CASP Flashcards
A company plans to build an entirely remote workforce that utilizes a cloud-based infrastructure. The Chief information Security Officer asks the security engineer to design connectivity to meet the following requirements:
- Only users with corporate-owned devices can directly access servers hosted by the cloud provider.
- The company can control what SaaS applications each individual user can access.
- User browser activity can be monitored.
Which of the following solutions would BEST meet these requirements?
A. IAM gateway, MDM, and reverse proxy
B. VPN, CASB, and secure web gateway
C. SSL tunnel, DLP, and host-based firewall.
D. API gateway, UEM, and forward proxy
B. VPN, CASB, and secure web gateway
VPN
During a system penetration test, a security engineer successfully gained access to a shell on a Linux host as a standard user and wants to elevate the privilege levels. Which of the following is a valid Linux post-exploitation method to use to accomplish this goal?
A. Spawn a shell using sudo and an escape string such as sudo vim -c ‘!sh’.
B. Perform ASIC password cracking on the host
C. Read the /etc/passwd file to extract the usernames.
D. Initiate unquoted service path exploits.
E. Use the UNION operator to extract the database schema.
C. Read the /etc/passwd file to extract the usernames.
/etc/passwd
A systems administrator is in the process of hardening the host systems before connecting to the network. The administrator wants to add protection to the boot loader to ensure the hosts are secure before the OS fully boots.
Which of the following would provide the BEST boot loader protection?
A. TPM
B. HSM
C. PKI
D. UEFI/BIOS
D. UEFI/BIOS
UEFI/BIOS
A developer is creating a new mobile application for a company. The application uses REST API and TLS 1.2 to communicate securely with the external back-end server. Due to this configuration, the company is concerned about HTTPS interception attacks. Which of the following would be the BEST solution against this type of attack?
A. Cookies
B. Wildcard certificates
C. HSTS
D. Certificate pinning
D. Certificate pinning
A threat hunting team receives a report about possible APT activity in the network. Which of the following threat management frameworks should the team implement?
A. NIST SP 800-53
B. MITRE ATT&CK
C. The Cyber Kill Chain
D. The Diamond Model of Intrusion Analysis
A. NIST SP 800-53
NIST
Device event logs sources from MDM software as follows:
Device - ANDROID_1022 Date/Time - 01JAN21 0255 Location - 39N, 77W Event - Push Description - Application 1220 Install Queued
Which of the following security concerns and response actions would BEST address the risks posed by the device in the logs?
A. Malicious installation of an application; change the MDM configuration to remove application ID 1220.
B. Resource leak; recover the device for analysis and clean up the local storage.
C. Impossible travel; disable the device’s account and access while investigating.
D. Falsified status reporting; remotely wipe the device.
A. Malicious installation of an application; change the MDM configuration to remove application ID 1220.
Install
An energy company is required to report the average pressure of natural gas used over the past quarter. A PLC sends data to a historian server that creates the required reports.
Which of the following historian server locations will allow the business to get he required reports in an OT and IT environment?
A. In the OT environment, use a VPN from the IT environment into the OT environment.
B. In the OT environment, allow IT traffic into the OT environment.
C. In the IT environment, allow PLC’s to send data from the OT environment to the IT environment.
D. Use a screened subnet between the OT and IT environments.
A. In the OT environment, use a VPN from the IT environment into the OT environment.
VPN
Which of the following is a benefit of using steganalysis techniques in forensic response?
A. Breaking a symmetric cipher used in secure voice communications.
B. Determining the frequency of unique attacks against DRM-protected media.
C. Maintaining chain of custody for acquired evidence.
D. Identifying least significant bit encoding of data in a .wav file.
D. Identifying least significant bit encoding of data in a .wav file.
WAV file
A new web server must comply with new secure-by-design priciples and PCI DSS. This includes mitigating the risk of an on-path attack. A security analyst is reviewing the following web server configuration:
TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_8_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE-DSS_WITH_RC4_128_SHA RSA_WITH_AES_128_CCM
Which of the following ciphers should the security analyst remove to support the business requirements?
A. TLS_AES_128_CCM_8_SHA256
B. TLS_DHE_DSS_WITH_RC4_128_SHA
C. TLS_CHACHA20_POLY1305_SHA256
D. TLS_AES_128_GCM_SHA256
C. TLS_CHACHA20_POLY1305_SHA256.
Poly
A security analyst notices a number of SIEM events that show the following activity:
10/30/2020
- 168.1.1 - sc stop WinDefend
- 168.1.2 - c:\program files\games\comptiacasp.exe
- 168.1.1 - c:\windows\system32\cmd.exe /c powershell https://content.comptia.com/content.exam.ps1
- 168.1.1 - powershell –> 40.90.23.154:443
Which of the following response actions should the analyst take FIRST?
A. Disable powershell.exe on all Microsoft Windows endpoints.
B. Restart Microsoft Windows Defender.
C. Configure the forward proxy to block 40.90.23.154.
D. Disable local administrator privileges on the endpoints.
A. Disable powershell.exe on all Microsoft Windows endpoints.
powershell
A company hired a third party to develop software as part of its strategy to be quicker to market. The company’s policy outlines the following requirements:
- The credentials used to publish production software to the container registry should be stored in a secure location.
- Access should be restricted to the pipeline service account, without the ability for the third-party developer to read the credentials directly.
Which of the following would be the BEST recommendation for storing and monitoring access to these shared credentials?
A. TPM
B. Local secure password file
C. MFA
D. Key vault
A. TPM
Storing shared credentials - TPM
A junior developer is informed about the impact of new malware on an Advanced RISC Machine (ARM) CPU, and the code must be fixed accordingly. Based on the debug, the malware is able to insert itself in another process memory location.
Which of the following technologies can the developer enable on the ARM architecture to prevent this type of malware?
A. Execute never
B. No-execute
C. Total memory encryption
D. Virtual memory encryption
A. Execute never
ARM never
A company is implementing SSL inspection. During the next six months, multiple web applications that will be separated out with subdomains will be deployed. Which of the following will allow the inspection of the data without multiple certificate deployments?
A. Include all available cipher suites.
B. Create a wildcard certificate.
C. Use a third-party CA
D. Implement certificate pinning.
D. Implement certificate pinning.
pinning prevents multiple certificate deployments
A small business requires a low-cost approach to theft detection for the audio recordings it produces and sells. Which of the following techniques will MOST likely meet the business’s needs?
A. Performing deep-packet inspection of all digital audio files.
B. Adding identifying filesystem metadata to the digital audio files.
C. Implementing steganography
D. Purchasing and installing DRM suite.
C. Implementing steganography
Steganography for all things audio. Cheaper than DRM.
Clients are reporting slowness when attempting to access a series of load-balanced APIs that do not require authentication. The servers that host the APIs are showing heavy CPU utilization. No alerts are found on the WAFs sitting in front of the APIs.
Which of the following should a security engineer recommend to BEST remedy the performance issues in a timely manner?
A. Implement rate limiting on the API.
B. Implement geoblocking on the WAF.
C. Implement OAuth 2.0 on the API.
D. Implement input validation on the API.
C. Implement OAuth 2.0 on the API.
API’s do not require authorization - OAuth
An organization is considering a BYOD standard to support remote working. The first iteration of the solution will utilize only approved collaboration applications and the ability to move corporate data between those applications. The security team has concerns about the following:
- Unstructured data being exfiltrated after an employee leaves the organization.
- Data being exfiltrated as a result of compromised credentials.
- Sensitive information in emails being exfiltrated.
Which of the following solutions should the security team implement to mitigate the risk of data loss?
A. Mobile device management, remote wipe, and data loss detection.
B. Conditional access, DoH, and full disk encryption.
C. Mobile application management, MFA, and DRM
D. Certificates, DLP, geofencing
A. Mobile device management, remote wipe, and data loss detection.
BYOD - Mobile device management and remote wipe
A Chief Information Officer is considering migrating all company data to the cloud to save money on expensive SAN storage. Which of the following is a security concern that will MOST likely need to be addressed during migration?
A. Latency
B. Data exposure
C. Data loss
D. Data dispersion
A. Latency
On-prem SAN is quicker than off-prem cloud storage.
Due to locality and budget constraints, an organization’s satellite office has a lower bandwidth allocation than other offices in the organization. As a result, the local security infrastructure staff is assessing architectural options that will help preserve network bandwidth and increase speed to both internal and eternal resources while not sacrificing threat visibility. Which of the following would be the BEST option to implement?
A. Distributed connection allocation
B. Local caching
C. Content delivery network
D. SD-WAN vertical heterogeneity
C. Content delivery network
A security analyst is concerned that a malicious piece of code was downloaded on a Linux system. After some research, the analyst determines that the suspected piece of code is performing a lot of input/output (I/O0 on the disk drive.
PID 83 - IO 304023 PID 65 - IO 300 PID 87 - IO 400020 PID 77 - IO 10 PID 85 - IO 0
A. 65
B. 77
C. 83
D. 87
D. 87
Pick the PID with the highest IO.
Which of the following are risks associated with vendor lock-in? (Choose two.)
A. The client can seamlessly move data.
B. The vendor can change product offerings.
C. The client receives a sufficient level of service.
D. The client experiences decreased quality of service.
E. The client can leverage a multicloud approach.
F. The client experiences increased interoperability.
B and D.
B - The vendor can change product offerings.
D - The client experiences decreased quality of service.
Think “what would Juniper do?”
An organization recently experienced a ransomware attack. The security team leader is concerned about the attack reoccurring. However, no further security measures have been implemented. Which of the following processes can be used to identify potential prevention recommendations?
A. Detection
B. Remediation
C. Preparation
D. Recovery
A. Detection
Detection the first step towards prevention.
A security architect is implementing a web application that uses a database back end. Prior to the production, the architect is concerned about the possibility of XSS attacks and wants to identify security controls that could be put in place to prevent these attacks. Which of the following sources could the architect consult to address this security concern?
A. SDLC
B. OVAL
C. IEEE
D. OWASP
B. OVAL
Open Vulnerability and Assessment Language
A security engineer was auditing an organization’s current software development practice and discovered that multiple open-source libraries were integrated into the organization’s software.
The organization currently performs SAST and DAST on the software it develops.
Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries?
A. Perform additional SAST/DAST on the open-source libraries.
B. Implement the SDLC security guidelines.
C. Track the library versions and monitor the CVE website for related vulnerabilities.
D. Perform unit testing of the open-source libraries.
B. Implement the SDLC security guidelines.
SDLC to SDLC
A security analyst is investigating a possible buffer overflow attack. The following output was found on a user’s workstation:
graphic.linux_randomization.prg
Which of the following technologies would mitigate the manipulation of memory segments?
A. NX bit
B. ASLR
C. DEP
D. HSM
B. ASLR
Address Space Layout Randomization prevents buffer overflow
An e-commerce company is running a web server on premises, and the resource utilization is usually less than 30%. During the last two holiday seasons, the server experienced performance issues because of too many connections, and several customers were not able to finalize purchase orders. The company is looking to change the server configuration to avoid this kind of performance issue. Which of the following is the MOST cost-effective solutions?
A. Move the server to a cloud provider.
B. Change the operating system.
C. Buy a new server and create and active-active cluster.
D. Upgrade the server with a new one.
A. Move the server to a cloud provider.
A company has decided to purchase a license for software that is used to operate a mission-critical process. The third-party developer is new to the industry but is delivering what the company needs at this time.
Which of the following BEST describes the reason why utilizing a source code escrow will reduce the operational risk to the company if the third party stops supporting the application?
A. The company will have access to the latest version to continue development.
B. The company will be able to force the third-pary developer to continue support.
C. The company will be able to manage the third-party developer’s development process.
D. The company will be paid by the third-party developer to hire a new development team.
B. The company will be able to force the third-party developer to continue support.
Tricky question. While A is true, B is the best answer. Look for FORCE.
A security analyst is researching containerization concepts for an organization. The analyst is concerned about potential resource exhaustion scenarios on the Docker host due to a single application that is overconsuming available resources. Which of the following core Linux concepts BEST reflects the ability to limit resource allocation to containers?
A. Union filesystem overlay
B. Cgroups
C. Linux namespaces
D. Device mapper
B. Cgroups
Containers - Cgroups
A developer wants to maintain integrity to each module of a program and ensure the code cannot be altered by malicious users. Which of the following would be BEST for the developer to perform? (Choose two.)
A. Utilize code signing by a trusted third party.
B. Implement certificate-based authentication.
C. Verify MD5 hashes.
D. Compress the program with a password.
E. Encrypt with 3DES.
F. Make the DACL read-only.
A and B.
A. Utilize code signing by a trusted third party.
B. Implement certificate-based authentication.
Code and Certificate
A company is moving most of its customer-facing production systems to the cloud-facing production systems to the cloud. IaaS is the service model being used. The Chief Executive Officer is concerned about the type of encryption available and requires the solution must have the highest level of security.
Which of the following encryption methods should the cloud security engineer select during the implementation phase?
A. Instance-based
B. Storage-based
C. Proxy-based
D. Array controller-based
A. Instance-based
A vulnerability analyst identified a zero-day vulnerability in a company’s internally developed software. Since the current vulnerability management system does not have any checks for this vulnerability, an engineer has been asked to create one. Which of the following would be BEST suited to meet these requirements?
A. ARF
B. ISACs
C. Node.js
D. OVAL
D. OVAL
Open Vulnerability and Assessment Language
An organization recently started processing, transmitting, and storing its customers’ credit card information. Within a week of doing so, the organization suffered a massive breach that resulted in the exposure of the customers’ information.
Which of the following provides the BEST guidance for protecting such information while it is at rest and in transit?
A. NIST
B. GDPR
C. PCI DSS
D. ISO
C. PCI DSS
Payment Card Industry Data Security Standard
Which of the following is the MOST important security objective when applying cryptography to control messages that tell an ICS how much electrical power to output?
A. Importing the availability of messages.
B. Ensuring non-repudiation of messages.
C. Enforcing protocol conformance for messages.
D. Assuring the integrity messages.
D. Assuring the integrity of messages.
INTEGRITY
A company wants to protect its intellectual property from theft. The company has already applied ACLs and DACs.
Which of the following should the company use to prevent data theft?
A. Watermarking
B. DRM
C. NDA
D. Access Logging
D. Access Logging
A satellite communications ISP frequently experiences outages and degraded modes of operation over one of its legacy satellite links due to the use of deprecated hardware and software. Three days per week, on average, a contracted company must follow a checklist of 16 different high-latency commands that must be run in serial to restore nominal performance. The ISP wants this process to be automated.
Which of the following techniques would be BEST suited for this requirement?
A. Deploy SOAR utilities and runbooks.
B. Replace the associated hardware.
C. Provide the contractors with direct access to satellite telemetry data.
D. Reduce link latency on the affected ground and satellite segments.
A. Deploy SOAR utilities and runbooks.
Security Operation, Automation, and Response
A company processes data subject to NDAs with partners that define the processing and storage constraints for the covered data. The agreements currently do not permit moving the covered data to the cloud, and the company would like to renegotiate the terms of the agreements. Which of the following would MOST likely help the company gain consensus to move the data to the cloud?
A. Designing data protection schemes to mitigate the risk of loss due to multitenancy.
B. Implementing redundant stores and services across diverse CSPs for high availability.
C. Emulating OS and hardware architectures to blur operations from CSP view.
D. Purchasing managed FIM services to alert on detected modifications to covered data.
A. Designing data protection schemes to mitigate the risk of loss due multitenancy.
MULTITENANCY
Ransomware encrypted the entire human resources fileshare for a large financial institution. Security operations personnel were unaware of the activity until it was too late to stop it. The restoration will take approximately four hours, and the last backup occurred 48 hours ago. The management team has indicated that the RPO for a disaster recovery event for this data classification is 24 hours. Based on RPO requirements, which of the following recommendations should the management team make?
A. Leave the current backup schedule intact and pay the ransom to decrypt the data.
B. Leave the current backup schedule intact and make the human resources fileshare read-only.
C. Increase the frequency of backups and SIEM alerts for IOCs.
D. Decrease the frequency of backups and pay the ransom to decrypt the data.
C. Increase the frequency of backups and SIEM alerts for IOCs.
Only answer that makes sense. INCREASE frequency of backups.
A company undergoing digital transformation is reviewing the resiliency of a CSP and is concerned about meeting SLA requirements in the event of a CSP incident. Which of the following would be BEST to proceed with the transformation?
A. An on-premises solution as a backup
B. A load balancer with a round-robin configuration.
C. A multicloud provider solution
D. An active-active solution within the same tenant.
D. An active-active solution within the same tenant.
ACTIVE-ACTIVE
A company has hired a security architect to address several service outages on the endpoints due to new malware. The Chief Executive Officer’s laptop was impacted while working from home. The goal is to prevent further endpoint disruption. The edge network is protected by a web proxy. Which of the following solutions should the security architect recommend?
A. Replace the current antivirus with an EDR solution.
B. Remove the web proxy and install a UTM appliance.
C. Implement a deny list feature on the endpoints.
D. Add a firewall module on the current antivirus solution.
C. Implement a deny list feature on the endpoints.
IMPLEMENT
All staff at a company have started working remotely due to a global pandemic. To transition to remote work, the company has migrated to SaaS collaboration tools. The human resources department wants to use these tools to process sensitive information but is concerned the data could be:
- Leaked to the media via printing of the documents.
- Sent to a personal email address.
- Accessed and viewed by systems administrators.
- Uploaded to file storage site.
Which of the following would mitigate the department’s concerns?
A. Data loss detection, reverse proxy, EDR, and PGP
B. VDI, proxy, CASB, DRM
C. Watermarking, forward proxy, DLP, and MFA
D. Proxy, secure VPN, endpoint encryption, and AV
B. VDI, proxy, CASB, DRM
VDI
A home automation company just purchased and installed tools for its SOC to enable incident identification and response on software the company develops. The company would like to prioritize defenses against the following attack scenarios:
- Unauthorized insertions into application development environments.
- Authorized insiders making unauthorized changes to environment configurations.
Which of the following actions will enable the data feeds needed to detect these types of attacks on development environments? (Choose two.)
A. Perform static code analysis of committed code and generate summary reports.
B. Implement an XML gateway and monitor for violations.
C. Monitor dependency management tools and report on susceptible third-party libraries.
D. Install an IDS on the development subnet and passively monitor for vulnerable services.
E. Model user behavior and monitor for deviations from normal.
F. Continuously monitor code commits to repositories and generate summary logs.
C and D.
C. Monitor dependency management tools and report on susceptible third-party libraries.
D. Install an IDS on the development subnet and passively monitor for vulnerable services.
MONITOR and INSTALL
An enterprise is deploying APIs that utilize a private key and a public key to ensure the connection string is protected. To connect to the API, customers must use the private key. Which of the following would BEST secure the REST API connection to the database while preventing the use of a hard-coded string in the request string?
A. Implement a VPN for all APIs.
B. Sign the key with DSA.
C. Deploy MFA for the service accounts.
D. Utilize HMAC for the keys.
D. Utilize HMAC for the keys
Hash Message Authentication Code
An application server was recently upgraded to prefer TLS 1.3, and now users are unable to connect their clients to the server. Attempts to reproduce the error are confirmed, and clients are reporting the following:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Which of the following is MOST likely the root cause?
A. The client application is testing PFS.
B. The client application is configured to use ECDHE.
C. The client application is configured to use RC4.
D. The client application is configured to use AES-256 in GCM
C. The client application is configured to use RC4.
App is using old RC4.
An organization is designing a network architecture that must meet the following requirements:
-Users will only be able to access predefined services.
-Each user will have a unique allow list defined for access.
-The system will construct one-to-one subject/object access paths dynamically.
Which of the following architectural designs should the organization use to meet these requirements?
A. Peer-to-peer secure communications enabled by mobile applications.
B. Proxied application data connections enabled by API gateways.
C. Microsegmentation enabled by software-defined-networking.
D. VLANs enable by network infrastructure devices.
C. Microsegmentation enabled by software-defined-networking.
SDN for one-to-one dynamic access paths.
A company’s claims processed department has a mobile workforce that receives a large number of email submissions from personal email addresses. An employee recently received an email that appeared to be a claim form, but it installed malicious software on the employee’s laptop when was opened.
A. Implement application whitelisting and add only the email client to the whitelist for laptop in the claims processing department.
B. Require all laptops to connect to the VPN before accessing email.
C. Implement cloud-based content filtering with sandboxing capabilities.
D. Install a mail gateway to scan incoming messages and strip attachments before they reach the mailbox.
C. Implement cloud-based content filtering with sandboxing capabilities.
SANDBOXING, like WildFire.
A company suspects a web server may have been infiltrated by a rival corporation. The security engineer reviews the web server logs and finds the following:
ls -l -a /usr/heinz/public; cat ./config/db.yml
The security engineer looks at the code with a developer, and they determine the log entry is created when the following line is run:
system (“ls -l -a #{path}”)
Which of the following is an appropriate security control the company should implement?
A. Restrict directory permission to read-only access.
B. Use server-side processing to avoid XSS vulnerabilities in path input.
C. Separate the items in the system call to prevent command injection.
D. Parameterize a query in the path variable to prevent SQL injection.
C. Separate the items in the system call to prevent command injection.
COMMAND INJECTION
A company that uses AD is migrating services from LDAP to secure LDAP. During the pilot phase, services are not connecting properly to secure LDAP. Block is an except of output from the troubleshooting session:
openssl s_client -host dap.comptia.com -port 636 CONNECTED Begin Certificate End Certificate Subject=/CN-*.comptia.com Issues-/DC-com/DC-danville/CN-chicago
Which of the following BEST explains why secure LDAP is not working? (Select TWO.)
A. The clients may not trust ldap by default.
B. The secure LDAP service is not started, so no connections can be made.
C. Danville.com is under a DDoS-inator ttack and cannot respond to OCSP requests.
D. Secure LDAP should be running on UDP rather than TCP.
E. The company is using the wrong port. It should be using port 389 for secure LDAP.
F. Secure LDAP does not support wildcard certificates.
G. The clients may not trust Chicago by default.
B and E.
B. The secure LDAP service is not started, so no connections can be made.
E. The company is using the wrong port. It should be using port 389 for secure LDAP.
Start the service and use the right port.
A threat analyst notices the following URL while going through the HTTP logs.
http://www.safebrowsing~~~/search.asp?q=x=newimage;x.src=”http://baddomain~~~/session;
Which of the following attack types is the threat analyst seeing?
A. SQL injection
B. CSRF
C. Session Hijacking
D. XSS
D. XSS
Cross-Site Scripting
The Chief Information Officer (CIO) of a large bank, which uses multiple third-party organizations to deliver a service, is concerned about the handling and security of customer data by the parties. Which of the following should be implemented to BEST manage the risk?
A. Establish a review committee that assesses the importance of suppliers and ranks them according to contract renewals. At the time of contract renewal, incorporate designs and operational controls into the contracts and a right-to-audit clause. Regularly assess the supplier’s post-contract renewal with a dedicated risk management team.
B. Establish a team using members from first line risk, the business unit, and vendor management to assess only design security controls of all suppliers. Store findings from the reviews in a database for all other business units and risk teams to reference.
C. Establish an audit program that regularly reviews all suppliers regardless of the data they access, how they access the data, and the type of data. Review all design and operational controls based on best practice standard and report the finding back to upper management.
D. Establish a governance program that rates suppliers based on their access to data, they type of data, and how they access the data. Assign key controls that are received and managed based on the supplier’s rating. Report finding units that rely on the suppliers and the various risk teams.
A. Establish a review committee that assesses the importance of suppliers and ranks them according to contract renewals. At the time of contract renewal, incorporate designs and operational controls into the contracts and a right-to-audit clause. Regularly assess the supplier’s post-contract renewal with a dedicated risk management team.
ESTABLISH A REVIEW COMMITTEE
Company A is establishing a contractual with Company B. The terms of the agreement are formalized in a document covering the payment terms, limitation of liability, and intellectual property rights. Which of the following documents will MOST likely contain these elements.
A. Company A-B SLA v2.docx B. Company A OLA v1b.docx C. Company A MSA v3.docx D. Company A MOUT v1.docx E. Company A-B NDA v03.docx
A. Company A-B SLA v2.docx
SLA
A company requires a task to be carried out by more than one person concurrently. This is an example of:
A. Separation of duties
B. Dual control
C. Least privilege
D. Job rotation
A. Separation of duties
A health company has reached the physical and computing capabilities in its datacenter, but the computing demand continues to increase. The infrastructure is fully virtualized and runs custom and commercial healthcare application that process sensitive health and payment information. Which of the following should the company implement to ensure it can meet the computing demand while complying with healthcare standard for virtualization and cloud computing?
A. Hybrid IaaS solution in a single-tenency cloud
B. Pass solution in a multi-tenency cloud
C. SaaS solution in a community cloud
D. Private SaaS solution in a single tenancy cloud
D. Private SaaS solution in a single tenancy cloud.
PRIVATE
A cybersecurity analyst created the following tables to help determine the maximum budget amount the business can justify spending on an improved email filtering system:
Which of the following meets the budget needs of the business?
ABC - $18,000
XYZ - $16,000
GHI - $22,000
TUV - $19,000
A. Filter ABC
B. Filter XYZ
C. Filter GHI
D. Filter TUV
C. Filter GHI
Maximum budget. Pick the highest number, GHI / $22,000.
Ann, a CIRT member, is conducting incident response activities on a network that consists of several hundred virtual servers and thousands of endpoints and users. The network generates more than 10,000 log messages per second. The enterprise belongs to a large, web-based cryptocurrency startup. Ann has distilled the relevant information into an easily digestible report fo executive management. However, she still needs to collect evidence of the intrusion that caused the incident.
Which of the following should Ann use to gather the required information?
A. Traffic interceptor log analysis
B. Log reduction and visualization tools
C. Proof of work analysis
D. ledger analysis software
B. Log reduction and visualization tools
log REDUCTION
A security engineer is troubleshooting an issue in which an employee is getting an IP address in the range on the wired network. The engineer plus another PC into the same port, and that PC gets an IP address in the correct range. The engineer then puts the employee’s PC on the wireless network and finds the PC still does not get an IP address in the proper range. The PC is up to date on all software and antivirus definitions, and the IP address is not an APIPA address. Which of the following is MOST likely the problem?
A. The company is using 802.1x for VLAN assignment, and the user or computer is in the wrong group.
B. The DHCP server has a reservation for the PC’s MAC address for the wired interface.
C. The WiFi network is using WPA2 Enterprise, and the computer certificate has the wrong IP address in the SAN field.
D. The DHCP server is unavailable, so no IP address is being sent back to the PC.
A. The company is using 802.1x for VLAN assignment, and the user or computer is in the wrong group.
802.1x
Immediately following the report of a potential breach, a security engineer creates a forensic image of the server in question as part of the organization incident response procedure. Which of these must occur to ensure the integrity of the image?
A. The image must be password protected against changes.
B. A hash value of the image must be computed.
C. The disk containing the image must be placed in a sealed container.
D. A duplicate copy of the image must be maintained.
B. A hash value of the image must be computed.
HASH
A company in the financial sector receives a substantial number of customer transaction requests via email. While doing a root-cause analysis conceding a security breach, the CIRT correlates and unusual spike in port 80 traffic from the IP address of a desktop used by a customer relations employee who has access to several of the compromised accounts. Subsequent antivirus scans of the device do not return findings, but the CIRT finds undocumented services running on the device. Which of the following controls would reduce the discovery time for similar in the future.
A. Implementing application blacklisting
B. Configuring the mail to quarantine incoming attachment automatically.
C. Deploying host-based firewalls and shipping the logs to the SIEM.
D. Increasing the cadence for antivirus DAT updates to twice daily.
C. Deploying host-based firewalls and shipping the logs to the SIEM
Host-based Firewall
A system administrator at a medical imaging company discovers protected health information (PHI) on a general-purpose file server. Which of the following steps should the administrator take NEXT?
A. Isolate all of the PHI on its own VLAN and keep it segregated at Layer 2.
B. Take an MD5 hash of the server.
C. Delete all PHI from the network until the legal department is consulted.
D. Consult the legal department to determine the legal requirements.
A. Isolate all of the PHI on its own VLAN nd keep it segregated at layer 2.
VLAN
A security analyst is reading the results of successful exploit that was recently conducted by third-party penetration testers. The testers reverse engineered a privileged executable. In the report, the planning and execution of the xploit is detailed using logs and outputs from the test. However, the attack vector of the exploit is missing, making it harder to recommend remediation’s. Given the following output:
A. A TOC/TOU vulnerability
B. A plain-text password disclosure
C. An integer overflow vulnerability
D. A buffer overflow vulnerability
A. A TOC/TOU vulnerability
TOC/TOU
A financial institution has several systems that currently employ the following controls:
- The servers follow a monthly patching cycle.
- All changes must go through a change management process.
- Developers and systems administrators must log into a jumpbox to access the servers hosting the data using two-factor authentication.
- The servers are on an isolated VLAN and cannot be directly accessed from the internal production network.
An outage recently occurred and lasted several days due to an upgrade that circumvented the approval process. Once the security team discovered an unauthorized patch was installed, they were able to resume operations within an hour. Which of the following should the security administrator recommend to reduce the time to resolution if a similar incident occurs in the future?
A. Require more than one approver for all change management requests.
B. Implement file integrity monitoring with automated alerts on the servers.
C. Disable automatic patch update capabilities on the servers.
D. Enhanced audit logging on the jump servers and ship the logs to the SIEM.
B. Implement file integrity monitoring with automated alerts on the servers.
IMPLEMENT file integrity
Over the last 90 days, many storage services have been exposed in the cloud services environments, and the security team does not have the ability to see what is creating these instances. Shadow IT is creating data services and instances faster than the small security team can keep up with them. The Chief Information security Officer (CIASO) has asked the security officer (CISO) has asked the security lead architect to architect to recommend solutions to this problem. Which of the following BEST addresses the problem with the least amount of administrative effort?
A. Compile a list of firewall requests and compare than against interesting cloud services.
B. Implement a CASB solution and track cloud service use cases for greater visibility.
C. Implement a user-behavior system to associate user events and cloud service creation events.
D. Capture all logs and feed them to a SIEM and then for cloud service events.
C. Implement a user-behavior system to associate user events and cloud service creation events.
IMPLEMENT USER
An analyst executes a vulnerability scan against an internet-facing DNS server and receives the following report:
- Vulnerabilities in Kernel-Mode Driver Could Allow Elevation of Privilege
- SSL Medium Strength Cipher Suites Supported
- Vulnerability in DN Resolution Could Allow Remote Code Execution
- SMB Host SIDs allows Local User Enumeration
Which of the following tools should the analyst use FIRST to validate the most critical vulnerability?
A. Password cracker
B. Port scanner
C. Account enumerator
D. Exploitation framework
A. Password cracker
Internet facing - Password Cracker
The Chief Information Officer (CIO) wants to establish a non-banding agreement with a third party that outlines the objectives of the mutual arrangement dealing with data transfers between both organizations before establishing a formal partnership.
Which of the following would MOST likely be used?
A. MOU
B. OLA
C. NDA
D. SLA
A. MOU
Memorandum of Understanding.
Like SDN Zone D to OSS Zone C
A security analyst is trying to identify the source of a recent data loss incident. The analyst has reviewed all the identified assets on the network at the time of the data loss. The analyst suspects the key to finding the source was obfuscated in an application. Which of the following tools should the analyst use NEXT?
A. Software Decompiler
B. Network Enumerator
C. Log reduction and analysi tool
D. Static code analysis
D. Static code analysis
Obfuscation - Static Code Analysis
Which of the following controls primarily detects abuse of privilege but does not prevent it?
A. Off-boarding
B. Separation of duties
C. Least privilege
D. Job rotation
A. Off-boarding
Not sure this is correct.
A company provides guest WiFi access to the internet and physically separates the guest network from the company’s internal WiFi, the company plans to configure WPA2 Enterprise in an EAP-TLS configuration. Which of the following must be installed on authorized hosts for this new configuration to work properly?
A. Active Directory OPOs
B. PKI certificates
C. Host-based firewall
D. NAC persistent agent
B. PKI Certificates
TLS requires certs…
The goal of a Chief Information Security Officer (CISO) providing up-to-date metrics to a bank’s risk committee is to ensure:
A. Budgeting for cybersecurity increases year over year.
B. The committee knows how much work is being done.
C. Business units are responsible for their own mitigation.
D. The bank is aware of the status of cybersecurity risks.
A. Budgeting for cybersecurity increases year over year.
CISO cares about BUDGET
A cybersecurity engineer analyst scans a system for vulnerabilities. The tool created an OVAL results document as output. Which of the following would enable the engineer to interpret the results in a human readable form? (Select TWO.)
A. Text editor B. OOXML editor C. Event Viewer D. XML style sheet E. SCAP tool F. Debugging utility
A and E.
A. Text editor
E. SCAP tool
TEXT and SCAP reads OVAL
A Chief Information Security Officer (CISO) is developing corrective-action plans based on the following from a vulnerability scan of internal hosts:
High finding, Summary, and Impact.
Which of the following is the MOST appropriate corrective action to document for this finding?
A. The product owner should perform a business impact assessment regarding the ability to implement a WAF.
B. The application developer should use a static code analysis tool to ensure any application code is not vulnerable to buffer overflows.
C. The system administrator should evaluate dependencies and perform upgrades as necessary.
D. The security operations center should develop a custom IDS rule to prevent attacks buffer overflows against this server.
A. The product owner should perform a business impact assessment regarding the ability to implement a WAF.
Web Application Firewall
The Chief Information Security Officer (CISO) of a small local bank has a compliance requirement that a third-party penetration test of the core banking application must be conducted annually. Which of the following services would fulfil the compliance requirement with the LOWEST resource usage?
A. Black-box testing B. gray-box testing C. Red-team hunting D. White-box testing E. Blue-team exercises
C. Red-team hunting
HUNT for RED October
Red team is offense, blue team is defense. Box testing is irrelevant to this scenario.
An application developer is including third-party background security fixes in an application. The fixes seem to resolve a currently identified security issue. However, when the application is released to the public, a report came in that a previous vulnerability has returned. Which of the following should the developer integrate into the process to BEST prevent this type of behavior?
A. Peer review
B. Regression testing
C. User acceptance
D. Dynamic analysis
A. Peer Review
A company’s employees are not permitted to access company systems while travelling internationally. The company email system is configured to block logins based on geographic location, but some employees report their mobile phones continue to sync email while travelling. Which of the following is the MOST likely explanation? (Select TWO.)
A. Outdated escalation attack B. Privilege escalation attack C. VPN on the mobile device D. Unrestricted email administrator accounts E. Chief use of UDP protocols F. Disabled GPS on mobile devices
C and F.
C. VPN on the mobile device
F. Disabled GPS on mobile devices
The usual tricks to get around region blocked services (streaming, sportsbooks, etc)
A Chief Information Security Officer (CISO) has launched to create a BCP/DR plan for the entire company. As part of the initiative, the security team must gather data supporting operational importance for the applications used by the business and determine the order in which the application must be back online. Which of the following be the FIRST step taken by the team?
A. Perform a review of all policies and procedures related to BGP and DR and create an educational module that can be assigned to employees to provide BCP/DR events.
B. Create an SLA for each application that states when the application will come back online and distribute this information to the business units.
C. Have each business unit conduct a BIA and categorize the application according to the cumulative data gathered.
D. Implement replication of all servers nd application data to back up datacenters that are geographically from the central datacenter and release an updated BPA to all clients.
C. Have each business unit conduct a BIA and categorize the application according to the cumulative data gathered.
BIA - Business Impact Analysis
BCP - Business Continuity Planning
DR - Disaster Recovery
Match each finding to each host:
1 - A natural disaster may disrupt operations at Site A, which would then cause an evacuation. Users are unable to log into the domain from their workstations after relocated to Site B.
2 - A natural disaster may disrupt operations at Site A, which would then cause the pump room at Site B to become inoperable.
3 - A natural disaster may disrupt operations at Site A, which would then cause unreliable Internet connectivity at Site B due to route flapping.
Site A: VPN Concentrator Directory Server Application Server PLC HVAC Pumps SCADA Controller Web Server
1 - VPN Concentrator
2 - Pumps
3 - Directory server
An organization is referencing NIST best practices for BCP creation while reviewing current internal organizational processes for mission-essential items.
Which of the following phases establishes the identification and prioritization of critical systems and functions?
A. Review a recent gap analysis.
B. Perform a cost-benefit analysis.
C. Conduct a business impact analysis.
D. Develop an exposure factor matrix.
C. Conduct a business impact analysis.
BCPs need BIAs.
An organization is preparing to migrate its production environment systems from an on-premises environment to a cloud service. The lead security architect is concerned that the organization’s current methods for addressing risk may not be possible in the cloud environment.
Which of the following BEST describes the reason why traditional methods of addressing risk may not be possible in the cloud?
A. Migrating operations assumed the acceptance of all risk
B. Cloud providers are unable to avoid risk
C. Specific risks cannot be transferred to the cloud provider.
D. Risks to data in the cloud cannot be mitigated.
C. Specific risks cannot be transferred to the cloud provider.
Only answer that isn’t ridiculous…
A company created an external application for its customers. A security researcher now reports that the application has a serious LDAP injection vulnerability that could be leveraged to bypass authentication and authorization.
Which of the following actions would best resolve the issue (Choose two.)
A. Conduct input sanitization. B. Deploy a SIEM. C. Use containers. D. Patch the OS. E. Deploy a WAF. F. Deploy a reverse proxy. G. Deploy an IDS.
B and D.
B. Deploy a SIEM
D. Patch the OS
SPLUNK AND PATCH
In preparation for the holiday season, a company redesigned the system that manages retail sales and moved it to a cloud service provider. The new infrastructure di not meet the company’s availability requirements. During a postmortem analysis, the following issues were highlighted.
1. International users reported latency when images on the web page were initially loading.
2. During times of report processing, users reported issues with inventory when attempting to place orders.
3. Despite the fact that ten new API servers were added the load across servers was heavy at peak times.
Which of the following infrastructure design changes would be BEST for the organization to implement to avoid these issues in the future?
A. Serve static ontent via distributed CDNs, create a read replica of the central database and pull reports from there, and auto-scale API servers based on performance.
B. Increase the bandwidth for the server that delivers images, use a CDN, change the database to a non-relational database, and split the ten API servers across two load balancers.
C. Serve images from the object storage bucket with infrequent read times, replicate the database across different regions, and dynamically create API servers based on load.
D. Server static-content object storage across different regions, increase the instance size on the managed relational database, and distribute the ten API servers across multiple regions.
A. Serve static content via distributed CDNs, create a read replica of the central database and pull reports from there, and auto-scale API servers based on performance.
CDN, DB, Auto-Scale
During a remodel, a company’s computer equipment was moved to a secure storage room with cameras positioned on both sides of the door. The door is locked using a card reader issued by the security team, and only the security team and department managers have access to the room.
The company wants to be able to identify any unauthorized individuals who enter the storage room by following an authorized employee.
Which of the following processes would BEST satisfy this requirement?
A. Monitor camera footage corresponding to a valid access request.
B. Require both security and management to open the door.
C. Require department managers to review denied-access requests.
D. Issue new entry badges on a weekly basis.
A. Monitor camera footage corresponding to a valid access request.
A company is preparing to deploy a global service.
Which of the following must he company do to ensure DGPR compliance? (Choose two.)
A. Inform users regarding what data is stored.
B. Provide opt-in/out for marketing messages.
C. Provide data deletion capabilities.
D. Provide optional data encryption.
E. Grant data access to third parties.
F. Provide alternative authentication techniques.
A and B.
A. Inform users regarding what data is stored.
B. Provide opt-in/out for marketing messages.
General Data Protection Regulation, an EU regulation.
A SOC analyst is reviewing malicious activity on an external, exposed web server. During the investigation, the analyst determines specific traffic is not being logged, and there is no visibility from the WAF for the web application.
Which of the following is the MOST likely cause?
A. The user agent client is not compatible with the WAF.
B. A certificate on the WAF is expired.
C. HTTP traffic is not forwarding to HTTPS to decrypt.
D. Old, vulnerable cipher suites are still being used.
B. A certificate on the WAF is expired.
WAF Expired
