Security Principles & Policies Exam Guide


Which of the following sequences properly orders forensic data acquisition by volatility priority?
- 1. Data on persistent mass storage devices 2. System memory caches 3. Remote monitoring data 4. Archival media
- 1. System memory caches 2. Remote monitoring data 3. Data on mass storage devices 4. Archival media
- 1. System memory caches 2. Data on mass storage devices 3. Remote monitoring data 4. Archival media
- 1. Remote monitoring data 2. Data on mass storage devices 3. System memory caches 4. Archival media

1. System memory caches 2. Data on mass storage devices 3. Remote monitoring data 4. Archival media

Select the correct simulation of a Virtual Desktop Infrastructure (VDI) deployment.
- A company installs a platform that uses a Type 1 hypervisor to manage access to the host hardware outside of the host operating system.
- A company deploys Citrix XenApp on a server for the client to access for local processing.
- A company replaces all desktop computers with thin clients the employees use to log into VMs stored on the company server.
- A company enforces resource separation at the operating system level without the use of a hypervisor.

A company replaces all desktop computers with thin clients the employees use to log into VMs stored on the company server.

A penetration tester directs test packets to the host using a variety of default passwords against service and device accounts, gaining a view of the vulnerabilities the network exposes to unprivileged users. Given this situation, what type of test did the penetration tester use?
- A credentialed scan
- A non-credentialed scan
- A topology discovery scan
- A host discovery scan

A non-credentialed scan

Analyze the following scenarios and determine which constitutes an external threat.
- Naomi practices poor password management, and through her negligence, an outsider gains access to her company's server.
- Raul, a security contractor, installs antivirus software for a small company. He uses his temporary access to gain the company's banking information.
- Abram uses a quiz on a popular social media platform to solicit answers to online banking consumers' login security questions.
- Chelsea uses her coworker's unattended workstation to exploit her coworker's elevated account permissions.

Abram uses a quiz on a popular social media platform to solicit answers to online banking consumers' login security questions.

The Human Resources department issues a policy at an organization to govern the use of company owned computer equipment. Which behavior type does this policy address?
- Code of conduct
- Clean desk
- Bring your own device
- Acceptable use

Acceptable use

A threat actor infiltrates a company's server. Engineers fail while trying to stop the attacker from stealing data. The attacker achieves which final phase of the Lockheed Martin kill chain?
- Command and control
- Reconnaissance
- Exploitation
- Actions on objectives

Actions on objectives

A systems administrator realizes the need to scale a server for high availability purposes. Which approaches does the administrator utilize to scale out the virtual system? (Select all that apply.)
- Add an additional CPU
- Give important processes higher priority
- Free up CPU usage by eliminating services
- Add additional RAM

Add an additional CPU
Add additional RAM

Which statement describes a key distinction between an intentional and unintentional threat actor?
- An intentional threat actor attacks a target from inside its network; whereas, an unintentional threat actor conducts opportunistic attacks.
- An intentional threat actor has intent and motivation to attack; whereas, an unintentional threat actor acts out of negligence.
- An intentional threat actor actively undermines a target system; whereas an unintentional threat actor passively undermines the target system.
- An intentional threat actor has permissions on the target system; whereas, an unintentional threat actor does not have permissions.

An intentional threat actor has intent and motivation to attack; whereas, an unintentional threat actor acts out of negligence.

The IT team at a company discovers that a Windows server is infected with malware. As a result, the server is not functioning properly. Which event log does the team review to find errors from failing services related to newly installed software?
- Setup
- Security
- System
- Application

Application

Systems administrators configure an application suite that uses a collection of single hash functions and symmetric ciphers to protect sensitive communication. While the suite uses these security features collectively, how is each instance recognized?
- As non-repudiation
- As a cryptographic system
- As a cryptographic primitive
- As a key pair

As a cryptographic primitive

Which statement best illustrates the advantages and disadvantages of using asymmetric encryption?
- Asymmetric encryption is ideal for bulk encryption, but it is not suitable for proving a user's identity.
- Asymmetric encryption provides non-repudiation, but it is not ideal for secure distribution and storage of a private key.
- Asymmetric encryption is ideal for encrypting communications where the total length of the message is not known, but it requires significant overhead computing.
- Asymmetric encryption is ideal for proving identity, but it requires significant computing overhead and is inefficient for bulk encryption.

Asymmetric encryption is ideal for proving identity, but it requires significant computing overhead and is inefficient for bulk encryption.

A long-time employee has worked on numerous projects, for which the company granted access to the employee and never revoked it. Over time, the employee has amassed permissions to more and more company assets. What term best describes what has occurred?
- Permissions auditing
- Authorization creep
- Insider attack
- Discretionary access control (DAC)

Authorization creep

An intrusion prevention system (IPS) generates an incident report for some suspicious user activity, which prompts a system administrator to investigate a possible insider attack. Analyze the scenario and determine what type of IPS profile led to this discovery.
- Signature-based detection
- Behavioral-based detection
- Host-based intrusion detection
- Web application firewall (WAF) detection

Behavioral-based detection

A geographically dispersed corporation wants to expand its IT capabilities by allowing employees to use personal devices on the corporate network. If employees are not comfortable using their own devices on the corporate network, they will offer them a device from a pre-approved list. Which two types of models will the company be deploying? (Select all that apply.)
- Corporate-owned, business only (COBO)
- Bring your own device (BYOD)
- Corporate-owned, personally-enabled (COPE)
- Choose your own device (CYOD)

Bring your own device (BYOD)
Choose your own device (CYOD)

Attacker 2
Technique Description: Attacker attempts every possible combination in the output space in order to match a captured hash and guess the plaintext
Password attack: __________
Tool Used: __________
Password Discovered: H!ghEntrOpy&R@nd0m
Application/Service: Oracle Database 19c, Amazon Linux

Brute Force Attack
Hashcat

A server administrator configures digital signatures for secure communications. By doing so, the administrator accomplishes which secure method of communication? (Select all that apply.)
- Configuring encryption so no two hashes are the same
- Combining public key cryptography with hashing algorithms
- Using the same secret key to perform both encryption and decryption
- Providing authentication, integrity, and non-repudiation

Combining public key cryptography with hashing algorithms
Providing authentication, integrity, and non-repudiation

The company has an additional website with a fake storefront used for testing. This site is on the same web server. When browsing the test site, the certificate is not working properly. What part of the web server certificate does the fully qualified domain name have to match?
- Key Management
- Pinning
- Online Certificate Status Protocol
- Individual Certificates
- Extended Verification
- Common name

Common name

An organization installs embedded systems throughout a manufacturing plant. When planning the install, engineers had to consider system constraints related to identification. As a result, which areas of the systems are impacted? (Select all that apply.)
- PC
- Network
- Compute resources
- Authentication

Compute resources
Authentication

During a cyber incident response exercise, a blue team takes steps to ensure the company and its affiliates can still use network systems while managing a simulated threat in real-time. Based on knowledge of incident response procedures, what stage of the incident response process is the blue team practicing?
- Containment
- Identification
- Eradication
- Recovery

Containment

Proposed Data Acquisition Procedure: High Priority -------> Low Priority
Components to order:
- Config. Settings
- SSD
- GPU Cache
- Controller Cache
- RAM
- Dump Files
- HDD
- Cache Memory

Controller Cache -> Cache Memory -> RAM -> HDD -> Dump Files -> SSD -> Config. Settings -> GPU Cache

The IT staff at a large company review numerous security logs and discover that the SAM database on Windows workstations is being accessed by a malicious process. What does the staff determine the issue to be?
- Shellcode
- Persistence
- Credential dumping
- Lateral movement

Credential dumping

A hacker remotely gains unauthorized access to a company's system and makes a copy of proprietary business data. Which of the following summarizes the event that has taken place?
- Data exfiltration
- Data loss
- Identity theft
- Financial loss

Data exfiltration

An IT team looks into secure data access and file encryption solutions. During planning, the team researches the different states of data and decides on a way to handle data that is in memory but not used, such as a forgotten open file. Which data state is the team addressing?
- Data in use
- Data at rest
- Data in transit
- Data in motion

Data in use

A user at a realtor's office contacts their IT department to report that they are not able to copy contract files to a USB flash drive to take home. Which explanation does the IT representative share with the user?
- Data loss prevention prevents file copying.
- Mobile device management restricts the use of a portable USB device.
- A compromised private key has created a trust issue.
- The file copy process has been allow-listed.

Data loss prevention prevents file copying.

A new security technician is tasked with sanitizing data on solid state drives (SSD). The technician first uses a degaussing magnet and then smashes the drives with a hammer. What is the likely result of this sanitization attempt?
- The drives are now sufficiently sanitized.
- The degaussing magnet failed to destroy media on the SSD, but smashing the drives with a hammer makes data permanently irrecoverable.
- Degaussing fails to destroy media on the SSD, and smashing by hammer may leave a significant amount of data recoverable.
- The degaussing magnet successfully destroyed media on the SSD, but smashing by hammer is an ineffective physical sanitization measure.

Degaussing fails to destroy media on the SSD, and smashing by hammer may leave a significant amount of data recoverable.

A network administrator is preparing a strategy for backing up company data. Which of the following is NOT a main backup type?
- Full
- Incremental
- Discretionary
- Differential

Discretionary

A hacker places a false name:IP address mapping in an operating system's HOSTS file, redirecting traffic from a legitimate IP address to a malicious IP address. What type of attack did the hacker perform?
- Domain hijacking
- Domain name system client cache (DNS) poisoning
- Rogue dynamic host configuration protocol (DHCP)
- Address Resolution Protocol (ARP) poisoning

Domain name system client cache (DNS) poisoning

Post Data Acquisition Analysis:
Had the system been functioning properly, the _________ would not have had to be considered for data acquisition.
Which component would you acquire differently if there were no special requirements? _________

Dump Files
GPU Cache

A company hires a security consultant to help them perform a business process analysis (BPA) and reduce dependencies. The consultant asks a manager at the company to walk through the typical process each salesperson makes when processing order requests. Examine the consultant's methods and determine which factor in the BPA the consultant is evaluating.
- Identify process inputs
- Identify process outputs
- Examine the process flow
- Identify staff and other resources performing the function

Examine the process flow

Proof of domain ownership and legal identity is important to the company for enhanced security. The company would prefer a website certificate issued with rigorous verification. Which web server certificate type would fulfill this request?
- Key Management
- Pinning
- Online Certificate Status Protocol
- Individual Certificates
- Extended Verification
- Common name

Extended Verification

Which statement correctly differentiates between file transfer protocol (FTP), secure shell file transfer protocol (SFTP), and file transfer protocol over secure socket layer (FTPS)?
- FTP has no encryption. FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell).
- FTP uses only basic encryption, while SFTP adds a layer of security with secure shell (SSH). FTPS uses an entirely different protocol, using secure port 990.
- FTP has no encryption. SFTP adds a layer of security with secure shell (SSH), and FTPS uses an entirely different protocol, using secure port 990.
- FTP uses only basic encryption, while FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell).

FTP has no encryption. FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell).

An organization considers installing fingerprint scanners at a busy entry control point to a secure area. What concerns might arise with the use of this technology? (Select all that apply.)
- Fingerprint scanning is relatively easy to spoof.
- Installing equipment is cost-prohibitive.
- Surfaces must be clean and dry.
- The scan is highly intrusive.

Fingerprint scanning is relatively easy to spoof.
Surfaces must be clean and dry.

An administrator plans a backup and recovery implementation for a server. The goal is to have a full backup every Sunday followed by backups that only include changes every other day of the week. In the event of a catastrophe, the restore time needs to be as quick as possible. Which scheme does the administrator use?
- Full followed by incrementals
- Image followed by incrementals
- Full followed by differentials
- Snapshot followed by differentials

Full followed by differentials

An organization receives notification from an actor that vulnerabilities have been found in an onsite firewall. While the actor does not exploit the vulnerability, a bounty is requested for the work and discovery. What type of actor is the organization dealing with?
- Gray hat
- White hat
- Script Kiddie
- Black hat

Gray hat

Evaluate the differences between hardware- and software-based key storage and select the true statement.
- In hardware-based storage, the key is stored on a server.
- Software-based storage and distribution is typically implemented using removable media or a smart card.
- HSM may be less susceptible to tampering and insider threats than software-based storage.
- In hardware-based storage, security is provided by the operating system Access Control List (ACL).

HSM may be less susceptible to tampering and insider threats than software-based storage.

Evaluate which of the following solutions would most effectively mitigate vulnerabilities that might arise when outsourcing code development.
- Have one vendor develop the code, and a different vendor perform vulnerability and penetration testing.
- Outsource coding to multiple vendors at once, compare the results each vendor produces, and select the most secure implementations.
- Outsource all coding to a single vendor, limiting the number of vendors in the workflow.
- Trust system integration to the third-party contractor and their contacts.

Have one vendor develop the code, and a different vendor perform vulnerability and penetration testing.

A company deploys an active defense strategy designed to detect insider malpractice. To record the malicious insider's actions, the security team creates a convincing, yet fake, data file with a tracker that records any data exfiltration attempts. Analyze the security tool and determine what method the security team employed.
- Honeypot
- Honeynet
- Subnet
- Honeyfile

Honeyfile

Attacker 3
Technique Description: Attacker uses a combination of dictionary and brute-force attacks to obtain a password.
Password attack: __________
Tool Used: __________
Password Discovered: Targetsto$rescrss@le$
Application/Service: Enterprise Azure AD

Hybrid password attack
pwned passwords list

Which statement draws a true comparison between full, differential, and incremental backups? (Select all that apply.)
- A system can combine incremental and differential backup methods for faster restoration than using a full backup.
- If a system performs backups every day, an incremental backup includes only files changed that day, while a differential backup includes all files changed since the last full backup.
- Compared to a differential backup, both full backups and incremental backups clear the archive attribute.
- A differential backup combines elements of full and incremental backups and only includes data since the last incremental backup.

If a system performs backups every day, an incremental backup includes only files changed that day, while a differential backup includes all files changed since the last full backup.
Compared to a differential backup, both full backups and incremental backups clear the archive attribute.

A company is researching data redundancy solutions for local systems. An executive manager has heard to never use redundant array of independent disks (RAID) level 0. Which configuration use case justifies the use of a RAID level 0 configuration?
- A system should use RAID level 0 alone to improve system performance.
- RAID level 0 uses striping with parity, so a system can use it alone to improve performance and redundancy.
- RAID level 0 uses mirroring to provide redundancy, but at a reduced rate of efficiency.
- In a nested configuration, the use of RAID level 0 can improve system performance.

In a nested configuration, the use of RAID level 0 can improve system performance.

The company's website and subdomains will be continuously at risk to hackers and a certificate could become compromised. Which certificate type would minimize risk for all sites?
- Key Management
- Pinning
- Online Certificate Status Protocol
- Individual Certificates
- Extended Verification
- Common name

Individual Certificates

Security solutions providers and academics conduct primary research to produce outputs on threat intelligence that takes three main forms. Which of these selections is NOT one of the three main outputs?
- Behavioral threat research
- Information Sharing and Analysis Centers (ISACs)
- Reputational threat intelligence
- Threat data

Information Sharing and Analysis Centers (ISACs)

A web server receives data from an application. It appears that passing this data causes an issue that evolves into an overflow at the destination. What process on the receiving server should be investigated?
- Normalization
- Output encoding
- Error handling
- Input validation

Input validation

A retail establishment experiences an attack where whole number values have been exploited. As a result, some credit values are manipulated from positive values to negative values. Which type of attack is the establishment dealing with?
- Integer overflow
- Buffer overflow
- Stack overflow
- Race condition

Integer overflow

A junior engineer suspects there is a breached system based on an alert received from a software monitor. The use of the alert provides which information to the engineer?
- TTP
- CTI
- IoC
- ISAC

IoC

The company will rely on third-party certificate authority (CA) services that streamline the process of securing websites and web servers for e-commerce. However, what process in PKI is the ultimate and final responsibility of the company in this scenario?
- Key Management
- Pinning
- Online Certificate Status Protocol
- Individual Certificates
- Extended Verification
- Common name

Key Management

Which of the following statements most accurately describes the function of key stretching?
- Key stretching makes the password key stronger.
- Key stretching prevents brute force attacks.
- Key stretching adds a random value when creating the password hash.
- Key stretching adds entropy to a user-generated password.

Key stretching adds entropy to a user-generated password.

Apply knowledge of load balancing technologies to select the statement that best explains an advantage of a layer 7 load balancer over a layer 4 load balancer.
- Layer 7 load balancers require less computing power than layer 4 load balancers.
- Layer 4 can only check connectivity and layer 7 can test an application's state.
- Layer 7 load balancers provide fault tolerance and authentication, while layer 4 load balancers provide fault tolerance only.
- Layer 4 load balancers use affinity, while layer 7 load balancers use persistence.

Layer 4 can only check connectivity and layer 7 can test an application's state.

A company tells the IT department that user access needs to be changed so privileges are only granted when needed, then revoked as soon as the task is finished or the need has passed. Based on Account Management practices, what is the company asking the IT department to implement?
- Onboarding
- Identity and Access Management (IAM)
- Offboarding
- Least privilege

Least privilege

Management at a financial firm is assembling an incident response team that will be responsible for handling certain aspects of recovery and remediation following a security incident. What internal offices should provide a representative to serve as a member of this team? (Select all that apply.)
- Sales
- Legal
- HR
- PR

Legal
HR
PR

Analyze the following security information and event management (SIEM) functions and determine which event is NOT conducted during data aggregation.
- Normalize time zones to a single timeframe.
- Use plug-ins to parse data from different vendors and sensors.
- Identify attributes and content that can be mapped to standard fields.
- Link observables into a meaningful indicator of risk, or Indicator of Compromise (IOC).

Link observables into a meaningful indicator of risk, or Indicator of Compromise (IOC).

Management looks to IT for a solution to identify successful and failed login attempts. Which solution will IT provide to management?
- Logs
- Network monitors
- Packet capture
- Sniffer

Logs

A new IT administrator accidentally causes a fire in the IT closet at a small company. Consider the disaster types and conclude which types this event might classify as. (Select all that apply.)
- External
- Man-made
- Internal
- Environmental

Man-made
Internal

An unauthorized person gains access to a restricted area by blending in with a crowd of employees as they approach the security desk and show their badges to the guard. While walking down a long hallway, the group is stopped at a turnstile and the unauthorized person is discovered. What type of policy prevented this type of social engineering attack?
- CCTV policy
- Mantrap policy
- ID badge policy
- Skimming policy

Mantrap policy

Which features distinguish a next-generation endpoint detection and response (EDR) product from traditional EDR solutions? (Select all that apply.)
- Next-generation endpoint agents use cloud management, rather than reporting to an on-premises server.
- Next-generation endpoint detection systems use artificial intelligence (AI) and machine learning to perform user and entity behavior analysis (UEBA).
- Next-generation endpoint agents report baseline configuration deviations, whereas legacy systems report threats based on signature-detection.
- The primary purpose of next-generation endpoint agents is to stop initial threat execution, while traditional systems aim to detect and report attacks.

Next-generation endpoint agents use cloud management, rather than reporting to an on-premises server.
Next-generation endpoint detection systems use artificial intelligence (AI) and machine learning to perform user and entity behavior analysis (UEBA).

Which term best describes a root certificate authority (CA) in a secure configuration?
- Online
- Single
- Hierarchical
- Offline

Offline

Attacker 1
Technique Description: Attacker obtains a database of password hashes for later use
Password attack: __________
Tool Used: __________
Password Discovered: Sh@red(redent!als
Application/Service: Windows Active Directory

Offline Attack
Mimikatz

Since security is paramount, the company will conduct regular vulnerability assessments, security checks, and audits. The third-party CA will provide the certificate management platform. As part of regular security audits of the digital certificate infrastructure, for example, what service can the company's security engineers check to validate the status of specific digital certificates?
- Key Management
- Pinning
- Online Certificate Status Protocol
- Individual Certificates
- Extended Verification
- Common name

Online Certificate Status Protocol

The Human Resources department works with the IT department at an organization to develop employee security training. Which security control type and function describes the training program? (Select all that apply.)
- Operational
- Managerial
- Deterrent
- Compensating

Operational
Deterrent

Users at a company report that web browsing to their own website is not working. Upon further investigation, it is found that HTTP sessions are being hijacked. Any requests to replace a resource during a TCP connection are being altered. Which HTTP method is not working properly?
- GET
- PUT
- DELETE
- POST

PUT

A customer responds to an email advertisement that appears to link to mystore.com. The customer logs into the website with their username and password. The website has the same homepage the customer is familiar with, but it is actually a page set up by an attacker to gain credentials. The attacker can then login to mystore.com with the user's credentials, and shop using the saved credit card on file. Which type of attack has occurred in this scenario?
- Denial of Service (DoS)
- DNS client cache poisoning
- Pharming
- Pollution

Pharming

The company is concerned about hacking attempts that will attempt to break the chain of trust between the company's e-commerce web servers and associated intermediate and root CAs. Which set of techniques is available to the company to prevent malicious certificates from entering the chain of trust?
- Key Management
- Pinning
- Online Certificate Status Protocol
- Individual Certificates
- Extended Verification
- Common name

Pinning

An organization hires a pen tester. The tester achieves a connection to a perimeter server. Which technique allows the tester to bypass a network boundary from this advantage?
- Persistence
- Privilege escalation
- Pivoting
- Lateral movement

Pivoting

The recovery phase of an incident response involves several steps. Which of the following is NOT a step in the recovery phase?
- Reaudit security controls.
- Reconstitute affected systems.
- Prepare a lessons learned report.
- Notify affected parties with instructions to remediate affected systems.

Prepare a lessons learned report.

The IT director at a financial institution grants account permissions using an access control list (ACL). This illustrates what type of security control?
- Preventative
- Deterrent
- Corrective
- Detective

Preventative

A banking institution is considering the use of cloud computing across multiple locations. Comparing the various cloud deployment models, which model will likely allow optimal control over privacy and security?
- Public
- Hosted private
- Private
- Community

Private

A security engineer implements a secure wireless network. In doing so, the engineer decides to use EAP with Flexible Authentication via Secure Tunneling (EAP-FAST). Which authentication approach does the engineer implement?
- Protected Access Credential (PAC) instead of a certificate
- Any inner authentication protocol such as PAP or CHAP
- Only requiring a server-side public key certificate
- The supplicant and server are configured with certificates.

Protected Access Credential (PAC) instead of a certificate

While preparing a disaster recovery plan, management at a company considers how far back it can allow for the loss of data. Which metric does management use to describe this business essential data in terms of recovery?
- Recovery point objective
- Work recovery time
- Maximum tolerable downtime
- Mean time to repair

Recovery point objective

A company located in the western United States that uses cloud computing relies on redundant systems in adjacent availability zones for data backup and storage. Analyze the configuration and determine which level of high availability service the company utilizes.
- Local replication
- Regional replication
- Geo-redundant storage (GRS)
- Cloud service replication

Regional replication

A company without an internal IT team hires a service provider to monitor a computer network for security issues. Before the service provider is given access, which agreement is put in place to establish expectations?
- NDA
- SLA
- ISA
- PII

SLA

Which of the following statements best contrasts between a service-oriented architecture (SOA) model and a microservices-based model?
- SOA can build services from other services, while an implementation of microservices develops, tests, and deploys microservices independently.
- Microservices are loosely decoupled, while SOA services are considered highly decoupled.
- SOA focuses on making a single, discrete task easily repeatable, while microservices perform a sequence of automated tasks.
- Microservices help to make a network's design architecture fit a business's requirements, rather than accommodating the business workflow to the platform requirements, as in SOA.

SOA can build services from other services, while an implementation of microservices develops, tests, and deploys microservices independently.

A systems administrator uses a disk image to provision new workstations. After installing several workstations, it is found that they no longer boot. It is possible that the disk image in use included malicious code. Which specific method has stopped the systems from starting?
- UEFI
- Measured boot
- Secure boot
- Boot attestation

Secure boot

A guard station deploys a new security device to use to access a classified data station. The installation technician tests the device's sensitivity to speed and pressure. Which type of behavioral technology is the technician testing for?
- Voice recognition
- Gait analysis
- Typing
- Signature recognition

Signature recognition

What exploitation method targets near field communication (NFC) devices?
- Juice jacking
- Bluesnarfing
- Remote wipe
- Skimming

Skimming

A user enters a card equipped with a secure processing chip into a reader and then enters a PIN for Kerberos authentication. What authentication method is described here? (Select all that apply.)
- Trusted Platform Module (TPM) authentication
- Smart-card authentication
- Multifactor authentication
- One-time password (OTP) token authentication

Smart-card authentication
Multifactor authentication

As part of updating a company's compliance documentation, you are classifying security controls used by the company. The company's app uses an IP geolocation database to determine whether to trigger a secondary authentication method. What type of authentication design should this be categorized as?
- Something you can do authentication.
- Something you exhibit authentication.
- Something you have authentication.
- Somewhere you are authentication.

Somewhere you are authentication.

An end-user has enabled cookies for several e-commerce websites and has started receiving targeted ads. The ads do not trouble the user until, while trying to access an e-commerce site, the user receives several pop-up ads that automatically redirect to suspicious sites the user did not intend to visit. What is the most likely explanation for this phenomenon? Tracking cookies have infected the user's computer. Ransomware has infected the user's computer. Spyware has infected the user's computer. Crypto-malware has infected the user's computer.

Spyware has infected the user's computer.

A technology firm suffers a large-scale data breach, and the company suspects a disgruntled former IT staff member orchestrated the breach to exfiltrate proprietary data. During the forensic investigation, a hard disk was not signed out when handled. Examine the scenario and determine what issue this oversight is most likely to cause in the investigative process. The chain of custody is under question. A timeline of events is under question. Retrospective network analysis (RNA) cannot occur. Relevant evidence was not properly disclosed to the defendant.

The chain of custody is under question.

Analyze the factors associated with performing a Business Process Analysis (BPA) and select the statement that aligns with the output factors. The data or resources a function produces The source of information for performing a function The resources supporting a function A description of how a function is performed

The data or resources a function produces

An employee suspected of storing illicit content on a company computer discovers a plan to investigate, so the employee tries to hide evidence of wrongdoing. The employee deletes the illicit files and attempts to overwrite them. If a forensics investigation can discover the lost files, which statement best describes how? The forensics investigation will not be able to locate the lost files. The forensics investigator can retrieve fragments of deleted or overwritten files. The forensics investigator must use a live acquisition tool to retrieve files in recent memory. The forensics investigation can uncover the lost data using a cache acquisition tool.

The forensics investigator can retrieve fragments of deleted or overwritten files.

An individual contacts a company's IT department, threatening to exploit a vulnerability found in its security infrastructure if the company does not pay a bounty. Upon further investigation, the IT team discovers that the individual threatening the company used only crude scripts in the hacking attempt. Which statement best describes the disparity between the hacker's claim and real capability? The hacker presents as a black hat, but the individual's capabilities indicate the hacker is a script kiddie. The hacker claims to be a white hat, but the threatening demeanor and capabilities represent those of a black hat hacker. The hacker presents as a script kiddie, but the threatening demeanor and capabilities indicate a black hat hacker. The hacker presents as a gray hat hacker, but the individual's capabilities indicate a script kiddie.

The hacker presents as a black hat, but the individual's capabilities indicate the hacker is a script kiddie.

After a break-in at a government laboratory, some proprietary information was stolen and leaked. Which statement best summarizes how the laboratory can implement security controls to prevent future breaches? The laboratory needs to take detective action and should implement physical and deterrent controls in the future. The laboratory needs to take detective action and should implement corrective controls in the future. The laboratory needs to take compensatory action and should implement physical controls in the future. The laboratory needs to take corrective action and should implement both physical and preventative controls in the future.

The laboratory needs to take corrective action and should implement both physical and preventative controls in the future.

Which of the following defines key usage with regard to standard extensions? The purpose for which a certificate was issued The ability to create a secure key pair Configuring the security log to record key indicators To archive a key with a third party

The purpose for which a certificate was issued

An attack at a company renders a network useless after a switch is impacted. Engineers review network traffic and determine that the switch is behaving like a hub. What do the engineers conclude is happening? (Select all that apply.) The switch's memory is exhausted. The switch is flooding unicast traffic. The switch MAC table has invalid entries. The switch is using MAC-based forwarding.

The switch's memory is exhausted. The switch is flooding unicast traffic.

During weekly scans, a system administrator identifies a system that has software installed that goes against security policy. The system administrator removes the system from the network in an attempt to limit the effect of the incident on the remainder of the network. After the system administrator removes the unauthorized software and completes additional scans, the system administrator places the system back on the network. Applying information from the Computer Security Incident Handling Guide, determine the next step the system administrator should take to mitigate the effects of the incident and restore the network to optimal functionality. The system administrator should put controls in place to prevent the software from being installed. The system administrator should complete an initial scan to determine if unauthorized software is installed, then fully document the incident. The system administrator should remove the system from the network, remove the unauthorized software, and then place the system back into operation. The system administrator should determine how the unauthorized software was installed and identify what security to modify to prevent future incidents, then fully document the incident.

The system administrator should determine how the unauthorized software was installed and identify what security to modify to prevent future incidents, then fully document the incident.

A banking firm's IT team discovers a possible man-in-the-middle attack. Which of the following statements describes an assessment tool, built into the operating system, that would result in this discovery? (Select all that apply.) This tool is an open-source graphical packet capture and analysis utility, with installer packages for most operating systems. This tool sends probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. This tool will repair the boot sector. This tool displays the local machine's Address Resolution Protocol (ARP) cache.

This tool sends probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. This tool displays the local machine's Address Resolution Protocol (ARP) cache.

A data analytics company compiles reports based on patient health information for a regional patient call center, which will later use the data to contact patients for follow-up appointments. All sensitive information is digitally modified to contain randomly generated letters that can be returned to its original value by using the correct tool. Based on this requirement, which de-identification method is the data analytics company using to protect patient data? Data masking Data minimization Tokenization Full anonymization

Tokenization

An engineer configures a proxy to control access to online content for all users in an organization. Which proxy type does the engineer implement by using an inline network appliance? (Select all that apply.) Non-transparent Transparent Intercepting Application

Transparent Intercepting

An engineer considers blockchain as a solution for record-keeping. During planning, which properties of blockchain does the engineer document for implementation? (Select all that apply.) Using a peer-to-peer network Obscuring the presence of a message Partially encrypting data Using cryptographic linking

Using a peer-to-peer network Using cryptographic linking

A security investigator compiles a report for an organization that lost data in a breach. Which ethical approach does the investigator apply while collecting data for the report? Search for relevant information Apply standard tags to files Disclosing of evidence Using repeatable methods

Using repeatable methods

A company follows a bring your own device (BYOD) mobile implementation. What is an ideal solution the company can use to overcome some of the security risks involved with employee-supplied devices? Virtual desktop infrastructure (VDI) Location services Remote wipe Carrier unlocking

Virtual desktop infrastructure (VDI)

What type of phishing attack targets upper-level management? Pharming Credential harvesting Whaling Typosquatting

Whaling

In the containment phase of incident response, the Cyber Incident Response Team (CIRT) faces complex issues that need to be addressed quickly. During this phase, a member of the CIRT would be concerned about all EXCEPT which of the following issues? What damage has already occurred? Which password policy will prevent this in the future? What actions could alert the attacker that the attack has been detected? What countermeasures are available?

Which password policy will prevent this in the future?

Which of the following key storage solutions exercises M-of-N control? Security administrators log and audit access to critical encryption keys. While four administrators have access to the system, it takes two administrators to access the system at any given time. A third party safely stores the encryption key. One administrator has access to the system, and that administrator can delegate access to two others.

While four administrators have access to the system, it takes two administrators to access the system at any given time.

Which statements describe why devices on an enterprise network should disable Wi-Fi tethering? (Select all that apply.) Wi-Fi tethering functionality can circumvent data loss prevention measures. Wi-Fi tethering functionality can circumvent web content filtering policies. Wi-Fi tethering functionality can enable a Trojan to install apps through the device's charging plug. Wi-Fi tethering functionality can enable a nearby attacker to skim information from the device.

Wi-Fi tethering functionality can circumvent data loss prevention measures. Wi-Fi tethering functionality can circumvent web content filtering policies.

An engineer configures hosts on a network to use IPsec for secure communications. The engineer is deciding between Encapsulating Security Payload (ESP) and Authentication Header (AH). If the engineer chooses transport mode over tunnel mode, which specifics of operation should be expected? (Select all that apply.) With ESP the whole IP packet (header and payload) is encrypted With ESP the IP header for each packet is not encrypted AH has no real use in this mode AH can provide integrity for the IP header

With ESP the IP header for each packet is not encrypted AH can provide integrity for the IP header

An engineer implements a security solution to protect a domain. The engineer decides on DNS Security Extensions (DNSSEC) to prevent spoofing. Which features does the engineer rely on for protection? (Select all that apply.) Zone Signing Key RRset package Access Control List Key Signing Key

Zone Signing Key RRset package Key Signing Key

A company performing a risk assessment calculates how much return the company has saved by implementing a security measure. Which formula will they use to calculate this metric? Asset value x EF [(ALE-ALEm)-Cost of Solution]/Cost of Solution SLE x ARO (ALE-SLE)/Cost of Solution

[(ALE-ALEm)-Cost of Solution]/Cost of Solution

Which command can help a security professional conducting an organizational security assessment identify a spoofing attack? arp ipconfig/ifconfig route pathping/mtr

arp

A suspected network breach prompts an engineer to investigate. The engineer utilizes a set of command line tools to collect network routing data. While doing so, the engineer discovers that UDP communications are not working as expected. Which tool does the engineer experience difficulty with? route tracert pathping traceroute

traceroute
