Security+ SY0-701 Domain 4: Security Operations Test #1


How many network interfaces does a dual-homed gateway typically have? 2 4 3 1

2 Explanation A dual-homed gateway is a firewall host with two network interfaces: one connected to the untrusted (internet) side and one connected to the protected private network, with IP forwarding between the two disabled so that the host itself, not the kernel's routing, decides what passes. A device with three interfaces, one to the internet, one to a screened (public) subnet and one to the private network, is a triple-homed or screened-subnet gateway rather than a dual-homed one.

The IT team of a medium-sized company plans to implement a mobile device management (MDM) solution to enhance security and streamline the management of its growing number of mobile devices. The company has employees who use various devices, such as smartphones and tablets, for work tasks in and out of the office. The IT team needs to choose the MOST appropriate deployment model for their MDM solution to ensure seamless device management and data protection. Which deployment model for MDM provides the highest level of control and security for the company's diverse mobile devices? Bring your own device (BYOD) deployment with partial control On-premises deployment with limited network access Cloud-based deployment Hybrid deployment with minimal cloud integration

Cloud-based deployment Explanation A cloud-based MDM deployment lets the IT team enrol and manage smartphones and tablets centrally from a vendor-hosted console, so policy, configuration and remote wipe follow each device whether it is in or out of the office. Each of the other options limits control by design: BYOD with only partial control, an on-premises server with limited network reach, and a hybrid model with minimal cloud integration.

Which of the following accurately describes what a protocol analyzer is used for? (Select two.) A device that can simulate a large number of client connections to a website, test file downloads for an FTP site, or simulate large volumes of emails. A device that measures the amount of data that can be transferred through a network or processed by a device. A device that does NOT allow you to capture, modify, and retransmit frames (to perform an attack). A passive device that is used to copy frames and allow you to view frame contents. A device that allows you to capture, modify, and retransmit frames (to perform an attack).

A device that does NOT allow you to capture, modify, and retransmit frames (to perform an attack). A passive device that is used to copy frames and allow you to view frame contents. Explanation A protocol analyzer (packet sniffer) is a passive tool: it copies frames off the network and lets you inspect their contents. It does not itself capture, modify and retransmit frames to mount an attack; that is the job of a packet-crafting or injection tool. Simulating large numbers of client connections describes a load-testing tool, and measuring how much data a link or device can handle describes a throughput or bandwidth tester.

Users in the sales department perform many of their daily tasks, such as emailing and creating sales presentations, on their personal tablets. The chief information officer worries that one of these users might also use their tablet to steal sensitive information from the organization's network. Your job is to implement a solution that prevents insiders from accessing sensitive information stored on the organization's network from their personal devices while still giving them access to the internet. Which of the following should you implement? An acceptable use policy (AUP) A guest wireless network that is isolated from your organization's production network A network access control (NAC) solution A mobile device management (MDM) infrastructure

A guest wireless network that is isolated from your organization's production network Explanation A guest wireless network that is isolated from your organization's production network allows user-owned devices to gain internet access, but it quarantines them from sensitive information on your organization's production network.

What is mutual authentication? Deploying CHAP and EAP on remote access connections. The use of two or more authentication factors. A process by which each party in an online communication verifies the identity of the other party. Using a certificate authority (CA) to issue certificates.

A process by which each party in an online communication verifies the identity of the other party. Explanation Mutual authentication is the process by which each party in an online communication verifies the identity of the other party. It is common in VPN links, TLS (SSL) connections and e-commerce transactions, where both sides want to know with whom they are interacting. Note that an ordinary HTTPS session authenticates only the server; mutual authentication over TLS requires the client to present a certificate as well (mutual TLS, or mTLS). CHAP and EAP are authentication protocols, multiple factors describe multifactor authentication, and a CA issuing certificates is PKI infrastructure that can support mutual authentication but is not the same thing.

As a cybersecurity analyst, you are tasked with managing the organization's security information and event management (SIEM) system. The system is experiencing performance degradation due to the volume of historical log and network traffic data. What should you implement to manage the storage of this data effectively without compromising the system's performance? A retention policy to keep historical log and network traffic data for a defined period. Increase the storage capacity of the SIEM system. Implement a data deletion policy to remove old data. Data compression techniques to reduce the size of the stored data.

A retention policy to keep historical log and network traffic data for a defined period. Explanation A retention policy defines how long each class of data is kept, based on its age, type, relevance and any legal or regulatory requirement, and what happens when that period ends (archiving to cheaper storage or deletion). Only data that is still needed stays in the hot SIEM index, which restores performance while preserving the ability to conduct retrospective incident investigation and threat hunting. Adding storage or compressing data treats the symptom, and deleting old data without a defined period risks destroying records that an investigation or a compliance obligation still needs.

Which of the following could be an example of a malicious insider attack? A user has not implemented appropriate security settings. A user uses the built-in microphone to record conversations. A user has lost a company-owned device. A user's device has become infected with malware.

A user uses the built-in microphone to record conversations. Explanation If a user is so inclined, he or she could use a mobile device to conduct a malicious insider attack. For example, they could use the built-in camera, which nearly all modern mobile devices have, to photograph sensitive internal information; use the built-in microphone to record conversations; use the built-in video function to record proprietary processes and procedures; or use the device's mobile broadband connection to transfer stolen data to parties outside the organization, bypassing the organization's network security controls. The other options describe negligence or misfortune (missing settings, a lost device, a malware infection), not deliberate insider action.

Which of the following does a router acting as a firewall use to control which packets are forwarded or dropped? IPsec VNC PPP ACL RDP

ACL Explanation When you configure a router as a firewall, you configure the access control list (ACL) with statements that identify traffic characteristics, such as the direction of traffic (inbound or outbound), the source or destination IP address, and the port number. ACL statements include an action to either allow or deny the traffic specified by the ACL statement.

Which of the following switch attacks associates the attacker's MAC address with the IP address of the victim's devices? DNS poisoning MAC spoofing ARP spoofing/poisoning Cross-site scripting (XSS)

ARP spoofing/poisoning Explanation ARP spoofing/poisoning sends forged ARP replies so that hosts on the segment associate the attacker's MAC address with the victim's IP address (often the default gateway's), causing traffic meant for the victim to be delivered to the attacker instead. MAC spoofing is different: the attacker changes the source MAC address on the frames it sends. DNS poisoning corrupts name-to-IP mappings, and cross-site scripting is a web application attack; neither is a switch attack.

Which of the following is the first phase of the Microsoft Intune application life cycle? Configure Deploy Add Protect

Add Explanation The first phase of the Microsoft Intune application life cycle is to add the apps that are to be managed and assigned in Intune. Deploy is the second phase. Configure is the third phase. Protect is the fourth phase.

Which of the following NAC agent types would be used for IoT devices? Agentless Dissolvable Permanent Zero-trust

Agentless Explanation Agentless NAC installs no software on the endpoint; the device is assessed from the network instead, for example through the domain controller when a user logs on to the domain. It is used where an agent cannot be installed, such as on Internet of Things (IoT) devices with limited storage or locked-down firmware. Permanent agents are installed on managed endpoints, dissolvable agents run once (typically from a web portal) and remove themselves, and zero trust is a security model, not an agent type.

Which of the following describes how access control lists can be used to improve network security? An access control list looks for patterns of traffic between multiple packets and takes action to stop detected attacks. An access control list identifies traffic that must use authentication or encryption. An access control list filters traffic based on the frame header, such as source or destination MAC address. An access control list filters traffic based on the IP header information, such as source or destination IP address, protocol, or socket number.

An access control list filters traffic based on the IP header information, such as source or destination IP address, protocol, or socket number. Explanation An access control list filters traffic based on IP header information such as source or destination IP address and protocol, and, for extended ACLs, on the TCP or UDP port (socket) number as well. ACLs are configured on routers and operate on Layer 3 information, with port matching taken from the Layer 4 header. Filtering on MAC addresses is Layer 2 switch port security, looking for attack patterns across multiple packets is the job of an IDS/IPS, and requiring authentication or encryption is a VPN or IPsec policy rather than an ACL.

The leader of the cybersecurity team for a major e-commerce company recently encountered a major data breach that led to the exposure of customer payment details. The team has now contained the breach and is moving toward the final phase of the incident response cycle. What is the team's primary objective in this phase? Identify stakeholders and reporting requirements Restore the affected system to a secure state Analyze the incident and improve procedures or systems Eradicate the cause of the incident

Analyze the incident and improve procedures or systems Explanation The final phase of the incident response lifecycle (post-incident activity in the NIST SP 800-61 model) is "lessons learned": the team reviews how the incident happened and how the response went, then changes procedures or systems to prevent, or better handle, similar incidents in the future. Identifying stakeholders and reporting requirements belongs to preparation; restoring systems and eradicating the cause belong to the containment, eradication and recovery phase that precedes this one.

You are concerned about protecting your network from network-based attacks on the internet. Specifically, you are concerned about attacks that have not yet been identified or that do not have prescribed protections. Which type of device should you use? Antivirus scanner Anomaly-based IDS Signature-based IDS Host-based firewall Network-based firewall

Anomaly-based IDS Explanation An anomaly-based intrusion detection system (IDS) first builds a baseline of normal behaviour and then flags deviations from it, so it can recognize and respond to some attacks that have never been seen before. Signature recognition, also referred to as pattern matching or dictionary recognition, compares network traffic to known attack patterns called signatures and can therefore only detect attacks already described in published signature files. The trade-off is that anomaly detection needs a training period and typically produces more false positives than signature matching, which is why the two are normally used together. Firewalls and antivirus scanners enforce rules or signatures rather than detecting unknown network attacks.
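
As an added example for the signature-versus-anomaly distinction above (illustration code written for this page, not part of the original question bank), the block below runs both detection styles over a constructed web-server request log. The signature dictionary, the baseline counts and the z-score threshold are all constructed for the demo. The single SQL-injection request is caught only by the signature; the unknown scanner, for which no signature exists, is caught only by the anomaly baseline.

```python
"""Signature matching versus a simple statistical anomaly baseline.

Illustration code for this page; all inputs below are constructed.
"""
import re
import statistics
from collections import Counter

# Constructed web-server requests as (source IP, request path).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/index.html"),
    ("10.0.0.5", "/about"),
    ("10.0.0.7", "/login"),
    ("10.0.0.7", "/index.html"),
    ("10.0.0.9", "/search?q=shoes"),
    ("10.0.0.9", "/cart"),
    ("203.0.113.4", "/search?q=' OR 1=1--"),   # one request matching a known signature
    ("198.51.100.8", "/x0000"),                 # an unknown scanner: no signature exists...
] + [("198.51.100.8", f"/x{n:04x}") for n in range(1, 41)]  # ...but it is very noisy

# Constructed baseline: requests per source IP per minute seen during normal operation.
BASELINE_COUNTS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]

# Signature detection: a fixed dictionary of known-bad patterns (pattern matching).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(requests):
    """Return (ip, path, signature_name) for every request matching a known signature.

    Anything without a published signature, such as the scanner above, is missed.
    """
    hits = []
    for ip, path in requests:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((ip, path, name))
    return hits


def anomaly_alerts(requests, baseline_counts, z_threshold=3.0):
    """Return source IPs whose request volume is abnormally high against the baseline.

    The baseline is the mean and population standard deviation of per-IP request
    counts during normal operation. An IP more than z_threshold standard deviations
    above that mean is reported with no knowledge of the attack, which is how the
    scanner is caught. The single SQL-injection request is not caught here because
    its volume is normal; the two methods complement each other.
    """
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts)
    counts = Counter(ip for ip, _ in requests)
    if stdev == 0:  # a flat baseline makes z-scores meaningless; fall back to "above the mean"
        return sorted(ip for ip, n in counts.items() if n > mean)
    return sorted(ip for ip, n in counts.items() if (n - mean) / stdev > z_threshold)


if __name__ == "__main__":
    for hit in signature_alerts(SAMPLE_REQUESTS):
        print("signature :", hit)
    for ip in anomaly_alerts(SAMPLE_REQUESTS, BASELINE_COUNTS):
        print("anomaly   :", ip)
```

A real anomaly engine would baseline many features (ports, byte counts, time of day, protocol mix) rather than one count, but the shape is the same: learn normal, then alert on deviation, and expect to tune the threshold against false positives.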

What is the MOST common form of host-based IDS that employs signature or pattern-matching detection methods? Honeypots Firewalls Antivirus software Motion detectors

Antivirus Software Explanation Antivirus software using signatures is the most commonly deployed form of a host-based IDS.

Your organization recently purchased 20 Android tablets for use by the organization's management team. To increase the security of these devices, you want to ensure that only specific apps can be installed. Which of the following would you implement? App blacklisting Credential manager App whitelisting Application control

App whitelisting Explanation App whitelisting (now more often called application allow listing) is the process of defining the specific apps that users may install on their mobile devices; anything not on the list is blocked. Blacklisting (deny listing) works the other way round, blocking named apps and permitting everything else, so it cannot guarantee that only specific apps are installed. A credential manager stores secrets, and "application control" is the broader category of controls to which both listing approaches belong.

Which tool assesses different facets of cloud services, such as network bandwidth, virtual machine status, and program health in a network environment? System monitor Data loss prevention (DLP) tool Application monitor Vulnerability scanner

Application monitor Explanation An application monitor assesses an application's health, performance, and functionality, ensuring its smooth operation and detecting any potential issues.

Which of the steps in the Network Access Control (NAC) implementation process occurs once the policies have been defined? Review Test Apply Plan

Apply Explanation The third step in implementing NAC is to apply the policies. This occurs after the policies have been defined.

What is the purpose of a chain of custody? Retaining evidence integrity. Arriving at conclusions from the investigator's analysis. Detailing the timeline between creation and discovery of evidence. Identifying the owner of the evidence.

Retaining evidence integrity. Explanation The chain of custody is used to track every person who came into contact with the evidence, so that its integrity can be demonstrated. It starts the moment evidence is discovered and records the identity of each person who discovered, logged, gathered, protected, transported, stored and presented the evidence, along with when and why each hand-off occurred. An unbroken chain of custody is what makes the evidence admissible in court; it does not draw conclusions from the analysis, identify the evidence's owner or document when the evidence was created.

To optimize the enterprise security information and event management (SIEM) solution, a multinational's chief information security officer (CISO) is strategizing. The SIEM system acquires data from diverse sources, including Linux and Windows servers, advanced switches, Next Generation Firewalls (NGFWs), and routers. Which feature should the CISO prioritize improving in the SIEM solution to standardize the data and enhance its searchability? Elevating the SIEM solution's threat-hunting capabilities. Integrating additional intrusion detection systems (IDS) into the network. Augmenting the log correlation mechanism in the SIEM solution. Upgrading the network-based data collection method in the SIEM solution.

Augmenting the log correlation mechanism in the SIEM solution. Explanation Of the options given, augmenting log correlation is the improvement that lets the SIEM bring events from Linux and Windows servers, switches, NGFWs and routers together under a common set of fields and search across them. Strictly, the step that standardizes field names, timestamps and formats across sources is called normalization (parsing), and correlation rules then run across the normalized events; more threat hunting, more IDS sensors or a different collection method each add data or analysis but do not standardize what is already being collected.
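
The two steps named above, normalization and then correlation, as an added example (illustration code written for this page, not from the original question bank or from any SIEM product). The Linux sshd lines and Windows Security events are constructed for the demo, with timestamp formats chosen for the demo rather than copied from any product; Windows Event ID 4625 is a failed logon and 4624 a successful one. The brute-force thresholds are arbitrary.

```python
"""Normalize auth events from two sources into one schema, then correlate across them.

Illustration code for this page; the log lines and events below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd messages from a Linux host.
LINUX_AUTH_LOG = [
    "2024-03-01T09:00:01Z web01 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2",
    "2024-03-01T09:00:04Z web01 sshd[812]: Failed password for root from 203.0.113.9 port 51130 ssh2",
    "2024-03-01T09:00:07Z web01 sshd[812]: Failed password for root from 203.0.113.9 port 51131 ssh2",
    "2024-03-01T09:00:20Z web01 sshd[812]: Accepted password for root from 203.0.113.9 port 51140 ssh2",
    "2024-03-01T09:05:00Z web01 sshd[900]: Accepted publickey for deploy from 10.0.0.12 port 40000 ssh2",
]

# Constructed Windows Security events from a domain controller, already split into fields.
WINDOWS_EVENTS = [
    {"TimeCreated": "2024-03-01 09:00:10", "Computer": "DC01", "EventID": 4625,
     "TargetUserName": "Administrator", "IpAddress": "203.0.113.9"},
    {"TimeCreated": "2024-03-01 09:00:12", "Computer": "DC01", "EventID": 4625,
     "TargetUserName": "Administrator", "IpAddress": "203.0.113.9"},
    {"TimeCreated": "2024-03-01 09:03:00", "Computer": "DC01", "EventID": 4624,
     "TargetUserName": "jsmith", "IpAddress": "10.0.0.55"},
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def normalize_linux(line: str):
    """Map an sshd line onto the common schema; None if it is not an auth result."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": m["host"],
            "user": m["user"], "src_ip": m["ip"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "source": "linux-sshd"}


def normalize_windows(event: dict):
    """Map a Windows logon event (4624 success / 4625 failure) onto the same schema."""
    if event["EventID"] not in (4624, 4625):
        return None
    return {"ts": datetime.strptime(event["TimeCreated"], "%Y-%m-%d %H:%M:%S"), "host": event["Computer"],
            "user": event["TargetUserName"], "src_ip": event["IpAddress"],
            "outcome": "success" if event["EventID"] == 4624 else "failure",
            "source": "windows-security"}


def normalize_all(linux_lines, windows_events):
    """Normalization: one field set (ts, host, user, src_ip, outcome, source) whatever the origin."""
    events = [normalize_linux(l) for l in linux_lines] + [normalize_windows(e) for e in windows_events]
    return [e for e in events if e is not None]


def correlate_bruteforce(events, min_failures=3, window=timedelta(minutes=5)):
    """Correlation: a source IP with >= min_failures failures followed by a success inside window.

    Because the events are normalized first, failures against the Linux host and the
    domain controller from the same IP are counted together, which neither log shows alone.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = []
        for e in evs:
            if e["outcome"] == "failure":
                failures.append(e)
                continue
            recent = [f for f in failures if e["ts"] - f["ts"] <= window]
            if len(recent) >= min_failures:
                alerts.append({"src_ip": ip, "failures": len(recent),
                               "hosts": sorted({f["host"] for f in recent} | {e["host"]}),
                               "sources": sorted({f["source"] for f in recent} | {e["source"]}),
                               "compromised_user": e["user"], "at": e["ts"].isoformat()})
            failures = []  # a success closes the window for this IP
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce(normalize_all(LINUX_AUTH_LOG, WINDOWS_EVENTS)):
        print(alert)
```

The alert reports five failures across two hosts and two log sources followed by a successful root logon from the same address: the Linux log alone shows three failures, the Windows log two, and neither on its own would clear a threshold of three.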

Which of the following defines all the prerequisites a device must meet in order to access a network? Authentication Zero-trust security Identity Services Engine (ISE) Authorization

Authentication Explanation Authentication, as the term is used here, defines all the prerequisites a device must meet in order to access the network, with criteria for such things as anti-malware status, operating system and patch level. In NAC products this set of device checks is usually called posture assessment or a health policy; it is evaluated alongside authentication of the user or device identity, and authorization then grants the level of access the results allow. Zero trust is a security model and Cisco ISE is one vendor's NAC product.

Which of the following statements about Bash is true? Bash works in the background to execute commands using environment variables. Bash is a command shell and scripting language used only in Windows operating systems. Bash cannot be used to design malware that attacks systems running on Linux's Apache platform. Bash was released in 2000 and is rarely used today.

Bash works in the background to execute commands using environment variables. Explanation Bash (the Bourne Again Shell) is a command shell and scripting language that executes commands and scripts, drawing on environment variables such as PATH and HOME. The other statements are false: Bash is the default shell on most Linux distributions and is also available on macOS and Windows, so it is not Windows-only; it was first released in 1989 and remains in everyday use; and shell scripts can be, and have been, used to build malware targeting Linux hosts, including web servers running Apache.

Which of the following terms describes a network device that is exposed to attacks and has been hardened against those attacks? Circuit proxy Bastion or sacrificial host Kernel proxy Multi-homed

Bastion or sacrificial host Explanation A bastion host is a device deliberately placed where it is exposed to untrusted traffic, for example at the network edge or in a screened subnet, and fortified against attack: unnecessary services removed, fully patched, tightly configured, logged and monitored. A sacrificial host is one intentionally left exposed in the expectation that it will be attacked, such as a honeypot. Circuit-level and kernel proxies are firewall types, and "multi-homed" simply describes a device with more than one network interface.

A technician is deploying centralized web filtering techniques across the enterprise. What stems from various factors such as the website's URL, domain, IP address, content category, or even specific keywords within the web content? Block rules Reputation-based filtering URL scanning Content categorization

Block rules Explanation Block rules stem from various factors such as the website's Uniform Resource Locators (URL), domain, Internet Protocol (IP) address, content category, or even specific keywords within the web content.

In an IT environment, automation and scripting play a critical role in managing services and access. How does automation assist security analysts in their daily tasks? By helping in user and resource provisioning. By improving the efficiency of ticketing platforms. By enabling and disabling services, modifying access rights, and maintaining the lifecycle of IT resources. By facilitating the development of more complex systems such as SOAR platforms.

By enabling and disabling services, modifying access rights, and maintaining the lifecycle of IT resources. Explanation Automation and scripting are essential tools for managing services and access within an IT environment. This includes enabling or disabling services, modifying access rights, and maintaining the lifecycle of IT resources, which directly aligns with the tasks of security analysts.

An organization needs a solution for controlling and monitoring all inbound and outbound web content, analyzing web requests, blocking access based on various criteria, and offering detailed logging and reporting of web activity. Which of the following solutions is the MOST suitable in this situation? Content categorization Manual URL blocking Agent-based filtering Centralized web filtering

Centralized web filtering Explanation Implemented typically through a proxy server, centralized web filtering controls and monitors all inbound and outbound web content. It can analyze web requests and block access based on Uniform Resource Locators (URLs), Internet Protocol (IP) addresses, content categories, or specific keywords.

You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. Which type of document is this? Chain of custody FIPS-140 CPS (certificate practice statement) Rules of evidence

Chain of custody Explanation The chain of custody is a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court.
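
As an added example for the two chain-of-custody answers on this page (its purpose, and the document itself), the block below keeps a tamper-evident custody record for one evidence item. This is illustration code written for this page, not from the original question bank; the case identifiers, handler names, timestamps and evidence bytes are constructed. Each entry names who handled the evidence, what they did and when, and is chained to the previous entry by its SHA-256, so an entry edited, dropped or reordered after the fact fails verification; the hash of the evidence taken at seizure lets a later handler confirm the item is unchanged.

```python
"""Hash-chained chain-of-custody record with integrity verification.

Illustration code for this page; all identifiers and data below are constructed.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Tamper-evident chain-of-custody record for a single evidence item."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, case_id, item_id, description, evidence: bytes, seized_by, when):
        self.case_id = case_id
        self.item_id = item_id
        self.description = description
        self.evidence_hash = sha256_hex(evidence)   # fixed at seizure, compared against later
        self.entries = []
        self._append("seized", seized_by, when, f"SHA-256 at seizure {self.evidence_hash}")

    def _append(self, action, handler, when, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "action": action,
            "handler": handler,
            "when": when,          # ISO 8601 string so the record serialises cleanly
            "note": note,
            "prev_hash": prev,     # links this entry to the one before it
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, from_handler, to_handler, when, note=""):
        """Record a hand-off, naming both the person releasing and the person receiving."""
        return self._append("transferred", f"{from_handler} -> {to_handler}", when, note)

    def verify_chain(self) -> bool:
        """Recompute every link; False if any entry was altered, dropped or reordered."""
        prev = self.GENESIS
        for expected_seq, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != expected_seq or entry["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def verify_evidence(self, evidence: bytes) -> bool:
        """True if the evidence presented now hashes to the value recorded at seizure."""
        return sha256_hex(evidence) == self.evidence_hash


# Constructed evidence bytes for the demo (a real record would hash the disk image file).
EVIDENCE = b"constructed disk image bytes for the demo"


def build_demo_log() -> CustodyLog:
    """Seizure followed by two hand-offs, all with constructed names and times."""
    log = CustodyLog("CASE-2024-017", "ITEM-03", "Laptop SSD image", EVIDENCE,
                     "A. Analyst", "2024-03-01T10:15:00Z")
    log.transfer("A. Analyst", "Evidence Locker", "2024-03-01T11:00:00Z", "Sealed in bag #114")
    log.transfer("Evidence Locker", "B. Examiner", "2024-03-02T09:00:00Z", "Checked out for analysis")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("chain intact:", log.verify_chain(), "| evidence intact:", log.verify_evidence(EVIDENCE))
    log.entries[1]["handler"] = "Mallory"   # simulate an after-the-fact edit
    print("chain intact after tampering:", log.verify_chain())
```

The chain makes tampering detectable, not impossible: the record still has to be kept somewhere the handlers cannot rewrite, such as a write-once store or a copy held by a second party, which is what the signatures and witness lines on a paper custody form provide.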

You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID for access. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using a Telnet client with a username of admin and a password of P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device? (Select two.) Use TFTP to back up the router configuration to a remote location. Use a web browser to access the router configuration using an HTTP connection. Use encrypted Type 7 passwords. Change the default administrative username and password. Use an SSH client to access the router configuration.

Change the default administrative username and password. Use an SSH client to access the router configuration. Explanation In this scenario, two key security issues need to be addressed. You should use an SSH client to access the router configuration, because Telnet transfers data, including the login credentials, in cleartext over the network and exposes it to sniffing. You should also change the default administrative username and password, because default credentials are readily available on the internet. The remaining options would weaken security: TFTP transfers the configuration in cleartext, HTTP exposes the credentials in cleartext, and Cisco Type 7 "encryption" is a reversible obfuscation that anyone holding the configuration can decode. The MD5-hashed password (Type 5) already in use is one-way; on current IOS releases the Type 8 (PBKDF2-SHA-256) and Type 9 (scrypt) secret types are stronger still.
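
As an added example for the answer above (illustration code written for this page, not from the original question bank or from Cisco), the block below shows why "encrypted Type 7 passwords" is a distractor and audits a constructed running-config excerpt for the two weaknesses the answer names. The Type 7 algorithm and its fixed key are the well-known ones; the configuration text, hostnames and passwords are constructed.

```python
"""Decode Cisco Type 7 passwords and audit a router config for Telnet and default-admin use.

Illustration code for this page; the configuration excerpt below is constructed.
"""
import re

# Cisco IOS "password 7" is a reversible XOR obfuscation keyed with this fixed, publicly
# known string. It hides a password from a casual glance at the configuration, nothing more.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext: a two-digit seed, then hex bytes each XORed with key[seed + i]."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(body))
    return plain.decode()


def type7_encode(plaintext: str, seed: int = 9) -> str:
    """Produce a Type 7 string (real devices use seeds 0-15); included to show the symmetry."""
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(plaintext.encode()))
    return f"{seed:02d}{body.hex().upper()}"


# Constructed running-config excerpt mirroring the scenario: admin/P@ssW0rd and Telnet access.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username admin password 7 0236244818315F3348
enable password 7 0822455D0A16
line vty 0 4
 transport input telnet
 login local
"""

ADVICE = {
    "telnet": "Telnet sends credentials and configuration in cleartext; use 'transport input ssh'.",
    "type7": "Type 7 is reversible (plaintext recovered below); use 'secret' so a one-way hash is stored.",
    "default-admin": "Default administrative username 'admin' is guessable; rename it.",
}


def audit_config(config: str):
    """Return (finding_kind, offending_line, recovered_plaintext_or_None) for each weakness found."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("transport input") and "telnet" in line.split()[2:]:
            findings.append(("telnet", line, None))
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)$", line)
        if m:
            findings.append(("type7", line, type7_decode(m.group(1))))
        if re.match(r"username admin\b", line):
            findings.append(("default-admin", line, None))
    return findings


if __name__ == "__main__":
    for kind, line, plaintext in audit_config(SAMPLE_CONFIG):
        extra = f" -> recovers {plaintext!r}" if plaintext else ""
        print(f"[{kind}] {line}{extra}\n    {ADVICE[kind]}")
```

The recovered plaintexts are the point: a Type 7 string in a configuration backup is as good as the password itself, which is why the backup in the scenario being encrypted matters and why `secret` (a one-way hash) should replace `password 7`.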

You are concerned that wireless access points may have been deployed within your organization without authorization. What should you do? (Select two. Each response is a complete solution.) Check the MAC addresses of devices connected to your wired switch. Implement a network access control (NAC) solution. Implement an intrusion prevention system (IPS). Conduct a site survey. Implement an intrusion detection system (IDS).

Check the MAC addresses of devices connected to your wired switch. Conduct a site survey. Explanation A site survey with a wireless analyzer finds access points broadcasting in your premises that are not on the authorized list, including any plugged into your own network. Reviewing the MAC addresses learned on the wired switch ports exposes access-point hardware (identifiable from the vendor OUI portion of the address) that has been connected to the wired network. NAC, IDS and IPS control or inspect traffic once a device is on the network but do not by themselves discover an unauthorized radio.

You are a security architect for a large organization that uses various cloud services. The organization wants to implement a system that allows users to authenticate once and then access multiple applications, with the system providing information about the user to the applications. The system should be able to work across multiple platforms and authentication systems. Which solution would you recommend? Claims-based identity Local authentication Network authentication Password-based authentication

Claims-based identity Explanation Claims-based identity is the correct answer. In a claims-based identity system, an identity provider issues a token containing claims about the user (such as the user's name, role, or privileges) to the user's browser. The user's browser then presents this token to applications, which use the claims to decide what the user is allowed to do. This system can work across multiple platforms and authentication systems.
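
The flow described above, an identity provider issuing a signed token of claims that several applications then trust, as an added example (illustration code written for this page, not from the original question bank). The token format mirrors a JWT signed with HMAC-SHA256 (HS256); the issuer URL, application names, shared key and clock value are constructed. A production deployment would use a vetted library and, for federation across organizations, an asymmetric algorithm (RS256 or ES256) so that relying applications hold only the provider's public key.

```python
"""Claims-based identity: one provider issues signed claims, many apps validate them.

Illustration code for this page; names, keys and times below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """Authenticates the user once and issues a token carrying claims about them."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer = issuer
        self.key = key

    def issue(self, subject: str, claims: dict, audience: str, ttl: int = 300, now=None) -> str:
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"iss": self.issuer, "sub": subject, "aud": audience,
                   "iat": now, "exp": now + ttl, **claims}
        signing_input = f"{b64url(compact_json(header))}.{b64url(compact_json(payload))}"
        signature = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{b64url(signature)}"


class RelyingApp:
    """An application that trusts the provider's signature instead of authenticating the user itself."""

    def __init__(self, name: str, issuer: str, key: bytes):
        self.name = name
        self.issuer = issuer
        self.key = key

    def validate(self, token: str, now=None):
        """Return (True, claims) if genuine, unexpired and meant for this app; else (False, reason)."""
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        header_b64, payload_b64, sig_b64 = parts
        # Verify the signature before trusting anything inside the token, the header included.
        expected = hmac.new(self.key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False, "bad signature"
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return False, "unexpected alg"
        claims = json.loads(b64url_decode(payload_b64))
        now = int(time.time()) if now is None else now
        if claims.get("iss") != self.issuer:
            return False, "wrong issuer"
        if claims.get("aud") != self.name:     # a token for one app must not work at another
            return False, "wrong audience"
        if claims.get("exp", 0) <= now:
            return False, "expired"
        return True, claims

    def authorize(self, token: str, required_role: str, now=None) -> bool:
        """The app decides what the user may do from the claims, not from its own user database."""
        ok, result = self.validate(token, now)
        return ok and required_role in result.get("roles", [])


def tamper_roles(token: str, roles: list) -> str:
    """Rewrite the roles claim but keep the original signature, as an attacker might try."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["roles"] = roles
    return f"{header_b64}.{b64url(compact_json(claims))}.{sig_b64}"


def demo():
    key = b"constructed-shared-secret-for-the-demo"
    issuer = "https://idp.example.test"          # constructed issuer identifier
    now = 1_700_000_000                          # fixed clock so the demo is reproducible
    idp = IdentityProvider(issuer, key)
    payroll = RelyingApp("payroll", issuer, key)
    ticketing = RelyingApp("ticketing", issuer, key)
    token = idp.issue("alice", {"name": "Alice", "roles": ["hr", "employee"]}, audience="payroll", now=now)
    return payroll, ticketing, token, now
```

The checks in `validate` are the ones that matter in practice: signature first, then issuer, audience and expiry. A forged roles claim fails the signature check, and a valid token for the payroll app is rejected by the ticketing app because the audience does not match.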

When designing a firewall, what is the recommended approach for opening and closing ports? Open all ports; close ports that show improper traffic or attacks in progress. Close all ports. Open all ports; close ports that expose common network attacks. Close all ports; open only ports required by applications inside the network. Close all ports; open ports 20, 21, 53, 80, and 443.

Close all ports; open only ports required by applications inside the network.

Which of the following is a password that relates to things that people know, such as a mother's maiden name or a pet's name? Passphrase Dynamic Cognitive One-time

Cognitive Explanation Cognitive passwords relate to things that people know, such as a mother's maiden name or a pet's name.

Which of the following is NOT a parameter considered for biometric authentication? Universality Color Collectability Permanence Uniqueness

Color Explanation The color of the biometric feature does not play a role in the authentication process as it does not contribute to the uniqueness or permanence of the biometric feature.

Which of the following Intune portals is used by end users to manage their own account and enroll devices? Account portal Company portal Add Intune Users Admin portal

Company portal Explanation The Company portal is used by end users to manage their own account and enroll devices.

You want to connect a laptop computer running Windows to a wireless network. The wireless network uses multiple access points and WPA2-Personal. You want to use the strongest authentication and encryption possible. SSID broadcast has been disabled. What should you do? Configure the connection with a pre-shared key and TKIP encryption. Configure the connection with a pre-shared key and AES encryption. Configure the connection to use 802.1x authentication and AES encryption. Configure the connection to use 802.1x authentication and TKIP encryption.

Configure the connection with a pre-shared key and AES encryption. Explanation WPA2-Personal authenticates with a pre-shared key, so the 802.1X options do not apply; 802.1X authentication is WPA2-Enterprise, which this network does not use. Advanced Encryption Standard (AES) in CCMP mode is the cipher WPA2 was designed around and is the strongest available here; TKIP is the legacy cipher carried over from WPA and is deprecated. Because SSID broadcast is disabled, the profile must be created manually with the network name, but hiding the SSID adds no real security.

You are running a packet sniffer on your workstation so you can identify the types of traffic on your network. You expect to see all the traffic on the network, but the packet sniffer only seems to be capturing frames that are addressed to the network interface on your workstation. Which of the following must you configure in order to see all of the network traffic? Configure the network interface to enable logging. Configure the network interface to use protocol analysis mode. Configure the network interface to use port mirroring mode. Configure the network interface to use promiscuous mode.

Configure the network interface to use promiscuous mode Explanation By default, a NIC only accepts frames addressed to itself (plus broadcasts and subscribed multicasts). To let the packet sniffer capture frames sent to other devices, configure the NIC in promiscuous mode (sometimes called p-mode), in which it passes every frame it sees up to the capture software. Note that on a switched network promiscuous mode only exposes the frames the switch actually forwards to your port; to see other hosts' unicast traffic you also need the switch to mirror that traffic to your port (a SPAN or mirror port) or a network tap. Port mirroring is configured on the switch, not on the workstation's interface.

A tech department evaluates the benefits of automation and scripting after recently acquiring new funding. What capability within automation and scripting allows developers to regularly merge their changes back to the main code branch and evaluate each merge automatically to help detect and fix integration problems? Guardrails Resource provisioning User provisioning Continuous integration and testing

Continuous integration and testing Explanation The principles of continuous integration and testing hinge heavily on automation. In this approach, developers regularly merge their changes back to the main code branch and evaluate each merge automatically to help detect and even fix integration problems.

You are a cybersecurity analyst at a tech startup. Recently, you've noticed an unusual pattern of data access requests from a competitor's IP address. The requests are specifically targeting your company's proprietary algorithms and customer databases. Based on this information, which type of security incident is MOST likely occurring? External intrusion attempts Virus and harmful code Corporate espionage Employee errors Unauthorized act by an employee

Corporate espionage Explanation Unethical gathering of competitive information (or corporate espionage) is the correct answer. The scenario describes a deliberate attempt from a competitor to access proprietary information, which is characteristic of corporate espionage.

A CEO asks the tech department to create a console that shows day-to-day incident response and summaries of information drawn from underlying data sources. What can the tech department present to the CEO as a viable option? Dashboards Network logs Metadata Log data

Dashboards Explanation An event dashboard provides a console to work from for day-to-day incident response and a summary of information drawn from the underlying data sources (logs, network captures and their metadata) to support specific work tasks. Network logs, log data and metadata are the raw inputs a dashboard summarizes, not a console in themselves.

After a recent breach, an organization mandates increased monitoring of corporate email accounts. What can the organization use that mediates the copying of tagged data to restrict it to authorized media and services and monitors statistics for policy violations? Data loss prevention Simple Network Management Protocol (SNMP) trap Security content automation protocol Antivirus (A-V)

Data loss prevention Explanation Data loss prevention (DLP) mediates the copying of tagged data to restrict it to authorized media and services and monitors statistics for policy violations.

In preparation for taking over inventory for their division, an engineer reviews the records for the previous inventory count. The engineer notes that a few items were on the previous inventory count that they could not find during their initial search. What records should they review prior to looking for the missing items? Configuration enforcement Monitoring Access control Decommissioning

Decommissioning Explanation The final step in the decommissioning process involves updating inventory records to reflect decommissioned devices. The decommissioning records explain why the property was on the previous inventory.

A security administrator reviews the network configurations of a recently deployed server. The administrator notices that certain unnecessary services have access to the server, potentially creating vulnerabilities. The administrator decides to refine the access control list (ACL) to enhance the server's security. Which action will the security administrator MOST likely take when refining the ACL to ensure that only necessary services communicate with the server, thereby reducing potential attack vectors? Permit all incoming traffic to maintain functionality by default Permit traffic only from trusted MAC addresses by default Deny all traffic by default and then allow exceptions based on requirement Implement a stateful firewall for the server

Deny all traffic by default and then allow exceptions based on requirement Explanation When securing an ACL, best practices dictate denying all traffic by default and permitting only necessary specific traffic. This "deny by default" principle ensures that only approved traffic accesses the resource.
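To see what deny-by-default buys you in practice, here is an added Python example, not from the page, that evaluates a small first-match ACL with an implicit deny and compares it with the permit-all alternative from the question. The rule sets, subnets and probe traffic are constructed for illustration; the `shadowed_rules` check is an extra practitioner's sanity check for rules an earlier, broader rule makes unreachable.

```python
from ipaddress import ip_address, ip_network

# Constructed rule sets (made up for this example). Rules are checked top to
# bottom and the first match wins; anything unmatched gets the default action.
HARDENED_ACL = [  # deny by default, explicit exceptions only
    {"action": "permit", "src": "10.0.1.0/24",  "proto": "tcp", "port": 443},  # web tier -> HTTPS
    {"action": "permit", "src": "10.0.9.10/32", "proto": "tcp", "port": 22},   # bastion -> SSH
    {"action": "permit", "src": "10.0.9.0/24",  "proto": "udp", "port": 161},  # monitoring -> SNMP
]

PERMIT_ALL_ACL = [  # the "permit everything to keep it working" alternative
    {"action": "permit", "src": "0.0.0.0/0", "proto": "any", "port": "any"},
]


def rule_matches(rule, src, proto, port):
    """True if the packet (source IP, protocol, destination port) fits the rule."""
    if ip_address(src) not in ip_network(rule["src"]):
        return False
    if rule["proto"] != "any" and rule["proto"] != proto:
        return False
    if rule["port"] != "any" and rule["port"] != port:
        return False
    return True


def evaluate(acl, src, proto, port, default="deny"):
    """Return (action, matching rule or None). With default='deny' the
    unmatched case is the implicit deny at the end of a hardened ACL."""
    for rule in acl:
        if rule_matches(rule, src, proto, port):
            return rule["action"], rule
    return default, None


def permitted(acl, probes, default="deny"):
    """Subset of probe packets the ACL lets through: run this before deploying a list."""
    return [p for p in probes if evaluate(acl, *p, default=default)[0] == "permit"]


def shadowed_rules(acl):
    """Rules that can never match because an earlier rule already covers them
    (same proto/port, source inside the earlier source). A common ACL mistake."""
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            same_proto = earlier["proto"] in ("any", later["proto"])
            same_port = earlier["port"] in ("any", later["port"])
            covered = ip_network(later["src"]).subnet_of(ip_network(earlier["src"]))
            if same_proto and same_port and covered:
                shadowed.append(later)
                break
    return shadowed


# Constructed traffic samples: (source IP, protocol, destination port).
PROBES = [
    ("10.0.1.50", "tcp", 443),   # legitimate web-tier request
    ("10.0.9.10", "tcp", 22),    # admin SSH from the bastion
    ("10.0.1.50", "tcp", 445),   # SMB from the web tier: not required, should be blocked
    ("10.0.5.77", "tcp", 3389),  # RDP from an unrelated subnet
    ("10.0.9.20", "tcp", 22),    # SSH from a monitoring host that is not the bastion
]

if __name__ == "__main__":
    print("hardened allows:  ", permitted(HARDENED_ACL, PROBES))
    print("permit-all allows:", permitted(PERMIT_ALL_ACL, PROBES))
    print("shadowed rules:   ", shadowed_rules(HARDENED_ACL))
```

Under the hardened list only the HTTPS and bastion-SSH probes get through; under permit-all every probe does, including SMB and RDP that the server has no reason to accept.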

A large financial institution recently adopted a bring your own device (BYOD) policy. It understands the cost and flexibility advantages of this approach but is concerned about the potential security implications. Specifically, the institution wants to ensure that its sensitive data remains protected even when accessed from or stored on employees' personal devices. What would be the MOST effective strategy to safeguard data in this context? Regularly update the company's firewall and antivirus software Deploy a mobile device management (MDM) solution Implement mandatory password changes every 30 days Conduct regular security training for employees

Deploy a mobile device management solution Explanation An MDM solution allows a company to manage, secure, and enforce policies on employees' mobile devices, even if they are personal devices.

An organization needs to implement web filtering to bolster its security. The goal is to ensure consistent policy enforcement for both in-office and remote workers. Which of the following web filtering methods BEST meets this requirement? Deploying agent-based web filtering Implementing manual URL blocking Relying solely on reputation-based filtering Utilizing a centralized proxy server

Deploying agent-based web filtering Explanation Agent-based web filtering involves installing a software agent on all devices. These agents communicate with a centralized server to obtain filtering policies and rules and apply them locally.

In a high-security environment, which of the following is the MOST important concern when removable media is no longer needed? Labeling Reuse Destruction Purging

Destruction Explanation The most important concern is the destruction of the media. In a high-security environment, removable media is not reused. After the media is no longer needed, it must be destroyed.

You are a network security analyst for a large corporation. The company has recently experienced a series of network attacks, and you've been tasked with hardening the network switches to prevent future attacks. You've identified several potential measures to improve security. Which of the following would be the MOST effective approach to hardening the switches? Enabling HTTP services for remote management. Changing the default credentials. Implementing Access Control Lists (ACLs). Disabling unnecessary services and interfaces.

Disabling unnecessary services and interfaces. Explanation Disabling unnecessary services and interfaces reduces the attack surface of the switch, leaving attackers fewer ways in. Changing default credentials and applying ACLs are also part of hardening, but reducing what the switch exposes is the broader measure, which makes it the most effective single approach. Enabling HTTP for remote management would weaken the switch, since HTTP carries management credentials in cleartext.

Which of the following DLP implementations can be used to monitor and control access to physical devices on workstations or servers? File-level DLP Endpoint DLP Cloud DLP Network DLP

Endpoint DLP Explanation Endpoint data loss prevention (DLP) runs as an agent on end-user workstations and servers and can monitor and control the physical devices attached to them, which can be as simple as restricting the use of USB storage. Many endpoint-based systems also provide application controls to prevent the transmission of confidential information and give immediate feedback to the user. That feedback is based on the observation that not all data leakage incidents are malicious: the employee might not realize the action violates security policy, and the intent is to deter a similar action in the future.

Upon receiving additional funding for the new quarter, a software team leader looks to acquire new automation and orchestration tools to enhance the IT department. What is NOT considered a benefit of automation and orchestration implementation for infrastructure management? Enforcing standardized configurations to ensure consistency Enhancing scalability and flexibility by simplifying deployment Saving time and resources by allowing configurations to deploy quickly Enforcing standardized baselines through configuration management tools

Enforcing standardized baselines through configuration management tools Explanation The question treats enforcing standardized baselines through configuration management tools, which automatically reverts unauthorized endpoint changes, as a benefit of automation in security operations rather than in infrastructure management. The other three options (consistent configurations, simpler scaling and deployment, and faster rollout) are the infrastructure-management benefits.

A cybersecurity analyst uses a security information and event management (SIEM) tool to monitor network activity in a large organization. During a shift, the analyst receives multiple alerts indicating the same user account is experiencing multiple login failures within the span of an hour. Which of the following correlation rules likely triggered this alert? Error.LoginFailure > 3 AND LoginFailure.User AND Duration < 1 hour Error.LoginFailure > 1 AND LoginFailure.User AND Duration < 1 day Error.LoginFailure > 2 AND LoginFailure.User AND Duration < 2 hours Error.LoginFailure > 5 AND LoginFailure.User AND Duration < 30 minutes

Error.LoginFailure > 3 AND LoginFailure.User AND Duration < 1 hour Explanation This rule fires when more than three login failures are recorded for the same user account within one hour, which matches the pattern the analyst saw: multiple failures for one account in the span of an hour. The other rules use a different window (one day, two hours, or 30 minutes) or a threshold that does not fit the scenario.
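The rule above can be checked against actual events. The following Python is added here as an example and is not part of the original page: it implements that correlation rule as a per-user sliding window over constructed syslog-style login records (the log lines, host names, user names and addresses are made up), splitting each line into event metadata and message first. Calling it with a looser threshold and window also shows what the one-day rule from the other options would additionally catch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "<UTC timestamp> <host> <process>: <message>".
# alice fails four times inside 45 minutes; carol's four failures are each more
# than an hour apart, so only alice should satisfy the one-hour rule.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z dc01 sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:10:40Z dc01 sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:20:05Z dc01 sshd: Accepted password for bob from 10.0.0.7
2024-05-01T09:31:59Z dc01 sshd: Failed password for alice from 10.0.0.5
2024-05-01T09:45:00Z dc01 sshd: Failed password for alice from 10.0.0.5
2024-05-01T11:30:00Z dc01 sshd: Failed password for carol from 10.0.0.9
2024-05-01T12:45:00Z dc01 sshd: Failed password for carol from 10.0.0.9
2024-05-01T13:50:00Z dc01 sshd: Failed password for carol from 10.0.0.9
2024-05-01T14:55:00Z dc01 sshd: Failed password for carol from 10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+)")


def parse_event(line):
    """Split one line into event metadata (time, host, process) and the message."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "process": m["proc"],
        "message": m["msg"],
    }


def correlate_login_failures(log_text, threshold=3, window_seconds=3600):
    """Emulates: Error.LoginFailure > threshold AND same user AND Duration < window.

    A sliding window of failure timestamps is kept per user; the rule fires
    the first time more than `threshold` failures fall inside the window.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        fm = FAIL_RE.search(ev["message"])
        if fm is None:
            continue                      # successful logins are ignored
        user = fm["user"]
        q = failures[user]
        q.append(ev["time"])
        while q and ev["time"] - q[0] >= window:
            q.popleft()                   # expire failures older than the window
        if len(q) > threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "host": ev["host"], "count": len(q),
                           "first": q[0], "last": ev["time"]})
    return alerts


if __name__ == "__main__":
    for a in correlate_login_failures(SAMPLE_LOG):
        print(f"ALERT {a['user']}@{a['host']}: {a['count']} failures "
              f"between {a['first']} and {a['last']}")
```

With the defaults only alice trips the rule; carol's slow-and-low attempts never put four failures inside one hour. Running it with `threshold=1, window_seconds=86400` (the one-day rule) flags carol as well, which illustrates why window and threshold are tuned together.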

You want to use a tool to see packets on a network, including the source and destination of each packet. Which tool should you use? nmap OVAL Nessus Wireshark

Wireshark Explanation A protocol analyzer, also called a packet sniffer, is special software that captures (records) frames that are transmitted on a network. A protocol analyzer is a passive device. It copies frames and allows you to view frame contents, but it does not allow you to capture, modify, and retransmit frames (activities that are used to perform an attack). Wireshark is a popular protocol analyzer.

Which of the following is responsible for broadcasting information and data over radio waves? Wireless bridge Wireless LAN controller Wireless interface Wireless access point

Wireless access point Explanation A wireless access point (WAP) broadcasts information and data over radio waves. WAPs function as wireless hubs.

As a Security Operations Center (SOC) analyst for a large financial institution that deals with high volumes of alerts and potential threats, what crucial benefit does implementing automation and orchestration in security operations provide? Automation and orchestration enable repetitive tasks to be performed quickly and consistently, minimizing human error. Automation and orchestration help to cut costs by reducing the number of cybersecurity professionals needed. Automation and orchestration simplify the nature of threats and reduce the volume of alerts. Automation and orchestration eliminate the need for human intervention in security operations.

Automation and orchestration enable repetitive tasks to be performed quickly and consistently, minimizing human error. Explanation Automation improves efficiency in security operations by quickly and consistently performing repetitive tasks, which reduces the incidence of human error often associated with such tasks.

A security specialist is drafting a memorandum on secure data destruction for the organization after a recent breach. What benefit does the certification concept offer when evaluating appropriate disposal/decommissioning? It refers to policies and practices governing the storage and preservation of information within the organization for a set period of time. It ensures that organizations maintain compliance with relevant regulations and minimize breach risks. It is often based on legal, regulatory, or operational requirements. It refers to the documentation and verification of the data sanitization or destruction process.

It refers to the documentation and verification of the data sanitization or destruction process. Explanation Certification refers to documenting and verifying the data sanitization or destruction process.

What is the primary goal of the containment phase of cybersecurity incident management during an incident response lifecycle? (Select two.) Analyze the incident and responses to identify whether procedures or systems could be improved. Notify stakeholders and identify other reporting requirements. Reintegrate the system into the business process it supports with the cause of the incident eradicated. Limit the immediate impact of the incident while securing data and notifying stakeholders. Remove all traces of the incident from affected systems.

Limit the immediate impact of the incident while securing data and notifying stakeholders. Notify stakeholders and identify other reporting requirements. Explanation Containment focuses on limiting the immediate impact of the incident, preventing it from spreading further, and minimizing its effect on both data and business operations, as well as on notifying stakeholders and identifying other reporting requirements.

When cleaning out the server closet, a company discovers a box of old disk drives. When considering which disposal method to use, what are the characteristics associated with the destruction concept? (Select two.) It involves the physical or electronic elimination of information stored on media, rendering it inaccessible and irrecoverable. It refers to removing sensitive information from storage media to prevent unauthorized access or data breaches. Its process uses specialized techniques, such as data wiping, degaussing, or encryption. It refers to copying files to other media to keep in a secure safe. Its methods include shredding, crushing, or incinerating storage devices.

It involves the physical or electronic elimination of information stored on media, rendering it inaccessible and irrecoverable. Its methods include shredding, crushing, or incinerating storage devices. Explanation Destruction involves the physical or electronic elimination of information stored on media, rendering it inaccessible and irrecoverable. Physical destruction methods include shredding, crushing, or incinerating storage devices, while electronic destruction involves overwriting data multiple times or using degaussing techniques to eliminate the magnetic fields on magnetic storage media.

A manufacturing company's security manager plans to implement corrective operational controls to mitigate potential security threats. Which of the following instances would be the appropriate control? A security camera system monitoring the premises. Enabling continuous monitoring to disable abnormal accounts. A firewall that prevents unauthorized access to the network. Regular penetration testing to uncover potential vulnerabilities.

Enabling continuous monitoring to disable abnormal accounts. Explanation Enabling continuous monitoring to disable abnormal accounts is a corrective operational control. When abnormal behavior is detected, this control disables the account to prevent unauthorized access. The camera and penetration testing are detective controls, and the firewall is preventive.

You are the IT manager of a large multinational corporation. The company has recently decided to implement a bring your own device (BYOD) policy, allowing employees to use their personal devices for work purposes. The company has a diverse range of device platforms and application types. Your task is to ensure that the company's data is secure within applications on these devices, and that sensitive data can be managed on any device, including personal devices. Which of the following configurations would be the MOST suitable for this scenario? Intune MDM + MAM Self-service portal App catalog MAM-WE

MAM-WE Explanation MAM-WE (mobile application management without enrollment) applies app protection policies to managed apps on devices that are not enrolled in Intune, including employees' personal devices and devices enrolled with a third-party enterprise mobility management (EMM) provider. Because the policies travel with the app rather than the device, sensitive data can be managed on any device, which makes it the most suitable option for a BYOD policy.

Which of the following statements about vulnerability scanning is true? Vulnerability scanning is a process of identifying, classifying, and ignoring vulnerabilities within a system or network. Non-credentialed scans are more intrusive and provide a more in-depth analysis than credentialed scans. Package monitoring is a critical capability in application vulnerability assessment practices as it tracks and assesses the security of third-party software packages, libraries, and dependencies. Network vulnerability scanners, such as Tenable Nessus and OpenVAS, are designed to test only servers and switches.

Package monitoring is a critical capability in application vulnerability assessment practices. Explanation Package monitoring tracks and assesses the security of third-party software packages, libraries, and dependencies used within an organization to ensure that they are up to date and free from known vulnerabilities that malicious actors could exploit. The other statements are false: vulnerability scanning does not ignore findings, credentialed (not non-credentialed) scans provide the more in-depth analysis, and network scanners such as Nessus and OpenVAS test a wide range of hosts and devices, not only servers and switches.

Upon receiving new storage media drives for the department, an organization asks a software engineer to dispose of the old drives. When considering the various methods, what processes does sanitization involve? (Select two.) It involves the physical or electronic elimination of information stored in media, rendering it inaccessible and irrecoverable. Its process uses specialized techniques, such as data wiping, degaussing, or encryption. It refers to the process of removing sensitive information from storage media to prevent unauthorized access or data breaches. It involves the documentation and verification of the destruction process. Its methods include shredding, crushing, or incinerating storage devices.

Its process uses specialized techniques, such as data wiping, degaussing, or encryption. It refers to the process of removing sensitive information from storage media to prevent unauthorized access or data breaches. Explanation Sanitization refers to removing sensitive information from storage media to prevent unauthorized access or data breaches. Sanitization uses specialized techniques, such as data wiping, degaussing, or encryption, to ensure the data becomes irretrievable. Sanitization is particularly important when repurposing or donating storage devices.

Which of the following are key areas of focus for a non-credentialed scan in a vulnerability assessment? (Select two.) Internal network access Unprivileged user access Compromised user account Privileged user access External network perimeter

Explanation The following answers are correct: The external network perimeter is a key focus of a non-credentialed scan. Non-credentialed scans are often used to assess the security of the network perimeter from an external viewpoint, simulating the perspective of an attacker who does not have specific high-level permissions or total administrative access. Unprivileged user access is a key focus of a non-credentialed scan. Non-credentialed scans simulate the view that the host exposes to an unprivileged user on the network.

A technical consultant reviews available automation and orchestration options for security operations after realizing employees' actions place the network architecture at risk. What are the benefits associated with automation and orchestration implementation? (Select three.) It coordinates automated tasks across different systems and software tools for quicker response. A single point of failure for the system. It enhances efficiency by enabling repetitive tasks to perform with mitigation of risk to human error consistently. It requires a deep understanding of an organization's systems, processes, and interdependencies. It assists staff members from experiencing fatigue and enhances opportunities for retention. Ongoing support to stay effective and secure. It assists in funding needed orchestration and automation at a higher price point.

Explanation The following are benefits associated with automation and orchestration implementation: Automation and orchestration offer many benefits to security operations. They enhance efficiency by enabling users to quickly and consistently perform repetitive tasks, reducing the burden on security teams and minimizing the likelihood of human error. Orchestration enhances the impact of automation by coordinating automated tasks across different systems and software tools, reducing detection and reaction times. Automation supports staff retention initiatives by reducing fatigue from repetitive tasks. Automation practices can free staff to perform more rewarding work and increase job satisfaction.

While investigating a potential cybercrime, a junior digital forensics specialist leaves an important hard drive in a public area overnight. A senior digital forensics specialist finds the hard drive in the morning and says that it is no longer evidence in the case. What made the hard drive unusable in court? (Select two.) The forensics team did not maintain the chain of custody. The forensics team did not maintain the provenance of the hard drive. The forensics team did not maintain the legal hold of the hard drive. The forensics team did not provide a digital forensics report. The forensics team did not maintain the order of volatility for the hard drive.

Explanation The following aspects of this situation make the hard drive unusable in court: Maintaining the proper chain of custody on any physical evidence at all times is crucial. The hard drive left overnight in a public location is suspect for compromise, rendering it inadmissible in a court of law. Provenance shows that evidence moves directly from the crime scene without tampering. Provenance is no longer provable, as the hard drive was left alone overnight.

Which of the following is the LEAST reliable means of cleaning or purging media? Degaussing Overwriting every sector with alternating 1s and 0s OS low-level formatting Drive controller hardware-level formatting

Degaussing Explanation The least reliable means to clean or purge media, as this question frames it, is degaussing. Degaussing uses strong magnetic fields to remove stored information from a drive, but user error and equipment failure often result in only partially cleaned media, and the result is hard to verify because a degaussed hard drive is normally left unusable. Degaussing also has no effect on solid-state or other flash media, which must be sanitized by cryptographic erase, a firmware secure-erase command, or physical destruction instead.

Which of the following BEST describes the role of event metadata in network security? It provides the specific notification or alert the process raises. It is the source and time of the event, which can include a host or network address, a process name, and categorization/priority fields. It is used to synchronize each host to the same date, time value, and format. It is the data that is generated by processes running on network appliances and general computing hosts.

Explanation The source and time of the event is the correct answer. Event metadata provides context about the event, including its source and time. This can include a host or network address, a process name, and categorization/priority fields. This information is crucial for understanding and investigating security incidents.

You are a cybersecurity expert at a large corporation. Your company has just decommissioned a data center and you are tasked with ensuring the secure destruction of data on thousands of hard drives. The data includes highly sensitive information. Which of the following solutions would be BEST for destroying the data? Physically destroy the drives by pulverizing them. Overwrite the data on the drives and then reuse them within the company. Use a combination of overwriting and degaussing before disposing of the drives. Use a third-party service to degauss the drives.

Use a combination of overwriting and degaussing before disposing of the drives. Explanation Using a combination of overwriting and degaussing before disposing of the drives is the best solution in this scenario. This option provides a high level of security by first overwriting the data (making it unreadable) and then degaussing the drives (rendering them unusable). This two-step process reduces the chance of data recovery to near zero. While the drives cannot be reused, the sensitivity of the data and the scale of the task warrant this approach. Note that degaussing only affects magnetic media; any solid-state drives in the batch need cryptographic erase or physical destruction instead, and the sanitization of each drive should be recorded so that it can be certified.

A large organization's cybersecurity incident response team receives an alert indicating potential threat actor activity on one of its network servers. What should be the team's immediate action based on the incident response life cycle? Immediately disconnect the affected server from the network to isolate it. Analyze the alert and its context to determine whether a genuine incident has occurred. Notify the executive decision-maker to authorize actions before proceeding. Wait for more alerts to confirm the incident before taking any action.

Analyze the alert and its context to determine whether a genuine incident has occurred. Explanation When receiving an alert, the first responder's immediate action is to determine whether a genuine incident has occurred. This involves investigating the reported data and assessing the severity of the situation before taking further action such as isolating the server.

A user has complained about not being able to remove a program that is no longer needed on a computer. The Programs and Features page is not available in Control Panel. You suspect that a policy is enabled that hides this page from the user. But after opening the Local Group Policy Editor, you see that the Hide Programs and Features page is set to Not configured. You know that other users in this domain can access the Programs and Features page. To determine whether the policy is enabled, where should you look next? The Local Group Policy. GPOs linked to organizational units that contain this user's object. The Default Domain Policy GPO. GPOs linked to the domain that contains this user's object.

GPOs linked to organizational units that contain this user's object. Explanation Look at the GPOs linked to the organizational units that contain this user's object. Since other users in the domain can still reach the Programs and Features page, the setting is unlikely to come from a GPO linked to the domain itself; a GPO linked to an OU that applies only to this user is the most likely place the Hide Programs and Features page policy is enabled. Because OU-linked GPOs are applied after the Local Group Policy, the local Not configured value says nothing about the effective setting.

You are the head of security at a large corporation and have recently implemented a new biometric authentication system for access to the company's facilities. After a few weeks, you notice that a significant number of employees are having trouble registering their biometric data into the system. Which metric would be most relevant to assess this issue? False acceptance rate (FAR) False rejection rate (FRR) Throughput (speed) Crossover error rate (CER) Failure to enroll rate (FER)

Failure to enroll rate (FER) Explanation Failure to enroll rate (FER) measures incidents in which a template cannot be created and matched for a user during enrollment. This is the most relevant metric to assess the issue of employees having trouble registering their biometric data into the system.

You are a network administrator for a multinational corporation that uses various cloud services. The corporation has offices in multiple countries, each with their own local directories for managing accounts and rights. The CEO wants to implement a system that allows these authorizations to be implemented across all offices and cloud services. Which solution would you recommend? Federation Network directory Single sign-on authentication Local directory

Federation Explanation Federation is the correct answer. Federation is a system that allows for the implementation of authorizations across different domains, such as multiple offices or cloud services. It uses a federated identity management solution to manage accounts and rights across these different domains.

Your financial planning company is forming a partnership with a real estate property management company. One of the requirements is that your company open up its directory services to the property management company to create and access user accounts. Which of the following authentication methods will you be implementing? Directory services Federation Single sign-on Attestation

Federation Explanation In this scenario, you would be implementing a federation authentication method. Federation is the notion that a network needs to be accessible to more than just a well-defined group of employees, such as trusting user accounts created and managed by a different network.

As a system administrator, you notice unusual network activity on a company server. Upon investigation, you discover that a PowerShell script is running in the background. What type of malware is MOST likely responsible for this activity? Trojan horse Fileless malware Macro virus Worm

Fileless malware Explanation Fileless malware is the correct answer. Fileless malware operates in the memory of the system and does not require a file to run. It is known for using legitimate tools like PowerShell to execute malicious activities. In this scenario, the PowerShell script running in the background is a typical characteristic of fileless malware.

You are a security consultant tasked with implementing a biometric authentication system for a small business. The business owner wants a system that is cost-effective, non-intrusive, and relatively simple for employees to use. Which biometric authentication method would you recommend? Facial recognition Iris recognition Vein recognition Fingerprint recognition Retina scanning

Fingerprint recognition Explanation Fingerprint recognition is cost-effective, non-intrusive, and simple to use, making it the most suitable option for a small business. The technology required for scanning and recording fingerprints is relatively inexpensive and straightforward.

You are implementing a new application control solution. Prior to enforcing your application whitelist, you want to monitor user traffic for a period of time to discover user behaviors and log violations for later review. How should you configure the application control software to handle applications not contained in the whitelist? Block Flag Drop Tarpit

Flag Explanation Flagged applications are allowed to run, but a violation is logged when they are identified. This lets you build the whitelist from observed behavior before switching the policy to Block.

Which fuzz testing program type defines new test data based on models of the input? Memory management Generation-based Mutation-based Code signing

Generation-based Explanation Fuzz testing (also known as fuzzing) is a software-testing technique that exposes security problems by providing invalid, unexpected, or random data to the inputs of an application. The two fuzzing program types are: Mutation-based programs, which mutate existing data samples to create new test data; and Generation-based programs, which define new test data based on models of the input. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed; it is not a testing technique.
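To make the distinction concrete, here is an added Python example (not from the page) that runs both fuzzer types against a constructed toy record parser. The generation-based fuzzer builds inputs from a model of the format (type, length, value, checksum) and deliberately emits boundary lengths; the mutation-based fuzzer perturbs one valid sample without knowing anything about the format. The parser's two bugs are deliberate so the fuzzers have something to find; the format, seed and PRNG seed value are all made up.

```python
import random


class ParseError(Exception):
    """Expected rejection of malformed input; a fuzzer must not count this as a crash."""


def parse_record(data: bytes) -> dict:
    """Constructed fuzz target: a toy type/length/value record.

    Layout: [type:1][length:1][value:length][checksum:1]. It deliberately
    trusts the length field, which hides two bugs the fuzzers below can find.
    """
    if len(data) < 3:
        raise ParseError("record too short")
    rtype, length = data[0], data[1]
    value = data[2:2 + length]
    checksum = data[2 + length]            # bug 1: length can point past the buffer -> IndexError
    if (sum(value) & 0xFF) != checksum:
        raise ParseError("bad checksum")
    avg = sum(value) // length             # bug 2: a zero length divides by zero
    return {"type": rtype, "value": bytes(value), "avg": avg}


def build_record(rtype: int, declared_len: int, value: bytes) -> bytes:
    """Assemble a record from the format model, with a correct checksum over `value`."""
    return bytes([rtype, declared_len]) + value + bytes([sum(value) & 0xFF])


BOUNDARY_LENGTHS = (0, 1, 2, 127, 128, 254, 255)


def generate_cases(rng: random.Random, extra: int = 100) -> list:
    """Generation-based: derive inputs from the format model, not from samples.
    Every boundary (declared, actual) length pair is emitted deterministically,
    followed by `extra` random records built from the same model."""
    cases = []
    for declared in BOUNDARY_LENGTHS:
        for actual in BOUNDARY_LENGTHS:
            cases.append(build_record(1, declared, bytes(actual)))
    for _ in range(extra):
        value = bytes(rng.randrange(256) for _ in range(rng.randrange(256)))
        cases.append(build_record(rng.randrange(256), rng.randrange(256), value))
    return cases


def mutate_cases(rng: random.Random, seed: bytes, extra: int = 100) -> list:
    """Mutation-based: start from one valid sample and perturb it blindly:
    interesting byte values at each offset, truncations, then random bit flips."""
    cases = []
    for i in range(len(seed)):
        for v in (0x00, 0xFF, (seed[i] + 1) & 0xFF):
            buf = bytearray(seed)
            buf[i] = v
            cases.append(bytes(buf))
    for cut in range(len(seed)):
        cases.append(seed[:cut])
    for _ in range(extra):
        buf = bytearray(seed)
        for _ in range(rng.randint(1, 3)):
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        cases.append(bytes(buf))
    return cases


def fuzz(target, cases: list) -> dict:
    """Run every case; keep the first input that triggers each unexpected exception type."""
    crashes = {}
    for case in cases:
        try:
            target(case)
        except ParseError:
            continue                       # handled rejection, not a finding
        except Exception as exc:           # anything else is a bug in the parser
            crashes.setdefault(type(exc).__name__, case)
    return crashes


# One valid seed record: type 1, three-byte value "ABC", correct checksum.
SEED = build_record(1, 3, b"ABC")


def run_campaign(seed: int = 7) -> dict:
    """Run both fuzzers from one PRNG seed; returns the crash inputs each one found."""
    rng = random.Random(seed)
    return {
        "generation": fuzz(parse_record, generate_cases(rng)),
        "mutation": fuzz(parse_record, mutate_cases(rng, SEED)),
    }


if __name__ == "__main__":
    for kind, found in run_campaign().items():
        print(f"{kind:10}: {found}")
```

The generation-based run finds both bugs, because the model lets it emit a record with length 0 and a consistent checksum as well as one whose declared length overruns the buffer. The mutation-based run reliably finds the overrun (any corruption of the length byte or truncation of the seed triggers it), but the zero-length bug needs two coordinated bytes to change at once, which blind mutation of a single seed rarely produces.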

Jessica needs to set up a firewall to protect her internal network from the internet. Which of the following would be the BEST type of firewall for her to use? Software Stateful Tunneling Hardware

Hardware Explanation Hardware firewalls are physical devices that are usually placed at the junction or gateway between two networks, generally a private network and a public network like the internet. Hardware firewalls can be a standalone product or can also be built into devices like broadband routers.

As a security precaution, you have implemented IPsec that is used between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement? Host-based IDS VPN concentrator Protocol analyzer Network-based IDS Port scanner

Host-based IDS Explanation A host-based IDS is installed on a single host and monitors all traffic coming into the host. A host-based IDS can analyze encrypted traffic because the host operating system decrypts that traffic as it is received.

Which of the following is a security service that monitors network traffic in real time or reviews the audit logs on servers looking for security violations? IDS Switch Padded cell Firewall

IDS Explanation An IDS (intrusion detection system) is a security service that monitors network traffic in real time or reviews the audit logs on servers looking for security violations.

Which statement is true regarding the application of GPO settings? If a setting is not defined in the Local Group Policy and is defined in the GPO linked to the OU, the setting is not applied. If a setting is defined in the Local Group Policy on the computer and not defined in the GPO linked to the OU, the setting is not applied. If a setting is defined in the Local Group Policy on the computer and defined differently in the GPO linked to the OU, the Local Group Policy setting is applied. If a setting is defined in the Local Group Policy on the computer and not defined in the GPO linked to the OU, the setting is applied.

If a setting is defined in the Local Group Policy on the computer and not defined in the GPO linked to the OU, the setting is applied. Explanation GPOs are applied in the following order: 1. The Local Group Policy on the computer. 2. GPOs linked to the domain that contains the User or Computer object. 3. GPOs linked to the organizational unit(s) that contain(s) the User or Computer object (from the highest-level OU to the lowest-level OU). Individual settings within all GPOs are combined to form the effective Group Policy setting as follows: If a setting is defined in one GPO and undefined in another, the defined setting is enforced (regardless of the position of the GPO in the application order). If a setting is configured in two GPOs, the setting in the last-applied GPO is used.
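The ordering rules above can be modeled directly. This Python example is added here and is not from the page: the GPO names and settings are constructed, and it deliberately ignores Block Inheritance and Enforced links, which would alter the order in a real domain. It returns, for each setting, the effective value and the GPO that supplied it, which is the question you are answering when a local policy shows Not configured but the setting is plainly in effect.

```python
NOT_CONFIGURED = None

# Constructed GPOs (names and settings are made up for this example).
# A value of None means "Not configured": it never overrides an earlier value.
LOCAL_GPO = {
    "HideProgramsAndFeatures": NOT_CONFIGURED,
    "DisableCmd": "Enabled",          # defined only locally: stays in effect
    "PasswordHistory": 5,             # overridden by the domain-linked GPO below
}
DOMAIN_GPOS = [
    ("Default Domain Policy", {"PasswordHistory": 24, "MinPasswordLength": 12}),
]
OU_GPOS = [  # highest-level OU first, the OU closest to the user object last
    ("OU=Corp", {"HideProgramsAndFeatures": "Enabled", "MinPasswordLength": 14}),
    ("OU=Helpdesk,OU=Corp", {"HideProgramsAndFeatures": "Disabled"}),
]


def application_order(local, domain_gpos, ou_gpos):
    """Local -> domain-linked -> OU-linked (top-level OU down to the user's OU)."""
    return [("Local Group Policy", local)] + list(domain_gpos) + list(ou_gpos)


def effective_policy(local, domain_gpos, ou_gpos):
    """Merge settings in application order. A defined value replaces any earlier
    value (last-applied GPO wins); 'Not configured' leaves the earlier value alone.
    Returns {setting: (value, name of the GPO that supplied it)}."""
    effective = {}
    for gpo_name, settings in application_order(local, domain_gpos, ou_gpos):
        for setting, value in settings.items():
            if value is NOT_CONFIGURED:
                continue
            effective[setting] = (value, gpo_name)
    return effective


def trace_setting(setting, local, domain_gpos, ou_gpos):
    """Every GPO, in application order, that configures `setting`: the list to
    walk when troubleshooting where a setting is being turned on."""
    return [(name, s[setting])
            for name, s in application_order(local, domain_gpos, ou_gpos)
            if s.get(setting) is not NOT_CONFIGURED]


if __name__ == "__main__":
    for setting, (value, source) in effective_policy(LOCAL_GPO, DOMAIN_GPOS, OU_GPOS).items():
        print(f"{setting:25} = {value!s:10} (from {source})")
    print(trace_setting("HideProgramsAndFeatures", LOCAL_GPO, DOMAIN_GPOS, OU_GPOS))
```

In this data DisableCmd survives from the Local Group Policy because nothing later defines it, PasswordHistory is replaced by the domain GPO, and HideProgramsAndFeatures ends up Disabled because the Helpdesk OU is applied last, even though its parent OU enabled it.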

An e-commerce company recently identified suspicious activity on its web-based application suggesting a zero-day exploit. The security team suspects that a vulnerability in the application might be under active exploitation by malicious actors before the company identified and patched it. With no known fixes available for a zero-day exploit, what should be the initial course of action for the security team to minimize potential damage and safeguard the application and its users? Implement intrusion detection systems (IDS) and application firewalls. Enforce password changes for all users. Update the antivirus software on all company devices. Perform a comprehensive system backup.

Implement intrusion detection systems (IDS) and application firewalls. Explanation IDS and application firewalls provide immediate protection by identifying and blocking potentially malicious activity, thus serving as an effective response to zero-day exploits in a web-based application.

A multinational corporation is upgrading its IT infrastructure to enhance security governance and streamline its change management process. The IT department is considering various strategies to accomplish this update. Which strategy MOST effectively achieves the corporation's goals, considering the inherent risks and benefits? Implementing automation and scripting to perform tasks quickly and efficiently Using proprietary security solutions without automation Outsourcing the entire IT operations to a third-party vendor Manual monitoring of security controls and change management protocols

Implementing automation and scripting to perform tasks quickly and efficiently Explanation Automation and scripting enhance efficiency and security, which aligns with the corporation's goals. The IT department should use automation and scripting with care to prevent potential risks.

A financial institution is evaluating its incident response plan and wants to incorporate automation to accelerate the detection and mitigation of security breaches. The security team must ensure that the automation does not inadvertently cause additional issues or conflicts. What is the BEST approach the team should employ when incorporating automation? Utilizing a manual-only approach without integrating any automation tools. Integrating automation tools with real-time monitoring and alerting capabilities. Deploying automation scripts without testing or validation. Outsourcing automation development to a non-specialized third-party vendor.

Integrating automation tools with real-time monitoring and alerting capabilities. Explanation Integrating automation tools with real-time monitoring and alerting provides timely detection and mitigation of security breaches. This approach aligns with the financial institution's goal of accelerating incident response without compromising security.

You are a security analyst at a large corporation. Your company has recently implemented an Open Authorization (OAuth) system to allow third-party applications to access company resources. One day, you notice an unusual amount of data being transferred from your company's servers to an unknown third-party application. What should be your first course of action? Ignore the situation as the OAuth system is designed to allow third-party applications to access company resources. Investigate the third-party application to understand why it is accessing a large amount of data. Immediately block all data transfers to the third-party application without further investigation. Report the situation to the company's legal department without conducting any further investigation.

Investigate the third-party application to understand why it is accessing a large amount of data. Explanation Investigating the third-party application is the correct answer. This action will help you understand why the OAuth system is accessing a large amount of data. This could reveal whether the data transfer is legitimate or if there is a potential security breach.

Which of the following BEST describes the role of event metadata in network security? It provides the specific notification or alert the process raises. It is the data that is generated by processes running on network appliances and general computing hosts. It is the source and time of the event, which can include a host or network address, a process name, and categorization/priority fields. It is used to synchronize each host to the same date, time value, and format.

It is the source and time of the event, which can include a host or network address, a process name, and categorization/priority fields. Explanation The source and time of the event is the correct answer. Event metadata provides context about the event, including its source and time. This can include a host or network address, a process name, and categorization/priority fields. This information is crucial for understanding and investigating security incidents.

You are concerned that the accountant in your organization might have the chance to modify financial information and steal from the company. You want to periodically have another person take over all accounting responsibilities to catch any irregularities. Which security principle are you implementing by periodically shifting accounting responsibilities? Need to know Separation of duties Explicit deny Job rotation Principle of least privilege

Job rotation Explanation Job rotation is a technique where users are cross-trained in multiple job positions and responsibilities are regularly rotated between personnel. Job rotation can be used for training purposes, but also allows for oversight of past transactions. As jobs rotate, personnel in new positions have the chance to review actions taken by others in that same position and catch security problems.

A cybersecurity manager is preparing to begin working when a police officer comes through the door waving a subpoena. The officer states that the company is under investigation for suspicious activities relating to recent overseas sales, and they are taking the servers with them. What gives police officers the right to take the servers? Digital forensics Data acquisition Due process Legal hold

Legal hold Explanation Legal hold refers to the maintenance of information potentially relevant to a case. Legal holds include taking papers, hard drives, CDs, workstations, and servers.

Your company is about to begin litigation, and you need to gather information. You need to get emails, memos, invoices, and other electronic documents from employees. You'd also like to get printed, physical copies of documents. Which tool would you use to gather this information? Timestamps Chain of custody Timeline of events Legal hold

Legal hold Explanation You would use a legal hold. The purpose behind a legal hold is to help ease the burden of the IT and legal teams as they gather evidentiary documentation. This notice instructs employees to retain any electronically stored information, or ESI.

You are a network administrator for a large multinational corporation. The corporation has offices in multiple countries and uses various software products from different vendors. The CEO wants to implement a system that stores information about users, computers, security groups/roles, and services, and allows for interoperability between different vendors' products. Which directory service would you recommend? X.500 Lightweight Directory Access Protocol (LDAP) Active Directory Novell Directory Services (NDS)

Lightweight Directory Access Protocol Explanation Lightweight Directory Access Protocol (LDAP) is the correct answer. LDAP is a protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information. Most directory services, including those from different vendors, are based on LDAP, which allows for interoperability.

Which of the following principles is implemented in a mandatory access control model to determine object access by classification level? Principle of least privilege Need to know Separation of duties Ownership Clearance

Need to know Explanation Need to know is used with mandatory access control environments to implement granular control over access to segmented and classified data.

DLP can be implemented as a software or hardware solution that analyzes traffic in an attempt to detect sensitive data that is being transmitted in violation of an organization's security policies. Which of the following DLP implementations analyzes traffic for data containing such things as financial documents, social security numbers, or key words used in proprietary intellectual property? Endpoint DLP Network DLP File-level DLP Cloud DLP

Network DLP Explanation Network DLP is a software or hardware solution that is typically installed near the network perimeter. Network DLP analyzes network traffic in an attempt to detect sensitive data that is being transmitted in violation of an organization's security policies.

Which of the following is the MOST likely to happen if the firewall managing traffic into the screened subnet fails? Only the servers in the screened subnet are compromised, but the LAN will stay protected. Nothing will happen - all devices will stay protected. The LAN is compromised, but the screened subnet stays protected. All devices in the screened subnet and LAN will be compromised.

Only the servers in the screened subnet are compromised, but the LAN will stay protected. Explanation If the firewall managing traffic into the screened subnet fails, only the servers in the screened subnet are subject to compromise. The LAN is protected by default.

In a company, different departments actively access various cloud-based applications and services to perform their tasks efficiently. The company's security team has concerns about the growing complexity and risks of managing user credentials across multiple platforms. To address this concern proactively, the team implements a modern authentication solution that actively provides single sign-on (SSO) capabilities, ensuring enhanced user convenience and security. In this scenario, which technology should the organization proactively employ for federation and enabling SSO capabilities effectively across the diverse range of cloud-based applications? Public key infrastructure (PKI) Open Authorization (OAuth) Lightweight Directory Access Protocol (LDAP) Role-based access control (RBAC)

Open Authorization (OAuth) Explanation In this scenario, the organization uses Open Authorization (OAuth) for federation, allowing secure authorization and delegation of user access to third-party applications without exposing user credentials.

Which of the following mechanisms can you use to add encryption to email? (Select two.) Reverse DNS PGP HTTPS Secure Shell S/MIME

PGP and S/MIME Explanation Use Pretty Good Privacy (PGP) or Secure MIME (S/MIME) to add encryption to emails.

In the context of a syslog message, which of the following components is calculated from the facility and severity level? PRI code Message Header Timestamp

PRI Code Explanation PRI code is the correct answer. The PRI code in a syslog message is calculated from the facility and severity level. The facility refers to the source of the message (like a hardware device, a protocol, or a module of the system software), and the severity level indicates how urgent or critical the message is.

Which of the following types of site surveys should be performed first? Active Passive Ad hoc Predictive

Passive Explanation An initial site survey performed should be a passive survey. This survey is performed without the analyzer connecting to any specific WAP and is in a listen-only mode.

The IT department at a medium-sized company is exploring ways to enhance its authentication methods to improve security. They want to choose an authentication approach that balances security and user convenience. Which authentication method eliminates the need for passwords and provides a secure way of verifying a user's identity based on the device's hardware or software characteristics? Biometric authentication Multi-factor authentication Attestation Passwordless authentication

Passwordless authentication Explanation Passwordless authentication eliminates traditional passwords and relies on other factors such as biometrics, security keys, or mobile push notifications for user verification.

A leading online retail company wants to improve user experience and security for its customers. The security team aims to eliminate the need for users to remember or input complex passwords, reducing the risk of password breaches. Instead, they propose a solution where users can access their accounts seamlessly through a secure link sent to their verified email or via a push notification on a trusted device. This approach should not involve traditional passwords, fingerprint scans, or multiple validation steps. Which authentication method is the security team planning to implement for users? Multi-factor authentication Attestation Passwordless authentication Biometric authentication

Passwordless authentication Explanation Passwordless authentication eliminates traditional passwords and relies on other factors like biometrics, security keys, or mobile push notifications for user verification.

As a digital forensics investigator, you are tasked with investigating a potential data breach in your organization. You suspect that a sophisticated malware has infiltrated the system and is deleting its traces from the hard drive after executing its operations. Which of the following steps would be the MOST effective in capturing the evidence of this malware's activity? Conducting a network traffic analysis. Performing a system memory dump. Checking the system's event logs. Running a full system antivirus scan.

Perform a system memory dump Explanation Performing a system memory dump is the correct answer. A system memory dump involves capturing the contents of the system's RAM. Since the suspected malware is running and then deleting its traces, its activities would be present in the system memory. A memory dump would provide a snapshot of the system's state at a particular point in time, including the activities of all running processes, which would provide the necessary evidence.

An active IDS system often performs which of the following actions? (Select two.) Traps and delays the intruder until the authorities arrive. Requests a second logon test for users performing abnormal activities. Cannot be detected on the network because it takes no detectable actions. Performs reverse lookups to identify an intruder. Updates filters to block suspect traffic.

Performs reverse lookups to identify an intruder. Updates filters to block suspect traffic. Explanation An active IDS performs behaviors that can be seen by anyone watching the network. Usually, these actions are necessary to block malicious activities or discover the identity of an intruder. Updating filters and performing reverse lookups are common behaviors of an active IDS.

A multinational corporation wants to enhance its security infrastructure by deploying an intrusion detection system (IDS) across its global network. The IT manager is considering the placement of IDS sensors to ensure comprehensive network visibility. Which IDS sensor placement is the MOST effective in this scenario? Place the IDS sensors on the external network. Place the IDS sensors on the internal network. Place the IDS sensors near the network perimeter. Place the IDS sensors at network choke points.

Place the IDS sensors at network choke points. Explanation Placing the IDS sensors at network choke points ensures that they can monitor both inbound and outbound traffic, providing comprehensive visibility across the network. This helps detect malicious activity at the earliest possible stage.

A medium-sized organization is upgrading its network infrastructure to secure its enterprise infrastructure by implementing an intrusion prevention system (IPS) and an intrusion detection system (IDS). The organization has sensitive data in different security zones, and the IT manager has concerns regarding the attack surface and network connectivity. Which of the following placements of the IPS/IDS devices would be MOST effective in this scenario? Place the IPS/IDS devices near the load balancer to monitor traffic distribution. Place the IPS/IDS devices at each end of the VPN tunnel to monitor remote access. Place the IPS/IDS devices at the network perimeter to monitor inbound and outbound traffic. Place the IPS/IDS devices just inside the organization's firewall to monitor the internal network.

Place the IPS/IDS devices at the network perimeter to monitor inbound and outbound traffic. Explanation Placing the IPS/IDS devices at the network perimeter allows for monitoring of all inbound and outbound traffic, providing comprehensive visibility and enabling immediate response to potential threats.

A technician wants to implement automation within the team's workspace. How does complexity impact automation and orchestration? It can quickly erode if they do not continue the needed patches and updates. Poorly planned strategies can make systems difficult to maintain. It can impact multiple areas of the organization, causing widespread problems. It can result in poorly documented code, leading to instability and increased costs.

Poorly planned strategies can make systems difficult to maintain. Explanation While automation and orchestration provide numerous benefits, they can also present numerous challenges. A poorly planned or executed automation strategy can add complexity, making systems difficult to maintain.

You decide to use a packet sniffer to identify the type of traffic sent to a router. You run the packet sniffing software on a device that is connected to a hub with three other computers. The hub is connected to a switch that is connected to the router. When you run the software, you see frames addressed to the four workstations, but not to the router. Which feature should you configure on the switch? Port mirroring Promiscuous mode Bonding Spanning Tree Protocol

Port mirroring Explanation A switch only forwards packets to the switch port that holds a destination device. This means that when your packet sniffer is connected to a switch port, it does not see traffic sent to other switch ports. To configure the switch to send all frames to the packet sniffing device, configure port mirroring on the switch. With port mirroring, all frames sent to all other switch ports are forwarded on the mirrored port.

Which of the following statements about PowerShell is true? PowerShell scripts cannot run in the memory of the system and always need an executable to run. PowerShell is a management framework developed by Apple to replace Terminal. PowerShell uses cmdlets to execute commands. PowerShell is built on the Java framework and can only be run on Linux operating systems.

PowerShell uses cmdlets to execute commands. Explanation PowerShell uses cmdlets, which are small scripts that perform certain functions, to execute commands.

A company acquires a smaller company and has its in-house technical team review the new systems before allowing them on the existing network. During this review, the technical team discovers users with unnecessary permissions, user accounts for former employees, and no longer needed groups. These discoveries indicate the violation of what BEST practice? Configuration enforcement File system permissions Access control Principle of least privilege

Principle of least privilege Explanation The principle of least privilege dictates that users, applications, and processes have the minimum permissions necessary to complete their duties and nothing more. This best practice helps ensure the security of the entire network.

Which of the following are differences between RADIUS and TACACS+? RADIUS encrypts the entire packet contents; TACACS+ only encrypts the password. RADIUS uses TCP; TACACS+ uses UDP. RADIUS combines authentication and authorization into a single function; TACACS+ allows these services to be split between different servers. RADIUS supports more protocols than TACACS+.

RADIUS combines authentication and authorization into a single function; TACACS+ allows these services to be split between different servers.

Which of the following are the access levels that are generally granted on the directory in LDAP? (Select two.) Execute access Read-only access Read/write access Full control access Delete access

Read-only access Read-write access Explanation The following are the access levels generally granted on the directory in LDAP: Read-only access (query) - This level of access allows users to view and query the data in the directory but not modify it. It's essential for users who need to retrieve information but should not change it. Read/write access (update) - This level of access allows users to both view and modify the data in the directory. It's necessary for users who need to update or change the information in the directory.

An attacker has intercepted near-field communication (NFC) data and is using that information to masquerade as the original device. Which type of attack is being executed? Relay Bluesnarfing Cloning Disassociation

Relay Explanation This scenario describes a relay attack. A relay attack occurs when an attacker can capture NFC data in transit and use the information to masquerade as the original device.

Which of the following app deployment and update methods allows updates to be uploaded onto Intune where they can be pushed out to users within 24 hours? Self-service portal App catalog BYOD Remote management

Remote management Explanation With remote management, all app types (except for line-of-business apps) automatically update as needed. Updates can be uploaded onto Intune where they can be pushed out to users within 24 hours.

You are implementing security at a local high school that is concerned with students accessing inappropriate material on the internet from the library's computers. The students use the computers to search the internet for research paper content. The school budget is limited. Which content filtering option would you choose? Block all content except for content you have identified as permissible. Block specific DNS domain names. Restrict content based on content categories. Allow all content except for the content you have identified as restricted.

Restrict content based on content categories Explanation Restricting content based on categories would provide the most protection with the least amount of research and involvement.

You are a cybersecurity consultant hired by a company that has recently experienced a data breach. After an initial investigation, you discover that the breach originated from a compromised workstation where the user frequently used a web browser with multiple add-ons. What is the most effective action to take to enhance browser privacy and prevent future breaches? Turn off Remember search and form history Review and uninstall inappropriate add-ons Clear the web browser cache Disable all browser add-ons

Reviewing and uninstalling inappropriate add-ons Explanation Reviewing and uninstalling inappropriate add-ons is the correct answer. By reviewing and uninstalling inappropriate or potentially malicious add-ons, you can directly address the source of the problem and enhance the browser's security and privacy.

Which of the following is an example of rule-based access control? A subject with a government clearance that allows access to government classification labels of Confidential, Secret, and Top Secret. Router access control lists that allow or deny traffic based on the characteristics of an IP packet. A member of the accounting team that is given access to the accounting department documents. A computer file owner who grants access to the file by adding other users to an access control list.

Router access control lists that allow or deny traffic based on the characteristics of an IP packet. Explanation A router access control list that allows or denies traffic based on the characteristics of an IP packet is an example of rule-based access control.

Which of the following systems is able to respond to low-level security events without human assistance? Firewall IDS SOAR SIEM

SOAR Explanation Security orchestration, automation, and response (SOAR) systems gather and analyze data like SIEM systems, but they take the analysis to the next level. SOAR is a solution stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance.

Which type of wireless access point is generally used in a residential setting? WLC LWAP SOHO Bridge

SOHO Explanation In a small office or residential location, a Small Office Home Office (SOHO) wireless router is often used. These devices are three different devices in one: A router function connects the internal LAN to the internet. A switch portion connects the internal wired LAN devices. An access point portion allows the internal wireless devices to connect to the network.

A tech company is in the process of decommissioning a fleet of old servers. It wants to ensure that sensitive data stored on these servers is fully eliminated and is not accessible in the event of unauthorized attempts. What primary process should the company implement before disposing of or repurposing these servers? Moving the servers to a secure storage location Sanitizing the servers Selling the servers immediately Deleting all the files on the servers

Sanitizing the servers

Which of the following is another name for a firewall that performs router functions? Screened-host gateway Screening router Screened subnet Dual-homed gateway

Screening router Explanation A firewall performing router functions is considered a screening router. A screening router is the router that is most external to your network and closest to the internet. It uses access control lists (ACLs) to filter packets as a form of security.

In a multinational corporation, employees across various departments regularly access many cloud-based applications to fulfill their tasks efficiently. The company's security team is grappling with managing user credentials securely and efficiently across these diverse platforms. They are actively looking to improve user authentication and streamline access to these applications while ensuring robust security measures are in place. In this scenario, what technology should the company implement to enable single sign-on (SSO) capabilities and ensure secure authentication across its diverse cloud-based applications? Remote Authentication Dial-In User Service (RADIUS) Security Assertion Markup Language (SAML) Virtual private network (VPN) Lightweight Directory Access Protocol (LDAP)

Security Assertion Markup Language (SAML) Explanation Security Assertion Markup Language (SAML) enables secure SSO across various applications by exchanging authentication and authorization data between parties through an extensible markup language (XML)-based protocol.

As a cybersecurity analyst, you are tasked with improving the security posture of your organization. You are considering the implementation of a Security Information and Event Management (SIEM) system. Which component of the SIEM system would be MOST critical for monitoring and securing network endpoints, services, and other vulnerable locations? Vulnerability scan output Sensors SIEM dashboards Trends

Sensors Explanation Sensors are the correct answer. Sensors are a vital part of monitoring and securing a network. They are set up at critical endpoints, services, and other vulnerable locations and are programmed to send customized alerts to the SIEM system if specific parameters are not within the acceptable range.

Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database? Stateful-inspection-based IDS Signature-based IDS Heuristics-based IDS Anomaly-analysis-based IDS

Signature-based IDS Explanation A signature-based IDS, or pattern-matching-based IDS, is a detection system that searches for intrusion or attack attempts by recognizing patterns that are listed in a database.

A cybersecurity analyst for a large organization is enhancing the company's security posture. The analyst notices increased alerts related to a particular known exploit in the company's server software. The company's intrusion detection system (IDS) has a rule specifically for this exploit. In the given scenario, which detection method should the analyst modify or enhance to effectively detect and alert for this specific exploit? Anomaly-based detection Signature-based detection Trend analysis Behavioral-based detection

Signature-based detection Explanation Since the exploit is known and the IDS already has a rule set for signature-based detection of this specific exploit, enhancing or focusing on signature-based detection would be the most effective method.

Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database? Heuristics-based IDS Signature-based IDS Stateful-inspection-based IDS Anomaly-analysis-based IDS

Signature-based IDS Explanation A signature-based IDS, or pattern-matching-based IDS, is a detection system that searches for intrusion or attack attempts by recognizing patterns that are listed in a database.

A cybersecurity analyst for a large organization is enhancing the company's security posture. The analyst notices increased alerts related to a particular known exploit in the company's server software. The company's intrusion detection system (IDS) has a rule specifically for this exploit. In the given scenario, which detection method should the analyst modify or enhance to effectively detect and alert for this specific exploit? Trend analysis Signature-based detection Anomaly-based detection Behavioral-based detection

Signature-based detection Explanation Since the exploit is known and the IDS already has a rule set for signature-based detection of this specific exploit, enhancing or focusing on signature-based detection would be the most effective method.

An educational institution's systems administrator is responsible for securing the LDAP directory service for the organization's computing resources. Which authentication method should the systems administrator implement to ensure secure access? LDAP Secure (LDAPS) Simple Authentication and Security Layer (SASL) Simple Bind No authentication

Simple Authentication and Security Layer (SASL) Explanation SASL allows the client and server to negotiate a supported authentication mechanism and provides the option to use the command STARTTLS for encryption and message integrity. This feature is a secure way to access the Lightweight Directory Access Protocol (LDAP) directory.

An educational institution's systems administrator is responsible for securing the LDAP directory service for the organization's computing resources. Which authentication method should the systems administrator implement to ensure secure access? LDAP Secure (LDAPS) No authentication Simple Authentication and Security Layer (SASL) Simple Bind

Simple Authentication and Security Layer (SASL) Explanation SASL allows the client and server to negotiate a supported authentication mechanism and provides the option to use the command STARTTLS for encryption and message integrity. This feature is a secure way to access the Lightweight Directory Access Protocol (LDAP) directory.

A tech director evaluates the benefits of implementing automation and orchestration into the organization after receiving approval and funding notification for the annual budget. Knowing several benefits tied to automation, what challenges exist when managing automation? (Select three.) Single point of failure Applying patches and updates Technical debt Cost Implementation time Staff retention Risk of human error

Single point of failure Technical debt Cost

Which of the following are examples of something you have authentication controls? (Select two.) Voice recognition Cognitive question Handwriting analysis Smart card Photo ID PIN

Smart Card Photo ID

A network administrator at an international baked goods corporation is configuring the company's security infrastructure. The company has recently had issues with raw Transmission Control Protocol (TCP) packets over open ports by malware, and the administrator needs to be able to inspect packet contents to ensure the application protocol matches the port. The company wants session-state tracking enabled and the ability to block malicious attempts to start bogus sessions. Which of the following devices should the network administrator focus on implementing? Bridged firewall Stateless packet filtering firewall Stateful multilayer inspection firewall Stateful inspection layer 4 firewall

Stateful multilayer inspection firewall Explanation A stateful inspection application-aware firewall can inspect the contents of application packets and verify the protocol-port match. It can also track the state of sessions and block bogus sessions.

A network administrator at an international baked goods corporation is configuring the company's security infrastructure. The company has recently had issues with raw Transmission Control Protocol (TCP) packets over open ports by malware, and the administrator needs to be able to inspect packet contents to ensure the application protocol matches the port. The company wants session-state tracking enabled and the ability to block malicious attempts to start bogus sessions. Which of the following devices should the network administrator focus on implementing? Stateful multilayer inspection firewall Stateless packet filtering firewall Stateful inspection layer 4 firewall Bridged firewall

Stateful multilayer inspection firewall Explanation A stateful inspection application-aware firewall can inspect the contents of application packets and verify the protocol-port match. It can also track the state of sessions and block bogus sessions.

In a Kerberos authentication system, how does the Ticket Granting Service (TGS) contribute to the single sign-on (SSO) process? The TGS issues service tickets to clients for accessing specific services. The TGS encrypts all data transferred between the client and the application server. The TGS generates the initial Ticket Granting Ticket (TGT) for the client. The TGS validates the client's password and username.

The TGS issues service tickets to clients for accessing specific services. Explanation The TGS issues service tickets to clients after they have been authenticated. These service tickets allow clients to access specific services without having to re-authenticate.

You are the IT security manager at a large organization that is implementing a single sign-on (SSO) solution for the first time. The SSO solution uses the Kerberos protocol. During a meeting, your team discusses the following options for the initial step in the Kerberos authentication process. Which option should be the initial step in the Kerberos authentication process? The client sends a request to the Authentication Server (AS) for a Ticket Granting Ticket (TGT). The client sends a request to the Ticket Granting Service (TGS) for a service ticket. The client sends a request to the service server for a service ticket. The client sends a request to the Key Distribution Center (KDC) for a session key.

The client sends a request to the Authentication Server (AS) for a Ticket Granting Ticket (TGT). Explanation The first step in the Kerberos authentication process is for the client to send a request to the Authentication Server (AS) for a Ticket Granting Ticket (TGT). The AS verifies the client's credentials and, if valid, issues a TGT. The TGT is then used to request service tickets from the TGS. This is the correct answer.

As a digital forensic analyst, you have completed an investigation and are now tasked with creating a report summarizing your findings. Which of the following principles should guide your report writing? The report should be biased towards the hypothesis you initially formed about the case. The report should only include conclusions and opinions formed from the direct evidence under analysis. The analysis methods used should not be repeatable by third parties. The evidence must not be changed or manipulated unless necessary. If it is changed or manipulated, the reasons why and process used must be recorded.

The evidence must not be changed or manipulated unless necessary. If it is changed or manipulated, the reasons why and process used must be recorded. Explanation The evidence in a digital forensics investigation must not be changed or manipulated unless it is necessary for the analysis. If the evidence must be manipulated, the reasons for doing so and the process of doing so must be recorded. Recording this information ensures the integrity of the evidence and the investigation process.

As a digital forensic analyst, you have completed an investigation and are now tasked with creating a report summarizing your findings. Which of the following principles should guide your report writing? The report should be biased towards the hypothesis you initially formed about the case. The evidence must not be changed or manipulated unless necessary. If it is changed or manipulated, the reasons why and process used must be recorded. The analysis methods used should not be repeatable by third parties. The report should only include conclusions and opinions formed from the direct evidence under analysis.

The evidence must not be changed or manipulated unless necessary. If it is changed or manipulated, the reasons why and process used must be recorded. Explanation The evidence in a digital forensics investigation must not be changed or manipulated unless it is necessary for the analysis. If the evidence must be manipulated, the reasons for doing so and the process of doing so must be recorded. Recording this information ensures the integrity of the evidence and the investigation process.

While investigating a potential cybercrime, a junior digital forensics specialist leaves an important hard drive in a public area overnight. A senior digital forensics specialist finds the hard drive in the morning and says that it is no longer evidence in the case. What made the hard drive unusable in court? (Select two.) The forensics team did not maintain the provenance of the hard drive. The forensics team did not maintain the chain of custody. The forensics team did not provide a digital forensics report. The forensics team did not maintain the legal hold of the hard drive. The forensics team did not maintain the order of volatility for the hard drive.

The forensics team did not maintain the provenance of the hard drive. The forensics team did not maintain the chain of custody. Explanation The following aspects of this situation make the hard drive unusable in court: Maintaining the proper chain of custody on any physical evidence at all times is crucial. The hard drive left overnight in a public location is suspect for compromise, rendering it inadmissible in a court of law. Provenance shows that evidence moves directly from the crime scene without tampering. Provenance is no longer provable, as the hard drive was left alone overnight.

What is the purpose of implementing the principle of least privilege in endpoint protection? To enforce mandatory security configurations on devices. To grant users, applications, and processes only the minimum necessary permissions. To restrict access to specific network resources. To manage firewall rules across an organization's network.

To grant users, applications, and processes only the minimum necessary permissions. Explanation The purpose of implementing the principle of least privilege (PoLP) in endpoint protection is to grant users, applications, and processes the minimum necessary permissions required to perform their specific duties and tasks.

An active IDS system often performs which of the following actions? (Select two.) Updates filters to block suspect traffic. Performs reverse lookups to identify an intruder. Traps and delays the intruder until the authorities arrive. Cannot be detected on the network because it takes no detectable actions. Requests a second logon test for users performing abnormal activities.

Updates filters to block suspect traffic. Performs reverse lookups to identify an intruder. Explanation An active IDS performs behaviors that can be seen by anyone watching the network. Usually, these actions are necessary to block malicious activities or discover the identity of an intruder. Updating filters and performing reverse lookups are common behaviors of an active IDS.

You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a locked server closet. You use an FTP client to regularly back up the router configuration to a remote server in an encrypted file. You access the router configuration interface from a notebook computer that is connected to the router's console port. You've configured the device with the username admin01 and the password P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device? Use encrypted Type 7 passwords. Move the router to a secure data center. Use SCP to back up the router configuration to a remote location. Use an SSH client to access the router configuration.

Use SCP to back up the router configuration to a remote location. Explanation In this scenario, the router configuration is being copied to a remote location using an unsecure protocol (File Transfer Protocol) that transfers data in cleartext. You should instead use the Secure Copy Protocol (SCP) to transfer the backup from the router to the remote storage location.

You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a locked server closet. You use an FTP client to regularly back up the router configuration to a remote server in an encrypted file. You access the router configuration interface from a notebook computer that is connected to the router's console port. You've configured the device with the username admin01 and the password P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device? Use SCP to back up the router configuration to a remote location. Use encrypted Type 7 passwords. Move the router to a secure data center. Use an SSH client to access the router configuration.

Use SCP to back up the router configuration to a remote location. Explanation In this scenario, the router configuration is being copied to a remote location using an unsecure protocol (File Transfer Protocol) that transfers data in cleartext. You should instead use the Secure Copy Protocol (SCP) to transfer the backup from the router to the remote storage location.

You are the head of the IT department at a large corporation. Your company has just completed a major data migration project and you now have a significant number of old hard drives that contain sensitive company data. You need to ensure this data is completely destroyed to prevent any potential data breaches. Which method would you choose and why? Physically destroy the drives by pulverizing them. Overwrite the data on the drives and then reuse them within the company. Overwrite the data on the drives and then sell them to a recycling company. Use a third-party service to degauss the drives.

Use a third-party service to degauss the drives. Explanation Using a third-party service to degauss the drives is the correct answer. Degaussing changes the magnetic field of the drive, rendering it unusable and the data unrecoverable. This is a secure method of data destruction for highly sensitive data. However, it means the drives cannot be reused.

You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID for access. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using a Telnet client with a username of admin and a password of P@ssW0rd. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device? (Select two.) Use encrypted Type 7 passwords. Use a web browser to access the router configuration using an HTTP connection. Use TFTP to back up the router configuration to a remote location. Use an SSH client to access the router configuration. Change the default administrative username and password.

Use an SSH client to access the router configuration. Change the default administrative username and password. Explanation In this scenario, two key security issues need to be addressed. They are: You should use an SSH client to access the router configuration. Telnet transfers data in cleartext over the network connection, exposing sensitive data to sniffing. You should change the default administrative username and password. Default usernames and passwords are readily available from websites on the internet.

You have a company network that is connected to the internet. You want all users to have internet access, but you need to protect your private network and users. You also need to make a web server publicly available to internet users. Which solution should you use? Use firewalls to create a screened subnet. Place the web server inside the screened subnet and the private network behind the screened subnet. Use firewalls to create a screened subnet. Place the web server and the private network inside the screened subnet. Use a single firewall. Put the web server and the private network behind the firewall. Use a single firewall. Put the web server in front of the firewall and the private network behind the firewall.

Use firewalls to create a screened subnet. Place the web server inside the screened subnet and the private network behind the screened subnet. Explanation A screened subnet (or DMZ) is a buffer network (or subnet) that sits between the private network and an untrusted network such as the internet. A common configuration uses two firewalls, one connected to the public network and one connected to the private network. Publicly-accessible resources (servers) are placed inside the screened subnet. Examples of publicly-accessible resources include web, FTP, or email servers. Private resources that are not accessible from the internet are placed behind the screened subnet (behind the inner firewall).

You are a system administrator and you notice that a particular user's processes are consuming an unusually high amount of system resources, causing performance issues for other users. You decide to use the ulimit command to limit the resources available to this user's processes. Which of the following options would be the MOST effective solution and why? Use the -f option to limit the file size of files created using the shell session. Use the -u option to limit the number of concurrent processes the user can run. Use the -t option to limit the amount of CPU time a process can use. Use the -n option to limit the maximum number of files that the user can open.

Use the -t option to limit the amount of CPU time a process can use. Explanation Limiting the amount of CPU time a process can use would be the most effective solution in this case. This would prevent any single process run by the user from consuming too much CPU time and causing performance issues for other users.

As a cybersecurity expert, you are advising a company on best practices for general web browser security. Which of the following measures is MOST crucial to prevent unauthorized file downloads? Turn off Accept third-party cookies. Use the Always ask me where to save files option. Enable the Block Pop-up windows option. Turn off Remember search and form history.

Use the Always ask me where to save files option.

You have just configured the password policy and set the minimum password age to 10. What is the effect of this configuration? Users cannot change the password for 10 days. The previous 10 passwords cannot be reused. The password must be entered within 10 minutes of the login prompt being displayed. Users must change the password at least every 10 days. The password must contain 10 or more characters.

Users cannot change the password for 10 days. Explanation The minimum password age setting prevents users from changing the password too frequently. After the password is changed, it cannot be changed again for at least 10 days.

Which of the following identification and authentication factors are often well known or easily discovered by others on the same network or system? Username Biometric reference profile PGP secret key Password

Username

You are a digital forensic analyst working on a high-profile case. You have been given access to a variety of data sources, including dashboards, log data, and host operating system logs. You need to determine the most effective way to gather evidence for your investigation. Which of the following approaches would be the MOST effective? Utilize all the data sources (dashboards, log data, and host operating system logs) to gather a comprehensive set of evidence. Focus only on the log data, as it is a critical resource for investigating security incidents. Concentrate on the host operating system logs as they record events as users and software interact with the system. Rely solely on the dashboard as it provides a summary of information drawn from the underlying data sources.

Utilize all the data sources (dashboards, log data, and host operating system logs) to gather a comprehensive set of evidence. Explanation The most effective approach would be to utilize all the data sources, such as dashboards, log data, and host operating system logs. Each of these sources provides a different type of information and can contribute to a comprehensive understanding of the events that occurred. By using all available data sources, a digital forensic analyst can gather the most complete set of evidence for their investigation.

What is the BEST definition of a security incident? Violation of a security policy Interruption of productivity Compromise of the CIA Criminal activity

Violation of a security policy

You want to be able to identify the services running on a set of servers on your network. Which tool would BEST give you the information you need? Protocol analyzer Port scanner Network mapper Vulnerability scanner

Vulnerability scanner Explanation Use a vulnerability scanner to gather information about systems such as the applications or services running on a system. A vulnerability scanner often combines functions found in other tools and can perform additional functions, such as identifying open firewall ports, missing patches, and default or blank passwords.

Which of the following operating systems does Windows Intune NOT support? Apple iOS 8.0 and later Google Android 4.0 Windows Server Windows 10

Windows Server Explanation The document clearly states that Windows Intune cannot be used to manage Windows Server.

A third-party escalation team participates in a newly contracted project with numerous cyber teams. Being unfamiliar with cyberspace, the escalation team struggles to understand concepts and naming conventions. What is automation and orchestration also known as? User provisioning Workforce multiplier Guardrail Resource provisioning

Workforce multiplier Explanation Automation and orchestration, also known as a workforce multiplier, enhances efficiency by quickly and consistently performing repetitive tasks, reduces the burden on security teams, and minimizes the likelihood of human error.
