1-50

Question 1

A user is attempting to navigate to a website from inside the company network using a desktop. When the user types in the URL, https://www.site.com, the user is presented with a certificate mismatch warning from the browser. The user does not receive a warning when visiting http://www.anothersite.com. Which of the following describes this attack?

a. on-path
b. Domain hijacking
c. DNS poisoning
d. Evil twin

Answer 1

c. DNS poisoning

Here’s how DNS poisoning fits the scenario:

DNS Poisoning (or DNS Spoofing): This attack involves corrupting the DNS resolution process in order to redirect domain name lookups to malicious IP addresses. In this case, when the user tries to access https://www.site.com, the DNS responses could have been tampered with to redirect the user to a different (potentially malicious) IP address that does not match the expected SSL certificate for www.site.com. This causes the browser to display a certificate mismatch warning because the certificate presented by the server does not match the domain name requested by the user (www.site.com).

HTTP vs HTTPS: The lack of warnings for http://www.anothersite.com suggests that the DNS poisoning is specifically targeting HTTPS (SSL/TLS) connections (https://www.site.com). HTTP connections (http://www.anothersite.com) do not use SSL/TLS and thus do not trigger certificate mismatch warnings.

Here’s why the other options are less likely:

On-path: While an on-path attack involves intercepting and manipulating traffic between two parties, it typically does not specifically cause SSL certificate mismatch warnings unless combined with DNS poisoning or other techniques to redirect traffic.

Domain hijacking: Domain hijacking involves unauthorized changes to domain registration records, leading to control over the domain itself. While related, it does not directly cause certificate mismatch warnings as described.

Evil twin: An evil twin attack involves setting up a rogue Wi-Fi access point with the same name (SSID) as a legitimate one to intercept wireless communications. It is not directly related to DNS poisoning or causing certificate mismatch warnings in the context of accessing websites.

Question 2

Which of the following tools is effective in preventing a user from accessing unauthorized removable media?

a. USB data blocker
b. Faraday cage
c. Proximity reader
d. Cable lock

Answer 2

a. USB data blocker

Explanation:

USB data blocker: This device is specifically designed to allow charging of a device while blocking data transfer through the USB port. This prevents unauthorized access to removable media by ensuring that data cannot be transferred to or from the USB port.

Other Options:

Faraday cage: This is a shield used to block electromagnetic fields. It is not designed for preventing access to removable media and is generally used for different purposes, such as preventing wireless communication.

Proximity reader: This is used for access control, such as securing physical entry to a location. It does not prevent access to removable media.

Cable lock: This is used to physically secure a device to prevent theft but does not control access to removable media.

Therefore, the USB data blocker is the most suitable tool for the specified purpose.

Question 3

A Chief Security Officer is looking for a solution that can provide increased scalability and flexibility for back-end infrastructure, allowing it to be updated and modified without disruption to services. The security architect would like the solution selected to reduce the back-end server resources and has highlighted that session persistence is not important for the applications running on the back-end servers. Which of the following would BEST meet the requirements?

a. Reverse proxy
b. Automated patch management
c. snapshots
d. NIC teaming

Answer 3

a. Reverse proxy

Here’s how a reverse proxy aligns with the specified needs:

Increased scalability and flexibility: A reverse proxy can distribute client requests across multiple back-end servers, allowing for easier scaling by adding or removing servers as needed. It can also provide flexibility by routing requests based on various criteria (e.g., URL, headers).

Updating and modifying back-end infrastructure without disruption: A reverse proxy can route traffic to different versions of back-end servers seamlessly during updates or modifications, ensuring continuous service availability without interruptions.

Reducing back-end server resources: By offloading tasks like SSL termination, caching, and load balancing, a reverse proxy can optimize the usage of back-end server resources.

Session persistence not important: Reverse proxies can handle session management and load balancing without requiring session persistence on the back-end servers, which aligns with the stated preference.

Let’s briefly consider why the other options are less suitable:

Automated patch management: While important for security and maintenance, automated patch management primarily focuses on keeping servers up to date with the latest patches and updates. It doesn't directly address scalability, flexibility, or resource reduction.

Snapshots: Snapshots are a feature used for data protection and recovery but do not inherently provide scalability, flexibility, or resource reduction for back-end infrastructure.

NIC teaming: NIC teaming (or network bonding) is used to increase network bandwidth and provide redundancy, primarily at the network interface level. It does not directly address the scalability, flexibility, or resource reduction needs of back-end infrastructure in the context described.

Question 4

Which of the following describes a social engineering technique that seeks to exploit a person’s sense of urgency?

a. A phishing email stating a cash settlement has been awarded but will expire soon
b. A smishing message stating a package is scheduled for pickup
c. A vishing call that requests a donation to be made to a local charity
d. A SPIM notification claiming to be undercover law enforcement investigating a cybercrime

Answer 4

a. A phishing email stating a cash settlement has been awarded but will expire soon

The social engineering technique that seeks to exploit a person’s sense of urgency is described in option A. By stating that a cash settlement has been awarded but will expire soon, the attacker creates a sense of urgency and tries to manipulate the recipient into taking immediate action without thoroughly considering the authenticity or legitimacy of the email. This technique aims to pressure the target into making a hasty decision or divulging sensitive information.

Question 5

A security analyst is reviewing application logs to determine the source of a breach and locates the following log: https://www.comptia.com/login.php?id=’%20or%20’1’1=’1
Which of the following has been observed?

a. DLL Injection
b. API attack
c. SQL injection
d. XSS

Answer 5

c. SQL injection

The log entry provided (https://www.comptia.com/login.php?id=’%20or%20’1’1=’1) indicates a type of attack where a malicious actor is trying to manipulate the SQL query used by the application. This pattern matches the characteristics of a SQL injection attack.

SQL injection (SQLi) involves inserting or “injecting” SQL queries via the input data from the client to the application. This can allow attackers to bypass authentication, access, modify, or delete data, and execute administrative operations on the database.

The specific part of the log entry id=’%20or%20’1’1=’1 is a classic example of an SQL injection attempt. The attacker is trying to manipulate the SQL query logic to always evaluate to true (e.g., 1=1), which can potentially bypass login authentication or retrieve unauthorized information.

Question 6

An audit identified PII being utilized in the development environment of a critical application. The Chief Privacy Officer (CPO) is adamant that this data must be removed; however, the developers are concerned that without real data they cannot perform functionality tests and search for specific data. Which of the following should a security professional implement to BEST satisfy both the CPO’s and the development team’s requirements?

a. Data anonymization
b. Data encryption
c. Data masking
d. Data tokenization

Answer 6

(Community C 54%, A 45% )

c. Data masking
Explanation:

Data masking: This technique involves creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training. It allows the developers to use data that appears real but doesn't contain actual sensitive information, thus satisfying the Chief Privacy Officer's (CPO) requirement to remove Personally Identifiable Information (PII) while still allowing the developers to perform functionality tests and search for specific data.

Why other options are less suitable:

Data anonymization: This method removes or modifies PII so that it can no longer be attributed to a specific individual. While it ensures privacy, it might alter the data to an extent that makes it less useful for testing specific functions or searches.

Data encryption: Encryption protects data by converting it into a coded format that is unreadable without a decryption key. While it secures the data, it doesn't help developers who need to interact with and test the functionality of the data in its original form.

Data tokenization: This process replaces sensitive data with unique identification symbols (tokens) that retain essential information without compromising security. Although it can be useful, tokenized data might not always be suitable for all types of functionality testing or specific searches needed by developers.

Therefore, data masking is the best option to meet both the privacy concerns of the CPO and the functional needs of the development team.

Question 7

A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it. Depending on what type of data that is hosted on the file server, the company wants different DLP rules assigned to the data. Which of the following should the company do to help accomplish this goal?

a. Classify the data.
b. Mask the data.
c. Assign the application owner.
d. Perform a risk analysis.

Answer 7

a. Classify the data.

Classifying the data involves identifying and categorizing the types of data stored on the file server. This classification process allows the company to apply specific DLP rules tailored to each category of data. For example, different DLP policies can be enforced for PII, financial information, and health information once they are properly classified.

Here’s why the other options are less suitable in this context:

Mask the data: Data masking is a method of protecting sensitive information by replacing it with fictitious but realistic data. While it can enhance security, it does not help in creating and applying different DLP rules based on the data type.
Assign the application owner: While assigning ownership can help with accountability and management, it does not directly address the need to apply different DLP rules to different types of data.
Perform a risk analysis: Risk analysis helps identify potential threats and vulnerabilities, which is important for overall security strategy, but it does not directly assist in applying specific DLP rules based on the type of data.

Question 8

A forensics investigator is examining a number of unauthorized payments that were reported on the company’s website. Some unusual log entries show users received an email for an unwanted mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be:

<a>Click here to unsubscribe</a>

Which of the following will the forensics investigator MOST likely determine has occurred?

a. SQL injection
b. Broken authentication
c. XSS
d. XSRF

Answer 8

d. XSRF

The forensics investigator will most likely determine that a Cross-Site Request Forgery (CSRF) attack has occurred. In a CSRF attack, an attacker tricks a user into performing an unintended action on a website or application by forging a request that appears to come from a trusted source. In this case, the users were directed to a website where they unknowingly made unauthorized payments by clicking on a link in a phishing email. The link appears to be harmless, but actually contains code that instructs the user’s browser to make a payment on the company’s website. The unauthorized payments were made because the website accepted the forged request without verifying the authenticity of the request.

Question 9

A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?

a. MFA
b. Lockout
c. Time-based logins
d. Password history

Answer 9

a. MFA (Multi-Factor Authentication)

Multi-Factor Authentication (MFA) significantly enhances security by requiring users to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN. Even if an attacker obtains user credentials, they would still need the additional factor(s) to successfully log in, thus preventing unauthorized access.

Here’s why the other options are less suitable in this context:

Lockout: This policy locks an account after a certain number of failed login attempts, which helps to prevent brute force attacks but does not address the issue of stolen credentials being used successfully.
Time-based logins: Restricting logins to specific times can add a layer of security, but it does not prevent the use of stolen credentials outside of those times.
Password history: Enforcing password history prevents users from reusing recent passwords, but it does not prevent the use of current stolen credentials.

Question 10

A company wants to simplify the certificate management process. The company has a single domain with several dozen subdomains, all of which are publicly accessible on the internet. Which of the following BEST describes the type of certificate the company should implement?

a. Subject alternative name
b. Wildcard
c. Self-signed
d. Domain validation

Answer 10

b. Wildcard

A wildcard certificate allows you to secure a single domain and all its subdomains with a single certificate. This greatly simplifies management because you don’t need a separate certificate for each subdomain. For example, a wildcard certificate for *.example.com would cover example.com, sub1.example.com, sub2.example.com, etc.

Here’s why the other options are less suitable:

Subject Alternative Name (SAN): SAN certificates can cover multiple specific domain names and subdomains, but they require each name to be listed explicitly in the certificate, which can be less efficient and more cumbersome to manage if the number of subdomains is large or if subdomains change frequently.
Self-signed: Self-signed certificates are not trusted by default by users' browsers and operating systems, making them unsuitable for public-facing websites.
Domain validation (DV): DV certificates indicate that the certificate authority has verified the domain ownership, but they do not simplify the management of multiple subdomains any more than any other type of certificate.

Question 11

Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?

a. DLP
b. NIDS
c. TPM
d. FDE

Answer 11

a. DLP (Data Loss Prevention)

Data Loss Prevention (DLP) solutions are specifically designed to detect and prevent unauthorized data transmissions or leaks outside of the network. DLP can monitor and control data transfers, enforce encryption, and block unauthorized sharing of sensitive information such as PII, financial data, and intellectual property.

Here’s why the other options are less suitable:

NIDS (Network Intrusion Detection System): NIDS can detect suspicious activities and potential intrusions on the network but doesn't specifically prevent data exfiltration. It is more about detection rather than prevention.
TPM (Trusted Platform Module): TPM is a hardware-based security feature used to secure hardware through integrated cryptographic keys, but it does not directly prevent data exfiltration from a network.
FDE (Full Disk Encryption): FDE protects data at rest by encrypting the entire contents of a disk. While it secures data on a device, it does not prevent data from being exfiltrated over the network.

Question 12

Several attempts have been made to pick the door lock of a secure facility. As a result, the security engineer has been assigned to implement a stronger preventative access control. Which of the following would BEST complete the engineer’s assignment?

a. Replacing the traditional key with an RFID key
b. Installing and monitoring a camera facing the door
c. Setting motion-sensing lights to illuminate the door on activity
d. Surrounding the property with fencing and gates

Answer 12

a. Replacing the traditional key with an RFID key

To implement a stronger preventative access control for a secure facility, replacing the traditional key with an RFID key would be the best solution. This change enhances security by using a more modern and harder-to-pick locking mechanism.

Here’s why the other options are less suitable:

Installing and monitoring a camera facing the door: This is more of a detective control than a preventative control. It helps in monitoring and recording any attempts but does not prevent the attempts themselves.
Setting motion-sensing lights to illuminate the door on activity: This is also a deterrent and detection measure rather than a preventative one. It may discourage attempts but does not physically prevent access.
Surrounding the property with fencing and gates: While this can be part of a comprehensive security strategy, it does not directly strengthen the specific access control of the door itself. It addresses perimeter security rather than the point of entry that is being targeted.

Question 13

Which of the following can be used by a monitoring tool to compare values and detect password leaks without providing the actual credentials?

a. Hashing
b. Tokenization
c. Masking
d. Encryption

Answer 13

a. Hashing

Hashing is a process where a cryptographic hash function is applied to data (in this case, passwords) to produce a fixed-size string of characters, which is often referred to as the hash value or hash code. This hash value is unique to the input data and is deterministic, meaning the same input will always produce the same hash output.

In the context of detecting password leaks without exposing actual credentials, a monitoring tool can hash passwords (either locally or using a secure protocol) and then compare these hashed values against known leaked hashes from breached databases. If a match is found, it indicates that a password has been compromised without the monitoring tool needing access to the actual plaintext passwords.

Here’s why the other options are not correct in this context:

Tokenization: Tokenization involves substituting sensitive data with a non-sensitive equivalent (token). It is used to protect data but does not inherently involve comparison or detection of password leaks.
Masking: Masking is the process of partially or completely hiding sensitive data (like passwords) by replacing it with placeholder characters. It does not facilitate the comparison or detection of password leaks.
Encryption: Encryption involves transforming data (plaintext) into a form (ciphertext) that is unreadable without the correct decryption key. While encryption secures data, it does not typically facilitate comparison for detecting password leaks unless the encrypted values are compared directly, which is less common in such monitoring scenarios.

Question 14

A security engineer is building a file transfer solution to send files to a business partner. The users would like to drop off the files in a specific directory and have the server send the file to the business partner. The connection to the business partner is over the internet and needs to be secure. Which of the following can be used?

a. S/MIME
b. LDAPS
c. SSH
d. SRTP

Answer 14

c. SSH

SSH provides a secure, encrypted connection between two systems, typically used for remote access and file transfer. Here’s how it aligns with the requirements:

Secure connection: SSH encrypts the data transmitted between the client (where the files are dropped off) and the server (which sends the files to the business partner), ensuring confidentiality and integrity of the transferred files.

File transfer capability: SSH includes utilities like SCP (Secure Copy Protocol) or SFTP (SSH File Transfer Protocol) which allow secure file transfers over SSH connections. Users can drop off files in a specific directory on the server using SFTP or SCP commands.

Let’s briefly consider why the other options are less suitable in this context:

S/MIME: S/MIME (Secure/Multipurpose Internet Mail Extensions) is used for securing email messages, not directly for file transfer scenarios where files need to be stored in a directory and sent automatically to a business partner.

LDAPS: LDAPS (LDAP over SSL/TLS) is used for securing LDAP directory communications, not for file transfer scenarios as described.

SRTP: SRTP (Secure Real-time Transport Protocol) is used for securing VoIP (Voice over IP) communications, not for file transfer scenarios over the internet.

Question 15

An administrator needs to protect user passwords and has been advised to hash the passwords. Which of the following BEST describes what the administrator is being advised to do?

a. Perform a mathematical operation on the passwords that will convert them into unique strings.
b. Add extra data to the passwords so their length is increased, making them harder to brute force.
c. Store all passwords in the system in a rainbow table that has a centralized location.
d. Enforce the use of one-time passwords that are changed for every login session.

Answer 15

a. Perform a mathematical operation on the passwords that will convert them into unique strings.

In the context of protecting user passwords, hashing is a cryptographic technique where passwords (or any other data) are converted into fixed-length strings of characters (hash values) using a mathematical algorithm. Hashing ensures that the original password cannot be easily derived from the hash value, providing a layer of security in case the hashed data is exposed or compromised.

Let’s briefly explain why the other options are not correct:

b. Add extra data to the passwords so their length is increased, making them harder to brute force: This describes password salting, not hashing. Salting involves adding a random value (salt) to each password before hashing to ensure that even identical passwords produce different hashes. While salting is an important technique, it's not the same as hashing itself.

c. Store all passwords in the system in a rainbow table that has a centralized location: Rainbow tables are precomputed tables used to crack hashed passwords through reverse lookup. Storing passwords in a rainbow table would defeat the purpose of hashing for security.

d. Enforce the use of one-time passwords that are changed for every login session: One-time passwords are not related to hashing passwords. They are temporary passwords that are valid for a single login session and are typically used for two-factor authentication (2FA) or multi-factor authentication (MFA).

Question 16

Which of the following would be indicative of a hidden audio file found inside of a piece of source code?

a. Steganography
b. Homomorphic encryption
c. Cipher suite
d. Blockchain

Answer 16

a. Steganography

Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. In the context of a hidden audio file found inside of a piece of source code, steganography would be the technique used to embed the audio file within the source code without altering the functionality or appearance of the source code itself. This allows the audio file to remain hidden unless someone knows how to extract it using specific tools or methods designed for steganographic detection.

Here’s why the other options are not correct:

b. Homomorphic encryption: Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without decrypting it first. It is not related to embedding audio files within source code.

c. Cipher suite: A cipher suite is a set of cryptographic algorithms used for securing network connections. It is not related to hiding audio files within source code.

d. Blockchain: Blockchain is a decentralized digital ledger technology used for recording transactions across multiple computers. It does not relate to embedding audio files within source code.

Question 17

A user enters a username and a password at the login screen for a web portal. A few seconds later the following message appears on the screen:
Please use a combination of numbers, special characters, and letters in the password field.
Which of the following concepts does this message describe?

a. Password complexity
b. Password reuse
c. Password history
d. Password age

Answer 17

a. Password complexity

Password complexity refers to the requirements and rules imposed on passwords to ensure they are sufficiently strong and resistant to various forms of attack. Common complexity requirements include using a combination of uppercase letters, lowercase letters, numbers, and special characters. These requirements aim to increase the difficulty of guessing or brute-forcing passwords.

Here’s a brief overview of the other options:

b. Password reuse: This concept relates to using the same password across multiple accounts or systems, which can pose security risks if one account is compromised.

c. Password history: Password history refers to a security feature that prevents users from reusing previous passwords, enhancing security by ensuring passwords are not reused consecutively.

d. Password age: Password age refers to the length of time a password has been in use before it needs to be changed as part of a password policy.

Question 18

A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution?

a. HIPS
b. FIM
c. TPM
d. DLP

Answer 18

c. TPM (Trusted Platform Module)

TPM (Trusted Platform Module) is a hardware-based security feature that provides a secure area within the system for storing cryptographic keys, certificates, and measurements. It enables several security functions, including secure boot attestation, which verifies the integrity of system components during the boot process. Here’s how TPM aligns with the requirements:

Integrity of systems: TPM ensures the integrity of the system by securely storing measurements (hashes) of boot components and providing these measurements for verification during the boot process. Any unauthorized changes to the software or system configurations can be detected through these measurements.

Local and remote boot attestation: TPM supports both local and remote attestation mechanisms. Local attestation verifies the integrity of the system components locally, while remote attestation allows external entities (like a remote server or security service) to verify the system's integrity before allowing access or exchanging sensitive information.

Here’s why the other options are less suitable in this context:

a. HIPS (Host-based Intrusion Prevention System): HIPS monitors and analyzes the internals of a computing system, but it does not inherently provide the cryptographic capabilities or secure storage necessary for boot attestation.

b. FIM (File Integrity Monitoring): FIM detects changes to files and system configurations, but it primarily focuses on monitoring file changes rather than providing the comprehensive security features required for boot attestation and ensuring the integrity of the entire system.

d. DLP (Data Loss Prevention): DLP solutions focus on protecting data from unauthorized access and exfiltration rather than ensuring the integrity of system components and supporting boot attestation.

Question 19

Which of the following is a reason to publish files’ hashes?

a. To validate the integrity of the files
b. To verify if the software was digitally signed
c. To use the hash as a software activation key
d. To use the hash as a decryption passphrase

Answer 19

a. To validate the integrity of the files

Publishing files’ hashes allows users to verify the integrity of downloaded files by comparing the hash provided by the publisher with the hash computed from the downloaded file. If the hashes match, it indicates that the file has not been tampered with or corrupted during transmission.

Here’s why the other options are not correct:

b. To verify if the software was digitally signed: Digital signatures are used to verify the authenticity and integrity of software, not hashes. Digital signatures include a hash of the signed content, but the primary purpose of publishing a digital signature is to verify the signer's identity and ensure the software has not been tampered with since it was signed.

c. To use the hash as a software activation key: Hashes are not used as activation keys for software. Activation keys typically are alphanumeric codes that are used to activate or validate software licenses.

d. To use the hash as a decryption passphrase: Hashes are not used directly as decryption passphrases. Passphrases are typically longer and more complex strings used to decrypt encrypted data.

Question 20

A security manager has tasked the security operations center with locating all web servers that respond to an unsecure protocol. Which of the following commands could an analyst run to find the requested servers?

a. nslookup 10.10.10.0
b. nmap -p 80 10.10.10.0/24
c. pathping 10.10.10.0 -p 80
d. ne -l -p 80

Answer 20

b. nmap -p 80 10.10.10.0/24

Here’s how this command works:

nmap: Nmap (Network Mapper) is a network scanning tool used for discovering hosts and services on a computer network.
-p 80: This option specifies that Nmap should scan for hosts that have port 80 (HTTP) open.
10.10.10.0/24: This is the network range in CIDR notation (Classless Inter-Domain Routing), which specifies a range of IP addresses to scan. /24 indicates that it's scanning all IP addresses from 10.10.10.0 to 10.10.10.255.

Explanation of why the other options are incorrect:

a. nslookup 10.10.10.0: nslookup is used to query DNS servers for domain name information. It does not scan for open ports on servers.

c. pathping 10.10.10.0 -p 80: pathping is used to trace the route packets take to a network host, not to scan for open ports.

d. ne -l -p 80: There is no commonly known command ne with options -l and -p 80. It does not appear to be a valid command for the intended purpose.

Question 21

Which biometric error would allow an unauthorized user to access a system?

a. False acceptance
b. False entrance
c. False rejection
d. False denial

Answer 21

a. False acceptance

False acceptance occurs when the biometric system incorrectly identifies an unauthorized user as an authorized one. In other words, the system mistakenly accepts an impostor’s biometric data (such as fingerprints, facial features, iris patterns, etc.) as belonging to an authorized user, granting access when it should not.

Here’s a brief explanation of the other options:

b. False entrance: This term is not commonly used in the context of biometrics. It does not describe a recognized biometric error.

c. False rejection: This occurs when the biometric system incorrectly rejects an authorized user, denying access to someone who should be allowed in. It's the opposite error to false acceptance.

d. False denial: This term is also not commonly used in the context of biometrics. It does not describe a recognized biometric error.

Question 22

A company is auditing the manner in which its European customers’ personal information is handled. Which of the following should the company consult?

a. GDPR
b. ISO
c. NIST
d. PCI DSS

Answer 22

a. GDPR (General Data Protection Regulation)

GDPR is the European Union regulation that governs the handling of personal data of individuals within the EU and European Economic Area (EEA). It outlines specific requirements and standards for the protection and processing of personal data. Since the company is auditing the handling of personal information of its European customers, GDPR compliance is crucial to ensure that they are meeting the legal obligations regarding data protection.

Here’s a brief explanation of the other options:

b. ISO (International Organization for Standardization): ISO standards cover various aspects of business operations, including information security (e.g., ISO/IEC 27001). While ISO standards provide frameworks for best practices, they do not specifically address legal requirements for data protection like GDPR.

c. NIST (National Institute of Standards and Technology): NIST provides cybersecurity and privacy frameworks and guidelines, primarily used in the United States. While NIST frameworks can be beneficial for enhancing security practices, they are not specific to GDPR compliance.

d. PCI DSS (Payment Card Industry Data Security Standard): PCI DSS is a security standard for organizations that handle credit card information. It does not apply to the broader scope of personal data handling regulated by GDPR.

Question 23

Which of the following are common VoIP-associated vulnerabilities? (Choose two.)

a. SPIM
b. Vishing
c. Hopping
d. Phishing
e. Credential harvesting
f. Tailgating

Answer 23

(Braindump)
a. SPIM
b. Vishing

SPIM (Spam over Internet Messaging) is a type of VoIP-associated vulnerability that involves sending unsolicited or
fraudulent messages over an internet messaging service, such as Skype or WhatsApp. It can trick users into clicking on
malicious links, downloading malware, providing personal or financial information, etc., by impersonating a legitimate
entity or creating a sense of urgency or curiosity. Vishing (Voice Phishing) is a type of VoIP-associated vulnerability
that involves making unsolicited or fraudulent phone calls over an internet telephony service, such as Google Voice or
Vonage. It can trick users into disclosing personal or financial information, following malicious instructions,
transferring money, etc., by using voice spoofing, caller ID spoofing, or interactive voice response systems.

vlan hopping one was of the choices on my exam, but credential harvesting was not! IDK which one is correct besides vishing, but cred harvesting wasn’t there. This would mean SPIM was the other answer.

(Community BE 43%, AB 42%)
ChatGPT
b. Vishing
e. Credential harvesting

Explanation:

Vishing (Voice Phishing): This is a type of phishing attack that uses phone calls to trick users into revealing sensitive information. It's a common vulnerability in VoIP systems because attackers can spoof caller IDs to appear as legitimate sources, making it easier to deceive victims.

Credential Harvesting: This involves the theft of login credentials, such as usernames and passwords, which can be used to gain unauthorized access to VoIP systems and services. Attackers may use various techniques, including social engineering and malware, to harvest credentials.

Why the other options are not correct:

a. SPIM (Spam over Instant Messaging): This is related to instant messaging services rather than VoIP specifically.

c. Hopping: This is not a commonly recognized term associated with VoIP vulnerabilities.

d. Phishing: While phishing is a common cybersecurity threat, it typically involves email or text messages rather than VoIP-specific methods like vishing.

f. Tailgating: This is a physical security breach where an unauthorized person follows an authorized person into a secure area, not related to VoIP vulnerabilities.

Question 24

Which of the following describes the exploitation of an interactive process to gain access to restricted areas?

a. Persistence
b. Buffer overflow
c. Privilege escalation
d. Pharming

Answer 24

c. Privilege escalation

Privilege escalation refers to the exploitation of a vulnerability or design flaw in an interactive process to gain elevated privileges that are normally not allowed for an attacker. This could involve escalating from a regular user account to an administrator or root level access, thereby gaining access to restricted areas or resources.

Here’s how the other options differ:

a. Persistence: Persistence refers to techniques used by attackers to maintain access to a system or network after initial access has been achieved, often through means like installing backdoors or modifying system configurations.

b. Buffer overflow: A buffer overflow is a type of software vulnerability where an attacker overwrites memory adjacent to a buffer to execute malicious code or gain control of the program's execution flow.

d. Pharming: Pharming is a cyber attack intended to redirect a website's traffic to a fake website controlled by the attacker, typically through DNS hijacking or poisoning.

Question 25

An organization is planning to open other data centers to sustain operations in the event of a natural disaster. Which of the following considerations would BEST support the organization’s resiliency?

a. Geographic dispersal
b. Generator power
c. Fire suppression
d. Facility automation

Answer 25

a. Geographic dispersal

Geographic dispersal involves establishing data centers in different geographical locations that are not likely to be affected simultaneously by the same natural disaster. This strategy ensures that if one data center is impacted by a disaster (such as a hurricane, earthquake, or flood), operations can continue from another location without significant interruption.

Here’s how the other options compare:

b. Generator power: Generator power is important for providing backup electricity in case of power outages, but it alone does not ensure resiliency across different locations.

c. Fire suppression: Fire suppression systems are crucial for protecting equipment and data from fire damage within a single data center but do not address resiliency across multiple locations.

d. Facility automation: Facility automation can improve operational efficiency and response times but does not directly address the geographic dispersal needed for resiliency against natural disasters.

Question 26

A security engineer is deploying a new wireless network for a company. The company shares office space with multiple tenants. Which of the following should the engineer configure on the wireless network to ensure that confidential data is not exposed to unauthorized users?

a. EAP
b. TLS
c. HTTPS
d. AES

Answer 26

(Community D 51%, A 48%)
d. AES
EAP is an AUTHENTICATION protocol, and authentication does not provide confidentiality. Authentication encompasses processes that allows systems and networks to determine if a user is who they say they are. That provides integrity, not confidentiality. Confidentiality ensures that secret information is protected from UNAUTHORIZED disclosure.

The question also ends with “unauthorized users”.

HTTPS is just HTTP that uses TLS to encrypt network traffic that is in-transit.

A stated above, TLS encrypts in-transit data.

This question specifically states preventing exposed data to unauthorized users. TLS and HTTPS only encrypt in-transit data. Data-at-rest in a network is insecure, though.

Only AES meets the criteria of providing confidentiality to both data-at-rest and data-in-transit, preventing unauthorized users from seeing either.

(ChatGPT)
d. AES
Explanation:

AES (Advanced Encryption Standard) is a symmetric encryption algorithm that provides strong encryption for data. When deploying a wireless network, configuring the wireless encryption protocol to use AES ensures that the data transmitted over the network is encrypted and protected from unauthorized access.
Why the other options are not the best choice for this scenario:

a. EAP (Extensible Authentication Protocol): EAP is a framework for authentication, often used in wireless networks. While important for ensuring that only authorized users can connect to the network, it does not itself provide data encryption.

b. TLS (Transport Layer Security): TLS is a cryptographic protocol designed to provide secure communication over a computer network. While it is used in many applications, including HTTPS, it is not specifically used to secure wireless networks at the data link layer.

c. HTTPS (HyperText Transfer Protocol Secure): HTTPS is used to secure communications over the internet, specifically for web traffic. It ensures that data sent between the browser and the web server is encrypted. However, it is not directly related to securing wireless network communications.

By configuring the wireless network to use AES encryption, the security engineer ensures that all data transmitted over the wireless network is encrypted and protected from eavesdropping and unauthorized access, which is crucial in a shared office space environment.

(Brain dump : D)

Question 27

The Chief Compliance Officer from a bank has approved a background check policy for all new hires. Which of the following is the policy MOST likely protecting against?

a. Preventing any current employees’ siblings from working at the bank to prevent nepotism
b. Hiring an employee who has been convicted of theft to adhere to industry compliance
c. Filtering applicants who have added false information to resumes so they appear better qualified
d. Ensuring no new hires have worked at other banks that may be trying to steal customer information

Answer 27

b. Hiring an employee who has been convicted of theft to adhere to industry compliance

Background checks are commonly implemented to screen prospective employees for criminal records, including convictions related to theft or fraud. This helps banks comply with industry regulations that require employees to be trustworthy and maintain high standards of integrity, especially when handling sensitive financial information and transactions.

Here’s a brief explanation of the other options:

a. Preventing any current employees' siblings from working at the bank to prevent nepotism: This scenario relates to nepotism policies rather than criminal background checks.

c. Filtering applicants who have added false information to resumes so they appear better qualified: This relates more to verifying qualifications and honesty rather than criminal background checks.

d. Ensuring no new hires have worked at other banks that may be trying to steal customer information: While it's important to prevent insider threats and ensure data security, this is not typically the primary focus of background checks. Instead, it may be addressed through other security measures and employment history checks.

Question 28

An engineer recently deployed a group of 100 web servers in a cloud environment. Per the security policy, all web-server ports except 443 should be disabled.
Which of the following can be used to accomplish this task?

a. Application allow list
b. SWG
c. Host-based firewall
d. VPN

Answer 28

(Community : C 73%, B 26%)

c. Host-based firewall

Explanation:

Host-based firewall: This type of firewall runs on individual servers (in this case, the 100 web servers deployed in the cloud). It allows administrators to define and enforce rules regarding which network traffic is allowed to enter or leave the server. By configuring the host-based firewall on each web server to block all ports except 443 (HTTPS), you effectively restrict access to only HTTPS traffic while blocking other ports that are not necessary according to the security policy.

Here’s why the other options are less suitable:

a. Application allow list: An application allow list typically specifies which applications are allowed to run on a system or network, rather than controlling which ports are open or closed.

b. SWG (Secure Web Gateway): SWG is a security solution that provides visibility and control over web traffic, typically focusing on web content filtering, URL filtering, and malware protection. It does not directly control firewall rules on individual servers.

d. VPN (Virtual Private Network): VPN provides secure access to a private network over a public network, but it does not control firewall rules on servers or restrict specific ports on individual servers.

(Braindump) b. SWG

Question 29

A technician was dispatched to complete repairs on a server in a data center. While locating the server, the technician entered a restricted area without authorization. Which of the following security controls would BEST prevent this in the future?

a. Use appropriate signage to mark all areas.
b. Utilize cameras monitored by guards.
c. Implement access control vestibules.
d. Enforce escorts to monitor all visitors.

Answer 29

c. Implement access control vestibules

Access control vestibules are physical security measures designed to restrict access to sensitive areas. They typically consist of a small enclosed space with two sets of doors: one leading to the outside or less secure area, and another leading to the restricted area. Access is granted through electronic authentication (such as badge readers or biometric scanners) before the inner door is unlocked, ensuring only authorized individuals can proceed.

Here’s how the other options compare:

a. Use appropriate signage to mark all areas: While signage is important for indicating restricted areas, it alone may not prevent unauthorized access if someone disregards the signage.

b. Utilize cameras monitored by guards: Cameras can provide surveillance and monitoring, but they are reactive and may not prevent unauthorized access in real-time.

d. Enforce escorts to monitor all visitors: Escorts can accompany visitors to ensure they only access authorized areas, but this may not be practical for all situations and can be resource-intensive.

Question 30

Which of the following would BEST provide a systems administrator with the ability to more efficiently identify systems and manage permissions and policies based on location, role, and service level?

a. Standard naming conventions
b. Domain services
c. Baseline configurations
d. Diagrams

Answer 30

b. Domain services

Explanation:

Domain services (such as Active Directory in Windows environments) provide centralized management of network resources, including user accounts, computers, groups, and policies. They allow administrators to implement and enforce security policies, manage permissions, and organize systems based on organizational units (OUs), which can reflect location, role, or service level.

Here’s how the other options compare:

a. Standard naming conventions: While important for consistency and organization, naming conventions alone do not provide the centralized management and policy enforcement capabilities that domain services offer.

c. Baseline configurations: Baseline configurations help ensure that systems meet security and operational standards but do not inherently provide the ability to manage permissions and policies based on location, role, and service level.

d. Diagrams: Diagrams (such as network diagrams or system architecture diagrams) provide visual representations of systems and networks but do not directly facilitate the management of permissions and policies.

Question 31

Which of the following would detect intrusions at the perimeter of an airport?

a. Signage
b. Fencing
c. Motion sensors
d. Lighting
e. Bollards

Answer 31

c. Motion sensors

Explanation:

Motion sensors are designed to detect movement within their range. Placing motion sensors along the perimeter of an airport can help alert security personnel to any unauthorized attempts to breach the perimeter fence or other barriers.

Here’s how the other options compare:

a. Signage: While signage can indicate restricted areas and deter unauthorized access, it does not actively detect intrusions.

b. Fencing: Fencing provides a physical barrier to restrict access but does not detect intrusions on its own.

d. Lighting: Lighting enhances visibility and deters intrusions by making it harder for unauthorized individuals to approach undetected, but it does not detect intrusions in itself.

e. Bollards: Bollards are used to restrict vehicle access and enhance security against vehicular attacks but do not detect intrusions at the perimeter.

Question 32

A security analyst is concerned about critical vulnerabilities that have been detected on some applications running inside containers. Which of the following is the BEST remediation strategy?

a. Update the base container Image and redeploy the environment.
b. Include the containers in the regular patching schedule for servers.
c. Patch each running container individually and test the application.
d. Update the host in which the containers are running.

Answer 32

a. Update the base container image and redeploy the environment.

Explanation:

Updating the base container image: Containers are typically built from base images that include the operating system and necessary dependencies. If critical vulnerabilities are found in these base images, the first step is to update the base image to a version that includes patches for these vulnerabilities.

Redeploy the environment: Once the base image is updated, the affected containers should be rebuilt using the patched base image and redeployed. This ensures that all containers running the vulnerable applications are replaced with new instances based on the updated image.

Here’s why the other options are less optimal:

b. Include the containers in the regular patching schedule for servers: While it's important to have a regular patching schedule for servers and their containers, critical vulnerabilities often require more immediate attention than waiting for the next scheduled patch cycle.

c. Patch each running container individually and test the application: Patching each running container individually can be time-consuming and error-prone. It also may not address vulnerabilities in the base image or underlying dependencies.

d. Update the host in which the containers are running: Updating the host is important for security but does not directly address vulnerabilities within the containers themselves.

Question 33

An organization has decided to purchase an insurance policy because a risk assessment determined that the cost to remediate the risk is greater than the five- year cost of the insurance policy. The organization is enabling risk:

a. avoidance.
b. acceptance.
c. mitigation.
d. transference.

Answer 33

d. Transference

Explanation:

Transference: Transferring risk involves shifting the financial consequences of a risk to another party, typically through mechanisms such as insurance policies. By purchasing insurance, the organization transfers the potential costs of certain risks (such as financial losses due to specific events) to the insurance provider. This allows the organization to mitigate the financial impact of those risks while paying a predictable premium over time.

Here’s how the other options differ:

a. Avoidance: Avoidance involves taking actions to eliminate the risk entirely, such as ceasing certain activities or not pursuing certain projects to avoid potential risks.

b. Acceptance: Acceptance involves acknowledging the existence of a risk and deciding not to take any proactive measures to mitigate or transfer it. The organization is willing to bear the potential consequences of the risk.

c. Mitigation: Mitigation involves taking proactive measures to reduce the likelihood or impact of a risk. It typically involves implementing controls or safeguards to minimize the risk's effect.

Question 34

A security analyst receives an alert from the company’s SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks the analyst to block the originating source. Several days later, another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert?

a. True negative
b. True positive
c. False positive
d. False negative

Answer 34

c. False positive

Explanation:

False positive: This occurs when a security system incorrectly identifies normal or benign activity as malicious or anomalous. In this case, the SIEM alert incorrectly flagged the legitimate vulnerability scans as anomalous activity, leading the analyst to block the IP address 192.168.34.26. This action resulted in a disruption of normal operations (vulnerability scans not being performed properly), which was an unintended consequence of responding to a false alert.

Here’s how the other options compare:

a. True negative: This would describe a situation where the security system correctly identifies normal activity as benign or not malicious.

b. True positive: This would describe a situation where the security system correctly identifies malicious or anomalous activity as such.

d. False negative: This would describe a situation where the security system fails to detect actual malicious activity, incorrectly identifying it as normal or benign.

Question 35

A security analyst wants to reference a standard to develop a risk management program. Which of the following is the BEST source for the analyst to use?

a. SSAE SOC 2
b. ISO 31000
c. NIST CSF
d. GDPR

Answer 35

b. ISO 31000

ISO 31000 is an international standard that provides guidelines and principles for risk management. It offers a comprehensive framework that organizations can adapt to develop their risk management processes, including risk assessment, risk treatment, and risk communication.

Here’s why ISO 31000 is a strong choice:

Comprehensive framework: ISO 31000 provides a systematic approach to risk management that can be applied broadly across different types of risks and organizations.

Internationally recognized: It is widely recognized and used globally, making it easier to communicate and align risk management practices across borders and industries.

Flexibility: ISO 31000 is adaptable to various organizational contexts and can be integrated with other standards and frameworks.

While the other options also play important roles in security and privacy management, they are more specific to certain areas:

a. SSAE SOC 2: Focuses on controls relevant to security, availability, processing integrity, confidentiality, and privacy, primarily for service organizations.

c. NIST CSF (Cybersecurity Framework): Developed by NIST, it focuses specifically on improving cybersecurity risk management for critical infrastructure sectors in the United States.

d. GDPR (General Data Protection Regulation): Focuses on data protection and privacy for individuals within the European Union and European Economic Area.

Question 36

The Chief Information Security Officer (CISO) requested a report on potential areas of improvement following a security incident. Which of the following incident response processes is the CISO requesting?

a. Lessons learned
b. Preparation
c. Detection
d. Containment
e. Root cause analysis

Answer 36

a. Lessons learned

Explanation:

Lessons learned: This process involves reviewing the incident response to identify strengths and weaknesses in the organization's response capabilities. It focuses on understanding what went well, what could have been improved, and recommendations for enhancing incident response procedures in the future.

Here’s how the other options relate to incident response processes:

b. Preparation: Refers to activities and measures taken before an incident occurs to enhance readiness, such as developing incident response plans and conducting training.

c. Detection: Involves identifying and confirming that an incident has occurred or is in progress, often through monitoring and analysis of security alerts.

d. Containment: Involves actions taken to limit the impact and spread of an incident once detected, aiming to prevent further damage or exposure.

e. Root cause analysis: Focuses on determining the underlying cause or causes of an incident to prevent recurrence.

Question 37

A company is providing security awareness training regarding the importance of not forwarding social media messages from unverified sources. Which of the following risks would this training help to prevent?

a. Hoaxes
b. SPIMs
c. Identity fraud
d. Credential harvesting

Answer 37

a. Hoaxes

Explanation:

Hoaxes: These are false messages or information spread with the intention to deceive or mislead recipients. They often propagate through social media platforms and messaging apps, relying on users forwarding them without verification. Hoaxes can cause confusion, panic, or unnecessary concern among users.

Here’s how the other options relate:

b. SPIMs (Spam over Instant Messaging): Refers to unsolicited messages sent over instant messaging platforms. While related to unwanted messages, SPIM typically involves spam rather than hoaxes.

c. Identity fraud: Involves the theft of personal information to impersonate someone else for financial gain or other malicious purposes. While forwarding messages could potentially contribute to identity fraud indirectly (e.g., phishing attacks), it's not the primary risk addressed by avoiding forwarding hoaxes.

d. Credential harvesting: Involves malicious attempts to obtain usernames, passwords, or other sensitive information from users. While forwarding messages could be a vector for spreading phishing attacks aimed at credential harvesting, it's not directly related to the act of forwarding hoaxes from unverified sources.

Question 38

A security analyst is receiving numerous alerts reporting that the response time of an internet-facing application has been degraded. However, the internal network performance was not degraded. Which of the following MOST likely explains this behavior?

a. DNS poisoning
b. MAC flooding
c. DDoS attack
d. ARP poisoning

Answer 38

c. DDoS attack

Explanation:

DDoS attack (Distributed Denial of Service): This type of attack overwhelms a targeted system (in this case, the internet-facing application) with a flood of traffic or requests from multiple sources, aiming to exhaust its resources and make it inaccessible to legitimate users. DDoS attacks can cause significant degradation in the performance and availability of internet-facing services without necessarily impacting the internal network, which operates separately and may have different levels of resilience or protection.

Here’s how the other options compare:

a. DNS poisoning: Typically affects DNS resolution, redirecting users to malicious or incorrect IP addresses. It does not directly cause performance degradation in an application.

b. MAC flooding: This attack floods the switch with packets, potentially causing it to enter into a fail-open mode, but it typically affects network devices rather than specific applications.

d. ARP poisoning: Involves manipulation of ARP (Address Resolution Protocol) cache entries to associate a malicious MAC address with an IP address, leading to traffic redirection. While it can cause network issues, it is not typically associated with application-specific performance degradation.

Question 39

Which of the following will increase cryptographic security?

a. High data entropy
b. Algorithms that require less computing power
c. Longer key longevity
d. Hashing

Answer 39

a. High data entropy

Explanation:

High data entropy: Entropy in this context refers to randomness or unpredictability of data. Higher data entropy means that the data contains more randomness, making it harder for attackers to predict or analyze. Cryptographic algorithms rely on high entropy to ensure that encrypted data is secure and resistant to brute-force attacks.

Here’s how the other options relate:

b. Algorithms that require less computing power: While efficient algorithms are desirable for performance reasons, cryptographic strength is not solely determined by computational requirements. Strong cryptographic algorithms are designed to withstand attacks regardless of computational power.

c. Longer key longevity: This refers to how long cryptographic keys remain valid or secure before needing to be updated or rotated. While longer key lengths are important for security, longevity itself does not directly increase cryptographic security beyond ensuring keys are not compromised over time.

d. Hashing: Hashing is a cryptographic process that generates a fixed-size output (hash value) from input data. While important for data integrity and authentication, hashing alone does not provide encryption or directly increase cryptographic security in the context of encrypting data.

Question 40

Which of the following statements BEST describes zero-day exploits?

a. When a zero-day exploit is discovered, the system cannot be protected by any means.
b. Zero-day exploits have their own scoring category in CVSS.
c. A zero-day exploit is initially undetectable, and no patch for it exists.
d. Discovering zero-day exploits is always performed via bug bounty programs.

Answer 40

c. A zero-day exploit is initially undetectable, and no patch for it exists.

Explanation:

Undetectable and no patch: A zero-day exploit refers to a vulnerability in software or hardware that is unknown to the vendor and for which no patch or fix is available. It is called "zero-day" because it occurs on the same day that the vulnerability is discovered by attackers, meaning the developers have zero days to fix it before it can potentially be exploited.

Here’s why the other options are less accurate:

a. When a zero-day exploit is discovered, the system cannot be protected by any means: While zero-day exploits are initially unknown and pose a significant risk, security measures such as intrusion detection systems and behavior analysis can sometimes mitigate their impact even before a patch is available.

b. Zero-day exploits have their own scoring category in CVSS: While CVSS (Common Vulnerability Scoring System) includes metrics for assessing the severity of vulnerabilities, including those that are zero-day, the scoring itself is not specific to zero-day exploits as a category.

d. Discovering zero-day exploits is always performed via bug bounty programs: Zero-day exploits can be discovered through various means, including security research, threat intelligence, and unfortunately, by malicious actors. Bug bounty programs are one method to incentivize researchers to responsibly disclose vulnerabilities, including zero-days, but they are not the sole source.

Question 41

A company wants to restrict emailing of PHI documents. The company is implementing a DLP solution. In order to restrict PHI documents, which of the following should be performed FIRST?

a. Retention
b. Governance
c. Classification
d. Change management

Answer 41

c. Classification

Explanation:

Classification: This involves identifying and categorizing data based on its sensitivity and regulatory requirements. In the context of PHI documents, classification helps to distinguish which documents contain PHI and need to be protected. Once classified, appropriate policies and controls can be applied, including restrictions on emailing such documents.

Here’s why the other options are less suitable as the first step:

a. Retention: Refers to policies and practices related to storing and retaining data for a specified period. While retention policies are important, they come after classification and governance in the context of data protection.

b. Governance: Involves establishing policies, procedures, and controls to manage and protect data. Governance frameworks help to ensure that data handling practices align with organizational goals and regulatory requirements. Governance typically builds upon classification to enforce policies effectively.

d. Change management: Involves processes and procedures for managing changes to systems, processes, or policies. While important for implementing DLP solutions, change management is typically part of the broader implementation process after classification and governance are established.

Question 42

A security analyst is investigating some users who are being redirected to a fake website that resembles www.comptia.org. The following output was found on the naming server of the organization:

Name Type Data
www A 192,168.1.10
server1 A 10.10.10.10
server2 A 10.10.10.11
file A 10.10.10.12

Which of the following attacks has taken place?

a. Domain reputation
b. Domain hijacking
d. Disassociation
d. DNS poisoning

Answer 42

d. DNS poisoning

Explanation:

DNS poisoning: Also known as DNS spoofing or DNS cache poisoning, this attack involves compromising the Domain Name System (DNS) to redirect domain name resolutions to malicious IP addresses. In this scenario:
    The legitimate domain www.comptia.org has its DNS record (www) pointing to an IP address of 192.168.1.10.
    However, users are being redirected to a fake website that resembles www.comptia.org, indicating that the DNS records have been maliciously altered.

This alteration could be achieved through various means, such as compromising the organization's DNS server or using techniques to inject false DNS records (poisoning) into the DNS cache of intermediate DNS servers.

Let’s address why the other options are incorrect:

a. Domain reputation: This term typically refers to the trustworthiness and reliability of a domain in the context of email deliverability and reputation management. It is not directly related to DNS attacks.

b. Domain hijacking: Refers to unauthorized changes made to the registration of a domain name, often to redirect traffic or gain control over the domain. While related to DNS manipulation, it typically involves administrative control rather than DNS record alteration directly.

c. Disassociation: This term does not have a specific security context related to DNS attacks. It generally means the act of disconnecting or separating something.

Question 43

Which of the following describes the continuous delivery software development methodology?

a. Waterfall
b. Spiral
c. V-shaped
d. Agile

Answer 43

d. Agile

Explanation:

Continuous delivery: This methodology focuses on automating and streamlining the software delivery process to enable frequent and reliable releases of software into production. It emphasizes shorter development cycles, continuous integration, and continuous deployment, where software changes are delivered frequently (often daily) and reliably.

Here’s how the other options relate:

a. Waterfall: A traditional software development methodology characterized by sequential phases (requirements, design, implementation, testing, deployment) where each phase must be completed before the next begins. It does not support continuous delivery.

b. Spiral: An iterative software development methodology where development cycles progress through planning, risk analysis, engineering, and evaluation. It focuses on risk management but does not inherently support continuous delivery.

c. V-shaped: Also known as the V-model, it is a sequential software development model where testing is emphasized in parallel with each stage of development. It does not inherently support continuous delivery.

Question 44

Which of the following is the BEST example of a cost-effective physical control to enforce a USB removable media restriction policy?

a. Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports
b. Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced
c. Placing systems into locked, key-controlled containers with no access to the USB ports
d. Installing an endpoint agent to detect connectivity of USB and removable media

Answer 44

(Community A57%, B 31%)

a. Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports
Explanation:

This option involves a physical method that is cost-effective and straightforward to implement. It does not require additional software or complex configuration and provides a clear visual indication if someone has attempted to use a USB port. Regular inspections can ensure compliance with the USB removable media restriction policy.
Why other options may be less suitable:

Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced: While this is an effective software-based control, it is not a physical control. Additionally, managing and verifying GPO enforcement can be time-consuming and may require more resources compared to physical methods.

Placing systems into locked, key-controlled containers with no access to the USB ports: This method is a strong physical control but may not be cost-effective, especially for a large number of systems. It also reduces the accessibility and usability of the systems.

Installing an endpoint agent to detect connectivity of USB and removable media: This option involves a software-based control that can be effective but might not be considered a physical control. It may also involve additional costs for software licenses and management.

Thus, putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports is the best example of a cost-effective physical control to enforce a USB removable media restriction policy.

(Braindump) b. Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced

Question 45

A company suspects that some corporate accounts were compromised. The number of suspicious logins from locations not recognized by the users is increasing.
Employees who travel need their accounts protected without the risk of blocking legitimate login requests that may be made over new sign-in properties. Which of the following security controls can be implemented?

a. Enforce MFA when an account request reaches a risk threshold.
b. Implement geofencing to only allow access from headquarters.
c. Enforce time-based login requests that align with business hours.
d. Shift the access control scheme to a discretionary access control.

Answer 45

a. Enforce MFA when an account request reaches a risk threshold.

Explanation:

Enforcing MFA (Multi-Factor Authentication): By implementing MFA, especially when an account request reaches a risk threshold (such as suspicious login attempts from unrecognized locations), the system adds an additional layer of security beyond just a username and password. This helps verify the identity of the user more securely, even if the credentials have been compromised. Legitimate users, including traveling employees accessing from new locations, can still authenticate using MFA, ensuring security while maintaining usability.

Here’s why the other options may not be as effective:

b. Implement geofencing to only allow access from headquarters: While geofencing restricts access based on geographic location, it can be overly restrictive for legitimate users who may need to access accounts from various locations during travel. It does not dynamically adjust to new sign-in locations and may hinder legitimate access.

c. Enforce time-based login requests that align with business hours: This control limits access based on time of day, which may not be flexible enough for employees who work outside regular business hours or travel across time zones.

d. Shift the access control scheme to a discretionary access control: This refers to a different access control model that grants users discretion over access permissions, which does not directly address the issue of compromised accounts and suspicious logins.

Question 46

An organization wants to participate in threat intelligence information sharing with peer groups. Which of the following would MOST likely meet the organization’s requirement?

a. Perform OSINT investigations.
b. Subscribe to threat intelligence feeds.
c. Submit RFCs.
d. Implement a TAXII server.

Answer 46

d. Implement a TAXII server.

Explanation:

TAXII (Trusted Automated eXchange of Indicator Information): TAXII is a protocol designed to facilitate the sharing of threat intelligence. It enables organizations to exchange cyber threat information in a structured and automated manner. Organizations can publish threat intelligence data to a TAXII server and subscribe to feeds from other organizations or peer groups. This allows for real-time or near-real-time sharing of threat indicators, such as malicious IP addresses, domain names, and malware signatures.

Here’s why the other options are less likely to meet the requirement:

a. Perform OSINT (Open Source Intelligence) investigations: OSINT involves gathering information from publicly available sources. While it can provide valuable threat intelligence, it is not specifically designed for structured information sharing with peer groups.

b. Subscribe to threat intelligence feeds: Subscribing to threat intelligence feeds is beneficial for receiving updated information about threats, but it is a passive approach compared to actively participating in information sharing through a dedicated protocol like TAXII.

c. Submit RFCs (Request for Comments): RFCs are documents that describe new protocols or protocols that need to be updated. They are not directly related to threat intelligence sharing with peer groups.

Question 47

Which of the following is the MOST effective control against zero-day vulnerabilities?

a. Network segmentation
b. Patch management
c. Intrusion prevention system
d. Multiple vulnerability scanners

Answer 47

b. Patch management

Explanation:

Patch management: Zero-day vulnerabilities are security flaws that are unknown to the software vendor and therefore do not have a patch available to fix them. Patch management involves regularly updating and applying patches to software and systems as soon as patches become available. While patch management cannot prevent zero-day vulnerabilities from being exploited initially, it is crucial because once a patch is released for a zero-day vulnerability, applying it promptly can mitigate the risk of exploitation.

Here’s why the other options are less effective against zero-day vulnerabilities:

a. Network segmentation: While network segmentation helps contain and mitigate the impact of security incidents, including those exploiting zero-day vulnerabilities, it does not directly address the vulnerability itself.

c. Intrusion prevention system (IPS): IPS can detect and block known attacks based on signatures or behavioral anomalies but may not detect or prevent zero-day exploits until signatures or detection mechanisms are updated.

d. Multiple vulnerability scanners: While using multiple vulnerability scanners can enhance visibility into potential vulnerabilities, including zero-day vulnerabilities, it relies on the scanners having updated signatures or detection capabilities to identify zero-day exploits, which may not always be the case.

Question 48

Which of the following is the GREATEST security concern when outsourcing code development to third-party contractors for an internet-facing application?

a. Intellectual property theft
b. Elevated privileges
c. Unknown backdoor
d. Quality assurance

Answer 48

c. Unknown backdoor

Explanation:

An unknown backdoor is a significant security risk because it can provide unauthorized access to the application and potentially the entire network. If a third-party contractor inserts a backdoor into the code, it can be exploited by malicious actors to bypass authentication mechanisms, steal data, or execute further attacks. This kind of vulnerability is particularly dangerous because it can go undetected for a long time, compromising the security of the application and its users.

Other Options:

a. Intellectual property theft: While serious, this concern primarily affects the ownership and competitive advantage of the company rather than the immediate security of the application.
b. Elevated privileges: This is a concern, but it can be mitigated through proper access control and monitoring.
d. Quality assurance: Ensuring high-quality code is important, but security risks from poor quality can be managed through thorough testing and code review processes.

Therefore, the possibility of an unknown backdoor being inserted into the code poses the greatest security risk when outsourcing code development for an internet-facing application.

Question 49

An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an IoC?

a. Reimage the impacted workstations.
b. Activate runbooks for incident response.
c. Conduct forensics on the compromised system.
d. Conduct passive reconnaissance to gather information.

Answer 49

b. Activate runbooks for incident response.

Explanation:

Activate runbooks for incident response: Upon detecting an IoC, the blue team will initiate predefined procedures outlined in their incident response plan (runbooks). These procedures are designed to handle security incidents effectively, including containing the threat, investigating the scope of the compromise, mitigating further damage, and restoring affected systems.

Here’s why the other options are less likely to be the immediate response:

a. Reimage the impacted workstations: Reimaging workstations may be part of the incident response process, especially if the compromise is severe, but it typically comes after initial containment and investigation steps.

c. Conduct forensics on the compromised system: Forensic analysis is important for understanding how the compromise occurred and gathering evidence for potential legal or compliance purposes. However, it is usually conducted after containing the incident to prevent further damage.

d. Conduct passive reconnaissance to gather information: Passive reconnaissance is typically done as part of proactive security measures or during the initial stages of threat hunting, not immediately after detecting an IoC.

Question 50

An amusement park is implementing a biometric system that validates customers’ fingerprints to ensure they are not sharing tickets. The park’s owner values customers above all and would prefer customers’ convenience over security. For this reason, which of the following features should the security team prioritize
FIRST?

a. Low FAR
b. Low efficacy
c. Low FRR
d. Low CER

Answer 50

c. Low FRR (False Rejection Rate)

Explanation:

False Rejection Rate (FRR): This metric indicates the rate at which the biometric system incorrectly rejects valid attempts by customers. In other words, it measures how often legitimate customers are not recognized by the system, potentially causing inconvenience and frustration. For an amusement park focusing on customer convenience, minimizing the FRR is crucial to ensure that customers can quickly and reliably access the park using their fingerprints without encountering frequent rejections.

Here’s why the other options are not as suitable in this scenario:

a. Low FAR (False Acceptance Rate): While a low FAR is important for security reasons (to prevent unauthorized access), prioritizing it over customer convenience might lead to more stringent authentication requirements, which could increase the likelihood of legitimate customers being falsely accused of sharing tickets.

b. Low efficacy: Efficacy typically refers to the overall effectiveness of the biometric system in correctly identifying users. Prioritizing low efficacy would mean the system is less accurate in general, which is counterproductive for both security and convenience.

d. Low CER (Crossover Error Rate): CER is the point where the FAR and FRR are equal. While CER is an important metric in biometric system evaluation, it doesn't directly address the immediate concern of customer convenience in this context.