TEST02


1. C. Nation-state actors are typically advanced persistent threats (APTs) and their motivations commonly include espionage, data exfiltration, disruption/chaos, and war. Financial gain is more commonly associated with organized crime, blackmail with insider threats, and ethical motivations with hacktivists.

1. Brent's organization is profiling threat actors that may target their infrastructure and systems. Which of the following is most likely a motivation for a nation-state actor? A. Financial gain B. Blackmail C. Espionage D. Ethical

10.B. On-path attacks that route traffic through a system or device that the attacker controls allow the attacker to both receive and modify traffic, making replay attacks more likely to succeed. SQL injection attacks are associated with web applications and databases. Brute-force and distributed denial-of-service (DDoS) attacks are not typically associated with replay attacks.

10. Julie wants to conduct a replay attack. What type of attack is most commonly associated with successful replay attacks? A.SQL injection B. An on-path attack C.Brute force D.A DDoS

55. B. While dated, NTLM was historically one of the most common targets of credential relay attacks. RDP, SQL, and TLS are less commonly associated with credential relay attacks. Modern protocols implement encryption, session IDs, and one-time passwords to prevent this type of attack.

55. Which of the following protocols is most commonly associated with credential relaying attacks? A.RDP B. NTLM C. SQL D. TLS

56. A. Encryption is the appropriate solution to prevent data exposure if a system is stolen. A HIPS, disabling ports and protocols, and changing default passwords will not prevent data acquisition from a drive that has been removed from the device.

56. After a recent laptop theft, Jaime's organization is worried about data breaches driven by lost devices. What endpoint hardening technique is best suited to preventing this? A.Encryption B. Host-based IPS C. Disabling ports and protocols D. Changing default passwords

57. D. Derek knows that attacking a digital signature requires that the hashes of an original document and a malicious document match, because the signature is computed over the hash rather than the document itself. He will modify the malicious document until he finds a way to convey the changes he needs while retaining the matching hash. Strictly speaking, a birthday attack varies many innocuous versions of both documents and looks for any pair that collides, which takes roughly the square root of the work of matching one fixed hash; this is why hashing algorithms need to be resistant to birthday attacks.

57. Derek wants to conduct a birthday attack against a digital signature. Which of the following best describes the process he would need to take to achieve his goal? A.He needs to prepare both a correct and a malicious document and find ways to modify the correct document until its encryption matches the malicious document. B. He needs to make sure all dates match in both a correct and a malicious document C. He needs to ensure that the file length and creation date match for both a correct document and a malicious document. D. He needs to prepare both a correct and a malicious document, then find ways to modify the malicious document until its hash matches the hash of the correct document.

58. A. Ashley's organization was the target of a reflected (and amplified) DDoS where attackers took advantage of DNS queries to turn small amounts of spoofed traffic into very large amounts of data sent to her servers. DNS floods, mirrored DDoSs, and supersized query attacks were made up for this question.

58. Ashley's organization has recently come under attack and has suffered a DNS outage. As she investigated, she found that requests to her DNS servers were sent to open DNS resolvers using spoofed IP addresses with requests that would result in very large responses from the DNS resolvers to the IP addresses that appeared to be making the request. What type of attack targeted Ashley's organization? A. A reflected DDoS B.A DNS flood C. A mirrored DDoS D.A supersized query attack
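The attack in question 58 leaves a distinctive trace on the victim side: large DNS responses arriving from many resolvers for which no query ever left the network, because the queries were sent by the attacker with the victim's spoofed source address. The following is an added example (not part of the original question set) that runs that check over a handful of constructed flow records; the network range, the flow tuple layout, the 2-second matching window and the 512-byte size threshold are all assumptions made for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Assumption: this is the victim organization's public range (a documentation prefix).
OUR_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed flow records for the example: (ts_seconds, src_ip, src_port, dst_ip, dst_port, payload_bytes).
FLOWS = [
    (10.0, "203.0.113.10", 40001, "198.51.100.5", 53, 60),    # one of our hosts queries a resolver
    (10.1, "198.51.100.5", 53, "203.0.113.10", 40001, 110),   # the resolver's ordinary answer
    (12.0, "198.51.100.7", 53, "203.0.113.20", 4444, 3800),   # large answers to a host that never asked
    (12.0, "198.51.100.8", 53, "203.0.113.20", 4444, 3900),
    (12.1, "192.0.2.9",    53, "203.0.113.20", 4444, 4100),
    (12.1, "192.0.2.9",    53, "203.0.113.20", 4444, 4100),
    (30.0, "203.0.113.11", 40002, "198.51.100.5", 53, 58),    # another legitimate exchange
    (30.2, "198.51.100.5", 53, "203.0.113.11", 40002, 95),
]


def in_our_net(ip: str) -> bool:
    return ipaddress.ip_address(ip) in OUR_NET


def find_unsolicited_dns(flows, window=2.0, min_bytes=512):
    """Flag inbound DNS responses that no outbound query from our network explains.

    A reflected attack spoofs our address in the query, so the resolver's answer
    arrives at a host that has no matching (src, port, resolver) query on record.
    """
    queries = {}
    for ts, src, sport, dst, dport, nbytes in flows:
        if in_our_net(src) and dport == 53:
            queries[(src, sport, dst)] = ts
    hits = []
    for ts, src, sport, dst, dport, nbytes in flows:
        if not (in_our_net(dst) and sport == 53):
            continue
        sent = queries.get((dst, dport, src))
        unsolicited = sent is None or not 0 <= ts - sent <= window
        if unsolicited and nbytes >= min_bytes:
            hits.append((ts, src, dst, nbytes))
    return hits


def summarize(hits):
    """Per victim: total bytes received and number of distinct reflectors."""
    per_victim = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for _, src, dst, nbytes in hits:
        per_victim[dst]["bytes"] += nbytes
        per_victim[dst]["reflectors"].add(src)
    return {v: (d["bytes"], len(d["reflectors"])) for v, d in per_victim.items()}


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes the reflector sends to the victim per byte the attacker sends to the reflector."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    hits = find_unsolicited_dns(FLOWS)
    for ts, src, dst, nbytes in hits:
        print(f"t={ts:5.1f} unsolicited {nbytes:5d}-byte DNS answer {src} -> {dst}")
    print("per victim (bytes, reflectors):", summarize(hits))
    print("amplification of a 60-byte query into a 3800-byte answer:",
          round(amplification_factor(60, 3800), 1))
```

The legitimate exchanges at t=10 and t=30 are ignored because a matching outbound query exists within the window; the four answers to 203.0.113.20 have no such query and are summed per victim and per reflector. On the resolver side the same data supports the usual mitigations: refuse recursion for outside clients, rate-limit responses, and avoid answering ANY queries with full-size responses.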

59. B. Collisions occur when two files have the same hash. Secure hashing solutions are collision resistant, meaning that collision-based hash attacks should be unlikely unless an insecure or outdated hash algorithm like MD5 is selected. Birthday attacks leverage the high probability of a collision somewhere within a random set of inputs (the birthday paradox) rather than searching linearly for a match to one fixed hash. Bingo attacks and match-the-hash are both made up for this question.

59. What term is used to describe the problem when two files have the same hash? A.A birthday attack B. A collision C.A bingo D. A match-the-hash attack
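Questions 57 and 59 turn on the same fact: a signature verifies for any document whose hash equals the signed one, and finding such a pair by varying both documents (birthday search) is far cheaper than matching one fixed hash (second-preimage search). The following is an added example, not part of the original question set, that runs both searches against a deliberately truncated hash so the difference is visible in seconds. The 24-bit truncation of SHA-256, the whitespace-based document variants and the two sample documents are assumptions made for the demonstration; against a full-length modern hash neither search is feasible.

```python
import hashlib

# Assumption for the demo: SHA-256 truncated to 24 bits stands in for a short hash so the
# searches finish quickly. Only the scaling matters: 2**12 rounds for the birthday
# search versus 2**24 attempts for a fixed target.
TRUNC_BITS = 24


def h(data: bytes) -> int:
    """Truncated SHA-256, constructed for the example."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - TRUNC_BITS)


def variant(doc: bytes, i: int) -> bytes:
    """Variant i of a document: the index is encoded as a trailing run of spaces and tabs,
    which render identically, so every variant reads exactly like the original."""
    tail = "".join("\t" if bit == "1" else " " for bit in format(i, "b"))
    return doc + b"\n" + tail.encode()


def birthday_collision(good: bytes, bad: bytes, max_tries: int):
    """Vary BOTH documents and stop at the first good/bad pair with equal hashes.
    Expected work is about 2**(n/2) hashes of each document for an n-bit hash."""
    good_seen, bad_seen = {}, {}
    for i in range(max_tries):
        gv, bv = variant(good, i), variant(bad, i)
        hg, hb = h(gv), h(bv)
        good_seen.setdefault(hg, gv)
        bad_seen.setdefault(hb, bv)
        if hg in bad_seen:
            return good_seen[hg], bad_seen[hg], i
        if hb in good_seen:
            return good_seen[hb], bad_seen[hb], i
    return None


def second_preimage(good: bytes, bad: bytes, max_tries: int):
    """Keep the correct document fixed and vary only the malicious one until its hash
    matches. Expected work is about 2**n hashes, the square of the birthday cost."""
    target = h(good)
    for i in range(max_tries):
        bv = variant(bad, i)
        if h(bv) == target:
            return bv, i
    return None


def signature_transfers(signed_doc: bytes, other_doc: bytes) -> bool:
    """A signature over h(signed_doc) also verifies for other_doc iff the hashes match."""
    return h(signed_doc) == h(other_doc)


# Constructed sample documents: the victim signs GOOD; the attacker wants BAD to verify.
GOOD = b"Pay ACME Ltd. the sum of 1,000 USD."
BAD = b"Pay ACME Ltd. the sum of 100,000 USD."

if __name__ == "__main__":
    gv, bv, rounds = birthday_collision(GOOD, BAD, 1 << 18)
    print(f"birthday search: collision after {rounds} rounds; "
          f"signature transfers: {signature_transfers(gv, bv)}")
    print(f"second-preimage search with {1 << 10} attempts:",
          second_preimage(GOOD, BAD, 1 << 10))
```

The birthday search typically succeeds after a few thousand rounds, while the same budget spent on matching the fixed hash of GOOD almost never does; the attacker then asks the victim to sign the innocuous-looking good variant and presents the colliding bad variant with that signature attached. A hash with output length n only offers about n/2 bits of collision resistance, which is why 128-bit MD5 and 160-bit SHA-1 are out of bounds for signatures.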

6. B. Endpoint protection software like an endpoint detection and response (EDR) or extended detection and response (XDR) tool will provide the greatest protection against ransomware. Firewalls and intrusion prevention systems (IPSs) are less likely to prevent ransomware from being installed, and removing unnecessary software may reduce the attack surface but most ransomware is installed via attacks that leverage users.

6. Helen is concerned about ransomware attacks against workstations that she is responsible for. Which of the following hardening options is best suited to protecting her organization from ransomware? A. Installing host-based firewalls B. Installing endpoint protection software C. Installing a host-based IPS software D. Removing unnecessary software

60. C. Firmware is typically not encrypted, but it is commonly digitally signed. Using input validation and code review both help to keep firmware secure.

60. Kara wants to protect against the most common means of firmware-based exploits. Which of the following is not a common firmware defense mechanism for the vendors of devices that use firmware? A. Using signed firmware updates B. Using input validation for user input C. Encrypting firmware D. Code review processes for firmware

70. B. DLL injection forces a process to load and run code from a dynamically linked library (DLL) that was not originally used by the application or software. This can be used to modify behaviors of the program or to perform malicious actions through the application. WinBuff, SYRINGE, and memory traversal were all made up for this question.

70. Pete uses a technique that injects code into memory used by another process to allow him to control what the host program does. What is this technique called for Windows dynamically linked libraries? A. WinBuff attacks B. DLL injection C. A SYRINGE attack D. A memory traversal attack

8. C. Cross-site scripting (XSS) involves entering a script into text areas that other users will view. SQL injection (SQLi) is not about entering scripts but rather SQL commands. Clickjacking is about tricking users into clicking on the wrong thing. Bluejacking is a Bluetooth attack.

8. What type of attack depends on the attacker entering JavaScript into a text area that is intended for users to enter text that will be viewed by other users? A.SQL injection B. Clickjacking C. Cross-site scripting D.Bluejacking

80. B. Security groups are used like firewall rules in Amazon Web Services (AWS), and since Amanda's system administrators are not effectively managing security groups, this is most likely to create a misconfiguration issue. Application programming interfaces (APIs) are provided by the vendor, and thus their security is typically a vendor issue or a misconfiguration issue. Malicious insiders are not mentioned, and security group misconfiguration does not drive multifactor authentication (MFA)-based attacks.

80. Amanda is assessing the potential for issues with her organization's recently adopted IaaS vendor. What cloud vulnerability should she worry about if her system administrators do not effectively manage security groups in AWS? A. Insecure APIs B.Misconfigurations C. Malicious insiders D. MFA-based attacks

100. B. This is an example of ransomware, which demands payment to return your data. A rootkit provides access to administrator/root privileges. A logic bomb executes its malicious activity when some condition is met. This scenario does not describe whaling, which is a type of phishing attack aimed at leaders in an organization.

100. Mike is a network administrator with a small financial services company. He has received a pop-up window that states his files are now encrypted and he must pay .5 bitcoins to get them decrypted. He tries to check the files in question, but their extensions have changed, and he cannot open them. What best describes this situation? A. Mike's machine has a rootkit. B. Mike's machine has ransomware. C. Mike's machine has a logic bomb. D. Mike's machine has been the target of whaling.

11. A. Since Valerie is investigating an incident, she should immediately consider the potential that the logs were wiped. That likely means that the intruder has gained privileged access to the system, which should worry her even more! Reboots do not wipe audit.log, and Valerie should have permissions appropriate to perform her function. System errors could explain an empty audit.log, but are unlikely, and an empty log found during an investigation is a cause for concern.

11. Valerie is investigating a recent incident and checks /var/log on a Linux system. She finds the audit.log file empty despite the system uptime showing over a month of uptime. What has she most likely encountered? A. A wiped log B. A recent reboot C. A system error D. Incorrect permissions to view the log

12. B. Jack has attempted a watering hole attack that leverages a frequently visited site to target a specific group of people. In this case, he is targeting his penetration testing target's users. Misinformation and disinformation are used to change opinions or to provide false information, and while business email compromise attacks are part of the Security+ exam outline, business website compromise attacks are not.

12. Jack purchases ads on a site that staff members of his target organization frequently visit in preparation for a penetration test. Once his ads start to display, he replaces the underlying code with attack code that redirects visitors to a login page that matches the organization's own internal website. What type of attack has Jack attempted? A. A misinformation attack B. A watering hole attack C. A disinformation attack D. A business website compromise attack

13. C. While malware, modified firmware, and lack of availability are common concerns with the hardware supply chain, third-party hardware modifications remain relatively uncommon.

13. Which of the following is not a common concern related to the hardware vendor supply chain? A. Malware preinstalled on hardware B. Lack of availability of hardware C. Third-party hardware modifications D. Malicious firmware modifications

14. B. On-path attacks are used to capture, then replay valid credentials for attackers to use. Session tokens are used to counter this type of attack in some cases. Phishing email and brute-force password attacks can help obtain credentials but do not involve credential replay. Injection attacks are typically conducted against database servers.

14. Ben wants to conduct a credential replay attack.What should he do first to enable the attack? A. Create a phishing email. B.Conduct an on-path attack C. Use a brute-force password attack. D. Conduct an injection attack.

15. B. Common motivations for internal threat actors include blackmail, financial gain, and ethical reasons. Nation-state threats are more likely to be interested in espionage and war, and hacktivists in political beliefs.

15. Nick is assessing internal threat actors and considering what motivations are likely to drive them. Which of the following is the most likely motivation for an internal threat actor? A.Espionage B.Blackmail C. War D.Political beliefs

16. B. These are all common examples of bloatware, unwanted but typically not harmful software installed by manufacturers and as part of the installation processes for desired applications. MSPs are managed service providers, ransomware is malware that attempts to hold files for ransom, and rootware was made up for this question.

16. Yasmine is reviewing the software installed on a client's computer and notices that multiple browser toolbars, weather applications, and social media applications were preinstalled. What term is most commonly used to describe this software? A. MSPs B. Bloatware C. Ransomware D. Rootware

17. C. Impossible travel describes scenarios where logins or other actions occur from separate physical locations that are too far apart to travel between before the action occurs. Here it is impossible to travel from China to the UK in an hour, and Ilya may need to check in with the employee since no VPN usage was described. It is possible the employee's account is compromised or some other questionable activity is occurring.

17. Ilya is reviewing logs and notices that one of his staff has logged in from his home location in China at 2 p.m., and then logged in from the United Kingdom an hour later. What indicator of compromise should he flag this as? A. Concurrent session usage B. Resource inaccessibility C. Impossible travel D.Segmentation
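The impossible-travel indicator from question 17 is straightforward to compute from login records once each login carries a geolocation: sort a user's logins by time, measure the great-circle distance between consecutive ones, and flag any pair that would have required travelling faster than is physically plausible. The following is an added example, not part of the original question set, using constructed login events; the coordinates (city centres standing in for geo-IP results), the 900 km/h plausibility limit and the 50 km "same area" tolerance are assumptions made for the demonstration.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: faster than roughly airliner speed cannot be a real journey.
MAX_PLAUSIBLE_KMH = 900.0
# Assumption: geo-IP jitter within a metro area is not "travel".
SAME_AREA_KM = 50.0

# Constructed login events for the example: (user, UTC timestamp, country, latitude, longitude).
EVENTS = [
    ("ilya_staff", "2024-05-06T06:00:00Z", "CN", 39.9042, 116.4074),  # Beijing, 14:00 local
    ("ilya_staff", "2024-05-06T07:00:00Z", "GB", 51.5074, -0.1278),   # London, one hour later
    ("other_user", "2024-05-06T01:00:00Z", "CN", 39.9042, 116.4074),  # Beijing
    ("other_user", "2024-05-06T03:00:00Z", "CN", 31.2304, 121.4737),  # Shanghai, two hours later
]


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on a sphere of Earth's mean radius."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from, to, km, km/h) for consecutive logins that imply impossible speed."""
    by_user = defaultdict(list)
    for user, ts, label, lat, lon in events:
        by_user[user].append((parse_ts(ts), label, lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order per user
        for (t1, l1, la1, lo1), (t2, l2, la2, lo2) in zip(logins, logins[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < SAME_AREA_KM:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            # Simultaneous logins from distant places are the extreme case: infinite speed.
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                alerts.append((user, l1, l2, round(km), round(speed)))
    return alerts


if __name__ == "__main__":
    for user, src, dst, km, kmh in impossible_travel(EVENTS):
        print(f"IMPOSSIBLE TRAVEL {user}: {src} -> {dst}, {km} km at {kmh} km/h")
```

Beijing to London is roughly 8,100 km, so a one-hour gap implies thousands of km/h and is flagged; Beijing to Shanghai in two hours is about 530 km/h and is not. Before acting on an alert, check for VPN or proxy egress points and mobile carrier geolocation, which are the usual sources of false positives the explanation above alludes to.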

18. D. Radio frequency identification (RFID) badges can be cloned, but adding an additional factor like a PIN means the badge alone is not sufficient to gain access. Piggybacking involves following an authorized user through a security door or gate. On-path attacks inject an attacker into the middle of a transaction or network connection, allowing them to view and potentially modify traffic. Concurrent session usage or access is an indicator of compromise (IoC) that focuses on multiple systems or users using the same credentials.

18. Adam's organization has deployed RFID badges as part of their access control system. Adam is required to enter a 6-digit PIN when he uses his RFID badge and dislikes the additional step. What type of attack is the PIN intended to stop? A.Piggybacking B.On-path C. Concurrent access D. Badge cloning

19. B. Business email compromise (BEC) scams appear to come from legitimate sources and make requests that may seem reasonable like a payment change to a different wire transfer method. Vishing is done via voice, smishing via SMS, and pretexting uses excuses or reasons that the requested action must be taken.

19. Jen recently received an email that appeared to be from one of her vendors asking for a change in the method of payment to another account. She normally works with [email protected], but noticed that the email was [email protected] on further review. What type of social engineering attack is this? A.Vishing B. Business email compromise C. Smishing D.Pretexting

2. C. Spear phishing is targeted to a specific group, in this case insurance professionals. Although this is a form of phishing, the more specific answer is the one you will need to choose on questions like this. Phishing uses social engineering techniques to succeed but is once again a broader answer than spear phishing and thus is not the correct choice. Finally, a Trojan horse pretends to be a legitimate or desirable program or file, which this scenario doesn't describe.

2. Ahmed is a sales manager with a major insurance company. He has received an email that is encouraging him to click on a link and fill out a survey. He is suspicious of the email, but it does mention a major insurance association, and that makes him think it might be legitimate. Which of the following best describes this attack? A. Phishing B. Social engineering C. Spear phishing D. Trojan horse

20. B. The primary concern for security professionals around legacy hardware is its lack of patches and updates, meaning that security fixes and updates will not exist. While the hardware could fail, that would typically lead to replacement with more modern, supportable options and is a concern for the system administrators and owners. Lack of vendor support and inability to support modern protocols are primarily concerns for owners and system administrators.

20. What is the primary concern for security professionals about legacy hardware? A. Its likelihood of failure B. Lack of patches and updates C. Lack of vendor support D. Inability to support modern protocols

21. A. From the description it appears that they are not connecting to the real web server but rather a fake server. That indicates typo squatting: having a URL that is named very similarly to a real site so that when users mistype the real site's URL they will go to the fake site.

21. Coleen is the web security administrator for an online auction website. A small number of users are complaining that when they visit the website it does not appear to be the correct site. Coleen checks and she can visit the site without any problem, even from computers outside the network. She also checks the web server log and there is no record of those users ever connecting. Which of the following might best explain this? A.Typo squatting B. SQL injection C. Cross-site scripting D.Cross-site request forgery

22. C. Domain hijacking, or domain theft, occurs when the registration or other information for the domain is changed without the original registrant's permission. This may occur because of a compromised account or due to a breach of the domain registrar's security. A common issue is a lapsed domain being purchased by a third party, and this can look like a hijacked domain, but it is a legitimate occurrence if the domain is not renewed! DNS hijacking inserts false information into a DNS server, on-path (man-in-the-middle) attacks capture or modify traffic by causing the traffic to pass through a compromised midpoint, and zero-day attacks are unknown to product vendors and therefore no patches are available to correct them.

22. The organization that Mike works in finds that one of their domains is directing traffic to a competitor's website. When Mike checks, the domain information has been changed, including the contact and other administrative details for the domain. If the domain had not expired, what has most likely occurred? A. DNS hijacking B. An on-path attack C. Domain hijacking D. A zero-day attack

23. C. Open source software dependencies are a primary challenge when considering open source supply chain concerns. In this case, Lucia is using a third-party vendor who can provide support, open source code is auditable, and updates are likely to occur with a vendor involved.

23. Lucia's organization has adopted open source software provided by a third-party vendor as part of their web application. What concern should she express about her software supply chain? A. Lack of vendor support B. Lack of code auditability C. Lack of control over open source dependencies D. Lack of updates

24. A. Server-side request forgery (SSRF) attacks try to make the server issue HTTP requests on the attacker's behalf and do not involve SQL injection, so removing SQL from submitted queries does nothing to stop them. Blocking sensitive hostnames, IP addresses, and URLs are all valid ways to prevent SSRF, as is the use of allow list-based input filters. Allow lists are preferred because deny lists are easily bypassed with alternate encodings of the same address (for example 127.1 or an IPv6 loopback) or with a hostname that resolves to an internal address.

24. Alice wants to prevent server-side request forgery (SSRF) attacks. Which of the following will not be helpful for preventing them? A. Removing all SQL code from submitted HTTP queries B. Blocking hostnames like 127.0.0.1 and localhost C. Blocking sensitive URLs like /admin D. Applying allow list-based input filters
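Options B, C and D of question 24 can be combined into one outbound-URL check, and doing so shows why the allow-list approach (D) is the one that holds up: a deny list of "localhost" and "127.0.0.1" is bypassed by trivial rewrites of the same address. The following is an added example, not part of the original question set. The allow-listed hosts, the permitted scheme and port, the blocked path prefixes, the blocked address ranges and the stub resolver that stands in for DNS (so the code runs offline) are all assumptions made for the demonstration; 203.0.113.40 is a documentation address standing in for a public IP.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy: the only hosts, scheme, port and path prefixes the application may fetch.
ALLOWED_HOSTS = {"partner-api.example", "cdn.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}
BLOCKED_PATH_PREFIXES = ("/admin", "/internal")

# Ranges an outbound fetch must never reach: loopback, RFC 1918, link-local (cloud
# metadata lives at 169.254.169.254), CGNAT, unspecified, and the IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS answers standing in for a real resolver. cdn.example "resolving" to the
# metadata address models a rebinding or poisoning scenario against an allow-listed name.
FAKE_DNS = {
    "partner-api.example": ["203.0.113.40"],
    "cdn.example": ["169.254.169.254"],
}


def naive_denylist_allows(url: str) -> bool:
    """The deny-list approach: block two spellings of loopback and nothing else."""
    host = urlsplit(url).hostname or ""
    return host not in {"localhost", "127.0.0.1"}


def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:   # ::ffff:127.0.0.1 is still loopback
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)


def validate_outbound_url(url: str, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Allow-list check: return (ok, reason); anything not explicitly permitted is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "userinfo in URL"       # https://trusted@127.0.0.1/ trick
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not allow-listed"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    if parts.path.startswith(BLOCKED_PATH_PREFIXES):
        return False, "sensitive path"
    addrs = resolve(host)
    if not addrs or any(is_blocked_ip(a) for a in addrs):
        return False, "resolves to a blocked address"
    return True, "ok"


if __name__ == "__main__":
    for url in ("https://127.1/", "https://[::1]/", "https://localhost./", "https://2130706433/",
                "https://partner-api.example/v1/data", "https://cdn.example/logo.png",
                "https://partner-api.example/admin/users"):
        print(f"{url:45} deny-list allows: {naive_denylist_allows(url)!s:5}  "
              f"allow-list: {validate_outbound_url(url)}")
```

The four loopback spellings all pass the deny list and all fail the allow list without any special casing, and cdn.example is rejected even though its name is allow-listed because the address it resolves to is link-local. In a real client the connection must be made to the address that was checked (pin it or resolve once and connect by IP) so that a second lookup cannot return a different answer.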

25. D. A host-based intrusion prevention system (HIPS) can monitor network traffic and identify and stop attacks, suspicious behavior, and known-bad patterns using signatures, heuristics, and anomaly detection. A firewall stops traffic based on rules; antimalware tools are specifically designed to stop malware, not network attacks and suspicious network behavior; and a host-based intrusion detection system (HIDS) can only detect, not stop, these behaviors.

25. Tracy wants to protect desktop and laptop systems in her organization from network attacks. She wants to deploy a tool that can actively stop attacks based on signatures, heuristics, and anomalies. What type of tool should she deploy? A. A firewall B.Antimalware C. HIDS D.HIPS

26. D. Unskilled attackers, often called script kiddies, tend to use premade tools in unsophisticated ways. Hacktivists take action based on political motivation, insiders operate from inside of an organization, and nation-state actors are typically highly capable and well resourced.

26. Mahmoud is responsible for managing security at a large university. He has just performed a threat analysis for the network, and based on past incidents and studies of similar networks, he has determined that the most prevalent threat to his network is attackers who wish to breach the system simply to prove they can or for some low-level crime, such as changing a grade. Which term best describes this type of attacker? A. Hacktivist B. Nation-state C. Insider D. Unskilled attacker

27. B. Phishing is intended to acquire data, most often credentials or other information that will be useful to the attacker. Spam is a broader term for unwanted email although the term is often generally used to describe unwanted communications. Spear phishing targets specific individuals, whereas whaling targets higher- ups such as CEOs in an organization. Smishing is sent via SMS (text message). Malware can be sent in any of these instances, but there is not a specific related term that means "spam with malware in it."

27. How is phishing different from general spam? A. It is sent only to specific targeted individuals B. It is intended to acquire credentials or other data C. It is sent via SMS. D. It includes malware in the message.

28. B. Systems and software that no longer have vendor support can be a significant security risk, and ensuring that a vendor will continue to exist and provide support is an important part of many procurement processes. Selah's questions are intended to assess the longevity and viability of the company and whether buying from them will result in her organization having a usable product for the long term.

28. Selah includes a question in her procurement request-for-proposal process that asks how long the vendor has been in business and how many existing clients the vendor has. What common issue is this practice intended to help prevent? A. Supply chain security issues B. Lack of vendor support C. Outsourced code development issues D. System integration problems

29. B. His machines are part of a distributed denial-of-service (DDoS) attack. This scenario describes a generic DDoS, not a specific one like SYN flood, which would involve many SYN packets being sent without a full three-way TCP handshake. These machines could be part of a botnet or they may just have a trigger that causes them to launch the attack at a specific time. The real key in this scenario is the DDoS attack. Finally, a backdoor gives an attacker access to the target system.

29. Frank is a network administrator for a small college. He discovers that several machines on his network are infected with malware. That malware is sending a flood of packets to a target external to the network. What best describes this attack? A. SYN flood B.DDoS C.Botnet D.Backdoor

3. B. A logic bomb is malware that performs its malicious activity when some condition is met. A worm is malware that self-propagates. A Trojan horse is malware attached to a legitimate program, and a rootkit is malware that gets root or administrative privileges.

3. You are a security administrator for a medium-sized bank. You have discovered a piece of software on your bank's database server that is not supposed to be there. It appears that the software will begin deleting database files if a specific employee is terminated. What best describes this? A. Worm B. Logic bomb C. Trojan horse D. Rootkit

30. B. A Trojan attaches a malicious program to a legitimate program. When the user downloads and installs the legitimate program, they get the malware. A logic bomb is malware that does its misdeeds when some condition is met. A rootkit is malware that gets administrative, or root, access. A macro virus is a virus that is embedded in a document as a macro.

30. A sales manager at your company is complaining about slow performance on his computer. When you thoroughly investigate the issue, you find spyware on his computer. He insists that the only thing he has downloaded recently was a freeware stock trading application. What would best explain this situation? A. Logic bomb B. Trojan C. Rootkit D. Macro virus

31. A. Hacktivists are defined by their political motivation. Organized crime is most frequently associated with financial gain as a motivation. While unskilled attackers and insider threats may have political motivations, hacktivists remain the most likely of this list.

31. What threat actor is most likely to be motivated by political beliefs? A. Hacktivists B. Organized crime C. Unskilled attackers D. Insider threats

32. D. Organized crime may produce, sell, and support malware tools, or may deploy them themselves. Crypto malware and other packages are examples of tools often created and used by criminal syndicates. State actors are more likely to be associated with advanced persistent threats (APTs) aimed at accomplishing goals of the nation-state that supports them. Hacktivists typically have political motivations, whereas unskilled attackers (script kiddies) may simply be in it for recognition or fun.

32. What type of threat actors are most likely to have a profit motive for their malicious activities? A. State actors B.Hacktivists C. Unskilled attackers D.Organized crime

33. A. Bluejacking involves sending unsolicited messages to Bluetooth devices when they are in range. Bluesnarfing involves getting data from the Bluetooth device. An evil twin attack uses a rogue access point whose name is similar or identical to that of a legitimate access point.

33. You have noticed that when in a crowded area, you sometimes get a stream of unwanted text messages. The messages end when you leave the area. What describes this attack? A. Bluejacking B.Bluesnarfing C. Evil twin D. Rogue access point

34. A. An on-path attack redirects all traffic through an attacker's system that would normally pass through a network gateway. Dennis will be able to see all traffic bound for remote systems, but some of it may be encrypted.

34. Dennis uses an on-path attack to cause a system to send traffic to his system and then forwards it to the actual server the traffic is intended for. What information will be visible from his system as it passes through it? A. All traffic meant for remote systems B. All traffic meant for local systems C. Only unencrypted traffic D. Only unencrypted traffic meant for his system

35. B. When malicious actors claim to represent a company or organization to accomplish their goals, it is an example of a brand impersonation attack. Here, this is a combination of a vishing attack and a brand impersonation attack. Smishing occurs via SMS, watering hole attacks target sites that their intended victims commonly visit, and business email compromise attempts to gain access to or leverages email accounts.

35. Andrea recently received a phone call claiming to be from her bank. The caller asked for information including her account number and Social Security number to validate her identity. What type of social engineering attack was Andrea the target of? A. Smishing B. Brand impersonation C.A watering hole attack D. A business email compromise attack

36. A. Cryptographic downgrade attacks like POODLE, FREAK, and Logjam all rely on flaws that cause software to negotiate weaker encryption options. This could allow attackers to capture traffic encrypted with weaker encryption, potentially allowing them to decrypt the traffic and read it. They do not allow hashing changes to recover passwords, reversion to old versions of software, or encryption to be entirely turned off.

36. Jake's vulnerability scanner reports that the software his organization is running is vulnerable to a cryptographic downgrade attack. What concern should Jake have about this potential issue? A. Attackers may be able to force use of a weaker encryption algorithm, making data easier to access. B. Attackers may be able to force use of weaker hashing, making it easier to recover passwords. C. Attackers may be able to force use of older versions of the software, including previously patched vulnerabilities. D. Attackers may be able to force encryption to be turned off, causing information to be sent in plain text.

37. D. Segmentation can be used to separate systems and applications of different sensitivity levels. A breach of one segmented group should not automatically mean that the other groupings are in immediate danger. Application allow lists control what applications can be installed but do not introduce separation between systems and applications. Monitoring would allow visibility but does not meet the goal Rick has. Least privilege is an effective practice to ensure only the rights required are in place, but again this does not meet the goal.

37. Rick has three major categories of data and applications in use in his virtualization environment: highly sensitive; business sensitive; and unclassified, or public information. He wants to ensure that data and applications of different sensitivity are not compromised in the event of a breach. What mitigation technique is best suited to this type of requirement? A. Application allow lists B. Monitoring C. Least privilege D. Segmentation

38. B. This is vishing, or using voice calls for phishing. Spear phishing is targeting a small, specific group. War dialing is dialing numbers hoping a computer modem answers. Robocalling is used to place unsolicited telemarketing calls.

38. Users in your company report someone has been calling their extension and claiming to be doing a survey for a large vendor. Based on the questions asked in the survey, you suspect that this is a scam to elicit information from your company's employees. What best describes this? A. Spear phishing B. Vishing C. War dialing D. Robocalling

39. C. This is an example of a least privilege implementation where only the privileges required are issued. The checkout process is a modern addition to least privilege environments where even privileges needed are only issued temporarily, making least privilege even more secure. Segmentation and isolation are used to separate systems or environments, and configuration enforcement is used to ensure that configurations continue to be set as expected.

39. As part of a zero-trust environment, Quentin is given rights that he needs only when he needs them through a checkout process and they are then removed when he is done. What mitigation technique best describes this solution? A. Segmentation B. Isolation C. Least privilege D. Configuration enforcement

4. C. Using appropriate contractual terms is usually the best available option for handling third-party vendor risk. The terms can include things like security practices, such as pentesting, incident response exercises, and vulnerability scanning, and can also have sufficient penalties to ensure ongoing compliance from responsible companies.

4. The company that Yarif works for uses a third-party IT support company to manage their cloud-hosted web application infrastructure. How can Yarif best address concerns about potential threat vectors via the managed service provider (MSP)? A. Conduct regular vulnerability scans B. Use shared incident response exercises to prepare. C. Ensure appropriate contractual coverage for issues. D. Require the MSP to have an annual pentest.

40. A. An insecure, unencrypted, unprotected wireless network will have all of its traffic exposed. If the network is not using WPA-2 or WPA-3, it is trivial to observe network traffic even if an old protocol like WEP was in use, since WEP's encryption can be broken quickly with freely available tools.

40. While performing a scan for wireless networks, Lisa discovers a network that does not use WPA-2 or WPA-3. What network traffic information can she recover from devices using this network? A. All network traffic B. Network packet headers, but not packet data C. Network packet data, but not headers D. DNS and DHCP queries, but not network packet data

41. B. Zero-day exploits are new, and they are not in the virus definitions for the antivirus (AV) programs. This makes them difficult to detect, except by their behavior. Remote-access Trojans (RATs), worms, and rootkits are more likely to be detected by AV programs.

41. Jared is responsible for network security at his company. He has discovered behavior on one computer that certainly appears to be a virus. He has even identified a file he thinks might be the virus. However, using three separate antivirus programs, he finds that none can detect the file. Which of the following is most likely to be occurring? A. The computer has a RAT. B. The computer has a zero-day exploit. C. The computer has a worm. D. The computer has a rootkit.

42. C. Brute force tries every possible combination with small changes each time. Dictionary attacks use a list of words that are believed to be likely passwords. A rainbow table is a precomputed table of hashes. Session hijacking is when the attacker takes over an authenticated session.

42. John has discovered that an attacker is trying to get network passwords by using software that attempts a series of passwords with a minor change each time the password is tried. What type of attack is this? A. Dictionary B. Rainbow table C. Brute force D. Session hijacking

43. C. A nation-state advanced persistent threat (APT) involves sophisticated (i.e., advanced) attacks over a period of time (i.e., persistent). A distributed denial-of-service (DDoS) could be a part of an APT, but in and of itself is unlikely to be an APT. Brute force attempts every possible random combination to get the password or encryption key. In a disassociation attack, the attacker attempts to force the victim into disassociating from a resource.

43. Fares is the network security administrator for a company that creates advanced routers and switches. He has discovered that his company's networks have been subjected to a series of advanced attacks by an attacker sponsored by a government over a period of time. What best describes this attack? A. DDoS B.Brute force C.Nation-state D.Disassociation attack

44. B. Phishing is not commonly used to acquire email addresses. Phishing emails target personal information and sensitive information like passwords and credit card numbers in most cases.

44. What type of information is phishing not commonly intended to acquire? A.Passwords B. Email addresses C. Credit card numbers D.Personal information

45. B. A keylogger is a software or hardware tool used to capture keystrokes. Keyloggers are often used by attackers to capture credentials and other sensitive information. A rootkit is used to obtain and maintain administrative rights on a system, and a worm is a self-spreading form of malware that frequently targets vulnerable services on a network to spread.

45. Scott discovers that malware has been installed on one of the systems he is responsible for. Shortly afterward, passwords used by the user that the system is assigned to are discovered to be in use by attackers. What type of malicious program should Scott look for on the compromised system? A. A rootkit B. A keylogger C. A worm D. None of the above

46. D. Acquisition via the gray market can lead to lack of vendor support, lack of warranty coverage, and the inability to validate where the devices came from. Nick should express concerns about the supply chain, and if his devices need to be from a trusted source or supplier with real support he may need to change his organization's acquisition practices.

46. Nick purchases his network devices through a gray market supplier that imports them into his region without an official relationship with the network device manufacturer. What risk should Nick identify when he assesses his supply chain risk? A. Lack of vendor support B.Lack of warranty coverage C. Inability to validate the source of the devices D. All of the above

47. B. A host-based firewall is an excellent first line of defense for systems that will be deployed to untrusted networks. EDR and XDR are useful for preventing malicious software installs like ransomware, but they do not directly protect against network-based attacks, and disk encryption is a confidentiality control, not a useful tool to prevent network-based attacks.

47. Naomi is preparing a laptop for a traveling salesperson who frequently needs to connect to untrusted hotel networks. What hardening technique can she use to provide the greatest protection against network-based attacks on untrusted networks? A. Install an endpoint detection and response tool. B. Install a host-based firewall. C. Install an extended detection and response tool. D. Install a disk encryption tool.

48. C. The marketing team has created a shadow IT solution: a solution put in place without central or formal IT support, typically without IT's assistance or awareness. This creates a risk to the organization due to lack of support and may bring additional risks like licensing and compliance risks. The team did not intend to create an issue and is not actively working against the organization, meaning that they are not unskilled attackers, insider threats, or hacktivists.

48. While conducting a vulnerability scan of her network, Susan discovers that a marketing staff member has set up their own server running a specialized marketing tool. After inquiring about the server, which is vulnerable due to missing patches, Susan discovers that the team set it up themselves because of a need that was not met by existing tools. What type of threat actor has Susan encountered? A. An unskilled attacker B. An insider threat C. Shadow IT D. A hacktivist

49. A. Resource inaccessibility is a common symptom of a denial-of-service attack. Impossible travel is typically found in log events through correlation. Missing logs are frequently indicators of compromised accounts deleting logs, and blocked content is most likely due to reputation service usage.

49. Which of the following indicators is most commonly associated with a denial-of-service attack? A. Resource inaccessibility B. Impossible travel C. Missing logs D. Blocked content

5. B. This is an example of a virtual machine (VM) escape vulnerability. Jailbreaking and sideloading are terms used to describe mobile device-related means of violating security, and resource reuse is a VM concern if data is not properly removed before a resource is given to another VM.

5. Jill's organization has received an advisory about a flaw that could allow software running on a virtual machine to execute code on the system that is running the VM hypervisor. What type of vulnerability is this? A. A resource reuse issue B.A VM escape issue C.A jailbreaking issue D. A sideloading issue

50. B. Since the drives stored sensitive data and no mention of encryption was made, the drives should be physically destroyed to ensure that no data leakage can occur. It is not necessary to destroy the entire system to ensure this. Reformatting drives does not wipe data, and simply removing the system from inventory is typically part of the process but does not protect organizational data.

50. Henry wants to decommission a server that was used to store sensitive data. What step should he take to ensure the decommissioning process protects the organization's data? A. Reformat the drives as part of the decommissioning process. B. Physically destroy the drives as part of the decommissioning process. C. Remove the system from organizational inventory as part of the decommissioning process. D. Physically destroy the entire system as part of the decommissioning process.

51. B. A security information and event management tool (SIEM) is designed to ingest and analyze large volumes of logs and then alert on issues and events. Centralized logging is useful but needs additional tools to alert on issues. An IPS is used to detect and potentially respond to network-based attacks, not to gather and analyze logs, and EDR tools are useful for monitoring endpoints, not for large-scale log ingestion and analysis.

51. Renee has a large number of workstations and servers in her corporate environment and wants to more effectively monitor logs for them. What solution from the following list is best suited to identifying and alerting on issues in a large-scale environment? A. Centralized logging B.A SIEM C. An IPS D.An EDR

52. C. Patrick knows that the first thing he should do is change the administrator password. Any further security changes, including updating firmware and disabling unnecessary services, can be made once the administrative account has been properly secured. Changing the default IP address does not necessarily improve security for the device.

52. Patrick is reviewing potential attack surfaces for his small business and recently deployed new networked printers for each of his three locations. What should his first action be to begin to properly secure their web management interfaces? A. Update the firmware. B. Change their default IP address. C. Change the default administrator password. D. Disable unnecessary services.

53. B. Paul knows that SSH typically uses port 22, HTTP uses port 80, and HTTPS uses port 443. HTTP is the only unencrypted protocol from that list, and thus he should disable port 80.

53. Paul has performed an nmap scan of a new network-connected device. He notices TCP ports 22, 80, and 443 are open. If his hardening guidelines only allow encrypted management interfaces, what port or ports should he disable from this list? A. 22 B. 80 C. 22 and 80 D. 80 and 443

54. C. An on-path attack redirects traffic to allow an attacker to see and potentially modify the traffic, as shown in the graphic. SQL injection is accomplished by inserting SQL into web queries or application traffic, denial-of-service will target a service and no indication of that is shown, and a directory traversal attack will typically show directory manipulation like ../../.

54. The following graphic shows a network connection between two systems, and then a network-based attack. What type of attack is shown? A. A denial-of-service attack B. A SQL injection attack C. An on-path attack D. A directory traversal attack

61. D. Annie's company is facing a disinformation campaign. If users were simply getting facts wrong, this would be misinformation, but since bots are intentionally misstating information, it is disinformation. Pretexting would attempt to exploit human behaviors to explain why something needed to occur or why an attacker was asking for something. Impersonation occurs when an attacker pretends to be someone they are not.

61. Annie's organization has been facing negative social media campaigns for months and is struggling to address them. Numerous bot posts about the company are providing incorrect information about the company. What type of attack is Annie's company facing? A. A misinformation campaign B. A pretexting campaign C. An impersonation campaign D. A disinformation campaign

62. B. In many cases, the best option to limit the attack surface of messaging applications is to use a trusted, internally managed organizational instance rather than public tools or instances. EDR, firewalls, and IPS are not as effective with messaging-based attacks.

62. Ines is concerned about messaging through tools like Discord and Slack as attack vectors. What can she do to most effectively limit the attack surface for threats like this? A. Deploy EDR tools to all workstations and devices. B. Deploy an organizational communication tool or instance instead of using public tools. C. Deploy messaging-aware firewalls. D. Deploy messaging-aware IPS systems.

63. C. End-of-life announcements typically mean that the equipment is no longer being produced or sold. The equipment will typically have a longer supported life, so Ana can continue to use it but should plan for what to do when end-of-support occurs. At that time, replacing it, isolating it, or purchasing third-party support are all possible solutions depending on Ana's needs.

63. Ana's vendor has informed her that the hardware her organization uses is considered end-of-life. What should Ana do? A. Identify replacement hardware and purchase it immediately. B. Purchase an extended support contract from a third-party vendor. C. Begin plans to phase out the equipment before it reaches end-of-support. D. Install final patches and then isolate the hardware from the network.

64. A. Removable devices like USB thumb drives, digital picture frames, and even keyboards and mice with onboard storage rely on autorun.inf files to automatically run software they provide. While that functionality typically focuses on printing, opening folders, or running media players, it can also be leveraged to automatically run malware. For this reason, many organizations ban removable drives or prohibit autorun from working. Open service ports are commonly associated with applications and services, and autorun doesn't set up or run these, nor does it impact Wi-Fi. Watering hole attacks require attackers to compromise or gain access to a site that targets commonly visit so that they deliver malware to their targets.

64. What threat vector is most impacted by how Windows handles autorun.inf files? A. Removable devices B. Open service ports C. Unsecure Wi-Fi D. Watering hole attacks

65. C. Raj knows that removing unnecessary software reduces a system's attack surface and also means that he won't have to patch and maintain the software he removes. Encrypting a drive, installing EDR, and changing default passwords won't reduce patch management, but EDR and changing default passwords could help with remote exploit prevention.

65. Raj wants to reduce the attack surface for a newly purchased laptop. What hardening technique will help him reduce the possibility of remote exploits while also decreasing the amount of ongoing patch management he needs to do for the system? A. Encrypt the system's boot drive. B. Install EDR software. C. Remove unnecessary software. D.Change any default passwords.

66. C. A race condition can occur when multiple threads in an application are using the same variable and the situation is not properly handled. A buffer overflow is attempting to put more data in a buffer than it is designed to hold. A logic bomb is malware that performs its misdeed when some logical condition is met. As the name suggests, improper error handling is the lack of adequate or appropriate error handling mechanisms within software.

66. Mary has discovered that a web application used by her company does not always handle multithreading properly, particularly when multiple threads access the same variable. This could allow an attacker who discovered this vulnerability to exploit it and crash the server. What type of error has Mary discovered? A. Buffer overflow B. Logic bomb C. Race conditions D. Improper error handling
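As an added example for question 66 (not code from the original page), the following Go program shows the flaw in miniature: several goroutines increment one shared variable. The increment is a load, an add, and a store, so without synchronization the updates interleave and the final count is unpredictable; a real application that keeps state in such a variable can corrupt it or crash. The mutex version is the fix. The worker and iteration counts are arbitrary choices for the example.

```go
package main

import (
	"fmt"
	"sync"
)

// Constructed example: eight goroutines each add 10,000 to one shared counter.
// The expected total is workers*perWorker; only the synchronized version reaches it.
const workers = 8
const perWorker = 10000

// unsafeCounter is the vulnerable version: unsynchronized writes to a shared int.
func unsafeCounter() int {
	var count int
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := 0; i < perWorker; i++ {
				count++ // data race: load, add, and store are not atomic
			}
		}()
	}
	wg.Wait()
	return count
}

// safeCounter is the fixed version: every access to count is serialized by a mutex.
func safeCounter() int {
	var count int
	var mu sync.Mutex
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := 0; i < perWorker; i++ {
				mu.Lock()
				count++
				mu.Unlock()
			}
		}()
	}
	wg.Wait()
	return count
}

func main() {
	fmt.Println("expected:", workers*perWorker)
	fmt.Println("unsafe:  ", unsafeCounter()) // typically lower: lost updates
	fmt.Println("safe:    ", safeCounter())
}
```

Running the program with the race detector enabled (`-race`) reports the unsynchronized access in unsafeCounter explicitly, which is the check a reviewer would run on code like the web application in the question.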

67. A. A monitored camera system will detect the broadest range of attacks. Guards will only detect brute-force attacks when they are in the area, and cameras can cover more spaces at once. Inspections may miss attacks where camera recordings and monitoring can show failed and successful attacks. An alarm system won't detect attacks by insiders, who may access spaces they have access to in order to perform malicious actions.

67. Allan wants to detect brute-force physical attacks. What should he do if he wants to detect the broadest range of physical attacks? A. Deploy a monitored security camera system. B. Hire a guard to patrol the facility. C. Conduct regular inspections of the facility. D. Set up an alarm system.

68. C. Images are not a common threat vector via SMS. Malicious links, phishing via text, and multifactor authentication (MFA) exploits, including sending MFA notices until the recipient approves an MFA request, are all common SMS-related threat vectors.

68. Which of the following is not a common threat vector associated with SMS-based attacks? A. Malicious links B. SMS-based phishing C. SMS-delivered images D. MFA exploits

69. B. Jennifer should note this as out-of-cycle logging. It could simply indicate a flaw in the script or another innocuous issue, or it could indicate an attacker exploring scripts to identify what information can be obtained. Concurrent session use occurs when a session is in use from multiple browsers or systems, missing logs are when logs are entirely missing or empty rather than occurring with more frequency than expected, and impossible travel occurs when events or logins occur from different locations by the same user who could not have traveled that distance in the time between the events.

69. During a regular review of logs, Jennifer notices that a regularly scheduled script that copies files to another server every hour has run multiple times within the last hour. What indicator of compromise should she categorize this as? A. Concurrent session use B.Out-of-cycle logging C. Missing logs D. Impossible travel

7. B. Wi-Fi Protected Access 3 (WPA-3) is the most modern, most secure option from the list. WPA-4 does not currently exist as of this writing. WPA-2 Enterprise requires an authentication server and is less secure than WPA-3, while WPA-2 Personal allows for a single, set password.

7. The company that Gary works for has deployed a wireless network. Which of the following network options is the most secure? A.WPA-2 Personal B.WPA-3 C.WPA-2 Enterprise D.WPA-4

71. B. Access control lists (ACLs) allow or deny traffic based on rules that include protocol, IP addresses, ports, and other details. They do not understand packet content and simply assess traffic based on these basic rules. A HIPS is a host-based intrusion prevention system and is not installed between subnets. Least privilege is a concept, not an application or security tool, and VLANs are used to segment traffic but do not themselves control traffic this way. Instead, VLANs are often combined with ACLs to control network traffic and ensure segmentation.

71. Kathleen wants to control network traffic between subnets using her Cisco network devices. What built-in capability can she use to allow or deny traffic based on port, protocol, and IP address? A. A HIPS B. ACLs C. Least privilege lists D. VLANs

72. D. Encryption is used to preserve confidentiality. Availability controls work to ensure that assets remain accessible and usable, and encryption can actually work against this in some circumstances, such as if a key is lost or the encrypted file becomes corrupted. Encryption is not used directly to preserve least privilege, nor does it preserve physical security.

72. What is the primary purpose of encryption as a control in enterprise environments? A. To preserve availability B. To support physical security C. To preserve least privilege D. To preserve confidentiality

73. B. Cross-site request forgery (XSRF or CSRF) sends fake requests to a website that purport to be from a trusted, authenticated user. Cross-site scripting (XSS) exploits the trust the user has for the website and embeds scripts into that website. Bluejacking is a Bluetooth attack. Nothing in this scenario requires or describes an evil twin, which is an attack that uses a malicious access point that duplicates a legitimate AP.

73. What type of attack exploits the trust that a website has for an authenticated user to attack that website by spoofing requests from the trusted user? A. Cross-site scripting B. Cross-site request forgery C. Bluejacking D. Evil twin

74. A. Both commercial and private threat feeds can be used by security tools like SIEM, EDR, and XDR systems to provide them with current information about indicators of compromise. A real-time blackhole list (RBL) and an IP reputation feed are examples of specific threat feeds but are not as broad as threat feeds. Vulnerability definitions are typically integrated with vulnerability scanners, but again are a narrower option than a threat feed.

74. Dana wants to use documented and published IoCs as part of her threat-hunting activities. What should she look for to integrate with her SIEM or other security tools? A. Threat feeds B. A real-time blackhole list C. A vulnerability feed D. An IP reputation feed

75. B. Joseph is most likely fighting a virus, which is capable of copying itself to new locations. A Trojan is malware that is disguised to look like desirable software, a keylogger captures keystrokes, and a rootkit is intended to allow attackers to retain access to compromised systems.

75. The malware that Joseph is working to counter has copied itself to workstations across his environment due to a central, shared fileshare. What type of malware is Joseph most likely fighting? A.A Trojan B. A virus C.A keylogger D.A rootkit

76. D. Placing a larger integer value into a smaller integer variable is an integer overflow. Memory overflow is not a term used, and a memory leak is about allocating memory and not deallocating it. Buffer overflows often involve arrays. Variable overflow is not a term used in the industry.

76. You are responsible for software testing at Acme Corporation. You want to check all software for bugs that might be used by an attacker to gain entrance into the software or your network. You have discovered a web application that would allow a user to attempt to put a 64-bit value into a 4-byte integer variable. What is this type of flaw? A. Memory overflow B. Buffer overflow C. Variable overflow D. Integer overflow
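As an added example for question 76 (not code from the original page), the Go program below shows what actually happens when a 64-bit value is narrowed into a 4-byte integer and why it matters: the conversion silently discards the upper 32 bits, so an attacker-chosen length that is far too large can turn into a small value that passes a size check. The length field, the 1 MiB limit, and the attacker value are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Constructed scenario: a 64-bit length from an untrusted message is stored in
// an int32 before a "length <= limit" check, which is the flaw in the question.

// narrowUnchecked reproduces the bug. Go's int64 -> int32 conversion keeps only
// the low 32 bits, so 4294967312 (2^32 + 16) becomes 16 and 2^31 becomes negative.
func narrowUnchecked(length int64) int32 {
	return int32(length) // silent truncation
}

var errOutOfRange = errors.New("length does not fit in int32")

// narrowChecked is the fix: reject anything outside the target type's range
// before converting, instead of trusting the converted value.
func narrowChecked(length int64) (int32, error) {
	if length < 0 || length > math.MaxInt32 {
		return 0, errOutOfRange
	}
	return int32(length), nil
}

// allocationOK models the size check that the truncated value slips past.
func allocationOK(length int32, limit int32) bool {
	return length >= 0 && length <= limit
}

func main() {
	const limit = 1 << 20             // 1 MiB buffer cap (assumed)
	attacker := int64(1<<32 + 16)     // 4294967312, well over the cap
	small := narrowUnchecked(attacker) // 16 after truncation
	fmt.Println("truncated length:", small, "passes check:", allocationOK(small, limit))
	_, err := narrowChecked(attacker)
	fmt.Println("checked conversion:", err)
}
```

The same pattern applies to any language with fixed-width integers; the defensive rule is to range-check in the wider type, never after the narrowing conversion.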

77. A. Until more is known, the best route for security administrators is to review the authentication logs in order to gather more information that can indicate whether an issue or security event has occurred. While Keith didn't indicate that he had failed login attempts, it's possible another user mistyped a user ID or that something else happened. Interviewing Keith might help but would provide less information if something malicious or accidental is happening, and the interview process would delay that analysis. Changing his password isn't immediately necessary: the backoff is triggered by failed logins, not successful ones. Without more information, starting the incident response (IR) process may not be appropriate. If it can be shown that an attack occurred and was successful, the IR process should be started.

77. The company that Keith works for uses a backoff algorithm that increases the time between when login attempts are allowed after each failed login. Keith has recently attempted to log in and found that his account is not able to log in again for 15 minutes. What should the security administrators at Keith's organization do to find potential indicators of malicious activity? A. Review authentication logs. B. Interview Keith about his recent logins. C. Change Keith's password and check error logs D. Report an incident and start the incident response process.

78. C. Environmental monitoring involves things like temperature, water or flood sensors, and other detection capabilities that help organizations know if a natural disaster or other environmental issue has occurred. Video cameras cannot detect many of these and are not typically deployed to places where they would detect things like under-floor leaks or floods. Intrusion alarm systems do not provide this type of detection, and log analysis would require environmental monitoring sensors.

78. Grayson's organization is concerned about environmental attacks against their datacenter. What type of monitoring is best suited to detecting environmental attacks in a scenario like this? A. Video cameras B. Intrusion alarm systems C. Temperature monitoring sensors D. Log analysis

79. A. Jack's team has created a shadow IT scenario by purchasing and using software without the awareness or engagement of central IT. They may be an inadvertent threat, but the term is not used to describe threat actors. They're not an intentional threat, and thus aren't an insider threat, and internal espionage actors is not a term used for the Security+ exam.

79. Jack's team in HR is paying for an SaaS tool using their HR expense account credit cards without the knowledge of central IT. What type of threat actor does this make Jack's HR team? A. Shadow IT B. An inadvertent threat C. Internal espionage actors D. An insider threat

81. D. The Linux kernel is part of the operating system, so the fix is an OS patch. There is no separate application to patch. Installing a HIPS might help, but the issue dates from 2018, meaning that a patch almost certainly exists. If no patch were available and this were a new vulnerability, segmentation might be a useful immediate response to reduce risk.

81. Jared's organization runs Linux servers, and recent vulnerability scans show that the servers are vulnerable to an issue that is described as follows: CVE-2018-5703: tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.14.11 allows attackers to cause a denial of service (slab out-of-bounds write). What is Jared's best option to remediate a kernel vulnerability like this? A. Patch the application. B. Install a HIPS with appropriate rules. C. Segment the systems away from the Internet to reduce risk. D. Patch the operating system.

82. C. Collision attacks target hashes and attempt to produce a file that results in the same hash algorithm output but with different content that they can control.

82. What is the likely outcome of a cryptographic collision attack? A. Attackers can decrypt a file without the private key B. Two files that have the same encrypted output but are different files. C. Two files that both have the same hash but have different contents. D. Attackers can decrypt the file without the public key.
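As an added example for question 82 (not code from the original page), the Go program below produces the outcome the answer describes: two different contents with the same hash. A collision against full SHA-256 is out of reach, so the example assumes a system that compares only the first 24 bits of the digest (a short "checksum", an assumption for the example). That is enough for a birthday attack: after a few thousand candidates, two distinct files share the truncated hash, so one could be substituted for the other without the check noticing. The file-name template is also an assumption.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// truncBits is the (assumed) number of digest bits the weak integrity check compares.
const truncBits = 24

// shortHash returns the first truncBits of SHA-256 over data.
func shortHash(data []byte) uint32 {
	sum := sha256.Sum256(data)
	return binary.BigEndian.Uint32(sum[:4]) >> (32 - truncBits)
}

// findCollision generates candidate contents from a template and a counter until
// two different candidates produce the same truncated hash (birthday attack).
// Expected work is on the order of 2^(truncBits/2) hashes, not 2^truncBits.
func findCollision(template string) (a, b []byte, h uint32) {
	seen := make(map[uint32][]byte)
	for i := 0; ; i++ {
		cand := []byte(fmt.Sprintf("%s#%d", template, i))
		hv := shortHash(cand)
		if prev, ok := seen[hv]; ok {
			return prev, cand, hv
		}
		seen[hv] = cand
	}
}

func main() {
	a, b, h := findCollision("update-v1.2.bin")
	fmt.Printf("collision on %d-bit hash %06x:\n  %q\n  %q\n", truncBits, h, a, b)
	fmt.Println("full SHA-256 equal?", sha256.Sum256(a) == sha256.Sum256(b)) // false
}
```

The practical lesson is the one behind the question: an integrity check is only as strong as the number of hash bits it actually compares, and a hash that is cryptographically broken (or truncated) lets an attacker craft a second file that verifies as the first.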

83. C. The first step in securing a consumer-grade router is to change the default password. Once that has been completed, updating the firmware, turning off unneeded services, and running a vulnerability scan are all common steps. Routers typically do not have unnecessary software running.

83. Sarah is working with a small business and noticed that they have a consumer-grade wireless router serving their business. What common hardening checklist item should she validate first as part of securing the device? A. Removing unnecessary software B. Running a vulnerability scan C. Ensuring the default password has been changed D. Ensuring that unneeded ports have been disabled

84. B. Ensuring that any volume that is used in a virtual environment is encrypted when created will prevent reuse concerns because data will be unrecoverable even if encrypted data was accessible when drive space was reallocated. Firmware updates, cluster sizes, and reformatting do not properly address this issue.

84. What technique most effectively prevents resource reuse concerns for storage in a virtual environment? A. Firmware updates B. Volume encryption C. Minimizing cluster size D. Reformatting drives

85. C. Data exfiltration, blackmail, and financial gain are all common motivations for ransomware actors. Revenge is not a common ransomware actor motivation.

85. Michelle is modeling threat actor motivation for her organization and wants to describe ransomware actors. What motivation is not commonly associated with ransomware? A. Data exfiltration B. Blackmail C. Revenge D. Financial gain

86. C. Botnets are often used to launch DDoS attacks, with the attack coming from all the computers in the botnet simultaneously. Phishing attacks attempt to get the user to give up information, click on a link, or open an attachment. Adware consists of unwanted pop-up ads. A Trojan horse attaches malware to a legitimate program.

86. Which of the following is commonly used in a distributed denial-of-service (DDoS) attack? A. Phishing B. Adware C. Botnet D. Trojan

87. B. Amanda has discovered an insider threat. Insider threats can be difficult to discover, as a malicious administrator or other privileged user will often have the ability to conceal their actions or may actually be the person tasked with hunting for threats like this! This is not a zero-day attack, since no vulnerability was mentioned; there was no misconfiguration, since this was an intentional action; and encryption is not mentioned or discussed.

87. Amanda discovers that a member of her organization's staff has installed a remote-access Trojan on their accounting software server and has been accessing it remotely. What type of threat has she discovered? A. Zero-day B. Insider threat C. Misconfiguration D. Weak encryption

88. B. Disinformation campaigns seek to achieve the goals of the attacker or owner of the campaign. They leverage social media using bots and groups of posters to support the ideas, concepts, or beliefs that align with the goals of the campaign. Impersonation is a type of social engineering attack where the attacker pretends to be someone else. A watering hole attack places malware or malicious code on a site or sites that are frequently visited by a targeted group. Asymmetric warfare is warfare between groups with significantly different power or capabilities.

88. Postings from Russian agents during the 2016 U.S. presidential campaign to Facebook and Twitter are an example of what type of effort? A. Impersonation B. Disinformation C. Asymmetric warfare D. A watering hole attack

89. B. Nation-state actors often have greater resources and skills, making them a more significant threat and far more likely to be associated with an advanced persistent threat. Unskilled attackers (also known as script kiddies), hacktivists, and insider threats tend to be less capable and are all far less likely to be associated with an APT.

89. Which of the following threat actors is most likely to be associated with an advanced persistent threat (APT)? A. Hacktivists B. Nation-state actors C. Unskilled attacker D. Insider threats

9. C. There are many indicators of compromise (IoCs), including unusual outbound network traffic, geographical irregularities like logins from a country where the person normally does not work, or increases in database read volumes beyond normal traffic patterns. Predictive analysis is analysis work done using datasets to attempt to determine trends and likely attack vectors so that analysts can focus their efforts where they will be most needed and effective. OSINT is open source intelligence, and threat maps are often real-time or near-real-time visualizations of where threats are coming from and where they are headed.

9. Unusual outbound network traffic, geographical irregularities, and increases in database read volumes are all examples of what key element of threat intelligence? A. Predictive analysis B.OSINT C. Indicators of compromise D. Threat maps
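As an added example for questions 9 and 69 (not code from the original page), the Go program below runs two of the indicator checks described above over a small constructed log: out-of-cycle logging (an hourly job that runs several times within one hour, as in question 69) and a geographical irregularity in the form of impossible travel (the same user logging in from two places too far apart for the elapsed time). The log format, the sample lines, the coordinates and the 1000 km/h travel threshold are all assumptions made for the example; a real SIEM would take the coordinates from a geolocation lookup on the source IP.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
	"time"
)

// Constructed log, format: <RFC3339 time> <kind> <user-or-job> [<lat> <lon>]
const sampleLog = `2024-03-01T08:00:00Z cron filecopy
2024-03-01T09:00:00Z cron filecopy
2024-03-01T09:02:10Z login alice 47.61 -122.33
2024-03-01T09:17:44Z cron filecopy
2024-03-01T09:18:03Z cron filecopy
2024-03-01T09:41:55Z login alice 51.51 -0.13
2024-03-01T09:50:00Z login bob 40.71 -74.01
2024-03-01T10:00:00Z cron filecopy
2024-03-01T13:30:00Z login bob 41.88 -87.63`

type event struct {
	at       time.Time
	kind     string
	who      string
	lat, lon float64
}

// parseLog turns the constructed format above into events, rejecting malformed lines.
func parseLog(raw string) ([]event, error) {
	var out []event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		e := event{at: at, kind: f[1], who: f[2]}
		if len(f) == 5 {
			if e.lat, err = strconv.ParseFloat(f[3], 64); err != nil {
				return nil, err
			}
			if e.lon, err = strconv.ParseFloat(f[4], 64); err != nil {
				return nil, err
			}
		}
		out = append(out, e)
	}
	return out, nil
}

// outOfCycle buckets runs of job by the expected period and reports every
// period in which the job ran more than once (out-of-cycle logging).
func outOfCycle(events []event, job string, period time.Duration) []time.Time {
	counts := map[time.Time]int{}
	var order []time.Time
	for _, e := range events {
		if e.kind != "cron" || e.who != job {
			continue
		}
		b := e.at.Truncate(period)
		if counts[b] == 0 {
			order = append(order, b)
		}
		counts[b]++
	}
	var flagged []time.Time
	for _, b := range order {
		if counts[b] > 1 {
			flagged = append(flagged, b)
		}
	}
	return flagged
}

// haversineKm is the great-circle distance between two points on Earth.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const r = 6371.0
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * r * math.Asin(math.Sqrt(a))
}

// impossibleTravel reports users whose consecutive logins imply a speed above maxKmh.
func impossibleTravel(events []event, maxKmh float64) []string {
	last := map[string]event{}
	var flagged []string
	for _, e := range events {
		if e.kind != "login" {
			continue
		}
		if p, ok := last[e.who]; ok {
			hours := e.at.Sub(p.at).Hours()
			if hours > 0 && haversineKm(p.lat, p.lon, e.lat, e.lon)/hours > maxKmh {
				flagged = append(flagged, e.who)
			}
		}
		last[e.who] = e
	}
	return flagged
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("out-of-cycle periods:", outOfCycle(events, "filecopy", time.Hour))
	fmt.Println("impossible travel:   ", impossibleTravel(events, 1000))
}
```

On the sample data the 09:00 hour is flagged because the hourly copy job ran three times in it, and alice is flagged because a Seattle login followed by a London login 40 minutes later implies a speed of well over 10,000 km/h; bob's New York to Chicago logins several hours apart are within the threshold and are not reported.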

99. A. In order to deliver a malicious update that uses a signing certificate, Eric will need to gain access to the private key for the signing certificate. The public key is exactly that public-and having it will not allow Eric to sign the update. Hashes and collisions are not needed for this type of exploit.

99. Eric is conducting a penetration test and wants to release a malicious update for an organization's application. The organization uses public key encryption to sign updates. What does Eric need to deliver an update that systems will accept? A. The private key for the signing certificate B. A collision with the hashed value of a legitimate update C. The public key for the signing certificate D. A collision with the hashed value of a malicious update
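As an added example for question 99 (not code from the original page), the Go program below uses Ed25519 from the standard library to show why only the private key will do. The vendor's pipeline signs the update with its private key; clients hold only the public key and verify before installing. Reusing a legitimate signature on a modified payload fails, and so does signing the payload with a key the attacker generated, which is exactly Eric's position without the signing certificate's private key. The update bytes and key handling are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// signUpdate is what the vendor's release pipeline does with its private key.
func signUpdate(priv ed25519.PrivateKey, update []byte) []byte {
	return ed25519.Sign(priv, update)
}

// verifyUpdate is what the client does before installing; only the public key is needed.
func verifyUpdate(pub ed25519.PublicKey, update, sig []byte) bool {
	return ed25519.Verify(pub, update, sig)
}

func main() {
	// Constructed vendor key pair; in practice the private half never leaves the signing system.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	legit := []byte("app-update-2.0: harmless bytes")
	sig := signUpdate(vendorPriv, legit)
	fmt.Println("legitimate update verifies:   ", verifyUpdate(vendorPub, legit, sig))

	// Attack 1: keep the vendor's signature but swap the payload.
	malicious := []byte("app-update-2.0: backdoor")
	fmt.Println("tampered payload, reused sig: ", verifyUpdate(vendorPub, malicious, sig))

	// Attack 2: sign the payload with a key the attacker generated. The client only
	// trusts the vendor's public key, so this is rejected as well.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := signUpdate(attackerPriv, malicious)
	fmt.Println("attacker-signed payload:      ", verifyUpdate(vendorPub, malicious, forged))
}
```

The check that matters on the client side is that verification is bound to a pinned public key, not to whatever key is shipped alongside the update; otherwise an attacker simply ships their own key with the malicious package.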

90. B. Amplification attacks typically use spoofed User Datagram Protocol (UDP) queries sent to servers to increase the volume of traffic sent in response to the target. Erica's process might involve identifying large DNS responses she can get with a small query, then spoofing a target system's IP address in the packets she sends to DNS servers. They would then respond with the large responses, amplifying her requests and creating a distributed denial-of-service attack by using many servers to amplify her traffic. This doesn't require reversing an IP address, conducting an on-path attack, or spoofing the responses from the servers.

90. Erica wants to conduct an amplified DDoS attack against a system. What key step is required as part of her attack? A. Reversing the target's IP address B. Spoofing the target's IP address C. Conducting an on-path attack to send traffic to the target D. Spoofing responses from the amplification system to the target

91. D. The fact that the website is defaced in a manner related to the company's public policies indicates that the attackers were most likely engaging in hacktivism to make a political or belief-based point. Scripts, nation-state actors, and organized crime actors don't account for the statements adverse to the company's policies, which is why hacktivism is the most likely cause.

91. Daryl is investigating a recent breach of his company's web server. The attacker used sophisticated techniques and then defaced the website, leaving messages that were denouncing the company's public policies. He and his team are trying to determine the type of actor who most likely committed the breach. Based on the information provided, who was the most likely threat actor? A. A script B. A nation-state C. Organized crime D. Hacktivists

92. B. Pretexting and impersonation are common elements in voice call-based attacks. Watering hole attacks leverage commonly visited websites, disinformation is when incorrect information is intentionally provided to change public opinion and could be part of a voice campaign but is not the most common element, and business email compromise (BEC) requires an email to be used, not a voice call.

92. Which of the following human vectors is most likely to be part of a voice call-based attack? A. A watering hole attack B. Pretexting C. Disinformation D. BEC

93. C. Agentless software does not have an agent installed that can be targeted. That means that the server or control system is the only target for attackers. Agentless software can still consume resources as queries and actions are taken by the server or control plane. Client-based software often has better insights into systems and may offer additional security features if it is a security tool. Client-based software and agentless software can both be patched to address security issues.

93. What is the primary difference in threat vectors between agent (client-based) and agentless software deployments? A. Agentless software does not consume resources and thus cannot result in a resource consumption-based denial-of-service condition. B. Client-based software provides a better view of system resources and is able to manage its resource consumption better to avoid issues. C. Agentless software does not have an agent that may be potentially vulnerable to attack. D. Client-based software allows for greater security because it can be patched.

94. B. Password spraying is a specific type of brute-force attack that uses a smaller list of common passwords against many accounts to attempt to log in. Although brute forcing is technically correct, the best match here is password spraying. When you encounter questions like this on the exam, make sure you provide the most accurate answer, rather than one that fits but that may not be the best answer. Limited login attacks is a made-up answer, and spinning an account refers to changing the password for an account, often because of a compromise or to prevent a user from logging back into it while preserving the account.

94. Angela reviews the authentication logs for her website and sees attempts from many different accounts using the same set of passwords. What is this attack technique called? A. Brute forcing B. Password spraying C. Limited login attacks D. Account spinning

95. B. A privilege escalation attack can occur horizontally, where attackers obtain similar levels of privilege but for other users, or vertically, where they obtain more advanced rights. In this case, Charles has discovered a vertical privilege escalation attack that has allowed the attacker to obtain administrative rights. Cross-site scripting and SQL injection are both common types of web application attacks, and a race condition occurs when data can be changed between when it is checked and when it is used.

95. Charles discovers that an attacker has used a vulnerability in a web application that his company runs and has then used that exploit to obtain root privileges on the web server. What type of attack has he discovered? A. Cross-site scripting B. Privilege escalation C. A SQL injection D. A race condition

96. A. A zero-day exploit or attack occurs before the vendor has knowledge of the vulnerability. The remainder of the answers don't accurately describe a zero-day attack: just because a vulnerability has not yet been breached does not make it a zero-day, nor is a zero-day necessarily quickly exploitable. Finally, a zero-day attack does not specify how long the attacker may have access.

96. Which of the following best describes a zero-day vulnerability? A. A vulnerability that the vendor is not yet aware of B. A vulnerability that has not yet been breached C. A vulnerability that can be quickly exploited (i.e., in zero days) D. A vulnerability that will give the attacker brief access (i.e., zero days)

97. C. DNS poisoning occurs when false DNS information is inserted into legitimate DNS servers, resulting in traffic being redirected to unwanted or malicious sites. A backdoor provides access to the system by circumventing normal authentication. An APT is an advanced persistent threat. A Trojan horse ties a malicious program to a legitimate program.

97. You have discovered that there are entries in your network's domain name server that point legitimate domains to unknown and potentially harmful IP addresses. What best describes this type of attack? A. A backdoor B. An APT C. DNS poisoning D. A Trojan horse

98. D. Images can carry data, including malware or exfiltrated organizational information, embedded using a technique called steganography that hides data inside images without visibly affecting the image. Encryption, hashing, and forgery are not the direct driver of image-based threat vectors, although encryption is likely to be used as an additional layer to protect data for more advanced threat actors wishing to conceal what they are hiding.

98. What technique drives image-based threat vectors? A. Encryption B. Hashing C. Forgery D. Steganography
