Security + Practice Test Combined 1-4
RDP, L2TP, LDAP, Kerberos
3380, 1701, 389, 88 The Remote Desktop Protocol (RDP) operates over port 3389. Layer 2 Tunneling Protocol (L2TP) operates over port 1701. The Lightweight Directory Access Protocol (LDAP) operates over port 389. Kerberos operates over port 88.
Which of the following cryptographic algorithms is classified as symmetric?
3DES.
Your company just installed a new webserver within your DMZ. You have been asked to open up the port for secure web browsing on the firewall. Which port should you set as open to allow users to access this new server?
443.
Kristi is setting up database servers on their own subnet. She has placed them on 10.10.3.3/29. How many nodes can be allocated in this subnet?
6
What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+?
802.1x
A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS. What should the network administrator implement?
802.1x using EAP with MSCHAPv2
If an administrator cannot fully remediate a vulnerability, which of the following should they implement?
A compensating control.
A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data?
Enable sampling of the data.
Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to "click here" to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following best describes this type of attack?
Phishing.
What is the lowest layer (bottom layer) of a bare-metal virtualization environment?
Physical hardware.
You are reviewing the logs in your IDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?
Port scan.
Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Port scanning targeting 10.10.3.6.
Buddy is the security manager for a bank and has recently been reading about malware that accesses system memory modules. He would like to find a solution that keeps programs from utilizing system memory. Which of the options would be the best solution?
(Data Execution Prevention) DEP
You are setting up the Remote Desktop Services on a Windows 2019 server. To increase the security of the server, which TWO of the following actions should you take?
- Logically place the Windows 2019 server into the networks DMZ - Block all unused ports on the switch, router, and firewall.
You are working as part of a cyber incident response team. An ongoing attack has been identified on your web server. Your company wants to take legal action against the criminals who have hacked your server, so they have brought in a forensic analyst from the FBI to collect the evidence from the server. What order should the digital evidence be collected based on the order of volatility?
1. Processor Cache 2. RAM 3. Swap File 4. Hard Drive or USB Drive
A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- $ tcpdump -n -i eth0 15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549 15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113 15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following statements is true based on this output?
10.0.19.121 is a client that is accessing an SSH server over port 52497.
Which of the following tools could be used to detect unexpected output from an application being managed or monitored?
A behavior-based analysis tool.
A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation?
A buffer overflow that is known to allow remote code execution.
Josh manages security at a power plant. The facility is sensitive, and security is very important. He would like to incorporate two-factor authentications with physical security. Which of the options below is the best way to meet this requirement?
A mantrap with a smart card at one door and a pin keypad at the other door.
Shannon works for a security company that performs pen tests for clients. She's currently conducting a test of an e-commerce company and discovers that after compromising the web server, she can use the web server to launch a second attack into the company's internal network. What type of attack is this considered?
A pivot.
Smurf Attack
A smurf attack occurs when an attacker sends a ping to a subnet broadcast address and devices reply to spoofed IP (victim server), using up bandwidth and processing power. This image is a graphical depiction of this type of attack.
You are a security analyst and you have just successfully removed malware from a virtual server. Which could you use to return the virtual server to its last known good state?
A snapshot.
As the security director, you identify a security risk to a planned network migration. You decide to continue with the current migration plan anyway since you deem it to be low risk. What type of response technique has been demonstrated?
Accept.
Matt manages database security for a university and he's concerned about ensuring that appropriate security measures are implemented. Which is the most important to database security?
Access Control Policies.
Which of the following policies should contain the requirements for removing a user's access when an employee is terminated?
Account management policy.
Of the listed principles, which one is the most important in managing account permissions?
Account recertification.
Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation?
Agent-based scanning.
You are configuring the ACL for the network perimeter firewall. You have just finished adding all the proper allow and deny rules. What should you place at the end of your ACL rules?
An implicit deny statement.
Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST?
Application whitelisting.
You work as a cybersecurity analyst at a software development firm. The software developers have begun implementing commercial and open source libraries into their codebase to minimize the time it takes to develop and release a new application. Which of the following should be your biggest concern as a cybersecurity analyst?
Any security flaws present in the library will also be present in the developed application.
What process is used to conduct an inventory of critical systems, components, and devices within an organization?
Asset management.
Laura manages the physical security for her company. She's especially concerned about an attacker driving a vehicle into the building. Which option below would protect against this threat?
Bollards.
Michael is analyzing strange behavior by some of the computers on his network. He believes the machines contain some malware. The symptoms include strange behavior that continues even if they boot to a Linux Live CD. What is the most probable cause?
Boot sector virus.
The web server administrator at your e-commerce company is concerned about someone using netcat to connect to the company web server to retrieve detailed information. What best describes this concern?
Banner Grabbing.
Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed:
Based on the passwords found in the example, Jason's new password cracker is most likely using a hybrid approach. All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason's password of rover123 is made up of the dictionary word "rover" and the number 123. The cracker likely attempted to use a dictionary word (like rover) and the attempted variations on it using brute force (such as adding 000, 001, 002, ...122, 123) to the end of the password until found. Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.
Of the following terms, which one refers to the process of establishing a standard for security?
Baselining.
You've been asked to conduct a penetration test for a small company and for the test, you were only given a company name, the domain name of their website, and the IP address of their gateway router. What describes the type of test?
Black-box Test.
What technology is NOT PKI x.509 compliant and cannot be used in various secure functions?
Blowfish.
Which of the following cryptographic algorithms is classified as symmetric?
Blowfish. ECC, PGP, and RSA are all asymmetric algorithms.
Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?
Blue team.
Your smartphone begins to receive unsolicited messages while you are eating lunch at the restaurant across the street from your office. What might cause this to occur?
Bluejacking.
Of the following, which best describes a compromised collection of computers being controlled from one central point?
Botnet.
Your company's Security Operations Center (SOC) is currently detecting an ongoing DDoS attack against your network's file server. A cybersecurity analyst has identified forty internal workstations on the network conducting the attack against your network's file server. The cybersecurity analyst believes these internal workstations are infected with malware and places them into a quarantined network area. The analyst then submits a service desk ticket to have the workstations scanned and cleaned of the infection. What type of malware was the workstation likely a victim of based on the scenario provided?
Botnet.
A cybersecurity analyst notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002 and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker?
Brute-force.
Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont's discovery, what type of attack might occur?
Buffer Overflow.
You have been asked to help conduct a white box penetration test. As part of your preparations, you have been given the source code for the organization's custom web application.
Buffer overflow.
What protection should be installed to best prevent the laptops from being stolen?
Cable locks.
Laura manages DLP for a large company where some employees have COPE and some have BYOD. What DLP issue could these devices present?
COPE and BYOD can be used as a USB OTG resource.
Steven is constantly receiving calls from wireless users who are being redirected to a login page when they connect to the network. The login page comes up whenever the users first connect to the network and attempt to access any website outside of the local area network from within their web browsers. Which of the following is causing this to happen?
Captive Portal.
What four security features should you use with a smart phone provided through a COPE policy in your organization?
Cellular Data, Remote Wipe, Location Tracking, and Cable Lock
The digital certificate on the Dion Training web server is about to expire. Which of the following should Jason submit to the CA in order to renew the server's certificate?
Certificate Signing Request (CSR).
As the security administrator, you're concerned about a variety of attacks that could affect your company's web server. You've recently heard about an attack where an attacker sends more data to a target than the target is expecting. If done correctly, this can cause the target to crash. What type of action can best prevent this type of attack?
Checking buffer boundaries.
A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this?
Conduct tokenization of the PHI data before ingesting it into the big data application.
Jason has installed multiple virtual machines on a single physical server. He needs to ensure that the traffic is logically separated between each virtual machine. How can Jason best implement this requirement?
Configure a virtual switch on a physical server and create VLANs.
James, a programmer at Apple Computers, is surfing the internet on his lunch break. He comes across a rumor site focused on providing details of the upcoming iPhone being released in a few months. James knows that Apple likes to keep its product details a secret until it is publicly announced. As James is looking over the website, he sees a blog post with an embedded picture of a PDF containing detailed specifications for the next iPhone and labeled "Proprietary Information - Internal Use Only." The new iPhone is still several months away from release. What should James do next?
Contact the service desk or incident response team to determine what to do next.
Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct?
Credentialed scan.
Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica sold in the general marketplace?
Counterfeiting.
You want to play computer-based video games from anywhere in the world using your laptop or tablet. You heard about a new product called a Shadow PC that is a virtualized Windows 10 Home gaming PC in the cloud. Which of the following best describes this type of service?
DaaS.
Neil, a network administrator for a small firm, has discovered several machines on his network are infected with malware. The malware is sending a flood of packets to an external target. What describes this attack?
DDoS
Dawn is a network administrator where the company network is segmented into zones of high security, medium security, low security, and the DMZ. She's concerned about external intruders and would like to install a honeypot. Which is the most important zone to put the honeypot in?
DMZ.
Your organization requires the use of TLS or IPSec for all communications with an organization's network. Which of the following is this an example of?
Data in transit.
Name a process of deleting data by sending an eraser to clear the instruction in an address of nonvolatile memory.
Data-at-rest.
A user reports that every time they try to access https://www.diontraining.com, they receive an error stating "Invalid or Expired Security Certificate." The technician attempts to connect to the same site from other computers on the network, and no errors or issues are observed. Which of the following settings needs to be changed on the user's workstation to fix the "Invalid or Expired Security Certificate" error?
Date and time.
Lonnie noticed that attackers have breached his WiFi network and have gained access via a wireless access point administrative panel and logged in with the credentials the WAP was shipped with. What best describes this issue?
Default Configuration
You have recently been hired as a security analyst at Dion Training. On your first day, your supervisor begins to explain the way their network is configured, showing you the physical and logical placement of each firewall, IDS sensor, host-based IPS installations, the networked spam filter, and the DMZ. What best describes how these various devices are placed into the network for the highest level of security?
Defense in Depth.
Courtney manages data security on BYOD and COPE devices. She's specifically concerned about the data being exposed should a device be lost or stolen. Which item would the best to alleviate this concern?
Device encryption.
What is a reverse proxy commonly used for?
Directing traffic to internal services if the contents of the traffic comply with the policy.
Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of "connected clients" and see that "Bob's Laptop" is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the WPA2 password?
Disabled WPS.
In mobile devices, which of the following algorithms is typically used??
ECC
Which of the following cryptographic algorithms is classified as asymmetric?
ECC.
Which authentication mechanism does 802.1x usually rely upon?
Extensible Authentication Protocol (EAP).
Jack manages security devices in his network. He's implemented a robust NIDS in his network, however, on two occasions the NIDS has missed a breach. What condition does this describe?
False Negative.
Your intrusion detection system has produced an alert based on its review of a series of network packets. After analysis, it is determined that the network packets did not contain any malicious activity. How should you classify this alert?
False-positive.
Olivia manages wireless security in her company and wants completely different WiFi access (ie different SSID, different security levels, different authentication methods) in different parts of the company. What's the best choice for Olivia to select in WAPs?
Fat.
Choose an example of PHI?
Fingerprints.
Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually through a token-based key fob or smartphone app, that does not expire?
HMAC-based One-time Password (HOTP).
Ashley is attempting to increase security at her company. She's currently creating an outline of all aspects of security that will need to be evaluated and acted on. Of the following terms, which one describes the process of improving security in a trusted OS?
Hardening
What should administrators perform to reduce a system's attack surface and remove unnecessary software, services, and insecure configuration settings?
Hardening.
When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis?
Hardware write blocker.
Chris just downloaded a new third-party email client for his smartphone. When Chris attempts to log in to his email with his username and password, the email client generates an error messaging stating that "Invalid credentials" were entered. Chris assumes he must have forgotten his password, so he resets his email username and password and then reenters them into the email client. Again, Chris receives an "Invalid credentials" error. What is MOST likely causing the "Invalid credentials" error regarding Chris's email client?
His email account requires multi-factor authentication.
Jamie recently downloaded a program from an unknown website and now his client files have had their file extensions changed and he cannot open them. He received a popup window that informed him that his files were now encrypted and he must pay some bitcoins to get them decrypted. What has happened?
His machine has ransomware.
Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?
Implement Network Access Control (NAC).
In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?
Improper error handling.
Your email client has been acting strangely recently. Every time you open an email with an image embedded within it, the image is not displayed on your screen. Which of the following is the MOST likely cause of this issue?
Incorrect security settings in the email client.
Julie was just hired to conduct a security assessment of Dion Training's security policies. During her assessment, she noticed that many users were sharing group accounts to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company?
Increase individual accountability.
You want to create a website for your new technical support business. You decide to purchase an on-demand cloud-based server and install Linux, Apache, and WordPress on it to run your website. Which of the following best describes which type of service you have just purchased?
Infrastructure as a service (IaaS).
While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. Apparently, the IT department never deactivated the employee's account upon their termination. Which of the following categories would this breach be classified as?
Insider Threat.
You work for Dion Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first?
Install a mantrap at the entrance.
Rachel manages security for a small bank and has a firewall at the gateway as well as one at each network segment. Each firewall logs all accepted and rejected traffic. Rachel checks each of these logs regularly. What's the first step that should be taken to improve this firewall configuration?
Integrate with SIEM.
You are trying to select the best device to install to detect an outside attacker trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select?
Intrusion Detection System (IDS)
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant's security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems?
Intrusion prevention system (IPS).
Why might it not be advisable to conduct penetration tests on your corporate network?
It can be disruptive for the business activities.
The paparazzi have found copies of pictures of a celebrity's new baby online. The celebrity states they were never publicly released but were uploaded to their cloud provider's automated photo backup. Which of the following threats was the celebrity MOST likely a victim of?
Leaked personal files.
A new corporate policy dictates that all access to network resources will be controlled based on the user's job functions and tasks within the organization. For example, only people working in Human Resources can access employee records, and only the people working in finance can access customer payment histories. Which of the following security concepts is BEST described by this new policy?
Least privilege.
You have noticed your company lacks deterrent controls. As the new security administrator, which of the following would you install that satisfies your needs?
Lighting.
Scott is the CISO for a bank. In recent readings, he read about an attack where the attacker was able to enumerate all the network resources and was able to make some resources unavailable. All of this was done by exploiting a single protocol. Which protocol would need to be secured to mitigate this attack?
Lightweight Directory Access Protocol (LDAP)
You have been asked to help design a new architecture for Dion Training's website. The current architecture involves a single server that hosts the website in its entirety. The company's newest course has been creating a lot of interest on social media. The CIO is concerned that the single server will not be able to handle the increased demand that could result from this increased publicity. What technology should you implement in the new architecture to allow multiple web servers to serve up the courses and meet this expected increase in demand from new students?
Load balancer.
Your company has implemented a clean desk policy and you were asked to secure physical documents every night. What is the best solution?
Locking Cabinets and drawers.
You are working as a security analyst and are reviewing the logs from a Linux server. Based on the portion of the logs displayed here, what type of malware might have been installed on the server?
Logic Bomb
The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, "You will regret firing me; just wait until Christmas!" He suspects the message came from a disgruntled former employee who may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could negatively affect Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for?
Logic Bomb.
Which of the following hashing algorithms results in a 128-bit fixed output?
MD-5.
You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server?
Malicious processes.
Dion Training has implemented a new mandatory vacation policy to help identify any malicious insiders or employees. Which of the following control types would this policy be categorized?
Managerial.
Grady is seeking access control methods that enforce authorization rules by the OS. Users cannot override authentication or access control policies. Which of the following best suits these needs?
Mandatory Access Control (MAC)
Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?
Missing patches.
You're responsible for server room security. You're concerned about physical theft of computers. Of the following, which would best be able to detect theft or attempted theft?
Motion-sensor activated cameras.
Derrick is a security administrator for a medium-sized mortgage company. He needs to verify that the network is using the most secure login/authentication scheme possible. Which of the following options is the best choice for that?
Multi-factor Authentication.
You received an incident response report indicating a piece of malware was introduced into the company's network through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again?
Network Access Control (NAC)
You work for an insurance company as their security administrator. You've noticed that there are a few accounts still active of employees who have been left the company for at least a year. You are worried that someone might attempt to access these accounts. What administrative control could be enabled to help prevent these accounts from remaining online and accessible after an employee leaves the company?
Offboarding procedures.
Hardware token being used alone is an example of?
One-time password authentication. It creates a one time use password.
Natalie is responsible for the security of web servers and is configuring the WAF to allow only encrypted traffic to and from the web server, including from administrators using the command-line interface. What should she do?
Open port 443 and 22 and block 80 and 23. Port 443 is used for HTTPS. HTTP is encrypted via TLS and port 22 is used for SSH and port 23 for telnet. All other options are incorrect because they are not proper ports to block or to open.
Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution?
OpenID connect.
Kaye works for a large insurance company and manages their cybersecurity. She's concerned about insiders and wants to be able to detect malicious activity but wants the detection process to be invisible to the attacker. What technology best fits these needs?
Out-of-band Network Intrusion Detection Systems (NIDS).
Cheyenne is doing a penetration test for a client's network and is currently gathering information from sources such as archive.org, netcraft.com, social media, and other information websites. What stage has just been described?
Passive Reconnaissance.
What technique is an attacker using if they review data and publicly available information to gather intelligence about the target organization without scanning or other technical information-gathering activities?
Passive Reconnaissance.
How would you appropriately categorize the authentication method being displayed here?
Password Authentication Protocol (PAP) Authentication.
Marta's organization is concerned with the vulnerability of a user's account being vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability?
Password expiration.
Which of the following is an example of an authentication factor that includes something you know?
Password.
What type of weakness is John the Ripper used to test during a technical assessment?
Passwords.
What problem can you solve by using Wireshark?
Performing packet capture and analysis on a network.
A firewall administrator has configured a new DMZ to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ for the Chief Security Officer to work from his home office after hours. The CSO's home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?
Permit 143.27.43.32, 161.212.71.14 RDP 3389
(Sample Simulation - On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.) What is the correct order of the Incident Response process?
Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
Your security policy is set to include system testing and security awareness training guidelines. Which of the following types of control is this?
Preventative administrative control.
You have an email that you are sending to a friend. You want to ensure it retains its integrity during transit, so you decide to digitally sign the email. When using a PKI system, what is used to encrypt the hash digest of the email to create a digital signature?
Private Key.
A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the server, what is their next step to pivot to a protected system behind the DMZ?
Privilege escalation.
In which type of attack does the attacker begin with a normal user account and then seek additional access rights?
Privilege escalation.
Dion Training is concerned with students entering the server room without permission. To prevent this from occurring, the organization wants to purchase and install an access control system that will allow each instructor to have access using an RFID device. Which of the following authentication mechanisms should Dion Training use to meet this requirement?
Proximity badge.
Which listed technique attempts to predict the likelihood of a threat occurrence and assigns monetary values in the event of a loss?
Quantitative Risk Assessment.
Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the following is the MOST likely cause of the issue?
RADIUS.
Of the following RAID levels, which one is considered a "stripe of mirrors"?
RAID 1+0
David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?
RDP.
Which of the following hashing algorithms results in a 160-bit fixed output?
RIPEMD.
A hospital's file server has become infected with malware. The files on the server all appear to be encrypted and cannot be opened. The network administrator receives an email from the attacker asking for 20 bitcoin in exchange for the decryption key. Which type of malware MOST likely infected these computers?
Ransomware.
Dion Training uses an authentication protocol to connect a network client to a networked file server by providing its authentication credentials. The file server then uses the authentication credentials to issue an authentication request to the server running this protocol. The server can then exchange authentication messages with the file server on behalf of the client. Throughout this process, a shared secret is used to protect the communication. Which of the following technologies relies upon the shared secret?
Remote Authentication Dial-in User Service (RADIUS)
Which of the following type of threats did the Stuxnet attack rely on to cross an airgap between a business and an industrial control system network?
Removable media.
Dion Training is concerned with the possibility of employees accessing another user's workstation in secured areas without their permission. Which of the following would BEST be able to prevent this from happening?
Require biometric identification.
David, a programmer, is using the waterfall method for application development. Using this method, at which phase of the SDLC can he stop implementing security measures?
Retirement.
A local competitor is offering a new service that is predicted to sell strong. After much research, your company has decided not to launch a competing service due to the uncertainty of the market and the large investment required. Which best describes your company's decision?
Risk Avoidance.
Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company in an incident. Which of the following best describes the company's risk response?
Risk transference.
The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network?
Router and switch-based MAC address reporting.
Syed is developing a vulnerability scanner program for a large network of sensors used to monitor his company's transcontinental oil pipeline. What type of network is this?
SCADA.
Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company's biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server's hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy's data integrity matches that of the original web server's hard disk?
SHA-256.
Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database?
SQL Injection.
[12Nov2020 10:07:23] "GET /logon.php?user=test'+oR+7>1%20—HTTP/1.1" 200 5825 [12Nov2020 10:10:03] "GET /logon.php?user=admin';%20—HTT{/1.1" 200 5845
SQL Injection.
An analyst just completed a port scan and received the following results of open ports: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- TCP: 80 TCP: 110 TCP: 443 TCP: 1433 TCP: 3306 TCP: 3389 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on these scan results, which of the following services are NOT currently operating?
SSH; SSH operates over port 22.
You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery?
Scan the network for additional instances of this vulnerability and patch the affected assets.
Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization's data center?
Schedule scans to run during periods of low activity.
Kevin manages security for a large university and has just successfully performed a threat analysis for the network. Based on past incidents and studies from similar setups, he has determined that the most prevalent threat is low-skilled attackers who wish to breach the system, simply because they can, for some low-level crime, or even changing a grade. Which term describes this attacker?
Script Kiddie.
What is a major security risk that could occur when you comingle hosts/servers with different security requirements in a single network?
Security policy violations.
Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set so that a single person can not add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario?
Separation of duties.
The company you work for is considering moving its email server to a hosting company. This will help reduce the cost of hardware and server administration at your local site. Which document formally states the reliability and recourse if reliability isn't met?
Service Level Agreements (SLA)
Which of the following authentication methods is an open-source solution for single sign-on across organizational boundaries on the web?
Shibboleth. Shibboleth is a standards-based, open-source software package for single sign-on across or within organizational boundaries on the web. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner. Shibboleth utilizes SAML to provide this federated single sign-on and attribute exchange framework.
Which of the following is an example of an authentication factor that includes something you do?
Signing your name.
Maria is trying to log in to her company's webmail and is asked to enter her username and password. Which type of authentication method is Maria using?
Single-factor.
Walter is working to implement Type II authentication. Which would be the best example of type II authentication?
Smart Cards.
You are working for a government contractor who requires all users to use a PIV device when sending digitally signed and encrypted emails. Which of the following physical security measures is being implemented?
Smart card.
As the manager for network operations at his company, Shane saw an accountant in the hall who thanks him for keeping the antivirus software up to date. When asked what he means, he mentions one of the IT staff members named Michael called him yesterday and remotely connected to his PC to update the antivirus...but there's no employee named Michael. What happened?
Social Engineering.
Dion Training wants to install a new accounting system and is considering moving to a cloud-based solution to reduce cost, reduce the information technology overhead costs, improve reliability, and improve availability. Your Chief Information Officer is supportive of this move since it will be more fiscally responsible. Still, the Chief Risk Officer is concerned with housing all of the company's confidential financial data in a cloud provider's network that might be shared with other companies. Since the Chief Information Officer is determined to move to the cloud, what type of cloud-based solution would you recommend to account for the Chief Risk Officer's concerns?
Software as a Service (Saas) in a private cloud.
DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as?
Static code analyzer.
You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?
Syslog.
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?
TACACS+.
Jeff is the network administrator and sometimes needs to run a packet sniffer so he can view the network traffic. He would like to find a well-known packet sniffer that works on Linux. Which of the following is the best choice?
Tcpdump
An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue?
The attachment is using a double file extension to mask it's identity.
An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?
The attack widely fragmented the image across the host file system.
You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing?
The backup is a differential backup.
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacons behavior on the network?
The beacon's protocol.
Rhonda manages account security for her company. She's noticed a receptionist who has an account with a six-character password that hasn't been changed in two years and her password history isn't maintained. What is the most significant problem with this account?
The password length is the most significant problem.
Ashley is the network administrator for a company. She proceeds to delete the account for a user who left the company last week. The user's files were encrypted with a private key. How can Ashley view these files?
They can be decrypted using a recovery agent.
Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually through a token-based key fob or smartphone app, that automatically expires after a short period of time (for example, 60 seconds)?
Time based one-time password (TOTP).
Why would a company want to utilize a wildcard certificate for their servers?
To reduce the certificate management burden.
Assuming that Dion Training trusts Thor Teaches, and Thor Teaches trusts Udemy, then we can assume Dion Training also trusts Udemy. What concept of IAM does the previous statement represent?
Transitive trust.
Tracie has been using a packet sniffer to observe traffic in the company network and has noticed that traffic between the web server and the database server is sent in clear text. She would like a solution that will encrypt traffic and also leverage the existing digital certificate infrastructure the company has. Which of the following is the best solution?
Transport Layer Security (TLS)
Jennifer decided that the licensing cost for a piece of video editing software was too expensive. Instead, she decided to download a keygen program to generate her own license key and install a pirated version of the editing software. After she runs the keygen, a license key is created, but her system performance becomes very sluggish, and her antimalware suite begins to display numerous alerts. Which type of malware might her computer be infected with?
Trojan.
One of the following items automatically updates browsers with a list of root certificates from an online web source used to track which certificates can be trusted, which one is it?
Trust Model.
William would like to use full-disk encryption on his laptop. He is worried about slow performance, though, so he has requested that the laptop have an onboard hardware-based cryptographic processor. Based on this requirement, what should William ensure the laptop contains?
Trusted Platform Module (TPM)
You're responsible for an always-on VPN connection for your company and have been told that it must utilize the most secure mode for IPSec possible. Which of the following is best?
Tunneling.
Choose the type of hypervisor known as "bare metal"?
Type 1.
You are attempting to prioritize your vulnerability scans based on the data's criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization?
Type of data processes by the system.
Paul is the web security administrator for a website that does online auctions. A few users are complaining that when they log in to the website, they get a message stating it's down to try again later. Paul checks and he can visit the site without any problem, even from outside of the network. He also checks the web server log but there is no entry of these users ever connecting. Of the following, which best explains this situation?
Typosquatting.
You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal?
VLAN.
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor?
VM escape.
Which of the following types of attacks occurs when an attacker calls up people over the phone and attempts to trick them into providing their credit card information?
Vishing.
You are installing a new wireless network in your office building and want to ensure it is secure. Which of the following configurations would create the MOST secure wireless network?
WPA2 and AES.
Which of the standards below was developed by the WiFi Alliance and is used to implement the requirements of IEEE 802.11i??
WPA2.
You have run a vulnerability scan and received the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-CVE-2011-3389 QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability Check with: openssl s_client -connect login.diontraining.com:443 - tls -cipher "AES:CAMELLISA:SEED:3DES:DES"-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following categories should this be classified as?
Web application cryptography vulnerability.
A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst?
Web application vulnerability scan.
What type of attack is focused on targeting a specific individual like the CEO of a company?
Whaling.
Which of the following types of attacks occurs when an attacker specifically targets the CEO, CFO, CIO, and other board members during their attack?
Whaling.
Neil is given the task of creating a wireless network for his company. The wireless network needs to implement a wireless protocol that provides the maximum level of security while providing support for older wireless devices, simultaneously. Which protocol should be used?
Wi-Fi Protected Access (WPA)
You work for a company that hired a pen testing firm to test the network. For the test, you gave them details on operating systems you use, applications you run and network devices. What describes this type of test?
White-box Test.
Of the following, which item is a list of applications approved for use on your network?
Whitelist.
Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company's owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donate them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computer's hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend?
Wiping.
You are analyzing the SIEM for your company's e-commerce server when you notice the following URL in the logs of your SIEM: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/><item+id="5&quantity=0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on this line, what type of attack do you expect has been attempted?
XML Injection.
You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any infection signs. Which of the following has MOST likely occurred?
Zero-day attack.
What kind of security vulnerability would a newly discovered flaw in a software application be considered?
Zero-day vulnerability.
You are working as a penetration tester and have discovered a new method of exploiting a vulnerability within the Windows 10 operating system. You conduct some research online and discover that a security patch against this particular vulnerability doesn't exist yet. Which type of threat would this BEST be categorized as?
Zero-day.
A small business recently experienced a catastrophic data loss due to flooding from a recent hurricane. The customer had no backups, and all of the hardware associated with the small business was destroyed during the flooding. As part of the rebuilding process, the small business contracts with your company to help create a disaster recovery plan to ensure this never reoccurs again. Which of the following recommendations should you include as part of the disaster recovery plan?
backups should be conducted to a cloud-based storage solution.
You are analyzing the following network utilization report because you suspect one of the servers has been compromised. -=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=- IP Address Name Uptime Historical Current 192.168.20.2 web01 7D 12H 32M 06S 42.6 GB 44.1 GB 192.168.20.3 webdev02 4D 07H 12M 45S 1.95 GB 2.13 GB 192.168.20.4 dbsvr01 12D 02H 46M 14S 3.15 GB 24.6 GB 192.168.20.5 marketing01 2D 17H 18M 41S 5.2 GB 4.9 GB -=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=--=-=-=-=-=- Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further?
dbsvr01.
Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3?
http.request.methd=="POST'&& ip.dst=10.1.2.3
Which is the best choice for naming the account of John Smith - domain admin?
jsmith
Kevin is going over his company's recertification policy. Which is the best reason to recertify?
to audit permissions.