Final Exam


While designing a new wireless system for deployment, an engineer utilizes the newest security technology available. Analyze the security properties and conclude which will be used. (Select all that apply.)
ANSWER
Advanced Encryption Standard (AES) cipher with 128-bit keys
RC4 stream cipher using Temporal Key Integrity Protocol (TKIP) to make it stronger
4-way handshake authentication mechanism with a protocol based on the Diffie-Hellman key agreement
Enterprise authentication methods must use 192-bit AES, while personal authentication can use either 128-bit or 192-bit

THE CORRECT ANSWER
4-way handshake authentication mechanism with a protocol based on the Diffie-Hellman key agreement
Enterprise authentication methods must use 192-bit AES, while personal authentication can use either 128-bit or 192-bit
WHAT YOU NEED TO KNOW
Simultaneous Authentication of Equals (SAE) in WPA3 uses a 4-way handshake authentication and association mechanism with a protocol based on the Diffie-Hellman key agreement. AES CCMP in earlier WPA implementations is replaced in WPA3 with the AES Galois Counter Mode Protocol (GCMP) mode of operation. Enterprise authentication methods must use 192-bit AES, while personal authentication can use either 128-bit or 192-bit. WPA2 uses the Advanced Encryption Standard (AES) cipher with 128-bit keys, deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). WPA1 uses the RC4 stream cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger.

Companies often update their website links to redirect users to new web pages that may feature a new promotion or to transition to a new web experience. How would an attacker take advantage of these common operations to lead users to fake versions of the website? (Select all that apply.)
ANSWER
Add redirects to .htaccess files.
Craft phishing links in email.
Hijack the website's domain.
Ruin the company's reputation with reviews.

THE CORRECT ANSWER
Add redirects to .htaccess files.
Craft phishing links in email.
WHAT YOU NEED TO KNOW
An attacker can craft a phishing link that might appear legitimate to a naïve user, such as: https://trusted.foo/login.php?url="https://tru5ted.foo". The .htaccess file controls high-level configuration of a website. This file runs on an Apache server and can be edited to redirect users to other URLs. A domain hijacking attack involves an adversary gaining control over the registration of a domain name, allowing the host records to be configured to IP addresses of the attacker's choosing. Deliberately ruining a company's reputation via online reviews and social media platforms can reduce user visitation to the website, which is less effective at luring users to a fake website.

Describe scenarios where containment measures, such as isolation and segmentation techniques, should be taken. (Select all that apply.)
ANSWER
A compromised host pings another host periodically.
An unauthorized user accesses a server.
A worm has infected a device on the network.
The investigation of a recent incident is ongoing.

THE CORRECT ANSWER
An unauthorized user accesses a server.
A worm has infected a device on the network.
The investigation of a recent incident is ongoing.
WHAT YOU NEED TO KNOW
Containment is a strategy that controls network access across points of entry. Isolation is the act of disconnecting an entire system or network. Isolation is a malware containment procedure. Containment is a strategy that controls access to files, data, systems, or networks across points of entry. Isolation and segmentation techniques, such as blackholes, sinkholes, or honeypots, prevent intrusions. Containment or isolation during an investigation is a best practice and is appropriate, especially when investigators are still gathering evidence. Suspicious pings to another host may indicate a trap. When the corresponding pings fail, this serves as a trigger for a malicious process. Handlers should not believe it is all clear just because they isolated the host from the network.

A gray hat hacker will perform which of the following when using hacking techniques on an organization or software? (Select all that apply.)
ANSWER
Move laterally on the network.
Use a white box
Cleanup evidence
Seek a bug bounty

THE CORRECT ANSWER
Cleanup evidence
Seek a bug bounty
WHAT YOU NEED TO KNOW
A gray hat hacker will try to find vulnerabilities in a product or network without seeking the approval of the owner. They often seek voluntary compensation like a bug bounty. A gray hat hacker will clean up evidence of an attack like a backdoor because an exploit will never be used as extortion. This is also true for white hat hackers. A white hat hacker is accustomed to working with a company or organization. The attack would occur in a known environment or a white box. A black hat hacker is accustomed to gaining access to one or more hosts by moving laterally on the network. This involves executing the attack tools over remote process shares or using scripting tools.

Outline possible tools or methods the team can use to acquire a disk image from a system. (Select all that apply.)
ANSWER
Copy disk with dd command
Save disk image with FTK Imager
Create snapshots of all volumes
Transfer file system via SMB

THE CORRECT ANSWER
Copy disk with dd command
Save disk image with FTK Imager
Create snapshots of all volumes
WHAT YOU NEED TO KNOW
FTK Imager is a data imaging tool that quickly assesses electronic evidence to determine if it requires further analysis. FTK Imager can save an image of a hard disk in one file or in segments, to reconstruct later if needed. The dd command can copy an entire disk as an image to a USB thumb drive. The team can then analyze the image in a sandbox environment. It is possible to create snapshots of the compromised volumes, and in some cases a snapshot can boot a virtual machine, as a full disk image can. This may not be the most efficient method, however. By transferring files over the network, there is a risk of infection or compromise of other hosts.

Which attack types are client-side attacks that are impacted by malicious code? (Select all that apply.)
ANSWER
Directory traversal
Integer overflow
Cross-site scripting
Session replay

THE CORRECT ANSWER
Cross-site scripting
Session replay
WHAT YOU NEED TO KNOW
A session replay is a client-side attack. This means that the attack executes arbitrary code on the user's browser. A cross-site scripting (XSS) attack exploits the fact that the browser is likely to trust scripts that appear to come from a site the user has chosen to visit. Directory traversal is a type of injection attack performed against a web server. The threat actor submits a request for a file outside the web server's root directory by submitting a path to navigate to the parent directory. Integers are a data type that are commonly defined with fixed lower and upper bounds. An integer overflow attack causes the target software to calculate a value that exceeds these bounds.

A visiting consultant to a company fails at trying to copy a file from a shared drive to a USB flash drive. Which security solutions block the file from being copied? (Select all that apply.)
ANSWER
Data loss prevention system (DLP)
Endpoint protection platform (EPP)
Host intrusion prevention system (HIPS)
Host intrusion detection system (HIDS)

THE CORRECT ANSWER
Data loss prevention system (DLP)
Endpoint protection platform (EPP)
WHAT YOU NEED TO KNOW
Data loss prevention (DLP) is a security solution that is configured with policies to identify privileged files to prevent data from being copied or attached to a message without authorization. An endpoint protection platform (EPP) usually depends on an agent running on a local host. Agents may be installed for services such as antivirus, intrusion detection, and data loss prevention. Host-based intrusion detection systems (HIDS) provide threat and intrusion detection for systems via log and file system monitoring tools. Host-based intrusion detection systems (HIDS) come in many different forms with different capabilities; some of them are preventative (HIPS), meaning they will try to stop a threat rather than just report on it.

Which attack vector would an insider threat use to effectively install malicious tools on specific sets of servers for backdoor access? (Select all that apply.)
ANSWER
Wireless network
Direct access
Social media
Removable media

THE CORRECT ANSWER
Direct access
Removable media
WHAT YOU NEED TO KNOW
Direct access is a type of physical or local attack. The threat actor could exploit an unlocked workstation, use a boot disk to try to install malicious tools, or steal a device. Removable media like a USB drive or SD card can conceal malware. With direct access, a malicious USB can be inserted, and in some cases, automatically run malware to easily compromise the device. Wireless or remote network attack vectors use, for example, credential harvesting to steal account details to access the network. Social media or the web can be used as an attack vector by luring users to download files through social engineering campaigns. These files can be loaded with Trojans to compromise user devices.

Security admins are evaluating Windows server vulnerabilities related to Dynamic Link Library (DLL) injections. Modern applications are running on these Windows servers. How would an attacker exploit these vulnerabilities? (Select all that apply.)
ANSWER
Navigate laterally using pass the hash.
Evade detection through refactoring.
Use malware with administrator privilege.
Enable legacy mode through shimming.

THE CORRECT ANSWER
Evade detection through refactoring.
Use malware with administrator privilege.
WHAT YOU NEED TO KNOW
The malware must evade detection by anti-virus to be successful. This can be done through code refactoring, which means the code performs the same function by using different methods, such as changing its signature. Dynamic Link Library (DLL) injection is deployed with malware that is already operating on the system with local administrator or system privileges. Shimming is using code that intercepts and redirects calls to enable legacy mode, exploiting the Windows Application Compatibility framework for DLL injections. The servers in this case used modern applications. Pass the hash is a credential exploit technique. It harvests an account's cached credentials in a Single Sign-On (SSO) system and reuses the hash to authenticate to network protocols such as Server Message Block (SMB).

List the terms that refer to a document that guides investigators to determine priorities and remediation plans by listing the procedures, contacts, and resources available to responders for various incident categories. (Select all that apply.)
ANSWER
Incident Response Plan
Runbook
Data Loss Prevention
Access Control List

THE CORRECT ANSWER
Incident Response Plan
Runbook
WHAT YOU NEED TO KNOW
A SOAR system that implements a playbook with a high degree of automation is also referred to as a runbook, although the two terms are used interchangeably. Referred to as a playbook, an incident response plan (IRP) guides investigators to determine priorities and remediation plans by listing the procedures, contacts, and resources available to responders for various incident categories. The Access Control List (ACL) is a table that specifies to a computer operating system which users have access privileges to specific system resources, such as file directories or individual files. Data loss prevention (DLP) software is a collection of tools and procedures used to avoid the deletion, abuse, or access to sensitive data by unauthorized users.

Conclude which terms represent a core feature of the Diamond Model of Intrusion Analysis. (Select all that apply.)
ANSWER
Infrastructure
Capability
Eradication
Victim

THE CORRECT ANSWER
Infrastructure
Capability
Victim
WHAT YOU NEED TO KNOW
A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used. It is useful to define the victim in terms of both the people or organization targeted, as well as the victim's assets (i.e., the attack surface). The infrastructure feature describes the communication structures the adversary uses to utilize a capability. The capability feature describes the tools and/or techniques of the adversary used in the event. All of the vulnerabilities and exposures utilized by the individual's capability, regardless of the victim, are its capacity. Eradication is one of the six steps of implementing a structured incident response and is not directly related to the Diamond Model of Intrusion Analysis.

Which of the following is TRUE about a certificate authority (CA) in a hierarchical model as opposed to a single CA model? (Select all that apply.)
ANSWER
Root certificate is self-signed.
Intermediate CA issue certificates.
PKI collapses if CA is compromised.
Offline CA is a best practice.

THE CORRECT ANSWER
Intermediate CA issue certificates.
Offline CA is a best practice.
WHAT YOU NEED TO KNOW
Powering off the root certificate authority (CA) in a hierarchical public key infrastructure (PKI) model is a security best practice. The root CA is a high security risk and has the potential to compromise all subordinate certificates if not powered off. An intermediate CA in a hierarchical PKI creates and issues certificates to users. Intermediate CAs can balance their work based on areas of responsibility. The root certificate for both a single and a hierarchical PKI model is self-signed. The root CA always becomes the start of the chain of trust. The whole PKI may collapse if the CA, in both a single and hierarchical PKI model, is compromised. The CA must be protected in both cases.

Multiple private data sources ingest pictures to a machine learning tool on Google Cloud Platform to find specific species of butterflies. The pictures are tagged by creator names in the company before being loaded onto the various data source locations. What type of security solution can the IT team implement to prevent tainted training data from getting to the machine learning tool? (Select all that apply.)
ANSWER
Prevent infiltration of external vendors.
Keep ML algorithm a secret.
Use SOAR to check picture properties.
Use algorithms that use collision avoidance.

THE CORRECT ANSWER
Keep ML algorithm a secret.
Use SOAR to check picture properties.
WHAT YOU NEED TO KNOW
Security orchestration, automation, and response (SOAR) and automated runbooks could effectively check saved pictures before they are ingested into the machine learning tool. This will prevent malicious data from being ingested. Keeping the Machine Learning (ML) algorithm secret is security by obscurity. An adversarial attack can skew image data by tricking the ML tool into recognizing an image as something else if the algorithm is known. Preventing the infiltration of external vendors is out of scope because the company owns the data sources. However, such tactics may help in preventing supply chain attacks in other cases. Encryption algorithms that can demonstrate collision avoidance can prevent birthday attacks. A birthday attack is a brute force attack that exploits collisions in hash functions.

A security administrator protects systems passwords by hashing their related keys. The administrator discovers that this approach does not make the key any stronger or more difficult to crack. Analyze the different security properties and determine which one the administrator implemented.
ANSWER
Key stretching
Digital signatures
Key exchange
Key length

Key stretching takes a key that is generated from a user password and repeatedly converts it to a longer and more random key. The range of key values available to use with a particular cipher is called the keyspace. Using a longer key (256 bits rather than 128 bits, for instance) makes the encryption scheme stronger. Digital signatures combine public key cryptography with hashing algorithms to provide authentication, integrity, and non-repudiation. With key exchange, a symmetric encryption key is encrypted by the client and sent to the server. The server decrypts the key and that secret key is then used to encrypt messages sent between server and client.

An administrator goes through regular tasks every morning at the office to quickly gather health metrics of the network and associated systems. The admin connects to a Windows jump server using a secure shell (SSH) to run health scripts which output the data to a .xls file on a local shared folder accessible to all employees. The most recent run of the health script failed immediately without any indication of the issue. If an Information System Security Officer (ISSO) examined these morning tasks, what would be considered a weak configuration? (Select all that apply.)
ANSWER
Open permissions
Unformatted error messages
Default settings
Unsecure remote access

THE CORRECT ANSWER
Open permissions
Default settings
WHAT YOU NEED TO KNOW
Open permissions can allow anyone on the network access to files and services. Although the file share is available to internal employees, only administrators should be reviewing gathered health information. Default settings are usually unsecure settings that leave the environment and data open to compromise. A shared folder that provides access to everyone on the internal network is an example of a default setting when shared folders are created. An unsecure protocol is one that transfers data as cleartext. Secure shell (SSH) provides encrypted data communication. Weakly configured applications can sometimes display unformatted error messages. These messages can reveal vulnerabilities that a threat actor could take advantage of. No errors were revealed in this case.

An organization remodels an office which results in the need for higher security during construction. Placing a security guard by the data center utilizes which control types? (Select all that apply.)
ANSWER
Preventative
Operational
Corrective
Compensating

THE CORRECT ANSWER
Preventative
Operational
WHAT YOU NEED TO KNOW
Operational control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls. A preventative control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. A corrective control is used after an attack. A good example is a backup system that can restore data that was damaged during an intrusion. A compensating control serves as a substitute for a principal control, as recommended by a security standard.

A security expert uses a technical approach to configure a detective control to monitor a server. Review the descriptions and determine which controls the expert implements. (Select all that apply.)
ANSWER
Records attempts at intrusion
Psychologically discourages an attacker
Implemented primarily by people
The control is implemented as a system

THE CORRECT ANSWER
Records attempts at intrusion
The control is implemented as a system
WHAT YOU NEED TO KNOW
A detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. This control operates during the progress of an attack. A technical control is implemented as a system (hardware, software, or firmware). For example, firewalls, anti-virus software, and OS access control models are technical controls. A deterrent control, such as a warning sign, may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. An operational control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls.

A network with two normally working switches has several client computers connected for work and Internet access. After adding two new switches and more client computers, the new computers, as well as some of the old client computers, cannot access the network. What are most likely the cause and the solution? (Select all that apply.)
ANSWER
STP
Flood guard
Port security
A loop in the network

THE CORRECT ANSWER
STP
A loop in the network
WHAT YOU NEED TO KNOW
A switch loop on the network will cause network connections to drop since the packet cannot make the appropriate hop to the next switch to its final destination. Switching loops also generate broadcast storms. STP (Spanning Tree Protocol) is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming. Port security is an advanced security feature that allows a certain number of MAC addresses to access a physical port. After a certain number, the system will block new connections. A flood guard is a feature of a circuit-level firewall that prevents maliciously open connections from forming. This is not applicable to switching loops.

A vulnerability database loaded on a scanning tool such as Tenable Nessus will commonly show which of the following properties? (Select all that apply.)
ANSWER
Score
Security data inputs
Packet data
Dictionary

THE CORRECT ANSWER
Score
Dictionary
WHAT YOU NEED TO KNOW
Common Vulnerabilities and Exposures (CVE) is a dictionary of vulnerabilities in published operating systems and applications software provided by cve.mitre.org. It includes the CVE ID, a brief description, a URL reference list, and the date of entry. Common Vulnerability Scoring System (CVSS) is maintained by the Forum of Incident Response and Security Teams (first.org/cvss). Scores range from 0 (low) to 9+ (critical). Security data is not manually input into a vulnerability database. CVEs are shared and downloaded for use with vulnerability scanners. Data from a packet capture are used for deep packet analysis when using a tool such as Wireshark, a network protocol analyzer.

Which certificate attribute describes the computer or machine it belongs to? (Select all that apply.)
ANSWER
Subject alternate name
Certificate authority name
Common name
Company name

THE CORRECT ANSWER
Subject alternate name
Common name
WHAT YOU NEED TO KNOW
The common name (CN) attribute identifies the computer or machine by name, usually a fully qualified domain name (FQDN), such as www.comptia.org. The subject alternate name (SAN) extension field is structured to represent different types of identifiers, including domain names. This is more commonly used as the CN attribute has been deprecated. The name of a company, such as "CompTIA Development Services, LLC," is entered into the CN attribute when creating code signing certificates. This type of certificate is used to validate software code. The certificate authority (CA) name is entered into the CN attribute of the root CA certificate. This type of certificate identifies the CA itself and is the start of the certificate chain of trust.

During a risk assessment, a company indicates the value of employee-used laptops to be $1,500.00 apiece. What should the company define to come up with the annual loss expectancy in a quantitative risk assessment?
ANSWER
ALE
ARO
RPO
RTO

THE CORRECT ANSWER
ARO
WHAT YOU NEED TO KNOW
The annual rate of occurrence (ARO) indicates how many times a loss will occur within a year. An ARO is used in conjunction with the single loss expectancy (SLE) to figure the annual loss expectancy (ALE). The annual loss expectancy (ALE) is the single loss expectancy (SLE) times the annual rate of occurrence (ARO). It is a part of the quantitative risk assessment. The recovery point objective (RPO) identifies a point in time that data loss is acceptable. The recovery time objective (RTO) identifies the maximum time it takes to recover a system in the event of an outage.

A new company implements a datacenter that will hold proprietary data that is output from a daily workflow. As the company has not received any funding, no risk controls are in place. How does the company approach risk during operations?
ANSWER
Acceptance
Avoidance
Transference
Mitigation

THE CORRECT ANSWER
Acceptance
WHAT YOU NEED TO KNOW
Risk acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed. Risk avoidance means that the activity that is risk-bearing is stopped. The discontinuation of a defective product is a form of risk avoidance. Risk mitigation is the overall process of reducing exposure to the effects of risk factors. An example is deploying a countermeasure that reduces exposure to a threat or vulnerability. Risk transference means assigning risk to a third party, such as an insurance company or a contract with a supplier that defines liabilities.

A government system uses Public Key Infrastructure to enable users to securely exchange data using both a public and private cryptographic key pair that is obtained and shared through a trusted authority. This process most likely describes which of the following?
ANSWER
Something you know authentication
Authentication application
2FA
IAM

THE CORRECT ANSWER
Authentication application
WHAT YOU NEED TO KNOW
An authentication application is used to verify a user's access. Authentication applications use various means to identify a user, such as static codes, token keys, and Public Key Infrastructure. Something you know authentication refers to confidential information such as a PIN or password. Two-Factor Authentication (2FA) is a multi-factor authentication method used to confirm users' identities. 2FA works by using a combination of two of the three following factors: something you know, something you have, and something you are. Identity and access management (IAM) is a program that defines and manages roles and access privileges of individual users.

Which of the following is an example of a vulnerability database that a security administrator can use with Tenable Nessus to assess the security state of servers on the network?
ANSWER
CVE
TAXII
STIX
Threat map

THE CORRECT ANSWER
CVE
WHAT YOU NEED TO KNOW
Common Vulnerabilities and Exposures (CVE) is a database of information about vulnerabilities that are codified as signatures. A vulnerability scanner like Tenable Nessus uses CVE to scan the network to determine the security state of almost any device. The Structured Threat Information eXpression (STIX) is part of the OASIS Cyber Threat Intelligence (CTI) framework that describes the standard terminology for Indicators of Compromise (IoC) and ways of indicating relationships between them. The Trusted Automated eXchange of Indicator Information (TAXII) is a protocol that provides the means for transmitting CTI data between servers and clients. A threat map is an animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform.

In a particular workplace, all user actions are recorded and accounted for. Any time a resource is updated, archived, or a user has their clearance level changed, it must be approved by a root user. Users that leave, arrive, or change jobs (roles) must have their user accounts regularly recertified, and any account changes must be approved by an administrator. What are these measures known as?
ANSWER
Change control
Separation of duties
Acceptable use policy
Job rotation

THE CORRECT ANSWER
Change control
WHAT YOU NEED TO KNOW
Change control of quality management systems and information technology systems is a process used to ensure that changes to the product or system are implemented in a managed and organized manner. Separation of duties is a way of maintaining checks and balances against the risk that sensitive processes or practices can be disrupted by insider attacks. Duties and responsibilities should be shared between people to avoid ethical conflict or misuse of powers. Job rotation (or rotation of duties) ensures that no one is able to continue working in the same job for an extended amount of time. An acceptable use policy is a collection of rules that are enforced by the network, website or service owner, developer or administrator, restricting the ways in which the network, platform or device should be used and setting limits for how it can be used.

Which attack vector makes it possible for a threat actor to compromise a whole platform with just one account?
ANSWER
Cloud
E-mail
Social media
Supply chain

THE CORRECT ANSWER
Cloud
WHAT YOU NEED TO KNOW
On a cloud platform, an attacker only needs to find one account, service, or host with weak credentials to gain access. The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems. A supply chain attack vector involves attacking a target by infiltrating other companies in the supply chain. On social media, an attacker will most likely target an individual person or group, rather than the whole Facebook platform. Social media can lure users into downloading Trojans onto their computer systems. E-mail is an application service and can run on any physical, virtual, or cloud platform. Individual email accounts will most likely be targeted via social engineering tactics.

An application processes and transmits sensitive data containing personally identifiable information (PII). The development team uses secure coding techniques such as encryption, obfuscation, and code signing. Which of the following is the development team concerned with?
ANSWER
Data exposure
Data execution
Public data
Data exfiltration

THE CORRECT ANSWER
Data exposure
WHAT YOU NEED TO KNOW
Sensitive data should be protected to prevent data exposure. Secure coding techniques such as encryption, code obfuscation, and signing can prevent data from being exposed and modified. Data execution prevention is a security feature built into an operating system that prevents code from being executed in the storage area marked as non-executable. Data exfiltration is the unauthorized transfer of protected data from an entity. It is a malicious activity that can be done remotely or manually. Public data is unclassified information that presents no risk to an organization if it is disclosed. The information is considered not sensitive.

What is it known as when a particular jurisdiction prevents or restricts processing and storage from taking place on systems that do not physically reside within that jurisdiction?
ANSWER
Provenance
E-discovery
Data sovereignty
Preservation

THE CORRECT ANSWER
Data sovereignty
WHAT YOU NEED TO KNOW
Data sovereignty refers to a jurisdiction that prohibits or limits the processing, storage, and retrieval of data that do not geographically fall under that jurisdiction. If the provenance of the evidence is certain, then the threat actor, identified by analysis of the evidence, cannot deny their actions. E-discovery is a way of filtering the relevant evidence extracted from all the data obtained during a forensic investigation and storing it in a database in such a format that it can be used as evidence in a courtroom. Preservation refers to the necessity to physically protect the evidence, such as bagging using tamper-evident, anti-static bags.

A tablet uses a key-based technique for encrypting data. It focuses on a pair of public and private keys for decryption and encryption of web traffic using less power than other encryption methods. Which encryption method is this?
ANSWER
Ephemeral
ECC
Homomorphic
Asymmetrical

THE CORRECT ANSWER
ECC
WHAT YOU NEED TO KNOW
Elliptic curve cryptography (ECC) is an asymmetric public and private key-based cryptographic technique for encrypting data. ECC generates keys through the properties of the elliptic curve equation, providing smaller and more efficient cryptographic key processes. An ephemeral key is an asymmetric cryptographic key that is generated for each individual execution of a key establishment process. Homomorphic encryption is an encryption method that allows computation to be performed directly on encrypted data without requiring access to a secret key. Asymmetric encryption uses a matched pair of public and private keys to encrypt and decrypt data.

What identifies the physical location of a device?
ANSWER
Geofencing
Rooting
Content Management
Geolocation

THE CORRECT ANSWER
Geolocation
WHAT YOU NEED TO KNOW
Geolocation is the use of network attributes to identify (or estimate) the physical position of a device. Rooting is a term associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device. For some devices, it is necessary to exploit a vulnerability or use custom firmware. A content management system tags corporate or confidential data and prevents it from being shared or copied to unauthorized media or channels, such as non-corporate email systems or cloud storage services. Geofencing is the practice of creating a virtual boundary based on real-world geography.

A healthcare organization was asked to share its data with an analytics company to perform research on patient well-being. Which of the following encryption methods would most likely protect patient information during analysis? ANSWER AES Ephemeral key Symmetric Homomorphic

THE CORRECT ANSWER Homomorphic WHAT YOU NEED TO KNOW Homomorphic encryption is an encryption method that allows computation to be performed directly on encrypted data without requiring access to a secret key. The analytics company can apply functions to the ciphertexts and return encrypted results; only the healthcare organization, which holds the private key, can decrypt them, so patient values are never revealed to the analyst. An ephemeral key is an asymmetric cryptographic key generated for a single execution of a key establishment process. Symmetric encryption uses the same key for encryption and decryption, so sharing the data for analysis would mean sharing the key. Advanced Encryption Standard (AES) is a symmetric block cipher that encrypts data in 128-bit blocks.

Which value is the result of a quantitative or qualitative risk analysis? ANSWER Single loss expectancy Annualized loss expectancy Risk factors Inherent risk

THE CORRECT ANSWER Inherent risk WHAT YOU NEED TO KNOW The result of quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before any type of mitigation has been attempted. Annualized loss expectancy (ALE) is the amount that would be lost over the course of a year. This amount is determined by multiplying the SLE by the annualized rate of occurrence (ARO). The single loss expectancy (SLE) is the amount that would be lost in a single occurrence of the risk factor. This amount is determined by multiplying the value of the asset by an exposure factor (EF). A risk factor is a risk item used as a risk input during quantitative or qualitative analysis.

The financial staff at an organization works with IT and management to determine the risks associated with currently deployed systems. What measure of risk results from this analysis? ANSWER Inherent risk Risk appetite Residual risk Control risk

THE CORRECT ANSWER Inherent risk WHAT YOU NEED TO KNOW The result of quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before any type of mitigation has been attempted. Residual risk is the likelihood and impact that remain after specific mitigation, transference, or acceptance measures have been applied. Control risk is a measure of how much less effective a security control has become over time. For example, antivirus software has become less effective as threat actors started to obfuscate code. Like residual risk, risk appetite is broad in scope: where risk acceptance applies to a single system, risk appetite has a project-wide or institution-wide scope.

Which of the following, if implemented, will NOT help mitigate the threat of tailgating? ANSWER Installing non-discretionary privilege management Installing a turnstile Installing a mantrap Installing surveillance cameras

THE CORRECT ANSWER Installing non-discretionary privilege management WHAT YOU NEED TO KNOW Non-discretionary privilege management (role-based or rule-based access control) is a logical access control model for regulating what privileged and administrative accounts can do on a system; it does nothing to stop a person physically following an authorized employee through a door. Installing a turnstile (a type of gateway that only allows one person through at a time) can help mitigate the risk of tailgating. Implementing surveillance (whether by camera or guard) on the gateway can help mitigate the risk of tailgating, at least by deterring it and detecting it afterwards. Where security is critical and cost is no object, employing a mantrap can help mitigate tailgating. A mantrap is where one gateway leads to an enclosed space protected by another barrier, so only one person at a time can be authenticated and admitted.

A threat actor can exploit unauthenticated access to submit arbitrary directory queries using which type of attack? DLL injection LDAP injection SQL injection XML injection

THE CORRECT ANSWER LDAP injection WHAT YOU NEED TO KNOW A Lightweight Directory Access Protocol (LDAP) injection attack exploits either unauthenticated access to the directory or a client application that builds LDAP search filters from unvalidated input, allowing the attacker to submit arbitrary LDAP queries (for example, by injecting the filter metacharacters ( ) * and \). An Extensible Markup Language (XML) injection attack takes advantage of data that is sent without encryption or input validation to inject arbitrary XML that can, for example, return the contents of a file such as /etc/config in the response. A Dynamic Link Library (DLL) injection is an abuse of the way the operating system allows one process to attach to another; malware can force a legitimate process to load a malicious link library. A Structured Query Language (SQL) injection supplies input that the application concatenates into a query, so that the attacker's own SQL statements are executed by the database.
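The filter-metacharacter problem described above is shown below in an added example that is not from the quiz page. It places the vulnerable filter construction beside the fix (escaping per RFC 4515) and includes a small in-memory LDAP filter parser and evaluator, constructed for the demo in place of a real directory server, so the effect of the injection can be observed: a username-lookup endpoint that only answers "exists / does not exist" leaks an arbitrary attribute of another account character by character (blind LDAP injection). The sample directory, attribute names and phone number are all constructed.

```python
"""LDAP injection: vulnerable filter construction beside the RFC 4515-escaped fix.

Added example, not from the quiz page. Includes a tiny strict LDAP filter
parser/evaluator (constructed stand-in for a directory server) so the attack
can be run rather than just printed.
"""
import re

# Constructed sample directory; each attribute holds a single string value.
DIRECTORY = [
    {"uid": "admin", "objectClass": "person", "mobile": "+15550123"},
    {"uid": "bob", "objectClass": "person", "mobile": "+15559876"},
    {"uid": "printer1", "objectClass": "device"},
]


def escape_filter_value(value):
    """RFC 4515 escaping: backslash first, then the filter metacharacters."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def unsafe_lookup_filter(uid):
    return f"(&(uid={uid})(objectClass=person))"      # raw concatenation: vulnerable


def safe_lookup_filter(uid):
    return f"(&(uid={escape_filter_value(uid)})(objectClass=person))"


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '('")
    i += 1
    if s[i] in "&|!":                                   # compound filter
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')'")
        return (op, children), i + 1
    j = s.index(")", i)                                 # simple (attr=value)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1


def parse_filter(s):
    try:
        node, end = _parse(s, 0)
    except IndexError:
        raise ValueError("truncated filter") from None
    if end != len(s):
        raise ValueError("trailing data after filter")  # strict, like a real server
    return node


def _unescape(piece):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _value_matches(pattern, actual):
    # Split on unescaped '*' before unescaping so an escaped \2a stays literal.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None


def evaluate(node, entry):
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    return attr in entry and _value_matches(pattern, entry[attr])


def user_exists(filter_str, directory=DIRECTORY):
    """All the application reveals: whether the filter matched any entry."""
    node = parse_filter(filter_str)
    return any(evaluate(node, e) for e in directory)


def blind_extract_mobile(build_filter, target="admin", directory=DIRECTORY):
    """Blind LDAP injection: each probe closes the uid term and adds a
    (mobile=prefix*) term, so the yes/no oracle confirms one character at a time.
    With the escaped builder the probe becomes a literal uid and matches nothing."""
    prefix = ""
    for _ in range(32):
        for ch in "+0123456789":
            probe = f"{target})(mobile={prefix}{ch}*"
            if user_exists(build_filter(probe), directory):
                prefix += ch
                break
        else:
            return prefix
    return prefix
```

With the unsafe builder, `blind_extract_mobile` recovers admin's full number from an endpoint that never returns attribute data; with `safe_lookup_filter` the same probes are escaped to `uid=admin\29\28mobile=...` and return nothing. Note that escaping is the fix for values inside a filter; if untrusted input must become a distinguished name, it needs the separate DN escaping rules of RFC 4514.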

What would be the highest concern for an e-commerce company whose top priority is to ensure customers can shop online 24/7? ANSWER Increase of data breaches Loss of reputation Increase of fines Loss of availability

THE CORRECT ANSWER Loss of availability WHAT YOU NEED TO KNOW Availability loss in this case means the applications and servers that host and run the e-commerce website become unreachable, whether through outage, attack, or loss of the redundancy that was keeping them up. Service availability is the top concern for an e-commerce company that advertises 24/7 shopping. Loss of reputation can be a consequence of the loss of available services; social media makes it easy for customers to share their frustration in real time while the site is down. Increases in fines can damage a company financially, especially when regulations such as consumer privacy requirements are not met. Data breaches and privacy breaches relate to data protection and can lead to legal issues, but services can remain available while data is being stolen, so they do not directly threaten the 24/7 goal.

An employee has authorized access to the company's system and intentionally misused the data from that system. What type of attack has occurred? Impersonation Social engineering Malicious insider threat Passive reconnaissance

THE CORRECT ANSWER Malicious insider threat WHAT YOU NEED TO KNOW A malicious insider threat occurs when the perpetrator of an attack is a member of, ex-member of, or affiliated with the organization's own staff, partners, or contractors. Attackers can "cyber-stalk" their victims to discover information about them via Google Search, or by using other web or social media search tools. This information gathering is also known as passive reconnaissance. Social engineering (or "hacking the human") refers to various methods of getting users to reveal confidential information. Impersonation (pretending to be someone else) is one of the basic social engineering techniques.

A system engineer can monitor and control voltage factors in a data center. The engineer can make critical decisions on the center's energy consumption and load balancing. Which device is the engineer likely using to make these decisions? ANSWER Managed PDUs SIEM Generator UPS

THE CORRECT ANSWER Managed PDUs WHAT YOU NEED TO KNOW A managed power distribution unit (PDU) is a power protection and management system that allows a user to monitor and manage voltage and electrical current in an environment, typically per outlet and over the network. An uninterruptible power supply (UPS) consists of a collection of batteries and their charging circuit plus an inverter to generate AC voltage from the DC voltage supplied by the batteries. A UPS keeps systems running through short outages until a generator starts or a clean shutdown completes. A generator is a machine that converts one form of energy into another; a standby generator burns fuel (diesel, natural gas, or propane) to produce power during extended outages. A security information and event management (SIEM) system is a centralized solution for collecting, analyzing, and managing security data from multiple sources.

A security firm and an organization meet and agree to begin a business relationship. While a contract is not in place yet, what do the parties use to maintain confidentiality and as an intent to work together? ANSWER Memorandum of understanding (MOU) Service level agreement (SLA) Business partnership agreement (BPA) Measurement systems analysis (MSA)

THE CORRECT ANSWER Memorandum of understanding (MOU) WHAT YOU NEED TO KNOW A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together. MOUs are usually intended to be relatively informal and not to act as binding contracts. Business partnership agreements (BPA) establish business partnerships often as a reseller of services. The most common model in IT is a partner agreement with Microsoft. Measurement systems analysis (MSA) is a quality management process and not an agreement. Six Sigma makes use of quantified analysis methods to determine the effectiveness of a system. A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which a service is provided.

A multinational company has partnered with several smaller, younger companies. To protect their supply chain and improve their own risk posture, the company offers to provide network security services for their new partners. Conclude what type of risk the company is addressing. ANSWER Legacy systems Internal Multiparty External

THE CORRECT ANSWER Multiparty WHAT YOU NEED TO KNOW Multiparty risk occurs when an adverse event impacts multiple organizations. If a breach occurs at one partner, all parties share the consequences, which is why the company is willing to fund its partners' network security. External risk arises from threat actors and events outside the organization; the company must consider broader threats than cyber attacks. Internal risk arises from assets and workflows that are owned and managed by the company itself. Legacy systems are a source of concern because they no longer receive software patches and because the knowledge needed to service and troubleshoot them is a finite resource.

A user at an organization reports that their mobile payment method may have been hacked. A security engineer determines that a compromise must have occurred through card skimming. Which technology was used for mobile payments? ANSWER NFC RFID Bluetooth Infrared

THE CORRECT ANSWER NFC WHAT YOU NEED TO KNOW Near field communications (NFC) is based on a particular type of radio frequency ID (RFID). NFC sensors and functionality are now commonly incorporated into smartphones. NFC is susceptible to skimming. Bluetooth is one of the most popular technologies for implementing PANs. While native Bluetooth has fairly low data rates, it can be used to pair with another device. Infrared signaling has been used for PAN in the past (IrDA), but the use of infrared in modern smartphones is featured in devices such as proximity sensors. Radio Frequency ID (RFID) is a means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else.

Which of the following is NOT a critical profiling factor when assessing the risk that any one type of threat actor poses to an organization? ANSWER Motivation Intent Structure Non-repudiation

THE CORRECT ANSWER Non-repudiation WHAT YOU NEED TO KNOW Non-repudiation is a property of a secure system where a sender cannot deny having sent a message; it is a security goal, not a threat actor attribute. The critical factors when assessing the risk that any one type of threat actor poses to an organization are intent, motivation, and structure. The intent could be to vandalize and disrupt a system or to steal something. Greed, curiosity, or some sort of grievance can motivate an attacker. Threats can be structured or unstructured (or targeted versus opportunistic) depending on the degree to which an attacker specifically targets an organization and the resources and skill behind the attack.

A basic dictionary attack includes using which of the following? ANSWER On-path Rainbow table Collisions Plaintext

THE CORRECT ANSWER Plaintext WHAT YOU NEED TO KNOW A dictionary attack is performed when software generates hash values from a dictionary of plaintext candidates and compares them with a captured hash to recover the password. A rainbow table is a precomputed lookup table of password candidates and their hash values. Values are computed in chains, and only the first and last values of each chain need to be stored, which trades storage for a little recomputation at lookup time. A rainbow table is used in more refined dictionary attacks, and a per-user salt defeats it because the precomputed chains no longer correspond to the stored hashes. A collision is where a function produces the same hash value for two different plaintexts. A birthday attack exploits collisions: finding any two inputs with the same n-bit hash takes roughly 2^(n/2) attempts rather than 2^n. A downgrade attack can be used to facilitate an on-path attack by requesting that the server use a lower specification protocol.
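The three mechanisms above (hashing a dictionary, storing only chain endpoints, and the effect of a salt) are demonstrated in this added example, which is not from the quiz page. To keep the table small enough to build in a moment, the password space is constructed as 4-digit PINs hashed with unsalted SHA-256; the chain mechanics are the same for larger spaces and other hash functions.

```python
"""Dictionary attack, rainbow-table chains, and why a salt defeats precomputation.

Added example, not from the quiz page. The password space (4-digit PINs) and
the unsalted SHA-256 scheme are constructed for the demo.
"""
import hashlib

SPACE = 10_000          # PINs "0000".."9999"
CHAIN_LEN = 50          # hashes represented by each stored (start, end) pair


def h(pin: str) -> bytes:
    return hashlib.sha256(pin.encode()).digest()


def reduce_fn(digest: bytes, step: int) -> str:
    """Maps a hash back into the password space. Varying it per step is what
    distinguishes rainbow chains from plain Hellman chains and limits merging."""
    return f"{(int.from_bytes(digest[:8], 'big') + step) % SPACE:04d}"


def build_rainbow_table(starts):
    """Only endpoint -> start points are stored; chain interiors are recomputed."""
    table = {}
    for start in starts:
        pin = start
        for step in range(CHAIN_LEN):
            pin = reduce_fn(h(pin), step)
        table.setdefault(pin, []).append(start)
    return table


def rainbow_lookup(table, target: bytes):
    """Recover a preimage of target: assume it sits at each possible chain
    position, walk to the endpoint, then regenerate that chain and verify."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pin = reduce_fn(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pin = reduce_fn(h(pin), step)
        for start in table.get(pin, []):          # may be a false alarm
            cand = start
            for step in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_fn(h(cand), step)
    return None


def dictionary_attack(target: bytes, wordlist, hash_fn=h):
    """Plain dictionary attack: hash every candidate and compare.
    Returns (plaintext or None, number of hashes computed)."""
    work = 0
    for pin in wordlist:
        work += 1
        if hash_fn(pin) == target:
            return pin, work
    return None, work


def salted_hash(pin: str, salt: bytes) -> bytes:
    """Per-user salt: the stored value no longer equals h(pin), so neither the
    table nor any earlier dictionary run applies; the attacker must redo the
    whole wordlist for every salt."""
    return hashlib.sha256(salt + pin.encode()).digest()


if __name__ == "__main__":
    table = build_rainbow_table(f"{i:04d}" for i in range(0, SPACE, 50))
    print("stored pairs:", sum(len(v) for v in table.values()), "of", SPACE)
    print("lookup of h('0000'):", rainbow_lookup(table, h("0000")))
    print("lookup of salted hash:", rainbow_lookup(table, salted_hash("0000", b"salt")))
```

Two hundred stored endpoint pairs stand in for ten thousand hashes; the lookup never needs the interior values. Against the salted hash the same table returns nothing, and cracking it requires a fresh `dictionary_attack` with the salt folded into `hash_fn`, so the work is paid again for every account.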

Describe the general function of the command echo "head" when used in conjunction with a resource pointer, such as a filename or IP address. Generates a log file Prints the first lines of the target Prints a web resource header Identifies vulnerabilities

THE CORRECT ANSWER Prints the first lines of the target WHAT YOU NEED TO KNOW The head command, by default, outputs the first ten lines of a file (head -n N changes the count, and tail is its counterpart for the last lines). The echo command simply prints the strings passed to it as arguments, so the functional part of the question is the head command itself. Authorization information, cookies, and the content type of a resource are forms of web resource metadata; they are retrieved with an HTTP HEAD request (for example curl -I), not with the shell head command. The logger command writes input to the local system log or to a remote syslog server. A vulnerability scanner, such as Nessus, scans a network and raises an alarm if it detects vulnerabilities on any device that a malicious hacker could exploit.

A capability delivery manager adds a configuration management plan, a failover plan, and a risk assessment to a program's documentation inventory. Which of the following best describes what controls the manager is addressing? ANSWER Technical Change management Operational Response and recovery

THE CORRECT ANSWER Response and recovery WHAT YOU NEED TO KNOW Response and recovery controls are the policies, procedures, and resources defined to guide an entity in responding to an outage or disaster and the steps taken to recover from it; a failover plan and the risk assessment that justifies it belong here. Change management control is a process used to prevent unauthorized changes to a system baseline. Operational controls are implemented primarily by people rather than systems, such as security guards and training programs; physical controls, such as locks and gateways, are the ones that can literally be touched and are used to prevent or detect unauthorized access to physical areas, systems, and assets. Technical controls are security controls, such as hardware or software mechanisms, used to protect assets.

A configuration manager creates policies and procedures for events such as power failure, network intrusion, and denial of service. These documents include step-by-step instructions to protect the application and restore it to a functional state within a certain timeframe. What has the configuration manager implemented? ANSWER Technical control Control diversity Operational security control Response and recovery control

THE CORRECT ANSWER Response and recovery control WHAT YOU NEED TO KNOW Response and recovery controls include all policies, procedures, and resources developed for incident and disaster response and recovery. These can include a configuration management plan, a disaster recovery plan, and an incident response plan, each with a target time for restoring service. Technical controls are security controls, such as hardware or software mechanisms, used to protect assets. Operational controls are implemented primarily by people rather than systems, such as security guards and training programs; physical controls, such as locks and gateways, are the ones that can literally be touched and are used to prevent or detect unauthorized access to physical areas, systems, and assets. Control diversity is the use of multiple control types, such as administrative, technical, and physical, so that one failure does not defeat the whole defense.

Sometimes data is archived after it is past its usefulness for purposes of security or regulatory compliance. What is this called? ANSWER Correlation Sensitivity Trends Retention

THE CORRECT ANSWER Retention WHAT YOU NEED TO KNOW When policy dictates preserving data in an archive after it is no longer in active use, whether for regulatory or security purposes, this is known as a retention policy; it should also state when the data is finally destroyed. Reducing the number of rules in a SIEM that produce events reduces sensitivity and reduces false positives; conversely, increasing the number of rules increases sensitivity and reduces false negatives. Security Information and Event Management (SIEM) software collects and collates security and log data from across a network in real time and organizes it for efficient threat analysis, linking events and related data into alertable reports through correlation. SIEM software can also visualize log information over time to identify trends.

Recommend an immediate response that does not require generating new certificates in a scenario where an attacker has compromised a host on a network by spoofing digital certificates. ANSWER Install a content filter Revoke the host's certificate Install a data loss prevention system Remove all root certificates from host

THE CORRECT ANSWER Revoke the host's certificate WHAT YOU NEED TO KNOW Certificate revocation must always be performed if the associated host, and therefore its private key, is compromised; revoking is an immediate action that needs no new certificate, and the new certificate can be issued afterwards. When a certificate is revoked with the reason code Key Compromise, the subject can later be rekeyed, that is, issued a new certificate with the same subject and expiry information but a fresh key pair. Removing root certificates from the host is not necessary because they contain only public keys and are not what was compromised; revoking root certificates is likewise unnecessary. Data loss prevention (DLP) software is a collection of tools and procedures used to prevent the deletion, abuse, or access of sensitive data by unauthorized users. A content filter mediates user access to Internet services, with the ability to block content or prevent traffic based on matching content in application layer protocol headers and payloads.

An electrical cooperative startup needs the ability to monitor energy use, collect data taken from the monitoring, and use the data to lower costs and energy waste. Which component of an industrial control system (ICS) would be the best solution for the cooperative? ANSWER MSP TACACS+ RTOS SCADA

THE CORRECT ANSWER SCADA WHAT YOU NEED TO KNOW Supervisory control and data acquisition (SCADA) is part of an industrial control system (ICS) and is used for gathering and analyzing real-time data from field devices such as meters and controllers. SCADA reporting and analytics let an operator make data-driven decisions. A real-time operating system (RTOS) runs in an embedded system intended to serve real-time applications that process data as it comes in; it reacts to external events more predictably than a general-purpose operating system. A managed service provider (MSP) or managed security service provider (MSSP) offers fully outsourced responsibility for information assurance to a third party. Terminal Access Controller Access-Control System Plus (TACACS+) is an authentication protocol that uses multiple challenges and responses between client and server.

A cellular company updates cell towers across the country. They plan to update the baseband of their mobile users, to fully support the new towers. How may the company effectively deploy this new update? ANSWER Send updates over Wi-Fi Add to next android version Via USB Send updates through OTA

THE CORRECT ANSWER Send updates through OTA WHAT YOU NEED TO KNOW OTA (over the air) refers to the process of updating the baseband firmware on mobile devices through the cellular network. This option is the most effective and efficient and requires very little interaction by the user. Updates over Wi-Fi require each user to connect to a Wi-Fi network and usually to navigate to a website or service and download the update, which is neither efficient nor effective at scale. Android versions are managed and pushed by Google; new versions can be pushed alongside other updates from cellular companies, but baseband firmware is not part of the Android operating system. Connecting a mobile or radio device to a computer via USB is not effective because it requires manual work for every device.

A data exfiltration attack at a well-known retail company exposes a great deal of private data to the public. A portion of the data details the CEO's political and religious affiliations. When considering data classification types, which has been exposed? ANSWER Sensitive Proprietary Critical Confidential

THE CORRECT ANSWER Sensitive WHAT YOU NEED TO KNOW A sensitive label is usually used in the context of personal data. This is privacy-sensitive information about a subject that could harm them if made public and could prejudice decisions made about them. Confidential information is highly sensitive, for viewing only by approved persons within the owner organization, and possibly by trusted third parties under NDA. Critical information is organization data that is too valuable to allow any risk of its capture. Viewing is severely restricted. Proprietary information or intellectual property (IP) is information created and owned by the company, typically about the products or services that they make or perform.

How does the General Data Protection Regulation (GDPR) classify data that can prejudice decisions, such as sexual orientation? ANSWER Confidential Sensitive Private Proprietary

THE CORRECT ANSWER Sensitive WHAT YOU NEED TO KNOW The sensitive classification is used in the context of personal data about a subject that could harm them if made public and could prejudice decisions made about them if referred to by internal procedures; GDPR Article 9 calls this special category data (for example, racial or ethnic origin, political opinions, religious beliefs, health data, and sexual orientation) and restricts its processing. Private data is information that relates to an individual identity, such as an identification number. Proprietary information is created and owned by the company, typically about the products or services that they make or perform. Confidential information is highly sensitive, for viewing only by approved persons within the owner organization.

Select the type of incident response exercise that involves recreating system interfaces or using emulators to allow students to practice configuration tasks, or even practice with other trainees to mimic real-time attack scenarios. ANSWER Tabletop Walkthrough Simulations Capture the Flag

THE CORRECT ANSWER Simulations WHAT YOU NEED TO KNOW Simulation is an activity in which two teams replicate a scenario and play the scenario out on real hardware, with one team representing the attackers, and the other team representing the response team. In tabletop instruction, the facilitator poses a situation. Respondents describe steps to take to identify, contain, and eradicate the threat. Scenario data are mostly implemented as flashcards, making hardware unnecessary. In walkthrough sessions, the facilitator introduces the scenario as they would for a tabletop exercise, but the incident responders demonstrate what action to take in response. Capture the Flag (CTF) is an exercise where players must perform a range of activities in a virtualized environment to uncover the flag, either a threat agent or a vulnerability.

Which aspect of certificate and key management should an administrator consider when trying to mitigate or prevent the loss of private keys? ANSWER Storage OCSP Revocation Expiration

THE CORRECT ANSWER Storage WHAT YOU NEED TO KNOW Private keys must be securely stored to prevent unauthorized use and loss. Wherever key pairs are generated and held (on the subject's host, in a hardware security module, or in a certificate authority's key escrow database), strict access control and data-at-rest encryption are required. Revocation occurs if a key or certificate is compromised in production: the certificate is revoked and its status is recorded in a certificate revocation list (CRL). Online Certificate Status Protocol (OCSP) communicates the status of a single requested certificate rather than returning a whole CRL. Key and certificate expiration is part of the key management lifecycle. A certificate is valid for a set period (publicly trusted TLS certificates currently no more than 398 days, internal CA certificates often longer), after which it expires and a new certificate, ideally with a new key pair, is issued.

Which type of service account has the most privileges? ANSWER System Network service Local service Group service

THE CORRECT ANSWER System WHAT YOU NEED TO KNOW The System account (NT AUTHORITY\SYSTEM) has the most privileges of any Windows account. This account creates the host processes and services that receive full privileges on the local computer. Local service accounts have the same privileges as standard user accounts and access network resources as an anonymous user. Network service accounts have the same privileges as a standard user account but have the authority to present the computer's credentials to access network resources. Neither of these can control host processes. A group service account is not an official Microsoft name for a built-in service account; the real term, group managed service account (gMSA), refers to a domain-managed account whose password Active Directory rotates automatically. System accounts have the most privileges.

A system engineer is researching backup solutions that are inexpensive and can store large amounts of data offline. The backup solution must be portable and maintainable for a certain length of time defined in the company's backup recovery plan. Which of the following is the best backup solution? ANSWER Tape SAN Disk NAS

THE CORRECT ANSWER Tape WHAT YOU NEED TO KNOW A tape backup solution stores data on magnetic tape. It is less expensive per terabyte than most backup solutions, and when stored properly tape lasts for decades, is small, and is portable. Because tapes are offline once removed from the drive, they also give an air-gapped copy that ransomware or an attacker on the network cannot reach. Network-attached storage (NAS) is a file-level data storage server attached to a network that provides data access to a common group of clients; NAS is not portable and stays online, so it is reachable by the same threats as the primary data. A disk backup solution is more expensive than a tape backup solution. A storage area network (SAN) provides access to block-level data storage and is used to reach other storage devices, such as disks and tape libraries, from servers.

A network administrator needs a service to easily manage Virtual Private Cloud (VPC) and edge connections. The service must have a central console for ease of monitoring all components. Which of the following is the best solution for the administrator to use in a cloud computing environment? ANSWER gateway endpoint NAT gateway Cloud storage gateway Transit gateway

THE CORRECT ANSWER Transit gateway WHAT YOU NEED TO KNOW A transit gateway is a cloud network hub that allows users to interconnect virtual private clouds (VPC) and on-premises networks through a central console. A network address translation (NAT) gateway allows cloud resources with nonpublic Internet Protocol (IP) addresses access to the internet without revealing them to incoming internet connections. A gateway endpoint is configured as a route to a service in a Virtual Private Cloud (VPC) route table to connect to Amazon Web Services (AWS) resources. A cloud storage gateway provides consumers the ability to integrate cloud-based storage repositories with on-premises servers and infrastructure.

Today's hackers are keen on knowing that security teams are actively hunting for threats on the network. Hackers may use resources to trigger a diversion to keep threat hunters busy, while another attack is initiated to carry out the primary objective of the planned penetration attack. How can a security team best circumvent this strategic hacking technique? ANSWER Monitor threat feeds from ISACs. Review security advisories. Apply intelligence fusion techniques. Use a defensive maneuver.

THE CORRECT ANSWER Use a defensive maneuver. WHAT YOU NEED TO KNOW A defensive maneuver uses passive discovery techniques so that threat actors do not know they have been discovered. This gives the security team a chance to investigate the source of the attack, find the primary objective behind the diversion, and plan a resolution before the threat moves on to its next objective. Security bulletins and advisories from vendors and security researchers notify of new TTPs and vulnerabilities to assist security teams with threat hunting. Threat or vulnerability feeds from sources such as Information Sharing and Analysis Centers (ISACs) organized by industry provide insight into which threats other businesses are seeing today. Intelligence fusion combines threat analytics platforms with threat feeds to determine in near real time whether a threat is active on the network or system.

Which of the following represents a non-intrusive scanning type of framework? ANSWER Penetration testing Vulnerability scanning An exploitation framework Metasploit

THE CORRECT ANSWER Vulnerability scanning WHAT YOU NEED TO KNOW Whether they use purely passive techniques or some sort of active session or agent, vulnerability scanners represent a non-intrusive scanning type. The scanner identifies vulnerabilities from its database by analyzing things, such as build and patch levels or system policies. Pen testing that uses exploitation frameworks is considered "active" and "intrusive." An exploitation framework is a means of running intrusive scanning. It uses the vulnerabilities identified by a scanner and launches scripts or software to attempt to exploit selected vulnerabilities. Metasploit is an exploit code framework and comprises a database of exploit code, each targeting a particular CVE (Common Vulnerabilities and Exposures).

What are the main features that differentiate the Test Access Point (TAP) from a Switched Port Analyzer (SPAN)? (Select all that apply.) Test access point (TAP) avoids frame loss. Test access point (TAP) is a separate hardware device. Test access point (TAP) is a temporary solution. Test access point (TAP) is considered 'active' only.

Test access point (TAP) avoids frame loss. Test access point (TAP) is a separate hardware device. WHAT YOU NEED TO KNOW A test access point (TAP) is a hardware device that copies signals from the physical layer and the data link layer, while SPAN (switched port analyzer) is simply mirroring ports. Since no network or transport logic is used with a test access point (TAP), every frame is received, allowing reliable packet monitoring. Test access points (TAPs) can be either active or passive. Also, switched port analyzers (SPAN) are considered active. Test access points (TAPs) are more stable and reliable than switched port analyzers (SPAN) and considered an investment as a long term solution; whereas, SPAN is more useful for temporary solutions.

Unlike transport layer security (TLS), internet protocol security (IPSec) can use two modes. One mode encrypts only the payload of the IP packet, leaving the IP address unencrypted. The other mode encrypts the whole IP packet and adds a new IP header. What are these modes? (Select all that apply.) Stateless Tunnel Stateful Transport

Tunnel Transport WHAT YOU NEED TO KNOW IPsec tunnel mode encrypts the entire original IP packet (header and payload) and adds a new outer IP header; it is used for gateway-to-gateway and remote-access VPNs that cross an untrusted network such as the Internet, so the inner addresses are hidden. IPsec transport mode encrypts only the payload and leaves the original IP header in the clear; it is used for host-to-host protection within a private network. The term stateful is commonly used to describe how a firewall inspects network packets: stateful inspection tracks connections and judges each packet in the context of previously inspected packets. A stateless firewall focuses only on the packet being analyzed at that moment when deciding which rule or policy to enforce.

An IT department implements a software tool between the company's network and the cloud provider to monitor network traffic and enforce security policies. What software tool was implemented? ANSWER SSL/TLS accelerator CASB Firewall Protocol analyzer

THE CORRECT ANSWER CASB WHAT YOU NEED TO KNOW A cloud access security broker (CASB) is a tool placed between an organization's resources and a cloud service provider that enforces defined security policies while monitoring traffic. A firewall filters traffic. It can be used for a single host or between networks and regulates both inbound and outbound traffic using an access control list (ACL). A Secure Socket Layer (SSL)/Transport Layer Security (TLS) accelerator is a hardware device that offloads TLS handshake and encryption work from servers to improve performance. A protocol analyzer is a tool used to examine the contents of network traffic.

IT management wants to make it easier for users to request certificates for their devices and web services. The company has multiple intermediate certificate authorities spread out to support multiple geographic locations. In a full chain of trust, which entity would be able to handle processing certificate requests and verifying requester identity? RA CSR CA OCSP

WHAT YOU NEED TO KNOW A Registration Authority (RA) is a function of certificate enrollment and its services would be combined with a Certificate Authority (CA) in a single CA hierarchy. An RA is responsible for validating and submitting a request on behalf of end users. A CA creates and issues certificates to users. Users and systems trust certificates issued by that CA and intermediate CAs all within the chain of trust. An Online Certificate Status Protocol (OCSP) server or OCSP responder provides up-to-date certificate status information. It only communicates the status of the requested certificate. A Certificate Signing Request (CSR) is a Base64 ASCII file containing the information that the subject wants to use in the certificate, including its public key.

Using Unified Extensible Firmware Interface (UEFI) to boot a server, the system must also provide secure boot capabilities. Part of the secure boot process requires a secure boot platform key or self-signed certificate. Determine which of the following an engineer can use to generate keys within the server using an available Peripheral Component Interconnect Express (PCIe) slot. NFC token Hardware security module Trusted platform module Password vault

WHAT YOU NEED TO KNOW A hardware security module (HSM) is an appliance designed to perform centralized public key infrastructure (PKI) management, key generation, or key escrow for devices. An HSM can also be implemented as a plug-in PCIe adapter card that operates within a device. A trusted platform module (TPM) is a specification for hardware-based storage of encryption keys, hashed passwords, and other user and platform identification information. A password vault is a software-based password manager. Most operating systems and browsers implement native password vaults, for example, Windows Credential Manager and Apple's iCloud Keychain. A near field communication (NFC) token is a password key. It can also be implemented over USB or even Bluetooth media.

Which of the following describes a device that only runs administrative protocols such as secure shell (SSH) or remote desktop protocol (RDP) to securely manage application servers in a demilitarized zone (DMZ)? Jump server Reverse proxy server Hardware security module Forward proxy server

WHAT YOU NEED TO KNOW A jump server only runs the necessary administrative ports and protocols (typically SSH or RDP). Administrators connect to the jump server and then use it to connect to the admin interface of application servers in a demilitarized zone (DMZ). A hardware security module (HSM) is a network appliance designed to perform centralized PKI management for a network of devices. An HSM can act as an archive or escrow for keys. A forward proxy provides for protocol-specific outbound traffic. It enables client computers on the LAN to connect to Internet websites. A reverse proxy server provides for protocol-specific inbound traffic. It listens for client requests, applies filtering rules, and creates the appropriate request for an application server.

An employee can conduct meetings using a corporate-owned, personally enabled (COPE) mobile device while on a company-related work trip. The service for the device is provided by Verizon Wireless. What component of the device authenticates the device to the provider? Token key Implied trust SIM Context aware

WHAT YOU NEED TO KNOW A subscriber identity module (SIM) card is used to identify and authenticate subscribers on mobile and cellular devices. The SIM is issued by a cellular provider, with roaming allowing use of other suppliers' tower relays. Implied trust assumes that any system that has been connected to the network is authorized, under the premise that a legitimate administrator has connected it and continues to operate it. A token key is a mechanism that provides a user with an automatically generated password that can be used only once. Context-aware authentication is a two-factor authentication (2FA) method that uses multiple signals to authenticate a user, such as time of day, type of device, and geolocation.

A file system audit shows a malicious account was able to obtain a password database. The malicious account will be able to use the information without interacting with an authentication system. What type of attack will the malicious account be able to perform on systems? Dictionary attack Online password attack Password spraying attack Offline password attack

WHAT YOU NEED TO KNOW An offline password attack means that the attacker has managed to obtain a database of password hashes, from an Active Directory credential store, for example. A password cracker tool does not need to interact with the authentication system in this case. Password spraying is a horizontal brute-force online attack: the attacker chooses one or more common passwords and tries them in conjunction with multiple usernames. A dictionary attack is performed when software generates hash values from a dictionary of plaintexts and matches them against a captured hash to gain access. An online password attack is one where the threat actor interacts with the authentication service directly, such as a web login form or a VPN gateway.

Utilities, such as IPFIX and NetFlow, export a file based on collected IP traffic flow metadata. What is the name of this exported file? Throughput record Flow record Network log DNS log

WHAT YOU NEED TO KNOW Flow analyzers, such as IPFIX and NetFlow, generate flow records as a history of traffic flow, including timestamps and IP addresses. Equipment such as routers, firewalls, switches, and access points generates network logs. The log files record the operation and status of the device plus traffic and events that reveal network behavior. DNS servers also supply some form of query logging, also known as analytical logging. All requests received by the server are detailed in these logs. Throughput records can be recorded with bandwidth monitors or with flow analyzers, but throughput records are not exported as a file.

A company leases access to resources from a service provider as agreed upon in a service level agreement. The company pays only for what is used on a monthly basis. Which of the following computing concepts is being used? PaaS Cloud computing Community cloud On-premise

WHAT YOU NEED TO KNOW In cloud computing, a company uses a cloud service provider to deliver computing resources. A cloud-based server uses virtualization technology to host a company's applications offsite. A community cloud is a collaborative effort in which infrastructure is shared between several organizations that have a common interest. Platform as a Service (PaaS) offers a consumer a configurable operating system and application to use in a cloud environment; the cloud service provider is responsible for the hardware and platform support. On-premises computing refers to a company's infrastructure and resources all being maintained locally by the company, which is responsible for managing and maintaining the assets.

What protocol alters public IP addresses to private IP addresses and vice versa, in an attempt to protect internal computers from the Internet? Firewall Proxy NAT URL Filter

WHAT YOU NEED TO KNOW Network Address Translation (NAT) translates public IP addresses to private ones and vice versa. By using NAT on the firewall, a company can hide internal assets from the public Internet. A proxy acts on behalf of another service. A proxy examines the data and makes rule-based decisions about whether the request should be forwarded or refused. It does not hide IP addresses. Uniform Resource Locator (URL) filtering allows you to control access to websites by permitting or denying access to specific websites based on information contained in a URL list. A firewall filters traffic. It can be used for a single host or between networks. It regulates both inbound and outbound traffic, providing a layer of security in both directions.

Experts at a scientific facility suspect that operatives from another government entity have planted malware and are spying on one of their top-secret systems. Based on the attacker's location and likely goals, which attacker type is likely responsible? Script kiddies State actors Criminal syndicates Hacktivists

WHAT YOU NEED TO KNOW State actors have been implicated in many attacks, particularly on energy and health network systems. They typically work at arm's length from the national government that sponsors and protects them, maintaining "plausible deniability." A criminal syndicate can operate across the Internet from a different jurisdiction than its victim, increasing the complexity of prosecution. Syndicates will seek any opportunity for criminal profit, but their typical activity is financial fraud. A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.

Which of the following practices would help mitigate the oversight of applying coding techniques that will secure the code of an internal application for a company? Static code analysis Input validation Dead code removal Normalization

WHAT YOU NEED TO KNOW Static code analysis is the manual review of code to identify oversights, mistaken assumptions, or a lack of knowledge or experience. This may ensure security or improve the code, depending on who is peer-reviewing it. Input validation checks all input methods to mitigate the risk of malicious input that could be crafted to perform an overflow attack or SQL injection attack. Normalization in code strips illegal characters or substrings from input data and converts it to the accepted character set. Dead code is executed but has no effect on the program flow. For example, there may be code to perform a calculation, but the result is never stored or used. Dead code should be removed.

A team lead oversees onboarding new system administrators in an IT company. Part of the process is explaining the complex IT infrastructure. Which of the following configuration management strategies would BEST help the team lead explain the infrastructure? Change management Master Image Baseline configuration Diagrams

WHAT YOU NEED TO KNOW Diagrams provide a visual representation of complex relationships between network topologies, workflows, Internet protocols, and architecture within a system. Diagrams must be updated as system components change. Baseline configurations are documented and agreed-upon sets of specifications for information systems. Baseline configurations serve as the starting point for development, patching, and changes to information systems. The master image is a baseline for the system. This image includes the final product of software and security services running on a system. Change management is a process that follows a change to a system from identification to implementation. It is used for controlled identification and implementation of required changes within a computer system.

A malicious actor successfully registered a domain called support247.onmicrosoft.com. This domain will be used to send emails to users to convince them to click the included links and attached files. Which social engineering technique is the malicious actor specifically using in this case? Hybrid warfare Prepending Reconnaissance Typosquatting

WHAT YOU NEED TO KNOW Typosquatting means that the threat actor registers a domain name that is very similar to a real one, such as connptia.org, hoping that users will not notice the difference. Reconnaissance is the overall preliminary surveying or research of an environment by any means. This may include social engineering, network scans, or brute force. Prepending means adding text that appears to have been generated by the mail system. For example, an attacker may add "RE:" to the subject line to make it appear legitimate. Hybrid warfare is a hostile campaign that involves a suite of techniques to influence a target, usually with a political agenda. It deploys espionage, disinformation/fake news, and hacking all in one.

Evaluate and select the differences between WPA and WPA2. (Select all that apply.) WPA2 is much more secure than WEP, where WPA is not. WPA2 is a security protocol developed by the Wi-Fi Alliance for use in securing wireless networks. WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). WPA2 requires entering a longer password than WPA.

WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). WPA2 requires entering a longer password than WPA. WHAT YOU NEED TO KNOW WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). WPA and WPA2 are both much more secure than WEP (Wired Equivalent Privacy). WPA and WPA2 are both security protocols developed by the Wi-Fi Alliance for use in securing wireless networks. WPA was developed in 2003 and WPA2 in 2004. Another difference between WPA and WPA2 is the length of their passwords: WPA2 requires the user to enter a longer password than WPA does.

A cyber security team would like to gather information regarding what type of attacks are occurring on a network. Which of the following implementations would assist in routing information on the attackers to a Honeynet? honeypot DNS sinkhole DDoS Spear phishing

DNS sinkhole WHAT YOU NEED TO KNOW A Domain Name Service (DNS) sinkhole is used to intercept DNS requests attempting to connect to known malicious or unwanted domains and return a fake IP address. A honeypot is a server that is intentionally left open or available so that an attacker will be drawn to it rather than to the live network. Distributed denial of service (DDoS) blackhole routing is a countermeasure to mitigate a DDoS attack in which network traffic is routed to a null destination and discarded. Spear phishing is a targeted form of phishing in which an email is sent to a specific group of users to obtain personal information.

A cloud service provider informs its consumers that Amazon Linux version 1 products will no longer be supported after 31 December. Consumers using these products must have a plan in place to upgrade to the newest Amazon Linux product, version 2. After the deadline, Amazon Linux 1 products will only receive critical patches. Which of the following best describes the degradation of the product? EOL Legacy system Multiparty risk EOS

EOL WHAT YOU NEED TO KNOW The end of life (EOL) for a software product occurs when the product will no longer be produced or sold. These products are most likely to be replaced by a newer version or model. End of service life (EOS) occurs when a product will no longer be supported by the vendor; updates and patches will no longer be produced. A legacy system is outdated computing software or hardware that is still in use. Legacy systems generally receive no support or maintenance. A multiparty risk is a threat involving multiple vendors, businesses, and people.

A large business works with a consulting group to develop a business continuity plan. The goal of the plan is to provide a potentially uninterrupted workflow in the event of an incident. Examine the descriptions and determine which one matches this goal. Recovery of primary business functions when disrupted Retention of data for a specified period Ensuring processing redundancy supports the workflow Performing mission critical functions without IT support

Ensuring processing redundancy supports the workflow WHAT YOU NEED TO KNOW Business continuity planning identifies how business processes should deal with both minor and disaster-level disruption. It ensures that there is processing redundancy supporting the workflow through failover. Continuity of operations planning (COOP) is used for government facilities. In some definitions, COOP refers specifically to backup methods of performing mission functions without IT support. A disaster recovery plan addresses an incident in which the organization's primary business function is disrupted. Disaster recovery requires considerable resources, such as shifting processing to a secondary site. A retention policy is important for retrospective incident handling. A policy for historic logs and data sets the period over which these are retained.

A basic installation of a web server will require which of the following to allow unauthenticated access? Guest account Service account Shared account User account

Guest account WHAT YOU NEED TO KNOW A guest account is a special type of shared account with no password. It allows anonymous and unauthenticated access to a resource. Guest accounts are created when installing web services, as most web servers allow unauthenticated access. Service accounts are used by scheduled processes and application server software, such as databases. A service account follows the authentication process to run in a domain environment. A user account is defined by a unique security identifier (SID), a name, and a credential. The account goes through the standard authentication process in a domain environment. A shared account is a user or administrator account that is shared by more than one person. In some cases, a shared account may be used as a service account as well.

Which of the following baseband radio technologies support higher bandwidth capacities? Narrowband LTE-M FPGA Zigbee

LTE-M WHAT YOU NEED TO KNOW LTE Machine Type Communication (LTE-M) allows Internet of Things (IoT) devices to connect directly to a 4G network, without a gateway. It is a baseband radio technology that supports higher bandwidths. Narrowband is a communication technology that uses a low-power version of Long-Term Evolution (LTE). Narrowband transceivers transmit and receive digital or analog data over a very narrow bandwidth. Field Programmable Gate Arrays (FPGAs) are semiconductor devices that contain programmable logic blocks and interconnection circuits. These devices can be programmed and reprogrammed to meet the required functionality. Difficulty in updating and patching is often a downfall of embedded systems such as FPGAs. Zigbee is a two-way wireless radio frequency communication technology between a sensor and a control system.

Which system allows a user to authenticate once to a local device and to be authenticated to other servers or services without entering credentials again? OpenID Connect Single sign-on Password vault OAuth

Single sign-on WHAT YOU NEED TO KNOW A single sign-on (SSO) system allows the user to authenticate once to a local device and be authenticated to compatible application servers without having to enter credentials again. Open Authorization (OAuth) is a protocol often implemented for authentication and authorization for RESTful application programming interfaces (APIs). It is designed to facilitate sharing of information (resources) within a user profile between sites. OpenID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. A password vault is a software-based password manager. Most operating systems and browsers implement native password vaults, for example, Windows Credential Manager and Apple's iCloud Keychain.

An organization wants to implement a certificate on a website domain. The organization prepares for a rigorous check to prove its identity using extended validation. Evaluate the options and conclude why the certificate would not be issued. Multiple root CAs are trusted. The domain uses a wildcard. A TXT record is used for verification. The root CA is offline.

The domain uses a wildcard. WHAT YOU NEED TO KNOW Extended Validation (EV) is a proof-of-ownership process that requires rigorous checks on the subject's legal identity and control over a domain. An EV certificate cannot be issued for a wildcard domain. A TXT record is a DNS record used for a variety of purposes; a TXT record may provide a string of characters for verification. Multiple organizations may agree to share a root CA, but this may cause operational difficulties that increase as the CA is trusted by more organizations. In practice, most clients are configured to trust multiple root CAs. Because of the risk posed by compromising a root CA, a secure configuration keeps the root as an offline CA. The root CA is brought online only to add or update intermediate CAs.

A systems administrator learns Linux commands to view log files. Which command should be used if line numbers are required to view an entire file? head grep cat tail

cat WHAT YOU NEED TO KNOW The Linux command cat allows for viewing the entire contents of one or more files. For example, to view the contents of two log files with line numbers, use cat -n access.log access2.log; the -n switch adds line numbers. The head command outputs the first 10 lines of a provided file by default. This can be adjusted to output more or fewer lines using the -n switch. The grep command performs string matching to search text files for specific strings, allowing the entire contents of a text file to be searched for a specific pattern. The tail command outputs the last 10 lines of a provided file by default. This can be adjusted to output more or fewer lines using the -n switch.

Identify which tools would be used to identify suspicious network activity. (Select all that apply.) Metasploit tcpdump tcpreplay Wireshark

tcpdump, tcpreplay, Wireshark WHAT YOU NEED TO KNOW tcpdump is a command-line packet capture utility for Linux. The utility displays captured packets until halted manually, and it can save frames to a .pcap file. This tool commonly uses filter expressions to reduce the number of frames captured, such as by type, direction, or protocol. Wireshark is a graphical application that can capture all types of traffic by sniffing the network and save that data to a .pcap file. tcpreplay is a command-line utility for Linux that can replay data from a .pcap file, for example, to analyze traffic patterns and data. Metasploit is an exploitation framework that can identify vulnerabilities through penetration testing, but it is not useful for gathering real-time information that would identify attacks in progress.
