501-550 Flashcards
A government organization is developing an advanced AI defense system. Developers are using information collected from third-party providers. Analysts are noticing inconsistencies in the expected progress of the AI learning and attribute the outcome to a recent attack on one of the suppliers. Which of the following is the most likely reason for the inaccuracy of the system?
A. Improper algorithms security
B. Tainted training data
C. Fileless virus
D. Cryptomalware
B. Tainted training data
Explanation:
The inconsistencies in the expected progress of the AI learning are likely due to tainted training data from a recent attack on one of the suppliers. When the training data used to train AI systems is compromised or manipulated (often inadvertently through attacks like data breaches or supply chain attacks), it can lead to inaccurate AI model outputs and behaviors. Therefore, in this scenario, the most likely reason for the inaccuracies in the AI defense system is the tainted training data resulting from the attack on the supplier.
A company’s help desk has received calls about the wireless network being down and users being unable to connect to it. The network administrator says all access points are up and running. One of the help desk technicians notices the affected users are working in a building near the parking lot. Which of the following is the most likely reason for the outage?
A. Someone near the building is jamming the signal.
B. A user has set up a rogue access point near the building.
C. Someone set up an evil twin access point in the affected area.
D. The APs in the affected area have been unplugged from the network.
A. Someone near the building is jamming the signal.
Explanation:
The symptoms described — users near a specific area (building near the parking lot) unable to connect to the wireless network while the access points (APs) appear operational — suggest that the wireless signal in that area is being jammed. Jamming refers to intentional interference with wireless signals, which can disrupt or block connectivity.
Here’s why the other options are less likely:
B. A user has set up a rogue access point near the building: While possible, rogue access points usually affect connectivity differently, often by causing conflicts or interference due to overlapping signals. They do not necessarily cause complete outages unless they are disrupting the network significantly.
C. Someone set up an evil twin access point in the affected area: An evil twin AP mimics a legitimate AP to trick users into connecting to it, but it typically does not cause a complete outage unless users connect to it and are subjected to some form of attack or redirection.
D. The APs in the affected area have been unplugged from the network: If APs were unplugged, they would not be operational at all, and users would not detect them as available networks.
Therefore, given the symptoms described (partial outage in a specific area despite APs being up), the most likely cause is deliberate signal jamming affecting the wireless network in that area.
Which of the following can best protect against an employee inadvertently installing malware on a company system?
A. Host-based firewall
B. System isolation
C. Least privilege
D. Application allow list
D. Application allow list
Explanation:
Application allow list: This security measure restricts the applications that can be installed and run on a system to a predefined list of approved applications. By doing so, it prevents employees from inadvertently installing malware or unauthorized software, as only the applications on the allow list can be executed.
Host-based firewall: While useful for controlling network traffic to and from the host, a firewall does not prevent the installation of malware. It can block malicious traffic but doesn't address the issue of unauthorized software installation.
System isolation: This involves separating systems or segments of a network to limit the spread of malware. While helpful for containing an infection, it does not prevent the initial installation of malware.
Least privilege: This principle involves giving users the minimum level of access necessary to perform their job functions. While it reduces the risk of malware installation by limiting what users can do, it is not as direct or effective as an application allow list in preventing the installation of unauthorized software.
Therefore, an application allow list provides the most direct and effective protection against the inadvertent installation of malware by employees.
An information security officer at a credit card transaction company is conducting a framework-mapping exercise with the internal controls. The company recently established a new office in Europe. To which of the following frameworks should the security officer map the existing controls? (Choose two.)
A. ISO
B. PCIDSS
C. SOC
D. GDPR
E. CSA
F. NIST
B. PCIDSS (Payment Card Industry Data Security Standard): PCIDSS is essential for any organization handling credit card transactions, ensuring secure handling of cardholder information.
D. GDPR (General Data Protection Regulation): GDPR is crucial for compliance with data protection and privacy regulations in the European Union, especially since the company has established an office in Europe.
Explanation:
PCIDSS: Since the company deals with credit card transactions, compliance with PCIDSS is mandatory to secure cardholder data and ensure secure payment processing.
GDPR: With the new office in Europe, compliance with GDPR is necessary to protect personal data and ensure privacy rights of individuals within the EU.
These frameworks address specific regulatory requirements related to data protection, privacy, and secure payment processing, which are critical for the company’s operations in Europe.
A customer called a company’s security team to report that all invoices the customer has received over the last five days from the company appear to have fraudulent banking details. An investigation into the matter reveals the following:
The manager of the accounts payable department is using the same password across multiple external websites and the corporate account. One of the websites the manager used recently experienced a data breach. The manager’s corporate email account was successfully accessed in the last five days by an IP address located in a foreign country.
Which of the following attacks has most likely been used to compromise the manager’s corporate account?
A. Remote access Trojan
B. Brute-force
C. Dictionary
D. Credential stuffing
E. Password spraying
E. Password spraying.
Here’s why:
Password Reuse: The manager used the same password across multiple external websites and the corporate account. This practice is risky because if one site is compromised, attackers can use the same credentials to access other accounts.
Data Breach: One of the external websites the manager used recently experienced a data breach. This means that the manager's credentials used on that site could have been exposed.
Successful Access from Foreign IP: The manager's corporate email account was accessed successfully from an IP address located in a foreign country. This suggests unauthorized access likely gained through compromised credentials.
Password Spraying involves using a single password across multiple accounts or services, rather than attempting to brute-force a single account. Attackers try common or previously exposed passwords against multiple accounts, leveraging the likelihood that users reuse passwords across different services. In this scenario, the compromised credentials from the breached external website were likely used in a password spraying attack against the corporate email account, resulting in unauthorized access.
Therefore, the most likely attack used to compromise the manager’s corporate account, given the details provided, is E. Password spraying.
Let’s review why the other answers are not as suitable as Password spraying for describing the attack that compromised the manager’s corporate account:
Remote access Trojan (A): A Remote Access Trojan (RAT) is malicious software that allows an attacker to control a system remotely. While RATs can be used to gain unauthorized access to systems, they are typically not directly linked to the compromise of a corporate account through password reuse or exposure in a data breach.
Brute-force (B): Brute-force attacks involve systematically trying all possible combinations of passwords until the correct one is found. This method is less likely in this scenario because the attack did not involve trying many different passwords against a single account, but rather using a known compromised password across multiple accounts.
Dictionary (C): Dictionary attacks involve using a list of commonly used passwords or words from a dictionary to attempt to gain unauthorized access. This approach is similar to brute-force attacks but focuses on commonly used or easily guessable passwords. It does not directly fit the scenario where a specific compromised password is reused across accounts.
Credential stuffing (D): Credential stuffing involves using large sets of known username and password pairs to gain unauthorized access to accounts. It is typically used against a specific service or website, leveraging credentials obtained from previous data breaches. While similar in concept to password spraying, credential stuffing usually involves automated attempts against a single service, not multiple services.
In contrast, Password spraying specifically fits the scenario where the manager reused the same password across multiple accounts, including an external website that was breached. Attackers took advantage of this password reuse to gain unauthorized access to the manager’s corporate account, which aligns with the details provided in the scenario.
Therefore, E. Password spraying remains the most appropriate answer given the context provided in the question.
An organization’s corporate offices were destroyed due to a natural disaster, so the organization is now setting up offices in a temporary work space. Which of the following will the organization most likely consult?
A. The business continuity plan
B. The risk management plan
C. The communication plan
D. The incident response plan
A. The business continuity plan
Business continuity plans (BCP) are designed to ensure that critical business functions can continue during and after a disaster or disruption. They typically include strategies for relocating operations to alternative facilities, maintaining essential services, and recovering from the disruption. Given that the organization needs to resume its operations in a temporary workspace after the destruction of its corporate offices, consulting the business continuity plan will provide guidance on how to maintain continuity and minimize the impact of the disaster on business operations.
The other options:
B. The risk management plan: While important for assessing and mitigating risks, it doesn't directly address the immediate need to resume operations after a disaster.
C. The communication plan: Important for internal and external communications during incidents, but doesn't address the overall operational recovery.
D. The incident response plan: Focuses on responding to and managing specific incidents as they occur, rather than on long-term operational continuity after a major disaster.
Therefore, A. The business continuity plan is the most appropriate plan for the organization to consult in this situation.
Security analysts notice a server login from a user who has been on vacation for two weeks. The analysts confirm that the user did not log in to the system while on vacation. After reviewing packet capture logs, the analysts notice the following:
username : ….smithJA….
Password: 944d369d8880ed401b5ba2c77811
Which of the following occurred?
A. A buffer overflow was exploited to gain unauthorized access.
B. The user’s account was compromised, and an attacker changed the login credentials.
C. An attacker used a pass-the-hash attack to gain access.
D. An insider threat with username smithJA logged in to the account.
C. An attacker used a pass-the-hash attack to gain access.
Explanation:
Pass-the-hash attack: In this type of attack, an attacker captures the hashed version of a password and uses it to authenticate to a server without needing to know the actual plaintext password. The packet capture logs showing the password as a hash (944d369d8880ed401b5ba2c77811) suggest that the attacker used this hash to gain access.
Buffer overflow: This type of attack typically involves exploiting software vulnerabilities to execute arbitrary code or cause unintended behavior. The information given does not indicate a buffer overflow.
User account compromise: While the user's account was indeed compromised, there is no evidence from the packet capture logs that the login credentials were changed. The hash being used for authentication points more specifically to a pass-the-hash attack.
Insider threat: This would involve someone within the organization using the username smithJA to log in. The details suggest unauthorized external access rather than an insider threat, especially given the hash usage.
Therefore, the most likely scenario is a pass-the-hash attack.
A security analyst is taking part in an evaluation process that analyzes and categorizes threat actors of real-world events in order to improve the incident response team’s process. Which of the following is the analyst most likely participating in?
A. MITRE ATT&CK
B. Walk-through
C. Red team
D. Purple team
E. TAXII
A. MITRE ATT&CK
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary tactics and techniques based on real-world observations. It categorizes and describes various techniques used by threat actors during cyber attacks. Security analysts often use MITRE ATT&CK to understand and classify these tactics, which helps in improving incident response strategies and defenses.
A network manager wants to protect the company’s VPN by multifactor authentication that uses:
Something you know
Something you have
Somewhere you are
Which of the following would accomplish the manager’s goal?
A. Domain name, PKI, GeoIP lookup
B. VPN IP address, company ID, partner site
C. Password, authentication token, thumbprint
D. Company URL, TLS certificate, home address
C. Password, authentication token, thumbprint
Explanation:
Password: Something you know.
Authentication token: Something you have.
Thumbprint: This could refer to biometric data like a fingerprint, which could be considered as part of "somewhere you are" if it implies physical presence (though this interpretation may vary).
Option C covers two out of the three factors explicitly mentioned (something you know and something you have). For the “somewhere you are” factor, typically GeoIP lookup or GPS location would be used, but it’s not directly covered in the provided options.
Which of the following terms should be included in a contract to help a company monitor the ongoing security maturity of a new vendor?
A. A right-to-audit clause allowing for annual security audits
B. Requirements for event logs to be kept for a minimum of 30 days
C. Integration of threat intelligence in the company’s AV
D. A data-breach clause requiring disclosure of significant data loss
A. A right-to-audit clause allowing for annual security audits
Explanation:
A "right-to-audit" clause in a contract allows the company to conduct regular security audits of the vendor's systems and processes. This helps the company monitor the ongoing security maturity of the vendor by assessing their adherence to security policies, procedures, and controls. It ensures transparency and accountability in the vendor's security practices, which is crucial for maintaining trust and ensuring compliance with security standards.
Options B, C, and D are not directly related to monitoring the ongoing security maturity of the vendor. While they are important considerations for security in general, they do not specifically address the need to continuously assess and improve the vendor’s security posture over time.
Which of the following cloud models provides clients with servers, storage, and networks but nothing else?
A. SaaS
B. PaaS
C. IaaS
D. DaaS
C. IaaS
Explanation:
IaaS (Infrastructure as a Service) provides clients with virtualized computing resources over the internet. This includes servers, storage, and networking infrastructure, allowing clients to run their own applications, operating systems, and software. With IaaS, clients are responsible for managing applications, data, runtime, middleware, and operating systems. The cloud provider manages the infrastructure components such as virtualization, servers, storage, and networking. This model gives clients flexibility and control over their IT resources without the burden of managing physical hardware.
A marketing coordinator is trying to access a social media application on a company laptop but is getting blocked. The coordinator opens a help desk ticket to report the issue. Which of the following documents should a security analyst review to determine whether accessing social media applications on a company device is permitted?
A. Incident response policy
B. Business continuity policy
C. Change management policy
D. Acceptable use policy
D. Acceptable use policy
Explanation:
An Acceptable Use Policy (AUP) outlines what is considered acceptable behavior by users of a company's IT resources, including computers, networks, and the internet. AUPs typically define which applications and websites employees are allowed to access while using company-owned devices and networks. Reviewing the AUP will help determine whether accessing social media applications on a company device is permitted or prohibited.
Law enforcement officials sent a company a notification that states electronically stored information and paper documents cannot be destroyed. Which of the following explains this process?
A. Data breach notification
B. Accountability
C. Legal hold
D. Chain of custody
C. Legal hold
Explanation:
Legal hold is a process in which an organization is instructed to preserve all relevant electronic and paper documents related to a legal matter or investigation. This process ensures that potentially relevant information is not destroyed or altered, which could be critical in legal proceedings. It is common for law enforcement or legal authorities to issue a legal hold notice to ensure preservation of evidence or information pertinent to an ongoing investigation or legal case.
Legal hold and chain of custody are both important concepts in the context of legal proceedings and investigations, but they serve different purposes:
Legal Hold:
Purpose: Legal hold (also known as litigation hold or preservation order) is a directive issued to an organization to preserve all relevant documents and information related to a legal matter.
Scope: It applies broadly to all potentially relevant electronic and paper documents, data, and information.
Timing: It is typically issued at the onset of legal proceedings or when a legal matter is anticipated, requiring immediate action to prevent spoliation (destruction or alteration) of evidence.
Chain of Custody:
Purpose: Chain of custody refers to the chronological documentation or paper trail that records the handling, transfer, and location of physical evidence or digital data during an investigation or legal proceeding.
Scope: It specifically tracks the movement and possession of evidence from the moment it is collected until it is presented in court.
Documentation: It includes detailed records of who had custody of the evidence, when and where it was transferred, and any actions taken while in possession.
Key Differences:
Focus: Legal hold focuses on the preservation of information and documents that might be relevant to a legal matter, ensuring they are not destroyed.
Documentation: Chain of custody focuses on documenting the handling and movement of physical evidence or digital data to maintain its integrity and admissibility in court.
Legal Implications: Legal hold is about compliance with legal directives to preserve information, while chain of custody ensures the integrity and reliability of evidence for legal proceedings.
In summary, legal hold ensures preservation of information, while chain of custody ensures the integrity and reliability of evidence used in legal proceedings. Both are crucial in different stages of handling legal matters and investigations.
A company wants to deploy decoy systems alongside production systems in order to entice threat actors and to learn more about attackers. Which of the following best describes these systems?
A. DNS sinkholes
B. Honeypots
C. Virtual machines
D. Neural networks
B. Honeypots
Explanation:
Honeypots are decoy systems or resources intentionally deployed within a network to attract and deceive attackers. They appear to be legitimate systems but are isolated and monitored separately from production systems. The goal of honeypots is to gather information about attackers’ methods, tools, and motives without exposing critical infrastructure or data. This information can then be used to enhance threat intelligence and improve overall security posture by understanding potential attack vectors and vulnerabilities. Therefore, deploying honeypots aligns with the company’s objective to learn more about attackers while protecting their production systems.
A company’s help desk received several AV alerts indicating Mimikatz attempted to run on the remote systems. Several users also reported that the new company flash drives they picked up in the break room only have 512KB of storage. Which of the following is most likely the cause?
A. The GPO prevents the use of flash drives, which triggers a false positive AV indication and restricts the drives to only 512KB of storage.
B. The new flash drives need a driver that is being blocked by the AV software because the flash drives are not on the application’s allow list, temporarily restricting the drives to 512KB of storage.
C. The new flash drives are incorrectly partitioned, and the systems are automatically trying to use an unapproved application to repartition the drives.
D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.
D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.
Explanation:
Mimikatz is a tool commonly used to extract plaintext passwords from memory. If users received new flash drives that are potentially malicious (not from the company or tampered with), they could be attempting to bypass Group Policy Object (GPO) restrictions and exploit vulnerabilities to gather sensitive information like plaintext credentials. This scenario aligns with the AV alerts indicating Mimikatz activity, suggesting a potential security breach involving unauthorized or compromised flash drives attempting to bypass security controls.
A company has installed badge readers for building access but is finding unauthorized individuals roaming the hallways. Which of the following is the most likely cause?
A. Shoulder surfing
B. Phishing
C. Tailgating
D. Identity fraud
C. Tailgating
Explanation:
Tailgating refers to the practice of unauthorized individuals following closely behind an authorized person to gain entry into a restricted area. In this scenario, despite badge readers being in place for building access, unauthorized individuals are able to enter the premises by closely following behind authorized personnel as they pass through controlled entry points. This is a common physical security issue in which the effectiveness of access controls like badge readers is undermined because authorized individuals do not ensure that only they pass through the entry point they have just unlocked.
An organization routes all of its traffic through a VPN. Most users are remote and connect into a corporate data center that houses confidential information. There is a firewall at the internet border, followed by a DLP appliance, the VPN server, and the data center itself. Which of the following is the weakest design element?
A. The DLP appliance should be integrated into a NGFW.
B. Split-tunnel connections can negatively impact the DLP appliance’s performance.
C. Encrypted VPN traffic will not be inspected when entering or leaving the network.
D. Adding two hops in the VPN tunnel may slow down remote connections.
C. Encrypted VPN traffic will not be inspected when entering or leaving the network.
Explanation:
In the given network design, the weakest element is that encrypted VPN traffic bypasses inspection by the DLP (Data Loss Prevention) appliance. VPNs typically encrypt traffic to secure it from eavesdropping and tampering, which is a security benefit. However, this encryption also prevents deep packet inspection (DPI) by devices like DLP appliances unless they are specifically configured to decrypt and inspect traffic, which can be complex and resource-intensive. This lack of inspection for encrypted VPN traffic means that potential data leaks or policy violations within the encrypted traffic may go undetected, weakening the overall security posture of the network.
Which of the following is the best method for ensuring non-repudiation?
A. SSO
B. Digital certificate
C. Token
D. SSH key
B. Digital certificate
Non-repudiation ensures that a party cannot deny the authenticity or integrity of a message or transaction that they have sent or received. Digital certificates play a crucial role in achieving non-repudiation by providing a trusted means to verify the identity of the sender or recipient in electronic communications. When digital signatures are used, which rely on digital certificates, they provide strong evidence of who sent a message and that the message content has not been altered since it was signed. This helps to ensure non-repudiation in digital transactions.
Which of the following methods is the most effective for reducing vulnerabilities?
A. Joining an information-sharing organization
B. Using a scan-patch-scan process
C. Implementing a bug bounty program
D. Patching low-scoring vulnerabilities first
B. Using a scan-patch-scan process
Using a scan-patch-scan process is the most effective method for reducing vulnerabilities among the options provided. Here’s why:
Scan: Conducting regular vulnerability scans helps identify vulnerabilities in systems and applications.
Patch: Applying patches promptly to fix known vulnerabilities is crucial to prevent exploitation by attackers.
Scan again: After patching, conducting another scan ensures that the vulnerabilities have been effectively mitigated and no new issues have been introduced.
This process ensures a systematic approach to vulnerability management, reducing the window of opportunity for attackers to exploit known vulnerabilities. It is a proactive approach that focuses on maintaining the security posture of systems and networks.
An organization is struggling with scaling issues on its VPN concentrator and internet circuit due to remote work. The organization is looking for a software solution that will allow it to reduce traffic on the VPN and internet circuit, while still providing encrypted tunnel access to the data center and monitoring of remote employee internet traffic. Which of the following will help achieve these objectives?
A. Deploying a SASE solution to remote employees
B. Building a load-balanced VPN solution with redundant internet
C. Purchasing a low-cost SD-WAN solution for VPN traffic
D. Using a cloud provider to create additional VPN concentrators
(Community A 93%)
A. Deploying a SASE (Secure Access Service Edge) solution to remote employees
A SASE solution is designed to address the exact needs described in the scenario:
Reducing VPN and internet circuit traffic: SASE solutions can optimize traffic by routing it through the closest point of presence (PoP), reducing the load on the VPN concentrator and internet circuit.
Providing encrypted tunnel access: SASE solutions include built-in encryption and secure tunnels to ensure data remains protected during transit between remote employees and the data center.
Monitoring remote employee internet traffic: SASE solutions often include comprehensive visibility and monitoring capabilities, allowing organizations to monitor and manage internet traffic from remote employees effectively.
Therefore, deploying a SASE solution aligns well with the organization’s objectives of reducing VPN and internet circuit traffic while maintaining secure and monitored access for remote employees.