Domain 4

Jeff is preparing a password policy for his organization and would like it to be fully compliant with PCI DSS requirements. What is the minimum password length required by PCI DSS?

7 characters. PCI DSS has a fairly short minimum password length requirement. Requirement 8.2.3 states that passwords must be a minimum of seven characters long and must include a mixture of alphabetic and numeric characters.

Sonia is investigating a server on her network that is behaving suspiciously. She used Process Explorer from the Sysinternals toolkit and found the results shown here. What service on this system is responsible for the most memory usage?

Database server The processes consuming the most memory on this server are the SQL Server core process and the SQL Server Management Studio application. These are all components of the database service.

What cryptographic algorithm is used to protect communications between Tom and the web server that take place using the key identified in question 63?

It is not possible to determine this information. The symmetric algorithm used to communicate between the client and server is negotiated during the TLS session establishment. This information is not contained in the digital certificate.

Tammy is reviewing alerts from her organization's intrusion prevention system and finds that there are far too many alerts to review. She would like to narrow down the results to attacks that had a high probability of success. What information source might she use to correlate with her IPS records to achieve the best results?

Vulnerability scans. Tammy can correlate the results of vulnerability scans with her IPS alerts to determine whether the systems targeted in attacks against her network are vulnerable to the attempted exploits. IDS logs would contain redundant, rather than correlated, information. Firewall rules and port scans may provide some useful information when correlated with IPS alerts, but the results of vulnerability scans would provide similar information enhanced with the actual vulnerabilities on particular systems.

Which one of the following Sysinternals tools may be used to determine the permissions that individual users have on a Windows registry key?

AccessEnum. The AccessEnum tool provides a view into which users and groups have permissions to read and modify files, directories, and registry entries. Sysmon and ProcDump are process monitoring tools that do not provide insight into the registry. AutoRuns provides a listing of the programs that start automatically when a system boots or a user logs into the system.

Carol is running an nmap scan and is confused by the results. It appears that nmap is not scanning a port where she expects to find a running service. What ports does nmap scan if nothing is specified on the command line?

Ports from 1-1024 and those listed in the nmap-services file

Which one of the following items is not normally included in a request for an exception to security policy?

Proposed revision to the security policy. Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.

Paul is selecting an interception proxy to include in his organization's cybersecurity toolkit. Which one of the following tools would not meet this requirement?

ZAP, Vega, and Burp are all interception proxies useful for the penetration testing of web applications. Snort is an intrusion detection system and does not have this capability.

Tammy would like to ensure that her organization's cybersecurity team review the architecture of a new ERP application that is under development. During which SDLC phase should Tammy expect the security architecture to be completed?

Design Security artifacts created during the design phase include security architecture documentation and data flow diagrams.

In the Sherwood Applied Business Security Architecture (SABSA), which view corresponds to the logical security architecture?

Designer's view. In the SABSA model, the Designer's view corresponds to the logical security architecture layer. The Builder's view corresponds to the physical security architecture. The Architect's view corresponds to the conceptual security architecture layer. The Tradesman's view corresponds to the component security architecture layer.

Which one of the following security activities is not normally a component of the operations and maintenance phase of the SDLC?

Disposition is a separate SDLC phase that is designed to ensure that data is properly purged at the end of an application life cycle. Operations and maintenance activities include ongoing vulnerability scans, patching, and regression testing after upgrades.

Kyle is developing a web application that uses a database backend. He is concerned about the possibility of a SQL injection attack against his application and is consulting the OWASP proactive security controls list to identify appropriate controls. Which one of the following OWASP controls is least likely to prevent a SQL injection attack?

Query parameterization, input validation, and data encoding are all ways to prevent the database from receiving user-supplied input that injects unwanted commands into a SQL query. Logging and intrusion detection are important controls, but they would detect, rather than prevent, a SQL injection attack.

Alec is a cybersecurity analyst working on analyzing network traffic. He is using Wireshark to analyze live traffic, as shown here. He would like to reassemble all of the packets associated with the highlighted connection. Which one of the following options from the drop-down menu in the figure should he choose first in order to most easily achieve his goal?

Follow. The Follow option will allow Alec to follow the TCP stream, reassembling the payloads from all of the packets in the stream in an easy-to-view manner.

Chelsea recently accepted a new position as a cybersecurity analyst for a privately held bank. Which one of the following regulations will have the greatest impact on her cybersecurity program?

GLBA. The Gramm-Leach-Bliley Act (GLBA) includes regulations covering the cybersecurity programs at financial institutions, including banks. The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, insurers, and health information clearinghouses. The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions. The Sarbanes-Oxley Act (SOX) applies to publicly traded companies.

In the TOGAF Architecture Development Model, shown here, what element should occupy the blank line in the center circle?

Requirements. The TOGAF Architecture Development Model is centered on requirements. The requirements inform each of the other phases of the model.

Rob is an auditor reviewing the payment process used by a company to issue checks to vendors. He notices that Helen, a staff accountant, is the person responsible for creating new vendors. Norm, another accountant, is responsible for issuing payments to vendors. Helen and Norm are cross-trained to provide backup for each other. What security issue, if any, exists in this situation?

Separation of duties violation. This situation violates the principle of separation of duties. The company appears to have designed the controls to separate the creation of vendors from the issuance of payments, which is a good fraud-reduction practice. However, the fact that they are cross-trained to back each other up means that they have the permissions assigned to violate this principle.

Brandy works in an organization that is adopting the ITIL service management strategy. Which ITIL core activity includes security management as a process?

Service design The ITIL framework places security management into the service design core activity. The other processes in service design are design coordination, service catalog management, service-level management, availability management, capacity management, IT service continuity management, and supplier management.

Bruce is considering the acquisition of a software testing package that allows programmers to provide their source code as input. The package analyzes the code and identifies any potential security issues in the code based upon that analysis. What type of analysis is the package performing?

Static analysis. Static analysis of code involves manual or automated techniques that review the source code without executing it. Fuzzing and fault injection are examples of dynamic analysis that execute the code and attempt to induce flaws.

Rob is planning the security testing for a new service being built by his organization's IT team. He would like to conduct rigorous testing of the finished product before it is released for use. Which environment would be the most appropriate place to conduct this testing?

Test. The test environment contains a complete version of the code, as the developers intend to release it. This is the best place to conduct rigorous testing, such as security analysis. The development environment is constantly in a state of flux and not a good environment for formalized testing. Code should be released to production only when it is ready for use by clients, and security testing should take place before code is placed in a production environment. Staging environments are holding areas used as part of the code release process.

Which role in a SAML authentication flow validates the identity of the user?

The IDP The identity provider (IDP) provides the authentication in a SAML-based authentication flow. A service provider (SP) provides services to a user, while the user is typically the principal. A relying party (RP) leverages an IDP to provide authentication services.

Which one of the following statements about web proxy servers is incorrect?

Web proxy servers decrease the speed of loading web pages. Web proxy servers actually increase the speed of loading web pages by creating local caches of those pages, preventing repeated trips out to remote Internet servers. For this same reason, they reduce network traffic. Web proxies may also serve as content filters, blocking both malicious traffic and traffic that violates content policies.

Samantha is investigating a cybersecurity incident where an internal user used his computer to participate in a denial-of-service attack against a third party. What type of policy was most likely violated?

AUP. This activity is almost certainly a violation of the organization's acceptable use policy, which should contain provisions describing appropriate use of networks and computing resources belonging to the organization.

Eric is assessing the security of a Windows server and would like assistance with identifying the users who have access to a shared file directory. What Sysinternals tool can assist him with this task?

AccessEnum The AccessEnum tool enumerates system access. It provides a view of who has permissions to files, directories, and other objects. AutoRuns shows what programs start at login or system boot. SDelete is a secure file deletion utility. Sysmon allows administrators to monitor processes and their activity in a searchable manner.

Amy is creating application accounts for her company's suppliers to use to access an inventory management website. She is concerned about turnover at the vendor. Which one of the following approaches would provide a good balance of security and usability for Amy?

Amy should create a master account for a responsible individual at the vendor and allow them to create and manage individual user accounts. In this situation, the best case for Amy would be to delegate management of the individual user accounts to the vendor. Amy should avoid a situation where she must create the individual accounts to reduce the burden on her. Using a single account violates many principles of security and eliminates accountability for individual user actions. If Amy implements the delegated account approach, she may want to supplement it with auditing to verify that accounts are properly managed.

Lorissa is investigating a potential DNS poisoning attack and uses the dig command to look up the IP address associated with the CompTIA.org website. She receives the results shown here. Which statement is true about these results?

Analyzing these dig results, you see that the DNS server (identified in the SERVER line) is 172.30.25.8. 198.134.5.6 is the query response, indicating that it is the CompTIA.org web server. The AUTHORITY value in this result is 0, indicating that the DNS server is not authoritative for the CompTIA.org domain.

Gerry would like to find a physical security control that will protect his organization against an attack where an individual drives a vehicle through the glass doors on the front of the building. Which one of the following would be the most effective way to protect against this type of attack?

Bollards. Bollards are physical barriers designed to prevent vehicles from crossing into an area. Mantraps are designed to prevent piggybacking by individuals and would not stop a vehicle. Security guards and intrusion alarms may detect an intruder but would not be able to stop a moving vehicle.

Gwen would like to deploy an intrusion detection system on her network but does not have funding available to license a commercial product. Which one of the following is an open source IDS?

Bro. Bro is an open source intrusion detection and prevention system. Sourcefire is a commercial company associated with the Snort IDS, but Sourcefire is not itself an open source product. TippingPoint and Proventia are IDS/IPS solutions from HP and IBM, respectively.

Hank would like to deploy an intrusion prevention system to protect his organization's network. Which one of the following tools is least likely to meet his needs?

Burp Burp is a web interception proxy, not an intrusion prevention system. Snort, Sourcefire, and Bro are all intrusion detection and prevention systems.

Laura is working on improving the governance structures for enterprise architecture in her organization in an effort to increase the communication between the architects and the security team. In the TOGAF framework, which of the four domains is Laura operating?

Business architecture. Business architecture defines governance and organization and explains the interaction between enterprise architecture and business strategy. Applications architecture includes the applications and systems that an organization deploys, the interactions between those systems, and their relation to business processes. Data architecture provides the organization's approach to storing and managing information assets. Technical architecture describes the infrastructure needed to support the other architectural domains.

Warren is working with a law enforcement agency on a digital forensic investigation and needs to perform a forensic analysis of a phone obtained from a suspect. Which one of the following tools is specifically designed for mobile forensics?

Cellebrite. While all of these tools may have the ability to perform forensic analysis on mobile devices, Cellebrite is a purpose-built tool designed specifically for mobile forensics.

Ian is designing an authorization scheme for his organization's deployment of a new accounting system. He is considering putting a control in place that would require that two accountants approve any payment request over $100,000. What security principle is Ian seeking to enforce?

Dual control. It is sometimes difficult to distinguish between cases of least privilege, separation of duties, and dual control. Least privilege means that an employee should only have the access rights necessary to perform their job. That is not the case in this scenario because accountants need to be able to approve payments. Separation of duties occurs when the same employee does not have permission to perform two different actions that, when combined, could undermine security. That is not the case here because both employees are performing the same action: approving the payment. Dual control occurs when two employees must jointly authorize the same action. That is the case in this scenario. Security through obscurity occurs when the security of a control depends upon the secrecy of its mechanism.

Several employees will need to travel with sensitive information on their laptops. Martin is concerned that one of those laptops may be lost or stolen. Which one of the following controls would best protect the data on stolen devices?

FDE. Full disk encryption prevents anyone who gains possession of a device from accessing the data it contains, making it an ideal control to meet Martin's goal. Strong passwords may be bypassed by directly accessing the disk. Cable locks are not effective for devices used by travelers. Intrusion prevention systems are technical controls that would not affect someone who gained physical access to a device.

Kaitlyn's organization recently set a new password policy that requires that all passwords have a minimum length of 10 characters and meet certain complexity requirements. She would like to enforce this requirement for the Windows systems in her domain. What type of control would most easily allow this?

Group Policy object. Group Policy objects (GPOs) are used to enforce security and configuration requirements within Active Directory. Active Directory forests and organizational units (OUs) are designed to organize systems and users hierarchically and do not directly allow security configurations, although GPOs may be applied to them. Domain controllers (DCs) are the servers that are responsible for providing Active Directory services to the organization and would be the point for applying and enforcing the GPO.

Bryan is selecting a firewall to protect his organization's internal infrastructure from network-based attacks. Which one of the following products is not suitable to meet this need?

HP TippingPoint TippingPoint is an intrusion prevention system. Cisco's NGFW, Palo Alto's NGFW, and CheckPoint's appliances are all firewall solutions.

Ursula is considering redesigning her network to use a dual firewall approach, such as the one shown here. Which one of the following is an advantage of this approach over a triple-homed firewall?

Hardware diversity. The dual firewall approach allows an organization to achieve hardware diversity by using firewalls from different vendors. This approach typically increases, rather than decreases, both the cost and complexity of administration. There is no indication that the proposed design would increase redundancy over the existing environment.

Roger is the CISO for a midsize manufacturing firm. His boss, the CIO, recently returned from a meeting of the board of directors where she had an in-depth discussion about cybersecurity. One member of the board, familiar with ISO standards in manufacturing quality control, asked if there was an ISO standard covering cybersecurity. Which standard is most relevant to the director's question?

ISO 27001. ISO 27001 is the current standard governing cybersecurity requirements. ISO 9000 is a series of quality management standards. ISO 17799 covered information security issues but is outdated and has been withdrawn. ISO 30170 covers the Ruby programming language.

Roland received a security assessment report from a third-party assessor, and it indicated that one of the organization's web applications is susceptible to an OAuth redirect attack. What type of attack would this vulnerability allow an attacker to wage?

Impersonation. OAuth redirects are an authentication attack that allows an attacker to impersonate another user.

In the Sherwood Applied Business Security Architecture (SABSA), which view corresponds to the physical security architecture layer?

In the SABSA model, the Builder's view corresponds to the physical security architecture. The Designer's view corresponds to the logical security architecture layer. The Architect's view corresponds to the conceptual security architecture layer. The Tradesman's view corresponds to the component security architecture layer.

Which of the following protocols is best suited to provide authentication on an open network?

Kerberos is the only answer that provides automatic protection for authentication traffic. TACACS is outdated, and TACACS+ is considered unsafe in most circumstances, meaning that it should be used on secure networks only if it must be used. RADIUS can be secured but is not secure by default.

Rick is assessing the security of his organization's directory services environment. As part of that assessment, he is conducting a threat identification exercise. Which one of the following attacks specifically targets directory servers?

LDAP injection. LDAP injection attacks use improperly filtered user input via web applications to send arbitrary LDAP queries to directory servers. SASL is a password storage scheme for directory services, but there is no attack type known as SASL skimming. Man-in-the-middle attacks may be used against directory servers, but they are not specific to directory environments. Cross-site scripting (XSS) attacks are waged against web servers.

Carl does not have sufficient staff to conduct 24/7 security monitoring of his network. He wants to augment his team with a managed security operations center service. Which one of the following providers would be best suited to provide this service?

MSSP Managed security service providers (MSSPs) provide security as a service (SECaaS). The infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) offerings do not include the managed security offering that Carl seeks.

Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin's need?

Mandatory vacations. Mandatory vacations are designed to force individuals to take time away from the office to allow fraudulent activity to come to light in their absence. The other controls listed here (separation of duties, least privilege, and dual control) are all designed to prevent, rather than detect, fraud.

Mike's organization adopted the COBIT standard, and Mike would like to find a way to measure their progress toward implementation. Which one of the following COBIT components is useful as an assessment tool?

Maturity models While all the COBIT components are useful to an organization seeking to implement the COBIT framework, only the maturity models offer an assessment tool that helps the organization assess its progress.

Glenn is conducting a security assessment of his organization's Active Directory-based identity and access management infrastructure. Which of the following services/protocols represents the greatest security risk to Glenn's organization if used in conjunction with Active Directory?

NTLMv1. NT LAN Manager (NTLM) version 1 contains serious vulnerabilities and exposes hashed passwords to compromise. LDAPS is an encrypted, secure version of the Lightweight Directory Access Protocol (LDAP). Active Directory Federation Services (ADFS) and Kerberos are both secure components of Active Directory.

Jose is concerned that his organization is falling victim to a large number of social engineering attacks. Which one of the following controls is least likely to be effective against these attacks?

Network firewall. Network firewalls are not likely to be effective against social engineering attacks because they are designed to allow legitimate traffic, and attackers waging social engineering attacks typically steal the credentials of legitimate users who would have authorized access through the firewall. Multifactor authentication is an effective defense because it requires an additional layer of authentication on top of passwords, which may be stolen in social engineering. Security awareness raises social engineering in users' consciousness and makes them less susceptible to attack. Content filtering may block phishing messages from entering the organization and may block users from accessing phishing websites.

Lou would like to deploy a SIEM in his organization, but he does not have the funding available to purchase a commercial product. Which one of the following SIEMs uses an open source licensing model?

OSSIM. OSSIM is an open source SIEM made by AlienVault. It is capable of pulling together information from a wide variety of open source security tools. QRadar, ArcSight, and AlienVault are all examples of commercial SIEM solutions.

Tim is tasked with implementing multifactor authentication to bring his organization into compliance with an industry security regulation. Which one of the following combinations of systems would make the strongest multifactor authentication solution?

Of the choices listed, only the combination of an ID badge and PIN is a multifactor solution. ID badges are "something you have," and a PIN is "something you know." Passwords, PINs, and security question answers are all "something you know" factors, so combining them does not create multifactor authentication. Fingerprints and retinal scans are both examples of "something you are."

Martin would like to install a network control that would block the potential exfiltration of sensitive information from the venture's facility. Which one of the following controls would be most effective to achieve that goal?

Of those listed, a data loss prevention system is specifically designed for the purpose of identifying and blocking the exfiltration of sensitive information and would be the best control to meet Martin's goal. Intrusion prevention systems may be able to perform this function on a limited basis, but it is not their intent. Intrusion detection systems are even more limited in that they are detective controls only and would not prevent the exfiltration of information. Firewalls are not designed to serve this purpose.

What identity management protocol is typically paired with OAuth2 to provide authentication services in a federated identity management solution on the Web?

OpenID While OAuth may be paired with almost any authentication provider, the most common approach is to pair OAuth and OpenID Connect to provide a complete authentication and authorization solution.

Jim is helping a software development team integrate security reviews into their code review process. He would like to implement a real-time review technique. Which one of the following approaches would best meet his requirements?

Pair programming Pair programming is a real-time technique that places two developers at a workstation where one reviews the code that the other writes in real-time. Pass-around reviews, tool-assisted reviews, and formal code reviews are asynchronous processes

What are the four implementation tiers of the NIST Cybersecurity Framework, ordered from least mature to most mature?

Partial, Risk Informed, Repeatable, Adaptive. The NIST Cybersecurity Framework uses four implementation tiers to describe an organization's progress toward achieving cybersecurity objectives. The first stage, tier 1, is Partial. This is followed by the Risk Informed, Repeatable, and Adaptive tiers.

Brenda would like to select a tool that will assist with the automated testing of applications that she develops. She is specifically looking for a tool that will automatically generate large volumes of inputs to feed to the software. Which one of the following tools would best meet her needs?

Peach The type of tool that Brenda seeks is known as a fuzzer. The Peach Fuzzer is a solution that meets these requirements. Burp and ZAP are interception proxies. ModSecurity is a web application firewall tool.

After Tom initiates a connection to the website, what key is used to encrypt future communications from the web server to Tom?

The session key. TLS uses public key cryptography to initiate an encrypted connection but then switches to symmetric cryptography for the communication that takes place during the session. The key used for this communication is known as the session key or the ephemeral key.

Greg is investigating reports of difficulty connecting to the CompTIA website and runs a traceroute command. He receives the results shown here. What conclusion can Greg reach from these results?

The web server appears to be up and running on the network. These results show an active network path between Greg's system and the CompTIA web server. The asterisks in the intermediate results do not indicate a network failure but are a common occurrence when intermediate nodes are not configured to respond to traceroute requests.

Which one of the following is not one of the four domains of COBIT control objectives?

There is no explicit security domain in the COBIT standard. The four COBIT domains are Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Which one of the following websites would not be covered by this certificate?

This is a wildcard certificate, meaning that it is valid for the subject domain (nd.edu) as well as any subdomains of that domain (e.g., www.nd.edu). It would not, however, be valid for subsubdomains. A wildcard certificate for *.business.nd.edu would cover www.business.nd.edu.

Bruce is concerned about access to the master account for a cloud service that his company uses to manage payment transactions. He decides to implement a new process for multifactor authentication to that account where an individual on the IT team has the password to the account, while an individual in the accounting group has the token. What security principle is Bruce using?

This is an example of dual control (or two-person control) where performing a sensitive action (logging onto the payment system) requires the cooperation of two individuals. Separation of duties is related but would involve not allowing the same person to perform two actions that, when combined, could be harmful.