Dion P Exam Flashcards

1
Q

You are working as a wireless networking technician and running a wireless controller to aid in network administration. Your supervisor has requested that you implement a centralized authentication service. Which of the following devices should you install and configure if you want to decrease the amount of time spent administering the network while still providing a centralized authentication service for your users?

A. RADIUS Server
B. Layer 3 Switch
C. VPN Concentrator
D. Proxy Server

A

A. RADIUS Server

Explanation:
OBJ-1.5: A Remote Authentication Dial-In User Service (RADIUS) server will enable the wireless clients to communicate with a central server to authenticate users and authorize their access to the requested service or system. None of the other options presented are designed to support centralized authentication services by themselves, but instead, use a protocol like RADIUS to perform those functions.

2
Q

A small office has an Internet connection that drops out at least two times per week. It often takes until the next day for the service provider to come out and fix the issue. What should you create with the service provider to reduce this downtime in the future?

A. MOU
B. NDA
C. AUP
D. SLA

A

D. SLA

Explanation:

3
Q

What information should be recorded on a chain of custody form during a forensic investigation?

A. The list of individuals who made contact with files leading to the investigation
B. Any individual who worked with evidence during the investigation
C. The law enforcement agent who was first on the scene
D. The list of former owners/operators of the workstation involved in the investigation

A

B. Any individual who worked with evidence during the investigation

Explanation:
OBJ-2.8: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization’s procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn’t collect the evidence). The other options presented by the question are all good pieces of information to record in your notes, but they are not required to be on the chain of custody form.

4
Q

Dion Training is trying to define key performance indicators for their recently released voucher management system. The CIO has stated that the voucher management system must be able to detect and repair any voucher database record integrity issues within 30 seconds. To monitor this requirement, the analysts have created a metric to measure the number of record integrity issues and another metric to measure the time it took to repair those records. Which of the following types of key performance indicators would these metrics be classified as?

A. Usability
B. Reliability
C. Scalability
D. Availability

A

B. Reliability

Explanation:
OBJ-4.1: Reliability metrics measure the ability of a system to perform without error or to avoid, detect, and/or repair component or integrity failures. Scalability metrics measure the ability of a system to handle an increase in workload while maintaining a consistent level of performance. Availability metrics measure the probability that a system will be operating as expected at any given point in time. The most common availability metric used is known as uptime. Usability metrics measure the effectiveness, efficiency, and satisfaction of users working with a given system.

5
Q

As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve information about an organization’s network infrastructure without causing an IPS alert. Which of the following is his best course of action?

A. Use a nmap ping sweep
B. Perform a DNS zone transfer
C. Use a nmap stealth scan
D. Perform a DNS brute force attack

A

D. Perform a DNS brute force attack

Explanation:
OBJ-2.4: The best course of action is to perform a DNS brute-force attack. The DNS brute-force attack queries a list of IPs and typically bypasses IDS/IPS systems that do not alert on DNS queries. A ping sweep or a stealth scan can be easily detected by the IPS, depending on the signatures and settings being used. A DNS zone transfer is also something that often has a signature written for it and will be alerted upon, since it is a common attack technique.

6
Q


A. Economic
B. Detection time
C. Downtime
D. Data integrity
E. Recovery time

A

A. Economic
D. Data integrity

Explanation:
While all the above options should be included in your report to management, due to the nature of your company’s work, the economic impact on the business should be your top factor. This would include any possible liability and the damage that will be done to the company’s reputation. Data integrity would be the second most important factor to highlight in your report, since an APT may have stolen significant amounts of money by altering your financial documentation and account data. Downtime, recovery time, and detection time are important for understanding the broader cybersecurity concern and remediation, but they are not going to be the primary concern for an accounting firm’s executives.

7
Q

Which of the following types of information is protected by rules in the United States that specify the minimum frequency of vulnerability scanning required for devices that process it?

A. Medical Records
B. Driver's License Number
C. Insurance Records
D. Credit Card Data

A

D. Credit Card Data

Explanation:
OBJ-4.3: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. As part of PCI DSS compliance, organizations must conduct internal and external scans at prescribed intervals on any devices or systems that process credit card data. HIPAA protects medical and insurance records, but this law doesn’t define a frequency for vulnerability scanning requirements. Driver’s license numbers are considered PII, but again, there is no defined frequency scanning requirement regarding protecting PII under law, regulation, or rule.

8
Q

Dion Training is developing a new digital contracting system to allow their corporate customers to create orders online. Once the customer creates their order, they will need to digitally sign the contract. The algorithm should use logarithmic and modulus math to create the digital signature, and the speed of generating the digital signature should be prioritized over the speed of verifying the digital signature. Which of the following cryptographic algorithms would best meet these requirements?

A. DSA
B. PBKDF2
C. ECDSA
D. RSA

A

A. DSA

Explanation:
OBJ-3.6: The digital signature algorithm (DSA) is a cryptographic algorithm that uses logarithmic and modulus math to generate and verify digital signatures. The DSA is faster than RSA at generating digital signatures, but it is slower than RSA when verifying them. Rivest, Shamir, and Adleman (RSA) is an asymmetric algorithm that relies on the difficulty of factoring the product of two large prime numbers to provide security. Elliptic-Curve Digital Signature Algorithm (ECDSA) is an asymmetric algorithm that utilizes the properties of elliptic curves to provide comparable levels of protection as RSA with a much smaller key size. Password-Based Key Derivation Function 2 (PBKDF2) is a form of key stretching that utilizes a hash-based message authentication code (HMAC), the input password, and a salt value to create a more secure derived key.

9
Q

You are searching a Linux server for a possible backdoor during a forensic investigation. Which part of the file system should you search for evidence of a backdoor related to a Linux service?

A. /etc/passwd
B. $HOME/.ssh/
C. /etc/xinetd.conf
D. /etc/shadow

A

B. $HOME/.ssh/

Explanation:
OBJ-2.9: Linux services are started by xinetd, but some newer versions use systemctl. Therefore, /etc/xinetd.conf should be analyzed for any evidence of a backdoor being started as part of the Linux services. Both the /etc/passwd and /etc/shadow files contain configurations specifically associated with individual user accounts. The $HOME/.ssh directory contains SSH keys for SSH-based logins.

10
Q

Which of the following is a security concern with using a cloud service provider and could result in a data breach caused by data remnants?

A. On Demand
B. Rapid Elasticity
C. Resource Pooling
D. Metered Service

A

B. Rapid Elasticity

Explanation:
OBJ-1.2: Rapid elasticity can be a security threat to your organization’s data due to data remanence. Data remanence is the residual representation of digital data that remains even after attempts have been made to remove or erase it. So, when a cloud resource is deprovisioned and returned to the cloud service provider, it can be issued to another organization for use. If the data was not properly erased from the underlying storage, it could be exposed to the other organization. For this reason, all cloud-based storage drives should be encrypted by default to prevent data remanence from being read by others. Metered services are pre-paid, a-la-carte, pay-per-use, or committed offerings. A metered service like a database may charge its users based on the actual usage of the service resources on an hourly or monthly basis. For example, Dion Training used the AWS Lambda serverless product in some of our automation. This service charges us $0.20 for every 1 million requests processed. Resource pooling refers to the concept that allows a virtual environment to allocate memory and processing capacity for a VM's use. On-demand refers to the fact that a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

11
Q

Dion Training wants to transform protected data into an unreadable format before storing it in their database. The CTO wants to utilize a technology like those used to protect the local user passwords in the /etc/shadow file of a Linux system. Which of the following cryptographic techniques should the company utilize to meet this requirement?

A. Rekeying
B. Crypto shredding
C. Cryptographic obfuscation
D. Key rotation

A

C. Cryptographic obfuscation

Explanation:
OBJ-3.7: Cryptographic obfuscation is used to transform protected data into an unreadable format. For example, the Linux user passwords stored in the /etc/shadow file are obfuscated to protect them. Crypto shredding is used to destroy a decryption key to effectively destroy the data that key was used to protect. This technique ensures that the data will remain encrypted if the key is fully destroyed and the encryption algorithm itself remains secure. Key rotation is the process of purposely changing keys periodically to mitigate against brute force attacks and key disclosure compromises. During key rotation, the previous key is also revoked and invalidated. Rekeying is the process of changing an individual key during a communication session. Most communication protocols use session key rekeying to protect the data being transmitted. A rekeying is normally triggered based on the volume of data communicated or the amount of time since the last rekeying.

12
Q

Dion Training is building a secure messaging application and wants to add a security control to ensure the integrity of the messages being transmitted. Which of the following cryptographic algorithms would BEST provide integrity to the messages being sent?

A. MD5
B. SHA-256
C. AES
D. ECC

A

B. SHA-256

Explanation:
OBJ-3.6: To ensure integrity, you should always use a hashing function. SHA-256 and MD5 are both hashing functions, but SHA-256 is more secure. Secure Hashing Algorithm (SHA-256) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 256-bit hash digest value to be used for authenticating the original message. Message Digest Algorithm (MD5) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 128-bit hash digest value to be used for authenticating the original message. MD5 can be easily brute-forced and has a high chance of collision. The advanced encryption standard (AES) is a cryptographic algorithm used to perform symmetric data encryption using a 128-bit, 192-bit, or 256-bit key. Elliptic curve cryptography is a public-key cryptographic algorithm based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller key sizes compared to non-elliptic curve cryptography methods while still providing the equivalent level of security. ECC is heavily used in mobile devices and low-powered device encryption.

13
Q

An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development?

A. Pair programming
B. Dynamic code analysis
C. Static code analysis
D. Manual Peer Review

A

C. Static code analysis

Explanation:
OBJ-1.3: Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. A DevSecOps methodology would also improve the likelihood of detecting such an error, but it still relies on human-to-human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.

14
Q

A company wants to install a multidomain certificate to support both of its domains, diontraining.com and yourcyberpath.com. Which of the following allows a digital certificate to include multiple names to support multiple domain certificates in a PKI implementation?

A. SAN
B. OU
C. CN
D. C

A

A. SAN

Explanation:
The subject alternative name (SAN) is a digital certificate extension that allows a host to be identified by multiple hostnames or domain names. Certificates that use a SAN are referred to as multi-domain certificates. The common name (CN) is the FQDN of the server that was issued a digital certificate in a PKI implementation. The organizational unit (OU) describes the division or department within the organiz

15
Q

You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?

A. Sandboxing
B. Purchase additional workstations
C. Virtualization
D. Bypass testing and deploy patches directly into the production environment

A

C. Virtualization

Explanation:
OBJ-3.2: When you have a limited amount of hardware resources to utilize but have a requirement to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system before deployment. You should never deploy patches directly into production without testing them first in the lab. Virtualization will allow the organization to create a lab environment without significant costs. Purchasing additional workstations would be costly and more time-consuming to configure.

16
Q

You are notified by an external organization that an IP address associated with your company’s email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor’s email account was only used from one workstation. You analyze Connor’s workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario?

A. Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department
B. Request disciplinary action for Connor for causing the incident
C. Unplug the workstation's network cable and conduct a complete reimaging of the workstation
D. Isolate the workstation computer by disabling the switch port and resetting Connor's username and password

A

D. Isolate the workstation computer by disabling the switch port and resetting Connor's username and password

Explanation:
Isolation of Connor’s computer by deactivating the port on the switch should be performed instead of just unplugging the computer. This would guarantee that Connor won’t just plug the computer back into the network as soon as you leave. While Connor won’t be able to work without his workstation, it is essential to isolate the issue quickly to prevent future attempts at lateral movement from occurring and to protect the company’s data needed for continued business operations. While we are unsure of the issue’s initial root cause, we know it is currently isolated to Connor’s machine. He should receive remedial cybersecurity training, his workstation’s hard drive should be forensically imaged for later analysis, and then his workstation should be remediated or reimaged. It is better to isolate just Connor’s machine instead of the entire network segment in this scenario. Isolating the network segment, without evidence indicating the need to do so, would have been overkill and overly disruptive to the business. Reimaging Connor’s device may destroy data that could have otherwise been recovered and led to a successful root cause analysis. There is also insufficient evidence in this scenario to warrant disciplinary action against Connor, as he may have clicked on a malicious link by mistake.

17
Q

Which authentication mechanism does 802.1x usually rely upon?
A. RSA
B. HOTP
C. TOTP
D. EAP

A

D. EAP

Explanation:
The IEEE 802.1X Port-based Network Access Control framework establishes several ways for devices and users to be securely authenticated before they are permitted full access to the network. The actual authentication mechanism will be some variant of the Extensible Authentication Protocol (EAP). EAP allows many different authentication methods, but many of them use a digital certificate on the server and/or client machines. This allows the machines to establish a trust relationship and create a secure tunnel to transmit the user's authentication credentials.

18
Q

Which of the following would be used to prevent a firmware downgrade?

A. TPM
B. HSM
C. SED
D. eFUSE

A

D. eFUSE

Explanation:
OBJ-3.1: eFUSE is an Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number. A self-encrypting drive (SED) uses cryptographic operations performed by the drive controller to encrypt a storage device’s contents. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. An HSM solution may be less susceptible to tampering and insider threats than software-based storage.

19
Q

Which network device can detect and alert on threats facing the network by using signatures, but cannot automatically react to the threats detected?

A. Firewall
B. Honeypot
C. IPS
D. IDS

A

D. IDS

Explanation:
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. An IDS can detect a threat, but it cannot react or change configurations based on those threats like an IPS can.

20
Q

An employee contacts the service desk because they cannot open an attachment they received in their email. The service desk agent conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and that a black pop-up window appears and then disappears quickly when the attachment is double-clicked. Which of the following is most likely causing this issue?

A. The attachment is using a double file extension to mask its identity
B. The file contains an embedded link to a malicious website
C. The user doesn't have a PDF reader installed on their computer
D. The email is a form of spam and should be deleted

A

A. The attachment is using a double file extension to mask its identity

Explanation:
The message contains a file attachment in the hope that the user will execute or open it. The attachment's nature might be disguised by formatting tricks such as using a double file extension, since Windows hides the extension of known file types such as .exe by default. This would explain the black pop-up window that appears and then disappears, especially if the .exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link, since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file.

21
Q

Which of the following ensures multi-threaded processing is conducted securely?

A. Processor security extensions
B. Atomic execution
C. Secure enclave
D. Trusted execution

A

B. Atomic execution

Explanation:
Atomic execution ensures that operations are carried out as indivisible units, so their processing can be distributed across a multi-threaded processing environment securely. Trusted execution ensures that attestation of the authenticity of the platform and its operating system is conducted, that the OS starts in a trusted environment, and that a trusted operating system cannot be run on an unapproved platform.

22
Q

Dion Training is developing a new e-commerce website and wants to reduce vulnerabilities that could lead to a data breach. During a recent vulnerability scan, a vulnerability analyst identified that the new website was vulnerable to a downgrade attack by using SSL stripping. You have been hired as a security analyst to provide a solution that would help secure the website from this type of attack. Which of the following solutions should you recommend to prevent a downgrade attack against the website?

A. HSTS
B. Secure Cookies
C. Certificate pinning
D. Wildcard certificate

A

A. HSTS

Explanation:
OBJ-3.5: HTTP Strict Transport Security (HSTS) is configured as a response header on a web server and notifies a browser to connect to the requested website using HTTPS only. HSTS helps prevent on-path and downgrade attacks. Certificate pinning is a deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize on-path (formerly man-in-the-middle) attacks. A wildcard certificate contains the wildcard character (*) in its domain name field and allows the digital certificate to be used for any number of subdomains. For example, the wildcard certificate of *.diontraining.com can be used for members.diontraining.com, cart.diontraining.com, and support.diontraining.com. Secure cookies are a type of HTTP cookie that has the Secure attribute set, which limits the scope of the cookie to secure channels. When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel.

23
Q

A network administrator wants to increase the speed and fault tolerance of a connection between two network switches. To achieve this, which protocol should the administrator use?

A. LDAP
B. LACP
C. L2TP
D. LLDP

A

B. LACP

Explanation:
OBJ-1.2: The Link Aggregation Control Protocol (LACP) provides a method to control the bonding of several physical ports to form a single logical channel. The LACP is defined in the 802.3ad standard. The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol used by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, principally wired Ethernet. The Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.

24
Q

Dion Training has implemented its own root CA to issue digital certificates to its users. Each digital certificate is valid for 3 years by default, but if a user’s account is disabled then their digital certificate must also be revoked. Which of the following would contain a full list of every certificate that has been revoked or suspended by the Dion Training root CA?

A. HPKP
B. CRL
C. HSTS
D. OCSP

A

B. CRL

Explanation:
A certificate revocation list (CRL) is a list of every digital certificate that has been revoked before its expiration date. The online certificate status protocol (OCSP) allows clients to request the status of a digital certificate and to check whether it is revoked. Certificate pinning with HTTP Public Key Pinning (HPKP) embeds the server's certificate data into the HTTP header when sending the data to the web browser. HTTP Strict Transport Security (HSTS) is configured as a response header on a web server and notifies a browser to connect to the requested website using HTTPS only. HSTS helps prevent on-path attacks.

25
Q

You have been contracted to perform a remote vulnerability scan of Dion Training's servers to determine if they comply with the company's software baseline. Which of the following types of scans should you conduct?

A. Full scan
B. Stealth scan
C. Compliance scan
D. Discovery scan

A

C. Compliance scan

Explanation:
OBJ-2.4: Compliance scanning verifies that a network adheres to certain policy requirements, such as a corporate baseline. These policies can be corporate, industry, or governmental regulations. In this scenario, you are asked to verify the servers comply with the company’s software baseline. Therefore, a compliance scan is the best option to select. A discovery scan identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems. A stealth scan performs half-open TCP scans by never completing the TCP 3-way handshake, making it difficult to detect. A full scan performs a full TCP 3-way handshake with the remote host to determine if it is online and available.

26
Q

After Hurricane Katrina, the Department of Defense deployed a Deployable Joint Command & Control Center (DJC2) to provide an alternative datacenter in the disaster area. The DJC2 is a self-contained, self-powered, and network-enabled headquarters used to quickly recover communications for the military commanders and staff in that region. Which of the following recovery site strategies BEST describes the use of a DJC2 or similar type of system?

A. Hot site
B. Warm site
C. Mobile site
D. Cold site

A

C. Mobile site

Explanation:
OBJ-4.4: A mobile site is essentially a data center in a container or trailer that can be rapidly deployed to a given location. In the case of the DJC2, it is a series of large tents that come equipped with all the computers, phones, desks, chairs, servers, printers, satellite communications equipment, and HVAC systems needed to be fully remote and independent. A mobile site is best categorized as a mixture of a cold site and a warm site which can also be relocated when needed. A cold site is a predetermined alternative location where a network can be rebuilt after a disaster. A cold site does not have a pre-established information systems capability, but it is open and available for building out an alternate site after the disaster occurs. A warm site is an alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site when needed. A warm site typically includes a data center that is typically scaled down from the primary site to include the capacity and throughput needed to run critical systems and software. A hot site is a fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster. A hot site requires specialized knowledge, sophisticated automation capabilities, and platforms that are designed to operate as a fully redundant and ready alternate site.

27
Q

An additional network segment is urgently needed for QA testing on the external network. A software release could be impacted if this change is not immediate. The request comes directly from management and was just approved through the emergency change management process. Which of the following should the technician do?

A. Send out a notification to the company about the change
B. Wait until the maintenance window and make the requested change
C. First document the potential impacts and procedures related to the change
D. Make the change, document the requester and document all network changes

A

D. Make the change, document the requester and document all network changes

Explanation:
OBJ-1.1: The best answer is to make the change, document the requester, and document all the network changes. All changes to the enterprise network should be approved through the normal change management processes. If there is an urgent need, there is an emergency change management process that can be used for approval. This is known as an emergency change approval board (ECAB). An ECAB can be executed extremely quickly to gain approval, and then the documentation can be completed after the change is made when using the emergency change management processes.

28
Q

What is a legal contract that outlines the guidelines for any business documents and contracts between two parties?

A. MSA
B. NDA
C. SLA
D. SOW

A

A. MSA

Explanation:
A master service agreement (MSA) is an agreement that establishes precedence and guidelines for any business documents that are executed between two parties. If a company is hiring a penetration testing firm to conduct multiple engagements, they may use a master service agreement to cover the commonalities and scope of each assessment. Then, there would be a scope of work (SOW) for each assessment completed under the MSA. A service level agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including the reasons the contract may be terminated. An NDA is a legal document that stipulates the parties will not share confidential information, knowledge, or materials with unauthorized parties.

29
Q

A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?

A. Rules of engagement
B. Memorandum of understanding
C. Acceptable Use Policy
D. Service Level Agreement

A

A. Rules of engagement

Explanation:
While the contract document's network scope defines what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external web scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange. A service level agreement contains the operating procedures and standards for a service contract.

30
Q

Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks?

A. Directory traversals
B. File inclusions
C. Output encoding
D. Faulty input validation

A

D. Faulty input validation

Explanation:
A primary vector for attacking applications is to exploit faulty input validation. The input could be user data entered into a form or URL, or data passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks.
