Braindumps.351-400 Flashcards
A new security engineer has started hardening systems. One of the hardening techniques the engineer is using involves disabling remote logins to the NAS. Users are now reporting the inability to use SCP to transfer files to the NAS, even though the data is still viewable from the users’ PCs. Which of the following is the MOST likely cause of this issue?
a. TFTP was disabled on the local hosts.
b. SSH was turned off instead of modifying the configuration file.
c. Remote login was disabled in the networkd.conf instead of using the sshd.conf.
d. Network services are no longer running on the NAS.
b. SSH was turned off instead of modifying the configuration file.
Here’s the reasoning:
Disabling remote logins to the NAS typically involves configuring SSH (Secure Shell) settings. SCP (Secure Copy Protocol) relies on SSH for secure file transfers. If SSH was turned off instead of properly modifying the SSH configuration file to disable remote logins while still allowing SCP transfers, users would be unable to use SCP to transfer files to the NAS.
Therefore, disabling SSH without correctly configuring the SSH configuration file to allow SCP could lead to the reported issue where users cannot use SCP for file transfers, even though they can still view data from their PCs. This aligns with the scenario described where remote logins were disabled but SCP functionality was inadvertently affected.
An enterprise has hired an outside security firm to conduct penetration testing on its network and applications. The firm has been given the documentation only available to the customers of the applications. Which of the following BEST represents the type of testing that will occur?
a. Bug bounty
b. Black-box
c. Gray-box
d. White-box
c. Gray-box testing.
Here’s why:
Black-box testing typically involves testing without any prior knowledge of the internal workings of the application or network. The tester starts with no information about the internal structure, code, or architecture. White-box testing involves testing where the tester has full knowledge of the internal workings, including access to source code, architecture diagrams, and documentation. Gray-box testing falls between black-box and white-box testing. In gray-box testing, the tester has partial knowledge of the internal workings of the application or network. In this scenario, the security firm has been provided with documentation available to customers of the applications. This partial knowledge allows the testers to conduct a more targeted and effective assessment, leveraging the information they have about the application's functionality, interfaces, and potentially some internal workings, while still simulating the perspective of an external attacker to some extent.
Therefore, the BEST representation of the type of testing that will occur in this scenario is Gray-box testing.
A network engineer and a security engineer are discussing ways to monitor network operations. Which of the following is the BEST method?
a. Disable Telnet and force SSH.
b. Establish a continuous ping.
c. Utilize an agentless monitor.
d. Enable SNMPv3 with passwords.
c. Utilize an agentless monitor.
Here’s why this is the best choice:
Agentless monitoring involves using monitoring tools that do not require the installation of agents or software on the monitored devices. This approach is generally preferred because it reduces the overhead associated with deploying and maintaining agents across numerous devices. Agentless monitoring can gather information through protocols like SNMP (Simple Network Management Protocol), WMI (Windows Management Instrumentation), SSH (Secure Shell), and others, depending on the type of devices being monitored. It can provide comprehensive visibility into network performance, availability, and security posture without the need for agents.
Let’s briefly discuss why the other options are not as optimal:
a. Disable Telnet and force SSH: This is a security recommendation rather than a method for monitoring network operations. While it enhances security by using SSH instead of Telnet for remote access, it doesn't directly relate to network monitoring. b. Establish a continuous ping: Continuous pinging can be useful for basic network connectivity testing, but it's not comprehensive enough for monitoring network operations in terms of performance, security, and other critical metrics. d. Enable SNMPv3 with passwords: SNMPv3 is a secure version of SNMP that provides authentication and encryption. While SNMP can be useful for monitoring network devices, it requires careful configuration of authentication and encryption parameters to ensure security. However, it still involves deploying agents (SNMP agents) on the network devices, which is not agentless.
A security analyst is looking for a solution to help communicate to the leadership team the severity levels of the organization’s vulnerabilities. Which of the following would BEST meet this need?
a. CVE
b. SIEM
c. SOAR
d. CVSS
d. CVSS (Common Vulnerability Scoring System)
Here’s why CVSS is the best choice:
CVSS (Common Vulnerability Scoring System) is a standardized system for assessing and communicating the severity of vulnerabilities. It assigns a score to vulnerabilities based on metrics such as exploitability, impact, and complexity, providing a numerical representation of the severity level. CVSS scores range from 0 to 10, with higher scores indicating more severe vulnerabilities. This numerical scale helps leadership teams quickly understand the relative severity of vulnerabilities across the organization's systems and infrastructure. CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures but does not provide severity scoring directly. It lists vulnerabilities but does not quantify their severity in a standardized way. SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) are tools and platforms used for monitoring, managing security events, and automating responses. While they are valuable for operational security, they do not directly provide a standardized severity scoring for vulnerabilities.
Therefore, CVSS is specifically designed to meet the need of communicating severity levels of vulnerabilities effectively to the leadership team, making it the most appropriate choice in this scenario.
A company is switching to a remote work model for all employees. All company and employee resources will be in the cloud. Employees must use their personal computers to access the cloud computing environment. The company will manage the operating system. Which of the following deployment models is the company implementing?
a. CYOD
b. MDM
c. COPE
d. VDI
d. VDI (Virtual Desktop Infrastructure)
Here’s why VDI is the most appropriate choice:
VDI (Virtual Desktop Infrastructure) allows employees to access a desktop environment hosted on a centralized server or cloud platform. This environment is managed by the company and provides a consistent desktop experience regardless of the device used by the employee. In the scenario described, employees are using their personal computers (BYOD - Bring Your Own Device) to access the company's cloud computing environment. With VDI, the company manages the operating system and desktop environment centrally, ensuring security and control over corporate data and applications. CYOD (Choose Your Own Device) typically involves employees selecting a device from a set of approved options provided by the company. This model does not align with employees using their personal computers. MDM (Mobile Device Management) and COPE (Corporate-Owned, Personally-Enabled) are more focused on managing mobile devices (MDM) or company-provided devices (COPE), rather than personal computers accessing cloud resources.
Therefore, VDI is the deployment model implemented by the company in this scenario, allowing employees to securely access a managed desktop environment from their personal devices while keeping company data and applications centralized and controlled.
A security administrator needs to inspect in-transit files on the enterprise network to search for PII, credit card data, and classification words. Which of the following would be the BEST to use?
a. IDS solution
b. EDR solution
c. HIPS software solution
d. Network DLP solution
d. Network DLP (Data Loss Prevention) solution
Here’s why Network DLP is the most suitable choice:
Network DLP solutions are specifically designed to monitor and inspect data transmitted over the network in real-time. They can detect sensitive information based on predefined rules and policies, including PII and credit card numbers. These solutions can analyze network traffic, including email, web traffic, file transfers, and other communications channels, to identify and prevent the unauthorized transmission of sensitive data. IDS (Intrusion Detection System), EDR (Endpoint Detection and Response), and HIPS (Host-based Intrusion Prevention System) are important security tools but are typically focused on different aspects of security monitoring and threat detection, such as endpoint behavior, network intrusion attempts, or host-based security. For the specific requirement of inspecting in-transit files for sensitive data across the enterprise network, a Network DLP solution is designed to provide the necessary visibility and control.
Therefore, Network DLP solution is the best option for the security administrator to use in order to inspect in-transit files and detect sensitive data like PII and credit card information on the enterprise network.
The Chief Executive Officer announced a new partnership with a strategic vendor and asked the Chief Information Security Officer to federate user digital identities using SAML-based protocols. Which of the following will this enable?
a. SSO
b. MFA
c. PKI
d. DLP
a. SSO (Single Sign-On)
Here’s an explanation:
SAML (Security Assertion Markup Language) is a protocol used for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP) and a service provider (SP). It allows for the creation and management of federated identities. Single Sign-On (SSO) is a user authentication process that permits a user to enter one set of credentials (such as a username and password) to access multiple applications and services. SSO relies heavily on SAML to enable this seamless authentication across different systems and organizations. MFA (Multi-Factor Authentication) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity. While SAML can support MFA, federating identities specifically enables SSO. PKI (Public Key Infrastructure) is a framework for creating a secure method for exchanging information based on public key cryptography. It is not directly related to federating identities with SAML. DLP (Data Loss Prevention) refers to strategies and tools used to prevent sensitive data from being lost, misused, or accessed by unauthorized users. It is not directly related to federating identities with SAML.
Therefore, federating user digital identities using SAML-based protocols primarily enables Single Sign-On (SSO).
An employee’s company account was used in a data breach. Interviews with the employee revealed:
*The employee was able to avoid changing passwords by using a previous password again.
*The account was accessed from a hostile, foreign nation, but the employee has never traveled to any other countries.
Which of the following can be implemented to prevent these issues from reoccurring? (Choose two.)
a. Geographic dispersal
b. Password complexity
c. Password history
d. Geotagging
e. Password lockout
f. Geofencing
c. Password history
Explanation: Enforcing password history ensures that users cannot reuse previous passwords, thereby enhancing password security.
f. Geofencing
Explanation: Geofencing restricts access based on geographic locations, preventing logins from unauthorized or unexpected regions, such as hostile foreign nations where the employee has never traveled.
These measures will address the problems of password reuse and unauthorized access from foreign locations.
A large industrial system’s smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs, the company’s security manager notices the generator’s IP is sending packets to an internal file server’s IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities?
a. Segmentation
b. Firewall allow list
c. Containment
d. Isolation
(Community A : 81%, B : 19%)
a. Segmentation
Explanation: Network segmentation involves dividing the network into smaller, isolated segments to limit access and control traffic between different parts of the network. By segmenting the network, the security manager can ensure that the smart generator can still send alerts to third-party maintenance personnel while preventing it from communicating with internal file servers, thereby maintaining alerting capabilities and enhancing security.
Which of the following technologies is used to actively monitor for specific file types being transmitted on the network?
a. File integrity monitoring
b. Honeynets
c. Tcpreplay
d. Data loss prevention
d. Data loss prevention
Explanation: Data loss prevention (DLP) technologies are designed to monitor, detect, and block the transmission of specific types of sensitive information across a network. DLP can be configured to look for and take action on particular file types being transmitted, ensuring that sensitive data does not leave the network without proper authorization.
As part of the building process for a web application, the compliance team requires that all PKI certificates are rotated annually and can only contain wildcards at the secondary subdomain level. Which of the following certificate properties will meet these requirements?
a. HTTPS://.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022
b. HTTPS://app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022
c. HTTPS://.app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022
d. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2023
c. HTTPS://*.app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022
Explanation: This certificate meets the requirement of rotating annually and contains a wildcard only at the secondary subdomain level (*.app1.comptia.org). The other options either do not have the correct wildcard level or do not adhere to the annual rotation requirement.
A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization’s executives determine their next course of action?
a. An incident response plan
b. A communication plan
c. A disaster recovery plan
d. A business continuity plan
d. A business continuity plan
Explanation: A business continuity plan (BCP) is designed to help organizations continue operating during and after a disruption, such as a global pandemic. It provides strategies for maintaining essential functions, managing reduced staffing, and making informed decisions on business operations. An incident response plan, communication plan, and disaster recovery plan are important but are more specific in scope and do not comprehensively address the wide-ranging impacts of a pandemic on business operations.
A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicate a directory traversal attack has occurred. Which of the following is the analyst MOST likely seeing?
a. http://sample.url.com/
b. http://sample.url.com/someotherpageonsite/../../../etc/shadow
c. http://sample.url.com/select-from-database-where-password-null
d. http://redirect.sameple.url.sampleurl.com/malicious-dns-redirect
b. http://sample.url.com/someotherpageonsite/../../../etc/shadow
Explanation: A directory traversal attack occurs when an attacker uses sequences like ../ to move up the directory hierarchy and access files outside of the web server’s root directory. The URL http://sample.url.com/someotherpageonsite/../../../etc/shadow shows such a pattern, indicating an attempt to access the sensitive /etc/shadow file, which typically contains hashed passwords for users on Unix-based systems. This is a classic example of a directory traversal attack.
A candidate attempts to go to http://comptia.org but accidentally visits http://comptiia.org. The malicious website looks exactly like the legitimate website. Which of the following BEST describes this type of attack?
a. Reconnaissance
b. Impersonation
c. Typosquatting
d. Watering-hole
c. Typosquatting
Explanation: Typosquatting is a type of cyber attack where an attacker registers domain names that are similar to legitimate ones, often exploiting common typing errors. In this case, the attacker registered http://comptiia.org, which closely resembles http://comptia.org, to deceive users into thinking they are visiting the legitimate site.
The marketing department at a retail company wants to publish an internal website to the internet so it is reachable by a limited number of specific, external service providers in a secure manner. Which of the following configurations would be BEST to fulfil this requirement?
a. NAC
b. ACL
c. WAF
d. NAT
b. ACL
Explanation: An Access Control List (ACL) is the best configuration for this requirement because it allows the company to specify which external service providers can access the internal website. ACLs can be configured to permit or deny traffic based on IP addresses, ensuring that only a limited number of specific, external service providers can reach the website in a secure manner
A retail executive recently accepted a job with a major competitor. The following week, a security analyst reviews the security logs and identifies successful logon attempts to access the departed executive’s accounts. Which of the following security practices would have addressed the issue?
a. A non-disclosure agreement
b. Least privilege
c. An acceptable use policy
d. Offboarding
d. Offboarding
Explanation: The issue of a departed executive’s accounts still being accessible could have been addressed through a proper offboarding process. Offboarding includes revoking access to company systems and data, ensuring that former employees can no longer log in or access sensitive information after they leave the organization. This would prevent the departed executive from logging in and protect the company from potential data breaches.
A network-connected magnetic resonance imaging (MRI) scanner at a hospital is controlled and operated by an outdated and unsupported specialized Windows OS. Which of the following is MOST likely preventing the IT manager at the hospital from upgrading the specialized OS?
a. The time needed for the MRI vendor to upgrade the system would negatively impact patients.
b. The MRI vendor does not support newer versions of the OS.
c. Changing the OS breaches a support SLA with the MRI vendor.
d. The IT team does not have the budget required to upgrade the MRI scanner.
b. The MRI vendor does not support newer versions of the OS.
Explanation: The most likely reason preventing the IT manager from upgrading the specialized OS is that the MRI vendor does not support newer versions of the operating system. Many medical devices, like MRI scanners, use specialized software that is tightly integrated with specific OS versions. If the vendor does not provide support for newer OS versions, upgrading could lead to compatibility issues, loss of functionality, and lack of vendor support for troubleshooting and maintenance. This situation is common in the medical industry, where devices often rely on specific configurations approved by regulatory bodies and the device manufacturers.
A company received a “right to be forgotten” request. To legally comply, the company must remove data related to the requester from its systems. Which of the following is the company MOST likely complying with?
a. NIST CSF
b. GDPR
c. PCI DSS
d. ISO 27001
b. GDPR
Explanation: The “right to be forgotten” is a provision under the General Data Protection Regulation (GDPR), which is a comprehensive data protection law in the European Union. GDPR gives individuals the right to request the deletion of their personal data from an organization’s systems under certain conditions. This request is also known as the right to erasure. Organizations subject to GDPR are legally required to comply with such requests, provided that no overriding lawful reason for retaining the data exists.
A security team suspects that the cause of recent power consumption overloads is the unauthorized use of empty power outlets in the network rack. Which of the following options will mitigate this issue without compromising the number of outlets available?
a. Adding a new UPS dedicated to the rack
b. Installing a managed PDU
c. Using only a dual power supplies unit
d. Increasing power generator capacity
b. Installing a managed PDU
Explanation: A managed Power Distribution Unit (PDU) allows for better monitoring and control of power usage in a network rack. It provides detailed insights into power consumption at the outlet level, enabling the identification and prevention of unauthorized use of power outlets. This solution does not compromise the number of available outlets and helps to manage and balance the power load efficiently.
An engineer wants to inspect traffic to a cluster of web servers in a cloud environment. Which of the following solutions should the engineer implement?
a. CASB
b. WAF
c. Load balancer
d. VPN
(Community B 69%, A 24%)
b. WAF (Web Application Firewall)
CASBs primarily focus on securing and controlling the use of cloud services and data, while a Web Application Firewall (WAF) is specifically designed to protect web applications and inspect traffic to web servers for security threats.
Explanation: A Web Application Firewall (WAF) is specifically designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It can inspect incoming traffic to the web servers, detect and filter out malicious requests, and provide detailed logging and monitoring capabilities. This helps ensure the security and integrity of the web servers in the cloud environment.