Trevor Cicala's Security+ Flash Cards
A security manager needs a solution for better management of privileged service accounts. The solution needs the ability to use but not know the password, automatic password changes, and the check-in and checkout of credentials. Which of the solutions below would best provide this functionality? A.A PAM system B.OAuth 2.0 C.OpenID Connect D.Secure Enclave
A.A PAM system PAM = Privileged Account Management. This category of software can offer all of the requirements shown above, and much more. OAuth = Open Authorization. This is used to grant one service limited permissions to interact with another service. It doesn't involve automatic password changes as this is a tool for granting authorization. OpenID Connect combines the functionality of Oauth with the functionality of a SSO (authentication) solution. Secure Enclave is a security subsystem within Apple SOC (systems on a chip). (Lesson 8)
A company's Chief Information Officer (CIO) is meeting with the Chief Information Security Officer (CISO) to plan some activities to enhance the skill levels of the company's developers. Which of the following would be MOST suitable for training the developers? A.A capture-the-flag competition B.A phishing simulation C.Physical security training D.Basic awareness training
A.A capture-the-flag competition Capture the Flag (CTF) is usually used in ethical hacker training programs and gamified competitions. Participants must complete a series of challenges within a virtualized computing environment to discover a flag. The flag will represent either threat actor activity (for blue team exercises) or a vulnerability (for red team exercises). None of the other options would enhance the "SKILL LEVELS" of the developers. (Lesson 8)
A network engineer needs to restrict access to certain network segments by using layer 2 (data-link layer) security mechanisms.Of the options below, what would best meet this need? (Pick two) A.ACL (Access Control List - Can be used on layer 2 or layer 3 to restrict the flow of traffic.) B.MAC (Is it an address or are they talking about mandatory access control?) C.BPDU (A spanning tree message. Not for restricting the follow of traffic.) D.VLAN (Configured on switches) E.ARP (Address Resolution Protocol. Used to link (dynamic) IP addresses to (static) MAC addresses.) F.DNSSEC (DNS is a layer 7 technology and is not for restricting network access.)
A.ACL D.VLAN (Lesson 8)
A web server that require both encrypted and unencrypted web traffic is utilizing default ports. Which of the follow changes should be made to the firewall below? Firewall rules: PORT 22 25 53 80 443 STATUS Open Filtered Filtered Open Open A.Allow 53 from the internet B.Block 25 from the internet C.Block 443 from the internet D.Block 22 from the internet E.Block 80 from the internet
A.Allow 53 from the internet Careful! While 25 is unencrypted and unnecessary for web traffic in general, it is already blocked. (Lesson 10)
Your wireless network has had network connectivity issues, but only in the section of your building closest to your parking lot. Users are reporting being unable to connect to certain network resources and slower speeds while accessing the internet as a whole. Occasionally, users have be reporting web pages that require credentials in order to access them. What is likely the case? A.An external access point is engaging in an evil-twin attack B.The signal on the WAP needs to be increased in that section of the building C.The certificates have expired on the devices and need to be reinstalled D.The users in that section of the building are on a VLAN that is behind a firewall
A.An external access point is engaging in an evil-twin attack (Lesson 9)
Which of the following would best describe the severity of a company's vulnerabilities? A.CVSS B.SIEM C.CVE D.SOAR
A.CVSS The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. CVE is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities. SIEM (Security information and event management) is a service/software that gathers network and application logs in real-time and analyzes them, giving security experts the ability to better monitor and analyze attacks/threats. Sometimes running alongside the SIEM or built into it, SOAR (Security Orchestration, Automation, and Response) was designed to automate and improve response time when a SIEM detects a threat/anomaly on the network. Sometimes referred to as a Next Generation SIEM. (Lesson 3)
Which of the vulnerability scans below would produce the best and most accurate results? A.Credentialed B.Host discovery C.Intrusive D.Port
A.Credentialed A credentialed scan means the vulnerability scanner can access the device and see how it is configured. This gives us a very detailed and accurate scan, with minimal risk, from the point of view of an inside threat actor. (Lesson 3)
Given the following output on an Attacker's system: Status : Cracked Hash.Type : SHA-1 Hash.Target : e653c7526c3a40b47943710427dabaee71ec2267 Time.Started : Tuesday, April 21 1:45:12 2020 Progress : 26845159 / 450365879 (5.96%) hashes Time.Stopped : Tuesday, April 21 1:47:53 2020 Password found : Str0ngP@ssword1! Which of the following BEST describes the type of password attack the attacker is performing? A.Dictionary B.Pash-the-hash C.Brute-force D.Password spraying
A.Dictionary A password that long was broken in a few minutes? Must be a dictionary attack; brute force attacks could take years to crack passwords of that length. (Lesson 7)
After returning from an overseas trip with a company laptop, an employee is unable to establish a VPN on the laptop in the home office. What is the most likely explanation for why they are unable to establish a VPN connection? A.Due to foreign travel, the user's laptop was isolated from the network. B.The user's laptop was quarantined because it missed the latest patch update. C.The VPN client was blacklisted. D.The user's account was put on a legal hold.
A.Due to foreign travel, the user's laptop was isolated from the network. It is very likely that there was a policy in place where the laptop must be scanned or checked back in before it can resume using the VPN service. This type of policy is not unusual, and it may be described as a host health check. (B) is also a possibility, but it seems less likely than (A). (Lesson 9)
A technician needs to create a detailed diagram that shows where all of the company access points are located in the office. What would be the best method for creating this diagram? A.Footprinting B.White-box testing C.A drone/UAV D.Pivoting
A.Footprinting A site survey would be a great answer. Unfortunately, footprinting is the best that we have available to us. (Lesson 9)
The CEO would like employees to be able to work from home in the event of a disaster. However, they are concerned that staff might attempt to work from high risk countries or outsource their work if given the ability to work remotely. What controls could best mitigate the CEO's concerns? (pick two) A.Geolocation B.Time-of-day restrictions C.Certificates D.Tokens E.Geotagging F.Role-based access controls
A.Geolocation B.Time-of-day restrictions (Lesson 8)
Sarah, the CEO of a large bank, decided it would be a good idea to post a controversial opinion to a large public social media profile. Which of the following threat actors would best match somebody who would target Sarah because of this action? A.Hacktivists B.White-hat hackers C.Script kiddies D.Insider threats
A.Hacktivists Posting pollical or divisive opinions in a public matter, especially as an "important" individual, could lead to you being the target of hacking activists. (known as hacktivist) (Lesson 2)
Sarah, a security tech wants to implement a layer 2 solution that can leverage Active Directory for authentication, use switches as a local fallback, and do so on equipment from multiple vendors. Given those requirements, which of the following actions should be taken? A.Implement RADIUS B.Configure AA on the switch with local login as secondary C.Configure port security on the switch with the secondary login method D.Implement TACACS+ E.Enable the local firewall on the Active Directory server F.Implement a DHCP server
A.Implement RADIUS B.Configure AA on the switch with local login as secondary (Lesson 7)
With biometric devices, for the purpose of maximum security, which is best? A.Low FAR B.Low FRR C.Low CER D.High FAR
A.Low FAR (Lesson 7)
After logging into a switch, Bobby, an admin retrieves the following information: Port Fa0/0/1 MAC c6:a3:61:28:17:67, 7a:ac:da:11:b8:e9, 52:5f:a5:c2:91:f1, ae:db:11:2f:5c:29 Which of the following attacks is most likely occuring? A.MAC flooding B.DNS poisoning C.MAC cloning D.ARP poisoning
A.MAC flooding (Lesson 9)
Which of the access control mechanisms listed below uses classification labels? A.Mandatory B.Role-based C.Rule-based D.Discretionary
A.Mandatory In the MAC (mandatory access control) model: •Subjects (users/applications) are granted clearance tags/labels. •Objects (files/folders/etc) are given classification tags/labels. If you have, for example, secret clearance, you are permitted within the MAC model to see secret, confidential, and any other classifications considered to be beneath secret. You cannot see any files with classifications above your clearance level, such as top secret. (Lesson 8)
Which one of the tools below could be used to find out if the corporate server is running unnecessary services? A.Nmap B.DNSEnum C.Wireshark D.Autopsy
A.Nmap DNSEnum is a command-line tool that automatically identifies basic DNS records. Wireshark is a protocol analyzer and packet sniffer that is used for gathering, sorting, and analyzing traffic from a network. Autopsy is a tool for performing data forensics. (Lesson 3)
Before accepting credit cards on a new shopping website, what standard must a company follow? A.PCI DSS (Payment Card Industry Data Security Standard) B.NIST CSF (National Institute of Standards and Technology, Cyber Security Framework) C.ISO 22301 (security & resilience, business continuity management) D.ISO 27001 (information security rules and requirements (compliance/regulations))
A.PCI DSS (Lesson 1)
Employee tablets and phones have been losing WiFi connectivity in specific places within the sale offices. What should a network technician use to determine the source of the problem? (pick two) A.Perform a site survey B.Install a captive portal C.Deploy a FTK imager (Forensics Tool Kit imager is used to quickly assess electronic evidence.) D.Upgrade the security protocols E.Create a heat map F.Scan for rogue access points
A.Perform a site survey E.Create a heat map It sounds like we have a problem with interference or employees are walking out of range. Perform a site survey to figure out where the access points are located, what the building is made of, and which frequencies are in use. Then, create a heat map that details where the signal is strong versus where it is the weakest. We may need to change antennas, adjust the signal strength, use a different channel/frequency, or get a few more access points. (Lesson 9)
Of the control type listed below, what would a mantrap (access control vestibule) or turnstile be considered? A.Physical B.Detective C.Corrective D.Technical
A.Physical A mantrap, access control vestibule, sally port, or air lock: A physical security access control system comprising a small room with two sets of interlocking doors, such that the first set of doors must close before the second set opens. This mechanism seeks to eliminate the threat of piggybacking or tailgating. (Lesson 1)
Which of the following pen-test teams would mimic the tactics used by hackers? A.Red team (emulates attackers (offensive role)) B.White team (monitors the pen-test and sets the rules of engagement) C.Blue team (follows plans/policies to protect the company (defensive role)) D.Purple team (single team that does both the offensive and defensive roles and collaborates throughout the pen-test.)
A.Red team (Lesson 3)
An employee received a text message (SMS) on their phone that asked for them to confirm their social security number and date of birth. Of the options below, what best describes what this employee has experienced? A.Smishing B.SPIM C.Vishing D.Spear phishing
A.Smishing Smishing is text/instant message (SMS) phishing. SPIM is text/instant message spam. Vishing is VOIP (voice) phishing. It requires someone to call you. Spear phishing is a phishing attack that targets a specific individual or group. (Lesson 4)
After entering a password a user is asked to enter an authentication code. What type of MFA factors are being used in this scenario? (pick two) A.Something you know B.Something you have C.Somewhere you are D.Someone you know E.Something you are F.Something you can do
A.Something you know (the password) B.Something you have (authentication code) (Lesson 7)
After a ransomware attack, you need to review a cryptocurrency transaction made by the victim. Which of the following you MOST likely review to trace this transaction? A.The public ledger B.The NetFlow data C.A checksum D.The event log
A.The public ledger "Blockchain is a concept in which an expanding list of transactional records is secured using cryptography. The blockchain is recorded in a public ledger. This ledger does not exist as an individual file on a single computer; rather, one of the most important characteristics of a blockchain is that it is decentralized. The ledger is distributed across a peer-to-peer (P2P) network in order to mitigate the risks associated with having a single point of failure or compromise. Blockchain users can therefore trust each other equally." Page 121 (Lesson 5)
An admin wanted to better understand their company's security posture from a outsider's perspective. Examine the information they gathered below. What is true based off ofthe admin's findings? (pick two) Domain name: wolfcola.com Registry domain ID: 97531 Registrar server: whois.wolfcola.com Updated date: 2019-10-02 Created date: 2001-01-09 Registration expiration: 2022-10-12 Registrar: RegCo, LLC Registrar IANA ID: 2 Domain status: clientTransferProhibited Registry Registrant IDL Registrant name: Business corp Registrant org: Business corp Registrant street:123 Mansion lane Registrant city: Philadelphia Registrant state: PA Registrant country: US Registrant phone 1.609.867.5309 Registrant email: [email protected] Admin: Charlie Kelly Admin org: WolfCola A.They used Whois to produce this output B.They used cURL to produce this output C.They used Wireshark to produce this output. D.The organization has adequate information in public registration. E.The organization has too much information available in public registration. F.The organization has to little information available in the public registration.
A.They used Whois to produce this output E.The organization has too much information available in public registration. This is an output from a Whois search. Contact information (phone number, email, address of registrant) should not be stored in the Whois as per the GDPR. (Lesson 6)
Sales employees regularly utilize the same fantasy football website as other sales associates working for other companies. Which of the following attacks is the highest concern in this scenario? A.Watering-hole attack (involves attacking a 3rd party site in order to gain access to the real target.) B.Credential harvesting (collecting usernames and passwords.) C.Hybrid warfare (use of disinformation, hacking, and espionage.) D.Pharming (Directing someone to the wrong IP address through DNS manipulation/spoofing.)
A.Watering-hole attack (Lesson 4)
A webserver was recently overwhelmed by a sudden flood of SYN packets from multiple sources. Of the options below, which best describes this attack? A.Worm B.Botnet C.Virus D.RAT E.Logic bomb
B.Botnet To overwhelm a server with SYN packets we will need to utilize the combined bandwidth of a botnet. A botnet is a collection of compromised computers that act together in unison to perform a DDoS (Distributed Denial of Service). The individual computers are often called bots or zombies. (Lesson 9)
A smart switch has the ability to monitor electrical levels and shut off power to a building in the event of a power surge or other similar situations. The switch was installed on a wired network in a local office and is monitored via a cloud application. The switch is already isolated on a separate VLAN and set up a patching routine. Which of the following steps should also be taken to harden the smart switch? A.Set up an air gap for the switch. B.Change the default password for the switch. C.Place the switch in a Faraday cage. D.Install a cable lock on the switch.
B.Change the default password for the switch. Air gapping the device could cut it off from the cloud application, the question doesn't mention wireless so a faraday cage won't help, and a cable lock will only help prevent against physical theft which doesn't appear to be our main concern. That leaves us with (B). (Lesson 9)
After reading the user manual for a specific brand of security camera, a hacker was able to log in and disable the cameras on the company's campus. What describes the configuration that the hacker took advantage of? A.Open permissions B.Default settings C.Unsecure protocols D.Weak encryption
B.Default settings If the hacker figured out how to access (log in) and disable the cameras just from reading the manual, it is likely that there is a default password on the camera that was never changed. (Lesson 3)
An unmonitored security camera would be what type of control? A.Detective B.Deterrent C.Physical D.Preventative
B.Deterrent A security guard who was watching through the camera could be detective. However, the camera, especially one that is unmonitored, would be strictly a deterrent for would be criminals. (Lesson 1)
After connecting the laptop to the company's SSID, an employee was prompted to enter their username and password into a popup web browser. This had never happened before, but they entered their credentials anyways. Later that day they noticed they where unable to access any of the company servers and unusual transactions whereappearing on their credit card. What attack is most likely being described in this scenario? A.Rogue access point B.Evil twin C.DNS poisoning D.ARP poisoning
B.Evil twin (Lesson 9)
Employees have reported performance issues with the Wi-Fi network. A pcap provides the following information: # 1337 1338 1339 1340 Protocol 802.11 802.11 802.11 802.11 Source Foxcon_34:1C:22 Foxcon_34:1C:22 Foxcon_34:1C:22 Foxcon_34:1C:22 Destination Broadcast Broadcast Broadcast Information Deauthentication, FN=0, SN=110 Deauthentication, FN=0, SN=110 Deauthentication, FN=0, SN=111 Deauthentication, FN=0, SN=112 Time 9:51:30010 9:51:31500 9:51:33766 9:51:36402 What attack is most likely taking place considering pcap above? A.Session replay B.Evil twin C.ARP poisoning D.Bluejacking
B.Evil twin This is a deauthentication attack that ultimately results in a DOS between the original AP and the clients. Typically, this attack is performed as the first step of an evil twin attack. The goal is to disconnect the clients from the real AP, so that they will reconnect to the evil twin (imposter) AP instead. Since the deauthentication attack is not an answer, the evil twin becomes the best option available. (Lesson 9)
An international company is expanding it services and is creating several new servers to store customer data. Of the options listed below, which would likely contain an outline of roles/responsibilities for data controllers/processors that the company should follow? A.ISO 31000 (International risk management best practices) B.GDPR (The European Union's regulation that states that personal data cannot be collected or processed without the individual's informed consent.) C.PCI DSS (Outlines how credit card/bank info must be safely managed.) D.SSAE SOC2 (An audit/test that reports on an organization's controls relative to the CIA triad.)
B.GDPR The question is somewhat vague, so we will want a generalized answer. The GDPR (General Data Protection Regulation) is most likely to outline responsibilities for data controllers/processors/users. (Lesson 1)
A server certificate needs to be generated to be used for 802.1X. Which of the following is the FIRST step that will most likely accomplish this task? A.Create an OCSP. B.Generate a CSR. C.Create a CRL. D.Generate a .pfx file.
B.Generate a CSR. OCSP - Online Certificate Status Protocol: Used to quickly check that a certificate hasn't been revoked, without needing to download a complete CRL from the CA. OCSP messages are signed to provide authenticity, integrity, and non-repud. This requires an internet connection. CSR - Certificate Signing Request: This is sent to a CA to begin the process of certificate creation. The CSR should include the public key, domain/device validation (proof of ownership), common name, location, etc. CRL - Certificate Revocation List: A list (by serial number) of all revoked certificates that a CA has previously issued. These lists can become very large, which is why OCSP was created. A decent option if the computer is airgapped. PFX file - A binary format for storing the server certificate, any intermediate certificates, and the private key into a single encryptable file. This file is typically what is sent to key escrow. (Lesson 6)
A data breach was discovered after a company's usernames and password were posted to a hacker website. Afterwards, an analyst discovered the company stored credentials in plain text. Which of the following would help mitigate this type of breach in the future? A.Create DLP controls that prevent documents from leaving the network. B.Implement salting and hashing. C.Configure the web content filter to block access to the forum. D.Increase password complexity requirements.
B.Implement salting and hashing. Passwords should not be stored in plain text! We want to store passwords as hashed values, and salt them for extra security! The hashing will protect us from insiders/hackers seeing the password, while the salt will make password cracking very difficult. The salt will also make rainbow tables useless!(more salt related details in the slide notes) (Lesson 5)
A manager has decided that outsiders and corporate partners visiting the company campus need to sign a digital AUP before they will be allowed to access the isolated and complementary guest WiFi. What would a technician utilize to facilitate the manager's decision? A.Implement open PSK on the Aps B.Install a captive portal C.Deploy a WAF D.Configure WIPS on the APs
B.Install a captive portal A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. (Lesson 9)
Which of the following native tools would allow a technician to view services running on system as well the associated listening ports? A.Netcat B.Netstat C.Nmap D.Nessus
B.Netstat Netstat can show you all of your active connections and open/listening ports. Furthermore, if you use "-o" it will show you which currently running processes/services opened those connections/ports. Most conventional operating systems have netstat built in (native). (Lesson 3)
A professor recently left their position at university A to take a job at a rivaling college, university B. A few months after the professor officially departed, a security analyst at university A noticed that the former professor had logged into a department server and deleted several important file shares. Of the security practices listed below, what should have been performed to prevent the important files from being deleted? A.Non-disclosure agreement B.Offboarding C.An acceptable use policy D.Least privilege
B.Offboarding (Lesson 8)
Emily has received a suspicious email that claims she won a multi-million dollarsweepstake. The email instructs her to reply with her full name, birthdate, and home address so her identity can be validated before she is given the prize. What best describes this type of social engineering attack? A.Vishing (A type of phishing but specifically over the phone. Think Voice-phishing) B.Phishing (Phishing is typically performed through email or social media.) C.Whaling (A type of spear phishing, the target must be upper management (boss, CEO, board of directors).) D.Spear phishing (A type of phishing, that targets a specific group/person and customizes its attack to match.)
B.Phishing Since this attack came through email, (A) is out. Since the attack wasn't specifically crafted for Emily, a group, or upper management, (C) and (D) are both out too. (Lesson 4)
Symmetric cryptography can efficiently: A.Perform key exchange B.Protect large amounts of data C.Hash data D.Provide non-repudiation
B.Protect large amounts of data (Lesson 5)
A company needs to detect single points of failure in their security systems. Which of the following policies or concepts would assist them in this endeavor? A.Mandatory vacation B.Separation of duties C.Awareness training D.Least privilege
B.Separation of duties Separation of duties would allow at least one other individual to identify a flaw in a process, especially when considering the risk from an insider threat. To resolve SPoFs with personnel, use job rotation. (Lesson 8)
Due to a supply shortage over the summer not all of the company campus was upgraded with the new and faster wireless access points. While the company is waiting for more to come in, a security analyst has grown concerned that employees might bring in their own access points without permission. What type of threat is the security analyst concerned about? A.Hactivist B.Shadow IT C.White-hat D.A script kiddie E.APT
B.Shadow IT (Lesson 2)
An admin logs into the domain controller and finds the following information: DATE & TIME 10/7/2019 @ 4:15:41PM 10/7/2019 @ 4:15:41PM 10/7/2019 @ 4:15:42PM KEYWORDS Authentication fail Authentication fail Authentication fail SOURCE Windows security audit Windows security audit Windows security audit NAME Joe.Jones John.Smith Steve.Brown Tyler.Wolf Mary.Stevens WRONG PW COUNTER 13 9 8 8 10 LAST ATTEMPT 10/7/2019 @ 4:15:41PM 10/7/2019 @ 4:15:41PM 10/7/2019 @ 4:15:41PM 10/7/2019 @ 4:15:42PM 10/7/2019 @ 4:15:42PM Based on the evidence gathered, what best describes this attack? A.Brute-force B.Spraying C.Keylogger D.Credential harvesting
B.Spraying It looks like a hacker is trying to gain access to one of the accounts listed below. Password spraying is a safe assumption. See the notes for more explanation. (Lesson 7)
What attack best describes the logs below: - 12.10.2020 @ 3:14:12 user admin, login failed, password: password1 12.10.2020 @ 3:14:12 user steve, login failed, password: password1 12.10.2020 @ 3:14:12 user john, login failed, password: password1 12.10.2020 @ 3:14:12 user jane, login failed, password: password1 12.10.2020 @ 3:14:12 user jill, login failed, password: password1 12.10.2020 @ 3:14:13 user user, login failed, password: password1 - 12.10.2020 @ 3:14:13 user admin, login failed, password: password12 12.10.2020 @ 3:14:13 user steve, login failed, password: password12 12.10.2020 @ 3:14:14 user john, login failed, password: password12 12.10.2020 @ 3:14:14 user jane, login failed, password: password12 12.10.2020 @ 3:14:14 user jill, login failed, password: password12 12.10.2020 @ 3:14:14 user user, login failed, password: password12 A.Brute-force B.Spraying C.Dictionary D.Rainbow table
B.Spraying Password spraying! Using common passwords against several user accounts. (Lesson 7)
During an incident, a malicious inside actor accessed the logs and deleted most records of the incident. However, you were able to confidently inform investigators that some other log files are available for analysis. Which of the following did you most likely utilize to assist investigators? A.Memory dumps. B.The syslog server. C.The application logs. D.The log retention policy. E.Nothing. This is impossible.
B.The syslog server. (Lesson 10)
Which of the following data sources would best provide real-time data on the latest malware threats? A.Advisories and bulletins B.Threat feeds C.Security news articles D.Peer-reviewed content
B.Threat feeds Threat feeds are generally going to get accurate information to you the quickest. Security news articles are a close second but wouldn't provide "real-time data". (Lesson 2)
While browsing the internet you realize that you are on "www.patpal.com" instead of "www.paypal.com". These two websites look otherwise identical. Which of the following attacks are you encountering? A.Information Elicitation B.Typo squatting C.Impersonation D.Watering-hole attack
B.Typo squatting (Lesson 4)
Of the options below, what would best increase the security of important Linux servers? A.Remove all user accounts B.Use SSH keys and remove generic passwords C.Randomize the shared credentials D.Only use guest accounts to connect
B.Use SSH keys and remove generic passwords (Lesson 8)
A company has maintained highly detailed records of all of their authorized network devices and is planning to use Wi-Fi for all laptops that need network access. What could replace a PSK on an access point and stop a script kiddie from being able to brute force the password? A.BPDU guard (A.Used to protect switches that are running Spanning Tree Protocol. Not useful in this situation.) B.WPA-EAP (Also known as enterprise mode, or 802.1x, this would require each user to have an unique username and password. With this replacing the PSK mechanism, the script kiddie would have to know the username in addition to brute forcing the password, and that would be outside the scope of their ability.) C.IP filtering (C.Not a terrible answer, but this wouldn't "replace" a PSK mechanism. Also, IP filtering isn't done on most access points. Instead they typically rely on MAC filtering.) D.A WIDS (C.A Wireless Intrusion Detection System could alert an admin if a intrusion is detected, but will not STOP anyone.)
B.WPA-EAP (Lesson 9)
An organization suffered a data breach as the result the SMB being accessible from the internet and use of NTLMv1. What best describes the cause of this breach? A.Default settings on the servers B.Weak data encryption C.Unsecured admin accounts D.Open ports and services on hosts
B.Weak data encryption We don't know what type of system this is, so we can't tell if NTLMv1 is the default. Any Window system since 2000 uses Kerberos as the default authentication mechanism, so this seems very unlikely. NTLMv1 is encrypted with DES (Data Encryption Standard) which has not been secure for a very long time. There are very few, if any, situations where NTLMv1 should be used. There is no way to tell from the question above how the admin accounts have or haven't been secured. We probably don't want to block SMB on the hosts as they will likely need it for sharing files. (Lesson 7)
Which of the following tests are provided with thorough insider documentation? A.Bug bounty B.White-box C.Gray-box D.Black-box
B.White-box (Lesson 3)
Which ISO standard is specifically designed for certifying privacy? ISO 27001 - Information Security Management Systems: Infosec rules and requirements used by many governing bodies to create compliance/regulations. ISO 27701 - Privacy Information Management: An extension to 27001 that outlines rules and regulations specifically tied to privacy. ISO 27002 - Information Security Best Practices: Guidelines and suggestions for how to start or improve infosec at an organization. ISO 31000 - Risk Management Best Practices: Generic (non specific) suggestions for managing risk response within an organization. A.31000 B.27002 C.27701 D.9001
C.27701 ISO standards 27001, 27002, 27701, 31000 are listed as exam objectives. Additional supplementary ISO numbers can be found in this slide's notes. (Lesson 1)
An admin is deploying access points that will use PKI for authentication. What needs to be configured for this to work? A.Captive portal B.WPS C.802.1x D.PSK
C.802.1x Using PKI to authenticate into the access point will require an AAA system (a RADIUS or TACACS server must be on the network and configured properly). This process is described in the standard 802.1x, and is also referred to as "enterprise authentication". (Lesson 9)
An admin sees several employees all simultaneously downloading files with the .tar.gz extension. The employees say they did not initiate any of the downloads. A closer examination of the files reveals they are PE32 files. Another admin discovers all ofthe employees clicked on an external email containing an infected MHT file with an href link at least two weeks prior. Which of the following is MOST likely occurring? A.A RAT was installed and is transferring additional exploit tools. B.The workstations are beaconing to a command-and-control server. C.A logic bomb was executed and is responsible for the data transfers. D.A fileless virus is spreading in the local network environment.
C.A logic bomb was executed and is responsible for the data transfers. The two week delay suggests logic bomb! (more info in slide notes) (Lesson 4)
From the options below, what type of threat actor would be described as highly skilled and well coordinated? A.Shadow IT B.A hacktivist C.An advanced persistent threat D.An insider threat
C.An advanced persistent threat (Lesson 2)
A new E-commerce company is interested in being PCI DSS complaint. Of the options below, what is required in order to be compliant with this standard? (Pick two) A.Using vendor-supplied default passwords for systems B.Benchmarking security awareness training for contractors C.Assigning a unique ID to everyone who has computer access D.Encrypting transmission of cardholder data across private networks E.Testing security systems and processes regularly F.Installing and maintaining a web proxy to protect cardholder data
C.Assigning a unique ID to everyone who has computer access E.Testing security systems and processes regularly PCI DSS = Payment Card Industry Data Security Standard. Requires use of specific controls whenever handling credit/debit cards, as to minimize potential fraud/crime. There are twelve very detailed rules for PCI DSS, but the ones most frequently discussed involve: •Every year the company must have a security test/audit. •All user accounts must be unique. •Never storing the CVV code. (Lesson 1)
Which of the following would MOST likely support the integrity of a banking application? A.Perfect forward secrecy B.Transport Layer Security C.Blockchain D.Asymmetric encryption
C.Blockchain (A) and (B) are designed to support confidentiality, while (C) BLOCKCHAIN is specifically used for integrity management through encryption. (D) can be used for integrity management, but not without the addition of hashing, which creates a process known as signing. More about blockchain: A blockchain is a growing list of records, called blocks, that are linked using cryptography. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. By design, a blockchain is resistant to modification of its data. This is because once recorded, the data in any given block cannot be altered retroactively without alteration of all subsequent blocks. (Lesson 5)
While deploying TLS certificates on your air-gapped private network you determine that you need the ability to check revoked certificates quickly. Which of the following would best fit these requirements? A.RA B.OCSP C.CRL D.CSR
C.CRL While OCSP (Online Certificate Status Protocol) could certainly be faster than a CRL (Certificate Revocation List), it does require an online connection. However, our network is air gapped so this isn't possible to use. CRL it is! RA = registration authority. Company that owns the CAs (Certificate Authorities) (Lesson 6)
You are configuring a vulnerability scanner for a multinational organization. You are required by contract to scan systems on a weekly basis with admin privileges, but are concerned that hackers could gain access to the account and pivot throughout the company's networks. Which of the following BEST addresses this concern? A.Create different accounts for each region, each configured with push MFA notifications. B.Create one global administrator account and enforce Kerberos authentication. C.Create different accounts for each region, limit their logon times, and alert on risky logins. D.Create a guest account for each region, remember the last ten passwords, and block password reuse.
C.Create different accounts for each region, limit their logon times, and alert on risky logins. (Lesson 7)
Last month a company moved all of their corporate data to a private cloud and secured it with strong encryption and authentication mechanisms. Earlier this week, a sales manager had their laptop stolen. Today, enterprise data was stolen from a local database. Of the options below, what is the most likely cause of this data breach? A.Bluejacking B.Man in the browser C.Credential stuffing D.Shadow IT E.SQL injection
C.Credential stuffing If sales manager uses the same password for several services, then it is likely someone retrieved a saved password from the laptop and then successfully used that on the cloud server. Credential stuffing involves getting a valid set of credentials from one location, and then trying them elsewhere to gain access. For example, someone finds out the password for your bank account. The attacker then uses that same password to try and access your email. That would be considered credentialed stuffing and is the most likely of our options.(additional notes in the slide notes) (Lesson 7)
"WARNING: This property is protected by an automated electronic alarm system." What type of control would a sign, like the one above, be considered? A.Detective B.Compensating C.Deterrent D.Corrective
C.Deterrent While the automatic alarm system could be detective, this sign is only a deterrent to threat actors. (Lesson 1)
The following passwords were attempted to be used against the account "root": -mark, marked, marker, marsh, marshmallow, ... Which type of password attack is this? A.Rainbow table B.Password spray C.Dictionary D.keylogger
C.Dictionary A password spray attack would hit many users with the same password in attempt to gain entry without getting locked out. This however looks like one account (root) is being attacked with many passwords in alphabetical order. Dictionary attack! (Lesson 7)
HD cameras located throughout the airport are going to be used to track passengers without requiring them to enroll in a biometric system. Of the biometric options below, what would be suitable for this advanced security tracking system? (pick two) A.Voice B.Vein C.Facial D.Gait E.Fingerprint F.Retina
C.Facial D.Gait Without enrollment, the only things the cameras could reasonably use would be facial recognition and gait (how someone walks, or the distance between their steps). (Lesson 7)
Before writing a new company policy about managing customer privacy internationally, which of the following should a CISO read and understand? A.PCI DSS (Payment Card Industry Data Security Standard - how credit/debit card data should be managed) B.NIST (National Institute for Standards and Technology - US gov agency that makes standards and guidelines.) C.GDPR (General Data Protection Regulation - A prolific EU law regarding privacy protections in and out of the EU.) D.ISO 31000 (International Standards Organization - a list of risk management best practices)
C.GDPR A thorough understanding of the EU's GDPR would be important before writing any policy that deals with international privacy. (Lesson 1)
A technician has been asked to resolve several latency and connection issues throughout the company's new wireless infrastructure. Of the resources below, what would best help the technician prioritize their response? A.Wireshark B.Nmap C.Heat map D.Network diagrams
C.Heat map They didn't give us a lot of details about the problem, so we should assume these are generic issues. The most useful place to start when addressing these generic issues would be a heat map. With Wi-Fi, the most generic issues involve: •Interference (Channel overlap or from devices like microwave ovens) •Distance limitations (5Ghz doesn't have great wall penetration) •Overcrowding, as in too many devices in one area (there's only so much bandwidth a single AP can offer) •Misconfiguration (wrong antennas, or use of outdated 802.11 standards) (Additional explanation for this question can be found in the slide notes.) (Lesson 9)
An attacker used a keylogger to remotely monitor a user's input, thereby harvesting important credentials. What would best mitigate or prevent this threat in the future? A.Change default passwords B.Update cryptographic protocols C.Implement 2FA using push notifications D.Force password resets for compromised accounts E.Enforce complexity requirements through group policy
C.Implement 2FA using push notifications With 2FA (two factor authentication) the attacker can get our password (something you know) with a keylogger, as described above, and will not be able to access the system without the pin number from the push notification (something you have). (Lesson 7)
While preparing a demonstration for employees of your company, you need to identify a method for determining tactics, techniques, and procedures of threats against your network. Which of the following would you most likely use? A.A tabletop Exercise B.NIST CSF C.MITRE ATT&CK D.OWASP
C.MITRE ATT&CK MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It is a great source of free intelligence! https://attack.mitre.org/ (Lesson 2)
An employee typical uses SSH to connect and configure a remote server. Today they got this message: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx WARNING: REMOTE HOST ID HAS CHANGED! xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx The fingerprint for the RSA key sent by the host is SHA: 1B8104A05A243CEE3776A81BDE2EC7DAA990D0A5. Host key verification failed. Please contact your admin. What network attack is the employee most likely experiencing? A.Evil twin B.ARP poisoning C.Man-in-the-middle D.MAC cloning
C.Man-in-the-middle The remote device we are attempting to connect to does not have the proper SSH key. We are likely talking to a Man-in-the-Middle (MitM) who is impersonating our intended destination. (Lesson 5)
Due to a weakness in the company's currently implemented hashing algorithm a technician added a randomly generated value to the password before storing it. What is best description of this action? A.Predictability B.Key Stretching C.Salting D.Hashing
C.Salting In cryptography, a "salt" is pseudo-random data that is used as an additional input when hashing a password or passphrase to make them stronger/harder to crack. (Lesson 5)
An employee installed a new service on the domain controller without consent or approval from the IT department and change management. What specifically describes this type of threat? A.OSINT B.Insider threat C.Shadow IT D.Dark web
C.Shadow IT Shadow IT (also known as fake IT, stealth IT, or rogue IT) refers to information technology (IT) systems deployed by departments other than the central IT department, to work around the shortcomings of the central information system. (Lesson 2)
How could you tell from the results of a vulnerability scan if the scanner had been provided valid credentials relevant to the target it was scanning? A.The scan identified expired SSL certificates B.The scan produced a list of vulnerabilities on the target host C.The scan enumerated software versions of installed programs D.The scan results show open ports, protocols, and services exposed on the target host
C.The scan enumerated software versions of installed programs A vulnerability scanner should NOT be able to see software versions of installed programs unless it has valid credentials and can log into the device it is scanning. (Lesson 3)
A security expert is looking through logs for a specific IoC (Indicator of Compromise) that they read about online. What are they doing? A.A packet capture B.A user behavior analysis C.Threat hunting D.Credentialed vulnerability scanning
C.Threat hunting Threat hunting: a defense activity where security personnel proactively search through networks and logs to isolate and detect advanced threats that would evade existing security mechanisms. (Lesson 3)
A company would like to get one SSL certificate that can cover both of their application servers, [email protected] and www.example.com. Furthermore, this certificate should be able to cover any future application servers that the company may add of a similar naming convention, such as smtp.example.com. What type of SSL certificate would best fit their needs? A.Self-signed B.SAN C.Wildcard D.Extended validation
C.Wildcard *.example.com A wildcard certificate is capable of being used by, and protecting, several servers so long as the domain and top level domain are matching. (Lesson 6)
A public announcement is made about a newly discovered, rapidly spreading virus. The security team immediately updates and applies all its antivirus signatures. The security manager contacts the antivirus vendor support team to ask why one of the systems was infected. The vendor support team explains that the signature update is not available for this virus yet. Which of the following best describes the situation? A.Race condition B.End of life C.Zero day D.Integer overflow
C.Zero day (Lesson 3)
As part of an investigation a forensics expert has been given a massive packet capture for analysis, full of HTTP requests. They need to view the first few requests and then search for a specific string that indicates the compromise. Which of the options below would allow them to perform this action quickly and efficiently? (Pick two) A.openssl B.dd C.head D.tail E.grep F.curl G.tcpdump
C.head E.grep (Lesson 10)
You are concerned with servers running outdated applications. Which command would work BEST to help identify potential vulnerabilities? A.hping3 -S comptia.org -p 80 B.nc -1 -v comptia.org -p 80 C.nmap comptia.org -p 80 -sV D.nslookup -port=80 comptia.org
C.nmap comptia.org -p 80 -sV Since no vulnerability scanners are listed (Nessus or OpenVAS for example) then NMAP is our next best choice (As a scanning tool it has basic vulnerability scanning) (Lesson 3)
After many passwords where leaked to the dark web, an admin has decided everyone must change their password at next login. What should the admin consider to minimize the likelihood that accounts are not compromised again after the reset is issued? A.A geofencing policy based on logon history B.Encrypted credentials in transit C.Account lockout after three failed attempts D.A password reuse policy
D.A password reuse policy If the passwords have been leaked, we don't want anyone to REUSE the same password when they are prompted to change them! (Lesson 8)
A user is having problem accessing network shares. An admin investigates and finds the following on the user's computer: INTERNET ADDRESS 192.168.1.1 192.168.1.5 192.168.1.9 192.168.1.11 192.168.1.13 192.168.1.255 255.255.255.255 PHYSICAL ADDRESS 9c-3f-cf-5c-e1-c3 00-1f-88-49-32-73 3c-9c-23-2c-e8-92 9c-3f-cf-5c-e1-c3 f8-0d-fc-bb-db-85 ff-ff-ff-ff-ff-ff ff-ff-ff-ff-ff-ff TYPE dynamic dynamic dynamic dynamic dynamic static static What attack has been performed on this computer? A.Directory traversal B.Pass-the-hash C.Mac flood D.ARP poisoning E.IP conflict F.DHCP starvation attack
D.ARP poisoning Two different devices shouldn't have the same MAC addresses. Since these are dynamically learned ARP entries, it is reasonable to believe this was an ARP poisoning. Device .1 is probably the default gateway and then device .11 is the MitM. (Lesson 9)
Travis, a penetration tester, heard about a new vulnerability that affects many modern platforms. Which of the following would be BEST to consult in order to determine exactly which platforms have been affected? A.OSINT B.SIEM C.CVSS D.CVE
D.CVE Notably, we are asking about PLATFORMS here and not individual systems on a network. A platform is generally just the types of OSs that would be potentially compromised by this new vulnerability. CVEs (Common Vulnerability Enumerations) are simply lists of known vulnerabilities as well as their attributes, including affected platform. (Lesson 3)
An investigation has revealed that the worm gained access to the company SQL server using well-known credentials. It then spread throughout the network and managed to infect over a dozen systems before it was contained. What is the best preventative measure the company could take to prevent this from happening again? A.Air gap the SQL server from the network B.Block all remote access services on the network gateway C.Establish routine backups for all company servers D.Change the default application password
D.Change the default application password "Well known credentials" indicates we have a common/predictable/default password on our hands. We should change that password ASAP and then deploy IPS/antimalware tools. (Lesson 3)
After the CEO's email account was compromised, an investigation found the following: •The password the CEO used on the email account was also used on several websites, including Example.org. •Example.org was recently compromised by an APT. Considering the findings, which of the following attacks was most likely used to compromise the CEO's email account? A.Remote Access Trojan B.Password spraying C.Brute-force attack D.Credential stuffing E.Dictionary attack
D.Credential stuffing (Lesson 7)
Of the access control schemes below, which one allows an owner to determine an object's access policies? A.Role-based B.Attribute-based C.Mandatory D.Discretionary
D.Discretionary (Lesson 8)
Technicians have complained that they have had difficulties accessing the data center ever since the biometric scanner was installed. An admin investigates the scanner's logs and finds a high number of errors that correlate with the complaints. What best indicates the cause of the complaints? A.Efficacy rate B.Attestation C.Cross-over error rate D.False rejection
D.False rejection False rejection implies legitimate users are incorrectly being rejected, as they are being misidentified. (Lesson 7)
The company wants to deploy MFA on desktops in the main office. They have specified that the MFA solution must be non-disruptive and as user friendly as possible. Which of the options below would be best considering these conditions? A.One-time passwords B.Email tokens C.Push notifications D.Hardware authentication
D.Hardware authentication The most user friendly option would be hardware authentication. If the hardware provides authentication on its own through a certificates or token, it will not require any extra steps for the end user. All of the other options require a user to get a pin number and enter it in addition to a password. (Lesson 7)
Of the intelligence sources below, which should a security manager review that would allow them to remain proactive in understanding the types of threats that face their company? A.Vulnerability feeds B.Trusted automated exchange of indicator information C.Structured threat information expression D.Industry information-sharing and collaboration groups
D.Industry information-sharing and collaboration groups (A) Vulnerability feeds only show software/hardware vulnerabilities. Nothing about their human targets. (B) TAXII is a protocol for transferring Cyber Threat Intelligence from a server to client(C) STIX - Structured method of describing cyber security threats in a consistent matter. While it helps logically organize information it isn't a source of sharing information. (D) ISAC - Industry specific groups on sharing threat information (for example aviation or financial businesses) (Lesson 2)
A new solution is needed to better mitigate future threats to the business. This solution should be able to block malicious payloads and stop network-based attacks. Considering that it must also be placed in-line, which of the options below best describes this new solution? A.HIDS B.HIPS C.NIDS D.NIPS
D.NIPS Since we need to prevent network attacks, we need a network device that is preventative. A Network Intrusion Prevention System (D) is thereby the way to go. H = host-based. (Software installed on a computer) N = network-based (a network device, or installed on a proxy)IDS = Intrusion Detection System (detection and alerting only)IPS = Intrusion Prevention System (detection, alerting and prevention) ((More notes about these topics can be found in the slide notes)) (Lesson 10)
Of the options below, which one would typically utilize steganography? A.Blockchain B.Integrity C.Non-repudiation D.Obfuscation
D.Obfuscation Steganography is a technique/art that involves obscuring or hiding a message in plain sight. (Lesson 5)
Which of the following security architecture components are integral parts of implementing WPA2-Enterprise utilizing EAP-TLS? (Pick Two) A.DNSSEC B.Reverse Proxy C.VPN Concentrator D.PKI E.Active Directory F.RADIUS
D.PKI F.RADIUS (Lesson 9)
After a security assessment is concluded, what benefit does the CVSS score provide to a company on the list of discovered vulnerabilities? A.Validate the vulnerability exists in the organization's network through penetration testing. B.Research the appropriate mitigation techniques in a vulnerability database. C.Find the software patches that are required to mitigate a vulnerability. D.Prioritize remediation of vulnerabilities based on the possible impact.
D.Prioritize remediation of vulnerabilities based on the possible impact. CVSS (Common Vulnerability Scoring System) is used to assign severity scores (zero to ten) to vulnerabilities which allows responders to prioritize the responses and better manage resources. Scores are calculated by a formula that uses several metrics, including complexity and severity. (Lesson 3)
What could be used to allow for secure authentication to cloud services and third-party websites without the need to send a password? A.SSO B.PAP C.Oauth D.SAML
D.SAML PAP, typically used with point to point serial connections, sends your password as plaintext. Oauth is typically used for sending authorizations from one web service / cloud server to another, but doesn't typically handle authentication. SAML is an XML-based format used to exchange authentication information and thereby achieve identity federations (SSO). It doesn't actually send your password from one system to another in the process. Instead it tokenizes credentials across multiple parties. (Lesson 8)
Everyone on the helpdesk team shares the same credentials for troubleshooting systems. Whenever the password is changed, the new one is emailed to everyone on the team. A security manager is looking for a solution that would mitigate the risk. Of the options below, which is the best option they should suggest? A.Password vaults B.OAuth authentication C.SSH keys D.SSO authentication
D.SSO authentication Only SSO (single-sign on) would give each technician their own set of credentials, without causing much overhead. (Lesson 8)
An organization is worried that the SCADA network that controls the environmental systems could be compromised if the staff's WiFi network was breached. What would be the best option to mitigate this threat? A.Install a smart meter of the staff WiFi. B.Place the environmental systems in the same DHCP scope as the staff WiFi. C.Implement Zigbee on the staff WiFi access points. D.Segment the staff WiFi network from the environmental systems network.
D.Segment the staff WiFi network from the environmental systems network. We should isolate/separate/segment those networks! (Lesson 9)
The data center is currently protected by two factor authentication that includes a fingerprint scanner and a pin number. What item could be added to this preexisting system to allow for three factor authentication? A.Date of birth (something you know) B.Password (something you know) C.TPM (contains and manages encryption keys) D.Smart card (something you have) E.Iris scan (something you are)
D.Smart card We already have fingerprint (something you are) and pin number (something you know). We need to find something from a different category, such as something you have! (Lesson 7)
The organization's bank only calls on a predetermined landline. What best describes the MFA (multifactor authentication) attribute that the bank is attempting to utilize? A.Something you exhibit B.Something you can do C.Someone you know D.Somewhere you are
D.Somewhere you are (Lesson 7)
How would you describe a pentest where the attacker has no knowledge of the internal architecture of the systems being tested? A.Partially-known environment (grey box) B.Known environment (white box) C.Bug bounty D.Unknown environment (black box)
D.Unknown environment (black box) (Lesson 3)
Which of the following should be disabled in order to improve security? A.WPA3 B.AES C.RADIUS D.WPS
D.WPS (Lesson 9)
A penetration tester has found a domain controller using 3DES to encrypt authentication messages. What problem has the penetration tester identified? A.Unsecure protocols B.Default settings C.Open permissions D.Weak encryption
D.Weak encryption (Lesson 5)
The company's Chief Financial Officer received an email from a branch office manager who claims to have lost their company credit cards. They are requesting $12,000 be sent to a private bank account to cover various business expenses. What type of social engineer attack does this best illustrate? A.Pharming B.Phishing C.Typo squatting D.Whaling
D.Whaling Whaling: A form of spear phishing where the target is upper management. (Lesson 4)
Which of the following tools should be utilized to review a 1GB pcap? A.Nmap B.cURL C.Netcat D.Wireshark
D.Wireshark Pcap = packet captureWireshark, a protocol analyzer, would be an ideal tool for this! (Lesson 3)
A penetration tester revealed that an end of life server is using 3DES to encrypt its traffic. Unfortunately, the server which is mission critical cannot be upgraded to AES, replaced, or removed. What type of control could help reduce the risk created by this server considering the company must continue to use it? A.Corelating B.Physical C.Detective D.Preventative E.Compensation
E.Compensation (Lesson 1)
