Sec+ Express

What is the order of volatility?

- Data in cache memory, including the processor cache and hard drive cache
- Data in RAM, including system and network processes
- A paging file (sometimes called a swap file) on the system disk drive
- Data stored on local disk drives
- Logs stored on remote systems
- Archive media

A network with two normal-working switches has several client computers connected for work and Internet access. After adding two new switches and more client computers, the new computers, as well as some of the old client computers, cannot access the network. What are most likely the cause and the solution? (Select all that apply.)

- A loop in the network: A switch loop on the network will cause network connections to drop, since a packet cannot make the appropriate hop to the next switch toward its final destination. Switching loops also generate broadcast storms.
- STP: STP (Spanning Tree Protocol) is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.

A developer implements a single sign-on (SSO) login standard using Security Assertion Markup Language (SAML) for logging users into an application to eliminate the need for username/password credentials. This implementation is part of which of the following?

API considerations: An application programming interface (API) is programming code that enables data transmission from one software product to another. It also defines the terms of this data exchange.

During a risk assessment, a company indicates the value of employee-used laptops to be $1,500.00 apiece. What should the company define to come up with the annual loss expectancy in a quantitative risk assessment?

ARO: The annual rate of occurrence (ARO) indicates how many times a loss will occur within a year. An ARO is used in conjunction with the single loss expectancy (SLE) to figure the annual loss expectancy (ALE).

Simulate the hypertext transfer protocol secure (HTTPS) protocol in use.

An encrypted TCP connection protects sensitive banking information during online transmission. HyperText Transfer Protocol Secure (HTTPS) is used to encrypt Transmission Control Protocol (TCP) connections. Websites for banking, email, or shopping should use HTTPS to encrypt data for protection when submitting the data.

A piece of data that may or may not be relevant to the investigation or incident response, such as registry keys, files, time stamps, and event logs, is known as what?

Artifacts: An artifact is a piece of data, such as registry keys, files, timestamps, and event logs, that may or may not be important to the investigative analysis or incident response.

A government system uses Public Key Infrastructure to enable users to securely exchange data using both a public and private cryptographic key pair that is obtained and shared through a trusted authority. This process most likely describes which of the following?

Authentication application: An authentication application is used to verify a user's access. Authentication applications use various means to identify a user, such as static codes, token keys, and Public Key Infrastructure.

Network administrators are configuring a demilitarized zone (DMZ) to provide Internet-facing services to customers. These admins will perform minimum configuration and security to rapidly deploy two web servers that are load balanced. Which of the following will most likely be configured in this DMZ? (Select all that apply.)

- Bastion hosts: Bastion hosts are any servers that are configured with minimal services to run in a demilitarized zone (DMZ). A bastion host would not be configured with any data that could be a security risk to the internal network.
- Virtual IP addresses: Virtual Internet Protocol (IP) addresses are public IP addresses that are shared among a load-balanced cluster of servers. The primary node will receive traffic from the virtual IP address until the secondary node takes over.
- Scheduling algorithm: The scheduling algorithm is the code and metrics that determine which node is selected for processing each incoming request, for example, round robin.

An attacker came within close proximity of a victim and sent the mobile device user an unsolicited spam text message. Once the user clicked the link in the message, Trojan malware infected the user's device. What type of attack did the hacker most likely use against the mobile user?

Bluejacking: A Bluetooth-discoverable device is vulnerable to bluejacking, similar to spam, where someone sends an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for Trojan malware.

Which boot integrity concepts utilize the trusted platform module (TPM)? (Select all that apply.)

- Boot attestation: Boot attestation is the capability to transmit a boot log report signed by the TPM via a trusted process to a remote server, such as a network access control server.
- Measured boot: A trusted or measured boot process uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data have changed.

In a software as a service (SaaS) model, where the organization is responsible for the security and patching of the application and its components, which entity would be responsible for providing security services for the infrastructure?

CSP: The cloud service provider (CSP) would be responsible for the security of the infrastructure. A shared responsibility model includes both the CSP and the customer sharing security aspects of a cloud service model.

Where might one find operating system files during acquisition? (Select all that apply.)

- Cache: System caches are a place likely to contain operating system files. Some of these may be relevant to the investigation.
- Pagefile: Operating system files active during acquisition may be present in the pagefile or swap.
- Random-access memory (RAM): Operating system files active during acquisition may be present in RAM.

What does the process of carving refer to?

Carving: Data recovery refers to the analysis of a disk (or a disk image) for file fragments retained in slack space. These fragments may represent deleted or overwritten files.

Multiple private data sources ingest pictures to a machine learning tool on Google Cloud Platform to find specific species of butterflies. The pictures are tagged by creator names in the company before being loaded onto the various data source locations. What type of security solution can the IT team implement to prevent tainted training data from getting to the machine learning tool? (Select all that apply.)

- Check SOAR to check picture properties: Security orchestration, automation, and response (SOAR) and automated runbooks could effectively check saved pictures before they are ingested into the machine learning tool. This will prevent malicious data from being ingested.
- Keep ML algorithm a secret: Keeping the machine learning (ML) algorithm secret is security by obscurity. An adversarial attack can skew image data by tricking the ML tool into recognizing an image as something else if the algorithm is known.

A company leases access to resources from a service provider as agreed upon in a service level agreement. The company pays only for what is used on a monthly basis. Which of the following computing concepts is being used?

Cloud computing: In cloud computing, a company uses a cloud service provider to deliver computing resources. A cloud-based server utilizes virtual technology to host a company's applications offsite.

Which control types does a systems engineer implement when an initial locking mechanism does not perform as expected? (Select all that apply.)

- Compensating: A compensating control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection.
- Preventative: A preventative control acts to eliminate or reduce the likelihood that an attack can succeed. It operates before an attack can take place. An example of this control type is a lock.

A software developer enables a security feature commonly known as stack protection but does not execute the source code. Which of the following best describes what the developer is using?

Compiler: A compiler is a program that translates a high-level programming language into machine code that can later be executed many times against different data. A compiler does not execute source code.

The principle of consensus or social proof refers to techniques that cause many people to act just as others would without force. The attacker can use this instinct to persuade the target that to refuse a request would be odd.

Consensus: The principle of consensus or social proof refers to techniques that cause many people to act just as others would without force. The attacker can use this instinct to persuade the target that to refuse a request would be odd.

A program office provides a mock production environment where users and test agencies can persistently test application code as it is being checked in after development. This practice ensures the product meets user acceptance testing and design goals. Which Agile product does this most likely represent?

Continuous validation: Continuous validation is the process in which a product is continually tested throughout the development lifecycle to ensure it is meeting the functional and security goals of a customer.

Companies often update their website links to redirect users to new web pages that may feature a new promotion or to transition to a new web experience. How would an attacker take advantage of these common operations to lead users to fake versions of the website? (Select all that apply.)

- Craft phishing links in email: An attacker can craft a phishing link that might appear legitimate to a naïve user, such as: https://trusted.foo/login.php?url="https://tru5ted.foo".
- Add redirects to .htaccess files: The .htaccess file controls high-level configuration of a website. This file runs on an Apache server and can be edited to redirect users to other URLs.

The local operational network consists of physical electromechanical components controlling valves, motors, and electrical switches. All devices enterprise-wide trust each other in the internal network. Which of the following attacks could overwhelm the network by targeting vulnerabilities in the headers of specific application protocols?

DNS amplification attack: A Domain Name System (DNS) amplification attack is an application attack that targets vulnerabilities in the headers and payloads of specific application protocols. It triggers a short request for a long response at the victim network.

Server B requests a secure record exchange from Server A. Server A returns a package along with a public key that verifies the signature. What does this scenario demonstrate?

DNS Security Extensions: Domain Name System Security Extensions (DNSSEC) helps to mitigate against spoofing and poisoning attacks. The authoritative server for the zone creates a package of resource records, called an RRset, signed with a private key known as the zone signing key.

An application processes and transmits sensitive data containing personally identifiable information (PII). The development team uses secure coding techniques such as encryption, obfuscation, and code signing. Which of the following is the development team concerned with?

Data exposure: Sensitive data should be protected to prevent data exposure. Secure coding techniques such as encryption, code obfuscation, and code signing can prevent data from being exposed and modified.

Which de-identification method does an administrator use when choosing to replace the contents of a data field by redacting and substituting character strings?

Data masking: Data masking can mean that all or part of the contents of a field is redacted, by substituting all character strings with "x", for example.

An employee at a financial firm is responsible for ensuring that data is stored in accordance with applicable laws and regulations. What role does the employee have in terms of data governance?

Data steward: The data steward is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata, as well as ensuring the data is collected and stored in a format containing values that comply with applicable laws and regulations.

The IT team has purchased a few devices that are compatible with the Trusted Computing Group Security Subsystem Class called Opal. Which of these device specifications will take advantage of Opal's security features?

Disk encryption: The Opal security subsystem class is a set of specifications that defines a management interface for a host application to activate, provision, and manage encryption of user data on self-encrypting drives (SED).

Which type of certificate does Secure Multipart Internet Message Extensions (S/MIME) use to sign a message?

Email certificate: An email certificate signs and encrypts email messages, typically using Secure Multipart Internet Message Extensions (S/MIME) or Pretty Good Privacy (PGP). The user's email address must be entered as the common name (CN) or subject alternative name (SAN).

An unmanned aerial vehicle is equipped with a component to ensure position and movement sensors are aligned and relays information to a ground control. Which of the following computing devices does this best describe?

Embedded system: An embedded system is a combination of hardware and software that contains a dedicated function and uses a computer component to complete the function.

A lack of which of the following measures of disorder can leave a cryptosystem vulnerable and unable to encrypt data securely?

Entropy: Entropy is a measure of cryptographic unpredictability. Using high-entropy sources of data provides more security than using low-entropy sources. A lack of good entropy can leave a system vulnerable.

A website uses a code generator for access to the site. Once a user enters their username, a one-time 30-second code is generated and provided through a stand-alone app. The user must enter the unique code to gain access. This is an example of which of the following cryptography methods?

Ephemeral: An ephemeral key is an asymmetric cryptographic key that is generated for each individual execution of a key establishment process. The shared secret that the client token and authentication server share is combined with a counter to create a one-time password when the user wants to authenticate.

A software developer created a new application, and the software company pressured the developer to release it to the public. Which of the following helps ensure the application is secure before the release? (Select all that apply.)

- Error handling: Some of the challenges of application development include the pressure to release a solution ahead of schedule, as well as neglecting secure development practices, such as error handling.
- Input validation: Input validation is another secure development practice that a software developer should not neglect.
- Proper authentication and authorization: Proper authentication and authorization are an important part of performing secure coding practices.

Security admins are evaluating Windows server vulnerabilities related to Dynamic Link Library (DLL) injections. Modern applications are running on these Windows servers. How would an attacker exploit these vulnerabilities? (Select all that apply.)

- Evade detection through code refactoring: The malware must evade detection by anti-virus to be successful. This can be done through code refactoring, which means the code performs the same function by using different methods, such as changing its signature.
- Use malware with administrator privilege: Dynamic Link Library (DLL) injection is deployed with malware that is already operating on the system with local administrator or system privileges.

Users in a company complain that they cannot reach internal servers when using WiFi. IT discovers that the SSID of the broadcasted network is similar to the company's but is not legitimate. IT plans on searching the network to remove which disruptive technologies? (Select all that apply.)

- Evil twin: A rogue WAP masquerading as a legitimate one is called an evil twin. An evil twin might just have a similar name (SSID) to the legitimate one.
- Rogue access point: A rogue access point is one that has been installed on the network without authorization, whether with malicious intent or not.

A security administrator notices port scanning from an unknown entity on the company infrastructure. The administrator sets up a router to return erroneous information in order to protect the system from breach or attack. What is the router providing in response to the scan?

Fake telemetry: Fake telemetry is false, but realistic, data used to trick an attacker into believing it is legitimate information.

Utilities, such as IPFix and Netflow, export a file based on collected IP traffic flow metadata. What is the name of this exported file?

Flow record: Flow analyzers, such as IPFix and Netflow, generate flow records as a history of traffic flow, including timestamps and IP addresses.

When a user uploads a picture to a photo website, the site automatically places the photo on its interactive world map. How is it possible that the website can read the location of the uploaded picture? (Select all that apply.)

- GPS tagging: GPS tagging is the process of adding geographical identification metadata, such as the latitude and longitude of where the device was located at the time, to media, such as photographs, SMS messages, video, and so on.
- Geolocation: Geolocation is the use of network attributes to identify (or estimate) the physical position of a device.

A datacenter requires an instantaneous failover power solution. Which of the following is the least likely solution for the datacenter?

Generator: A generator is a device that converts mechanical energy into electrical energy for use in a peripheral circuit. Generators are an expensive option for power failover and do not immediately provide power.

A military organization is evaluating its disaster recovery plan (DRP) to assess risk and, in particular, identify any single points of failure. Suggest an initial action for the organization's evaluation.

Identify critical systems and mission-essential functions: Identifying critical systems and mission-essential functions is often the first step of the risk management process, and will reveal any potential single points of failure.

When implementing a native-cloud firewall, which layer of the Open Systems Interconnection (OSI) model will require the most processing capacity to filter traffic based on content?

Layer 7: At layer 7, or the application layer of the OSI model, the firewall can parse application protocol headers and payloads (such as HTTP packets) and make filtering decisions based on their contents. This requires the most processing capacity (or load balancing), or the firewall will become a bottleneck causing network latency.

The ARP cache stores what kind of information about recent connections?

MAC addresses: The ARP cache displays the MAC address of the interface corresponding with each IP address recently communicated with by the local host. This can be useful for identifying Man-in-the-Middle or other spoofing attacks.

An engineer configures a security control that oversees and monitors other controls for effectiveness. Which category of control does the engineer utilize?

Managerial: A managerial control gives oversight of an information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.

Mobile Android operating system (OS) encryption software might allow encryption of which of the following?

MicroSD: Micro Secure Digital (MicroSD) is an external media device supported by many Android devices. Built-in and third-party encryption applications on the mobile OS may encrypt these types of removable storage.

A network administrator is installing a device that uses redundant array of inexpensive disks (RAID) technologies for redundancy and provides employees remote access so that files can be accessed anywhere. The device does not require licensing and stores data at the file level. Which device is the administrator likely installing in the infrastructure?

NAS: Network-attached storage (NAS) is a file-level data storage server attached to a network that provides data access to a common group of clients. NAS is a single storage device that serves files over Ethernet. NAS can be accessed remotely and uses RAID technologies to protect against hard drive failure.

What protocol alters public IP addresses to private IP addresses and vice versa, in an attempt to protect internal computers from the Internet?

NAT: Network addressing protocol (NAT) translates public IP addresses to private and vice versa. By using the NAT protocol on the firewall, a company can hide assets from the public Internet.

Which of the following will reduce the risk of data exposure between containers on a cloud platform? (Select all that apply.)

- Namespaces: In a container engine such as Docker, each container is isolated from others through separate namespaces. Namespaces prevent one container from reading or writing processes in another.
- Control groups: Control groups ensure that one container cannot overwhelm others in a DoS-type attack. Namespaces and control groups reduce the risk of data exposure between containers.

Which of the following are examples of weak patch management for operating systems and device firmware in a classified network? (Select all that apply.)

- Non-centralized deployment: A non-centralized deployment process makes patch management difficult. For example, Microsoft Endpoint Configuration Manager can schedule, monitor, and auto-deploy patches to Windows systems and applications.
- Undocumented processes: An undocumented process makes it difficult to maintain a consistent workflow for patch management in a closed or classified network. Personnel should know how to download patches from the Internet and upload them to the closed network.

After a year of vulnerability scans, a security engineer realized that there were zero false positive cases. The application logs showed no issues with the scanning tool and reports. What type of scanning tool or configuration would result in zero false positives being reported? (Select all that apply.)

- Non-credentialed scan: A non-credentialed scan is one that proceeds by directing test packets at a host without being able to log on to the operating system (OS) or application. Fewer vulnerabilities are detected, resulting in fewer false positives.
- Non-intrusive tool: A non-intrusive or passive scanning tool analyzes indirect evidence, such as the types of traffic generated by a device. Fewer vulnerabilities are detected, resulting in fewer false positives.

An aviation tracking system maintains flight records for equipment and personnel. The system is a critical command and control system that must maintain an availability rate of 99% for key parameter performance. The cloud service provider (CSP) guarantees a failover to multiple zones if an outage occurs. In addition to the multi-zonal cloud failover, what other backup solution could the system invest in to maintain data locally?

Offline: An offline backup solution would be a good implementation to safeguard the system's data and have it readily available to access in the event of an outage.

Which of the following is TRUE about a certificate authority (CA) in a hierarchical model as opposed to a single CA model? (Select all that apply.)

- Offline CA is a best practice: Powering off the root certificate authority (CA) in a hierarchical public key infrastructure (PKI) model is a security best practice. The root CA is a high security risk and has the potential to compromise all subordinate certificates if not powered off.
- Intermediate CA issues certificates: The intermediate CA in a hierarchical PKI creates and issues certificates to users. Intermediate CAs can balance their work based on areas of responsibility.

An administrator goes through regular tasks every morning at the office to quickly gather health metrics of the network and associated systems. The admin connects to a Windows jump server using secure shell (SSH) to run health scripts, which output the data to a .xls file on a local shared folder accessible to all employees. The most recent run of the health script failed immediately without any indication of the issue. If an Information System Security Officer (ISSO) examined these morning tasks, what would be considered a weak configuration? (Select all that apply.)

- Open permissions: Open permissions can allow anyone on the network access to files and services. Although the file share is available to internal employees, only administrators should be reviewing gathered health information.
- Default settings: Default settings are usually unsecure settings that leave the environment and data open to compromise. A shared folder that provides access to everyone on the internal network is an example of a default setting when shared folders are created.

An organization remodels an office which results in the need for higher security during construction. Placing a security guard by the data center utilizes which control types? (Select all that apply.)

- Operational: An operational control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls.
- Preventative: A preventative control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place.

The company's current network utilizes EAP-TTLS (EAP-Tunneled TLS) for supplicant clients connecting to the network. Newer model devices and systems are deployed on the network and are not compatible with EAP-TTLS. These systems require MS-CHAPv2 for authentication. Which of the following options will support these new systems?

PEAP: PEAP uses MSCHAPv2 in PEAPv0 (also known as EAP-MSCHAPv2). Where required, another iteration called PEAPv2 (also known as EAP-GTC), which is a Cisco implementation, can be used.

Evaluate the properties and determine which describes the role of a gateway in an edge computing environment.

Performs some pre-processing of data to enable prioritization: Edge gateways perform some pre-processing of data to and from edge devices to enable prioritization. They also provide the wired or wireless connectivity to transfer data to and from the storage and processing networks.

An application user receives an automated message after an attempt to log in to a company application to verify activity. Which form of two-factor authentication is this?

Phone call: A phone call is a form of two-factor authentication (2FA). An automated service dials the registered number on file to confirm authentication of a user.

The IT team manages multiple root accounts on a spreadsheet that provides access to virtual hosts. Although only administrators have access to the share location where the spreadsheet exists, management would like to add auditing measures to these accounts. Which solution will support the requirement?

Privilege access management: Enterprise privilege access management products provide a solution for storing high-risk credentials in a vault rather than a spreadsheet, and for auditing elevated privileges generally.

IT management wants to make it easier for users to request certificates for their devices and web services. The company has multiple intermediate certificate authorities spread out to support multiple geographic locations. In a full chain of trust, which entity would be able to handle processing certificate requests and verifying requester identity?

RA: A Registration Authority (RA) is a function of certificate enrollment, and its services would be combined with a Certificate Authority (CA) in a single CA hierarchy. An RA is responsible for validating and submitting a request on behalf of end users.

A connection cannot be established during a network connection test of a newly deployed WAP (Wireless Access Point) in WPA2 Enterprise (Wi-Fi Protected Access) mode. After checking the wireless controller, the 802.1x option was selected, but another configuration setting did not save. Apply knowledge of the network connection process to determine which of the following did not save.

RADIUS server settings: A RADIUS (Remote Access Dial-in User Server) is required to complete the 802.1x setup. The wireless controller connects to the RADIUS server with a shared secret key, then credentials can be properly authenticated.

An attacker evaded antivirus detection in a Linux kernel, as multiple threads attempted to write an object at the same memory location. What type of vulnerability did the attacker use?

Race condition: A race condition vulnerability occurs when multiple threads are attempting to write at the same memory location. Race conditions can deploy as an anti-virus evasion technique.

A capability delivery manager adds a configuration management plan, a failover plan, and a risk assessment to a program's documentation inventory. Which of the following best describes what controls the manager is addressing?

Response and recovery: Response and recovery controls are a variety of policies, procedures, and resources defined to guide an entity in responding to an outage/disaster and the steps taken to recover from an outage/disaster.

A global corporation assesses risk appetite and how risks in various regions could influence mission-critical operations. They are assessing compliance with local laws and licensing requirements to prevent financial risk or resolve security risks, and changing the risk posture and implementing risk controls to compensate. Conclude what type of assessment the team is performing.

Risk control assessment: Risk and control self-assessment (RCSA) is the method by which companies evaluate and analyze the operational risks and the efficacy of the controls used to manage them.

After reading an article online, a business stakeholder is concerned about a risk associated with Denial of Service (DoS) attacks. The stakeholder requests information about what countermeasures would be taken during an attack. Where would the security analyst look to find this information?

Risk register: The risk register shows the results of risk assessments in a comprehensible document format. Information in the register includes impact, likelihood ratings, date of identification, description, countermeasures, owner/route for escalation, and status.

A company requires a means of managing storage centrally and the ability to share the storage with multiple hosts where users can access data quickly and with little to no latency. Which of the following storage architectures would best meet the company's needs?

SAN: A storage area network (SAN) solution provides access to block-level data storage that can be accessed by multiple users. A SAN offers flexibility, availability, and performance to consumers.

A company wants to implement a control model that dictates access based on attributes. The company would like to reconfigure the network by making changes from executable files instead of physically reconfiguring. Which of the following should the company implement?

SDN: A software-defined network (SDN) separates the data and control planes in a network. It uses attribute-based access control (ABAC) that identifies subjects and objects within a policy.

An employee can conduct meetings using a corporate-owned, personally enabled (COPE) mobile device while on a company-related work trip. The service for the device is provided by Verizon Wireless. What component of the device authenticates the device to the provider?

SIM A subscriber identity module (SIM) card is used to identify and authenticate subscribers on mobile and cellular devices. The SIM is issued by a cellular provider with roaming to allow use of other suppliers' tower relays.

A network uses a framework for management and monitoring that uses the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES), which encrypt the contents of traps and query responses. Analyze the types of protocols available for management and monitoring, then deduce the protocol utilized.

SNMPv3 Simple Network Management Protocol (SNMP) v3 supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions.

Finance representatives at an organization meet professional standards by providing reports that are highly detailed and designed to be restricted. As members of the American Institute of Certified Public Accountants (AICPA), which standards do the finance representatives follow?

SSAE SOC 2 Type II A Service Organization Control (SOC2) Type II report assesses the ongoing effectiveness of the security architecture over a period of 6-12 months. SOC2 reports are highly detailed and designed to be restricted.

A financial institution uses File Transfer Protocol Secure (FTPS) to transmit personally identifiable information (PII) to a receiving institution. Which encryption method would best be suitable for protecting the confidentiality of the information in transit?

SSL/TLS Secure Sockets Layer/Transport Layer Security (SSL/TLS) uses certificates issued by certificate authorities (CAs) to encrypt data in transit. This encryption provides confidentiality of data.

Outline possible tools or methods the team can use to acquire a disk image from a system. (Select all that apply.)

Save disk with FTK Imager FTK Imager is a data imaging tool that quickly assesses electronic evidence to determine if it requires further analysis. The FTK Imager can save an image of a hard disk in one file or in segments, to reconstruct later if needed. Copy disk with dd command The dd command can copy an entire disk as an image to a USB thumb drive. The team can then analyze the image in a sandbox environment. Create snapshots of all volumes It is possible to create snapshots of the compromised volumes, and in some cases, it can boot a virtual machine, as a full disk image can. This may not be the most efficient method, however.

Select viable methods of investigation in the case of authentication attacks. (Select all that apply.)

Search application logs for use of unauthorized applications. Even though investigating every security and network log manually would take forever, by comparing irregularities in authentication logs (such as incomplete authentication), investigators can correlate corresponding entries. Use a SIEM dashboard to identify suspicious trends in user traffic. Security Information and Event Management (SIEM) software can often visualize log information to identify trends. Compare authentication logs with security and network logs. If an intruder is utilizing an application within the network, such as Remote Desktop, the application logs may provide the evidence.

A company desires a basic protocol for email. The owner requested that a local system store and manage email for each user. Compare the various mail protocols and recommend the best solution for the company.

Secure Post Office Protocol v3 Secure Post Office Protocol v3 (POP3) is a mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient's email client at their convenience.

Routine analysis of technical security controls at an organization prompts a need for change. One such change is the addition of Network Intrusion Detection System (NIDS) technology. A firewall that supports this function is on order. Considering how the organization will implement NIDS, what other technology completes the solution?

Sensors Sensors gather information to determine if the data being passed is malicious or not. The internet-facing sensor will see all traffic and determine its intent. The sensor behind the firewall will only see filtered traffic. The sensors send findings to the NIDS console.

List methods of containment based on the concept of segmentation. (Select all that apply.)

Sinkhole Sinkhole routing means that suspicious traffic flooding a specific IP address is routed to another network for analysis. Sinkhole routing is a form of segmentation because it maintains the connection to other networks. Honeynet A honeynet is a segmented network composed entirely of honeypots. A honeypot is a decoy node intended to draw the attention of threat actors, to trick them into revealing their presence and potentially more information.

An organization configures virtual network appliances as part of an infrastructure as code (IaC) deployment. What approach handles the near real-time collection, aggregation, and reporting of data of the implementation?

Software-defined visibility (SDV) Software-defined visibility (SDV) supports assessment and incident response functions. Visibility is the near real-time collection, aggregation, and reporting of data about network traffic.

A cloud customer prefers separating storage resources that hold different sets of data in virtual private clouds (VPCs). One of those data sets must comply with the Health Insurance Portability and Accountability Act (HIPAA) guidelines for patient data. How should the customer configure these VPCs to ensure the highest degree of network security?

Split segments between VPCs Network segmentation can assist with separating workloads for performance and load balancing, keeping data processing within an isolated segment for compliance with laws and regulations and compartmentalizing data access and processing for different departments or functional requirements.

Which of the following practices would help mitigate the oversight of applying coding techniques that will secure the code of an internal application for a company?

Static code analysis Static code analysis is the manual review of code to identify oversights, mistaken assumptions, or a lack of knowledge or experience. This may ensure security or improve the code depending on who is peer-reviewing it.

A stratum 2 time server obtains routinely updated time to ensure accuracy. Evaluate the Network Time Protocol (NTP) and conclude which device provided the updates.

Stratum 1 A stratum 2 server obtains the time from a stratum 1 server. The higher-level (lower-stratum) server always supplies the time to the stratum below it.

A system engineer is researching backup solutions that are inexpensive and can store large amounts of data offline. The backup solution must be portable and maintainable for a certain length of time defined in the company's backup recovery plan. Which of the following is the best backup solution?

Tapes A tape backup solution is the storing of data on a magnetic tape. It is less expensive than most backup solutions. When stored properly, tape can last longer and is small and portable.

A company uses a DevSecOps approach for developing and maintaining software. In one environment, developers complete penetration and vulnerability scanning to ensure the system is free of bugs and coding errors early on. Which of the following best describes this environment?

Test A test environment does not fully simulate a production environment. The test environment allows for vulnerability scanning, penetration testing, and functional user testing before being deployed to the staging environment.

What are the main features that differentiate the Test Access Point (TAP) from a Switched Port Analyzer (SPAN)? (Select all that apply.)

Test Access Point (TAP) is a separate hardware device. A test access point (TAP) is a hardware device that copies signals from the physical layer and the data link layer, while SPAN (switched port analyzer) simply mirrors ports. Test Access Point (TAP) Since no network or transport logic is used with a test access point (TAP), every frame is received, allowing reliable packet monitoring.

A network tech is installing an intrusion detection system (IDS) on a corporate network. The system is intended to be a long-term monitoring solution and would ideally split or copy network signals on the physical layer to avoid frame loss. Anticipate the type of sensor the tech will install in conjunction with the IDS.

Test access point (TAP) A test access point (TAP) is a device that copies signals from the physical layer and the data link layer. Since no network or transport logic is used, every frame is received, allowing reliable packet monitoring.

Analyze the active defense solution statements and determine which best describes the purpose of a honeyfile.

The attempts to reuse can be traced if the threat actor successfully exfiltrates it. A honeyfile is convincingly useful but actually fake data. This data can be made trackable, so that when a threat actor successfully exfiltrates it, the attempts to reuse or exploit it can be traced.

A user cannot install an app from Google Play, referred to by a colleague. The user downloads the .apk file from a website and successfully installs the app. This process is known as sideloading. What are valid security concerns for installing software on a mobile device from a website rather than an app store? (Select all that apply.)

The website may have an outdated version. Official applications from companies are offered through app stores like Google Play and are usually scanned for malicious code. Installing an application by any other means carries the risk of installing compromised software. The .apk file may be malicious software An older version of an app installed from a downloaded .apk file may run outdated code and use older methods of secure communication. Google Play offers the latest versions provided by companies.

Auditing SIP (Session Initiation Protocol)-based VoIP logs can reveal evidence of Man-in-the-Middle attacks. When handling requests, what do the call manager and any intermediate servers add to the SIP log file?

Their own IP address When managing requests, the call manager and all other intermediate servers add their IP address via the log header. The logs will show details of any Man-in-the-Middle attacks in which an unauthorized proxy intercepts data.

Which of the following is a computer that uses remote desktop protocol to run resources stored on a central server instead of a localized hard drive and provides minimal operating system services?

Thin client A thin client is a computer that runs from resources stored on a central server instead of a localized hard drive. Thin clients work by connecting remotely to a central server-based computing environment where all resources and data are stored.

A network administrator needs a service to easily manage Virtual Private Cloud (VPC) and edge connections. The service must have a central console for ease of monitoring all components. Which of the following is the best solution for the administrator to use in a cloud computing environment?

Transit gateway A transit gateway is a cloud network hub that allows users to interconnect virtual private clouds (VPC) and on-premises networks through a central console.

Investigators perform analysis on a breached system. When looking at data timestamps, what should be noted about any time offset? (Select all that apply.)

UTC Time Local time is the time within a particular time zone, which is offset from UTC by several hours. NTFS uses UTC "internally." It is vital to establish how a timestamp is calculated and note the offset. Daylight savings time The local time offset on a system may vary if daylight savings time is in place. Investigators must note the offset between the local system time and UTC.

Give three examples of improper or weak application patch management.

Unmanaged assets Unmanaged assets make it difficult for admins to properly patch all systems with the applicable software. No documentation Improper or no documentation may result in a confused deployment process. It can also result in an inconsistent deployment that could leave some applications insecure without a patch. Performance degradation Patches that have not been thoroughly tested before deployment can result in performance degradation, forcing the removal of these patches and affecting the network with another maintenance window.

A threat actor logs in to a website as a free user and submits a request for a file. The request references the parent directory of the web server. This injection attack is successful by using a canonicalization attack to disguise the nature of the malicious input. How was the threat actor able to retrieve the file?

Using a directory traversal attack. A directory traversal attack is an injection attack that uses specific code to request information from a web server's root directory by submitting the directory path.

Evaluate and select the differences between WPA and WPA2. (Select all that apply.)

WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 "patched" with the Temporal Key Integrity Protocol (TKIP). WPA2 requires entering a longer password than WPA.

A brute-force attack compromises a server in a company's data center. Security experts investigate the attack type and discover which vulnerability on the server?

Weak encryption Weak encryption vulnerabilities allow unauthorized access to data. An algorithm used for encryption may have known weaknesses that allow brute-force enumeration.

Which wireless configuration provides the most up-to-date and secure way of connecting wireless devices to an office or home network? (Select all that apply.)

Wi-Fi Protected Access 3 (WPA3) Wi-Fi Protected Access 3 (WPA3) is the most up-to-date wireless specification that provides security features and mechanisms that improve the weaknesses of WPA2. SAE Simultaneous Authentication of Equals (SAE) is a feature of WPA3. It replaces WPA's 4-way handshake authentication and association mechanism with a protocol based on the Diffie-Hellman key agreement.

A cloud service provider (CSP) offers email capability, remote desktop access, and virtual class software to its consumers. Which cloud service model does this best represent?

XaaS Anything as a Service (XaaS) is a cloud model that offers a multitude of services over the internet. These can include, but are not limited to, remote desktop protocol (RDP), email services, and pre-configured software. XaaS is a mix and match of cloud services.

A consumer uses a Samsung SmartThings coordinator to turn on lights in the home and start the dishwasher. Which communications protocol is the hub using?

Zigbee Zigbee is a two-way wireless radio frequency communication between a sensor and a control system. It is an Institute of Electrical and Electronics Engineers (IEEE) 802.15.4-based specification for communication protocols and is used for home automation.

An organization moves its data to the cloud. Engineers use regional replication to protect data. Review the descriptions and conclude which apply to this configuration. (Select all that apply.)

Zone-redundant storage. Regional replication (also called zone-redundant storage) replicates data across multiple data centers within one or two regions. Available access if a single data center is destroyed. Regional replication safeguards data and access in the event a single data center is destroyed or goes offline.

A support technician wants to test a system's connectivity by examining TCP and UDP ports. If the technician requires the ability to test both Linux and Windows systems, which tools qualify? (Select all that apply.)

netstat The netstat command is useful in showing the state of TCP/UDP ports on a system. The same command is used on both Windows and Linux, though with different options for syntax. netcat Netcat is a simple but effective tool for testing connectivity. It is available for both Windows and Linux. Netcat can be used for port scanning and fingerprinting. nmap The Nmap Security Scanner is one of the most popular open-source IP scanners. Nmap can use diverse methods of host and port discovery, some of which can operate stealthily.

Select the tools that do any form of network scanning, such as port scanning, IP scanning, etc. (Select all that apply.)

nmap Nmap is a versatile tool, allowing users to perform various types of network scans. The packet-sniffing library Npcap can be added to Nmap to provide packet sniffing and injection capability. netcat The nc (or Netcat) command reads and writes data across network connections. Netcat can be used for things such as port scanning and fingerprinting. ping Ping can execute a sweep of all the IP addresses in a subnet with just a short script.

Select the tools with which an attacker can identify misconfigured DNS servers with which a zone transfer can be performed, compromising the records of all hosts in a domain. (Select all that apply.)

nslookup/dig Querying name records for a given domain using a particular DNS resolver under Windows can be done with nslookup. dig An attacker may test a network using dig on Linux systems to find out if the DNS service is misconfigured.

An Information Security Manager working for an ISP has discovered that an attacker has poisoned the DNS server cache by spamming it with recursive queries. Predict what tools the manager might use to discover whether the attacker has inserted any false records. (Select all that apply.)

nslookup/dig The nslookup (or dig tool in Linux) can query the name records and cached records held by a server to discover whether an attacker has inserted any false records. dnsenum dnsenum packages a number of tests into a single query, as well as hosting information and name records. dnsenum can try to work out the IP address ranges that are in use.

Identify which tools would be used to identify suspicious network activity. (Select all that apply.)

tcpdump tcpdump is a command-line packet capture utility for Linux. The utility will display captured packets until halted manually, and it can save frames to a .pcap file. This tool commonly uses filter expressions to reduce the number of frames captured, such as Type, Direction, or Protocol. Wireshark Wireshark is a graphical application that can capture all types of traffic by sniffing the network, and save that data to a .pcap file. tcpreplay tcpreplay is a command-line utility for Linux that can replay data from a .pcap file, for example, to analyze traffic patterns and data.
