Categories & Types of security controls

Question 1

Technology-based measures such as firewalls and encryption

Answer 1

Technical Controls

Question 2

Policies, procedures, and guidelines for security management

Answer 2

Managerial controls

Question 3

Day-to-day security practices such as monitoring and access management

Answer 3

Operational controls

Question 4

Measures to safeguard physical assets and premises

Answer 4

Physical controls

Question 5

Intended to discourage potential attackers

Answer 5

Deterrent controls

Question 6

Aimed at preventing security incidents

Answer 6

Preventive controls

Question 7

Focused on identifying and detecting security incidents

Answer 7

Detective controls

Question 8

Implemented after an incident to mitigate the impact

Answer 8

Corrective controls

Question 9

Alternative measures to compensate for inadequate primary controls

Answer 9

Compensating controls

Question 10

Policies or regulations providing specific guidance

Answer 10

Directive controls

Question 11

After conducting a vulnerability scan of her network, Wendy discovered the issue shown here on several servers. What is the most significant direct impact of this vulnerability?

A. Attackers may eavesdrop on network communications.
B. Attackers may use this information to gain administrative privileges.
C. Encryption will not protect credentials for this account.
D. Automated attacks are more likely to succeed.

Answer 11

D. Automated attacks are more likely to succeed.

D. Most automated attacks assume that a Windows system still contains a default account named Administrator and try to exploit that account. Changing the name makes it less likely that these attacks will stumble upon the account.

Question 12

Which one of the following characters is the most important to restrict when performing input validation to protect against XSS attacks?

A. <
B. !
C. $
D. ‘

Answer 12

A. <

A. Cross-site scripting relies upon embedding HTML tags in stored or reflected input. The < and > characters are used to denote HTML tags and should be carefully managed when seen in user input.

Question 12

During forensic analysis, Drew discovered that an attacker intercepted traffic headed to networked printers by modifying the printer drivers. His analysis revealed that the attacker modified the code of the driver to transmit copies of printed documents to a secure repository. What type of attack took place?

A. Refactoring
B. Shimming
C. Swapping
D. Recoding

Answer 12

A. Refactoring

A. The two major categories of attack against device drivers are shimming and refactoring. In a shimming attack, the attacker wraps his or her own malicious code around the legitimate driver. Shimming attacks do not require access to the driver’s source code. In a refactoring attack, such as this one, the attacker actually modifies the original driver’s source code.

Question 13

Pete is investigating a domain hijacking attack against his company that successfully redirected web traffic to a third-party website. Which one of the following techniques is the most effective way to carry out a domain hijacking attack?

A. ARP poisoning
B. Network eavesdropping
C. DNS poisoning
D. Social engineering

Answer 13

D. Social engineering

D. In a domain hijacking attack, the attacker changes the registration of a domain with the registrar. DNS and ARP poisoning attacks may redirect web traffic, but they would do so by providing bogus address information, not by hijacking the domain. Network eavesdropping could theoretically be used to steal credentials that are used to alter information with a registrar, but this is unlikely. The most likely source of a domain hijacking attack is using social engineering with the registrar to gain access to the account being used to manage registration information.

Question 14

Which one of the following technologies must be enabled on a wireless network for a Pixie Dust attack to succeed?

A. SSID broadcasting
B. WPS
C. WPA
D. WEP

Answer 14

B. WPS

B. Pixie Dust attacks are a specialized attack that’s used to retrieve the Wi-Fi Protected Setup (WPS) PIN code for a network. Pixie Dust attacks will not work if WPS is not enabled on the network.

Question 15

Darren is investigating an attack that took place on his network. When he visits the victim’s machine and types www.mybank.com into the address bar, he is directed to a phishing site designed to look like a legitimate banking site. He then tries entering the IP address of the bank directly into the address bar and the legitimate site loads. What type of attack is likely taking place?

A. IP spoofing
B. DNS poisoning
C. ARP spoofing
D. Typosquatting

Answer 15

B. DNS poisoning

B. The fact that the legitimate server responds to requests made by an IP address indicates that the attacker is not performing IP spoofing or ARP spoofing. There is no indication that the URL is incorrect, so Darren can rule out typosquatting. The most likely attack in this scenario is DNS poisoning. Darren can verify this by manually changing the system to a different DNS server, clearing the system’s DNS cache, and attempting to resolve the name again.

Question 16

What type of scan can best help identify cases of system sprawl in an organization?

A. Database scan
B. Web application scan
C. Detailed scan
D. Discovery scan

Answer 16

D. Discovery scan

D. Discovery scans are designed to identify systems on the network and can be used to detect undocumented assets that are the result of system sprawl.

Question 17

Scott is a security administrator for a federal government agency. He recently learned of a website that advertises jobs for former government employees. When he accessed the site, the site launched code in his browser that attempted to install malicious software on his system. What type of attack took place?

A. Denial of service
B. Watering hole
C. Spyware
D. Trojan horse

Answer 17

B. Watering hole

B. This is an example of a watering hole attack. These attacks place malicious code on a website frequented by members of the target audience. There is not sufficient information to determine whether the malicious code was spyware or a Trojan horse, or whether it delivered a denial of service payload.

Question 17

Scott is reviewing a list of cryptographic cipher suites supported by his organization’s website. Which one of the following algorithms is not secure and may expose traffic to eavesdropping attacks?

A. ECC
B. 3DES
C. AES
D. DES

Answer 17

D. DES

The Data Encryption Standard (DES) is an outdated, insecure algorithm that should not be used in modern applications. Triple DES (3DES) is a secure alternative that uses three rounds of DES encryption. The Advanced Encryption Standard (AES) and Elliptic Curve Cryptosystem (ECC) are also modern, secure cipher suites.

Question 18

Brenda is selecting the tools that she will use in a penetration test and would like to begin with passive techniques. Which one of the following is not normally considered a passive reconnaissance technique?

A. Social engineering
B. Wireless network eavesdropping
C. Open source intelligence
D. Domain name searches

Answer 18

A. Social engineering

A. Social engineering is an active technique because it involves interaction with the target organization. Attackers may conduct open source intelligence gathering, including domain name searches, using only external resources that will not alert the target organization. Wireless network eavesdropping may also be conducted from a location outside of the organization’s facilities without alerting the organization to their presence or interacting with target systems.

Question 19

Kristen conducts a vulnerability scan against her organization’s network and discovers a file server with the vulnerability shown here. Which one of the following actions is the best way to remediate this vulnerability?

FTP Supports Cleartext Authentication
Description
The remote FTP server allows the user’s name and password to be transmitted in cleartext, which could be intercepted by a network sniffer or a man-in-the-middle attack.

Figure 1.2

A. Discontinue the file transfer service
B. Require strong passwords
C. Switch to SFTP
D. Require multifactor authentication

Answer 19

C. Switch to SFTP

C. The root cause of this issue is that FTP is an insecure protocol and Kristen can resolve this problem by replacing it with a secure alternative, such as SFTP. Requiring strong passwords or multifactor authentication would not resolve this problem as an attacker could still eavesdrop on those connections and obtain user passwords. Discontinuing the file transfer service would resolve the vulnerability, but it is not a good solution because it would unnecessarily disrupt whatever business processes take place on this server.

Question 19

Paul received an email warning him that a new virus is circulating on the internet and that he needs to apply a patch to correct the problem. The message is branded with a Microsoft header. The virus message is actually a hoax and the patch contains malicious code. What principle of social engineering best describes what the attacker is trying to exploit by including the Microsoft header?

A. Consensus
B. Scarcity
C. Trust
D. Intimidation

Answer 19

C. Trust

C. The social engineer is using the Microsoft header in an attempt to exploit the trust that the recipient has for Microsoft. This attack also exploits the principles of authority, familiarity, and urgency. There is no note of scarcity or consensus in the message. The attacker is indeed trying to intimidate the recipient, but the intimidation is contained within the virus hoax message, not the Microsoft header.

Question 20

Frank is the new CISO at a mid-sized business. Upon entering his role, he learns that the organization has not conducted any security training for their sales team. Which one of the following attacks is most likely to be enabled by this control gap?

A. Buffer overflow
B. Social engineering
C. Denial of service
D. ARP poisoning

Answer 20

B. Social engineering

B. Social engineering attacks depend on user error, and training can dramatically reduce the success rate of these attacks. Buffer overflow attacks, denial of service attacks, and ARP poisoning attacks are not generally preventable by end users and, therefore, training the sales team would not be an effective defense against them.

Question 21

After conducting security testing, Bruce identifies a memory leak issue on one of his servers that runs an internally developed application. Which one of the following team members is most likely able to correct this issue?

A. Developer
B. System administrator
C. Storage administrator
D. Security analyst

Answer 21

A. Developer

A. A memory leak is a software flaw and, since this is an internally developed application, the developer is the person who’s the most likely to be able to correct it. If the issue were in a commercially purchased application, a system administrator may be able to correct the issue by applying a patch, but that is not the case in this scenario.

Question 22

Greg recently detected a system on his network that occasionally begins sending streams of TCP SYN packets to port 80 at a single IP address for several hours and then stops. It later resumes, but directs the packets to a different address. What type of attack is taking place? A. Port scanning B. DDoS C. IP scanning D. SQL injection

Answer 22

**B. DDoS** B. This is a clear example of a **distributed denial of service (DDoS)** attack. The system is flooding the target with connection requests, hoping to overwhelm it. The port and IP address are not changing, so this is not indicative of a scanning attack. There is no indication that the connection is completed, so it cannot be a SQL injection attack.

Question 23

During a security assessment, Ryan learns that the Accounts Receivable department prints out records containing customer credit card numbers and files them in unlocked filing cabinets. Which one of the following approaches is most appropriate for resolving the security issues this situation raises? A. Physically secure paper records B. Encrypt sensitive information C. Modify business process D. Monitor areas containing sensitive records

Answer 23

**C. Modify business process** C. All of the controls mentioned in this question would improve the security of this scenario. However, the best way to handle sensitive information is to not retain it in the first place. It is unlikely that there is a valid business reason for storing copies of records containing customer credit card information. Therefore, the most appropriate solution would be to modify the business process to avoid this inappropriate data retention.

Question 24

Jaime is concerned that users in her organization may fall victim to DNS poisoning attacks. Which one of the following controls would be most helpful in protecting against these attacks? A. DNSSEC B. Redundant DNS servers C. Off-site DNS servers D. Firewall rules

Answer 24

**A. DNSSEC** A. DNS poisoning works by injecting false information into a user's local DNS servers. Adding redundant or off-site DNS servers would not reduce the likelihood of a successful attack. Blocking DNS traffic with firewall rules would disrupt the service for legitimate users. The DNSSEC protocol adds a verification layer to ensure that DNS updates come from trusted sources, reducing the likelihood of a successful DNS poisoning attack.

Question 25

Irene is reviewing the logs from a security incident and discovers many entries in her database query logs that appear similar to the ones shown here. What type of attack was attempted against her server? SELECT CASE WHEN SUBSTRING (password) = 'a' THEN WAITEOR DELAY ' 00:00:10' ELSE NULL END FROM users WHERE id = 1928; SELECT CASE WHEN SUBSTRING (password) = 'b' THEN WAITEOR DELAY' 00:00:10' ELSE NULL END FROM users WHERE id = 1928 ; SELECT CASE WHEN SUBSTRING (password) = 'c' THEN WAITFOR DELAY'00:00:10' ELSE NULL END FROM users WHERE id = 1928 ; SELECT CASE WHEN SUBSTRING (password) = 'd' THEN WAITOR DELAY'00:00:10' ELSE NULL END FROM users WHERE id = 1928 : Figure 1.3 A. Error-based SQL injection B. Timing-based SQL injection C. TOC/TOU D. LDAP injection

Answer 25

**B. Timing-based SQL injection** B. This is an example of a SQL injection attack because the attacker is inserting his or her own commands into a SQL database query. This particular example is slowing down responses when the answer is correct to ferret out the characters of a password, one by one. That is an example of a timing-based SQL injection attack.

Question 26

Carl is concerned that his organization's public DNS servers may be used in an amplification attack against a third party. What is the most effective way for Carl to prevent these servers from being used in an amplification attack? A. Disable open resolution B. Block external DNS requests C. Block internal DNS requests D. Block port 53 at the firewall

Answer 26

**A. Disable open resolution** A. All of the possible answers have the effect of blocking some DNS requests. The most effective technique to prevent DNS amplification is to disable open resolution so that external users may not make arbitrary recursive requests against the server. Blocking internal requests would have no effect on the attack. Blocking all external requests or blocking port 53 at the firewall would prevent all external requests, preventing the server from fulfilling its purpose as a public DNS server.

Question 27

What is the purpose of a DNS amplification attack? A. Resource exhaustion B. Host redirection C. Record poisoning D. Man-in-the-middle attack

Answer 27

**A. Resource exhaustion** A. DNS amplification is a denial of service technique that sends small queries with spoofed source addresses to DNS servers, generating much larger, amplified responses back to the spoofed address. The purpose is to consume all of the bandwidth available to the target system, resulting in a resource exhaustion denial of service attack.

Question 28

Which one of the following threat sources is likely to have the highest level of sophistication? A. Organized crime B. Hacktivist C. APT D. Script kiddie

Answer 28

C. APT **C. Advanced persistent threats (APTs)** are characterized by a high level of sophistication and significant financial and technical resources. Other attackers, including script kiddies, criminals, and hacktivists, are not likely to have anywhere near the same sophistication as an APT attacker (such as a national government).

Question 29

Angie is investigating a piece of malware found on a Windows system in her organization. She determines that the malware forced a running program to load code stored in a library. What term best describes this attack? A. DLL injection B. SQL injection C. Pointer dereference D. Buffer overflow

Answer 29

**A. DLL injection** A. This attack is a DLL injection attack. In a DLL injection, the attacker forces an existing process to load a dynamically linked library that contains unauthorized code.

Question 29

In which of the following types of penetration test does the attacker not have any access to any information about the target environment prior to beginning the attack? A. Grey box B. White box C. Red box D. Black box

Answer 29

**D. Black box** D. In a black box attack, the attacker does not have access to any information about the target environment before beginning the attack. In a grey box attack, the attacker has limited information. In a white box attack, the attacker has full knowledge of the target environment before beginning the attack.

Question 30

Bill is securing a set of terminals that are being used to access a highly sensitive web application. He would like to protect against a man-in-the-browser attack. Which one of the following actions would be most effective in meeting Bill's goal? A. Disabling browser extensions B. Requiring multifactor authentication C. Requiring TLS encryption D. Disabling certificate pinning

Answer 30

**A. Disabling browser extensions** A. In a man-in-the-browser attack, the attacker manages to gain a foothold inside the user's browser, normally by exploiting a browser extension. This gives him or her access to all of the information that's accessed with the browser, regardless of whether the site uses strong authentication or transport encryption (such as TLS). Certificate pinning is a technique that's used to protect against inauthentic digital certificates and would not protect against a man-in-the-browser attack.

Question 30

Kevin runs a vulnerability scan on a system on his network and identifies a SQL injection vulnerability. Which one of the following security controls is likely not present on the network? A. TLS B. DLP C. IDS D. WAF

Answer 30

**D. WAF** D. **A web application firewall (WAF)**, if present, would likely block SQL injection attack attempts, making SQL injection vulnerabilities invisible to a vulnerability scanner. **A data loss prevention system (DLP)** does not protect against web application vulnerabilities such as SQL injection. **An intrusion detection system (IDS)** might identify a SQL injection exploit attempt, but it is not able to block the attack. **Transport layer security (TLS) encrypts** web content but encryption would not prevent an attacker from engaging in SQL injection attacks.

Question 30

Maureen is implementing TLS encryption to protect transactions that are being run against her company's web services infrastructure. Which one of the following cipher suites would not be an appropriate choice? A. AES256-CCM B. ADH-RC4-MD5 C. ECDHE-RSA-AES256-SHA384 D. DH-RSA-AES256-GCM-SHA384

Answer 30

**B. ADH-RC4-MD5** B. The key to this question is focusing on the encryption algorithms used by each option. Three of the four options use AES 256-bit encryption, which provides strong cryptography. One uses RC4 encryption, which is a weak implementation of cryptography and should be avoided.

Question 31

Barry would like to identify the mail server being used by an organization. Which one of the following DNS record types identifies a mail server? A. MX B. A C. CNAME D. SOA

Answer 31

A. MX A. The MX record identifies the mail server for a domain. A records are used to identify domain names associated with IP addresses, while CNAMES are used to create aliases. **Start of Authority (SOA)** records contain information about the authoritative servers for a DNS zone.

Question 31

Val runs a vulnerability scan of her network and finds issues similar to the one shown here on many systems. What action should Val take? SSL Certificate - Self-Signed Certificate port 443/tcp over SSL **THREAT**: An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection. The client can trust that the Server Certificate belongs the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are created generally for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers. By exploiting this vulnerability, an attacker can impersonate the server by presenting a fake self-signed certificate. If the client knows that the server does not have a trusted certificate, it will accept this spoofed certificate and communicate with the remote server. Figure 1.4 A. Immediately replace all certificates B. Conduct a risk assessment C. No action is necessary D. Replace certificates as they expire

Answer 31

B. Conduct a risk assessment B. The use of self-signed certificates is not, by itself, cause for alarm. It is acceptable to use self-signed certificates for internal use. Val should conduct a risk assessment to identify whether this use is appropriate and replace any certificates used by external users.

Question 32

Gina runs a vulnerability scan of a server in her organization and receives the results shown here. What corrective action could Gina take to resolve these issues without disrupting the service? - 3 Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32) 3 SSL/TLS Server supports TLSv1.0 port 3389/tcp over SSL CVSS: - CVSS3: - New - 3 SSL/TLS Server supports TLSv1.0 port 3389/tcp over SSL CVSS: - CVSS3: - Active Figure 1.5 A. Update RDP encryption B. Update HTTPS encryption C. Disable the network port D. No action is necessary

Answer 32

**A. Update RDP encryption** A. These vulnerabilities both relate to the encryption of the service running on port 3389, which is used by the Remote Desktop Protocol (RDP). Upgrading this encryption should resolve these vulnerabilities. There is no indication that an HTTPS service is running on this device. Disabling the network port would disrupt the service. Gina should take action because this is an easily corrected vulnerability.

Question 33

Carl is a help desk technician and received a call from an executive who received a suspicious email message. The content of the email appears as follows. What type of attack most likely took place? Claim Your Tax Refund Online We identified an error in the calculation of your tax from the last payment, amounting to $ 419.95. In order for us to return the excess payment, you need to create a e-Refund account after which the funds will be credited to your specified bank account. Please click "Get Started" below to claim your refund: Get Started We are here to ensure the correct tax is paid at the right time, whether this relates to payment of taxes received by the department or entitlement to benefits paid. Figure 1.6 A. Whaling B. Spear phishing C. Vishing D. Phishing

Answer 33

**D. Phishing** D. This is most likely a straightforward phishing attack. The message is generic and not targeted at a specific user, as you would find in a spear phishing attack. Although the user is an executive, there is no indication that the message was specifically sent to this user because of his status as an executive, so it is not likely to be a whaling attack. The attack was sent over email, not the telephone, so it is not an example of vishing.

Question 34

Dan is a cybersecurity analyst. Each day, he retrieves log files from a wide variety of security devices and correlates the information they contain, searching for unusual patterns of activity. What security control is likely lacking in Dan's environment? A. Firewall management tools B. IPS C. SIEM D. NAC

Answer 34

**C. SIEM** C. If Dan's organization used a security information and event management (SIEM) solution, Dan would not need to gather information from this wide variety of sources. Instead, the SIEM would collect and correlate this information, providing Dan with a single place to review correlated data.

Question 35

Which one of the following security controls would be MOST effective in combatting buffer overflow attacks? A. IDS B. VPN C. DLP D. ASLR

Answer 35

**D. ASLR** D. **Address space layout randomization (ASLR)** is a security technique that randomizes the location of objects in memory, making a buffer overflow attack less likely to succeed. **Virtual private networks (VPN)** provide transport encryption and **data loss prevention (DLP)** systems provide protection against data exfiltration. Neither would be effective against buffer overflow attacks. Intrusion detection systems (IDS) may identify a buffer overflow attack but would not prevent it from succeeding.

Question 36

Gary is concerned about the susceptibility of his organization to phishing attacks. Which one of the following controls will best defend against this type of attack? A. Encryption B. User training C. Firewall D. Background checks

Answer 36

**B. User training** B. Phishing is a form of social engineering, and its effectiveness depends upon the susceptibility of users to this type of attack. While some technical controls, such as email content filtering, may be useful against phishing attacks, the most effective defense is user awareness training.

Question 36

Mary believes that her network was the target of a wireless networking attack. Based upon the Wireshark traffic capture shown here, what type of attack likely took place? - Frame 981: 26 bytes on wire (208 bits), 26 bytes captures (208 bits) - # 802.11 radio information - + IEBE 802.11 Deauthentication, Flags: ........ C IERE 802.11 - wireless LAN management frame Figure 1.7 A. Disassociation B. IV accumulation C. Replay D. Bluesnarfing

Answer 36

**A. Disassociation** A. The message shown in the capture is a deauthentication message. These messages are often used in disassociation attacks, where the attacker attempts to force the disconnection of a client from a legitimate access point. IV attacks use cryptanalysis on the initialization vectors (IVs) that are used in establishing a Wi-Fi session. Replay attacks attempt to reuse credentials captured during a legitimate session to establish unauthorized wireless connections. Bluesnarfing attacks leverage Bluetooth technology, which is not in use in this scenario.

Question 37

Rob is conducting a penetration test against a wireless network and would like to gather network traffic containing successful authentication attempts, but the network is not heavily trafficked and he wants to speed up the information gathering process. What technique can he use? A. Replay B. Brute force C. Rainbow table D. Disassociation

Answer 37

**D. Disassociation** D. Disassociation attacks intentionally disconnect a wireless user from their access point to force a reauthentication that the attacker may collect with a wireless eavesdropping tool. Brute force attacks, rainbow table attacks, and replay attacks do not gather network traffic and, therefore, would not be useful in this scenario.

Question 37

In which one of the following types of spoofing attack is the attacker often able to establish two-way communication with another device? A. Email spoofing B. MAC spoofing C. IP spoofing D. RFID spoofing

Answer 37

**B. MAC spoofing** B. In a MAC spoofing attack, the local switch is normally fooled into believing the spoofed address and will route reply traffic back to the device spoofing an address. IP spoofing and email spoofing work at the application layer and, in most cases, the attacker will not receive any responses to spoofed messages. RFID spoofing is not a common type of attack.

Question 37

Joe considers himself a hacker but generally does not develop his own exploits or customize exploits that have been developed by others. Instead, he downloads exploits from hacker sites and attempts to apply them to large numbers of servers around the internet until he finds one that is vulnerable. What type of hacker is Joe? A. 31337 h4x0r B. APT C. Script kiddie D. Penetration tester

Answer 37

**C. Script kiddie** C. Joe is a script kiddie because he does not leverage his own knowledge but merely applies tools written by others. Advanced persistent threats or elite hackers (31337 h4x0r) use sophisticated, customized tools. Joe is not a penetration tester because he does not have authorization to perform the scans.

Question 38

Jake is responsible for the security of his organization's digital certificates and their associated keys. Which one of the following file types is normally shared publicly? A. PEM file B. CRT file C. CSR file D. KEY file

Answer 38

**B. CRT file** B. Jake may safely share the CRT file, which contains a copy of the organization's public X.509 certificate. The KEY and PEM files contain copies of the organization's private keys, which must be kept secret and secure. The CSR file is a certificate signing request, which is sent to the CA when requesting a signed digital certificate. There is no need to share this file publicly.

Question 38

Julie is beginning a penetration test against a client and would like to begin with passive reconnaissance. Which one of the following tools may be used for passive reconnaissance? A. Metasploit B. Nmap C. Nessus D. Aircrack-ng

Answer 38

**D. Aircrack-ng** D. Nmap, Nessus, and Metasploit are all active reconnaissance tools that interact with their target environments. Aircrack-ng may be used to passively gather information about a wireless network and crack a pre-shared key.

Question 39

Which one of the following malware tools is commonly used by attackers to escalate their access to administrative privileges once they have already compromised a normal user account on a system? A. Bot B. Rootkit C. RAT D. Logic bomb

Answer 39

**B. Rootkit** B. Rootkits are specialized attack tools that allow an attacker to escalate privileges. They exploit system vulnerabilities to leverage a normal user account to gain administrative privileges on the system.