Security Plus SY0-601

Which of the following describes the overall accuracy of a biometric authentication system? A. False acceptance rate B. False positive rate C. Crossover error rate D. False rejection rate

Crossover error rate OBJ-2.4: The Crossover Error Rate (CER) describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.

Tim, a help desk technician, receives a call from a frantic executive who states that their company-issued smartphone was stolen during their lunch meeting with a rival company's executive. Tim quickly checks the MDM administration tool and identifies that the user's smartphone is still communicating with the MDM, and displays its location on a map. What should Tim do next to ensure the stolen device's data remains confidential and inaccessible to the thief? A. Reset the device's password B. Perform a remote wipe of the device C. Identify the IP address of the smartphone D. Remotely encrypt the device

Perform a remote wipe of the device OBJ-3.5: To ensure the data remains confidential and is not accessed by the thief, Tim should perform a remote wipe of the device from the MDM. This will ensure any corporate data is erased before anyone accesses it. Additionally, Tim could reset the device's password, but if the thief could guess or crack the password, they would have access to the data. Identifying the smartphone's IP address is not a useful step in protecting the data on the device. Additionally, devices should be encrypted BEFORE they are lost or stolen, not after. Therefore, the option to remotely encrypt the device is provided as a wrong answer and a distractor.

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6. BEGIN LOG Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP END LOG What type of activity occurred based on the output above? A. Port scan targeting 10.10.3.2 B. Denial of service attack targeting 10.10.3.6 C. Fragmentation attack targeting 10.10.3.6 D. Port scan targeting 10.10.3.6

Port scan targeting 10.10.3.6 OBJ-4.1: Port Scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making "Port scan targeting 10.10.3.6" the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overbears a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions.

David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal? A. IMAP B. RDP C. MySQL D. LDAP

RDP OBJ-3.1: Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn't supposed to be opened, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.

Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of a database server is $120,000. Based on her analysis, she believes that a data breach to this server will occur once every four years and has a risk factor is 30%. What is the ALE for a data breach within Jamie's organization? A. $360,000 B. $90,000 C. $9,000 D. $36,000

$9,000 OBJ-5.4: The single loss expectancy (SLE) is the amount that would be lost in a single occurrence (AV) times the exposure factor (EF). The annual loss expectancy (ALE) is the total cost of a risk to an organization annually. This is determined by multiplying the SLE by the annual rate of occurrence (ARO). SLE = AV x RF = $120,000 x 30% = $36,000 ALE = SLE x ARO = $36,000 x 0.25 = $9,000

A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output: $ tcpdump -n -i eth0 15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549 15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113 15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113 Which of the following statements is true based on this output? A. 10.0.19.121 is a client that is accessing an SSH server over port 52497 B. 11.154.12.121 is under attack from a host at 10.0.19.121 C. 11.154.12.121 is a client that is accessing an SSH server over port 52497 D. 10.0.19.121 is under attack from a host at 11.154.12.121

10.0.19.121 is a client that is accessing an SSH server over port 52497 OBJ-4.1: This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) runs an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is no evidence of an attack against either the server or the client based on this output since we can only see the headers and not the content being sent between the client and server.

While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source? A. 10.15.1.100 B. 192.168.1.100 C. 172.16.1.100 D. 192.186.1.100

192.186.1.100 OBJ-1.7: This question tests your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). During your CompTIA A+, Network+, and Security+ studies, you should have learned that private IP addresses are either 10.x.x.x, 172.16-31.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100 since it is not a private IP address.

Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring? A. 143 B. 80 C. 21 D. 22

22 OBJ-3.1: Secure shell (SSH) is the protocol used for remote administration and file copying using TCP port 22. SSH is considered secure since it uses authenticated and encrypted sessions for communication. The file transfer protocol (FTP) is the protocol used to transfer files across the internet over ports 20 and 21. The hypertext transfer protocol (HTTP) is a protocol used to provide web content to browsers using port 80. The internet message access protocol (IMAP) is a TCP/IP application protocol that provides a means for a client to access email messages stored in a mailbox on a remote server using TCP port number 143. Unlike POP3, messages persist on the server after the client has downloaded them. IMAP also supports mailbox management functions, such as creating subfolders and access to the same mailbox by more than one client at the same time.

Which of the following cryptographic algorithms is classified as symmetric? A. PGP B. RSA C. ECC D. 3DES

3DES OBJ-2.8: Triple DES (3DES) is a symmetric-key block cipher that applies the DES cipher algorithm three times to each data block to increase its security over DES. RSA, PGP, and ECC are all asymmetric algorithms.

What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+? A. 802.1x B. 802.3af C. 802.1q D. 802.11ac

802.1x OBJ-3.8: If you are using RADIUS/TACACS+ with the switch, you will need to use 802.1x for the protocol. The IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. This defines port security. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server.

A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS. What should the network administrator implement? A. MAC address filtering with IP filtering B. 802.1x using EAP with MSCHAPv2 C. PKI with user authentication D. WPA2 with a complex shared key

802.1x using EAP with MSCHAPv2 OBJ-3.4: Since the backend uses a RADIUS server for back-end authentication, the network administrator can install 802.1x using EAP with MSCHAPv2 for authentication. The Extensible Authentication Protocol (EAP) is a framework in a series of protocols that allows for numerous different mechanisms of authentication, including things like simple passwords, digital certificates, and public key infrastructure. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based authentication protocol that is widely used as an authentication method in PPTP-based (Point to Point

Which of the following tools could be used to detect unexpected output from an application being managed or monitored? A. A signature-based detection tool B. A behavior-based analysis tool C. A log analysis tool D. Manual analysis

A behavior-based analysis tool OBJ-3.3: A behavior-based analysis tool can capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to set up properly, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.

You are reviewing a rule within your organization's IDS. You see the following output: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME NET any msg: "BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; flow: toclient,established; file data; content: "recordset"; offset:14; depth: 9; content: "CacheSize"; distance:0; within:100; pcre:"/CacheSize\s*=\s*/"; byte_test:10,>,0x3ffifffe,0,relative,string; max-detect-ips drop, service http; reference:cve,2016-8077; classtype: attempted-user; sid:65535;rev:1; Based on this rule, which of the following malicious packets would this IDS alert on? A. Any malicious inbound packets B. Any malicious outbound packets C.A malicious outbound TCP packet D. A malicious inbound TCP packet

A malicious inbound TCP packet OBJ-3.3: The rule header is set to alert only on TCP packets based on this IDS rule's first line. The flow condition is set as "to_client, established," which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port to be analyzed, and the direction of flow.

Which of the following access control methods provides the most detailed and explicit type of access control over a resource? A. ABAC B. RBAC C. DAC D. MAC

ABAC OBJ-3.8: Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes. Information such as the group membership, the OS being used by the user, and even the machine's IP address could be considered when granting or denying access.

Your organization is updating its Acceptable User Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement? A. All guests must provide valid identification when registering their wireless devices for use on the network B. Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters C. Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server D. Open authentication standards should be implemented on all wireless infrastructure

All guests must provide valid identification when registering their wireless devices for use on the network OBJ-5.3: Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest's need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question's sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.

As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results? A. An uncredentialed scan of the network was performed B. The network has an exceptionally strong security posture C. The scanner failed to connect with the majority of workstations D. The scanner was not compatible with the devices on your network

An uncredentialed scan of the network was performed OBJ-1.7: Uncredentialed scans are generally unable to detect many vulnerabilities on a device. When conducting an internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately determine the network's vulnerability posture. In most enterprise networks, if a vulnerability exists on one machine, it also exists on most other workstations since they use a common baseline or image. If the scanner failed to connect to the workstations, an error would have been generated in the report.

Dion Training wants to ensure that none of its computers can run a peer-to-peer file-sharing program on its office computers. Which of the following practices should be implemented to achieve this? A. Enable NAC B. MAC filtering C. Application blocklisting D. Application allow listing

Application blocklisting OBJ-4.4: Application blocklisting is the most appropriate practice to implement to block a limited number of known programs. Application allow listing could be used to achieve this purpose, but it would require much more work and block every program not specifically allowed by the allow list or approve list policy.

You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server? A. Passive scan B. Vulnerability scan C. Protocol analysis D. Banner grabbing

Banner grabbing OBJ-1.7: Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server's response. This banner usually contains the server's operating system and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time-consuming and not fully accurate methods to determine the version being run.

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? A. Heuristic B. Behavior C. Anomaly D. Trend

Behavior OBJ-1.7: This is an example of behavior-based detection. Behavior-based detection (or statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device. Anything that deviates from this baseline (outside a defined level of tolerance) generates an alert. The heuristic analysis determines whether several observed data points constitute an indicator and whether related indicators make up an incident depending on a good understanding of the relationship between the observed indicators. Human analysts are typically good at interpreting context but work painfully slowly, in computer terms, and cannot hope to cope with the sheer volume of data and traffic generated by a typical network. Anomaly analysis is the process of defining an expected outcome or pattern to events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules. Trend analysis is not used for detection but instead to better understand capacity and the system's normal baseline. Behavioral-based detection differs from anomaly-based detection. Behavioral-based detection records expected patterns concerning the entity being monitored (in this case, user logins). Anomaly-based detection prescribes the baseline for expected patterns based on its observation of what normal looks like.

Dion Training has contracted a software development firm to create a bulk file upload utility for its website. During a requirements planning meeting, the developers asked what type of encryption is required for the project. After some discussion, Jason decides that the file upload tool should use a cipher capable of encrypting 64 bits of data at a time before transmitting the files from the web developer's workstation to the webserver. What of the following should be selected to meet this security requirement? A. CRC B. Block cipher C. Stream cipher D. Hashing algorithm

Block cipher OBJ-2.8: A block cipher is used to encrypt multiple bits at a time before moving to the next set of data. Block ciphers generally have a fixed-length block (8-bit, 16-bit, 32-bit, 64-bit, etc.). Stream ciphers encrypt a single bit (or byte) at a time during their encryption process. Hashing algorithms would not meet the requirement because the data would be encrypted using a one-way hash algorithm and be unusable once on the webserver. A cyclic redundancy check (CRC) is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to raw data. Blocks of data entering these systems get a short check value attached, based on the remainder of their contents' polynomial division.

The digital certificate on the Dion Training web server is about to expire. Which of the following should Jason submit to the CA to renew the server's certificate? A. Key escrow B. OCSP C. CRL D. CSR

CSR OBJ-3.9: A CSR (certificate signing request) is what is submitted to the CA (certificate authority) to request a digital certificate. Key escrow stores keys, CRL is a list of revoked certificates, and the OCSP is a status of certificates that provide validity such as good, revoked, or unknown.

You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port to 636 wherever possible. What should you do? A. Change all devices and servers that support it to port 636 since port 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks B. Mark this as a false positive in your audit report since the services that typically run on ports 389 and 636 are identical C. Conduct remediation actions to update encryption keys on each server to match port 636 D. Change all devices and servers that support it to port 636 since encrypted services run by default on port 636

Change all devices and servers that support it to port 636 since encrypted services run by default on port 636 OBJ-3.1: LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP but typically runs unencrypted LDAP services over this port. Instead, you should change all devices and servers that can technically support the change to port 636 since LDAP services over port 636 are encrypted by default.

Jason has installed multiple virtual machines on a single physical server. He needs to ensure that the traffic is logically separated between each virtual machine. How can Jason best implement this requirement? A. Conduct system partitioning on the physical server to ensure the virtual disk images are on different partitions B. Configure a virtual switch on the physical server and create VLANs C. Create a virtual router and disable the spanning tree protocol D. Install a virtual firewall and establish an access control list

Configure a virtual switch on the physical server and create VLANs OBJ-3.3: A virtual switch is a software application that allows communication between virtual machines. A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. This solution provides a logical separation of each virtual machine through the use of VLANs on the virtual switch.

During which incident response phase is the preservation of evidence performed? A. Containment, eradication, and recovery B. Post-incident activity C. Preparation D. Explanation

Containment, eradication, and recovery OBJ-4.2: A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, prevent future attacks or bring up an attacker on criminal charges. Restoration and recovery are often prioritized over analysis by business operations personnel, but taking time to create a forensic image is crucial to preserve the evidence for further analysis and investigation. During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.

Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24 hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements? A. Configure replication of the data to a set of servers located at a hot site B. Create a daily incremental backup to tape C. Conduct full backups daily to tape D. Create disk-to-disk snapshots of the server every hour

Create a daily incremental backup to tape OBJ-5.4: Since the RPO must be within 24 hours, daily or hourly backups must be conducted. Since the requirement is for backups to be conducted at a specific time each week, hourly snapshots would not meet this requirement and are not easily transported since they are being conducted as a disk-to-disk backup. Replication to a hot site environment also doesn't allow for transportation of the data to an off-site facility for storage, and replication would continuously occur throughout the day. Therefore, a daily incremental backup should be conducted since it will require the least amount of time to conduct. The tapes could be easily transported for storage and restored incrementally from tape since the last full backup was conducted.

Which of the following access control models is the most flexible and allows the resource owner to control the access permissions? A. RBAC B. MAC C. DAC D. ABAC

DAC OBJ-3.8: Discretionary access control (DAC) stresses the importance of the owner. The original creator of the resource is considered the owner and can then assign permissions and ownership to others. The owner has full control over the resource and can modify its ACL to grant rights to others. This is the most flexible model and is currently implemented widely in Windows, Unix, Linux, and macOS systems.

Your company recently suffered a small data breach caused by an employee emailing themselves a copy of the current customer's names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data? A. Firewall B. MDM C. Strong passwords D. DLP

DLP OBJ-2.1: Data loss prevention software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in-motion (network traffic), and at rest (data storage). Since the user was an authorized user (employee), changing your password policy, reconfiguring the firewall, or setting up an MDM solution would not solve this problem. Instead, a DLP solution must be implemented.

Which of the following cryptographic algorithms is classified as asymmetric? A. RC4 B. DSA C. DES D. AES

DSA OBJ-2.8: The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures. The algorithm uses a key pair consisting of a public key and a private key. AES, RC4, and DES are all symmetric algorithms.

You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as? A. Unauthorized privilege B. Introduction of new accounts C. Beaconing D. Data exfiltration

Data exfiltration OBJ-1.6: If attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request. For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB. Therefore, this scenario is an example of a data exfiltration indicator of compromise. Based on the scenario, there is no evidence that a user is conducting a privilege escalation or using unauthorized privileges. There is also no evidence of a new account having been created or beaconing occurring over the network.

Dion Training is currently undergoing an audit of its information systems. The auditor wants to understand better how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview? A. Data controller B. Data steward C. Data owner D. Data protection officer

Data protection officer OBJ-5.5: The primary role of the data protection officer (DPO) is to ensure that her organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. They must understand how any privacy information is used within business operations. Therefore, they are the best person for the auditor to interview to get a complete picture of the data usage.

Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customer's data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario? A. Data enrichment B. Data sovereignty C. Data limitation D. Data minimization

Data sovereignty OBJ-2.1: While the fictitious Westeros may have no privacy laws or regulations, the laws of the countries where the company's customers reside may still retain sovereignty over the data obtained from those regions during the company's business there. This is called Data Sovereignty. Data sovereignty refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service. Fail to Pass Systems will likely face steep fines from different regions if they go through with their plan to sell all of their customer's data to the highest bidders. Fail to Pass Systems may even be blocked from communicating with individual regions. Although data minimization and data limitation policies may be violated depending on the company's internal policies, these policies are not legally binding like the provisions of GDPR are. Data enrichment means that the machine analytics behind the view of a particular alert can deliver more correlating and contextual information with a higher degree of confidence, both from within the local network's data points and from external threat intelligence.

Which of the following cryptographic algorithms is classified as asymmetric? A. AES B. Diffie-Hellman C. Blowfish D. RC4

Diffie-Hellman OBJ-2.8: The Diffie-Hellman (DH) is used to exchange cryptographic keys over a public channel securely and was one of the first public-key protocols. As a public-key protocol, it relies on an asymmetric algorithm. AES, RC4, and Blowfish are all symmetric algorithms.

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output: BEGIN LOG 10.1.1.1 [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpnsiportallscripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT " 10.1.1.1 - [10/Jan/2020:13:23:53 +0000] "GET /vpn/ ../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT" 10.1.1.1 - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.p1 HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT" END LOG What type of attack was most likely being attempted by the attacker? A. Password spraying B. XML injection C. Directory traversal D. SQL injection

Directory traversal OBJ-1.3: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users' passwords by attempting a compromised password against multiple user accounts.

Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of "connected clients" and see that "Bob's Laptop" is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the proper WPA3 password? A. Enable WEP B. Disable WPA3 C. Disable SSID broadcast D. Disable WPS

Disable WPS OBJ-3.4: WPS was created to ease the setup and configuration of new wireless devices by allowing the router to automatically configure them after a short eight-digit PIN was entered. Unfortunately, WPS is vulnerable to a brute-force attack and is easily compromised. Therefore, WPS should be disabled on all wireless networks. If Bob could enter your apartment and press the WPS button, he could have configured his laptop to use your wireless network without your WPA3 password. While disabling the SSID broadcast could help prevent someone from seeing your network, the issue was someone connecting to your network without having the password. Disabling the SSID broadcast would not solve this issue.

Which of the following cryptographic algorithms is classified as asymmetric? A. DES B. ECC C. Twofish D. RC4

ECC OBJ-2.8: Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. As a public-key cryptosystem, it relies on an asymmetric algorithm. Twofish, RC4, and DES are all symmetric algorithms.

A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data? A. Enable full packet capture B. Enable NetFlow compression C. Enable sampling of the data D. Enable QoS

Enable sampling of the data OBJ-3.3: The organization should enable sampling of the data collected. Sampling can help them capture network flows that could be useful without collecting everything passing through the sensor. This reduces the bottleneck of 2 Gbps and still provides useful information. Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to run high-priority applications and traffic dependably, but that does not help in this situation. Compressing NetFlow data helps save disk space, but it does not increase the capacity of the bottleneck of 2 Gbps during collection. Enabling full packet capture would take even more resources to process and store and not minimize the bottleneck of 2 Gbps during collection.

Select four security features that you should use to best protect your servers in the data center. This can include physical, logical, or administrative protections. A. Strong passwords, Biometrics, Mantrap, Cable lock B. FM-200, Biometric locks, Mantrap, Antivirus C. Antivirus, Mantrap, Cable lock, GPS tracking D. GPS tracking, Biometrics, Proximity badges, Remote wipe

FM-200, Biometric locks, Mantrap, Antivirus OBJ-2.7: The best option based on your choices is FM-200, Biometric locks, Mantrap, and Antivirus. FM-200 is a fire extinguishing system commonly used in data centers and server rooms to protect the servers from fire. Biometric locks are often used in high-security areas as a lock on the access door. Additionally, biometric authentication could be used for a server by using a USB fingerprint reader. Mantraps often are used as part of securing a data center as well. This area creates a boundary between a lower security area (such as the offices) and the higher security area (the server room). Antivirus should be installed on servers since they can use signature-based scans to ensure files are safe before being executed.

Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to "click here" to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following social engineering principles is being utilized as a part of this phishing campaign? A. Intimidation B. Familiarity C. Consensus D. Urgency

Familiarity OBJ-1.1: Familiarity is a social engineering technique that relies on assuming a widely known organization's persona. For example, in the United States, nearly 25% of Americans have a Bank of America account. For this reason, phishing campaigns often include emails pretending to be from Bank of America since 1 in 4 people who receive the email in the United States are likely to have an account. This makes them familiar with the bank name and is more likely to click on the email link. This email appears to be untargeted since it was sent to both customers and non-customers of this particular bank; it is best classified as phishing. Spear phishing requires the attack to be more targeted and less widespread. Urgency is focused on the element of time. An attacker encourages the victim to act quickly, which often leads to them making security mistakes. Urgency is related to scarcity, and the two are often effectively used together. Social proof and consensus rely on the fact that people want to fit in and conform. If a victim sees or believes others are performing some action, they will believe it is okay for them to do it.

Chris just downloaded a new third-party email client for his smartphone. When Chris attempts to log in to his email with his username and password, the email client generates an error messaging stating that "Invalid credentials" were entered. Chris assumes he must have forgotten his password, so he resets his email username and password and then reenters them into the email client. Again, Chris receives an "Invalid credentials" error. What is MOST likely causing the "Invalid credentials" error regarding Chris's email client? A. His smartphone has full device encryption enabled B. His email account requires a strong password to be used C. His email account requires multi-factor authentication D. His email account is locked out

His email account requires multi-factor authentication OBJ-3.7: If a user or system has configured their email accounts to require two-factor authentication (2FA) or multifactor authentication, then even if they enter their username and password correctly in the third-party email client, they will receive the "Invalid credentials" error message. Some email servers will allow the user to create an application-specific password to bypass the multifactor authentication requirement to overcome this. If not, then the user will have to use an email client that supports multifactor authentication. His email account is not locked out or requiring a stronger password, otherwise, those issues would have been solved when he reset the password. Full device encryption on the smartphone would not affect the use of the email client since the device is unencrypted once a user enters their PIN, password, TouchID, or FaceID as authentication.

If you cannot ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to elicit a response from a host using TCP, what tool would you use? A. Hping B. Traceroute C. Broadcast ping D. Ptunnel

Hping OBJ-4.1: Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command but offered far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. Hping also allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols. Hping does not support IPv6, though, so the NMAP creators have created Nping to fill this gap and serve as an updated variant of Hping. Traceroute and tracert are computer network diagnostic commands for displaying the route and measuring packets' transit delays across an Internet Protocol network. Traceroute uses ICMP and not TCP. Broadcast ping is simply pinging the subnet's broadcast IP using the ping command, but if a regular ping does not work, neither will a broadcast ping. Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. Ptunnel is used as a covert channel, not to elicit a response from a host using TCP.

Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed: Linux:~ diontaining$ ./CrackPWD.py Password cracking in progress... Passwords found for 4 users: 1) jason:rover123 1) tamera:Purple6! 1) sahra:123Password 1) tim:cupcakes2 Based on the output, what type of password cracking method does Jason's new tool utilize? A. Brute force attack B. Rainbow attack C. Dictionary attack D. Hybrid attack

Hybrid attack OBJ-1.2: Based on the passwords found in the example, Jason's new password cracker is most likely using a hybrid approach. All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason's password of rover123 is made up of the dictionary word "rover" and the number 123. The cracker likely attempted to use a dictionary word (like rover) and the attempted variations on it using brute force (such as adding 000, 001, 002, ...122, 123) to the end of the password until found. Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.

Which role validates the user's identity when using SAML for authentication? A. User agent B. RP C. SP C. IdP

IdP OBJ-3.8: The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? A. MAC filtering B. Intrusion Detection System C. VPN D. Implement an allow list

Implement an allow list OBJ-3.2: By implementing an allow list of the authorized IP addresses for the five largest vendors, they will be the only ones who can access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the scenario's description, it appears like the system is under some form of denial of service attack. Still, by implementing an allow list at the edge of the network and sinkholing any traffic from IP addresses that are not allow listed, the server will no longer be overwhelmed or perform slowly to respond to legitimate requests. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve it (whereas an IPS could).

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs: BEGIN LOG ---------------- http://test.diontesting.com/profile.php?userid=1546 http://test.diontesting.com/profile.php?userid=5842 http://test.diontesting.com/profile.php?userid=3618 ---------------- END LOG What type of vulnerability does this website have? A. Insecure direct object reference B. Weak or default configurations C. Race condition D. Improper error handling

Insecure direct object reference OBJ-1.3: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user's profile page in this scenario. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system's potential flaws.

A corporate workstation was recently infected with malware. The malware was able to access the workstation's credential store and steal all the usernames and passwords from the machine. Then, the malware began to infect other workstations on the network using the usernames and passwords it stole from the first workstation. The IT Director has directed its IT staff to develop a plan to prevent this issue from occurring again. Which of the following would BEST prevent this from reoccurring? A. Install an anti-virus or anti-malware solution that uses heuristic analysis B. Install a host-based intrusion detection system on all of the corporate workstations C. Install a Unified Threat Management system on the network to monitor for suspicious traffic D. Monitor all workstations for failed login attempts and forward them to a centralized SYSLOG server

Install an anti-virus or anti-malware solution that uses heuristic analysis OBJ-3.3: The only solution that could stop this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis. The other options might be able to monitor and detect the issue but not stop it from spreading. Heuristic analysis is a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses and new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should detect the issue and stop it from spreading throughout the network. A host-based intrusion detection system (HIDS) is a device or software application that monitors a system for malicious activity or policy violations. Any malicious activity or violation is typically reported to an administrator or collected centrally using a security information and event management system. The UTM is also acting as an IDS in this scenario based on the option presented.

The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems? A. Intrusion prevention system B. Anti-virus software C. Automated patch deployment D. Log consolidation

Intrusion prevention system OBJ-2.6: Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment and to prevent malicious activity. You could set up strict IPS rules to prevent unknown types of actions from being allowed to occur. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before conducting any patches. Often, patches will break ICS/SCADA functionality. Antivirus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems often do not rely on standard operating systems like Windows.

You are notified by an external organization that an IP address associated with your company's email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor's email account was only used from one workstation. You analyze Connor's workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario? A. Request disciplinary action for Connor for causing this incident B. Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department C. Isolate the workstation computer by disabling the switch port and resetting Connor's username/password D. Unplug the workstation's network cable and conduct a complete reimaging of the workstation

Isolate the workstation computer by disabling the switch port and resetting Connor's username/password OBJ-4.4: Isolation of Connor's computer by deactivating the port on the switch should be performed instead of just unplugging the computer. This would guarantee that Connor won't just plug the computer back into the network as soon as you leave his desk. While Connor won't be able to work without his workstation, it is essential to isolate the issue quickly to prevent future attempts at lateral movement from occurring and protect the company's data needed for continued business operations. While we are unsure of the issue's initial root cause, we know it is currently isolated to Connor's machine. He should receive remedial cybersecurity training, his workstation's hard drive forensically imaged for later analysis, and then his workstation should be remediated or reimaged. It is better to isolate just Connor's machine instead of the entire network segment in this scenario. Isolating the network segment, without evidence indicating the need to do so, would have been overkill and overly disruptive to the business. Reimaging Connor's device may destroy data that could have otherwise been recovered and led to a successful root cause analysis. There is also insufficient evidence in this scenario to warrant disciplinary action against Connor, as he may have clicked on a malicious link by mistake.

What containment technique is the strongest possible response to an incident? A. Isolating affected systems B. Segmentation C. Isolating the attacker D. Enumeration

Isolating affected systems OBJ-4.4: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. Enumeration is defined as the process of extracting usernames, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.

Dion Training has added a salt and cryptographic hash to their passwords to increase the security before storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called? A. Collision resistance B. Salting C. Rainbow table D. Key stretching

Key stretching OBJ-2.8: In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. The question describes one such key stretching technique.

Which protocol relies on mutual authentication of the client and the server for its security? A. CHAP B. Two-factor authentication C. RADIUS D. LDAPS

LDAPS OBJ-3.1: The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable access to a directory of resources (workstations, users, information, etc.). TLS provides mutual authentication between clients and servers. Since Secure LDAP (LDAPS) uses TLS, it provides mutual authentication.

The paparazzi have found copies of pictures of a celebrity's new baby online. The celebrity states they were never publicly released but were uploaded to their cloud provider's automated photo backup. Which of the following threats was the celebrity MOST likely a victim of? A. Unauthorized root access B. Unintended Bluetooth pairing C. Unauthorized camera activation D. Leaked personal files

Leaked personal files OBJ-2.5: When authorized users access devices through unintended connections or unauthorized users get their hands on absconded devices, they can access data on the device(s) that they were never intended to see. Every firm should have a policy for protecting data (encryption) and dealing with leaks when they occur.

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement? A. Chain of custody report B. Forensic analysis report C. Trends analysis report D. Lessons learned report

Lessons learned report OBJ-4.2: The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details. A trend analysis report describes whether behaviors have increased, decreased, or stayed the same over time. The chain of custody report is the chronological documentation or paper trail that records the custody, control, transfer, analysis, and disposition of physical or electronic evidence.

Dion Training has an open wireless network called "InstructorDemos" for its instructors to use during class, but they do not want any students connecting to this wireless network. The instructors need the "InstructorDemos" network to remain open since some of their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the following configuration settings should you use to satisfy the instructor's requirements and prevent students from using the "InstructorDemos" network? A. MAC filtering B. Signal strength C. NAT D. QoS

MAC filtering OBJ-3.4: Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same devices to connect to the network, it would be relatively easy to implement a MAC filtering based on the list of devices that are allowed to use the open network and reject any other devices not listed by the instructors (like the student's laptops or phones). Reducing the signal strength would not solve this issue since students and instructors are in the same classrooms. Using Network Address Translation and Quality of Service will not prevent the students from accessing or using the open network.

What type of wireless security measure can easily be defeated by a hacker by spoofing their network interface card's hardware address? A. MAC filtering B. Disable SSID broadcast C. WEP D. WPS

MAC filtering OBJ-3.3: Wireless access points can utilize MAC filtering to ensure only known network interface cards are allowed to connect to the network. If the hacker changes their MAC address to a trusted MAC address, they can easily bypass this security mechanism. MAC filtering is considered a good security practice as part of a larger defense-in-depth strategy, but it won't stop a skilled hacker for long. MAC addresses are permanently burned into the network interface card by the manufacturer and serve as the device's physical address. WEP is the Wired Equivalent Privacy encryption standard, which is considered obsolete in modern wireless networks. WEP can be broken using a brute force attack within just a few minutes by an attacker. Another security technique is to disable the SSID broadcast of an access point. While this prevents the SSID broadcast, a skilled attacker can still find the SSID using discovery scanning techniques. WPS is the WiFi Protected Setup. WPS is used to connect and configure wireless devices to an access point easily.

Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the operating system can load itself? A. Startup Control B. Measured boot C. Advanced anti-malware D. Master Boot Record analytics

Measured boot OBJ-3.2: Measured boot is a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server. Master boot record analysis is used to capture the hard disk's required information to support a forensic investigation. It would not detect malware during the system's boot-up process. Startup control would be used to determine which programs will be loaded when the operating system is initially booted, but this would be too late to detect malware loaded during the pre-startup and boot process. Advanced anti-malware solutions are programs that are loaded within the operating system. Therefore, they are loaded too late in the startup process to be effective against malicious boot sector viruses and other BIOS/UEFI malware variants.

When you are managing a risk, what is considered an acceptable option? A. Initiate B. Reject C. Deny D. Mitigate

Mitigate OBJ-5.4: Mitigating a risk makes the effect of a risk a little less unpleasant, harmful, or serious. The majority of risk management is focused on mitigating risks down to an acceptable level of loss or risk. The risk response actions are accept, avoid, mitigate, or transfer.

You received an incident response report indicating a piece of malware was introduced into the company's network through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? A. SPF B. MAC filtering C. ACL D. NAC

NAC OBJ-3.3: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company's networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during email delivery.

A new smartphone supports users' ability to transfer a photograph by simply placing their phones near each other and "tapping" the two phones together. What type of technology does this most likely rely on? A. IR B. BT C. RF D. NFC

NFC OBJ-1.4: Near-field communication (NFC) is a set of communication protocols that enable two electronic devices, one of which is usually a portable device such as a smartphone, to establish communication by bringing them within 4 cm of each other. This is commonly used for contactless payment systems, transferring contacts, or transferring a file from one device to another. Bluetooth (BT) is a wireless technology standard used for exchanging data between fixed and mobile devices over short distances using UHF radio waves in the industrial, scientific, and medical radio bands from 2.402 GHz to 2.480 GHz and building a personal area network (PAN). Bluetooth is commonly used when connecting wireless devices like mice, trackpads, headphones, and other devices. Infrared (IR) was a wireless networking standard supporting speeds up to about 4 Mbps with a direct line of sight for communications. Infrared sensors are used in mobile devices and with IR blasters to control appliances. While infrared (IR) used to be commonly used to connect wireless mice and keyboards to a laptop in the 1990s, it has fallen out of favor in the last 10-15 years since Bluetooth is more reliable and does not require a direct line of sight between the device and the laptop. Radio frequency (RF) is the propagation of radio waves at different frequencies and wavelengths. For example, Wi-Fi network products use a frequency of either 2.4 GHz or 5 GHz.

A penetration tester has issued the following command on a victimized host: nc -l -p 8080 | nc 192.168.1.76 443. What will occur based on this command? A. Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080 B. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443 C. Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76 D.Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080

Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443 OBJ-4.1: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to execute during a single command's execution. Next, netcat sends the data to the given IP (192.168.1.76) over port 443. This is a common technique to bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel).

Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts? A. Notification to local law enforcement B. Notification to federal law enforcement C. Notification to Visa and Mastercard D. Notification to your credit card processor

Notification to your credit card processor OBJ-4.5: Any organization that processes a credit card will be required to work with their credit card processor instead of working directly with the card issuers (Visa and Mastercard). Conducting notification to your bank or credit card processor is one of the first steps in the incident response effort for a breach of this type of data. Typically, law enforcement does not have to be notified of a data breach at a commercial organization.

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses older unencrypted SSDs as part of their default configuration, and the manufacturer does not provide a SE utility for the devices. The storage devices contained top-secret data that would bankrupt the company if it fell into a competitor's hands. After safely extracting the device's data and saving it to a new self-encrypting drive, you have been asked to dispose of the SSDs securely. Which of the following methods should you use? A. Physically destroy the storage devices B. Perform a cryptographic erase (CE) on the storage devices C. Use a secure erase (SE) utility on the storage devices D. Conduct zero-fill on the storage devices

Physically destroy the storage devices OBJ-2.7: Physical destruction is the only option that will meet the requirements of this scenario. Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this scenario, the SSDs were not self-encrypting drives (SED) and did not have a SE utility available, so the CE or SE methods cannot be used. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive. A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives. The best option is to conduct physical destruction since the scenario states that the storage device was already replaced with a new self-encrypting drive (SED). The old SSD contained top-secret data crucial to maintaining a corporate advantage over the company's competitors. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.

What is the correct order of the Incident Response process? A. Containment, Eradication, Identification, Lessons learned, Preparation, and Recovery B. Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned C. Lessons Learned, Recovery, Preparation, Identification, Containment, and Eradication D. Identification, Containment, Eradication, Preparation, Recovery, and Lessons Learned

Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned OBJ-4.2: The proper order of the Incident Response process is Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Concepts with lists of steps are common questions asked as an ordering or a drag and drop question on the exam. For example, the steps of incident response, the order of volatility, or the strength of encryption schemes could be asked using this question format.

Your company has decided to move all of its data into the cloud. Your company is small and has decided to purchase some on-demand cloud storage resources from a commercial provider (such as Google Drive) as its primary cloud storage solution. Which of the following types of clouds is your company using? A. Private B. Public C. Hybrid D. Community

Public OBJ-2.2: The public cloud is defined as computing services offered by third-party providers over the public internet, making them available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. Amazon Web Services, Microsoft Azure, and Google Cloud are three popular public cloud platforms. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.

Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process? A. The drives must be destroyed to ensure no data loss B. Purge, validate, and document the sanitization of the drives C. Clear the drives D. Clear, validate, and document the sanitization of the drives

Purge, validate, and document the sanitization of the drives OBJ-2.7: Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the drives' data without harming the drives themselves. Clearing them leaves the possibility that some tools would allow data recovery. Since the scenario indicates that these were leased drives that must be returned at the end of a lease, they cannot be destroyed.

Which type of media sanitization would you classify degaussing as? A. Purging B. Clearing C. Destruction D. Erasing

Purging OBJ-2.7: Degaussing is classified as a form of purging. Purging eliminates information from being feasibly recovered even in a laboratory environment. Purging includes degaussing, encryption of the data with the destruction of its encryption key, and other non-destructive techniques. Some generic magnetic storage devices can be reused after the degaussing process has finished, such as VHS tapes and some older backup tapes. For this reason, though, the technique of degaussing is classified as purging and not destruction, even though hard drives are rendered unusable after being degaussed. Clearing data prevents data from being retrieved without the use of state-of-the-art laboratory techniques. Clearing often involves overwriting data one or more times with repetitive or randomized data. Destroying data is designed not merely to render the information unrecoverable but also to hinder any reuse of the media itself. Destruction is a physical process that may involve shredding media to pieces, disintegrating it into parts, pulverizing it to powder, or incinerating it to ash. Erasing or deleting is considered a normal operation of a computer, which erases the data file's pointer on a storage device. Erasing and deleting are easily reversed, and the data can be recovered with commercially available or open-source tools.

Which of the following is a common attack model of an APT attack? A. Holds an organization's data hostage using encryption B. Relies on worms to spread laterally C. Quietly gathers information from compromised systems D. Involves sophisticated DDoS attacks

Quietly gathers information from compromised systems OBJ-1.5: An APT refers to an adversary's ongoing ability to compromise network security by using various tools and techniques to obtain and maintain access. An APT is usually a highly sophisticated nation-state threat actor that quietly gathers information from compromised systems and can lay in waiting for several months during an ongoing attack. In general, an APT is primarily focused on espionage and strategic advantage, but some target companies purely for commercial gain. An APT is unlikely to conduct a DDoS attack, use worms to spread throughout the network, or use ransomware as part of their covert attacks.

Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the following is the MOST likely cause of the issue? A. RADIUS B. WPA2 security key C. CSMA/CA D. SSL certificates

RADIUS OBJ-3.8: Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication. The IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. This defines port security. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server. The Remote Authentication Dial-in User Service (RADIUS) is used to manage remote and wireless authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The client device then passes the authentication data to an AAA (Authentication, Authorization, and Accounting) server that processes the request. Secure Sockets Layer (SSL) is a security protocol developed by Netscape to provide privacy and authentication over the Internet. SSL is application independent that works at layer 5 [Session] and can be used with a variety of protocols, such as HTTP or FTP. Client and server set up a secure connection through PKI (X.509) certificates. Carrier-sense multiple access with collision avoidance (CSMA/CA) is a network multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by beginning transmission only after the channel is sensed to be idle. CSMA/CA occurs in the background when communicating with a wireless access point and would not prevent the user from authenticating to the captive portal. A WPA2 security key is a preshared password used to authenticate and connect to a wireless access point. If the user connected to the SSID, then the WPA2 security key was valid.

Dion Training uses an authentication protocol to connect a network client to a networked file server by providing its authentication credentials. The file server then uses the authentication credentials to issue an authentication request to the server running this protocol. The server can then exchange authentication messages with the file server on behalf of the client. Throughout this process, a shared secret is used to protect the communication. Which of the following technologies relies upon the shared secret? A. Kerberos B. LDAP C. PKI D. RADIUS

RADIUS OBJ-3.8: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol operating on port 1812 that provides centralized Authentication, Authorization, and Accounting (AAA or Triple-A) management for users who connect and use a network service. The RADIUS protocol utilizes an obfuscated password created from the shared secret and creates an MD5 hash of the authentication request to protect the communications.

(Sample Simulation - On the real exam for this type of question, you may receive a list of different RAID types and be asked to visually display which hard drives in the RAID are used for redundant data storage as either a stripe or a mirror. You will then have to identify which RAID type is most appropriate for each type of server shown.) You are configuring a RAID drive for a Media Streaming Server. Your primary concern is the speed of delivery of the data. This server has two hard disks installed. What type of RAID should you install, and what type of data will be stored on Disk 1 and Disk 2? A. RAID 1 - Disk 1 (Mirror) and Disk 2 (Mirror) B. RAID 0 - Disk 1 (Stripe) and Disk 2 (Stripe) C. RAID 0 - Disk 1 (Mirror) and Disk 2 (Mirror) D. RAID 1 - Disk 1 (Stripe) and Disk 2 (Stripe)

RAID 0 - Disk 1 (Stripe) and Disk 2 (Stripe) OBJ-2.5: Since this is a Media Streaming Server, you should implement a RAID 0, which provides disk stripping across both drives. This will increase the speed of the data delivery but provides no redundancy. If you were concerned with redundancy, then you should choose a RAID 1, which uses a mirror of the data on both hard disks. You cannot use a RAID 5 since it requires a minimum of 3 disk drives and stripes the data across the hard disks. You also can not use a RAID 6 since this requires at least 4 hard disks with dual parity and disk stripping. A RAID 10 also requires 4 hard disks and is a mirror of striped drives (combining the benefits of RAID 1 and RAID 0).

Which of the following hashing algorithms results in a 160-bit fixed output? A. RIPEMD B. MD-5 C. SHA-2 D. NTLM

RIPEMD OBJ-2.8: RIPEMD creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

Which party in a federation provides services to members of the federation? A. SAML B. IdP C. SSO D. RP

RP OBJ-2.4: Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties between an identity provider and a service provider (SP) or a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.

Dion Training has just completed an assessment as part of its disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 30 minutes of downtime for their public-facing webserver. Which of the following metrics would best represent this period of time? A. RPO B. RTO C. MTBF D. MTTR

RTO OBJ-5.4: The Recovery Time Objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) to avoid unacceptable consequences associated with a break in business continuity. In this example, 30 minutes would be the RTO.

You are working as part of the server team for an online retail store. Due to the upcoming holidays, your boss is worried that the current servers may not be able to handle the increased demand during a big sale. Which of the following cloud computing concepts can quickly allow services to scale upward during busy periods and scale down during slower periods based on the changing user demand? A. Resource pooling B. Rapid elasticity C. Metered services D. On-demand

Rapid elasticity OBJ-2.3: Rapid elasticity is used to describe scalable provisioning or the capability to provide scalable cloud computing services. Rapid elasticity is very critical to meet the fluctuating demands of cloud users. The downside of rapid elasticity implementations is that they can cause significant loading of the system due to the high resource number of allocation and deallocation requests. Resource pooling refers to the concept that allows a virtual environment to allocate memory and processing capacity for a VMs use. On-demand refers to the fact that a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider. Metered services are pre-paid, a-la-carte, pay-per-use, or committed offerings. A metered service like a database may charge its users based on the actual usage of the service resources on an hourly or monthly basis. For example, Dion Training used the AWS Lambda serverless product in some of our automation. This service charges us $0.20 for every 1 million requests processed.

A macOS user is browsing the internet in Google Chrome when they see a notification that says, "Windows Enterprise Defender: Your computer is infected with a virus, please click here to remove it!" What type of threat is this user experiencing? A. Phishing B. Worm C. Pharming D. Rogue anti-virus

Rogue anti-virus OBJ-1.1: Rogue anti-virus is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and to pay money for a fake malware removal tool (that actually introduces malware to the computer). It is a form of scareware that manipulates users through fear and a form of ransomware. Since the alert is being displayed on a macOS system but appears to be meant for a Windows system, it is obviously a scam or fake alert and most likely a rogue anti-virus attempting to infect the system. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people. A worm is a standalone malware computer program that replicates itself to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. A worm can spread on its own, whereas a virus needs a host program or user interaction to propagate itself. Pharming is a type of social engineering attack that redirects a request for a website, typically an e-commerce site, to a similar-looking, but fake, website. The attacker uses DNS spoofing to redirect the user to the fake site.

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices? A. SNMP B. SMTP C. NetFlow D. MIB

SNMP OBJ-3.1: Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, and many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.

Which of the following categories would contain information about a French citizen's race or ethnic origin? A. PII B. PHI C. DLP D. SPI

SPI OBJ-5.5: According to the GDPR, information about an individual's race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject's opinions, beliefs, and nature afforded specially protected status by privacy legislation. As it cannot be used to identify somebody or make any relevant assertions about health uniquely, it is neither PII nor PHI. Data loss prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

You are reviewing the IDS logs and notice the following log entry: (where [email protected] and password=' or 7==7') What type of attack is being performed? A. XML injection B. Header manipulation C. SQL injection D. Cross-site scripting

SQL injection OBJ-1.3: SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common SQL injection technique is to insert an always true statement, such as 1 == 1, or in this example, 7 == 7. Header manipulation is the insertion of malicious data, which has not been validated, into an HTTP response header. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. The injection of unintended XML content and/or structures into an XML message can alter the application's intended logic. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.

Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set so that a single person can not add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario? A. Security through obscurity B. Dual control authentication C. Least privilege D. Separation of duties

Separation of duties OBJ-5.3: Separation of duties is the concept of having more than one person required to complete a task. In business, the separation by sharing more than one individual in a single task is an internal control intended to prevent fraud and error. In this case, one person can transfer money in, while another must transfer money out. Dual control authentication is used when performing a sensitive action and requires two different users to log in. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities. Security through obscurity is the reliance on security engineering in design or implementation by using secrecy as the main method of providing security to a system or component.

Which of the following does a User-Agent request a resource from when conducting a SAML transaction? A. Relying party (RP) B. Single sign-on (SSO) C. Service provider (SP) D. Identity provider (IdP)

Service provider (SP) OBJ-3.8: Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

Ping request SRC IP: 10.1.1.2 DEST IP: 192.168.1.255 ---> 192.168.1.0/24 subnet on web ---> many pings to Server 10.1.1.2 Which of the following best describes this type of attack? A. Smurf B. Man in the Middle C. XMAS tree attack D. Ping of death

Smurf Attack OBJ-1.4: A smurf attack uses a single ping with a spoofed source address sent to the broadcast address of a network. This causes every device within the network to receive a single ping, which appears to come from the device with the spoofed source address. Each network device then responds to the spoofed address, causing the victim (whose address was spoofed) to be overwhelmed with the responses to the initial ping.

Which of the following types of attacks are usually used as part of an on-path attack? A. Brute force B. DDOS C. Spoofing D. Tailgating

Spoofing OBJ-1.4: Spoofing is often used to inject the attacker into the conversation path between the two parties. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. The attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection. The attacker will intercept all relevant messages passing between the two victims and inject new ones. A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Tailgating is a social engineering technique to gain access to a building by following someone unaware of their presence. A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.

Aymen is creating a procedure for the remediation of vulnerabilities discovered within his organization. He wants to ensure that any vendor patches are tested before deploying them into the production environment. What type of environment should his organization establish? A. Staging B. Honeypot C. Honeynet D. Development

Staging OBJ-2.3: Deploying changes in a staging or sandbox environment provides the organization with a safe, isolated place for testing changes without interfering with production systems. Staging environments can mimic the actual production environment, leading to a realistic test environment that minimizes the risk of failure during a push to the production environment. Honeypots/Honeynets are not considered a testing environment. Instead, they are designed to attract attackers. The organization should not use the development environment to test the patches since a development environment does not mimic the real production environment.

An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development? A. Pair programming B. Dynamic code analysis C. Static code analysis D. Manual Peer Review

Static code analysis OBJ-3.4: Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. DevSecOps methodology would also improve the likelihood of detecting such an error but still rely on human-to-human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.

You are conducting a routine vulnerability scan of a server when you find a vulnerability. You locate a patch for the vulnerability on the software vendor's website. What should you do next? A. Establish continuous monitoring B. Submit a Request for Change using the change management process C. Download and install the patch immediately D. Start the incident response process

Submit a Request for Change using the change management process OBJ-5.3: Before any change to a baseline occurs, a Request for Change should be submitted. This submission will start the change management process within your organization. Once approved, the patch should be tested in a staging environment, installed on the production server, and then the server should be rescanned to ensure the vulnerability no longer exists. In this scenario, no incident response is being performed since this vulnerability is found during a routine vulnerability scan.

You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? A. Disassemble the files and conduct static analysis on them using IDA Pro B. Run the Strings tool against each file to identify common malware identifiers C. Submit the files to an open-source intelligence provider like VirusTotal D. Scan the files using a local anti-virus/anti-malware engine

Submit the files to an open-source intelligence provider like VirusTotal OBJ-1.5: The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community, as well. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded in a specific way within the malware, but you have to know what you are looking for, such as a malware signature. You should never scan the files using a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised because the scanner may also be compromised.

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? A. Kerberos B. TACACS+ C. RADIUS D. CHAP

TACACS+ OBJ-3.8: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.

While working as a security analyst, you have been asked to monitor the SIEM. You observed network traffic going from an external IP to an internal host's IP within your organization's network over port 443. Which of the following protocols would you expect to be in use? A. SSH B. HTTP C. TFTP D. TLS

TLS OBJ-3.1: Transport Layer Security (TLS) is used to secure web connections over port 443. Since port 443 was in use, you should expect either HTTPS, SSL, or TLS to be used as the protocol. If not, this would be suspicious activity and should be investigated. In fact, since this was a connection from the external IP to an internal host over port 443, this is suspicious and could be indicative of a remote access trojan on your host.

Which of the following protocols is considered insecure and should never be used in your networks? A. SSH B. Telnet C. SFTP D. HTTPS

Telnet OBJ-3.1: Telnet is an application protocol used on the internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. It is considered insecure and should never be used in secure networks because it transmits everything in clear text, including your authentication credentials. Telnet should be replaced with a more secure option, such as the secure shell (SSH) protocol. SSH performs the same functions as telnet but uses an encrypted tunnel to maintain the data's confidentiality before being sent over it. SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP used for secure communication over a computer network by encrypting data being transferred over it with either TLS or SSL.

An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue? A. The user doesn't have a PDF reader installed on their computer B. The email is a form of spam and should be deleted C. The file contains an embedded link to a malicious website D. The attachment is using a double file extension to mask its identity

The attachment is using a double file extension to mask its identity OBJ-1.1: The message contains a file attachment hoping that the user will execute or open it. The attachment's nature might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black popup window that appears and then disappeared, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.

You are conducting threat hunting on your organization's network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it? A. The host might be used as a command and control node for a botnet -- you should immediately disconnect the host from the network B. The host might be offline and conducted backups locally -- you should contact a system administrator to have it analyzed C. The host might use as a staging area for data exfiltration -- you should conduct volume-based trend analysis on the host's storage device D. The host might be the victim of a remote access trojan -- you should reimage the machine immediately

The host might use as a staging area for data exfiltration -- you should conduct volume-based trend analysis on the host's storage device OBJ-1.6: Based on your previous experience, you know that most workstations only store 40 GB of data. Since client workstations don't usually need to store data locally, and you noticed that a host's disk capacity has suddenly diminished, you believe it could indicate that it is used to stage data for exfiltration. To validate this hypothesis, you should configure monitoring and conduct volume-based trend analysis to see how much data is added over the next few hours or days. If you suspect the machine is the victim of a remote access trojan, you should not reimage it immediately. By reimaging the host, you would lose any evidence or the ability to confirm your hypothesis. Based on the scenario, you have no evidence that the system is offline or conducting backups locally. If you did suspect this, you could confirm this by checking the network connectivity or analyzing the files stored on the system. If you suspect the host used as a command and control (C2) node for a botnet, you should conduct network monitoring to validate your hypothesis before disconnecting the host from the network. If the host were a C2 node, that would not explain the excessive use of disk space observed.

An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store's IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions? A. There are no new risks due to the install and the company has a stronger physical security posture B. These devices are insecure and should be isolated from the internet C. These devices should be scanned for viruses before installation D. These devices should be isolated from the rest of the enterprise network

These devices should be isolated from the rest of the enterprise network OBJ-2.6: While the physical security posture of the company has been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store's network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don't necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and lock on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn't protect them long-term.

What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system called? A. Penetration testing B. Threat hunting C. Information assurance D. Incident response

Threat hunting OBJ-1.7: Threat hunting is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system. Penetration testing uses active tools and security utilities to evaluate security by simulating an attack on a system. A penetration test verifies that a threat exists, actively tests and bypasses security controls, and finally exploits vulnerabilities on the system. Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation to limit damage and reduce recovery time and costs.

Which of the following features is supported by Kerberos but not by RADIUS? A. Services for authentication B. Tickets used to identify authenticated users C. XML for cross-platform interoperability D. Single sign-on capability

Tickets used to identify authenticated users OBJ-3.8: Whether you learned the in-depth details of each of these protocols during your studies or not, you should be able to answer this question by remembering that Kerberos is all about 'tickets.' Kerberos uses a system of tickets to allow nodes to communicate over a non-secure network and securely prove their identity. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Kerberos is used in Windows Active Directory domains for authentication. Single sign-on (SSO) is a type of mutual authentication for multiple services that can accept the credential from one domain or service as authentication for other services. The Remote Authentication Dial-in User Service (RADIUS) is used to manage remote and wireless authentication infrastructure. Users supply authentication information to RADIUS client devices, such as wireless access points. The client device then passes the authentication data to an AAA (Authentication, Authorization, and Accounting) server that processes the request.

Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database? A. Tokenization B. Data masking C. Anonymization D. Data minimization

Tokenization OBJ-5.5: Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with x, for example. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

You have just received a phishing email disguised to look like it came from [email protected] asking you to send your username and password because your account has been locked out due to inactivity. Which of the following social engineering principles is being used in this email? A. Consensus B. Trust C. Urgency D. Intimidation

Trust OBJ-1.1: Trust is a commonly used social engineering technique during a social engineering campaign. It relies on making the email appear to have come from a trusted source, such as your IT support department or a company you frequently utilize. Often, the "display name" of the email is set to something like [email protected] or [email protected] to trick you into replying. Trust can also be used by pretending to be someone you know and trust in real life, such as a coworker or family member.

Which of the following functions is not provided by a TPM? A. Secure generation of cryptographic keys B. Sealing C. Random number generation D. User authentication E. Remote attestation F. Binding

User authentication OBJ-3.2: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.

Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted? A. VPC B. VDI C. UEBA D. VPN

VDI OBJ-3.5: Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from a user's physical computer. Virtual private cloud (VPC) is a private network segment made available to a single cloud consumer on a public cloud. A virtual private network (VPN) is a secure tunnel created between two endpoints connected via an insecure network, typically the internet. User and entity behavior analytics (UEBA) is a system that can provide automated identification of suspicious activity by user accounts and computer hosts.

Which of the following must be combined with a threat to create risk? A. Exploit B. Vulnerability C. Malicious actor D. Mitigation

Vulnerability OBJ-1.6: A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization's security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization's security goals. A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for threats and vulnerabilities since their goals lie outside your organization's security goals.

You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device? A. Site surveys B. War walking C. MAC validation D. Port scanning

War walking OBJ-1.8: War walking is conducted by walking around a build while locating wireless networks and devices. War walking will not help find a wired rogue device. Checking valid MAC addresses against a known list, scanning for new systems or devices, and physically surveying for unexpected systems can be used to find rogue devices on a wired network.

An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise? A. Purple team B. Red team C. Blue team D. White team

White team OBJ-1.8: Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission. A red team is a group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. A blue team is a group of people responsible for defending an enterprise's use of information systems by maintaining its security posture against a group of mock attackers. The purple team is made up of both the blue and red teams to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.