Security+ Quiz Questions I Got Wrong
Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of a database server is $120,000. Based on her analysis, she believes that a data breach to this server will occur once every four years and has a risk factor is 30%. What is the ALE for a data breach within Jamie's organization? - $360,000 - $36,000 - $90,000 - $9,000
$9,000 The single loss expectancy (SLE) is the amount that would be lost in a single occurrence (AV) times the risk factor (RF). The annual loss expectancy (ALE) is the total cost of a risk to an organization annually. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).<br><br>SLE = AV x RF = $120,000 x 0.3 = $36,000<br>ALE = SLE x ARO = $36,000 x 0.25 = $9,000
A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- $ tcpdump -n -i eth015:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 1654915:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 11315:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following statements is true based on this output? - 10.0.19.121 is a client that is accessing an SSH server over port 52497 - 11.154.12.121 is under attack from a host at 10.0.19.121 - 10.0.19.121 is under attack from a host at 11.154.12.121 - 11.154.12.121 is a client that is accessing an SSH server over port 52497
10.0.19.121 is a client that is accessing an SSH server over port 52497 This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) runs an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is not evidence of an attack against either the server or the client based on this output since we can only see the headers and not the content being sent between the client and server.
Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring? - 143 - 21 - 80 - 22
22 Port 22 is used for SSH, which administrators use to securely connect remotely to a server and issue commands via a command-line interface. Port 21 is used by FTP, Port 80 is used by HTTP, and port 143 is used by IMAP.
Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring? - 443 - 25 - 23 - 110
23 Port 23 is used by telnet, which used to be used by administrators to connect remotely to a server and issue commands via a command-line interface. Telnet is not commonly used in networks anymore because all of the commands sent back and forth to the server are passed without any encryption or protection. Therefore, telnet is a security risk and has been mostly replaced by SSH (Port 22). Port 25 is used by SMTP, Port 110 is used by POP3, and port 443 is used by HTTPS.
Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring? - 23 - 443 - 110 - 25
23 Port 23 is used by telnet, which used to be used by administrators to connect remotely to a server and issue commands via a command-line interface. Telnet is not commonly used in networks anymore because all of the commands sent back and forth to the server are passed without any encryption or protection. Therefore, telnet is a security risk and has been mostly replaced by SSH (Port 22). Port 25 is used by SMTP, Port 110 is used by POP3, and port 443 is used by HTTPS.
Your firewall is blocking outbound email traffic that is attempting to be sent. Which port should you verify is set to ALLOW in the firewall to ensure your emails are being sent? - 143 - 80 - 22 - 25
25 (SMTP) Email servers rely on port 25 to send emails out of the network. Port 25 must be set to OPEN or ALLOW in the firewall for SMTP (sendmail transfer protocol) to function properly. Port 22 is SSH, Port 80 is HTTP, and Port 143 is IMAP.
Your company just installed a new webserver within your DMZ. You have been asked to open up the port for secure web browsing on the firewall. Which port should you set as open to allow users to access this new server? - 143 - 443 - 80 - 21
443 Port 443 is used for HTTPS traffic. Therefore, this port must be opened. This is secure web browsing over SSL or TLS. Port 21 is used for the File Transfer Protocol (FTP). Port 80 is used for insecure web browsing (HTTP). Port 143 is used for Internet Mail Application Protocol (IMAP).
What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+? - 802.1q - 802.11ac - 802.1x - 802.3af
802.1x If you are using RADIUS/TACACS+ with the switch, you will need to use 802.1x for the protocol.
Which of the following access control methods provides the most detailed and explicit type of access control over a resource? - DAC - MAC - RBAC - ABAC
ABAC (Attribute-based access control) Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes. Information such as the group membership, the OS being used by the user, and even the machine's IP address could be considered when granting or denying access.
What tool is used to collect wireless packet data? - John the Ripper - Aircrack-ng - Nessus - Netcat
Aircrack-ng Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file. John the Ripper is a password cracking software tool. Nessus is a vulnerability scanner. Netcat is used to create a reverse shell from a victimized machine back to an attacker.
You are configuring the ACL for the network perimeter firewall. You have just finished adding all the proper allow and deny rules. What should you place at the end of your ACL rules? - An implicit allow statement - An implicit deny statement - A SNMP deny string - A time of day restriction
An implicit deny statement According to the best practices of firewall configurations, you should include an implicit deny at the end of your ACL rules. This will ensure that anything not specifically allowed in the rules above is blocked. Using an implicit allow is a bad security practice since it will allow anything into the network that is not specifically denied. While the time of day restrictions can be useful, they are not required for all network implementations.
Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST? - Anti-malware solution - Host-based firewall - Intrusion detection system - Application whitelisting
Application Whitelisting Application whitelisting will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus. An intrusion detection system might detect the anomalous activity created by a piece of malware, but it will only log or alert based on the activity, not prevent it. A host-based firewall may prevent a piece of malware from establishing a network connection with a remote server. Still, again, it wouldn't prevent infection or prevent it from executing. An anti-malware solution is a good investment towards improving your security. Since the threat is a zero-day virus, an anti-malware solution will not detect it using its signature database.
RSA DSA Diffie-Hellman ECC These are examples of what type of encryption method?
Asymmetric Asymmetric encryption, also known as public-key cryptography, involves the use of a pair of keys: a public key for encryption and a private key for decryption. The public key can be freely distributed, allowing anyone to encrypt messages, but only the possessor of the private key can decrypt and access the original information. Asymmetric encryption is slower than symmetric encryption but provides a secure means for key exchange and digital signatures in secure communication environments.
Which of the following processes is concerned with validating credentials? - Auditing - Authentication - Authorization - Accountability
Authentication Authentication is the process of validating that a user's credentials are authentic, after the user has presented them through the identification process.
A security admin needs to search a storage drive to obtain email messages and browser histories. Which of the following would provide this functionality? - theHarvester - Autopsy - Nessus - dnsenum - memdump
Autopsy Autopsy is an open-source digital forensics platform used for analyzing computer systems and electronic devices. It offers tools for file system analysis, keyword search, hash analysis, and timeline analysis. Widely employed by digital forensics professionals and law enforcement, Autopsy aids in extracting relevant information to uncover evidence and reconstruct timelines for investigative purposes.
What does the CIA triad stand for?
Availability Confidentiality, Integrity and Availability.
You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server? - Vulnerability scan - Protocol analysis - Banner grabbing - Passive scan
Banner Grabbing Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server's response. This banner usually contains the operating system being run by the server and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time consuming and not fully accurate methods to determine the version being run.
Your smartphone begins to receive unsolicited messages while you are eating lunch at the restaurant across the street from your office. What might cause this to occur? - Bluejacking - Bluesnarfing - Geotagging - Packet sniffing
Bluejacking Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. Bluesnarfing, on the other hand, involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a very limited range, so the attacker is likely within 10 meters of the victimized device. Geotagging involves embedded the geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.
Your organization has been targeted by attacks, and you are seeing multiple previously unknown pieces of malware infect client machines. What can be used to keep client machines off the network unless they are free from malware?
Boot Attestation Part of the Unified Extensible Firmware Interface (UEFI) specification is to allow the reporting of the integrity of components via digital signatures. This can be used to verify that all components are running verified copies.
During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords? - Birthday attack - Cognitive password attack - Rainbow table attack - Brute force attack
Cognitive password attack A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this type of password can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin's email account was hacked because a high schooler used the "reset my password" feature on Yahoo's email service to reset her password using the information that was publicly available about Sarah Palin (like her birthday, high school, and other such information).
You work for a bank interested in moving some of its operations to the cloud, but it is worried about security. You recently discovered an organization called CloudBank that was formed by 15 local banks as a way for them to build a secure cloud-based environment that can be accessed by the 15 member banks. Which cloud model BEST describes the cloud created by CloudBank? - Community cloud - Private cloud - Hybrid cloud - Public cloud
Community Cloud Community Cloud is another type of cloud computing in which the cloud setup is shared manually among different organizations that belong to the same community or area.
Which of the following allows for the mixing of business and personal matters? - Biometrics - Authentication - Containerization - Segmentation
Containerization Containerization divides a device into containers—one holding company information, and the other holding personal information.
During which incident response phase is the preservation of evidence performed? - Preparation - Detection and analysis - Post-incident activity - Containment, eradication and recovery
Containment, eradication and recovery A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, prevent future attacks or bring up an attacker on criminal charges. Restoration and recovery are often prioritized over analysis by business operations personnel, but taking time to create a forensic image is crucial to preserve the evidence for further analysis and investigation. During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.
Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation? - Create a hash digest of the source drive and the image file to ensure they match - Encrypt the image file to ensure it maintains data integrity - Encrypt the source drive to ensure an attacker cannot modify its contents - Digitally sign the image file to provide a non-repudiation of the collection
Create a hash digest of the source drive and the image file to ensure they match. The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from it. When comparing hash values, you need to use the same algorithm used to create the reference value.
Which of the following describes the overall accuracy of a biometric authentication system? - False rejection rate - Crossover error rate - False acceptance rate - False positive rate
Crossover error rate The Crossover Error Rate (CER) describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.
A financial services company wants to donate some old hard drives from their servers to a local charity. The hard drives used in the servers are self-encrypting drives. Still, they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use? - Zero-fill - Overwrite - Secure erase - Cryptographic erase
Cryptographic erase In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Cryptographic erase can be used with hard drives, as well. Zero-fill is a process that fills the entire storage device with zeroes.
Which of the following cryptographic algorithms is classified as symmetric? - DSA - ECC - GPG - DES
DES (Data Encryption Standard) The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for applications, it was the standard used from 1977 until the early 2000s. GPG, ECC, and DSA are all asymmetric algorithms.
During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team? - UTM - SSL - DLP - MDM
DLP (Data Loss Prevention) Data loss prevention (DLP) software detects potential data breaches/ data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. This can be configured to detect and alert on future occurrences of this issue. Secure Socket Layer (SSL) is a distraction in this question since the questions asked about information being sent unencrypted. The connection between the client and the email server could be encrypted using SSL. However, the information is still sent to an employee's personal email account, which equates to a loss of control over the company's confidential data. Mobile Device Management (MDM) software is used for the configuration and securing of mobile devices like smartphones and tablets. Unified Threat Management (UTM) is a device that combines the functions of a firewall, anti-malware solution, and IDS into a single piece of hardware. Some UTM's may provide a DLP functionality, but DLP is a better answer to this question.
Which of the following cryptographic algorithms is classified as asymmetric? - RC4 - DES - DSA - AES
DSA (Digital Signature Algorithm) The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures. The algorithm uses a key pair consisting of a public key and a private key. AES, RC4, and DES are all symmetric algorithms.
You want to play computer-based video games from anywhere in the world using your laptop or tablet. You heard about a new product called a Shadow PC that is a virtualized Windows 10 Home gaming PC in the cloud. Which of the following best describes this type of service? - IaaS - SaaS - PaaS - DaaS
DaaS (Desktop as a Service) DaaS provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses focused on increasing their security and minimizing their operational expenses. Shadow PC (shadow.tech) provides a version of DaaS for home users who want to have a gaming PC without all the upfront costs.
If a person knows a control exists, and this control keeps them from performing a malicious action, what type of control is this considered?
Deterrent control
Which of the following cryptographic algorithms is classified as asymmetric? - Blowfish - RC4 - Diffie-Hellman - AES
Diffie-Hellman The Diffie-Hellman (DH) is used to exchange cryptographic keys over a public channel securely and was one of the first public-key protocols. As a public-key protocol, it relies on an asymmetric algorithm. AES, RC4, and Blowfish are all symmetric algorithms.
Which authentication mechanism does 802.1x usually rely upon? - HOTP - RSA - EAP - TOTP
EAP (Extensible Authentication Protocol) The IEEE 802.1X Port-based Network Access Control framework establishes several ways for devices and users to be securely authenticated before they are permitted full network access. The actual authentication mechanism will be some variant of the Extensible Authentication Protocol (EAP). EAP allows lots of different authentication methods, but many use a digital certificate on the server and/or client machines. This allows the machines to establish a trust relationship and create a secure tunnel to transmit the user authentication credential.
Which of the following cryptographic algorithms is classified as asymmetric? - Twofish - ECC - RC4 - DES
ECC Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. As a public-key cryptosystem, it relies on an asymmetric algorithm. Twofish, RC4, and DES are all symmetric algorithms.
A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? - Document matching - Classification - Statistical matching - Exact data match
Exact Data Match (EDM) An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers. But, since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match the numbers' fingerprints instead based on their format or sequence. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses machine learning to analyze various data sources using artificial intelligence or machine learning. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification based DLP to search for any files labeled as secret or top secret.
What regulation protects the privacy of student educational records? - HIPAA - GLBA - SOX - FERPA
FERPA (The Family Educational Rights and Privacy Act) Gramm-Leach-Bliley Act (GLBA) institutes requirements that help protect the privacy of an individual's financial information held by financial institutions and others, such as tax preparation companies. The privacy standards and rules created as part of GLBA safeguard private information and set penalties in the event of a violation. Sarbanes-Oxley Act (SOX) dictates requirements for storing and retaining documents relating to an organization's financial and business operations, including the type of documents to be stored and their retention periods. It is relevant for any publicly-traded company with a market value of at least $75 million. The Family Educational Rights and Privacy Act (FERPA) requires that educational institutions implement security and privacy controls for student educational records. The Health Insurance Portability and Accountability Act (HIPAA) establishes several rules and regulations regarding healthcare in the United States. With the rise of electronic medical records, HIPAA standards have been implemented to protect patient medical information privacy through restricted access to medical records and regulations for sharing medical records.
Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence? - dd - Memdump - Autopsy - FTK Imager
FTK Imager FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including file slack and unallocated space or drive free space. The dd tool can also create forensic images, but it is not a proprietary tool since it is open-source. Memdump is used to collect the content within RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite.
Which of the following are considered "unsecure" protocols? (Select all that apply) - HTTP - SSH - FTP - Telnet
HTTP, FTP and Telnet HTTP, or Hypertext Transfer Protocol, is an unencrypted web protocol. Because it is unencrypted, anyone with the ability to view/capture HTTP traffic can see everything sent and received in an HTTP session. FTP, or File Transfer Protocol, is an unencrypted file transfer protocol. Because it is unencrypted, anyone with the ability to view/capture the FTP session can see everything sent and received in that FTP session, including the files transferred and the contents of those files. Finally, Telnet is an unencrypted application protocol used to provide a bidirectional, interactive, text-oriented communication between a client and a server. Anyone one with the ability to sniff the traffic could see everything passed in the Telnet session, including passwords.
When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis? - Software write blocker - Degausser - Forensic drive duplicator - Hardware write blocker
Hardware write blocker Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive's contents from being changed during analysis, you should pick the hardware write blocker.
Which of the following protocols would you use to encrypt VPN traffic? - IPsec - SSH - MD5 - S/MIME
IPsec IPsec provides encryption, integrity, and authentication for data tunneled over VPNs across public networks. The other answers are incorrect. S/MIME is used for encrypting email, SSH allows secure remote access, and MD5 facilitates hashes to allow for integrity.
Which role validates the user's identity when using SAML (Security Assertions Markup Language) for authentication? - IdP - RP - SP - User agent
IdP (Identity Provider) The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.
During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft's regular patch. Which of the following options would be best to ensure the system remains protected and are compliant with the rules outlined by the PCI DSS? - Build a custom OS image that includes the patch - Identify, implement and document compensating controls - Remove the POS terminals from the network until a patch is released - Replace the Windows POS terminals with standard Windows systems
Identify, implement and document compensating controls Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.
Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should access Dion Training's secure internal network. Which of the following technologies would allow you to configure this port and support both requirements? - Implement NAC - MAC filtering - Create an ACL to allow access - Configure a SIEM
Implement NAC (Network Access Control) Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets and provide them with access to the secure internal network. NAC could also determine unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them onto a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define what ports, protocols, or IP addresses the ethernet port could be utilized. Still, it would be unable to distinguish between a Dion Training employee's laptop and a CompTIA employee's laptop like a NAC implementation could.
A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops? - Require 2FA (two-factor authentication) on the laptops - Scan the laptops for vulnerabilities and patch them - Implement a jumpbox system - Increase the encryption level of VPN used by the laptops
Implement a jumpbox system A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an airgap, or using a jumpbox.
You are asked to implement a software development lifecycle methodology (SDLM) at your organization. What key elements do you implement to ensure security is a priority in all software produced? (Select all that apply) - Input Validation - Cross-site Forgery Validation - Driver Compatibility Testing - Fuzzing
Input/Cross-Site Forgery validation and Fuzzing A software development lifecycle methodology (SDLM) includes secure coding practices, such as input validation, proper error handling and cross-site validation, as well as security testing, such as fuzzing.
What is the biggest disadvantage of using single sign-on (SSO) for authentication? - Users need to authenticate with each server as they log on - Systems must be configured to utilize the federation - The identity provider issues the authorization - It introduces a single point of failure
It introduces a single point of failure Single sign-on is convenient for users since they only need to remember one set of credentials. Unfortunately, single sign-on also introduces a single point of failure. If the identity provider is offline, then the user cannot log in to any of the resources they may wish to utilize across the web.
Why is time synchronization an important function for a SIEM system to perform?
It's important to compare events in both local time for local events and UTC.
You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario? - Physical - Jumpbox - Airgap - Bastion Hosts
Jumpbox Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox only runs the necessary administrative port and protocol (typically SSH).
You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first? - ARP cache - L3 cache - Backup tapes - Image of the server's SSD
L3 Cache When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin collecting the CPU registers and cache memory (L1/L2/L3/GPU). The contents of system memory (RAM), including a routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Next, you would move onto the collection of data storage devices like hard drives, SSDs, and flash memory devices. After that, you would move onto less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.
Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach? - The company will have less control over the SIEM - The company will be dependent on the cloud provider's backup capabilities - Legal and regulatory issues may prevent data migration to the cloud - A VM escape exploit could allow an attack to gain access to the SIEM
Legal and regulatory issues may prevent data migration to the cloud If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud. The other options presented are all low risk and can be overcome with proper planning and mitigations. Most cloud providers have degrees of redundancy far above what any individual on-premises provider will be able to generate, making the concern over backups a minimal risk. If the SIEM is moved to a cloud-based server, it could still be operated and controlled in the same manner as the previous on-premise solution using a virtualized cloud-based server. While a VM or hypervisor escape is possible, they are rare and can be mitigated with additional controls.
You have been asked to help design a new architecture for Dion Training's website. The current architecture involves a single server that hosts the website in its entirety. The company's newest course has been creating a lot of interest on social media. The CIO is concerned that the single server will not be able to handle the increased demand that could result from this increased publicity. What technology should you implement in the new architecture to allow multiple web servers to serve up the courses and meet this expected increase in demand from new students? - RAID - VPN concentrator - DLP - Load Balancer
Load Balancer A load balancer allows for high availability and the ability to serve increased demand by splitting the workload across multiple servers. RAID is a high availability technology that allows for multiple hard disks to act logically as one to handle more throughput, but this will not solve the higher demand on the server's limited processing power like a load balancer would. A VPN concentrator is a networking device that provides secure creation of VPN connections and delivery of messages between VPN nodes. A data loss prevention (DLP) system is focused on ensuring that intellectual property theft does not occur. Therefore, a DLP will not help meet the increased demand from new students.
Dion Training is building a new data center. The group designing the facility has decided to provide additional HVAC capacity to ensure the data center maintains a consistently low temperature. Which of the following is the most likely benefit that will be achieved by increasing the designed HVAC capacity? - Longer UPS run time due to increased airflow - Higher data integrity due to better cooling - Increase the availability of network due to higher throughput - Longer MTBF of hardware due to lower operating temperatures
Longer MTBF of hardware due to lower operating temperatures The mean time between failure (MTBF) is the measure of the anticipated rate of failure for a system or component. This is effectively a measurement of the component's expected lifespan. If the HVAC capacity is increased, the server room can maintain a cooler temperature range.
Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization's RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period? - RTO - RPO - EER - MTTR
MTTR Mean time to repair (MTTR) is a basic measure of the maintainability of repairable items. It represents the average time required to repair a failed component or device.
Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic? - Generative adversarial network - Machine learning - AI - Deep learning
Machine Learning A machine learning (ML) system uses a computer to accomplish a task without being explicitly programmed.
You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? - Malicious processes - Unauthorized sessions - Off-hours usage - Failed logins
Malicious Processes A malicious process is one that is running on a system and is outside the norm. This is a host-based indicator of compromise (IOC) and not directly associated with an account-based IOC. Off-= hours usage, unauthorized sessions, and failed logins are all account-based examples of an IOC. Off-hours usage occurs when an account is observed to log in during periods outside of normal business hours. An attacker often uses this to avoid detection during business hours. Unauthorized sessions occur when a device or service is accessed without authorization. For example, if a limited privilege user is signed into a domain controlled. A failed login might be normal if a user forgets or incorrectly types their password, but repeated failures for one account could also be an indication of an attacked to crack a user's password.
A Security admin is gathering data from a compromised host. Which of the follow should be gathered first? - Any previous backups - Drive Image - Default Router Configuration - /tmp directory contents - Memory Dump
Memory Dump Memory dump is pulling the memory from the RAM which is the most volatile form of memory (other than the CPU cache).
Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords? - CRLF injection - Cross-site scripting - SQL injection - Missing patches
Missing patches Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability.
You received an incident response report indicating a piece of malware was introduced into the company's network through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? - SPF - ACL - MAC filtering - NAC
NAC Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement.
Which security control would prevent unauthorized users from connecting to a company's wireless network? - Firewall - IPS - Segmentation - NAC
NAC Network Access Control (NAC) prevents unauthorized users from connecting to a network.
Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts?
Notification to your credit card processor Any organization that processes a credit card will be required to work with their credit card processor instead of working directly with the card issuers (Visa and Mastercard).
Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution? - ADFS - Kerberos - SAML - OpenID Connect
OpenID Connect OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
Your company is setting up a system to accept credit cards in their retail and online locations. Which of the following compliance types should you be MOST concerned with dealing with credit cards?
PCI-DSS The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to securely host your data and follow PCI compliance requirements.
Which cloud computing concept is BEST described as focusing on replacing the hardware and software required when creating and testing new applications and programs from a customer's environment with cloud-based resources? - SaaS - PaaS - SECaaS - IaaS
PaaS (Platform as a Service) Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform.
A firewall administrator has configured a new DMZ to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ for the Chief Security Officer to work from his home office after hours. The CSO's home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?
Permit 143.27.43.32 (the static IP Address of the CSO) 161.212.71.14 (Assign them an IP in the DMZ from 0-24) RDP 3389
A single attacker sending ICMP Echo Request messages to a server through the internet is known as what? - Smurf attack - DDoS - SYN flood - Ping flood
Ping flood A Ping flood occurs when an attacker attempts to flood the server by sending too many ICMP echo request packets (known as pings).
Data that if disclosed to an unauthorized party would potentially cause harm or disruption to the organization should be labelled as which of the following? - Legal - Confidential - Private - Secret
Private Private information can cause harm or disruption if exposed.
Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach? - Credit card information - Trade secret information - Personally identifiable information - Protected health information
Protected Health Information (PHI) Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPPA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.
Which of the following hashing algorithms results in a 160-bit fixed output? - SHA-2 - NTLM - RIPEMD - MD-5
RIPEMD RIPEMD creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.
Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 60 minutes worth of data loss in the event of a disaster. Therefore, the organization has implemented a system of database snapshots that are backed up every hour. Which of the following metrics would best represent this time period? - RTO - MTBF - MTTR - RPO
RPO (Recovery point objective) Recovery point objective (RPO) describes a period of time in which an enterprise's operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster, or communications failure. RPO is about how much data you afford to lose before it impacts business operations. For example, at Dion Training, if 1 hour of data loss occurred, that means that any student progress within the last hour would be lost once the organization restored a server from a known good backup.
Which of the following cryptographic algorithms is classified as asymmetric? - RSA - RC4 - AES - DES
RSA RSA (Rivest-Shamir-Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm. AES, RC4, and DES are all symmetric algorithms.
Which of the following terms is used to describe the period of time following a disaster that an individual IT system may remain offline? - RTO - RPO - MTBF - MTTR
RTO Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster.
Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 30 minutes of downtime for their public-facing webserver. Which of the following metrics would best represent this time period? - RPO - MTTR - RTO - MTBF
RTO The Recovery Time Objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) to avoid unacceptable consequences associated with a break in business continuity. In this example, 30 minutes would be the RTO.
Which of the following terms is used to describe the period of time following a disaster that an individual IT system may remain offline? - MTTR - RPO - RTO - MTBF
RTO (Recovery time objective) Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired. Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation.
The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network?
Router and switch-based MAC address reporting. The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.
Match the following protocols to their ports: SCP POP3 SNMP Telnet - 161 - 22 - 23 - 110
SCP = 22 POP3 = 110 SNMP = 161 Telnet = 23
A company loses $1,000 dollars each time a tablet is stolen. Which of the following would would describe this information? - RPO - SLE - MTBF - RTO - ALE
SLE - Single Loss Expectancy. This determines the monetary value if an asset is stolen, lost or damaged. --------------------------------------- RPO Recovery Point Objective - The maximum acceptable amount of data loss measured in time before a system or process needs to be restored. MTBF Mean Time Between Failures - The average time that a system or component is expected to operate before experiencing a failure. RTO Recovery Time Objective - The targeted duration of time within which a business process or system must be restored after a disruption to avoid unacceptable consequences. ALE Annualized Loss Expectancy - The estimated monetary loss expected from a security incident in a year, calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO).
Which of the following categories would contain information about a French citizen's race or ethnic origin? - PHI - DLP - SPI - PII
SPI According to the GDPR, information about an individual's race or ethnic origin is classified as Sensitive Personal Information (SPI). As it cannot be used to identify somebody or make any relevant assertions about health uniquely, it is neither PII nor PHI.
What is a major security risk that could occur when you comingle hosts/servers with different security requirements in a single network? - Privilege creep - Security policy violations - Password compromises - Zombie attacks
Security policy violations A network is only as strong as its weakest link (or host/server). When you comingle hosts/servers, there is a large risk that security policy violations could occur. This is because users may be used to following a less stringent security policy for one set of machines and carry over those procedures to a machine that should have had stronger security policies.
Which of the following does a User Agent request a resource from when conducting a SAML transaction? - Single sign-on (SSO) - Identity provider (IdP) - Relying party (RP) - Service provider (SP)
Service provider (SP) Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.
A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies? - Hashing the cookie value - Setting the secure attribute on the cookie - Forcing the use of SSL for the web application - Forcing TLS for the web application
Setting the secure attribute on the cookie When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still need to set the cookie's Secure attribute. Hashing the cookie provides the cookie's integrity, not confidentiality; therefore, it will not solve the issue presented by this question.
You are working for a government contractor who requires all users to use a PIV device when sending digitally signed and encrypted emails. Which of the following physical security measures is being implemented? - Key fob - Smart card - Cable lock - Biometric reader
Smart card A smart card is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government, and corporate identification cards, documents such as electronic passports and visas, and financial payment cards. Often, smart cards are used as part of a multifactor authentication system where the smart card and a PIN needs to be entered for system authentication to occur.
Which of the following types of factors could be used to describe a fingerprint-based method of logging in and authenticating to a touchscreen device? - Something you are - Something you have - Something you know - Something you do
Something you are This is an example of "something you are," like any biometric factor, such as a fingerprint or retinal eye pattern.
An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development? - Dynamic Code Analysis - Static Code Analysis - Manual Peer Review - Pair Programming
Static Code Analysis Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools.
AES DES 3DES Blowfish Twofish These are examples of what type of encryption method?
Symmetric Symmetric encryption is a cryptographic method where the same key is used for both the encryption and decryption of data. In this approach, the communicating parties share a secret key, and the security of the system relies on keeping this key secret. Symmetric encryption is computationally efficient and fast, making it suitable for encrypting large amounts of data.
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? - Kerberos - RADIUS - TACACS+ - CHAP
TACACS+ TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.
What type of organizations are the main users of an interconnection service agreement (ISA)?
Telecommunication companies
You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing? - The backup was interrupted - The backup is encrypted - The backup is a differential backup - The backup is stored in iCloud
The backup is a differential backup iPhone/iPad backups can be created as full or differential backups. In this scenario, the backup being analyzed is likely a differential backup containing the information that has changed since the last full backup. If the backup were encrypted, you would be unable to read any of the contents. If the backup were interrupted, the backup file would be in an unusable state. If the backup were stored in iCloud, you would need access to their iCloud account to retrieve and access the file. Normally, during an investigation, you will not have access to the user's iCloud account.
You just received a notification that your company's email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? - The SMTP audit log from his company's email server - The full email header from one of the spam messages - Firewall logs showing the SMTP connections - Network flows for the DMZ containing the email servers
The full email header from one of the spam messages You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, you will need to conduct more research to determine the best method to solve the underlying problem.
The Pass Certs Fast corporation has recently been embarrassed by several high profile data breaches. The CIO proposes improving the company's cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach?
This approach only changes the location of the network and not the attack surface of it.
Why would a company want to utilize a wildcard certificate for their servers? - To secure a the certificate's private key - To extend the renewal date of the certificate - To increase the certificate's encryption key length - To reduce the certificate management burden
To reduce the certificate management burden A wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain. This saves money and reduces the management burden of managing multiple certificates, one for each subdomain.
Which of the following cryptographic algorithms is classified as symmetric? - RSA - Twofish - Diffie-Hellman - ECC
Twofish Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. ECC, RSA, and Diffie-Hellman are all asymmetric algorithms.
Your organization has recently been the target of a spearphishing campaign. You have identified the website associated with the link in the spearphishing emails and want to block it. Which of the following techniques would be the MOST effective in this situation? - Containment - Application blacklist - Quarantine - URL filter
URL Filter A URL filter can be used to block a website based on its website address or universal resource locator (URL).
Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? - Zero-wipe drives before moving systems - Use full-disk encryption - Use data masking - Span multiple virtual disks to fragment data
Use full-disk encryption To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider.
Which of the following functions is not provided by a TPM? - Binding - Random number generation - User authentication - Remote attestation - Secure generation of cryptographic keys - Sealing
User authentication User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? - VM migration - VM sprawl - VM data remnant - VM escape
VM escape Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker can access a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines. Data remnant is the residual representation of digital data that remains even after attempts have been made to remove or erase it. Virtualization sprawl is a phenomenon that occurs when the number of virtual machines on a network reaches a point where the administrator can no longer manage them effectively. Virtual machine migration is the task of moving a virtual machine from one physical hardware environment to another.
A Linux admin is downloading an updated version of their Linux distribution. The download site shows a link to the ISO and a SHA256 hash value. Which of these would describe the use of this hash value? - Verifies that the file was not corrupted during the file transfer - Provides a key for decrypting the ISO after download - Authenticates the site as an official ISO distribution site - Confirms that the file does not contain any malware
Verifies that the file was not corrupted during the file transfer The SHA256 hash is commonly used for file integrity verification. By comparing the calculated SHA256 hash of the downloaded file with the provided hash value, the Linux admin can ensure that the file has not been corrupted or tampered with during the download process. It does not provide encryption keys, authenticate the site as an official distribution site, or confirm the absence of malware in the file.
Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? - VPN - IDS - Whitelisting - MAC filtering
Whitelisting By implementing whitelisting of the authorized IP addresses for the five largest vendors, they will be the only ones who will access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the scenario's description, it appears like the system is under some form of denial of service attack. Still, by implementing a whitelist at the edge of the network and blackholing any traffic from IP addresses that are not whitelisted, the server will no longer be overwhelmed or perform slowly to respond to legitimate requests. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve it (whereas an IPS could).
You are analyzing the SIEM for your company's e-commerce server when you notice the following URL in the logs of your SIEM: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on this line, what type of attack do you expect has been attempted? - XML injection - SQL injection - Buffer overflow - Session hijacking
XML injection This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application's intended logic, and XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server's XML structure. The original XML structure would be: <addToCart> <item id="5" perItemPrice="50.00" quantity="1" /> </addToCart>. By using the URL above, this would be modified to the following: <addToCart> <item id="5" perItemPrice="0.00" quantity="10" /> <item id="5" perItemPrice="50.00" quantity="0" /> </addToCart>. The result would be that a new line was added in the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store's add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, which is normally managed for a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, shown by the bracketed data.
Which command on a macOS or Linux system is used to change the permissions of a file? - sudo - chown - chmod - pwd
chmod The chmod command is used to change a file or directory's permissions from the command line or terminal. The chown command is used to change the owner of the file, but not its permissions. The sudo command allows a command to be executed as the superuser (root) instead of the current user. The pwd is used to display the path to the present working directory (current directory) to the terminal or display.
Which tool would you use to read and write TCP/UDP network connections? - netcat - AV - SFC - tcpdump
netcat netcat is used for reading from and writing to network connections using TCP or UDP tcpdump is used to analyze network packets. Antivirus (AV) applications check files for known viruses and other malware. SFC is a Windows system file integrity checker.
