Architecture and Design Flashcards
A company has limited storage space available and an online presence that cannot be down for more than four hours. Which of the following backup methodologies should the company implement to allow for the FASTEST database restore time in the event of a failure, while being mindful of the limited available storage space?
Implement full backups every Sunday at 8:00 p.m. and nightly differential backups at 8:00 p.m.
An organization has a growing workforce that is mostly driven by additions to the sales department. Each newly hired salesperson relies on a mobile device to conduct business. The Chief Information Officer (CIO) is wondering if the organization may need to scale down just as quickly as it scaled up. The CIO is also concerned about the organization’s security and customer privacy. Which of the following would be BEST to address the CIO’s concerns?
Implement BYOD for the sales department while leveraging the MDM
Which of the following are the MOST likely vectors for the unauthorized or unintentional inclusion of vulnerable code in a software company’s final software releases? (Choose two.)
Included third-party libraries
Vendors/supply chain
A customer service representative reported an unusual text message that was sent to the help desk. The message contained an unrecognized invoice number with a large balance due and a link to click for more details. Which of the following BEST describes this technique?
Smishing
A security analyst is concerned about traffic initiated to the dark web from the corporate LAN. Which of the following should the analyst monitor?
Tor
Which of the following should be monitored by threat intelligence researchers who search for leaked credentials?
Dark web
An employee installed a new service on the domain controller without consent or approval from the IT department and change management. What specifically describes this type of threat?
Shadow IT
Which of the following threat actors is most likely to be motivated by ideology?
Hacktivist
After a security assessment is concluded, what benefit does the CVSS score provide to a company on the list of discovered vulnerabilities?
Prioritize remediation of vulnerabilities based on the possible impact
CVSS (Common Vulnerability Scoring System) is used to assign severity scores (zero to ten) to vulnerabilities, which allows responders to prioritize their responses and better manage resources. Scores are calculated by a formula that uses several metrics, including complexity and severity.
An attacker tricks a user into providing confidential information. Which of the following describes this form of malicious reconnaissance?
Social engineering
A company recently experienced a major breach. An investigation concludes that customer credit card data was stolen and exfiltrated through a dedicated business partner connection to a vendor, who is not held to the same security control standards. Which of the following is the most likely source of the breach?
Supply chain
A user is having problems accessing network shares. An admin investigates and finds the following on the user’s computer:
What attack has been performed on this computer?
ARP poisoning
Two different devices should not have the same MAC address. Since these are dynamically learned ARP entries, it is reasonable to believe this was ARP poisoning. Device .1 is probably the default gateway, and device .11 is the man-in-the-middle (MitM).
A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the increase of ransomware-as-a-service in a report to the management team. Which of the following best describes the threat actor in the CISO’s report?
Organized crime
Which of the following can be used to identify potential attacker activities without affecting production servers?
Honeypot
A security analyst notices an unusual amount of traffic hitting the edge of the network. Upon examining the logs, the analyst identifies a source IP address and blocks that address from communicating with the network. Even though the analyst is blocking this address, the attack is still ongoing and coming from a large number of different source IP addresses. Which of the following describes this type of attack?
DDoS
A company is expanding its threat surface program and allowing individuals to security test the company’s internet-facing application. The company will compensate researchers based on the vulnerabilities discovered. Which of the following best describes the program the company is setting up?
Bug bounty
A company has installed badge readers for building access but is finding unauthorized individuals roaming the hallways. Which of the following is the most likely cause?
Tailgating
A company’s Chief Information Security Officer (CISO) recently warned the security manager that the company’s Chief Executive Officer (CEO) is planning to publish a controversial opinion article in a national newspaper, which may result in new cyberattacks. Which of the following would be best for the security manager to use in a threat model?
Hacktivists
A security analyst reports a company policy violation in a case in which a large amount of sensitive data is being downloaded after hours from various mobile devices to an external site. Upon further investigation, the analyst notices that successful login attempts are being conducted with impossible travel times during the same time periods when the unauthorized downloads are occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have non-standard DHCP configurations and an overlapping channel. Which of the following attacks is being conducted?
Evil twin
A security analyst is reviewing the following logs:
Which of the following attacks is most likely occurring?
Password spraying
A company hired a consultant to perform an offensive security assessment covering penetration testing and social engineering. Which of the following teams will conduct this assessment activity?
Red
A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file downloaded from a social media site and subsequently installed it without the user’s knowledge. Since the compromise, the attacker was able to take command and control of the computer systems anonymously while obtaining sensitive corporate and personal employee information. Which of the following methods did the attacker most likely use to gain access?
A RAT
A junior security analyst is reviewing web server logs and identifies the following pattern in the log file:
http://comptia.org/../../../etc/passwd
Which of the following types of attacks is being attempted and how can it be mitigated?
XSS; implement a SIEM
A security assessment found that several embedded systems are running unsecure protocols. These systems were purchased two years ago, and the company that developed them is no longer in business. Which of the following constraints best describes the reason the findings cannot be remediated?
Unavailable patch
A user downloaded an extension for a browser, and the user device later became infected. The analyst who is investigating the incident saw various logs where the attacker was hiding activity by deleting data. The following was observed running:
Which of the following is the malware using to execute the attack?
PowerShell
A user’s login credentials were recently compromised. During the investigation, the security analyst determined the user input credentials into a pop-up window when prompted to confirm the username and password. However, the trusted website does not use a pop-up for entering user credentials. Which of the following attacks occurred?
DNS poisoning
A systems administrator set up an automated process that checks for vulnerabilities across the entire environment every morning. Which of the following activities is the systems administrator conducting?
Scanning
An engineer is setting up a VDI environment for a factory location, and the business wants to deploy a low-cost solution to enable users on the shop floor to log in to the VDI environment directly. Which of the following should the engineer select to meet these requirements?
Thin clients
A systems administrator receives the following alert from a file integrity monitoring tool:
The hash of the cmd.exe file has changed.
The systems administrator checks the OS logs and notices that no patches were applied in the last two months. Which of the following most likely occurred?
A rootkit was deployed
When a file integrity monitoring tool detects a change in the hash of a critical system file like “cmd.exe,” it could indicate that a rootkit has been deployed. Rootkits are malicious software designed to hide their presence on a system by modifying critical files and processes, including system utilities like “cmd.exe.”
A security analyst was asked to evaluate a potential attack that occurred on a publicly accessible section of the company’s website. The malicious actor posted an entry in an attempt to trick users into clicking the following:
https://www.c0mpt1a.com/contact-us/%3Fname%3D%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
Which of the following was most likely observed?
XSS
An analyst is concerned about data leaks and wants to restrict access to internet services to authorized users only. The analyst also wants to control the actions each user can perform on each service. Which of the following would be the best technology for the analyst to consider implementing?
CASB
CASB is a security solution that provides visibility and control over the use of cloud services by employees within an organization. It helps enforce security policies and ensures that access to internet services is restricted to authorized users only. CASB allows the organization to define granular policies to control the actions each user can perform on each cloud service.
A security engineer needs to recommend a solution to defend against malicious actors misusing protocols and being allowed through network defenses. Which of the following will the engineer most likely recommend?
A next-generation firewall
A company’s legal department drafted sensitive documents in a SaaS application and wants to ensure the documents cannot be accessed by individuals in high-risk countries. Which of the following is the most effective way to limit this access?
Geolocation policy
Several users have opened tickets with the help desk. The help desk has reassigned the tickets to a security analyst for further review. The security analyst reviews the following metrics:
Which of the following is MOST likely the result of the security analyst’s review?
Corporate PCs have been turned into a botnet
An organization suffered numerous multiday power outages at its current location. The Chief Executive Officer wants to create a disaster recovery strategy to resolve this issue. Which of the following options offer low-cost solutions? (Choose two.)
Generator
UPS
A security analyst discovers that one of the web APIs is being abused by an unknown third party. Logs indicate that the third party is attempting to manipulate the parameters being passed to the API endpoint. Which of the following solutions would best help to protect against the attack?
WAF
A Web Application Firewall (WAF) is a security solution designed to protect web applications and APIs from various attacks, including those that attempt to manipulate parameters and exploit vulnerabilities in the application layer. It sits between the clients (users or third parties) and the web server, inspecting the HTTP/HTTPS traffic and filtering out malicious requests.
An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following:
-Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users.
-Internal users in question were changing their passwords frequently during that time period.
-A jump box that several domain administrator users use to connect to remote devices was recently compromised.
-The authentication method used in the environment is NTLM.
Which of the following types of attacks is MOST likely being used to gain unauthorized access?
Pass-the-hash
A government organization is developing an advanced AI defense system. Developers are using information collected from third-party providers. Analysts are noticing inconsistencies in the expected progress of the AI learning and attribute the outcome to a recent attack on one of the suppliers. Which of the following is the most likely reason for the inaccuracy of the system?
Tainted training data
During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also reporting an increase in outbound connections that use random high ports. An analyst plans to review the correlated logs to find the source of the incident. Which of the following tools will best assist the analyst?
A SIEM
A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would best prevent email contents from being released should another breach occur?
Implement S/MIME to encrypt the emails at rest
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a technology used to encrypt email messages, ensuring that the contents of the messages are protected both during transmission and at rest. When S/MIME is implemented, the email messages are encrypted using the recipient’s public key, and only the recipient with the corresponding private key can decrypt and read the message.
Which of the following exercises should an organization use to improve its incident response process?
Tabletop
An attacker is attempting to harvest user credentials on a client’s website. A security analyst notices multiple attempts of random usernames and passwords. When the analyst types in a random username and password, the logon screen displays the following message:
“The username you entered does not exist.”
Which of the following should the analyst recommend be enabled?
Error handling
The error message is too specific: attackers learn that the username they guessed is wrong and can keep guessing until they find one that exists. Proper error handling should return a less specific message such as “Invalid credentials”.
An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system. Which of the following best describes the actions taken by the organization?
Compensating controls
Compensating controls are alternative security measures put in place when standard controls cannot be implemented or are not sufficient to meet security requirements.
Which of the following describes the ability of code to target a hypervisor from inside a guest OS?
VM escape
A grocery store is expressing security and reliability concerns regarding the on-site backup strategy currently being performed by locally attached disks. The main concerns are the physical security of the backup media and the durability of the data stored on these devices. Which of the following is a cost-effective approach to address these concerns?
Migrate to a cloud backup solution
A local server recently crashed and the team is attempting to restore the server from a backup. During the restore process, the team notices the file size of each daily backup is large and will run out of space at the current rate. The current solution appears to do a full backup every night.
Which of the following would use the least amount of storage space for backups?
A weekly, full backup with daily incremental backups
A security analyst discovers several jpg photos from a cellular phone during a forensics investigation involving a compromised system. The analyst runs a forensics tool to gather file metadata. Which of the following would be part of the images if all the metadata is still intact?
The GPS location
A financial analyst is expecting an email containing sensitive information from a client. When the email arrives the analyst receives an error and is unable to open the encrypted message. Which of the following is the most likely cause of the issue?
The S/MIME plug-in is not enabled