CompTIA Security+ (SY0-601) Practice Exam #6

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring? 25 443 23 110

23 Explanation OBJ-3.1: Telnet is the protocol used for remote command-line administration of a host using TCP port 23. Telnet is considered insecure since it is unauthenticated and unencrypted. The simple mail transfer protocol (SMTP) is the protocol used to send mail between hosts on the Internet using TCP port 25. The post office protocol (POP3) is a TCP/IP application protocol providing a means for a client to access email messages stored in a mailbox on a remote server over port 110. The server usually deletes messages once the client has downloaded them. The hypertext transfer protocol secure (HTTPS) is a secure protocol used to provide web content to browsers using SSL/TLS encryption over port 443.

If an administrator cannot fully remediate a vulnerability, which of the following should they implement? A compensating control An engineering tradeoff A policy Access requirements

A compensating control Explanation OBJ-5.1: Based on the question's wording, a compensating control would be most accurate for the given scenario. Compensating controls may be considered when an entity cannot meet a requirement explicitly, as stated due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement by implementing other controls. Access requirements are a form of logical controls that can be implemented to protect a system and could be a form of compensating control if used appropriately. A policy is a statement of intent and is implemented as a procedure or protocol within an organization. An engineering tradeoff is a situational decision that involves diminishing or losing one quality, quantity, or property of a set or design in return for gains in other aspects. Often, an engineering tradeoff occurs when we trade security requirements for operational requirements or vice versa.

Based on some old SIEM alerts, you have been asked to perform a forensic analysis on a given host. You have noticed that some SSL network connections are occurring over ports other than port 443. The SIEM alerts indicate that copies of svchost.exe and cmd.exe have been found in the host's %TEMP% folder. The logs indicate that RDP connections have previously connected with an IP address that is external to the corporate intranet, as well. What threat might you have uncovered during your analysis? DDoS Software vulnerability Ransomware APT

APT Explanation OBJ-1.2: The provided indicators of compromise appear to be from an Advanced Persistent Threat (APT). These attacks tend to go undetected for several weeks or months and utilize secure communication to external IPs and Remote Desktop Protocol connections to provide the attackers with access to the infected host. While an APT might use a software vulnerability to gain their initial access, the full description provided in the question that includes the files being copied and executed from the %TEMP% folder and the use of SSL/RDP connections indicates longer-term exploitation, such as one caused by an APT.

What type of threat actor is highly funded and often backed by nation-states? Hacktivist Script Kiddies APT Insider Threat

APT Explanation OBJ-1.5: Advanced Persistent Threats are a group of hackers with great capability and intent. Nation-states and other large organizations often fund them to conduct highly covert hacks over a long period of time for political or economic gain. Script kiddies are people who use existing computer scripts or code to hack into computers, lacking the expertise to write their own. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. A hacktivist is someone who uses hacking to bring about political and social change.

Every new employee at Dion Training must sign a document to show they understand the proper rules for using the company's computers. This document states that the new employee has read the policy that dictates what can and cannot be done from the corporate workstations. Which of the following documents BEST describes this policy? SLA AUP MOU SOW

AUP Explanation OBJ-5.3: An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the internet. For example, an AUP may state that they must not attempt to break any computer network security, hack other users, or visit pornographic websites from their work computer. A service level agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including reasons the contract may be terminated. A statement of work (SOW), or a scope of work, is a document that outlines all the work that is to be performed, as well as the agreed-upon deliverables and timelines. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange.

Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation? Passive network monitoring Non-credentialed scanning Agent-based scanning Server-based scanning

Agent-based scanning Explanation OBJ-1.7: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization's network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring require a continuous network connection to collect the devices' configurations accurately.

Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company's computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement? Application hardening Application block list Disable removable media Application allow list

Application block list Explanation OBJ-3.2: You should create and implement an application block list that includes the Solitaire game on it. This will prevent the application from being able to be run on any corporate workstation. Application allow lists will allow only authorized applications to be run, while application block lists will prevent any application listed from being run. Application hardening involves updating and patching your software (not applicable to this question). Disabling removable media is a good practice, but it won't prevent the game that was already installed from being run from the hard drive. Application allow lists and block lists can be deployed to hosts on the network using a GPO update.

Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company's computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement? Application hardening Application allow list Disable removable media Application block list

Application block list Explanation OBJ-4.4: You should create and implement an application block list that includes the Solitaire game on it. This will prevent the application from being able to be run on any corporate workstation. Application allow lists will allow only authorized applications to be run, while application block lists will prevent any application listed from being run. Application hardening involves updating and patching your software (not applicable to this question). Disabling removable media is a good practice, but it won't prevent the game that was already installed from being run from the hard drive. Application allow lists and block lists can be deployed to hosts on the network using a GPO update.

What process is used to conduct an inventory of critical systems, components, and devices within an organization? Change management Vulnerability management Asset management Patch management

Asset management Explanation OBJ-5.3: An asset management process takes inventory of and tracks all the organization's critical systems, components, devices, and other valuable objects. It also involves collecting and analyzing information about these assets so that personnel can make more informed changes or otherwise work with assets to achieve business goals. Many software suites and associated hardware solutions are available for tracking and managing assets (or inventory).

You are helping to set up a backup plan for your organization. The current plan states that all of the organization's Linux servers must have a daily backup conducted. These backups are then saved to a local NAS device. You have been asked to recommend a method to ensure the backups will work when needed for restoration. Which of the following should you recommend? Create an additional copy of the backups in an off-site datacenter Set up scripts to automatically reattempt any failed backup jobs Attempt to restore to a test server from one of the backup files to verify them Frequently restore the server from backup files to test them

Attempt to restore to a test server from one of the backup files to verify them Explanation OBJ-2.5: The only way to fully ensure that a backup will work when needed is to restore the files from the backups. To do that, it is best to restore them to a test server since this will not affect your production environment.

A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store's public webserver. The analyst opens up the terminal on his Kali Linux workstation and uses netcat to gather some information. [root@kali] nc test.diontraining.com 80 HEAD / HTTP/1.1 HTTP/1.1 200 OK Date: Sun, 12 Jun 2020 14:12:45 AST Server: Apache/2.0.46 (Unix) (Red Hat/Linux) Last-modified: Thu, 16 Apr 2009 11:20:14 PST ETgag: "1986-69b-123a4bc6" Accept-Ranges: bytes Content-Length: 6485 Connection: close Content-Type: text/html What type of action did the analyst perform, based on the command and response above? SQL injection Cross-site scripting Banner grabbing Querying the Whois database

Banner grabbing Explanation OBJ-1.8: The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command "nc test.diontraining.com 80" was used to establish a connection to a target web server using netcat, then send an HTTP request (HEAD / HTTP/1.1). The response contains information about the service running on the webserver. In this example, the server software version (Apache 2.0.46) and the operating system (Red Hat Linux). Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications where malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A query to the WHOIS database would return information on the website owner, not the server's operating system.

What technology is NOT PKI x.509 compliant and cannot be used in various secure functions? SSL/TLS PKCS AES Blowfish

Blowfish Explanation OBJ-3.9: AES, PKCS, and SSL/TLS are all compatible with x.509 and can be used in a wide variety of functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature algorithm. SSL/TLS is used for secure key exchange.

Your smartphone begins to receive unsolicited messages while eating lunch at the restaurant across the street from your office. What might cause this to occur? Packet sniffing Geotagging Bluejacking Bluesnarfing

Bluejacking Explanation OBJ-1.4: Bluejacking sends unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. On the other hand, Bluesnarfing involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a limited range, so the attacker is likely within 10 meters of the victimized device. Geotagging involves embedding the geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.

(This is a simulated performance-based question.) You have been asked to help conduct a known environment penetration test. As part of your preparations, you have been given the source code for the organization's custom web application. Linux:~ diontraining$ cat DionCode.c void DionCode (char *varx) { char user input [20]; Strcopy (user - _input, varx); } Which type of vulnerability might be able to exploit the code shown in this image? Remote code execution SQL injection JavaScript injection Buffer overflow

Buffer overflow Explanation OBJ-1.2: The function DionCode may be subject to a buffer overflow as the user enters something over 20 characters as their input. In defining the char (character) type array, the programmer only allocated 20 characters worth of memory storage. To solve this problem, the programmer should create proper input validation to ensure that the input is less than 20 characters before passing the user_input variable to the strcpy (string copy) function.

Due to a worldwide pandemic in 2020 caused by the COVID-19 virus, Dion Training Solutions instituted teleworking for all of its employees. This was part of a preplanned response so that the company's students could continue to learn and receive support throughout the pandemic. Which of the following plans should contain the company's pandemic response plan? Incident response plan Rollback plan Business continuity plan Disaster recovery plan

Business continuity plan Explanation OBJ-4.2: The business continuity plan (BCP) contains a collection of processes that enable an organization to maintain normal business operations in the face of some adverse event. This event could be natural or man-made; as long as it affects the business operations, then the BCP should be activated. The development of the BCP is often referred to as continuity of operations planning (COOP). A disaster recovery plan focuses on procedures and steps to follow to recover a system or site to a working state. For example, if a power failure or a fire occurred, the site would have to be recovered to a working state again. In the pandemic example, the facility did not have a disaster to recover from. Still, the business operations were affected and needed to be modified to continue operations under the BCP.

(Sample Simulation - On the real exam for this type of question, you would have to fill in the blanks by dragging and dropping them into place.) Using the image provided, select four security features that you should use with a smartphone provided through a COPE policy in your organization? Remote wipe, Location tracking, Host-based firewall, Cable lock Cable lock, Network sniffer, Cellular data, Remote wipe MDM, Location tracking, Host-based firewall, Remote wipe Cellular data, Remote wipe, Location tracking, MDM

Cellular data, Remote wipe, Location tracking, MDM Explanation OBJ-3.5: Cellular data, Remote wipe, Location tracking, and MDM are all appropriate security features to use with a company-provided laptop. By using cellular data, your users will be able to avoid connecting to WiFi networks for connectivity. Remote wipe enables the organization to remotely erase the device's contents if it is lost or stolen. Location tracking uses the smart phone's GPS coordinates for certain apps, location-based authentication, and to track down a device if it is lost or stolen. Mobile device management (MDM) programs enable the administrators to remotely push software updates, security policies, and other security features to the device from a centralized server.

Which of the following elements is LEAST likely to be included in an organization's data retention policy? Minimum retention period Description of information that needs to be retained Maximum retention period Classification of information

Classification of information Explanation OBJ-4.2: Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization's data classification policy.

You work for a bank interested in moving some of its operations to the cloud, but it is worried about security. You recently discovered an organization called CloudBank that was formed by 15 local banks as a way for them to build a secure cloud-based environment that can be accessed by the 15 member banks. Which cloud model BEST describes the cloud created by CloudBank? Public cloud Private cloud Hybrid cloud Community cloud

Community cloud Explanation OBJ-2.2: Community Cloud is another type of cloud computing in which the cloud setup is shared manually among different organizations that belong to the same community or area. A multi-tenant setup is developed using the cloud among different organizations belonging to a particular community or group with similar computing concerns. For joint business organizations, ventures, research organizations, and tenders, a community cloud is an appropriate solution. Based on the description of 15 member banks coming together to create the CloudBank organization and its cloud computing environment, a community cloud model is most likely described. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.

During a vulnerability scan of your network, you identified a vulnerability on an appliance installed by a vendor on your network under an ongoing service contract. You do not have access to the appliance's operating system as the device was installed under a support agreement with the vendor. What is your best course of action to remediate or mitigate this vulnerability? Mark the identified vulnerability as a false positive Wait 30 days, run the scan again, and determine if the vendor corrected the vulnerability Try to gain access to the underlying operating system and install the patch Contact the vendor to provide an update or to remediate the vulnerability

Contact the vendor to provide an update or to remediate the vulnerability Explanation OBJ-1.6: You should contact the vendor to determine if a patch is available for installation. Since this is a vendor-supported appliance installed under a service contract, the vendor is responsible for the appliance's management and security. You should not attempt to gain access to the underlying operating system to patch the vulnerability yourself, as this could void your warranty and void your service contract. Based on the information provided, there is no reason to believe that this is a false positive, either. You should not simply wait 30 days and rerun the scan, as this is a non-action. Instead, you should contact the vendor to fix this vulnerability. Then, you could rerun the scan to validate they have completed the mitigations and remediations.

Last week, your organization was the victim of a cyber attack. The attack's root cause was investigated and found to be due to a missing patch on your Windows 2016 server for the EternalBlue exploit. The organization's vulnerability management team has rescanned the network and identified all the machines missing this critical patch. These systems were then patched, and the network was rescanned to verify the patch was installed properly. Which of the following types of controls would you classify the installation of this patch as? Compensating Deterrent Detective Corrective

Corrective Explanation OBJ-5.1: A corrective control is one that responds to and fixes an incident. A corrective control can also help to prevent the incident's reoccurrence. A compensating control fixes the root cause of an attack but instead adds additional layers of protection if the root cause cannot be fixed to mitigate the risk. Detective control is used to identify and record any attempted or successful intrusion, not prevent or deter access. A deterrent control is used to discourage an attacker from attempting an intrusion psychologically.

Which of the following is NOT a means of improving data validation and trust? Implementing Tripwire Decrypting data at rest Encrypting data in transit Using MD5 checksums for files

Decrypting data at rest Explanation OBJ-2.1: Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation, or trust since the data at rest could be modified when decrypted.

You are working as part of a penetration testing team during an assessment of Dion Training's headquarters. Your boss has requested that you search the company's recycling bins for any information that might be valuable during the reconnaissance phase of your attack. What type of social engineering method are you performing? Impersonation Phishing Dumpster diving Whaling

Dumpster diving Explanation OBJ-1.1: Dumpster diving involves searching through publicly accessible garbage cans or recycling bins to find discarded paper, manuals, or other valuable types of information from a targeted company. This is often done as part of the reconnaissance phase before an attack is performed. Whaling is an email-based or web-based form of phishing that targets senior executives or wealthy individuals. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Impersonation is the act of pretending to be someone or something else. Malicious actors often couple pretexting and impersonation to craft a believable scenario and impersonate people in authority during a social engineering attack.

You have just finished running a vulnerability scan of the network and are reviewing the results. The first result in the report shows the following vulnerability: Linux:~ diontraining$ cat results.txt Vulnerability scanning results.. IP: 192.168.2.51 Service: MySQL Version: 3.1.7 Details: Versions 3.0 - 3.2 may be vulnerable to remote code execution. Recommendation: Upgrade the MySQL server to version 3.3.x or above. You log into the MySQL server and verify that you are currently running version 3.5.3. Based on the item shown on the image, what best describes how you should categorize this finding? True negative False negative True positive False positive

False positive Explanation OBJ-1.7: You should categorize the results as a false positive. Based on the scenario and output, your server is not vulnerable to a remote code execution for the identified vulnerability. You are already running MySQL v3.5.3 that is greater than v3.3.x or above. This indicates that the vulnerability scanner falsely identified your MySQL version as an earlier and more vulnerable version. The system incorrectly identified a vulnerability, but the vulnerability doesn't exist on your system. Therefore this is a false positive.

Jack is assessing the likelihood of reconnaissance activities being performed against his organization. Which of the following would best classify the likelihood of a port scan being conducted against his DMZ? High Low Medium None

High Explanation OBJ-5.4: Since Jack's DMZ would contain systems and servers exposed to the Internet, there is a high likelihood that they are constantly being scanned by potential attackers performing reconnaissance.

(Sample Simulation - On the real exam for this type of question, you would have to fill in the blanks by dragging and dropping them into place.) Using the image provided, select four security features that you should use with a workstation or laptop within your organization? Host-based firewall, Network sniffer, Cable lock, CAT5e STP Remote wipe, Location tracking, Host-based firewall, Cable lock CAT5e STP, Location tracking, Host-based firewall, Remote wipe Cable lock, Network sniffer, Host-based firewall, Remote wipe

Host-based firewall, Network sniffer, Cable lock, CAT5e STP Explanation OBJ-3.5: Host-based firewall, Network sniffer, a Cable lock, and CAT5e STP cables are appropriate security features to use with a corporate workstation or laptop. Using a host-based firewall (such as Windows Firewall), you can configure the workstation or laptop to block incoming or outgoing data from the device's network connection. If you install a network sniffer, you will be able to capture any network traffic used on the network for later analysis. If you use a cable lock, it will lock the workstation or laptop to a desk and prevent theft of the device. If you use a CAT 5e STP cable for your network connection, you will minimize EMI risk and reduce data emanations.

Which cloud computing concept is BEST described as focusing on the replacement of physical hardware at a customer's location with cloud-based resources? SECaaS IaaS PaaS SaaS

IaaS Explanation OBJ-2.2: Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center. If you purchase a server in the cloud and then install and manage the operating system and software, this is Iaas. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Security as a service is a business model in which a service provider integrates their security services into a corporate infrastructure on a subscription basis more cost-effectively than most individuals or corporations can provide on their own when the total cost of ownership is considered.

A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? Scan the laptops for vulnerabilities and patch them Require 2FA (two-factor authentication) on the laptops Increase the encryption level of VPN used by the laptops Implement a jumpbox system

Implement a jumpbox system Explanation OBJ-3.3: A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an air gap, or using a jumpbox.

Which of the following secure coding best practices ensures special characters like <, >, /, and ' are not accepted from the user via a web form? Input validation Error handling Output encoding Session management

Input validation Explanation OBJ-3.2: Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page.

A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not related to actual vulnerabilities, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive? A finding that shows the scanner compliance plug-ins are not up-to-date An HTTPS entry that indicates the web page is securely encrypted Items classified by the system as Low or as For Informational Purposes Only A scan result that shows a version that is different from the automated asset inventory

Items classified by the system as Low or as For Informational Purposes Only Explanation OBJ-1.7: When conducting a vulnerability scan, it is common for the report to include some findings that are classified as "low" priority or "for informational purposes only." These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. "An HTTPS entry that indicates the web page is securely encrypted" is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.

You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario? Jumpbox Bastion hosts Airgap Physical

Jumpbox Explanation OBJ-3.3: Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox only runs the necessary administrative port and protocol (typically SSH). Administrators connect to the jumpbox then use the jumpbox to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the jumpbox) and denies any other hosts' connection attempts. A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application. For example, a proxy server and all other services are removed or limited to reduce the threat to the computer. An airgap system is a network or single host computer with unique security requirements that may physically be separated from any other network. Physical separation would prevent a system from accessing the remote administration interface directly and require an airgap system to reach the private cloud.

Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach? The company will have less control over the SIEM A VM escape exploit could allow an attacker to gain access to the SIEM Legal and regulatory issues may prevent data migration to the cloud The company will be dependent on the cloud provider's backup capabilities

Legal and regulatory issues may prevent data migration to the cloud Explanation OBJ-2.2: If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud. The other options presented are all low risk and can be overcome with proper planning and mitigations. Most cloud providers have degrees of redundancy far above what any individual on-premises provider will be able to generate, making the concern over backups a minimal risk. If the SIEM is moved to a cloud-based server, it could still be operated and controlled in the same manner as the previous on-premise solution using a virtualized cloud-based server. While a VM or hypervisor escape is possible, they are rare and can be mitigated with additional controls.

Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat? MITRE ATT&CK framework Diamond Model of Intrusion Analysis Lockheed Martin cyber kill chain OpenIOC

MITRE ATT&CK framework Explanation OBJ-4.2: The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Diamond Model provides an excellent methodology for communicating cyber events and allowing an analyst to implicitly derive mitigation strategies. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate them. OpenIOC contains a depth of research on APTs but does not integrate the detection and mitigation strategy.

Dion Training is in early discussions with a large university to license its cybersecurity courses as part of their upcoming semester. Both organizations have decided to enter into an exploratory agreement while negotiating the detailed terms of the upcoming contract. Which of the following documents would best serve this purpose? ISA SLA MOU NDA

MOU Explanation OBJ-5.3: A Memorandum of understanding (MOU) is used as a preliminary or exploratory agreement to express their intent for the two companies to work together. A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which a service is provided. The interconnection security agreement (ISA) governs the relationship between any federal agency and a third party interconnecting their systems. A non-disclosure agreement (NDA) is the legal basis for protecting information assets.

You have been asked to write a new security policy to reduce the risk of employees working together to steal information from the Dion Training corporate network. Which of the following policies should you create to counter this threat? Acceptable use policy Mandatory vacation policy Privacy policy Least privilege policy

Mandatory vacation policy Explanation OBJ-5.3: A mandatory vacation policy requires that all users take time away from work to enjoy a break from their day to day routine of their jobs. But, there is a major side benefit to mandatory vacations regarding your company's security posture. It will require the company to have another employee fill in for the vacationing employee's normal roles and responsibilities by requiring mandatory vacations. The employee who is filling in might come across fraud, abuse, or theft that the vacationing employee is a part of. The concept of least privilege may not stop this theft from occurring since two employees could work together to steal information that they have access to as part of their job. Also, acceptable use outlines the types of activities allowed and not allowed; it won't prevent theft from occurring. A privacy policy discusses how information should be properly stored and secured, but this won't stop an employee from stealing information or detecting the stolen information.

Which security control would prevent unauthorized users from connecting to a company's wireless network? NAC Firewall Segmentation IPS

NAC Explanation OBJ-3.3: Network Access Control (NAC) prevents unauthorized users from connecting to a network. Firewalls and intrusion prevention systems (IPS) are meant to restrict access from external sources and block known attacks. They would not keep out an intruder who is already in range of the wireless network. Network segmentation would limit the access that an intruder has to network resources but would not block the connection itself.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) How would you appropriately categorize the authentication method being displayed here? (Note: the hardware token is being by itself used for authentication.) One-time password authentication PAP authentication Multifactor authentication Biometric authentication

One-time password authentication Explanation OBJ-2.4: For the exam, you need to know the different categories of authentication and what type of authentication methods belong to each category. A hardware security token like the one displayed creates a one-time use password by presenting the user with a random string of numbers that changes every 30-60 seconds. When used by itself, it is considered a one-time password authentication method. If combined with a username and password, it would become a multi-factor authentication scheme.

Which of the following cryptographic algorithms is classified as asymmetric? 3DES RC4 PGP AES

PGP Explanation OBJ-2.8: Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions and to increase the security of email communications. PGP is a public-key cryptosystem and relies on an asymmetric algorithm. AES, RC4, and 3DES are all symmetric algorithms.

Which cloud computing concept is BEST described as focusing on replacing the hardware and software required when creating and testing new applications and programs from a customer's environment with cloud-based resources? PaaS SECaaS IaaS SaaS

PaaS Explanation OBJ-2.2: Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center. Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Security as a service is a business model in which a service provider integrates their security services into a corporate infrastructure on a subscription basis more cost-effectively than most individuals or corporations can provide on their own when the total cost of ownership is considered.

You want to create a new mobile application and develop it in the cloud. You just signed up for a cloud-based service provider's offering to allow you to develop it using their programming environment. Which of the following best describes which type of service you have just purchased? SaaS PaaS DaaS IaaS

PaaS Explanation OBJ-2.2: Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center. Software as a Service (SaaS) is ca loud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses focused on increasing their security and minimizing their operational expenses.

Which type of monitoring would utilize a network tap? Active Passive Router-based SNMP

Passive Explanation OBJ-3.3: Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. Active monitoring relies on scanning targeted systems, not a network tap. Router-based monitoring would involve looking over the router's logs and configuration files. SNMP is used to monitor network devices but is considered active monitoring and doesn't rely on network taps.

What technique is an attacker using if they review data and publicly available information to gather intelligence about the target organization without scanning or other technical information-gathering activities? Passive reconnaissance Patch management Vulnerability scanning Active scanning

Passive reconnaissance Explanation OBJ-1.8: Passive reconnaissance combines publicly available data from various sources about an organization and does not use active scanning or data gathering methods. Vulnerability scanning is an inspection of the potential points of exploitation on a computer or network to identify security holes. A vulnerability scan is usually conducted to detect and classify system weaknesses in computers, networks, and communications equipment and predict the effectiveness of countermeasures. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.

Marta's organization is concerned with the vulnerability of a user's account being vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability? Password history Password complexity Minimum password length Password expiration

Password expiration Explanation OBJ-3.7: A password expiration control in the policy would force users to change their passwords at specific time intervals. This will then lock out a user who types in the incorrect password or create an alter that the user's account has been potentially compromised. While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario. It states the issue is based on time. Password history is used to determine the number of unique passwords a user must use before using an old password again. The Passwords must meet complexity requirements. The policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack.

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output: What type of attack was most likely being attempted by the attacker? Session hijacking Password spraying Impersonation Credential stuffing

Password spraying Explanation OBJ-1.2: Password spraying refers to the attack method that takes many usernames and loops them with a single password. We can use multiple iterations using many different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraud. Credential stuffing is the automated injection of breached username/password pairs to gain user accounts access fraudulently. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack the account for their purposes. Session hijacking exploits a valid computer session to gain unauthorized access to information or services in a computer system.

(Sample Simulation - On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Based on the image provided, what type of attack is occurring? Smurf attack DDoS SYN flood Ping flood

Ping flood Explanation OBJ-1.4: A Ping flood occurs when an attacker attempts to flood the server by sending too many ICMP echo request packets (known as pings). This image is a graphical depiction of this type of attack.

You are working as a security administrator and need to respond to an ongoing spearphishing campaign against your organization. Which of the following should be used as a checklist of actions to perform to detect and respond to this particular incident? Incident response plan Disaster recovery plan Runbook Playbook

Playbook Explanation OBJ-4.4: A playbook is a checklist of actions to perform to detect and respond to a specific type of incident. Your organization will have playbooks for phishing attempts, privilege escalation, and other specific types of incidents. A runbook is an automated version of a playbook used by a SOAR to have the system conduct as many steps as possible. DRP is a disaster recovery plan focused on the response to a natural or man-made disaster, not an incident. An incident response plan is a generic document for the overall steps of incident response. Therefore, it doesn't apply to a specific type of incident. This is a hard question because all four terms are very closely related to incidents and disasters.

You are reviewing the logs in your HIDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred? Port scan SYN flood UDP probe The remote host cannot find the right service port

Port scan Explanation OBJ-4.1: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create an SYN scan across every port in the range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service. An SYN flood normally sends many SYNs to a single system. Still, it doesn't send them to unused ports, and a UDP probe will not send SYN packets.

(This is a simulated performance-based question.) You are working as a help desk technician and received a call from a user who complains about their computer's performance has slowed down over the last week since they installed a new free video game on the computer. As part of your troubleshooting efforts, you enter the command prompt in Windows and run the following command: Based on the output provided, what type of malware may have been installed on this user's computer? Worm Spam RAT Keylogger

RAT Explanation OBJ-1.2: Based on the scenario and the output provided, the best choice is a RAT. A RAT is a Remote Access Trojan, and it is usually installed accidentally by a user when they install free software on their machine that has a RAT embedded into it. The first two output lines show that ports 135 and 445 are open and listening for an inbound connection (typical of a RAT). This is not an example of a worm because the user admitted to installing a free program, and worms can install themselves and continue to send data outbound across the network to continue to spread. There is no indication in the scenario that a keylogger is being used, nor that spam (unsolicited emails) has been received.

Which of the following cryptographic algorithms is classified as asymmetric? AES DES RSA RC4

RSA Explanation OBJ-2.8: RSA (Rivest-Shamir-Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm. AES, RC4, and DES are all symmetric algorithms.

You have been hired as a consultant by Dion Training to review their current disaster recovery plans. The CEO has requested that the plans ensure that the company can limit downtime in the event of a disaster. Still, due to staffing concerns, he cannot approve the budget to implement or maintain a fully redundant offsite location to ensure 99.999% availability. Based on that limitation, what should you recommend to the CEO? Retain all hardware at their office building but ship their backups to an offsite facility for storage Install a set of redundant servers to another part of the company's office building Retain their backups in their office building but install redundant services in a collocated data center within a different company Redundant hardware be maintained at the offsite location and configured to be ready for the recovery of the company's backup data when needed

Redundant hardware be maintained at the offsite location and configured to be ready for the recovery of the company's backup data when needed Explanation OBJ-2.1: A warm site provides some of a hot site's capabilities, but it requires the customer to do more work to become operational. Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations. For most organizations, a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement. By placing your redundant hardware at the offsite location and configuring it to be ready for recovery when needed, the company can have a higher availability level than a cold site but not have the full personnel costs involved with a hot site. A hot site would ensure that the offsite location has all the hardware, equipment, personnel, and data installed and ready to provide services at all times. Maintaining a hot site is much more expensive than a warm site. It is not recommended that your redundant servers are located within the same building since a fire, flood, or other disaster could destroy your primary and redundant capabilities. Retaining the hardware at the office building but shipping the backups offsite is more in line with a cold site description. This would also not provide high availability levels since the systems would need to be set up, configured, and made ready for use.

Which of the following type of threats did the Stuxnet attack rely on to cross an air gap between a business and an industrial control system network? Cross-site scripting Directory traversal Removable media Session hijacking

Removable media Explanation OBJ-2.7: Air gaps are designed to remove connections between two networks to create physical segmentation between them. The only way to cross an air gap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside the web server's root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an air gap.

You have been asked to install a computer in a public workspace. Only an authorized user should use the computer. Which of the following security requirements should you implement to prevent unauthorized users from accessing the network with this computer? Issue the same strong and complex password for all users Remove the guest account from the administrator group Require authentication on wake-up Disable single sign-on

Require authentication on wake-up Explanation OBJ-3.8: To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever the computer is woken up. Therefore, if an authorized user walks away from the computer and goes to sleep when another person tries to use the computer, it will ask for a username and password before granting them access to the network. A screen lock can secure the desktop with a password while leaving programs running if a user walks away, as well. Single sign-on (SSO) is a type of mutual authentication for multiple services that can accept the credential from one domain or service as authentication for other services. A guest account is a Microsoft Windows user account with limited capabilities, no privacy, and is disabled by default. Using the same password for all users is considered extremely poor security and should not be done.

Which type of method is used to collect information during the passive reconnaissance? API requests and responses Reviewing public repositories Network traffic sniffing Social engineering

Reviewing public repositories Explanation OBJ-1.8: Passive reconnaissance focuses on collecting information that is widely and openly available from publicly available sources. While network traffic sniffing is considered passive, gaining access to the network to place a sniffer in a good network tap location would not be considered passive. Of the choices provided, publicly accessible sources are the best answer to choose. Collecting API requests and responses would involve a penetration tester sending data to a given server and analyzing the responses received, which is considered an active reconnaissance method. Social engineering is also an active reconnaissance technique that uses deception to trick a user into providing information to an attacker or penetration tester.

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database? SQL injection Cross-site scripting Buffer overflow Denial of service

SQL injection Explanation OBJ-1.3: A SQL injection poses the most direct and more impactful threat to an organization's database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to sensitive information disclosure. A buffer overflow attack attempts to overwrite the memory buffer to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn't intended to disclose information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow for other malicious code running. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack typically is focused on the user, not the server or database.

An analyst just completed a port scan and received the following results of open ports: Nap scan report for dion server (192.168.1.10) Host is up (0.132452s latency) Not shown: 994 closed ports PORT STATE 80/TCP OPEN 110/TCP OPEN 443/TCP OPEN 1433/TCP OPEN 3306/TCP OPEN 3389/TCP OPEN Based on these scan results, which of the following services are NOT currently operating? SSH RDP Web Database

SSH Explanation OBJ-4.3: Based on the port numbers shown as open in the nmap scan results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389.

What is a major security risk that could occur when you comingle hosts/servers with different security requirements in a single network? Zombie attacks Password compromises Security policy violations Privilege creep

Security policy violations Explanation OBJ-5.3: A network is only as strong as its weakest link (or host/server). When you comingle hosts/servers, there is a large risk that security policy violations could occur. This is because users may be used to following a less stringent security policy for one set of machines and carry over those procedures to a machine that should have had stronger security policies.

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders? Background checks Separation of duties Mandatory vacation Dual control

Separation of duties Explanation OBJ-5.3: This organization uses separation of duties to ensure that neither Kirsten nor Bob can exploit the organization's ordering processes for their gain. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Mandatory vacation policies require employees to take time away from their job and detect fraud or malicious activities. A background check is a process a person or company uses to verify that a person is who they claim to be and provides an opportunity for someone to check a person's criminal record, education, employment history, and other past activities to confirm their validity.

A web developer wants to protect their new web application from an on-path attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies? Hashing the cookie value Setting the secure attribute on the cookie Forcing the use of TLS for the web application Forcing the use of SSL for the web application

Setting the secure attribute on the cookie Explanation OBJ-3.2: When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still need to set the cookie's Secure attribute. Hashing the cookie provides the cookie's integrity, not confidentiality; therefore, it will not solve the issue presented by this question.

Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually, through a token-based key fob or smartphone app, that automatically expires after a short period of time (for example, 60 seconds)? HOTP EAP TOTP Smart card

TOTP Explanation OBJ-2.4: The Time-based One-time Password Algorithm (TOTP) is a refinement of the HOTP. One issue with HOTP is that tokens can be allowed to persist unexpired, raising the risk that an attacker might obtain one and decrypt data in the future. In TOTP, the HMAC is built from the shared secret plus a value derived from the device's and server's local timestamps. TOTP automatically expires each token after a short window (60 seconds, for instance).

Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as? Physical controls Technical controls Compensating controls Administrative controls

Technical controls Explanation OBJ-5.1: Firewalls, intrusion detection systems, and a RADIUS server are all examples of technical controls. Technical controls are implemented as a system of hardware, software, or firmware. Administrative controls involve processes and procedures. Physical controls include locks, fences, and other controls over physical access. Compensating controls are controls that are put in place to cover any gaps and reduce the risk remaining after using other controls.

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts? File formats used by some hypervisors cannot be analyzed with traditional forensic tools All log files are stored within the VM disk image, therefore, they are lost The attack widely fragmented the image across the host file system You will need to roll back to an early snapshot and then merge any checkpoints to the main image

The attack widely fragmented the image across the host file system Explanation OBJ-4.5: Due to the VM disk image's deletion, you will now have to conduct file carving or other data recovery techniques to recover and remediate the virtualized server. If the server's host uses a proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools. The attacker may have widely fragmented the image across the host file system when they deleted the disk image. VM instances are most useful when they are elastic (meaning they optimally spin up when needed) and then destroyed without preserving any local data when security has performed the task, but this can lead to the potential of lost system logs. To prevent this, most VMs also save their logs to an external Syslog server or file. Virtual machine file formats are image-based and written to a mass storage device. Depending on the configuration and VM state, security must merge any checkpoints to the main image, using a hypervisor tool, not recovery from an old snapshot, and then roll forward. It is possible to load VM data into a memory analysis tool, such as Volatility. However, some hypervisors' file formats require conversion first, or they may not support the analysis tool.

You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing? The backup is a differential backup The backup is stored in iCloud. The backup was interrupted The backup is encrypted

The backup is a differential backup Explanation OBJ-2.5: iPhone/iPad backups can be created as full or differential backups. In this scenario, the backup being analyzed is likely a differential backup containing the information that has changed since the last full backup. If the backup were encrypted, you would be unable to read any of the contents. If the backup were interrupted, the backup file would be in an unusable state. If the backup were stored in iCloud, you would need access to their iCloud account to retrieve and access the file. Normally, during an investigation, you will not have access to the user's iCloud account.

Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works at the marketing department in the company's German headquarters, just emailed all their customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any? There was no privacy violation because only corporate employees had access to their email addresses There was a privacy violation since data minimization policies were not followed properly There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receive marketing emails There was no privacy violation since the customers were emailed securely through the customer relationship management tool

There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receive marketing emails Explanation OBJ-5.2: According to the European Union's General Data Protection Regulation (GDPR), personal data collected can only be used for the exact purpose in which explicit consent was obtained. To use email addresses for marketing purposes, separate explicit consent should have been obtained. Since the company operates in Germany, it must follow the GDPR privacy standard. Even if a company doesn't operate within the European Union, its customers might be European Union citizens, and therefore the company should still optional follow the GDPR guidelines. While data minimization is a good internal policy to utilize, not following it doesn't equate to a privacy violation or breach. Data minimization is the principle that data should only be processed and stored, if necessary, to perform the purpose for which it is collected. The option concerning the customer relationship management (CRM) tool is a distractor since the issue is using the data in ways that were not consented to by the customer, not which system the email was sent through. A privacy violation can occur when corporate employees view data if those employees do not have a need to know, a valid business requirement to use the data, or consent from the customer to use the data for a specific purpose (as was the case in this scenario).

Jennifer decided that the licensing cost for a piece of video editing software was too expensive. Instead, she decided to download a keygen program to generate a license key and install a pirated version of the editing software. After she runs the keygen, a license key is created, but her system performance becomes very sluggish, and her antimalware suite begins to display numerous alerts. Which type of malware might her computer be infected with? Adware Trojan Logic bomb Worm

Trojan Explanation OBJ-1.2: A trojan is a program in which malicious or harmful code is contained inside a harmless program. In this example, the harmless program is the key generator (which does create a license key). It also has malicious code inside it causing the additional alerts from the antimalware solution. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system. A worm is a standalone malware computer program that replicates itself to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. A worm can spread on its own, whereas a virus needs a host program or user interaction to propagate itself. A logic bomb is a malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed, or on a specific date. Adware is software that displays unwanted advertisements on your computer.

Which of the following cryptographic algorithms is classified as symmetric? RSA Diffie-Hellman Twofish ECC

Twofish Explanation OBJ-2.8: Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. ECC, RSA, and Diffie-Hellman are all asymmetric algorithms.

Your organization has recently been the target of a spearphishing campaign. You have identified the website associated with the link in the spearphishing emails and want to deny access to it. Which of the following techniques would be the MOST effective in this situation? URL filter Containment Application blocklist Quarantine

URL filter Explanation OBJ-4.4: A URL filter can be used to block a website based on its website address or universal resource locator (URL). This is not a containment technique but a blocking and filtering technique. Quarantine would be used against an infected machine, and it would not be effective against trying to block access to a given website across the entire organization. An application blocklist is used to prevent an application from running, so this cannot be used to block a single malicious or suspicious website or URL.

Karen lives in an area that is prone to hurricanes and other extreme weather conditions. She asks you to recommend an electrical conditioning device that will prevent her files from being corrupted if the building's power is unstable or lost. Additionally, she would like the computer to maintain power for up to an hour of uptime to allow for a graceful shutdown of her programs and computer. Which of the following should you recommend? Power distribution unit Uninterruptible power supply Surge protector Line conditioner

Uninterruptible power supply Explanation OBJ-2.5: An uninterruptible power supply or uninterruptible power source (UPS) is an electrical apparatus that provides emergency power to a load when the input power source becomes too low or the main power fails. A UPS provides near-instantaneous protection from input power interruptions by using a battery backup. The on-battery run-time of most uninterruptible power sources is usually short (less than 60 minutes) but sufficient to properly shut down a computer system. A line conditioner is a device that adjusts voltages in under-voltage and overvoltage conditions to maintain a 120 V output. Line conditioners raise a sag or under-voltage event back to normal levels, but they cannot protect the line from a complete power failure or power outage. A surge protector defends against possible voltage spikes that could damage your electronics, appliances, or equipment. A power strip will not protect against voltage spikes. A UPS or line conditioner could protect against voltage spikes, but they cost much more than a surge protector. A power distribution unit (PDU) is a device designed to provide power to devices that require power, and may or may not support remote monitoring and access.

Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated? Vulnerability scanning IPS WAF Encryption

WAF Explanation OBJ-3.3: WAF (web application firewall) is the best option since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue. Therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping an SQL injection. An intrusion prevention system (IPS) is designed to protect network devices based on ports, protocols, and signatures. It would not be effective against an SQL injection and is not considered a compensating control for this vulnerability.

You are installing a new wireless network in your office building and want to ensure it is secure. Which of the following configurations would create the MOST secure wireless network? WPA and MAC filtering WEP and TKIP WPA2 and AES WPA2 and RC4

WPA2 and AES Explanation OBJ-3.4: The most secure wireless network configuration utilizes WPA2 with AES encryption. WPA2 is the most secure wireless encryption standard listed as an option and has replaced both WPA and WEP. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that could probably break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. MAC filtering is the application of an access control list to a switch or access point so that only clients with approved MAC addresses connect.

Which of the following is the MOST secure wireless security and encryption protocol? WPA3 WPA WPA2 WEP

WPA3 Explanation OBJ-3.4: Wi-Fi protected access version 3 (WPA3) has replaced WPA2 as the most secure wireless encryption method. WPA3 uses the simultaneous authentication of equals (SAE) to increase the security of preshared keys. WPA3 provides the enhanced open mode that encrypts transmissions from a client to the access point when using an open network. WPA3 Enterprise mode supports the use of AES with the Galois/counter mode protocol (GCMP-256) for the highest levels of encryption. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key.

Dion Training wants to reduce the management and administrative costs of using multiple digital certificates for all of their subdomains of diontraining.com. Which of the following solutions would allow the company to use one digital certificate for all of its subdomains? OCSP Wildcards CRL Key escrow

Wildcards Explanation OBJ-3.9: Wildcards are certificates that allow your company unlimited subdomains on a parent domain. Object identifiers identify an object. Key escrow is for key storage. OCSP is a protocol used to query CA about the revocation status of a certificate.

What type of malicious application does not require user intervention or another application to act as a host to replicate? Trojan Worm Virus Macro

Worm Explanation OBJ-1.2: A worm is a self-replicating type of malware that does not require user intervention or another application to act as a host for it to replicate. Viruses and Macros require user intervention to spread, and Trojans are hosted within another application that appears harmless.

You are analyzing the SIEM for your company's e-commerce server when you notice the following URL in the logs of your SIEM: https://www.diontraining.com/add to cart.php?itemId-5"+per ItemPrice="0.00"+quantity="100"+/><item+id="5&quantity=0 Based on this line, what type of attack do you expect has been attempted? Session hijacking Buffer overflow SQL injection XML injection

XML injection Explanation OBJ-1.3: This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application's intended logic. XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server's XML structure. The original XML structure would be: <addToCart> <item id="5" perItemPrice="50.00" quantity="1" /> </addToCart>. By using the URL above, this would be modified to the following: <addToCart> <item id="5" perItemPrice="0.00" quantity="10" /> <item id="5" perItemPrice="50.00" quantity="0" /> </addToCart>. The result would be that a new line was added in the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store's add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, shown by the bracketed data.

You have been asked to scan your company's website using the OWASP ZAP tool. When you perform the scan, you received the following warning: "The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved." You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below: <form action="authenticate.php"> Enter your username: <BR> <input type="text" name="user" value="" autofocus><BR> Enter your Password: <BR> <input type="password" name="pass" value="" maxlength="32"›<BR> <input type="submit" value-"submit"> </ form> Based on your analysis, which of the following actions should you take? You recommend that the system administrator pushes out a GPO update to reconfigure the web browsers security settings This is a false positive and you should implement a scanner exception to ensure you don't receive this again during your next scan You tell the developer to review their code and implement a bug/code fix You recommend that the system administrator disables SSL on the server and implements TLS instead

You tell the developer to review their code and implement a bug/code fix Explanation OBJ-2.3: Since your company owns the website, you can require the developer to implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE function to work on this website. The code change to perform is quite simple, simply adding "autocomplete=off" to the code's first line. The resulting code would be <form action="authenticate.php" autocomplete="off">.

Which command is used in the Linux terminal to change the permissions of a file? chmod chown sudo pwd

chmod Explanation OBJ-4.1: The chmod command sets the permissions of files or directories on a Linux system. A set of flags associated with each file determines who can access that file and how they can access it. These flags are called file permissions or modes. The command name chmod stands for change mode and it restricts the way a file can be accessed. The chown command is used to change the owner of the file, directory, or link in Linux. The pwd command displays the present working directory (current directory) path to the terminal or display. If you are working on a Linux system and are unsure of where you are in the directory structure, type "pwd" and hit enter to display the path to the screen. The sudo command allows programs to be executed as a superuser (known as the root user) or another user. The command's name is an abbreviation of the phrase "superuser do" and works on all Unix-based operating systems.

You are analyzing the following network utilization report because you suspect one of the servers has been compromised. Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further? dbsvr01 web01 marketing01 webdev02

dbsvr01 Explanation OBJ-1.6: Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.

What command should a forensic analyst use to make a forensic disk image of a hard drive? touch rm wget dd

dd Explanation OBJ-4.1: The dd tool is used to make bit by bit copies of a disk, drive, or partition. Once the image is created using dd, a hash of the file should be made and placed into evidence to validate the integrity of the disk image that was created. This will ensure that no modification occurs between the collection and analysis of the disk image. The wget command is a command-line utility for downloading files from the Internet. The touch command is a standard command used in the UNIX/Linux operating system used to create, change, and modify timestamps of a file. The rm command is used to delete one or more files or directories.

Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3? ip.proto==tcp http.request.method=="POST" http.request.method=="POST" && ip.dst==10.1.2.3 ip.dst==10.1.2.3

http.request.method=="POST" && ip.dst==10.1.2.3 Explanation OBJ-4.1: Filtering the available PCAP with just the http "post" methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both of these can minimize the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto==tcp filter would display all TCP traffic on a network, regardless of the port, IP address, or protocol being used. It would simply produce too much information to analyze.

Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them? netstat Wireshark nmap ping

nmap Explanation OBJ-4.1: Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. Also, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems. The netstat (network statistics) tool is a command-line utility that displays network connections for incoming and outgoing TCP packets, routing tables, and some network interface and network protocol statistics. Still, it cannot identify open ports and services on a host with their version numbers. The ping tool is used to query another computer on a network to determine whether there is a valid connection. Wireshark is an open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.

During a penetration test of your company's network, the assessor came across a spreadsheet with the passwords being used for several servers. Four of the passwords recovered are listed below. Which one is the weakest password and should be changed FIRST to increase the password's complexity? P@$$W0RD Pa55w0rd P@$$w0rd pa55word

pa55word Explanation OBJ-3.7: Password policies often enforce a mixture of standard character types, including uppercase letters, lowercase letters, numbers, and symbols. The option 'pa55word' is the weakest choice since it only includes lowercase letters and numbers. The option 'Pa55w0rd' is slightly more complex since it includes uppercase letters, lowercase letters, and numbers. The option 'P@$$W0RD is also similar in complexity since it includes uppercase letters, numbers, and special characters. The most secure option is 'P@5$w0rd' since it includes a mixture of uppercase letters, lowercase letters, numbers, and special characters.

During a penetration test of your company's network, the assessor came across a spreadsheet with the passwords being used for several servers. Four of the passwords recovered are listed below. Which one is the weakest password and should be changed FIRST to increase the password's complexity? Pa55w0rd P@$$W0RD pa55word P@$$w0rd

pa55word Explanation OBJ-3.7: Password policies often enforce a mixture of standard character types, including uppercase letters, lowercase letters, numbers, and symbols. The option 'pa55word' is the weakest choice since it only includes lowercase letters and numbers. The option 'Pa55w0rd' is slightly more complex since it includes uppercase letters, lowercase letters, and numbers. The option 'P@$$W0RD is also similar in complexity since it includes uppercase letters, numbers, and special characters. The most secure option is 'P@5$w0rd' since it includes a mixture of uppercase letters, lowercase letters, numbers, and special characters.


Set pelajaran terkait

Management 3020 Chapters 3, 4 & 5

View Set

Mankiw Brief Principals of Economics Chapter 16

View Set

prep 3 & 4: consequences of climate change

View Set

Chapter 16: Endocrine Glands & Abbreviations

View Set

Chapter 7 Positive Organizational Behavior Video Assignment

View Set

Psych 321 Ch. 4-7 Quiz Review Questions

View Set

Physiology: The Nervous System Extra Info

View Set

Prep U Chapter 34: Assessment and Management of Patients with Inflammatory Rheumatic Disorders

View Set