Security+ Exam Questions (without answer choices)

What is RPO

RPO = data loss - measured in time

A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS. What should the network administrator implement? MAC address filtering with IP filtering WPA2 with a complex shared key PKI with user authentication 802.1x using EAP with MSCHAPv2

802.1x using EAP with MSCHAPv2 Explanation OBJ-3.4: Since the backend uses a RADIUS server for back-end authentication, the network administrator can install 802.1x using EAP with MSCHAPv2 for authentication. The Extensible Authentication Protocol (EAP) is a framework in a series of protocols that allows for numerous different mechanisms of authentication, including things like simple passwords, digital certificates, and public key infrastructure. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based authentication protocol that is widely used as an authentication method in PPTP-based (Point to Point Tunneling Protocol) VPNs and can be used with EAP.

You are notified by an external organization that an IP address associated with your company's email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor's email account was only used from one workstation. You analyze Connor's workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario? Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department Request disciplinary action for Connor for causing this incident Isolate the workstation computer by disabling the switch port and resetting Connor's username/password Unplug the workstation's network cable and conduct a complete reimaging of the workstation

Isolate the workstation computer by disabling the switch port and resetting Connor's username/password Explanation OBJ-4.4: Isolation of Connor's computer by deactivating the port on the switch should be performed instead of just unplugging the computer. This would guarantee that Connor won't just plug the computer back into the network as soon as you leave his desk. While Connor won't be able to work without his workstation, it is essential to isolate the issue quickly to prevent future attempts at lateral movement from occurring and protect the company's data needed for continued business operations. While we are unsure of the issue's initial root cause, we know it is currently isolated to Connor's machine. He should receive remedial cybersecurity training, his workstation's hard drive forensically imaged for later analysis, and then his workstation should be remediated or reimaged. It is better to isolate just Connor's machine instead of the entire network segment in this scenario. Isolating the network segment, without evidence indicating the need to do so, would have been overkill and overly disruptive to the business. Reimaging Connor's device may destroy data that could have otherwise been recovered and led to a successful root cause analysis. There is also insufficient evidence in this scenario to warrant disciplinary action against Connor, as he may have clicked on a malicious link by mistake.

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement?

Lessons learned report Explanation The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details. A trend analysis report describes whether behaviors have increased, decreased, or stayed the same over time. The chain of custody report is the chronological documentation or paper trail that records the custody, control, transfer, analysis, and disposition of physical or electronic evidence.

You have just finished running a Nmap scan on a server are see the following output: Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network?

Port 23 Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet be disabled and blocked from use. The other open ports are SSH (port 22), DNS (port 53), and HTTPS (port 443).

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization's RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period?

MTTR = how long it takes to fix Explanation OBJ-5.4: Mean time to repair (MTTR) is a basic measure of the maintainability of repairable items. It represents the average time required to repair a failed component or device.

A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output: $ topdump -n -i etho 15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549 15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113 15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113 Which of the following statements is true based on this output? 11.154.12.121 is under attack from a host at 10.0.19.121 11.154.12.121 is a client that is accessing an SSH server over port 52497 10.0.19.121 is under attack from a host at 11.154.12.121 10.0.19.121 is a client that is accessing an SSH server over port 52497

10.0.19.121 is a client that is accessing an SSH server over port 52497 Explanation OBJ-4.1: This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) runs an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is no evidence of an attack against either the server or the client based on this output since we can only see the headers and not the content being sent between the client and server.

While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source?

192.186.1.100 Explanation This question tests your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). During your CompTIA A+, Network+, and Security+ studies, you should have learned that private IP addresses are either 10.x.x.x, 172.16-31.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100 since it is not a private IP address.

You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, the CIO starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you don't have the answers to the CIO's questions, yet. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved?

A call list/escalation list Explanation To maintain a disciplined approach to incident response, the organization needs to document and follow procedures developed during the preparation phase. The SOC should have a call list or an escalation list as part of those procedures. This list should detail who should be called, what order, and how high up the organizational leadership chart a particular issue would reach. In almost every case, the incident response team lead should be contacted before the CEO or CIO is notified of the incident. When companies go "right to the top" of the leadership chart, the CEO and CIO will be acting on half-true or unverified information during the start of an incident response process. Instead, an established form for incident detail collection should be performed, the right technical leads should be notified of the incident, and the incident response team should be called in to analyze the information and provide a quick "stand up" report to leadership on what the issue is, what has already been done, and what they recommend doing from here to resolve the incident. All of the other options are best practices to consider and develop in the preparation phase. Still, they would not have solved the issue in this scenario of senior leadership being notified before the incident response team lead.

A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?

Active scanning engine installed on the enterprise console Explanation Since the college wants to ensure a centrally-managed enterprise console, an active scanning engine installed on the enterprise console would best meet these requirements. The college's cybersecurity analysts could then perform scans on any devices connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the agents' installation onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.

Susan, a help desk technician at Dion Training, has received several trouble tickets today related to employees receiving the same email as part of a phishing campaign. She has determined that the email's malicious link is not being blocked by the company's security suite when a user clicks the link. Susan asked you what action can be performed to prevent a user from reaching the website associated with the phishing email's malicious link. What action do you recommend she utilize?

Add the malicious domain name to your content filter and web proxy's block list Explanation To prevent a user from accessing the malicious website when the link is clicked, the malicious domain name should be added to the blocklist of the company's content filter and web proxy. This will ensure that no devices on the network can reach the malicious domain name. While blocking the IP address associated with the domain name might help for a short period of time, the malicious domain's owner could quickly redirect the DNS to point to a different IP. Then the users would still be able to access the malicious domain and its contents. Enabling TLS on the mail server will only encrypt the connection between the email server and its clients. Still, it will not prevent the users from clicking on the malicious link and accessing the malicious content. While informing the users that there is an active attempt at phishing being conducted against the organization is a good idea, forwarding the phishing email with the malicious link will generally cause more users to accidentally click on the malicious link, which further exacerbates the issue.

What tool is used to collect wireless packet data? Netcat Aircrack-ng John the Ripper Nessus

Aircrack-ng Explanation Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file. John the Ripper is a password cracking software tool. Nessus is a vulnerability scanner. Netcat is used to create a reverse shell from a victimized machine back to an attacker

Attackers have recently launched several attacks against servers in your organization's DMZ you are tasked with identifying a solution that will have the best chance at preventing these attacks in the future. Which of the following is the BEST choice?

An inline IPS Explanation The best solution of the given choices is an in-band intrusion prevention system (IPS). Traffic goes through the IPS, and the IPS can prevent attacks from reaching internal systems. An intrusion detection system (IDS) is passive and not inline, so it can only detect and react to the attacks, not block them. A signature-based IDS can detect known attacks based on the attack's signature, but there isn't any indication that the past attacks were known.

Dion Training has contracted a software development firm to create a bulk file upload utility for its website. During a requirements planning meeting, the developers asked what type of encryption is required for the project. After some discussion, Jason decides that the file upload tool should use a cipher capable of encrypting 64 bits of data at a time before transmitting the files from the web developer's workstation to the webserver. What of the following should be selected to meet this security requirement?

Block cipher Explanation OBJ-2.8: A block cipher is used to encrypt multiple bits at a time before moving to the next set of data. Block ciphers generally have a fixed-length block (8-bit, 16-bit, 32-bit, 64-bit, etc.). Stream ciphers encrypt a single bit (or byte) at a time during their encryption process. Hashing algorithms would not meet the requirement because the data would be encrypted using a one-way hash algorithm and be unusable once on the webserver. A cyclic redundancy check (CRC) is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to raw data. Blocks of data entering these systems get a short check value attached, based on the remainder of their contents' polynomial division

Before personnel can enter a secure area, they must first place their smartphones in one of several conductive metal lockboxes. The company implemented this policy because management is concerned about risks related to intellectual property. Which of the following represents the GREATEST risk to intellectual property that this policy will mitigate?

Bluesnarfing Explanation This policy will prevent bluesnarfing, which is the unauthorized access of information from a wireless device through a Bluetooth connection. The conductive metal lockboxes act as a small Faraday cage and will block Bluetooth signals. While the lockboxes will help prevent theft, there's no need to pay extra for conductive lockboxes if theft is the greatest risk. Hotspots are typically in public locations. A company would set up a network providing Wi-Fi access, not a hotspot. Geofencing creates a virtual fence using GPS, but devices within a Faraday cage wouldn't be able to reach GPS.

Lisa and Bart need to exchange emails over the Internet using an unsecured channel These emails need to provide non-repudiation. They decide to use certificates on each of their computer. What would they use to sign their certificates?

CA Explanation A certificate authority (CA) manages certificates and would sign certificates issued to users.Note that non-repudiation would be provided with digital signatures and each user would need a certificate assigned to them that they would use to create the digital signatures. A certificate revocation list (CRL) is a list of revoked certificates. Online Certificate Status Protocol (OCSP) is an alternative to a CRL and provides a realtime response indicating the validity of a certificate. The certificate signing request (CSR) is used to request a certificate. A Digital Signature Algorithm (DA) is used to create a digital signature. They would use digital signatures to sign their emails, and they need a certificate to create a digital signature, but they can't sign their certificates with a digital signature.

A forensic expert is preparing to analyze a hard drive. Which of the following should the expert do FIRST?

Capture an image of the disk with dd Explanation Before analyzing a hard drive, a forensic expert should capture an image of the hard drive and then analyze the image. The dd (short for data duplicator) command-line tool can be used to create an image of a disk without modifying it. This protects the original disk from accidental modifications and preserves it as usable evidence. While not available as a possible answer, a hash of the original drive should be created before capturing an image. The order of volatility identifies which data is most volatile (such as cache) and which is least volatile (such as hard drives). Although the memdump command is used to copy the contents of memory, this scenario is focused on a hard drive. A chain of custody document should be created when evidence is first collected.

(Sample Simulation - On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company's network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts? Conduct a system restore of the database server, image the hard drive, and maintain the chain of custody Isolate the affected server from the network immediately, format the database server, reinstall from a known good backup Capture network traffic using a sniffer, schedule a period of downtime to ima

Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody Explanation OBJ-4.3: Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won't affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server's hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.

Which of the following is required for evidence to be admissible in a court of law?

Chain of custody Explanation OBJ-4.4: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization's procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. A legal hold is a process that an organization uses to preserve all forms of potentially relevant information when litigation is pending or reasonably anticipated. A right to audit is a clause in a contract or service agreement that allows a company the authority to audit the systems and information processed. Order of volatility refers to the order in which you should collect evidence.

A hacker successfully modified the sale price of items purchased through your company's website. During the investigation that followed, the security analyst has verified the web server, and the Oracle database was not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items' sale price?

Changing hidden form values Explanation Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items' price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.

James, a programmer at Apple Computers, is surfing the internet on his lunch break. He comes across a rumor site focused on providing details of the upcoming iPhone being released in a few months. James knows that Apple likes to keep its product details a secret until it is publicly announced. As James is looking over the website, he sees a blog post with an embedded picture of a PDF containing detailed specifications for the next iPhone and labeled "Proprietary Information - Internal Use Only." The new iPhone is still several months away from release. What should James do next?

Contact the service desk or incident response team to determine what to do next Explanation This is an example of either a data leak or a data breach. James is not sure how the website got the details of the product's specifications. Therefore, he should follow his organizational procedures for notification that internal company information has been leaked to the internet. In most organizations, the service desk acts as the single point of contact for all IT issues (even possible data breaches), and they can refer James to the incident response team (if one is currently stood up). Since James works as a programmer, it is unlikely that his team lead is responsible for handling a data leak or data breach, so it is better to contact the service desk first. James should not contact the website directly nor reply to the blog post. Instead, he should leave the response actions to the security team and the incident response team.

A financial services company wants to donate some old hard drives from their servers to a local charity. The hard drives used in the servers are self-encrypting drives. Still, they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use?

Cryptographic erase Explanation In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Cryptographic erase can be used with hard drives, as well. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill-based methods might not be reliable because the device uses wear-leveling routines in the drive controller to communicate which locations are available for use to any software process accessing the device. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device. The most secure option would be a cryptographic erase (CE) for the question's scenario.

Your organization has added a hot site as shown in the following graphic.All firewalls should enforce the following requirements: - Use only secure protocols for remote management - Block cleartext web traffic Users in the hot site are unable to access websites in the Internet. The following graphic shows the current rules configured in Firewall 3 You're asked to verify the rules are configured correctly. Which rule, if any, should be changed in Firewall 3?

DNS Explanation The Domain Name System (DNS) rule should be changed because the source IP address is incorrect.It should be 10.0.3.0/24 instead of 10.0.1.0/24. All other rules are configured correctly. See

Your organization requires the use of TLS or IPsec for all communications with an organization's network. Which of the following is this an example of? Data at rest Data in transit Data in use DLP

Data in transit Explanation OBJ-2.1: Data in transit (or data in motion) occurs whenever data is transmitted over a network. Examples of types of data in transit include website traffic, remote access traffic, data being synchronized between cloud repositories, and more. In this state, data can be protected by a transport encryption protocol, such as TLS or IPsec. Data at rest means that the data is in persistent storage media using whole disk encryption, database encryption, and file- or folder-level encryption. Data in use is when data is present in volatile memory, such as system RAM or CPU registers and cache. Secure processing mechanisms such as Intel Software Guard Extensions can encrypt data as it exists in memory so that an untrusted process cannot decode the information. This uses a secure enclave and requires a hardware root of trust. Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without proper authorization. DLP is a generic term that may include data at rest, data in transit, or data in use to function.

Dion Training is currently undergoing an audit of its information systems. The auditor wants to understand better how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview?

Data protection officer Explanation OBJ-5.5: The primary role of the data protection officer (DPO) is to ensure that her organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. They must understand how any privacy information is used within business operations. Therefore, they are the best person for the auditor to interview to get a complete picture of the data usage.

Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain? Diamond Model of Intrusion Analysis MITRE ATT&CK framework OpenIOC Lockheed Martin cyber kill chain

Diamond Model of Intrusion Analysis Explanation OBJ-4.2: The Diamond Model provides an excellent methodology for communicating cyber events and allowing analysts to derive mitigation strategies implicitly. The Diamond Model is constructed around a graphical representation of an attacker's behavior. The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate them. OpenIOC contains a depth of research on APTs but does not integrate the detection and mitigation strategy.

Which of the following cryptographic algorithms is classified as asymmetric? AES Diffie-Hellman RC4 Blowfish

Diffie-Hellman Explanation OBJ-2.8: The Diffie-Hellman (DH) is used to exchange cryptographic keys over a public channel securely and was one of the first public-key protocols. As a public-key protocol, it relies on an asymmetric algorithm. AES, RC4, and Blowfish are all symmetric algorithms.

You are tasked with improving the overall securitv of several servers in your data center. Which of the following are preventive controls that will assist with this goal? (Choose TWO.)

Disabling unnecessary services and Closing unneeded ports Explanation Disabling unnecessary services and closing unneeded ports are steps you can take to harden a server. They are preventive controls because they help prevent an incident. Cable locks are a type of physical control and are typically used on laptops, not on servers. Monitoring logs on security information and event management (SIM) systems is a detective control. A backup plan is a corrective control. See Chapter 1.

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? Statistical matching Document matching Classification Exact data match

Exact data match Explanation OBJ-4.4: An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers. But, since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match the numbers' fingerprints instead based on their format or sequence. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses machine learning to analyze various data sources using artificial intelligence or machine learning. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification-based DLP to search for any files labeled as secret or top secret.

What regulation protects the privacy of student educational records?

FERPA Explanation The Family Educational Rights and Privacy Act (FERPA) requires that educational institutions implement security and privacy controls for student educational records. Gramm-Leach-Bliley Act (GLBA) institutes requirements that help protect the privacy of an individual's financial information held by financial institutions and others, such as tax preparation companies. The privacy standards and rules created as part of GLBA safeguard private information and set penalties in the event of a violation. Sarbanes-Oxley Act (SOX) dictates requirements for storing and retaining documents relating to an organization's financial and business operations, including the type of documents to be stored and their retention periods. It is relevant for any publicly-traded company with a market value of at least $75 million. The Health Insurance Portability and Accountability Act (HIPAA) establishes several rules and regulations regarding healthcare in the United States. With the rise of electronic medical records, HIPAA standards have been implemented to protect patient medical information privacy through restricted access to medical records and regulations for sharing medical records.

Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next?

Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first Explanation PHI is an abbreviation for Personal Health Information. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, those critical assets to the secure handling or storage of PHI are of the highest risk should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not identify all the false positives and exceptions and then resolve any remaining items since they won't be prioritized for remediation. You should also not wait to perform additional scanning because a scan is only a snapshot of your current status. If it takes 30 days to remediate all the vulnerabilities and do not scan, new vulnerabilities may have been introduced. Placing all the PHI assets into a sandbox will not work either because you have removed them from the production environment and can no longer serve their critical business functions.

Your organization hosts a web application selling digital products. Customers can also post comments related to their purchases. Management suspects that attackers are looking for vulnerabilities that they can exploit.Which of the following will BEST test the cybersecurity resilience of this application?

Fuzzing Explanation Fuzzing is a type of dynamic code analysis, and it can test the application's cybersecurity resilience.Fuzzing sends random data to an application to verify the random data doesn't crash the application or expose the system to a data breach. Input validation and error-handling techniques protect applications but do not test them. Anti-malware protects systems from malware attacks, but it doesn't test a system.

You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program?

GLBA Explanation The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices?

GPO Explanation Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. A Group Policy is the primary administrative tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization. In an active directory environment, Group Policy is applied to users or computers based on their membership in sites, domains, or organizational units. A host-based intrusion detection system (HIDS) is a device or software application that monitors a system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. Anti-malware software is a program that scans a device or network for known viruses, Trojans, worms, and other malicious software. Patch management is the process of distributing and applying updates to the software to prevent vulnerabilities from being exploited by an attacker or malware. Proper patch management is a technical control that would prevent future outbreaks.

Network administrators are considering adding an HSM to a server in your network. What functions will this add to the server?

Generate and store keys used with servers Explanation A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers. The keys can be used to encrypt data sent to and from the server, but they wouldn't be used for full drive encryption. A Trusted Platform Module (TPM) provides full drive encryption and is included in many laptops. A data loss prevention (DLP) device is a device that can reduce the risk of employees emailing confidential information outside the organization. Software as a Service (SaaS) provides software or applications, such as webmail, via the cloud.

You are working in a doctor's office and have been asked to set up a kiosk to allow customers to check in for their appointments. The kiosk should be secured, and only customers to access a single application used for the check-in process. You must also ensure that the computer will automatically log in whenever the system is powered on or rebooted. Which of the following types of accounts should you configure for this kiosk?

Guest Explanation OBJ-3.7: A Windows guest account will let other people use your computer without being able to change PC settings, install apps, or access your private files. A Guest account is a Microsoft Windows user account with limited capabilities, no privacy, and is disabled by default. An administrator account is a Microsoft Windows user account that can perform all tasks on the computer, including installing and uninstalling apps, setting up other users, and configuring hardware and software.

Your organization maintains a data center to store data. Management has decided to move a large amount of financial data into cloud storage to reduce costs with the data center. This data is regularly accessed and sometimes manipulated by employees, customers, and vendors around the world. Management has mandated that the data always needs to be encrypted while in the cloud, Which of the following is the BEST choice to meet these requirements?

Homomorphic encryption Explanation Homomorphic encryption allows data to be accessed and manipulated while it is encrypted.Symmetric and asymmetric encryption methods require the data to be decrypted before it is manipulated.Steganography isn't truly encryption, but instead it simply hides data within data.

If you cannot ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to elicit a response from a host using TCP, what tool would you use?

Hping Explanation Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command but offered far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. Hping also allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols. Hping does not support IPv6, though, so the NMAP creators have created Nping to fill this gap and serve as an updated variant of Hping. Traceroute and tracert are computer network diagnostic commands for displaying the route and measuring packets' transit delays across an Internet Protocol network. Traceroute uses ICMP and not TCP. Broadcast ping is simply pinging the subnet's broadcast IP using the ping command, but if a regular ping does not work, neither will a broadcast ping. Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. Ptunnel is used as a covert channel, not to elicit a response from a host using TCP.

Your company has decided to begin moving some of its data into the cloud. Currently, your company's network consists of both on-premise storage and some cloud-based storage. Which of the following types of clouds is your company currently using? Hybrid Community Public Private

Hybrid Explanation OBJ-2.2: A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public.

Which of the protocols listed is NOT likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)?

IPsec Explanation IPsec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.

Administrators are designing a site-to-site VPN between offices in two different cities. Management mandated the use of certificates for mutual authentication. Additionally, they want to ensure that internal IP addresses are not revealed. Which of the following is the BEST choice to meet these requirements?

IPsec VPN using Tunnel mode Explanation Internet Protocol security (IPsec) using Tunnel mode is the best choice of the available answers.IPsec provides mutual authentication, and Tunnel mode will encrypt both the payload and the packet headers, hiding the internal IP addresses. Transport mode will encrypt the payload only, leaving the internal IP addresses exposed. A VPN using Layer 2 Tunneling Protocol (L2TP) only doesn't provide any encryption.Virtual local area networks (VLANs) provide network segmentation but can't be used as a VPN.

You want to create a website for your new technical support business. You decide to purchase an on-demand cloud-based server and install Linux, Apache, and WordPress on it to run your website. Which of the following best describes which type of service you have just purchased?

IaaS Explanation OBJ-2.2: Infrastructure as a Service (Iaas) is focused on moving your servers and computers into the cloud. If you purchase a server in the cloud and then install and manage the operating system and software on it, this is Iaas. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Software as a Service (SaaS) is cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses focused on increasing their security and minimizing their operational expenses.

Which of the following would a virtual private cloud (VPC) infrastructure be classified as?

Infrastructure as a Service Explanation OBJ-2.2: Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization may provision virtual servers in a cloud-hosted network. The service consumer is still responsible for maintaining the IP address space and routing internally to the cloud. Platform as a Service (PaaS) is a computing method that uses the cloud to provide any platform-type services. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services. Function as a Service (FaaS) is a cloud service model that supports serverless software architecture by provisioning runtime containers to execute code in a particular programming language.

An attacker has launched several successful XSS attacks on a web application hosted by your organization.Which of the following are the BEST choices to protect the web application and prevent this attack? (Select TWO.)

Input validation and WAF Explanation Input validation and a web application firewall (WAF) are the best choices of the available answers. Both protect against cross-site scripting (XSS) attacks. Input validation validates data before using it to help prevent XSS attacks. A WAF acts as an additional firewall that monitors, filters, and/or blocks HTTP traffic to a web server. None of the other answers will directly prevent XSS attacks. Dynamic code analysis (such as fuzzing) can test code. Code obfuscation makes the code more difficult to read. Normalization refers to organizing tables and columns in a database to reduce redundant data and improve overall database performance.

In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?

Insecure error handling Explanation This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail and allow the attacker to execute code or perform an injection attack. One famous example of an improper error handling vulnerability is Apple's GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266. Insecure object reference refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. Insufficient logging and monitoring allow attackers to achieve their goals without being detected due to the lack of monitoring and timely response by defenders. The use of insecure functions occurs in the C language when legacy functions like strcpy() are used. These insecure functions can lead to buffer overflow and other exploits being successful against a program.

A corporate workstation was recently infected with malware. The malware was able to access the workstation's credential store and steal all the usernames and passwords from the machine. Then, the malware began to infect other workstations on the network using the usernames and passwords it stole from the first workstation. The IT Director has directed its IT staff to develop a plan to prevent this issue from occurring again. Which of the following would BEST prevent this from reoccurring?

Install an anti-virus or anti-malware solution that uses heuristic analysis Explanation The only solution that could stop this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis. The other options might be able to monitor and detect the issue but not stop it from spreading. Heuristic analysis is a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses and new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should detect the issue and stop it from spreading throughout the network. A host-based intrusion detection system (HIDS) is a device or software application that monitors a system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. The UTM is also acting as an IDS in this scenario based on the option presented.

Which of the following BEST describes the purpose of a risk register?

It provides a listing of risks, the risk owner, and the mitigation measures. Explanation A risk register list risks and often includes the name of the risk, the risk owner, mitigation measures, and a risk score. A risk matrix plots risks onto a graph or chart, and a heat map plots risks onto a color-coded graph or chart. While a risk register may evaluate supply chain risks, it does much more.

Administrators are deploying a new Linux server in the screened subnet. After it is installed, they want to manage it from their desktop computers located within the organization's private network. Which of the following would be the BEST choice to meet this need?

Jump server A jump server is a server placed between different security zones, such as an internal network and a screened subnet (sometimes called a demilitarized zone or DMZ) and is used to manage devices in the other security zone. In this scenario, administrators could connect to the jump server with Secure Shell (SSH) and then connect to the Linux server using SSH forwarding on the jump server. A forward proxy server (often called a proxy server) is used by internal clients to access Internet resources, not resources in the screened subnet. Reverse proxy servers accept traffic from the Internet, not the internal network, and forward the traffic to one or more internal web servers. A web application firewall (WAF) protects a web server from Internet-based attacks but isn't used to control traffic between an internal network and the screened subnet.

Dion Training has added a salt and cryptographic hash to their passwords to increase the security before storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called?

Key stretching Explanation In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. The question describes one such key stretching technique.

A small business owner has asked you for advice. She wants to improve the company's security posture, but she doesn't have any security staff. Which of the following is the BEST solution to meet her needs?

MSSP Explanation A managed security service provider (MSSP) is a third-party vendor that provides security services for an organization, and it is the best solution for this scenario. A Security Orchestration, Automation, and Response (SOAR) solution automates incident response for some events, but it will augment services already provided by security staff within an organization. SOAR would not work here because the small business doesn't have any security staff. Software as a Service (SaaS) includes any software or application provided to users over a network such as the Internet. Anything as a Service (XaaS) refers to cloud services beyond Saas, laaS, and PaaS.

What is MTBF

MTBF = how long til it dies again

What is MTTF

MTTR = how long it takes to fix

Which of the following terms is used to describe the period of the time taken to correct a fault so that the system is restored to full operations after a failure or incident?

MTTR = how long it takes to fix Explanation OBJ-5.4: Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation. MTTR is often used to describe the average time to replace or recover a system or product. Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired.

Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic?

Machine learning Explanation A machine learning (ML) system uses a computer to accomplish a task without being explicitly programmed. In the context of cybersecurity, ML generally works by analyzing example data sets to create its own ability to classify future items presented. If the system was presented with large datasets of malicious and benign traffic, it will learn which is malicious and categorize future traffic presented to it. Artificial Intelligence is the science of creating machines to develop problem-solving and analysis strategies without significant human direction or intervention. AI goes beyond ML and can make a more complicated decision than just the classifications made by ML. A deep learning system can determine what is malicious traffic without having the prior benefit of being told what is benign/malicious. A generative adversarial network is an underlying strategy used to accomplish deep learning but is not specific to the scenario described.

Your IT department includes a subgroup of employees dedicated to cybersecurity testing. Each member of this group has knowledge of known TTs and how to use them. Additionally, each member of this group has knowledge of security controls that would be implemented to protect network resources. Which of the following BEST describes members of this team?

Members of the purple team Explanation A purple team is composed of personnel who can perform as either red team members or blue team members. A red team attacks and they often use tactics, techniques, and procedures (TTs) that attackers have used in actual attacks. A blue team defends, and they would know about various security controls used to protect network resources. The white team wasn't mentioned in the scenario, but they don't perform any testing but instead set the rules and oversee the testing.

What tool can be used as an exploitation framework during your penetration tests?

Metasploit Explanation The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. Autopsy is used in digital forensic investigations.

Dave's company utilizes Google's G-Suite environment for file sharing and office productivity, Slack for internal messaging, and AWS for hosting their web servers. Which of the following cloud models type of cloud deployment models is being used?

Multi-cloud Explanation Multi-cloud is a cloud deployment model where the cloud consumer uses multiple public cloud services. In this example, Dave is using the Google Cloud, Amazon's AWS, and Slack's cloud-based SaaS product simultaneously. A private cloud is a cloud that is deployed for use by a single entity. A public cloud is a cloud that is deployed for shared use by multiple independent tenants. A community cloud is a cloud that is deployed for shared use by cooperating tenants.

A penetration tester has issued the following command on a victimized host: nc -l -p 8080 | nc 192.168.1.76 443. What will occur based on this command? Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080 Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76 Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080 Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443

Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443 Explanation OBJ-4.1: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to execute during a single command's execution. Next, netcat sends the data to the given IP (192.168.1.76) over port 443. This is a common technique to bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel).

Which type of agreement between companies and employees is used as a legal basis for protecting information assets? NDA MOU ISA SLA

Non disclosure agreement Explanation OBJ-5.3: A non-disclosure agreement (NDA) is the legal basis for protecting information assets. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express intent for two companies to work together. A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which a service is provided. The interconnection security agreement (ISA) governs the relationship between any federal agency and a third party interconnecting their systems.

Which of the following agreements is used between companies and employees, between companies and contractors, and between two companies to protect information assets?

Non disclosure agreement Explanation OBJ-5.3: Non-disclosure agreement (NDA) is the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and shares such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employee places in them. An interconnection security agreement (ISA) is defined by NIST's SP800-4 and is used by any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. A service level agreement (SLA) is a contractual agreement that sets out the detailed terms under which a service is provided. A data sharing and use agreement (DSUA) states that personal data can only be collected for a specific purpose. A DSUA can specify how a dataset can be analyzed and proscribe the use of reidentification techniques.

What kind of attack is an example of IP spoofing?

On-path attack Explanation OBJ-1.4: An on-path attack (formerly known as a man-in-the-middle attack) intercepts communications between two systems. For example, in an HTTP transaction, the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attack. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. ARP Poisoning, also known as ARP Spoofing, is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN to change the pairings in its IP to MAC address table. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.

Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution?

OpenID Connect Explanation OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. When it comes to federated identity management and user authentication, OAuth2 is often used in combination with OpenID Connect (OIDC). OIDC is an authentication layer built on top of OAuth2 and provides the necessary components for authentication, including user identity, authentication tokens, and user information. SAML, on the other hand, is specifically designed for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). It's used for single sign-on (SSO) and cross-domain authentication Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

An administrator is installing a certificate with a private key on a server. Which of the following certificate types is he MOST likely installing?

P12 Explanation P12 (PKCS #12) certificates commonly include a private key and they are used to install a private key on a server. A Distinguished Encoding Rules (DER)-based certificate is a binary encoded file and a Canonical Encoding Rules (CER)-based certificate is an ASCII encoded file. However, DER and CER are used to define the format, not the content (such as a private key). While a P12 certificate does use a DER format, not all DER certificates include private keys. A P7B (PKCS #7) certificate is used to share the public key and never includes the private key.

A firewall administrator has configured a new screened subnet to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (Screened Subnet) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the screened subnet for the Chief Security Officer to work from his home office after hours. The CSO's home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall? Permit 143.27.43.32 161.212.71.14 RDP 3389 Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389 Permit 143.27.43.0/24 161.212.71.14 RDP 3389 Permit 143.27.43.32 161.212.71.0/24 RDP 3389

Permit 143.27.43.32 161.212.71.14 RDP 3389 Explanation Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ (screened subnet), so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only "permit 143.27.43.32 161.212.71.14 RDP 3389" could be correct.

What is the lowest layer (bottom layer) of a bare-metal virtualization environment?

Physical hardware Explanation OBJ-2.2: The bottom layer is physical hardware in this environment. It is what sits beneath the hypervisor and controls access to guest operating systems. The bare-metal approach doesn't have a host operating system. A hypervisor is a program used to run and manage one or more virtual machines on a computer. A host operating system is an operating system that is running the hypervisor. A host operating system is an operating system that is running the hypervisor

After a recent attack, security investigators discovered that attackers logged on with an administrator account.They recommend implementing a solution that will thwart this type of attack in the future. The solution mustsupport the following requirements: - Allow authorized users to access the administrator account without knowing the password. - Allow authorized users to check out the credentials when needed. - Log each time the credentials are used. - Automatically change the password. Which of the following answers would meet these requirements?

Privileged access management Explanation A privileged access management system protects and limits access to privileged accounts such as administrator accounts. OpenID Connect is used for authentication and authorization on the Internet, not internal networks. A mandatory access control (MAC) scheme uses labels to control access, but it isn't used to control access to administrator accounts. Multifactor authentication (MA) uses more than one factor of authentication, but it doesn't meet any of the requirements of this scenario. See

Your company has decided to move all of its data into the cloud. Your company is small and has decided to purchase some on-demand cloud storage resources from a commercial provider (such as Google Drive) as its primary cloud storage solution. Which of the following types of clouds is your company using?

Public Explanation The public cloud is defined as computing services offered by third-party providers over the public internet, making them available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. Amazon Web Services, Microsoft Azure, and Google Cloud are three popular public cloud platforms. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.

Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process?

Purge, validate, and document the sanitization of the drives Explanation Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the drives' data without harming the drives themselves. Clearing them leaves the possibility that some tools would allow data recovery. Since the scenario indicates that these were leased drives that must be returned at the end of a lease, they cannot be destroyed.

Which of the following is a common attack model of an APT attack?

Quietly gathers information from compromised systems Explanation An APT refers to an adversary's ongoing ability to compromise network security by using various tools and techniques to obtain and maintain access. An APT is usually a highly sophisticated nation-state threat actor that quietly gathers information from compromised systems and can lay in waiting for several months during an ongoing attack. In general, an APT is primarily focused on espionage and strategic advantage, but some target companies purely for commercial gain. An APT is unlikely to conduct a DDoS attack, use worms to spread throughout the network, or use ransomware as part of their covert attacks.

Which of the following terms is used to describe the timeframe following a disaster that an individual IT system may remain offline? MTTR RPO MTBF RTO

RTO Explanation OBJ-5.4: Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired. Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation.

What is RTO

RTO = length of outage

A security analyst recently completed a BlA and defined the maximum acceptable outage time for a critical system. What does this identify?

RTO = length of outage Explanation A recovery time objective (RTO) identifies the maximum amount of time it can take to restore a system after an outage. It is directly related to the maximum acceptable outage time defined in a business impact analysis (BIA). None of the other answers are related to the maximum acceptable outage time. A recovery point objective (RPO) identifies a point in time where data loss is acceptable, and refers to databases.The mean time between failures (MTBF) provides a measure of a system's reliability and is usually represented in hours. The mean time to repair (MTT) identifies the average (the arithmetic mean) time it takes to restore a failed system.

Dion Training has just completed an assessment as part of its disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 30 minutes of downtime for their public-facing webserver. Which of the following metrics would best represent this period of time?

RTO = length of outage Explanation OBJ-5.4: The Recovery Time Objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) to avoid unacceptable consequences associated with a break in business continuity. In this example, 30 minutes would be the RTO

The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network?

Router and switch-based MAC address reporting Explanation OBJ-1.4: The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.

Lisa wants to implement a secure authentication system on a website. However, instead of collecting and storing user passwords, she wants to use a third-party system. Which of the following is the BEST choice to meet this goal?

SAML Explanation Security Assertion Markup Language (SAML) is a single sign-on SSO solution that can use third-party websites, and it provides authentication. Kerberos is an SSO solution used on internal networks such as in Microsoft Active Directory domains. Secure Shell (SSH) is used for remote administration. OAuth (think of this as Open Authorization) is used for authorization, but the scenario wants a solution for authentication.

Dion Training wants to install a new accounting system and is considering moving to a cloud-based solution to reduce cost, reduce the information technology overhead costs, improve reliability, and improve availability. Your Chief Information Officer is supportive of this move since it will be more fiscally responsible. Still, the Chief Risk Officer is concerned with housing all of the company's confidential financial data in a cloud provider's network that might be shared with other companies. Since the Chief Information Officer is determined to move to the cloud, what type of cloud-based solution would you recommend to account for the Chief Risk Officer's concerns?

SaaS in a private cloud A SaaS (Software as a Service) solution best describes an accounting system or software used as part of a cloud service. This meets the CIO's requirements. To mitigate the concerns of the Chief Risk Officer, you should use a private cloud solution. This type of solution ensures that the cloud provider does not comingle your data with other customers' data and providers dedicated servers and resources for your company's use only.

Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization's data center?

Schedule scans to run during periods of low activity Explanation OBJ-1.7: For the best results, the scans should be scheduled during periods of low activity. This will help to reduce the negative impact of scanning on business operations. The other three options all carry a higher risk of causing disruptions to the network or its business operations

You need to identify and mitigate potential single points of failure in your organization's security operations.Which of the following policies would help you?

Separation of duties Explanation A separation of duties policy is the best answer. In this context, if only one person can perform tasks within the organization's security operations, that person becomes a single point of failure. None of the other answers address a single point of failure. A disaster recovery plan (DRP) identifies how to recover critical systems and data after a disaster. A business impact analysis (BIA) helps an organization identify critical systems and components. An annualized loss expectancy (ALE) identifies the expected annual loss from a known risk.

Which of the following does a User-Agent request a resource from when conducting a SAML transaction?

Service provider (SP Explanation OBJ-3.8: Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource

You are working for a government contractor who requires all users to use a PIV device when sending digitally signed and encrypted emails. Which of the following physical security measures is being implemented?

Smart Card Explanation A smart card is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government, and corporate identification cards, documents such as electronic passports and visas, and financial payment cards. Often, smart cards are used as part of a multifactor authentication system in which the smart card and a PIN need to be entered for system authentication to occur. Biometrics are identifying features stored as digital data that can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition. This requires a relevant scanning device, such as a fingerprint reader, and a database of biometric information for authentication to occur. The Kensington lock is a small hole found on almost every portable computer or laptop made after 2000. It allows a cable lock to be attached to a portable computer or laptop to lock it to a desk and prevent theft. These locks often use a combination lock or padlock type of locking system. These locks do not affect the user's ability to use the laptop or device. It only prevents them from moving the laptop from the area. A key fob generates a random number code synchronized to a code on the server. The code changes every 60 seconds or so. This is an example of a one-time password. A SecureID token is an example of a key fob that is produced by RSA.

An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development?

Static code analysis Explanation OBJ-3.4: Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. DevSecOps methodology would also improve the likelihood of detecting such an error but still rely on human-to-human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.

William would like to use full-disk encryption on his laptop. He is worried about slow performance, though, so he has requested that the laptop have an onboard hardware-based cryptographic processor. Based on this requirement, what should William ensure the laptop contains?

TPM Explanation This question is asking if you know what each acronym means. Trusted Platform Module (TPM) is a hardware-based cryptographic processing component that is a part of the motherboard. A Pluggable Authentication Module (PAM) is a device that looks like a USB thumb drive and is used as a software key in cryptography. Full Disk Encryption (FDE) can be hardware or software-based. Therefore, it isn't the right answer. The Advanced Encryption System (AES) is a cryptographic algorithm. Therefore, it isn't a hardware solution.

Your organization is planning to implement a CYOD deployment model. You're asked to provide input for the new policy. Which of the following concepts are appropriate for this policy?

Storage segmentation Explanation Storage segmentation creates separate storage areas in mobile devices and can be used with a choose your own device (COD) mobile device deployment model where users own their devices. None of the other answers are directly related to mobile devices. A supervisory control and data acquisition (SCADA) system controls industrial control systems (ICSs), such as those used in nuclear power plants or water treatment facilities, and SCADA systems should be isolated. Database security includes the use of permissions and encryption to protect data in a database but is unrelated to mobile device deployment. Some embedded systems use a real-time operating system (TOS) when the system must react within a specific time.

You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware?

Submit the files to an open source intelligence provider like VirusTotal Explanation The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community, as well. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded in a specific way within the malware, but you have to know what you are looking for, such as a malware signature. You should never scan the files using a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised because the scanner may also be compromised.

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?

Syslog Explanation The Syslog server is a centralized log management solution. By looking through the Syslog server's logs, the technician could determine which service failed on which server since all the logs are retained on the Syslog server from all the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could help determine which server was offline, but not what caused the interruption. Firewall logs would only help determine why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.

You just received a notification that your company's email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?

The full email header from one of the spam messages Explanation You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, you will need to conduct more research to determine the best method to solve the underlying problem.

You are reviewing a report created after a recent vulnerability scan. However, it isn't clear if the scan was run as a credentialed scan or a non-credentialed scan. Which of the following would give you the BEST indication that the scan was a credentialed scan?

The report shows software versions of installed applications. Explanation A credentialed scan will show software versions of installed applications. A credentialed scan will show fewer false positives, not more. Any scan should list IP addresses it discovered along with open ports on these hosts.

The Pass Certs Fast corporation has recently been embarrassed by several high-profile data breaches. The CIO proposes improving the company's cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach?

This approach only changes the location of the network and not the networks attack surface Explanation A poorly implemented security model at a physical location will still be a poorly implemented security model in a virtual location. Unless the fundamental causes of the security issues that caused the previous data breaches have been understood, mitigated, and remediated, then migrating the current images into the cloud will change where the processing occurs without improving the network's security. While the statement concerning unrealized ROI may be accurate, it simply demonstrates the sunk cost argument's fallacy. These servers were already purchased, and the money was spent. Regardless of whether we maintain the physical servers or migrate to the cloud, that money is gone. Those servers could also be repurposed, reused, or possibly resold to recoup some of the capital invested. While the company's physical security will potentially improve in some regards, the physical security of the endpoints on-premises is still a concern that cannot be solved by this cloud migration. Additionally, the scenario never stated that physical security was an issue that required being addressed, so it is more likely that the data breach occurred due to a data exfiltration over the network. As a cybersecurity analyst, you must consider the business case and the technical accuracy of a proposed approach or plan to add the most value to your organization.

A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?

Trojan Explanation A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system. Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enabled administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system.

Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered?

Unknown environment testing Explanation An unknown environment penetration test requires no previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior information about the target system or network in an unknown environment penetration test. These tests provide a realistic scenario for testing the defenses, but they can be costlier and more time-consuming to conduct as the tester is examining a system from an outsider's perspective. A partially known environment tester has the user's access and knowledge levels, potentially with elevated privileges on a system. These partially known environment penetration testers typically have some knowledge of a network's internals, potentially including design and architecture documentation and an account internal to the network. A known environment test is known by several different names, including clear-box, open-box, auxiliary, or logic-driven testing. It falls on the opposite end of the spectrum from an unknown environment test because the penetration testers have full access to source code, architecture documentation, and so forth. A known environment penetration tester can also perform static code analysis, so familiarity with source code analyzers, debuggers, and similar tools are necessary for this type of testing. A semi-trusted environment test is made up term and is used as a distractor in this question.

IT administrators created a VPN for employees to use while working from home. The VPN is configured to provide AAA services. Which of the following would be presented to the AAA system for identification?

Username identification Explanation Users would typically enter a username as identification for an authentication, authorization, and accounting (AAA) system. Users would provide a password as proof that the claimed identity (the username) is theirs. The password provides authentication. Users are assigned permissions based on their proven identity, but the permissions do not provide authentication. The virtual private network (VPN) would encrypt trafficsent via the VPN tunnel, and this traffic may be encrypted with the use of a certificate. However, this is not called a tunneling certificate, and the certificate used for encryption does not provide identification. A hardware token is often used as an additional method of authentication, but it does not provide identification.

Some network appliances monitoring incoming data have recently started sending alerts on potentially malicious files. You discover that these are PE32 files with the tar.qz extension, and they are being downloaded to several user systems. After investigating further, you discover these users previously opened an email with an infected MHT file. Which of the following answers BEST describes this scenario?

Users installed a RAT, and it is downloading additional tools Explanation This indicates that users installed a remote access Trojan (RAT) when they opened the email containing the malicious MHT file. An MHT file (or MHTML) is a webpage archive, and it will store HTML, CSS, images, JavaScript, and anything else in the webpage. After installing the RAT, attackers later began downloading Portable Executable (PE32) files to the compromised systems. While the systems may have joined a botnet, the scenario doesn't indicate that they are part of a botnet. Ransomware would indicate that it has controlled the user's computer or data, but this isn't indicated in this scenario. Shadow information technology (IT) refers to any unauthorized systems or applications within an organization.

A customer brought in a computer that has been infected with a virus. Since the infection, the computer began redirecting all three of the system's web browsers to a series of malicious websites whenever a valid website is requested. You quarantined the system, disabled the system restore, and then perform the remediation to remove the malware. You have scanned the machine with several anti-virus and anti-malware programs and determined it is now cleaned of all malware. You attempt to test the web browsers again, but a small number of valid websites are still being redirected to a malicious website. Luckily, the updated anti-virus you installed blocked any new malware from infecting the system. Which of the following actions should you perform NEXT to fix the redirection issue with the browsers?

Verify the hosts file has not been maliciously modified Explanation Browser redirection usually occurs if the browser's proxy is modified or the hosts.ini file is modified. If the redirection occurs only for a small number of sites or occurs in all web browsers on a system, it is most likely a maliciously modified hosts.ini file. The hosts.ini file is a local file that allows a user to specify specific domain names to map to particular addresses. It works as an elementary DNS server and can redirect a system's internet connection. For example, if your children are overusing YouTube, you can change YouTube.com to resolve to YourSchool.edu for just your child's laptop.

You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?

Virtualization Explanation When you have a limited amount of hardware resources to utilize but have a requirement to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system before deployment. You should never deploy patches directly into production without testing them first in the lab. Virtualization will allow the organization to create a lab environment without significant costs. Purchasing additional workstations would be costly and more time-consuming to configure.

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst? Network vulnerability scan Port scan Web application vulnerability scan Database vulnerability scan

Web application vulnerability scan Explanation OBJ-1.7: Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn't contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.

Your organization plans to implement desktops via the cloud. Each desktop will include an operating system and a core group of applications needed by employees, and the cloud provider will manage the desktops. Employees with Internet access will be able to access these desktops from anywhere and almost any device. Which of the following BEST identifies this service?

XaaS (Anything as a Service) Explanation Anything as a Service (XaaS) refers to cloud services beyond laaS, PaaS, and Saas. It would include desktops as a service. Infrastructure as a Service (laaS) is a cloud computing option where the vendor provides access to a computer. Still, customers must install the operating system and maintain the system. A cloud access security broker (CASB) is a software tool used to provide additional security for cloud resources, but it provides the underlying cloud services. Software as a Service (SaaS) provides access to specific applications such as an email application, but not entire desktops.

Security administrators have isolated a Linux server after a successful attack. A forensic analyst is tasked with creating an image of the hard drive of this system for analysis. Which of the following will the analyst MOST likely use to create the image?

dd Explanation The dd command is available on Linux systems, and it is used to copy disks and files for analysis.As an example, the dd if=/dev/sda2 of=sd2disk.img command creates an image of a disk without modifying the original disk. None of the other choices creates an image of a drive. Tcpreplay is a suite of utilities used to edit packet captures and resend them, and it includes the tcpreplay command. The chmod (short for change mode) command is used to change permissions on Linux systems. Cuckoo is an open source malware analysis system. It analyzes malware within a sandbox environment.

You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command) journalctl _UID=1003 | grep -e 1003 | grep sudo journalctl _UID=1003 | grep -e [Tt]erri | grep sudo journalctl _UID=1003 | grep sudo journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo

journalctl _UID=1003 | grep sudo Explanation OBJ-4.3: journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd's log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter of _UID=1003, you will only receive entries made under the authorities of the user with ID (UID) 1003. In this case, that is Terri. Using the piping function, we can send that list of entries into the grep command as an input and then filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep using the -e flag. Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep filter as the only results for UID 1003 (terri) will already be shown. So, while all four of these would produce the same results, the most efficient option to accomplish this is by entering "journalctl _UID=1003 | grep sudo" in the terminal. Don't get afraid when you see questions like this; walk through each part of the command step by step and determine the differences. In this question, you may not have known what journalctl is, but you didn't need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one

You are troubleshooting an issue with a Windows desktop and need to display the machine's active TCP connections. Which of the following commands should you use?

netstat Explanation The netstat command is used to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols) on a Windows machine. This is a useful command when determining if any malware has been installed on the system and maybe maintaining a remote connection with a command and control server. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The ping command is used to test a host's reachability on an Internet Protocol network. The net use command is used to connect to, remove, and configure connections to shared resources such as mapped drives and network printers

You suspect that a Linux computer is establishing connections with a remote server on the Internet without any user interaction. You want to verify this by viewing a summary of protocol statistics on a Linux system.Which of the following commands would you use?

netstat Explanation The netstat-s command will display a summary of protocol statistics on a Linux system. You can use the dig (short for domain information groper) command on Linux systems to query Domain Name System (DNS) servers and verify if you can resolve names to IP addresses. The nslookup (short for name server lookup) command can also be used to query DNS servers. The ifconfig command is used to display information and configure network interfaces on Linux systems.