Sec+ sy0-601 Study
An attacker steals personal data from a user device with an outdated Bluetooth authentication mechanism. What type of attack has occurred?
Bluesnarfing
Which of the following is NOT a scripting language?
regex
Consider the challenges with providing privileged management and authorization on an enterprise network. Which of the following would the network system administrator NOT be concerned with when configuring directory services?
Non-repudiation
A startup designs a new online service and uses a serverless approach for some business functions. With this approach, how does the startup perform these functions? (Select all that apply.)
Containers/ Orchestration
Which security related phrase relates to the integrity of data?
Modification is authorized
Which of the following is NOT a use of cryptography?
Security through obscurity
A website with many subdomains has been issued a web server certificate for domain validation. This certificate verifies the parent domain and subdomains (to a single level). This certificate is also known as which of the following?
Wildcard certificate
A secure data center has multiple alarms installed for security. Compare the features of the types of alarms that may be installed, and determine which is an example of a circuit alarm.
Windows and emergency exits along the perimeter wall sound an alarm when opened.
Evaluate the features and vulnerabilities found in medical devices and then select the accurate statements. (Select all that apply.)
"Attackers may attempt to gain access in order to kill or injure patients, or hold medical units ransom/ Many portable devices, such as cardiac monitors and insulin pumps, run on unsupported operating systems.
A Certificate Revocation List (CRL) has a publish period set to 24 hours. Based on the normal procedures for a CRL, what is the most applicable validity period for this certificate?
26 hours
Which statement best describes the purpose of an acceptable use policy (AUP)?
An AUP governs how employees may use company equipment and internet services.
Analyze the types of password cracker attacks to determine which scenario best describes a brute force attack.
An attacker attempts every possible combination in the key space in order to derive a plaintext password from a hash
An organization routinely communicates directly to a partner company via a domain name. The domain name now leads to a fraudulent site for all users. Systems administrators find incorrect host records in DNS. What do the administrators believe to be the root cause?
An attacker masquerades as an authoritative name server.
Consider the types of zones within a network's topology and locate the zone considered semi-trusted and requires hosts to authenticate to join.
Extranet
A user presents a smart card to gain access to a building. Authentication is handled through integration to a Windows server that's acting as a certificate authority on the network. Review the security processes and conclude which are valid when using Kerberos authentication. (Select all that apply.)
Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request and The Authentication Server (AS) trusts the user's certificate as it was issued by a local certification authority.
A member of the IT team at a company launches a simulated phishing attack email to users across the organization. Which of these statements most accurately describes the purpose of such an attack?
The attack identifies those users who respond to the phishing attempt as individuals who may require more training.
A threat actor programs an attack designed to invalidate memory locations to crash target systems. Which statement best describes the nature of this attack?
The attacker programmed a null pointer dereferencing exception
An attacker uses spoofed GPS coordinates on a stolen mobile device, attempting to gain access to an enterprise network. Which statement best describes the attack vector?
The attacker uses spoofed coordinates to defeat geofencing on the target network.
Compare and evaluate the various levels and types of security found within a Trusted OS (TOS) to deduce which scenario is an example of a hardware Root of Trust (RoT).
The boot metrics and operating system files are checked, and signatures verified at logon.
A drawback of FDE is the cryptographic operations performed by the OS reduces performance/ FDE requires the secure storage of the key used to encrypt the drive contents.
The client sends a request for authentication and the server generates a challenge with the public key.
A new cloud-based application will replicate its data on a global scale, but will exclude residents of the European Union. Which concerns should the organization that provides the data to consumers take into consideration? (Select all that apply.)
Sovereignty/Location
A security expert needs to review systems information to conclude what may have occurred during a breach. The expert reviews NetFlow data. What samples does the expert review?
Statistics about network traffic
Analyze the features of a Full Disk Encryption (FDE) to select the statements that accurately reflect this type of security. (Select all that apply.)
A drawback of FDE is the cryptographic operations performed by the OS reduces performance/
Which of the following password cracker attacks are combined to create a typical hybrid password attack? (Select all that apply.)
Brute force and dictionary attack
Management of a company identifies priorities during a risk management exercise. By doing so, which risk management approach does management use?
Risk posture
An organization plans the destruction of old HDDs. In an effort to save money, the organization damages the media by impact, but they did not destroy all of the data. Which method has the organization tried?
Pulverizing
A system administrator uses a Graphical User Interface (GUI) remote administration tool over TCP port 3389 to manage a server operating Windows 2016. Evaluate the types of remote administration tools to conclude which protocol the administrator is using.
Remote Desktop
A system administrator needs secure remote access into a Linux server. Evaluate the types of remote administration to recommend which protocol should be used in this situation.
Secure Shell (SSH)
An IT manager in the aviation sector checks the industry's threat intelligence feed to keep up on the latest threats and ensure the work center implements the best practices in the field. What type of threat intelligence source is the IT manager most likely accessing?
An Information Sharing and Analysis Center (ISAC)
A large sales organization uses a cloud solution to store large amounts of data. One afternoon, the data becomes inaccessible due to an outage at a data center. Which replication service level is currently in use?
Local
Consider the life cycle of an encryption key. Which of the following is NOT a stage in a key's life cycle?
Verification
What is the purpose of a web server certificate?
Guarantee the identity of a website.
A security expert archives sensitive data that is crucial to a legal case involving a data breach. The court is holding this data due to its relevance. The expert fully complies with any procedures as part of what legal process?
Legal hold
A Redundant Array of Independent Disks (RAID) is installed with data written to two disks with 50% storage efficiency. Which RAID level has been utilized?
Level 1
A systems engineer configures a disk volume with a Redundant Array of Independent Disks (RAID) solution. Which solution does the engineer utilize when allowing for the failure of two disks?
Level 6
When using a digital envelope to exchange key information, the use of what key agreement mitigates the risk inherent in the Rivest-Shamir-Adleman (RSA) algorithm, and by what means?
Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using the server's private key.
Analyze each statement and determine which describes a fundamental improvement on traditional log management that security information and event management (SIEM) offers.
SIEM can perform correlation, linking observables into meaningful indicators of risk or compromise.
An employee has arrived to work and logged into the network with their smart card. This employee now has access to the company databases, email, and shared network resources. Evaluate all of the basic authorization policies and determine the policy best illustrated in this scenario.
Single Sign-On (SSO)
A hacker is able to install a keylogger on a user's computer. What is the hacker attempting to do in this situation?
Steal confidential information
A developer considers using an API for service integration and automation. If choosing Representational State Transfer (REST) as the API, which features can the developer expect? (Select all that apply.)
The ability to submit a request as an HTTP operation/verb/ It is a looser architectural framework
A company is instituting role-based training. Which type of training will the company require the data owner to most likely complete?
Training on compliance issues and data classification systems
Compare and contrast vulnerability scanning and penetration testing. Select the true statement from the following options.
Vulnerability scanning by eavesdropping is passive, while penetration testing with credentials is active.
A network manager needs a map of the network's topology. The network manager is using Network Mapper (Nmap) and will obtain the visual map with the Zenmap tool. If the target IP address is 192.168.1.1, determine the command within Nmap that will return the necessary data to build the visual map of the network topology.
nmap -sn --traceroute 192.168.1.1
Examine each of the following statements and determine which most accurately compares an allow and block list control practices.
An allow list operates on a default-deny policy, while a block list is a default-allow policy.
Which of the following statements best describes the trade-off when considering which type of encryption cipher to use?
Asymmetric encryption requires substantially more overhead computing power than symmetric encryption. Asymmetric encryption is inefficient when transferring or encrypting large amounts of data.
When endpoint security experiences a breach, there are several classes of vector to consider for mitigation. Which type relates to exploiting an unauthorized service port change?
Configuration drift
Code developers de-conflict coding with one another during which phase of the software development life cycle (SDLC)?
Continuous integration
A systems engineer decides that security mechanisms should differ for various systems in the organization. In some cases, systems will have multiple mechanisms. Which types of diversity does the engineer practice? (Select all that apply.)
Control/ Vendor
A system administrator downloads and installs software from a vendor website. Soon after installing the software, the administrator's computer is taken over remotely. After closer investigation, the software package was modified, probably while it was downloading. What action could have prevented this incident from occurring?
Validate the software using a checksum
When a network uses Extensible Authentication Protocol (EAP) as the authentication method, what access control protocol provides the means for a client to connect from a Virtual Private Network (VPN) gateway?
IEEE802.1X
Analyze and eliminate the item that is NOT an example of a reconnaissance technique.
Initial exploitation
A company determines the mean amount of time to replace or recover a system. What has the company calculated?
MTTR
A system administrator must scan the company's web-based application to identify which ports are open and which operating system can be seen from the outside world. Determine the syntax that should be used to yield the desired information if the administrator will be executing this task from a Linux command line.
Nmap -O webapp.company.com
Successful adversarial attacks mostly depend on knowledge of the algorithms used by the target AI. In an attempt to keep an algorithm secret, which method does an engineer use when hiding the secret?
Obscurity
A cloud server has been breached. The organization realizes that data acquisition differs in the cloud when compared to on-premises. What roadblocks may the organization have to consider when considering data? (Select all that apply.)
On-demand services, Jurisdiction, Chain of custody
A network administrator regularly reviews group membership and access control lists for each resource. The administrator also looks for unnecessary accounts to disable. What is the administrator executing in this situation?
Permission auditing
An employee handling key management discovers that a private key has been compromised. Evaluate the stages of a key's life cycle and determine which stage the employee initiates upon learning of the compromise.
Revocation
There are several types of security zones on a network. Analyze network activities to determine which of the following does NOT represent a security zone.
Screened host
Which of the following solutions best addresses data availability concerns that may arise with the use of application-aware next-generation firewalls (NGFW) and unified threat management (UTM) solutions?
Secure web gateway (SWG)
Which malicious code indicator is a minimal program designed to exploit a buffer overflow?
Shellcode
Which statement best describes key differences between symmetric and asymmetric cryptographic ciphers?
Symmetric encryption is used for confidentiality, and uses the same key for encryption and decryption.
Analyze the following scenarios and determine which best simulates a content filter in action. (Select all that apply.)
"A high school student is using the school library to do research for an assignment and cannot access certain websites due to the subject matter/ A system administrator blocks access to social media sites after the CEO
An engineer plans to acquire data from a disk. The disk is connected to the forensics workstation and is ready for the engineer. Which steps indicate a correct order of acquisition as they relate to integrity and non-repudiation?
1. A hash of the disk is made 2. A bit-by-bit copy is made 3. A second hash is made 4. A copy is made of the reference image
Analyze and compare the access control models in terms of how Access Control Lists (ACL) are written and determine which statement accurately explains the Discretionary Access Control (DAC) model.
A DAC model is the most flexible and weakest access control model. The owner has full control over the resource and grants rights to others.
Which of the following options represents Two-Factor Authentication (2FA)?
A user logs in using a password and a smart card.
Which of the following are types of log collection for SIEM? (Select all that apply.)
Agent-based/ Listener/Collector
Artificial intelligence (AI) and machine learning are especially important during which security information and event management (SIEM) task?
Analysis and report review
The IT team at a company discovers that a Windows server is infected with malware. As a result, the server is not functioning properly. Which event log does the team review to find errors from failing services related to newly installed software?
Application
Analyze the features of behavioral technologies for authentication, and choose the statements that accurately depict this type of biometric authentication. (Select all that apply.)
Behavioral technologies are cheap to implement, but have a higher error rate than other technologies/ Behavior technologies may use typing as a template, which matches the speed and pattern of a user's input of a passphrase.
Which type of attack disguises the nature of malicious input, preventing normalization from stripping illegal characters?
Canonicalization
Which type of employee training utilizes gaming and/or scenario-based techniques to emphasize training objectives? (Select all that apply.)
Capture the flag (CTF) and Computer-based training (CBT)
An employee is working on a team to build a directory of systems they are installing in a classroom. The team is using the Lightweight Directory Access Protocol (LDAP) to update the X.500 directory. Utilizing the standards of an X.500 directory, which of the following distinguished names is the employee most likely to recommend?
CN=system1,CN=user,OU=Univ,DC=local
Which of the following utilizes both symmetric and asymmetric encryption?
Digital envelope
A security team suspects that sensitive systems may have physical connections that are prone to eavesdropping. Which solution does the team secure the systems with to remedy the situation?
Faraday cage
An organization plans the destruction of old flash drives. In an attempt to erase the media, an employee uses an electromagnet, only to discover that it did not destroy the data. Which method has the employee tried?
Degaussing
An engineer needs to review systems metadata to conclude what may have occurred during a breach. The first step the engineer takes in the investigation is to review MTA information in an Internet header. Which data type does the engineer review?
Compare the features of static and dynamic computing environments and then select the accurate statements. (Select all that apply.)
Embedded systems are typically static computing environments, while most personal computers are dynamic computing environments/ Dynamic computing environments are easier to update than static computing environments
A hospital must balance the need to keep patient privacy information secure and the desire to analyze the contents of patient records for a scientific study. What cryptographic technology can best support the hospital's needs?
Homomorphic encryption
A systems administrator suspects that a virus has infected a critical server. In which step of the incident response process does the administrator notify stakeholders of the issue?
Identification
An engineer utilizes digital forensics for information gathering. While doing so, the first focus is counterintelligence. Which concepts does the engineer pursue? (Select all that apply.)
Identification and analysis of specific adversary tactics / Configure and audit active logging systems
A system administrator is setting up a new Simple Mail Transfer Protocol (SMTP) configuration. Make recommendations for how the administrator should configure the ports. (Select all that apply.)
Port 25 should be used for message relay/ Port 465 should be used for message submission over implicit TLS.
Which scripting language is the preferred method of performing Windows administration tasks?
Powershell
Both Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS+) provide authentication, authorization, and accounting using a separate server (the AAA server). Based on the protocols' authentication processes, select the true statements. (Select all that apply.)
RADIUS uses UDP and TACACS+ uses TCP/ TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password/ RADIUS is primarily used for network access and TACACS+ is primarily used for device administration
Given knowledge of secure firmware implementation, select the statement that describes the difference between secure boot and measured boot.
Secure boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect the presence of unauthorized processes.
Before leaving for lunch, an employee receives a phone call, but there is no one on the line. Distracted by the odd interruption, the employee forgets to log out of the computer. Earlier that day, a person from the building across the street watched the employee entering login credentials using high-powered binoculars. Which form of social engineering is being used in this situation?
Shoulder surfing
A Department of Defense (DoD) security team identifies a data breach in progress, based on some anomalous log entries, and take steps to remedy the breach and harden their systems. When they resolve the breach, they want to publish the cyber threat intelligence (CTI) securely, using standardized language for other government agencies to use. The team will transmit threat data feed via which protocol?
Trusted Automated eXchange of Indicator Information (TAXII)
Analyze the following statements and select the statement which correctly explains the difference between cross-site scripting (XSS) and cross-site request forgery (XSRF).
XSRF spoofs a specific request against the web application, while XSS is a means of running any arbitrary code.
A security analyst needs to review attack information on a compromised system. The analyst would be most successful using which containment approach?
Airgap
An engineer creates a set of tasks that queries information and runs some PowerShell commands to automate the identification of threats and other malicious activity on multiple servers. The engineer defines these tasks using which of the following?
Playbook
A systems administrator deploys a cloud access security broker (CASB) solution for user access to cloud services. Evaluate the options and determine which solution may be configured at the network edge and without modifying a user's system.
Reverse proxy
A company has recently started using a Platform as a Service (PaaS). Compare cloud service types to determine what is being deployed.
The company has leased a server that runs Microsoft Azure SQL Database.
The _____ requires federal agencies to develop security policies for computer systems that process confidential information.
Computer Security Act
What actions are typically recommended when securing virtualized and cloud-based resources? (Select all that apply.)
"Ensure software and hosts are patched regularly/ Configure devices to support isolated communications.
Select the explanations that accurately describe the Ticket Granting Ticket (TGT) role within the Authentication Service (AS). (Select all that apply.)
"The client sends the AS a request for a TGT that is composed by encrypting the date and time on the local computer with the user's password hash as the key and The AS responds with a TGT that contains information about the client,
Analyze the metrics governing Mission Essential Functions (MEF) and determine which example demonstrates Maximum Tolerable Downtime (MTD).
A business function relies on five hours for restoration; otherwise, there is an irrecoverable business failure.
Evaluate the typical weaknesses found in network architecture and determine which statement best aligns with a perimeter security weakness.
A company has a flat network architecture.
Analyze automation strategies to differentiate between elasticity and scalability. Which scenarios demonstrate scalability? (Select all that apply.)
A company is hired to provide data processing for 10 additional clients and has a linear increase in costs for the support and A company has a 10% increase in clients and a 5% increase in costs
Assess the features and processes within biometric authentication to determine which scenario is accurate.
A company uses a fingerprint scanner that acts as a sensor module for logging into a system.
Evaluate the following controls that have been set by a system administrator for an online retailer. Determine which statement demonstrates the identification control within the Identity and Access Management (IAM) system.
A control is set to ensure that billing and primary delivery addresses match.
Evaluate how identification and authentication are distinct in their functions. Which of the following scenarios best illustrates a user being authenticated?
A user access a system by having their face scanned.
Many access control models are rule-based. Consider how each of the following models determines how users receive rights and determine which model is NOT rule-based.
DAC
Digital certificates are based on the X.509 standard that defines the fields (or information) about a subject (or entity using the certificate) and the certificate's issuer. Which of the following fields would not be included in a standard public certificate?
Endorsement key
In which of these situations might a non-credentialed vulnerability scan be more advantageous than a credentialed scan? (Select all that apply.)
External assessments of a network perimeter and Web application scanning
Which of the following is a common solution that protects an application from behaving in an unexpected way when passing invalid data through an attack?
Input Validation
Evaluate the following choices based on their potential to lead to a network breach. Select the choice that is NOT a network architecture weakness.
Not all hosts on the network can talk to one another.
A hotel guest opens their computer and logs into the Wi-Fi without prompting the guest for a username and password. Upon opening an internet browser, a splash page appears that requests the guest's room number and last name for authentication. Which type of authentication is the hotel utilizing?
Open
Which microwave connection mode is most appropriate for forming a strong connection between two sites?
P2P
A network administrator conducts a network assessment to determine where to implement a network intrusion detection system (NIDS). Which sensor deployment option is most ideal if the admin is concerned about system overloads and resiliency in the event of power loss?
Passive test access point (TAP)
A hacker set up a Command and Control network to control a compromised host. What is the ability of the hacker to use this remote connection method as needed known as?
Persistence
The IT department head returns from an industry conference feeling inspired by a presentation on the topic of defense in depth. A meeting is scheduled with IT staff to brainstorm ideas for implementing defense in depth throughout the organization. Which of the following ideas are consistent with this industry best practice? (Select all that apply.)
Provide user training on identifying cyber threats and Align managerial and technical controls with control functions.
An engineer receives an alert from a mobile system equipped with an RFID tag. Upon investigating, the mobile system is missing from its assigned station. Which alarm type prompted the engineer to investigate?
Proximity
Which two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message?
Public key cryptography and hashing
An employee handles key management and has learned that a user has used the same key pair for encrypting documents and digitally signing emails. Prioritize all actions that should be taken and determine the first action that the employee should take.
Recover the encrypted data.
Evaluate the Agile paradigm within a Software Development Lifecycle (SDLC) to determine which statement demonstrates the idea of continuous tasks.
Releasing well-tested code in smaller blocks
A network administrator wants to use a proxy server to prevent external hosts from connecting directly with application servers. Which proxy server implementation will best fit this need?
Reverse proxy server
Security specialists create a sinkhole to disrupt any adversarial attack attempts on a private network. Which solution do the specialists configure?
Routing traffic to a different network
Given that layer 2 does not recognize Time to Live, evaluate the potential problems to determine which of the following options prevents this issue.
STP
A system breach occurs at a retail distribution center. Data from a persistent disk is required as evidence. No write blocker technology is available. Which approach does a security analyst use to acquire the disk?
Snapshot
Transport layer security (TLS) version 1.3 improves upon a vulnerability in TLS1.2. Which statement correctly describes a remedy for this vulnerability?
TLS version 1.3 removes the ability to downgrade to weaker encryption ciphers and earlier versions of transport layer security.
Compare all of the functions within directory services and determine which statement accurately reflects the function of group memberships.
The key provided at authentication lists a user's group memberships, which in turn allows certain access to resources on the network.
Any external responsibility for an organization's security lies mainly with which individuals?
The owner
A system administrator has configured a security log to record unexpected behavior and review the logs for suspicious activity. Consider various types of audits to determine which type aligns with this activity.
Usage auditing
Which of the following are appropriate methods of media sanitization? (Select all that apply.)
Use random data to overwrite data on each location of a hard drive/ Reset a disk to its factory condition utilizing tools provided by the vendor/ Degauss Compact Disks (CDs) using a machine with a powerful electromagnet.
What is Open Source Intelligence (OSINT)?
Using web search tools and social media to obtain information about the target
A company is reviewing the options for installing a new wireless network. They have requested recommendations for utilizing WEP, WPA, or WPA2. Differentiate between Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). Determine which of the following statements accurately distinguishes between the options. (Select all that apply.)
"WPA and WEP use RC4, while WEP uses a 24-bit Initialization Vector (IV). WPA uses a Temporal Key Integrity Protocol (TKIP), and WPA2 uses an Advanced Encryption/ WPA2 is the strongest encryption scheme, followed by WPA, then WEP. WPA2
Evaluate the functions of a Network-Based Intrusion Detection System (NIDS) and conclude which statements are accurate. (Select all that apply.)
A NIDS will identify and log hosts and application activity that the administrator can use to analyze and take further action/ Training and tuning are complex, and there is a high chance of false positive and negative rates.
An Internet Service Provider's (ISP) customer network is under a Distributed Denial of Service (DDoS) attack. The ISP decides to use a blackhole as a remedy. How does the ISP justify their decision?
A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.
Evaluate the differences between stream and block ciphers and select the true statement.
A block cipher is padded to the correct size if there is not enough data in the plaintext.
A company conducts file sharing via a hosted private cloud deployment model. Which scenario accurately depicts this type of file sharing?
A cloud hosted by a third party for the exclusive use of the organization.
Select the example that provides an accurate simulation of a company engaging in the identifying threats phase of risk management.
A company conducts research to determine why vulnerabilities may be exploited.
A company performs risk management. Which action identifies a risk response approach?
A company develops a countermeasure for an identified risk
Which scenario best describes provisioning?
A developer deploys an application to the target environment.
A network manager suspects that a wireless network is undergoing a deauthentication attack. Applying knowledge of wireless network attacks, which scenario best supports the network manager's suspicion?
A group of systems suddenly disconnects from the network. When the users reconnect, they actually connect to an evil twin Access Point (AP), which gives an attacker information about authentication.
Select the statement which best describes the difference between a zero-day vulnerability and a legacy platform vulnerability.
A legacy platform vulnerability is unpatchable, while a zero-day vulnerability may be exploited before a developer can create a patch for it.
A project manager has designed a new secure data center and has decided to use multifactor locks on each door to prevent unauthorized access. Compare the following types of locks that the project manager may use to determine which example the facility is utilizing.
A lock that requires an employee to use a smart card and pin to enter
When exploring the deep web, a user will need which of the following to find a specific and hidden dark web site?
A specific URL
Analyze each scenario and determine which best describes the authentication process in an Identity and Access Management (IAM) system.
A user logs into a system using a control access card (CAC) and PIN number.
Analyze types of vulnerabilities and summarize a zero-day exploit.
A vulnerability that is capitalized on before the developer knows about it.
A security engineer encrypted traffic between a client and a server. Which security protocol does the engineer configure if an ephemeral key agreement is used?
AES 256
Identify the attack that can launch by running software such as Dsniff or Ettercap from a computer attached to the same switch as the target.
ARP poisoning attack
Compare and contrast the characteristics of the various types of firewalls and select the correct explanation of a packet filtering firewall.
An administrator configures an Access Control List (ACL) to deny access to IP addresses with specific sources
Compare and analyze the types of firewalls available to differentiate between them.
An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment.
A system administrator is working to restore a system affected by a stack overflow. Analyze the given choices and determine which overflow vulnerability the attacker creates.
An attacker changes the return address of an area of memory used by a program subroutine.
Compare the characteristics of a rogue Access Point (AP) in wireless networks to determine which statements correctly summarize their attributes. (Select all that apply.)
An evil twin is a rogue AP masquerading as a legitimate AP, and an attacker may form this by using a Denial of Service (DoS) to overcome the legitimate AP/ Sometimes referred to as an evil twin, a rogue AP masquerading as a legitimate AP, may have a similar name to a legitimate AP/ An attacker can set up a rogue AP with something as simple as a smartphone with tethering capabilities.
Security information and event management (SIEM) collect data inputs from multiple sources. Which of the following is NOT one of the main types of log collection for SIEM?
Artificial intelligence (AI)
An organization stores data in different geographic locations for redundancy. This data replicates so that it is the same in all locations. Engineers discover that some replicas are lagging with updates. What configuration do the engineers discover as the cause?
Asynchronous replication
Analyze the following scenarios and determine which cases call for account disablement over account lockout. (Select all that apply.)
Audit logs reveal suspicious activity on a privileged user's account/ A user's company laptop and key fob are stolen at an airport.
Compare physical access controls with network security to identify the statements that accurately connect the similarities between them. (Select all that apply.)
Authentication provides users access through the barriers, while authorization determines the barriers around a resource and An example of authentication in networking is a user logging into the network with a smart card. Similarly, authentication in physical security is demonstrated by an employee using a badge to enter a building
During a training event, an executive at a large company asks the security manager trainer why pushing automatic updates as a patch management solution is not ideal for their Enterprise network. How will the security manager most likely respond?
Automatic updates can cause performance and availability issues.
A manufacturing company hires a pentesting firm to uncover any vulnerabilities in their network with the understanding that the pen tester receives no information about the company's system. Which of the following penetration testing strategies is the manufacturing company requesting?
Black box
Which statement most accurately describes the mechanisms by which blockchain ensures information integrity and availability?
Blockchain ensures availability through decentralization, and integrity through cryptographic hashing and timestamping.
An engineer utilizes infrastructure as code to deploy and manage a network. When considering an abstract model that represents network functionality, how does the engineer make control decisions?
By prioritizing and securing traffic
Compare and contrast the modes of operation for block ciphers. Which of the following statements is true?
CTM and GCM modes allow block ciphers to behave like stream ciphers.
Which method might an attacker use to redirect login via information gained by implementing JavaScript on a webpage the user believes is legitimate?
Clickjacking
A company has many employees that work from home. The employees obtain data and post data to a shared file they access through a link on the Internet. Consider the types of virtualization and conclude which the company is most likely utilizing.
Cloud computing
An organization configures both a warm site and a hot site for disaster preparedness. Doing so poses which difficulties for the organization? (Select all that apply.)
Complexity and Budgetary
A security team is in the process of selecting a cryptographic suite for their company. Analyze cryptographic implementations and determine which of the following performance factors is most critical to this selection process if users primarily access systems on mobile devices.
Computational overhead
A systems administrator configures several subnets within a virtual private cloud (VPC). The VPC has an Internet gateway attached to it, however, the subnets remain private. What does the administrator do to make the subnets public?
Configure a default route for each subnet.
A system administrator has just entered their credentials to enter a secure server room. As the administrator is entering the door, someone is walking up to the door with their hands full of equipment and appears to be struggling to move items around while searching for their credentials. The system administrator quickly begins to assist by getting items out of the person's hands, and they walk into the room together. This person is not an employee, but someone attempting to gain unauthorized access to the server room. What type of social engineering has occurred?
Consensus/social proof
A senior administrator is teaching a new technician how to properly develop a standard naming convention in Active Directory (AD). Examine the following responses and determine which statements would be sound advice for completing this task. (Select all that apply.)
Consider grouping Organizational Units (OU) by location or department and Within each root-level organizational unit (OU) use separate child OUs for different types of objects
During weekly scans, a system administrator identifies a system that has software installed that goes against security policy. The system administrator removes the system from the network in an attempt to limit the effect of the incident on the remainder of the network. Apply the Computer Security Incident Handling Guide principles to determine which stage of the incident response life cycle the administrator has entered.
Containment, eradication and recovery
After a poorly handled security breach, a company updates its security policy to include an improved incident response plan. Which of the following security controls does this update address?
Corrective
An administrator uses data from a Security Information and Event Management (SIEM) system to identify potential malicious activity. Which feature does the administrator utilize when implementing rules to interpret relationships between datapoints to diagnose incidents?
Correlation
A document contains information about a company that is too valuable to permit any risks, and viewing is severely restricted. Analyze levels of classification and determine the appropriate classification for the document.
Critical
A security team has just added iris scanners to two access control points in a secure facility. They are in the process of making adjustments to ensure authorized users have access, while unauthorized users cannot get through. Analyze the scenario and determine what metric the team is in the process of fine-tuning.
Crossover error rate (CER)
During the planning/scoping phase of the kill chain, an attacker decides that a Distributed Denial of Service (DDoS) attack would be the best way to disrupt the target website and remain anonymous. Evaluate the following explanations to determine the reason the attacker chose a DDoS attack.
DDoS attacks utilize botnets
Where should an administrator place an internet-facing host on the network?
DMZ
Analyze and determine the role responsible for managing the system where data assets are stored, and is responsible for enforcing access control, encryption, and backup measures.
Data custodian
Data exists in several states, each requiring different security considerations. Evaluate the following items and select which data state presents the greatest encryption challenge.
Data in use
Choose which of the following items classify as Personally Identifiable Information. (Select all that apply.)
Date of birth
A systems engineer reviews recent backups for a production server. While doing so, the engineer discovers that archive bits on files are clearing and incorrect backup types have been occurring. Which backup type does the engineer look to include?
Differential
Compare and evaluate the various levels and types of platform security to conclude which option applies to a hardware Trusted Platform Module (TPM).
Digital certificates, keys, and hashed passwords are maintained in hardware-based storage.
An employee works on a small team that shares critical information about the company's network. When sending emails that have this information, what would be used to provide the identity of the sender and prove that the information has not been tampered with?
Digital signature
A systems breach occurs at a financial organization. The system in question contains highly valuable data. When performing data acquisition for an investigation, which component does an engineer acquire first?
Disk controller cache
When a company attempts to re-register their domain name, they find that an attacker has supplied false credentials to the domain registrar and redirected their host records to a different IP address. What type of attack has occurred?
Domain hijacking
Contrast vendor support for products and services at the end of their life cycle. Which of the following statements describes the difference between support available during the end of life (EOL) phase and end of service life (EOSL) phase?
During the end of life (EOL) phase, manufacturers provide limited support, updates, and spare parts. In the end of service life (EOSL), developers or vendors no longer support the product and no longer push security updates.
A company's clean desk policy will most likely feature which of the following clauses?
Employees must not leave documents unattended in their workspace.
A hurricane has affected a company in Florida. What is the first step in the order of restoration?
Enable and test power delivery systems
Which statement describes the mechanism by which encryption algorithms help protect against birthday attacks?
Encryption algorithms add salt when computing password hashes.
A user calls the help desk to report that Microsoft Excel continues to crash when used. The technician would like to review the logs in an attempt to determine the cause. Analyze the types of logs to determine which would contain the information the technician needs.
Event log
An employee has requested a digital certificate for a user to access the Virtual Private Network (VPN). It is discovered that the certificate is also being used for digitally signing emails. Evaluate the possible extension attributes to determine which should be modified so that the certificate only works for VPN access.
Extended key usage
You are asked to help design a security system. What are some methods that can be used to mitigate risks to embedded systems in such environments? (Select all that apply.)
Firmware patching/ Network Segmentation/ Wrappers
IT staff looks to provide a high level of fault tolerance while implementing a new server. With which systems configuration approach does the staff achieve this goal?
Focusing on critical components
A security professional is looking to harden systems at an industrial facility. In particular, the security specialist needs to secure an HVAC system that is part of an IoT network. Which areas does the specialist look to secure from data exfiltration exploits? (Select all that apply.)
Fog node/ Edge gateway
Which term defines the practice of collecting evidence from computer systems to an accepted standard in a court of law?
Forensics
Which of the following could be considered as an insider threat? (Select all that apply.)
Former employee and Contractor
Management has reason to believe that someone internal to the organization is committing fraud. To confirm their suspicion, and to collect evidence, they need to set up a system to capture the events taking place. Evaluate which option will best fit the organization's needs.
Honeypot
A natural disaster has resulted in a company moving to an alternate processing site. The company has operations moved within a few hours as a result of having a building with all of the equipment and data needed to resume services. Evaluate the types of recovery sites to determine which processing site the company is utilizing.
Hot site
An employee recently retired, and the employee received an exit interview, returned a company-issued laptop, and had company-specific programs and applications removed from a personal PC. Evaluate this employee's offboarding process and determine what, if anything, remains to be done.
IT needs to disable the employee's user account and privileges.
Select the phase of risk management a company has performed if they analyzed workflows and identified critical tasks that could cause their business to fail, if not performed.
Identify mission essential functions
The National Institute of Standards and Technology (NIST) provides a framework that classifies security-related functions. Which description aligns with the "respond" function?
Identify, analyze, and eradicate threats.
Which statement best explains the differences between black box, white box, and gray box attack profiles used in penetration testing?
In a black box pen test, the contractor receives no privileged information, so they must perform reconnaissance. In contrast, a white box pen tester has complete access and skips reconnaissance. A gray box tester has some, but not all information, and requires partial reconnaissance.
Which of the following statements differentiates between input validation and output encoding?
Input validation ensures that data input into an application is in a compatible format for the application, while output encoding re-encodes data that transfers between scripts
An Identity and Account Management (IAM) system has four main processes. Which of the following is NOT one of the main processes?
Integrity
One aspect of threat modeling is to identify potential threat actors and the risks associated with each one. When assessing the risk that any one type of threat actor poses to an organization, what are the critical factors to profile? (Select all that apply.)
Intent and motivation
Analyze the available detection techniques and determine which are useful in identifying a rogue system through software management. (Select all that apply.)
Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network/ Wireless monitoring can reveal whether there are unauthorized access points.
A company security manager takes steps to increase security on Internet of Things (IoT) devices and embedded systems throughout a company's network and office spaces. What measures can the security manager use to implement secure configurations for these systems? (Select all that apply.)
Isolate hosts using legacy versions of operating systems (OSes) from other network devices through network segmentation/ Use wrappers, such as Internet Protocol Security (IPSec) for embedded systems' data in transit.
A web administrator visits a website after installing its certificate to test the SSL binding. The administrator's client computer did not trust the website's certificate. The administrator views the website's certificate from the browser to determine which certificate authority (CA) generated the certificate. Which certificate field would assist with the troubleshooting process?
Issuer
If not managed properly, certificate and key management can represent a critical vulnerability. Assess the following statements about key management and select the true statements. (Select all that apply.)
It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key and If a private key, or secret key, is not backed up, the storage system represents a single point of failure.
Evaluate the metrics associated with Mission Essential Functions (MEF) to determine which example is demonstrating Work Recovery Time (WRT).
It takes three hours to restore a system from backup, reintegrate the system, and test functionality.
A company has a critical encryption key that has an M-of-N control configuration for protection. Examine the examples and select the one that correctly illustrates the proper configuration for this type of protection of critical encryption keys.
M=3 and N=5
A hacker compromises a web browser and uses access to harvest credentials users input when logging in to banking websites. What type of attack has occurred?
Man-in-the-Browser
A client contacts a server for a data transfer. Instead of requesting TLS1.3 authentication, the client claims legacy systems require the use of SSL. What type of attack might a data transfer using this protocol facilitate?
Man-in-the-middle
How might the goals of a basic network management not be well-aligned with the goals of security?
Management focuses on availability over confidentiality.
A company has an annual contract with an outside firm to perform a security audit on their network. The purpose of the annual audit is to determine if the company is in compliance with their internal directives and policies for security control. Select the broad class of security control that accurately demonstrates the purpose of the audit.
Managerial
Examine the differences between general purpose personal computer hosts and embedded systems and select the true statements regarding embedded system constraints. (Select all that apply.)
Many embedded systems work on battery power, so they cannot require significant processing overhead/ Embedded systems often use the system on chip (SoC) design to save space and increase power efficiency.
A project manager is developing a site layout for a new facility. Consider the principles of site layout design to recommend the best plan for the project.
Minimize traffic passing between zones so that the flow of people are in and out, instead of across and between.
A system administrator wants to install a mechanism to conceal the internal IP addresses of hosts on a private network. What tool can the administrator use to accomplish this security function?
NAT gateway
Which of the following has a cyber security framework (CSF) that focuses exclusively on IT security, rather than IT service provisioning?
National Institute of Standards and Technology (NIST)
A network administrator is shopping for a security product to utilize to fine-tune existing firewall and appliance settings. Comparing product features, which type of product is most likely to satisfy the network administrator's needs?
Network-based intrusion detection system (NIDS)
A network manager assists with developing a policy to protect the company from data exfiltration. The employee devises a list of focus points to include. Which plans, when consolidated, provide the best protection for the company? (Select all that apply.)
New employees complete initial and refresher trainings on document confidentiality and the use of encryption/ Only allow removable media if it is company property, if it is required to perform a task, and if it has been cleared through the proper channels/ Encrypt all sensitive data at rest and disconnect systems that are storing archived data from the network
A security team suspects the unauthorized use of an application programming interface (API) to a private web-based service. Which metrics do the team analyze and compare to a baseline for response times and usage rates, while investigating suspected DDoS attacks? (Select all that apply.)
Number of requests/ Latency
An engineer looks to implement security measures by following the five functions in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. When documenting the "detect" function, what does the engineer focus on?
Ongoing proactive monitoring
A contractor has been hired to conduct security reconnaissance on a company. The contractor browses the company's website to identify employees and then finds their Facebook pages. Posts found on Facebook indicate a favorite bar that employees frequent. The contractor visits the bar and learns details of the company's security infrastructure through small talk. What reconnaissance phase techniques does the contractor practice? (Select all that apply.)
Open Source Intelligence (OSINT) and Social engineering
Examine each attack vector. Which is most vulnerable to escalation of privileges?
Operating System (OS)
Examine the tradeoff between traditional password policy complexity requirements and updated practical suggestions from the National Institute of Standards and Technology (NIST) and select the statement that fits both practical password management and traditional complexity requirements.
Passwords should not contain dictionary words or contextual information, such as a username or the company name.
A threat analyst is asked about malicious code indicators. Which indicator allows the threat actor's backdoor to restart if the host reboots or the user logs off?
Persistence
An organization suspects that a visitor is performing data exfiltration while on the premises. The organization knows that the visitor does not have access to any computer system. Which of the following methods does the organization suspect the visitor of using? (Select all that apply.)
Phone/ Camera
Arrange the following stages of the incident response life cycle in the correct order.
Preparation; Identification; Containment, Eradication, and Recovery; Lessons Learned
Examine each statement and determine which most accurately describes a major limitation of quantum computing technology.
Presently, quantum computers do not have the capacity to run useful applications.
An employee calls IT personnel and states that they received an email with a PDF document to review. After the PDF was opened, the system has not been performing correctly. An IT admin conducted a scan and found a virus. Determine the two classes of viruses the computer most likely has. (Select all that apply.)
Program and Script
Identify the type of attack that occurs when the outcome from execution process are directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
Race conditions
Compare and contrast the types of Cross-Site Scripting (XSS) attacks, and select the option that accurately distinguishes between them.
Reflected and stored XSS attacks exploit server-side scripts, while the DOM is used to exploit vulnerabilities in client-side scripts.
Select the options that can be configured by Group Policy Objects (GPOs). (Select all that apply.)
Registry settings/ Software deployment
A system compromise prompts the IT department to harden all systems. The technicians look to block communications to potential command and control servers. Which solutions apply to working with egress filtering? (Select all that apply.)
Restrict DNS lookups/ Allow only authorized application ports
Biometric authentication methods have different error rates, with some methods being easier to fool than others. An unauthorized user is unlikely to fool which of the following methods?
Retinal scan
An attacker compromises a Linux host, installing a web shell as a backdoor. If the attacker gained access to the host through a connection the host established, what type of attack has occurred?
Reverse shell
A recent systems crash prompts an IT administrator to perform recovery steps. Which mechanism does the administrator use to achieve nonpersistence?
Revert to known state
A gaming company decides to add software on each title it releases. The company's objective is to require the CD to be inserted during use. This software will gain administrative rights, change system files, and hide from detection without the knowledge or consent of the user. Consider the malware characteristics and determine which is being used.
Rootkit
A company is working to restore operations after a blizzard stopped all operations. Evaluate the order of restoration and determine the correct order of restoring devices from first to last.
Routers, firewalls, Domain Name System (DNS), client workstations
A security team desires to modify event logging for several network devices. One team member suggests using the configuration files from the current logging system with another open format that uses TCP with a secure connection. Which format does the team member suggest?
Rsyslog
Consider the role trust plays in federated identity management and determine which models rely on networks to establish trust relationships. (Select all that apply.)
SAML/OAuth and OpenID
An individual receives a text message that appears to be a warning from a well-known order fulfillment company, informing them that the carrier has tried to deliver his package twice, and that if the individual does not contact them to claim it, the package will not be delivered. Analyze the scenario and select the social engineering technique being used.
SMiShing
Which cookie attribute can a security admin configure to help mitigate a request forgery attack?
SameSite
If an administrator in an exchange server needs to send digitally signed and encrypted messages, what messaging implementation will best suit the administrator's needs?
Secure/Multipurpose Internet Mail Extensions (S/MIME)
During a penetration test, an adversary operator sends an encrypted message embedded in an attached image. Analyze the scenario to determine what security principles the operator is relying on to hide the message. (Select all that apply.)
Security by obscurity and Confidentiality
An organization plans a move of systems to the cloud. In order to identify and assign areas of risk, which solution does the organization establish to contractually specify cloud service provider responsibilities?
Service level agreement
Evaluate approaches to applying patch management updates to select the accurate statement.
Service release patch updates are known to cause problems with software application compatibility.
Which of the following depict ways a malicious attacker can gain access to a target's network? (Select all that apply.)
Shoulder surfing and Phishing
Which of the following considerations is most important when employing a signature-based intrusion detection system?
Signatures and rules must be kept up to date to protect against emerging threats.
A system administrator suspects a memory leak is occurring on a client. Determine which scenario would justify this finding.
Software does not release allocated memory when it is done with it
An attacker uses a cryptographic technology to create a covert message channel in transmission control protocol (TCP) packet data fields. What cryptographic technique does this attack strategy employ?
Steganography
A system administrator needs to implement a secure remote administration protocol and would like more information on Telnet. Evaluate and select the features of Telnet that the administrator should consider to accomplish this task. (Select all that apply.)
Telnet does not support direct file transfer/ Telnet uses TCP port 23.
A contractor has been hired to conduct penetration testing on a company's network. They have decided to try to crack the passwords on a percentage of systems within the company. They plan to annotate the type of data that is on the systems that they can successfully crack to prove the ease of access to data. Evaluate the penetration steps and determine which are being utilized for this task. (Select all that apply.)
Test security controls and Exploit vulnerabilities
A system administrator is deploying a new web server. Which hardening procedures should the administrator consider? (Select all that apply.)
The administrator should use SFTP to transfer files to and from the server remotely/ The administrator should assign a digital certificate and enable the use of TLS 1.3.
An attacker finds a way to exploit a vulnerability in a target application that allows the attacker to bypass a password requirement. Which method did the attacker most likely use?
The attacker added LDAP filters as unsanitized input by creating a condition that is always true.
An employee is attempting to install new software they believe will help them perform their duties faster. When the employee tries to install the software, an error message is received, stating they are not authorized to install the software. The employee calls the help desk for assistance. Evaluate the principles of execution control to conclude what has most likely occurred in this scenario.
The company is utilizing allow list control, and the software is not included in the list.
A user facing a tight deadline at work experiences difficulties logging in to a network workstation, so the user activates a smartphone hotspot and connects a personal laptop to save time. Which of the following vulnerabilities has the user potentially created for the enterprise environment?
The device may circumvent data loss prevention and web content filtering policies.
A company utilizing formal data governance assigns the role of data steward to an employee. Evaluate the roles within data governance and conclude which tasks the employee in this role performs.
The employee ensures data is labeled and identified with appropriate metadata.
Analyze mobile device deployment models to select the best explanation of the Corporate Owned, Personally-Enabled (COPE) deployment model.
The employee may use the mobile device to access personal email and social media accounts. The device is chosen and supplied by the company.
The first responder to a security incident decides the issue requires escalation. Consider the following and select the scenario that best describes escalation in this issue.
The first responder calls senior staff to get them involved.
Windows has several service account types, typically used to run processes and background services. Which of the following statements about service accounts is FALSE?
The local service account creates the host processes and starts Windows before the user logs on.
A network manager is installing a new switch on the network. Compare the hardening processes for servers, appliances, and applications to recommend the hardening steps that should be taken to complete the task.
The network manager should ensure all patches are applied and it is appropriately configured.
Following a data breach at a large retail company, their public relations team issues a statement emphasizing the company's commitment to consumer privacy. Identify the true statements concerning this event. (Select all that apply.)
The privacy breach may allow the threat actor to sell the data to other malicious actors and Data exfiltration by a malicious actor may have caused the data breach.
During a penetration test, systems administrators for a large company are tasked to play on the white team for an affiliated company. Examine each of the following roles and determine which role the systems admins will fill.
The systems admins will arbitrate the exercise, setting rules of engagement and guidance
A security technician needs to transfer a large file to another user in a data center. Which statement best illustrates what type of encryption the technician should use to perform the task?
The technician should use asymmetric encryption to verify the data center user's identity and agree on a symmetric encryption algorithm for the data transfer.
A systems breach occurs at a manufacturer. The system in question contains highly valuable data. An engineer plans a live acquisition, but ultimately, is not successful. What reason may be stopping the engineer?
The tools are not preinstalled or running
A user would like to install an application on a mobile device that is not authorized by the vendor. The user decides the best way to accomplish the install is to perform rooting on the device. Compare methods for obtaining access to conclude which type of device the user has, and what actions the user has taken.
The user has an Android device and has used custom firmware to gain access to the administrator account.
Considering how to mitigate password cracking attacks, how would restricting the number of failed logon attempts be categorized as a vulnerability?
The user is exposed to a DoS attack.
An employee is working on a project that contains critical data for the company. In order to meet deadlines, the employee decides to email the document containing the data to their personal email to work on at home. Consider the traits of Data Loss Prevention (DLP) and evaluate the scenario to select the DLP remediation the company should utilize.
The user should be blocked from sending the email but retain access to it. The user is alerted to the policy violation, and it is logged as an incident.
Based on the known facts of password attacks, critique the susceptibility of the password "DogHouse23" to an attack.
This is an insufficient password. The password contains words that are found in the dictionary and does not contain special characters.
A security engineer investigates a recent system breach. When compiling a report of the incident, how does the engineer classify the actor and the vector?
Threat
An IT director reads about a new form of malware that targets a system widely utilized in the company's network. The director wants to discover whether the network has been targeted, but also wants to conduct the scan without disrupting company operations or tipping off potential attackers to the investigation. Evaluate vulnerability scanning techniques and determine the best tool for the investigation.
Threat hunting
Which situation would require keyboard encryption software be installed on a computer?
To protect against spyware
Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)?
Tokens can be allowed to continue without expiring in HOTP.
A technician is configuring Internet Protocol Security (IPSec) for communications over a Virtual Private Network (VPN). Evaluate the features of available modes and recommend the best option for implementation.
Tunnel mode because the whole IP packet is encrypted, and a new IP header is added.
Analyze the following scenarios and determine which accurately describes the use of an ad hoc Wi-Fi network.
Two wireless stations connect to each other on a temporary basis.
An engineer retrieves data for a legal investigation related to an internal fraud case. The data in question is from an NTFS volume. What will the engineer have to consider with NTFS when documenting a data timeline?
UTC time
A user with authorized access to systems in a software development firm installs a seemingly harmless, yet unauthorized program on a workstation without the IT department's sanction. Identify the type of threat that is a result of this user's action.
Unintentional insider threat
A system administrator is configuring a new Dynamic Host Configuration Protocol (DHCP) server. Analyze the types of attacks DHCP servers are prone to and determine which steps the system administrator should take to protect the server. (Select all that apply.)
Use scanning and intrusion detection to pick up suspicious activity/ Enable logging and review the logs for suspicious events/ Disable unused ports and perform regular physical inspections to look for unauthorized devices.
What are the most common, baseline account policies system administrators implement on a secure domain network? (Select all that apply.)
Use upper- and lower-case letters, numbers, and special characters for passwords/ Set a lockout duration period of one hour.
Analyze and select the accurate statements about threats associated with virtualization. (Select all that apply.)
VM escaping occurs as a result of malware jumping from one guest OS to another/ A timing attack occurs by sending multiple usernames to an authentication server to measure the server response times.
The security team at an organization looks to protect highly confidential servers. Which method does the team propose when protecting the servers against explosives?
Vault
A company technician goes on vacation. While the technician is away, a critical patch released for Windows servers is not applied. According to the National Institute of Standards and Technology (NIST), what does the delay in applying the patch create on the server?
Vulnerability
A team is building a wireless network, and the company has requested the team to use a Wired Equivalent Privacy (WEP) encryption scheme. The team has developed a recommendation to utilize a different encryption scheme based on the problems with WEP. Analyze the features of WEP to determine what problems to highlight in the recommendation.
WEP allows for a 256-bit key but is still not secure. The Initialization Vector (IV) is not sufficiently large, thus is not always generated using a sufficiently random algorithm.
Management of a company practices qualitative risk when assessing a move of systems to the cloud. How does the company indicate any identified risk factors?
With a classification system
A user's PC is infected with a virus that appears to be a memory resident and loads anytime an external universal serial bus (USB) thumb drive is attached. Examine the following options and determine which describes the infection type.
Written to the partition table of a disk.
Analyze and compare iOS and Android operating systems (OS) to accurately differentiate between the two. (Select all that apply.)
iOS is limited to Apple products, while Android has multiple hardware vendors/ Android is an open source OS based on Linux, unlike iOS, which is a closed and proprietary system.
Identify the command that can be used to detect the presence of a host on a particular IP address.
ping
An attacker tricks a host within a subnet into routing through an attacker's machine, rather than the legitimate default gateway, allowing the attacker to eavesdrop on communications and perform a Man-in-the-Middle (MitM) attack. Compare the types of routing vulnerabilities and conclude what the attacker is exploiting in this scenario.
ARP poisoning
Pilots in an Air Force unit utilize government-issued tablet devices loaded with navigational charts and aviation publications, with all other applications disabled. This illustrates which type of mobile device deployment?
COBO
The owner of a company asks a network manager to recommend a mobile device deployment model for implementation across the company. The owner states security is the number one priority. Which deployment model should the network manager recommend for implementation?
COBO because the company retains the most control over the device and applications.
A system has a slight misconfiguration which could be exploited. A manufacturing workflow relies on this system. The admin recommends a trial of the proposed settings under which process?
Change management
An authoritative server for a zone creates an RRset signed with a Zone Signing Key. Another server requests a secure record exchange and the authoritative server returns the package along with the public key. Evaluate the scenario to determine what the authoritative server is demonstrating in this situation.
DNS Security Extension
An attacker modifies the HOSTS file to redirect traffic. Consider the types of attacks and deduce which type of attack has likely occurred.
DNS client cache poisoning
A system administrator has received new systems to deploy within a work center. Which of the following should the system administrator implement to ensure proper hardening without impacting functionality? (Select all that apply.)
Disable any network interfaces that are not required/ Disable all unused services.
Incident management relies heavily on efficient allocation of resources. Which of the following factors should the IT manager consider to effectively triage remediation efforts? (Select all that apply.)
Downtime/ Detection time/ Recovery time
Which statement regarding attacks on media access control (MAC) addresses accurately pairs the method of protection and what type of attack it guards against? (Select all that apply.)
Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing / Dynamic address resolution protocol inspection (DAI) guards against MAC flooding.
When provisioning application services in a network architecture, an engineer uses a microservices approach as a solution. Which description best fits the engineer's implementation?
Each program or tool should do one thing well
A network user calls the help desk after receiving an error message. The caller complains that the error message does not indicate whether the username or password input was incorrect but simply states there was an authentication error. What does this situation illustrate?
Effective exception handling
A network administrator uses two different automated vulnerability scanners. They regularly update with the latest vulnerability feeds. If the system regularly performs active scans, what type of error is the system most likely to make?
False positive
Consider biometric methods that are used to authenticate a user. Knowing that errors are possible, which of the following would most likely result in a security breach?
False positive
Many Internet companies, such as Google and Facebook, allow users to share a single set of credentials between multiple services providers. For example, a user could login to Amazon using their Facebook credentials. Which term correctly defines this example?
Federation
Analyze the features of Microsoft's Information Rights Management (IRM) and choose the scenarios that accurately depict IRM. (Select all that apply.)
File permissions are assigned based on the roles within a document/ A document is emailed as an attachment, but cannot be printed by the receiver/ An email message cannot be forwarded to another employee.
An outside security consultant updates a company's network, including data cloud storage solutions. The consultant leaves the manufacturer's default settings when installing network switches, assuming the vendor shipped the switches in a default-secure configuration. Examine the company's network security posture and select the statements that describe key vulnerabilities in this network. (Select all that apply.)
The network is open to third-party risks from using an outside contractor to configure cloud storage settings and The default settings in the network switches represent a weak configuration.
Select the appropriate methods for packet capture. (Select all that apply.)
Wireshark and tcpdump
Which statement best describes the difference between session affinity and session persistence?
With session affinity, when a client establishes a session, it remains with the node that first accepted its request, while an application-layer load balancer uses persistence to keep a client connected by setting up a cookie.
Which of the following is an example of the process of identifying and de-duplicating files and metadata to be stored for evidence in a trial?
eDiscovery
A critical server has a high availability requirement of 99.99%. Solve the Maximum Tolerable Downtime (MTD) in hh:mm:ss to conclude which option will meet the requirement.
0:49:23 annual downtime
A company has thirty servers that run for 125 hours, with three servers that fail. Rounding to the nearest whole number, calculate the Mean Time Between Failures (MTBF) for this scenario.
1,250
Analyze the following attacks to determine which best illustrates a pharming attack.
A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site.
Encryption vulnerabilities allow unauthorized access to protected data. Which component is subject to brute-force enumeration?
A weak cipher
Which statement best illustrates the importance of a strong true random number generator (TRNG) or pseudo-random number generator (PRNG) in a cryptographic implementation?
A weak number generator leads to many published keys sharing a common factor.
Which of the following statements summarizes a disadvantage to performing an active vulnerability scan? (Select all that apply.)
Active scanning consumes more network bandwidth and Active scanning runs the risk of causing an outage.
Given knowledge of load balancing and clustering techniques, which configuration provides both fault tolerance and consistent performance for applications like streaming audio and video services?
Active/Passive clustering