Certmaster practice questions Flashcards

1
Q

5

A multinational company has partnered with several smaller, younger companies. To protect their supply chain and improve their own risk posture, the company offers to provide network security services for their new partners. Conclude what type of risk the company is addressing.

External
Legacy systems
Multiparty
Internal

A

Multiparty

Multiparty risk occurs when an adverse event impacts multiple organizations. If a breach occurs for one party, all parties share the risk.

2
Q

1

A vulnerability database loaded on a scanning tool such as Tenable Nessus will commonly show which of the following properties?

Select all that apply.

Score
Dictionary
Security data inputs
Packet data

A

Score
Dictionary

Score-Common Vulnerability Scoring System (CVSS) is maintained by the Forum of Incident Response and Security Teams (first.org/cvss). Scores range from 0 (low) to 9+ (critical).
Dictionary-Common Vulnerabilities and Exposures (CVE) is a dictionary of vulnerabilities in published operating systems and applications software provided by cve.mitre.org. It includes the CVE ID, a brief description, a URL reference list, and the date of entry.

3
Q

3

A company provides smartphones to their employees. IT administrators have the ability to deploy, secure, and remove specific applications and data from the employees’ smartphones. Analyze the selections and determine how IT can perform this type of control.

Push notifications
Content management
Baseband update
Storage segmentation

A

Storage segmentation

Storage segmentation is personal data segmented from organizational data on a mobile device. It gives IT administrators control over corporate assets on employees’ mobile devices.

4
Q

1

Experts at a scientific facility suspect that operatives from another government entity have planted malware and are spying on one of their top-secret systems. Based on the attacker’s location and likely goals, which attacker type is likely responsible?

Hacktivists
Script kiddies
State actors
Criminal syndicates

A

State actors

State actors have been implicated in many attacks, particularly on energy and health network systems. They typically work at arm’s length from the national government that sponsors and protects them, maintaining “plausible deniability.” A criminal syndicate can operate across the internet from different jurisdictions than its victim, increasing the complexity of prosecution. Syndicates will seek any opportunity for criminal profit, but typical activities are financial fraud. A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.

5
Q

1

What would be the highest concern for an e-commerce company whose top priority is to ensure customers can shop online 24/7?

Increase of data breaches
Loss of reputation
Loss of availability
Increase of fines

A

Loss of availability

Availability loss in this case is losing redundancy in applications and servers that host and run the e-commerce website. Service availability is important to an e-commerce company that advertises 24/7 services.

6
Q

1

Today’s hackers are keen on knowing that security teams are actively hunting for threats on the network. Hackers may use resources to trigger a diversion to keep threat hunters busy, while another attack is initiated to carry out the primary objective of the planned penetration attack. How can a security team best circumvent this strategic hacking technique?

Monitor threat feeds from ISACs.
Review security advisories.
Apply intelligence fusion techniques.
Use a defensive maneuver.

A

Use a defensive maneuver.

A defense maneuver uses passive discovery techniques so that threat actors do not know they have been discovered. This gives the security team a chance to investigate the source of the attack and plan a resolution before the threat moves on to the next objective.

7
Q

5

A severe tropical storm devastates an island where a small company stores data. Which disaster types have impacted the company?

Select all that apply

External
Internal
Environmental
Person-made

A

External
Environmental

An environmental or natural disaster is one that could not be prevented through human agency. Environmental disasters include floods, earthquakes, storms, or disease.

External disaster events are caused by threat actors who have no privileged access and include disasters that affect the organization through wider environmental or social impacts.

8
Q

2

A cardiovascular patient is sent home with a monitoring device that records and sends data to a healthcare provider when triggered by abnormal cardiac activity. Response time to the data is critical to patient health. Which embedded platform is the medical device using?

Real-time
Standalone
Distributed
Networked

A

Real-time

A real-time operating system (RTOS) is in an embedded system intended to serve real-time applications that process data as it comes in. It provides a quicker reaction to external events than a typical operating system.

9
Q

3

A network administrator can conduct a site survey to find potential placement locations of wireless access points (WAP) using which of the following?

Select all that apply

Wi-Fi Protected Setup (WPS)
Wi-Fi analyzer
Wireless controller
Heat map

A

Wi-Fi analyzer
Heat map

A Wi-Fi analyzer is software on a laptop or mobile device with a wireless network adapter. Information about the signal is obtained at regularly spaced points as the surveyor moves around.
A heat map is a visual of the information gathered from a Wi-Fi analyzer. It can show where a signal is strong (red) or weak (green/blue), and which channel is being used.

10
Q

5

An employee at a financial firm is responsible for ensuring that data is stored in accordance with applicable laws and regulations. What role does the employee have in terms of data governance?

Data steward
Data processor
Data owner
Data custodian

A

Data steward

The data steward is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata, as well as ensuring the data is collected and stored in a format containing values that comply with applicable laws and regulations.

11
Q

3

A small company has set up the domain environment to prevent the installation of a list of prohibited software. Employees received this same list via email. What type of method prevents the installation of specific software on workstations?

Whitelisting
Blacklisting
Anti-malware
Application hardening

A

Blacklisting

Execution control, to prevent the use of unauthorized software, can be implemented as a blacklist. This control means that anything not on the prohibited blacklist can run.

12
Q

3

Which certificate attribute describes the computer or machine it belongs to?

Select all that apply

Certificate authority name
Common name
Company name
Subject alternate name

A

Common name
Subject alternate name

The common name (CN) attribute identifies the computer or machine by name, usually a fully qualified domain name (FQDN), such as www.comptia.org.
The subject alternative name (SAN) extension field is structured to represent different types of identifiers, including domain names. This is more commonly used as the CN attribute has been deprecated.

13
Q

3

Evaluate and select the differences between WPA and WPA2.

Select all that apply

WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 “patched” with the Temporal Key Integrity Protocol (TKIP).
WPA2 is a security protocol developed by the Wi-Fi Alliance for use in securing wireless networks.
WPA2 is much more secure than WEP, where WPA is not.
WPA2 requires entering a longer password than WPA.

A

WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 “patched” with the Temporal Key Integrity Protocol (TKIP).
WPA2 requires entering a longer password than WPA.

WPA2 supports an encryption algorithm based on the Advanced Encryption Standard (AES) rather than the version of RC4 “patched” with the Temporal Key Integrity Protocol (TKIP).
WPA and WPA2 are both much more secure than WEP (wired equivalent privacy).

14
Q

3

IT management wants to make it easier for users to request certificates for their devices and web services. The company has multiple intermediate certificate authorities spread out to support multiple geographic locations. In a full chain of trust, which entity would be able to handle processing certificate requests and verifying requester identity?

OCSP
RA
CA
CSR

A

RA

A Registration Authority (RA) is a function of certificate enrollment and its services would be combined with a Certificate Authority (CA) in a single CA hierarchy. An RA is responsible for validating and submitting a request on behalf of end users.

15
Q

1

IT discovers a flaw in a web application where it allows queries without encryption. As a result, requests are being spoofed and directories containing private files are viewable. What is happening?

Structured Query Language (SQL) injection
Dynamic Link Library (DLL) injection
Lightweight Directory Access Protocol (LDAP) injection
Extensible Markup Language (XML) injection

A

Extensible Markup Language (XML) injection

Extensible Markup Language (XML) can be used for data exchange. Without encryption, it is vulnerable to spoofing, request forgery, and injection of arbitrary code. For example, an XML External Entity (XXE) attack embeds a request for a local resource.

16
Q

2

A test team performs an in-depth review of completed code and analyzes its compatibility with the environment it will be deployed to. Which of the following environments is the test occurring in?

Development
Test
Staging
Production

A

Staging

A staging environment mimics that of a production environment. It is used for dynamic analysis of an application in a complete but separate production-like environment.

17
Q

2

A consumer uses a Samsung SmartThings coordinator to turn on lights in the home and start the dishwasher. Which communications protocol is the hub using?

Baseband
Bluetooth
Narrowband
Zigbee

A

Zigbee

Zigbee is a two-way wireless radio frequency communication between a sensor and a control system. It is an Institute of Electrical and Electronics Engineers (IEEE) 802.15.4-based specification for communication protocols and is used for home automation.

18
Q

3

A company stages its computing power in a centralized environment. All workstations run off of one desktop hosted in the data center. When the admin makes changes at individual workstations, the changes only get saved locally, until a user signs off, and the system then reverts back to the previous state. What technology does this represent?

Type 1 hypervisor
Persistent VDE
Snapshot
Non-persistent VDE

A

Non-persistent VDE

Non-persistent Virtual Desktop Environments (VDE) utilize a central desktop through a remote server. When a user logs on to the desktop, changes and work completed are not saved locally long term. As soon as the user logs off, the desktop reverts back to the image at the central location.

19
Q

2

A logistics facility provides transportation services globally for many clients. Clients require their planning information to be kept in a secure environment not connected to a network until the needs have been fulfilled. Which of the following solutions would be the most ideal method of meeting this requirement for the company?

Air gap
Faraday cage
Container
Mantrap

A

Air gap

An air gap is a host that is not physically connected to any network. Air gaps are secure areas that protect resources against unauthorized users and spillage of information.

20
Q

2

A systems administrator plans to protect a data center with various security controls and safety mechanisms. Which solution does the administrator plan based on a “triangle” principle?

Noise detection
Industrial camouflage
Motion detection
Fire suppression

A

Fire suppression

The fire triangle works on the principle that fire requires heat, oxygen, and fuel to ignite and burn. Removing any one of those elements provides fire suppression.

21
Q

4

List methods of containment based on the concept of segmentation.

Select all that apply

Honeynet
Sandboxing
Blackhole
Sinkhole

A

Honeynet
Sinkhole

Sinkhole routing means that suspicious traffic flooding a specific IP address is routed to another network for analysis. Sinkhole routing is a form of segmentation because it maintains the connection to other networks.
A honeynet is a segmented network composed entirely of honeypots. A honeypot is a decoy node intended to draw the attention of threat actors, to trick them into revealing their presence and potentially more information.

22
Q

4

A Security Information Event System (SIEM) parses network traffic and log data from multiple sensors, appliances, and hosts to implement correlation rules on metrics derived from data sources. SIEM assists the systems admin to detect events that may be potential incidents. Define the term for notifications passed upon detection of a potential incident.

Correlation
Sensitivity
Alerts
Trends

A

Alerts

SIEM dashboards are one of the main sources of automated alerts. The event is listed on a dashboard or incident handling system for an agent to assess. Then, the SIEM dashboard will automatically notify the staff in charge of security.

23
Q

2

In which environment can multiple developers check out software code and include change management processes?

Production
Test
Development
Staging

A

Development

A development environment is where developers create a product. Developers check out code for editing or updating. Version control and change management occur in the development environment to track development.

24
Q

4

Identify types of metadata that would be associated with CDR (call detail records) of mobile devices.

Select all that apply

List of towers connected to
Call durations
SMS text timestamps
GPS location data

A

Call durations
SMS text timestamps
GPS location data

Call detail records (CDR) routinely contain times and durations of incoming, outgoing, and attempted calls, as well as the phone numbers of said calls.
By examining the list of towers a device has connected to in the call detail records (CDR), it is possible to ascertain the general vicinity of locations in which the device has been present.
SMS text time, duration, and phone number of origin are recorded in the call detail records (CDR) metadata associated with mobile devices.

25
Q

5

An organization that is planning a move to the cloud checks to see that the chosen CSP uses a standard method for creating and following security competencies. Which method does the CSP likely implement?

Cloud controls matrix
Reference architecture
Service Organization Control (SOC2)
National, territory, or state laws

A

Cloud controls matrix

The cloud controls matrix consists of specific controls and assessment guidelines that should be implemented by CSPs. The matrix acts as a starting point for agreements, as it provides a baseline level of security competency that the CSP should meet.

26
Q

1

Which of the following are deployed similarly to a credit card skimmer?

Card cloner
Malicious USB plug
Keyloggers
Malicious flash drive

A

Malicious USB plug

A malicious Universal Serial Bus (USB) charging cable and plug are deployed similarly to card skimmers. The device may be placed over a public charging port at airports and other transit locations. The device can then access a smartphone when connected.

27
Q

5

Which resource can help a cloud consumer evaluate a cloud service provider as its services relate to integrating on-premises controls?

Reference architecture
Security guidance
Cloud control matrix
Service Organization Control

A

Security guidance

Security guidance offers a best practice summary analyzing the unique challenges of cloud environments and how on-premises controls can be adapted to them.

28
Q

4

Investigators perform analysis on a breached system. When looking at data timestamps, what should be noted about any time offset?

Select all that apply

Daylight savings time
Valid time source
Clock synchronization
UTC time

A

Daylight savings time
UTC time

Local time is the time within a particular time zone, which is offset from UTC by several hours. NTFS uses UTC “internally.” It is vital to establish how a timestamp is calculated and note the offset.

The local time offset on a system may vary if daylight savings time is in place. Investigators must note the offset between the local system time and UTC.

29
Q

2

An unmanned aerial vehicle is equipped with a component to ensure position and movement sensors are aligned and relays information to a ground control. Which of the following computing devices does this best describe?

Embedded system
SoC
Microprocessor
Microcontroller

A

Embedded system

An embedded system is a combination of hardware and software that contains a dedicated function and uses a computer component to complete the function.

30
Q

5

A global corporation assesses risk appetite and how risks in various regions could influence mission-critical operations. They are assessing compliance with local laws and licensing requirements to prevent financial risk or resolve security risks, and changing the risk posture and implementing risk controls to compensate. Conclude what type of assessment the team is performing.

Penetration testing
Vulnerability assessment
Risk control assessment
Site risk assessment

A

Risk control assessment

Risk and control self-assessment (RCSA) is the method by which companies evaluate and analyze the operational risks and the efficacy of the controls used to manage them.

31
Q

4

A systems administrator learns Linux commands to view log files. Which command should be used if line numbers are required to view an entire file?

grep
tail
cat
head

A

cat

The Linux command cat allows for viewing the entire contents of one or more files. For example, to view the contents of two log files, use cat -n access.log access2.log. The -n switch adds line numbers.

32
Q

1

Which attack is a brute-force type that mixes common passwords with usernames?

Dictionary
Skimming
Rainbow
Spraying

A

Spraying

Password spraying is a horizontal brute-force online attack. The attacker chooses one or more common passwords (for example, password) and tries them in conjunction with multiple usernames.

33
Q

4

Flow analysis tools, such as IPFIX or Netflow, collect metadata about network traffic without capturing each frame. Evaluate the type of analysis that uses these tools.

Vulnerability analysis
Trend analysis
Log analysis
Packet analysis

A

Trend analysis

Since flow analyzers gather metadata and statistics about network traffic, they are commonly used to visualize traffic statistics in order to assist in identifying trends.

34
Q

3

The RADIUS server is down, and employees need immediate access to Wi-Fi routers in the office building. The WAPs (Wireless Access Points) service smartphones and tablets. After disabling Enterprise mode, how will users connect to the WAPs?

Use company credentials
Use 5 GHz band
Use a pre-shared key
Set devices to 802.11n

A

Use a pre-shared key

A PSK (pre-shared key) is the password needed to gain access to a WAP (wireless access point) that is WPA2 enabled, for example.

35
Q

2

A network administrator needs a service to easily manage Virtual Private Cloud (VPC) and edge connections. The service must have a central console for ease of monitoring all components. Which of the following is the best solution for the administrator to use in a cloud computing environment?

Transit gateway
NAT gateway
Cloud storage gateway
Gateway endpoint

A

Transit gateway

A transit gateway is a cloud network hub that allows users to interconnect virtual private clouds (VPC) and on-premises networks through a central console.

36
Q

4

A large business works with a consulting group to develop a business continuity plan. The goal of the plan is to provide a potentially uninterrupted workflow in the event of an incident. Examine the descriptions and determine which one matches this goal.

Retention of data for a specified period
Ensuring processing redundancy supports the workflow
Performing mission critical functions without IT support
Recovery of primary business functions when disrupted

A

Ensuring processing redundancy supports the workflow

Business continuity planning identifies how business processes should deal with both minor and disaster-level disruption. It ensures that there is processing redundancy supporting the workflow through failover.

37
Q

5

After reading an article online, a business stakeholder is concerned about a risk associated with Denial of Service (DoS) attacks. The stakeholder requests information about what countermeasures would be taken during an attack. Where would the security analyst look to find this information?

Risk regulations
Risk heat map
Risk register
Risk and Control Assessment

A

Risk register

The risk register shows the results of risk assessments in a comprehensible document format. Information in the register includes impact, likelihood ratings, date of identification, description, countermeasures, owner/route for escalation, and status.

38
Q

4

The NIST Computer Security Incident Handling Guide describes six stages of the incident response lifecycle. Indicate in which stage of the incident response lifecycle the incident response team would review and analyze their response and possibly integrate changes into the team’s Incident Response Plan.

Preparation
Recovery
Lessons learned
Identification

A

Lessons learned

The “lessons learned” phase occurs when the team’s response is evaluated. It is for this reason that it is important to document the entire response process.

39
Q

1

Security content automation protocol (SCAP) allows compatible scanners to compare computers with which of the following?

Log collector
Common Vulnerability Scoring System
Configuration baseline
Security bulletin

A

Configuration baseline

Security content automation protocol (SCAP) allows compatible scanners to determine whether a computer meets a configuration baseline. The Extensible Configuration Checklist Description Format (XCCDF) audits for best-practice configuration checklists and rules.

40
Q

1

A user notices several new icons for unknown applications after downloading and installing a free piece of software. IT support determines that the applications are not malicious but are classified as which type of software?

PUPs
Fileless viruses
Worms
Trojans

A

PUPs

Potentially unwanted programs (PUP) are software installed alongside a package selected by the user, or perhaps bundled with a new computer system.

41
Q

5

Which value is the result of a quantitative or qualitative risk analysis?

Annualized loss expectancy
Single loss expectancy
Inherent risk
Risk factors

A

Inherent risk

The result of quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before any type of mitigation has been attempted.

42
Q

5

Conclude what type of data has high trade values in black markets, is often anonymized or deidentified for use in scientific research, and when compromised, can lead to its use in blackmail or insurance fraud, as well as cause reputational damage to the responsible organization.

Government Data
Customer Data
Financial Information
Personal health information (PHI)

A

Personal health information (PHI)

Personal health information (PHI), such as medical and insurance records, laboratory test results, etc., has a high value in black markets because of its potential use for blackmail and insurance fraud. It is often anonymized and used for research.

43
Q

4

An enterprise has recently experienced a severe malware attack. Admin has identified and removed the cause, and they are now checking the systems and bringing them back online. How would one categorize the cause with respect to incident response procedures?

Recovery
Eradication
Containment
Preparation

A

Eradication

Eradication is an incident response lifecycle phase requiring the identification of the root cause of an incident. For instance, a user clicking on a suspicious attachment in an email is a root cause of a potentially larger problem.

44
Q

2

An application requires continuity of operations within a 24 hour period due to the command and control capabilities it maintains. The failover site must be physically separated from the program office and be available within the required timeframe with live data. Which of the following redundancy solutions best meets the failover requirement?

Recovery time objective
Geographical dispersal
Failover clusters
Meantime between failure

A

Geographical dispersal

Geographical dispersal is a failover consideration that replicates data in hot and warm sites physically distanced from one another in the event of a catastrophe.

45
Q

1

Which of the following are examples of weak patch management for operating systems and device firmware in a classified network?

Select all that apply

A

non-centralized deployment
undocumented process

A non-centralized deployment process makes patch management difficult. For example, Microsoft Endpoint Configuration Manager can schedule, monitor, and auto-deploy patches to Windows systems and applications.
An undocumented process makes it difficult to maintain a consistent workflow for patch management in a closed or classified network. Personnel should know how to download patches from the Internet and upload them to the closed network.

46
Q

1

An attacker launches a vishing social engineering attack by impersonating a police officer. The attacker calls the victims and tries to exploit this behavior by demanding the victims give the attacker their name and address immediately. This type of attack does NOT demonstrate what type of social engineering principle?

Urgency
Authority
Intimidation
Familiarity/liking

A

Familiarity/liking

One of the basic tools of a social engineer is simply to be affable, likable, and persuasive, and to present the requests they make as completely reasonable and unobjectionable.

47
Q

5

Information security and cybersecurity tasks can be classified into five functions. Which regulatory concept or entity relates to these functions?

Center for Internet Security (CIS)
Payment Card Industry Data Security Standard (PCI DSS)
General Data Protection Regulation (GDPR)
National Institute of Standards and Technology (NIST)

A

National Institute of Standards and Technology (NIST)

Information security and cybersecurity tasks can be classified as five functions (Identify, Protect, Detect, Respond, Recover), following the framework developed by the National Institute of Standards and Technology.

48
Q

5

How might responsibilities be divided among individuals to prevent abuse of power in an organization?

Separation of duties
Least privilege
Job rotation
Clean desk space

A

Separation of duties

Separation of duties is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Divided duties among individuals prevent ethical conflicts or abuses of power.

49
Q

1

Which of the following is TRUE about false negatives in relation to vulnerability scanning tools?

Select all that apply

Is identified
Is not high risk
Is a high risk
Is not identified

A

Is a high risk
Is not identified

False negatives are the potential vulnerabilities that are not identified by the scanning tool. It is possible the vulnerability has not been discovered, or a hacker may have spoofed the vulnerability as if nothing is wrong.
A false negative is a high security risk because a possible threat could go unnoticed for long periods. This can be mitigated by running repeat scans and by using scanning tools from other vendors.

50
Q

4

A piece of data that may or may not be relevant to the investigation or incident response such as registry keys, files, time stamps, and event logs are known as what?

Artifacts
Cache
Checksums
Tags

A

Artifacts

An artifact is a piece of data, such as registry keys, files, timestamps, and event logs, that may or may not be important to the investigative analysis or incident response.

51
Q

5

A small department at a company manages a server, separate from IT, for data access and backup purposes. What role does the department fulfill?

Data owner
Data processor
Data controller
Data custodian

A

Data custodian

The data custodian role handles managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures.

52
Q

2

Devices deployed in a network that process data from an Internet of Things (IoT) sensor and send it up to the local area network (LAN) level are which of the following?

Fog computing
On-premise computing
Cloud computing
Edge computing

A

Fog computing

Fog computing provides decentralized local access by deploying fog nodes throughout the network. Fog computing analyzes data on the network edge to avoid the need to transfer unnecessary data back to the LAN.

53
Q

5

A new company implements a datacenter that will hold proprietary data that is output from a daily workflow. As the company has not received any funding, no risk controls are in place. How does the company approach risk during operations?

Mitigation
Avoidance
Transference
Acceptance

A

Acceptance

Risk acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

54
Q

1

Choose the components a threat actor may use to set up a distributed denial of service attack (DDoS) on a local network.

Select all that apply

Remote access trojan
Botnet
Command and control
Spyware

A

Remote access trojan
Botnet
Command and control

A botnet is a group of bots that are all under the control of the same malware instance. A bot is an automated script or tool that performs some malicious activity.
A command and control (C2 or C&C) host or network controls the bots or botnet to carry out remote tasks on the local network.
A remote access trojan (RAT) is backdoor malware that mimics the functionality of legitimate remote control programs but is designed specifically to operate covertly.

55
Q

4

Identify security control options that can be categorized as “corrective.”

Select all that apply

Firewall rules
Quarantine of infected hosts
Digital Loss Prevention (DLP) software configurations
Containment of the threat

A

Quarantine of infected hosts
Containment of the threat

Corrective controls act to eliminate or reduce the impact of an intrusion event. During an attack, for instance, a corrective control can eliminate the threat.
Quarantining infected or compromised machines is a corrective control.

56
Q

1

Where should a systems administrator search for more information on how to fix a CPU vulnerability on a Dell rack server?

Best Buy Geek Squad
Facebook
Vendor support page
Black Hat conference

A

Vendor support page

Vendors will provide guides, templates, and tools for configuring and securing operating systems, applications, and physical devices like a rack server. CPU vulnerabilities may require firmware updates that may only be available from the vendor. Conferences are hosted and sponsored by various institutions and provide an opportunity for presentations on the latest threats and technologies. The Black Hat conferences showcase the latest threats and hacker techniques in the industry. Social media platforms, such as Facebook, can showcase how-to videos and posts, but they are limited. Support files are only available on vendor support pages. A local industry group or a company like Best Buy’s Geek Squad helps with smaller commercial and consumer products and is not ideal for rack-server-related items.

57
Q

4

Identify which tools would be used to identify suspicious network activity.

Select all that apply

tcpdump
tcpreplay
Wireshark
Metasploit

A

tcpdump
tcpreplay
Wireshark

tcpdump is a command-line packet capture utility for Linux. The utility will display captured packets until halted manually, and it can save frames to a .pcap file. This tool commonly uses filter expressions to reduce the number of frames captured, such as Type, Direction, or Protocol.
Wireshark is a graphical application that can capture all types of traffic by sniffing the network, and save that data to a .pcap file.
tcpreplay is a command-line utility for Linux that can replay data from a .pcap file, for example, to analyze traffic patterns and data.

58
Q

4

An IT technician at a London-based company is setting up a new VoIP system in the CEO’s office. The CEO has asked the technician to set up encryption for calls, and the technician informs the CEO that session-to-session encryption is implemented at the endpoints. The CEO wants not only the session encrypted but also the call data itself. Recommend a protocol that will encrypt VoIP call data.

SIPS
SRTP
SFTP
HTTPS

A

SRTP

SRTP, which stands for Secure Real-time Transport Protocol, provides encryption and authentication for RTP (Real-time Transport Protocol) data in unicast and multicast data flows. SRTP will encrypt all data sent and received by each SIP endpoint for the entire journey.

59
Q

5

Systems administrators rely on ACLs to determine access to sensitive network data. What control type do the administrators implement?

Preventative
Corrective
Detective
Deterrent

A

Preventative

Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. An ACL is an example of this control type.

60
Q

1

Companies often update their website links to redirect users to new web pages that may feature a new promotion or to transition to a new web experience. How would an attacker take advantage of these common operations to lead users to fake versions of the website?

Select all that apply

Ruin the company’s reputation with reviews.
Add redirects to .htaccess files.
Hijack the website’s domain.
Craft phishing links in email.

A

Add redirects to .htaccess files.
Craft phishing links in email.

An attacker can craft a phishing link that might appear legitimate to a naïve user, such as: https://trusted.foo/login.php?url="https://tru5ted.foo".
The .htaccess file controls high-level configuration of a website. This file runs on an Apache server and can be edited to redirect users to other URLs.

61
Q

2

A lack of which of the following measures of disorder can leave a cryptosystem vulnerable and unable to encrypt data securely?

Integrity
Longevity
Nonce
Entropy

A

Entropy

Entropy is a measure of cryptographic unpredictability. Using high-entropy sources of data provides more security than using low-entropy sources. A lack of good entropy can leave a system vulnerable.

62
Q

4

Cuckoo is a software package that provides a system configuration allowing the system to be completely isolated from its host. It provides a safe environment for potentially dangerous research, such as on malware, while recording file system and registry changes, as well as network activity. What is this type of isolated system called?

Vulnerability test
Sandbox
Exploitation framework
ARP cache

A

Sandbox

A sandbox, such as Cuckoo, is an isolated environment created to safely analyze malware and exploits. Sandboxing is an isolation technique commonly used in cybersecurity research, particularly malware research.

63
Q

2

After software testing activities have been completed, a system administrator moves the .war file to an environment that allows end users to access the application. Which environment is the completed software being deployed to?

Test
Production
Staging
Development

A

Production

A production environment is where the final product is placed. All testing and development are complete at this point.

64
Q

5

A European company that offers subscription services has recently experienced a data breach wherein private data, including personally identifiable information (PII), was compromised. What step should be taken by the company to avoid regulatory fines or lawsuits?

Identify the vulnerability that led to the breach.
Hide the occurrence of the breach.
Fix the vulnerability that led to the breach.
Notify those affected by the breach.

A

Notify those affected by the breach.

Many laws and regulations require immediate notification of all third parties affected by a breach, including the GDPR in the EU. Failing to do so could lead to fines and potential reputation damage.

65
Q

3

Mobile Android operating system (OS) encryption software might allow encryption of which of the following?

MicroSD
SMS
Passwords
RCS

A

MicroSD

Micro Secure Digital (MicroSD) is an external media device supported by many Android devices. Built-in and third-party encryption applications on the mobile OS may encrypt these types of removable storage.

66
Q

1

Which of the following represents a non-intrusive scanning type of framework?

Metasploit
An exploitation framework
Penetration testing
Vulnerability scanning

A

Vulnerability scanning

Whether they use purely passive techniques or some sort of active session or agent, vulnerability scanners represent a non-intrusive scanning type. The scanner identifies vulnerabilities from its database by analyzing things such as build and patch levels or system policies.

67
Q

4

Identify the most volatile form of memory.

Cache
Pagefile
Random Access Memory (RAM)
Hard disk

A

Cache

System cache is among the most volatile forms of data, along with the contents of the CPU itself. This data should be captured before powering a device off.

68
Q

3

Which wireless configuration provides the most up-to-date and secure way of connecting wireless devices to an office or home network?

Select all that apply

PEAP
SAE
EAP-TTLS
WPA3

A

SAE
WPA3

Wi-Fi Protected Access 3 (WPA3) is the most up-to-date wireless specification that provides security features and mechanisms that improve the weaknesses of WPA2.
Simultaneous Authentication of Equals (SAE) is a feature of WPA3. It replaces WPA’s 4-way handshake authentication and association mechanism with a protocol based on the Diffie-Hellman key agreement.

69
Q

3

Which of the following describes a device that only runs administrative protocols such as secure shell (SSH) or remote desktop protocol (RDP) to securely manage application servers in a demilitarized zone (DMZ)?

Reverse proxy server
Forward proxy server
Jump server
Hardware security module

A

Jump server

A jump server only runs the necessary administrative ports and protocols (typically SSH or RDP). Administrators connect to the jump server and then use it to connect to the admin interface of application servers in a demilitarized zone (DMZ).

70
Q

3

A private network where employees can communicate and share resources is available for authorized users only. A network perimeter provides boundary protection between it and the public internet. Which of the following does this represent?

Ad hoc
Extranet
Intranet
Guest

A

Intranet

An intranet is an internal company zone established to allow employees the ability to share content and communicate more effectively. Only authorized individuals can access the intranet.

71
Q

5

A military organization is evaluating its disaster recovery plan (DRP) to assess risk and, in particular, identify any single points of failure. Suggest an initial action for the organization’s evaluation.

Create a heat map
Renew cybersecurity insurance
Identify critical systems and mission essential functions
Assess site risk

A

Identify critical systems and mission essential functions

Identifying critical systems and mission essential functions is often the first step of the risk management process, and will reveal any potential single points of failure.

72
Q

5

In a particular workplace, all user actions are recorded and accounted for. Any time a resource is updated, archived, or a user has their clearance level changed, it must be approved by a root user. Users that leave, arrive, or change jobs (roles) must have their user accounts regularly recertified, and any account changes must be approved by an administrator. What are these measures known as?

Change control
Acceptable use policy
Job rotation
Separation of duties

A

Change control

Change control of quality management systems and information technology systems is a process used to ensure that changes to the product or system are implemented in a managed and organized manner.

73
Q

2

A large firm uses a non-persistent operating system for its remote users. This allows the employees to access company resources while teleworking. When the computers are turned off, the operating system disappears. Which of the following operating systems is the company using?

Full disk encryption
Trusted operating system
TPM
Live boot media

A

Live boot media

Live boot media is a non-persistent operating system on a compact disc or USB drive. Live boot media can be run on any computer to provide the user a complete operating system while the computer is on.

74
Q

3

Evaluate the following properties and determine which set relates to Domain Name System Security Extension (DNSSEC).

RRset, Signing key
Master key, Transport protocol
Public key, Private key
Community name, Agent

A

RRset, Signing key

DNS Security Extensions (DNSSEC) help to mitigate spoofing and poisoning attacks. When enabled, a “package” of resource records (called an RRset) is signed with a private key (the Zone Signing Key).

75
Q

4

Describe the general function of the command echo “head” when used in conjunction with a resource pointer, such as a filename or IP address.

Generates a log file
Identifies vulnerabilities
Prints a web resource header
Prints the first lines of the target

A

Prints the first lines of the target

The head command, by default, outputs the first ten lines of a file. The echo command outputs the strings passed to it as arguments; in this case, the first lines of the provided target.

76
Q

2

A company leases access to resources from a service provider as agreed upon in a service level agreement. The company pays only for what is used on a monthly basis. Which of the following computing concepts is being used?

PaaS
On-premise
Cloud computing
Community cloud

A

Cloud computing

In cloud computing, a company uses a cloud service provider to deliver computing resources. A cloud-based server utilizes virtual technology to host a company’s applications offsite.

77
Q

3

A web administrator notices a few security vulnerabilities that must be addressed on the company intranet. The portal must force a secure browsing connection, mitigate script injection, and prevent caching on shared client devices. Determine the secure options to set on the web server’s response headers.

Select all that apply

Secure Cookies
HTTP Strict Transport Security (HSTS)
Cache-Control
Content Security Policy (CSP)

A

HTTP Strict Transport Security (HSTS)
Cache-Control
Content Security Policy (CSP)

HTTP Strict Transport Security (HSTS) is a header option that forces the browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping.
Content Security Policy (CSP) is a header option that mitigates clickjacking, script injection, and other client-side attacks.
Cache-Control is a header option that sets whether the browser can cache responses. Preventing data caching protects confidential and personal information where the client device is shared by multiple users.

78
Q

1

A brute-force attack compromises a server in a company’s data center. Security experts investigate the attack type and discover which vulnerability on the server?

Default settings
Unsecure protocols
Open ports and services
Weak encryption

A

Weak encryption

Weak encryption vulnerabilities allow unauthorized access to data. An algorithm used for encryption may have known weaknesses that allow brute-force enumeration.

79
Q

3

A new administrator completed setting up an admin account on the network. The admin successfully logged on to a remote file server with the new credentials but not on a remote domain controller (DC) server. Determine the most likely cause for not being able to log in to a DC server.

Disabled account
Account permission
Access policy
Account audit

A

Access policy

Access policies determine things such as the right to log on to a computer locally or via remote desktop, install software, change the network configuration, and so on.

80
Q

2

A database export allows personally identifiable information (PII) to display in report format and on screen. This poses a potential data leakage concern. In order to protect this PII, what de-identification method should the programmer consider implementing?

Hashing
Data masking
Salting
Tokenization

A

Data masking

Data masking is a secure coding technique used to hide sensitive or private data from disclosure. All or part of the data fields are altered by substituting character strings with a random character.

81
Q

3

A company is looking into integrating on-premise services and cloud services with a cloud service provider (CSP) using an Infrastructure as a Service (IaaS) plan. As a cloud architect works on architectural design, which of the following statements would NOT apply in this case?

The company must establish separation of duties mechanisms.
The provider is responsible for the availability of the software.
The company is liable for legal and regulatory requirements for customer data.
The provider must update the firmware and security patches of physical servers.

A

The provider is responsible for the availability of the software.

In a Software as a Service (SaaS) plan, the provider is responsible for the availability of the software. The software may include an appliance with Windows Server 2016 already installed and available to use.

82
Q

3

A Local Area Network (LAN) is set up with an Authentication, Authorization, and Accounting (AAA) server. The AAA server allows remote supplicants to access the LAN through a Network Access Point (NAP). Which of the following best describes the type of remote authentication solution that is set up on the LAN?

EAP
802.1x
RADIUS
PAP

A

RADIUS

Remote Authentication Dial-in User Service (RADIUS) is made up of an Authentication, Authorization, and Accounting (AAA) server, a Network Access Control (NAC) or RADIUS client, and the supplicant. A supplicant is any device that is trying to access the local network remotely.

83
Q

4

Specify elements that a playbook should include.

Select all that apply

When to report compliance incidents
Incident categories and definitions
Backup passwords and private keys
Query strings to identify incident types

A

When to report compliance incidents
Incident categories and definitions
Query strings to identify incident types

Specific query strings and signatures make it easy to scan for and detect specific types of incidents. These strings improve response and resolution time.
How to address compliance incidents with, for example, Health Insurance Portability and Accountability Act (HIPAA) laws should be outlined. It may include a list of contacts and their information, how to contact them, and when.
Incident categories and descriptions help ensure that all management and operational staff have a shared framework for interpreting the meaning of terms, concepts, and definitions.

84
Q

4

A support technician wants to test a system’s connectivity by examining TCP and UDP ports. If the technician requires the ability to test both Linux and Windows systems, which tools qualify?

Select all that apply

nmap
netstat
netcat
pathping

A

nmap
netstat
netcat

The netstat command is useful in showing the state of TCP/UDP ports on a system. The same command is used on both Windows and Linux, though with different options for syntax.
Netcat is a simple but effective tool for testing connectivity. It is available for both Windows and Linux. Netcat can be used for port scanning and fingerprinting.
The Nmap Security Scanner is one of the most popular open-source IP scanners. Nmap can use diverse methods of host and port discovery, some of which can operate stealthily.

85
Q

2

A Department of Defense (DoD) application is migrating to the cloud using Amazon Web Services (AWS) as the cloud service provider. As part of the service level agreement (SLA) and DoD mandate, the application must remain within the United States of America. AWS offers the application East (Boston) and West (Oregon) data centers for operations and failover. Which of the following is AWS providing in accordance with the SLA and DoD mandate?

Geographical considerations
Continuity of operations
Vendor diversity
Regulatory framework

A

Geographical considerations

Amazon Web Services (AWS) is taking into account geographical considerations. The agreement mandates the system will stay within the United States.

86
Q

1

A user at a company executes a program that displays a threatening message. The message says “files on the computer will remain encrypted until bitcoin is paid to a virtual wallet.” Which of the following best describes this type of infection?

Crypto-malware
A worm
A logic bomb
A mine

A

Crypto-malware

Ransomware is a type of Trojan malware that extorts money from the victim. The computer remains locked until the user pays the ransom. Crypto-malware is ransomware that attempts to encrypt data files. The user will be unable to access the files without the private encryption key.

87
Q

2

A company runs certain applications within isolated cells according to employee job functions to minimize access to resources on the operating system. This type of virtualization is which of the following?

VPC
Container
Hypervisor
Intranet

A

Container

Containers decouple services and applications from a host operating system. Containers run within isolated cells and do not have their own kernel. They allow for continuous integration and continuous delivery.

88
Q

4

Recommend an immediate response that does not require generating new certificates in a scenario where an attacker has compromised a host on a network by spoofing digital certificates.

Remove all root certificates from host
Revoke the host’s certificate
Install a content filter
Install a data loss prevention system

A

Revoke the host’s certificate

Certificate revocation must always be performed if the associated host is compromised. The Key Compromise property of the certificate can allow it to be rekeyed to retain the same subject and expiry information.

89
Q

2

Analyze the active defense solution statements and determine which best describes the purpose of a honeyfile.

The attempts to reuse can be traced if the threat actor successfully exfiltrates it.
It is helpful in analyzing attack strategies and may provide early warnings of attacks.
Configurations are in place to route suspect traffic to a different network.
A decoy is set as a distraction to emulate a false topology and security zones.

A

The attempts to reuse can be traced if the threat actor successfully exfiltrates it.

A honeyfile is convincingly useful but actually fake data. This data can be made trackable, so that when a threat actor successfully exfiltrates it, the attempts to reuse or exploit it can be traced.

90
Q

2

A vendor ensures that each Internet of Things (IoT) device produced uses random, unique cryptographic keys in accordance with the established certificate and key management practices found in National Institute of Standards and Technology (NIST) publications. Which of the following constraints is the vendor preventing?

Reuse
Salting
Escrow
Stretching

A

Reuse

The practice of reusing a cryptographic key can make a system vulnerable to cyber attacks. The longer a key is in use, the easier it is for an attacker to compromise it. Randomly generated, unique keys provide better security.

91
Q

3

A network with two normal-working switches has several client computers connected for work and Internet access. After adding two new switches and more client computers, the new computers, as well as some of the old client computers, cannot access the network. What are most likely the cause and the solution?

Select all that apply

A loop in the network
STP
Port security
Flood guard

A

A loop in the network
STP

A switch loop on the network will cause network connections to drop, since packets cannot make the appropriate hop to the next switch on the way to their final destination. Switching loops also generate broadcast storms.
STP (Spanning Tree Protocol) is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.

92
Q

1

Customers receive a seemingly genuine email from their trusted bank, informing them that their password needs updating. However, when authenticating, an attacker captures the customers’ credentials. What kind of attack did the bank customers experience?

Phishing
SMiShing
Whaling
Vishing

A

Phishing

Phishing is a combination of social engineering and spoofing, where the attacker sets up a spoof website to imitate a trusted one. The attacker then emails users of the genuine website, informing them that their account must be updated, supplying a disguised link that leads to their spoofed site. When users authenticate with the spoofed site, their logon credentials are captured.

93
Q

2

A program office provides a mock production environment where users and test agencies can persistently test application code as it is being checked in after development. This practice ensures the product meets user acceptance testing and design goals. Which Agile product does this most likely represent?

Continuous deployment
Continuous validation
Continuous Integration
DevSecOps

A

Continuous validation

Continuous validation is the process in which a product is continually tested throughout the development lifecycle to ensure it is meeting the functional and security goals of a customer.

94
Q

4

A network tech is installing an intrusion detection system (IDS) on a corporate network. The system is intended to be a long-term monitoring solution and would ideally split or copy network signals on the physical layer to avoid frame loss. Anticipate the type of sensor the tech will install in conjunction with the IDS.

SNMP trap
SPAN (switched port analyzer)
Test access point (TAP)
Bandwidth monitor

A

Test access point (TAP)

A test access point (TAP) is a device that copies signals from the physical layer and the data link layer. Since no network or transport logic is used, every frame is received, allowing reliable packet monitoring.

95
Q

1

The local operational network consists of physical electromechanical components controlling valves, motors, and electrical switches. All devices enterprise-wide trust each other in the internal network. Which of the following attacks could overwhelm the network by targeting vulnerabilities in the headers of specific application protocols?

Man-in-the-middle attack
DDoS attack
DNS amplification attack
Malicious PowerShell attack

A

DNS amplification attack

A Domain Name System (DNS) amplification attack is an application attack that targets vulnerabilities in the headers and payloads of specific application protocols. It triggers a short request for a long response at the victim network.

96
Q

1

Which principle of social engineering can a threat actor use to get many people to act as others would?

Scarcity
Liking
Consensus
Trust

A

Consensus

The principle of consensus or social proof refers to techniques that cause many people to act just as others would without force. The attacker can use this instinct to persuade the target that to refuse a request would be odd.

97
Q

1

Security admins are evaluating Windows server vulnerabilities related to Dynamic Link Library (DLL) injections. Modern applications are running on these Windows servers. How would an attacker exploit these vulnerabilities?

Select all that apply

Navigate laterally using pass the hash.
Evade detection through refactoring.
Enable legacy mode through shimming.
Use malware with administrator privilege.

A

Evade detection through refactoring
Use malware with administrator privilege

The malware must evade detection by anti-virus to be successful. This can be done through code refactoring, which means the code performs the same function by using different methods, such as changing its signature.
Dynamic Link Library (DLL) injection is deployed with malware that is already operating on the system with local administrator or system privileges.

98
Q

4

Sometimes data is archived after it is past its usefulness for purposes of security or regulatory compliance. What is this called?

Correlation
Sensitivity
Trends
Retention

A

Retention

When policy dictates preserving data in an archive after it is no longer in active use, whether for regulatory or security purposes, this is known as a retention policy.

99
Q

3

A network administrator researched Secure Sockets Layer/Transport Layer Security (SSL/TLS) versions to determine the best solution for the network. Security is a top priority along with a strong cipher. Recommend the version to implement, which will meet the needs of the company.

SSL 2.0
SSL 3.0
TLS 1.1
TLS 1.2

A

TLS 1.2

Transport Layer Security (TLS) 1.2 added support for the strong Secure Hash Algorithm (SHA)-256 hash algorithm along with improvements to the cipher suite negotiation process and protection against known attacks.

100
Q

1

A social engineer used a phishing attack to trick users into visiting a website. Once users visit the site, a vulnerability exploit kit installs, which actively exploits vulnerabilities on the client. What type of attack did the users become a victim of?

A Man-in-the-Browser (MitB) attack
Locally Shared Objects (LSOs)
Cross-site Request Forgery (XSRF)
HTTP Response Splitting

A

A Man-in-the-Browser (MitB) attack

A MitB attack compromises the web browser by installing malicious plug-ins, scripts, or intercepting API calls. Vulnerability exploit kits installed on a website can actively try to exploit vulnerabilities in clients browsing the site.

101
Q

5

An IT company purchases a commercial off the shelf (COTS) product that allows for four developers to access and run the product against developed code for vulnerability and threat assessments. An IT audit indicates that five developers have accessed the product. Which of the following best describes what the company is in violation of?

Compliance/Licensing
Vendor diversity
Terms of agreement
Regulatory framework

A

Compliance/Licensing

Software compliance and licensing is a legally binding agreement that means only using software in accordance with the software developer’s conditions of usage.

102
Q

3

Mobile engineers are designing a phone that can support internal key-pair certificates for authentication and encryption/decryption capabilities for an internal organization or corporation. Which component may the engineers want to include in the design of this phone?

USB OTG
SEAndroid
Tethering
MicroSD HSM

A

MicroSD HSM

Micro Secure Digital (MicroSD) Hardware Security Module (HSM) is designed to store cryptographic keys, such as a key-pair certificate, in a secure manner. It requires no extra drivers or uncommon hardware components to use.

103
Q

2

A Cloud Service Provider (CSP) outsources all cybersecurity elements for the infrastructure in which an application resides to a third party due to a lack of resources. The CSP maintains responsibility for the environment and its attributes. What is this an example of?

SECaaS
MSSP
Pay as you go
Resource pooling

A

MSSP

A managed service provider (MSP)/Managed security service provider (MSSP) offers fully outsourced responsibility for information assurance to a third party.

104
Q

3

A network uses a framework for management and monitoring that uses the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES), which encrypt the contents of traps and query responses. Analyze the types of protocols available for management and monitoring, then deduce the protocol utilized.

SNMPv2c
MIB
SNMPv1
SNMPv3

A

SNMPv3

Simple Network Management Protocol (SNMP) v3 supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions.

105
Q

1

A hacker can use Microsoft Office applications as an attack vector to automatically run multiple tasks in the background using which of the following?

ARP poisoning
Bash
VBA
PowerShell

A

VBA

Microsoft Office uses the Visual Basic for Applications (VBA) language to script macros, for example in a Word document, so that multiple tasks run automatically. A malicious macro can be wired to run as soon as the document is opened, which makes Office documents a common attack vector.
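The practical defensive check that follows from this card is telling whether an Office document carries a VBA project at all. The example below is added here and is not part of the original flashcard set; it builds two constructed Office Open XML packages in memory (an OOXML file is a zip archive, and a macro-enabled Word document carries its compiled macros as word/vbaProject.bin and declares that part in [Content_Types].xml), then scans them the way a mail gateway or triage script would. The package builder, the placeholder bytes in vbaProject.bin, and the function names are assumptions made for the example.

```python
import io
import zipfile

# Constructed sample content types (not real documents or malware). A plain
# .docx declares only the document main part; a macro-enabled .docm also
# declares the vbaProject part.
CONTENT_TYPES_PLAIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

CONTENT_TYPES_MACRO = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>
</Types>"""


def build_package(macro_enabled: bool) -> bytes:
    """Build a minimal constructed OOXML package in memory (assumed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   CONTENT_TYPES_MACRO if macro_enabled else CONTENT_TYPES_PLAIN)
        z.writestr("word/document.xml", b"<w:document/>")
        if macro_enabled:
            # Placeholder bytes standing in for a compiled VBA project stream;
            # a real one is an OLE compound file that starts with D0 CF 11 E0.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
    return buf.getvalue()


def macro_indicators(package: bytes) -> list:
    """Return the indicators that a package carries VBA macros."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            # The part name is the definitive indicator; it lives under
            # word/, xl/ or ppt/ depending on the application.
            if name.lower().endswith("vbaproject.bin"):
                findings.append("vba project part: " + name)
        try:
            content_types = z.read("[Content_Types].xml")
        except KeyError:
            content_types = b""
            findings.append("missing [Content_Types].xml")
        if b"application/vnd.ms-office.vbaProject" in content_types:
            findings.append("content type declares a vbaProject part")
        if b"macroEnabled" in content_types:
            findings.append("main part declared macro-enabled")
    return findings


def has_macros(package: bytes) -> bool:
    """True when the package physically contains a VBA project part."""
    return any(f.startswith("vba project part") for f in macro_indicators(package))


def check_file(path: str) -> list:
    """Scan a file on disk; a macro project behind a .docx/.xlsx/.pptx name is itself a flag."""
    with open(path, "rb") as fh:
        package = fh.read()
    findings = macro_indicators(package)
    if findings and path.lower().endswith((".docx", ".xlsx", ".pptx")):
        findings.append("extension claims no macros but package carries them")
    return findings


if __name__ == "__main__":
    for label, pkg in (("plain", build_package(False)), ("macro", build_package(True))):
        print(label, "->", macro_indicators(pkg) or ["no macro indicators"])
```

The check stops at presence. Reading what the macro does (for example an AutoOpen or Document_Open procedure) requires decompressing the MS-OVBA source streams inside vbaProject.bin, which is what tools such as olevba do; a plain byte search of that part is not reliable.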

106
Q

1

Which team performs the offensive role in a penetration exercise?

Red team
White team
Purple team
Blue team

A

Red team

The red team performs the offensive role to try to infiltrate the target. This team is one of two competing teams in a penetration testing exercise.

107
Q

1

Multiple private data sources ingest pictures to a machine learning tool on Google Cloud Platform to find specific species of butterflies. The pictures are tagged by creator names in the company before being loaded onto the various data source locations. What type of security solution can the IT team implement to prevent tainted training data from getting to the machine learning tool?

Select all that apply

Use algorithms that use collision avoidance.
Keep ML algorithm a secret.
Use SOAR to check picture properties.
Prevent infiltration of external vendors.

A

Keep ML algorithm a secret.
Use SOAR to check picture properties.

Security orchestration, automation, and response (SOAR) runbooks can automatically check saved pictures (format, properties, creator tags) before they are ingested into the machine learning tool, preventing malicious data from reaching the training set.
Keeping the ML algorithm secret is security through obscurity: if an adversary knows the algorithm, an adversarial attack can skew image data and trick the tool into recognizing an image as something else.

108
Q

1

Which penetration technique allows a tester to bypass a network boundary and compromise servers on an internal network?

Persistence
Pivot
Cleanup
Lateral movement

A

Pivot

A pivot bypasses a network boundary and compromises servers on an internal network. A pivot is normally accomplished using remote access and tunneling protocols.

109
Q

3

Which system allows a user to authenticate once to a local device and to be authenticated to other servers or services without entering credentials again?

Password vault
OAuth
Single sign-on
OpenID Connect

A

Single sign-on

A single sign-on (SSO) system allows the user to authenticate once to a local device and be authenticated to compatible application servers without having to enter credentials again.

110
Q

4

Conclude which terms represent a core feature of the Diamond Model of Intrusion Analysis.

Select all that apply.

Victim
Eradication
Capability
Infrastructure

A

Victim
Capability
Infrastructure

Victim-A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used. It is useful to define the victim in terms of both the people or organization targeted, as well as the victim’s assets (i.e., the attack surface).
Infrastructure-The infrastructure feature describes the communication structures the adversary uses to utilize a capability.
Capability-The capability feature describes the tools and/or techniques the adversary used in the event. All of the vulnerabilities and exposures a capability can exploit, regardless of victim, make up its capacity.

111
Q

1

Which of the following is NOT a critical profiling factor when assessing the risk that any one type of threat actor poses to an organization?

Structure
Intent
Motivation
Non-repudiation

A

Non-repudiation

Non-repudiation is a term that describes a property of a secure network where a sender cannot deny having sent a message.

112
Q

3

The IT team has purchased a few devices that are compatible with the Trusted Computing Group Security Subsystem Class called Opal. Which of these device specifications will take advantage of Opal’s security features?

Automatic vendor updates
Operating system
Disk encryption
Registry settings

A

Disk encryption

The Opal security subsystem class is a set of specifications that defines a management interface for a host application to activate, provision, and manage encryption of user data on self-encrypting drives (SED).

113
Q

5

Which data governance role is responsible for ensuring compliance with legal and regulatory frameworks specifically related to processing, retention, and/or disclosure of personally identifiable information (PII)?

Data Privacy Officer (DPO)
Data Owner
Data Custodian
Data Steward

A

Data Privacy Officer (DPO)

The data privacy officer is responsible for the oversight of assets handled by the organization containing personally identifiable information (PII). The Privacy Officer maintains consistency with legislative and regulatory frameworks of the collection, disclosure, and protection of PII.

114
Q

2

An application developer uses a third-party source to send cryptographic data through multiple processors to stretch the data and ensure secure algorithms. What is the developer preventing the use of?

Rainbow table attack
Weak keys
Salting
Collision

A

Weak keys

A weak key is one with too little length or entropy for the cipher it is used with, which leaves it open to brute-force and dictionary attacks. Key stretching feeds a password or short key through many rounds of a hash or block cipher (for example PBKDF2, bcrypt, or scrypt) to produce a longer key and to make every guess an attacker tries correspondingly more expensive.
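To make the stretching concrete, the example below is added here and is not part of the original flashcard set. It contrasts a weak, unsalted single hash with PBKDF2-HMAC-SHA256 from the standard library, stores the salt and iteration count next to the derived key, verifies in constant time, and shows what a dictionary attack has to pay per guess. The function names, the default iteration count, and the sample passwords are assumptions for the example.

```python
import hashlib
import hmac
import os


def stretch_key(secret: bytes, salt: bytes, iterations: int = 600_000,
                length: int = 32, algorithm: str = "sha256") -> bytes:
    """PBKDF2-HMAC: iterate HMAC over the secret and salt to derive a key.

    Every guess an attacker makes must pay the same `iterations` HMAC
    computations, which is what turns a low-entropy secret into a key that
    is expensive to brute-force.
    """
    return hashlib.pbkdf2_hmac(algorithm, secret, salt, iterations, dklen=length)


def weak_key(secret: bytes) -> bytes:
    """Baseline without stretching: one unsalted hash. Cheap to brute-force,
    and identical secrets give identical keys, so precomputed tables apply."""
    return hashlib.sha256(secret).digest()


def enroll(secret: bytes, iterations: int = 600_000) -> dict:
    """Derive and store the verifier for a secret: random salt, cost, key."""
    salt = os.urandom(16)  # fresh per secret, so equal passwords differ on disk
    return {"salt": salt, "iterations": iterations,
            "key": stretch_key(secret, salt, iterations)}


def verify(secret: bytes, record: dict) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    candidate = stretch_key(secret, record["salt"], record["iterations"], len(record["key"]))
    return hmac.compare_digest(candidate, record["key"])


def brute_force(record: dict, candidates):
    """Dictionary attack against a stored record; each try costs a full derivation."""
    for guess in candidates:
        if verify(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample passwords, not from any real credential set.
    first = enroll(b"hunter2")
    second = enroll(b"hunter2")
    print("weak keys equal:", weak_key(b"hunter2") == weak_key(b"hunter2"))
    print("stretched keys equal:", first["key"] == second["key"])
    print("verify ok:", verify(b"hunter2", first), "bad:", verify(b"hunter3", first))
    print("dictionary hit:", brute_force(first, [b"letmein", b"password", b"hunter2"]))
```

The stored record has to carry the salt and iteration count, because verification must repeat the exact same derivation; raising the cost later means re-deriving on the user's next successful login.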

115
Q

2

Which of the following cryptographic algorithm standards is best suited for Internet of Things (IoT) devices?

Elliptic curve
Asymmetric
Lightweight
Cipher suite

A

Lightweight

Lightweight cryptography is an encryption method that provides a small footprint and/or low computational complexity for resource-constrained systems such as an Internet of Things (IoT) device.

116
Q

2

A developer implements a single sign-on (SSO) login standard using Security Assertion Markup Language (SAML) for logging users into an application to eliminate the need for username/password credentials. This implementation is part of which of the following?

SSL/TLS
API consideration
URL filtering
HTTPS

A

API consideration

An application programming interface (API) is the code that enables data transmission from one software product to another, together with the terms of that exchange. How callers are authenticated and authorized, such as SAML-based SSO in place of username/password credentials, is an API consideration.

117
Q

3

A systems admin deploys a new infrastructure for an organization. Examine the given descriptions and determine which applies to the technology used with the LDAP protocol.

Forward traffic from one node to another
Automatic method for network address allocation
Provides privilege management and authorization
Resolves names to IP addresses

A

Provides privilege management and authorization

Directory services are the principal means of providing privilege management and authorization on an enterprise network. The Lightweight Directory Access Protocol (LDAP) is a protocol used with X.500 format directories.

118
Q

3

Which of the following will reduce the risk of data exposure between containers on a cloud platform?

Select all that apply

Namespaces
Control groups
Public subnets
Secrets management

A

Namespaces
Control groups

In a container engine such as Docker, each container is isolated from others through separate namespaces. Namespaces prevent one container from reading or writing processes in another.
Control groups ensure that one container cannot overwhelm others in a DoS-type attack. Namespaces and control groups reduce the risk of data exposure between containers.

119
Q

4

What type of metadata could contain permissions in the form of an Access Control List?

Email metadata
Web metadata
Mobile phone metadata
File metadata

A

File metadata

File metadata can include when a file was created, accessed, and modified; access control lists defining who is authorized to read or modify the file; copyright information; and tags for indexing.

120
Q

3

Using Unified Extensible Firmware Interface (UEFI) to boot a server, the system must also provide secure boot capabilities. Part of the secure boot process requires a secure boot platform key or self-signed certificate. Determine which of the following an engineer can use to generate keys within the server using an available Peripheral Component Interconnect Express (PCIe) slot.

Password vault
NFC token
Hardware security module
Trusted platform module

A

Hardware security module

A hardware security module (HSM) is an appliance designed to perform centralized public key infrastructure (PKI) management, key generation, or key escrow for devices. HSM can also be implemented as a plug-in PCIe adapter card to operate within a device.

121
Q

1

An administrator goes through regular tasks every morning at the office to quickly gather health metrics of the network and associated systems. The admin connects to a Windows jump server using a secure shell (SSH) to run health scripts which outputs the data to a .xls file on a local shared folder accessible to all employees. The most recent run of the health script failed immediately without any indication of the issue. If an Information System Security Officer (ISSO) examined these morning tasks, what would be considered a weak configuration?

Select all that apply

Unsecure remote access
Unformatted error messages
Open permissions
Default settings

A

Open permissions
Default settings

Open permissions grant anyone on the network access to files and services. Although the file share is available only to internal employees, only administrators should be reviewing the gathered health information.
Default settings are usually unsecure settings that leave the environment and data open to compromise. A shared folder that provides access to everyone on the Internal network is an example of a default setting when shared folders are created.

122
Q

2

A recent change to an API exposes an exploit in a web application. Developers working on the project discover that dead code in the application had been executed as a result of which practice?

Code reuse
Normalization code
Unreachable code
Code obfuscation

A

Code reuse

Code reuse is the copying of code from one location into another. Careless or mismanaged code reuse can introduce instances of dead code.

123
Q

4

Select the type of incident response exercise that involves recreating system interfaces or using emulators to allow students to practice configuration tasks, or even practice with other trainees to mimic real-time attack scenarios.

Capture the Flag
Simulations
Walkthrough
Tabletop

A

Simulations

Simulation is an activity in which two teams replicate a scenario and play the scenario out on real hardware, with one team representing the attackers, and the other team representing the response team.

124
Q

1

An attacker evaded antivirus detection in a Linux kernel, as multiple threads attempted to write an object at the same memory location. What type of vulnerability did the attacker use?

A race condition
A pointer dereference
A buffer overflow
An integer overflow

A

A race condition

A race condition vulnerability occurs when the outcome depends on the timing of multiple threads or processes acting on shared state, for example two threads writing the same memory location, or a check performed on a file that is swapped before it is used (time-of-check to time-of-use, TOCTOU). Race conditions can be used as an antivirus evasion technique: the object that was scanned is not the one that is ultimately executed.
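The example below is added here and is not part of the original flashcard set. It shows the file-system form of the race, a check-then-act sequence on a path, next to the hardened version that does the check and the creation in a single system call. The `between_check_and_use` hook simulates the attacker winning the window; in real code there is no hook, the window is simply open. The example assumes a POSIX system where symlinks can be created, and all names in it are assumptions for the example.

```python
import os
import tempfile


def create_private_file_racy(path: str, data: bytes, between_check_and_use=None) -> None:
    """Vulnerable: existence check, then open(). Anything planted at `path`
    in between (here a symlink) is followed by the write."""
    if os.path.exists(path):
        raise FileExistsError(path)
    if between_check_and_use is not None:
        between_check_and_use()  # simulates the other party winning the race
    with open(path, "wb") as fh:  # follows a symlink planted at `path`
        fh.write(data)
    os.chmod(path, 0o600)  # second window: file was world-readable until now


def create_private_file_atomic(path: str, data: bytes, between_check_and_use=None) -> None:
    """Hardened: O_CREAT|O_EXCL creates only if nothing is at `path`,
    O_NOFOLLOW refuses a symlink, and the mode is applied at creation."""
    if between_check_and_use is not None:
        between_check_and_use()  # attacker still acts first; it no longer matters
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # raises FileExistsError if anything is there
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Run both versions against a planted symlink and report what happened."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim.conf")  # file the attacker wants overwritten
    target = os.path.join(workdir, "report.txt")   # path the privileged code writes

    def reset_victim():
        with open(victim, "wb") as fh:
            fh.write(b"original")

    def plant_symlink():
        os.symlink(victim, target)

    reset_victim()
    create_private_file_racy(target, b"attacker data", plant_symlink)
    with open(victim, "rb") as fh:
        victim_after_racy = fh.read()

    os.unlink(target)
    reset_victim()
    try:
        create_private_file_atomic(target, b"attacker data", plant_symlink)
        atomic_refused = False
    except FileExistsError:
        atomic_refused = True
    with open(victim, "rb") as fh:
        victim_after_atomic = fh.read()

    return {"victim_after_racy": victim_after_racy,
            "atomic_refused": atomic_refused,
            "victim_after_atomic": victim_after_atomic}


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to the scanner case on the card: a scanner that reads a file by path and then lets a separate step execute it by path has the same window, and the fix is likewise to operate on one already-open descriptor rather than re-resolving the path.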

125
Q

3

A cloud customer prefers separating storage resources that hold different sets of data in virtual private clouds (VPCs). One of those data sets must comply with the Health Insurance Portability and Accountability Act (HIPAA) guidelines for patient data. How should the customer configure these VPCs to ensure the highest degree of network security?

Split segments between VPCs.
Monitor the virtual instance usage.
Use third-party next generation firewall.
Create multiple security groups.

A

Split segments between VPCs.

Network segmentation can assist with separating workloads for performance and load balancing, keeping data processing within an isolated segment for compliance with laws and regulations and compartmentalizing data access and processing for different departments or functional requirements.

126
Q

3

What identifies the physical location of a device?

Geolocation
Geofencing
Content Management
Rooting

A

Geolocation

Geolocation is the use of network attributes to identify (or estimate) the physical position of a device.

127
Q

4

Define steganography

Concealing messages or information within other data
Building a plan for dealing with incidents
Using a list of approved applications for security purposes
A method of containing malware

A

Concealing messages or information within other data

Steganography obscures data by embedding it in another format. Messages can be covertly inserted into unused fields of TCP packet headers, into images by modifying specific pixels, or into audio files; it is even possible to embed images or other data inside audio.
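The pixel-modification technique on this card is least-significant-bit (LSB) embedding. The example below is added here and is not part of the original flashcard set: it hides a message one bit per sample in a constructed buffer standing in for raw 8-bit pixel or audio samples, recovers it, and measures how little each sample changes, which is why the carrier looks unaltered. It also includes the simplest steganalysis measurement, the share of set LSBs. The buffer, message, and function names are assumptions for the example.

```python
import random

HEADER_BYTES = 4  # length prefix so the extractor knows where the message ends


def make_cover(n: int, seed: int = 1) -> bytes:
    """Constructed stand-in for raw 8-bit samples (not a real image)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def capacity(cover: bytes) -> int:
    """Bytes of message that fit when one bit is hidden per cover byte."""
    return len(cover) // 8 - HEADER_BYTES


def embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the least significant bit of successive cover bytes."""
    if len(message) > capacity(cover):
        raise ValueError("message does not fit in cover")
    payload = len(message).to_bytes(HEADER_BYTES, "big") + message
    out = bytearray(cover)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):       # most significant bit first
            bit = (byte >> shift) & 1
            out[i] = (out[i] & 0xFE) | bit   # clear the LSB, set it to our bit
            i += 1
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Reassemble the hidden bytes from the least significant bits."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + k] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, HEADER_BYTES), "big")
    return read_bytes(HEADER_BYTES * 8, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_ones_ratio(data: bytes) -> float:
    """Share of set LSBs. Natural sample noise sits near 0.5; embedded
    ASCII text skews the LSB plane, which is what basic steganalysis
    measures."""
    return sum(b & 1 for b in data) / len(data)


if __name__ == "__main__":
    cover = make_cover(4096)
    stego = embed(cover, b"meet at 0300")
    print("recovered:", extract(stego))
    print("max sample change:", max_sample_change(cover, stego))
    print("lsb ratio cover/stego:", lsb_ones_ratio(cover), lsb_ones_ratio(stego))
```

The payload here is plaintext; in practice the hidden message is encrypted first, so that even a successful extraction yields nothing readable, and the length header is what makes extraction deterministic without out-of-band agreement.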

128
Q

3

A basic installation of a web server will require which of the following to allow unauthenticated access?

User account
Guest account
Service account
Shared account

A

Guest account

A guest account is a special type of shared account with no password. It allows anonymous and unauthenticated access to a resource. Guest accounts are created when installing web services, as most web servers allow unauthenticated access.

129
Q

2

An application processes and transmits sensitive data containing personally identifiable information (PII). The development team uses secure coding techniques such as encryption, obfuscation, and code signing. Which of the following is the development team concerned with?

Public data
Data exposure
Data execution
Data exfiltration

A

Data exposure

Sensitive data should be protected to prevent data exposure. Secure coding techniques such as encryption, code obfuscation, and signing can prevent data from being exposed and modified.

130
Q

2

A team lead oversees onboarding new system administrators in an IT company. Part of the process is explaining the complex IT infrastructure. Which of the following configuration management strategies would BEST help the team lead explain the infrastructure?

Diagrams
Master Image
Baseline configuration
Change management

A

Diagrams

The use of diagrams provides a visual representation of complex relationships between network topologies, workflows, internet protocols, and architecture within a system. Diagrams must be updated as system components change. Baseline configurations are documented and agreed-upon sets of specifications for information systems.

131
Q

2

Which of the following are common constraints of embedded systems?

Select all that apply

Network range
Cryptography capability
Reliability
Compute power

A

Network range
Cryptography capability
Compute power

Compute power is a common constraint: embedded systems are small and lack the processing capability of a standard computer.
Cryptography capability is constrained for the same reason. With little compute capacity and memory, an embedded system often cannot run the ciphers, key lengths, and certificate handling used on a standard network, which is why lightweight cryptography exists.
Limited size and power also restrict network connectivity. Low-power embedded devices often rely on short-range or low-bandwidth links rather than a full Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which limits their network range.

132
Q

3

Consider conditional access to a system and determine which options fit the criteria.

Select all that apply

User Account Control (UAC)
Non-discretionary system
Sudo restrictions
Difficult to enforce

A

User Account Control (UAC)
Sudo restrictions

Conditional access is an example of rule-based access control where policies are determined by system-enforced rules. The User Account Control (UAC) is an example of conditional access.
A conditional access system monitors account or device behavior throughout a session. An example is sudo restrictions on privileged accounts.

133
Q

2

An application user is contacted after an attempt to login to a company application to verify activity. Which form of two-factor authentication is this?

Phone call
SMS
Push notification
Voice recognition

A

Phone call

A phone call is a form of two-factor authentication (2FA). An automated service dials the registered number on file to confirm authentication of a user.

134
Q

1

Which attack vector makes it possible for a threat actor to compromise a whole platform with just one account?

E-mail
Social Media
Cloud
Supply chain

A

Cloud

On a cloud platform, an attacker only needs to find one account, service, or host with weak credentials to gain access. The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems.

135
Q

1

A company purchased a few rack servers from a different vendor to try with their internal cluster. After a few months of integration failures, the company opted to remain with their previous vendor and to upgrade their other rack servers. The current commercial software will be migrated to the new rack servers. What may have caused the company to remain with their previous vendor for new rack servers?

Select all that apply

Disks are self-encrypting.
Servers are incompatible.
Vendor lacks expertise.
The code is unsecure.

A

Servers are incompatible.
Vendor lacks expertise.

Devices or software that are incompatible with other devices or software make them difficult to manage. Companies often seek compatibility factors to ensure full integration with existing assets.
A vendor that lacks expertise is also unable to support deployment and other activities required for using a rack server in the environment. Customer experience is vital to future purchases.

136
Q

1

An attacker came within close proximity of a victim and sent the mobile device user spam of an unsolicited text message. Once the user clicked the link in the message, Trojan malware infected the user’s device. What type of attack did the hacker most likely infect the mobile user with?

Bluesnarfing
Bluejacking
WiPhishing
Skimming

A

Bluejacking

A Bluetooth-discoverable device is vulnerable to bluejacking, similar to spam, where someone sends an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for Trojan malware.

137
Q

3

The 802.1x framework establishes several ways for devices and users to be securely authenticated before they are permitted access to LAN (Local Area Network) or WLAN (Wireless LAN). Identify the actual authentication mechanism established.

AES
RSA
WPA
EAP

A

EAP

802.1x, which is the Port-based Network Access Control framework, establishes several ways for devices and users to be securely authenticated before they are permitted full network access. EAP or extensible authentication protocol is the actual authentication mechanism.

138
Q

3

Server B requests a secure record exchange from Server A. Server A returns a package along with a public key that verifies the signature. What does this scenario demonstrate?

DNS Server Cache Poisoning
DNS Spoofing
DNS Security Extensions
Dynamic Host Configuration Protocol

A

DNS Security Extensions

Domain Name System Security Extensions (DNSSEC) helps to mitigate against spoofing and poisoning attacks. The authoritative server for the zone creates a package of resource records, called an RRset, signed with a private key known as the zone signing key.

139
Q

1

Which of the following is NOT an example of improper or weak application patch management.

Application design flaw
Unmanaged assets
Performance degradation
No documentation

A

Application design flaw

An application design flaw is a vulnerability in the software. It can cause the security system to be circumvented or will cause the application to crash. For this reason, proper patch management processes are required to ensure service availability of the application.

140
Q

1

A threat actor is using which of the following techniques to circumvent the usual authentication method to a remote host?

Keylogger
Rootkit
Backdoor
Logic bomb

A

Backdoor

A backdoor is any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control.

141
Q

3

Users are only allowed to work in the office. Account policies must provide login security measures. So, users are only working during normal business hours. Identify the policy that establishes the maximum amount of time an account may be logged in for at the workplace?

Time of day policy
Location-based policy
Time-based login policy
Impossible travel policy

A

Time-based login policy

A time-based login policy establishes the maximum amount of time an account may be logged in for; once the limit is reached the session is ended and the user must authenticate again. A time-of-day policy, by contrast, restricts the hours during which a login is permitted at all.

142
Q

1

Which attack types are client-side attacks that are impacted by malicious code?

Select all that apply

Directory traversal
Cross-site scripting
Integer overflow
Session replay

A

Session replay
Cross-site scripting (XSS)

Session replay is a client-side attack; client-side attacks act against the user's browser and the session it holds rather than against the server.
A cross-site scripting (XSS) attack exploits the fact that the browser is likely to trust scripts that appear to come from a site the user has chosen to visit.

143
Q

2

A security administrator notices port scanning from an unknown entity on the company infrastructure. The administrator sets up a router to provide erroneous information to be provided in return to protect the system from breach or attack. What is the router providing in response to the scan?

DNS sinkhole
Honeyfile
HIDS
Fake telemetry

A

Fake telemetry

Fake telemetry is false, but realistic, data used to trick an attacker into believing it is legitimate information.

144
Q

3

What protocol alters public IP addresses to private IP addresses and vice versa, in an attempt to protect internal computers from the Internet?

URL Filter
Proxy
NAT
Firewall

A

NAT

Network Address Translation (NAT) maps private IP addresses to public ones and vice versa. By performing NAT on the firewall, a company hides its internal addressing from the public internet. NAT on its own is not an access control, though; the firewall rule set is still what decides which traffic is allowed through.

145
Q

5

During a risk assessment, a company indicates the value of employee laptops to be $1,500.00 apiece. What should the company define to come up with the annual loss expectancy in a quantitative risk assessment?

ALE
ARO
RPO
RTO

A

ARO

The annualized rate of occurrence (ARO) indicates how many times a loss is expected to occur within a year. The ARO is multiplied by the single loss expectancy (SLE), derived from the $1,500 asset value, to give the annual loss expectancy (ALE = SLE x ARO).