CompTIA SYO-701 (ET) Test Flashcards

Question

A company purchased cyber insurance to address items listed on the risk register. Which of the following strategies does this represent? ## Footnote A. Accept B. Transfer C. Mitigate D. Avoid

Answer 1

B. Transfer ## Footnote Transferring a risk involves shifting some or all of the risk to another party, such as an insurance provider, through contractual agreements or financial arrangements.

Answer 2

C. Full disk ## Footnote **Fulldisk encryption**, this encrypts the whole storage drive of the device, including OS, files, app data, etc. the reason its not the other options **partition** encryption - only encrypts the partition, meaning if there are multiple partitions then some of them could be left unencrypted and a threat actor could steal data in them. **Asymmetric** encryption - is an encryption technique using Public Key, private key methodology. **Database** encryption - is used to encrypt databases (schema) or data within the databases.

Answer 3

D. Preventive ## Footnote An acceptable use policy is designed to prevent security incidents by defining the acceptable and unacceptable behaviors and actions for users within an organization. By setting clear guidelines and expectations, it aims to prevent misuse and ensure that users adhere to security protocols, thereby reducing the risk of security breaches.

Answer 4

D. Least privilege ## Footnote **Least privilege** is a security principle that states that users should only be granted the minimum level of access or permissions necessary to perform their job functions. By restricting access to the administrator console of the help desk software to only the IT manager and the help desk lead, the IT manager is adhering to the principle of least privilege, ensuring that only those individuals who require administrative access have it, thereby reducing the risk of unauthorized access and potential misuse.

Answer 5

C. Risk register ## Footnote A **risk register** is a tool commonly used in risk management that records details of all identified risks, including descriptions, responsible parties, risk categories, likelihood and impact, mitigation measures, and thresholds for action. It serves as a central repository for all information about risks, making it easier to manage and track them.

Answer 6

D. Change management procedure ## Footnote Implementing new firewall rules is a significant change to the network security infrastructure. Adhering to change management procedures ensures these changes are made systematically, reducing the risk of errors and enhancing the security posture.

Answer 7

B. Bug bounty ## Footnote A **bug bounty** program incentivizes external security researchers to find and report vulnerabilities in a company's applications or systems. Researchers are compensated based on the severity and impact of the vulnerabilities they uncover, helping the company to improve its security posture by leveraging a wide range of expertise. Offensive Penetration Testing is also known as **Red Team**. **Penetration Testing** Actively seeks vulnerabilities and attempts to exploit them, like a real cyber attack, also Helps uncover and report vulnerabilities to improve security,

Answer 8

C. Nation-state ## Footnote **Nation-state** actors are government-backed groups or organizations that engage in cyber activities as part of national interests. They have significant financial and technical resources and often target critical infrastructure, defense systems, and other high-value targets in foreign countries. The nation-state is the most likely threat actor to use vast financial resources for international cyber attacks, aligning with the scenario's description of attacking critical systems across borders.

Answer 9

D. SQL injection ## Footnote **SQL injection** is a type of attack that involves inserting malicious SQL statements into an input field. These statements can then be executed by the database, allowing the attacker to view or manipulate the data. This can lead to unauthorized access to the database, data leakage, or even the modification and deletion of data. **Cross-Site Scripting** involves injecting malicious scripts into webpages viewed by other users, but it does not specifically involve running commands that directly view or manipulate data in a database. **Side Loading** typically refers to installing applications from unofficial sources, not related to input fields and running commands. **Buffer Overflow** involves exploiting a program by writing more data to a buffer than it can hold, potentially allowing the execution of arbitrary code, but it does not specifically use input fields to run commands on data.

Answer 10

B. Intellectual property ## Footnote Research and development teams typically handle sensitive information related to new inventions, designs, processes, and technologies. This type of data is considered intellectual property (IP) and is crucial for maintaining a competitive edge in the market. Protecting this data from unauthorized access, theft, or misuse is a primary concern, hence the extensive training provided to these employees.

Answer 11

C. Modify the content of recurring training. ## Footnote To improve the situational and environmental awareness of existing users as they transition from remote to in-office work, the best option is: C. Modify the content of recurring training. Modifying the content of recurring training to include specific topics relevant to the transition from remote to in-office work will ensure that users are aware of the new security protocols and potential threats they might face in the office environment. This approach provides a structured and comprehensive way to address the unique aspects of both environments and helps reinforce best practices.

Answer 12

D. Dashboard ## Footnote Dashboards offer a clear and intuitive way to present complex data, making it easier for board members to grasp the overall security posture and trends over time.

Answer 13

D. A rootkit was deployed. ## Footnote A change in the hash of a critical system file like cmd.exe, without any corresponding patches or updates being applied, is a strong indicator of potential malicious activity. A rootkit is a type of malware that can modify system files and hide its presence to maintain persistent and privileged access to a system. If a rootkit has altered cmd.exe, it could be an attempt to replace the legitimate command prompt with a malicious version, or to modify its behavior for nefarious purposes. This is a serious security concern and should be investigated immediately.

Answer 14

A. Client ## Footnote The client is the one who is utilizing the data, & would be responsible in the handling, & security of database within the infrastructure provided by the Cloud Provider, or Third-Party Vendor.

Answer 15

D. SOW ## Footnote The company should provide the client with a Statement of Work (SOW). A **Statement of Work** is a document that outlines the details of a project, including the scope, deliverables, timeline, and cost. It is used to ensure that both the client and the service provider have a clear understanding of the project's requirements and expectations. - **MSA (Master Service Agreement)** An overarching contract that defines the terms and conditions under which services will be provided. - **SLA (Service Level Agreement)** A contract that defines the level of service expected from the service provider. - **BPA (Business Partnership Agreement)** An agreement that defines the relationship and responsibilities between business partners.

Answer 16

C. Input validation

Answer 17

A. Ease of recovery D. Responsiveness ## Footnote Ease of recovery. This is essential for high availability because the network must be able to recover quickly from failures to minimize downtime. - Responsiveness. Ensuring that the network can handle high traffic loads and respond quickly to user requests is crucial for maintaining high availability. Other factors like physical isolation, ability to patch, attack surface, and extensible authentication are important for security and maintenance but are not primary considerations for high availability.

Answer 18

C. Create a change control request. ## Footnote Change Control is the process that management uses to identify, document and authorize changes to an IT environment. It minimizes the likelihood of disruptions, unauthorized alterations and errors. The change control procedures should be designed with the size and complexity of the environment in mind.

Answer 19

D. To prevent future incidents of the same nature ## Footnote Root cause analysis is fundamental to preventing future incidents by addressing the underlying issues rather than merely treating the symptoms. This approach helps build a more resilient security infrastructure. Also, Conducting RCA contributes to continuous improvement in security practices, policies, and technologies, enhancing the organization's overall security posture.

Answer 20

A. Capacity planning ## Footnote Capacity planning involves determining the staffing levels needed to sustain business operations during a disruption. This ensures that the organization has sufficient human resources to maintain essential functions and minimize downtime.

Answer 21

C. Geolocation policy ## Footnote Implementing a geolocation policy allows the company to configure the SaaS application to block access from IP addresses originating in high-risk countries. This is accomplished by using IP geolocation data to determine where a connection attempt is coming from. Geolocation policies are effective for preventing unauthorized access based on geographic location, ensuring that sensitive documents remain secure from individuals in regions identified as high-risk.

Answer 22

A. Firmware version ## Footnote the firmware version (option A) is directly related to the hardware and represents a potential point of vulnerability that attackers could exploit. Firmware is the software that controls the basic functionality of hardware devices, and vulnerabilities in firmware can lead to security breaches. Options B, C, and D (buffer overflow, SQL injection, and cross-site scripting) are software vulnerabilities and are not inherently tied to hardware components.

Answer 23

B. Testing the policy in a non-production environment before enabling the policy in the production network ## Footnote By testing the policy in a non-production environment, the technician can identify potential issues, such as legitimate traffic being blocked, before applying the changes to the production network. This approach allows for adjustments and troubleshooting in a safe setting, minimizing the risk of disruption to business operations.

Answer 24

D. Warm ## Footnote The primary difference between a hot site and cold site is the readiness to be up and running. With a recent backup of data and all IT systems operating, a hot site provides redundancy and is essentially a second data center that will result in minimal to no downtime. To get a cold site up and running means planning for setup time and resources.

Answer 25

B. Sanitization ## Footnote Sanitization involves securely erasing data from hard drives to ensure that it cannot be recovered or accessed by unauthorized individuals. This process is essential before decommissioned systems are sent to recycling to protect sensitive information. Enumeration, destruction, and inventory do not specifically refer to the secure erasure of data from hard drives.

Answer 26

C. Sensitive

Answer 27

A. Local data protection regulations ## Footnote When a U.S.-based cloud-hosting provider is considering expanding its data centers to new international locations, the first thing they should consider is local data protection regulations. These regulations govern how personal or sensitive data is collected, stored, processed, and transferred across borders. Different countries have different regulations, such as the GDPR in the EU or PIPEDA in Canada. Compliance with these regulations is crucial to avoid legal penalties, fines, or reputational damage

Answer 28

B. Application allow list

Answer 29

D. Red ## Footnote Offensive Penetration Testing , Known as “red teaming” Actively seeks vulnerabilities and attempts to exploit them, like a real cyber attack. Helps uncover and report vulnerabilities to improve security, & Can simulate real-world attacks and gain support for cybersecurity investments

Answer 30

B. Performing code signing on company-developed software ## Footnote **Code signing** involves applying a digital signature to software, verifying the identity of the developer and ensuring that the code has not been altered or tampered with since it was signed. This process provides assurance of the authenticity and integrity of the software. **Testing input validation**, performing static code analysis, and **ensuring secure cookies** are important security practices but do not specifically address the need to verify the authenticity of the code.

Answer 31

A. Honeypot ## Footnote **Honeypot** - a network-attached system set up as a decoy to lure cyber attackers and detect, deflect and study hacking attempts on systems. **Geofencing** - Virtual boundaries to restrict data access based on location **Zero Trust **- demands verification for every device, user, and transaction within the network, regardless of its origin

Answer 32

A. Analysis ## Footnote During an investigation, the incident response team engages in the process of understanding the source of an incident through analysis. This involves examining the data and evidence collected to determine how the incident occurred, its origin, and its impact.

Answer 33

C. Rescan the network. ## Footnote Rescanning the network is essential to verify that the previously identified vulnerabilities have been successfully remediated and to ensure that no new vulnerabilities have been introduced. This step confirms the effectiveness of the remediation efforts before moving on to further actions such as audits, penetration tests, or reporting.

Answer 34

D. Insider threat

Answer 35

B. Non-repudiation

Answer 36

A. Automation ## Footnote Automation involves using tools and scripts to regularly check and report on the security settings of servers. This method ensures consistent, real-time monitoring and can quickly detect any unauthorized changes. It is more reliable and efficient compared to manual methods, compliance checklists, or periodic attestations, which may not capture changes as promptly or consistently.

Answer 37

D. DLP ## Footnote Data Loss Prevention (DLP) solutions monitor, detect, and block sensitive data from being sent outside an organization through email, file transfers, and other communication methods. DLP can be configured to detect specific data patterns, such as social security numbers, credit card information, or other forms of PII.

Answer 38

C. Input validation ## Footnote Input validation is the process of analyzing inputs and disallowing those which are considered unsuitable. Ie: Only allowing accepted inputs based on specific criteria

Answer 39

C. Update the EDR policies to block automatic execution of downloaded programs. ## Footnote Implementing EDR policy updates directly addresses the risk posed by phishing attacks by stopping malicious code from executing, thereby reducing the potential impact of users clicking on phishing links. Endpoint Detection and Response (EDR) focuses on identifying and addressing security threats at the endpoint level, such as laptops, desktops, and mobile devices

Answer 40

A. Compensating control ## Footnote A compensating control is a security measure that is put in place to satisfy the requirements of a security policy or standard when the primary control cannot be implemented. In this case, the host-based firewall on a legacy Linux system allowing connections from only specific internal IP addresses serves as a compensating control to protect the system by limiting access to trusted sources.

Answer 41

D. User provisioning script ## Footnote A user provisioning script automates the process of creating user accounts, ensuring that each new account is set up with the correct access and permissions consistently. This helps prevent errors that can occur with manual account creation.

Answer 42

C. Detective ## Footnote A Security Information and Event Management (SIEM) system is primarily used to detect security incidents by collecting and analyzing logs from various sources.The setup of a SIEM system and regular log reviews is focused on identifying incidents, making it a classic example of a detective control, which is intended to uncover issues rather than prevent them.

Answer 43

A. Serverless framework ## Footnote A serverless framework is a cloud-based application-hosting solution that allows developers to build and run applications without managing the underlying infrastructure. It is typically a low-cost option because it charges based on the actual usage of the resources rather than requiring the provisioning of dedicated servers.

Answer 44

A. Tuning ## Footnote Tuning refers to the process of adjusting the configuration of a system, in this case, the security operations center’s detection systems, to reduce or eliminate the number of false positives. In this context, if the so-called “malicious activity” is determined to be normal and is expected to recur, the system can be tuned to ignore this activity in the future, preventing unnecessary alerts.

Answer 45

C. An attacker is attempting to brute force ismith's account. ## Footnote The log entries show multiple successful password authentications followed by multiple failed MA (Multi-Factor Authentication) attempts due tc invalid codes. This pattern suggests that the user's password has been correctly entered multiple times, but the MrA codes are consistently fallin The best explanation Tor what the security analyst nas discovered Is. C. An attacker is attempting to brute force smith's account The repeated successtul password authentications followed by tailed MA attempts indicate that an attacker may have obtained the user's password and is now tring to bypass the second laver of security, the MFA, by attempting multiple invalid codes

Answer 46

B. Geographic dispersion ## Footnote Geographic dispersion involves placing critical infrastructure in multiple, geographically distant locations. This strategy ensures that even if one si Is attected by a weather event, operations can continue at another site, minImizing downtime and maintaining avallability.

Answer 47

D. Jailbreaking ## Footnote Jailbreaking is the correct answer because it directly affects the security of personal devices used in a BYOD program. Jalibreaking removes bullt-in security controls, making devices vulnerable to various threats and is a primary concern for companies allowing personal devices to access corporate networks and data.

Answer 48

C. ARO ## Footnote MTTR = mean time to repair RTO = recovery time objective ARO = annualized rate of occurance MTBF = mean time between failures.

Answer 49

A. Reporting phishing attempts or other suspicious activIties

Answer 50

A. Preparation

Answer 51

D. Web-based administration ## Footnote **Web-based administration**, also known as remote management or HTTP/HTTPS access, is a common feature in routers that allows administrators to manage the device remotely using a web browser. However, this feature also introduces a potential vulnerability, as it opens up the router to potential web-based attacks. Disabling web-based administration would reduce the attack surface and prevent potential exploits, making the router more secure **Console access (A)** is necessary for local management, **routing protocols (B)** are essential for network operation, and **VLANs (C) **are used fol network segmentation and securit. Disabling web-based administration (D) is the most appropriate option to harden the router.

Answer 52

D. FIM (File Integrity Monitoring) ## Footnote **File Integrity Monitoring (FIM)** is a security technology that monitors and detects changes in files. FIM solutions can track modifications, access, deletions of files and notity administrators of any changes, thus ensuring data integrity and security. **Group Policy Objects (GPOs)** let system admins control and implement cybersecurity measures from a single location **Sender Policy Framework (SPF)** is an email authentication method designed to detect and prevent email spoofing **Network access control (NAC)** is a security solution that enforces policy on devices that access networks to increase network visibility and reduce risk.

Answer 53

A. Key Escrow B. ТРМ presence ## Footnote **Key escrow** This is important to ensure that encryption keys can be recovered in case they are lost or forgotten. It is a crucial consideratior for Full Disk Encryption (FDE) to maintain access to data even if issues arise with the primary encryption keys. **TPM presence:** Trusted Platform Module (TPM) is a hardware-based security feature that can store encryption keys securely. Ensuring the presence of TPM on laptops enhances the security of FDE by protecting the encryption keys being accessed or tampered with.

Answer 54

B. Setting up a VPN and placing the jump server inside the firewall ## Footnote Setting up a VPN and placing the jump server inside the firewall is the most secure approach because it reduces the attack surface and ensures only authorized users can access the remote desktop service. This solution addresses the primary security concern ot protecting sensitive production systems by ensuring that only verified users can gain access, thus minimizing the attack surface and potential vulnerabilities.

Answer 55

D. IPS (Intrusion Prevention System) ## Footnote A. **ACL (Access control List**: ACLS are used to control the flow of trattic based on rules, but they are not dynamic enough to monitor or block signature-based attacks effectively. B. **DLP (Data Loss Prevention)**: DLP systems are focused on preventing data breaches by detecting and blocking potential data leaks/exfiltration not on monitoring or blocking attacks per se. C. **IDS (Intrusion Detection Svstem)**: While an IDS can detect known sianature-based attacks. it does not block them: it only alerts the system administrators of the potential threat. D. **IPS Intrusion Prevention System)**: As mentioned, an IPS actively monitors and blocks attacks, making it the most suitable option for the scenario described

Answer 56

C. Safety controls should fail open. ## Footnote **satety controls falling open** is a critical design principle that ensures human life is prioritized in the event ot a failure. This principle applies to situations where failing open provides an immediate satety benefit, such as allowing exit doors to unlock automatically during a fire. **Fail Close**: Locks controls such as access to the perimeter. & devices to protect from exfiltration

Answer 57

B. Containers ## Footnote Containers is the correct answer because they are specifically designed to provide flexibility and scalabity in constantly changing environments. containers allow for rapid deployment and scaling. making them ideal for dynamic applications that need to adapt to frequent changes and updates. furthermore containers are particularly well-suited for microservices architectures, continuos integration continuous deplovment (CI/CD) pipelines, and environments that need to rapidly adapt to change. RTOS = Real Time Operating System Supervisory Control and Data Acquisition (SCADA)

Answer 58

B. Chain of custody ## Footnote **Chain of custody** is the process that ensures evidence is properly handled and documented throughout its lifecycle.

Answer 59

D. updating processes for sending wire transfers ## Footnote Updating the processes for sending wire transfers would most likely prevent this type of activity in the future. This could include implementing additional verification steps, such as requiring multiple levels of approval, verifying new payment instructions through a separate communication channel, or implementing a callback procedure to contirm the authenticity of the instructions.

Answer 60

B. Orchestration ## Footnote Orchestration provides a comprehensive approach to automating complex workflows, making it an excellent choice for efficiently managing account creation processes in large-scale environments.Orchestration is ideal for automating the creation of user accounts, as it can handle the sequence of tasks required to set up accounts, such as creating usernames, assigning permissIons, contIgurIng email, and setting up directory

Answer 61

C. Subject ## Footnote In this scenario, the customers are the data subjects because the sensitive information collected, modified, and stored by the marketing department pertains to them. The customers are the individuals whose data is being processed

Answer 62

D. Risk Threshold

Answer 63

B. Data is being exfiltrated. ## Footnote The scenario describes an internal system sending unusual and large amounts of DNS queries to external systems, especially during non-busines hours. This behavior Is indicative ot data exfiltration, where an attacker tries to move data out ot the network covertly.

Answer 64

D. Vulnerable software ## Footnote Vulnerable software is the correct answer because: * Direct Risk Connection: Opening firewall ports directly exposes the system's software to external threats. If the software has vulnerabilities, thes can be exploited by attackers, especially when exposed to the internet or external networks. * Exploitation Potential Known Vulnerabilities in software can be easIiy targeted by attackers using automated tooIs to scan an exploit open ports. *Immediate security concern: The primary concern with opening ports is exposing internal systems to external attacks, making any vulnerabilities in the software a direct threat.

Answer 65

B. SQL injection ## Footnote SQL injection is an attack that targets vulnerabilities in a database by injecting malicious SQL code into input fields. It takes advantage of misconfigured or improperly secured databases that do not validate or sanitize user input.

Answer 66

A. OCSP ## Footnote OCSP (Online Certification Status Protocol), is the protocol that checks a certificate for validitiy and if its been revoked by CA (Certificate Authroity).

Answer 67

B. Firmware ## Footnote BIOS update addresses vulnerabilities at the firmware level. The BIOS is an essential component of the system's firmware, and updates to it are intended to fix security vulnerabilities, improve compatibility, and enhance overall system stability.

Answer 68

B. CVSS (Common Vulnerability Scoring System) ## Footnote **CVSS** is specitically designed to quantitatively measure the criticality ot a vulnerability. **CVE (Common Vulnerabilities & Exposures)** is a dictionary of known threats **CIA (Confidentiality, Integritv & Availability)** is a security concept. **CERT (Computer Emergency Response Team)** - the title speaks for itself!

Answer 69

D. Install endpoint management software on a systems ## Footnote Install endpoint management software on all systems is the correct answer because it offers a comprehensive solution for monitoring and managing workstations and servers. Endpoint management software provides visibility into unauthorized changes, detects unapproved software installations, and enforces security policies, making it the most effective choice for ensuring system integrity and compliance.

Answer 70

B. Data in transit ## Footnote Data in transit is the correct answer because a VPN is specifically designed to protect data as it moves between two locations.

Answer 71

D. Compensating controls ## Footnote compensating controls are security measures that are implemented to mitigate risk when the primary controls are not feasible or sufficient. In this case, since the legacy system might have inherent vulnerabilities that cannot be fully addressed, the organization has implemented additional controls to reduce the risk.

Answer 72

B. Infrastructure as code (IaC) ## Footnote Infrastructure as Code (laC) is the correct answer because it provides the necessary tools and practices for automating and simplifving the deplovment of infrastructure resources in a cloud environment. laC enables efficient and repeatable resource provisioning. making it the most effective solution for the systems administrator's needs.

Answer 73

C. IPSec ## Footnote IPsec Is Ideal for establishing a secure connection between a security consultant's devIce and a clients network, ensuring contidentiality, integrity and authenticity of data transmitted over the connection. EAP (Extensible Authentication Protocol) NAT ( Network Address Translation) DHCP (Dynamic Host Configuration Protocol)

Answer 74

C. Social engineering ## Footnote SocIal engineerIng Is a manipulation technique that exploits human error to gain private intormation, access, or valuables. Executive Whaling is a type of phishing attack that specifically targets high-profile executives (also known as "whales") to steal sensitive information.

Answer 75

C. Apply classifications to the data. ## Footnote Apply classitications to the data is the correct first step because it establishes a foundational understanding of what data is sensitive and needs protection. By classifying the data, the security administrator can ensure that subsequent DLP policies are effectively tailored to prevent the exfiltration of sensitive customer data, while minimizing unnecessary restrictions on non-sensitive aata

Answer 76

B. Retention ## Footnote The administrator is tasked with ensuring that transaction data Is archived for the appropriate duration. This task involves adhering to retention schedules that dictate how long such data must be kept to meet compliance obligations.

Answer 77

A. SOW ## Footnote SOW: statement of work BPA: business partnership agreement SLA: service level agreement NDA: no disclosure agreement

Answer 78

D. Organized crime ## Footnote Ransomware Is blackmailing for monetary gain which Is a CRIME. It also does not fit the criteria for any other threat actor listed.

Answer 79

D. Peer review and approval ## Footnote Peer review and approval is a practice that involves having other developers or experts review the code before it is deployed or released. Peer review and approval can help detect and prevent malicious code, errors, bugs, vulnerabilities, and poor quality in the development process.

Answer 80

D. Application allow list ## Footnote Ву using an application allow lIst, employees cannot inadvertently install or run unauthorized software, including malware, because only approved applications are permiiied to execute.

Answer 81

C. Jailbreaking

Answer 82

C. Badge Access D. Access Control Vestibule

Answer 83

A. Segmentation ## Footnote Network segmentation involves dividing a network into subnets to control access and traffic flow.

Answer 84

D. Removable devices ## Footnote In an air-gapped network. which is physically Isolated from other networks. the most common data loss path would typicallv be through removable devices

Answer 85

C. Watering-hole ## Footnote A Watering-hole attack targets a specific group of people by compromising a website they frequently visit.

Answer 86

A. Deploying a SASE solution to remote employees ## Footnote SASE (Secure Access Service Edge) is a comprehensive networking and security approach that combines wide-area networking (WAN) capabilities with security features. It provides secure access to applications and data, including encrypted tunnel access to the data center while also offering monitoring capabilities for remote employee internet traffic. By implementing a SASE solution, the organization can reduce trattic on the VPN and internet circuit by routing trattic intelligently through the cloud, closer to the users. This approach helps optimize pertormance and security, addressing the scaling issues effectivelv.

Answer 87

A. Regulatory requirement

Answer 88

C. Confidentiality ## Footnote The primary goal of applying least privilege to HR files is to protect sensitive data from unauthorized access, aligning directly with the confidentiality aspect ot intormation security.

Answer 89

E. The device's encryption level cannot meet organizational standards. F. The device is unable to receive authorized updates ## Footnote **Encryption Level**: If a device's encryption level cannot meet the organization's standards, it poses a significant security risk and should be decommissioned **Authorized Updates**: If a device is unable to receive authorized updates, it becomes vulnerable to known exploits and cannot be maintained securely, thus it should also be decommissioned.

Answer 90

C. Recurring ## Footnote Recurring risk assessments are those that are scheduled to take place at regular intervals, such as annually, semi-annually, or quarterly.

Answer 91

B. Detective ## Footnote Detective is the correct answer because reviewing log files after a ransomware attack is an example of a detective control. It is used to identify analvze, and understand security incidents post-occurrence, providing valuable information for future prevention and response strategies

Answer 92

A. Tabletop ## Footnote Tabletop exercises are specifically desianed to evaluate and improve incident response processes by allowing teams to simulate responses to hypothetical incidents. Failover refers to switching to a computer, system, network, or hardware component that is on standby if the initial system or component fails

Answer 93

B. Off-site replication ## Footnote Off-site replication is crucial for disaster recovery plannina, particularly in areas susceptible to natural disasters.

Answer 94

C. Segmentation ## Footnote Legacy loT Devices: These devices often lack the ability to be quickly patched or replaced due to hardware limitations or operational constraints. Segmentation offers a rapid response by limiting access and isolating these devices from critical network resources.

Answer 95

D. Access control lists ## Footnote Access control lists (ACLs) should be used to restrict access to the data quickly. ACLs allow the administrator to specify which users or groups hav permission to access certain files or directories on the file server, providing a straightforward and immediate way to enforce access controls and protect contidential data.

Answer 96

D. SLA (Service Level Agreement) ## Footnote The SLA is the appropriate document to specify this uptime requirement and any associated metrics.

Answer 97

A. Certification

Answer 98

A. Geographic dispersion ## Footnote Geographic dispersion is the practice of having backup data stored in different locations that are far enough apart to minimize the risk of a single natural disaster attecting both sites.

Answer 99

D. Query the file's metadata ## Footnote Metadata is data that describes other data, such as its format, origin, creation date, author, and other attributes.

Answer 100

C. Purple ## Footnote Red = offensive Blue = Defensive Yellow = Builders Purple = mix of offensive and defensive. Also the color you get when you mix red and blue

Answer 101

A. Patch availability ## Footnote Patch availability is a critical concern for maintaining the security and integrity of systems.

Answer 102

A. A full inventory of all hardware and software ## Footnote A full inventory of all hardware and software is the correct answer because it provides the essential information needed to accurately assess the risk posed by a new vulnerability.

Answer 103

B. Scheduled downtime ## Footnote Scheduled downtime is the correct answer because it specifically involves setting a designated time for changes to occur. balancing the need for system maintenance with minimizing business impacts.

Answer 104

C. Encryption

Answer 105

D. End Of Life

Answer 106

A. Encryption at rest

Answer 107

D. Reflected denial of service

Answer 108

A. RBAC ## Footnote Role-based access control (RBAC) restricts users to only access data based on their job responsibilities

Answer 109

A. Federation C. Password complexIty ## Footnote Federation facilitates access to multiple systems using a single intranet profile, and password complexity ensures that the passwords used are strong and secure.

Answer 110

A. SIEM (Security Information Event Management) ## Footnote SIEM systems are specifically desianed to collect. centralize, and analyze logs from multiple sources, providing security alerting and monitoring capabilities essential for detecting and responsning to potential threats. DLP = Data Loss Prevention IDS = Intrusion Detection System SNMPA = Simple Network Management Protocol

Answer 111

C. Password, autnentication token, thumbprint

Answer 112

C. Hardening ## Footnote Hardening involves implementing security measures to protect the application from threats while maintaining its availability. Segmentation and isolation can also be part of a security strategy, they are more about limiting access or separating the legacy system from other network segment which might not be feasible for a critical business application that requires interaction with other systems.

Answer 113

C. Buffer overflow ## Footnote In a buffer overflow attack, the attacker might overwrite a register or a return address on the stack with a malicious address, redirecting the program's control flow to execute arbitrary code.

Answer 114

B. Retain any communications related to the security breach until further notice ## Footnote Retain any communications related to the security breach until further notice is the correct answer. This approach ensures that all relevant evidence Is preserved in compliance with the legal hold, covering the full scope of communications and documents needed for the lawsuit.

Answer 115

A. Mitigate ## Footnote when a legacy application is critical to business operations and there are preventative controls that are not yet implemented, the tirst risk management strategy an enterprise should adopt is to mitigate the risks.

Answer 116

B. Changing the default password

Answer 117

B. Access badge

Answer 118

A. Role-based ## Footnote Role-based is the correct answer because the issue arises from the engineers account not being updated to include the new role associated with the new teams shared tolders. Role-Based Access control Is the tramework in place that determines access based on roles assigned to users, making it the most relevant explanation for the engineer's access issue.

Answer 119

C. Threat vectors based on the industry in which the organization operates E. Cadence and duration of training events ## Footnote - Threat vectors based on the industry in which the organization operates (C): Understanding the specific threats that are most relevant to the industry helps tailor the training content to address the most pressing risks and vulnerabilities that employees might face. - Cadence and duration of training events (E): Establishing an appropriate schedule and duration for training ensures that employees receive regular, ongoing education to keep security top-of-mind and adapt to evolving threats.

Answer 120

D. Availability ## Footnote Availability is the correct answer because deploying a load balancer enhances the availability of applications and services by distributing traffic, providing redundancy, and ensuring continued access to resources even in the event of server failures. This project directly supports the availabil aspect of the security triad.

Answer 121

B. Pushing GPO update ## Footnote Pushing GPO (Group Policy Objects) update Is the correct answer because it allows the systems administrator to implement a new password policy across all systems quickly and etticiently through centralized management. GOs provide the necessary tools to entorce security settings consistently throughout tr enterorise environment. PAP = Password Authentication Protocol EDR = Endpoint detection and Response

Answer 122

D. ALE (Anual Loss Expectancy) ## Footnote ARO: Annual Rate of Occurrence RTO: Recover Time Obiective RPO: Recovery Point Obiective ALE: Annual Loss Expectancy SLE: Single Loss Expectancy

Answer 123

D. Salting ## Footnote Salting Is the correct answer because it involves adding a random string to a password betore hashing to strengthen security.

Answer 124

D. Conduct a site survey ## Footnote A site survey is essential to determine the best locations for camera installation. ensuring optimal coverage and siana strenath. It involves assessing the physical environment to identity any potential issues that could attect the camera's performance, such as obstructions, lighting conditions, and power source availability.

Answer 125

D. DDoS ## Footnote DDoS is the correct answer because the sudden increase in network traftic leading to a web services outage is characteristic of a Distributed Denial of Service attack.

Answer 126

C. Organized crime ## Footnote Profit is the main driver for organized crime, making them the most likely threat actor motivated by financial incentives.

Answer 127

C. DHCP E. Firewall ## Footnote Firewall logs capture network traftic and can show which internal hosts communicated with external IP addresses, including the command-and-control server. By analyzing firewall logs, you can identity the internal IP addresses that initiated or received communication with the command-and-control server, helping to pinpoint the impacted host. It you have already identified suspicIous network traffic (e.g., connections to a C2 server) in firewall or network logs, the next step is often to determine which device was responsible for that traffic. DHCP logs are necessary for this step because they map IP addresses to specifIc devices.

Answer 128

A. Symmetric ## Footnote In this type of encryption, there is only one key, and all parties involved use the same key to encrypt and decrypt intormation.

Answer 129

A. Port security ## Footnote Port Security: This is a network security feature that restricts input to an interface by limiting and identifying MAC addresses of the devices allowed to access the port.

Answer 130

B. Certification E. Sanitization

Answer 131

A. Backout Plan ## Footnote A backout plan is a predefined strategy to reverse and recover from changes made to a system if the changes produce undesirable results. It's a safety measure that ensures data integrity and system availability. See also: backup, recovery time objective, mean time to recovery.

Answer 132

C. Virtualization

Answer 133

C. File Integrity monitoring ## Footnote File Integrity Monitoring is the correct answer because it specifically addresses the need to monitor and detect unauthorized modifications to sensitive data.

Answer 134

D. Updating the categorization in the content filter ## Footnote By updating the categorization in the content filter to accurately reflect the nature of the retail website (shopping instead of gambling), the content filter will allow users to access the site.

Answer 135

B. Patch availability ## Footnote Patch availability most impacts an administrator's ability to address common Vulnerabilities and Exposures (CVES) discovered on a server. It patches are not available to fix the vulnerabilities. the administrator cannot remediate the issues, regardless of other factors.

Answer 136

B. Having a backout plan when a patch fails ## Footnote When applving patches or making system changes, there's alwavs a risk of unforeseen issues. An effective backout plan allows for a quick and organized response, ensuring that systems can be returned to their last known good state, thereby maintaining business continuity and reducing the potential impact on operations.

Answer 137

B. NGFW utilizing application inspection ## Footnote A Next-Generation Firewall (NGFW) utilizing application inspection could have identified and blocked the use of HTTP over port 53. NGFWs have advanced capabilities that allow them to inspect and identify traffic based on the application layer, not just the port and protocol, enabling them detect and prevent non-standard use of ports for malicious activities. UNI = Unified Threat Management WAF = Web Application Firewall SD-WAN = Software Defined Wide Area Network

Answer 138

B. IPSec ## Footnote IPSec is the correct answer because it provides comprehensive encryption for all IP traffic between the internal networks of both parties. ensuring secure file migration. IPsec's ability to encrypt, authenticate, and ensure the integrity of all data packets makes it the most suitable solution for protecting communications between the enterprise and the third party.

Answer 139

A. DLP (Data Loss Prevention) ## Footnote DLP Is the correct answer because it is specitically designed to detect, monitor, and prevent the unauthorized transter of sensitive data, such as fingerprinted files, outside the organization. DLP solutions provide the necessary tools to ensure data security by generating alerts and blocking unauthorized data exfiltration attempts.

Answer 140

A. Hashes ## Footnote Hashes is the correct answer because they provide a straightforward and reliable method for verifying the integrity of downloaded files. By comparing the hash of a downloaded file with the hash provided on the website, users can ensure that the file has not been altered, confirming its Integrity and authenticity.

Answer 141

B. Hashing ## Footnote Hashing Is the most likely recommendation for protecting a log-in database. By hashing passwords, the organization ensures that even it the database is breached, the actual passwords are not exposed in plaintext.

Answer 142

D. Ransomware ## Footnote Ransomware encrypts files on a victim's system and displays a message demanding payment to decrypt the files or restore access.

Answer 143

D. Mean time to repair ## Footnote Mean Time to Repair (MITR) Is the correct answer because it directly relates to calculating the time needed to resolve hardware issues and restor the server to full functionality.

Answer 144

C. DLP ## Footnote XDR = Xtended Detection and Response SPF = Sender Policy Framework DLP = Data Loss Prevention DMARC = Domain-based Message Authentication Reporting and Conformance

Answer 145

C. EDR ## Footnote IDS = Introsion Detection System ACL = Access Control List EDR = Endpoint Detection and Response NAC = Network Access Card

Answer 146

B. Confidentiality

Answer 147

D. Critical

Answer 148

B. Social engineering

Answer 149

A. SLA (Service Level Agreement)

Answer 150

C. Compensating

Answer 151

C. Due diligence

Answer 152

C. Role as controller or processor

Answer 153

B. Firewall

Answer 154

A. Business Continuity ## Footnote Business Continuity is a document that consists of the critical information an organization needs to continue operating during an unplanned event.

Answer 155

A. Virtualization and isolation of resources

Answer 156

A. End user training ## Footnote End user training is the process of educating end users (AKA customers) about how to use your products or services.

Answer 157

A. Validate the code signature.

Answer 158

B. Placing the system in an isolated VLAN

Answer 159

B. Internal audit

Answer 160

D. Shadow IT ## Footnote Shadow IT is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It refers only to unsanctioned assets deployed by the network's authorized end users

Answer 161

A. Shadow IT ## Footnote Shadow IT is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It refers only to unsanctioned assets deployed by the network's authorized end users

Answer 162

A. To track the status of patching installations

Answer 163

D. Load Balancer ## Footnote A **load balancer** is the device or service that sits between the user and the server group and acts as an invisible facilitator, ensuring that all resource servers are used equally. **Cloud HSM** is a cloud-hosted Hardware Security Module (HSM) service that allows you to host encryption keys and perform cryptographic operations in a cluster of FIPS 140-2 Level 3 certified HSMs.

Answer 164

A. Encrypted connection

Answer 165

A. Unidentified removable devices

Answer 166

C. MaskIng

Answer 167

C. False positive

Answer 168

A. Memory Injection ## Footnote A **memory injection** attack is a type of cyber attack that involves injecting malicious code into a computer's memory in order to execute unauthorized commands or steal sensitive information.

Answer 169

A. Asset inventory

Answer 170

A. Playbooks ## Footnote **Playbooks** are tools used by cybersecurity professionals to identify and respond to security issues **Framework** is a set of guidelines that outlines standards to define the processes and procedures that an organization must take to assess, monitor, and mitigate cybersecurity risk **Baseline** is The set of controls that are applicable to information or an information system to meet legal, regulatory, or policy requirements, as well as address protection needs for the purpose of managing risk. **Benchmarks** are best practices for securely configuring IT systems, software, networks and cloud infrastructure.

Answer 171

C. Tabletop exercise

Answer 172

B. Availability

Answer 173

B. SLA (Service Level Agreement) ## Footnote SOW = Statement of Work SLA = Service Level Agreement MOA = Memorandum of Agreement MOU= Memorandum of Understanding

Answer 174

B. Automated response actions ## Footnote **Security information and event management (SIEM)** technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources.

Answer 175

B. Deterrent F. Detective

Answer 176

B. Port Security ## Footnote **Port Security** helps secure the network by preventing unknown devices from forwarding packets. When a link goes down, all dynamically locked addresses are freed. **Next-generation firewalls (NGFWs)** are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.

Answer 177

C. Jailbreaking ## Footnote **Sideloading **is the practice of installing mobile apps on a device that are not from the official app stores **Jailbreaking **is the process of removing software restrictions imposed by the operating system on devices, particularly smartphones and tablet **Cross-site scripting (XSS)** is an exploit where the attacker attaches code onto a legitimate website that will execute when the victim loads the website An SQL injection, sometimes abbreviated to** SQLi**, is a type of vulnerability in which an attacker uses a piece of SQL (structured query language) code to manipulate a database and gain access to potentially valuable information.

Answer 178

C. Lessons learned

Answer 179

B. Vulnerability scan

Answer 180

C. VPN ## Footnote A **VPN**, which stands for virtual private network, establishes a digital connection between your computer and a remote server owned by a VPN provider, creating a point-to-point tunnel that encrypts your personal data, masks your IP address, and lets you sidestep website blocks and firewalls on the internet. A **security zone** comprises users, applications, servers, or networks that share common trust requirements and expectations within a system A **proxy server** is a system or router that provides a gateway between users and the internet. Therefore, it helps prevent cyber attackers from entering a private network. It is a server, referred to as an “intermediary” because it goes between end-users and the web pages they visit online. A **next-generation firewall (NGFW)** is an advanced version of the traditional firewall that makes authentication decisions based on the context of the user, content and application.

Answer 181

B. Enabling malware detection through a UTM ## Footnote **Unified threat management (UTM)** refers to when multiple security features or services are combined into a single device within your network

Answer 182

D. To prevent a single point of failure

Answer 183

B. Containerization ## Footnote Containerization works by virtualizing all the required pieces of a specific application into a single unit. Under the hood, that means containers include all the binaries, libraries, and configuration an app requires. However, containers do NOT include virtualized hardware or kernel resources.

Answer 184

A. Disable default accounts C. Remove unnecessary servIces.

Answer 185

C. Internal auditing

Answer 186

B. AAA ## Footnote AAA = Authentication, Authorization, and Accounting CIA = Confidentiality, Integrity, and Availability ACL = Access Control List PEM = Privacy-Enhanced Mail

Answer 187

D. Version control

Answer 188

B. Cold site

Answer 189

C. Implement security awareness training

Answer 190

C. Red team

Answer 191

A. Trusted Devices

Answer 192

C. Honeypots E. DNS sinkhole

Answer 193

A. Hashing

Answer 194

B. SAML ## Footnote SAML = Security Assertion Markup Language (SAML) is an open federation standard that allows an identity provider (IdP) to authenticate users and then pass an authentication token to another application known as a service provider (SP). EAP = Extensible Authentication Protocol (EAP) is used to pass the authentication information between the supplicant (the Wi-Fi workstation) and the authentication server (Microsoft IAS or other). The EAP type actually handles and defines the authentication. OpenID = OpenID Connect is a popular authentication protocol. It helps standardize the process for user authentication when users try to access a browser or mobile app RADIUS = Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that authorizes and authenticates users who access a remote network. A protocol is a collection of rules that control how something communicates or operates.

Answer 195

D. On-path attack ## Footnote On-path attackers place themselves between two devices (often a web browser and a web server) and intercept or modify communications between the two. The attackers can then collect information as well as impersonate either of the two agents.

Answer 196

D. There is a single point of failure

Answer 197

E. Compensating F. Technical

Answer 198

D. Containerization ## Footnote Containerization is a type of virtualization in which all the components of an application are bundled into a single container image and can be run in isolated user space on the same shared operating system. To ensure that all data on a mobile device is unrecoverable if the device is lost or stolen, a company can use containerization

Answer 199

A. Residual ## Footnote Residual risk is the level of cyber risk remaining after all your security controls are accounted for, any threats have been addressed and the organization is meeting security standards. It's the risk that slips through the cracks of your system.

Answer 200

B. Performing code obfuscation ## Footnote Code Obfuscation is the process of modifying an executable so that it is no longer useful to a hacker but remains fully functional. While the process may modify actual method instructions or metadata, it does not alter the output of the program

Answer 201

B. Something you have ## Footnote MFA = Multi factor authentication

Answer 202

A. Increasing the minimum password length to 14 characters. F. Including a requirement for at least one special character.

Answer 203

D. The software contained a backdoor.

Answer 204

B. Transitioning the platform to an laaS provider ## Footnote Logistics as a service (LaaS) falls along these same lines. LaaS solutions offer organizations a way to manage their logistics through a cloud-based platform, sometimes with the assistance of remote logistics experts. LaaS falls under the overall umbrella of managed transportation services.

Answer 205

C. A DNS sinkhole can be used to capture traffic to known-malicious domains used by attackers.

Answer 206

B. Metadata

Answer 207

D. To ensure non-repudiation ## Footnote Secure/Multipurpose Internet Mail Extensions, or S/MIME, is an internet standard to digitally sign and encrypt email messages. It ensures the integrity of email messages remains intact while being received.

Answer 208

D. Dumpster diving

Answer 209

A. Resource constraints ## Footnote Internet of Things (IoT) is a network of devices equipped with sensors, software, and other technologies to connect and exchange data with other devices and systems over the internet.

Answer 210

B. Captive portal

Answer 211

B. SOC 2 Type 2 report ## Footnote A SOC 2 Type 2 report outlines a company's internal controls and details how well they safeguard customer data, specifically for cloud service providers. Specifically, it's a third-party audit that shows if the security protocols are safe and effective.

Answer 212

C. DRP ## Footnote DRP = Disaster Recovery Plan IRP = Incident Recovery Plan BCP = Business Continuity Planning

Answer 213

D. Segregation of duties

Answer 214

B. Send the dead domain to a DNS sinkhole

Answer 215

A. Disk Encryption

Answer 216

C. Retention policy ## Footnote Retention Policy describes how long a business needs to keep a piece of information (record), where it's stored and how to dispose of the record when its time.

Answer 217

A. Code repositories ## Footnote A code repository is a storage location for code and other software development assets, such as documentation, tests, and scripts. They are often used to manage and organize a software project's codebase and collaborate with other project developers.

Answer 218

C. The organization will have the ability to create security requirements based on classification levels

Answer 219

A. Non-credentialed scan

Answer 220

A. MITRE ATT&CK ## Footnote MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) is a framework, set of data matrices, and assessment tool developed by MITRE Corporation to help organizations understand their security readiness and uncover vulnerabilities in their defenses.

Answer 221

D. Microservices using API ## Footnote **Microservices** is an approach to building an application that breaks its functionality into modular components. **APIs** are part of an application that communicates with other applications. So, APIs can be used to enable microservices. As a result, you can make it easier to create software **Secure File Transfer Protocol (SFTP)** is a network protocol that enables secure and encrypted file transfers between a client and a server. **JSON (JavaScript Object Notation)** is a text-based, human-readable data interchange format used to exchange data between web clients and web servers.

Answer 222

A. GDPR ## Footnote GDPR: general data protection regulation (GDPR) is the strongest privacy and security law in the world. PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. NIST: National Institute of Standards and Technology. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The Framework is voluntary. ISO: International Organization for Standardization

Answer 223

B. The administrator needs to install the server certiticate into the local truststore

Answer 224

B. Lack of vendor support

Answer 225

B. A packet capture tool was used to steal the password.

Answer 226

C. SSH ## Footnote **SNMPv3 Simple Network Management Protocol Version 3** is an advanced version of SNMP. Primarily used for network management, SNMPv3 ensures secure access to devices by providing enhanced security features. **SSH (Secure Shell or Secure Socket Shell) **is a network protocol that gives users -- particularly systems administrators -- a secure way to access a computer over an unsecured network. **RDP Remote Desktop Protocol**, is one of the main protocols used for remote desktop sessions, which is when employees access their office desktop computers from another device. SMTP Simple Mail Transfer Protocol

Answer 227

A. Wildcard ## Footnote A **wildcard ** certificate is a type of SSL/TLS certificate that can be used to secure multiple domains (hosts), indicated by a wildcard character (*) in the domain name field. This can be helpful if you have a lot of domains or subdomains that you need to secure, as it can save you time and money **Client certificates ** are digital certificates for users and individuals to prove their identity to a server. Client certificates tend to be used within private organizations to authenticate requests to remote servers. ** Self-signed certificate** means choosing to proceed without the support of a trusted certificate authority to guarantee the validity of the certificate details **Code signing** is the process of applying a digital signature to a software binary or file. This digital signature validates the identity of the software author or publisher and verifies that the file has not been altered or tampered with since it was signed

Answer 228

A. Nessus ## Footnote **Nessus** is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network. **Curl** (Client URL) is a command line tool that enables data exchange between a device and a server through a terminal. **Wireshark** is a network protocol analyzer, or an application that captures packets from a network connection **Netcat** is a networking tool for reading from and writing to network connections. It's called the “Swiss Army Knife” of networking due to its range of functions. Netcat establishes TCP and UDP connections with remote hosts. This allows communication between devices over a network.

Answer 229

A. Encapsulation ## Footnote **Encapsulation** refers to a programming approach that revolves around data and functions contained, or encapsulated, within a set of operating instructions.

Answer 230

A. Serverless architecture ## Footnote **Serverless architecture** is an approach to software design that allows developers to build and run services without having to manage the underlying infrastructure A** thin client** connects to a server-based environment that hosts the majority of applications, memory, and sensitive data the user needs. ** private cloud** is defined as computing services offered either over the Internet or a private internal network and only to select users instead of the general public.

Answer 231

B. File integrity monitor

Answer 232

B. VoIP ## Footnote Voice over Internet Protocol (VoIP), is a technology that allows you to make voice calls using a broadband Internet connection instead of a regular (or analog) phone line. The Secure Real-Time Transport Protocol (SRTP) adds encryption, authentication, and replay protection to the Real-time Transport Protocol (RTP). This enables private, tamper-proof conversations over untrusted networks.

Answer 233

A. Whaling ## Footnote A whaling attack is a type of phishing attack where a particularly important person in the organization is targeted. Spear phishing is a type of phishing attack that targets a specific individual, group or organization

Answer 234

A. Updating the CRL ## Footnote A certificate revocation list (CRL) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their actual or assigned expiration date. Public key infrastructure (PKI) governs the issuance of digital certificates to protect sensitive data, provide unique digital identities for users, devices and applications and secure end-to-end communications.

Answer 235

E. PAM software ## Footnote Privileged access management (PAM) is an identity security solution that helps protect organizations against cyberthreats by monitoring, detecting, and preventing unauthorized privileged access to critical resources. Security Assertion Markup Language (SAML) is an open federation standard that allows an identity provider (IdP) to authenticate users and then pass an authentication token to another application known as a service provider (SP). TACACS, which stands for Terminal Access Controller Access-Control System, is a network protocol that was developed by Cisco. TACACS+ is an improved version of the original TACACS protocol, which is now popularly used in the industry for Authentication, Authorization, and Accounting (AAA) in network security. Role-based access control (RBAC), also known as role-based security, is a mechanism that restricts system access. It involves setting permissions and privileges to enable access to authorized users. SSO Single Sign On

Answer 236

C. Add a quest captive portal requiring visitors to accept terms and conditions ## Footnote **802.1X** is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. **Remote Authentication Dial-In User Service (RADIUS)** is a networking protocol that authorizes and authenticates users who access a remote network. **Wi-Fi Protected Setup (WPS)** is a feature supplied with many routers. It is designed to make the process of connecting to a secure wireless network from a computer or other device easier.

Answer 237

A. Owner ## Footnote A **Data Owner** is the person accountable for the classification, protection, use, and quality of one or more data sets within an organization A **Data Steward** is a subject expert with a thorough understanding of a particular data set. A **Data Custodian** is responsible for implementing and maintaining security controls for a given data set in order to meet the requirements specified by the Data Owner in the Data Governance Framework. The **Data Controller** is the entity that determines the purposes and methods for processing personal data. It makes key decisions about data handling and bears the primary responsibility for the data.

Answer 238

A. Lighting D. Sensor

Answer 239

A. Load balancer ## Footnote A **load balancer** is the device or service that sits between the user and the server group and acts as an invisible facilitator, ensuring that all resource servers are used equally

Answer 240

B. Code signing ## Footnote **Code signing** is the process of applying a digital signature to a software binary or file. This digital signature validates the identity of the software author or publisher and verifies that the file has not been altered or tampered with since it was signed. **Input validation** is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering malfunction of various downstream components. **fuzzing** is an automated software testing method that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities

Answer 241

A. Lack of security updates

Answer 242

A. Wireshark ## Footnote **Wireshark** is used to trace connections, view the contents of suspect network transactions and identify bursts of network traffic. **Netcat** is a networking tool for reading from and writing to network connections. It's called the “Swiss Army Knife” of networking due to its range of functions. Netcat establishes TCP and UDP connections with remote hosts. This allows communication between devices over a network. **Nessus** is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network. **Nmap ("Network Mapper")** is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Answer 243

A. Fuzzing ## Footnote **fuzzing** is an automated software testing method that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities

Answer 244

C. Design review process

Answer 245

D. CVSS ## Footnote CVE = Common Vulnerabilities and Exposure OSINT = Open Source Intelligence SOAR = Security Orchestration Automation and Response CVSS = Common Vulnerability Scoring System

Answer 246

B. The attacker performed a pass-the-hash attack using a shared support account ## Footnote A pass the hash attack is an exploit in which an attacker steals a hashed user credential and -- without cracking it -- reuses it to trick an authentication system into creating a new authenticated session on the same network.

Answer 247

A. OWASP ## Footnote The **Open Web Application Security Project, or OWASP**, is an international non-profit organization dedicated to web application security. **Structured Threat Information eXpression (STIX)** is a standardized language that uses a JSON-based lexicon to express and share threat intelligence information in a readable and consistent format. **Open Vulnerability and Assessment Language (OVAL)** is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. A **threat intelligence feed** is a stream of data about potential attacks (known as "threat intelligence") from an external source

Answer 248

B. Conditional access policies D. Implementation of additional authentication factors

Answer 249

E. WAF F. SIEM ## Footnote **NIDS, or network intrusion detection systems**, provide continuous network monitoring across on-premise and cloud infrastructure to detect malicious activity like policy violations, lateral movement or data exfiltration. **Host-based Intrusion Prevention System (HIPS)** protects your system from malware and unwanted activity attempting to negatively affect your computer. **WAF or web application firewall** helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet **SIEM, Security information and event management**, is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations.

Answer 250

C. Snapshot

Answer 251

B. Decommissioning ## Footnote **decommissioning** means the process of systematic removal and permanent shutdown of an outdated computer system, server, hardware, software, or associated infrastructure.

Answer 252

A. Santization

Answer 253

D. Time-based tokens

Answer 254

C. Phishing campaign

Answer 255

D. Supply chain

Answer 256

A. A web shell has been deployed to the server through the page

Answer 257

D. Illumination tool

Answer 258

A. Agentless solution ## Footnote Agentless network analysis involves monitoring and evaluating network traffic from a central location without deploying agents on network devices

Answer 259

D. SOW ## Footnote A **Statement of Work (SOW**) specifies the detailed scope of work, tasks, deliverables, timelines, and costs for a specific project or engagement with the vendor. A **Service-Level Agreement (SLA**) is a specific type of agreement that defines the level of service expected from the vendor, including performance metrics, response times, and other service-related terms. An **MSA** is a comprehensive contract that sets forth the general terms and conditions that will govern multiple future engagements between the parties. It may reference specific work orders or statements of work for individual projects. A **Memorandum of Agreement (MOA)** typically outlines a broader understanding or collaboration between parties, but it may not necessarily include specific services, timelines, and costs as in this context.

Answer 260

C. Hardware ## Footnote The hardware aspect of a BPA focuses on identifying the specific technological resources, like servers or data centers, that perform the processing for a mission essential function. Process flow gives a sequential description of operational steps but does not specify the hardware used in the process. Inputs pertain to the initial information sources needed for a function's execution, not the processing hardware. While staff and other resources includes the workforce and supplementary resources needed for the function, it does not refer to the technological processing equipment.

Answer 261

C. Serverless ## Footnote **Serverless** is an architecture model that allows running code without managing any underlying infrastructure. It can offer benefits such as flexibility, scalability, cost-efficiency, and security.** Virtualization** is a technology that allows creating multiple virtual machines or environments on a single physical device, not running code without managing any underlying infrastructure.** Infrastructure as code (IaC)** is a method of managing and provisioning IT infrastructure through code, not running code without managing any underlying infrastructure. **Software-defined networking (SDN)** is a network technology that involves dynamically configuring and managing network devices and services through software, not creating multiple isolated environments on a single physical device.

Answer 262

A. SPF ## Footnote **SPF (Sender Policy Framework)** helps prevent email spoofing by enabling domain owners to define which servers can send emails on their behalf. **SMTP (Simple Mail Transfer Protocol)** is the protocol used for sending emails, but it doesn't dictate server authorizations for a specific domain. **DMARC (Domain-based Message Authentication, Reporting, and Conformance)** utilizes the results from** DKIM (Domain Keys Identified Mail)** and SPF checks to determine the action to take with non-conforming messages, but it doesn't list authorized servers itself. DKIM provides a method to validate the domain name identity associated with a message through cryptographic authentication, but it doesn't specify server authorizations.