LESSON ONE


On a subnet with limited physical security, you're worried about ARP poisoning and DHCP spoofing attacks. What switch feature could help prevent both? DHCP snooping 802.1AE/MACsec Port security MAC filtering

802.1AE/MACsec (hop-by-hop authentication and encryption of every frame keeps an unauthorized device plugged into the link from injecting forged ARP replies or DHCP offers in the first place; in practice it is commonly paired with DHCP snooping, whose binding table is also what Dynamic ARP Inspection uses to drop spoofed ARP)

Sarbanes-Oxley Act of 2002 (SOX)

A US federal law designed to protect investors from fraudulent corporate accounting practices

Cloud Security Alliance Cloud Controls Matrix (CSA CCM)

A security framework that details 133 security controls for cloud services (CCM v3; v4 expanded the catalog to 197 control objectives)

World Wide Web Consortium (W3C)

A standards organization founded to develop and maintain interoperable standards for the World Wide Web (WWW) used by web browsers, servers, and other technologies

fault tolerance

A system designed to continue functioning if a hardware or software component fails

Which of the following statements is true regarding virtualization? It's difficult to create a snapshot of a VM. It's reasonably easy to maintain low availability for services hosted on a VM. A test VM is also useful for testing an operating system or application patches to make sure they don't introduce any problems. Virtual test environments are an ideal place to thoroughly test security controls after deploying them on the "real" network.

A test VM is also useful for testing an operating system or application patches to make sure they don't introduce any problems.

A company configures workstations only to run software on an approved list. What is this an example of? Block listing Hardening Sandboxing Allow listing

Allow listing

Which one of the following statements is not true about compensating controls under PCI DSS? Encrypt transmission of cardholder data across open public networks. Use and regularly update antivirus software or programs. Do not use vendor-supplied defaults for system passwords and other security parameters. Allow physical access to cardholder data.

Allow physical access to cardholder data

You have a lingering problem with mobile users who connect to untrusted Wi-Fi networks without enabling their VPN, out of forgetfulness or lack of technical knowledge. What technology might help solve the problem? ESP Full tunneling Secure shell Always-on VPN

Always-on VPN

Internet Engineering Task Force (IETF)

An open standards organization under the management of the Internet Society, consisting of volunteer contributors

When performing a penetration test, how would OSINT be classified as a resource? As a form of passive reconnaissance As a technique for identifying the operating systems and applications in use As an agreement among testing teams As a form of active reconnaissance

As a form of passive reconnaissance

A third-party team is going to formally examine your organization's overall security practices to make sure they meet regulatory compliance goals. Your organization may be fined if it fails. What would this verification process be called? Assessment Audit Certification Evaluation

Audit

Camilla wants to create an agreement defining the general relationship between business partners that defines how each organization shares profits, losses, property, and liability. What type of agreement should Camilla use? MOU NDA ISA BPA

BPA

What document specifically covers moving operations to a temporary site? DRP COOP BCP BIA

COOP

Assuming that all four roles exist separately at your company, who oversees strategic security needs, with a focus on organizational risk management? CCO CIO CPO CSO

CSO

Someone stole thousands of customer records from your organization's database. What aspect of security was primarily attacked? Availability Portability Confidentiality Integrity

Confidentiality

You're configuring a router and want it to check the properties of incoming traffic before passing it on. What will this require, at a minimum? Configuring routing tables Replacing the router with a firewall Removing default management credentials Configuring ACLs

Configuring ACLs

Which automated application-development process primarily reduces manual requirements during the auditing process? Continuous integration Continuous monitoring Continuous validation Continuous deployment Continuous delivery

Continuous validation

What are the mobile deployment models? Describe each

Corporate Owned, Business Only (COBO): Devices are purchased by the organization and used only for business purposes
Corporate Owned, Personally Enabled (COPE): Devices are company-issued and supported, but employees can use them for personal reasons too
Bring Your Own Device (BYOD): Employees can use personal devices for work purposes or within the company network
Choose Your Own Device (CYOD): Employees choose from a list of devices the company has approved for security features and support
Virtual Desktop Infrastructure (VDI): A client on the mobile device connects to a cloud-based virtual desktop environment under company control

You've taken up a contract helping to upgrade the existing industrial control network for an oil refinery. What network type should you expect to work with? IoT DCS VoIP SCADA

DCS

Your internal network is protected from Internet attacks by a Cisco firewall. To improve security, your supervisor suggests installing a Fortinet firewall between the Cisco firewall and the trusted LAN, then using the space between as a perimeter network. Which security principles does this promote? Each correct answer represents a complete solution. Choose all that apply. Availability Defense-in-depth Security by design Security by obscurity Vendor diversity

Defense-in-depth Vendor diversity

A new privacy law demands more robust protection for your customer database. First, you researched database security products to find which would reliably meet your needs. Now that you've selected and installed one, you're currently training administrators to perform integrity checks, update the software, and review logs for suspicious activities. What are you practicing? Due care Availability Negligence Regulatory compliance

Due Care

A US government agency plans to migrate some of its internally hosted data to a cloud-based service. You need to make sure the proposed vendor can meet the same security requirements as the current solution. What are you currently practicing? Each correct answer represents a complete solution. Choose all that apply. Due care Due diligence FISMA compliance GDPR compliance GLBA compliance

Due Diligence FISMA compliance

Which of the following are examples of threat vectors? Each correct answer represents a complete solution. Choose two. Passwords that are difficult to guess Email attachments Removable storage media A mantrap that only allows one person to pass through at a time A wireless LAN using AES for encryption

Email attachments Removable storage media

Your company has received an email that contained a virus attached. Later, you have realized that no alarm is raised as the email security solution that your company uses didn't detect the threat. Which of the following has occurred? False negative True positive True negative False positive

False negative

A security program alerts you of a failed login attempt to a secure system. On investigation, you learn the system's regular user accidentally had caps lock turned on. What kind of alert was it? False positive False negative True negative True positive

False positive

After finishing a full antimalware scan on all drives in a server, a technician is convinced an infection of some sort persists. Which of the following malware variants would have evaded the scan that was performed? Spyware RAT Trojan Fileless virus

Fileless virus

What is the EU regulation called that protects privacy and limits the transfer of personal data outside of the EU? GDPR ISO 27701 ISO 31000 CIS

GDPR

In the area of threat hunting, what is meant by intelligence fusion? Combining threat feeds from multiple sources into a single feed Considering threat advisories in addition to threat bulletins Gathering intelligence from multiple sources to feed advanced analytics Applying common threat intelligence to multiple disparate systems for greater efficiency

Gathering intelligence from multiple sources to feed advanced analytics

Your company is developing an application in which a private US-based hospital will allow patients to access their medical records online. Regardless of what other data the application handles, what kind of compliance do you already know you need to research? FERPA FISMA HIPAA PCI DSS

HIPAA

Which of the following key management solutions would be best for a multinational organization with a strong multi-cloud presence? HSMaaS HSM KMS Key escrow

HSMaaS

Your department just deployed some fake DNS servers which only interact with automated scripts, never legitimate clients. When they receive unexpected requests, they send an alert to the SIEM. What technique is being used? IPS NGFW Sinkhole Honeypot

Honeypot

Which of the following statements concerning hybrid warfare is a false statement? Hybrid warfare requires human-to-human interaction. Hybrid warfare can include conventional warfare. Hybrid warfare may include the use of social media. Hybrid warfare includes acts of terrorism and insurgencies.

Hybrid warfare requires human-to-human interaction.

IP Spoofing

IP spoofing is forging the source IP address in packet headers so that traffic appears to come from a different, usually trusted, host. It is a building block of other attacks, such as TCP connection hijacking and reflected denial of service, rather than a synonym for them. The usual countermeasure is ingress and egress filtering on routers: drop any packet whose source address could not legitimately have arrived on that interface.

You're receiving many unauthorized network scans using methods carefully designed to bypass existing firewall rules. What device or feature would be the best way to recognize and block those scans? IDS Application layer firewall IPS Stateful firewall

IPS

Which of the following uses machine-readable definition files to generate and deploy service components in an automated process? IaC VPC EBS IoT

IaC

On a security forum, you learned that a competitor suffered a data breach when an industrial spy bypassed cloud-security policies by downloading sensitive data from a company Google Docs account and sharing it on a personal Google Docs account. Your organization commonly shares sensitive information internally using Google Docs on corporate accounts, and you also share less sensitive data with customers and partners using the service. What security control could prevent this same fate from befalling your organization with minimal disruption to business practices? Instance awareness Security groups Containerization API inspection

Instance awareness

MAC spoofing

It alters the source MAC address that is used to identify physical devices on local networks.

MAC flooding

It is used to compromise the security of a network switch by overwriting its MAC table cache.

MAC cloning

It is used to impersonate another device on the same network by copying its MAC address.

Caller ID spoofing

It spoofs the origin of a telephonic conversation.
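The MAC flooding entry above says the attack works by overwhelming the switch's MAC table. The following is an added example, not material from the course: a toy switch model in Python that learns source MACs into a fixed-size table and floods unknown unicast out every port once it can no longer learn, run once without and once with a port-security limit. The port count, table size, per-port MAC limit and MAC addresses are constructed for the demo; real switches also age entries out, which the attacker simply keeps re-filling, with the same flooding result.

```python
"""MAC flooding against a switch's MAC table, with and without port security.

Added example; not from the course. The switch model, port numbers,
table size and MAC addresses are constructed for the demo.
"""
from collections import defaultdict


class Switch:
    def __init__(self, ports: int, table_size: int, max_macs_per_port=None):
        self.ports = ports
        self.table_size = table_size        # CAM/MAC table capacity
        self.table = {}                     # mac -> port
        self.limit = max_macs_per_port      # port security: None = off
        self.seen_on_port = defaultdict(set)
        self.disabled = set()               # err-disabled ports

    def receive(self, src: str, dst: str, in_port: int) -> list:
        """Return the list of egress ports for a frame entering on `in_port`."""
        if in_port in self.disabled:
            return []
        if self.limit is not None:
            self.seen_on_port[in_port].add(src)
            if len(self.seen_on_port[in_port]) > self.limit:
                self.disabled.add(in_port)  # port-security violation: shut the port
                return []
        # Learn the source if there is room; a full table simply stops learning.
        if src not in self.table and len(self.table) < self.table_size:
            self.table[src] = in_port
        out = self.table.get(dst)
        if out is None:
            # Unknown destination: flood out every other port, the attacker's included.
            return [p for p in range(self.ports) if p != in_port]
        return [] if out == in_port else [out]


HOST_A, HOST_B, BROADCAST = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "ff:ff:ff:ff:ff:ff"


def demo(port_security: bool, attack_frames: int = 200) -> dict:
    sw = Switch(ports=4, table_size=64, max_macs_per_port=2 if port_security else None)
    # Attacker on port 3 sprays frames from made-up source MACs to fill the table.
    for i in range(attack_frames):
        sw.receive(src=f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", dst=BROADCAST, in_port=3)
    # Host B (port 1) sends something, which should let the switch learn it.
    sw.receive(src=HOST_B, dst=BROADCAST, in_port=1)
    # Host A (port 0) sends a unicast to B. Where does it go?
    egress = sw.receive(src=HOST_A, dst=HOST_B, in_port=0)
    return {
        "egress_ports": egress,
        "attacker_sees_traffic": 3 in egress,
        "table_entries": len(sw.table),
        "disabled_ports": sorted(sw.disabled),
    }


if __name__ == "__main__":
    print("no port security:", demo(False))
    print("port security (max 2 MACs/port):", demo(True))
```

Without port security the table is full of bogus entries, host B never gets learned, and A's unicast to B is flooded to every port, so the attacker on port 3 reads it. With a two-MAC limit the attacker's third source address err-disables port 3 before the table fills and the A-to-B frame goes only to port 1.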

An attacker with a fraudulent certificate for your bank is planning to intercept your transactions in an on-path (MitM) attack. The certificate hasn't been revoked yet, but what technology could still let you know something is wrong? OCSP stapling OCSP Key escrow Key pinning

Key pinning

What VPN type is very secure, compatible with nearly any application, and supported by most operating systems? L2TP/IPsec PPTP SSH SSL/TLS

L2TP/IPsec

What are the OSI model layers? Describe each

Layer 1 (Physical): Transmission of raw bits over the medium: cables, radio, connectors and signalling
Layer 2 (Data Link): Framing and node-to-node delivery on a single link, addressed by MAC address; switches and 802.1AE/MACsec operate here
Layer 3 (Network): Logical addressing and routing between networks (IP); routers and IPsec operate here
Layer 4 (Transport): End-to-end delivery between processes using port numbers, with reliability and flow control where needed (TCP, UDP)
Layer 5 (Session): Establishing, maintaining and tearing down sessions between applications
Layer 6 (Presentation): Data representation: encoding, compression and encryption (TLS is often placed here)
Layer 7 (Application): The protocols user-facing software speaks directly (HTTP, SMTP, DNS)

What would happen if you lowered the account-lockout threshold?

Lowering the threshold would lead to more legitimate users being locked out of their own accounts. This inconvenience may be deemed acceptable or necessary by security policymakers in order to minimize the effectiveness of online password-cracking attempts.

Which of the following is an office-productivity device that may be a common fixture around the enterprise, but from a security perspective frequently slips through the cracks because no one configured existing security controls or added external ones? MFP HVAC RTOS VoIP

MFP

Consider a network service you regularly use, such as email. How could its integrity be compromised?

Mail could be altered when you send or receive it.

Which of the following statements is correct regarding threat vector? Malware is a common example of a threat vector. The mechanism of minimizing vulnerabilities is called a threat vector. A threat vector is an unintentional threat. A threat vector refers to the pathway that organization takes to find the attackers.

Malware is a common example of a threat vector

During a discussion of user account policies, someone suggests lowering the account-lockout threshold on the Windows domain. What would be the net effect of this change? Less security and more convenience for users Less security and less convenience for users More security and more convenience for users More security and less convenience for users

More security and less convenience for users

Which of the following is a US government agency charged with developing and supporting standards used by other government organizations? NIST ISOC OWASP W3C

NIST

What is seen as the most modern and flexible way to find out if a certificate has been revoked? ASN.1 CRL CSR OCSP

OCSP

Consider a network service you regularly use, such as email. How could its confidentiality be compromised?

One example could be someone reading or intercepting it.

Which weak configuration concern is responsible for allowing an attacker's port scan traffic that targets HTTP to reach an intranet server from the Internet? Open permissions Unsecured protocols Weak encryption Open ports and services

Open ports and services

Which of the following controls primarily protect data availability? Patch management Hashing Version control Digital signatures

Patch management

Bollards have recently been installed as a corrective control right outside your corporate office building. Under which category or type of control do bollards fall? Physical Operational Logical Technical

Physical

Which of the following is the correct order of the Deming cycle? Act > Check > Do > Plan Check > Act > Do > Plan Act > Check > Plan> Do Plan > Do > Check > Act

Plan > Do > Check > Act

What kind of tool, often called a sniffer, is used to capture network traffic, allowing the operator to visualize the various processes involved in the communication? Network mapper Wireless analyzer Protocol analyzer Database vulnerability tester

Protocol analyzer

Which privacy-enhancing technology performs a reversible substitution of PII, storing the private data elsewhere, reducing the likelihood that a breach of the records containing the non-private substituted information will lead to legal jeopardy for the organization entrusted with the PII? Data minimization Full Anonymization Data masking Pseudo-anonymization

Pseudo-anonymization (more commonly called pseudonymization)
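The question above turns on one property: the substitution is reversible, but only for whoever holds the separately stored mapping. The following is an added example, not course material, showing that split in Python: PII fields are replaced by keyed-hash tokens, the token-to-value map lives in a `Vault` object standing in for a separate store, and only a caller with the vault can re-identify a record. The record layout, field names and HMAC key are constructed for the demo.

```python
"""Reversible pseudonymization with a separately held mapping.

Added example; not from the course. The records, the field names and the
HMAC key are constructed for this demo.
"""
import hashlib
import hmac


class Vault:
    """Token -> original value mapping. The whole point is that this store
    lives somewhere else (separate database, separate access controls); the
    pseudonymized records are useless to an attacker without it."""

    def __init__(self, key: bytes):
        self._key = key     # keyed hashing keeps tokens unguessable
        self._map = {}

    def token_for(self, value: str) -> str:
        # HMAC rather than a bare hash: an attacker who guesses a candidate
        # value cannot confirm it by recomputing the token without the key.
        # Deterministic, so the same email maps to the same token and records
        # can still be joined on it.
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "pn_" + digest[:16]
        self._map[token] = value
        return token

    def resolve(self, token: str) -> str:
        return self._map[token]  # KeyError for a token this vault never issued


def pseudonymize(record: dict, pii_fields: tuple, vault: Vault) -> dict:
    """Return a copy of `record` with each PII field replaced by a token."""
    out = dict(record)
    for field in pii_fields:
        out[field] = vault.token_for(record[field])
    return out


def reidentify(record: dict, pii_fields: tuple, vault: Vault) -> dict:
    """Reverse the substitution; only a party holding the vault can do this."""
    out = dict(record)
    for field in pii_fields:
        out[field] = vault.resolve(record[field])
    return out


PII = ("name", "email")

# constructed sample records
RECORDS = [
    {"id": 1, "name": "Ada Example", "email": "ada@example.com", "plan": "gold"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.net", "plan": "basic"},
    {"id": 3, "name": "Ada Example", "email": "ada@example.com", "plan": "gold"},
]


def demo(key: bytes = b"constructed-demo-key-do-not-reuse") -> tuple:
    vault = Vault(key)
    safe = [pseudonymize(r, PII, vault) for r in RECORDS]
    restored = [reidentify(r, PII, vault) for r in safe]
    return safe, restored


if __name__ == "__main__":
    safe, restored = demo()
    for r in safe:
        print(r)   # what an analytics team, or a breached replica, would see
    assert restored == RECORDS
```

Full anonymization would drop the vault (and the key) entirely, making the substitution irreversible; that is the distinction the question is testing.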

What makes Python a good choice for crafting malicious scripts for an attack? The Python programming language has specific instructions explicitly for the purpose of hacking. Python scripts can be executed with the bash command in all versions of UNIX and Linux published since 1990. Python is included by default on Windows since Vista. Python is installed by default on the majority of Linux distributions and is available to install on the rest.

Python is installed by default on the majority of Linux distributions and is available to install on the rest.

Redundant Array of Independent/Inexpensive Disks (RAID) levels

RAID 0: Spreads the contents of files in roughly even parts across two or more drives (disk striping); there is no redundancy, so one failed drive loses the whole array
RAID 1: Writes identical data to two or more drives (drive mirroring)
RAID 5: Disk striping across at least three drives with one parity unit per stripe, so the array survives one drive failure
RAID 6: Requires at least four drives and stores two independent parity units per stripe, so the array survives two simultaneous drive failures
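The RAID levels above are easier to reason about with the arithmetic in front of you. Below is an added example, not course material, that stripes a payload across in-memory "drives" in RAID 0, 1 and 5 fashion, computes the RAID 5 parity as a plain XOR, kills one drive and rebuilds it from the survivors. The 4-byte stripe unit, the parity rotation and the payload are constructed for the demo; RAID 6's second parity needs Galois-field arithmetic and is not shown.

```python
"""Striping, mirroring and XOR parity on in-memory "drives".

Added example; not from the course. Each drive is a list of fixed-size
stripe units; the unit size and the sample payload are constructed.
"""
from functools import reduce

UNIT = 4  # bytes per stripe unit (real arrays use tens of KiB)


def _units(data: bytes) -> list:
    """Split data into UNIT-sized pieces, zero-padding the last one."""
    data += b"\x00" * (-len(data) % UNIT)
    return [data[i:i + UNIT] for i in range(0, len(data), UNIT)]


def xor(*blocks: bytes) -> bytes:
    """Bytewise XOR of equally sized blocks; this is all RAID 5 parity is."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def raid0_write(data: bytes, n_drives: int) -> list:
    """RAID 0: units go round-robin to the drives; lose one drive, lose everything."""
    drives = [[] for _ in range(n_drives)]
    for i, unit in enumerate(_units(data)):
        drives[i % n_drives].append(unit)
    return drives


def raid1_write(data: bytes, n_drives: int = 2) -> list:
    """RAID 1: every drive holds a complete copy."""
    units = _units(data)
    return [list(units) for _ in range(n_drives)]


def _parity_drive(row: int, n_drives: int) -> int:
    # Rotate the parity unit across drives so no single drive becomes the parity bottleneck.
    return (n_drives - 1 - row) % n_drives


def raid5_write(data: bytes, n_drives: int) -> list:
    """RAID 5: each row holds n-1 data units plus one XOR parity unit."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    width = n_drives - 1
    units = _units(data)
    units += [b"\x00" * UNIT] * (-len(units) % width)   # whole rows only
    drives = [[] for _ in range(n_drives)]
    for row in range(len(units) // width):
        row_units = units[row * width:(row + 1) * width]
        parity = xor(*row_units)
        data_iter = iter(row_units)
        for d in range(n_drives):
            drives[d].append(parity if d == _parity_drive(row, n_drives) else next(data_iter))
    return drives


def raid5_rebuild(drives: list, failed: int) -> list:
    """Recover a failed drive: every unit is the XOR of the surviving units in its row
    (works for data and parity units alike, which is why one failure is survivable)."""
    survivors = [d for i, d in enumerate(drives) if i != failed]
    return [xor(*(d[row] for d in survivors)) for row in range(len(drives[0]))]


def raid5_read(drives: list, n_bytes: int) -> bytes:
    """Reassemble the original bytes, skipping the parity unit in each row."""
    n = len(drives)
    out = b""
    for row in range(len(drives[0])):
        for d in range(n):
            if d != _parity_drive(row, n):
                out += drives[d][row]
    return out[:n_bytes]


if __name__ == "__main__":
    payload = b"RAID 5 parity demo, constructed payload"   # constructed sample data
    array = raid5_write(payload, 3)
    failed = 1
    rebuilt = raid5_rebuild(array, failed)
    assert rebuilt == array[failed]
    array[failed] = rebuilt            # hot spare takes over
    print("rebuilt drive", failed, "and read back:", raid5_read(array, len(payload)))
```

Note what parity buys and what it does not: a second failure during the rebuild of a RAID 5 array is unrecoverable, which is the gap RAID 6 closes with its second parity unit.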

What kind of attack is most likely when you're doing sensitive work on your laptop at a coffee shop? Shoulder surfing Piggybacking Dumpster diving Tailgating

Shoulder surfing

You notice that someone read your password from across the room as you logged in. What technique was used? Smurfing Piggybacking Dumpster diving Shoulder surfing

Shoulder surfing

Which of the following is targeted by nature, with emails designed for one specific user? Algo-based phishing Smishing Vishing Spear phishing

Spear phishing

You've set a stronger passcode and added a security alarm. How does this affect the vulnerability, threat, and risk of the situation?

Strengthened or added security measures reduce vulnerabilities, which in turn reduces risk. In this case, the threat is unchanged: the burglars are still out there, just less likely to get in unnoticed.

Joe is tuning his organization's firewall rules to prevent IP spoofing. What type of control is Joe implementing? Technical Physical Managerial Operational

Technical

Which of the following statements about environments for software development, deployment, and automation are correct? Each correct answer represents a complete solution. Choose two. The QA environment is aimed less at testing for functionality than the other environments. All environments must be built identically to one another. Except for the production environment, all others must be available at the same time. The production environment acts as a sandbox to avoid impacting other systems. Each environment has a distinct purpose in the process.

The QA environment is aimed less at testing for functionality than the other environments. Each environment has a distinct purpose in the process.

There's been a rash of burglaries in your area, and you notice that one door into a part of the building with valuable equipment has a keypad lock set to "12345." Identify the asset, the vulnerability, the threat, and the risk in the situation.

The asset is valuable equipment in the building. The vulnerability is that a lock with an easily-guessed access code is simple to bypass. The threat is burglars in the area. The risk is the combination of how likely you are to be burglarized, how hard stolen equipment would be to replace, and how much its loss would otherwise affect your business.

Why might an administrator decide to employ an enterprise MDM solution to deny support for USB OTG on mobile devices? USB OTG supports the attachment of devices that block remote-wipe signals. USB OTG can drain the mobile devices by allowing them to charge other devices. The connector on the mobile devices is used simultaneously for charging and for data transfer. Geolocation is unable to track devices running USB OTG.

The connector on the mobile devices is used simultaneously for charging and for data transfer.

Which of the following are best practice considerations when using fences as a security control? Each correct answer represents a complete solution. Choose two. Fences must have a K-rating to resist forceful impact, such as by speeding vehicles. Use a material on top, such as barbed wire, to prevent or discourage climbing over. Consider emergency entry and escape when designing secure gates and fencing. Fences of four feet or less in height have no security value.

Use a material on top, such as barbed wire, to prevent or discourage climbing over. Consider emergency entry and escape when designing secure gates and fencing.

Shoulder Surfing

Watching someone who is viewing or entering sensitive information, or eavesdropping on confidential conversations

What kind of malware replicates itself by exploiting system vulnerabilities? Logic bomb Worm Virus Trojan horse

Worm

Worm

A worm replicates itself by exploiting system vulnerabilities. It might infect application files, but once running it spreads through the network unassisted, exploiting vulnerable protocols or services; merely connecting an unpatched PC to the Internet can infect it in moments without any human action. Modern variants include browser-based attacks that infect a system even when the user never knowingly downloads or runs an executable. Because of how they spread, worms are treated as network attacks as well as malware.

Consider a network service you regularly use, such as email. How could its availability be compromised?

You could be unable to access your mail when you need to.

benchmark

a checklist of potential vulnerabilities in a piece of software along with configuration settings you can use to mitigate them

Online Certificate Status Protocol (OCSP)

a request/response protocol carried over HTTP. A client sends an OCSP request to a responder operated by or on behalf of the CA and asks about the revocation status of a particular certificate. An OCSP request is far smaller than a full CRL, which saves network resources, and because it does not depend on publication periods the answer can always be current. For these reasons OCSP is generally seen as the more flexible and modern alternative to CRLs. Responses are signed by the CA or a delegated responder, so the client still verifies that signature before trusting an answer.

NIST Risk Management Framework (RMF)

a risk-management framework defined by SP 800-37, using the controls described in SP 800-53

Key pinning

a technique where a client stores a copy or hash of a known certificate or public key for a site. On each new connection the client compares the certificate the server presents against its stored pin, so any change to the certificate or key is detected even if the new certificate chains to a CA the client otherwise trusts.

A business partnership agreement (BPA)

a written agreement defining the general relationship between business partners. At the least, it defines how each organization shares profits, losses, property, and liability; it also defines partners' responsibilities to each other, and a dissolution process for if and when any partner leaves the agreement.

Continuous validation

adds a validation package as an output of the CI/CD pipeline. It contains evidence that mandated development practices were followed during the development process, reducing the need for manual auditing steps.

Network access control lists (ACLs)

allow or deny traffic based on its properties, such as source or destination address. Router ACLs are useful both for performance- and security-based traffic control.
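The ACL definition above, the router question earlier on the page and the anti-spoofing question about Joe's firewall rules all come down to the same mechanics: rules are evaluated top-down, the first match wins, and an unwritten deny sits at the end. The following is an added example, not course material, implementing that evaluator in Python over a Cisco-like ACL text. The syntax, the packets and the assumption that the ACL is applied inbound on an Internet-facing interface (hence the anti-spoofing first line) are all constructed for the demo.

```python
"""First-match router ACL with the implicit deny at the end.

Added example; not from the course. The ACL text uses a Cisco-like
syntax and the packets are constructed for the demo; the interface is
assumed to face the Internet, so the first line is an anti-spoofing rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None        # None = any destination port


def _net(token: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_acl(text: str) -> list:
    rules = []
    for line in text.strip().splitlines():
        if line.startswith("!") or line.startswith("remark"):
            continue
        parts = line.split()
        action, proto, src, dst = parts[:4]
        dport = int(parts[5]) if len(parts) >= 6 and parts[4] == "eq" else None
        rules.append(Rule(action, proto, _net(src), _net(dst), dport))
    return rules


def evaluate(rules: list, pkt: dict) -> tuple:
    """Walk the list top-down; the first matching rule decides. Returns
    (action, rule_index); index None means the implicit deny fired."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for i, r in enumerate(rules):
        if r.proto != "ip" and r.proto != pkt["proto"]:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and pkt.get("dport") != r.dport:
            continue
        return r.action, i
    return "deny", None   # every ACL ends with an unwritten "deny ip any any"


INBOUND_FROM_INTERNET = """
remark anti-spoofing: internal addresses never legitimately arrive from outside
deny ip 10.0.0.0/8 any
permit tcp any 10.0.0.0/24 eq 443
deny tcp any any eq 23
permit udp any 10.0.0.53/32 eq 53
"""

# constructed packets
PACKETS = [
    {"src": "10.0.0.3",    "dst": "10.0.0.5",  "proto": "tcp", "dport": 443},  # spoofed source
    {"src": "203.0.113.9", "dst": "10.0.0.5",  "proto": "tcp", "dport": 443},
    {"src": "203.0.113.9", "dst": "10.0.0.5",  "proto": "tcp", "dport": 23},
    {"src": "203.0.113.9", "dst": "10.0.0.53", "proto": "udp", "dport": 53},
    {"src": "203.0.113.9", "dst": "10.0.0.5",  "proto": "tcp", "dport": 22},   # no rule: implicit deny
]


def run(acl_text: str = INBOUND_FROM_INTERNET, packets: list = PACKETS) -> list:
    rules = parse_acl(acl_text)
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, idx) in zip(PACKETS, run()):
        print(f"{pkt['src']} -> {pkt['dst']}:{pkt.get('dport')} {pkt['proto']}: "
              f"{action} (rule {'implicit' if idx is None else idx})")
```

Order matters: move the anti-spoofing line below the `permit tcp any ... eq 443` line and the spoofed HTTPS packet would be permitted by rule 1 before the deny is ever reached.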

USB On-the-Go (OTG)

allows users to connect external storage devices and peripherals to a mobile device, making malware transmission or data exfiltration easier in secure environments.

incident

an event or series of events that is unexpected or unusual and that poses some meaningful threat to the system's functions, performance, or security

Allow listing/whitelisting

an implicit-deny strategy where a program or action is allowed only when explicitly permitted. It provides higher security than block listing, or blacklisting, but requires more work to maintain.

Intrusion prevention systems (IPSs)

evaluate and allow or block traffic like firewalls, but they have rules focused on recognizing threat activity, such as attack signatures, non-standard use of protocols, or heuristic evaluation to detect unusual traffic. They are frequently configured to recognize and react to network scans.
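The IPS definition above (and the scan question earlier on the page) describe recognising scan activity by signature and by non-standard protocol use. The following is an added example, not course material, that applies two such signatures to constructed firewall log lines in Python: TCP segments carrying none of SYN/ACK/RST (the FIN, NULL and Xmas probes built to slip past a stateless "permit tcp" rule), and one source touching many distinct ports on one host inside a short window. The log format, the RFC 5737 addresses and the thresholds are all assumptions for the demo.

```python
"""Flagging port scans in firewall logs the way an IPS rule would.

Added example; not from the course. The log format, the addresses
(RFC 5737 documentation ranges) and the events are constructed for
the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) flags=(?P<flags>\w*) action=(?P<action>\w+)"
)

# Constructed log: a FIN scan of ten ports in ten seconds (flags=F passes a
# stateless "permit tcp any any" written with SYN in mind), one NULL-scan
# probe with no flags at all, and a normal HTTPS client doing a real handshake.
LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} src=203.0.113.5 dst=10.0.0.7 dport={p} proto=tcp flags=F action=accept"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])]
    + [
        "2024-05-01T10:00:05 kernel: eth0 link is up",   # unrelated line, must be skipped
        "2024-05-01T10:00:12 src=192.0.2.77 dst=10.0.0.7 dport=8080 proto=tcp flags= action=accept",
        "2024-05-01T10:00:30 src=198.51.100.9 dst=10.0.0.7 dport=443 proto=tcp flags=S action=accept",
        "2024-05-01T10:00:30 src=198.51.100.9 dst=10.0.0.7 dport=443 proto=tcp flags=A action=accept",
        "2024-05-01T10:00:31 src=198.51.100.9 dst=10.0.0.7 dport=443 proto=tcp flags=PA action=accept",
    ]
)


def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # not a connection record
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"]).timestamp()
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def detect(events: list, window: float = 60.0, port_threshold: int = 8) -> set:
    """Two signatures: (1) TCP segments with none of SYN/ACK/RST set, which
    no legitimate client sends unprompted (FIN, NULL, Xmas probes); (2) one
    source touching `port_threshold` distinct ports on one host within
    `window` seconds. Returns {(src, signature)}."""
    alerts = set()
    recent = defaultdict(list)      # (src, dst) -> [(ts, dport)] inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["proto"] == "tcp" and not set(e["flags"].upper()) & {"S", "A", "R"}:
            alerts.add((e["src"], "stealth-flags"))
        key = (e["src"], e["dst"])
        recent[key] = [(t, p) for t, p in recent[key] if e["ts"] - t <= window]
        recent[key].append((e["ts"], e["dport"]))
        if len({p for _, p in recent[key]}) >= port_threshold:
            alerts.add((e["src"], "port-sweep"))
    return alerts


def block_list(alerts: set) -> list:
    """What the IPS hands to the enforcement point: one entry per offending source."""
    return sorted({src for src, _ in alerts})


if __name__ == "__main__":
    found = detect(parse(LOG))
    for src, sig in sorted(found):
        print(f"{src}: {sig}")
    print("block:", block_list(found))
```

The legitimate client never trips either rule: its segments always carry SYN or ACK and it only ever talks to one port. That inline blocking decision, rather than an after-the-fact alert, is what separates the IPS answer from the IDS option in the question.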

Honeypots

fake systems and services that are designed to detect threat activities without giving an attacker access to useful resources.

Bollards

heavily reinforced posts, typically three or four feet tall, spaced closer together than the width of a small motor vehicle and placed directly in front of a store or office entrance so that a vehicle cannot ram the foot-traffic entrance to the lobby.

continuity of operations plan (COOP)

includes procedures for moving critical operations to a temporary site during disaster recovery. It can apply to general business functions as well as IT systems in particular.

Hardware Security Module as a Service (HSMaaS)

a cloud service that provides the hardware-backed key protection of an HSM through a CSP, so that it can be reached from one or more public clouds.

Threat vectors

pathways through which threats are able to exploit security vulnerabilities. Removable storage media provides an attacker with a mechanism to exfiltrate data from computer systems or to trick a user into inserting the media, inadvertently installing malicious processes onto these same systems. Attaching malicious files, including executable software, to email messages is a threat vector that leads to users potentially becoming unwitting agents in an attack when they open the attachments.

spear phishing

sends tailored content to a specific person or group of people—most commonly employees or customers of a specific company.

A threat hunter wants to research a new threat that's rumored to be in development by a renowned group of hackers. Which source should the hunter use if the goal is to consult a source most likely to be shared by malicious threat agents? AIS OSINT Vulnerability databases The dark web

The dark web

Account-lockout threshold

the number of unsuccessful login attempts at which the associated account is locked for a period of time or until an administrator unlocks it.
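The lockout-threshold definition above and the two earlier questions about lowering it make a quantitative claim: a lower threshold caps how many guesses an online attacker gets, at the cost of locking out users who mistype. The following is an added example, not course material, that models a Windows-style lockout policy in Python and measures both sides of that trade-off: how many guesses per hour the system actually evaluates for an attacker, and what a user with Caps Lock on sees. The 10-minute observation window, 15-minute lockout duration, one-guess-per-second attacker and user behaviour are all constructed assumptions.

```python
"""Account-lockout threshold trade-off, simulated.

Added example; not from the course. Times are seconds; users, policy
values and attempt sequences are constructed here.
"""
from collections import defaultdict


class LockoutPolicy:
    """Windows-style lockout: `threshold` bad logins within `window` seconds
    lock the account for `duration` seconds (0 = until an administrator unlocks it)."""

    def __init__(self, threshold: int, window: int = 600, duration: int = 900):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked_until = {}              # user -> unlock time (inf = admin unlock)

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, float("-inf"))

    def unlock(self, user: str) -> None:
        """Administrator action."""
        self.locked_until.pop(user, None)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'failed'. The password is never checked
        while the account is locked; that is what blunts online guessing."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures[user].clear()
            return "ok"
        recent = [t for t in self.failures[user] if now - t <= self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked_until[user] = float("inf") if self.duration == 0 else now + self.duration
            self.failures[user].clear()
        return "failed"


def guesses_evaluated(threshold: int, seconds: int = 3600, rate: float = 1.0,
                      duration: int = 900) -> int:
    """Run an attacker guessing at `rate`/s for `seconds` and count how many
    guesses the system actually compared against the real password."""
    policy = LockoutPolicy(threshold, duration=duration)
    checked = 0
    t = 0.0
    while t < seconds:
        if policy.attempt("victim", False, t) == "failed":
            checked += 1
        t += 1 / rate
    return checked


def caps_lock_user(threshold: int) -> list:
    """A legitimate user enters the right password with Caps Lock on three
    times, then fixes it. Shows whether the fourth attempt is even evaluated."""
    policy = LockoutPolicy(threshold)
    results = [policy.attempt("alice", False, t) for t in (0, 5, 10)]
    results.append(policy.attempt("alice", True, 15))
    return results


if __name__ == "__main__":
    for th in (3, 5, 10):
        print(f"threshold {th}: attacker gets {guesses_evaluated(th)} evaluated guesses/hour; "
              f"caps-lock user sees {caps_lock_user(th)}")
```

With a 15-minute lockout the attacker gets roughly four bursts an hour, each of `threshold` guesses, so halving the threshold halves the online guessing budget; the same change turns three Caps Lock typos into a lockout instead of a fourth, successful attempt. Note that an attacker who wants denial of service rather than access can use a low threshold against you by deliberately locking out every account.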

Infrastructure as Code (IaC)

uses machine-readable definition files to generate and deploy service components in an automated process. In general, IaC tools can create either mutable infrastructure, which can be modified and updated after it is provisioned, or immutable infrastructure, which can only be changed by deprovisioning it and creating a new instance with the desired changes. Mutable infrastructure is more accessible for developers accustomed to conventional environments, but immutable infrastructure allows easier scaling and prevents security problems due to configuration drift.

