CompTia practice questions Flashcards

Question 1

Q

An attacker sends a targeted email with a malicious attachment to a user in
your company. This attacker researched public information about the user to
send a “more personal” and targeted email to the user. Which of the following
is this type of attack?
a. Spear phishing
b. Typo squatting
c. Pharming
d. None of these answers are correct.

Answer

A

A. Spear phishing is one of the most common social engineering attacks
where the attacker searches for public information about the victim to
send a targeted email to steal information. Typo squatting (or typosquatting) is a technique used by adversaries that leverages human error when
typing a URL in their web browser. Pharming is the term used to describe
a threat actor redirecting a victim from a valid website or resource to
a malicious one that could be made to appear as a valid site to the user.
From there, an attempt is made to extract confidential information from
the user or to install malware in the victim’s system.

Question 2

Q

2. Which of the following is an example of a tool that can be used specifically to
perform social engineering attacks?
a. Maltego
b. SET
c. The Harvester
d. Recon-NG

Answer

A

B. The Social Engineering Toolkit (SET) is an example of a tool that can
be used specifically to perform social engineering attacks.

Question 3

Q

Which of the following best describes the difference between smishing and
vishing?
a. Vishing is a social engineering attack in which the attacker calls the user
over the phone and then persuades the user to reveal sensitive information or perform a given action. Smishing is a type of phishing campaign
using SMS text messages instead of email.
b. Vishing is a social engineering attack in which the attacker leaves a
voicemail and then persuades the user to reveal sensitive information or
perform a given action. Smishing is a type of typo squatting and pharming campaign using Bluetooth.
c. Vishing is a social engineering attack in which the attacker leaves a
voicemail and then persuades the user to reveal sensitive information or
perform a given action. Smishing is a type of typo squatting and pharming campaign using short Internet messaging systems.
d. None of these answers are correct.

Answer

A

A. Vishing is social engineering attack in which the attacker calls the user
over the phone and then persuades the user to reveal sensitive information
or perform a given action. Smishing is a type of phishing campaign using
SMS text messages instead of email.

Question 4

Q

A(n) ______ is a small space that can usually only fit one person, used to combat tailgating.
a. tunnel-gap
b. tunnel-trap
c. piggyback
d. access control vestibule

Answer

A

D. An access control vestibule is a small space that can usually fit only one
person, used to combat tailgating. Tunnel-gap or tunnel-traps are not correct social engineering terms. Piggyback is the act of following someone
while opening a door to enter a building or a room.

Question 5

Q

Which of the following best describes pretexting?

a. Impersonation
b. Social engineering
c. Whaling
d. Pharming

Answer

A

A. Pretexting is the act of impersonating someone else.

Question 6

Q

Which of the following refers to the act of incorporating malicious ads on
trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware?
a. Malvertising
b. Pharming
c. Active ad exploitation
d. Whaling

Answer

A

B. Pharming is a social engineering technique where an attacker incorporates malicious ads on trusted websites, which results in users’ browsers
being inadvertently redirected to sites hosting malware.

Question 7

Q

Which of the following is true about spear phishing?
a. Spear phishing attacks use the Windows Administrative Center.
b. Spear phishing attacks are phishing attempts that are constructed
in a very specific way and directly targeted to specific individuals or
companies.
c. Spear phishing, whaling, and phishing are the same type of attack.
d. Spear phishing attacks use the Windows PowerShell.

Answer

A

B. Spear phishing is phishing attempts that are constructed in a very specific way and directly targeted to specific individuals or companies.

Question 8

Q

Derek is the CEO of a Fortune 500 company. He received an email with a
malicious attachment. Once Derek clicked on the attachment, malware was
installed on his system. Which of the following best describes this attack?
a. Smishing
b. Vishing
c. Whaling
d. Pretexting

Answer

A

C. Whaling is a social engineering attack similar to phishing and spear phishing. However, in whaling attacks the attacker targets executives and key personnel of an organization (aka the “big fish”).

Question 9

Q

Which of the following is true about social engineering motivation
techniques?
a. Social proof can be used to create a feeling of urgency in a decisionmaking context. It is possible to use specific language in an interaction to
present a sense of urgency and manipulate the victim.
b. Scarcity can be used to create a feeling of urgency in a decision-making
context. It is possible to use specific language in an interaction to present
a sense of urgency and manipulate the victim.
c. Scarcity cannot be used to create a feeling of urgency in a decisionmaking context. It is possible to use specific language in an interaction to
present a sense of urgency and manipulate your victim.
d. Social proof cannot be used in an interrogation because it is illegal. It is
not legal to use specific language in an interaction to present a sense of
urgency and manipulate your victim.

Answer

A

B. Attackers use the social engineering scarcity technique to create a feeling of
urgency in a decision-making context. It is possible to use specific language in
an interaction to present a sense of urgency and manipulate the victim.

Question 10

Q

Which of the following recommendations can be used in user security
awareness education?
a. Adhere to the organization’s clean desk policy, which states that all documents, electronics, personally owned devices, and other items be put
away (or locked away) when the user is not at his or her desk, or other
work area.
b. Always screen your email and phone calls carefully and keep a log of
events. This is also known as communications vetting.
c. Use encryption when possible to protect emails, phone calls, and data.
d. All of these answers are correct.

Answer

A

D. All of the available answers can be used as recommendations for user security awareness training and education.

Question 11

Q

You logged in to your laptop and noticed a message saying that all your files
have been encrypted and to recover them you need to pay $1,000 in Bitcoins.
What has your system been infected with?
a. Ransomware
b. Worm
c. Keylogger
d. None of these answers are correct.

Answer

A

A. Ransomware is a type of malware that restricts access to a computer system and demands that a ransom be paid. It informs the user that in order to
decrypt the files or unlock the computer to regain access to the files, a payment would have to be made to one of several banking services (typically
crypto currencies like Bitcoin).

Question 12

Q

What type of malware can look like legitimate software but then performs
negative actions to manipulate your system?
a. Trojan
b. Ransomware
c. Worm
d. None of these answers are correct

Answer

A

A. Trojans appear to perform desirable functions but are actually performing
malicious functions behind the scenes.

Question 13

Q

Which malware type can allow an attacker to gain administrator privileges?

a. Keylogger
b. Rootkit
c. Ransomware
d. All of these answers are correct.

Answer

A

B. Rootkit is a type of malware designed to gain administrator-level control
over a computer system without being detected.

Question 14

Q

What type of malware does not reside on the hard drive of a computer?

a. Ransomware
b. Botnets
c. Fileless malware
d. None of these answers are correct.

Answer

A

C. Fileless malware works differently from traditional malware that puts malicious executables within the file system; instead, it works in a memory-based
environment.

Question 15

Q

Bots in a botnet typically receive instructions from which of the following?

a. A command-and-control (C2) server
b. A zombie system
c. A malvertising site
d. All of these answers are correct.

Answer

A

A. A group of compromised computers (bots), known as a botnet, is typically
controlled by a command-and-control (C2) server/system.

Question 16

Q

An attacker using John the Ripper, which uses a wordlist, is an example of
which of the following?
a. Social engineering attack
b. Dictionary password attack
c. Buffer overflow attack
d. Cross-site request forgery attack

Answer

A

B. A dictionary password attack pulls words from the dictionary or word lists
to attempt to discover a user’s password. A dictionary attack uses a predefined
dictionary to look for a match between the encrypted password and the
encrypted dictionary word

Question 17

Q

An attacker using a large number of usernames with a few commonly used
passwords is considered what kind of attack?
a. Password spraying
b. Credential harvesting
c. Password cracking
d. None of these answers are correct

Answer

A

A. In password spraying an attacker attempts to compromise a system using a
large number of usernames with a few commonly used passwords.

Question 18

Q

What type of attack occurs when an attacker captures credit card information
or information from other similar cards (gift cards, loyalty cards, identification
cards, and so on)?
a. Skimming
b. Shimming
c. SIM cloning
d. None of these answers are correct

Answer

A

A. Skimming is a type of attack in which an attacker captures credit card
information or information from other similar cards (gift cards, loyalty cards,
identification cards, and so on) from a cardholder surreptitiously. Attackers use
a device called a skimmer that can be installed at strategic locations such as
ATMs and gas pumps to collect card data.

Question 19

Q

Which of the following techniques are used to attack machine learning (ML)
implementations?
a. Tainting of data to cause errors in the outcome of the ML solution
b. Overfitting attacks
c. ML transfer attacks
d. All of these answers are correct.

Answer

A

D. Tainting, overfitting, and transfer attacks are types of adversarial techniques
against machine learning (ML) implementations.

Question 20

Q

You purchased a brand-new Internet of Things (IoT) device and noticed that
it started collecting personal information (PI) and attempted to send your data
by communicating with random IP addresses. You noticed that an implant
could have been installed during the manufacturing of the product. What type
of attack might this be?
a. Supply-chain attack
b. Cross-site scripting
c. Return to libc attack
d. Masquerading attack

Answer

A

A. A supply-chain attack occurs when attackers target security weaknesses in
the supply network and install malicious software or hardware implants to perform different nefarious activities.

Question 21

Q

Which of the following attacks are made against cloud implementations?

a. API attacks
b. DNS attacks
c. VM escape attacks
d. All of these answers are correct.

Answer

A

D. Attackers can perform virtual machine (VM) escape, API, and DNS attacks
to compromise cloud-hosted applications and services.

Question 22

Q

An attacker attempts to force an application to roll back the version of TLS
(from TLS version 1.3 to 1.0). What is the name of this type of attack?
a. Privilege escalation
b. Downgrade attack
c. Cracking
d. Fuzzing

Answer

A

B. A downgrade attack is a type of cryptographic attack that forces the rollback
of a strong algorithm in favor of an older, lower-quality algorithm or mode of
operation.

Question 23

Q

What type of privilege escalation attack occurs when a user accesses functions
or content reserved for other normal users—for example, if one user reads
another’s email?
a. Horizontal
b. Vertical
c. Sudo abuse
d. None of these answers are correct.

Answer

A

A. The two types of privilege escalation attacks are vertical and horizontal. A
horizontal privilege escalation attack occurs when a user accesses functions or
content reserved for other users. Vertical privilege escalation occurs when a
lower-privileged user accesses functions reserved for higher-privileged users—
for example, if a standard user can access functions of an administrator. This
is also known as privilege elevation and is the most common description. To
protect against this type of situation, you should update the network device
firmware. In the case of an operating system, it should again be updated, and
use of some type of access control system is also advisable—for example, User
Account Control (UAC).

Question 24

Q

Which vulnerability can lead to stealing of cookies or redirecting users to
malicious sites and where the malicious code or script is permanently stored
on a vulnerable system?
a. DOM-based XSS
b. Stored XSS
c. Reflected XSS
d. All of these answers are correct.

Answer

A

B. Stored, or persistent, XSS attacks occur when the malicious code or script
is permanently stored on a vulnerable or malicious server, using a database.
These attacks are typically carried out on websites hosting blog posts (comment forms), web forums, and other permanent storage methods. An example
of a stored XSS attack is a user requesting the stored information from the
vulnerable or malicious server, which causes the injection of the requested
malicious script into the victim’s browser. In this type of attack, the vulnerable
server is usually a known or trusted site.

Question 25

Q

Which type of injection attack occurs when code is run within the address
space of another process, forcing it to load another library?
a. DLL injection
b. LDAP injection
c. SQL injection
d. None of these answers are correct.

Answer

A

A. DLL injection occurs when code is run within the address space of another
process by forcing it to load a dynamic link library (DLL). Ultimately, this
type of attack can influence the behavior of a program that was not originally
intended. This attack can be uncovered through penetration testing.

Question 26

Q

Which condition occurs when a program dereferences a pointer that it expects to
be valid but is null, which can cause the application to exit or the system to crash?
a. Address space layout randomization
b. Tunnel-trap
c. Format string
d. Null pointer dereferences

Answer

A

D. A null pointer dereference occurs when a program dereferences a pointer
that it expects to be valid but is null, which can cause the application to exit
or the system to crash. From a programmatical standpoint, the main way to
prevent this situation is to use meticulous coding. Programmers can use special memory error analysis tools to enable error detection for a null pointer
dereference.

Question 27

Q

Which type of attack occurs when an attacker tries to escape the web root
folder and access arbitrary files by using ../../ in an URL?
a. Directory traversal
b. Path traversal
c. Dot-dot-slash
d. All of these answers are correct.

Answer

A

D. Directory traversal, path traversal, and the ../ (“dot-dot-slash”) attack are
methods of accessing unauthorized parent (or worse, root) directories. They
are often used on web servers that have PHP files and are Linux or UNIXbased but can also be perpetrated on Microsoft operating systems (in which
case, it would be ..\ or the “dot-dot-backslash” attack).

Question 28

Q

What occurs when arithmetic operations attempt to create a numeric value
that is too big for the available memory space?
a. Stack overruns
b. Integer overflows
c. Format strings
d. Heap underruns

Answer

A

B. A dictionary password attack pulls words from the dictionary or word lists
to attempt to discover a user’s password. A dictionary attack uses a predefined
dictionary to look for a match between the encrypted password and the
encrypted dictionary word.

Question 29

Q

Race conditions are also known as ________ attacks.

a. Heap overflows
b. Time-of-check (TOC) or time-of-use (TOU)
c. Stack overflows
d. Buffer overflows

Answer

A

B. Race conditions are also known as time-of-check (TOC) or time-of-use
(TOU) attacks.

Question 30

Q

_______________code should be checked thoroughly so that a malicious user
can’t find out any additional information about the system.
a. Regression
b. Patched
c. Error exception handling
d. Remote code execution

Answer

A

C. Error handling or error exception handling code should be checked thoroughly so that a malicious user can’t find out any additional information about
the system. These error handling methods are sometimes referred to technically as pseudocodes.

Question 31

Q

Input validation vulnerabilities can be found by using which of the following
techniques?
a. A python debugger
b. Fuzzing
c. Heap flags
d. All of these answers are correct.

Answer

A

B. A fuzzer is a program that can send crafted messages to a vulnerable application or system to find input validation vulnerabilities.

Question 32

Q

Which type of attack occurs when an attacker might use a packet sniffer to
intercept data and retransmit it later?
a. Overflow
b. DLL injection
c. XSS
d. Replay

Answer

A

D. A replay attack is a network attack in which a valid data transmission is
maliciously or fraudulently repeated or delayed. It differs from session hijacking in that the original session is simply intercepted and analyzed for later use.
In a replay attack, an attacker might use a packet sniffer to intercept data and
retransmit it later. In this way, the attacker can impersonate the entity that
originally sent the data.

Question 33

Q

A web session ID is typically represented in a cookie. Which type of attack
occurs when an attacker could steal a valid user’s session ID and reuse it to
perform malicious transactions?
a. Session replay
b. Session fuzzing
c. SQL injection
d. All of these answers are correct.

Answer

A

A. Session replay attacks occur when an attacker steals a user’s valid session ID
and reuses that ID to perform malicious transactions and activities with a web
application.

Question 34

Q

__________ attacks leverage the trust that the application has in the targeted
user. For example, the attacker could inherit the privileges of the user to perform an undesired action, such as stealing sensitive information, creating users,
or downloading malware.
a. XSS
b. SQLi
c. XML injection
d. XSRF

Answer

A

D. Cross-site request forgery (XSRF) attacks leverage the trust that the application has in the targeted user. For example, the attacker could inherit the
privileges of the user to perform an undesired action, such as stealing sensitive
information, creating users, or downloading malware.

Question 35

Q

Which of the following are general best practices to protect APIs?
a. Secure API services to provide only HTTPS endpoints with a strong
version of TLS.
b. Validate parameters in the application and sanitize incoming data from
API clients.
c. Explicitly scan for common attack signatures; injection attacks often
betray themselves by following common patterns.
d. All of these answers are correct.

Answer

A

D. All of the available answers are best practices to help protect application
programming interfaces (APIs).

Question 36

Q

Which of the following is a type of denial-of-service (DoS) attack?

a. C2
b. Botnet
c. Resource exhaustion
d. None of these answers are correct.

Answer

A

C. Resource exhaustion is an attack against availability that is designed to
bring the network, or access to a particular TCP/IP host/server, to its knees
by flooding it with useless traffic. Resource exhaustion attacks are a form of
denial-of-service (DoS) attacks. They can also leverage software vulnerabilities
such as memory leaks and file descriptor leaks.

Question 37

Q

Which of the following attacks can reduce the performance of a computer,
especially in systems with shared memory or limited memory?
a. Heap underrun
b. Format string
c. XSS
d. Memory leak

Answer

A

D. A memory leak is a type of resource leak caused when a program does not
release memory properly. The lack of freed-up memory can reduce the performance of a computer, especially in systems with shared memory or limited
memory. A kernel-level leak can lead to serious system stability issues. The
memory leak might happen on its own due to poor programming, or it could
be that code resides in the application that is vulnerable and is later exploited
by an attacker who sends specific packets to the system over the network.

Question 38

Q

Which of the following is a common way to launch an SSL strip attack?

a. Creating a rogue wireless access point (hotspot)
b. Launching Metasploit
c. Fuzzing an application
d. Leveraging a memory leak

Answer

A

A. An attacker can launch an SSL strip attack in different ways. One of the
most common ways is to create a wireless hotspot and lure the victims to connect to it.

Question 39

Q

Which of the following is a driver manipulation attack where an attacker adds
a small library that intercepts API calls?
a. Kernel module attack
b. Request forgery
c. Refactoring
d. Shimming

Answer

A

D. Attackers can potentially modify drivers through the use of driver shimming (the adding of a small library that intercepts API calls) and driver refactoring (the restructuring of driver code).

Question 40

Q

Pass the hash are attacks usually performed in which of the following operating systems?

a. Apple iOS
b. macOS
c. Linux
d. Windows

Answer

A

D. Pass the hash attacks leverage deficiencies in Windows NTLM
implementations.

Question 41

Q

Which of the following is a type of related-key attack, which occurs when an
attacker observes the operation of a cipher using several different keys and
finds a mathematical relationship between those keys, allowing the attacker to
ultimately decipher data?
a. IV attack
b. Evil twin
c. WPA attack
d. None of these answers are correct.

Answer

A

A. An initialization vector (IV) attack is a type of related-key attack, which
occurs when an attacker observes the operation of a cipher using several different keys and finds a mathematical relationship between those keys, allowing
the attacker to ultimately decipher data.

Question 42

Q

Which of the following can be used to perform an on-path attack?

a. SQL injection
b. ARP cache poisoning
c. Buffer overflow
d. All of these answers are correct

Answer

A

B. ARP cache poisoning (also known as ARP spoofing) is an example of an
attack that leads to a man-in-the-middle scenario. An ARP spoofing attack can
target hosts, switches, and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting
traffic intended for other hosts on the subnet.

Question 43

Q

Which of the following describes when an attacker must first infect the
victim’s computer with a Trojan or a malicious browser extension or plug-in
to intercept transactions from a web browser?
a. On-path attack
b. LDAP injection
c. SQL injection
d. Keylogger injection

Answer

A

A. With an on-path attack, the attacker must first infect the victim’s computer
with a Trojan. The attacker usually gets the malware onto the victim’s computer through some form of trickery or deceit.

Question 44

Q

Which of the following describes when an attacker must first infect the
victim’s computer with a Trojan or a malicious browser extension or plug-in
to intercept transactions from a web browser?
a. On-path attack
b. LDAP injection
c. SQL injection
d. Keylogger injection

Answer

A

A. With an on-path attack, the attacker must first infect the victim’s computer
with a Trojan. The attacker usually gets the malware onto the victim’s computer through some form of trickery or deceit.

Question 45

Q

Which of the following attacks occurs when the threat actor sends numerous
unknown MAC addresses to a network switch to cause a DoS condition or to
sniff network connections over a switched network while disrupting network
performance?
a. CAM memory leak attack
b. MITM
c. ARP cache poisoning
d. MAC flooding attacks

Answer

A

D. Attackers launch MAC flooding attacks by sending numerous unknown
MAC addresses to a network switch to cause a DoS condition. In addition,when the Layer 2 forwarding table limit is exceeded, packets are flooded
to all ports in a virtual LAN (VLAN). This, in turn, enables the attacker to
sniff network connections over a switched network while disrupting network
performance.

Question 46

Q

Which of the following attacks occurs when the attacker changes the
registration of a domain name without the permission of the original owner/
registrant?
a. Directory traversal
b. Path traversal
c. Dot-dot-slash
d. Domain hijacking

Answer

A

D. Domain hijacking is a type of hijacking attack in which the attacker changes
the registration of a domain name without the permission of the original
owner/registrant. One of the most common methods to perform a domain
hijacking is using social engineering.

Question 47

Q

Which of the following protocols has been used for amplification attacks?

a. IPX
b. DNS
c. NetFlow
d. None of these answers are correct.

Answer

A

B. One specific type of DDoS attack is the DNS amplification attack. Amplification attacks generate a high volume of packets ultimately intended to flood a
target website.

Question 48

Q

Which of the following has been used by attackers to create malicious macros
in applications such as Excel or Word?
a. Keyloggers
b. VBA
c. DNS
d. NTP

Answer

A

B. Visual Basic for Applications (VBA) is an event-driven programming capability in Microsoft operating systems and applications. Attackers have used
VBA to create malicious macros in applications such as Excel or Word.

Question 49

Q

Which of the following threat actors typically aims to cause denial-of-service
conditions or deface websites due to a political or social belief?
a. Hacktivists
b. Semi-authorized hackers
c. Script kiddies
d. Nation state actors

Answer

A

A. The name hacktivist is often applied to different kinds of activities—from
hacking for social change, to hacking to promote political agendas, to fullblown cyberterrorism. Due to the ambiguity of the term, a hacktivist could be
inside a company or attack from the outside and will have varying amounts of
resources and funding. However, a hacktivist is usually far more competent
than a script kiddie.

Question 50

Q

Which of the following threat actors is typically motivated by money? (Choose
the best answer.)
a. Authorized hackers
b. Criminal syndicates and organized crime
c. Exploit groups
d. None of these answers are correct.

Answer

A

B. Cybercriminals might work on their own, or they might be part of criminal
syndicates and organized crime—a centralized enterprise run by people motivated mainly by money.

Question 51

Q

Which of the following attributes make threat actors different?

a. Level of sophistication
b. Resources
c. Funding
d. All of these answers are correct.

Answer

A

D. The level of sophistication/capability, resources, and funding are all attributes of threat actors that put them into different categories (that is, statesponsored actors, script kiddies, hacktivists, criminals).

Question 52

Q

Which incident response concept is designed to represent a cybersecurity incident and is made up of four parts?

a. FIRST
b. InfraGard
c. Diamond Model of Intrusion
d. All of these answers are correct.

Answer

A

C. The Diamond Model is designed to represent a cybersecurity incident
and is made up of four parts. Active intrusions start with an adversary who
targets a victim. The adversary will use various capabilities along some form
of infrastructure to launch an attack against the victim. Capabilities can be
various forms of tools, techniques, and procedures, while the infrastructure
is what connects the adversary and victim. The lines connecting each part of
the model depict a mapping of how one point reached another. This mapping helps you understand the motives, intent, sophistication, capabilities, and
resources that a threat actor may have.

Question 53

Q

Which of the following is an effective attack vector where an attacker could
modify or tamper hardware or software from a vendor to perform mass
compromise attacks?
a. Supply chain
b. Removable media
c. Wireless
d. Direct access

Answer

A

A. One of the most effective attacks for mass compromise is to attack the supply
chain of a vendor to tamper with hardware and/or software. This tampering might
occur in-house or earlier, while in transit through the manufacturing supply chain.

Question 54

Q

Which of the following elements could an attacker leverage to perform a
cloud-based attack?
a. Misconfigured VMs
b. Unpatched applications and operating systems
c. Misconfigured storage buckets
d. All of these answers are correct.

Answer

A

D. Attackers can leverage misconfigured and insecure cloud deployments
including unpatched applications, operating systems, and storage buckets.

Question 55

Q

Which term refers to the knowledge about an existing or emerging threat to
assets, including networks and systems?
a. Threat intelligence
b. Threat feed
c. Threat model
d. None of these answers are correct.

Answer

A

A. Threat intelligence refers to knowledge about an existing or emerging
threat to assets, including networks and systems. Threat intelligence includes
context, mechanisms, indicators of compromise (IoCs), implications, and
actionable advice.

Question 56

Q

Which technique is used when you leverage public information from DNS
records, social media sites, websites, search engines, and other sources for
reconnaissance?
a. OSINT
b. Threat maps
c. Threat models
d. Threat analysis

Answer

A

A. Open-source intelligence (OSINT) applies to offensive security (ethical hacking/penetration testing) and defensive security. In offensive security,
OSINT enables you to leverage public information from DNS records, social
media sites, websites, search engines, and other sources for reconnaissance—in
other words, to obtain information about a targeted individual or an organization. When it comes to threat intelligence, OSINT refers to public and free
sources of threat intelligence.

Question 57

Q

Which of the following could be threat and vulnerability research sources?

a. Vendor websites
b. Threat feeds
c. Vulnerability feeds
d. All of these answers are correct.

Answer

A

D. Vendor websites, threat feeds, and vulnerability feeds could all be used for
threat and vulnerability research.

Question 58

Q

Which framework was created by MITRE to describe adversary tactics and
techniques?
a. InfraGard
b. CVE
c. ATT&CK
d. CWE

Answer

A

C. The MITRE ATT&CK framework (https://attack.mitre.org) is a collection of different matrices of tactics and techniques. InfraGard is a collaborative
effort between the FBI and the private sector. The Common Vulnerability
and Exposure (CVE) is a standard to identify vulnerabilities created and maintained by MITRE. The Common Weakness Enumeration (CWE) is a standard to identify the weaknesses (root cause) of security vulnerabilities. CWE
was also created by MITRE

Question 59

Q

Which cloud service model offers computer networking, storage, load
balancing, routing, and VM hosting?
a. IaaS
b. PaaS
c. SaaS
d. None of these answers are correct.

Answer

A

A. Infrastructure as a service (IaaS) is a type of cloud service that offers computer networking, storage, load balancing, routing, and VM hosting. Platform
as a service (PaaS) provides various software solutions to organizations, especially the capability to develop applications in a virtual environment without
the cost or administration of a physical platform. Software as a service (SaaS)
is a cloud service model where the cloud provider offers the complete infrastructure and the application. Examples of SaaS include Gmail, Office 365,
Webex, Zoom, Dropbox, Google Drive, and many other applications you use
every day

Question 60

Q

Which of the following is a security concern in cloud deployments?

a. Encryption
b. Authentication methods
c. Identity management
d. All of these answers are correct.

Answer

A

D. Encryption, authentication methods, and identity management are all security concerns in cloud deployments and environments.

Question 61

Q

Which type of vulnerability is disclosed by an individual or exploited by an
attacker before the creator of the software can create a patch to fix the underlying issue?
a. Cross-site scripting
b. Zero-day
c. Information disclosure
d. None of these answers are correct.

Answer

A

B. A zero-day vulnerability is a type of vulnerability that is disclosed by an
individual or exploited by an attacker before the creator of the software can
create a patch to fix the underlying issue. Attacks leveraging zero-day vulnerabilities can cause damage even after the creator knows of the vulnerability
because it may take time to release a patch to prevent the attacks and fix damage caused by them.

Question 62

Q

Which of the following can be considered a weak configuration that can allow
attackers to perform an attack and compromise systems?
a. Default settings and passwords
b. Weak encryption
c. Open permissions
d. All of these answers are correct.

Answer

A

D. Default settings and passwords, weak encryption, and open permissions are
examples of the most prevalent types of weak configurations that can be leveraged by an attacker to perform malicious activities and compromise systems.

Question 63

Q

Which of the following is a weak protocol that should be avoided?

a. HTTP without encryption
b. Telnet
c. FTP without encryption
d. All of these answers are correct.

Answer

A

D. Protocols such as Telnet, FTP (without encryption), and HTTP without encryption should be avoided at all times because they are considered
unsecure.

Question 64

Q

Which of the following should be considered when assessing third-party risks?

a. Vendor management
b. Supply chain
c. Outsourced code development
d. All of these answers are correct.

Answer

A

D. Vendor management, system integration, lack of vendor support, supply
chain, and outsourced code development should all be assessed when performing an analysis of third-party risks.

Answer 65

A

A. A security update is a broadly released fix for a product-specific securityrelated vulnerability or group of vulnerability. Security vulnerabilities are rated
based on their severity, which is indicated in the Microsoft Security Bulletin as
critical, important, moderate, or low.

Answer 66

A

D. Legacy platforms and products that have passed the end of support date are
often affected by unfixed security vulnerabilities and do not have modern security features. When a device is past the last day of support, vendors will not
investigate or patch security vulnerabilities in those devices.

Answer 67

A

. D. A security breach could have direct financial impact to a corporation (such
as fines and lawsuits). The brand and reputation of a company can also be
damaged by major cybersecurity incidents and breaches. Cybersecurity incidents can also lead to outages and availability loss.

Answer 68

A

D. Attackers can leverage different types of obfuscation and evasion techniques
to go undetected (including encoding of data, tunneling, and encryption).

Answer 69

A

B. Threat hunting is the act of proactively and iteratively looking for threats in
your organization.

Answer 70

A

A. The MITRE ATT&CK is a collection of matrices that outline adversary
tactics, techniques, and procedures (TTPs) that modern attackers use.

Answer 71

A

A. Most of the vulnerabilities disclosed to the public are assigned Common
Vulnerability and Exposure (CVE) identifiers. CVE is a standard created by
MITRE (www.mitre.org) that provides a mechanism to assign an identifier
to vulnerabilities so that you can correlate the reports of those vulnerabilities
among sites, tools, and feeds.

Answer 72

A

C. A false positive is a broad term that describes a situation in which a security device triggers an alarm, but no malicious activity or actual attack is taking place. In other words, false positives are false alarms, and they are also
called benign triggers.

Answer 73

A

A. A true positive is a successful identification of a security attack or a malicious event. A true negative occurs when the intrusion detection device identifies an activity as acceptable behavior and the activity is actually acceptable.
False positives are false alarms, and false negative is the term used to describe a
network intrusion device’s inability to detect true security events under certain
circumstances—in other words, a malicious activity that is not detected by the
security device.

Answer 74

A

A. Vulnerability scanners can often log in to the targeted system to perform
deep analysis of the operating system, running applications, and security misconfigurations. This technique is called a credentialed scan.

Answer 75

A

D. SIEMs can provide log collection, normalization, and correlation.

Answer 76

A

A. NetFlow is a technology invented by Cisco to collect network metadata
about all the different “flows” of traffic on your network.

Answer 77

A

A. Security Orchestration, Automation, and Response (SOAR) systems extend
beyond traditional SIEMs to allow organizations to collect security threat data
and alerts from multiple sources and to perform many different automated
response capabilities.

Answer 78

A

D. Unlike traditional SIEM platforms, SOAR solutions can also be used for
threat and vulnerability management, security incident response, and security
operations automation (including playbook and runbook automation, as well as
orchestration of multiple SOC tools).

Answer 79

A

D. Ethical hacking, pen testing, and penetration testing are all terms used to
define the process of finding vulnerabilities and mimicking what an attacker
could do against your systems and networks. Penetration testing is done after
obtaining permission from the system or network owner.

Answer 80

A

A. In the known environment pen testing type, the pen tester starts out with
a significant amount of information about the organization and its infrastructure. The tester would normally be provided network diagrams, IP addresses,
configurations, and a set of user credentials, for example. If the scope includes
an application assessment, the tester might also be provided the source code of
the target application. The idea of this type of test is to identify as many security holes as possible.

Answer 81

A

D. The pre-engagement tasks include items such as contract negotiations, the
statement of work (SOW), scoping, and the rules of engagement.

Answer 82

A

D. The rules of engagement document typically includes the testing timeline,
location of the testing, time window of the testing, preferred method of communication, the security controls that could potentially detect or prevent testing, IP addresses or networks from which testing will originate, and the scope
of the engagement.

Answer 83

A

A. Open-source intelligence (OSINT) gathering is the term used when a penetration tester uses public records to perform passive reconnaissance.

Answer 84

A

D. Active reconnaissance is carried out mostly by using network and vulnerability scanners. Nmap is an open-source network and port scanner. Nessus is
a vulnerability scanner sold by Tenable. Nikto is an open-source web application vulnerability scanner.

Answer 85

A

C. Purple teams integrate the defensive capabilities of a blue team with the
adversarial techniques used by the red team. Often the purple team is not a
separate team, but a solid dynamic between the blue and red teams.

Answer 86

A

A. White teams are individuals who are focused on governance, management,
risk assessment, and compliance.

Answer 87

A

A. Configuration management is an ongoing process created with the goal of
maintaining computer systems, servers, network infrastructure, and software
in a desired, consistent state. One of the primary goals of configuration management is to ensure that your infrastructure performs as it’s expected to as
changes are made over time.

Answer 88

A

C. After a minimum desired state of security is defined, baselines should
be taken to assess the current security state of computers, servers, network devices, and the network in general. Baseline configurations should
be properly documented and reviewed to include a set of specifications for
information systems or configuration items within those systems. Baseline
configurations are used by security professionals, along with network and system administrators, as a basis for future deployments, releases, or changes to
information systems and applications.

Answer 89

A

A. You should make sure that your organization has appropriate naming conventions for describing IT infrastructure, applications, and users. Appropriate
naming conventions are used to avoid conflicts and to be able to correlate data
among disparate systems.

Answer 90

A

B and C. The General Data Protection Regulation (GDPR) is a regulation
in the European Union and the European Economic Area focused on data
protection and privacy. Another example is the California Consumer Privacy
Act (CCPA). These regulations give consumers the right to know what personal information is being collected by companies, government, and any other
organizations.

Answer 91

A

D. Data loss prevention (DLP) systems can be software or hardware-based
solutions and are categorized in three general types: endpoint, network, and
storage DLP systems

Answer 92

A

D. You should always encrypt data at rest, in use, and in motion in order to
protect sensitive data.

Answer 93

A

C. Hashes are used in digital signatures, in file and message authentication,
and as a way to protect the integrity of sensitive data—for example, data
entered into databases or perhaps entire hard drives. A hash is generated
through the use of a hash function to verify the integrity of the file or message,
most commonly after transit over a network.

Answer 94

A

A. A hot site is a near duplicate of the original site of the organization that
can be up and running within minutes (in some cases longer). Computers and
phones are installed and ready to go, a simulated version of the server room
stands ready, and the vast majority of the data is replicated to the site on a
regular basis in the event that the original site is not accessible to users for
whatever reason.

Answer 95

A

B. A honeypot is generally a single computer but could also be a file, group of
files, or an area of unused IP address space, whereas a honeynet is a group of
computers, servers, or an area of a network; a honeynet is used when a single
honeypot is not sufficient. Either way, the individual computers, or group of
servers, will usually not house any important company information. Various
analysis tools are implemented to study the attacker; these tools, along with
a centralized group of honeypots (or a honeynet), are known collectively as a
honeyfarm.

Answer 96

A

D. Honeyfiles are used as bait files intended to lure adversaries to access them
and then send alarms to a security analyst to potentially learn the tactics and
techniques used by the attacker.

Answer 97

A

A. In a DNS sinkhole you configure one or more DNS servers to provide false
results to attackers and redirect them to areas in the network where you can
observe their tactics and techniques. DNS sinkholes have been used to contain
different types of malware such as the infamous WannaCry ransomware and to
disrupt certain malicious DNS operations in denial-of-service (DoS) and other
attacks.

Answer 98

A

A. IaaS is a service that offers computer networking, storage, load balancing,
routing, and VM hosting. More and more organizations are seeing the benefits
of offloading some of their networking infrastructure to the cloud.

Answer 99

A

A. A community cloud is a mix of public and private cloud deployments where
multiple organizations can share the public portion.

Answer 100

A

A. A community cloud is a mix of public and private cloud deployments where
multiple organizations can share the public portion.

Answer 101

A

A. Google Drive, Office 365, and Dropbox are examples of the software as a
service (SaaS) cloud service model.

Answer 102

A

C. A managed security service provider (MSSP) provides services to manage your security devices and can also help monitor and respond to security
incidents.

Answer 103

A

D. Managed service providers (MSPs) can deliver network, application, system,
and management services using a pay-as-you-go model. An MSP is an organization that can manage your network infrastructure, servers, and in some cases
your security devices. Companies that provide services to manage your security
devices and can also help monitor and respond to security incidents are called
managed security service providers (MSSPs).

Answer 104

A

C. The term edge computing describes an ecosystem of resources and applications in new network services (including 5G and IoT). One of the main benefits is to provide greater network speeds, low latency, and computational power
near the user.

Answer 105

A

A. Thin clients are computer systems that run from resources stored on a central server or from the cloud instead of a local (on-premises) system. When
you use a thin client, you connect remotely to a server-based computing environment where the applications, sensitive data, and memory are stored.

Answer 106

A

D. Docker Swarm, Apache Mesos, and Kubernetes are technologies and solutions to manage, deploy, and orchestrate containers.

Answer 107

A

A. VM sprawl (otherwise known as virtualization sprawl) occurs when an organization can no longer effectively control and manage all the VMs on a network or in the cloud.

Answer 108

A

A. In a VM escape attack, the guest VM breaks out of its isolated environment
and attacks the hypervisor or compromises other VMs hosted and controlled
by the hypervisor.

Answer 109

A

A. The traditional software development methodology is the waterfall model,
which is a software and hardware development and project management methodology that has at least five to seven phases that follow in strict linear order.
Each phase cannot start until the previous phase has been completed.

Answer 110

A

B. You can integrate with log aggregation tools to maintain and analyze logs
of every element that goes into the provisioning. This allows you to respond
quickly and deprovision the application in the event that something went
wrong. When you go back, you can check the logs and accurately find and fix
the root cause of the error.

Answer 111

A

D. Unit testing, integration testing, and identifying a code integrity manager
can help software (code) integrity.

Answer 112

A

C. Threat modeling enables you to prioritize threats to an application based
on their potential impact. This modeling process includes identifying assets
to the system or application, uncovering vulnerabilities, identifying threats, documenting threats, and rating those threats according to their potential
impact. The more risk, the higher the rating. Threat modeling is often incorporated into the software development lifecycle (SDLC) during the design,
testing, and deployment phases.

Answer 113

A

D. Input validation, principle of least privilege, and failing securely are all
important security principles that should be incorporated into the SDLC.

Answer 114

A

D. Compile time refers to the duration of time during which the statements
written in any programming language are checked for errors. Compile-time
errors might include syntax errors in the code and type-checking errors. A
programmer can check these errors without actually running the program and
instead check it in the compile stage when it is converted into machine code.

Answer 115

A

D. One of the most popular OWASP projects is the Top 10 Web Application
Security Risks. You can find the latest Top 10 Web Application Security Risks
at https://owasp.org/www-project-top-ten. All of these answers are top web
application security risks.

Answer 116

A

C. In an example of software diversity, a compiler is modified to generate
variants of a binary (target application) that operates in the same way when
processing benign input; however, it may operate in a different manner when
given malicious input. This new aspect of software diversity is handled by generating variants of a program by building a binary with a diversifying compiler
that can randomize the code layout, stack variables, and random allocations of
heap objects at different locations in each variant.

Answer 117

A

A. Continuous integration (CI) is a software development practice in which
programmers merge code changes in a central repository multiple times a day.
Continuous delivery (CD) sits on top of CI and provides a way for automating
the entire software release process. When you adopt CI/CD methodologies,
each change in code should trigger an automated build-and-test sequence.
This automation should also provide feedback to the programmers who made
the change.

Answer 118

A

C. Elasticity is the ability of an underlying infrastructure to react to a sudden
increase in demand by provisioning more resources in an automated way. Elasticity and scalability are often achieved by deploying technologies such as load
balancers and by deploying applications and resources in multiple geographical
locations (data centers around the world). Other technologies such as enabling
concurrent processing (parallel processing) and automated container deployments (that is, using Kubernetes) allow organizations to auto-scale.

Answer 119

A

D. Microsoft Active Directory (AD) allows administrators to organize elements of a network, such as users, computers, and devices, into a hierarchical
containment structure.

Answer 120

A

D. Microsoft Active Directory (AD) allows administrators to organize elements of a network, such as users, computers, and devices, into a hierarchical
containment structure.

Answer 121

A

D. Users authenticate against a directory service to ensure that it is highly
available at all times. A best practice requires that it be distributed in multiple
locations.

Answer 122

A

C. In biometrics, facial recognition is the most common and least accurate way
to identify a user; it has higher false rejection and higher false acceptance rates
than other biometric security methods.

Answer 123

A

B. Speaker verification is a 1:1 match where one speaker’s voice is matched to
one template, also called a voice print or voice model.

Answer 124

A

B. You must have this physical item with you—something you have such as a
crypto card, token, or key fob that is used as a method to authenticate you as a
user.

Answer 125

A

A. Physical movements such as the way you walk, typing patterns, and mouse
movements are examples of a personality trait, behavior, or observable biometric that can be used to authenticate you as a person.

Answer 126

A

A. Authentication, authorization, and accounting (AAA) is a framework for
intelligently controlling access to computer resources, enforcing policies, and
auditing usage. These processes working in concert are important for effective
network management and security.

Answer 127

A

A. Authentication provides a method of identifying a user, typically by having
the user enter a valid username and password before access to the network is
granted. Authentication is based on each user having a unique set of login credentials for gaining network access.

Answer 128

A

C. Enterprises that elect to use a cloud computing model need to pay only for
the resources that they use, with none of the maintenance and upkeep costs.
The price adjusts up or down depending on how much is consumed.

Answer 129

A

B. On-premises authentication is preferred. Many companies these days operate under some form of regulatory control, regardless of the industry. The
most common one is the Health Insurance Portability and Accountability Act
(HIPAA) for private health information, but there are other government and
industry regulations. For companies that are subject to such regulations, it is
imperative that they remain compliant and know where their data is at all times.

Answer 130

A

A. Geographic dispersal of computing and data assets if a disaster, natural or
person-made, occurs ensures the company can continue to function. In such
cases, the company relies on infrastructure in another city, state, or country to
be available.

Answer 131

A

A. RAID 5 writes the parity over all disks, making it possible to continue to
run even if one disk fails. Recovery is done by removing the failed drive and
executing the recovery process, where the drive is rebuilt and added to the
array once completed.

Answer 132

A

A. RAID 0 is known as disk striping; it is the process of dividing data into
blocks and spreading the data blocks across multiple storage devices, such as
hard disks or solid-state drives (SSDs). In a Redundant Array of Independent
Disks (RAID) group, there is no parity. The more hard drives in a RAID 0
array, the higher probability of array failure.

Answer 133

A

B. By deploying NIC teaming on your server, you can maintain a connection to multiple physical switches and use a single IP address. Load balancing
becomes readily available, fault tolerance becomes instant instead of waiting
for DNS records to time out or update, and management becomes simpler.

Answer 134

A

B. Redundant power is a critical component in high-availability systems. In the
simplest solution, two power supplies can drive a load through bused (vertical
line shared among equipment) or N+1 configuration, where two power supply outputs are load-shared together or have one active and one or more in
standby mode.

Answer 135

A

B. SAN-connected servers contain special fiber interface cards called host
bus adapters (HBAs). They are configured as pairs, typically called HBA1 and
HBA2. The fiber is then connected to a pair of SAN network switches.

Answer 136

A

A. Azure Active Directory is a fully managed multi-tenant cloud-based offering
from Microsoft that offers identity and access capabilities for applications
running in an on-premises environment. It is not a replacement for on-premises
Active Directory Services but could be, or it can be used with it to extend
on-prem directory services and sync the directories to cloud applications.

Answer 137

A

D. Cloud-based backups are a model of data storage in which the data can be
accessed, managed, and stored in a remote cloud server via the Internet. Cloud
backups are maintained and supported by a cloud storage provider responsible
for keeping the user’s data available and accessible at any time.

Answer 138

A

C. Backups to a cloud services backup (IaaS) provider can be slower than
on-premises backups where they are connected at gigabit speeds. Depending
on the amount of data being backed up, restoring data from them could take
many hours or even days to complete.

Answer 139

A

D. A highly available system should be able to quickly recover from any sort
of failure state to minimize interruptions for the end user. Best practice for
achieving high availability is to eliminate single points of failure or any node
that would impact the system as a whole if it becomes dysfunctional. The highest level of uptime is considered “five nines,” or 99.999 percent, which refers to
a standard of reliability. Five nines is equivalent to downtime of only 5 minutes
and 15 seconds per year (1 minute and 18 seconds in a quarter, or 26 seconds
monthly). These are very high standards to meet.

Answer 140

A

D. Without the network, systems will be unable to communicate with each
other. When building the restore order for your organization, do not forget
this critical step, and make sure you add it to your desktop exercises.

Answer 141

A

A, B, C. These are all steps that can be taken to enhance an organization’s
resilience and provide fault tolerance and diversity

Answer 142

A

A. A field-programmable gate array (FPGA) is an integrated circuit designed
to be configured by a customer or designer after manufacturing—hence the
term field-programmable

Answer 143

A

A. SCADA systems are capable of managing parts inventories for just-in-time
manufacturing, regulate industrial automation and robots, and monitor processes and quality control.

Answer 144

A

A. A SCADA programmable logic controller (PLC) is an industrial computer
control system that continuously monitors the state of input devices and makes
decisions based on a custom program to control the state of output devices.

Answer 145

A

B. Smart watches can monitor your pulse, heart, blood pressure, exercises,
calories, and sleep patterns to help you become more fit.

Answer 146

A

A. Lighting and air conditioning controls are part of building automation and
can be controlled to help reduce the overexpense of energy use by properly
implementing sensors to know when people are in the building.

Answer 147

A

D. Users should utilize the strongest encryption method available on devices,
always create and rotate very complex passwords, set up a continuous method
to log and audit access to the devices, and finally, ensure use of the latest manufacturer updates.

Answer 148

A

D. Today’s modern surveillance systems are capable of performing facial recognition, monitoring data center access, and if exploited, pivoting to and compromising other systems in the network.

Answer 149

A

D. Zigbee creates flexibility for developers and end users while delivering stellar interoperability. It was created on the IEEE’s 802.15.4 standard, using the
2.4-GHz band and a self-healing true mesh network, and has a defined rate of
250 kbps. It is best suited for intermittent data transmissions from a sensor or
input device.

Answer 150

A

C. Cryptography constraints for building secure embedded systems hardware
and software have to do with the amount of code required to implement a
secure algorithm and the processing power required to crunch the number.

Answer 151

A

C and D. A system on a chip (SoC) is essentially an integrated circuit or an IC
that takes a single platform and integrates an entire electronic or computer
system onto it.

Answer 152

A

A. Nucleus RTOS from Mentor is a real-time operating system (RTOS) software component that rapidly switches between tasks, giving the impression
that multiple programs are being executed at the same time on a single processing core. In fact, the processing core can execute only one program at any
one time.

Answer 153

A

B. Embedded computers used in unmanned system applications are often characterized by their low SWaP-C (size, weight, power, and cost) profiles, small
form factor (SFF), and rugged operating ranges, which are vital components
for unmanned aerial vehicles (UAVs),

Answer 154

A

A. An access control vestibule, formerly known as a mantrap, allows security
guards to see visitors before they are allowed through the second door. Guards
can use cameras and voice communication to ascertain identity.

Answer 155

A

C. Vestibules are an excellent access control addition. Entries with panels built
from prefabricated composite or metal are used as a way for companies to control the heat and airflow in their facilities.

Answer 156

A

B. Optical detectors convert incoming optical energy into electrical signals.
The two main types of optical detectors are photon detectors and thermal
detectors. Photon detectors produce one electron for each incoming photon of
optical energy. The electron is then detected by the electronic circuitry

Answer 157

A

D. Robot sentries act as 24/7/365 guards, continuously monitoring and alerting on differentials. Robot sentries report anything out of the ordinary to the
appropriate personnel, who then can take additional action.

Answer 158

A

D. The reception desk plays a front-line role in the physical security program
of a company. Receptionists do this by creating a buffer between the corporate offices, employees, and contractors. Visitors are unable to pass until the
employees meeting them come and pick them up. This reduces loitering and
inquisitive visitors.

Answer 159

A

D. Biometric locks provide a unique way of making sure people are who they
say they are by monitoring or matching human characteristics such as a fingerprint, retina, or voice prior to unlocking and granting access.

Answer 160

A

A. A skeleton key normally work with warded or lever locks. With a warded
lock, a skeleton key lacks interior notches to interfere with or correspond with
the wards, or obstructions, thereby allowing it to open the lock.

Answer 161

A

C. A proximity reader is capable of reading a prox card that is within a few millimeters of the reader/pad; it does this through induction.

Answer 162

A

C. A vault can consist of an entire room or even multiple rooms. Vaults allow
everything inside to be protected through multiple layers of security measures,
including guards, alarms, cameras, locks, gates, and secure doors.

Answer 163

A

D. Pulverizing grinds devices down to bare-metal scraps. There is nothing left
that would allow recovery, unlike shredding and degaussing.

Answer 164

A

A. A key generation algorithm that selects a private key uniformly at random
from a set of possible private keys is one of three digital signature scheme
algorithms. This algorithm outputs the private key and a corresponding
public key.

Answer 165

A

D. Cryptographic hash functions have many information-security applications,
notably in digital signatures, message authentication codes (MACs), and other
forms of authentication.

Answer 166

A

D. Quantum cryptography, or quantum key distribution (QKD), uses a series
of photons (light particles) to transmit data from one location to another over
a fiber-optic cable. By comparing measurements of the properties of a fraction
of these photons, the two endpoints can determine what the key is and if it is
safe to use.

Answer 167

A

B. Photons travel to a receiver, which uses two beam splitters (horizontal/vertical and diagonal) to “read” the polarization of each photon.

Answer 168

A

A. A blockchain is essentially a digital ledger of transactions that are duplicated and distributed across the entire network of computer systems on the
blockchain.

Answer 169

A

B. Cipher suites usually contain a set of algorithms that include a key exchange
algorithm, bulk encryption algorithm, and message authentication code (MAC)
algorithm. The key exchange algorithm is used to exchange a key between two
devices.

Answer 170

A

D. Steghide, Foremost, Xiao, Stegais, and Concealment are tools that can be
used to conceal data in images and audio files.

Answer 171

A

A. The most common use cases are mobile devices and portable systems.
Because of the low-power draw requirements, you may use smaller symmetric
key sizes and elliptic-curve asymmetric encryption.

Answer 172

A

C. Time is used in generating keys used in cryptography. They have been
mostly replaced with more randomness.

Answer 173

A

D. Key stretching runs a password through an algorithm to produce an
enhanced key.

Answer 174

A

C and D. Bcrypt and Password-Based Key Derivation Function 2 (PBKDF2)
are key derivation functions (KDFs) that are primarily used for key stretching,
which provides a means to “stretch” a key or password, making an existing key
or password stronger and protecting against brute-force attacks.

Answer 175

A

D. DNSSEC is used in securing the chain of trust that exists between the
Domain Name System (DNS) records that are stored at each domain level.

Answer 176

A

B. You can enable LDAPS by installing a properly formatted certificate from a
certificate authority (CA) according to the guidelines.

Answer 177

A

B. SSH uses asymmetric (public key) RSA cryptography for both connection
and authentication.

Answer 178

A

B. S/MIME is based on asymmetric cryptography that uses a pair of mathematically related keys to operate: a public key and a private key

Answer 179

A

C. AH is an optional packet header used to guarantee connectionless integrity
and data origin authentication for IP packets.

Answer 180

A

C. IMAPS downloads a message only when you click on it, and attachments
aren’t automatically downloaded. IMAPS operates on port 993 (SSL/TLS).

Answer 181

A

D. HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS).

Answer 182

A

D. Enterprises looking to deploy time synchronization should utilize three
public servers, set up a local internal NTP server that is used for all internal
hosts as a reference timekeeper, and only have the internal NTP server make
requests to the public servers. You should ensure that you are standardizing on
UTC time across all systems; it will make researching attacks and issues more
relevant.

Answer 183

A

A. A virtual private network (VPN) provides privacy and security to users by
creating a private network connection across a public network connection.
VPNs are used to access company networks protected by firewalls that deny
inbound and outbound access to/from systems on the network.

Answer 184

A

A, B, C, D. All the responses are correct. You should use caching-only DNS
servers, use DNS forwarders, use DNS advertisers and resolvers, protect DNS
from cache pollution, enable DDNS for secure connections only, disable zone
transfers, and use firewalls to control communication to and from the DNS
servers.

Answer 185

A

A. According a report published by Cybersecurity Ventures in May 2019, damages from ransomware cost businesses an astonishing $11 billion in lost revenue, productivity, and remediation.

Answer 186

A

B. Antimalware software that uses behavior-based malware detection can
detect previously unknown threats by identifying malware based on characteristics and behaviors.

Answer 187

A

C. One of the primary functions of endpoint detection and response (EDR) is
providing forensics and analysis tools to research identified threats and search
for suspicious activities (similar to threat hunting).

Answer 188

A

A. Data loss prevention (DLP) software and tools monitor and control endpoint activities, filter data streams on corporate networks, and monitor data in
the cloud to protect data at rest and in motion.

Answer 189

A

B. The newer specification addresses several limitations of the BIOS, including
restrictions on hard disk partition size and the amount of time the BIOS takes
to perform its tasks.

Answer 190

A

D. Database tokenization is the process of turning sensitive data into nonsensitive data called tokens that can be used in a database or internal system without
bringing it into scope.

Answer 191

A

D. The secure session cookies store information about a user session after the
user logs in to an application. This information is very sensitive because an
attacker can use a session cookie to impersonate the victim.

Answer 192

A

A. Patch management is a process that helps acquire, test, and install multiple
patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining
which patches are the appropriate ones.

Answer 193

A

C. When a self-encrypting drive (SED) is installed into a mixed-disk configuration or a configuration containing unencrypted drives, it operates as an
unencrypted disk. Likewise, a pool consisting of all SEDs might replicate to a
pool with only a few SEDs or no SEDs at all.

Answer 194

A

C. Code from the outside needs to be validated prior to running it on a secure
CPU. This tamper resistance can be implemented in many ways—for example,
using a dedicated ROM that can only be accessed by the hardware root of trust.

Answer 195

A

D. The TPM uses a unique key to digitally sign the log recorded by the UEFI.

Answer 196

A

A. Sandboxing is a strategy that isolates a test environment for applications. It
provides an extra layer of security that prevents malware or harmful applications from negatively affecting your system.

Answer 197

A

A. If you migrate some of these low-resource servers to a virtual environment,
you could end up spending more on licensing but less on hardware, due to the
nature of virtualization. In fact, the goal is to have the gains of hardware savings outweigh the losses of licensing. Load balancing and clustering deal with
an operating system utilizing the hardware of multiple servers. This will not be
the case when you go virtual, nor would it have been the case anyway, because
clustering and load balancing are used in environments where the server
is very resource-intensive. Baselining, unfortunately, will remain the same;
you should analyze all of your servers regularly, whether they are physical or virtual. These particular servers should not encounter latency or lowered
throughput because they are low-resource servers in the first place. If, however, you considered placing a Windows Server that supports 5000 users into a
virtual environment, you should definitely expect latency

Answer 198

A

B. You can defend against pivoting by providing proper access control, network segmentation, DNS security, reputation security, and proper patch
management.

Answer 199

A

C. A remote-access VPN is typically used for client access to a headend device,
which connects them to the corporate network. Most remote access VPNs use
IPsec or SSL/TLS connections.

Answer 200

A

D. One specific type of DDoS is the DNS amplification attack. Amplification
attacks generate a high volume of packets ultimately intended to flood a target
website. In the case of a DNS amplification attack, the attacker initiates DNS
requests with a spoofed source IP address. The attacker relies on reflection;
responses are not sent back to the attacker but are instead sent “back” to the
victim server. Because the DNS response is larger than the DNS request (usually), it amplifies the amount of data being passed to the victim. An attacker
can use a small number of systems with little bandwidth to create a sizable
attack. However, a DNS amplification attack can also be accomplished with
the aid of a botnet, which has proven to be devastating to sections of the Internet during the period when the attack was carried out.

Answer 201

A

D. Domain hijacking is a type of hijacking attack in which the attacker changes
the registration of a domain name without the permission of the original
owner/registrant. One of the most common methods used to perform a
domain hijacking is using social engineering.

Answer 202

A

B. Some companies (such as Cisco) offer hardware-based NAC solutions,
whereas other organizations offer paid software-based NAC solutions and
free ones such as PacketFence (https://packetfence.org), which is open source.
The IEEE 802.1X standard, known as port-based network access control, or
PNAC, is a basic form of NAC that enables the establishment of authenticated
point-to-point connections, but NAC has grown to include software; 802.1X is
now considered a subset of NAC.

Answer 203

A

B. As administrator, you might need to take an alternate path to manage network devices. In this case, you might require out-of-band management. This
is common for devices that do not have a direct network connection, such as
UPSs, PBX systems, and environmental controls.

Answer 204

A

D. Port security is a security feature present in most routers and switches, and
it is used to provide access control by restricting the Media Access Control
(MAC) addresses that can be connected to a given port. This differs from a MAC access list because it works only on the source MAC address without
matching the MAC destination.

Answer 205

A

D. IP proxy secures a network by keeping machines behind it anonymous; it
does this through the use of NAT. For example, a basic four-port router can
act as an IP proxy for the clients on the LAN it protects. An IP proxy can
be the victim of many network attacks, especially DoS attacks. Regardless of
whether the IP proxy is an appliance or a computer, it should be updated regularly, and its log files should be monitored periodically and audited according
to organization policies.

Answer 206

A

D. A Layer 2 access control list (ACL) operates at the data link layer of the
OSI model and implements filters based on Layer 2 information. An example
of this type of access list is a MAC access list, which uses information about
MAC addresses to create the filter.

Answer 207

A

D. There are different route manipulation attacks, but one of the most common is the Border Gateway Protocol (BGP) hijacking attack. BGP is a
dynamic routing protocol used to route Internet traffic. An attacker can launch
a BGP hijacking by configuring or compromising an edge router to announce
prefixes that have not been assigned to his or her organization. If the malicious
announcement contains a route that is more specific than the legitimate advertisement or presents a shorter path, the victim’s traffic may be redirected to
the attacker. In the past, threat actors have leveraged unused prefixes for BGP
hijacking to avoid attention from the legitimate user or organization.

Answer 208

A

D. As administrator, you can use QoS capabilities to control application prioritization. Protocol discovery features in Cisco AVC show the mix of applications currently running on the network. This information helps you define
QoS classes and policies, such as how much bandwidth to provide to missioncritical applications and how to determine which protocols should be policed.
Per protocol bidirectional statistics are available, such as packet and byte
counts, as well as bit rates. After you classify the network traffic, you can apply
class-based weighted fair queuing (CBWFQ) for guaranteed bandwidth.

Answer 209

A

D. An anycast address is assigned to a group of interfaces on multiple nodes.
Packets are delivered to the “first” interface only. Anycast is structured like
unicast addresses.

Answer 210

A

A. To capture packets and measure throughput, you need a tap on the network
before you can start monitoring. Most tools that collect throughput leverage
a single point configured to provide raw data, such as pulling traffic from a
switch or router. If the access point for the traffic is a switch, typically a network port is configured as a Switched Port Analyzer (SPAN) port, sometimes
also called port mirroring or port spanning. The probe capturing data from a SPAN port can be either a local probe or data from a SPAN port that is routed
to a remote monitoring tool.

Answer 211

A

A. Baselining is the process of measuring changes in networking, hardware,
software, applications, and so on. The process of documenting and accounting
for changes in a baseline is known as baseline reporting. Baseline reporting
enables you to identify the security posture of an application, system, or network. The security posture can be defined as the risk level to which a system,
or other technology element, is exposed. Security posture assessments (SPAs)
use baseline reporting and other analyses to discover vulnerabilities and weaknesses in systems.

Answer 212

A

C. File integrity is important when securing log files, and File Integrity
Monitoring (FIM) helps you maintain this integrity. Encrypting the log files
through the concept known as hashing is a good way to verify the integrity of
the log files if they are moved and/or copied. You could also flat-out encrypt
the entire contents of the file so that other users cannot view it. Integrity
means that data has not been tampered with. Authorization is necessary
before data can be modified in any way; this is done to protect the data’s
integrity.

Answer 213

A

A. WPA3 includes a more robust authentication mechanism than WPA2. It
also provides a higher level of encryption capabilities. It enables a very robust
authentication based on passwords by utilizing a technology called Simultaneous Authentication of Equals (SAE). This innovation in Wi-Fi security
replaces the preshared key (PSK). SAE helps protect against brute-force password attacks and offline dictionary attacks.

Answer 214

A

B. Counter-mode/CBC-MAC protocol or CCMP is based on the Advanced
Encryption Standard (AES). It provides a stronger mechanism for securing
privacy and integrity over Temporal Key Integrity Protocol (TKIP), which was
previously used with WPA. An advantage to CCMP is that it utilizes 128-bit
keys as well as a 48-bit initialization vector. This enhancement greatly reduces
the possibility of replay attacks. One drawback to using CCMP over TKIP is
that it requires additional processing power. That is why you will typically see
it supported on newer hardware.

Answer 215

A

A. 802.1X is an IEEE standard that defines port-based network access control
(PNAC). Not to be confused with 802.11X WLAN standards, 802.1X is a
data link layer authentication technology used to connect hosts to a LAN or
WLAN. 802.1X allows you to apply a security control that ties physical ports
to end-device MAC addresses, and prevents additional devices from being connected to the network. It is a good way of implementing port security, much
better than simply setting up MAC filtering.

Answer 216

A

D. Following are the three components to an 802.1X connection:
■ Supplicant: A software client running on a workstation. This is also known
as an authentication agent.
■ Authenticator: A wireless access point or switch.
■ Authentication server: An authentication database, most likely a RADIUS
server.

Answer 217

A

D. The supplicant is a software client running on a workstation. It is also
known as an authentication agent.

Answer 218

A

D. The Protected Extensible Authentication Protocol (PEAP) uses MSCHAPv2, which supports authentication via Microsoft Active Directory
databases. It competes with EAP-TTLS and includes legacy password-based
protocols. It creates a TLS tunnel by acquiring a public key infrastructure (PKI)certificate from a server known as a certificate authority (CA). The TLS tunnel
protects user authentication much like EAP-TTLS.

Answer 219

A

B. EAP-FAST uses a protected access credential instead of a certificate to
achieve mutual authentication. FAST stands for Flexible Authentication via
Secure Tunneling.

Answer 220

A

C. The preshared key (PSK) used to enable connectivity between wireless
clients and the WAP is a complex passphrase. PSK is automatically used when
you select WPA-Personal in the Security Mode section. The other option is
WPA-Enterprise, which uses a RADIUS server. So, if you ever see the term
WPA2-PSK, this means that the WAP is set up to use the WPA2 protocol with
a preshared key, and not an external authentication method such as RADIUS.

Answer 221

A

B. Wi-Fi Protected Setup (WPS) is a security vulnerability. Created originally
to give users easy connectivity to a wireless access point, later all major manufacturers suggested that it be disabled (if possible). In a nutshell, the problem
with WPS was the eight-digit code. It effectively worked as two separate smaller
codes that collectively could be broken by a brute-force attack within hours.

Answer 222

A

D. Strategic wireless access point (WAP) placement is vital. That is why it is
essential to perform a site survey before deploying wireless equipment. A site
survey is typically performed using Wi-Fi Analyzer tools to produce a heat
map of all wireless activity in the area.

Answer 223

A

A. Near-field communication (NFC) has obvious benefits for contactless payment systems or any other non-contact-oriented communications between
devices. However, for optimal security, you should use contact-oriented readers and cards.

Answer 224

A

B. Geofencing is an excellent way to be alerted to users entering and exiting an
organization’s physical premises. It can provide security for wireless networks
by defining the physical borders and allowing or disallowing access based on
the physical location of the user, or more accurately, the user’s computer or
mobile device.

Answer 225

A

A. You should encrypt data communication between a device and the organization and enable full device encryption of data stored on the device or in
removable storage.

Answer 226

A

D. One of the characteristics of an MDM solution is the use of over-the-air
(OTA) device management updates. OTA historically refers to the deployment
and configuration performed via a messaging service, such as Short Message
Service (SMS), Multimedia Messaging Service (MMS), or Wireless Application
Protocol (WAP). Now it’s used to indicate remote configuration and deployment of mobile devices.

Answer 227

A

D. Insecure user configurations such as rooting and jailbreaking can be
blocked from MDM, as can sideloading—the art of loading third-party apps
from a location outside the official application store for that device. Note that
sideloading can occur in several ways: by direct Internet connection (usually
disabled by default), by connecting to a second mobile device via USB OTG
(USB On-The-Go) or Bluetooth, by copying apps directly from a microSD
card, or by tethering to a PC or Mac.

Answer 228

A

B. Bluejacking is the sending of unsolicited messages to Bluetooth-enabled
devices such as mobile phones. You can stop bluejacking by setting the affected
Bluetooth device to undiscoverable or by turning off Bluetooth altogether.

Answer 229

A

B. Encryption is one of the best ways to ensure that data is secured and that
applications work properly without interference from potential attackers.
However, you should consider whole device encryption, which encrypts the
internal memory and any removable (SD) cards.

Answer 230

A

B. Companies may implement strategies such as choose your own device
(CYOD), where employees select a device from a company-approved list, or
corporate-owned, personally enabled (COPE), where the company supplies
employees with phones that can also be used for personal activities.

Answer 231

A

. A. Resource policies in cloud computing environments are meant to control
access to a set of resources. A policy is deployed to manage the access to the
resource itself.

Answer 232

A

B. In cloud computing environments, the management of things like API keys,
passwords, and certificates is typically handled by some kind of secrets management tool. It provides a mechanism for managing the access and auditing
the secrets used in the cloud environment

Answer 233

A

A. In cloud computing environments, storage is referred to as buckets. The
access to these buckets is controlled by an Identity and Access Management
(IAM) policy.

Answer 234

A

D. In cloud computing environments, the concept of a public subnet is one
that has a route to the Internet. A private subnet would be a subnet in the
cloud environment that does not have a route to the Internet.

Answer 235

A

D. A cloud access security broker (CASB) is a tool that organizations utilize
to control access to and use of cloud-based computing environments and
resources. Many cloud-based tools are available for corporate and personal
use. The flexible access nature of these tools makes them a threat to data leak
prevention and the like. It is very easy to make the mistake of copying a file
that contains sensitive data into the wrong folder and making it available to the
world. This is the type of scenario that CASB solutions help mitigate.

Answer 236

A

B. The concept of a Secure Web Gateway (SWG) is top of mind these days.
At the time of this writing, we are currently in a global pandemic that has
forced millions to work from home. For many years, the solution for providing
employees a way to work from home was simply a remote-access VPN back
into the office. This solution allowed all of the traffic from the employees’
computers to flow back through the corporate network, which would in turn
traverse the same security controls that were in place if the employees were
plugged into the corporate network. With the advent of cloud-based access to applications and storage, this solution is no longer the most efficient way of
securing remote workers. This is where the SWG comes into play. A Secure
Web Gateway enables you to secure your remote workers’ Internet access
while not overloading the corporate Internet pipe. This approach is sometimes
thought of as a cloud firewall. However, an SWG typically has many other
protection mechanisms in place, including things like CASB. One example of
an SWG is Cisco Umbrella.

Answer 237

A

B. Cloud-based firewalls can work at all layers of the OSI model. However, in
many cloud computing environments, the firewall is used at the application
layer to control access and mitigate threats to applications being hosted by the
cloud environment.

Answer 238

A

B. A cloud native control is typically provided by the actual cloud-computing
environment vendor. A non-cloud native control is provided by a third-party
vendor. For instance, each cloud computing environment has security controls
built into its platform. However, these controls might not be sufficient for all
use cases. That is where third-party solutions come into play. Many companies
out there today provide these third-party solutions to supplement those areas
where cloud native controls are lacking. Of course, most virtual machine–based
controls can be deployed in any cloud computing environment. However, for
it to be native, it must go through various integration, testing, and certification
efforts. Because each cloud computing environment is built differently and
on different platforms, the controls must be adapted to work as efficiently as
possible with the specifications of the environment. Many times, the decision
between utilizing cloud native versus third-party solutions comes down to the
actual requirements of the use case and the availability of the solution that fits
those requirements.

Answer 239

A

B. An identity provider (IdP) is a service provider that also manages the
authentication and authorization process on behalf of other systems in the
federation.

Answer 240

A

B. Authentication is the process of proving the identity of a subject or user.
Once a subject has identified itself in the identification step, the enforcer
has to validate the identity—that is, be sure that the subject (or user) is the
one it is claiming to be. This is done by requesting that the subject (or user)
provide something that is unique to the requestor. This could be something
known only by the user, usually referred to as authentication by knowledge, or
owned only by the user, usually referred to as authentication by ownership, or it
could be something specific to the user, usually referred to as authentication by
characteristic.

Answer 241

A

A. Most certificates are based on the X.509 standard, which is a common PKI
standard developed by the ITU-T that often incorporates the single sign-on
(SSO) authentication method.

Answer 242

A

D. SAML is an open standard for exchanging authentication and authorization
data between identity providers. SAML is used in many single sign-on (SSO)
implementations.

Answer 243

A

D. A service account is typically used on a server to provide a separate set of
credentials and permissions to an application or service that is running. For
instance, a server that is running Apache web server might have an apache_
user account. That account would then be provided with only the access it
needs to be able to perform the functions that services provide.

Answer 244

A

B. A tool you can use to validate who is logged in to a Windows system is the
PsLoggedOn application. For this application to work, it has to be downloaded
and placed somewhere on your local computer that will be remotely checking hosts. After it’s installed, simply open a command prompt and execute the
command C:\PsTools\psloggedon.exe\HOST_TO_CONNECT.

Answer 245

A

C. For Linux machines, various commands can show who is logged in to a system, such as the w, who, users, whoami, and last “user name” commands.

Answer 246

A

B. Geolocation is the actual method of determining the physical location of
the user trying to authenticate.

Answer 247

A

C. A time-based attribute can be used when authenticating and authorizing
a user. When a user logs in and provides his or her identity, that user can be
given specific access based on the time he or she connects. For instance, if you do not expect that someone should be connecting to your wireless network at
3 a.m., then you can set a policy that blocks access between specific hours of
operation.

Answer 248

A

B. Geotagging is the process of attaching location information in the metadata
of files, such as pictures taken from a smartphone.

Answer 249

A

A. Password keys are a technology typically deployed by corporations when
implementing two-factor authentication. The primary use case is remote
access to the organization’s environment. However, many organizations also
use them internally. These keys are especially important to use for access to
highly sensitive data or applications that serve that data—for instance, financial
applications or anything involving intellectual property, such as source code.
Many types of password keys are on the market these days. They come in various form factors and are utilized in different ways. For instance, some are used
by inserting into a computer USB port. Some are simply one-time password
tokens used as a second factor when authenticating, whereas others are a combination of different functions.

Answer 250

A

B. A password vault is also often referred to as a password manager. It is simply a piece of software that is utilized to store and manage credentials. Typically, the credentials are stored in an encrypted database. Having an encrypted
database protects the credentials from being compromised if the database is
obtained by a threat actor through the compromise of a system holding the
database.

Answer 251

A

A. NIST defines knowledge-based authentication (KBA) as authentication of
an individual based on knowledge of information associated with his or her
claimed identity in public databases. Knowledge of such information is considered to be private rather than secret, because it may be used in contexts other than authentication to a verifier, thereby reducing the overall assurance
associated with the authentication process. A popular use case for this type of
authentication is to recover a username or reset a password. Typically, a set
of predetermined questions is asked of the user. These questions must have
already been provided by the end user at the time of account setup or provided
as an authenticated user at a later time. The idea is that the information that
was provided is something that only the user would know. That is why it is
important to utilize a set of questions that cannot be easily guessed or are not
public knowledge.

Answer 252

A

D. Using single sign-on (SSO), a user can log in once but gain access to multiple systems without being asked to log in again. This system is complemented
by single sign-off, which is basically the reverse; logging off signs off a person
from multiple systems. SSO is meant to reduce password fatigue or password
chaos, which occurs when a person can become confused and possibly even disoriented when having to log in with several different usernames and passwords.
This system is also meant to reduce IT help desk calls and password resets.

Answer 253

A

D. Single sign-on (SSO) is a derivative of federated identity management (also
called FIM or FIdM). In this system, a user’s identity and attributes are shared
across multiple identity management systems. These various systems can be
owned by one organization; for example, Microsoft offers the Forefront Identity Manager software, which can control user accounts across local and cloud
environments.

Answer 254

A

B. Security Assertion Markup Language (SAML) is an open standard for
exchanging authentication and authorization data between identity providers.
SAML is used in many single sign-on (SSO) implementations.
The OASIS Security Assertion Markup Language standard is currently the
most-used standard for implementing federated identity processes. SAML
is an XML-based framework that describes the use and exchange of SAML
assertions in a secure way between business entities. The standard describes
the syntax and rules to request, create, use, and exchange these assertions.

Answer 255

A

B. Discretionary access control (DAC) is an access control policy generally
determined by the owner. Objects such as files and printers can be created
and accessed by the owner. Also, the owner decides which users are allowed to
have access to the objects and what level of access they may have. The levels of
access, or permissions, are stored in access control lists (ACLs).

Answer 256

A

B. Mandatory access control (MAC) is an access control policy determined by
a computer system, not by a user or owner, as it is in DAC. Permissions are
predefined in the MAC model. Historically, it has been used in highly classified government and multilevel military systems, but you can find lesser implementations of it in today’s more common operating systems as well. The
MAC model defines sensitivity labels that are assigned to subjects (users) and
objects (files, folders, hardware devices, network connections, and so on).

Answer 257

A

B. Least privilege is a security principle in which users are given only the privileges needed to do their job and not one iota more. A basic example would be
the Guest account in a Windows computer. This account (when enabled) can
surf the web and use other basic applications but cannot make any modifications to the computer system. However, least privilege as a principle goes much
further. One of the ideas behind the principle is to run the user session with
only the processes necessary, thus reducing the amount of CPU power needed.

Answer 258

A

B. Role-based access control (RBAC) is an access model that, like MAC, is
controlled by the system, and, unlike DAC, not by the owner of a resource.
However, RBAC is different from MAC in the way that permissions are configured. RBAC works with sets of permissions instead of individual permissions that are label-based. A set of permissions constitutes a role. When users
are assigned to roles, they can then gain access to resources.

Answer 259

A

A. Users need a private key to encrypt the digital signature of a private email.
The difference in type of key is the level of confidentiality. A public key certificate obtained by a web browser is public and might be obtained by thousands of individuals. The private key used to encrypt the email is not to be shared
with anyone.

Answer 260

A

B. A public key certificate obtained by a web browser is public and might be
obtained by thousands of individuals. A private key used to encrypt email is not
to be shared with anyone.

Answer 261

A

A. Most certificates are based on the X.509 standard, which is a common PKI
standard developed by the ITU-T that often incorporates the single sign-on
(SSO) authentication method.

Answer 262

A

D. Components of an X.509 certificate include the following:
■ Owner (user) information, including public key
■ Certificate authority information, including name, digital signature, serial
number, issue and expiration dates, and version

Answer 263

A

D. Many companies have subdomains for their websites. Generally, if you connect to a secure website that uses subdomains, a single certificate allows for connections to the main website and the subdomains. This is known as a wildcard
certificate; for example, *.h4cker.org, meaning all subdomains of h4cker.org.

Answer 264

A

B. By modifying the Subject Alternative Name (SAN) field, an organization
can specify additional hostnames, domain names, IP addresses, and so on.

Answer 265

A

B. Canonical Encoding Rules (CER) is a restricted version of BER in that it
allows the use of only one encoding type; all others are restricted.

Answer 266

A

B. If a root CA is compromised, all of its certificates are then also compromised, which could affect an entire organization and beyond. The entire
certificate chain of trust can be affected. One way to add a layer of security
to avoid root CA compromise is to set up an offline root CA. Because it is
offline, it cannot communicate over the network with the subordinate CAs, or
any other computers for that matter. Certificates are transported to the subordinate CAs physically using USB flash drives or other removable media. Of
course, you would need to have secure policies regarding the use and transport
of media, and would need to incorporate data loss prevention (DLP), among
other things. But the offline root CA has some obvious security advantages
compared to an online root CA. Consider this offline mindset when dealing
with critical data and encryption methods.

Answer 267

A

B. One way to add security to a certificate validation process is to use certificate pinning, also known as SSL pinning or public key pinning. It can help
detect and block many types of on-path attacks by adding an extra step beyond
normal X.509 certificate validation. Essentially, a client obtains a certificate
from a CA in the normal way but also checks the public key in the server’s certificate against a hashed public key used for the server name. This functionality must be incorporated into the client side, so it is important to use a secure and
up-to-date web browser on each client in order to take advantage of certificate
pinning.

Answer 268

A

A. Using the Linux traceroute command enables you to document hosts’
locations on your local network and map out the current location/configuration and connected devices. A baseline network diagram should be used and
continuously updated to document systems.

Answer 269

A

B. nslookup is a simple but practical command-line tool. It is principally used
to find the IP address that corresponds to a host or the domain name that corresponds to an IP address (a process called reverse DNS lookup).

Answer 270

A

C. The Linux-centric head command reads the first 10 lines of a given
filename

Answer 271

A

B. The cat command is a widely used and universal tool. It copies standard
input to standard output. The command supports scrolling if the text file
doesn’t fit the current screen.

Answer 272

A

B. A shell can have two types of variables: environment variables that are
exported to all processes spawned by the shell and shell (local) variables.

Answer 273

A

D. The environment is an area that the shell builds every time it starts a session. This area contains variables that define system properties.

Answer 274

A

C. Wireshark is available on Windows, Linux, and macOS. There are both
command-line and GUI versions.

Answer 275

A

D. The pps-multi command sets the number of packets to send for each time
interval. This option must appear in combination with the following option:
pps. This option takes an integer number as its argument. The value of the
number is constrained to being greater than or equal to one. The default number for this option is one; therefore, you should use –pps-multi=# to set pps.

Answer 276

A

B. You can use the dd tool to create a complete image of the hard disk /dev/hda
by using # dd if = /dev/hda of = ~/hdadisk.img. This image can be used to
preserve forensic evidence of a computer system that was attacked or used to
exploit other systems.

Answer 277

A

D. Three of the most notable exploitation frameworks are Metasploit, Core
Impact, and Immunity Canvas, although there are a number of less famous
frameworks.

Answer 278

A

C. Hashcat is one of the most popular and widely used password crackers in
existence. It is available on every operating system and supports more than
300 different types of hashes. It enables highly parallelized password-cracking
capabilities, enabling you to crack multiple different passwords on multiple
different devices at the same time and to support a distributed hash-cracking
system via overlays. Cracking is optimized with integrated performance tuning
and temperature monitoring.

Answer 279

A

C. There are three methods to achieve data sanitization: physical destruction,
cryptographic erasure, and data erasure. However, the downside of these techniques is that they damage the storage media and do not allow it to be sold or
reused. The only real method to ensure the data is unrecoverable is to shred
the hard drive or data as it is.

Answer 280

A

A. Playbook documents are step-by-step procedures and should be high level
and focused on specific areas such as malware, insider threats, unauthorized
access, ransomware, and phishing.

Answer 281

A

D. Data breach notification laws are becoming more common: the European
Union’s General Data Protection Regulation (GDPR), for instance, requires
that companies report data security incidents within 72 hours of discovery

Answer 282

A

C. A triage matrix provides an understanding of the severity of an incident so
that it can be prioritized quickly and correctly.

Answer 283

A

C. The lessons learned phase of the incident response process should be performed no later than two weeks from the end of the incident. A Post Incident
Response (PIR) meeting ensures information is fresh on the team’s mind.

Answer 284

A

A. The tabletop exercise is often used to validate and/or improve an organization’s incident response (IR) plan. Real-life scenarios are used to put the
response plan to the test, highlighting areas where your team excels and areas
to be addressed.

Answer 285

A

C and D. The Diamond Model places the basic components of malicious activity at one of the four points on a diamond shape: adversary, infrastructure,
capability, and victim. The model provides for analysis of threats related to
intrusion.

Answer 286

A

B. Procedures describe the way adversaries implement a technique. A procedure concerns the particular instance use and can be useful for understanding exactly how the technique is used and for replication of an incident
with adversary emulation as well for specifics on how to detect the instance
in use.

Answer 287

A

D. There are five key stakeholders for any IR team; they are IT Services, Security Management, Legal, Human Resources, and Public Relations.

Answer 288

A

C. When your team is engaged with an incident, you should have them set up
proactive alerting. They don’t need to call everyone every time, but your handlers need to plan ahead. Your incident response team needs to keep key contacts up to date so that when they have to notify contacts, it doesn’t come as a
surprise. Notifying key contacts with only incident-relevant data as it becomes
available reduces overcommunication of nonimportant data.

Answer 289

A

C. A disaster recovery (DR) plan is a formal document created by organizations that contains detailed instructions on how to respond to unplanned
incidents such as natural disasters, power outages, cyber attacks, or other disruptive events.

Answer 290

A

C. Disruptions lead to lost revenue, brand damage, and dissatisfied customers.
The longer the recovery time, the greater the adverse impact to the business.

Answer 291

A

C. Many people think a disaster recovery (DR) plan is the same as a business
continuity plan (BCP), but a DR plan focuses mainly on restoring an IT infrastructure and operations after a crisis. It’s actually just one part of a complete
business continuity plan, because a BCP looks at the continuity of the entire
organization.

Answer 292

A

A. A continuity of operations plan (COOP) ensures the restoration of organizational functions in the shortest possible time, even if services resume at a
reduced level of effectiveness or availability.

Answer 293

A

A, B, D. An incident response team is a group of people who prepare for and
respond to any emergency incident, such as a natural disaster or an interruption of business operations.

Answer 294

A

B. NIST SP 800-53 outlines the requirements that contractors and federal
agencies need to take to meet the Federal Information Security Management
Act (FISMA). It requires data retention for a minimum of three years.

Answer 295

A

A. Historical vulnerability scans can provide significant insight after an incident. By comparing the previous scans with the most recent, you can also look
for variances in devices and systems that may have been changed

Answer 296

A

D. Network vulnerability scans should include all devices with an IP address
(workstations, laptops, printers and multifunction printers, IoT devices, routers, switches, hubs, IDS/IPS, servers, wireless networks, and firewalls) and all
the software running on them.

Answer 297

A

B. Sensors should be deployed before an incident. Sensor placement around
the network allows for greater visibility and can aid in forensic investigation by
quickly identifying the depths of the spread

Answer 298

A

C. SIEMs can tune sensitivity to what is considered suspect behavior or suspicious files (risk-based prioritization) to help reduce or increase the amount of
data/matches during an investigation.

Answer 299

A

D. The log data you collect from your systems and devices may seem pretty
routine. These logs could contain the precise evidence needed to investigate
and successfully eradicate incidents from your network.

Answer 300

A

D. Session Initiation Protocol (SIP) is a signaling protocol used to establish,
maintain, and tear down a call when terminated. SIP allows the calling parties’
called user agents to locate one another using the network.

Answer 301

A

A, B, C. Syslog is available on most network devices (for example, routers,
switches, and firewalls), as well as printers and Linux-based systems. A syslog
server listens for and then logs data messages coming from syslog clients. Rsyslog and syslog-ng build on syslog capabilities by adding support for advanced
filtering and configuration. Event Viewer is a Windows-based tool that enables
users or administrators to view event logs on Windows-based remote or local
systems.

Answer 302

A

C. If you need to access logs for a specific time window—for instance, journalctl -since 2021-03-15 15:05:00—the time format is YYYY-MM-DD
HH:MM:SS. journalctl is a valuable tool used to collect logs and sort through
mountains of data to help you find a needle in a haystack.

Answer 303

A

A. NXLog can process high volumes of event logs from many different
sources. Log processing includes rewriting, correlating, alerting, filtering, pattern matching, log file rotation buffering, and prioritized processing. Application, system, and security logs are Windows-specific Event Viewer logs.

Answer 304

A

C. Bandwidth monitors track bandwidth use over all areas of the network,
including devices, applications, servers, WAN, and Internet links. One benefit
of deploying bandwidth monitors is that they map out historical trends for
capacity planning. With bandwidth monitors, you can quickly identify abnormal bandwidth usage, top talkers, and unique communications, all useful in
finding infected systems that may be exfiltrating data or scanning the network
looking to spread to other hosts.

Answer 305

A

A. Metadata is created from every activity you perform, whether it’s on your
personal computer or online, every email, web search, and social or public
application. Metadata is defined as “data that provides information about other
data.” On its own, it might not seem like much, but when combined with additional context can lead to a break in a case.

Answer 306

A

C. A flow is a unidirectional set of packets sharing common session attributes,
such as source and destination, IP, TCP/UDP ports, and type of service. NetFlow statefully tracks flows or sessions, aggregating packets associated with
each flow into flow records, which are bidirectional flows.

Answer 307

A

D. Protocol analyzers allow network engineers and security teams to capture
network traffic and perform analysis of the captured data to identify potential
malicious activity or problems with network traffic. The network traffic data
can be observed in real time for troubleshooting purposes, monitored by an alerting tool such as a SIEM to identify active network threats, and/or retained
to perform forensic analysis.

Answer 308

A

A. You spend time up front building a whitelist of approved applications for
the application approved list. Then with your central management or endpoint
security solution, you roll out the whitelist enterprisewide to all endpoints.

Answer 309

A

B. An application block list or deny list is a basic access control mechanism
that denies specific applications or code on the list from being installed or run.

Answer 310

A

D. The main action of the quarantine function is to safely store reported
objects such as malware, infected files, or potentially unwanted applications.
During an investigation, this storage log should be one of the places investigators check for evidence and history of suspect files.

Answer 311

A

D. With mobile device management (MDM), it is important to establish a
baseline understanding of the changes that are common to specific types of mobile devices. Mobile platforms have several attack vectors that you need
to consider: hardware, firmware, mobile OS, applications, and the device
combination.

Answer 312

A

D. Data loss prevention (DLP) is an end-to-end goal that ensures users do
not send sensitive or critical information outside the corporate network. The
term routinely describes software products that help a network administrator
control the data that users can view or transfer. Intellectual property, corporate
data, and customer data are some of the types of data you would use DLP to
help protect against exfiltration.

Answer 313

A

A. Once a compromised endpoint has been infected because malware, a virus,
or a Trojan was detected, or it is part of a much wider attack, it should be quarantined and isolated.

Answer 314

A

C. When you know where the issue is and what systems have been affected,
you should contain those systems so that threats cannot spread through the
network. To do this, you disable network access for the affected computers and
devices, or you place them in a sandbox network. You also should change passwords so intruders no longer have access.

Answer 315

A

D. Network segmentation is an architectural approach that divides a network
into multiple networks, subnets, or segments. It allows network administrators to control the flow of traffic between these networks based on a granular
policy.

Answer 316

A

A. A SOAR system alerts for suspected phishing emails, endpoint attacks, failed
user logins, malware, and other threat information that come from a variety
of detection sources, such as SIEMs, systems, switches, and logging services.
IT operations use a SOAR runbook for reference for routine procedures that
administrators perform. A SOAR playbook provides manual orchestration of
incident response. Web content filtering is the practice of blocking access to
web content that may be deemed offensive or inappropriate, or even contain
dangerous items.

Answer 317

A

D. Data preservation is the first step when litigation has been filed or will be
soon filed, with a focus on the preservation of data in its current state, such as
emails, SMS, MMS, and deleted messages (still on disk and not destroyed) on
all devices including cell phones, PCs, and mobile devices.

Answer 318

A

B. File formats can vary, as well as settings for recording video, such as frames
per second (FPS) and video resolution. These features can all factor into how
and what video information is stored.

Answer 319

A

B. It has become imperative that evidence collection standards and procedures
are consistent, documented, and coherent in the chain of custody. Strict guidelines are to be followed, and accurate documentation must be kept.

Answer 320

A

B. Evidence tagging helps identify collected items. A tag can consist of something as little as a sticker with the date, time, control number, and name or
initials of the investigator. Using a control number is an easy way to identify a
piece of evidence in documentation, such as a chain of custody. The combination of a tag and photographs can provide the exact location and condition in
which the item was collected.

Answer 321

A

A. The collection of evidence should start with the most volatile item and end
with the least volatile. The order of volatility is the order in which the digital
evidence is collected.

Answer 322

A

D. Forensic artifacts are objects that have forensic value. They are not behaviorally driven; they do not necessarily reflect the behavior or intent of a threat
actor or adversary. Some of the artifacts that can be extracted from suspect
hosts are logs, the registry, the browser history, the RDP cache, and Windows
Error Reporting (WER).

Answer 323

A

B. RAM is considered volatile memory. It is perceived to be more trusted than
nonvolatile memory, like ROM, disk, magnetic, or optical storage. Investigations using live forensic techniques require special handling because the volatile data in RAM can contain code used by attackers.

Answer 324

A

D. Checksums may also be called hashes. Small changes in a file produce different-looking checksums. You can use checksums to check files and other data
for errors that occur during transmission or storage, as well as for evidence in a
forensic investigation to ensure it hasn’t been tampered with

Answer 325

A

B. Cloud-based and on-premises are simply terms that describe where systems
store data. Many of the same vulnerabilities that affect on-premises systems
also affect cloud-based systems.

Answer 326

A

D. A copy of digital evidence must be properly preserved and collected in
accordance with forensic best practices. Otherwise, the digital evidence may be
inadmissible in court, or spoliation sanctions may be imposed.

Answer 327

A

A. Organizations should have a legal hold process to perform e-discovery to
preserve and gather such information.

Answer 328

A

C. Forensic data recovery is the extraction of data from damaged, deleted, or
purposely destroyed evidence sources in a forensically sound manner. This
method of recovering data means that any evidence resulting from it can later
be relied on in a court of law.

Answer 329

A

D. Nonrepudiation makes it difficult to successfully deny who and where
a message came from as well as the authenticity and integrity of that message. Digital signatures can offer nonrepudiation when it comes to online
transactions.

Answer 330

A

A. Counterintelligence is information gathered and activities conducted to
protect against espionage, other intelligence activities, or sabotage conducted
by or on behalf of other elements. The intelligence is designed to quickly direct
resources to the most significant problems first and address them head on.

Answer 331

A

A. Managerial controls are techniques and concerns addressed by an organization’s management (managers and executives). Generally, these controls
focus on decisions and the management of risk. They also concentrate on
procedures, legal and regulatory policies, the software development lifecycle
(SDLC), the computer security lifecycle, information assurance, and vulnerability management/scanning. In short, these controls focus on how the security
of your data and systems is managed.

Answer 332

A

B. Operational controls are the controls executed by people. They are
designed to increase individual and group system security. They include user
awareness and training, fault tolerance and disaster recovery plans, incident
handling, computer support, baseline configuration development, and environmental security. The people who carry out the specific requirements of these
controls must have technical expertise and understand how to implement what
management desires of them

Answer 333

A

A. Technical controls are the logical controls executed by the computer system.
Technical controls include authentication, access control, auditing, and cryptography. The configuration and workings of firewalls, session locks, RADIUS
servers, or RAID 5 arrays would be within this category, as well as concepts
such as least privilege implementation.

Answer 334

A

D. Preventative controls are employed before an event and are designed to
prevent an incident. Examples include biometric systems designed to keep
unauthorized persons out, network intrusion prevention systems (NIPSs) to
prevent malicious activity, and RAID 1 to prevent loss of data. They are also
sometimes referred to as deterrent controls. Preventative controls enforce security policy and should prevent incidents from happening. The only way to
bypass a preventative control is to find a flaw in its implementation or logic.
These controls are usually not optional. Examples of preventative controls are
access lists, passwords, and fences

Answer 335

A

D. Detective controls aim at monitoring and detecting any unauthorized
behavior or hazard. These types of controls are generally used to alert of a
failure in other types of controls such as preventative, deterrent, and compensating controls. Detective controls are very powerful while an attack is taking
place, and they are useful in the post-mortem analysis to understand what
has happened. Audit logs, intrusion detection systems, motion detection, and
Security Information and Event Management (SIEM) systems are examples of
detective controls.

Answer 336

A

B. Corrective controls are used after an event. They limit the extent of damage
and help the company recover from damage quickly. Tape backup, hot sites,
and other fault tolerance and disaster recovery methods are also included here.
They are sometimes referred to as compensating controls. Corrective controls include all the controls used during an incident to correct the problem.
Quarantining an infected computer, sending a guard to block an intruder, and
terminating an employee for not having followed the security policy are all
examples of corrective controls.

Answer 337

A

B. Compensating controls, also known as alternative controls, are mechanisms
put in place to satisfy security requirements that are either impractical or too
difficult to implement. For example, instead of using expensive hardwarebased encryption modules, an organization might opt to use network access
control (NAC), data loss prevention (DLP), and other security methods. Or,
on the personnel side, instead of implementing separation of duties, an organization might opt to do additional logging and auditing. You should approach
compensating controls with great caution. They do not give the same level of
security as their replaced counterparts.

Answer 338

A

A. The General Data Protection Regulation is a European Union (EU) law
that was enacted in 2018. Its overall focus is on data protection and privacy
for individuals. Although it is a law enacted in the EU, it applies to any organization collecting information about people in the EU. This means that if
your organization collects and handles the personal data of EU citizens, then
this regulation applies to you. For instance, if you run a business that offers
goods or services in the EU and that business requires you to collect information about your customers, then you would be required to follow the GDPR
requirements. Not following them could result in large fines. This is one of the
factors that makes GDPR a larger concern to organizations than many other
laws that have been in place for many years. GDPR penalties can be very high.
For additional information on GDPR, refer to https://gdpr.eu/.

Answer 339

A

B. The Sarbanes–Oxley Act (SOX), enacted in 2002, governs the disclosure of
financial and accounting information.

Answer 340

A

A. The Health Insurance Portability and Accountability Act (HIPAA), enacted
in 1996, governs the disclosure and protection of health information.

Answer 341

A

D. The Center for Internet Security (CIS) is a nonprofit organization that was
established in 2000. Its overall goal is to provide security best practice guidance for enhancing the security of cyberspace.

Answer 342

A

C. The National Institute of Standards and Technology (NIST) developed the
Risk Management Framework (RMF) in 2017 as a result of an executive order
from the president, which required all federal agencies to comply with it. For
mor information about the NIST RMF, visit www.nist.gov/cyberframework/
risk-management-framework.

Answer 343

A

C. The National Institute of Standards and Technology (NIST) developed the
Cybersecurity Framework (CSF) in 2014 as a result of executive order 13636
from the president. The NIST CSF is made of five core functions: Identify,
Protect, Detect, Respond, and Recover. For more information about the NIST
CSF, visit www.nist.gov/cyberframework.

Answer 344

A

A. The Cloud Security Alliance (CSA) is a nonprofit organization established
in 2008 with the goal of promoting security best practices in cloud computing environments. The Cloud Controls Matrix is a framework established by
the CSA for cloud computing. This organization also developed the reference architecture to help cloud providers with guidance on developing secure
interoperability best practices. For more information related to CSA, visit
https://cloudsecurityalliance.org/.

Answer 345

A

C. Security Content Automation Protocol (SCAP) was created to provide
a standardized solution for security automation. The SCAP mission is to
maintain system security by ensuring security configuration best practices are
implemented in the enterprise network, verifying the presence of patches, and
maintaining complete visibility of the security posture of systems and the organization at all times.

Answer 346

A

A. The Privacy Act of 1974 sets many standards when it comes to the security
of personally identifiable information (PII). However, most organizations
will go further and define their own privacy policy, which explains how users’
identities and other similar information will be secured. For example, if an
organization has an Internet-based application that internal and external users
access, the application will probably retain some of their information—possibly details of their identity. Not only should this information be secured,
but the privacy policy should state in clear terms what data is allowed to be
accessed, and by whom, as well as how the data will be retained and distributed
(if at all). An organization might also enact a policy that governs the labeling
of data to ensure that all employees understand what data they are handling
and to prevent the mishandling of confidential information. Before any system
administrators or other personnel gather information about these users, they
should consult the privacy policy.

Answer 347

A

B. Acceptable use policies (AUPs) define the rules that restrict how a computer, network, or other system may be used. They state what users are and are
not allowed to do when it comes to the technology infrastructure of an organization. Often, employees must sign an AUP before they begin working on any
systems. This policy protects the organization but also defines to employees
exactly what they should and should not be working on.

Answer 348

A

A. Separation of duties defines when more than one person is required to
complete a particular task or operation. This distributes control over a system,
infrastructure, or particular task.

Answer 349

A

D. When it comes to information security, due diligence means ensuring that
IT infrastructure risks are known and managed. An organization needs to
spend time assessing risk and vulnerabilities and might state in a policy how it
will give due diligence to certain areas of its infrastructure.

Answer 350

A

D. Due care is the mitigation action that an organization takes to defend
against the risks that have been uncovered during due diligence.

Answer 351

A

B. Due process is the principle that an organization must respect and safeguard
personnel’s rights. The purpose is to protect the employee from the state and
from frivolous lawsuits.

Answer 352

A

A. All employees should be trained on personally identifiable information
(PII). This information is used to uniquely identify, contact, or locate a person.
This type of information could be a name, birthday, Social Security number,
biometric information, and so on. Employees should know what identifies
them to the organization and how to keep that information secret and safe
from outsiders. Another key element of user education is the dissemination of
the password policy. Employees should understand that passwords need to be
complex and know the complexity requirements. They should also understand
that they should never give out their password or ask for another person’s password to any resource.

Answer 353

A

C. A memorandum of understanding (MOU) is not an agreement at all, but
an understanding between two organizations or government agencies. It does
not specify any security controls either. However, a memorandum of agreement
(MOA) does constitute a legal agreement between two parties wishing to work
together on a project but still does not detail any security controls.

Answer 354

A

B. A business partnership agreement (BPA) is a type of contract that can establish the profits each partner will get, what responsibilities each partner will have, and exit strategies for partners. Often this type of agreement applies to
supply chain and business partners.

Answer 355

A

B. Top secret means the highest sensitivity of data; few people should have
access, and security clearance may be necessary. Information is broken into
sections on a need-to-know basis.

Answer 356

A

B. When you’re discussing policies for systems internal to your organization
or devices that are owned by your organization, such as servers and laptops, it
is also important to detail policies regarding how they should be deployed. For
instance, service accounts should follow a specific credential policy. Often service accounts have higher-level permissions to enable the specific service. That
means these accounts can cause more damage if they are compromised. They
should always be configured using the least privilege approach. There should
also be a service account for each service.

Answer 357

A

B. Change management is a structured way of changing the state of a computer system, network, or IT procedure. The idea behind this is that change
is necessary, but that an organization should adapt with change and be knowledgeable of it. Any change that a person wants to make must be introduced
to the heads of each department that it might affect. They must approve the
change before it goes into effect. Before this happens, department managers
will most likely make recommendations and/or give stipulations. When the
necessary people have signed off on the change, it should be tested and then
implemented. During implementation, it should be monitored and documented carefully.

Answer 358

A

A. Risks to your organization or environment can come in many shapes and
forms. The primary concern of most organizations is external risk. This is,
of course, the biggest concern to most because it is risk that comes from an
external entity who could have many different motivations and therefore
targets the inside of your organization. Many imagine an external “hacker”
as someone sitting in a basement hammering away at the keyboard in front
of 10 different monitors in a black hoodie. That, of course, is usually not the
case. External risk most likely is from an organized threat actor or an organization of threat actors who have various motivations. To carry out their
attacks, they will use many different methods. The primary goal of external
attackers is to gain access to your organization’s computing environment,
gain a foothold, and keep it as long as possible to carry out their objectives,
whatever they may be.

Answer 359

A

B. Many organizations tend to overlook internal risks. The majority of internal risk stems from employees or those internal to the organization such as
contractors. While the motivation of external cybercriminals may be to gain
and keep access, the internal threat actor already has access to the organization’s environment. This person’s motivations are usually different from those
of external threat actors—although the goal may be the same in the end. Most
internal attacks result in the exfiltration or destruction of sensitive data that
belongs to the organization. The theft of intellectual property (IP) is a primary
goal of internal and external threat actors.

Answer 360

A

A. Risk management can be defined as the identification, assessment, and prioritization of risks, and the mitigating and monitoring of those risks. Specifically, when we talk about computer hardware and software, risk management
is also known as information assurance (IA). The two common models of IA
include the well-known CIA, and the DoD’s “Five Pillars of IA,” which comprise the concepts of the CIA triad (confidentiality, integrity, and availability)
but also include authentication and nonrepudiation.

Answer 361

A

D. Some organizations opt to avoid risk. Risk avoidance usually entails not carrying out a proposed plan because the risk factor is too great. An example of
risk avoidance: If a high-profile organization decided not to implement a new
and controversial website based on its belief that too many attackers would
attempt to exploit it.

Answer 362

A

C. An example of risk transference (also known as risk sharing) would be an
organization that purchases cybersecurity insurance for a group of servers in
a data center. The organization still takes on the risk of losing data in the case
of server failure, theft, and disaster, but transfers the risk of losing the money
those servers are worth in case they are lost.

Answer 363

A

B. Risk assessment is the attempt to determine the number of threats or hazards that could possibly occur in a given amount of time to your computers
and networks.

Answer 364

A

B. Qualitative risk assessment is an assessment that assigns numeric values to
the probability of a risk and the impact it can have on the system or network.

Answer 365

A

C. NIST defines risk mitigation as “prioritizing, evaluating, and implementing
the appropriate risk-reducing controls/countermeasures recommended from
the risk management process.”

Answer 366

A

A. Person-made disasters can be defined as being caused by the influence of
humans.

Answer 367

A

A. Mean time between failures (MTBF) defines the average number of failures
per million hours of operation for a product in question.

Answer 368

A

A. Although it’s impossible to predict the future accurately, it can be quantified on an average basis using concepts such as mean time between failures
(MTBF).

Answer 369

A

A. Regardless of what industry you are responsible for protecting, the ultimate
goal is to protect your intellectual property. This is, of course, the crown jewels
and can be in many different forms. For a company that develops software, the
crown jewels are the source code of the product it is selling. Even a company
that produces food products has intellectual property that it is trying to protect, such as a secret recipe

Answer 370

A

B. The US Securities and Exchange Commission (SEC) requires that any
publicly traded company provide a public notification and disclosure of a data
breach.

Answer 371

A

A. Unauthorized access to top secret information would cause grave damage to
national security.

Answer 372

A

D. Unauthorized access to unclassified information would cause no damage to
national security

Answer 373

A

D. Unauthorized access to private information could cause severe damage to
the organization. Examples of information or assets that could receive this type
of classification are human resources (HR) information (for example, employee
salaries) and medical records.

Answer 374

A

B. According to the Executive Office of the President, Office of Management
and Budget (OMB) and the U.S. Department of Commerce, Office of the
Chief Information Officer, personally identifiable information, or PII, refers to
“information which can be used to distinguish or trace an individual’s identity.”

Answer 375

A

B. Data minimization is a term used to explain a concept or approach to privacy design. The overall concept of data minimization is simply to minimize
the amount of your personal information that is consumed by online entities.
Data minimization is a privacy tool that is used in many different ways. For
instance, a website may choose to not store your personal information if it is
not needed—as opposed to many that store it and even resell it for a profit.
Additionally, it can be used to develop policies regarding the amount of time
the data that is collected about you is actually maintained before being permanently deleted. Individuals can also use tools that will clear information from
applications such as web browsers. As you know, web browsers collect a large
amount of data, which could in turn be compromised. Minimizing this data
reduces the risk of such a compromise.

Answer 376

A

C. Another privacy enhancing technology concept is data masking. The goal
of data masking is to protect or obfuscate sensitive data. This goal must be
achieved while not rendering the data unusable in any way. An example of data
masking being used in a real-world environment would be data that is displayed on terminal screens in banks or doctors’ offices. Social Security numbers can be masked to show only the last four digits so that they can be used
for verification purposes while not exposing the full Social Security number.

Answer 377

A

B. The data owner, also called the information owner, is usually part of the
management team and maintains ownership of and responsibility over a
specific piece or subset of data. Part of the responsibility of this role is to
determine the appropriate classification of the information, ensure that the
information is protected with controls, to periodically review classification and
access rights, and to understand the risk associated with the information.

Answer 378

A

D. The General Data Protection Regulation (GDPR) in the European Union
(EU) defines the information lifecycle in four different phases. It is sometimes
named differently based on the source; however, the phases themselves are still
the same. Starting with the collection of data, this is obviously the phase where
the data is consumed by the data processor. GDPR states that when collecting data there must be a defined consent from the data owner as well as a clear
definition of how the data will be used. The overall intent is to follow the principle of collecting only data that is necessary and not overcollecting.

Answer 379

A

A. Before data is collected, stored, secured, and disposed of throughout the
information lifecycle, it is important to understand how that data, if compromised, could impact the privacy of the individuals whose data it holds. To
accomplish this, an organization should complete an impact assessment on any
new projects that are to be instated where data will be collected as well as any
time the scope of the data use will change. These impact assessments are also
sometimes called Privacy Impact Assessments (PIAs) or Data Privacy Impact
Assessments (DPIAs). The result of an impact assessment should produce
some kind of report that will identify specific high risks to the data subjects
and provide recommendations on how that risk can be minimized. A PIA or
DPIA is also something that is required in the GDPR.

Answer 380

A

D. Another privacy concept that has been adopted by the General Data Protection Regulation (GDPR) in the European Union (EU) is the terms of
agreement. In many cases, this is called the data processing agreement. The
overall purpose of the data processing agreement is to protect the personal
information and the individuals the data is about. The agreement is actually a
legal contract that is agreed upon by any entities that will fit the role of data
processor in the information lifecycle. This is one of the basic requirements of
GDPR and will lead to fines if not followed by an organization collecting data.

Answer 381

A

D. Along with the agreement of how data will be collected, utilized, and processed by an organization, the organization must also provide notification to
the individuals it is collecting data from or about. Again, this is a requirement
for the General Data Protection Regulation (GDPR) in the European Union
(EU). GDPR ensures that individuals are notified about how their data is
being used. This is done via a privacy notice. The notice itself is a document
sent from the collecting organization stating how it is conforming to data
privacy principles.

Brainscape's Knowledge GenomeTM

CompTia practice questions Flashcards

Brainscape's Knowledge Genome^TM