Sybex Practice Exam Book Chapter 4

John is reviewing his organization's procedures for applying security patches and is attempting to align them with best practices. Which one of the following statements is not a best practice for patching? A.Security patches should be applied as soon as possible. B.Patches should be applied to production systems first. C.Patches should be thoroughly tested for unintended consequences. D.Patches should follow a change management process.

B.Patches should be applied to production systems first. Explanation: Patches should be applied in test environments prior to deploying them in production. It is best practice to apply security patches as soon as possible and test them thoroughly. Patches should also be applied through the organization's normal change management process.

Bruce is concerned about access to the master account for a cloud service that his company uses to manage payment transactions. He decides to implement a new process for multifactor authentication to that account where an individual on the IT team has the password to the account, while an individual in the accounting group has the token. What security principle is Bruce using? A. Dual control B.Separation of duties C.Least privilege D.Security through obscurity

A. Dual control Explanation: This is an example of dual control (or two-person control) where performing a sensitive action (logging onto the payment system) requires the cooperation of two individuals. Separation of duties is related but would involve not allowing the same person to perform two actions that, when combined, could be harmful.

Several employees will need to travel with sensitive information on their laptops. Martin is concerned that one of those laptops may be lost or stolen. Which one of the following controls would best protect the data on stolen devices? A. FDE B. Strong passwords C.Cable lock D.IPS

A. FDE Explanation: Full disk encryption prevents anyone who gains possession of a device from accessing the data it contains, making it an ideal control to meet Martin's goal. Strong passwords may be bypassed by directly accessing the disk. Cable locks are not effective for devices used by travelers. Intrusion prevention systems are technical controls that would not affect someone who gained physical access to a device.

Which one of the following systems is not normally considered a component of identity management infrastructure? A. HR system B.LDAP C.Provisioning engine D.Auditing system

A. HR system Explanation: LDAP directory servers, provisioning engines, and auditing systems are all typically considered part of an identity management infrastructure. HR systems are generally considered a data source for the identity management infrastructure but not a component of the infrastructure itself.

Samantha is investigating a cybersecurity incident where an internal user used his computer to participate in a denial-of-service attack against a third party. What type of policy was most likely violated? A.AUP B.SLA C.BCP D.Information classification policy

A.AUP Explanation; This activity is almost certainly a violation of the organization's acceptable use policy, which should contain provisions describing appropriate use of networks and computing resources belonging to the organization.

Jim is helping a software development team integrate security reviews into their code review process. He would like to implement a real-time review technique. Which one of the following approaches would best meet his requirements? A.Pair programming B.Pass-around code review C.Tool-assisted review D.Formal code review

A.Pair programming Explanation: A. Pair programming is a real-time technique that places two developers at a workstation where one reviews the code that the other writes in real-time. Pass-around reviews, tool-assisted reviews, and formal code reviews are asynchronous processes.

What are the four implementation tiers of the NIST Cybersecurity Framework, ordered from least mature to most mature? A.Partial, Risk Informed, Repeatable, Adaptive B.Partial, Repeatable, Risk Informed, Adaptive C.Partial, Risk Informed, Managed, Adaptive D.Partial, Managed, Risk Informed, Adaptive

A.Partial, Risk Informed, Repeatable, Adaptive Explanation; A. The NIST Cybersecurity Framework uses four implementation tiers to describe an organization's progress toward achieving cybersecurity objectives. The first stage, tier 1, is Partial. This is followed by the Risk Informed, Repeatable, and Adaptive tiers.

Questions 51-53 refer to the following scenario: Travis is troubleshooting the firewall rulebase that appears here: Users are reporting that inbound mail is not reaching their accounts. Travis believes that rule 1 should provide this access. The organization's SMTP server is located at 10.15.1.1. What component of this rule is incorrect? A.Protocol B.Source port C.Destination IP D.Destination port

A.Protocol Explanation: The only error in this rule is the protocol. SMTP does run on port 25, and inbound connections should be accepted from any port and IP address. The destination IP address (10.15.1.1) is correct. However, SMTP uses the TCP transport protocol, not UDP.

Kyle runs the netstat command on a Linux server and sees the results shown here. Which one of the following services is being used for an active remote connection to this server? A.SSH B.HTTPS C.MySQL D.NTP

A.SSH Explanation: The netstat results show an active SSH connection on the server, as well as several active HTTP connections. The server is listening for HTTPS, MySQL, and NTP connections, but there are no active sessions.

Bruce is considering the acquisition of a software testing package that allows programmers to provide their source code as input. The package analyzes the code and identifies any potential security issues in the code based upon that analysis. What type of analysis is the package performing? A.Static analysis B.Fuzzing C.Dynamic analysis D.Fault injection

A.Static analysis Explanation: Static analysis of code involves manual or automated techniques that review the source code without executing it. Fuzzing and fault injection are examples of dynamic analysis that execute the code and attempt to induce flaws.

Which one of the following security controls is designed to help provide continuity for security responsibilities? A.Succession planning B.Separation of duties C.Mandatory vacation D.Dual control

A.Succession planning Explanation: Succession planning is designed to create a pool of reserve candidates ready to step into positions when a vacancy occurs. This is an important continuity control. The other security controls may have the incidental side effect of exposing employees to other responsibilities, but they are not designed to meet this goal.

Allan is building a database server that will provide analytics support to a data science team within his organization. The current layout of his organization's network is shown here. Which network zone would be the most appropriate location for this server? A.Internet B.Internal network C.DMZ D.New network connected to the firewall

B.Internal network Explanation: The internal network is the most appropriate zone for this server, as it serves only internal clients on the data science team. Adding an additional network for this server is costly, and there is no indication that the effort and expense would be justified. A database server should never be placed on the Internet, and there is no public access required, which would justify placing it in the DMZ.

John is planning to deploy a new application that his company acquired from a vendor. He is unsure whether the hardware he selected for the application is adequate to support the number of users that will simultaneously connect during peak periods. What type of testing can help him evaluate this issue? A.User acceptance testing B.Load testing C.Regression testing D.Fuzz testing

B.Load testing Explanation: Load testing, or stress testing, evaluates an application's performance under full load conditions. It is the best type of testing to meet John's requirements, as the other test types do not simulate a high-demand situation.

Carol is running an nmap scan and is confused by the results. It appears that nmap is not scanning a port where she expects to find a running service. What ports does nmap scan if nothing is specified on the command line? A.1-1024 B.1-65535 C.Only ports listed in the nmap-services file D.Ports from 1-1024 and those listed in the nmap-services file

D.Ports from 1-1024 and those listed in the nmap-services file Explanation: By default, nmap scans all of the low-numbered ports (1-1024) and those that are specifically listed in the nmap-services file.

After Tom initiates a connection to the website, what key is used to encrypt future communications from the web server to Tom? A.The website's public key B.The website's private key C.Tom's public key D.The session key

D.The session key Explanation: TLS uses public key cryptography to initiate an encrypted connection but then switches to symmetric cryptography for the communication that takes place during the session. The key used for this communication is known as the session key or the ephemeral key

Rule 4 is designed to allow ssh access from external networks to the server located at 10.15.1.3. Users are reporting that they cannot access the server. What is wrong? A.The protocol is incorrect. B.The rules are misordered. C.The destination port is incorrect. D.There is no error in the rule, and Travis should check for other issues.

D.There is no error in the rule, and Travis should check for other issues. Explanation; Rule 4 is correctly designed to allow SSH access from external networks to the server located at 10.15.1.3. The error is not with the firewall rulebase, and Travis should search for other causes.

The accounting department has a policy that requires the signatures of two individuals on checks valued over $5,000. What type of control do they have in place? A.Mandatory vacations B. Separation of duties C.Job rotation D.Two-person control

D.Two-person control Explanation: Two-person control is a principle that requires the concurrence of two different employees to perform a single sensitive action. Requiring two signatures on a check is an example of a two-person control.

Catherine is responding to a request for materials from auditors who will be reviewing her organization's security. She received a request for a list of physical security controls used to protect her organization's data center. Which one of the following controls does not meet this criteria? A.Fire suppression system B.Perimeter fence C.Exterior lighting D.Visitor log reviews

D.Visitor log reviews Explanation: Visitor log reviews are a procedural mechanism that an organization follows to implement sound security management practices and, therefore, are an example of an administrative control. The other controls listed are all examples of physical security controls.

What identity management protocol is typically paired with OAuth2 to provide authentication services in a federated identity management solution on the Web? A. Kerberos B.ADFS C.SAML D.OpenID

D.OpenID Explanation; While OAuth may be paired with almost any authentication provider, the most common approach is to pair OAuth and OpenID Connect to provide a complete authentication and authorization solution.

Jacob would like to standardize logging across his organization, which consists of a mixture of Windows and Linux systems as well as Cisco network devices. Which logging approach would work best for Jacob? A. Syslog B.Event Viewer C.SCCM D. Prime

A. Syslog Explanation: Syslog provides a standardized logging facility that works across a wide variety of operating systems and devices. Event Viewer and SCCM are Microsoft-specific technologies, while Prime is a Cisco-specific technology.

What is the IP address of Maddox's default gateway? A.192.168.1.1 B.10.179.1.1 C.172.30.35.33 D.10.179.160.1

A.192.168.1.1 Explanation; The address of the default gateway on Maddox's system will appear as the first hop in the traceroute results. In this case, it is 192.168.1.1.

Jeff is preparing a password policy for his organization and would like it to be fully compliant with PCI DSS requirements. What is the minimum password length required by PCI DSS? A.7 characters B.8 characters C.10 characters D.12 characters

A.7 characters Explanation: PCI DSS has a fairly short minimum password length requirement. Requirement 8.2.3 states that passwords must be a minimum of seven characters long and must include a mixture of alphabetic and numeric characters.

Patrick is reviewing the contents of a compromised server and determines that an intruder installed a tool called John the Ripper. What is the purpose of this tool? A.Stealing copyrighted media content B. Cracking passwords C.Monitoring network traffic D.Launching DDoS attacks

B. Cracking passwords Explanation: John the Ripper is a password cracking tool used to retrieve plain-text passwords from hashed password stores.

What account did the individual use to connect to the server? A.root B.ec2-user C. bash D.pam_unix

B.ec2-user Explanation: The identity of the user making the connection appears in the first log entry: accepted publickey for ec2-user. The third log entry that contains the string USER=root is recording the fact that the user issued the sudo command to create an interactive bash shell with administrative privileges. This is not the account used to create the server connection. The pam_unix entry indicates that the session was authenticated using the pluggable authentication module (PAM) facility.

Bob remotely connected to a Windows server and would like to determine the server's function. He ran the TCPView tool from the Sysinternals suite on that server and saw the results shown here. What role best describes this server? A.Web server B.File server C.Database server D.Logging server

C.Database server Explanation; All of the services shown on the TCPView results are standard Windows services that would appear on any Windows server, with one exception. sqlservr.exe is a process associated with Microsoft SQL Server and would be found only on a database server.

Sonia is investigating a server on her network that is behaving suspiciously. She used Process Explorer from the Sysinternals toolkit and found the results shown here. What service on this system is responsible for the most memory usage? A.Internet Explorer B.Process Explorer C.Database server D.Web server

C.Database server Explanation: The processes consuming the most memory on this server are the SQL Server core process and the SQL Server Management Studio application. These are all components of the database service.

Randy's organization recently adopted a new testing methodology that they find is very compatible with their agile approach to software development. In this model, one developer writes code, while a second developer reviews their code as they write it. What approach are they using? A. Pair programming B.Over-the-shoulder review C.Pass-around code reviews D.Tool-assisted reviews

A. Pair programming Explanation; Pair programming is an agile software development technique that places two developers at one workstation. One developer writes code, while the other developer reviews their code as they write it. Over-the-shoulder code review also relies on a pair of developers but rather than requiring constant interaction and hand-offs, over-the-shoulder requires the developer who wrote the code to explain the code to the other developer. Pass-around code review, sometimes known as email pass-around code review, is a form of manual peer review done by sending completed code to reviewers who check the code for issues. Tool-assisted code reviews rely on formal or informal software-based tools to conduct code reviews.

What type of malicious software might an attacker use in an attempt to maintain access to a system while hiding his or her presence on the system? A. Rootkit B.Worm C.Trojan horse D.Virus

A. Rootkit Explanation: Rootkits combine multiple malicious software tools to provide continued access to a system while hiding their own existence. Fighting rootkits requires a full suite of system security practices, ranging from proper patching and layered security design to antimalware techniques such as whitelisting, heuristic detection, and malicious software detection tools.

Questions 209-211 refer to the following scenario: Cody recently detected unusual activity on a set of servers running in his organization's data center. He discovered that these servers were running at close to 100% capacity for extended periods of time. After performing a historical analysis, he determined that this was unusual, as the servers rarely reached full utilization during the previous year. He then reviewed the processes on those servers and found that they were running cryptocurrency mining software. Which one of the following sources of information would be most useful to Cody as he seeks to determine the identity of the individual responsible for the installation of this software? A. Server logs B. Netflow records C.Kerberos logs D. IPS logs

A. Server logs Explanation: All of these information sources may provide clues to the identity of the individual who installed the software. However, the server logs are likely to contain records of software installation and associate them with a user ID. This is the source that is most likely able to provide the most direct answer to Cody's question in the shortest possible time period.

When Bob receives the message, what key can he use to verify the digital signature? A.Alice's public key B.Alice's private key C.Bob's public key D.Bob's private key

A.Alice's public key Explanation; Anyone who receives a digitally signed message may verify the digital signature by decrypting it with the signer's public key.

In the ITIL service life cycle shown here, what core activity is represented by the X? A.Continual service improvement B.Service design C.Service operation D.Service transition

A.Continual service improvement Explanation; The continual service improvement (CSI) activity in ITIL is designed to increase the quality and effectiveness of IT services. It is the umbrella activity that surrounds all other ITIL activities.

Wanda's organization uses the Acunetix tool for software testing. Which one of the following issues is Acunetix most likely to detect? A.Cross-site scripting B.Lexical scoping errors C.Buffer overflows D.Insecure data storage

A.Cross-site scripting Explanation; Acunetix is a web application vulnerability scanner. Of the flaws listed, only cross-site scripting is a web application vulnerability that the scanner would likely detect.

Thomas found himself in the middle of a dispute between two different units in his business that are arguing over whether one unit may analyze data collected by the other. What type of policy would most likely contain guidance on this issue? A.Data ownership policy B.Data classification policy C.Data retention policy D.Account management policy

A.Data ownership policy Explanation; Data ownership policies clearly state the ownership of information created or used by the organization. Data classification policies describe the classification structure used by the organization and the process used to properly assign classifications to data. Data retention policies outline what information the organization will maintain and the length of time different categories of information will be retained prior to destruction. Account management policies describe the account life cycle from provisioning through active use and decommissioning.

Which one of the following technologies is not typically used to implement network segmentation? A.Host firewall B.Network firewall C.VLAN tagging D.Routers and switches

A.Host firewall Explanation; Host firewalls operate at the individual system level and, therefore, cannot be used to implement network segmentation. Routers and switches may be used for this purpose by either physically separating networks or implementing VLAN tagging. Network firewalls may also be used to segment networks into different zones.

In a federated identity management system, what entity is responsible for creating an authentication token? A.Identity provider B.Service provider C.Federation coordinator D.Endpoint device

A.Identity provider Explanation; A. After a user authenticates to an identity provider, the identity provider creates a security token and provides it to the end user, who may then use it to authenticate to a service provider.

Veronica would like to supplement her network vulnerability scanner with a solution that can specifically identify flaws in Windows servers. Which tool would best meet her needs? A.MBSA B.Acunetix C.Nexpose D.Nikto

A.MBSA Explanation: The Microsoft Baseline Security Analyzer (MBSA) is a Microsoft-provided tool used specifically to scan the security settings on Windows devices.

Max is the security administrator for an organization that implements a remote-access VPN. The VPN depends upon RADIUS authentication, and Max would like to assess the security of that service. Which of the following is the strongest cryptographic hash function supported by RADIUS? A.MD5 B.SHA-1 C.SHA-512 D.HMAC

A.MD5 Explanation: Unfortunately, the RADIUS protocol supports only the weak MD5 hash function. This is one of the major criticisms of RADIUS.

Which one of the following is not an example of a physical security control? A.Network firewall B.Door lock C.Fire suppression system D.Biometric door controller

A.Network firewall Explanation; Physical security controls are those controls that impact the physical world. Door locks, biometric door controllers, and fire suppression systems all meet this criteria. Network firewalls prevent network-based attacks and are an example of a logical/technical control.

Which one of the following tools is the most widely used implementation of Transport Layer Security in use today? A.OpenSSL B.SecureSSL C.SecureTLS D.OpenTLS

A.OpenSSL Explanation: The OpenSSL tool, despite its name, provides both SSL and TLS implementations. It is the most widely used implementation of both SSL and TLS in use today. OpenTLS, SecureSSL, and SecureTLS are nonexistent tools.

Carol is the cybersecurity representative to a software development project. During the project kickoff meeting, the project manager used the figure shown here to illustrate their approach to development and invited Carol to contribute security requirements at each prototyping phase. Which software development methodology is this team using? A.RAD B.Waterfall C.Agile D.Spiral

A.RAD Explanation: The rapid application development (RAD) approach uses an iterative approach to software development that generates a series of evolving prototypes in each phase.

Haley is planning to deploy a security update to an application provided by a third-party vendor. She installed the patch in a test environment and would like to determine whether applying the patch creates other issues. What type of test can Haley run to best determine the impact of the change? A.Regression testing B.User acceptance testing C. Stress testing D.Vulnerability scanning

A.Regression testing Explanation: Regression testing focuses on evaluating whether a change made to an environment introduces other unintended consequences. Therefore, it would be the best way for Haley to evaluate the overall impact of applying the security patch to the application.

Mike is analyzing network traffic using Wireshark and comes across the packet shown here. Which one of the following phrases best describes the purpose of this packet? A.Requesting name resolution B.Responding to a name resolution request C.Requesting mail server access D.Responding to a mail server access request

A.Requesting name resolution Explanation; This packet uses the DNS protocol, as shown in the protocol column of the packet. This indicates that it is part of a name resolution request. The payload of the packet shows a query but not a response, so this packet is a request for name resolution.

Crystal is a security analyst for a company that hosts several web applications. She would like to identify a tool that runs within her browser and allows her to interactively modify session values during a live session. Which one of the following tools best meets Crystal's requirements? A.Tamper Data B.Acunetix C.Zap D.Burp

A.Tamper Data Explanation; All of the tools listed would allow Crystal to modify session values. However, of these tools, only Tamper Data is a browser plug-in. It works within the Firefox browser and allows the user to modify session data before it is submitted to a web server.

Based upon Maggie's review of the logs, which one of the following statements is correct? A.The server allows encrypted connections. B.The server does not allow unencrypted connections. C. The server does not allow access by web crawlers. D.The server contains network access restrictions.

A.The server allows encrypted connections. Explanation: All of the connections recorded in these log entries make use of TLS-encrypted connections. This does not, however, allow Maggie to reach the conclusion that the server prohibits unencrypted connections because Maggie is reviewing the ssl_requests_log file, which would not contain information about unencrypted connections. The server does appear to allow web crawlers, as shortly after the system from 157.55.39.18 requests the robots.txt file, another system from the same subnet requests the front page of the site. There is not enough information in this log file to draw conclusions about network access restrictions.

How can Maddox interpret the asterisk results that appear beginning with line 11 of the traceroute results? A.They are normal results of performing a traceroute. B.The network is down. C.Someone is intercepting his network traffic. D.The web server is down.

A.They are normal results of performing a traceroute Explanation; Asterisks appear in traceroute results when the remote intermediate system does not respond to the traceroute requests. This is common in traceroute results, and Maddox should not read any significance into it.

Kaela's organization recently suffered a ransomware attack that was initiated through a phishing message. She does have a content filtering system in place designed to prevent users from accessing malicious websites. Which one of the following additional controls would be most effective at preventing these attacks from succeeding? A.Training B.Intrusion detection system with threat intelligence C.Application blacklisting D.Social engineering

A.Training Explanation: User training is the most effective control against phishing attacks, as it encourages users to recognize and avoid phishing messages. An intrusion detection system may notice an attack taking place but cannot take action to prevent it. Application blacklisting would only work against ransomware if it were already known and included on the blacklist, which is not likely. Social engineering is an attack type, rather than a control.

Ty is troubleshooting a security issue with a website maintained by his organization. Users are seeing the error message shown here. What can Ty do to remediate this issue? A.Use a different CA B.Renew the certificate C.Upgrade the cipher strength D.Patch the operating system

A.Use a different CA Explanation; The error indicates that the certificate authority that signed the certificate is not trusted. This is often the result when an organization self-signs a digital certificate. Ty can resolve this error by purchasing a certificate from a trusted third-party CA.

Terrence remotely connected to a Linux system and is attempting to determine the active network connections on that system. What command can he use to most easily discover this information? A.ifconfig B.tcpdump C.iptables D.ipconfig

A.ifconfig Explanation; The ifconfig command displays information about network interfaces on a Linux system. The ipconfig command displays similar information on Windows systems. tcpdump is a packet capture tool and iptables is a Linux firewall.

What is the first IP address on the public Internet that this traffic is passing through? A. 192.168.1.1 B.172.30.35.33 C.52.95.63.195 D.68.66.73.118

D.68.66.73.118 Explanation; The first three IP addresses in the traceroute results are all private IP addresses, indicating that the systems are on Maddox's local network. The first public address that appears in the list is 68.66.73.118.

In the Sherwood Applied Business Security Architecture (SABSA), which view corresponds to the logical security architecture? A.Builder's view B.Tradesman's view C.Designer's view D.Architect's view

C.Designer's view Explanation: In the SABSA model, the Designer's view corresponds to the logical security architecture layer. The Builder's view corresponds to the physical security architecture. The Architect's view corresponds to the conceptual security architecture layer. The Tradesman's view corresponds to the component security architecture layer.

The Open Web Application Security Project (OWASP) maintains an application called Orizon. This application reviews Java classes and identifies potential security flaws. What type of tool is Orizon? A.Fuzzer B. Static code analyzer C.Web application assessor D.Fault injector

B. Static code analyzer Explanation: As stated in the question, Orizon performs a review of Java classes, indicating that it is performing a source code review. Techniques that perform source code review are grouped into the category of static code analyzers. The other testing techniques listed in this question are all examples of dynamic code analysis, where the testing application actually executes the code.

Ken would like to configure an alarm to alert him whenever an event is recorded to syslog that has a critical severity level. What value should he use for the severity in his alert that corresponds to critical messages? A.0 B.2 C.5 D.7

B.2 Explanation: Syslog severity ranges from 0 (emergency) down to 7 (debug), with lower numbers representing higher severities. The value of 2 corresponds to a critical severity error.

Questions 130-133 refer to the following scenario: Maddox ran a traceroute command to determine the network path between his system and the Amazon.com web server. He received the partial results shown here: What is the IP address of the server hosting the Amazon.com website? A.192.168.1.1 B.52.84.61.25 C.52.95.63.195 D.68.66.73.118

B.52.84.61.25 Explanation: The destination of the traceroute appears in the first line of the results: traceroute to d3ag4hukkh62yn.cloudfront.net (52.84.61.25), 64 hops max, 52 byte packets.

Rose is considering deploying the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to secure systems in her organization. She would specifically like to use the tool to prevent buffer overflow attacks that rely upon knowledge of specific memory locations used by applications. Which EMET feature would best meet Rose's needs? A.DLP B.ASLR C.EMEA D.DEP

B.ASLR Explanation; Address space layout randomization (ASLR) rearranges memory locations in a randomized fashion to prevent attacks that rely upon knowledge of specific memory location use. Data execution prevention (DEP) prevents the execution of malware loaded into the data space of memory. DLP and EMEA are not EMET features.

If Cody determines that an individual installed this software for personal gain, which one of the following security policies was most likely violated? A.Information classification policy B.Acceptable use policy C.Bitcoin mining policy D. Identity management policy

B.Acceptable use policy Explanation: The unauthorized use of computing resources is normally a violation of an organization's acceptable use policy. It is quite unlikely that the organization has a specific policy that addresses the mining of Bitcoin or other cryptocurrencies. Information classification and identity management policies generally do not address misuse of resources.

Before sending the message, Alice would like to apply a digital signature to it. What key should she use to create the digital signature? A.Alice's public key B.Alice's private key C.Bob's public key D.Bob's private key

B.Alice's private key Explanation; The party creating a digital signature uses his or her own private key to encrypt the message digest. In this case, Alice should create the signature using her own private key.

Maureen would like to add technology that makes risk-based decisions about authentication complexity, requiring multifactor authentication in cases where the user's login seems unusual. What technology is Maureen seeking to add? A.Multifactor authentication B.Context-based authentication C.Dual authentication D.Biometric authentication

B.Context-based authentication Explanation: B. Context-based authentication allows authentication decisions to be made based on information about the user, the system the user is connecting from, or other information that is relevant to the system or organization performing the authentication. Maureen already added multifactor authentication to the network. Dual authentication is used to implement the dual control concept, which is not a stated objective here. There is no indication that Maureen intends to implement biometric authentication.

Miguel works for a company that has a network security standard requiring the collection and storage of NetFlow logs from all data center networks. Miguel is working to commission a new data center network but, because of technical constraints, will be unable to collect NetFlow logs for the first six months of operation. Which one of the following data sources is best suited to serve as a compensating control for the lack of NetFlow information? A.Router logs B.Firewall logs C.Switch logs D.IPS logs

B.Firewall logs Explanation: Firewall logs typically contain similar information to that contained in NetFlow records. However, the firewall does not always have the same access to network traffic as the switches and routers that generate NetFlow information. While not a complete substitute, firewall logs do offer a good compensating control for the lack of NetFlow records. Routers and switches do not typically record traffic records in their standard logs. This is the function of NetFlow, which is unavailable on this network. Intrusion prevention systems (IPS) do not record routine traffic information.

Sam recently conducted a test of a web application using the tool shown here. What type of testing did Sam perform? A.Static analysis B.Fuzzing C.Vulnerability scanning D.Peer review

B.Fuzzing Explanation: The tool shown is ZAP, a popular application proxy tool. ZAP is an interception proxy that allows many types of application testing, such as the fuzz testing (or fuzzing) shown in the image. ZAP does not perform static analysis or vulnerability scanning, and there is no indication that Sam's test was performed as a component of peer review.

Jane is working in a PCI DSS-compliant environment and is attempting to secure a legacy payment application. The application does not allow for passwords longer than six characters, in violation of PCI DSS. Which one of the following would be a reasonable compensating control in this scenario? A.Lock users out after six incorrect login attempts. B.Limit logins to the physical console. C.Require multifactor authentication. D.Require the use of both alphabetic and numeric characters in passwords.

B.Limit logins to the physical console. Explanation: Compensating controls must be above and beyond other requirements. Jane is already required to lock users out after six incorrect login attempts, deploy multifactor authentication, and require the use of alphanumeric passwords by other provisions of PCI DSS. Limiting logins to the local console would restrict network access to the system and seems to be a reasonable compensating control.

Carla is designing a new data mining system that will analyze access control logs for signs of unusual login attempts. Any suspicious logins will be automatically locked out of the system. What type of control is Carla designing? A.Physical control B.Logical control C.Administrative control D.Compensating control

B.Logical control Explanation: Logical controls are technical controls that enforce confidentiality, integrity, and availability in the digital space. This control meets that definition. Physical controls are security controls that impact the physical world. Administrative controls are procedural mechanisms that an organization follows to implement sound security management practices. There is no indication given that this control is designed to compensate for a control gap.q

What authentication technique did the user use to connect to the server? A.Password B.PKI C.Token D.Biometric

B.PKI Explanation: The first log entry indicates that the user made use of public key encryption to authenticate the connection. The user, therefore, possessed the private key that corresponded to a public key stored on the server and associated with the user.

Don is considering the deployment of a self-service password reset mechanism to reduce the burden on his organization's help desk. The solution will provide password resets for the organization's SSO system. He is concerned that attackers might use this mechanism to compromise user accounts. Which one of the following authentication approaches would best meet the business need while addressing Don's security concerns? A.Two-factor authentication combining a password and token B.Passcode sent via SMS to a cell phone C.Email link to a password reset web page D.Security questions

B.Passcode sent via SMS to a cell phone Explanation: Of the solutions presented, a passcode sent via SMS to a cell phone is the best option. The designer of the system should take care to ensure that the code is sent directly to a number controlled by a mobile carrier and not to a VoIP-enabled line to prevent man-in-the-middle attacks. Security questions are not considered strong authentication as they may often be answered by someone other than the individual. Emailing a link to a password reset web page would not work because if the user does not have access to his or her central authentication account, he or she would not likely be able to receive the email. Similarly, the two-factor authentication option presented would not work because the user has presumably forgotten his or her password.

Gina's organization recently retired their last site-to-site VPN connection because of lack of use. Gina consulted the policy repository and found that there is a standards document describing the requirements for site-to-site VPNs. How should Gina address this standard? A.Leave it in place in case the organization decides to implement a site-to-site VPN in the future. B.Retire the standard and archive it. C.Update the standard with a note that there are no current deployments. D. Place the standard on an annual review cycle.

B.Retire the standard and archive it. Explanation: If the standard is not being used, Gina should retire it so that it is not cluttering the policy repository and running the risk of becoming outdated. By archiving the standard, she can revisit it if needed in the future without investing the work of updating or reviewing the standard in the meantime.

Colin is looking for a solution that will help him aggregate the many different sources of security information created in his environment and correlate those records for relevant security issues. Which one of the following tools would assist Colin with this task? A.DLP B.SIEM C.IPS D. CRM

B.SIEM Explanation; Security information and event management (SIEM) systems aggregate security logs, configuration data, vulnerability records, and other security information and then allow analysts to correlate those entries for important results. Data loss prevention (DLP) tools and intrusion prevention systems (IPS) are sources of security information but do not perform aggregation and correlation. Customer relationship management (CRM) systems are a business application used to assist in the sales process.

Greg recently logged into a web application used by his organization. After entering his password, he was required to input a code from the app shown here. What type of authentication factor is this app providing? A.Something you know B.SOmething you have C.Something you are D.Somewhere you are

B.SOmething you have Explanation; The use of a smartphone authenticator app demonstrates possession of the device and is an example of "something you have." When combined with a password ("something you know"), this approach provides multifactor authentication

Belinda is configuring an OpenLDAP server that will store passwords for her organization. Which one of the following password storage schemes will provide the highest level of security? A.CRYPT B.SSHA C.MD5 D.SASL

B.SSHA Explanation: When using OpenLDAP, the SSHA password storage scheme uses a salted SHA hash for password storage. This is stronger than the CRYPT, MD5, SHA, and SASL schemes that OpenLDAP supports.

Questions 191-194 refer to the following scenario: Maggie is reviewing the ssl_request_log file on a web server operated by her company and sees the messages shown here: What type of user is most likely originating from the IP address 157.55.39.18? A.Malicious hacker B.Search engine crawler\ C. Normal web user D. API user

B.Search engine crawler\ Explanation: The user at this IP address is requesting the robots.txt file. This file is generally only requested by automated crawlers, such as those operated by search engines, seeking to determine whether they are permitted to browse the site.

During the design of an identity and access management authorization scheme, Katie took steps to ensure that members of the security team who can approve database access requests do not have access to the database themselves. What security principle is Katie most directly enforcing? A.Least privilege B.Separation of duties C.Dual control D.Security through obscurity

B.Separation of duties Explanation: It is sometimes difficult to distinguish between cases of least privilege, separation of duties, and dual control. Least privilege means that an employee should only have the access rights necessary to perform their job. While this may be true in this scenario, you do not have enough information to make that determination because you do not know whether access to the database would help the security team perform their duties. Separation of duties occurs when the same employee does not have permission to perform two different actions that, when combined, could undermine security. That is the case here because a team member who had the ability to both approve access and access the database may be able to grant themselves access to the database. Dual control occurs when two employees must jointly authorize the same action. Security through obscurity occurs when the security of a control depends upon the secrecy of its mechanism.

The following diagram shows the high-level design of a federated identity management system. The name of the entity that participates in steps 1 and 4 has been blacked out. What is the proper name for this entity? A.Federation manager B.Service provider C.Ticket granting server D.Domain controller

B.Service provider Explanation: The entity that operates the service requested by the end user is known as the service provider (SP).

Javier ran the shasum command two consecutive times on a file named coal.r and saw the results shown here. What conclusion can Javier draw from this result? A.The file is intact. B.The file was modified. C.The file was removed. D.Javier cannot reach any of these conclusions based upon the limited evidence available to

B.The file was modified. Explanation: The result shows a different hash value for the same file on two different runs. This means that the file was definitely modified between the two runs of shasum. If the file were intact, the two values would be identical. If the file were removed, Javier would receive an error on the second run

Val receives reports that users cannot access the CompTIA website from her network. She runs the ping command against the site and sees the results shown here. What conclusion can Val reach? A.The network is working properly, but the website is down. B.The network path between her system and the website is functioning properly. C.There is excessive network latency that may be causing the issue. D.There is excessive packet loss that may be causing the issue.

B.The network path between her system and the website is functioning properly. Explanation: From this information, the only valid conclusion that Val can reach is that there is a properly functioning network path between her system and the remote web server. She can't draw any conclusions about the functioning of the web server from this information. The latency is around 17 milliseconds, which is not excessive, and the ping results do not show any packet loss.

In a kaizen approach to continuous improvement, who bears responsibility for the improvement effort? A.The manager most directly responsible for the process being improved B.The team responsible for the process C.The continuous improvement facilitator D.The most senior executive in the organization

B.The team responsible for the process Explanation: The kaizen continuous improvement approach is often used in manufacturing and in lean programming. It places the responsibility for improvement in the hands of all employees rather than assigning it to an individual.

Ian is reviewing the security architecture shown here. This architecture is designed to connect his local data center with an IaaS service provider that his company is using to provide overflow services. What component can be used at the points marked by ?s to provide a secure encrypted network connection? A.Firewall B.VPN C.IPS D.DLP

B.VPN Explanation; The diagram already shows a firewall in place on both sides of the network connection. Ian should place a VPN at the point marked by ?s to ensure that communications over the Internet are encrypted. IPS and DLP systems do provide added security controls, but they do not provide encrypted network connections.

Sam recently installed a new security appliance on his network as part of a managed service deployment. The vendor controls the appliance, and Sam is not able to log into it or configure it. Sam is concerned about whether the appliance receives necessary security updates for the underlying operating system. Which one of the following would serve as the best control that Sam can implement to alleviate his concern? A. Configuration management B.Vulnerability scanning C.Intrusion prevention D.Automatic updates

B.Vulnerability scanning Explanation; While configuration management or automated patching would address this issue, these are not feasible approaches because Sam does not have the ability to log into the device. Intrusion prevention would add a layer of security, but it does not directly address the issue of operating system patching. Vulnerability scanning would allow Sam to detect missing patches and follow up with the vendor.

Joan is working as a security consultant to a company that runs a critical web application. She discovered that the application has a serious SQL injection vulnerability, but the company cannot take the system offline during the two weeks required to revise the code. Which one of the following technologies would serve as the best compensating control? A.IPS B.WAF C.Vulnerability scanning D.Encryption

B.WAF Explanation: Vulnerability scanning would not serve as a compensating control because it would only detect, rather than correct, security flaws. There is no indication that encryption is not in place on this server or that it would address a SQL injection vulnerability. Both an intrusion prevention system (IPS) and a web application firewall (WAF) have the ability to serve as a compensating control and block malicious requests. Of the two, a web application firewall would be the best solution in this case because it is purpose-built for protecting against the exploitation of web application vulnerabilities.

Questions 187-190 refer to the following scenario: Bill is reviewing the authentication logs for a Linux system that he operates and encounters the following log entries: What is the IP address of the system where the user was logged in when he or she initiated the connection? A.172.30.0.62 B.62.0.30.172 C.10.174.238.88 D.9.48.6.0

C.10.174.238.88 Explanation: The first entry in the log indicates that the user authenticated from the system 10.174.238.88.

Which one of the following test types typically involves an evaluation of the application by end users? A.Stress testing B.Fuzz testing C.Acceptance testing D.Regression testing

C.Acceptance testing Explanation: User acceptance testing (UAT) is typically the last type of testing performed, and it is generally the only software testing that involves end users.

Which software development methodology is shown here? A.Waterfall B.Spiral C.Agile D.RAD

C.Agile Explanation: The agile method divides work into short working sessions, called sprints, that can last from a few days to a few weeks.

Bobbi is deploying a single system that will be used to manage a sensitive industrial control process. This system will operate in a stand-alone fashion and not have any connection to other networks. What strategy is Bobbi deploying to protect this SCADA system? A.Network segmentation B.VLAN isolation C.Air gapping D.Logical isolation

C.Air gapping Explanation: Bobbi is adopting a physical, not logical, isolation strategy. In this approach, known as air gapping, the organization uses a stand-alone system for the sensitive function that is not connected to any other system or network, greatly reducing the risk of compromise. VLAN isolation and network segmentation involve a degree of interconnection that is not present in this scenario.

Lynda is a security professional consulting with her organization's software development team on the inclusion of security best practices in their SDLC. She consults the Center for Internet Security's system design recommendations. Which one of the following control categories is most likely to contain information helpful to her consulting effort? A.Inventory of authorized and unauthorized devices B.Controlled use of administrative privileges C.Application software security D.Malware defenses

C.Application software security Explanation: While all of these control documents may contain information helpful to Lynda, the application software security control is the one most likely to contain information relevant to incorporating security into the SDLC.

Questions 110-114 refer to the following scenario: Alice and Bob are both employees at the same company. They currently participate in an asymmetric cryptosystem and would like to use that system to communicate with each other securely. Alice would like to send an encrypted message to Bob. What key should she use to encrypt the message? A.Alice's public key B.Alice's private key C.Bob's public key D.Bob's private key

C.Bob's public key Explanation: The sender of a message should encrypt that message using the public key of the message recipient. In this case, Alice should encrypt the message using Bob's public key.

Which of the following parties directly communicates with the end user during a SAML transaction? A.Relying party B.SAML identity provider C.Both the relying party and the SAML identity provider D.Neither the relying party nor the SAML identity provider

C.Both the relying party and the SAML identity provider Explanation: In a SAML transaction, the user initiates a request to the relying party, who then redirects the user to the SSO provider. The user then authenticates to the SAML identity provider and receives a SAML response, which is sent to the relying party as proof of identity.

Dave is a web application developer who is working in partnership with system engineers in a DevOps environment. He is concerned about the security of a web application he is deploying and would like a reference benchmark to help secure the web server that will be hosting his application. Which one of the following sources would best meet Dave's needs? A.OWASP B.SANS C.CIS D.NSA

C.CIS Explanation: The Center for Internet Security (CIS) publishes a widely respected set of configuration standards and benchmarks for operating systems and popular applications. The CIS benchmarks would be an excellent starting point for securing Dave's web server.

Warren is working with a law enforcement agency on a digital forensic investigation and needs to perform a forensic analysis of a phone obtained from a suspect. Which one of the following tools is specifically designed for mobile forensics? A. FTK B.EnCase C.Cellebrite D.Helix

C.Cellebrite Explanation: While all of these tools may have the ability to perform forensic analysis on mobile devices, Cellebrite is a purpose-built tool designed specifically for mobile forensics.

Which one of the following requirements is often imposed by organizations as a way to achieve their original control objective when they approve an exception to a security policy? A.Documentation of scope B.Limited duration C.Compensating control D.Business justification

C.Compensating control Explanation: Organizations may require all of these items as part of an approved exception request. However, the documentation of scope, duration of the exception, and business justification are designed to clearly describe and substantiate the exception request. The compensating control, on the other hand, is designed to ensure that the organization meets the intent and rigor of the original requirement.

Which one of the following controls is useful to both facilitate the continuity of operations and serve as a deterrent to fraud? A.Succession planning B.Dual control C.Cross-training D.Separation of duties

C.Cross-training Explanation: Succession planning and cross-training both serve to facilitate continuity of operations by creating a pool of candidates for job vacancies. Of these, only cross-training encompasses actively involving other people in operational processes, which may also help detect fraud. Dual control and separation of duties are both controls that deter fraud, but they do not facilitate the continuity of operations.

Charles is assessing the security of his organization's RADIUS server. Which one of the following security controls could Charles use to best mitigate the security vulnerabilities inherent in the RADIUS authentication protocol? A.Hashing of stored passwords B.Encryption of stored passwords C.Encryption of network traffic D.Replacement of TCP with UDP

C.Encryption of network traffic Explanation: The greatest weakness inherent in RADIUS is that it uses the insecure MD5 hash function for the transmission of passwords over the network. Hashing or encryption of stored passwords does not address this risk, but tunneling RADIUS communications over an encrypted network connection does mitigate the issue.

Which one of the following approaches is an example of a formal code review process? A.Pair programming B.Over-the-shoulder C.Fagan inspection D.Pass-around code review

C.Fagan inspection Explanation: The Fagan inspection is a highly formalized, rigorous code review process that involves six phases. Pair programming, over-the-shoulder reviews, and pass-around code reviews are all examples of lightweight, fairly informal code review processes.

Ted is preparing an RFP for a vendor to supply network firewalls to his organization. Which one of the following vendors is least likely to meet his requirements? A.CheckPoint B.Palo Alto C.FireEye D.Juniper

C.FireEye Explanation; CheckPoint, Palo Alto, and Juniper are all suppliers of network firewalls. FireEye provides endpoint protection and other advanced threat mitigation tools but does not provide network firewalls.

Glenn would like to adopt a web application firewall for his company. Which one of the following products would NOT be suitable for his first round of evaluation? A.Imperva B.NAXSI C.Network General D.ModSecurity

C.Network General Explanation: Imperva, NAXSI, and ModSecurity are all web application firewall options that Glenn should consider. Network General is a former manufacturer of network analysis equipment that was acquired by NetScout in 2007. Bafflingly, Network General is still included on the CompTIA CySA+ objectives as required knowledge.

What type of user is most likely originating from the IP address 188.71.247.207? A.Malicious hacker B.Search engine crawler C.Normal web user D.API user

C.Normal web user Explanation: The requests from this IP address appear to be normal requests for a web page and two associated image files. There is no indication that this comes from any source other than a normal user.

Susan wants to provide authentication for APIs using an open standard. Which of the following protocols is best suited to her purposes if she intends to connect to existing cloud service provider partners? A. RADIUS B.SAML C.OAuth D.TACACS+

C.OAuth Explanation: OAuth is commonly used to provide authentication for APIs and allows interoperation with many service providers who support it. RADIUS and TACACS+ are more commonly used to provide AAA services for network devices, while SAML is an XML-based standard that is often used to provide single sign-on to websites.

The Open Web Application Security Project (OWASP) maintains a listing of the most important web application security controls. Which one of these items is least likely to appear on that list? A. Implement identity and authentication controls. B.Implement appropriate access controls. C.Obscure web interface locations. D.Leverage security frameworks and libraries.

C.Obscure web interface locations. Explanation: Security through obscurity is not a good practice. You should not rely upon the secrecy of the control (e.g., the location of the web interface) as a security measure. Therefore, obscuring web interface locations is not included on the OWASP security controls list.

Renee is investigating a cybersecurity breach that took place on one of her organization's Linux servers. As she analyzed the server log files, she determined that the attacker gained access to an account belonging to an administrative assistant. After interviewing the assistant, Renee determined that the account was compromised through a social engineering attack. The log files also show that the user entered a few unusual-looking commands and then began issuing administrative commands to the server. What type of attack most likely took place? A.Man-in-the-middle B.Buffer overflow C.Privilege escalation D.LDAP injection

C.Privilege escalation Explanation: The fact that the user connected with an account belonging to an administrative assistant and was then able to execute administrative commands indicates that a privilege escalation attack took place. While buffer overflows are a common method of engaging in privilege escalation attacks, there is no evidence in the scenario that this technique was used.

Ursula is a security administrator for an organization that provides web services that participate in federated identity management using the OAuth framework. Her organization's role is to operate the web service that users access once they have received authorization from their identity provider. Which type of OAuth component does Ursula's group manage? A.Clients B.Resource owners C.Resource servers D.Authorization servers

C.Resource servers Explanation; In the OAuth framework, the servers that provide services to end users are known as resource servers. The web service run by Ursula's organization would use resource servers to provide the service to end users.

Xavier is reviewing the design for his organization's security program and he is concerned about the ability of the organization to conduct malware analysis that would detect zero-day attacks. Which one of the following cloud-based service models would allow Xavier to most easily meet this requirement? A. IaaS B.PaaS C.SECaaS D.IDaaS

C.SECaaS Explanation: Xavier could address this issue by hiring an external security-as-a-service (SECaaS) provider that specializes in malware analysis. Infrastructure (IaaS), platform (PaaS) and identity management (IDaaS) services would not provide malware analysis capabilities.

Kieran is evaluating forensic tools and would like to consider the use of an open source forensic suite. Which one of the following toolkits would best meet his needs? A. FTK B.EnCase C.SIFT D.Helix

C.SIFT Explanation; FTK, EnCase, and Helix are all commercial forensic toolkits. The SANS Investigative Forensics Toolkit (SIFT) is an Ubuntu-based set of open source forensics tools.

Which of the following authentication factors did NIST recommend be deprecated in 2016? A.Retina scans B.Fingerprints C.SMS D.Application-generated tokens

C.SMS Explanation: NIST's Special Publication 800-63-3, "Digital Authentication Guideline," suggested that SMS authentication factors be deprecated in 2016 because of the number of ways in which attackers could gain access to SMS messages, including VoIP redirects, specific attacks on unencrypted SMS messages, and other means.

Which one of the following technologies is not suitable for Maureen to use as a second factor because of security issues with its implementation? A. HOTP tokens B.TOTP tokens C.SMS messages D.Soft tokens

C.SMS messages Explanation: SMS is no longer considered secure and NIST's Special Publication 800-63-3, "Digital Authentication Guideline," recommends that SMS be deprecated. Not only have successful attacks against SMS-based one-time passwords increased, but there are a number of ways that it can be successfully targeted with relative ease. HOTP tokens, TOTP tokens, and soft tokens are all acceptable alternatives.

What service did the user use to connect to the server? A. HTTPS B.PTS C.SSH D.Telnet

C.SSH Explanation: The second log entry indicates that the sshd daemon handled the connection. This daemon supports the Secure Shell (SSH) protocol.

Berta is reviewing the security procedures surrounding the use of a cloud-based online payment service by her company. She set the access permissions for this service so that the same person cannot add funds to the account and transfer funds out of the account. What security principle is most closely related to Berta's action? A.Least privilege B.Security through obscurity C.Separation of duties D.Dual control

C.Separation of duties Explanation; This is an example of separation of duties. Someone who has the ability to transfer funds into the account and issue payments could initiate a very large fund transfer, so Berta has separated these responsibilities into different roles. Separation of duties goes beyond least privilege by intentionally changing jobs to minimize the access that an individual has, rather than granting them the full permissions necessary to perform their job. This is not an example of dual control because each action may still be performed by a single individual.

Tim is a web developer and would like to protect a new web application from man-in-the-middle attacks that steal session tokens stored in cookies. Which one of the following security controls would best prevent this type of attack? A.Forcing the use of TLS for the web application B.Forcing the use of SSL for the web application C.Setting the secure attribute on the cookie D.Hashing the cookie value

C.Setting the secure attribute on the cookie D.Hashing the cookie value Explanation: Tim should set the secure attribute on the cookie to ensure that it is always sent over an encrypted connection. Merely using SSL or TLS for the web application does not ensure that the cookie itself is always sent over an encrypted connection. Hashing the cookie value would not have any effect on the security of the application.

Questions 164-166 refer to the following scenario: Maureen is designing an authentication system upgrade for her organization. The organization currently uses only password-based authentication and has been suffering a series of phishing attacks. Maureen is tasked with upgrading the company's technology to better protect against this threat. Maureen would like to achieve multifactor authentication. Which one of the following authentication techniques would be most appropriate? A.PIN B.Security questions C.Smartcard D.Password complexity

C.Smartcard Explanation; Passwords, which are already used by the organization are a "something you know" factor. Adding a PIN or security question simply adds another "something you know" factor, failing to achieve Maureen's goal of multifactor authentication. Increasing the complexity of passwords makes them stronger but does not add an additional factor. Using smartcards adds a "something you have" factor, achieving multifactor authentication.

As she continues her product selection, Veronica realizes that the organization does not have adequate network monitoring and log analysis tools. She would like to select a suite of open source tools that would provide her with comprehensive monitoring. Which one of the following tools would be the least appropriate to include in that set? A. Cacti B.MRTG C.Solarwinds D.Nagios

C.Solarwinds Explanation: Cacti, Nagios, and MRTG are all open source network monitoring tools, while Solarwinds is a commercial alternative.

Simon would like to use a cybersecurity analysis tool that facilitates searching through massive quantities of log information in a visual manner. He has a colleague who uses the tool shown here. What tool would best meet Simon's needs? A.Syslog B.Kiwi C.Splunk D.Sysinternals

C.Splunk Explanation: The interface shown in the picture is Splunk, a SIEM that specializes in visual search and allows analysts to comb through massive quantities of information in an intuitive way. Kiwi and other Syslog tools allow the collection and analysis of this information but do not provide the visual interface used in Splunk. Sysinternals does not include a log analysis tool.

Greg is designing a defense-in-depth approach to securing his organization's information and would like to select cryptographic tools that are appropriate for different use cases and provide strong encryption. Which one of the following pairings is the best use of encryption tools? A.SSL for data in motion and AES for data at rest B.VPN for data in motion and SSL for data at rest C.TLS for data in motion and AES for data at rest D. SSL for data in motion and TLS for data at rest

C.TLS for data in motion and AES for data at rest Explanation: Secure Sockets Layer (SSL), Transport Layer Security (TLS), and virtual private networks (VPNs) are all used to protect data in motion. AES cryptography may be used to protect data at rest. SSL is no longer considered secure, so it is not a good choice for Greg. The only answer choice that matches each tool with the appropriate type of information and does not use SSL is using TLS for data in motion and AES for data at rest.

Tom is concerned about the integrity of a file, so he runs the shasum utility on it. The following figure shows the results of running it on two separate days. What conclusion can Tom draw from these results? A.The file experienced significant modification between Wednesday and Friday. B.The file experienced minor modification between Wednesday and Friday. C.The file verified on Friday is identical to the file from Wednesday. D.Tom does not have enough information to draw any of these conclusions.

C.The file verified on Friday is identical to the file from Wednesday. Explanation: C. The fact that the SHA hash value from Friday is identical to the value from Wednesday indicates that the file is identical.

Laura requests DNS information about the nytimes.com domain using the nslookup command and receives the results shown here. Which one of the following conclusions can Laura reach about the domain based upon these results? A.The nytimes.com DNS server is located at 66.205.160.99. B. The nytimes.com web server has a single address. C.The nytimes.com email domain is hosted by Google. D.The nytimes.com website uses Google Analytics.

C.The nytimes.com email domain is hosted by Google. Explanation: Laura can determine that the nytimes.com domain uses Google for email services, as there is a mail exchanger (MX) record pointing to a Google address and routing mail for the domain to Google. The server located at 66.205.160.99 is the server that answered this DNS query, which is not necessarily operated by the nytimes.com domain. The results appear to show that there are multiple web servers hosting the nytimes.com domain but there is no evidence that Google Analytics is used in these results.

Which one of the following testing techniques is typically the final testing done before code is released to production? A.Unit testing B.Integration testing C.User acceptance testing D.Security testing

C.User acceptance testing Explanation; User acceptance testing (UAT) verifies that code meets user requirements and is typically the last phase of application testing before code is released to production.

After purchasing a commercial network vulnerability scanner, Veronica does not have any funds remaining to purchase a web application scanner, so she would like to use an open source solution dedicated to that purpose. Which one of the following products would best meet her needs? A.Acunetix B.OpenVAS C.nikito D.Nexpose

C.nikito Explanation: Nikto is an open source web vulnerability scanner. Acunetix is also a web vulnerability scanner, but it is a commercial product. OpenVAS is an open source vulnerability scanner, but it is not dedicated to web application scanning. Nexpose is a commercial network vulnerability scanner.

Richard would like to deploy a web application firewall in front of a vulnerable web application. Which one of the following products is least likely to meet his needs? A.CloudFlare B.FortiWeb C.NAXSI D.FTK

D.FTK Explanation; FTK is a suite of forensic tools, not a web application firewall. CloudFlare, FortiWeb, and NAXSI are all web application firewall products.

Questions 197-200 refer to the following scenario: Veronica was recently hired to develop a vulnerability management program for her organization. The organization currently does not have any tools for vulnerability scanning, and Veronica would like to build out the initial toolset. Veronica would like to select a network vulnerability scanner that is provided by a commercial vendor and widely used within the cybersecurity community. Which one of the following tools would best meet her needs? A. OpenVAS B.MBSA C.Acunetix D.Qualys

D.Qualys Explanation: The Qualys vulnerability scanner is a widely used, commercial vulnerability scanning product. OpenVAS is also a network vulnerability scanner, but it is an open source project rather than a commercial product.

Paul is selecting an interception proxy to include in his organization's cybersecurity toolkit. Which one of the following tools would not meet this requirement? A.ZAP B.Vega C.Burp D.Snort

D.Snort Explanation; ZAP, Vega, and Burp are all interception proxies useful for the penetration testing of web applications. Snort is an intrusion detection system and does not have this capability.

Julie is refreshing her organization's cybersecurity program using the NIST Cybersecurity Framework. She would like to use a template that describes how a specific organization might approach cybersecurity matters. What element of the NIST Cybersecurity Framework would best meet Julie's needs? A.Framework Scenarios B. Framework Core C.Framework D. Implementation Tiers Framework Profiles

D. Implementation Tiers Framework Profiles Explanation; Framework Profiles describe how a specific organization might approach the security functions covered by the Framework Core. The Framework Core is a set of five security functions that apply across all industries and sectors: identify, protect, detect, respond, and recover. The Framework Implementation Tiers assess how an organization is positioned to meet cybersecurity objectives.

Which one of the following characters would not signal a potential security issue during the validation of user input to a web application? A. < B.' C.> D.$

D.$ Explanation: The $ character does not necessarily represent a security issue. The greater-than/less-than brackets (<>) are used to enclose HTML tags and require further inspection to determine whether they are part of a cross-site scripting attack. The single quotation mark (') could be used as part of a SQL injection attack.

Leo is investigating a security incident and turned to the logs from his identity and access management system to determine the last time that a specific user authenticated to any system in the organization. What identity and access management function is Leo using? A. Identification B.Authentication C.Authorization D.Accounting

D.Accounting Explanation: Identities are used as part of the authentication, authorization, and accounting (AAA) framework that is used to control access to computers, networks, and services. AAA systems authenticate users by requiring credentials such as a username, a password, and possibly a biometric or token-based authenticator. Once individuals have proven who they are, they are then authorized to access or use resources or systems. Authorization applies policies based on the user's identity information and rules or settings, allowing the owner of the identity to perform actions or to gain access to systems. The accounting element of the AAA process is the logging and monitoring that goes with the authentication and authorization. Accounting monitors usage and provides information about how and what users are doing.

When Bob receives the message from Alice, what key should he use to decrypt it? A.Alice's public key B.Alice's private key C.Bob's public key D.Bob's private key

D.Bob's private key Explanation: The recipient of a message should decrypt the message using his or her own private key. In this case, Bob should decrypt the message using his own private key.

Which one of the following tools is not typically used to gather evidence in a forensic investigation? A.FTK B.EnCase C.Helix D.Burp

D.Burp Explanation; FTK, EnCase, and Helix are all examples of forensic suites. Burp is an interception proxy used in penetration testing and web application testing.

Which one of the following elements is least likely to be found in a data retention policy? A.Minimum retention period for data B.Maximum retention period for data C.Description of information to retain D.Classification of information elements

D.Classification of information elements Explanation: Data retention policies describe what information the organization will maintain and the length of time different categories of information will be retained prior to destruction, including both minimum and maximum retention periods. Data classification would be covered by the data classification policy.

Based upon his analysis, what type of control might Cody consider implementing to more quickly identify similar issues in the future? A.Intrusion prevention B.Authentication anomaly detection C.Vulnerability scanning D.Configuration management

D.Configuration management Explanation: Configuration management tools are able to detect the installation of new software, helping analysts quickly identify cases of unauthorized software installation. Authentication anomaly detection and intrusion prevention controls are unlikely to detect this issue because the employee likely does have authorization to connect to the server and is simply misusing authorized access privileges. The installation of software that does not listen on a network port, such as cryptocurrency mining software, is unlikely to be detected with vulnerability scanning.

Helen is reviewing her organization's network design, shown here. Which component shown in the diagram is a single point of failure for the organization? A.Firewall B. Upstream router C.Core switch D.Distribution router

D.Distribution router Explanation: The diagram shows that there are two nonredundant components in this network: the distribution router and the edge switches. A failure of either of those devices would cause a network outage, as there is no redundant system ready to assume the workload.

Vincent is conducting fuzz testing using Peach Fuzzer, a common input fuzzing tool. Peach Fuzzer incorporates functionality formerly included in the Untidy fuzzer project. Which one of the following sources is Vincent LEAST likely to be able to fuzz with this product? A.Web application input B.XML C.TCP/IP D.Firewall rules

D.Firewall rules Explanation: Fuzz testing works by dynamically manipulating input to an application in an effort to induce a flaw. This technique is useful in detecting places where a web application does not perform proper input validation. It can also be used against XML input, TCP/IP communications and other protocols. Fuzz testing is not commonly used against firewall rules. Note that this question mentions the Untidy fuzzer. This product was an XML fuzzer that no longer exists because it was folded into the Peach fuzzing tool. However, CompTIA included it as an exam objective for the CySA+ exam. Therefore, you should associate the name with XML fuzz testing if you see it on the exam.

Nick is designing an authentication infrastructure and wants to run an authentication protocol over an insecure network without the use of additional encryption services. Which one of the following protocols is most appropriate for this situation? A. RADIUS B.TACACS C.TACACS+ D.Kerberos

D.Kerberos Explanation: The Kerberos protocol is designed for use over insecure networks and uses strong encryption to protect authentication traffic. RADIUS, TACACS, and TACACS+ all contain vulnerabilities that require the use of additional encryption to protect their traffic.

Wanda is responsible for account life-cycle management at her organization and would like to streamline the process, which she feels is ineffective and contains too many steps. Which one of the following approaches may assist with this task? A.Regression B.Waterfall C.Agile D.Lean Six Sigma

D.Lean Six Sigma Explanation: Lean Six Sigma is a process improvement approach that includes streamlining processes to make them more effective. Regression testing is a type of software/system testing used during the QA process. Waterfall and agile are software development methodologies.

Ashley is working with software developers to evaluate the security of an application they are upgrading. She is performing testing that slightly modifies the application code to help identify errors in code segments that might be infrequently used. What type of testing is Ashley performing? A.Stress testing B.Fuzz testing C.Fault injection D.Mutation testing

D.Mutation testing Explanation: Fuzz testing involves sending invalid or random data to an application to test its ability to handle unexpected data. Fault injection directly inserts faults into error handling paths, particularly error handling mechanisms that are rarely used or might otherwise be missed during normal testing. Mutation testing is related to fuzzing and fault injection but rather than changing the inputs to the program or introducing faults to it, mutation testing makes small modifications to the program itself. Stress testing is a performance test that ensures applications and the systems that support them can stand up to the full production load.

Which one of the following conclusions can Maggie reach about the web server based upon interpreting the logs? A.The web server is using an insecure version of TLS. B.The web server is using an insecure version of SSL. C.The web server is using outdated ciphers. D.None of the above

D.None of the above Explanation: From the information presented, Maggie cannot identify any insecure or outdated components. There is no evidence in the logs that the server is running SSL, and the TLS version referenced in the logs (version 1.2) is indeed current. The fact that the file is named ssl_request_log does not mean that the server necessarily supports SSL, as TLS records are stored in that file as well. The cipher suite specified in the logs (ECDHE-RSA-AES256-SHA384 and ECDHE-RSA-AES256-GCM-SHA384) contain no insecure or outdated components.

What type of organizations are required to adopt the ISO 27001 standard for cybersecurity? A.Healthcare organizations B.Financial services firms C.Educational institutions D.None of the above

D.None of the above Explanation; ISO 27001 is a voluntary standard, and there is no law or regulation requiring that healthcare organizations, financial services firms, or educational institutions adopt it.

If Alice applies a digital signature to the message, what cryptographic goal is she attempting to achieve? A.Confidentiality B.Accountability C.Availability D.Nonrepudiation

D.Nonrepudiation Explanation: Nonrepudiation is a cryptographic goal that prevents the signer of a message from later claiming that the signature is not authentic. Digital signatures provide nonrepudiation. They do not provide confidentiality. Accountability and availability are not cryptographic goals.

Carla is consulting with a website operator on an identity management solution. She would like to find an approach that leverages federated identity management and provides service authorization. Which one of the following technologies would be best suited for her needs? A.OpenID B.Active Directory C.Kerberos D.OAuth

D.OAuth Explanation: OAuth is a federated identity service that focuses on providing authorization services and is designed for use on the web. OpenID is also a federated solution for the web, but it provides only authentication and not authorization. Kerberos and Active Directory are more suitable for enterprise use.

Which one of the following security architectural views would provide details about the flow of information in a complex system? A.Technical view B.Logical view C.Firewall view D.Operational view

D.Operational view Explanation: The operational view describes how a function is performed or what it accomplishes. This view typically shows how information flows in a system. The technical view focuses on the technologies, settings, and configurations used in an architecture. The logical view describes how systems interconnect. The firewall view is not a standard architectural view.

Robin is planning to deploy a context-based authentication system for her organization. Which one of the following factors is not normally used as part of the authentication context? A.Geolocation B.User behavior C.Time of day D.Password complexity

D.Password complexity Explanation: Context-based authentication systems commonly take location, time of day, and user behavior into account. They do not normally consider the complexity of the user's password.

hich one of the following components is not normally part of an endpoint security suite? A. IPS B.Firewall C.Antimalware D.VPN

D.VPN Explanation: Endpoint security suites typically include host firewalls, host intrusion prevention systems (IPS), and antimalware software. Virtual private network (VPN) technology is normally a core component of the operating system or uses software provided by the VPN vendor.

Which software development methodology is illustrated here? A.Spiral B.RAD C.Agile D.Waterfall

D.Waterfall Explanation; The waterfall model follows a series of sequential steps, as shown here. The agile software development methodology is characterized by multiple sprints, each producing a concrete result. The spiral model uses multiple passes through four phases, resulting in a spiral-like diagram. Rapid application development uses a five-phase approach in an iterative format.

Francine would like to assess the security of her organization's wireless networks. Which one of the following network security tools would be best suited for this task? A.Wireshark B.tcpdump C.nmap D.aircrack-ng

D.aircrack-ng Explanation: D. aircrack-ng is a suite of wireless security tools that would be perfectly suited for Francine's WiFi security assessment.

Which forensic imaging tool is already installed on most Linux operating systems? A.FTK B.OSFClone C.EnCase D.dd

D.dd Explanation; All of the tools listed have forensic imaging capabilities, but dd is a disk duplicating tool that is built into most Linux systems.

Mike is troubleshooting an issue on his Mac and believes that he may have a defective network interface. He uses the ifconfig command to determine details about the interface and receives the results shown here. Which network interface appears to have an active connection to a network? A.lo0 B.gif0 C.en0 D.en1

D.en1 Explanation; The en1 interface is the only interface that has an active, valid IP address (10.0.1.77) that may be used for network communication. The lo0 interface also has an IP address (127.0.0.1), but this is the loopback address, used to communicate with the local host, not on a network.

Consider the LDAP directory hierarchy shown here. Two of the component names have been blacked out. What is the appropriate abbreviation for the node types that have been blacked out? A.ad B.cn C.dc D.ou

D.ou Explanation; The nodes in the diagram exist between domain component (dc) and common name (cn) nodes. This is the proper location for an organizational unit (ou) node. Active Directory (ad) is a type of LDAP server.

Brenda would like to select a tool that will assist with the automated testing of applications that she develops. She is specifically looking for a tool that will automatically generate large volumes of inputs to feed to the software. Which one of the following tools would best meet her needs? A.Peach B.Burp C.ZAP D.ModSecurity

A.Peach Explanation; The type of tool that Brenda seeks is known as a fuzzer. The Peach Fuzzer is a solution that meets these requirements. Burp and ZAP are interception proxies. ModSecurity is a web application firewall tool.

Lydia worked as a database administrator for her organization for several years before being hired by another internal group to serve as a software developer. During a recent user access review, the security team discovered that Lydia still had administrative rights on the database that were not needed for her current job. Which term best describes this situation? A.Privilege creep B.Security through obscurity C.Least privilege D.Separation of duties

A.Privilege creep Explanation: The situation where a user retains unnecessary permissions from a previous role is known as privilege creep. Privilege creep is a violation of the principle of least privilege (rather than an example of least privilege) and may also be a violation of separation of duties, depending upon the specific privileges involved. Security through obscurity occurs when the security of a control depends upon the secrecy of its details, which is not the case in this example.

Gavin is tracing the activity of an attacker who compromised a system on Gavin's network. The attacker appears to have used the credentials belonging to a janitor. After doing so, the attacker entered some strange commands with very long strings of text and then began using the sudo command to carry out other actions. What type of attack appears to have taken place? A.Privilege escalation B.Phishing C.Social engineering D.Session hijacking

A.Privilege escalation Explanation: The use of very long query strings points to a buffer overflow attack that was used to compromise a local application to perform privilege escalation. The use of the sudo command confirms the elevated privileges after the buffer overflow attack. Phishing, social engineering, and session hijacking are all possible ways that the attacker compromised the janitor's account originally, but there is no evidence pointing at any of these in particular.

Gwen would like to deploy an intrusion detection system on her network but does not have funding available to license a commercial product. Which one of the following is an open source IDS? A.Sourcefire B.Bro C.TippingPoint D.Proventia

B.Bro Explanation: Bro is an open source intrusion detection and prevention system. Sourcefire is a commercial company associated with the Snort IDS, but Sourcefire is not itself an open source product. TippingPoint and Proventia are IDS/IPS solutions from HP and IBM, respectively.

Rick is assessing the security of his organization's directory services environment. As part of that assessment, he is conducting a threat identification exercise. Which one of the following attacks specifically targets directory servers? A. Man-in-the-middle B.LDAP injection C.SASL skimming D.XSS

B.LDAP injection Explanation: LDAP injection attacks use improperly filtered user input via web applications to send arbitrary LDAP queries to directory servers. SASL is a password storage scheme for directory services, but there is no attack type known as SASL skimming. Man-in-the-middle attacks may be used against directory servers, but they are not specific to directory environments. Cross-site scripting (XSS) attacks are waged against web servers.

Ryan is concerned about the possibility of a distributed denial-of-service attack against his organization's customer-facing web portal. Which one of the following types of tests would best evaluate the portal's susceptibility to this type of attack? A.Regression testing B.Load testing C.Integration testing D.User acceptance testing

B.Load testing Explanation: Load testing, also known as stress testing, places an application under a high load using simulated users. This type of testing would most closely approximate the type of activity that might occur during a denial-of-service attack.

Eric is assessing the security of a Windows server and would like assistance with identifying the users who have access to a shared file directory. What Sysinternals tool can assist him with this task? A.AutoRuns B.SDelete C.Sysmon D.AccessEnum

D.AccessEnum Explanation; The AccessEnum tool enumerates system access. It provides a view of who has permissions to files, directories, and other objects. AutoRuns shows what programs start at login or system boot. SDelete is a secure file deletion utility. Sysmon allows administrators to monitor processes and their activity in a searchable manner.

Frank's organization recently underwent a security audit that resulted in a finding that the organization fails to promptly remove the accounts associated with users who have left the organization. This resulted in at least one security incident where a terminated user logged into a corporate system and took sensitive information. What identity and access management control would best protect against this risk? A.Automated deprovisioning B.Quarterly user account reviews C.Separation of duties D.Two-person control

A.Automated deprovisioning Explanation: Automated deprovisioning ties user account removal to human resources systems. Once a user is terminated in the human resources system, the identity and access management infrastructure automatically removes the account. Quarterly user access reviews may identify accounts that should have been disabled, but they would take a long time to do so, so they are not the best solution to the problem. Separation of duties and two-person control are designed to limit the authority of a user account and would not remove access.

Laura is working on improving the governance structures for enterprise architecture in her organization in an effort to increase the communication between the architects and the security team. In the TOGAF framework, which of the four domains is Laura operating? A.Business architecture B.Applications architecture C.Data architecture D.Technical architecture

A.Business architecture Explanation; Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems that an organization deploys, the interactions between those systems, and their relation to business processes. Data architecture provides the organization's approach to storing and managing information assets. Technical architecture describes the infrastructure needed to support the other architectural domains.

Bob is considering the deployment of OpenSSL in his environment and would like to select a secure cipher suite. Which one of the following ciphers should not be used with OpenSSL? A.DES B.AES C.RSA D.ECC

A.DES Explanation: The Data Encryption Standard (DES) is an outdated encryption algorithm that should not be used for secure applications. The Advanced Encryption Standard (AES), Rivest-Shamir-Adelman (RSA), and Elliptic Curve Cryptosystem (ECC) are all secure alternatives.

Which one of the following connection status messages reported by netstat indicates an active connection between two systems? A.ESTABLISHED B.LISTENING C.LAST_ACK D.CLOSE_WAIT

A.ESTABLISHED Explanation: The ESTABLISHED status message indicates that a connection is active between two systems. LISTENING indicates that a system is waiting for a connection. LAST_ACK and CLOSE_WAIT are two status messages that appear in different stages of closing a connection.

Kaitlyn's organization recently set a new password policy that requires that all passwords have a minimum length of 10 characters and meet certain complexity requirements. She would like to enforce this requirement for the Windows systems in her domain. What type of control would most easily allow this? A.Group Policy object B.Organizational unit C.Active Directory forest D.Domain controller

A.Group Policy object Explanation; Group Policy objects (GPOs) are used to enforce security and configuration requirements within Active Directory. Active Directory forests and organizational units (OUs) are designed to organize systems and users hierarchically and do not directly allow security configurations, although GPOs may be applied to them. Domain controllers (DCs) are the servers that are responsible for providing Active Directory services to the organization and would be the point for applying and enforcing the GPO.

Suzanne is the CISO at a major nonprofit hospital group. Which one of the following regulations most directly covers the way that her organization handles medical records? A.HIPAA B.FERPA C.GLBA D.SOX

A.HIPAA Explanation: The Health Insurance Portability and Accountability Act (HIPAA) covers the handling of protected health information (PHI) by healthcare providers, insurers, and health information clearinghouses. The Gramm-Leach-Bliley Act (GLBA) includes regulations covering the cybersecurity programs at financial institutions, including banks. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Sarbanes Oxley Act (SOX) applies to publicly traded companies.

Barney's organization mandates fuzz testing for all applications before deploying them into production. Which one of the following issues is this testing methodology most likely to detect? A.Incorrect firewall rules B.Unvalidated input C.Missing operating system patches D.Unencrypted data transmission

A.Incorrect firewall rules Explanation: Fuzz testing works by dynamically manipulating input to an application in an effort to induce a flaw. This technique is useful in detecting places where an application does not perform proper input validation.

Carl does not have sufficient staff to conduct 24/7 security monitoring of his network. He wants to augment his team with a managed security operations center service. Which one of the following providers would be best suited to provide this service? A.MSSP B.IaaS C.PaaS D.SaaS

A.MSSP Explanation: Managed security service providers (MSSPs) provide security as a service (SECaaS). The infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) offerings do not include the managed security offering that Carl seeks.

Jose is concerned that his organization is falling victim to a large number of social engineering attacks. Which one of the following controls is least likely to be effective against these attacks? A.Network firewall B.Multifactor authentication C.Security awareness D.Content filtering

A.Network firewall Explanation: Network firewalls are not likely to be effective against social engineering attacks because they are designed to allow legitimate traffic, and attackers waging social engineering attacks typically steal the credentials of legitimate users who would have authorized access through the firewall. Multifactor authentication is an effective defense because it requires an additional layer of authentication on top of passwords, which may be stolen in social engineering. Security awareness raises social engineering in users' consciousness and makes them less susceptible to attack. Content filtering may block phishing messages from entering the organization and may block users from accessing phishing websites.

Colin would like to find a reputable source of information about software vulnerabilities that was recently updated. Which one of the following sources would best meet his needs? A.OWASP B.SANS C.Microsoft D.Google

A.OWASP Explanation; The Open Web Application Security Project (OWASP) maintains a listing of common application vulnerabilities. The SANS Institute maintained a similar list but stopped updating it in 2011. Microsoft and Google do not publish a similar list.

Norm is troubleshooting connectivity between a security device on his network and a remote SIEM service that is not receiving logs from the device. He runs several diagnostic commands from the security device and captures the network traffic while he is running those diagnostics. The following image shows the result of capturing some of that traffic with Wireshark. What does the currently inspected packet indicate? A.The remote server is reachable over the network. B. The remote server is not connected to the Internet. C.Norm's device is not connected to the Internet. D.Norm does not have enough information to draw one of the conclusions listed here.

A.The remote server is reachable over the network. Explanation: This is an ICMP Echo Reply packet, which is a response to a ping request. If Norm sees a response to a ping, that means the basic connectivity between the two systems is functioning properly.

Greg is investigating reports of difficulty connecting to the CompTIA website and runs a traceroute command. He receives the results shown here. What conclusion can Greg reach from these results? A.The web server appears to be up and running on the network. B.The *s in the results indicates a network failure on Greg's network. C.The *s in the results indicates a network failure on the CompTIA network. D.The *s in the results indicates a network failure between Greg's network and the CompTIA network.

A.The web server appears to be up and running on the network. Explanation: These results show an active network path between Greg's system and the CompTIA web server. The asterisks in the intermediate results do not indicate a network failure but are a common occurrence when intermediate nodes are not configured to respond to traceroute requests.

What encryption key does the certificate contain? A.The website's public key B.The website's private key C.Tom's public key D.Tom's private key

A.The website's public key Explanation; The purpose of a digital certificate is to provide the subject's public key to the world. In this case, the subject is the nd.edu website (as well as subdomains of nd.edu), and the certificate presents that site's public key.

Tammy is reviewing alerts from her organization's intrusion prevention system and finds that there are far too many alerts to review. She would like to narrow down the results to attacks that had a high probability of success. What information source might she use to correlate with her IPS records to achieve the best results? A.Vulnerability scans B.Firewall rules C.Port scans D.IDS logs

A.Vulnerability scans Explanation: Tammy can correlate the results of vulnerability scans with her IPS alerts to determine whether the systems targeted in attacks against her network are vulnerable to the attempted exploits. IDS logs would contain redundant, rather than correlated, information. Firewall rules and port scans may provide some useful information when correlated with IPS alerts, but the results of vulnerability scans would provide similar information enhanced with the actual vulnerabilities on particular systems.

Which one of the following statements about web proxy servers is incorrect? A.Web proxy servers decrease the speed of loading web pages. B.Web proxy servers reduce network traffic. C.Web proxy servers can filter malicious content. D.Web proxy servers can enforce content restrictions.

A.Web proxy servers decrease the speed of loading web pages. Explanation: Web proxy servers actually increase the speed of loading web pages by creating local caches of those pages, preventing repeated trips out to remote Internet servers. For this same reason, they reduce network traffic. Web proxies may also serve as content filters, blocking both malicious traffic and traffic that violates content policies.

Rob is an auditor reviewing the payment process used by a company to issue checks to vendors. He notices that Helen, a staff accountant, is the person responsible for creating new vendors. Norm, another accountant, is responsible for issuing payments to vendors. Helen and Norm are cross-trained to provide backup for each other. What security issue, if any, exists in this situation? A.Least privilege violation B. Separation of duties violation C. Dual control violation D.No issue

B. Separation of duties violation Explanation: This situation violates the principle of separation of duties. The company appears to have designed the controls to separate the creation of vendors from the issuance of payments, which is a good fraud-reduction practice. However, the fact that they are cross-trained to back each other up means that they have the permissions assigned to violate this principle.

Which one of the following Sysinternals tools may be used to determine the permissions that individual users have on a Windows registry key? A. Sysmon B.AccessEnum C.AutoRuns D.ProcDump

B.AccessEnum Explanation; The AccessEnum tool provides a view into which users and groups have permissions to read and modify files, directories, and registry entries. Sysmon and ProcDump are process monitoring tools that do not provide insight into the registry. AutoRuns provides a listing of the programs that start automatically when a system boots or a user logs into the system.

Questions 60-64 refer to the following scenario: Tom connects to a website using the Chrome web browser. The site uses TLS encryption and presents the digital certificate shown here. Who created the digital signature shown in the last line of this digital certificate? A.Starfield Services B.Amazon C.nd.edu D.RSA

B.Amazon Explanation: The certificate issuer is responsible for signing the digital certificate. In this case, the issuer, as shown in the certificate, is Amazon. Starfield Services is the root CA, meaning that it issued the certificate to Amazon and allows it to issue certificates to end users. nd.edu is the subject of the certificate, while RSA is an encryption algorithm used in the certificate.

Karen would also like to implement controls that would help detect potential malfeasance by existing employees. Which one of the following controls is least likely to detect malfeasance? A.Mandatory vacations B.Background investigations C.Job rotation D.Privilege use reviews

B.Background investigations Explanation: Mandatory vacations and job rotation plans are able to detect malfeasance by requiring an employee's absence from his or her normal duties and exposing them to other employees. Privilege use reviews have a manager review the actions of an employee with privileged system access and would detect misuse of those privileges. Background investigations uncover past acts and would not be helpful in detecting active fraud. They are also typically performed only for new hires.

Hank would like to deploy an intrusion prevention system to protect his organization's network. Which one of the following tools is least likely to meet his needs? A.Snort B.Burp C.Sourcefire D.Bro

B.Burp Explanation: Burp is a web interception proxy, not an intrusion prevention system. Snort, Sourcefire, and Bro are all intrusion detection and prevention systems.

Al is a cybersecurity analyst for a company that runs a website that allows public postings. Users recently began complaining that the website is showing them pop-up messages asking for their passwords that don't seem legitimate. At the same time, there has been an uptick in compromised user accounts. What type of attack is likely occurring against Al's website? A.SQL injection B.Cross-site scripting C.Cross-site request forgery D.Rootkit

B.Cross-site scripting Explanation; This scenario has all of the hallmarks of a cross-site scripting attack. The most likely case is that the site allows users to post messages containing HTML code and that it does not perform input validation to remove scripts from that code. The attacker is likely using a script to create a pop-up window that collects passwords and then using that information to compromise accounts.

Martin would like to install a network control that would block the potential exfiltration of sensitive information from the venture's facility. Which one of the following controls would be most effective to achieve that goal? A.IPS B.DLP system C.Firewall D.IDS

B.DLP system Explanation: All of the controls listed are network security controls. Of those listed, a data loss prevention system is specifically designed for the purpose of identifying and blocking the exfiltration of sensitive information and would be the best control to meet Martin's goal. Intrusion prevention systems may be able to perform this function on a limited basis, but it is not their intent. Intrusion detection systems are even more limited in that they are detective controls only and would not prevent the exfiltration of information. Firewalls are not designed to serve this purpose.

Daniel is hiring a third-party consultant who will have remote access to the organization's data center, but he would like to approve that access each time it occurs. Which one of the following solutions would meet Daniel's needs in a practical manner? A.Daniel should keep the consultant's password himself and provide it to the consultant when needed and then immediately change the password after each use. B.Daniel should provide the consultant with the password but configure his own device to approve logins via multifactor authentication. C.Daniel should provide the consultant with the password but advise the consultant that she must advise him before using the account and then audit those attempts against access logs. D.Daniel should create a new account for the consultant each time she needs to access the data center.

B.Daniel should provide the consultant with the password but configure his own device to approve logins via multifactor authentication. Explanation: The most practical approach is for Daniel to implement two-factor authentication on the account and retain the approval device himself. This allows him to approve each request but does not require modifying or re-creating the account for each use. The approach where the consultant must advise Daniel before using the account does not meet the requirement of Daniel approving each use

Tammy would like to ensure that her organization's cybersecurity team review the architecture of a new ERP application that is under development. During which SDLC phase should Tammy expect the security architecture to be completed? A. Analysis and requirements definition B.Design C.Development D.Testing and integration

B.Design Explanation: Security artifacts created during the design phase include security architecture documentation and data flow diagrams.

Which one of the following security activities is not normally a component of the operations and maintenance phase of the SDLC? A. Vulnerability scans B.Disposition C.Patching D.Regression testing

B.Disposition Explanation Disposition is a separate SDLC phase that is designed to ensure that data is properly purged at the end of an application life cycle. Operations and maintenance activities include ongoing vulnerability scans, patching, and regression testing after upgrades.

Chelsea recently accepted a new position as a cybersecurity analyst for a privately held bank. Which one of the following regulations will have the greatest impact on her cybersecurity program? A.HIPAA B.GLBA C.FERPA D.SOX

B.GLBA Explanation: The Gramm-Leach-Bliley Act (GLBA) includes regulations covering the cybersecurity programs at financial institutions, including banks. The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, insurers, and health information clearinghouses. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Sarbanes-Oxley Act (SOX) applies to publicly traded companies.

Bryan is selecting a firewall to protect his organization's internal infrastructure from network-based attacks. Which one of the following products is not suitable to meet this need? A.Cisco NGFW B.HP.TippingPoint C.CheckPoint appliance D.Palo Alto NGFW

B.HP.TippingPoint Explanation: TippingPoint is an intrusion prevention system. Cisco's NGFW, Palo Alto's NGFW, and CheckPoint's appliances are all firewall solutions.

Arnie is required to submit evidence from systems on his network to external legal counsel as part of a court case. What technology can he use to demonstrate that the copies of evidence he is producing are genuine? A.Disk duplicator B.Hash function C.Cloud storage service D.Write blocker

B.Hash function Explanation: All of the technologies listed in this question may be used during the evidence collection and production process. However, the hash function is the only component that may be used to demonstrate the integrity of the evidence that Arnie collected.

Tim is the CIO of a midsize company and is concerned that someone on the IT team may be embezzling funds from the organization by modifying database contents in an unauthorized fashion. What group could investigate this providing the best balance between cost, effectiveness, and independence? A.Internal assessment by the IT manager B.Internal audit C.External audit D.Law enforcement

B.Internal audit Explanation: Internal audit provides the ability to perform the investigation with internal resources, which typically reduces cost. External auditors would normally be quite expensive and bring a degree of independence that is unnecessary for an internal investigation. The IT manager would not be a good candidate for performing the assessment because he may be involved in the embezzlement or may have close relationships with the affected employees. There is no need to bring in law enforcement at this point, opening the company to unnecessary scrutiny and potential business disruption.

Jean is deploying a new application that will process sensitive health information about her organization's clients. To protect this information, the organization is building a new network that does not share any hardware or logical access credentials with the organization's existing network. What approach is Jean adopting? A.Network interconnection B.Network segmentation C.Virtual LAN (VLAN) isolation D.Virtual private network (VPN)

B.Network segmentation Explanation: The strategy outlined by Jean is one of network segmentation—placing separate functions on separate networks. She is explicitly not interconnecting the two networks. VPNs and VLANs are also technologies that could assist with the goal of protecting sensitive information, but they use shared hardware and would not necessarily achieve the level of isolation that Jean requires.

Nadine works for a company that runs an e-commerce website. She recently discovered a hacking website that contains password hashes stolen from another e-commerce site. The two sites have a significant number of common users. What user behavior creates significant risk for Nadine's organization? A. Use of weak hash functions B.Reuse of passwords C.Unencrypted communications D.Use of federated identity providers

B.Reuse of passwords Explanation: The primary risk to Nadine's organization from this attack is that if the password hashes are reversed, accounts may be compromised on Nadine's site because users commonly use the same passwords on multiple sites.

Questions 74-76 refer to the following scenario: Karen is the CISO of a major manufacturer of industrial parts. She is currently performing an assessment of the firm's financial controls, with an emphasis on implementing security practices that will reduce the likelihood of theft from the firm. Karen would like to ensure that the same individual is not able to both create a new vendor in the system and authorize a payment to that vendor. She is concerned that an individual who could perform both of these actions would be able to send payments to false vendors. What type of control should Karen implement? A.Mandatory vacations B.Separation of duties C.Job rotation D.Two-person control

B.Separation of duties Explanation Separation of duties is a principle that prevents individuals from having two different privileges that, when combined, could be misused. Separating the ability to create vendors and authorize payments is an example of two-person control.

Brandy works in an organization that is adopting the ITIL service management strategy. Which ITIL core activity includes security management as a process? A.Service strategy B.Service design C.Service transition D.Service operation

B.Service design Explanation: The ITIL framework places security management into the service design core activity. The other processes in service design are design coordination, service catalog management, service-level management, availability management, capacity management, IT service continuity management, and supplier management.

Rob is planning the security testing for a new service being built by his organization's IT team. He would like to conduct rigorous testing of the finished product before it is released for use. Which environment would be the most appropriate place to conduct this testing? A.Development B.Test C.Staging D.Production

B.Test Explanation: The test environment contains a complete version of the code, as the developers intend to release it. This is the best place to conduct rigorous testing, such as security analysis. The development environment is constantly in a state of flux and not a good environment for formalized testing. Code should be released to production only when it is ready for use by clients, and security testing should take place before code is placed in a production environment. Staging environments are holding areas used as part of the code release process.

Which role in a SAML authentication flow validates the identity of the user? A.The SP B.The IDP C.The principal D.The RP

B.The IDP Explanation: B. The identity provider (IDP) provides the authentication in a SAML-based authentication flow. A service provider (SP) provides services to a user, while the user is typically the principal. A relying party (RP) leverages an IDP to provide authentication services.

The firewall rule creators intended to block access to a website hosted at 10.15.1.2 except from hosts located on the 10.20.0.0/16 subnet. However, users on that subnet report that they cannot access the site. What is wrong? A.The protocol is incorrect. B.The rules are misordered. C.The source port is not specified. D.There is no error in the rule, and Travis should check for other issues.

B.The rules are misordered. Explanation: Travis can correct this error by switching the positions of rules 2 and 3. Rule 3, which permits access from the 10.20.0.0/16 subnet, will never be triggered because any traffic from that subnet also matches rule 2, which blocks it.

Roger is the CISO for a midsize manufacturing firm. His boss, the CIO, recently returned from a meeting of the board of directors where she had an in-depth discussion about cybersecurity. One member of the board, familiar with ISO standards in manufacturing quality control, asked if there was an ISO standard covering cybersecurity. Which standard is most relevant to the director's question? A.ISO 9000 B.ISO 17799 C. ISO 27001 D.ISO 30170

C. ISO 27001 Explanation: ISO 27001 is the current standard governing cybersecurity requirements. ISO 9000 is a series of quality management standards. ISO 17799 covered information security issues but is outdated and has been withdrawn. ISO 30170 covers the Ruby programming language.

Jay is the CISO for his organization and is responsible for conducting periodic reviews of the organization's information security policy. The policy was written three years ago and has undergone several minor revisions after audits and assessments. Which one of the following would be the most reasonable frequency to conduct formal reviews of the policy? A. Monthly B.Quarterly C.Annually D.Every five years

C.Annually Explanation: Annual reviews of security policies are an industry standard and are sufficient unless there are special circumstances, such as a new policy or major changes in the environment. Monthly or quarterly reviews would occur too frequently, while waiting five years for the review is likely to miss important changes in the environment.

Angela wants to implement multifactor authentication for her organization and has been offered a number of choices. Which of the following choices is not an example of multifactor authentication? A.Password and retina scan B. PIN and SMS token C.Password and security questions D.Password and SMS token

C.Password and security questions Explanation: Angela should not select the password and security questions option since they are both examples of knowledge-based factors. Each of the other answers includes different factors, providing a greater level of security.

Questions 24-26 refer to the following scenario: Martin is developing the security infrastructure for a new business venture that his organization is launching. The business will be developing new products that are considered trade secrets, and it is of the utmost importance that the plans for those products not fall into the hands of competitors. Martin would like to take steps to confirm the reliability of employees and avoid situations where employees might be susceptible to blackmail attempts to obtain the plans. Which one of the following controls would be most effective to achieve that goal? A.Firewall B.DLP System C.Background investigation D.Nondisclosure agreement

C.Background investigation Explanation: All of these controls would be effective ways to prevent the loss of information. However, only a background investigation is likely to uncover information that might make a potential employee susceptible to blackmail.

Gerry would like to find a physical security control that will protect his organization against an attack where an individual drives a vehicle through the glass doors on the front of the building. Which one of the following would be the most effective way to protect against this type of attack? A. Mantraps B.Security guards C.Bollards D.Intrusion alarm

C.Bollards Explanation: Bollards are physical barriers designed to prevent vehicles from crossing into an area. Mantraps are designed to prevent piggybacking by individuals and would not stop a vehicle. Security guards and intrusion alarms may detect an intruder but would not be able to stop a moving vehicle.

In the Sherwood Applied Business Security Architecture (SABSA), which view corresponds to the physical security architecture layer? A.Architect's view B.Designer's view C.Builder's view D.Tradesman's view

C.Builder's view Explanation; In the SABSA model, the Builder's view corresponds to the physical security architecture. The Designer's view corresponds to the logical security architecture layer. The Architect's view corresponds to the conceptual security architecture layer. The Tradesman's view corresponds to the component security architecture layer.

Which one of the following events is least likely to trigger the review of an organization's information security program? A.Security incident B.Changes in compliance obligations C.Changes in team members D>Changes in business processes

C.Changes in team members Explanation: Changes in team members may cause someone to initiate a review, but it is more likely that a review would be initiated based upon changes in the processes protected by the security program, control requirements (such as compliance obligations), or a control failure (such as a security incident).

Under the U.S. government's data classification scheme, which one of the following is the lowest level of classified information? A.Private B.Top Secret C.Confidential D.Secret

C.Confidential Explanation: The classification levels under the U.S. government information classification scheme are, in ascending order, Confidential, Secret, and Top Secret. Private is not a government classification.

Which one of the following is not one of the four domains of COBIT control objectives? A.Plan and Organize B.Acquire and Implement C.Design and Secure D.Deliver and Support

C.Design and Secure Explanation: There is no explicit security domain in the COBIT standard. The four COBIT domains are Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Ursula is considering redesigning her network to use a dual firewall approach, such as the one shown here. Which one of the following is an advantage of this approach over a triple-homed firewall? A.increased redundancy B.Decreased costs C.Hardware diversity D.Simplied administration

C.Hardware diversity Explanation: C. The dual firewall approach allows an organization to achieve hardware diversity by using firewalls from different vendors. This approach typically increases, rather than decreases, both the cost and complexity of administration. There is no indication that the proposed design would increase redundancy over the existing environment.

Tim is tasked with implementing multifactor authentication to bring his organization into compliance with an industry security regulation. Which one of the following combinations of systems would make the strongest multifactor authentication solution? A.Password and security question answers B. Fingerprint and retinal scan C.ID badge and PIN D.Password and PIN

C.ID badge and PIN Explanation: Of the choices listed, only the combination of an ID badge and PIN is a multifactor solution. ID badges are "something you have," and a PIN is "something you know." Passwords, PINs, and security question answers are all "something you know" factors, so combining them does not create multifactor authentication. Fingerprints and retinal scans are both examples of "something you are.

Emily is charged with the security of her organization's website. After a conversation with her manager, Emily learned that the organization's highest priority for her work is the availability of the website in the event of an equipment failure. Which one of the following controls would be most effective in meeting this objective? A.RAID B.Web application firewall C.Load balancing D.Intrusion prevention systems

C.Load balancing Explanation: Load balancing technology helps protect the web site from disruption caused by the failure of a single server. If one server goes down, the other servers in the load balanced pool will continue to serve the site. RAID technology protects a server against a disk failure and would be an effective availability control, but would not be as effective as load balancing multiple servers. Web application firewalls and intrusion prevention systems may provide effective defenses against manmade availability threats, but would not protect against equipment failure.

Which one of the following vulnerability scanning tools is limited to collecting information from systems running a specific operating system? A. Nikto B.OpenVAS C.MBSA D.Qualys

C.MBSA Explanation: The Microsoft Baseline Security Analyzer (MBSA) works only with Microsoft operating systems. The other products listed are all capable of scanning systems running any operating system.

Glenn is conducting a security assessment of his organization's Active Directory-based identity and access management infrastructure. Which of the following services/protocols represents the greatest security risk to Glenn's organization if used in conjunction with Active Directory? A.LDAPS B.ADFS C.NTLMv1 D.Kerberos

C.NTLMv1 Explanation: NT LAN Manager (NTLM) version 1 contains serious vulnerabilities and exposes hashed passwords to compromise. LDAPS is an encrypted, secure version of the Lightweight Directory Access Protocol (LDAP). Active Directory Federation Services (ADFS) and Kerberos are both secure components of Active Directory.

Roberta is designing a password policy for her organization and wants to include a control that will limit the length of exposure of an account with a compromised password. Which one of the following controls would best meet Roberta's goal? A.Minimum password length B.Password history C.Password expiration D.Password complexity

C.Password expiration Explanation: The primary control used to limit the length of exposure of compromised passwords is a password expiration policy. This policy would force a password change at a defined interval and would either lock out the intruder (if the legitimate user changes the password) or alert the legitimate user to the compromise (if the intruder changes the password). Password history would arguably prevent the future reuse of a compromised password, but this is not as direct a control for the given scenario as password expiration. Password length and complexity requirements are designed to prevent the compromise of a password and are not effective controls once the password has already been compromised.

Which one of the following items is not normally included in a request for an exception to security policy? A. Description of a compensating control B.Description of the risks associated with the exception C.Proposed revision to the security policy D.Business justification for the exception

C.Proposed revision to the security policy Explanation: Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.

In the TOGAF Architecture Development Model, shown here, what element should occupy the blank line in the center circle? A.Security B.Architecture C.Requirements D.Controls

C.Requirements Explanation: The TOGAF Architecture Development Model is centered on requirements. The requirements inform each of the other phases of the model.

Alvin is working with a new security tool, as shown here. This tool collects information from a variety of sources and allows him to correlate records to identify potential security issues. What type of tool is Alvin using? A.IPS B.IDS C.SIEM D.DLP

C.SIEM Explanation: The image is a dashboard from AlienVault, a security information and event management (SIEM) solution. SIEMs correlate security information gathered from other sources and provide a centralized analysis interface.

Roger is a cybersecurity analyst at a bank. He recently conducted a forensic analysis of the workstation belonging to an IT staff member who was engaged in illicit activity. Roger discovered that the employee was capturing and storing cookies from user sessions as they were sent between backend systems. What type of attack might the employee have been conducting? A.Privilege escalation B.Covert channel C.Session hijacking D.SQL injection

C.Session hijacking Explanation: The most likely reason that an employee would be storing cookies is to use the session IDs stored in those cookies to engage in a session hijacking attack, allowing him to impersonate the user and conduct financial transactions.

Lorissa is investigating a potential DNS poisoning attack and uses the dig command to look up the IP address associated with the CompTIA.org website. She receives the results shown here. Which statement is true about these results? A.The DNS query was answered by a server located at 198.134.5.6, which is not authoritative for the domain. B.The DNS query was answered by a server located at 198.134.5.6, which is authoritative for the domain. C.The DNS query was answered by a server located at 172.30.25.8, which is not authoritative for the domain. D.The DNS query was answered by a server located at 172.30.25.8, which is authoritative for the domain.

C.The DNS query was answered by a server located at 172.30.25.8, which is not authoritative for the domain. Explanation: Analyzing these dig results, you see that the DNS server (identified in the SERVER line) is 172.30.25.8. 198.134.5.6 is the query response, indicating that it is the CompTIA.org web server. The AUTHORITY value in this result is 0, indicating that the DNS server is not authoritative for the CompTIA.org domain.

Johann is troubleshooting a network connectivity issue and would like to determine the path that packets follow from his system to a remote host. Which tool would best assist him with this task? A.ping B.netstat C.tracert D.ipconfig

C.tracert Explanation; The tracert (or traceroute) command identifies the path of packet flow between two systems over a network. It would help Johann identify potential trouble points requiring further investigation.

Which one of the following websites would not be covered by this certificate? A.nd.edu B.www.nd.edu C.www.business.nd.edu D.All of these sites would be covered

C.www.business.nd.edu Explanation: This is a wildcard certificate, meaning that it is valid for the subject domain (nd.edu) as well as any subdomains of that domain (e.g., www.nd.edu). It would not, however, be valid for subsubdomains. A wildcard certificate for *.business.nd.edu would cover www.business.nd.edu

What policy should contain provisions for removing user access upon termination? A.Data ownership policy B.Data classification policy C.Data retention policy D.Account management policy

D.Account management policy Explanation: Account management policies describe the account life cycle from provisioning through active use and decommissioning, including removing access upon termination. Data ownership policies clearly state the ownership of information created or used by the organization. Data classification policies describe the classification structure used by the organization and the process used to properly assign classifications to data. Data retention policies outline what information the organization will maintain and the length of time different categories of information will be retained prior to destruction.

Eric leads a team of software developers and would like to help them understand the most important security issues in web application development. Which one of the following sources would provide Eric with the most useful resource? A.CVE B.CPE C.CCE D.OWASP

D.OWASP Explanation: The Open Web Application Security Project (OWASP) provides developer-friendly descriptions of the top web application security issues. The Common Vulnerability Enumeration (CVE), Common Platform Enumeration (CPE), and Common Configuration Enumeration (CCE) tools provide a taxonomy for describing vulnerabilities, platforms, and configurations, but they are not educational tools and do not focus on web application security.

Amy is creating application accounts for her company's suppliers to use to access an inventory management website. She is concerned about turnover at the vendor. Which one of the following approaches would provide a good balance of security and usability for Amy? A.Amy should create a single account for the vendor and require the password be changed whenever an employee with knowledge of the password leaves the vendor. B.Amy should create individual accounts for each vendor employee and require that the vendor inform her when an employee leaves. C. Amy should create individual accounts for each vendor employee and require that the vendor immediately change the password for the account of any employee who leaves. D.Amy should create a master account for a responsible individual at the vendor and allow them to create and manage individual user accounts.

D.Amy should create a master account for a responsible individual at the vendor and allow them to create and manage individual user accounts. Explanation; In this situation, the best case for Amy would be to delegate management of the individual user accounts to the vendor. Amy should avoid a situation where she must create the individual accounts to reduce the burden on her. Using a single account violates many principles of security and eliminates accountability for individual user actions. If Amy implements the delegated account approach, she may want to supplement it with auditing to verify that accounts are properly managed.

Ian is designing an authorization scheme for his organization's deployment of a new accounting system. He is considering putting a control in place that would require that two accountants approve any payment request over $100,000. What security principle is Ian seeking to enforce? A.Security through obscurity B.Least privilege C.Separation of duties D.Dual control

D.Dual control Explanation: D. It is sometimes difficult to distinguish between cases of least privilege, separation of duties, and dual control. Least privilege means that an employee should only have the access rights necessary to perform their job. That is not the case in this scenario because accountants need to be able to approve payments. Separation of duties occurs when the same employee does not have permission to perform two different actions that, when combined, could undermine security. That is not the case here because both employees are performing the same action: approving the payment. Dual control occurs when two employees must jointly authorize the same action. That is the case in this scenario. Security through obscurity occurs when the security of a control depends upon the secrecy of its mechanism.

Alec is a cybersecurity analyst working on analyzing network traffic. He is using Wireshark to analyze live traffic, as shown here. He would like to reassemble all of the packets associated with the highlighted connection. Which one of the following options from the drop-down menu in the figure should he choose first in order to most easily achieve his goal? A.Apply As A Filter B.Prepare A Filter C.Conversation Filter D.Follow

D.Follow Explanation: The Follow option will allow Alec to follow the TCP stream, reassembling the payloads from all of the packets in the stream in an easy-to-view manner.

Roland received a security assessment report from a third-party assessor, and it indicated that one of the organization's web applications is susceptible to an OAuth redirect attack. What type of attack would this vulnerability allow an attacker to wage? A.Privilege escalation B.Cross-site scripting C.SQL Injection D.Impersonation

D.Impersonation Explanation: OAuth redirects are an authentication attack that allows an attacker to impersonate another user.

Kyle is developing a web application that uses a database backend. He is concerned about the possibility of a SQL injection attack against his application and is consulting the OWASP proactive security controls list to identify appropriate controls. Which one of the following OWASP controls is least likely to prevent a SQL injection attack? A.Parameterize queries B.Validate all input. C.Encode data. D.Implement logging and intrusion detection.

D.Implement logging and intrusion detection. Explanation: Query parameterization, input validation, and data encoding are all ways to prevent the database from receiving user-supplied input that injects unwanted commands into a SQL query. Logging and intrusion detection are important controls, but they would detect, rather than prevent, a SQL injection attack.

What cryptographic algorithm is used to protect communications between Tom and the web server that take place using the key identified in question 63? A.RSA B.SHA-256 C.AES D.It is not possible to determine this information.

D.It is not possible to determine this information. Explanation: The symmetric algorithm used to communicate between the client and server is negotiated during the TLS session establishment. This information is not contained in the digital certificate.

Which of the following protocols is best suited to provide authentication on an open network? A.TACACS B.RADIUS C.TACACS+ D.Kerberos

D.Kerberos Explanation: Kerberos is the only answer that provides automatic protection for authentication traffic. TACACS is outdated, and TACACS+ is considered unsafe in most circumstances, meaning that it should be used on secure networks only if it must be used. RADIUS can be secured but is not secure by default.

Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin's need? A.Separation of duties B.Least privilege C. Dual control D.Mandatory vacations

D.Mandatory vacations Explanation: Mandatory vacations are designed to force individuals to take time away from the office to allow fraudulent activity to come to light in their absence. The other controls listed here (separation of duties, least privilege, and dual control) are all designed to prevent, rather than detect, fraud.

Mike's organization adopted the COBIT standard, and Mike would like to find a way to measure their progress toward implementation. Which one of the following COBIT components is useful as an assessment tool? A. Process descriptions B.Control objectives C.Management guideline D.Maturity models

D.Maturity models Explanation: While all the COBIT components are useful to an organization seeking to implement the COBIT framework, only the maturity models offer an assessment tool that helps the organization assess its progress.

Lou would like to deploy a SIEM in his organization, but he does not have the funding available to purchase a commercial product. Which one of the following SIEMs uses an open source licensing model? A.AlienVault B.QRadar C.ArcSight D.OSSIM

D.OSSIM Explanation: OSSIM is an open source SIEM made by AlienVault. It is capable of pulling together information from a wide variety of open source security tools. QRadar, ArcSight, and AlienVault are all examples of commercial SIEM solutions.