Dimas Security Test #6

Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring?

23 Telnet is the protocol used for remote command-line administration of a host using TCP port 23. Telnet is considered insecure since it is unauthenticated and unencrypted. The simple mail transfer protocol (SMTP) is the protocol used to send mail between hosts on the Internet using TCP port 25. The post office protocol (POP3) is a TCP/IP application protocol providing a means for a client to access email messages stored in a mailbox on a remote server over port 110. The server usually deletes messages once the client has downloaded them. The hypertext transfer protocol secure (HTTPS) is a secure protocol used to provide web content to browsers using SSL/TLS encryption over port 443.

If an administrator cannot fully remediate a vulnerability, which of the following should they implement?

A compensating control Based on the question's wording, a compensating control would be most accurate for the given scenario. Compensating controls may be considered when an entity cannot meet a requirement explicitly, as stated due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement by implementing other controls. Access requirements are a form of logical controls that can be implemented to protect a system and could be a form of compensating control if used appropriately. A policy is a statement of intent and is implemented as a procedure or protocol within an organization. An engineering tradeoff is a situational decision that involves diminishing or losing one quality, quantity, or property of a set or design in return for gains in other aspects. Often, an engineering tradeoff occurs when we trade security requirements for operational requirements or vice versa.

What type of threat actor is highly funded and often backed by nation-states?

APT Advanced Persistent Threats are a group of hackers with great capability and intent. Nation-states and other large organizations often fund them to conduct highly covert hacks over a long period of time for political or economic gain. Script kiddies are people who use existing computer scripts or code to hack into computers, lacking the expertise to write their own. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. A hacktivist is someone who uses hacking to bring about political and social change.

Based on some old SIEM alerts, you have been asked to perform a forensic analysis on a given host. You have noticed that some SSL network connections are occurring over ports other than port 443. The SIEM alerts indicate that copies of svchost.exe and cmd.exe have been found in the host's %TEMP% folder. The logs indicate that RDP connections have previously connected with an IP address that is external to the corporate intranet, as well. What threat might you have uncovered during your analysis?

APT The provided indicators of compromise appear to be from an Advanced Persistent Threat (APT). These attacks tend to go undetected for several weeks or months and utilize secure communication to external IPs and Remote Desktop Protocol connections to provide the attackers with access to the infected host. While an APT might use a software vulnerability to gain their initial access, the full description provided in the question that includes the files being copied and executed from the %TEMP% folder and the use of SSL/RDP connections indicates longer-term exploitation, such as one caused by an APT.

Every new employee at Dion Training must sign a document to show they understand the proper rules for using the company's computers. This document states that the new employee has read the policy that dictates what can and cannot be done from the corporate workstations. Which of the following documents BEST describes this policy?

AUP An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the internet. For example, an AUP may state that they must not attempt to break any computer network security, hack other users, or visit pornographic websites from their work computer. A service level agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including reasons the contract may be terminated. A statement of work (SOW), or a scope of work, is a document that outlines all the work that is to be performed, as well as the agreed-upon deliverables and timelines. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange.

Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation?

Agent-based scanning Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization's network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring require a continuous network connection to collect the devices' configurations accurately.

Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company's computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement?

Application block list You should create and implement an application block list that includes the Solitaire game on it. This will prevent the application from being able to be run on any corporate workstation. Application allow lists will allow only authorized applications to be run, while application block lists will prevent any application listed from being run. Application hardening involves updating and patching your software (not applicable to this question). Disabling removable media is a good practice, but it won't prevent the game that was already installed from being run from the hard drive. Application allow lists and block lists can be deployed to hosts on the network using a GPO update.

What process is used to conduct an inventory of critical systems, components, and devices within an organization?

Asset Management An asset management process takes inventory of and tracks all the organization's critical systems, components, devices, and other valuable objects. It also involves collecting and analyzing information about these assets so that personnel can make more informed changes or otherwise work with assets to achieve business goals. Many software suites and associated hardware solutions are available for tracking and managing assets (or inventory).

You are helping to set up a backup plan for your organization. The current plan states that all of the organization's Linux servers must have a daily backup conducted. These backups are then saved to a local NAS device. You have been asked to recommend a method to ensure the backups will work when needed for restoration. Which of the following should you recommend?

Attempt to restore to a test server from one of the backup files to verify them. The only way to fully ensure that a backup will work when needed is to restore the files from the backups. To do that, it is best to restore them to a test server since this will not affect your production environment.

What technology is NOT PKI x.509 compliant and cannot be used in various secure functions?

Blowfish AES, PKCS, and SSL/TLS are all compatible with x.509 and can be used in a wide variety of functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature algorithm. SSL/TLS is used for secure key exchange.

Your smartphone begins to receive unsolicited messages while eating lunch at the restaurant across the street from your office. What might cause this to occur?

Bluejacking Bluejacking sends unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. On the other hand, Bluesnarfing involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a limited range, so the attacker is likely within 10 meters of the victimized device. Geotagging involves embedding the geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.

Due to a worldwide pandemic in 2020 caused by the COVID-19 virus, Dion Training Solutions instituted teleworking for all of its employees. This was part of a preplanned response so that the company's students could continue to learn and receive support throughout the pandemic. Which of the following plans should contain the company's pandemic response plan?

Business continutiy plan The business continuity plan (BCP) contains a collection of processes that enable an organization to maintain normal business operations in the face of some adverse event. This event could be natural or man-made; as long as it affects the business operations, then the BCP should be activated. The development of the BCP is often referred to as continuity of operations planning (COOP). A disaster recovery plan focuses on procedures and steps to follow to recover a system or site to a working state. For example, if a power failure or a fire occurred, the site would have to be recovered to a working state again. In the pandemic example, the facility did not have a disaster to recover from. Still, the business operations were affected and needed to be modified to continue operations under the BCP.

Which of the following elements is LEAST likely to be included in an organization's data retention policy?

Classificaiton of information Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization's data classification policy.

You work for a bank interested in moving some of its operations to the cloud, but it is worried about security. You recently discovered an organization called CloudBank that was formed by 15 local banks as a way for them to build a secure cloud-based environment that can be accessed by the 15 member banks. Which cloud model BEST describes the cloud created by CloudBank?

Community cloud Community Cloud is another type of cloud computing in which the cloud setup is shared manually among different organizations that belong to the same community or area. A multi-tenant setup is developed using the cloud among different organizations belonging to a particular community or group with similar computing concerns. For joint business organizations, ventures, research organizations, and tenders, a community cloud is an appropriate solution. Based on the description of 15 member banks coming together to create the CloudBank organization and its cloud computing environment, a community cloud model is most likely described. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.

During a vulnerability scan of your network, you identified a vulnerability on an appliance installed by a vendor on your network under an ongoing service contract. You do not have access to the appliance's operating system as the device was installed under a support agreement with the vendor. What is your best course of action to remediate or mitigate this vulnerability?

Contact the vendor to provide an update or to remediate the vulnerability. You should contact the vendor to determine if a patch is available for installation. Since this is a vendor-supported appliance installed under a service contract, the vendor is responsible for the appliance's management and security. You should not attempt to gain access to the underlying operating system to patch the vulnerability yourself, as this could void your warranty and void your service contract. Based on the information provided, there is no reason to believe that this is a false positive, either. You should not simply wait 30 days and rerun the scan, as this is a non-action. Instead, you should contact the vendor to fix this vulnerability. Then, you could rerun the scan to validate they have completed the mitigations and remediations.

Last week, your organization was the victim of a cyber attack. The attack's root cause was investigated and found to be due to a missing patch on your Windows 2016 server for the EternalBlue exploit. The organization's vulnerability management team has rescanned the network and identified all the machines missing this critical patch. These systems were then patched, and the network was rescanned to verify the patch was installed properly. Which of the following types of controls would you classify the installation of this patch as?

Corrective A corrective control is one that responds to and fixes an incident. A corrective control can also help to prevent the incident's reoccurrence. A compensating control fixes the root cause of an attack but instead adds additional layers of protection if the root cause cannot be fixed to mitigate the risk. Detective control is used to identify and record any attempted or successful intrusion, not prevent or deter access. A deterrent control is used to discourage an attacker from attempting an intrusion psychologically.

Which of the following is NOT a means of improving data validation and trust?

Decrypting data at rest Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation, or trust since the data at rest could be modified when decrypted.

Desktop as a Service (DaaS)

Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses focused on increasing their security and minimizing their operational expenses.

You are working as part of a penetration testing team during an assessment of Dion Training's headquarters. Your boss has requested that you search the company's recycling bins for any information that might be valuable during the reconnaissance phase of your attack. What type of social engineering method are you performing?

Dumpster Diving Dumpster diving involves searching through publicly accessible garbage cans or recycling bins to find discarded paper, manuals, or other valuable types of information from a targeted company. This is often done as part of the reconnaissance phase before an attack is performed. Whaling is an email-based or web-based form of phishing that targets senior executives or wealthy individuals. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Impersonation is the act of pretending to be someone or something else. Malicious actors often couple pretexting and impersonation to craft a believable scenario and impersonate people in authority during a social engineering attack.

Jack is assessing the likelihood of reconnaissance activities being performed against his organization. Which of the following would best classify the likelihood of a port scan being conducted against his DMZ?

High Since Jack's DMZ would contain systems and servers exposed to the Internet, there is a high likelihood that they are constantly being scanned by potential attackers performing reconnaissance.

Which cloud computing concept is BEST described as focusing on the replacement of physical hardware at a customer's location with cloud-based resources?

IaaS Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center. If you purchase a server in the cloud and then install and manage the operating system and software, this is Iaas. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Security as a service is a business model in which a service provider integrates their security services into a corporate infrastructure on a subscription basis more cost-effectively than most individuals or corporations can provide on their own when the total cost of ownership is considered.

A supplier needs to connect several laptops to an organization's network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier's laptops?

Implement a jumpbox system A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an air gap, or using a jumpbox.

Infrastructure as a service (IaaS)

Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center.

A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not related to actual vulnerabilities, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive?

Items classified by the system as Low or as For Informational Purposes only. When conducting a vulnerability scan, it is common for the report to include some findings that are classified as "low" priority or "for informational purposes only." These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. "An HTTPS entry that indicates the web page is securely encrypted" is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.

You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario?

Jumpbox Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox only runs the necessary administrative port and protocol (typically SSH). Administrators connect to the jumpbox then use the jumpbox to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the jumpbox) and denies any other hosts' connection attempts. A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application. For example, a proxy server and all other services are removed or limited to reduce the threat to the computer. An airgap system is a network or single host computer with unique security requirements that may physically be separated from any other network. Physical separation would prevent a system from accessing the remote administration interface directly and require an airgap system to reach the private cloud.

Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach?

Legal and regulatory issues may prevent data migration to the cloud. If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud. The other options presented are all low risk and can be overcome with proper planning and mitigations. Most cloud providers have degrees of redundancy far above what any individual on-premises provider will be able to generate, making the concern over backups a minimal risk. If the SIEM is moved to a cloud-based server, it could still be operated and controlled in the same manner as the previous on-premise solution using a virtualized cloud-based server. While a VM or hypervisor escape is possible, they are rare and can be mitigated with additional controls.

Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat?

MITRE ATT&CK framework The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Diamond Model provides an excellent methodology for communicating cyber events and allowing an analyst to implicitly derive mitigation strategies. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate them. OpenIOC contains a depth of research on APTs but does not integrate the detection and mitigation strategy.

Dion Training is in early discussions with a large university to license its cybersecurity courses as part of their upcoming semester. Both organizations have decided to enter into an exploratory agreement while negotiating the detailed terms of the upcoming contract. Which of the following documents would best serve this purpose?

MOU A Memorandum of understanding (MOU) is used as a preliminary or exploratory agreement to express their intent for the two companies to work together. A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which a service is provided. The interconnection security agreement (ISA) governs the relationship between any federal agency and a third party interconnecting their systems. A non-disclosure agreement (NDA) is the legal basis for protecting information assets.

You have been asked to write a new security policy to reduce the risk of employees working together to steal information from the Dion Training corporate network. Which of the following policies should you create to counter this threat?

Madatory vacation policy A mandatory vacation policy requires that all users take time away from work to enjoy a break from their day to day routine of their jobs. But, there is a major side benefit to mandatory vacations regarding your company's security posture. It will require the company to have another employee fill in for the vacationing employee's normal roles and responsibilities by requiring mandatory vacations. The employee who is filling in might come across fraud, abuse, or theft that the vacationing employee is a part of. The concept of least privilege may not stop this theft from occurring since two employees could work together to steal information that they have access to as part of their job. Also, acceptable use outlines the types of activities allowed and not allowed; it won't prevent theft from occurring. A privacy policy discusses how information should be properly stored and secured, but this won't stop an employee from stealing information or detecting the stolen information.

Which security control would prevent unauthorized users from connecting to a company's wireless network?

NAC Network Access Control (NAC) prevents unauthorized users from connecting to a network. Firewalls and intrusion prevention systems (IPS) are meant to restrict access from external sources and block known attacks. They would not keep out an intruder who is already in range of the wireless network. Network segmentation would limit the access that an intruder has to network resources but would not block the connection itself.

Which of the following cryptographic algorithms is classified as asymmetric?

PGP Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions and to increase the security of email communications. PGP is a public-key cryptosystem and relies on an asymmetric algorithm. AES, RC4, and 3DES are all symmetric algorithms.

Which cloud computing concept is BEST described as focusing on replacing the hardware and software required when creating and testing new applications and programs from a customer's environment with cloud-based resources?

PaaS Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center. Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Security as a service is a business model in which a service provider integrates their security services into a corporate infrastructure on a subscription basis more cost-effectively than most individuals or corporations can provide on their own when the total cost of ownership is considered.

You want to create a new mobile application and develop it in the cloud. You just signed up for a cloud-based service provider's offering to allow you to develop it using their programming environment. Which of the following best describes which type of service you have just purchased?

PaaS Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center. Software as a Service (SaaS) is cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses focused on increasing their security and minimizing their operational expenses.

Which type of monitoring would utilize a network tap?

Passive Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. Active monitoring relies on scanning targeted systems, not a network tap. Router-based monitoring would involve looking over the router's logs and configuration files. SNMP is used to monitor network devices but is considered active monitoring and doesn't rely on network taps.

Marta's organization is concerned with the vulnerability of a user's account being vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability?

Password expiration A password expiration control in the policy would force users to change their passwords at specific time intervals. This will then lock out a user who types in the incorrect password or create an alter that the user's account has been potentially compromised. While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario. It states the issue is based on time. Password history is used to determine the number of unique passwords a user must use before using an old password again. The Passwords must meet complexity requirements. The policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack.

Platform as a Service (PaaS)

Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform.

You are working as a security administrator and need to respond to an ongoing spearphishing campaign against your organization. Which of the following should be used as a checklist of actions to perform to detect and respond to this particular incident?

Playbook A playbook is a checklist of actions to perform to detect and respond to a specific type of incident. Your organization will have playbooks for phishing attempts, privilege escalation, and other specific types of incidents. A runbook is an automated version of a playbook used by a SOAR to have the system conduct as many steps as possible. DRP is a disaster recovery plan focused on the response to a natural or man-made disaster, not an incident. An incident response plan is a generic document for the overall steps of incident response. Therefore, it doesn't apply to a specific type of incident. This is a hard question because all four terms are very closely related to incidents and disasters.

You are reviewing the logs in your HIDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?

Port Scan Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create an SYN scan across every port in the range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service. An SYN flood normally sends many SYNs to a single system. Still, it doesn't send them to unused ports, and a UDP probe will not send SYN packets.

Which of the following cryptographic algorithms is classified as asymmetric?

RSA RSA (Rivest-Shamir-Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm. AES, RC4, and DES are all symmetric algorithms.

You have been hired as a consultant by Dion Training to review their current disaster recovery plans. The CEO has requested that the plans ensure that the company can limit downtime in the event of a disaster. Still, due to staffing concerns, he cannot approve the budget to implement or maintain a fully redundant offsite location to ensure 99.999% availability. Based on that limitation, what should you recommend to the CEO?

Redundant Hardware be maintained at the offsite location and configured to be ready for the recovery of the company's backup data when needed. A warm site provides some of a hot site's capabilities, but it requires the customer to do more work to become operational. Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations. For most organizations, a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement. By placing your redundant hardware at the offsite location and configuring it to be ready for recovery when needed, the company can have a higher availability level than a cold site but not have the full personnel costs involved with a hot site. A hot site would ensure that the offsite location has all the hardware, equipment, personnel, and data installed and ready to provide services at all times. Maintaining a hot site is much more expensive than a warm site. It is not recommended that your redundant servers are located within the same building since a fire, flood, or other disaster could destroy your primary and redundant capabilities. Retaining the hardware at the office building but shipping the backups offsite is more in line with a cold site description. This would also not provide high availability levels since the systems would need to be set up, configured, and made ready for use.

Which of the following type of threats did the Stuxnet attack rely on to cross an air gap between a business and an industrial control system network?

Removable media Air gaps are designed to remove connections between two networks to create physical segmentation between them. The only way to cross an air gap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside the web server's root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an air gap.

You have been asked to install a computer in a public workspace. Only an authorized user should use the computer. Which of the following security requirements should you implement to prevent unauthorized users from accessing the network with this computer?

Require authentication on wake-up To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever the computer is woken up. Therefore, if an authorized user walks away from the computer and goes to sleep when another person tries to use the computer, it will ask for a username and password before granting them access to the network. A screen lock can secure the desktop with a password while leaving programs running if a user walks away, as well. Single sign-on (SSO) is a type of mutual authentication for multiple services that can accept the credential from one domain or service as authentication for other services. A guest account is a Microsoft Windows user account with limited capabilities, no privacy, and is disabled by default. Using the same password for all users is considered extremely poor security and should not be done.

Which type of method is used to collect information during the passive reconnaissance?

Reviewing public repositories Passive reconnaissance focuses on collecting information that is widely and openly available from publicly available sources. While network traffic sniffing is considered passive, gaining access to the network to place a sniffer in a good network tap location would not be considered passive. Of the choices provided, publicly accessible sources are the best answer to choose. Collecting API requests and responses would involve a penetration tester sending data to a given server and analyzing the responses received, which is considered an active reconnaissance method. Social engineering is also an active reconnaissance technique that uses deception to trick a user into providing information to an attacker or penetration tester.

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database?

SQL Injection A SQL injection poses the most direct and more impactful threat to an organization's database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to sensitive information disclosure. A buffer overflow attack attempts to overwrite the memory buffer to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn't intended to disclose information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow for other malicious code running. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack typically is focused on the user, not the server or database.

What is a major security risk that could occur when you comingle hosts/servers with different security requirements in a single network?

Security policy violations A network is only as strong as its weakest link (or host/server). When you comingle hosts/servers, there is a large risk that security policy violations could occur. This is because users may be used to following a less stringent security policy for one set of machines and carry over those procedures to a machine that should have had stronger security policies.

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders?

Separation of duties This organization uses separation of duties to ensure that neither Kirsten nor Bob can exploit the organization's ordering processes for their gain. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Mandatory vacation policies require employees to take time away from their job and detect fraud or malicious activities. A background check is a process a person or company uses to verify that a person is who they claim to be and provides an opportunity for someone to check a person's criminal record, education, employment history, and other past activities to confirm their validity.

A web developer wants to protect their new web application from an on-path attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies?

Setting the secure attribute on the cookie When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still need to set the cookie's Secure attribute. Hashing the cookie provides the cookie's integrity, not confidentiality; therefore, it will not solve the issue presented by this question.

Software as a Service (SaaS)

Software as a Service (SaaS) is cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions.

Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually, through a token-based key fob or smartphone app, that automatically expires after a short period of time (for example, 60 seconds)?

TOTP The Time-based One-time Password Algorithm (TOTP) is a refinement of the HOTP. One issue with HOTP is that tokens can be allowed to persist unexpired, raising the risk that an attacker might obtain one and decrypt data in the future. In TOTP, the HMAC is built from the shared secret plus a value derived from the device's and server's local timestamps. TOTP automatically expires each token after a short window (60 seconds, for instance).

Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as?

Technical controls Firewalls, intrusion detection systems, and a RADIUS server are all examples of technical controls. Technical controls are implemented as a system of hardware, software, or firmware. Administrative controls involve processes and procedures. Physical controls include locks, fences, and other controls over physical access. Compensating controls are controls that are put in place to cover any gaps and reduce the risk remaining after using other controls.

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?

The attack widely fragmented the image across the host file system Due to the VM disk image's deletion, you will now have to conduct file carving or other data recovery techniques to recover and remediate the virtualized server. If the server's host uses a proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools. The attacker may have widely fragmented the image across the host file system when they deleted the disk image. VM instances are most useful when they are elastic (meaning they optimally spin up when needed) and then destroyed without preserving any local data when security has performed the task, but this can lead to the potential of lost system logs. To prevent this, most VMs also save their logs to an external Syslog server or file. Virtual machine file formats are image-based and written to a mass storage device. Depending on the configuration and VM state, security must merge any checkpoints to the main image, using a hypervisor tool, not recovery from an old snapshot, and then roll forward. It is possible to load VM data into a memory analysis tool, such as Volatility. However, some hypervisors' file formats require conversion first, or they may not support the analysis tool.

You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing?

The backup is a differential backup iPhone/iPad backups can be created as full or differential backups. In this scenario, the backup being analyzed is likely a differential backup containing the information that has changed since the last full backup. If the backup were encrypted, you would be unable to read any of the contents. If the backup were interrupted, the backup file would be in an unusable state. If the backup were stored in iCloud, you would need access to their iCloud account to retrieve and access the file. Normally, during an investigation, you will not have access to the user's iCloud account.

Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works at the marketing department in the company's German headquarters, just emailed all their customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any?

There was a policy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receive marketing emails. According to the European Union's General Data Protection Regulation (GDPR), personal data collected can only be used for the exact purpose in which explicit consent was obtained. To use email addresses for marketing purposes, separate explicit consent should have been obtained. Since the company operates in Germany, it must follow the GDPR privacy standard. Even if a company doesn't operate within the European Union, its customers might be European Union citizens, and therefore the company should still optional follow the GDPR guidelines. While data minimization is a good internal policy to utilize, not following it doesn't equate to a privacy violation or breach. Data minimization is the principle that data should only be processed and stored, if necessary, to perform the purpose for which it is collected. The option concerning the customer relationship management (CRM) tool is a distractor since the issue is using the data in ways that were not consented to by the customer, not which system the email was sent through. A privacy violation can occur when corporate employees view data if those employees do not have a need to know, a valid business requirement to use the data, or consent from the customer to use the data for a specific purpose (as was the case in this scenario).

Jennifer decided that the licensing cost for a piece of video editing software was too expensive. Instead, she decided to download a keygen program to generate a license key and install a pirated version of the editing software. After she runs the keygen, a license key is created, but her system performance becomes very sluggish, and her antimalware suite begins to display numerous alerts. Which type of malware might her computer be infected with?

Trojan A trojan is a program in which malicious or harmful code is contained inside a harmless program. In this example, the harmless program is the key generator (which does create a license key). It also has malicious code inside it causing the additional alerts from the antimalware solution. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system. A worm is a standalone malware computer program that replicates itself to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. A worm can spread on its own, whereas a virus needs a host program or user interaction to propagate itself. A logic bomb is a malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed, or on a specific date. Adware is software that displays unwanted advertisements on your computer.

Which of the following cryptographic algorithms is classified as symmetric?

Two fish Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. ECC, RSA, and Diffie-Hellman are all asymmetric algorithms.

Your organization has recently been the target of a spearphishing campaign. You have identified the website associated with the link in the spearphishing emails and want to deny access to it. Which of the following techniques would be the MOST effective in this situation?

URL filter A URL filter can be used to block a website based on its website address or universal resource locator (URL). This is not a containment technique but a blocking and filtering technique. Quarantine would be used against an infected machine, and it would not be effective against trying to block access to a given website across the entire organization. An application blocklist is used to prevent an application from running, so this cannot be used to block a single malicious or suspicious website or URL.

Karen lives in an area that is prone to hurricanes and other extreme weather conditions. She asks you to recommend an electrical conditioning device that will prevent her files from being corrupted if the building's power is unstable or lost. Additionally, she would like the computer to maintain power for up to an hour of uptime to allow for a graceful shutdown of her programs and computer. Which of the following should you recommend?

Uninterruptible power supply An uninterruptible power supply or uninterruptible power source (UPS) is an electrical apparatus that provides emergency power to a load when the input power source becomes too low or the main power fails. A UPS provides near-instantaneous protection from input power interruptions by using a battery backup. The on-battery run-time of most uninterruptible power sources is usually short (less than 60 minutes) but sufficient to properly shut down a computer system. A line conditioner is a device that adjusts voltages in under-voltage and overvoltage conditions to maintain a 120 V output. Line conditioners raise a sag or under-voltage event back to normal levels, but they cannot protect the line from a complete power failure or power outage. A surge protector defends against possible voltage spikes that could damage your electronics, appliances, or equipment. A power strip will not protect against voltage spikes. A UPS or line conditioner could protect against voltage spikes, but they cost much more than a surge protector. A power distribution unit (PDU) is a device designed to provide power to devices that require power, and may or may not support remote monitoring and access.

Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated?

WAF WAF (web application firewall) is the best option since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue. Therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping an SQL injection. An intrusion prevention system (IPS) is designed to protect network devices based on ports, protocols, and signatures. It would not be effective against an SQL injection and is not considered a compensating control for this vulnerability.

You are installing a new wireless network in your office building and want to ensure it is secure. Which of the following configurations would create the MOST secure wireless network?

WPA2 and AES The most secure wireless network configuration utilizes WPA2 with AES encryption. WPA2 is the most secure wireless encryption standard listed as an option and has replaced both WPA and WEP. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that could probably break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key. MAC filtering is the application of an access control list to a switch or access point so that only clients with approved MAC addresses connect.

Which of the following is the MOST secure wireless security and encryption protocol?

WPA3 Wi-Fi protected access version 3 (WPA3) has replaced WPA2 as the most secure wireless encryption method. WPA3 uses the simultaneous authentication of equals (SAE) to increase the security of preshared keys. WPA3 provides the enhanced open mode that encrypts transmissions from a client to the access point when using an open network. WPA3 Enterprise mode supports the use of AES with the Galois/counter mode protocol (GCMP-256) for the highest levels of encryption. Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption. Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications designed to replace WEP. WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key.

Dion Training wants to reduce the management and administrative costs of using multiple digital certificates for all of their subdomains of diontraining.com. Which of the following solutions would allow the company to use one digital certificate for all of its subdomains?

Wildcards Wildcards are certificates that allow your company unlimited subdomains on a parent domain. Object identifiers identify an object. Key escrow is for key storage. OCSP is a protocol used to query CA about the revocation status of a certificate.

What type of malicious application does not require user intervention or another application to act as a host to replicate?

Worm A worm is a self-replicating type of malware that does not require user intervention or another application to act as a host for it to replicate. Viruses and Macros require user intervention to spread, and Trojans are hosted within another application that appears harmless.

Which command is used in the Linux terminal to change the permissions of a file?

chmod The chmod command sets the permissions of files or directories on a Linux system. A set of flags associated with each file determines who can access that file and how they can access it. These flags are called file permissions or modes. The command name chmod stands for change mode and it restricts the way a file can be accessed. The chown command is used to change the owner of the file, directory, or link in Linux. The pwd command displays the present working directory (current directory) path to the terminal or display. If you are working on a Linux system and are unsure of where you are in the directory structure, type "pwd" and hit enter to display the path to the screen. The sudo command allows programs to be executed as a superuser (known as the root user) or another user. The command's name is an abbreviation of the phrase "superuser do" and works on all Unix-based operating systems.

What command should a forensic analyst use to make a forensic disk image of a hard drive?

dd The dd tool is used to make bit by bit copies of a disk, drive, or partition. Once the image is created using dd, a hash of the file should be made and placed into evidence to validate the integrity of the disk image that was created. This will ensure that no modification occurs between the collection and analysis of the disk image. The wget command is a command-line utility for downloading files from the Internet. The touch command is a standard command used in the UNIX/Linux operating system used to create, change, and modify timestamps of a file. The rm command is used to delete one or more files or directories.

Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3?

http.request.method=="POST" && ip..dst==10.1.2.3 Filtering the available PCAP with just the http "post" methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both of these can minimize the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto==tcp filter would display all TCP traffic on a network, regardless of the port, IP address, or protocol being used. It would simply produce too much information to analyze.

Which of the following secure coding best practices ensures special characters like <, >, /, and ' are not accepted from the user via a web form?

input validation Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page.

Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them?

nmap Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. Also, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems. The netstat (network statistics) tool is a command-line utility that displays network connections for incoming and outgoing TCP packets, routing tables, and some network interface and network protocol statistics. Still, it cannot identify open ports and services on a host with their version numbers. The ping tool is used to query another computer on a network to determine whether there is a valid connection. Wireshark is an open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.

During a penetration test of your company's network, the assessor came across a spreadsheet with the passwords being used for several servers. Four of the passwords recovered are listed below. Which one is the weakest password and should be changed FIRST to increase the password's complexity?

pa55word Password policies often enforce a mixture of standard character types, including uppercase letters, lowercase letters, numbers, and symbols. The option 'pa55word' is the weakest choice since it only includes lowercase letters and numbers. The option 'Pa55w0rd' is slightly more complex since it includes uppercase letters, lowercase letters, and numbers. The option 'P@$$W0RD is also similar in complexity since it includes uppercase letters, numbers, and special characters. The most secure option is 'P@5$w0rd' since it includes a mixture of uppercase letters, lowercase letters, numbers, and special characters.

What technique is an attacker using if they review data and publicly available information to gather intelligence about the target organization without scanning or other technical information-gathering activities?

passive reconnaissance Passive reconnaissance combines publicly available data from various sources about an organization and does not use active scanning or data gathering methods. Vulnerability scanning is an inspection of the potential points of exploitation on a computer or network to identify security holes. A vulnerability scan is usually conducted to detect and classify system weaknesses in computers, networks, and communications equipment and predict the effectiveness of countermeasures. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.