CySA + Measure Up #1 Flashcards


1
Q

An anomaly-based NIDS is installed on a company’s network. During end-of-quarter accounting activities, the NIDS generates multiple alerts related to network bandwidth and database server activity. The database server is running a signature-based HIDS. What is the MOST likely cause of the alerts?
A. False positive
B. Database server failure
C. DDoS attack
D. Malware infection

A

The alerts are most likely to be the result of a false positive. An anomaly-based Intrusion Detection System (IDS) generates alerts based on variations from an established activity baseline. End-of-quarter accounting activities would generate additional network traffic and database activity.
This is not likely to be the result of a database server failure. A server failure would more likely result in the inability to access the server or other server performance problems.
This is not likely to be a distributed denial-of-service (DDoS) attack. It is more likely that the alerts are the result of valid, temporary variations in network activity.
This is not likely to be the result of a malware infection. The host-based intrusion detection systems (HIDS) running on the database server would probably detect this and generate alerts from the infection.

2
Q

Which command should be used to create a forensic image of a hard drive?
A. dd
B. tar
C. mv
D. cp

A

You should use the dd command to create a forensic image of a hard disk. A forensic image is a bit-by-bit copy of the entire source disk, including space that may contain pieces of deleted files and that can be used to hide data. The dd command was originally a UNIX/Linux command, but it is also available for Windows operating systems.
You should not use the cp or mv commands. These are both file-by-file commands and do not create a full disk image. The cp command is used to copy files, and the mv command is used to move files to a different location. You should not use the tar command. This is an archive (backup) command and cannot be used to create an image copy.

3
Q

A company works with a cybersecurity consultant to complete a risk assessment profile for network vulnerabilities. The assessment will be used to determine the best actions to take to mitigate risks and set remediation priorities. Which is NOT a factor in determining the likelihood of a potential risk?
A. Awareness
B. Threat actor motivation
C. Ease of exploit
D. Financial impact

A

Financial impact is not a factor in determining the likelihood of risk. It is a factor in determining risk impact.
Risk assessment ranks based on likelihood and impact. The ranking is commonly broken down as:
* Low likelihood/low impact: This is a low priority risk and is typically considered safe to ignore.
* High likelihood/low impact: This is a medium priority risk and it is recommended that you take action to reduce the risk.
* Low likelihood/high impact: This is a medium priority risk and it is recommended that contingency plans be in place in case it occurs before remediation.
* High likelihood/high impact: This is a high priority risk and should be remediated as quickly as possible.
Factors for determining likelihood include:
* Threat actor skill level
* Threat actor opportunity and resources
* Threat actor motivation
* Ease of discovering the vulnerability
* Awareness of the vulnerability by threat actors
* Likelihood of detecting an attempted exploit
Factors for determining impact include:
* Loss of confidentiality
* Loss of integrity
* Loss of availability
* Loss of reputation
* Financial impact
* Forced non-compliance
Factors should be rated individually, then combined to get a risk assessment value.

4
Q

A company uses NetFlow analysis to provide real-time information about bandwidth usage by protocol and by application. The outgoing TCP traffic from one application rapidly increases to the point that it is using most of the available bandwidth. Incoming traffic levels have not changed by a significant amount. What type of attack does this MOST likely indicate?
A. DDOS
B. Data exfiltration
C. Eavesdropping
D. Sniffing

A

These traffic patterns most likely indicate that there has been a data exfiltration attack. Data exfiltration is, in simple terms, the theft or unauthorized transfer of data. The large amount of outgoing traffic indicates that a large amount of data is being extracted from the network. There are various ways to detect and help prevent data exfiltration, including implementing data loss prevention (DLP) tools, strengthening authentication requirements and access controls, and closely monitoring sensitive data.
A NetFlow analyzer collects network traffic data and it can perform real-time display and analysis, sorting the data in different categories. A common use of the NetFlow analyzer is to verify traffic statistics by protocol and by application in order to determine how available bandwidth is being used.
The traffic does not indicate a distributed denial-of-service (DDoS) attack. A DDoS attack can cause an increase in outgoing traffic; however, it would also be accompanied by an increase in incoming traffic being sent to the target network or device.
The traffic detected is not representative of what you would see during an eavesdropping attack. Eavesdropping is a primarily passive data collection activity and it would not cause an increase in traffic. Eavesdropping typically targets specific computers or specific types of traffic.
The traffic does not indicate a sniffing attack. Sniffing is also a primarily passive data collection activity; however, it is usually a general collection activity that is used as a way to detect patterns, identify hosts, or collect useful data such as passwords sent in clear text.

5
Q

A hospital plans to deploy a patient management app that will be used on tablets supplied to doctors and nurses. The hospital’s security team needs to ensure that data entered on the tablets is protected while in transit. Which solution does not require any special configuration on the tablets, while still meeting this requirement?
A. Deploy a VPN concentrator to support tablet connections.
B. Deploy a firewall and place the app server behind the firewall.
C. Deploy PKI and configure the app server to require TLS.
D. Configure federated authentication for all app users.

A

Deploying Public Key Infrastructure (PKI) and configuring the app server to require Transport Layer Security (TLS) do not require any special configuration on the tablets. PKI provides a framework for creating, managing, and deploying X.509 certificates. Certificates are used on app and web servers to facilitate encrypted communications, such as with Hypertext Transfer Protocol Secure (HTTPS). Certificates can also be used to ensure data authenticity and integrity.
Deploying a Virtual Private Network (VPN) concentrator to support tablet connections requires special configuration on the tablets. VPN concentrators facilitate secure access to internal network resources by requiring authentication and transport encryption.
Configuring federated authentication for all app users does not meet the requirements. Federated authentication allows a user to access a resource while being authenticated by another entity. For example, a shopping site may allow users to authenticate using their Google account.
Deploying a firewall and placing the app server behind the firewall does not meet the requirements. A firewall enhances network security but does not protect data in transit.

6
Q

A company contracts with a cybersecurity firm to perform a detailed security review of the company network and procedures. After its initial review, the firm recommends that the company perform an internal review of its operational controls.
Which actions should the company include in this review? (Select Two)
A. Check user passwords to determine whether they are being changed on a regular basis.
B. Check all acceptable use policies to determine if they are accurate and appropriate.
C. Review the personnel who have permission to apply patches and updates.
D. Verify that users are aware of security policies and that they are being followed.
E. Verify that locks on the server room are engaging automatically.

A

A review of acceptable use policies and user awareness of security policies are both examples of operational control. Operational controls refer to policies and procedures such as:
• General written security policies
• Acceptable use policy
• Clean desk policy
• Disaster recovery and business continuity plans
• Adherence to compliance requirements and standards
Reviewing the personnel who have permission to apply patches and updates and checking user passwords to determine if they are being changed are both types of technical controls. Other technical controls include:
• File and firewall access control lists
• Management and administrative permissions
• Use and administration of routers, firewalls, switches, and other network devices
• Network access controls
Verifying that locks on the server room are engaging automatically is an example of a physical control.
Physical controls include:
• Locks and other physical security devices
• Fences
• Lighting
• Cameras and motion sensors
It is recommended that all security controls be reviewed on a periodic basis, especially after a security incident.

7
Q

A cyber consultant determines that sensitive information relating to company employees has been inappropriately released. The recommendation is made that access to this information should be limited to senior management and personnel in the human resources department. What type of access control should the company implement?
A. Rule-based
B. Location-based
C. Role-based
D. Context-based

A

The company should implement role-based access control. Role-based access control is based on user identity, job function, authority, or responsibility and would limit access based on recommendations.
The company should not implement rule-based access control. Rule-based access control limits authorization and access based on conditions such as patch level, operating system type, and so forth, but not on the user.
The company should not implement location-based access control. This refers to the physical location of the device. For example, location-based access control could set different access levels when accessing network resources from the internal network versus access from outside the network.
The company should not implement context-based access control. This is a firewall software feature in which access is based on protocol session information. This is typically implemented as a type of location-based access control.

8
Q

A user notifies a security administrator about being prompted with an invalid certificate warning when connecting to the corporate intranet. Upon inspection, the administrator discovers an invalid ARP entry.
Which attack was most likely being perpetrated against the user?
A. Command injection
B. Buffer overflow
C. MITM
D. DNS spoofing

A

A man-in-the-middle (MITM) attack is most likely being perpetrated. An MITM occurs when an attacker intercepts communications between two nodes. Depending on the sophistication of the attack, the attacker may be able to read and even modify data in transit between the nodes. By modifying, or poisoning, the Address Resolution Protocol (ARP) cache, the attacker redirects messages destined for another node to a compromised machine.
A Domain Name System (DNS) spoofing attack is not being perpetrated. A DNS spoofing attack adds new or overwrites an existing cached hostname to IP address entries. For example, an attacker could add an invalid DNS cache entry for comptia.org such that when a user navigates to comptia.org, they are directed to a malicious website instead.
A command injection attack is not being perpetrated. Command injection attacks attempt to embed operating system commands in URLs or web forms in an attempt to execute the command on the hosting server.
A buffer overflow attack is not being perpetrated. In a buffer overflow attack, an attacker supplies excess information in an attempt to write outside of a process’s memory buffer. This can cause the process to crash or even allow malicious code to run.

9
Q

A security administrator is concerned that sensitive data could be vulnerable to sniffing attacks. Which technology can the administrator use to mitigate this risk?
A. IPsec
B. Hashing
C. NAT
D. BitLocker

A

The administrator can use IPsec to mitigate the risk of a sniffing attack. When data in motion/transit is encrypted, it is secure from sniffing and eavesdropping while it is transferred between network nodes.
Transport Layer Security (TLS) is widely used to encrypt data in motion between user browsers and web servers. Other protocols such as IPsec encrypt all data between two nodes, regardless of the application being used.
Hashing does not mitigate the risk of a sniffing attack. Hashing algorithms or functions create fixed-length outputs from source data. Hashing is a form of encryption. However, hashes are meant to be universally unique as well as irreversible.
BitLocker does not mitigate the risk of a sniffing attack. BitLocker is a built-in encryption tool for Windows systems. BitLocker can be used to encrypt fixed and portable drives, including USB drives. BitLocker does not protect data in transit.
Network Address Translation (NAT) does not mitigate the risk of a sniffing attack. NAT is often used to enhance network privacy by hiding a network behind one or more public Internet Protocol (IP) addresses.

10
Q

A cybersecurity analyst is responding to a ticket from a user regarding a PDF attachment to an email.
Although the email appears to be from a known contact, the user did not expect it to contain an attachment and wants to be sure it is legitimate. Which two of the following tools or techniques should the analyst use to safely determine whether or not the attachment is malicious? (Select TWO)
A. VirusTotal
B. EDR
C. Shodan
D. Sandboxing

A

The cybersecurity analyst should use VirusTotal or sandboxing to safely determine if the attachment is malicious. VirusTotal will allow the analyst to submit a file’s hash and then provide a detailed summary of any known information about the attachment, including whether or not it is a known malicious file. The hashes supported for use in this process are MD5, SHA1 and SHA256. Please note, VirusTotal also offers the option of uploading files for analysis, but analysts should generally choose the hash method as this removes any concerns of accidentally sharing sensitive or confidential information that may be present in the file and does not involve any legal or regulatory data processing requirements that may apply to the upload feature depending on factors like the industry and country that the analyst is working in. Sandboxing, which can be accomplished with a paid tool or using an isolated system or virtual machine, is a way to analyze the results of actually opening the attachment and seeing what happens. This is a great solution if the attachment is a novel malicious file that VirusTotal might not yet have detections or indicators of compromise for.
The cybersecurity analyst should not use Shodan to safely determine if the attachment is malicious. Shodan is a tool that allows its users, for both legitimate and potentially malicious purposes, to search and monitor internet-facing assets. The analyst may use Shodan to monitor their organization’s web servers for vulnerabilities but not analyze the PDF file.
The cybersecurity analyst would not use EDR to safely determine if the attachment is malicious. Endpoint Detection and Response (EDR) is a valuable tool to protect the organization’s endpoints in case a user opens the attachment, but it would not be considered a safe practice to open the attachment on a system just to see if EDR detects anything malicious. It is possible the attachment could be malicious, not be detected by the EDR, and then result in a compromised system. EDR would be used as a last line of defense against attachments like this, but it would not be a tool used to initially assess whether or not a file is malicious.

11
Q

An anomaly-based NIDS is installed on a company’s network. During end-of-quarter accounting activities, the NIDS generates multiple alerts related to network bandwidth and database server activity. The database server is running a signature-based HIDS. What is the MOST likely cause of the alerts?
A. DDoS attack
B. Malware infection
C. Database server failure
D. False positive

A

The alerts are most likely to be the result of a false positive. An anomaly-based Intrusion Detection System (IDS) generates alerts based on variations from an established activity baseline. End-of-quarter accounting activities would generate additional network traffic and database activity.
This is not likely to be the result of a database server failure. A server failure would more likely result in the inability to access the server or other server performance problems.
This is not likely to be a distributed denial-of-service (DDoS) attack. It is more likely that the alerts are the result of valid, temporary variations in network activity.
This is not likely to be the result of a malware infection. The host-based intrusion detection systems (HIDS) running on the database server would probably detect this and generate alerts from the infection.

12
Q

A company contracts with a cyber security analyst as part of a risk identification exercise. The analyst plans to interview individuals from each department in order to assess the risks each of them perceives related to the systems they own.
Which of the following is the analyst planning to perform?
A. Quantitative risk analysis
B. Threat modeling
C. Risk prioritization
D. Qualitative risk analysis

A

The analyst is planning to perform qualitative risk analysis. Risk analysis aims to identify, evaluate, and prioritize the risks that an organization faces. A qualitative risk analysis is more subjective and uses input from system owners, data custodians, and others. Generally speaking, qualitative risk analysis is less precise but also takes less time and costs less than quantitative risk analysis.
The analyst is not planning to perform threat modeling. Threat modeling is the process of identifying and evaluating threats. Threat modeling is an important part of risk analysis.
The analyst is not planning to perform quantitative risk analysis. Quantitative risk analysis is more objective than qualitative risk analysis and uses formulas to calculate the financial impact of a realized risk. This analysis results in the calculation of an annualized loss expectancy (ALE) for each system or process.
The analyst is not planning to perform risk prioritization. Risk prioritization occurs after risk analysis and implies that the organization decides which risks should be mitigated first.

13
Q

A user returns from a sales trip and reports that their laptop seems to be running slowly. The security administrator runs a malware scan, which does not detect any issues. However, the administrator discovers the following PowerShell script in the user’s Recycle Bin:
$PrintSetup = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Set-ItemProperty $PrintSetup "PrintProcess" ('C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe -ExecutionPolicy Unrestricted -File ' + "C:\Temp\PrinterSetup.ps1")
Which of the following should be the administrator’s primary concern?
A. Unauthorized changes have been made to the system registry.
B. The PowerShell execution policy has been compromised.
C. The malware scanner is missing critical signature updates.
D. An unapproved, hidden printer has been installed on the laptop.

A

The administrator’s primary concern should be that unauthorized changes have been made to the system registry. The Windows registry stores operating system, application, and service configuration settings.
Attackers frequently target the Run and RunOnce keys in the registry because the scripts or applications referenced in those two keys are executed automatically when a user logs on.
The administrator’s primary concern should not be that the malware scanner is missing critical signature updates. In signature-based intrusion detection, detection is based on a database of known attacks which are referred to as signatures or Indicators of Compromise (IoC). As attack methods are ever changing, signatures must be updated frequently in order for these to be effective.
The administrator’s primary concern should not be that an unapproved, hidden printer has been installed on the laptop. The reference to PrintSetup and PrintProcess in the script is likely an obfuscation technique, which is meant to make the script appear important and harmless.
The administrator’s primary concern should not be that the PowerShell execution policy has been compromised. The PowerShell execution policy is meant to prevent accidental execution of PowerShell scripts. The fact that a PowerShell script could run on the system is a concern, but the primary concern is that a breach has likely occurred.

14
Q

A company completes a careful review of IDS reports, device logs, and operating system logs. It determines that activity which was originally thought to be due to transient conditions is actually being caused by an ongoing attempt to infiltrate the network. The activities it has detected include network mapping, port scanning, attempts to hack passwords, and attempts to remotely administer servers. This has been occurring for six months.
Employee interviews indicate increased attempts at social media attacks and at least one attempt at a watering hole exploit.
The target appears to be the company’s database servers.
What is this an example of?
A. ATD
B. APT
C. Zero-day

A

This is an example of an attack based on an advanced persistent threat (APT). The attack can be categorized as such because of the length of time that the attack has been occurring and the sophistication indicated by the broad base of the attack. The fact that the attacker has proceeded gradually, making the attack harder to identify, is also a feature of an APT attack. The source of such attacks is usually a business competitor or a group sponsored by a government entity.
This is not an example of advanced threat detection (ATD). ATD is not an attack type but rather a method for detecting sophisticated attacks. ATD methods would likely be used to collect detailed information about an APT.
This is not an example of a zero-day attack. A zero-day attack is an attack on a previously unknown vulnerability. Attacks of this type do not target previously known vulnerabilities, and they can use a combination of known attack types.

15
Q

A company is moving to a cloud-based CRM solution. A security analyst recommends to the company that they ensure that customer PII is protected. The analyst suggests that data should be protected using the method shown below:
Original Data
Tina Doe
Account Num: 404-1121
SSN: 123-34-4321

Secured Data
Tina Doe
Account Num: 158-7413
SSN: 901-33-7647

Which method is the analyst proposing?
A. Masking
B. Tokenization
C. Hashing
D. Encryption

A

The analyst is recommending tokenizing the data. Tokenization is designed to protect Personally Identifiable Information (PII) by replacing the original data with data in the same format. Most tokenization methods use random character replacement and store the original-to-tokenized data mapping in an encrypted database or file. If the tokenized data is compromised, it is of little use to an attacker.
The analyst is not recommending masking the data. Masking would permanently replace the original data. The new data may be in the same format as the original data; however, this is not a requirement. For example, a Social Security number could be masked with symbols in the following manner: *******
The analyst is not recommending encrypting the data. Encryption uses a reversible algorithm, unlike tokenization, which is meant to be random. Encrypted output would not retain the same data structure.
The analyst is not recommending hashing the data. Hashing algorithms produce fixed-length, irreversible output. Hashes are often used to verify data integrity.

16
Q

The requirement to support mobile devices and access from home-office based devices has increased recently. The corporate security team will implement a policy-based endpoint security management system to protect the network and company resources. The team needs to audit external and mobile devices that require network access to develop the policy. Which elements are typically required for an endpoint security management policy? (Select THREE.)
A. Operating system version
B. Anti-malware support
C. Client host firewall configuration
D. VPN support
E. Communication bandwidth

A

Typical required elements for an endpoint security system include:
• Operating system version
• VPN support
• Anti-malware support
An endpoint security management policy will specify supported operating systems, including version requirements. This often also includes minimum patch levels. It also specifies requirements for VPN connections to the network and client anti-malware support. Devices are checked when they attempt to connect to the network in order to verify that they meet minimum requirements. Endpoint security can be configured to either deny access or to allow limited access to facilitate endpoint device remediation to bring it up to minimum levels.
Endpoint security policy elements do not include communication bandwidth requirements. Support is usually provided at various bandwidths when it is necessary to support device connections.
VLAN support is not a required element of an endpoint policy. However, a VLAN might be used as a connection destination for devices that do not meet minimum security configuration requirements, and as a location from which to perform remediation tasks.
Client host firewall configuration is not a required element of an endpoint policy. However, use of a host firewall is typically recommended as a way to help reduce the potential risk to client computers when connecting to, and through, the Internet. Use of a host firewall can be required through an endpoint security policy.

17
Q

The incident response team collects a hard disk at an incident site and it may be used as evidence in a trial. The team needs to be able to show that the drive contents have not changed since collection.
What should the team use?
A. Hash utility
B. Forensic disk image
C. Chain of custody form
D. Write blocker

A

The team should use a hash utility to create a hash of the drive immediately after taking possession of it. Another hash can be taken later. If both hash values are the same, it proves that the drive data has not changed.
The team could use a write blocker to protect the drive, but they should not rely on it as proof that the drive has not been modified. The write blocker could be removed, changes could be made, and then the write blocker could be replaced on the hard drive.
The chain of custody form does not provide proof that the drive content has not changed. It provides a record of who had possession of the drive and when, as well as when and where the drive was stored, but it does not provide proof that nothing was done to modify the drive.
A forensic disk image should be made, but it does not prove that the source drive has not been modified. The same change could be made to both images so that they still would match. The primary purpose of creating a forensic image is so it can be used for analysis instead of the source drive.

18
Q

A bank’s website was recently hacked and encryption keys were stolen. The bank has upgraded the web and database servers but it wants to ensure encryption keys are stored as securely as possible. Which is the best method for securely storing encryption keys?
A. Use AES on all servers to encrypt keys.
B. Install a TPM on all web and database servers.
C. Use an HSM to generate and store all keys.
D. Offload encryption functions to an SSL accelerator.

A

Using Hardware Security Modules (HSMs) to generate and store all keys is the best method for securely storing encryption keys. An HSM may be a dedicated compute device that is located in a data center, or a card that plugs into a server’s motherboard. An HSM stores and manages digital keys and performs cryptographic operations related to creating digital signatures and certificates. By using an HSM, the bank can ensure that the encryption keys are stored in a highly secure manner, reducing the risk of unauthorized key access and potential compromise.
Installing Trusted Platform Modules (TPMs) on all web and database servers is not the best method for securely storing encryption keys. A TPM is a cryptographic component that protects encryption keys. TPMs are embedded in devices like computers and provide a range of security features for that single device only, while an HSM is a standalone device focused on secure key management and cryptographic operations for the entire environment. In this scenario, a TPM would provide additional security for a single server itself, but it may not provide the same level of dedicated key management features as an HSM for the entire environment. As such, using an HSM to generate and store all keys is the most suitable choice for securely storing encryption keys after a security breach.
Using Advanced Encryption Standard (AES) on all servers to encrypt keys is not the best method for securely storing encryption keys. AES is a symmetric encryption algorithm. However, an AES implementation is only as secure as the system it is used on. An HSM offers additional security mechanisms that AES alone cannot provide.
Offloading encryption functions to a Secure Sockets Layer (SSL) accelerator is not the best method for securely storing encryption keys. An SSL accelerator is typically a dedicated device used to offload CPU-intensive encryption processing.

19
Q

Several users browse multiple websites each day and document the results. The company needs the ability to analyze any malware downloaded to users’ computers and quickly restore computers to a clean state.
Which technology should the company use?
A. IDS
B. Hash function
C. Host firewall
D. WAF
E. Sandbox application

A

The company should use a sandbox for users to run their web browser from inside the sandbox application. This isolates the browser from the rest of the computer, including malware that might be downloaded through the browser. After any analysis, the sandbox software can be used to remove the malware and return the computer to its initial state.
The company should not use an intrusion detection system (IDS). An IDS could monitor activity and issue an alert when a potentially hazardous condition is detected. It would not do anything to isolate the malware or quickly restore the computer.
The company should not use a web application firewall (WAF). A WAF is a device designed to protect web servers and web applications, not client browsers.
The company should not use a host firewall. A host firewall provides a way to control traffic into or out of a computer, but it does nothing to isolate activity internal to the computer. Because users must navigate to different websites as a job responsibility, they would not use a firewall to block communication paths.
The company should not use a hash function. A hash function is used to generate a value based on a file that can later be used for comparison to see if the file has changed. It would do nothing to meet the requirements.

20
Q

Following a defense in depth approach, an organization has deployed the following systems: SIEM, an anti-spam system, and an NGFW. However, the security administrator spends too much time manually creating signatures.
What should the administrator do to address this issue?
A. Add reputation block lists to the firewall configuration.
B. Configure blocklist rules on the anti-spam system.
C. Submit suspicious files to the Cuckoo API for automated analysis.
D. Configure the SIEM system to support multiple TI feeds.

A

The administrator should configure the security information and event management (SIEM) system to support multiple threat intelligence (TI) feeds. SIEM solutions are designed to ingest data from a variety of network components, such as user workstations or laptops, network routers and switches, firewalls, servers, and other appliances. The SIEM then analyzes the data to identify trends, pending security issues, and security breaches. To be able to detect a specific type of security event or attack, SIEM systems utilize rules or patterns called signatures. A SIEM signature is typically defined using a combination of keywords, patterns, and logic. For example, a signature might look for a specific string of characters in network traffic, or it might detect an unusual pattern of behavior on a particular server. When the SIEM system detects a security event that matches a specific signature, it can generate an alert or perform another appropriate action, such as blocking traffic or quarantining a system.
SIEM analysis can be enhanced using free and purchased TI feeds. A TI feed can provide real-time or near-real-time intelligence gleaned from other organizations, dedicated security systems, and intelligence gathering networks. By combining threat feeds, the SIEM can detect a broader range of attacks.
The administrator should not configure blocklist rules on the anti-spam system. Blocklists are typically Internet Protocol (IP), domain name, or email address rules that block email sent from a specified source.
The administrator should not add reputation block lists (RBLs) to the firewall configuration. RBLs are a form of threat intelligence. However, in this scenario the administrator is manually creating signatures, which is typically done on a SIEM, not a firewall.
The administrator should not submit suspicious files to the Cuckoo API for automated analysis. Cuckoo is an open source malware analysis system. Cuckoo provides a submission Application Programming Interface (API) that can be used to automate the submission/analysis process.

21
Q

A company’s security team needs to validate the results of a vulnerability scan. They want to compare the results with historic log data from network routers, switches, and firewalls.
What should they use to do this?
Choose the correct answer
A. SIEM
B. SABSA
C. SCAP
D. SCADA

A

The security team should use security information and event management (SIEM). SIEM provides a way to collect, aggregate, and analyze data from multiple sources, including most network devices. It can be used to supply additional information to validate vulnerability scan results. Vulnerability scan reports can also be collected in SIEM and used in the analysis.
The security team should not use the Security Content Automation Protocol (SCAP). SCAP provides a means for automating vulnerability management, measurement, and policy compliance evaluation based on a standards checklist.
The security team should not use supervisory control and data acquisition (SCADA). SCADA refers to a standard for industrial process control networks. SCADA provides guidelines for data acquisition, monitoring, and processing.
The security team should not use Sherwood Applied Business Security Architecture (SABSA). SABSA is a framework for developing and delivering enterprise information security architectures. SABSA provides a matrix for evaluating assets, motivations, processes, locations, people, and time constraints.

22
Q

A traveling salesperson’s laptop was recently returned in an anonymously addressed package. Upon inspection, a security analyst is able to recover a malware executable that was attached to an email sitting in the salesperson’s outbox. The analyst plans to perform executable process analysis.
What should the analyst use for this task?
Choose the correct answer
A. Captive portal
B. Detonation chamber
C. Mantrap

A

The analyst should use a detonation chamber. A detonation chamber is a type of sandbox where malware analysis can take place. The physical implementations may differ, but a detonation chamber typically consists of a virtual environment where malware can be activated and its behavior monitored, including file system changes, configuration changes, and network connections. A detonation chamber is also known as a dynamic execution environment.
The analyst should not use a captive portal. Captive portals are often deployed on guest wireless networks to facilitate user access.
The analyst should not use a mantrap. A mantrap is like a vestibule with locking doors on each end. The mantrap enhances physical security by “trapping” an individual while identity verification is performed.

23
Q

The volume of sensitive data that a company is responsible for has increased significantly. A security consultant was contracted out of fear that the company might be under some form of APT. The consultant recommends implementing a policy of proactive threat hunting.
What is the first step in proactive threat hunting?
Choose the correct answer
Analyze executable processes.
Implement network segmentation.
Develop a hypothesis.
Deploy additional monitoring tools.

A

The first step in proactive threat hunting is to develop a hypothesis. This enables you to move past common and expected threats into the realm of advanced threat hunting to identify other threats and develop mitigation and remediation actions. Proactive threat hunting is used to identify threats that make their way past traditional security safeguards, such as advanced persistent threats (APTs). Threat hunting is used to find cyber attacks that have penetrated your network without raising any alerts.
Analysis of executable processes is part of the threat hunting process but not the first step in the process.
This is done to help identify previously overlooked attack vectors and potential vulnerabilities.
Extensive monitoring, especially watching for possible anomalies, is a key part of the threat hunting process, but it is not the first step in the process. Monitoring can not only help identify active threats, but it can also help identify potential attackers probing for weaknesses.
Network segmentation is one way of protecting your network by reducing the attack surface and making your network less vulnerable to attacks. This is an action you might take based on what you discover during your threat hunt.

24
Q

A critical database server is experiencing intermittent performance issues; however, it does not exhibit any other symptoms of a possible malware infection. All applications, services, and data on the server are scanned for potential problems. A signature-based analysis scan does not report any problems. A heuristic-based analysis scan reports three possible malware infections. Which statement BEST describes what is evident from the scan reports?
Choose the correct answer
The possible infections should be further investigated.
The malware infections are definitely false positives.
The server should be taken offline immediately to protect the network.
The signature-based scanner is likely out-of-date.

A

The statement that best describes what is evident from the reports is that the possible infections should be further investigated. Either the signature-based scan reported false negatives or the heuristics-based scan reported false positives, or possibly even both. However, there is currently not enough information available to make this determination. There needs to be further investigation to determine if the positives are false positives, possibly isolating the files for extensive analysis.
There is nothing to indicate that the signature-based scanner is out-of-date. If it has reported false negatives, this could be due to threats for which signatures have not been identified.
You cannot make the statement that the malware infections reported are false positives without additional research and analysis.
There is nothing to indicate a need to take the server offline. It does not exhibit any symptoms that indicate a risk to the network.

25
Q

An organization is expanding its operations to the European Union and it needs to ensure compliance with the GDPR. A security analyst informs the organization that according to the GDPR, collected data must be adequate and relevant. What should the organization do to comply with this requirement?
Choose the correct answer
Employ proper data retention methods.
Require that all PII be tokenized.
Implement data minimization practices.
Encrypt all data in motion or at rest.

A

The organization should implement data minimization practices to comply with this requirement. The General Data Protection Regulation (GDPR) aims to protect the privacy of all European Union (EU) citizens and it is applicable to any organization that does business in the EU, or with EU citizens, even if the organization is not located in the EU. Data minimization, which is one of the requirements of the GDPR, stipulates that only necessary data should be collected from individuals. For example, a streaming music site probably does not need to collect passport ID from its customers.
The organization should not encrypt all data in motion or at rest to comply with this requirement.
Encryption is not required by the GDPR; however, data security is, and encryption is suggested as a method to achieve this.
The organization should not require that all Personally Identifiable Information (PII) be tokenized to comply with this requirement. Tokenization is designed to protect PII by replacing the original data with data in the same format. Most tokenization methods use random character replacement and store the original-to-tokenized data mapping in an encrypted database or file. If the tokenized data is compromised, it is of little use to an attacker.
The organization should not employ proper data retention methods to comply with this requirement. The GDPR stipulates that PII should only be kept as long as reasonably necessary.

26
Q

A company is deploying a server that is to be used as a development server for security applications.
Access to the server must be strictly limited to designated developers. Physical access to the server should be restricted. As well as having no access to the internet, the server should be as isolated as possible. What technology should the company employ?
Choose the correct answer
CASB
Sandbox
DMZ
Air gap

A

The company should deploy the server in an air gap. An air gap is a deployment method that is used to physically and electronically isolate a device from the network. Access to an air-gapped device normally requires you to be physically within the proximity of the device. A Faraday cage or other isolation method may be used to electronically isolate the device.
The company should not deploy the server in a demilitarized zone (DMZ), also known as a perimeter network. This does not provide the protection needed for the server. A DMZ is used to provide a layer of protection between your internal network and the internet. The DMZ will have one or more firewalls directly facing the internet.
The company should not use a sandbox to deploy the server. A sandbox is a somewhat specialized security environment. It is isolated from the internal network but it is used to test or investigate suspicious files, applications, or URLs. A sandbox is usually configured with internet access to facilitate testing.
You should not use a cloud access security broker (CASB). A CASB is used to manage access between users and cloud-based devices. This type of device would have no role because the server should not have any access to the internet.

27
Q

A security analyst is using email headers to determine whether or not malicious activity has occurred. Which of the following is the BEST potential indicator of a phishing attempt found in the email header analysis process?
Choose the correct answer
The inclusion of an encrypted attachment
A long list of unknown recipients in the To field
A mismatch from the domain that the email is expected to come from
A message sent with a high priority level

A

Email headers contain a lot of information that can be helpful in determining the validity of an email and whether or not that email could potentially be a phishing attempt. In this scenario, the best potential indicator of a phishing attempt would be a mismatch from the domain that the email is expected to come from. For example, you know that you normally get official Microsoft emails from microsoft.com, but instead you get an email from a lookalike domain (such as a "microsoft tech support" domain ending in .org).
A message sent with a high priority level is not the best potential indicator of a phishing attempt. Although urgency can be a trademark of phishing attempts, it is also common for legitimately urgent emails to use this function. A mismatched domain has a much higher likelihood of being phishing.
A long list of unknown recipients in the To field is not the best potential indicator of a phishing attempt.
Although a phishing email may target large groups across many organizations, SPAM emails are much more likely to fit this description.
The inclusion of an encrypted attachment is not the best potential indicator of a phishing attempt. Although encrypted attachments can be used as a method to deliver malware and evade email scanning solutions, business professionals commonly use encrypted attachments to include documents with sensitive information. A mismatched domain has a much higher likelihood of being phishing.

28
Q

A company’s perimeter network includes a secure web server, a NAT server, an FTP server, and a DNS server. The network is connected to the internet by a firewall.
Several remote clients access the internal network through the perimeter network. Remote clients have recently been the target of man-in-the-middle attacks. The company wants to require remote client connections through encrypted VPN connections only. Clients need to connect with multiple server types.
Changes to firewall configurations must be kept to a minimum. What type of VPN should the company use?
Choose the correct answer
SSL portal VPN
L2TP
PPTP
SSL tunnel VPN

A

The company should use an SSL tunnel VPN. An SSL tunnel VPN provides the encryption needed and lets users connect to both web and non-web services. The connection port is 443, the same port as the secure web server, so there are no changes required to the firewall.
The company should not use an SSL portal VPN. Although the solution meets the configuration and encryption requirements, it only supports web services.
The company should not use a PPTP VPN. Although the solution meets the encryption requirements, it requires additional firewall ports to be opened. A PPTP VPN uses ports 47 and 1723.
The company should not use an L2TP VPN. This solution requires an additional encryption protocol, such as IPSec, because it does not have native support for encryption. It also requires ports 50, 500, and 4500.

29
Q

A company wants to implement an authentication system that supports authentication using the same user identities across organizations and security domains. What type of authentication should the company implement?
Choose the correct answer
SSO
Proxy
Federation
MFA

A

The company should implement federation (federated authentication). Federation allows for authentication using the same authentication credentials, known as a federated identity, across security boundaries.
Security is based on trust relationships with the identity maintained in one central location.
Single sign-on (SSO) is similar to federation in that authentication gives the user access across multiple systems and service providers. However, it does not provide support across multiple security domains.
Multifactor authentication (MFA) refers to the criteria that are required for authentication, not to the access supported through authentication. MFA is based on requiring two or more authentication factors from different authentication categories. The most common authentication categories are:
• Something you know (such as a username and password or PIN)
• Something you are (biometric factors such as fingerprint or retina scan)
• Something you have (such as a hardware token or smart card)
MFA can be required in a federated authentication system, but it does not provide federation support in itself.
Proxy authentication is where one application or network appliance acts as the intermediary for authentication for other resources. A common example is the use of a proxy server to manage authentication for a website or web application.

30
Q

Which policy identifies the person or group responsible for determining who has access to view or modify data and for setting guidelines for data disposal?
Choose the correct answer
Data classification
Acceptable use
Data ownership
Data retention

A

The data ownership policy defines the legal ownership of data. This can be a single person, in a small company, or it can be a responsibility divided between different groups in a larger organization. The data owner has ultimate control over data access and restriction and data retention. This person should be involved in data classification too. However, there are data regulations that can supersede the owner’s rights to controlling the data.
The acceptable use policy (AUP) describes how data and other resources may be used. The data owner is typically responsible for defining at least general guidelines which the AUP is based on.
The data retention policy deals with data storage, archival, and disposal. This is another area ultimately under the data owner’s responsibility, but the data retention policy does not usually specify the data owner.
Data retention policy must be set in accordance with any applicable regulatory requirements.
The data classification policy identifies data according to risk or access levels. Data classification helps to identify data security needs, acceptable use policies, and details about when and to whom the data may be released.

31
Q

An employee attempts to forward an email to a consumer cloud storage service. The email includes an employee telephone list as an attachment. The email is blocked from delivery.
What type of policy control is this an example of?
Choose the correct answer
DRM
DLP
IDS
NAC

A

This is an example of data loss prevention (DLP) in action. DLP is designed to prevent insiders from accidentally or intentionally exposing network data. Business rules are used to classify and protect confidential and critical information. DLP is used to prevent insider threats and to meet regulatory compliance requirements.
This is not an example of digital rights management (DRM). DRM refers to controls and policies that are used to restrict the use of proprietary hardware and copyrighted materials.
This is not an example of network access control (NAC). NAC provides a way to test and verify that devices meet policy requirements before allowing access.
This is not an example of an intrusion detection system (IDS). An IDS is used to collect information about intrusion attempts, usually operating as a passive monitoring device to make it less likely that the attacker will notice the device.

32
Q

How is bus encryption used in PCs?
Choose the correct answer
To assist with data encryption before storage to improve performance.
To provide a secure communication path between PCs and internet resources.
To help enforce DRM.
To prevent rootkit or bootkit malware infections.

A

One use of bus encryption in PCs is to help enforce digital rights management (DRM), which are access control techniques that are used to protect copyrighted materials and proprietary hardware. Bus encryption uses encrypted program instructions on a computer data bus. Bus encryption is used on PCs that are running Microsoft operating systems to help protect certificates, passwords, and program authenticity. Bus encryption is also used in electronic systems that need high security, such as automated teller machines.
Bus encryption does not assist with data encryption before storage to improve performance. Different encryption methods are used, depending on the encryption requirements, but these do not use bus encryption to improve performance.
Bus encryption does not provide a secure communication path between PCs and internet resources. This is accomplished through the use of secure protocols like HTTPS and the use of virtual private network (VPN) connections.
Bus encryption does not prevent rootkit or bootkit malware infections. This is accomplished through other mechanisms, such as requiring secure boot and using anti-malware software.

33
Q

What is the role of Tactics, Techniques and Procedures (TTPs) in threat hunting?
Choose the correct answer
Uncovering anomalies that identify previously unknown attack vectors
Mapping networks to identify attack surfaces
Identifying potential threats through the use of open source intelligence
Assessing the level of threat represented by a threat actor

A

Tactics, Techniques and Procedures (TTPs) provide a way of assessing the level of threat represented by a threat actor. This is part of the process of creating a threat actor profile. A threat actor is a person or a group of people with malicious intent and a mission to compromise an organization’s security or data. TTPs are considered semantic indicators and provide value in determining a threat’s maturity level.
TTPs are not used for uncovering anomalies that identify previously unknown attack vectors. Much of this process is done through detailed analysis of available monitoring data, often with the assistance of machine intelligence tools.
TTPs do not identify potential threats through the use of open source intelligence (OSINT). OSINT is one of the data sources used for gathering information and is most commonly used in national security, law enforcement, and business intelligence functions. OSINT analysis can include active analysis, passive analysis, or both.
TTPs are not used to map networks to identify attack surfaces. Several standard tools and utilities can be used for this purpose. There are also tools available that are designed specifically for this purpose.

34
Q

A security consultant determines that recent instances of data exfiltration occurred when employees accessed network servers from remote locations. A security policy is set into place to limit employees accessing the network from outside the network. Access is restricted to the email server and public-facing websites only. Which access control is this security policy applying?
Choose the correct answer
Location-based
Discretionary
Rule-based
Role-based

A

This is an example of a location-based access control policy. These are controls based on the location from which a device accesses the network. There could be limits imposed when connecting from a Wi-Fi hot spot, from home, or from a remote office.
This is not an example of rule-based access control. Rule-based access control limits authorization and access based on conditions such as patches, operating system type, and so forth.
This is not an example of role-based access control. Role-based access control is based on user identity, job function, authority, or responsibility. An example of this would be controls based on group membership.
This is not an example of discretionary access control. With discretionary access control, users can manage their own access and change or override access control limits. The type of control here would be implemented through mandatory access control, where control can be applied or changed by administrators only.

35
Q

A company brings in a cybersecurity consultant to improve network security. The consultant explains that the way client computers are used to remotely manage high value servers is a potential risk. Currently, administrators use client computers to access servers that are deployed on a VLAN through an internal firewall. What technology should the consultant recommend to help ensure secure administration?
Choose the correct answer
Screened subnet
Endpoint security
Sinkhole
Jump box

A

The consultant should recommend using a jump box (jump server) for secure server administration. A jump box is a secure administrative host computer used to administer devices deployed in a secure zone, such as a VLAN set up for that purpose. This means that there is no need to use network clients to administer the servers.
The consultant should not recommend using a sinkhole (DNS sinkhole). A sinkhole is a DNS server configured to provide a false IP address when queried for the address of a potentially malicious or dangerous site.
The consultant should not recommend a screened subnet. A screened subnet is a way of segmenting a network, but the secure servers have already been segmented through use of a VLAN. A screened subnet uses a firewall with three network adapters, with one connected to the Internet, one to a demilitarized zone (DMZ), and one to the internal network.
The consultant should not recommend implementing endpoint security. Endpoint security refers to securing devices that access the network, such as desktops, laptops, and mobile devices, as part of any overall network security design.

36
Q

A hardware supplier plans to bid for a government contract. The contract stipulates that bidders must provide evidence to show that component authenticity and integrity are closely monitored. What should the supplier do to meet this requirement?
Choose the correct answer
Deploy TEMPEST at all supply chain source locations.
Ensure that processes are compliant with Trusted Foundry.
Ensure that all communications are protected with S/MIME.
Configure all IDS and IPS systems to utilize TAXII feeds.

A

The supplier should ensure that processes are compliant with Trusted Foundry. The Trusted Foundry program is a US Defense Department initiative that aims to ensure that microelectronic components are securely sourced. The program defines trusted sources as those that can secure their supply chains, mitigate the risk of supply chain disruption, and protect integrated circuits (ICs) from reverse engineering.
For example, the electronic components sourced to build a fighter jet would fall under Trusted Foundry requirements.
The supplier should not deploy TEMPEST at all supply chain source locations. TEMPEST is a government program for gathering information from and protecting systems that emit electronic signals. A Faraday cage is a component in a TEMPEST system.
The supplier should not ensure that all communications are protected with Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME uses Public Key Infrastructure (PKI) to ensure the integrity, authenticity, and confidentiality of email.
The supplier should not configure all intrusion detection systems (IDS) and intrusion prevention systems (IPS) to utilize Trusted Automated Exchange of Intelligence Information (TAXII) feeds. TAXII is a protocol that can be used to share cyberthreat intelligence (CTI) over Hypertext Transfer Protocol Secure (HTTPS).

37
Q

A company lowers its restrictions on BYOD and connections to and through the company network. The company determines that it should update its AUP before allowing personal devices. What should be included in an AUP?
Choose the correct answer
Limits on deleting archived emails
Guidelines regarding restrictions to web sites that can be accessed from the company network
Specifications for who can classify data files as company confidential
Minimum limits for password length and complexity

A

BYOD stands for Bring Your Own Device, a policy by which employees can use their personal devices for work purposes.
Guidelines regarding restrictions to websites that can be accessed from the company network would be included as part of the Acceptable Use Policy (AUP). The AUP defines how you can use the network and resources and what activities are limited or restricted. Internet service providers (ISPs) often require subscribers to agree to an AUP.
Minimum limits for password length and complexity would be included in the password policy. This can be a written policy, enforced through technical controls, or both.
Limits on deleting archived emails should be specified in data retention policies. Data retention policies can be used to control data retention and deletion for various types of data, including when and how data can be deleted and destroyed.
Specifications for who can classify data files as company confidential should be specified in a company’s data classification policy. Data classification is typically a function of data ownership.

38
Q

An organization processes and stores PHI. The organization’s management is concerned that employees will breach regulatory requirements regarding this PHI.
Which type of administrative safeguard should the organization employ?
Choose the correct answer
Require employees to sign confidentiality agreements.
Implement MFA on all Internet-facing servers.
Require all users to use VPN for remote access.
Require employees to use full disk encryption.

A

The organization should require employees to sign confidentiality agreements. Security controls can be physical, technical, or administrative. Administrative controls are considered soft controls, and include concepts like disaster recovery plans, user training, and policies. A confidentiality agreement is an administrative control that aims to prevent disclosure of certain types of information. This can be used to encourage employees not to share a client’s Personal Health Information (PHI).
The organization should not require employees to use full disk encryption. Full disk encryption is a technical control that secures data at rest and mitigates the risks presented by a lost or stolen hard drive.
The organization should not implement Multifactor Authentication (MFA) on all Internet-facing servers. Systems that implement MFA require two or more successful authentication methods before access is granted. MFA is a technical control.
The organization should not require all users to use Virtual Private Network (VPN) for remote access. A VPN is a technical control designed to provide authenticated, secure communications between networks and clients.

39
Q

A company is developing a new application for processing patient records. The company is using external resources to develop the application. Initial testing will take place outside of the company. The company has decided to supply developers with data that is structurally similar to live data but that is an inauthentic version of the data. What is this an example of?
Choose the correct answer
Data masking
De-identification
Encryption
Tokenization

A

The testing process described uses data masking to protect personal health information (PHI) from accidental disclosure. Data masking uses inauthentic data that is structured like the actual data for testing or for user training. Many companies use data masking to prevent the accidental disclosure of real data.
This is not an example of tokenization. Tokenization is the process of replacing sensitive data with a non-sensitive equivalent that has no exploitable meaning or value, which is referred to as a token. The token is mapped back to the original value through a tokenization system.
This is not an example of encryption. Encryption is the process of scrambling or substituting clear text with a new value based on an encryption key. A decryption key is required to access the data in a clear text format.
This is not an example of de-identification. De-identification refers to data from which all personally identifiable information (PII), including PHI, has been removed. In this scenario, the data is replaced with different values rather than just being removed.

40
Q

A security administrator is analyzing the data provided in the exhibit below:
IP packet size distribution (46255 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .009 .000 .002 .000 .000 .000 .003 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .002 .000 .000 .008 .931 .000 .000 .000 .000 .000 .000
Which technology or tool most likely generated this output?
Choose the correct answer
Stateful firewall
vulnerability scanner
NetFlow
tcpdump

A

The output in the exhibit was most likely generated by NetFlow. NetFlow is a network protocol used to capture packets and analyze traffic statistics on network nodes. In most NetFlow implementations, network devices are configured with the Internet Protocol (IP) address of a NetFlow collector, a dedicated system that collects NetFlow data. The NetFlow collector may have advanced analytical, reporting, and alerting functionality. The example in the exhibit is the partial output of the show ip cache flow command on a Cisco router. This command shows NetFlow statistics on a device.
It is not likely that tcpdump generated the output in the exhibit. tcpdump is a popular command-line protocol analyzer used on *nix (also known as Unix-like) operating systems.
It is not likely that a stateful firewall generated the output in the exhibit. Stateful firewalls offer traditional packet filtering capabilities, but they can also track session states, which means that they track the entire conversation between two nodes.
It is not likely that a vulnerability scanner generated the output in the exhibit. Vulnerability scanners scan nodes for known vulnerabilities, including missing patches and system misconfigurations.

41
Q

An ecommerce auction site allows clients to post auctions using a REST API. A security analyst is concerned about API key security.
Which two methods should the analyst recommend for securing API keys? (Choose two.)
Choose the correct answers
Store keys in the API configuration.
Require TLS for all connections.
Require clients to hash API keys.
Restrict key usage to known IPs.

A

The analyst should recommend that key usage be restricted to known Internet Protocol (IP) addresses and require Transport Layer Security (TLS) for all connections. Representational State Transfer (REST) Application Programming Interfaces (APIs) often use keys as a means of authentication. Keys are like passwords and should be treated as such. TLS will ensure that keys cannot be sniffed while in transit, and restricting access to known IPs will limit which nodes can attempt to connect to the API.
The analyst should not recommend that keys be stored in the API configuration. API keys should be stored in environment variables, not in application code or configuration files.
The analyst should not recommend that clients hash API keys. Hashing keys will make the keys unrecoverable, but it does not solve the issue created when clients use their keys to authenticate with the API.

42
Q

A security provider has implemented a process that automatically scans incoming files and compares them to known malware signatures to identify possible new infections.
This is an example of which of the following?
Choose the correct answer
Automated malware signature creation
Continuous integration
Proactive threat hunting
Continuous delivery

A

This is an example of automated malware signature creation. This process generates new signatures by identifying probable malware based primarily on its similarity to known malware. Streamed files go through an initial static analysis to identify possible malware.
This is not an example of continuous integration or continuous delivery. These both deal with development, update, and distribution of software. Continuous integration deals with merging gradual changes back into the main development branch. Continuous delivery is an automated release process to get changes into production as quickly as possible.
This is not an example of proactive threat hunting. Proactive threat hunting is used to identify threats that make their way past traditional security safeguards, such as advanced persistent threats (APTs). Threat hunting is used to find cyber attacks that have penetrated your network without raising any alerts.

43
Q

A network engineer is tasked with reducing device management overhead. The engineer has been given the following requirements:
• Devices must support automation using YANG models.
• Devices must be manageable using HTTPS.
• Devices should accept and return configuration information in a format similar to that shown below:
"Cisco-IOS-XE-interfaces-oper:interface": {
    "name": "GigabitEthernet1",
    "interface-type": "iana-iftype-ethernet-csmacd",
    "admin-status": "if-state-up",
    "oper-status": "if-oper-state-ready",
    "last-change": "2020-08-15T18:30:00.123+00:00",
    "if-index": 1,
    "phys-address": "00:ba:56:bb:e2:9a",
    "speed": "1024000000",
    "vrf": "",
    "ipv4": "10.10.10.11",
    "ipv4-subnet-mask": "255.255.255.0",
    "description": "MGMT INT",
    "mtu": 1500,
    "input-security-acl": "",
    "output-security-acl": ""
}
What should the engineer do to meet these requirements?

Choose the correct answer
Enable the RESTCONF API and use Python to set and retrieve configuration information.
Implement the CKC Model and perform actions defined in phase 7, actions on objectives.
Configure a syslog server and forward syslog information from endpoints.
Deploy an SNMP management system and configure SNMP agents on endpoints.

A

The engineer should enable the Representational State Transfer Configuration Protocol (RESTCONF) Application Programming Interface (API) and use Python to set and retrieve configuration information.
RESTCONF is designed to provide REST-like API access to network device configurations using Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS). When a controller or other network management system interacts with a device using RESTCONF, queries can be sent, responses received, and configuration information supplied using Extensible Markup Language (XML) encoded or JavaScript Object Notation (JSON) encoded data. The information in the exhibit is a JSON-formatted response from a Cisco IOS XE router.
The engineer should not deploy a Simple Network Management Protocol (SNMP) management system and configure SNMP agents on endpoints. SNMP can collect performance and event information from network devices and modify device configurations. Many SNMP management systems can also be configured to alert on performance thresholds and system availability. SNMP does not use HTTPS; it runs over User Datagram Protocol (UDP) port 161.
The engineer should not configure a syslog server and forward syslog information from endpoints. Syslog is a standardized protocol that is used widely on network devices and servers. A syslog agent or process runs on these devices and it can be configured to send syslog messages to a centralized server.
The engineer should not implement the Cyber Kill Chain (CKC) Model and perform actions defined in phase 7, actions on objectives. The CKC Model outlines the seven steps an attacker takes to compromise a target.

44
Q

During a security audit, an analyst performs a full packet capture. The analyst is surprised to discover the packet payload displayed below.
Message-ID: <000d01cf001a5$15ea$abefa8c119kay>
From: "J Doe" <j.doe@does.j.net>
To: <L Welk@home.net>
Subject: Info
Date: Tue, 9 Sep 2020 22:30:00 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900
This is a multi-part message in MIME format.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html">
<META content=3D"MSHTML 6.00.2900.2180" name=3DGENERATOR>
<STYLE>

</STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>The numbers are: </FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>123-32-4567</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>4231-4444-3214-3212</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>4111-4000-4321-3210</FONT></DIV>
</BODY>

What two concerns would the analyst have?
Choose the correct answers
PHI exposure
Transport encryption
Server update status
DLP functionality
A

The analyst is concerned with the functionality of the Data Loss Prevention (DLP) measures and with transport encryption. The final lines of the capture seem to include a Social Security number and two credit card numbers. DLP is designed to prevent the exfiltration of an organization’s sensitive or proprietary data, which includes Personally Identifiable Information (PII). DLP is usually configured on email servers and firewalls.
This packet capture appears to be an email, likely in transit from an email client to an email server. Security best practices stipulate that these communications should be protected with Transport Layer Security (TLS). Simple Mail Transfer Protocol (SMTP) does not inherently protect email content.
The analyst is not concerned with Personal Health Information (PHI) exposure. PHI includes any information related to a person’s health that is individually identifiable, which means that the information could be used to identify an individual. Examples of PHI include physical or mental health conditions, prescriptions, or other diagnoses.
The analyst is not concerned with server update status. The payload does not expose a server status. However, keeping systems up to date is an important part of a patch management program.

45
Q

What is the role of Measured Boot in the Windows 10 boot process?
Choose the correct answer
To force the computer to load only trusted operating system bootloaders.
To test drivers before loading, and prevent loading of unapproved drivers.
To log the boot process to the computer’s UEFI and load the information to a trusted server.
To check the integrity of each component in the startup process before loading the component.

A

Measured Boot logs the boot process to the computer’s Unified Extensible Firmware Interface (UEFI) and it can load the information to a trusted server, which is known as an attestation server. Measured Boot requires the computer to have Trusted Platform Module (TPM) and UEFI installed.
Measured Boot is one of the four Windows features that help prevent rootkits and bootkits. These features are:
• Secure Boot
• Trusted Boot
• Early Launch Anti-Malware (ELAM)
• Measured Boot
Secure Boot forces the computer to load only trusted operating system bootloaders. Secure Boot also requires TPM and UEFI as prerequisites.
Trusted Boot checks the integrity of each component in the startup process before loading the component. There are no special hardware prerequisites for Trusted Boot.
Early Launch Anti-Malware (ELAM) tests drivers before loading and prevents loading of unapproved drivers. There are no special hardware prerequisites for ELAM.