Architecture and Design Flashcards
Nicole’s organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role?
A. SaaS
B. PaaS
C. MSSP
D. IaaS
C. MSSP
Which of the following cryptographic algorithms is classified as asymmetric?
A. Diffie-Hellman
B. Blowfish
C. AES
D. RC4
A. Diffie-Hellman
Your organization requires the use of TLS or IPsec for all communications with an organization’s network. Which of the following is this an example of?
A. Data at Rest
B. Data in Use
C. DLP
D. Data in Transit
D. Data in Transit
You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company’s manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat?
A. Demand that the Manufacture
B. Elevate if the web interface
C. Replace the affected
D. Logically or Physically
B. Elevate if the web interface
Aymen is creating a procedure for the remediation of vulnerabilities discovered within his organization. He wants to ensure that any vendor patches are tested before deploying them into the production environment. What type of environment should his organization establish?
A. Honeypot
B. Staging
C. Development
D. Fuzzing
B. Staging
Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customer’s data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario?
A. Data Minimization
B. Data Sovereignty
C. Data Enrichment
D. Data Limitation
B. Data Sovereignty
Dion Training has contracted a software development firm to create a bulk file upload utility for its website. During a requirements planning meeting, the developers asked what type of encryption is required for the project. After some discussion, Jason decides that the file upload tool should use a cipher capable of encrypting 64 bits of data at a time before transmitting the files from the web developer’s workstation to the webserver. Which of the following should be selected to meet this security requirement?
A. Block Cipher
B. Stream Cipher
C. CRC
D. Hashing Algorithm
A. Block Cipher
Dion Training wants to install a new accounting system and is considering moving to a cloud-based solution to reduce cost, reduce the information technology overhead costs, improve reliability, and improve availability. Your Chief Information Officer is supportive of this move since it will be more fiscally responsible. Still, the Chief Risk Officer is concerned with housing all of the company’s confidential financial data in a cloud provider’s network that might be shared with other companies. Since the Chief Information Officer is determined to move to the cloud, what type of cloud-based solution would you recommend to account for the Chief Risk Officer’s concerns?
A. PaaS in a hybrid cloud
B. SaaS in public cloud
C. PaaS in community cloud
D. SaaS in a Private Cloud
D. SaaS in a Private Cloud
You have recently been hired as a security analyst at Dion Training. On your first day, your supervisor begins to explain the way their network is configured, showing you the physical and logical placement of each firewall, IDS sensor, host-based IPS installations, the networked spam filter, and the DMZ. What best describes how these various devices are placed into the network for the highest level of security?
A. Network Segmentation
B. Defense in Depth
C. UTM
D. Load Balancer
B. Defense in Depth
A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this?
A. Utilize formal methods of verification against the application processing the PHI
B. Utilize a SaaS model to process the PHI data instead of an on-premises solution
C. Use DevSecOps to build the application that processes the PHI
D. Conduct tokenization of the PHI data before ingesting it into the big data application
D. Conduct tokenization of the PHI data before ingesting it into the big data application
(Sample Simulation – On the real exam for this type of question, you would drag and drop the authentication factor into the spot for the correct category.)
A. PIN, Signature, Fingerprint, Smart Card, and GPS Coordinates
B. Signature, PIN, Fingerprint, Smart Card, and GPS Coordinates
C. PIN, Smart Card, Fingerprint, Signature, GPS Coordinates
D. Smart Card, PIN, Fingerprint, Signature, GPS Coordinates
C. PIN, Smart Card, Fingerprint, Signature, GPS Coordinates
OBJ-2.4: For the exam, you need to know the different factors of authentication. If you use two or more of these factors, you are using multi-factor authentication. The five factors are something you know (knowledge), something you have (possession), something you are (biometrics), something you do (action), and somewhere you are (location).
Your company has decided to move all of its data into the cloud. Your company is concerned about the privacy of its data due to some recent data breaches that have been in the news. Therefore, they have decided to purchase cloud storage resources that will be dedicated solely for their use. Which of the following types of clouds is your company using?
A. Public
B. Hybrid
C. Community
D. Private
D. Private
What is a reverse proxy commonly used for?
A. Allowing access to a virtual private cloud
B. To obfuscate the origin of a user within the network
C. To prevent the unauthorized use of the cloud service from the local network
D. Directing traffic to internal services if the contents of the traffic comply with the policy
D. Directing traffic to internal services if the contents of the traffic comply with the policy
You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company’s databases, routing all externally sourced network traffic to it, and gradually updating with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network and restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize?
A. Isolation Based Containment by disconnecting
B. Segmentation Based Containment disrupts the APT
C. Segmentation Based Containment that deceives the attack
D. Isolation Based Containment by removing
C. Segmentation Based Containment that deceives the attack
Which of the following cryptographic algorithms is classified as symmetric?
A. Blowfish
B. RSA
C. ECC
D. PGP
A. Blowfish
Which of the following hashing algorithms results in a 128-bit fixed output?
A. SHA-1
B. RIPEMD
C. SHA-2
D. MD5
D. MD5
You are installing Windows 2019 on a rack-mounted server and hosting multiple virtual machines within the physical server. You just finished the installation and now want to begin creating and provisioning the virtual machines. Which of the following should you utilize to allow you to create and provision virtual machines?
A. Terminal Service
B. Hypervisor
C. Device Manager
D. Disk Management
B. Hypervisor
The paparazzi have found copies of pictures of a celebrity’s new baby online. The celebrity states they were never publicly released but were uploaded to their cloud provider’s automated photo backup. Which of the following threats was the celebrity MOST likely a victim of?
A. Unauthorized Camera Activation
B. Unintended Bluetooth Pairing
C. Leaked personal files
D. Unauthorized Root Access
C. Leaked personal files
Which of the following cryptographic algorithms is classified as asymmetric?
A. DSA
B. DES
C. AES
D. RC4
A. DSA
Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution?
A. OpenID Connect
B. SAML
C. ADFS
D. Kerberos
A. OpenID Connect
Dave’s company utilizes Google’s G-Suite environment for file sharing and office productivity, Slack for internal messaging, and AWS for hosting their web servers. Which of the following types of cloud deployment models is being used?
A. Multi-Cloud
B. Community
C. Public
D. Private
A. Multi-Cloud
You are working as part of the server team for an online retail store. Due to the upcoming holidays, your boss is worried that the current servers may not be able to handle the increased demand during a big sale. Which of the following cloud computing concepts can quickly allow services to scale upward during busy periods and scale down during slower periods based on the changing user demand?
A. Metered Service
B. On-Demand
C. Rapid Elasticity
D. Resource Pooling
C. Rapid Elasticity
Which of the following describes the overall accuracy of a biometric authentication system?
A. Crossover Error Rate
B. False Positive Rate
C. False Rejection Rate
D. False Acceptance Rate
A. Crossover Error Rate
Dion Training has added a salt and cryptographic hash to their passwords to increase the security before storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called?
A. Key Stretching
B. Salting
C. Collision Resistance
D. Rainbow Table
A. Key Stretching
Dion Training has set up a lab consisting of 12 laptops for students to use outside of normal classroom hours. The instructor is worried that a student may try to steal one of the laptops. Which of the following physical security measures should be used to ensure the laptop is not stolen or moved out of the lab environment?
A. USB Lock
B. Biometric Locks
C. Cable Locks
D. Key Fob
C. Cable Locks
Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company’s owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donating them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computer’s hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend?
A. Wiping
B. Shredding
C. Degaussing
D. Destroying
A. Wiping
What type of scan will measure the size or distance of a person’s external features with a digital video camera?
A. Facial Recognition Scan
B. Signature Kinetics Scan
C. Iris Scan
D. Retinal Scan
A. Facial Recognition Scan
Your company has decided to move all of its data into the cloud. Your company is small and has decided to purchase some on-demand cloud storage resources from a commercial provider (such as Google Drive) as its primary cloud storage solution. Which of the following types of clouds is your company using?
A. Hybrid
B. Community
C. Private
D. Public
D. Public
Which of the following cryptographic algorithms is classified as asymmetric?
A. ECC
B. Twofish
C. DES
D. RC4
A. ECC
Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations’ hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn’t occur during this process?
A. Clear, Validate, and document the sanitization of the drives
B. Purge, Validate, and document the sanitization of the drive
C. The drives must be destroyed to ensure no data loss
D. Clear the drives
B. Purge, Validate, and document the sanitization of the drive
You just received an email from Bob, your investment banker, stating that he completed the wire transfer of $10,000 to your bank account in Vietnam. The problem is, you do not have a bank account in Vietnam, so you immediately call Bob to ask what happened. Bob explains that he received an email from you requesting the transfer. You insist you never sent that email to Bob initiating this wire transfer. What aspect of PKI could be used to BEST ensure that a sender sent a particular email message and avoid this type of situation?
A. Recovery Agents
B. Trust Models
C. CRL
D. Non-Repudiation
D. Non-Repudiation
Which of the following cryptographic algorithms is classified as symmetric?
A. Diffie-Hellman
B. AES
C. RSA
D. ECC
B. AES
Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption?
A. ECC with a 256-bit key
B. Randomized one-time use pad
C. AES with 256-bit key
D. DES with a 56-bit key
B. Randomized one-time use pad
Which of the following would a virtual private cloud (VPC) infrastructure be classified as?
A. Infrastructure as a Service
B. Function as a Service
C. Platform as a Service
D. Software as a Service
A. Infrastructure as a Service
Which of the following cryptographic algorithms is classified as asymmetric?
A. DES
B. RSA
C. AES
D. RC4
B. RSA
You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses older unencrypted SSDs as part of their default configuration, and the manufacturer does not provide a SE utility for the devices. The storage devices contained top-secret data that would bankrupt the company if it fell into a competitor’s hands. After safely extracting the device’s data and saving it to a new self-encrypting drive, you have been asked to dispose of the SSDs securely. Which of the following methods should you use?
A. Conduct zero-fill on storage device
B. Perform a cryptographic erase (CE) on storage device
C. Physically remove the storage device
D. Use a secure erase (SE) utility on storage device
C. Physically remove the storage device
(Sample Simulation – On the real exam for this type of question, you may receive a list of different RAID types and be asked to visually display which hard drives in the RAID are used for redundant data storage as either a stripe or a mirror. You will then have to identify which RAID type is most appropriate for each type of server shown.) You are configuring a RAID drive for a Media Streaming Server. Your primary concern is the speed of delivery of the data. This server has two hard disks installed. What type of RAID should you install, and what type of data will be stored on Disk 1 and Disk 2?
A. RAID 0 - DISK 1 (Stripe) and DISK 2 (Stripe)
B. RAID 1 - DISK 1 (Stripe) and DISK 2 (Stripe)
C. RAID 0 - DISK 1 (Mirror) and DISK 2 (Mirror)
D. RAID 1 - DISK 1 (Mirror) and DISK 2 (Mirror)
A. RAID 0 - DISK 1 (Stripe) and DISK 2 (Stripe)
Which type of media sanitization would you classify degaussing as?
A. Destruction
B. Clearing
C. Purging
D. Erasing
C. Purging
During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization’s AAA services manager?
A. SMS messages may be accessible to attackers via VoIP or other systems
B. SMS should be paired with a third factor
C. SMS should be encrypted to be secure
D. SMS is a costly method of providing a second factor of authentication
A. SMS messages may be accessible to attackers via VoIP or other systems
You want to play computer-based video games from anywhere in the world using your laptop or tablet. You heard about a new product called a Shadow PC that is a virtualized Windows 10 Home gaming PC in the cloud. Which of the following best describes this type of service?
A. DaaS
B. IaaS
C. SaaS
D. PaaS
A. DaaS
(Sample Simulation – On the real exam for this type of question, you would have to fill in the blanks by dragging and dropping them into place.)
A. FM-200, Biometric locks, Mantrap, Antivirus
B. Strong Password, Biometrics, Mantrap, Cable Lock
C. GPS Tracking, Biometrics, Proximity Badges, Remote Wipes
D. Antivirus, Mantrap, Cable Lock, GPS Tracking
A. FM-200, Biometric locks, Mantrap, Antivirus
OBJ-2.7: The best option based on your choices is FM-200, Biometric locks, Mantrap, and Antivirus. FM-200 is a fire extinguishing system commonly used in data centers and server rooms to protect the servers from fire. Biometric locks are often used in high-security areas as a lock on the access door. Additionally, biometric authentication could be used for a server by using a USB fingerprint reader. Mantraps often are used as part of securing a data center as well. This area creates a boundary between a lower security area (such as the offices) and the higher security area (the server room). Antivirus should be installed on servers since they can use signature-based scans to ensure files are safe before being executed.
Which of the following biometric authentication factors uses an infrared light shone into the eye to identify the pattern of blood vessels?
A. Iris Scan
B. Retinal Scan
C. Pupil Dilation
D. Facial Recognition
B. Retinal Scan