SEC+ Total Seminar


Which of the following are block ciphers? (Choose two.) A. AES B. Blowfish C. RC4 D. A5

A and B are correct. AES (Advanced Encryption Standard) and Blowfish are block ciphers, which encrypt data in blocks at a time versus bits or bytes at a time. C and D are incorrect. RC4 and A5 are stream ciphers.

What can be done to prevent on-path attacks? A. Authentication B. Availability C. Authorization D. Fault tolerance

A is correct. Because an attacker computer sits between two conversing hosts, authenticating the two conversing computers to each other will prevent man-in-the-middle attacks. For example, authentication may require that each host prove its identity via a trusted PKI certificate. B is incorrect. Availability ensures a resource is always available. C is incorrect. Authorization verifies that an entity has access to a resource. D is incorrect. Fault tolerance removes single points of failure.

How can cross-site request forgery be mitigated? (Choose two.) A. Disable JavaScript in the web browser. B. Do not allow web applications to save credentials. C. Developers can validate user input on web forms. D. Web server administrators can enable TLS.

A and B are correct. Cross-site request forgery attacks often use a client-side scripting language such as JavaScript to execute code, which then sends data to a trusting web site without the user knowing. Disabling JavaScript reduces this likelihood; however, some web sites may not function properly as a result. Web sites that allow user credentials to be saved enable attackers to exploit the trust a web site has for an authenticated user at any time. C is incorrect. Validating input on web forms can prevent cross-site scripting and SQL injection attacks, but not cross-site request forgeries. D is incorrect. Enabling TLS on a web site encrypts traffic between the web browser and the web server. Cross-site request forgeries exploit user connections to trusted servers, which normally use TLS. TLS does nothing to prevent cross-site request forgeries.

Your boss asks you to calculate the ALE value related to database server downtime. Which two numeric values do you need? A. Annual rate of occurrence B. Return on investment C. Single loss expectancy D. Total cost of ownership

A and C are correct. ALE (annual loss expectancy) is used for quantitative risk analysis to assign a cost to a probable risk. The ARO (annual rate of occurrence) is a derived figure multiplied by the SLE (single loss expectancy) dollar value, resulting in the ALE. The ALE is then used to budget funds for dealing with the risk. B is incorrect. The return on investment (ROI) determines the benefits of an asset over time compared to resources invested. D is incorrect. The total cost of ownership (TCO) focuses only on costs related to assets and related expenses over time, not the benefits derived from the use of those assets.

In the near future your company will be using a PKI for IT systems and for building access. As the IT security director, you must decide where user PKI information will be stored. Which two storage options from the following list are valid? A. File B. USB mouse C. Smart card D. TPM

A and C are correct. User PKI information, potentially including the private key, could be stored in a password-protected file or written to the chip in a smart card using the proper hardware. B is incorrect. USB mice cannot store data, although the use of wireless keyboards and mice should be limited to increase security. D is incorrect. TPM chips store keys for encrypting hard disks, not PKI user information, which can be conveniently carried with the user to enable access to a building, for example.

Which situation describes how a company can install a virtual machine on a bare metal virtual platform? A type 1 hypervisor is installed directly onto a host machine and manages access to the host hardware directly. An office has all desktop computers replaced with low specification and low power thin client computers that boot a minimal operating system. The client accesses an application hosted on a server or streams the application from the server to the client for local processing. A client enforces resource separation at the operating system level without a hypervisor.

A bare metal virtual platform means that a type 1 hypervisor is installed directly onto a host machine and manages access to the host hardware directly without going through a host operating system (OS) like Windows Server. Virtual Desktop Infrastructure (VDI) is achieved by replacing desktop computers with low specification and low power thin client computers. Application virtualization is a more limited type of VDI. Rather than run the whole client desktop as a virtual platform, the client accesses an application hosted on a server or streams the application from the server to the client for local processing. An application cell dispenses with the idea of a hypervisor, and instead enforces resource separation at the operating system level.

A network administrator needs to implement a firewall between nodes on the same subnet, without reconfiguring subnets and reassigning IP addresses across the network. Considering firewall configurations, which implementation is the best choice? Routed firewall Router firewall Transparent firewall Virtual firewall

A bridged or transparent firewall inspects traffic passing between two nodes, such as a router and a switch. It typically deploys without having to reconfigure subnets and reassign IP addresses on other devices. A routed firewall appliance forwards between subnets. Each interface on the firewall connects to a different subnet and represents a different security zone. A router firewall or firewall router appliance implements filtering functionality as part of the router firmware, with a firewall as a secondary feature. Virtual firewalls often enact east-west security and zero-trust microsegmentation design paradigms. Virtual firewalls can inspect traffic as it passes from host-to-host or between virtual networks, rather than requiring that traffic be routed up to a firewall appliance and back.

Your manager asks you to identify the amount of time and personnel required to address a worm virus infection on the corporate WAN. You estimate it would take six technicians two days to remove the infection, at a total cost of $2800. Which type of analysis would this dollar figure best relate to? A. Business impact analysis B. Quantitative risk analysis C. ALE analysis D. ARO analysis

A is correct. A business impact analysis studies the impact (financial in this case) that an incident presents to a business. B is incorrect. Quantitative risk analysis uses ALE (annual loss expectancy) values to prioritize risks. The ALE is calculated by multiplying the ARO by the SLE value. The $2,800 is an SLE value, but the scenario does not offer an ARO value; thus, B is incorrect. C and D are incorrect because there is no such thing as an ALE or ARO analysis; they are used to perform a risk analysis.

A junior developer creates a custom database application. During testing, she discovers that unexpected conditions cause her application to crash. What did she forget to implement? A. Error trapping B. Function parameters C. Input validation D. Variable declarations

A is correct. Application developers employ error trapping to capture unanticipated behaviors to prevent the application from crashing. B, C, and D are incorrect. Error trapping would capture the incorrect use of all listed items: function parameters, input validation, or problems with variable declarations.

An organic food retail chain is adding six new stores within the next month. Each retail store outlet will accept cash, debit, and credit card payments. To satisfy the board of directors, the IT staff is asked to provide a solution that will ensure data transfers to unauthorized locations can be monitored and/or blocked. What kind of solutions should the IT staff investigate? A. DLP B. HSM C. ARP D. TLS

A is correct. Data loss prevention (DLP) ensures that private data stays private. This can be done with deep packet inspection of data such as e-mail messages and attachments leaving an intranet or entering or leaving the cloud, data copied to media, data sent to printers, and so on. B is incorrect. HSMs perform cryptographic duties, thus eliminating the need for a host computer to perform these duties. While this can protect data, it is not as all-encompassing a solution as DLP. C is incorrect. ARP is a TCP/IP protocol that often uses broadcasts to resolve IP addresses such as 192.168.1.1 to hardware MAC addresses such as 00-24-D6-9B-08-8C. SSL is an application-specific network encryption solution, but it does nothing for data at rest (stored files). D is incorrect. TLS is a network security protocol commonly used to secure web application connections using HTTPS.

A technician has captured network traffic using a protocol analyzer on her station. When she views the captured packets, she sees only her own TCP and UDP transmissions despite the fact that she knows there are other active stations on the same network. Other technicians in her office experience the same packet-capturing results when capturing from their stations (they see only their own TCP and UDP traffic). What is the most likely cause of the problem? A. The technician was plugged into a switch. B. The technician was plugged into a hub. C. The technician enabled a TCP traffic filter. D. The technician enabled a UDP traffic filter.

A is correct. Each switch port is a collision domain, which means protocol analyzers will see only traffic sent from or going to the machine plugged into that switch port. B is incorrect. Being plugged into a hub would have enabled the packet capture to include all traffic for all stations plugged into the hub. C and D are incorrect. TCP or UDP filters are not as likely the problem, because all technicians experienced the same result on the same network when capturing network traffic.

File hashing addresses which security concern? A. Integrity B. Encryption C. Confidentiality D. Authentication

A is correct. File hashing generates a value (message digest) that is unique to a file. Any change to the file will result in a different message digest. The message digest can be used to determine if files have changed. B is incorrect. Encryption addresses the confidentiality security concern. C is incorrect. Confidentiality is addressed by encryption. D is incorrect. Authentication requires proof of identity.

Which type of SOC report focuses on the efficacy of security controls required to meet trust principles? A. SOC 2 Type 1 B. SOC 2 Type 2 C. SOC 2 Type 3 D. SOC 2 Type 4

A is correct. SOC 2 Type 1 documents IT systems and business processes to ensure compliance with security trust requirements. B is incorrect. SOC 2 Type 2 documents the operation efficacy of IT systems within a specified time frame. C and D are incorrect. Both of these are invalid SOC 2 report types.

There are a variety of methods for indicating a potential security breach during the identification and detection phase of incident response. Two examples are Intrusion Detection System (IDS) alerts and firewall alerts. Evaluate the following evidence and select the alternate methods that would be of most interest to the IT department during this phase. (Select all that apply.) A daily industry newsletter reports on a new vulnerability in the software version that runs on the company's server. An anonymous employee uses an "out of band" communication method to report a suspected insider threat. The marketing department contacts the IT department because they cannot post a company document to the company's social media account. An employee calls the help desk because the employee is working on a file and is unable to save it to a USB to work on at home.

A media report of a newly discovered vulnerability in the version of software that's currently running would be valuable information that should be addressed immediately. A whistleblower with information about a potential insider threat would be worthy of pursuit. "Out of band" is an authenticated communications channel separate from the company's primary channel. If the marketing department is trying to post a document that has been identified as confidential data, the IT department would not be concerned since the company's data loss prevention mechanisms are working. If an employee is trying to save a document that has been identified as confidential data to USB and it fails, the IT department would not be concerned since the company's data loss prevention mechanisms are working. 4.2

Which of the following key storage solutions exercises M-of-N control? Security administrators log and audit access to critical encryption keys. While four administrators have access to the system, it takes two administrators to access the system at any given time. A third party safely stores the encryption key. One administrator has access to the system, and that administrator can delegate access to two others.

Access to critical encryption keys is typically subject to M-of-N control, meaning that of N number of administrators permitted to access the system, M must be present to access the system. M must be greater than 1, and N must be greater than M. Administrators must log and audit access to critical keys, such as the private key of a root CA. In key management, escrow refers to archiving a key (or keys) with a third party. This helps some organizations store keys securely, but it invests a great deal of trust in the third party. In the hierarchical model, a single CA (called the root) issues certificates to several intermediate CAs, who issue certificates to subjects. 3.9

A company's IT department allows all team members to know passwords/credentials for shared accounts. Which statement best describes how this practice is problematic? This practice relies on a single point of failure. This practice breaks data integrity. This practice breaks non-repudiation. This practice fails to properly separate duties among users.

Administrators should replace the default superuser with named accounts that have sufficient elevated privileges for a given job role. This ensures that administrative activity can be audited and the system conforms to non-repudiation. Password changes to a shared account represent a risk. Passwords need to change often, and distributing new passwords to shared account users poses a challenge to password security. A shared account breaks the principle of non-repudiation and makes an accurate audit trail difficult to establish. Separation of duties is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. The company should divide duties and responsibilities among individuals to prevent ethical conflicts or abuse of powers. 3.7

Analyze the following scenarios and determine which one involves an external threat actor carrying out a direct attack. Naomi practices poor password management, and through her negligence, an outsider gains access to her company's server. Raul, a security contractor, installs antivirus software for a small company. He uses his temporary access to gain the company's banking information. Abram uses a quiz on a popular social media platform to solicit answers to online banking consumers' login security questions. Chelsea uses her coworker's unattended workstation to exploit her coworker's elevated account permissions.

An external actor may perpetrate an attack remotely or on-premises. The threat actor, rather than the attack method, is defined as external. An unintentional or inadvertent insider threat is a vector for an external actor or a separate, malicious internal actor to exploit, rather than a threat actor in its own right. An external actor has to break into the system without having any legitimate permission. An insider threat actor has some sort of access. A malicious insider is a current or former employee, contractor, or business partner with authorized access who exceeds permissions or misuses an organization's network, system, or data to negatively affect the organization's information or information systems.

Consider the Public Key Infrastructure (PKI) Trust Model. Which of the following best protects against compromise? Single CA Intermediate CA Self-signed CA Offline CA

An offline Certificate Authority (CA) is where the root CA has been disconnected from the network to protect it from compromise. Therefore, it is not a single point of failure. A single CA issues certificates to users, but is very exposed. If it is compromised, the whole PKI collapses. In a hierarchical model, the root CA issues certificates to several intermediate CAs, diluting risk. However, the root is still a single point of failure. A self-signed certificate is a type of digital certificate that is owned by the entity that signs it, which makes it a single CA, or root.

The Human Resources department works with the IT department at an organization to develop employee security training. Which security control type and function describes the training program? (Select all that apply.) Operational Managerial Deterrent Compensating

An operational control is implemented primarily by people rather than systems. For example, policies and training programs are operational controls. A deterrent psychologically discourages an attacker from attempting an intrusion. This includes insider threats. Training materials may contain warnings and descriptions of legal action as part of a systems use policy. A managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing for evaluation of other controls. A compensating control serves as a substitute for a principal control (when not available), as recommended by a security standard. 5.1

A security investigator compiles a report for an organization that lost data in a breach. Which ethical approach does the investigator apply while collecting data for the report? Search for relevant information Apply standard tags to files Disclosing of evidence Using repeatable methods

Analysis methods should follow strong ethical principles and must be repeatable by third parties with access to the same evidence. This can indicate that any evidence has not been changed or manipulated. Searching information through e-discovery allows investigators to locate files of interest to the case. As well as keyword search, software might support semantic search. Applying standardized keywords or tags to files and metadata helps to organize evidence. Tags might be used to indicate relevancy to a case or part of a case. Disclosure is an important part of trial procedure. Disclosure requires that the same evidence be made available to both plaintiff and defendant. 4.5

Which statement draws a true comparison between full, differential, and incremental backups? (Select all that apply.) A system can combine incremental and differential backup methods for faster restoration than using a full backup. If a system performs backups every day, an incremental backup includes only files changed that day, while a differential backup includes all files changed since the last full backup. Compared to a differential backup, both full backups and incremental backups clear the archive attribute. A differential backup combines elements of full and incremental backups and only includes data since the last incremental backup.

Assuming a system performs a backup every working day, an incremental backup only includes files changed during that day, while a differential backup includes all files changed since the last full backup. The archive attribute is set whenever a user modifies a file. This allows backup software to determine which files have changed and therefore need to be copied. Incremental and full backups clear the archive attribute, while differential backups do not. Do not combine differential and incremental backups. Use full backups interspersed with differential backups, or full backups interspersed with incremental backups. A differential backup takes a moderate amount of time to back up and restore, using two tape sets (full backup and differential backup) when restoration is required.

The public and private keys for user Moustapha are stored on a smart card. He encrypts and digitally signs files and e-mail messages using his smart card. Which keys are used to perform the secured actions? (Choose two.) A. The public key is used to create digital signatures. B. The public key is used to encrypt data. C. The private key is used to create digital signatures. D. The private key is used to encrypt data.

B and C are correct. Public keys of recipients are used to encrypt data, which is decrypted by the related private key. Private keys generate digital signatures, which can then be verified with the related public key. A is incorrect. Public keys do not create digital signatures; they verify them. D is incorrect. Private keys do not encrypt e-mail messages; they decrypt them.

Which of the following statements regarding TPM disk encryption are true? (Choose two.) A. Disk contents are protected while the system is running. B. Disk contents are not protected while the system is running. C. Disk contents are protected when the system is shut down. D. Disk contents are not protected when the system is shut down.

B and C are correct. A TPM is a firmware chip that stores the cryptographic key used to encrypt and decrypt disk volume contents. Once the disk content is decrypted (for fixed disks, this normally happens upon bootup and can be configured to require an entered PIN code), the disk contents are no longer protected. Disk data is protected when the system is shut down, which protects data in case disks are physically stolen and used in other computers. Windows EFS (Encrypting File System) protects encrypted files and folders whether the machine is running or not. A and D are incorrect. TPM disk encryption protects disk contents when the system is not running.

What benefit does elliptic-curve cryptography provide over RSA? A. Less security, larger key size B. Higher security, smaller key size C. Quicker calculation using larger key sizes D. Longer calculation using larger key sizes

B is correct. Elliptic-curve cryptography (ECC) can provide more security per bit. For example, a 1024-bit RSA key is the security equivalent of a 163-bit ECC key. A, C, and D are incorrect. ECC keys are more secure than bit-equivalent RSA keys due to the implementation of the algorithm. Fewer bits mean less calculation, which means quicker calculations without sacrificing security.

A lawyer for a dismissed employee notifies the IT department that for evidence admissibility reasons, the employee's laptop must be securely stored and all connectivity and modifications related to the machine must be strictly prohibited. Which term does this scenario most closely relate to? A. Order of volatility B. Legal hold C. Data sovereignty D. Chain of custody

B is correct. Legal hold is a preservation order sometimes issued during e-discovery to ensure that potential evidence is immutable, meaning that it cannot be modified. A is incorrect. The order of volatility describes the fragility of digital evidence and as a result the order in which it should be gathered. For example, acquiring the contents of a machine's RAM memory should be done before obtaining the data from its hard drive, because the RAM contents will be erased when the target machine is powered off. C is incorrect. Data sovereignty refers to applicable laws and regulations based on the physical location of digital data. D is incorrect. The chain of custody requires the gathering of potential evidence to be done legally while ensuring the secure documentation and storage of that evidence.

A network consists of Windows, macOS, and Linux workstations. All regular network users must authenticate to the same source before accessing network resources. Which network service provides this functionality? A. DNS B. LDAP C. DHCP D. SSH

B is correct. Lightweight Directory Access Protocol (LDAP) is a standard authentication data source using TCP port 389 for clear-text transmissions and TCP port 636 for encrypted transmissions. Common directory services such as Microsoft Active Directory and Sun ONE Directory Server are all LDAP-compliant. A is incorrect. DNS most commonly resolves names such as www.disney.com to the corresponding IP address. It is not related to authentication. C is incorrect. DHCP pushes IP configuration parameters to clients when they request it. D is incorrect. SSH enables administrators (and not regular users) to gain encrypted command line access to an SSH host.

What type of policy outlines how customer data is acquired, used, and stored? A. Acceptable use B. Privacy C. Secret D. Encryption

B is correct. Privacy policies outline how data is gathered, managed, and stored. Regional and industry laws may also influence privacy policies. A is incorrect. Acceptable use policies state how company assets and computer systems are to be properly used to conduct business. C and D are incorrect. Secrecy and encryption policies are not industry-standard terms, although they may be defined within a policy.

Your server hard disks are configured with RAID 1. To which security principle does this apply? A. Least privilege B. Availability C. Confidentiality D. Authentication

B is correct. RAID (Redundant Array of Inexpensive Disks) level 1 mirrors data written on one disk to a second disk. In the event of a single disk failure, the other disk is available with up-to-date data, thus making the data highly available. A is incorrect. Least privilege grants only rights needed to perform a task. C is incorrect. Confidentiality ensures that only authorized parties can access data. D is incorrect. Authentication involves proving one's identity.

You are analyzing captured network traffic and notice SIP traffic. What type of activity results in SIP traffic? A. Port scanning B. Voice over IP C. Router table sharing D. Connecting to an HTTPS web server

B is correct. The Session Initiation Protocol (SIP) is used to establish and maintain network sessions related to voice and video, such as with VoIP. A, C, and D are incorrect. None of these activities would result in SIP traffic.

Which key is used when you send an encrypted e-mail message? A. Your public key B. Recipient's public key C. Your private key D. Recipient's private key

B is correct. You must possess the recipient's public key to encrypt messages. Decryption occurs with the related private key. A is incorrect. Your public key would be needed by a sender to encrypt messages sent to you. C is incorrect. Your private key is used to digitally sign outgoing messages or to decrypt encrypted messages sent to you by others. D is incorrect. Only the recipient should have access to their private key.

Which term best describes a root certificate authority (CA) in a secure configuration? Online Single Hierarchical Offline

Because of the high risk posed by compromising the root CA, a secure configuration involves making the root an offline CA, disconnected from any network, and usually kept in a powered-down state. An online CA is available to accept and process certificate signing requests, publish certificate revocation lists and perform other certificate management tasks. In a single CA model, one CA issues certificates to users; users trust certificates issued only by that CA. The single CA server is very exposed, and if compromised, the whole PKI collapses. In the hierarchical model, a single CA (root) issues certificates to several intermediate CAs, who issue certificates to subjects. This is also referred to as certificate chaining or a chain of trust. 3.9

A network administrator discusses digitally signing client queries to resolve names to IP addresses. Which technology is he discussing? A. S/MIME B. HTTPS C. DNSSEC D. SRTP

C is correct. DNS security extensions (DNSSEC) sign DNS zone records. Clients check DNS server responses to ensure the responses have not been tampered with. Clients must first have connectivity to the DNS server, which can be verified using the nslookup and dig commands. A is incorrect. Secure/Multipurpose Internet Mail Extensions (S/MIME) is used to sign and encrypt messages. B is incorrect. Hypertext Transfer Protocol Secure (HTTPS) secures communications between web clients and web servers. D is incorrect. The Secure Real-Time Transfer Protocol (SRTP) provides encryption, integrity, and message authentication for RTP applications such as those related to Voice over IP (VoIP).

Which of the following centrally authenticates connecting wireless LAN users? A. IPSec B. TLS C. RADIUS D. PKI

C is correct. RADIUS (Remote Authentication Dial-In User Service) uses a server to authenticate user credentials centrally; various endpoint network devices can forward authentication requests from supplicants to this central host. A is incorrect. IPSec encrypts and digitally signs network traffic but cannot centrally authenticate users. B is incorrect. Transport Layer Security (TLS) is a network security protocol that uses one or more PKI certificates to encrypt and/or sign network data. D is incorrect. A Public Key Infrastructure (PKI) is a hierarchy of digital security certificates.

Rachelle is a server administrator. During her required monthly server maintenance duties, Rachelle clears all server logs to increase usable disk space. Her job also requires her to create user accounts and grant permissions to network shared folders and printers. What is the security violation in this scenario? A. Least privilege B. Acceptable use C. Separation of duties D. Incident management

C is correct. Rachelle is a server admin, and she has the ability to erase all server logs—the potential exists for Rachelle to abuse server administrative privileges and clear any audit trails. A is incorrect. Least privilege ensures that users have only the rights they need. B is incorrect. Acceptable use policies state how employees are to use corporate assets properly. D is incorrect. Incident management is a structured approach to handling incidents. None of these items is violated in the example.

What will prevent users from immediately cycling through passwords in an attempt to reuse an old password? A. Minimum password length B. Maximum password length C. Minimum password age D. Maximum password age

C is correct. Setting a minimum password age to three days, for example, will prevent users from, upon password change, immediately cycling through the number of passwords remembered to reuse a familiar password they have already used. A and B are incorrect. Minimum and maximum password lengths relate to password strength, not reuse of old passwords. D is incorrect. The maximum password age determines when users must change their current password.

Your disaster recovery plan requires the quickest possible data restoration from backup tape. Which strategy should you employ? A. Weekly full backup, daily incremental backup B. Daily full backup, weekly incremental backup C. Daily full backup D. Daily differential backup

C is correct. Daily full backups archive all data, even if it has not changed since the last full backup. This requires more storage capacity and time to perform the backup, but restoration is the quickest, since it is a single backup set. A, B, and D are incorrect. Incremental backups only archive data changed since the last full or incremental backup. Differential backups include new and changed data since the last full backup. Incremental and differential backups minimize backup time but take longer to restore than full backups.

(Sample Simulation - On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company's network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts?

Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody

Sal, an IT specialist for a large tech firm, pays for a subscription to a threat data feed to stay updated on the latest blogs, white papers, and webinars in his field. What term(s) best describes this type of feed? (Select all that apply.) Closed Proprietary Open source Vendor-specific

Closed or proprietary research and cyber threat intelligence (CTI) data are available through a paid subscription to a commercial threat intelligence platform. Closed/proprietary security solution providers also publish blogs, white papers, and webinars, making the most valuable research available early to platform subscribers. Some companies operate threat intelligence services on an open-source basis, earning income from consultancy rather than directly from the platform or research effort. Security, hardware, and software vendors may also make proprietary threat intelligence available at no cost, as a customer benefit, publishing threat data on their websites, such as Microsoft's Security Intelligence blog.

Which of the following types of digital forensic investigations is the most challenging due to the on-demand nature of the analyzed assets? On-premise servers Mobile devices Cloud services Employee workstations

Cloud Services OBJ-3.6: The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Cloud providers can mitigate this to some extent by using extensive logging and monitoring options. A CSP might also provide an option to generate file system and memory snapshots from containers and VMs in response to an alert condition generated by a SIEM. Employee workstations are often the easiest to conduct forensics on since they are a single-user environment for the most part. Mobile devices have some unique challenges due to their operating systems, but good forensic tool suites are available to ease the forensic acquisition and analysis of mobile devices. On-premise servers are more challenging than a workstation to analyze, but they do not suffer from the same issues as cloud-based services and servers.

David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?

RDP

You are modifying the backup schedule for the thirteen Windows and seven Unix servers in your server room. Full backups will occur Saturdays at 9:00 A.M. and incremental backups will occur every weekday starting at 7:00 P.M. Each server contains an average of 400GB of data. Backup tapes are stored in a safe down the hall in the IT manager's office. What problems exist with this scenario? A. Incremental backups must be used with differential backups. B. There is not enough time to perform incremental backups if the start time is 7:00 P.M. C. Differential backups can be used only with full backups. D. Backup tapes should be stored offsite.

D is correct. Backup tapes (or a verified copy of them) must be stored at an alternate location in case of fire or flood damage, to name just a few possibilities. Organizational data files as well as virtual machine snapshots are often stored on backup media, including in the cloud. A, B, and C are incorrect. Incremental backups work with full backups just as differential backups do, but they should not be used together. In the scenario, we are not given specifics as to backup speeds, but given that incremental backups are being used for a relatively small amount of data, there should be plenty of time for the backups to complete.

A technician is researching new rack mount servers to determine the maximum BTU value of all servers in the server room. Which related item should the technician consider? A. Required server processing speed B. Network bandwidth requirements C. Fire suppression D. HVAC

D is correct. HVAC (heating, ventilation, air conditioning) must be considered when discussing server BTUs (British thermal units). BTUs measure thermal energy (heat), and your server room air conditioning must be able to displace the BTUs generated by your computing equipment; otherwise, the server room will be much too warm for your equipment. A is incorrect. BTUs are not related to the server processing speed. B is incorrect. BTUs are not related to network bandwidth. C is incorrect. Fire suppression systems are critical to minimize fire and smoke damage; they are not directly related to climate control.

To increase response time to your public web site, you decide to purchase three network load-balancing appliances to match your three web servers. Your web site is registered with the name www.faroutwidets.com using IP address 216.76.0.55. What IP addresses should the public interface of each load balancer assume? A. 216.76.0.56, 216.76.0.57, 216.76.0.58 B. 216.76.0.52, 216.76.0.53, 216.76.0.54 C. 216.76.0.55, 216.76.0.56, 216.76.0.57 D. 216.76.0.55, 216.76.0.55, 216.76.0.55

D is correct. Network load balancers (NLBs) should accept client requests to the requested service (216.76.0.55); thus, they must all be configured to listen on the same virtual IP address. Incoming client requests are then distributed to the least busy backend web servers. When multiple load balancers are used, active/active configurations mean all load balancers are active simultaneously. Active/passive means only one load balancer is active; the passive node becomes active when the active node goes down. A, B, and C are incorrect. These addresses should not be used; 216.76.0.55 should be used for all three NLB public interfaces.

Which of the following authentication methods is considered the least secure? A. Kerberos B. CHAP C. RADIUS D. PAP

D is correct. Password Authentication Protocol (PAP) is the least secure because it sends usernames and passwords across the network in clear text. A, B, and C are incorrect. Kerberos, CHAP, and RADIUS are more secure authentication methods than PAP because they do not transmit credentials across the network in clear text.

Which type of risk analysis uses ALE figures to prioritize risks? A. Inverted B. Subverted C. Qualitative D. Quantitative

D is correct. Quantitative risk analysis uses dollar values (quantities) to prioritize threats. The ALE value represents a cost should the risk occur. A is incorrect. Inverted analysis is an invalid term. B is incorrect. Subverted risk analysis is an invalid term. C is incorrect. Qualitative risk analysis uses a relative ranking system, and not dollar values, to organize risks.

You must determine which TCP port a custom seismic activity application uses in order to configure a firewall rule allowing access to the program. The application is running on a host named ROVER that also runs other custom network applications. Users connect to an internal web site, which in turn connects to ROVER to use the custom application. How can you find out which TCP port the custom application uses? A. Run a port scan against ROVER. B. Run the NETSTAT -P TCP command. C. Ping ROVER. D. Generate activity to the seismic activity app and capture the traffic.

D is correct. Using a protocol analyzer (packet sniffer) such as Wireshark or the Linux tcpdump command to capture the relevant network traffic from the web site to ROVER will reveal the TCP port being used by examining the TCP packet header. This enables technicians to use the port number to configure application or network-based firewall rules correctly. A is incorrect. Running a port scan against ROVER will show all listening port numbers and will not isolate the seismic activity custom application. B is incorrect. The listed NETSTAT command will show connections for all TCP ports but again will not isolate the seismic activity custom application. C is incorrect. The ping command is useful in determining if a target host is up and running, or more specifically, responding to ICMP echo requests. Ping has nothing to do with port numbers.

While working over the telephone with a network technician, you mention that your wireless network is using layer 2 filtering. What type of filtering is this? A. IP Addresses B. Computer name C. PKI certificate D. MAC address

D. MAC Address D is correct. Network cards have a built-in physical hardware hexadecimal address composed of 48 bits—for example, 00-24-D6-9B-08-8C. This address applies to layer 2 (Data Link layer) of the OSI (Open Systems Interconnection) model. When technicians refer to layer 2 filtering, they are talking about filtering access based on MAC addresses. A is incorrect. IP addresses apply to layer 3 (Network layer) of the OSI model. B is incorrect. Computer names apply to layer 5 (Session layer). C is incorrect. PKI certificate is not a type of filtering.

An IT team looks into secure data access and file encryption solutions. During planning, the team researches the different states of data and decides on a way to handle data that is in memory but not used, such as a forgotten open file. Which data state is the team addressing? Data in use Data at rest Data in transit Data in motion

Data in use is the state when data is present in volatile memory, such as system RAM or CPU cache. A document that is open in a word processing application is an example of data in use. Data at rest means that the data is in some sort of persistent storage media. Examples of types of data that may be at rest include information stored in databases or archived files. Data in transit is the state when data is transmitted over a network. An example of data in transit is website traffic. Data in motion (data in transit) is the state when data is transmitted over a network. An example of data in transit is a file copy process.

An employee suspected of storing illicit content on a company computer discovers a plan to investigate, so the employee tries to hide evidence of wrongdoing. The employee deletes the illicit files and attempts to overwrite them. If a forensics investigation can discover the lost files, which statement best describes how? The forensics investigation will not be able to locate the lost files. The forensics investigator can retrieve fragments of deleted or overwritten files. The forensics investigator must use a live acquisition tool to retrieve files in recent memory. The forensics investigation can uncover the lost data using a cache acquisition tool.

Data recovery refers to analyzing a disk (or image of a disk) for file fragments stored in slack space, which might represent deleted or overwritten files. Carving is the process of recovering them: extracting data from a computer when that data has no associated file system metadata. Live acquisition copies data while the host is still running. Disk image acquisition obtains data from non-volatile storage. Data recovery can use a disk image. Cache can refer either to hardware components or software. Software-based cache is stored in the file system and can be acquired as part of a disk image. Contents of a hardware cache (CPU registers and disk controller read/write cache, for instance) are not generally recoverable.

Which scenario best illustrates effective use of industrial camouflage as a security control? Security guards protect a well-lit entry point to a top secret processing facility. Conspicuous warning signs warn unauthorized personnel against entering a fenced-off security zone. Entry control measures for a secure facility begin inside a main entry point, rather than outside the building. Entry to secure zones proceeds in an in-and-out manner, rather than an across-and-between traffic flow.

Discreet entry points to secure zones impede an intruder from inspecting the security mechanisms protecting such zones (or even to know where they are). The use of industrial camouflage makes buildings and gateways protecting high-value assets unobtrusive. Human security guards can guard entry to and around an asset. The visible presence of guards is a very effective intrusion detection and deterrence mechanism, but is expensive and conspicuous. Signage and warnings enforce the idea that security is tightly controlled and may convince intruders to stay away, but they are not discreet. Minimizing traffic passing between zones enhances security. The flow of people should be "in and out" rather than "across and between."

A security engineer implements a secure wireless network. In doing so, the engineer decides to use EAP with Flexible Authentication via Secure Tunneling (EAP-FAST). Which authentication approach does the engineer implement? Protected Access Credential (PAC) instead of a certificate Any inner authentication protocol such as PAP or CHAP Only requiring a server-side public key certificate The supplicant and server are configured with certificates.

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST) is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC). EAP-Tunneled TLS (EAP-TTLS) is similar to PEAP. It uses a server-side certificate and can use any inner authentication protocol (PAP or CHAP, for instance). In Protected Extensible Authentication Protocol (PEAP), an encrypted tunnel is established between the supplicant and authentication server and only requires a server-side public key certificate. EAP-TLS is one of the strongest types of authentication, and the supplicant and server are configured with certificates.

A company hires a security consultant to help them perform a business process analysis (BPA) and reduce dependencies. The consultant asks a manager at the company to walk through the typical process each salesperson makes when processing order requests. Examine the consultant's methods and determine which factor in the BPA the consultant is evaluating. Identify process inputs Identify process outputs Examine the process flow Identify staff and other resources performing the function

For mission essential functions, it is important to reduce the number of dependencies between components. Performing a business process analysis (BPA) for each mission critical function identifies dependencies for each function. The BPA should identify the process flow, a step-by-step description of how the function is performed. Inputs are the sources of information for performing the function (including the impact if delayed or out of sequence). Outputs are the data or resources the function produces. Staff and other resources support the function, but a process flow examines how each person and resource supports the function.

Which phases of the Incident Response Process involve determining if an attack happened and mitigating its effects? (Select all that apply.) Eradication Identification Containment Preparation

Identification is the step where information from an alert or report is used to determine whether an incident has taken place, assess how severe it might be (triage), and notify stakeholders. Containment is the step to limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact. Eradication is the step to remove the cause and restore the affected system to a secure state by wiping a system and applying secure configuration settings. Preparation is the precursor step to make the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication.

A user enters the web address of a favorite site and the browser returns the following: "There is a problem with this website's security certificate." The user visits this website frequently and has never had a problem before. Applying knowledge of server certificates, select the circumstances that could cause this error message. (Select all that apply.) The system's time setting is incorrect. The certificate is pinned. The browser needs updating. The certificate expired.

If the date and time settings on the system are not synchronized with the server's setting, the server's certificate will be rejected. An expired server certificate would cause the browser to return an error message. Certificate pinning ensures that when a client inspects the certificate presented by a server, it is inspecting the proper certificate. This is mostly done to prevent a Man-in-the-Middle attack and would not generate an error message. Though browsers often do need updating, this likely would not be the issue with accessing a web site. There may be specific functionality lost if the browser is extremely outdated, but it would still attempt to pull up the site in most cases and not receive this error.

An organization hires a pen tester. The tester achieves a connection to a perimeter server. Which technique allows the tester to bypass a network boundary from this advantage? Persistence Privilege escalation Pivoting Lateral movement

If the pen tester achieves a foothold on a perimeter server, a pivot allows them to bypass a network boundary and compromise servers on an inside network. Persistence is the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor. A pen tester enumerates running services and their associated accounts in an attempt to escalate privileges and gain further access. Lateral movement is the action of gaining control over other hosts. This is done partly to discover more opportunities to widen access, partly to identify where valuable data assets might be located, and partly to evade detection.

An organization requires that a file transfer occurs on a nightly basis from an internal system to a third-party server. IT for both organizations agree on using FTPS. Which configurations does IT need to put in place for proper file transfers? (Select all that apply.) Configure the use of port 990 Configure the use of port 22 Negotiate a tunnel prior to any exchanged commands Using Secure Shell (SSH) between client and server

Implicit TLS (FTPS) mode FTPS is tricky to configure when there are firewalls between the client and server, and it uses the secure port 990 for the control connection. Implicit TLS (FTPS) negotiates an SSL/TLS tunnel before the exchange of any FTP commands. SSH FTP (SFTP) uses a secure link that is created between the client and server using Secure Shell (SSH) over TCP port 22. With SFTP, which uses SSH, a secure link is created between the client and server. Ordinary FTP commands and data transfer can then be sent over the secure link without risk of eavesdropping or man-in-the-middle attacks.

A company hires a security consultant to train the IT team in incident response procedures. The consultant facilitates a question and answer session, and the IT team practices running scans. Determine which type of incident response exercise the consultant facilitates in this scenario. Tabletop exercise Walkthrough Simulation Forensics

In a walkthrough, a facilitator presents a scenario and the incident responders demonstrate what actions they would take. Responders may run scans and analyze sample files, typically on sandboxed versions of the company's actual response and recovery tools. The facilitator in a tabletop exercise presents a scenario and the responders explain what action they would take to manage the threat—without the use of computer systems. Simulations are team-based exercises, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. Digital forensics describes techniques to collect and preserve evidence. Forensics procedures are detailed and time-consuming, whereas the purpose of incident response is usually urgent.

An intrusion prevention system (IPS) generates an incident report for some suspicious user activity, which prompts a system administrator to investigate a possible insider attack. Review the options and determine what type of IPS profile led to this discovery. Signature-based detection Behavioral-based detection Host-based intrusion detection Web application firewall (WAF) detection

In behavioral-based detection, the engine recognizes deviations from a baseline of "normal" traffic or events, which can help identify zero-day attacks, insider threats, and other malicious activity. Signature-based detection (or pattern-matching) means that the engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident. A host-based IDS (HIDS) captures information from a single host, such as a server, router, or firewall. HIDS software produces a log that shows which process initiated the event and what resources on the host were affected. A web application firewall (WAF) is designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.

Security solutions providers and academics conduct primary research to produce outputs on threat intelligence that take three main forms. Which of these selections is NOT one of the three main outputs? Behavioral threat research Information Sharing and Analysis Centers (ISACs) Reputational threat intelligence Threat data

Information Sharing and Analysis Centers (ISACs) are sector-specific resources for companies and agencies working in critical industries, such as power supply, financial markets, or aviation. ISACs are platforms used to share threat intelligence data. Behavioral threat research is a narrative commentary describing examples of attacks and TTPs gathered through primary research sources. Reputational threat intelligence includes lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware. Computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators is called threat data, which can be packaged as feeds that integrate with a security information and event management (SIEM) platform.

A security analytics team is threat hunting on a Windows network. What type of activity is most likely to alert the team to an insider attack? A user without privileged access executes PowerShell Invoke-Command cmdlet. A privileged user account executes PowerShell Invoke-Command cmdlet. A user without privileged access uses a Bash command whoami to locate users on the local network. A privileged user account uses Constrained Language Mode (CLM) and signed scripts.

Lateral movement or an insider attack uses access to execute a process remotely, using a tool such as psexec or PowerShell. These commands can blend in with ordinary network operations, though they could be anomalous behavior for a non-privileged account. Cmdlets, such as Invoke-Expression, can indicate an attempt to run some type of binary shellcode. Privileged users' use of PowerShell is far less suspicious than a non-privileged user executing the same commands. A malicious script running on a Linux host might attempt to use commands, such as whoami and ifconfig/ip/route, to establish the local context. The use of CLM and signed scripts indicates legitimate behavior and limits the ability of exploit code to run on high-value target systems.

Management looks to IT for a solution to identify successful and failed login attempts. Which solution will IT provide to management? Logs Network monitors Packet capture Sniffer

Logs are one of the most valuable sources of security information. A system log can be used to diagnose availability issues. A security log can record both authorized and unauthorized uses of a resource or privilege. A network monitor collects data about network appliances, such as switches, access points, routers, firewalls, and servers. A monitor is used to monitor load status for CPU/memory, state tables, disk capacity, and more. Data from network packet capture provides summary statistics about bandwidth and protocol usage. Sensors/sniffers are used for packet capture and provide summary statistics along with protocol usage and the opportunity for detailed frame analysis.

A hacker places a false name:IP address mapping in an operating system's HOSTS file, redirecting traffic from a legitimate IP address to a malicious IP address. What type of attack did the hacker perform? Domain hijacking Domain name system client cache (DNS) poisoning Rogue dynamic host configuration protocol (DHCP) Address Resolution Protocol (ARP) poisoning

Most operating systems still check the HOSTS file for a recorded name:IP mapping before using DNS. If an attacker can place a false name:IP address mapping in the HOSTS file, poisoning the DNS cache, the attacker can redirect traffic. In domain hijacking (or brandjacking), the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. The Dynamic Host Configuration Protocol (DHCP) facilitates automatic network address allocation. If an attacker establishes a rogue DHCP, it can perform DoS or snoop on network information. ARP poisoning occurs when an attacker with access to the network redirects an IP address to the MAC address of a computer that is not the intended recipient.

A security team uses passive scanning to gather information and data related to a suspected rogue system on a network. By using passive scanning, what type of information does the team gather? Credentialed Indirect evidence Embedded Report

Non-intrusive (or passive) scanning means analyzing indirect evidence, such as the types of traffic generated by a device. A credentialed scan (whether passive or active) is given a user account with logon rights to various hosts, plus whatever other permissions are appropriate. These credentials allow access to protected information. Embedded refers to a system type, such as VoIP phones, where the OS is built in to the system. These system types are prone to crashing when scanned. Report data is available from many scanning systems which use databases of known software and configuration vulnerabilities. Reports may include information about each vulnerability in the database.

Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role?

OBJ-2.2: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the exam scope. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

What type of wireless security measure can easily be defeated by a hacker by spoofing their network interface card's hardware address? WEP Disable SSID broadcast WPS MAC filtering

OBJ-3.3: Wireless access points can utilize MAC filtering to ensure only known network interface cards are allowed to connect to the network. If the hacker changes their MAC address to a trusted MAC address, they can easily bypass this security mechanism. MAC filtering is considered a good security practice as part of a larger defense-in-depth strategy, but it won't stop a skilled hacker for long. MAC addresses are permanently burned into the network interface card by the manufacturer and serve as the device's physical address. WEP is the Wired Equivalent Privacy encryption standard, which is considered obsolete in modern wireless networks. WEP can be broken using a brute force attack within just a few minutes by an attacker. Another security technique is to disable the SSID broadcast of an access point. While this prevents the SSID broadcast, a skilled attacker can still find the SSID using discovery scanning techniques. WPS is the WiFi Protected Setup. WPS is used to connect and configure wireless devices to an access point easily.

Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of "connected clients" and see that "Bob's Laptop" is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the proper WPA3 password?

OBJ-3.4: WPS was created to ease the setup and configuration of new wireless devices by allowing the router to automatically configure them after a short eight-digit PIN was entered. Unfortunately, WPS is vulnerable to a brute-force attack and is easily compromised. Therefore, WPS should be disabled on all wireless networks. If Bob could enter your apartment and press the WPS button, he could have configured his laptop to use your wireless network without your WPA3 password. While disabling the SSID broadcast could help prevent someone from seeing your network, the issue was someone connecting to your network without having the password. Disabling the SSID broadcast would not solve this issue.

Which of the following access control models is the most flexible and allows the resource owner to control the access permissions? MAC ABAC DAC RBAC

OBJ-3.8: Discretionary access control (DAC) stresses the importance of the owner. The original creator of the resource is considered the owner and can then assign permissions and ownership to others. The owner has full control over the resource and can modify its ACL to grant rights to others. This is the most flexible model and is currently implemented widely in Windows, Unix, Linux, and macOS systems.

An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker located several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use? Cain and Abel Netcat Nmap Nessus

OBJ-4.1: Cain and Abel (often abbreviated to Cain) is a Windows password recovery tool. It can recover many password types using methods such as network packet sniffing and cracking password hashes by dictionary, brute-force, and cryptanalysis (rainbow-table) attacks. It also includes a module that decodes the obfuscated group password (enc_GroupPwd) stored in Cisco VPN Client .pcf profiles, which is exactly what the attacker needs here. Nmap is a port and service scanner. Nessus is a vulnerability scanner. Netcat reads and writes raw TCP/UDP connections and is commonly used to create reverse shells for remote access. None of these three decode passwords.

Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain? OpenIOC Diamond Model of Intrusion Analysis Lockheed Martin cyber kill chain MITRE ATT&CK framework

OBJ-4.2: The Diamond Model of Intrusion Analysis represents each intrusion event as four linked vertices (adversary, infrastructure, capability, and victim) and chains those events into activity threads that map onto the phases of a kill chain, which is the graphical depiction the question describes. It is an excellent methodology for communicating cyber events and lets analysts derive mitigation strategies from the relationships between the vertices. The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques with detection and mitigation guidance for each, and it ties specific behaviors back to named threat groups, but it is presented as a matrix rather than a kill-chain diagram. The Lockheed Martin cyber kill chain provides a general life-cycle description of how attacks occur but does not itself deal with the specifics of how to mitigate them. OpenIOC is an XML schema for sharing indicators of compromise; it does not integrate detection and mitigation strategy.

Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company's biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server's hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy's data integrity matches that of the original web server's hard disk?

OBJ-4.5: SHA-256 (the Secure Hash Algorithm with a 256-bit output) is one of the most common hash algorithms in use and is employed in many applications and protocols. A cryptographic hash of the original drive and of the image will match only if the image is a bit-for-bit copy, so computing both digests (with the source attached through a write blocker so the act of hashing cannot alter it) and recording them in the chain-of-custody documentation proves the copy's integrity; anyone can later rehash the image to show it was not altered. RSA, 3DES, and AES are all encryption algorithms: they can provide confidentiality but not integrity. MD5 and SHA-1 are also hashes but have known collision attacks, so SHA-256 is the appropriate choice when it is offered.
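The verification step described above, as an added example that is not part of the original study set: the image is hashed in chunks so it never has to fit in memory, and a single flipped bit in the copy is enough to fail the check. The "drive" contents here are constructed sample bytes; sha256_file is the same routine applied to a path such as a raw device node.

```python
# Added example, not from the original study set: chunked SHA-256 to verify a
# forensic image against its source. Standard library only.
import hashlib


def sha256_chunks(chunks) -> str:
    """Hash an iterable of byte chunks; works for images far larger than RAM."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash an in-memory buffer in chunk_size pieces (same result as hashing it whole)."""
    view = memoryview(data)
    return sha256_chunks(view[i:i + chunk_size] for i in range(0, len(view), chunk_size))


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file or raw device (e.g. /dev/sdb) without loading it whole."""
    with open(path, "rb") as f:
        return sha256_chunks(iter(lambda: f.read(chunk_size), b""))


def verify_image(original: bytes, image: bytes) -> bool:
    """Integrity check: the image is acceptable only if both digests match exactly."""
    return sha256_bytes(original) == sha256_bytes(image)


# Constructed sample "drive" contents
ORIGINAL = bytes(range(256)) * 64            # 16 KiB of deterministic data
GOOD_IMAGE = bytes(ORIGINAL)                 # faithful bit-for-bit copy
_damaged = bytearray(ORIGINAL)
_damaged[5000] ^= 0x01                       # a single flipped bit
BAD_IMAGE = bytes(_damaged)

if __name__ == "__main__":
    print("source :", sha256_bytes(ORIGINAL))
    print("image  :", sha256_bytes(GOOD_IMAGE), verify_image(ORIGINAL, GOOD_IMAGE))
    print("damaged:", sha256_bytes(BAD_IMAGE), verify_image(ORIGINAL, BAD_IMAGE))
```

In practice the digest of the source is taken before imaging and again after, and the image's digest is stored with the evidence log; the digests, not the tool output, are what gets presented in court.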

Which of the following terms is used to describe the period of the time taken to correct a fault so that the system is restored to full operations after a failure or incident?

OBJ-5.4: Mean time to repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation; it is usually quoted as the average time to replace or recover a system or product. Recovery time objective (RTO) is the maximum period an individual IT system may remain offline following a disaster. It covers the time taken to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failures (MTBF) represents the expected operating time of a product before it fails and must be replaced or repaired.

Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24 hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements?

OBJ-5.4: Since the RPO is 24 hours, backups must be taken at least daily. Since the requirement is for backups to run at a specific time, hourly snapshots would not meet the schedule and are not easily transported, because they are taken disk-to-disk. Replication to a hot site does not produce media that can be transported to an off-site facility for storage, and replication would occur continuously throughout the day. Therefore, a daily incremental backup to tape should be conducted: it copies only what changed since the previous backup, so it takes the least time, and the tapes can be transported for storage. Restoration requires the last full backup plus every incremental taken since it, which is the trade-off for the shorter backup window.

A technician is tasked with developing an implementation guide on embedded systems communications considerations after budgeting for new systems in the upcoming year. What are NOT true statements regarding these communication considerations?(Select all that apply.) A cellular network enables long-distance communication over the same system that supports mobile and smartphones. Z-Wave and Zigbee are wired communications protocols used primarily for home automation. Any LTE-based cellular radio uses a subscriber identity module (SIM) card as an identifier. A cabled network for industrial applications is referred to as an organizational technology (OT) network.

Z-Wave and Zigbee are wireless, not wired, communications protocols used primarily for home automation. Both create a mesh network topology, using low-energy radio waves to communicate from one appliance to another. A cabled network for industrial applications is referred to as an operational technology (OT) network, not an organizational technology network; these typically use either serial data protocols or industrial Ethernet. It is a true statement that a cellular network enables long-distance communication over the same system that supports mobile and smartphones. It is also true that any LTE-based cellular radio uses a subscriber identity module (SIM) card as an identifier.

An engineering firm provisions microwave technology for a wide area communications project. When using point-to-multipoint (P2M) mode, which technologies does the firm put in place? (Select all that apply.) Directional antennas Sectoral antennas Multiple sites connected to a single hub High gain link between two sites

OBJ-3.5: Point-to-multipoint (P2M) microwave links multiple sites or subscriber nodes to a single hub and uses smaller sectoral antennas than P2P, each covering a separate quadrant. This can be more cost-efficient in high-density urban areas and requires less radio spectrum. A high-gain connection means the antennas at the two sites are highly directional, each pointed directly at the other; that describes point-to-point (P2P) microwave, which uses high-gain antennas to link exactly two sites. The radios or routers at each end of a P2P link are also normally paired to one another.

The recovery phase of an incident response involves several steps. Which of the following is NOT a step in the recovery phase? Reaudit security controls. Reconstitute affected systems. Prepare a lessons learned report. Notify affected parties with instructions to remediate affected systems.

Preparing a "lessons learned" report belongs to the lessons learned phase, which follows the recovery phase. Reauditing security controls is part of the recovery phase and ensures the controls are not vulnerable to another attack: the attacker gained information about the network in the current attack, which could be used to launch a second attempt. Reconstituting affected systems means either removing malicious files or tools from affected systems or restoring the systems from secure backups; this is part of the recovery phase. Ensuring that affected parties are notified and given the means to remediate their own systems is also part of the recovery phase.

A banking institution is considering the use of cloud computing across multiple locations. Comparing the various cloud deployment models, which model will likely allow optimal control over privacy and security? Public Hosted private Private Community

Private cloud infrastructure is owned by and completely private to the organization, allowing the greatest control over privacy and security. This suits banking and governmental services that require strict access control in their operations. With the public model, providers can offer subscriptions or pay-as-you-go financing while also providing free lower-tier services; as a shared resource, it carries numerous performance and security risks. A hosted private cloud, hosted by a third party for the organization's exclusive use, offers better performance and security than a public cloud but less control than infrastructure the organization owns. In a community cloud, several organizations share the costs of either a hosted private or fully private cloud and pool resources for a common concern, such as standardization and security policies.

While preparing a disaster recovery plan, management at a company considers how far back it can allow for the loss of data. Which metric does management use to describe this business essential data in terms of recovery? Recovery point objective Work recovery time Maximum tolerable downtime Mean time to repair

OBJ-5.4: Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. If data is not recoverable (such as the last five working days of data), there is a significant impact on the operations of the business. Work recovery time (WRT) follows systems recovery; during this time there may be additional work to reintegrate different systems and test overall functionality. Maximum tolerable downtime (MTD) is the longest period of time that a business function outage may last without causing irrecoverable business failure. Mean time to repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation.

A company performing a risk assessment calculates how much return the company has saved by implementing a security measure. Which formula will they use to calculate this metric? Asset value x EF [(ALE-ALEm)-Cost of Solution]/Cost of Solution SLE x ARO (ALE-SLE)/Cost of Solution

OBJ-5.4: Return on security investment (ROSI) compares the annualized loss expectancy before a control (ALE) with the reduced figure after the control (ALEm) and nets out what the control costs: ROSI = [(ALE - ALEm) - Cost of Solution] / Cost of Solution. Single loss expectancy (SLE) is the potential loss from a single event; multiplying the value of the asset by an exposure factor (EF), the percentage of the asset lost in one event, gives the SLE (SLE = Asset value x EF). Annualized loss expectancy (ALE) is the potential loss over the course of a year; multiplying the SLE by the annualized rate of occurrence (ARO) gives the ALE (ALE = SLE x ARO). ALE is a yearly figure, while SLE measures a single event. (ALE - SLE) / Cost of Solution is not a recognized metric.
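The SLE, ALE and ROSI chain above carried through in code, as an added example that is not part of the original study set. All dollar figures, exposure factors and occurrence rates below are constructed; the point is to see how a control that reduces either the exposure factor or the annual rate changes the result, and what a negative ROSI looks like.

```python
# Added example, not from the original study set: the SLE/ALE/ROSI chain with
# constructed figures. Standard library only.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction of the asset lost per event."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of events per year."""
    return sle * aro


def rosi(ale_before: float, ale_after: float, cost_of_solution: float) -> float:
    """ROSI = [(ALE - ALEm) - cost] / cost; positive means the control pays for itself."""
    return ((ale_before - ale_after) - cost_of_solution) / cost_of_solution


def evaluate_control(asset_value, ef_before, aro_before, ef_after, aro_after, cost_of_solution):
    """Carry a proposed control through the whole chain and return every intermediate.
    A control may lower EF (e.g. backups reduce what one event destroys), ARO
    (e.g. patching reduces how often it happens), or both."""
    sle = single_loss_expectancy(asset_value, ef_before)
    ale = annualized_loss_expectancy(sle, aro_before)
    sle_m = single_loss_expectancy(asset_value, ef_after)
    ale_m = annualized_loss_expectancy(sle_m, aro_after)
    return {
        "SLE": sle, "ALE": ale, "SLEm": sle_m, "ALEm": ale_m,
        "ROSI": rosi(ale, ale_m, cost_of_solution),
    }


if __name__ == "__main__":
    # Constructed: a $100,000 asset, 40% lost per ransomware event, one event every
    # two years; the control cuts frequency to one in ten years and costs $10,000/yr.
    print(evaluate_control(100_000, 0.40, 0.5, 0.40, 0.1, 10_000))
    # Same control at $20,000/yr: the savings no longer cover the cost (negative ROSI).
    print(evaluate_control(100_000, 0.40, 0.5, 0.40, 0.1, 20_000))
```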

While configuring IPSec to secure internal LAN traffic, you must specify an integrity algorithm. Which of the following would be valid choices? (Choose two.) A. SHA-1 B. 3DES C. RSA D. MD5

A and D are correct. SHA-1 and MD5 are the hash functions used (as HMAC-SHA1 and HMAC-MD5) for the IPsec integrity algorithm, which lets the receiver confirm that a packet came from the peer holding the shared key and was not tampered with in transit. B and C are incorrect: 3DES is a symmetric encryption algorithm and RSA is an asymmetric one; both provide confidentiality or key exchange, not the integrity check. In practice, prefer SHA-256 (HMAC-SHA256) where the implementation offers it, since MD5 and SHA-1 are deprecated.

Which of the following statements best contrasts between a service-oriented architecture (SOA) model and a microservices-based model? SOA can build services from other services, while an implementation of microservices develops, tests, and deploys microservices independently. Microservices are loosely decoupled, while SOA services are considered highly decoupled. SOA focuses on making a single, discrete task easily repeatable, while microservices perform a sequence of automated tasks. Microservices help to make a network's design architecture fit a business's requirements, rather than accommodating the business workflow to the platform requirements, as in SOA.

SOA allows a service to be built from other services. By contrast, each microservice should be capable of being developed, tested, and deployed independently. Microservices are described as highly decoupled rather than just loosely coupled; SOA services and the clients requesting them have fewer compatibility constraints than monolithic applications, and that independence between client and service is what is called loose coupling. The remaining options describe other concepts: where automation makes a single, discrete task easily repeatable, orchestration performs a sequence of automated tasks; and it is virtualization that helps fit the design architecture to the business requirement rather than accommodating the business workflow to the platform requirement.

Which statement best describes the purpose of the spanning tree protocol (STP)? STP enforces a network health policy. STP allows a server to assign clients IP address information when they connect to the network. STP prevents loops and network broadcast storms. STP prevents the attachment of unauthorized client devices at unsecured wall ports.

OBJ-3.1: STP is principally designed to prevent broadcast storms, which are caused by loops in switched networks. Spanning tree is a means for bridges (switches) to organize themselves into a hierarchy and block redundant links so that no loop forms. Network access control (NAC) products extend the scope of authentication to allow administrators to devise policies or profiles describing a minimum security configuration that devices must meet before they are granted network access; this is a health policy. Dynamic Host Configuration Protocol (DHCP) is the protocol that allows a server to assign IP address information to a client when it connects to the network. Port security (limiting which MAC addresses may use a switch port, or requiring 802.1X) is what prevents the attachment of unauthorized devices at unsecured wall ports.

A systems administrator realizes the need to scale a server for high availability purposes. Which approaches does the administrator utilize to scale out the virtual system? (Select all that apply.) Add an additional CPU Give important processes higher priority Free up CPU usage by eliminating services Add additional RAM

Scalability is the capacity to increase resources to meet demand within similar cost ratios: if service demand doubles, costs should not more than double. In this question's framing, scaling out adds more resources in parallel to a system, so adding another CPU or more RAM to the virtual machine counts as scaling out, whereas giving important processes higher priority or freeing CPU by eliminating services is scaling up, that is, getting more out of the existing resources. Be aware that outside this study set the industry terms are usually the reverse: adding CPU or RAM to one machine is vertical scaling (scaling up), and adding more machines or instances behind a load balancer is horizontal scaling (scaling out), which is also the approach that actually delivers high availability, since one bigger VM is still a single point of failure.

A systems administrator uses a disk image to provision new workstations. After installing several workstations, it is found that they no longer boot. It is possible that the disk image in use included malicious code. Which specific method has stopped the systems from starting? UEFI Measured boot Secure boot Boot attestation

Secure boot is designed to prevent a computer from being hijacked by a malicious OS. The UEFI firmware holds digital certificates from trusted OS vendors and refuses to load a boot loader or driver whose signature does not chain to one of them, which is why an image containing altered boot code halts the workstations at startup. Unified Extensible Firmware Interface (UEFI) itself is the firmware that provides the code allowing the host to boot an OS; it can enforce a number of boot integrity checks, of which secure boot is one. A measured boot process uses the trusted platform module (TPM) at each stage of the boot process to record hashes of key system state data and detect whether they have changed; it logs the deviation but does not usually prevent booting. Boot attestation is the capability to transmit a boot log report signed by the TPM via a trusted process to a remote server, which then decides whether to trust the host.
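A toy model of the distinction above, as an added example that is not part of the original study set: measured boot extends every component's hash into a PCR and keeps booting, while secure boot refuses to hand control to an unapproved image. Real secure boot verifies vendor signatures against certificates in the UEFI db; this model stands in for that with an allowlist of image hashes, and the firmware, bootloader and kernel "images" are constructed byte strings.

```python
# Added example, not from the original study set: measured boot (TPM-style PCR
# extend) versus secure boot (refuse to run anything unapproved). The hash
# allowlist is a stand-in for real signature verification against the UEFI db.
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA256(PCR_old || measurement)."""
    return h(pcr + measurement)


def measured_boot(components):
    """Measure every component into a PCR and append it to the event log.
    Nothing is blocked: a tampered image still boots, it just yields a different PCR."""
    pcr = bytes(32)                      # PCRs start at all zeros
    event_log = []
    for name, image in components:
        m = h(image)
        pcr = pcr_extend(pcr, m)
        event_log.append((name, m.hex()))
    return pcr.hex(), event_log


def secure_boot(components, approved_hashes):
    """Verify each stage before handing control to it. Returns (booted, failing_stage)."""
    for name, image in components:
        if h(image).hex() not in approved_hashes:
            return False, name           # boot stops here; later stages never run
    return True, None


def attest(pcr_hex: str, golden_pcr_hex: str) -> bool:
    """What a remote verifier does with a boot-attestation report: compare the
    reported PCR with a known-good value. Order matters, so a swapped or
    inserted stage also changes the result."""
    return pcr_hex == golden_pcr_hex


# Constructed images
GOOD_CHAIN = [("firmware", b"uefi-firmware-v1"),
              ("bootloader", b"bootloader-v1"),
              ("kernel", b"kernel-v1")]
TAMPERED_CHAIN = [("firmware", b"uefi-firmware-v1"),
                  ("bootloader", b"bootloader-v1+implant"),
                  ("kernel", b"kernel-v1")]
APPROVED = {h(img).hex() for _, img in GOOD_CHAIN}
GOLDEN_PCR, _ = measured_boot(GOOD_CHAIN)

if __name__ == "__main__":
    print("secure boot, good chain    :", secure_boot(GOOD_CHAIN, APPROVED))
    print("secure boot, tampered chain:", secure_boot(TAMPERED_CHAIN, APPROVED))
    pcr, log = measured_boot(TAMPERED_CHAIN)
    print("measured boot completed, stages logged:", len(log), "attestation ok:", attest(pcr, GOLDEN_PCR))
```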

A security information and event management (SIEM) manager analyzes logs from a network RADIUS server. When the SIEM manager analyzes this data, what is the manager looking for as an indicator of possible malicious activity? Unauthorized network traffic Suspicious metadata entries Communication with suspect IP addresses Authentication attempt errors

Security logs may record authentication attempts for hosts, as well as authentication servers, such as Remote Authentication Dial-in User Service (RADIUS) servers. Authentication errors may indicate suspicious activity. Routers, firewalls, switches, and access points generate network logs. Log files record the operation and status of the appliance itself, plus traffic and access logs recording network behavior. Metadata contains information about the data's properties, such as when an application creates data, when media stores data, or when data transmits over a network. Metadata sources can establish timelines for forensic evidence. A DNS server may log an event each time it handles a request to convert between a domain name and an IP address. DNS event logs can hold a variety of information that may supply useful security intelligence.
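What "authentication attempt errors" look like when a SIEM rule actually runs over RADIUS logs, as an added example that is not part of the original study set: the detector counts failures per user inside a sliding window, flags a success that follows such a burst, and separately flags one NAS client failing against many different accounts (password spraying). The log lines are constructed in the general shape of FreeRADIUS "Auth:" messages; the format, thresholds and window are assumptions.

```python
# Added example, not from the original study set: detecting brute force,
# success-after-burst, and spraying in RADIUS authentication logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the general shape of FreeRADIUS Auth messages.
SAMPLE_LOG = """\
Tue Mar 05 10:00:00 2024 : Info: rlm_sql (sql): Connected to database
Tue Mar 05 10:00:01 2024 : Auth: (1) Login incorrect (Password check failed): [alice] (from client nas1 port 0 cli 00-11-22-33-44-55)
Tue Mar 05 10:00:09 2024 : Auth: (2) Login incorrect (Password check failed): [alice] (from client nas1 port 0 cli 00-11-22-33-44-55)
Tue Mar 05 10:00:17 2024 : Auth: (3) Login incorrect (Password check failed): [alice] (from client nas1 port 0 cli 00-11-22-33-44-55)
Tue Mar 05 10:00:25 2024 : Auth: (4) Login incorrect (Password check failed): [alice] (from client nas1 port 0 cli 00-11-22-33-44-55)
Tue Mar 05 10:00:33 2024 : Auth: (5) Login incorrect (Password check failed): [alice] (from client nas1 port 0 cli 00-11-22-33-44-55)
Tue Mar 05 10:01:30 2024 : Auth: (6) Login OK: [alice] (from client nas1 port 0 cli 00-11-22-33-44-55)
Tue Mar 05 10:02:00 2024 : Auth: (7) Login incorrect (Password check failed): [bob] (from client nas1 port 0 cli 00-11-22-33-44-66)
Tue Mar 05 10:02:10 2024 : Auth: (8) Login OK: [bob] (from client nas1 port 0 cli 00-11-22-33-44-66)
Tue Mar 05 10:03:00 2024 : Auth: (9) Login incorrect (Password check failed): [dave] (from client nas2 port 0 cli 00-11-22-33-44-77)
Tue Mar 05 10:03:05 2024 : Auth: (10) Login incorrect (Password check failed): [erin] (from client nas2 port 0 cli 00-11-22-33-44-77)
Tue Mar 05 10:03:10 2024 : Auth: (11) Login incorrect (Password check failed): [frank] (from client nas2 port 0 cli 00-11-22-33-44-77)
Tue Mar 05 10:03:15 2024 : Auth: (12) Login incorrect (Password check failed): [grace] (from client nas2 port 0 cli 00-11-22-33-44-77)
Tue Mar 05 10:03:20 2024 : Auth: (13) Login incorrect (Password check failed): [heidi] (from client nas2 port 0 cli 00-11-22-33-44-77)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: \(\d+\) "
    r"Login (?P<result>OK|incorrect)[^\[]*\[(?P<user>[^\]]+)\] \(from client (?P<client>\S+)"
)


def parse_line(line):
    """Return (timestamp, success, user, client) or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["result"] == "OK", m["user"], m["client"]


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    per_user = defaultdict(list)          # user -> [(ts, success)]
    users_per_client = defaultdict(set)   # client -> users it failed against
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ok, user, client = rec
        per_user[user].append((ts, ok))
        if not ok:
            users_per_client[client].add(user)

    findings = {"brute_force": [], "success_after_burst": [], "spray": []}
    for user, events in per_user.items():
        events.sort()
        fails = [ts for ts, ok in events if not ok]
        burst_end = None
        for i in range(len(fails)):       # sliding window over failure times
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = fails[j]
                break
        if burst_end is None:
            continue
        findings["brute_force"].append(user)
        if any(ok and burst_end <= ts <= burst_end + window for ts, ok in events):
            findings["success_after_burst"].append(user)   # likely compromised
    for client, users in users_per_client.items():
        if len(users) >= threshold:
            findings["spray"].append(client)
    return findings


if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```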

As part of updating a company's compliance documentation, you are classifying security controls used by the company. The company's app uses an IP geolocation database to determine whether to trigger a secondary authentication method. What type of authentication design should this be categorized as? Something you can do authentication. Something you exhibit authentication. Something you have authentication. Somewhere you are authentication.

Something you can do refers to physical behavioral characteristics, such as the way you walk (gait). Something you exhibit authentication refers to profiling behavioral patterns. Something you have authentication tests ownership or possession of a trusted device. Somewhere you are authentication measures the subject's current location, using various services.

In a protocol, such as Transport Layer Security (TLS), the server and client negotiate mutually compatible cipher suites as part of the TLS handshake. Which of the following components is NOT part of the encryption cipher suite? Signature algorithm A key exchange/agreement algorithm Bulk encryption cipher Stream cipher

"Stream cipher" is not a cipher suite component. A TLS 1.2 cipher suite names a key exchange/agreement algorithm (for example ECDHE), a signature algorithm used to assert the identity of the server's public key and facilitate authentication (for example RSA or ECDSA), a bulk encryption cipher with its mode (for example AES-128-GCM), and a hash or MAC algorithm (for example SHA256); a TLS 1.3 suite names only the AEAD bulk cipher and the hash, because key exchange and signatures are negotiated separately. In TLS, the server and client derive the same bulk encryption symmetric key through the key exchange/agreement algorithm. The Advanced Encryption Standard (AES) is the default symmetric bulk cipher for most products. AES is a block cipher, dividing plaintext into equal-size blocks and adding padding when there is not enough data to fill the last block; to protect a stream of network data it is run in a mode of operation such as GCM or CBC, so it is the mode, not a separate stream cipher, that appears in the suite name.

Users at a company report that web browsing to their own website is not working. Upon further investigation, it is found that HTTP sessions are being hijacked. Any requests to replace a resource during a TCP connection are being altered. Which HTTP method is not working properly? GET PUT DELETE POST

OBJ-1.3: The PUT method creates a new resource or replaces a current resource (at a target URL) on a web server, so altered replace requests point at PUT. The GET method retrieves a resource from a server; it is the principal method used and fetches content such as a web page. The DELETE method removes the resource identified by the Request-URI from the web server. The POST method sends data to the server for processing by the requested resource; it submits data rather than replacing a resource in place.

Compare and evaluate the main components in an Extensible Authentication Protocol (EAP). Which scenarios accurately differentiate between these components? (Select all that apply.) An authenticator performs the authentication and the authentication server establishes a channel. An authenticator establishes a channel for the supplicant and the authentication server to exchange credentials using EAP. A supplicant requests authentication and the authentication server performs the authentication. A supplicant requests authentication and the authenticator performs the authentication.

The second and third scenarios are correct. A supplicant is the client requesting authentication. An authenticator is the device that receives the request, such as a remote access server or wireless access point; it does not perform the authentication itself but establishes a channel over which the supplicant and the authentication server exchange credentials using EAP (carried as EAP over LAN, EAPoL, on the wired or wireless link, and typically inside RADIUS between the authenticator and the server). The authentication server, typically an AAA server such as RADIUS, is the component that actually performs the authentication. The first and fourth scenarios reverse these roles.

During a cyber incident response exercise, a blue team takes steps to ensure the company and its affiliates can still use network systems while managing a simulated threat in real-time. Based on knowledge of incident response procedures, what stage of the incident response process is the blue team practicing? Containment Identification Eradication Recovery

The goal of the containment stage is to secure data while limiting the immediate impact on customers and business partners. Based on an alert or report, identification determines whether an incident has taken place, how severe it might be (triage), and notifies stakeholders. Once the security admin contains the incident, eradication removes the cause and restores the affected system to a secure state. When security admin eradicates the cause of the incident, they can reintegrate the system into the business process that it supports. This recovery phase may involve restoration of data from backup and security testing.

Analyze the factors associated with performing a Business Process Analysis (BPA) and select the statement that aligns with the output factors. The data or resources a function produces The source of information for performing a function The resources supporting a function A description of how a function is performed

The output factors are data or resources produced by a function. This is one of five factors that should be identified when performing a Business Process Analysis (BPA). A BPA is performed to identify dependencies, which should be reduced as much as possible between critical components. The input factors are the sources of information for performing a function, including the resulting impact if these are delayed or out of sequence. This can include data entered into a system, or data flowing from other systems or sites. The staff support the function and may also include other resources. BPAs are all encompassing, including the staff that monitor, maintain, and repair the systems that process data. Process flow is a step by step description of how a function is performed. For example, a flow chart showing the process from start to end. This chart can show dependencies and the results of failures within the process.

A suspected network breach on a Linux-based system prompts an engineer to investigate. The engineer utilizes a set of command line tools to collect network routing data. While doing so, the engineer discovers that UDP communications is not working as expected. Which tool does the engineer experience difficulty with? route tracert pathping traceroute

OBJ-4.1: The traceroute command performs route discovery from a Linux host and, by default, uses UDP probes to high-numbered ports rather than ICMP, so broken UDP handling would show up here (the -I option switches it to ICMP echo probes). The route command displays and modifies a system's local routing table; it does not send probes. The tracert command uses ICMP probes to report the round-trip time (RTT) for hops between the local host and a host on a remote network; it is a Windows tool. The pathping command is a Windows tool that provides statistics for latency and packet loss along a route over a measuring period, also using ICMP.

An engineer configures hosts on a network to use IPSEC for secure communications. The engineer is deciding between Encapsulation Security Payload (ESP) or Authentication Header (AH). If the engineer chooses transport mode over tunnel mode, which specifics of operation should be expected? (Select all that apply.) With ESP the whole IP packet (header and payload) is encrypted With ESP the IP header for each packet is not encrypted AH has no real use in this mode AH can provide integrity for the IP header

OBJ-4.1: Transport mode is used to secure communications between hosts on a private network. When ESP is applied in transport mode, the IP header of each packet is not encrypted, only the payload data (ESP's integrity check likewise covers only the ESP header and payload, not the outer IP header). If AH is used in transport mode, it provides integrity for the IP header as well, because it computes a keyed hash (HMAC) over the whole packet, excluding only fields that legitimately change in transit such as the TTL. The other two statements describe tunnel mode: with ESP in tunnel mode, the whole original IP packet (header and payload) is encrypted and encapsulated as the payload of a datagram with a new IP header, and AH has no real use case in tunnel mode, since confidentiality will usually be required there.

Which of the following statements most accurately describes the function of key stretching? Key stretching makes the password key stronger. Key stretching prevents brute force attacks. Key stretching adds a random value when creating the password hash. Key stretching adds entropy to a user-generated password.

Users tend to select low-entropy passwords. Key stretching compensates by running the password (together with a salt) through thousands of rounds of a hash-based key derivation function such as PBKDF2, bcrypt, scrypt, or Argon2. Strictly, this does not add entropy to the password itself and does not make the resulting key any stronger against someone who already knows the password: the guess space is unchanged. What it does is multiply the work per guess, so N rounds cost the attacker roughly log2(N) extra bits of effort per candidate, which is the sense in which the question treats it as adding entropy to a user-generated password. A brute-force attack still runs through every possible combination of letters, numbers, and symbols; stretching only slows it, it does not prevent it. Adding a random salt value is a separate technique that keeps an attacker from using precomputed tables of hashes. Salt values are not secret, but an attacker must recompute hash values with the specific salt for each password.
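Salting and stretching together, as an added example that is not part of the original study set: PBKDF2-HMAC-SHA256 from the standard library, a self-describing stored format that records the salt and round count so the count can be raised later, constant-time verification, and a function that shows what the attacker pays. The stored-string layout, the 600,000-round default (OWASP's current PBKDF2-HMAC-SHA256 guidance) and the passwords are assumptions of this example.

```python
# Added example, not from the original study set: salted, stretched password
# hashing with PBKDF2-HMAC-SHA256 and what stretching costs an attacker.
import hashlib
import hmac
import math
import os

DEFAULT_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256 at time of writing


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Stretch + salt: run PBKDF2 for `iterations` rounds over a random 16-byte salt.
    Salt and round count are stored with the hash (they are not secret) so that
    verification can reproduce them and the count can be raised in future."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/rounds and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def attacker_hash_operations(candidate_passwords: int, iterations: int) -> int:
    """Stretching does not shrink the guess space; it multiplies the cost of each guess."""
    return candidate_passwords * iterations


def effective_extra_bits(iterations: int) -> float:
    """N rounds cost the attacker roughly log2(N) extra bits of work per guess."""
    return math.log2(iterations)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("good password:", verify_password("correct horse battery staple", stored))
    print("bad password :", verify_password("Correct horse battery staple", stored))
    # A 1,000,000-word dictionary against the default round count:
    print("hash operations for a 10^6-word attack:",
          attacker_hash_operations(10 ** 6, DEFAULT_ITERATIONS))
    print("extra bits of work per guess:", round(effective_extra_bits(DEFAULT_ITERATIONS), 1))
```

Two hashes of the same password differ because each gets a fresh salt, which is what defeats precomputed tables; the round count is what defeats fast guessing. Where a memory-hard function (scrypt, Argon2) is available it is preferred over PBKDF2, since GPUs parallelize plain hashing cheaply.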

Select the correct simulation of a Virtual Desktop Infrastructure (VDI) deployment. A company installs a platform that uses a Type 1 hypervisor to manage access to the host hardware outside of the host operating system. A company deploys Citrix XenApp on a server for the client to access for local processing. A company replaces all desktop computers with thin clients the employees use to log into VMs stored on the company server. A company enforces resource separation at the operating system level without the use of a hypervisor.

Virtual Desktop Infrastructure (VDI) refers to using a virtual machine (VM) as a means of provisioning corporate desktops, so the third option is the VDI deployment. This is typically done by replacing desktops with thin clients, which are low-specification, low-power devices that boot a minimal operating system (OS) and then let the user log on to a VM stored on the company server. A bare-metal virtual platform uses a Type 1 hypervisor installed directly onto the computer that manages access to the host hardware without going through a host OS. Application virtualization is a more limited form of VDI: rather than running the whole client desktop as a virtual platform, the client accesses a single application (for example Citrix XenApp) hosted on a server, which delivers it to the client for local processing. Application cells (containers) do not use a hypervisor and instead enforce resource separation at the operating system level.

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst? Database vulnerability scan Port scan Network vulnerability scan Web application vulnerability scan

Web application vulnerability scan. Apache is a web server, so the highest-value findings will be the web-layer weaknesses (outdated modules, directory listing, weak TLS configuration, injection flaws in the hosted content) that a web application scanner such as Nikto or OWASP ZAP is built to find. A database scan does not apply to a dedicated web server, a port scan only enumerates open services, and a general network vulnerability scan would cover the host but not the application layer in the same depth.

Analyze the following security information and event management (SIEM) functions and determine which event is NOT conducted during data aggregation. Normalize time zones to a single timeframe. Use plug-ins to parse data from different vendors and sensors. Identify attributes and content that can be mapped to standard fields. Link observables into a meaningful indicator of risk, or Indicator of Compromise (IOC).

OBJ-3.3: Correlation is a reporting function, not aggregation. Where collection and aggregation produce inputs, a critical SIEM reporting function is correlation: the SIEM links individual events or data points (observables) into a meaningful indicator of risk, or indicator of compromise (IOC), and uses correlation to drive alerting. The other three are aggregation tasks. Log aggregation normalizes date and time zone differences to a single timeline; it uses connectors or plug-ins to parse data from distinct types of systems and to account for differences between vendor implementations; and it normalizes data from different sources so that it is consistent and searchable, identifying attributes and content that map to standard fields in the SIEM's reporting and analysis tools.
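The aggregation/correlation split above in code, as an added example that is not part of the original study set: two constructed vendor formats (a firewall that logs ISO timestamps with a UTC offset, and an SSH server that logs syslog-style local time without one) are parsed and normalized onto one UTC timeline, and only then does a correlation rule link a firewall deny and a later successful login from the same address into an IOC. The log formats, the auth server's assumed UTC+1 time zone, the year, and the ten-minute lookback are all assumptions of this example.

```python
# Added example, not from the original study set: SIEM aggregation (parse,
# normalize time zones, map to standard fields) versus correlation (link
# observables into an IOC).
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input from two "vendors".
SAMPLE_LINES = [
    "2024-03-05T10:00:00-05:00 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-05T10:00:30-05:00 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-03-05T10:01:00-05:00 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443",
    "Mar 05 16:02:10 authsrv sshd[4242]: Accepted password for admin from 203.0.113.7 port 51234 ssh2",
    "Mar 05 16:05:00 authsrv sshd[4243]: Accepted password for jdoe from 10.0.0.9 port 50001 ssh2",
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)")
AUTH_TZ = timezone(timedelta(hours=1))   # assumed: auth server logs local time, UTC+1, no offset in line


def normalize_fw(line):
    """Plug-in for the firewall format: offset is in the line, so convert directly."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "src": m["src"], "type": "fw_" + m["action"].lower(),
            "host": m["host"], "dport": int(m["dport"])}


def normalize_auth(line, year=2024):
    """Plug-in for the syslog-style format: no year and no offset, so both are supplied."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = naive.replace(tzinfo=AUTH_TZ).astimezone(timezone.utc)
    return {"ts": ts, "src": m["src"], "type": "auth_" + m["result"].lower(),
            "host": m["host"], "user": m["user"]}


def aggregate(lines):
    """Aggregation: parse each line with whichever plug-in matches and sort onto one timeline."""
    events = []
    for line in lines:
        ev = normalize_fw(line) or normalize_auth(line)
        if ev:
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, lookback=timedelta(minutes=10)):
    """Correlation: a successful login from an address the firewall denied shortly before."""
    iocs = []
    denies = [e for e in events if e["type"] == "fw_deny"]
    for e in events:
        if e["type"] != "auth_accepted":
            continue
        recent = [d for d in denies
                  if d["src"] == e["src"] and timedelta(0) <= e["ts"] - d["ts"] <= lookback]
        if recent:
            iocs.append({"src": e["src"], "user": e["user"], "host": e["host"],
                         "denies_before": len(recent), "ts": e["ts"].isoformat()})
    return iocs


if __name__ == "__main__":
    timeline = aggregate(SAMPLE_LINES)
    for ev in timeline:
        print(ev["ts"].isoformat(), ev["type"], ev["src"])
    print(correlate(timeline))
```

Without the time-zone normalization the firewall events (10:00 local) would appear to come hours before the login (16:02 local) and the lookback rule would never fire; that ordering mistake is the most common reason a correlation rule silently produces nothing.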

Which features distinguish a next-generation endpoint detection and response (EDR) product from traditional EDR solutions? (Select all that apply.) Next-generation endpoint agents use cloud management, rather than reporting to an on-premises server. Next-generation endpoint detection systems use artificial intelligence (AI) and machine learning to perform user and entity behavior analysis (UEBA). Next-generation endpoint agents report baseline configuration deviations, whereas legacy systems report threats based on signature-detection. The primary purpose of next-generation endpoint agents is to stop initial threat execution, while traditional systems aim to detect and report attacks.

Where earlier endpoint protection suites report to an on-premises management server, next-generation endpoint agents are more likely to be managed from a cloud portal. Next-generation endpoint agents use artificial intelligence (AI) and machine learning to perform user and entity behavior analysis as part of the security service provider's offering. Baseline deviation reporting means testing the actual configuration of hosts to ensure that their configuration settings match the baseline template. An endpoint detection and response (EDR) product's aim is not to prevent initial execution, but to provide real-time and historical visibility into the compromise, contain the malware within a single host, and facilitate remediation of the host to its original state.

After attending a security seminar, management inquired about ways to secure directory services. If the company uses Microsoft's Active Directory, which of the following implementations is the IT team most likely to suggest? Simple Authentication and Security Layer (SASL) Simple Network Management Protocol (SNMP) Lightweight Directory Access Protocol Secure (LDAPS) Simple bind authentication

OBJ-3.1: With SASL, the client and server negotiate which supported authentication mechanism to use, such as Kerberos. The STARTTLS command (Transport Layer Security as part of SASL) mandates encryption (sealing) and message integrity (signing) on the connection. Microsoft's Active Directory (AD) prefers this LDAP implementation. The Simple Network Management Protocol (SNMP) is a widely used management and monitoring framework, not a directory protocol; if it is not in use, network managers should disable it to close the port. With LDAP Secure (LDAPS), the admin installs a digital certificate on the server, which uses it to set up a TLS tunnel for the credential exchange; LDAPS uses port 636. In simple bind authentication, the client supplies its distinguished name (DN) and password in plaintext, so it should never be used without TLS.

IT staff reviews security alerts received for a monitoring system and discovers that uncommon firewall ports on several Windows workstations and a server have been opened and are being accessed by a malicious process. What does the staff determine the issue to be? Shellcode Persistence Credential dumping Lateral movement

With lateral movement, the attacker moves from the initial foothold to other hosts, opening uncommon ports and services to do so, and may seek data assets or widen access through systems by changing the security configuration. Shellcode is a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges on a system. Persistence is a mechanism, such as a backdoor configured to restart automatically, that lets the threat actor's access survive a host reboot or the user logging off. Credential dumping is a method used to read the credentials store (the SAM database on a local Windows workstation) or to sniff credentials held in memory by the lsass.exe process.

Which command can help a security professional conducting an organizational security assessment identify a spoofing attack? arp ipconfig/ifconfig route pathping/mtr

arp displays the local machine's Address Resolution Protocol (ARP) cache, which shows the media access control (MAC) address associated with each IP address the local host communicated with recently. This is useful for investigating suspected spoofing attacks: one MAC address answering for several IP addresses, or the gateway's MAC suddenly changing, indicates ARP poisoning. ipconfig/ifconfig shows the configuration assigned to the network interface(s), including the hardware (MAC) address, IPv4 and IPv6 addresses, and other settings. route views and configures the host's local routing table; if the host is not a router, additional entries in the routing table could be suspicious. pathping (Windows)/mtr (Linux) provide statistics for latency and packet loss along a route over a longer measuring period. High latency at the various hops could indicate on-path (man-in-the-middle) attacks, denial of service, or network congestion.
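The ARP check described above turned into a repeatable test, as an added example that is not part of the original study set: it parses the table output, ignores broadcast and multicast entries, flags any MAC address claiming more than one unicast IP, and compares the gateway's MAC against a known-good baseline. The table below is a constructed sample in the layout of Windows arp -a output; the gateway address and baseline MAC are assumptions.

```python
# Added example, not from the original study set: spotting ARP spoofing
# indicators in a captured ARP table.
import re
from collections import defaultdict

# Constructed sample in the layout of Windows "arp -a" output.
SAMPLE_ARP = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.60          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_LINE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(?P<type>\w+)", re.I)


def parse_arp_table(text):
    """Return (ip, mac, type) tuples; MACs are lower-cased and dash-separated
    so that Windows and Linux spellings compare equal."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m["ip"], m["mac"].lower().replace(":", "-"), m["type"].lower()))
    return entries


def is_unicast(ip, mac):
    """Broadcast and IPv4 multicast (224.0.0.0/4) legitimately share MACs; skip them."""
    first_octet = int(ip.split(".")[0])
    return mac != "ff-ff-ff-ff-ff-ff" and not 224 <= first_octet <= 239


def find_spoofing_indicators(text, gateway_ip, known_gateway_mac=None):
    entries = parse_arp_table(text)
    ips_by_mac = defaultdict(set)
    mac_of = {}
    for ip, mac, _ in entries:
        if is_unicast(ip, mac):
            ips_by_mac[mac].add(ip)
            mac_of[ip] = mac
    findings = {"duplicate_mac": {}, "gateway_mac": mac_of.get(gateway_ip),
                "gateway_shared": False, "gateway_changed": False}
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:                       # one NIC answering for several hosts
            findings["duplicate_mac"][mac] = sorted(ips)
            if gateway_ip in ips:              # the classic on-path poisoning signature
                findings["gateway_shared"] = True
    if known_gateway_mac and findings["gateway_mac"]:
        baseline = known_gateway_mac.lower().replace(":", "-")
        findings["gateway_changed"] = findings["gateway_mac"] != baseline
    return findings


if __name__ == "__main__":
    print(find_spoofing_indicators(SAMPLE_ARP, "192.168.1.1", known_gateway_mac="AA:BB:CC:DD:EE:FF"))
```

A duplicate can also be innocent (a host with a secondary IP, or a router that proxy-ARPs), so treat the output as something to investigate, and confirm by checking the switch's MAC table for the port the suspect MAC is really on.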
