. B. The privacy breach may allow the threat actor to sell the data to other malicious actors. C. The data breach can cause data to be exfiltrated. D. The data breach event may compromise data integrity, but not information availability.

B. The privacy breach may allow the threat actor to sell the data to other malicious actors. C. The data breach can cause data to be exfiltrated. A privacy breach may allow the threat actor to perform identity theft or to sell the data to other malicious actors. Malicious actors may obtain account credentials or use personal details and financial information to make fraudulent credit applications and purchases. A data breach can cause a data exfiltration event to occur. A data exfiltration event is always intentional and malicious. A data breach event is where confidential data is read or transferred without authorization. A data breach, unlike data exfiltration, can be intentional/malicious or unintentional/accidental. Availability means that information is accessible to those authorized to view or modify it. If a data breach brings down processing systems, a company may not be able to perform crucial workflows like order processing and fulfillment, compromising information availability.

Compare and contrast vulnerability scanning and penetration testing. Select the true statement from the following options. A. Vulnerability scanning is conducted by a "white hat" and penetration testing is carried out by a "black hat." B. Vulnerability scanning by eavesdropping is passive, while penetration testing with credentials is active. C. Penetration testing and vulnerability scanning are considered "black hat" practices. D. Vulnerability scanning is part of network reconnaissance, but penetration testing is not.

B. Vulnerability scanning by eavesdropping is passive, while penetration testing with credentials is active. Vulnerability scanning and penetration testing can use passive or active reconnaissance techniques. A passive approach tries to discover issues without causing an impact to systems, whereas an active approach may cause instability on a scanned system. Penetration testing is non-malicious; therefore, it is a "white hat" activity, not "black hat." Penetration testing is considered "ethical hacking," but vulnerability scanning is not. Vulnerability scanning is used to uncover system weaknesses, not to try to hack into the system. Both vulnerability scanning and penetration testing are forms of reconnaissance, or information gathering. The hacker likely has to find some way of escalating the privileges available to them.

Which of the following options represents Two-Factor Authentication (2FA)? A.A user logs in using a password and a PIN. B.A user logs in using a password and a smart card. C.A user logs in using a fingerprint and retina scanner. D.A user logs in using a smart card and a key fob.

B.A user logs in using a password and a smart card. In Two-Factor Authentication (2FA), a user must possess two of the three authentication types of "something you know", "something you have", or "something you are". Using a password and a smart card would be 2FA since it combines "something you know" (password) with "something you have" (smart card). Using a password and a PIN is not 2FA since they both are "something you know." Using a fingerprint and facial recognition is not 2FA since they both are "something you are." Using a smart card and a key fob is not 2FA since they both are "something you have."

Which of the following statements best describes the trade-off when considering which type of encryption cipher to use? A.Asymmetric encryption is the strongest hashing algorithm, which produces longer and more secure digests than symmetric encryption. B.Asymmetric encryption requires substantially more overhead computing power than symmetric encryption. Asymmetric encryption is inefficient when transferring or encrypting large amounts of data. C.Symmetric encryption requires substantially more overhead computing power than asymmetric encryption. Symmetric encryption is inefficient when transferring or encrypting large amounts of data. D.Symmetric encryption is not considered as safe as asymmetric encryption, but it might be required for compatibility between security products.

B.Asymmetric encryption requires substantially more overhead computing power than symmetric encryption. Asymmetric encryption is inefficient when transferring or encrypting large amounts of data. Asymmetric encryption involves substantially more computing overhead than symmetric encryption. Asymmetric encryption is inefficient when encrypting a large amount of data on a disk or transporting it over a network. Secure Hash Algorithm (SHA) is considered the strongest hashing algorithm. The most popular variant, SHA-256, produces a 256-bit digest. Other variants produce different-sized outputs; longer digests are considered more secure. Symmetric encryption is fast and used for bulk encryption of large amounts of data. The Message Digest Algorithm #5 (MD5) hashing algorithm produces a 128-bit digest. MD5 is not considered to be quite as safe for use as SHA-256, but it might be required for compatibility between security products.

Which statement most accurately describes the mechanisms by which blockchain ensures information integrity and availability? A.Blockchain ensures availability by cryptographically linking blocks of information, and integrity through decentralization. B.Blockchain ensures availability through decentralization, and integrity through cryptographic hashing and timestamping. C.Blockchain ensures availability through cryptographic hashing and timestamping, and integrity through decentralization. D.Blockchain ensures both availability and integrity through decentralization and peer-to-peer (P2P) networking.

B.Blockchain ensures availability through decentralization, and integrity through cryptographic hashing and timestamping. The blockchain ledger is decentralized and distributed across a peer-to-peer (P2P) network to mitigate the risks of a single point of failure or compromise. Each block in a blockchain validates the hash of the previous block, all the way through to the beginning of the chain, ensuring that each historical transaction has not been tampered with. Blockchain is open. It may ensure the integrity and transparency of financial transactions, among other potential applications. Each block typically includes a timestamp of transactions, as well as the data involved in the transactions themselves, helping ensure data integrity. One of the most important characteristics of a blockchain is decentralization. Being distributed across a peer-to-peer (P2P) network ensures availability, but integrity is achieved through cryptographic hashing and timestamping.

60.0% complete Question A user's PC is infected with a virus that appears to be memory resident and loads anytime it is booted from an external universal serial bus (USB) thumb drive. Examine the following options and determine which describes the infection type. A.Script virus B.Boot virus C.Worm D.Spyware

B.Boot virus With a boot virus, code is written to the disk boot sector or the partition table of a fixed disk or USB media. The code executes as a memory resident process when the OS starts. Script and macro viruses use the programming features available in local scripting engines for the OS and/or browser, such as PowerShell. A computer worm is memory-resident malware that can run without user intervention and replicate over network resources. Spyware is malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, and activate recording devices.

Compare and contrast the modes of operation for block ciphers. Which of the following statements is true? A.ECB and CBC modes allow block ciphers to behave like stream ciphers. B.CTM mode allows block ciphers to behave like stream ciphers. C.ECB allows block ciphers to behave like stream ciphers. D.CBC and CTM modes allow block ciphers to behave like stream ciphers.

B.CTM mode allows block ciphers to behave like stream ciphers. Counter Mode (CTM) combines each block with a counter value. This allows each block to be processed individually and in parallel, improving performance. Electronic Code Book (ECB) mode applies the same key to each plaintext block, which means identical plaintext blocks can output identical ciphertexts. This is not how a stream cipher behaves. Counter Mode (CTM) allows block ciphers to behave like stream ciphers, which are faster than block ciphers. Cipher Block Chaining (CBC) mode applies an Initialization Vector (IV) to the first plaintext block to ensure that the key produces a unique ciphertext from any given plaintext and repeating as a "chain." This is not how a stream cipher behaves.

A system administrator has just entered their credentials to enter a secure server room. As the administrator is entering the door, someone is walking up to the door with their hands full of equipment and appears to be struggling to move items around while searching for their credentials. The system administrator quickly begins to assist by getting items out of the person's hands, and they walk into the room together. This person is not an employee, but someone attempting to gain unauthorized access to the server room. What type of social engineering has occurred? A.Familiarity/liking B.Consensus/social proof C.Authority and intimidation D.Identity fraud

B.Consensus/social proof Consensus/social proof revolves around the belief that without an explicit instruction to behave in a certain way, people will follow social norms. It is typically polite to assist someone with their hands full. Familiarity/Liking is when an attacker uses charisma to persuade others to do as requested. They downplay their requests to make it seem like their request is not out of the ordinary. Authority and Intimidation can be used by an attacker by pretending to be someone senior. The person receiving the request would feel the need to take action quickly and without questioning the attacker. Identity fraud is a specific type of impersonation where the attacker uses specific details (such as personal information) of someone's identity.

An employee works on a small team that shares critical information about the company's network. When sending emails that have this information, what would be used to provide the identity of the sender and prove that the information has not been tampered with? A.Private key B.Digital signature C.Public key D.RSA algorithm

B.Digital signature A digital signature proves the identity of the sender of a message and to show that a message has not been tampered with since the sender posted it. This provides authentication, integrity, and non-repudiation. A private key will encrypt the message. Encrypting the message will scramble the data to protect it during transmission. The public key is what the recipient will use to decrypt the message. The decryption will allow the recipient to read the data upon receipt. An RSA Algorithm is what many of the public key cryptography products are based on.

An employee has requested a digital certificate for a user to access the Virtual Private Network (VPN). It is discovered that the certificate is also being used for digitally signing emails. Evaluate the possible extension attributes to determine which should be modified so that the certificate only works for VPN access. A.Valid from/to B.Extended key usage C.Serial number D.Public key

B.Extended key usage Set the Extended Key Usage (EKU) field of a certificate to define its usage. Applications such as virtual private network (VPN) or email clients may require specific requirements for key usage configuration. The validity field displays the date and time during which the certificate is valid. Certificates are issued with a limited duration, as set by the certificate authority (CA) policy for the certificate type. The serial number is a number uniquely identifying the certificate within the domain of its CA. This prevents a CA from generating duplicate certificates. The public key field displays the public key and algorithm used by the certificate holder. This key can be shared with other clients and users on the public network.

Regarding the various tools of biometric authentication and their capabilities/limitations, which statement is accurate? A.Retinal scanning is less intrusive than iris scanning. B.Fingerprint scanners are the most widely used biometric authentication method. C.Fingerprint scanners are more expensive but use a straightforward process. D.Sensor modules are the most preferred biometric authentication method

B.Fingerprint scanners are the most widely used biometric authentication method. Regarding biometric authentication, Fingerprint scanning is the most widely implemented biometric authentication method.To the contrary, Iris scanning is less intrusive than retinal scanning and matches patterns on the surface of the eye using near-infrared imaging.Contrary to having more costs, the technology required for scanning and recording fingerprints is relatively inexpensive and the process quite straightforward.A sensor module acquires the biometric sample fro

If not managed properly, certificate and key management can represent a critical vulnerability. Assess the following statements about key management and select the true statements. (Select all that apply.) A.If a key used for signing and encryption is compromised, it can be easily destroyed with a new key issued. B.It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key. C.If a private key, or secret key, is not backed up, the storage system represents a single point of failure. D.A compromised private key that encrypts data is of no concern if the same key signs documents.

B.It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key. C.If a private key, or secret key, is not backed up, the storage system represents a single point of failure. A problem with key storage is the difficulty associated with multiple backups of a private key. It is exponentially more difficult to ensure the key is not compromised in this situation. If a key is not backed up, it represents a single point of failure. Key recovery is a process for backing up keys and/or recovering data encrypted with a lost key. If a key is compromised and is used for signing only, it can be destroyed, and a new key issued. A key used for encryption cannot be destroyed so easily. The encrypted data has to be recovered first. If the private key used to both encrypt and sign a document is compromised, both uses of the key are of great security risk and may provide external threats more access to private data.

A company has a critical encryption key that has an M-of-N control configuration for protection. Examine the examples and select the one that correctly illustrates the proper configuration for this type of protection of critical encryption keys. A.M=1 and N=5 B.M=3 and N=5 C.M=6 and N=5 D.M=0 and N=5

B.M=3 and N=5 A correct configuration for an M-of-N control is M=3 and N=5. M stands for the number of authorized administrators that must be present to access the critical encryption keys and N is the total number of authorized administrators. In this scenario, 3 of the 5 administrators must be present for access. M is always greater than 1 for this type of configuration making M=1 and N=5 not a valid choice. If only 1 administrator must be present, this configuration would be unnecessary. M=6 and N=5 is not possible as this configuration is asking for more administrators to be present than is authorized. The final option of M=0 is not viable because M must always equal more than 1.

An employee calls IT personnel and states that they received an email with a PDF document to review. After the PDF was opened, the system has not been performing correctly. An IT admin conducted a scan and found a virus. Determine the two classes of viruses the computer most likely has. (Select all that apply.) A.Boot sector B.Macro C.Script D.Non-resident

B.Macro C.Script Both a macro and script virus can use a PDF as a vector. The user stated that a PDF file was recently opened. A macro virus is executed when an application is executed. Executable objects can also be embedded or attached within other file types such as Microsoft Word and Rich Text Format. A script virus typically targets vulnerabilities in an interpreter. Scripts are powerful languages used to automate operating system functions and add interactivity to web pages and are executed by an interpreter rather than self-executing. PDF documents have become a popular vector for script viruses. A boot sector virus is one that attacks the disk boot sector information, the partition table, and sometimes the file system. The virus is contained within a host executable file and runs with the host process. The virus will try to infect other process images on persistent storage and perform other payload actions.

Which of the following depict ways a malicious attacker can gain access to a target's network? (Select all that apply.) A.Ethical hacking B.Phishing C.Shoulder surfing D.Influence campaign

B.Phishing C.Shoulder surfing Phishing and shoulder surfing are social engineering attacks. Phishing occurs when an attacker sends a legitimate-looking, spoofed email to a user of the spoofed site to trick the user into revealing private information. Shoulder surfing is used to obtain someone's password or PIN by observing a user typing it on the keyboard. Social engineering is malicious behavior meant to get users to reveal confidential information. Ethical hacking is trying to identify weaknesses in a network. It is done with permission and is not malicious in intent. An influence campaign is a program launched by an adversary with a high level of capability. The goal of an influence campaign is to shift public opinion on some topic.

Both Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS+) provide authentication, authorization, and accounting using a separate server (the AAA server). Based on the protocols' authentication processes, select the true statements. (Select all that apply.) A.TACACS+ is open source and RADIUS is a proprietary protocol from Cisco. B.RADIUS uses UDP and TACACS+ uses TCP. C.TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password. D.RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.

B.RADIUS uses UDP and TACACS+ uses TCP. C.TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password. D.RADIUS is primarily used for network access and TACACS+ is primarily used for device administration. RADIUS uses TCP or UDP by default over ports 1812 and 1813 and TACACS+ uses TCP on port 49. TACACS+ encrypts the whole packet (except the header, which identifies the packet as TACACS+ data) and RADIUS only encrypts the password portion of the packet using MD5. RADIUS is primarily used for network access for a remote user and TACACS+ is primarily used for device administration. TACACS+ provides centralized control for administrators to manage routers, switches, and firewall appliances, as well as user privileges. RADIUS is an open-source protocol, not TACACS+. TACACS+ is a Cisco proprietary protocol.

An employee handles key management and has learned that a user has used the same key pair for encrypting documents and digitally signing emails. Prioritize all actions that should be taken and determine the first action that the employee should take. A.Revoke the keys. B.Recover the encrypted data. C.Generate a new key pair. D.Generate a new certificate.

B.Recover the encrypted data. The first step is to recover any data encrypted with the key so the data can be decrypted. Once the data is recovered, the key can be revoked and an administrator can issue a new key pair. After the data has been recovered, the keys should be revoked. They are compromised and should not be used for any future tasks. After the compromised keys are revoked, the user can be issued new keys. The user requires two sets of keys, one for encrypting messages and the other for digitally signing documents. Certificate generation is used to identify the public part of a key pair as belonging to a subject and will occur after the user's new keys have been generated.

Biometric authentication methods have different error rates, with some methods being easier to fool than others. An unauthorized user is unlikely to fool which of the following methods? A.Fingerprint scan B.Retinal scan C.Facial recognition D.Voice recognition

B.Retinal scan Biometric authentication based on a retinal scan is the hardest method to fool. Retinal scanning is used to identify the patterns of blood vessels with the eye, whereas an iris scan only uses the surface of the eye. It is possible to obtain a copy of a user's fingerprint and create a mold of it that will fool a fingerprint scanner. Facial recognition suffers from relatively high false acceptance and rejection rates, and as a result is vulnerable to spoofing. Voice recognition is subject to impersonation. It is also sensitive to background noise and other environmental factors which can interfere with authentication.

A security technician needs to transfer a large file to another user in a data center. Which statement best illustrates what type of encryption the technician should use to perform the task? A.The technician should use symmetric encryption for authentication and data transfer. B.The technician should use asymmetric encryption to verify the data center user's identity and agree on a symmetric encryption algorithm for the data transfer. C.The technician should use asymmetric encryption for authentication and data transfer. D.The technician should use symmetric encryption to verify the data center user's identity and agree on an asymmetric encryption algorithm for the data transfer.

B.The technician should use asymmetric encryption to verify the data center user's identity and agree on a symmetric encryption algorithm for the data transfer. Asymmetric encryption is used for authentication, non-repudiation, and key agreement and exchange. Symmetric encryption is more efficient for bulk encryption of large amounts of data for transfer. Symmetric encryption is very fast and used for bulk encryption of large amounts of data. Symmetric encryption cannot be used for authentication or integrity, because both parties know the same key. Asymmetric encryption can be used to prove identity. Asymmetric encryption involves substantial computing overhead compared to symmetric encryption, so it is inefficient for large data transfers. Key agreement/exchange refers to settling on a secret symmetric key to use for bulk encryption without anyone else discovering it.

Consider the life cycle of an encryption key. Which of the following is NOT a stage in a key's life cycle? A.Storage B.Verification C.Expiration and renewal D.Revocation

B.Verification Verification is not a stage in a key's life cycle. It is part of the software development life cycle. The stages are: key generation, certificate generation, storage, revocation, and expiration and renewal. Storage is the stage where a user must take steps to store the private key securely. It is also important to ensure that the private key is not lost or damaged. The expiration and renewal stage addresses that a key pair expires after a certain period. Giving the key a "shelf-life" increases security. Certificates can be renewed with new key material. Revocation is the stage that concerns itself with the event of a private key being compromised; it can be revoked before it expires.

A website with many subdomains has been issued a web server certificate for domain validation. This certificate verifies the parent domain and all subdomains (to a single level). This certificate is also known as which of the following? A.SAN certificate B.Wildcard certificate C.Root certificate D.Code signing certificate

B.Wildcard certificate A wildcard certificate with a field entry of a wildcard domain such as *.comptia.org, means that the certificate issued to the parent domain will be accepted as valid for all subdomains (to a single level). A subject alternative name (SAN) certificate list different identifiers including domain names which are specific for each certificate. This becomes a wildcard certificate when a wildcard domain is listed. The root certificate is the one that identifies the certificate authority (CA) itself. The root certificate is self-signed. A root certificate would normally use a key size of at least 2048 bits. A code signing certificate is issued to a software publisher by the CA. The publisher signs the executables or DLLs to guarantee the validity of a software application or browser plug-in.

After a poorly handled security breach, a company updates its security policy to include an improved incident response plan. Which of the following security controls does this update address? A. Compensating B. Deterrent C .Corrective D. Detective

C .Corrective An incident response plan is corrective. It responds to and fixes an incident. It may also prevent its recurrence. Compensating is a security control that serves as a substitute for a principal control, as recommended by a security standard. A deterrent is the control that may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. A detective is the control that may not prevent or deter access but will identify and record any attempted or successful intrusion.

Encryption vulnerabilities allow unauthorized access to protected data. Which component is subject to brute-force enumeration? A. An unsecured protocol B. A software vulnerability C. A weak cipher D. A lost decryption key

C. A weak cipher An unsecured protocol is one that transfers data as cleartext—that is, the protocol does not use encryption for data protection. Software vulnerabilities affect all types of code. Operating system and firmware vulnerabilities may allow escalated permissions and unauthorized access. Software and security researchers discover most vulnerabilities and release patches to remedy them. Weak encryption vulnerabilities allow unauthorized access to data. An algorithm or cipher used for encryption has known weaknesses that allow brute-force enumeration. If a decryption key is not distributed securely, it can easily fall into the hands of people who are not authorized to decrypt the data.

Which statement best explains the differences between black box, white box, and gray box attack profiles used in penetration testing? A. A black box pen tester acts as a privileged insider and must perform no reconnaissance. A white box pen tester has no access, and reconnaissance is necessary. A gray box actor is a third-party actor who mediates between a black box and white box pen tester. B. A black box pen tester acts as the adversary in the test, while the white box pen tester acts in a defensive role. A gray box pen tester is a third-party actor who mediates between a black box pen tester and a white box pen tester. C. In a black box pen test, the contractor receives no privileged information, so they must perform reconnaissance. In contrast, a white box pen tester has complete access and skips reconnaissance. A gray box tester has some, but not all information, and requires partial reconnaissance. D. In a white box pen test, the contractor receives no privileged information, so they must perform reconnaissance. In contrast, a black box pen tester has complete access and skips reconnaissance. A gray box tester has some, but not all information, and requires partial reconnaissance.

C. In a black box pen test, the contractor receives no privileged information, so they must perform reconnaissance. In contrast, a white box pen tester has complete access and skips reconnaissance. A gray box tester has some, but not all information, and requires partial reconnaissance. A black box penetration tester receives no privileged information, while a white box tester has complete access. A white box test may follow up on a black box test. In a black box pen test, the consultant receives no privileged information about the network and its security systems. A gray box pen tester has partial access and must perform some reconnaissance. A red team performs an offensive role to try to infiltrate the target. A blue team defends a target system by operating monitoring and alerting controls to detect and prevent the infiltration. White box tests are useful for simulating the behavior of a privileged insider threat. Gray box tests are useful for simulating the behavior of an unprivileged insider threat.

An engineer looks to implement security measures by following the five functions in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. When documenting the "detect" function, what does the engineer focus on? A. Evaluate risks and threats B. Install, operate, and decommission assets C. Ongoing proactive monitoring D. Restoration of systems and data

C. Ongoing proactive monitoring Detect refers to performing ongoing proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats. Identify covers developing security policies and capabilities, and evaluating risks, threats, and vulnerabilities and recommend security controls to mitigate them. Protect and procure covers the processes to install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of an operations life cycle. Recovery deals with the implementation of cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.

A network manager needs a map of the network's topology. The network manager is using Network Mapper (Nmap) and will obtain the visual map with the Zenmap tool. If the target IP address is 192.168.1.1, determine the command within Nmap that will return the necessary data to build the visual map of the network topology. A. nmap -sn --ipconfig 192.168.1.1 B. nmap -sn --ifconfig 192.168.1.1 C. nmap -sn --traceroute 192.168.1.1 D. nmap -sn --nslookup 192.168.1.1

C. nmap -sn --traceroute 192.168.1.1 The traceroute command is used to probe a path from one end system to another, and lists the intermediate systems providing the link. The Nmap combined with Zenmap tools will give a visual of the network topology. The ipconfig and ifconfig commands are used for looking at the configuration of a system's network adapter. The primary difference between the ipconfig and ifconfig commands are the type of systems the network is using. The ipconfig is designed for Windows, while the ifconfig is designed for use on Linux systems. The nslookup command is used to query the Domain Name System (DNS).

Evaluate the differences between stream and block ciphers and select the true statement. A.A block cipher is suitable for communication applications. B.A stream cipher is subjected to complex transposition and substitution operations, based on the value of the key used. C.A block cipher is padded to the correct size if there is not enough data in the plaintext. D.A stream cipher's plaintext is divided into equal-sized blocks.

C.A block cipher is padded to the correct size if there is not enough data in the plaintext. In a block cipher, if there is not enough data in the plaintext, it's padded to the correct size. Padding is not an issue with streaming, where each byte or bit of data in the plaintext is encrypted one at a time, but it is problematic in dealing with block size. A block cipher is not suitable to communications, but a stream cipher is, since each byte or bit of data in the plaintext is encrypted one at a time. Based on the value of the key used, a stream cipher is not subjected to complex transposition and substitution operations. In a stream cipher, the plaintext is not divided into equal-size blocks.

A security team is in the process of selecting a cryptographic suite for their company. Analyze cryptographic implementations and determine which of the following performance factors is most critical to this selection process if users primarily access systems on mobile devices. A.Speed B.Latency C.Computational overhead D.Cost

C.Computational overhead Some technologies or ciphers configured with longer keys require more processing cycles and memory space, which makes them slower and consume more power. This makes them unsuitable for handheld devices and embedded systems that work on battery power. Speed is most impactful when processing large amounts of data. For some use cases, the time required to obtain a result is more important than a data rate. Latency issues may negatively affect performance when an operation or application times out before the authentication handshake. Cost issues may arise in any decision-making process, but for mobile device cryptography, computing overhead is a primary limiting factor.

A system analyst is tasked with searching the dark web for harvested customer data. Because these sites cannot be found in a standard website search, what must the analyst have in order to search for the harvested information? A.The Onion Router (TOR) B.Dark web search engine C.Dark Website URL D.Open Source Intelligence (OSINT)

C.Dark Website URL Access to deep web sites, especially those hidden from search engines, are accessed via the website's URL. These are often only available via "word of mouth" bulletin boards. The Onion Router (TOR) is software used to establish a network overlay to the Internet infrastructure to create the dark net. TOR, along with other software like Freenet or I2P, anonymizes the usage of the dark net. A dark web search engine can be used to find dark web website collections, which constitute roughly 1% of the deep web. Some dark web websites have hidden IP addresses and cannot be found by search engines or require additional software to gain access to the site. Open-source intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records.

Which statement describes the mechanism by which encryption algorithms help protect against birthday attacks? A.Encryption algorithms utilize key stretching. B.Encryption algorithms use secure authentication of public keys. C.Encryption algorithms add salt when computing password hashes. D.Encryption algorithms must utilize a blockchain.

C.Encryption algorithms add salt when computing password hashes. A salt is an additional value stored with the hashed data field. The purpose of salt is to frustrate attempts to crack the hashes of passwords in this case. This will protect against birthday attacks. Key stretching takes a key that is generated from a user password, and repeatedly converts it to a longer and more random key. The initial key is put through thousands of rounds of hashing to slow down attackers. Securely authenticating public keys, such as associating the keys with certificates, helps protect against man-in-the-middle attacks. Blockchain is a concept in which an expanding list of transactional records is secured using cryptography. Each record is referred to as a block and is run through a hash function.

Digital certificates are based on the X.509 standard that defines the fields (or information) about a subject (or entity using the certificate) and the certificate's issuer. Which of the following fields would not be included in a standard public certificate? A.Extensions B.Public key C.Endorsement key D.Subject

C.Endorsement key An endorsement key is not required for a digital certificate. It is part of a Trusted Platform Module (TPM) and used to create subkeys for key storage, signature, and encryption operations. The Extensions field defines which extended attributes a certificate supports. V3 certificates can be defined with extended attributes, such as friendly subject or issuer names, contact email addresses, and intended key usage. The Public key field denotes the public key and algorithm used by the certificate holder. This key is distributed to the public to initiate a secure connection with a website or remote server. The Subject field names the certificate holder, expressed as a distinguished name (DN). Within this, the common name (CN) usually matches either the fully qualified domain name (FQDN) of a server or a user email address.

An Identity and Access Management (IAM) system has four main processes. Which of the following is NOT one of the main processes? A.Accounting B.Identification C.Integrity D.Authentication

C.Integrity Integrity is the fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications. However, it is not part of the IAM system. IAM defines the attributes that comprise an entity's identity. The four processes include Authorization, Accounting, Identification, and Authentication. Accounting is tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted. Identification is creating an account or ID identifying the user, device, or process on the network. Authentication is proving that a subject is who or what it claims to be when attempting to access the resource.

One aspect of threat modeling is to identify potential threat actors and the risks associated with each one. When assessing the risk that any one type of threat actor poses to an organization, what are the most critical factors to profile? (Select all that apply.) A.Education B.Socioeconomic status C.Intent D.Motivation

C.Intent D.Motivation From the choices provided, the two most critical factors to profile for a threat actor are intent and motivation. Greed, curiosity, or grievance may motivate an attacker. The intent could be to vandalize and disrupt a system or to steal something. While education and socioeconomic traits could potentially be considered in a threat actor profile, they are inferior to intent and motivation. Malicious intents and motivations can be contrasted with accidental or unintentional threat actors and agents. Unintentional threat actors represent accidents, oversights, and other mistakes. In this sense, training is crucial to ensuring employees are educated about security measures.

A web administrator visits a website after installing its certificate to test the SSL binding. The administrator's client computer did not trust the website's certificate. The administrator views the website's certificate from the browser to determine which certificate authority (CA) generated the certificate. Which certificate field would assist with the troubleshooting process? A.Subject alternative name B.Signature algorithm C.Issuer D.Subject

C.Issuer The Issuer field provides the name of the certificate authority (CA) that generated and issued the certificate for the web server. The subject alternative name (SAN) displays the extension field to identify the domain name system (DNS) name or names by which a host is identified. The Signature algorithm field displays the algorithm used by the certificate authority to sign the certificate. The Subject field displays the name of the certificate holder, expressed as a distinguished name (DN). The common name (CN) in this part would match the fully qualified domain name (FQDN) of the server or a user email address.

A malicious party adds malware to a popular video game and offers free copies to users. The party's objective is to require the CD to be inserted during use. This software will gain administrative rights, change system files, and may hide from detection without the knowledge or consent of the user. Consider the malware characteristics and determine which may be used. (Select all that apply) A.Spyware B.Keylogger C.Rootkit D.Trojan

C.Rootkit D.Trojan A rootkit is characterized by its ability to hide itself by changing core system files and programming interfaces and to escalate privileges. The gaming company accomplished this. Trojans cannot conceal their presence entirely and will surface as a running process or service. While a rootkit is a type of Trojan, it differs in its ability to hide itself. Spyware monitors user activity and may be installed with or without the user's knowledge, but it cannot gain administrative privileges or hide itself. A keylogger is also a type of spyware that records a user's keystrokes. It occurs without a user's knowledge, but it cannot hide itself or gain privileges.

Which of the following is NOT a use of cryptography? A.Non-repudiation B.Obfuscation C.Security through obscurity D.Resiliency

C.Security through obscurity Security through obscurity involves keeping something a secret by hiding it, but not necessarily encrypting it. While this can fool the unwitting observer, it is easily detectable by those involved in cybersecurity and their tools. Non-repudiation is when the sender cannot deny sending the message. If the message has been encrypted in a way known only to the sender, logic follows the sender must have composed it. Obfuscation is the art of making a message difficult to understand. Cryptography is a very effective way of obfuscating a message by encrypting it. Resiliency occurs when the compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography ensures the authentication and integrity of messages delivered over the control system.

An employee is having coffee at an outdoor coffee shop and is not taking precautions against someone watching their screen while working on a company project. A person a few tables over watches the employee enter their credentials and then takes photos of the work they are completing with their smartphone. Which form of social engineering is being used in this situation? A.Vishing B.Lunchtime attack C.Shoulder surfing D.Man-in-the-middle attack

C.Shoulder surfing Shoulder surfing is stealing a password by watching the user type it. Although the attacker was not looking over the employee's shoulder, the login credentials were obtained through observation. Vishing is a phishing attack conducted through a voice channel. With no clue about the nature of the call received by the employee, it cannot be assumed to be part of an attack and would not be the best answer. While a lunchtime attack involves leaving a workstation unattended, it does not involve obtaining a password. Rather, physical access to the system is gained through a logged-in computer. A man-in-the-middle attack occurs when an attacker sits between two communicating hosts to intercept information. It is not social engineering.

An attacker uses a cryptographic technology to create a covert message channel in transmission control protocol (TCP) packet data fields. What cryptographic technique does this attack strategy employ? A.Homomorphic encryption B.Blockchain C.Steganography D.Key stretching

C.Steganography Steganography obscures the presence of a message and can be used to encode messages within TCP packet data fields to create a covert message channel for data exfiltration. Homomorphic encryption is used to share privacy-sensitive data sets. It allows a recipient to perform statistical calculations on data fields while keeping the data set as a whole encrypted. Blockchain uses cryptography to secure an expanding list of transactional records. Each record, or block, goes through a hash function. Each block's hash value links to the hash value of the previous block. Key stretching takes a key that is generated from a user password and repeatedly converts it to a longer and more random key, through thousands of rounds of hashing.

A Department of Defense (DoD) security team identifies a data breach in progress, based on some anomalous log entries, and take steps to remedy the breach and harden their systems. When they resolve the breach, they want to publish the cyber threat intelligence (CTI) securely, using standardized language for other government agencies to use. The team will transmit threat data feed via which protocol? A.Structured Threat Information eXpression (STIX) B.Automated Indicator Sharing (AIS) C.Trusted Automated eXchange of Indicator Information (TAXII) D.A code repository protocol

C.Trusted Automated eXchange of Indicator Information (TAXII) The TAXII protocol provides a means for transmitting CTI data between servers and clients. Subscribers to the CTI service obtain updates to the data to load into analysis tools over TAXII. While STIX provides the syntax for describing CTI, the TAXII protocol transmits CTI data between servers and clients. The Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) is especially aimed at Information Sharing and Analysis Centers (ISACs), but private companies can join too. AIS is based on the STIX and TAXII standards and protocols. A file/code repository holds signatures of known malware code.

What is Open Source Intelligence (OSINT)? A.Obtaining information, physical access to premises, or even access to a user account through the art of persuasion B.The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources C.Using web search tools and social media to obtain information about the target D.Using software tools to obtain information about a host or network topology

C.Using web search tools and social media to obtain information about the target OSINT is using web search tools and social media to obtain information about the target. It requires almost no privileged access as it relies on finding information that the company makes publicly available, whether intentionally or not. Obtaining information, physical access to premises, or access to a user account through the art of persuasion is social engineering. The means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources is considered a security policy. Using software tools to obtain information about a host or network topology is considered scanning.

The National Institute of Standards and Technology (NIST) provides a framework that classifies security-related functions. Which description aligns with the "respond" function? A. Evaluate risks, threats, and vulnerabilities. B. Perform ongoing, proactive monitoring. C. Implement resilience to restore systems. D. Identify, analyze, and eradicate threats.

D. Identify, analyze, and eradicate threats. The identify function is to develop security policies and capabilities. This function is used to evaluate risks, threats, and vulnerabilities and recommend security controls to mitigate them. The detect function is to perform ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats. The recover function is to implement cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks. The respond function is to identify, analyze, contain, and eradicate threats to systems and data security.

How might the goals of basic network management not align with the goals of security? A. Management focuses on confidentiality and availability. B. Management focuses on confidentiality over availability. C. Management focuses on integrity and confidentiality. D. Management focuses on availability over confidentiality.

D. Management focuses on availability over confidentiality. Security is increasingly thought of as a dedicated function. The goals of a network manager are not always well-aligned with the goals of security; network management focuses on availability over confidentiality. System security may be a dedicated business unit with its own management structure. As a result, network management might only concern itself with availability. The goals of a basic network management are not always well-aligned with the goals of security; network management would not focus on confidentiality, but rather availability. Network management would encompass the responsibility for systems up-time and availability. Security administrators would focus on integrity and confidentiality.

An IT director reads about a new form of malware that targets a system widely utilized in the company's network. The director wants to discover whether the network has been targeted, but also wants to conduct the scan without disrupting company operations or tipping off potential attackers to the investigation. Evaluate vulnerability scanning techniques and determine the best tool for the investigation. A. Credentialed scan B. Configuration review C. Penetration testing D. Threat hunting

D. Threat hunting Where a pen test attempts to demonstrate a system's weakness or achieve intrusion, threat hunting is based only on analysis of data within the system. It is potentially less disruptive than pen testing. A credentialed scan has a user account with logon rights to hosts and permissions appropriate for the testing routines. Credentialed scans are intrusive and allow in-depth analysis and insight to what an insider attack might achieve. A configuration review assesses the configuration of security controls and application settings & permissions compared to established benchmarks. Penetration testing, an intrusive, active scanning technique, does not stop at detection, but attempts to gain access to a system.

Identify the command that can be used to detect the presence of a host on a particular IP address. A. ipconfig B. ifconfig C. ip D. ping

D. ping The ping command can be used to detect the presence of a host on a particular IP address or that responds to a particular host name. This command is a fast and easy way to determine if a system can communicate over the network with another system. The ipconfig command is used to report the configuration assigned to the network adapter in Windows. The ifconfig command can be used to report the adapter configuration in Linux. The ip command is a more powerful command in Linux and gives options for managing routes as well as the local interface configuration.

Analyze the following attacks to determine which best illustrates a pharming attack. A.A customer gets an email that appears to be from their insurance company. The email contains a link that takes the user to a fake site that looks just like the real insurance company site. B.An employee gets a call from someone claiming to be in the IT department. The caller says there was a problem with the network, so they need the employee's password in order to restore network privileges. C.A company's sales department often has after-hour training sessions, so they order dinner delivery online from the restaurant across the street. An attacker is able to access the company's network by compromising the restaurant's unsecure website. D.A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site.

D.A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site. Pharming is a means of redirecting users from a legitimate website to a malicious one that relies on corrupting the way the victim's computer performs IP address resolution. This is illustrated in the bank customer scenario. Phishing is a type of email-based social engineering attack, in which the attacker sends email from a supposedly reputable source to try to elicit private information from the victim. This is exhibited in the insurance customer scenario. Vishing is a phishing attack conducted through a voice channel. This is seen in the IT department scenario. A watering hole attack relies on the circumstance that a group of targets may use an unsecure third-party website. This is shown in the sales department scenario.

What is the purpose of a web server certificate? A.Sign and encrypt email messages. B.Guarantee the validity of a browser plug-in. C.Provide identification of the certificate authority. D.Guarantee the identity of a website.

D.Guarantee the identity of a website. A web server certificate guarantees the identity of the server that provides web services like a website or e-commerce sites. The web server's public certificate allows users to submit data securely to the web server. Signing and encrypting email messages is done with an email certificate, typically using Secure/Multipurpose Internet Mail Extensions (SMIME) or Pretty Good Privacy (PGP). A code signing certificate is issued to a software publisher following an identity check and validation process to guarantee the validity of a software application or browser plug-in. A root certificate identifies the certificate authority (CA) and is self-signed. The operating system or browser mark self-signed certificates as untrusted, but an administrative user can choose to override this.

A hospital must balance the need to keep patient privacy information secure and the desire to analyze the contents of patient records for a scientific study. What cryptographic technology can best support the hospital's needs? A.Blockchain B.Quantum computing C.Perfect forward security (PFS) D.Homomorphic encryption

D.Homomorphic encryption Homomorphic encryption is used to share privacy-sensitive data sets. It allows a recipient to perform statistical calculations on data fields, while keeping the data set as a whole encrypted, thus preserving patient privacy. Blockchain uses cryptography to secure an expanding list of transactional records. Each record, or block, goes through a hash function. Each block's hash value links to the hash value of the previous block. Quantum computing could serve as a secure foundation for secure cryptosystems and tamper-evident communication systems that would allow secure key agreement. Perfect forward security (PFS) mitigates the risks from RSA key exchanges through the use of ephemeral session keys to maintain confidentiality.

A client contacts a server for a data transfer. Instead of requesting TLS1.3 authentication, the client claims legacy systems require the use of SSL. What type of attack might a data transfer using this protocol facilitate? A.Credential harvesting B.Key stretching C.Phishing D.Man-in-the-middle

D.Man-in-the-middle A downgrade attack can be used to facilitate a man-in-the-middle attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths, making it easier for a malicious actor to forge the trusted certificate authority's signature. Credential harvesting is a campaign specifically designed to steal account credentials. Key stretching takes a key that is generated from a user password and repeatedly converts it to a longer and more random key, adding extra layers of processing to a potential attacker's task. Phishing is a combination of social engineering and spoofing. It persuades or tricks the target into interacting with a malicious resource disguised as a trusted one, traditionally using email as the vector.

Which two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message? A.Hashing and symmetric encryption B.Public key cryptography and digital enveloping C.Hashing and digital enveloping D.Public key cryptography and hashing

D.Public key cryptography and hashing Public key cryptography (public and private keys) can be used to authenticate a sender. Combine this with a hash output of the message and a secret (or private) key to create a message authentication code (MAC) to validate the integrity of the message. A key exchange system known as a digital envelope or hybrid encryption combines the bulk encryption capabilities of symmetric encryption with the authentication capability of public key cryptography. Asymmetric encryption is also called public key cryptography. A digital envelope allows the sender and recipient to exchange a symmetric encryption key securely by using public key cryptography. Hashing proves integrity by computing a unique checksum from input. Digital envelope is another term for the hybrid encryption that combines public key encryption and symmetric encryption.

An employee handling key management discovers that a private key has been compromised. Evaluate the stages of a key's life cycle and determine which stage the employee initiates upon learning of the compromise. A.Certificate generation B.Key generation C.Expiration and renewal D.Revocation

D.Revocation Upon learning of a compromise, the current key should be revoked, and a new key can then be generated. Certificate generation identifies the public part of a key pair as belonging to a subject, and the subject submits it for signing by the CA as a digital certificate with the appropriate key usage. Key generation occurs during the initial distribution of the key, or after having revoked one. Expiration and renewal are used for a key pair that has not been revoked or expired after a certain period. A given shelf-life increases security.

A hacker is able to install a keylogger on a user's computer. What is the hacker attempting to do in this situation? A.Key management B.Encryption C.Obfuscation D.Steal confidential information

D.Steal confidential information Keyloggers actively attempt to steal confidential information by recording the keystrokes of a user. Key management is the process of administering cryptographic keys and managing their usage, storage, expiration, renewal, revocation, recovery, and escrow. It does not describe something that a hacker would install. Encryption is a way of encoding data into ciphertext, which is unreadable unless it is decoded. Keyloggers are only interested in recording keystrokes, not decrypting data. Obfuscation is a technique that essentially "hides" or "camouflages" code or other information so that it is harder to read by unauthorized users. Keyloggers do not want to hide anything, they want to steal useful information by capturing keystrokes.

Based on the known facts of password attacks, critique the susceptibility of the password "DogHouse23" to an attack. A.This is a sufficient password. It is ten characters and contains uppercase characters, lowercase characters, and numbers. B.This is an insufficient password. There are not enough uppercase characters within the password. C.This is a sufficient password. The password is easy for the user to remember yet long enough to meet character requirements. D.This is an insufficient password. The password contains words that are found in the dictionary and does not contain special characters.

D.This is an insufficient password. The password contains words that are found in the dictionary and does not contain special characters. The password does not contain special characters, and also contains words that are found in the dictionary. Both of these attributes make the password vulnerable. The length of the password may be sufficient based on the rules set forth by the system administrator and company policy. The company policy may or may not require the use of special characters, and this is unknown from the scenario. The password is insufficiently complex. The inclusion of uppercase letters alone does not make a password complex. While it is correct that the user may be able to remember this password easily, that also makes it susceptible to attack. Dictionary words make it that much easier for an attacker to crack the password.

Which situation would require keyboard encryption software be installed on a computer? A.To set up single sign-on privileges B.To comply with input validation practices C.For the purpose of key management D.To protect against spyware

D.To protect against spyware Keyboard encryption software is used to protect against keyloggers, which record keystrokes for the purpose of stealing data. Keyloggers are spyware. Single sign-on is a technology that enables a user to authenticate once and receive authorizations for multiple services. It does not require keyboard encryption. Input validation involves limiting the type of data a user can enter into specific fields, such as not allowing special characters in a user name field. Encryption is not a concern. Key management is the process of administering cryptographic keys and is performed by a Certificate Authority. It is not applicable to keyboard encryption.

A company technician goes on vacation. While the technician is away, a critical patch released for Windows servers is not applied. According to the National Institute of Standards and Technology (NIST), what does the delay in applying the patch create on the server? A.Control B.Risk C.Threat D.Vulnerability

D.Vulnerability NIST defines vulnerability as a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. In addition to delays in applying patches, other examples of vulnerabilities include improperly installed hardware, untested software, and inadequate physical security. Control is a system or procedure put in place to mitigate a risk. An example of control is policies or network monitoring to identify unauthorized software. Risk is the likelihood and impact of a threat actor exercising a vulnerability. Threat is the potential for a threat agent to exercise a vulnerability.