Dion practice tests Flashcards

Question

Which of the following cryptographic algorithms is classified as asymmetric? AES RC4 DES RSA

Answer 1

RSA OBJ-6.2: RSA (Rivest–Shamir–Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm. AES, RC4, and DES are all symmetric algorithms.

Answer 2

Aircrack-ng OBJ-2.2: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file. John the Ripper is a password cracking software tool. Nessus is a vulnerability scanner. Netcat is used to create a reverse shell from a victimized machine back to an attacker.

Answer 3

Evaluate if the web interface must remain open for the system to function; if it isn’t needed, block the web interface Explanation OBJ-3.5: The most immediate protection against this emergent threat would be to block the web interface from being accessible over the network. Before doing this, though, you must evaluate whether the interface needs to remain open for the system to function properly. If it is not needed, you should block it to minimize the attack surface of the SCADA/ICS component. Ideally, your SCADA/ICS components should already be logically or physically isolated from the enterprise network. Since the question doesn’t mention the networks as an area of concern, we can assume they are already following the industry best practice of logical or physical segmentation between the SCADA/ICS network and the enterprise network. On the exam, make sure you focus on the question being asked. In this case, the question focuses on the web interface. Developing a patch can be a time-consuming process, therefore waiting for the manufacturer to provide a patch will not provide immediate protection to your components. The same holds true with replacing the affected components. Even if you could get the company to authorize the funding for such a purchase, it would take time to order, ship, receive, and install the new components. Additionally, you would cause unwanted downtime in the factory during the installation of the components, making it an ineffective option when simply blocking the web interface is free, quick, and effective.

Answer 4

172.16.1.3, 192.168.1.12, 445, TCP, ALLOW OBJ 2.1: The ACL should be created with 172.16.1.3 as the Source IP, 192.168.1.12 as the Destination IP, 445 as the port number operating over TCP, and the ALLOW condition set. This is the most restrictive option presented (only the HR and Files server are used), and the minimal number of ports are opened to accomplish our goal (only port 445 for the SMB service).

Answer 5

RAT OBJ 1.1: Based on the scenario and the output provided, the best choice is a RAT. A RAT is a Remote Access Trojan and it is usually installed accidentally by a user when they install free software on their machine that has a RAT embedded into it. The first two lines of the output show that ports 135 and 445 are open and listening for an inbound connection (which is typical of a RAT). This is not an example of a worm because the user admitted to installing a free program, and worms can install themselves and continue to send data outbound across the network to continue to spread. There is no indication in the scenario that a keylogger is being used, nor that spam (unsolicited emails) have been received.

Answer 6

XML OBJ-4.2: Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). SAML transactions use Extensible Markup Language (XML) for standardized communications between the identity provider and service providers. SAML is the link between the authentication of a user’s identity and the authorization to use a service.

Answer 7

Active scanning engine installed on the enterprise console OBJ-2.2: Since the college wants to ensure there is a centrally-managed enterprise console, using an active scanning engine installed on the enterprise console would best meet these requirements. Then, the college’s cybersecurity analysts could perform scans on any devices that are connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the installation of the agents onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives.

Answer 8

Directory traversal OBJ-1.2: A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various user's passwords by attempting a compromised password against multiple user accounts.

Answer 9

Utilize secure boot OBJ-3.3: Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.

Answer 10

Metasploit OBJ-1.4: The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can be used to perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Answer 11

Data masking OBJ-5.8: Data masking can mean that all or part of the contents of a field is redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. By reducing what information is collected, it reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from a data set so that the people whom the data describe remain anonymous.

Answer 12

Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody OBJ-5.4: Since the database server is part of a critical production network, it is important to work with the business to time the period of remediation to minimize productivity losses. You can immediately begin to capture network traffic since this won't affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server's hard drive. All network captures and the hard drive should be maintained under the chain of custody in case it is needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.

Answer 13

WPA2 OBJ-6.3: WPA2 is the most secure wireless security and encryption protocol. WPA2 uses a pre-shared key (PSK) for authentication and is designed to secure both home and enterprise wireless networks.

Answer 14

set type=ns OBJ-2.2: The "set type=ns" tells nslookup to only report information on name servers. If you used "set type=mx" instead, you would receive information only about mail exchange servers.

Answer 15

22, 110, 161, 23 OBJ 2.6: For the exam, you need to know your ports and protocols. The Secure Copy (SCP) operates over port 22. Telnet operates over port 23. The Simple Network Management Protocol (SNMP) operates over port 161. The Post Office Protocol 3 (POP3) operates over port 110.

Answer 16

Vulnerability scanning OBJ-3.3: The best option here is vulnerability scanning, as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could be a possible solution. These are not viable options without gaining administrative access to the appliance. Therefore, it is best for the analyst to continue to conduct vulnerability scanning of the device to understand the risks associated with it, and then make recommendations to add additional compensating controls like firewall configurations, adding a WAF, providing segmentation, and other configurations outside the appliance to minimize the vulnerabilities it presents.

Answer 17

Purging OBJ-5.7: Degaussing is classified as a form of purging. Purging eliminates information from being feasibly recovered even in a laboratory environment. Purging includes degaussing, encryption of the data with the destruction of its encryption key, and other non-destructive techniques. Some generic magnetic storage devices can be reused after the degaussing process has occurred, such as VHS tapes and some older backup tapes. For this reason, though, the technique of degaussing is classified as purging and not destruction, even though hard drives are rendered unusable after being degaussed. Clearing data prevents data from being retrieved without the use of state of the art laboratory techniques. Clearing often involves overwriting data one or more times with repetitive or randomized data. Destroying data is designed not merely to render the information unrecoverable, but also to hinder any reuse of the media itself. Destruction is a physical process that may involve shredding media to pieces, disintegrating it to parts, pulverizing it to powder, or incinerating it to ash. Erasing or deleting is considered a normal operation of a computer, which erases the pointer to the data file on a storage device. Erasing and deleting are easily reversed, and the data can be recovered with commercially available or open-source tools.

Answer 18

IPSec OBJ-2.1: IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, the use of PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.

Answer 19

FM-200, Biometric locks, Mantrap, Antivirus OBJ 3.9: The best option based on your choices is FM-200, Biometric locks, Mantrap, and Antivirus. FM-200 is a fire extinguishing system that is commonly used in data centers and server rooms to protect the servers from fire. Biometric locks are often used in high-security areas as a lock on the access door. Additionally, biometric authentication could be used for a server by using a USB fingerprint reader. Mantraps often are used as part of securing a data center as well. This area creates a boundary between a lower security area (such as the offices) and the higher security area (the server room). Antivirus should be installed on servers since they can use signature-based scans to ensure files are safe before being executed.

Answer 20

WPA2, Multifactor OBJ-4.1: Since everything is being stored within a cloud-based SaaS application, the doctor's office needs to ensure their network connection is using the highest level of encryption (WPA2), and their desktop authentication should use a multifactor authentication system. Multifactor authentication relies on using at least 2 of the following factors: something you know (password or pin), something you have (smart card or key fob), something you are (fingerprint or retinal scan), or something you do (draw a pattern or how you sign your name).

Answer 21

GLBA OBJ-5.8: The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. The Health Insurance Portability and Accountability Act (HIPPA) is a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that set new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.

Answer 22

IPv6 OBJ-2.1: IPv6 includes IPSec built into the protocol by default. Additionally, IPv6 also provides an extended IP address range for networks, which eliminates the need for using NAT. IPv4 does not include IPSec or extended IP address ranges by default. WPA2 is the most modern and secure version of wireless encryption for WiFi networks, but it doesn't include IPSec or extended IP address ranges by default. WEP is an older version of wireless encryption for WiFi networks and doesn't provide these features by default, either.

Answer 23

MAC filtering OBJ-6.3: Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same devices to connect to the network, it would be relatively easy to implement a MAC filtering based whitelist of devices that are allowed to use the open network and reject any other devices not listed by the instructors (like the student's laptops or phones). Reducing the signal strength would not solve this issue since students and instructors are both in the same classrooms. Using Network Address Translation and Quality of Service will not prevent the students from accessing or using the open network.

Answer 24

Passive information gathering OBJ-1.4: Passive information gathering consists of numerous activities where the penetration tester gathers information that is open-source or publicly available, without the organization under investigation being aware that the information has been accessed. Active information gathering instead starts to probe the organization using techniques like DNS Enumeration, Port Scanning, and OS Fingerprinting. Vulnerability assessments are another form of active information gathering. Information reporting occurs after the penetration test is complete, and it involves writing a final report with the results, vulnerabilities, and lessons learned during the assessment.

Answer 25

Whitelisting OBJ-2.4: By implementing whitelisting of the authorized IP addresses for the five largest vendors, they will be the only ones who will be able to access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the description in the scenario, it appears like the system is under some form of denial of service attack, but by implementing a whitelist at the edge of the network and blackholing any traffic from IP addresses that are not whitelisted, the server will no longer be overwhelmed or perform slowly to respond to legitimate requests. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to help secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve the condition (whereas an IPS could).

Answer 26

PaaS OBJ-3.7: Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform.

Answer 27

nmap OBJ-2.2: The world's most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services. The dd tool is used to copy files, disk, and partitions, and it can also be used to create forensic disk images. Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.

Answer 28

URL filter OBJ-2.3: A URL filter can be used to block a website based on its website address or universal resource locator (URL). This is not a containment technique, but a blocking and filtering technique. Quarantine would be used against an infected machine, and it would not be effective against trying to block access to a given website across the entire organization. An application blacklist is used to prevent an application from running, so this cannot be used to block a single malicious or suspicious website or URL.

Answer 29

Rules of engagement OBJ-1.4: While the network scope given in the contract documents will define what will be tested, the rules of engagement defines how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees' use of company equipment and internet services.

Answer 30

Changing hidden form values OBJ-2.4: Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the price of the items in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications in which malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.

Answer 31

Change all devices and servers that support it to port 636 since encrypted services run by default on port 636 OBJ-2.6: LDAP can be run on either port 389 or port 636. Port 389 is the standard port for LDAP but typically runs unencrypted LDAP services over this port. Instead, you should change all devices and servers that can technically support the change to port 636, since LDAP services over port 636 are encrypted by default.

Answer 32

Hardware write blocker OBJ-5.5: Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the contents of the drive from being changed during analysis, you should pick the hardware write blocker. The primary purpose of a hardware write blocker is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device. A forensic drive duplicator simply copies a drive and validates that it matches the original drive, but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the contents of the hard drive.

Answer 33

TACACS+ OBJ-4.2: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but it was not developed by Cisco. Kerberos is an open-source network authentication protocol designed by Matte Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services

Answer 34

MD-5 OBJ-6.2: MD-5 creates a 128-bit fixed output. SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. RIPEMD creates a 160-bit fixed output.

Answer 35

Blowfish OBJ-6.4: AES, PKCS, and SSL/TLS are all compatible with x.509 and can be used in a wide variety of functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature algorithm. SSL/TLS is used for the secure key exchange.

Answer 36

Blowfish OBJ-6.2: Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. ECC, PGP, and RSA are all asymmetric algorithms.

Answer 37

HOTP OBJ-4.3: HMAC-based One-time Password Algorithm (HOTP) is an algorithm for token-based authentication. The authentication server and client token are configured with the same shared secret. The token could be a fob-type device or implemented as a smartphone app. The token does not have an expiration under HOTP, but an improved version known as TOTP does include token expirations.

Answer 38

Intrusion prevention system OBJ-3.5: Since this question is focused on the ICS/SCADA network, the best solution would be to implement an Intrusion Prevention System on the network. ICS/SCADA machines utilize very specific commands to control the equipment and to prevent malicious activity. You could set up strict rules in the IPS to prevent unknown types of actions from being allowed to occur. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested prior to conducting any patches. Often, patches will break ICS/SCADA functionality. Anti-virus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems often do not rely on standard operating systems like Windows.

Answer 39

SQL injection OBJ-1.2: Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (') used in the log. In the script, a connection to the MySQL database is being used, which could be exploited since no input validation is being performed. Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory.

Answer 40

Security policy violations OBJ-2.3: A network is only as strong as its weakest link (or host/server). When you comingle hosts/servers, there is a large risk that security policy violations could occur. This is because users may be used to follow a less stringent security policy for one set of machines, and carry over those procedures to a machine that should have had stronger security policies.

Answer 41

Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned OBJ-5.4: The proper order of the Incident Response process is Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Concepts with lists of steps are common questions asked as an ordering or a drag and drop question on the exam. For example, the steps of an incident response, the order of volatility, or the strength of encryption schemes could be asked using this question format.

Answer 42

EAP OBJ-4.3: The IEEE 802.1X Port-based Network Access Control framework establishes several ways for devices and users to be securely authenticated before they are permitted full network access. The actual authentication mechanism will be some variant of the Extensible Authentication Protocol (EAP). EAP allows lots of different authentication methods, but many of them use a digital certificate on the server and/or client machines. This allows the machines to establish a trust relationship and create a secure tunnel to transmit the user authentication credential.

Answer 43

Port scan targeting 10.10.3.6 OBJ-2.2: Port Scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The source of the scan is 10.10.3.2, and the destination of the scan is 10.10.3.6, making “Port scan targeting 10.10.3.6” the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overbears a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.

Answer 44

http.request.methd=="POST" && ip.dst=10.1.2.3 OBJ-2.2: Filtering the available PCAP with just the http "post" methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). By combining both of these, you can minimize the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto=tcp filter would display all TCP traffic on a network, regardless of the port, IP address, or protocol being used. It would simply produce too much information to analyze.

Answer 45

OpenID Connect OBJ-4.2: OAuth 2 is explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Answer 46

The beacon's protocol OBJ-1.4: The beacon's protocol is not typically a means of identifying a malware beacon. A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely. Other factors like the beacon's persistence (if it remains after a reboot of the system) and the beacon's interval (how much time elapses between beaconing)are much better indicators for fingerprinting a malicious beacon. The removal of known traffic by the script can also minimize the amount of data the cybersecurity analyst needs to analyze, therefore making it easier to detect the malicious beacon without wasting their time reviewing non-malicious traffic.

Answer 47

Credentialed scan OBJ-1.5: Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results. Non-credentialed scans rely on external resources for configuration settings that can be altered or incorrect. The network location of the scanner does not have a direct impact on the ability to read the configuration information, so it would not make a difference if you conducted an external or internal scan.

Answer 48

Port scan OBJ-2.2: Based on the description provided, this is most likely a port scan. Using a tool like nmap, an attacker can create a SYN scan across every port in a range against the desired target. A port scan or SYN scan may trigger an alert in your IDS. While scanners support more stealthy scans, default scans may connect to each port sequentially. The other options are incorrect because a remote host will typically connect to only a single port associated with a service, a SYN flood normally sends many SYNs to a single system but doesn’t send them to unused ports, and a UDP probe will not send SYN packets.

Answer 49

The attack widely fragmented the image across the host file system OBJ-5.5: Due to the deletion of the VM disk image, you will now have to conduct file carving or other data recovery techniques to recover and remediate the virtualized server. If the server's host uses a proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools. The attacker may have widely-fragmented the image across the host file system when they deleted the disk image. VM instances are most useful when they are elastic (meaning they optimally spin up when needed) and then destroyed without preserving any local data when security has performed the task, but this can lead to the potential of lost system logs. To prevent this, most VMs also save their logs to an external syslog server or file. Virtual machine file formats are image-based and written to a mass storage device. Depending on the configuration and VM state, security must merge any checkpoints to the main image, using a hypervisor tool, not recovery from an old snapshot, and then roll forward. It is possible to load VM data into a memory analysis tool, such as Volatility, although the file formats used by some hypervisors require conversion first, or it may not support the analysis tool.

Answer 50

Performing packet capture and analysis on a network OBJ-2.2: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It cannot perform any of the other three options.

Answer 51

Bluejacking OBJ-1.2: Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. Bluesnarfing, on the other hand, involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a very limited range, so the attacker is likely within 10 meters of the victimized device. Geotagging involves embedded the geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.

Answer 52

DaaS OBJ-3.7: Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses that are focused on increasing their security and minimizing their operational expenses. Shadow PC (shadow.tech) provides a version of DaaS for home users who want to have a gaming PC without all the upfront costs.

Answer 53

Implement NAC OBJ-2.1: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets, and provide them with access to the secure internal network. NAC could also determine which are unknown machines (assumed to be those of CompTIA employees), and provide them with direct internet access only by placing them onto a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define what ports, protocols, or IP addresses the ethernet port could be utilized, but it would be unable to distinguish between a Dion Training employee's laptop and a CompTIA employee's laptop like a NAC implementation could.

Answer 54

Trojan OBJ-1.1: A trojan is a program in which malicious or harmful code is contained inside an apparently harmless program. In this example, the harmless program is the key generator (which does create a license key), but it also has malicious code inside of it (causing the additional alerts from the antimalware solution). Likely, this keygen has an embedded virus or remote access trojan (RAT) in its programming.

Answer 55

IaaS OBJ-3.7: Infrastructure as a Service (Iaas) is focused on moving your servers and computers into the cloud. If you purchase a server in the cloud and then install and manage the operating system and software on it, this is Iaas.

Answer 56

SHA-256 OBJ-5.5: SHA-256 is the Secure Hash Algorithm with a 256-bit length output. This is one of the most common hash algorithms in use and is employed in many applications and protocols. SHA-256 and other hashing algorithms are used to ensure the data integrity of a file has not been altered. RSA, 3DES, and AES are all encryption algorithms. These algorithms can ensure confidentiality but not integrity.

Answer 57

Malicious processes OBJ-2.4: A malicious process is one that is running on a system and is outside the norm. This is a host-based indicator of compromise (IOC) and is not directly associated with an account-based IOC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IOC. Off-hours usage occurs when an account is observed to log in during periods outside of normal business hours. This is often used by an attacker to avoid detection during business hours. Unauthorized sessions occur when a device or service is accessed without authorization. For example, if a limited privilege user is signed into a domain controlled. A failed login might be normal if a user forgets or incorrectly types their password, but repeated failures for one account could also be an indication of an attacked to crack a user's password.

Answer 58

Defense in depth OBJ-3.1: Defense in depth is the concept of layering various network appliances and configurations to create a more secure and defensible architecture. Dion Training appears to be using various host-based and network-based devices to help ensure there are multiple layers of security in the network.

Answer 59

Disable WPS OBJ-6.3: WPS was created to ease the setup and configuration of new wireless devices by allowing the router to automatically configure them after a short eight-digit PIN was entered. Unfortunately, WPS is vulnerable to a brute-force attack and is easily compromised. Therefore, WPS should be disabled on all wireless networks. If Bob was able to enter your apartment and press the WPS button, he could have configured his laptop to use your wireless network without your WPA2 password.

Answer 60

RADIUS OBJ-6.3: Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication.

Answer 61

3389, 1701, 389, 88 OBJ 2.6: For the exam, you need to know your ports and protocols. The Remote Desktop Protocol (RDP) operates over port 3389. Layer 2 Tunneling Protocol (L2TP) operates over port 1701. The Lightweight Directory Access Protocol (LDAP) operates over port 389. Kerberos operates over port 88.

Answer 62

Passwords OBJ-2.2: John the Ripper is a free, open-source password cracking software tool. It is utilized to test the strength of passwords during a technical assessment. John the Ripper supports both dictionary and brute force attacks.

Answer 63

A buffer overflow that is known to allow remote code execution OBJ-1.6: The most serious vulnerability discovered is one that could allow remote code execution to occur. Since this buffer overflow vulnerability is known to allow remote code execution, it must be mitigated first to most effectively prevent a security breach. While the other issues all should be addressed eventually, you need to prioritize the most critical one (remote code execution) on a public-facing IP address. A public-facing IP address means the device is accessible from the internet.

Answer 64

Syslog OBJ-2.1: The syslog server is a centralized log management solution. By looking through the logs on the syslog server, the technician could determine which service failed on which server, since all the logs are retained on the syslog server from all of the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could assist in determining which server was offline, but not what caused the interruption. Firewall logs would only assist in determining why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.

Answer 65

Any security flaws present in the library will also be present in the developed application OBJ-3.6: Any security flaws present in a commercial or open-source library will also be present in the developed application. A library is vulnerable, just as any other application or code might be. There are both known (discovered) and unknown vulnerabilities that could exist in the libraries being integrated into the project. Therefore, the software development team needs to ensure that they are monitoring the applicable libraries for additional CVEs that might be uncovered at a later date, that they have plans for how to distribute appropriate patches to their customers and a plan for integrating subsequent updates into their own codebase. Open-source libraries are not more vulnerable or insecure than commercial available or in-house developed libraries. In fact, most open-source software is more secure because it is widely analyzed and reviewed by programmers all around the world. While ensuring the most up to date versions of the libraries is a valid concern, as a cybersecurity analyst, you should be more concerned with current security flaws in the library so you can conduct risk management and implement controls to mitigate these vulnerabilities, and determine the method for continuing updates and patch support.

Answer 66

Configure a virtual switch on the physical server and create VLANs OBJ-3.2: A virtual switch is a software application that allows communication between virtual machines. A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. This solution provides logical separation of each virtual machine through the use of VLANs on the virtual switch.

Answer 67

A behavior-based analysis tool OBJ-2.1: A behavior-based analysis tool can be used to capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to properly set up, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not be able to detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.

Answer 68

NAC OBJ-2.1: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), the user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a type of network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during the delivery of the email.

Answer 69

RDP OBJ-2.6: Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn’t supposed to be opened, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.

Answer 70

Physical hardware OBJ-3.7: The bottom layer is physical hardware in this environment. It is what sits beneath the hypervisor and controls access to guest operating systems. The bare-metal approach doesn’t have a host operating system.

Answer 71

Directing traffic to internal services if the contents of the traffic comply with the policy OBJ-2.1: A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users' devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the response from the server back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.

Answer 72

Missing patches OBJ-3.3: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become a victim of the exploit, and the data contained on the server can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user’s workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements, via web page input. SQL is commonly used against databases, but they are not useful when attacking file servers.

Answer 73

Shibboleth OBJ-4.2: Shibboleth is a standards-based, open-source software package for single sign-on across or within organizational boundaries on the web. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner. Shibboleth utilizes SAML to provide this federated single sign-on and attribute exchange framework.

Answer 74

Hybrid attack OBJ 1.2: Based on the passwords found in the example, Jason’s new password cracker is most likely using a hybrid approach. All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason’s password of rover123 is made up of the dictionary word “rover” and the number 123. It is likely that the cracker attempted to use a dictionary word (like rover) and the attempted variations on it using brute force (such as adding 000, 001, 002, …122, 123) to the end of the password until found. Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.

Answer 75

Managerial OBJ-5.7: Managerial or administrative controls are used to determine the way people act. These include policies, procedures, and guidance. Mandatory vacation policies, job rotation policies, and separation of duties policies are great examples of managerial controls.

Answer 76

XML injection OBJ-1.2: This is an example of a XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of an application, and XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server's XML structure. The original XML structure would be: . By using the URL above, this would be modified to the following: . The result would be that a new line was added to the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store's add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attacks consists of the exploitation of the web session control mechanism, which is normally managed for a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, which is shown by the bracketed data.

Answer 77

Blue team OBJ-5.4: Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play "war game" exercises in which the security personnel split into teams: red, blue, and white. The red team acts as the adversary. The blue team acts as the defenders. The white team acts as the referees and sets the parameters for the exercise. The yellow team is responsible for building tools and architectures in which the exercise will be performed.

Answer 78

His email account requires multifactor authentication OBJ-4.1: If a user or system has configured their email accounts to require two-factor authentication (2FA) or multifactor authentication, then even if they enter their username and password correctly in the third-party email client, they will receive the "Invalid credentials" error message. Some email servers will allow the user to create an Application Specific Password to bypass the multifactor authentication requirement to overcome this, or the user will have to use an email client that supports multifactor authentication.

Answer 79

A smurf attack occurs when an attacker sends a ping to a subnet broadcast address and devices reply to spoofed IP (victim server), using up bandwidth and processing power. This image is a graphical depiction of this type of attack.

Answer 80

Static code analyzer OBJ-3.6: DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues without actually running the code. Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program through the use of a fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. Fault injection is a testing technique that aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and fault injector are all dynamic analysis tools because they require the program being tested to be run in order to be analyzed

Answer 81

WPA2 and AES OBJ-6.3: The most secure wireless network configuration utilizes WPA2 with AES encryption. WPA2 is the most secure wireless encryption standard, as it has replaced both WPA and WEP. AES is an extremely strong encryption algorithm that is used by default in the WPA2 standard.

Answer 82

dbsvr01 OBJ-2.3: Due to the very large increase in network utilization on dbsvr01, it should be suspected of compromise and be investigated further. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This is indicative of a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.

Answer 83

CSR OBJ-6.4: A CSR (certificate signing request) is what is submitted to the CA (certificate authority) to request a digital certificate. Key escrow stores keys, CRL is a list of revoked certificate, and the OCSP is a status of certificates that provides validity such as good, revoked, or unknown.

Answer 84

Wiping OBJ-5.7: Data wiping or clearing occurs by using a software tool to overwrite the data on a hard drive in an effort to destroy all electronic data on a hard disk or other media. Data wiping may be performed with a 1x, 7x, or 35x overwriting, with a higher number of times being more secure. This allows the hard drive to remain functional and allows for hardware reuse. Degaussing a hard drive involves demagnetizing a hard drive to erase its stored data. You cannot reuse a hard drive once it has been degaussed. Therefore, it is a bad solution for this scenario. Purging involves the removal of sensitive data from a hard drive using the device's own electronics or an outside source (like a degausser). A purged device is generally not reusable. Shredding involves physical destruction of the hard drive. This is a secure method of destruction but doesn’t allow for device reuse.

Answer 85

Removable media OBJ-3.5: Airgaps are designed to remove connections between two networks in order to create a physical segmentation between them. The only way to cross an airgap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an airgap.

Answer 86

Block all unused ports on the switch, router, and firewall / Logically place the Windows 2019 server into the network's DMZ OBJ-2.1: To best secure the server, you should logically place the Windows 2019 server into the network's DMZ and block all unused ports on the switch, router, and firewall. Since the server will be used to allow remote connections from across the internet to access the server directly, the server must be placed into the De-Militarized Zone (DMZ) of the network and not in the internal trusted portion of the network. Additionally, any server or services that are going to be forward-facing to the internet (like a Remote Desktop Services server) should have all of the unused ports blocked on the switch, router, and firewall to minimize the footprint of the network. By blocking unused ports, there are fewer ways for an attacker to get into the network and to attack the server.

Answer 87

Smart card OBJ-4.1: A smart card is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government, and corporate identification cards, documents such as electronic passports, visas, and financial payment cards. Often, smart cards are used as part of a multifactor authentication system where the smart card and a PIN needs to be entered for system authentication to occur.

Answer 88

3DES OBJ-6.2: Triple DES (3DES) is a symmetric-key block cipher that applies the DES cipher algorithm three times to each data block to increase its security over DES. RSA, PGP, and ECC are all symmetric algorithms.

Answer 89

RADIUS OBJ-4.2: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on port 1812 that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. The RADIUS protocol utilizes an obfuscated password that is created from the shared secret and creates a MD5 hash of the authentication request to protect the communications.

Answer 90

443 OBJ-2.6: Port 443 is used for HTTPS traffic. Therefore, this port must be opened. This is secure web browsing over SSL or TLS. Port 21 is used for the File Transfer Protocol (FTP). Port 80 is used for unsecured web browsing (HTTP). Port 143 is used for Internet Mail Application Protocol (IMAP).

Answer 91

The attachment is using a double file extension to mask its identity OBJ-1.2: The message contains a file attachment in the hope that the user will execute or open it. The nature of the attachment might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black pop-up window that appears and then disappeared, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.

Answer 92

VLAN OBJ-3.2: A virtual local area network (VLAN) is a type of network segmentation that is configured in your network switches that prevent communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and separates the two virtual network's data. A virtual private network (VPN) is a type of remote access capability to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired

Answer 93

SQL injection OBJ-1.2: A SQL injection poses the most direct and more impactful threat to an organization's database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to the disclosure of sensitive information. A buffer overflow attack attempts to overwrite the memory buffer in order to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn't intended to cause a disclosure of information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow for the running of other malicious code. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack typically is focused against the user, not the server or database.

Answer 94

802.1x OBJ-6.3: If you are using RADIUS/TACACS+ with the switch, you will need to use 802.1x for the protocol.

Answer 95

Web application cryptography vulnerability OBJ-1.6: This vulnerability should be categories as a web application cryptographic vulnerability. This is shown by the weak SSLv3.0/TLSv1.0 protocol being used in cipher block chaining (CBC) mode. Specifically, the use of the 3DES and DES algorithms during negotiation is a significant vulnerability. A stronger protocol should be used, such as forcing the use of AES.

Answer 96

ECC OBJ-6.2: Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. As a public-key cryptosystem, it relies on an asymmetric algorithm. Twofish, RC4, and DES are all symmetric algorithms.

Answer 97

Application whitelisting OBJ-3.3: Application whitelisting will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation again a zero-day virus. An intrusion detection system might detect the anomalous activity created by a piece of malware, but it will only log or alert based on the activity, not prevent it. A host-based firewall may prevent a piece of malware from establishing a network connection with a remote server, but again, it wouldn't prevent an infection or prevent it from executing. An anti-malware solution is a good investment towards improving your security, but since the threat is a zero-day virus, an anti-malware solution will not be able to detect it using its signature database.

Answer 98

SSH OBJ-2.2: Based on the port numbers shown as open in the nmap scan results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389.

Answer 99

10.0.19.121 is a client that is accessing an SSH server over port 52497 OBJ-2.2: This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) is running an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is not evidence of an attack against either the server or the client based on this output since we can only see the headers and not the content being sent between the client and server.

Answer 100

RIPEMD OBJ-6.2: RIPEMD creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

Answer 101

Router and switch-based MAC address reporting OBJ-2.2: The best option is MAC address reporting coming from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port it is connected to on a network device.

Answer 102

Passive OBJ-3.2: Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. Active monitoring relies on the scanning of targeted systems, not a network tap. Router-based monitoring would involve looking over the router's logs and configuration files. SNMP is used to monitor network devices, but is considered a form of active monitoring and doesn't rely on network taps.

Answer 103

Cross-site scripting OBJ-1.2: This scenario is a perfect example of the effects of a cross-site scripting (XSS) attack. If your website's HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a pop-up window that collects passwords and uses that information to further compromise other accounts. A cross-site request forgery (CSRF) is an attack that forces an end-user to execute unwanted actions on a web application in which they are currently authenticated. An XSS will allow an attacker to execute arbitrary JavaScript within the browser of a victim user (such as creating pop-ups). A CSRF would allow an attack to induce a victim to perform actions that they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to gain control of a computer system without being detected. SQL injection is the placement of malicious code in SQL statements, via web page input. None of the things described in this scenario would indicate a CSRF, rootkit, or an SQL injection.

Answer 104

Install an anti-virus or anti-malware solution that uses heuristic analysis OBJ-2.1: The only solution provided that could STOP this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis. The other options might be able to monitor and detect the issue, but not stop it from spreading. Heuristic analysis is a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses, as well as new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should be able to detect the issue in the scenario provided and stop it from spreading throughout the network.

Answer 105

IdP OBJ-4.2: The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the identity of a user (the principal) can be trusted by the SP without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

Answer 106

Banner grabbing OBJ-2.2: Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the response from the webserver. This banner usually contains the operating system being run by the server as well as the version number of the service (SSH) being run. This is the fastest and easiest way to determine the version of SSH being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the version of SSH, these are more time consuming and not fully accurate methods to determine the version being run.

Answer 107

Agent-based scanning OBJ-1.5: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization’s network. These agent-based scans can be conducted when the laptop is offline, and then sent to a centralized server the next time the laptop is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring all require a continuous network connection in order for them to accurately collect the configurations of the devices.

Answer 108

PGP OBJ-6.2: Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions and to increase the security of email communications. PGP is a public-key cryptosystem and relies on an asymmetric algorithm. AES, RC4, and 3DES are all symmetric algorithms.

Answer 109

FTK Imager OBJ-5.5: FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including file slack and unallocated space or drive free space. The dd tool can also be used to create forensic images, but it is not a proprietary tool since it is open-source. Memdump is used to collect the content within RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite.

Answer 110

Cross-site scripting OBJ-1.2: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications in which malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

Answer 111

Diffie-Hellman OBJ-6.2: The Diffie-Hellman (DH) is used as a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols. As a public-key protocol, it relies on an asymmetric algorithm. AES, RC4, and Blowfish are all symmetric algorithms.

Answer 112

SNMP OBJ-2.6: SNMP is used to monitor and manage networks, both physical and virtual. SMTP is used for email. BGP and EIGRP are used for routing network data.

Answer 113

Require authentication on wake-up OBJ-4.1: To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever the computer is woken up. Therefore, if an authorized user walks away from the computer and it goes to sleep, when another person tries to use the computer, it will ask for a username and password prior to granting them access to the network.

Answer 114

This appears to be normal network traffic OBJ-2.2: This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query that occurs within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the firewall of the internal host since it is not running those services on the host. None of this network traffic appears to be suspicious.

Answer 115

Implement a VLAN to separate the HVAC control system from the open wireless network OBJ-3.2: A VLAN is useful to segment out network traffic to various parts of the network, and can stop someone from the open wireless network from being able to attempt to login to the HVAC controls. By utilizing NAC, each machine connected to the open wireless network could be checked for compliance and determine if it is a 'known' machine, but they would still be given access to the entire network. Also, since this is a publicly usable network, using NAC would prevent users from accessing all the network features, possibly. An IDS would be a good solution to detect the attempted logins, but it won't be able to prevent them. Instead, an IPS would be required to prevent logins.

Answer 116

RADIUS OBJ-6.3: With RADIUS and SSO configured, users on the network can provide their user credentials one time (when they initially connect to the wireless access point or another RADIUS client), and they are automatically authenticated to all of the network's resources.

Answer 117

Host-based firewall, Network sniffer, Cable lock, CAT5e STP OBJ 3.9: Host-based firewall, Network sniffer, a Cable lock, and CAT5e STP cables are all appropriate security features to use with a corporate workstation or laptop. By using a host-based firewall (such as Windows Firewall), you can configure the workstation or laptop to block incoming or outgoing data from the network connection of the device. If you install a network sniffer, you will be able to capture any network traffic that is being used on the network for later analysis. If you use a cable lock, it will lock the workstation or laptop to a desk and prevent theft of the device. If you use a CAT 5e STP cable for your network connection, you will minimize the risk of EMI and reduce data emanations.

Answer 118

Any malicious inbound TCP packet OBJ-2.4: The rule header is set to alert only on TCP packets based on the first line of this IDS rule. The flow condition is set as "to_client, established", which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to be able to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port be analyzed, and the direction of flow.

Answer 119

DES OBJ-6.2: The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for applications, it was the standard used from 1977 until the early 2000s. GPG, ECC, and DSA are all asymmetric algorithms.

Answer 120

23 OBJ-2.2: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet is disabled and blocked from use. The other ports that are open are for SSH (port 22), DNS (port 53), and HTTPS (port 443).

Answer 121

SPI OBJ-5.8: According to the GDPR, information about an individual's race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject's opinions, beliefs, and nature that is afforded specially protected status by privacy legislation. As it cannot be used to uniquely identify somebody, or make any relevant assertions about health, it is neither PII nor PHI. Data loss prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

Answer 122

Use SCCM to validate patch status for each machine on the domain OBJ-2.4: The Microsoft System Center Configuration Manager (SCCM) provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. In an Azure environment, you can also use the Update Compliance tool to monitor your device's Windows updates, Windows Defender anti-virus status, and the up to date patching status across all of your Windows 10 workstations. In previous versions of Windows, you could use the Microsoft Baseline Analyzer (MSBA), but that is no longer supported when Windows 10 was introduced. A PowerShell script may be a reasonable option, but it would take a knowledgeable analyst to create the script and scan the network, whereas using SCCM is easier and quicker. Manually checking the Update History or registry of each system could also work, but that is very time consuming and inefficient, especially if Ryan is supporting a large network.

Answer 123

ABAC OBJ-4.3: Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes. Information such as the group membership, the OS being used by the user, and even the IP address of the machine could be considered when granting or denying access.

Answer 124

Virtualization OBJ-3.3: When you have a limited amount of hardware resources to utilized but have a required to test multiple operating systems, you should set up a virtualized environment to test the patch across each operating system prior to deployment. You should never deploy patches directly into production without testing them first in the lab.

Answer 125

User and entity behavior analytics OBJ-3.5: Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, the use of user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning, and may have a higher false positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and to embedded hardware, such as Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms.

Answer 126

DAC OBJ-4.3: Discretionary access control (DAC) stresses the importance of the owne. The original creator of the resource is considered the owner and can then assigned permissions and ownership to others. The owner has full control over the resource and the ability to modify its ACL to grant rights to others. This is the most flexible model and is currently implemented widely in Windows, Unix, Linux, and macOS systems.

Answer 127

Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443 OBJ-2.2: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to be run during a single command execution. Next, netcat is being told to send the data to the given IP (192.168.1.76) over port 443. This is a common technique to try to bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel).

Answer 128

Insecure direct object reference OBJ-1.2: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. In this scenario, an attacker could simply change the userid number and directly access any user's profile page. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on potential flaws in the system.

Answer 129

User authentication OBJ-3.3: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.

Answer 130

NAC OBJ-2.1: Network Access Control (NAC) prevents unauthorized users from connecting to a network. Firewalls and intrusion prevention systems (IPS) are meant to restrict access from external sources and block known attacks. They would not keep out an intruder who is already in range of the wireless network. Network segmentation would limit the access that an intruder has to network resources but would not block the connection itself.

Answer 131

RC4 OBJ-6.2: RC4, or Rivest Cipher 4, is a symmetric stream cipher that was used in WEP and TLS. ECC, RSA, and Diffie-Hellman are all asymmetric algorithms.

Answer 132

netstat OBJ-2.2: The netstat command is used to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols) on a Windows machine. This is a useful command when trying to determine if any malware has been installed on the system and maybe maintaining a remote connection with a command and control server.

Answer 133

AES OBJ-6.2: The Advanced Encryption Standard (AES) is a symmetric block cipher with a fixed block size of 128 bits. It can utilize a 128-bit, 192-bit, or 256-bit symmetric key. RSA, Diffie-Hellman, and ECC are all asymmetric algorithms.

Answer 134

ECC OBJ-6.2: Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits of ECC over non-ECC cryptography is an application that can achieve the same level of security provided by non-ECC cryptography while using a shorter key length. For example, an ECC algorithm using a 256-bit key length is just as strong as a RSA or Diffie-Hellman algorithm using a 3072-bit key length.

Answer 135

SHA-1 OBJ-6.2: SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

Answer 136

Clear OBJ-5.8: Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.

Answer 137

Cain and Abel OBJ-2.2: Cain and Abel is a popular password cracking tool. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force, and cryptanalysis attacks. It also includes a module to conduct Cisco VPN Client Password Decoding, too. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access.

Answer 138

Measured boot OBJ-3.3: Measured boot is a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server. Master boot record analysis is used to capture the required information of the hard disk to support a forensic investigation and would not detect malware during the system's boot-up process. Startup control would be used to determine which programs will be loaded when the operating system is initially booted, but this would be too late to detect malware loaded during the pre-startup and boot process. Advanced anti-malware solutions are programs that are loaded within the operating system. Therefore, they are loaded too late in the startup process to be effective against malicious boot sector viruses and other BIOS/UEFI malware variants.

Answer 139

Implement a jumpbox system OBJ-3.2: A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an airgap, or using a jumpbox.

Answer 140

MAC OBJ-4.3: Mandatory Access Control (MAC) requires all access to be predefined based on system classification, configuration, and authentication. MAC is commonly used in highly centralized environments and usually relies on a series of labels, such as classification levels of the data.

Answer 141

SQL injection OBJ-1.2: SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common technique in SQL injection is to insert a statement that is always true, such as 1 == 1, or in this example, 7 == 7. Header manipulation is the insertion of malicious data, which has not been validated, into a HTTP response header. XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of the application. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end-user.

Answer 142

RC4 OBJ-6.2: RC4, or Rivest Cipher 4, is a symmetric stream cipher that was used in WEP and TLS. AES, Blowfish, and DES are all block ciphers.

Answer 143

Cryptographic erase OBJ-3.3: In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Cryptographic erase can be used with hard drives, as well. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill-based methods might not be reliable because the device uses wear-leveling routines in the drive controller to communicate which locations are available for use to any software process accessing the device. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device. The most secure option would be a cryptographic erase (CE) for the scenario provided in the question.

Answer 144

Single quote OBJ-1.2: The single quote character (') is used because this is the character limiter in SQL. With a single quote,' you delimit strings, and therefore you can test whether the strings are properly escaped in the targeted application or not. If they are not escaped directly, you can end any string supplied to the application and add other SQL code after that, which is a common technique for SQL injections. A semicolon is a commonly used character at the end of a line of code or command in many programming languages. An exclamation mark is often used to comment a line of code in several languages. Double quotes are often used to contain a string being passed to a variable.

Answer 145

Smart card OBJ-4.3: Smart cards, PIV, and CAC devices are used as an identity and access management control. These devices contain a digital certificate embedded within the smart card (PIV/CAC) that is presented to the system when it is inserted into the smart card reader. When combined with a PIN, the smart card can be used as a multi-factor authentication mechanism. The PIN unlocks the card and allows the digital certificate to be presented to the system.

Answer 146

Ping flood OBJ 1.2: A Ping flood occurs when an attacker attempts to flood the server by sending too many ICMP echo request packets (which are known as pings).

Answer 147

White team OBJ-5.4: Jason is assigned to the white team. The white team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission. A red team is a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. A blue team is a group of people responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers. The purple team made up of members of both the blue and red teams in order to work together to maximize their cyber capabilities through continuous feedback and knowledge transfer between attackers and defenders.

Answer 148

Nessus OBJ-2.2: Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can be used to perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Answer 149

Cellular data, Remote wipe, Location tracking, MDM OBJ 2.5: Cellular data, Remote wipe, Location tracking, and MDM are all appropriate security features to use with a company-provided laptop. By using cellular data, your users will be able to avoid connecting to WiFi networks for connectivity. Remote wipe enables the organization to remotely erase the contents of the device if it is lost or stolen. Location tracking uses the smart phone’s GPS coordinates for certain apps, location-based authentication, and to track down a device if it is lost or stolen. A mobile device management (MDM) program enables the administrators to remotely push software updates, security policies, and other security features to the device from a centralized server.

Answer 150

tracert OBJ-2.2: The TRACERT (spoken out loud as trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer. The ICMP "Time Exceeded" messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.

Answer 151

RP OBJ-4.2: Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties between an identity provider and a service provider (SP) or relaying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.

Answer 152

Dictionary attack OBJ-1.2: A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. The key to answering this question is that they were using passwords from a list. In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. A dictionary attack is a specific form of a brute-force attack that uses a list. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the webserver. A man-in-the-middle attack (MITM), also known as a hijack attack, is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

Answer 153

Context-based authentication OBJ-4.1: Context-based authentication can take a number of factors into consideration before permitting access to a user, including their location (e.g., country, GPS location, etc.), the time of day, and other key factors to minimize the threat of compromised credentials from being utilized by an attacker. A self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor and repair their own problem without calling the help desk. While helpful, this alone would not help prevent an attacker from using the compromised credentials. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems. Again, this is helpful since it will minimize the number of usernames and passwords that a user must remember, but if their credentials are stolen, then the attacker can now access every system the user had access too, extending the problem. Password complexity is also a good thing to use, but it won't address the challenge presented in the question of how to prevent the use of compromised credentials. If the password complexity is increased, this will prevent a brute force credential compromise, but if the credentials are compromised any other way, then the attacker could still log in to our systems and cause trouble for us.

Answer 154

Dumpster diving OBJ-1.2: Dumpster diving involves searching through publically accessible garbage cans or recycling bins to find discarded paper, manuals, or other valuable types of information from a targeted company. This is often done as part of the reconnaissance phase before an attack is performed.

Answer 155

AUP OBJ-5.1: An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the internet. For example, it may state that they must not attempt to break the security of any computer network or user, or that they cannot visit pornographic websites from their work computer.

Answer 156

Deterrent OBJ-3.9: A deterrent control is designed to discourage the violation of a security policy. Since the cameras are clearly visible, they are acting as a deterrent control. A corrective control is one that is used to fix or eliminate a vulnerability. A compensating control is used to minimize a vulnerability when it is deemed too difficult or impractical to fully correct the vulnerability. An administrative control is used to create a policy or procedure to minimize or eliminate a vulnerability.

Answer 157

The full email header from one of the spam messages OBJ-1.2: You should first request a copy of one of the spam messages that include the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or if it was external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis further based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, then you will need to conduct more research to determine the best method to solve the underlying problem.

Answer 158

Memdump OBJ-2.2: Memdump is a memory capture tool for forensic use. The dd tool is used to conduct forensic disk images. Wireshark is used for packet capture and analysis. Nessus is a commonly used vulnerability scanner.

Answer 159

FISMA OBJ-5.8: The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPPA) is a United States federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children's Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes–Oxley (SOX) is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

Answer 160

Shoulder surfing OBJ-1.2: While all of the methods listed could be used by a malicious employee or insider to obtain another user's passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Since a malicious employee or insider can work in close proximity to their victims (other users), they could easily use this technique to collect the passwords of the victimized users.

Answer 161

LDAP OBJ-4.2: LDAP can be used for single sign-on but is not a shared authentication protocol. OpenID, OAuth, and Facebook Connect are all shared authentication protocols. Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields. OAuth is designed to facilitate the sharing of information (resources) within a user profile between sites.

Answer 162

25 OBJ-2.6: Email servers rely on port 25 to send emails out of the network. Port 25 must be set to OPEN or ALLOW in the firewall in order for SMTP (sendmail transfer protocol) to function properly. Port 22 is SSH, Port 80 is HTTP, and Port 143 is IMAP.

Answer 163

Discretionary access control model Correct Answer: Discretionary access control enables a user who has created or owns an object, such as a file or folder, the discretion to assign permissions for that object to anyone they choose. Incorrect Answers: Mandatory access control models use labels and security clearances to grant access to objects. Rule-based access control models use a specific set of rules that control the interaction between users and objects. Role-based access control models use defined roles with specific rights and permissions assigned to those roles to control access to objects.

Answer 164

EAP-TLS needs server and client certifcates; EAP-TTLS only needs server certifcates. Correct Answer: EAP-TLS needs server and client certifcates; EAP-TTLS only needs server certifcates. Incorrect Answers: The EAP standard does not define the use of signed or unsigned certificates, although most implementations require signed certificates.

Answer 165

Supervisory control and data acquisition Correct Answer: Supervisory control and data acquisition (SCADA) systems are used to control and manage heating, ventilation, air-conditioning, and other types of industrial and environmental systems. Incorrect Answers: Minicomputers are antiquated computers that performed advanced tasks in the place of mainframe systems and are no longer widely in use. Although some SCADA systems could be embedded, embedded hosts normally refer to systems that have operating systems burned into their computer chips. Mainframe systems normally do not control industrial types of systems, such as heating, ventilation, and air-conditioning.

Answer 166

Deterrent control Correct Answer: A deterrent control keeps someone from performing a malicious act, provided that he or she knows the control is there and is aware of the consequences for violating it. Incorrect Answers: The difference between a deterrent control and a preventive control is that it is necessary for a potential attacker to have knowledge of the deterrent control for it to be effective. Users do not have to have knowledge of a preventative control for it to function. A corrective control is used to correct a condition when there is either no control at all, or when the existing control is ineffective. Normally, a corrective control is temporary until a more permanent solution is put into place. A compensating control assists and mitigates the risk when an existing control is unable to do so.

Answer 167

Impact, Probability Correct Answers: Probability and impact values are evaluated and assessed during a risk assessment. Incorrect Answers: Threats and vulnerabilities do not have defined values.

Answer 168

HTML attachment Correct Answer: Any form of attachment is a risk. An HTML attachment is basically an HTML file that comes attached to an e-mail message. When a user clicks this attachment, it automatically spawns a browser session and could connect to a malicious Web site. Once the user is connected to the site, malicious code can be downloaded onto the user's browser. Incorrect Answers: Neither cookies, locally shared objects, nor cross-site scripts are attached to e-mail messages.

Answer 169

Jamming Correct Answer: Jamming is an intentional interference with the signal of a wireless network. It is often part of a DoS attack. Incorrect Answers: An evil twin attack is a rogue wireless access point set up to be nearly identical to a legitimate access point. SSID cloaking is a weak security measure designed to hide the broadcasting of a wireless network's service set identifier. MAC spoofing is an attempt to impersonate another host by using its MAC address.

Answer 170

Clickjacking Correct Answer: Clickjacking is almost never seen anymore as it's easy to detect this type of attack. incorrect Answers: Header manipulation means to add malicious information to HTTP headers. A man-in-the-browser attack means to add malicious information or code, often by using a Trojan horse. Buffer overflows attempt to access privilege escalation by forcing a buffer to cause an error.

Answer 171

TCP port 1701 Correct Answer: L2TP aligns to TCP port 1701, allowing secure remote access to a system through a VPN connection. Incorrect Answer: UDP port 53 aligns to the Domain Name Service (DNS), UDP port 123 is used by Network Time Protocol (NTP) services, and TCP port 443 is used by HTTP over SSL.

Answer 172

Patch management Correct Answer: Patch management is the formal effort designed to remediate vulnerabilities and other software flaws on a regular basis. Incorrect Answers: Managing upgrades is part of a formal change and configuration management process. Account management is the process of provisioning and maintaining user accounts on the system. Change management is a formalized process that involves both long-term and short-term infrastructure changes, as well as configuration changes to hosts and networks.

Answer 173

PGP Correct Answer: Pretty good privacy, or PGP, is commonly used between individuals or small groups of people, and it normally does not require a public key infrastructure. It uses a web of trust model, which means that each individual has to be able to trust every other individual who uses PGP to encrypt and decrypt data sent and received by them. Incorrect Answers: RSA is the de-facto key generation protocol used in public key cryptography, and it is normally used in a public key infrastructure type of environment. Diffie-Hellman Exchange (DHE) is a key negotiation and agreement protocol that is used to exchange keys and establish a secure communications session. AES is a symmetric key protocol not used in public key cryptography.

Answer 174

Logic bomb Correct Answer: A logic bomb is simply a script that is set to execute at a certain time. Logic bombs are usually created by rogue administrators or disgruntled employees. Incorrect Answers: A virus is a piece of malicious software that must be propagated through a definite user action. A Trojan horse is a piece of software that seems to be of value to the user, but in reality is malware. Adware is usually annoying advertisements that come in the form of pop-up messages in a user?s browser.

Answer 175

Session cookies Correct Answer: Session cookies are used for a single Web browsing session only and are generally not carried across Web sessions. Incorrect Answers: Persistent cookies are saved and used between various Web sessions. Locally shared objects, also called flash cookies, are used for Web sites that use Adobe Flash content, and they can be persistent.

Answer 176

Codebook Correct Answer: Codes are representations of an entire phrase or sentence, where ciphers are encrypted on a character-by-character basis. A codebook is needed to translate coded phrases into their true plaintext meanings. Incorrect Answers: A symmetric key is used to encrypt ciphers, not codes, as are algorithms and asymmetric keys.

Answer 177

Deauthentication attack Correct Answer: A deauthentication attack involves sending specially-crafted traffic to both a wireless client and an access point, in the hopes of causing them to deauthenticate with each other and disconnect. Incorrect Answers: A spoofing attack involves impersonating a wireless client or access point, either through its IP or MAC address. A replay attack involves the reuse of intercepted non-secure credentials to gain access to a system or network. Initialization vector (IV) attacks involve attempting to break WEP keys by targeting their weak IVs.

Answer 178

As resources decrease, both functionality and security decrease. As security increases, functionality decreases. Correct Answers: The relationship between security and functionality is inversely proportional. As one increases, the other decreases. The relationship between resources and both security and functionality is directly proportional. As resources increase, so do both functionality and security. If resources decrease, so do functionality and security. Incorrect Answers: If functionality increases, security generally decreases. If resources increase, both security and functionality increase as well.

Answer 179

Snapshot Correct Answer: A snapshot is a quick backup of critical configuration files, used by the hypervisor to restore the virtual machine back to its point-in-time status should it become unstable or suffer any other issues. Incorrect Answers: Differential and incremental backups apply to entire systems and are used to back up only files that have changed since the last full backup. The system state backup is a Microsoft Windows type of backup that backs up critical files used by the operating system to restore it in the event of a system crash or other issue. Virtual machines can make use of all of these other types of backups, but they are not used by the hypervisor to restore the VM itself.

Answer 180

Authentication Correct Answer: Authentication is the process of validating that a user?s credentials are authentic, after the user has presented them through the identification process. Incorrect Answers: Authorization is the process of controlling access to resources through methods that include permissions, rights, and privileges. Auditing is the process of reviewing logs and other audit trails to determine what actions have been performed on systems and data. Accountability uses auditing to ensure that users are traced to and held responsible for their actions.

Answer 181

Detection and analysis Correct Answer: Detection and analysis is the second step of the incident response life cycle. Incorrect Answers: In order, the steps of the incident response life cycle are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

Answer 182

Notifying and coordinating with senior management and law enforcement officials Correct Answer: Notifying and coordinating with senior management and law enforcement officials is normally the job of a senior leader within the incident response team. Incorrect Answers: The primary job of a first responder is to secure the scene. They are also responsible for notifying the incident response team and initially determining the scope, seriousness, and impact of the incident.

Answer 183

Documentation review Correct Answer: The documentation review is the simplest form of test. In this type of test, the business continuity plan, disaster recovery plan, and associated documents are reviewed by relevant personnel including managers, recovery team members, and anyone else who may have responsibilities directly affecting plans. Incorrect Answers: A tabletop exercise is a type of group review. In a full-scale test, all personnel are usually involved and may actually conduct activities as they would during a real incident. This type of test is more complex and normally requires extensive resources, such as people and equipment, so it is typically conducted infrequently. In a walkthrough test, team members go through the motions of fulfilling the responsibilities and conducting the activities required during an incident or disaster.

Answer 184

ECDH Correct Answer: Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in public key cryptography. It is used to negotiate, agree upon, and establish a secure session between two parties. Incorrect Answers: RSA (Rivest-Shamir-Adleman) is the most common public-private key generation algorithm used in public key cryptography. It is used to generate a public and private key pair. AES is the Advanced Encryption Standard, and it is not used in public key cryptography; it is a symmetric key cryptography algorithm. SHA-2 is the second iteration of the Secure Hashing Algorithm and is used to generate message digests for plaintext. It is not used in public key cryptography to exchange keys or establish secure sessions.

Answer 185

Mean time to failure Correct Answer: The mean time to failure (MTTF) is the length of time a device is expected to last in operation. In MTTF, only a single, definitive failure will occur and will require that the device be replaced rather than repaired. Incorrect Answer: Mean time between failures (MTBF) represents the manufacturer's best guess (based on historical data) regarding how much time will pass between major failures of that component. This assumes that more than one failure will occur, which means that the component will be repaired, rather than replaced. Mean time to recovery (MTTR) is the amount of time it takes for a hardware component to recover from failure. Mean time to replace is not a valid term.

Answer 186

64-bit Correct Anwer: WEP key sizes are 64-bits (40-bit key and 24-bit initialization vector) or 128-bit (104-bit key and 24-bit initialization vector). The 802.11b standard called for a 64-bit key. Incorrect Answers: Neither 512-bit nor 256-bit are valid WEP key sizes. The original 802.11b standard called for a 64-bit key; the 128-bit key was developed after this standard was issued.

Answer 187

MAC filtering logs Correct Answers: MAC addresses can be spoofed, so examining MAC address on filtering logs may not provide any indication of whether a host is authorized or not. Incorrect Answers: All of these are valid methods of detecting rogue hosts that connect to the network.

Answer 188

Credential validation Correct Answer: Validating credentials is an important aspect of authentication, not authorization. incorrect Answers: All of these elements directly support authorization.

Answer 189

Coercion Correct Answer: Coercion attacks generally require direct confrontation with the victim, so they are usually detected. Incorrect Answers: All of these attacks may go undetected by the victim, because they may not require any direct interaction with the target and can be performed subtly by the attacker without the victim noticing.

Answer 190

Rijindael Correct Answer: Rijindael was selected as the winner of the NIST competition and became the U.S. government?s Advanced Encryption Standard (AES). Incorrect Answers: Twofish, another symmetric algorithm, was one of the five finalists for the competition, but it did not win. Blowfish is also symmetric algorithm, but was not considered in the competition to be the AES. RC4 is a symmetric streaming cipher commonly seen in WEP and SSL implementations. It was not one of the finalists involved in the AES competition.

Answer 191

User-dependent security Correct Answer: The organization should not depend solely upon the users to manage security and static devices, because these devices can be managed just as traditional hosts and network devices are. Incorrect Answers: These are all valid methods of securing static hosts in an organization.

Answer 192

ECB Correct Answer: With ECB mode, a given piece of plaintext will always produce the same corresponding piece of ciphertext. This predicability makes it weak. Incorrect Answers: While CBC, OFB, and CTR mode go about the processes in different ways, these modes lack ECB's predicability, adding strength to the underlying cryptosystem.

Answer 193

Ipsec Correct Answers: IPsec provides encryption, integrity, and authentication for data tunneled over VPNs across public networks. Incorrect Answers: S/MIME is used for encrypting e-mail SSH allows secure remote access MD5 facilitates hashes to allow for integrity.

Answer 194

Ciphertext Correct Answer: Ciphertext is a result of the encryption process; it is encrypted text. Incorrect Answers: Plaintext is unencrypted text. A hash or message digest is a cryptographic representation of variable length text, but it is not the text itself.

Answer 195

Information classification Correct Answer: An organization's information classification policy not only outlines what level of security protections certain data receives, but it also serves to instruct employees on how to treat sensitive data. Incorrect Answers: Clean desk policies, which instruct employees to not leave sensitive data unattended, as well as data disposal policies, can be included in the information and data handling policies, but these are very specific instances and don't cover all information or all scenarios where an employee would be in a position to treat data with care. Protection of personally identifiable information on social media would be part of an organization's social media policy.

Answer 196

48-bit Correct Answer: The IV size for TKIP is 48-bit. Incorrect Answers: The only valid IV size for TKIP is 48-bit.

Answer 197

Kerberos Correct Answer: Kerberos is an authentication protocol used in Windows Active Directory. It uses a series of tickets and timestamps to authenticate individuals and prevent replay attacks. Incorrect Answers: MS-CHAP is a Microsoft version of the Challenge Handshake Authentication Protocol, used in earlier versions of Windows. It uses challenges and password hashes to authenticate individuals. EAP, the Extensible Authentication Protocol, is an authentication framework that can use several other protocols for secure access across both wired and wireless networks. SESAME (Secure European System for Applications in a Multivendor Environment) is a European-developed authentication protocol that can provide for single sign-on capability. It is not widely used and does not use tickets for authentication.

Answer 198

The RPO is the maximum allowable amount of data (measured in terms of time) that the organization can afford to lose during a disaster or an incident. Correct Answers: The RPO is the maximum allowable amount of data (measured in terms of time) that the organization can afford to lose during a disaster or an incident. Incorrect Answers: The RPO is the maximum amount of data, not the minimum, that can be lost during a disaster or an incident. RPO refers to data that can be lost, not time itself. RPO is measured in time, not gigabytes.

Answer 199

Security testing Correct Answer: During the secure testing phase of the secure software development model, software is measured or tested against security, functional, and performance requirements. This may include secure code review, application fuzzing, and vulnerability assessments, as well as penetration testing. Incorrect Answers: In the secure design stage, different security functionality is designed into the application. In the security requirements stage, requirements for different security functions are determined. During secure implementation of software, security requirements are validated as implemented in the application.

Answer 200

FTPS Correct Answer: FTPS is a secure version of the non-secure FTP protocol and is used over SSL or TLS connections to ensure security when transferring files to or from an Internet-based host. Incorrect Answers: FTP is a non-secure protocol used to copy files to and from Internet-based hosts. SCP is a secure copy protocol used to copy files securely to and from a networked host, and it uses SSH. SFTP is a secure file transfer protocol used to copy files to and from an Internet-based host, and it also uses SSH.

Answer 201

Blacklisting Correct Answer: Blacklisting is a technique that involves an administrator adding undesirable or restricted software or applications to a list on content filtering devices, in group policy, or through some other type of mechanism. This ensures that users are not allowed to download, install, or execute these particular applications. Incorrect Answers: Whitelisting is the opposite of blacklisting; applications that users are allowed to download, install, and execute are added to a whitelist. There is no such term as graylisting. Filtering typically involves checking traffic on a network device based upon specific characteristics. The term normally does not apply to software or applications.

Answer 202

99.99 percent availability Correct Answers 99.99 percent availability accounts for 52 minutes of downtime per year. Incorrect Answers: 99.999 percent availability allows only 5.26 minutes of downtime per year, which may not be enough if the server requires almost an hour of maintenance time. 99.9 percent availability equates to more than 8 hours of downtime per year and exceeds the stated requirement. 99 percent availability is more than 3 days of downtime per year, far exceeding the requirement for no more than 1 hour of downtime.

Answer 203

Public Correct Answer: A public cloud is operated by a third-party provider who leases space in the cloud to anyone who needs it. Incorrect Answers: An external cloud is not a valid type of cloud and could be a public, private, or community cloud. A private cloud is for use only by one organization and is usually hosted by that organization?s infrastructure. A community cloud is for use by similar organizations or communities, such as universities or hospitals, that need to share common data.

Answer 204

Dawn's public key Correct Answer: To encrypt information that Dawn can decrypt, using public and private key pairs, Bobby would need Dawn's public key to encrypt data that only her private key can decrypt. Incorrect Answers: Encrypting with Bobby's public key would allow only Bobby's private key to decrypt the data, and only he would possess that. Bobby would not possess Dawn's private key to encrypt data to her, and then only her public key, which everyone would have, would be able to decrypt it, so there would be no confidentiality involved. Bobby would not use his private key to encrypt data, because only his public key can decrypt it, and everyone could have that key, so no confidentiality would be assured.

Answer 205

MAC address filtering Correct Answer: Filtering by the MAC address ensures that only specific systems can access the wireless network based on the MAC address generally presented by the network card. That address is added into a list of systems that can connect (or not). Incorrect Answers: Encryption technologies cannot stop specific systems from entering the network on its own. Disabling the SSID broadcast cannot stop systems from connecting if they determine the SSID through other means.

Answer 206

16 Correct Answer: DES uses 16 rounds of encryption. Incorrect Answers: DES does not use 32,64, or 128 rounds of encryption or decryption processes.

Answer 207

SNMP Correct Answers: The Simple Network Management Protocol (SNMP) uses SNMP agents that respond to queries to report their status to a central program manager. Incorrect Answers: These protocols are not used to manage network devices.

Answer 208

Content filter Correct Answer: Content filters can scan content as it leaves the network, checking for certain types of content that has been pre-specified within the software. Incorrect Answers: The other choices are incorrect because those technologies will not content-filter messages. Antispam filters are used to catch and quarantine spam messages. Caching proxy servers are used to cache, or store, messages for speedy retrieval in the future. Firewalls help control and block (when necessary) network traffic at the ingress and egress points.

Answer 209

Round robin Correct Answer: Round robin is a turn-based scheduling method where jobs are assigned to servers in sequential order. Incorrect Answers: Affinity scheduling means that the load balancer keeps a client's sessions connected to the server that's keeping the session. On demand and First come are meaningless terms created from the depths of your test writer's mind.

Answer 210

Telecommunication companies Correct Answer: Telecoms use Interconnection Service Agreements. Incorrect Answers: Government entities use MOUs because contracts are not the primary method of agreements between entities of the same government but they do not use Interconnection Service Agreements because they don't run or manage Internet or Telecom traffic..

Answer 211

53 Correct Answers: DNS uses TCP and UDP port 53, so this port should be left open. Incorrect Answers: All other unnecessary ports should be closed. Port 22 is used by SSH. Port 25 is used by SMTP. Port 80 is used by HTTP.

Answer 212

Sandboxing Correct Answer: Sandboxing separates applications from one another and does not allow them to share execution, user, or data space. Incorrect Answers: Whitelisting enables an administrator to determine which applications and other software the user is allowed to install and execute. Containerization is a technique used to separate different sensitivities of data, such as corporate and personal data on a mobile device. Blacklisting is a method that enables administrators to restrict users from installing and executing certain applications.

Answer 213

Threats exploit vulnerabilities. Correct Answer: Threats exploit vulnerabilities.The relationship between the elements of risk are as follows: threat actors initiate threats, which in turn exploit vulnerabilities. Incorrect Answers: All other answers are incorrect.

Answer 214

Lack of control Correct Answer: Lack of control over data and the infrastructure is probably the greatest risk to cloud computing. Incorrect Answers: Accountability and responsibility can be established through effective security controls and well-written service-level agreements. Cloud computing usually increases availability of data for users, since it is typically built on highly available, redundant infrastructures.

Answer 215

WEP Correct Answer: WEP is a legacy wireless encryption protocol that has been determined to be very weak and easily broken. It uses the RC4 streaming protocol and weak initialization vectors (24-bit) to encrypt data on wireless networks. Incorrect Answers: WPA2 is an advanced encryption protocol that uses AES. WPA was an interim protocol used to correct some of WEP's weaknesses. It uses the TKIP protocol. 802.1X is a port-based authentication method, not a wireless encryption protocol.

Answer 216

Acceptable-use policy Correct Answer: An acceptable-use policy details what is (and is not) acceptable for users to do during their working hours, including personal use and unacceptable activities on the company network, such as gambling and pornography. Incorrect Answers: Due care is an act performed by the company itself, and is not a user policy. Service level agreements are made between a company and a third party, such as a contractor or a supplier. Access control policies help protect against unauthorized access, both physical and logical, but they don't discuss how users can and cannot use systems.

Answer 217

LDAP Correct Answer: The Lightweight Directory Application Protocol (LDAP) uses TCP port 389. Incorrect Answers: SQL is a query language for directories. HTTPS is the secure HTTP protocol for Web pages. TLS is an authentication/encryption protocol.

Answer 218

Hashes are decrypted using the same algorithm and key that encrypted them. Correct Answer: Hashes are produced from one-way mathematical functions and cannot be decrypted. Incorrect Answers: All of these are characteristics of hashing.

Answer 219

Risk likelihood and impact Correct Answer: The risk likelihood and impact should directly determine how much you budget for controls to prevent the occurrence of risk. Incorrect Answers: Asset identification does not require analysis of cost. Risk likelihood and impact are more accurate than threat of natural disaster and qualitative costs in determining how much a solution will actually cost.

Answer 220

Anomaly-based system Correct Answers: Anomaly-based systems detect unusual network traffic patterns based upon a baseline of normal network traffic. Incorrect Answers: Rule-based systems use predefined rule sets. Signature-based systems use predefined traffic signatures that are typically downloaded from a vendor. Filter-based systems, such as routers and firewalls, base detection on access control lists that specify traffic that is permitted and denied.

Answer 221

Double-blind test Correct Answer: In a double-blind test, testers have no prior knowledge of the network they are testing, and network defenders have no prior knowledge of the test and aren't aware of any attacks unless they can detect and defend against them. This test is designed to test the defenders' abilities to detect and respond to attacks and to test and exploit vulnerabilities on the network. Incorrect Answers: In a black box test, only the testers have no knowledge of details about this network configuration. This type of test is also referred to as a blind test. In a gray box test, the penetration tester may have some limited knowledge of the network or systems, gained from the organization that wants the test.

Answer 222

Security requirements Correct Answer: In the security requirements stage, requirements for different security functions are determined. Iterations of interviews and surveys might be developed and gathered and diagrams developed to show project milestones. Incorrect Answers: During the secure testing phase of the secure software development model, software is measured or tested against security, functional, and performance requirements. This may include secure code review, application fuzzing, and vulnerability assessments, as well as penetration testing. In the secure design stage, different security functionality is designed into the application. During the secure implementation of software, security requirements are validated as implemented in the application.

Answer 223

SELinux Correct Answer: SELinux is the only example, from the answers given, of a trusted operating system. Incorrect Answers: These operating systems are not considered trusted operating systems, although they can be hardened to varying degrees.

Answer 224

Signage should indicate security checkpoints to report to in the event of an emergency requiring evacuation. Correct Answer: Signage should indicate the location and route to emergency evacuation exits, not security checkpoints, in the event of an emergency requiring evacuation. Incorrect Answers: All of these are valid characteristics of good signage.

Answer 225

RADIUS uses TCP port 1812. Correct Answer: RADIUS does not use TCP. Incorrect Answers: All of these are characteristics of the RADIUS protocol.

Answer 226

Halon Correct Answer: Halon is a dangerous chemical that was previously used in data centers to suppress fires. However, it was banned in 1987 because it is also dangerous to human beings. Incorrect Answers: Water is still used to combat certain classes of fires. Carbon dioxide is used to combat both liquid and electrical fires. FM-200 has generally replaced Halon in data center fire suppression systems.

Answer 227

Tailgating Correct Answer: A tailgating person might use some sort of creative pretext to convince someone to open the door and allow him or her to enter without proper identification. Incorrect Answers: Neither shoulder surfing nor dumpster diving are attempts to enter a facility. Impersonation could be used to enter a facility, but it is not being used to do so in this case.

Answer 228

Minimum password age Correct Answer: The minimum password age setting is used to force users to use a password for a minimum amount of time before they are allowed to change it. This prevents them from rapidly cycling through the password history to reuse an older password. Incorrect Answers: Password history simply records a previous number of passwords, so that they cannot be reused in the system. The maximum password age is used to expire a password after a certain time period. Password complexity enforces the use of longer password lengths and character spaces, increasing password strength.

Answer 229

SSL, TLS Correct Answers: Both Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols are used to encrypt traffic sent over untrusted networks, such as the Internet. Incorrect Answers: Both use TCP port 443.SCP is part of the SSH protocol suite and is used to copy files securely from one host to another. SSH is a protocol used to connect to and administer hosts remotely. Both SCP and SSH use TCP port 22. UDP uses UDP port 69 and is totally unsecure.

Answer 230

The error caused from rejecting someone who is in fact an authorized user Type I error Correct Answer: A false reject rate (FRR) is the error caused from rejecting an authorized user; it is also called a Type I error. Incorrect Answer: A false acceptance rate (FAR) is the error caused when an unauthorized user is validated as authorized, also referred to as a Type II error.

Answer 231

Access control list Correct Answer: An access control list (ACL) is a physical or logical list that details specific access levels individuals or entities may have when interacting with objects. An ACL is also used on network devices to determine how traffic from various users can enter and exit a network device and access internal hosts. Incorrect Answers: Access approval lists and metadata tables are distractors and are not valid terms. Rule-based access control is an access control model based upon various access control rules that apply to users, objects, and actions.

Answer 232

Near-field communication (NFC) Correct Answer: Near-field communication is enables devices to send very low-power radio signals to each other by using a special chip implanted in the device. This technology requires that the devices be extremely close or even touching each other. This technology is used for a wide variety of applications, including payments through NFC-enabled smartphones. Incorrect Answers: Neither 802.11 wireless nor Bluetooth technologies are used in this manner. Infrared does not use radio frequency technology; it enables communications between devices using a beam of light.

Answer 233

Flood attack Correct Answer: A flood is a type of network attack based upon confusing a switch with ICMP traffic. Incorrect Answers: Malware would not cause a large volume of ICMP segments to be sent to a host. A man-in-the-middle attack attempts to break into an existing communications session, and is not a denial-of service attack. A phishing attack is a form of social engineering attack using e-mail.

Answer 234

OCSP Correct Answer: The Online Certificate Status Protocol (OCSP) is used to obtain the revocation status of digital certificates. It is used as an alternative to certificate revocation lists and enables clients to request and receive the electronic status of digital certificates automatically and in real-time. Incorrect Answers: Diffie-Hellman Exchange (DHE) is a key negotiation and agreement protocol used in public key cryptography. RSA is the de facto standard used to generate public and private key pairs in a PKI. Elliptic curve cryptography (ECC) is a public key cryptography protocol used on small mobile devices, due to its low power and computing requirements.

Answer 235

dig, nslookup Correct Answers: Both dig and nslookup are designed to query DNS servers. Incorrect Answers: One might argue that Nmap and ping might be used to diagnose DNS, but neither of them are specifically for DNS queries. Kali is a Linux distro, not a utility.

Answer 236

PAP Correct Answer: The Password Authentication Protocol (PAP) is an older authentication method that passes usernames and passwords in clear text. For this reason, it is no longer used. Incorrect Answers: CHAP, the Challenge Handshake Authentication Protocol, uses password hashes and challenge methods to authenticate to the system. Passwords are not passed in clear text with this protocol. MS-CHAP (Microsoft CHAP) is a Microsoft proprietary version of CHAP, native to Windows systems. The Extensible Authentication Protocol (EAP) is a modern authentication framework that can use various authentication methods. It also does not pass username and password information in clear text.

Answer 237

Refactoring Correct Answer: A refactored driver will work correctly, but might also perform other, malicious actions. Incorrect Answers: Man-in-the-middle might be a result of the refactor, but is not the threat itself. Version control refers to formally tracking different versions of the baseline configuration. Shimming is a library that responds to inputs that the original device driver isn?t designed to handle and would require a separate file.

Answer 238

IMAPS Correct Answer: IMAPS (secure IMAP) is a secure version of the IMAP4 protocol used over SSL or TLS connections to provide for client e-mail security. Incorrect Answers: SMTP is a server-side e-mail protocol and is not used over SSL or TLS. SMTP uses TCP port 25. POP3 is a non-secure client-side e-mail protocol that uses TCP port 110. IMAP4 is a non-secure client-side e-mail protocol that uses TCP port 143.

Answer 239

Decentralized Correct Answers: Decentralized log management means that logs are managed and reviewed on a host-by-host basis, rather than as a centralized, consolidated group. Incorrect Answers: Centralized log management involves collecting logs from across the network into a system and reviewing then as a group. Security Information Event Management (SIEM) is a centralized method of obtaining logs and other data from disparate devices across a network. Syslog is a logging tool found in UNIX and Linux systems, which can be used either on a centralized or decentralized basis.

Answer 240

An attack that exceeds the memory allocated to an application for a particular function, causing it to crash. Correct Answer: CoA buffer overflow attack is an attack that exceeds the memory allocated to an application for a particular function, causing it to crash. Incorrect Answers: While similar to a buffer overflow attack, an integer overflow attack uses unexpected numerical results from a mathematical operation to overflow a buffer. An SQL injection attack is an attack on a database through vulnerabilities in the Web application, usually in user input fields. An XML injection attack involves sending malicious XML content to a Web application, taking advantage of any lack of input validation and XML parsing.

Answer 241

Geotagging Correct Answers: Geotagging is the practice of marking media files, such as pictures and video, with relevant information such as geographic location (using the GPS features of the mobile device) and time. This information can be used by security professionals to track where and how a mobile device has been used. Incorrect Answers: Remote management is the overall process of remotely managing and monitoring mobile devices that are used to connect to the corporate infrastructure. Geolocation is the use of a device's GPS features to determine device location, to locate points of interest, and to gather other useful information. Although it can be used to geotag media, it is not the same as geotagging. Geofencing is the use of geolocation features to ensure that a mobile device does not leave specific areas of corporate property.

Answer 242

Lack of input validation Correct Answer: A lack of input validation in the Web form field may allow certain types of attacks to take place when a user enters malicious or incorrect characters in the form. Incorrect Answers: Permissions do not affect the quality or type of input in the field, only who can access and perform actions on the form. Adequate memory in a buffer cannot perform input validation functions. Properly formatted HTML cannot perform input validation on a form field.

Answer 243

Key stretching Correct Answer: Key stretching is a technique used to change weak keys into stronger ones by feeding them into an algorithm to produce enhanced keys. Incorrect Answers: Key streaming involves sending individual characters of the key through an algorithm and using mathematical XOR function to change the output. Key repetition is not a valid answer or term. Key exchange involves generating and exchanging a asymmetric key used for a particular communications session, or exchanging public keys in order to use them for public key cryptography.

Answer 244

Hypervisor Correct Answer: A hypervisor, also called a virtual machine monitor, is application software responsible for creating and managing virtual machines and their associated files on a host. Incorrect Answers: The host operating system does not create or manage virtual machines; it merely shares resources with them. The guest operating system is the virtual machine itself and is managed by a hypervisor. A load balancer is other software or a hardware appliance responsible for balancing user requests and network traffic among several different physical or virtualized hosts.

Answer 245

Vulnerability assessment Correct Answer: A vulnerability assessment looks for weaknesses in systems. Incorrect Answers: A threat assessment looks at events that could exploit vulnerabilities. A risk assessment is a combination of assessments and is designed to assess factors, including likelihood and impact, that affect an asset. A penetration test actually attempts to exploit any found weaknesses (usually after a vulnerability assessment) to gain access to systems

Answer 246

Whaling Correct Answer: Whaling is a social engineering attack that targets people in high-value positions, such as senior executives. It is a form of a phishing attack. Incorrect Answers: Spear phishing involves targeting a particular type of user, regardless of rank in the organization, and basing the attack on more detailed, in-depth information in order to convince the target that the phishing e-mail is actually valid. Vishing is a form of phishing attack that takes place over Voice-over-IP (VoIP) telephone systems. Pharming is a form of DNS attack.

Answer 247

SNMP Correct Answer: The Simple Network Management Protocol (SNMP) uses a management information base, or MIB, specific to each device and from which device information can be obtained. Incorrect Answers: SMTP, the Simple Mail Transport Protocol, is responsible for sending e-mail. Syslog is a log server found in UNIX and Linux systems. An access control list (ACL) resides on network devices and filters traffic coming into and out of a device.

Answer 248

Password length Use of additional character space Correct Answer: Password length and the use of additional character space are two important characteristics of password strength and complexity. Incorrect Answers: Neither authentication methods nor encryption strength directly affects password strength.

Answer 249

Single sign-on Correct Answer: Single sign-on is a method of authentication that enables a user to provide one set of credentials and use them throughout an interconnected network. Both Kerberos and Sesame protocols allow single sign-on. Incorrect Answers: Multifactor authentication refers to the use of several different factors to authenticate to a system, such as something you know, something you are, and something you have. Multifactor authentication can be used in a single sign-on environment but is not necessarily required. Single-factor authentication uses only one factor, such as something you know, to authenticate to a system. It can also be used in a single sign-on environment but is not required. Pass-through authentication can appear to be similar to single sign-on, but it requires all individual systems simply to accept credentials passed from another system without a unified approach.

Answer 250

Something you are Correct Answer: This is an example of "something you are," like any biometric factor, such as a fingerprint or retinal eye pattern. Incorrect Answers: An example of "something you know" would be a password or PIN. "Something you have" would include a token or smart card. "Something you do" would be considered swiping a pattern like a pattern unlock on a cell phone.

Answer 251

Physically Logically Correct Answer: Networks are typically separated for security purposes either physically, logically, or both. Physical separation involves separating network hosts by connecting them to different devices. Logical separation involves separating them through segmented IP subnetworks. Incorrect Answers: Separating network hosts either geographically or functionally does not contribute to security.

Answer 252

RSA Correct Answer: RSA (Rivest-Shamir-Adleman) is the most common public-private key generation algorithm used in public key cryptography. Incorrect Answers: Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in public key cryptography. It is used to initially negotiate, agree upon, and establish a secure session between two parties. AES is the Advanced Encryption Standard, and it is not used in public key cryptography; it is an asymmetric key cryptography algorithm. SHA-2 is the second iteration of the Secure Hashing Algorithm and is used to generate message digests for plaintext. It is not used in public key cryptography to exchange keys or establish secure sessions.

Answer 253

RSA Correct Answer: RSA (Rivest-Shamir-Adleman) is the most common public-private key generation algorithm used in public key cryptography. Incorrect Answers: Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in public key cryptography. It is used to initially negotiate, agree upon, and establish a secure session between two parties. AES is the Advanced Encryption Standard, and it is not used in public key cryptography; it is an asymmetric key cryptography algorithm. SHA-2 is the second iteration of the Secure Hashing Algorithm and is used to generate message digests for plaintext. It is not used in public key cryptography to exchange keys or establish secure sessions.

Answer 254

Something you know Correct Answer: A password is memorized, therefore you know it. Incorrect Answer: Something you do would be an action unique to you like a written signature. Something you have is an item on your person like an ID card. Something you are is an aspect of your physical person that's unique to you like a fingerprint.

Answer 255

Log analysis Correct Answer: A log analysis can't identify patterns alone and requires other data and event sources to identify trends and patterns. Incorrect Answers: Trend analysis involves looking at data from various sources, including device logs, to identify patterns over a period of time. Both qualitative and quantitative analyses are risk assessment techniques.

Answer 256

The company's account policy Correct Answer: The company's account policy. Incorrect Answers: Microsoft best practices as well as FIPS might give some good ideas, but there is no law (such as Sarbanes-Oxley) requiring a certain naming convention for user accounts.

Answer 257

Cloud services Correct Answer: Cloud services can enable users to perform their work via a browser, from anywhere they have Internet connectivity. This can be configured either to allow a local copy along with the cloud copy of the data, or the data can be edited directly within the cloud. Incorrect Answers: Virtualization allows multiple virtual machines to run on the same piece of hardware. Subnetting and network address translation (NAT) are important, but incorrect, security concepts.

Answer 258

HIPAA Correct Answer: HIPAA regulates the protection of patient data in the healthcare and health insurance industry. Incorrect Answers: RMF covers the risk management of U.S. Department of Defense systems; Sarbanes-Oxley and PCI are involved with financial data.

Answer 259

Symmetric Correct Answer: When using symmetric encryption, both the sender and receiver use the same key. Incorrect Answers: Steganography hides data within photos or another piece of data. Hashing is used to verify data integrity. Asymmetric cryptography uses a public and private key pair for encryption, so it does not use the same key for both parties.

Answer 260

Generator Correct Answer: To provide continuous power, you will need a generator, often gas-powered, that can provide power continuously until electrical power is restored. Be sure that you have enough gas! For very critical systems, multiple generators (tested regularly) are a common control. Incorrect Answers: A power conditioner helps provide clean power that is less likely to harm systems; it has nothing to do with power outages. UPSes and battery backups are incorrect because they provide backup power for only a short period of time and are often used to allow a graceful shutdown of less critical systems.

Answer 261

Evil twin Correct Answers: An evil twin attack is a rogue wireless access point set up to be nearly identical to a legitimate access point.SSID cloaking is a weak security measure designed to hide the broadcasting of a wireless network's Service Set Identifier. Incorrect Answers: MAC spoofing is an attempt to impersonate another host by using its MAC address. Jamming is an intentional interference with the signal of a wireless network. It is often part of a DoS attack.

Answer 262

802.1X Correct Answer: 802.1X is a port-based authentication method, not a wireless encryption protocol. Incorrect Answers: WPA2 is an advanced encryption protocol, which uses AES. WEP is a legacy wireless encryption protocol, which has been determined to be very weak and easily broken. It uses the RC4 streaming protocol and weak initialization vectors (24-bit) to encrypt data on wireless networks. WPA was an interim protocol used to correct some of WEP's weaknesses. It uses the TKIP protocol.

Answer 263

ACL Correct Answer: An access control list (ACL) resides on network devices and filters traffic coming into and out of the device. Incorrect Answers: SMTP, the Simple Mail Transport Protocol, is responsible for sending e-mail. The Simple Network Management Protocol (SNMP) uses a Management Information Base, or MIB, specific to each device to obtain device information from. Syslog is a log server found in UNIX and Linux systems.

Answer 264

Infrared Correct Answer: Infrared enables communications between devices using a beam of light. Incorrect Answers: Neither 802.11 wireless nor Bluetooth technologies perform in this manner. Near Field Communication is a newer technology in which devices send very low power radio signals to each other by using a special chip implanted in the device. It requires that the devices be extremely close or touching and is used for a variety of applications, including payments through NFC-enabled smartphones.

Answer 265

Rule-based system Correct Answer: Rule-based systems use predefined rule sets. Incorrect Answers: An anomaly-based system detects unusual network traffic patterns based upon a baseline of normal network traffic. Signature-based systems use predefined traffic signatures, typically downloaded from a vendor. Filter-based systems, such as routers and firewalls, base detection on access control lists that specify traffic that is permitted and denied.

Answer 266

Containment, eradication, and recovery Correct Answer: Containment, eradication, and recovery is the third step of the incident response lifecycle. Incorrect Answers: In order, the steps of the incident response life cycle are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

Answer 267

Hashes produce fixed-length digests for variable-length text. Hashing can be used to protect data integrity. Hashes are cryptographic representations of plaintext. Correct Answers: Hashes are cryptographic representations of plaintext, hashes produce fixed-length digests for variable-length text, and hashing can be used to protect data integrity are all characteristics of hashing. Incorrect Answers: Hashes are decrypted using the same algorithm and key that encrypted them is incorrect. Hashes are produced from one-way mathematical functions and cannot be decrypted.

Answer 268

Syslog Correct Answer: Syslog is a logging facility found in UNIX and Linux systems, which can be used on either a centralized or decentralized basis. Incorrect Answers: Centralized log management involves collecting logs from across the network into on system and being able to review them as a group. Security Information Event Management (SIEM) is a centralized method of obtaining logs and other data from disparate devices across the network. Decentralized log management means that logs are managed and reviewed on a host-by-host basis, rather than as a centralized, consolidated group.

Answer 269

Rule-based access control Correct Answer: Rule-based access control is an access control model based upon various access control rules that apply to users, objects, and actions. Incorrect Answers: An access control list (ACL) is a physical or logical list that details specific access levels individuals have to access objects. It is also used on network devices to determine which traffic from various users can enter and exit network devices and access internal hosts. Access approval lists and metadata tables are distractors and are not valid terms.

Answer 270

FM-200 Correct Answer: FM-200 generally replaced halon in data center fire suppression systems. Incorrect Answers: Water is still used to combat certain classes of fires, but it did not replace halon. Shalon doesn't exist. Carbon dioxide is used to combat both liquid and electrical fires, but it did not replace halon.

Answer 271

WPA2 Correct Answer: WPA2 (Wi-Fi Protected Access version 2) currently provides the strongest available encryption for wireless networks. Incorrect Answers: WPA and WEP are weaker protocols. HTTPS is a secure protocol for connecting on the Web, but not within your own network.

Answer 272

Privilege creep Correct Answer: Privilege creep. Bradley keeps getting new privileges, yet nothing is turned off. Incorrect Answers: Authentication failure implies something has gone wrong. There has been no failure in authentication. The principle of least privilege means that administrators never give a user account more rights and permissions than is needed for the user to do his or her job. False acceptance rate indicates the level of errors that the system may generate indicating that unauthorized users are identified and authenticated as valid users in a biometric system.

Answer 273

Monitor traffic from that specific computer with a protocol analyzer. Correct Answer: A protocol analyzer can intercept, log, and allow analysis to be conducted on network traffic, to include source and destination of the traffic. Incorrect Answers: None of these options will help track down the information that might be transmitted by a backdoor tool.

Answer 274

Load balancer Correct Answer: A load balancer is a piece of application software or a hardware appliance that is responsible for balancing user requests and network traffic among several different physical or virtualized hosts. Incorrect Answers: The host operating system does not create or manage virtual machines; it merely shares resources with them. The hypervisor, also called a virtual machine monitor, is a piece of application software that is responsible for creating and managing virtual machines and their associated files on a host. The guest operating system is the virtual machine itself and is managed by a hypervisor.

Answer 275

Availability Correct Answer: Availability is the most likely attribute gained through potential redundancy and continuity of operations planning that's (hopefully) inherent within the cloud environment. Cloud computing usually increases availability of data for users, since it is typically built on highly available, redundant infrastructures. Incorrect Answers: Accountability and responsibility can be established through effective security controls and well-written service-level agreements. Users lose a large measure of control by moving to the cloud.

Answer 276

Whitelisting Correct Answers: Applications that users are allowed to download, install, and execute are added to a whitelist by an administrator; whitelisting is the opposite of blacklisting. Incorrect Answers: Blacklisting involves an administrator adding undesirable or restricted software or applications to a list on content filtering devices, in group policy, or through some other type of mechanisms. This ensures that users are not allowed to download, install, or execute these particular applications. There is no such term as graylisting. Filtering typically involves checking traffic on a network device, based upon specific characteristics. The term normally does not apply to software or applications.

Answer 277

Operating system Correct Answer: Containerization is the process of virtualizing the operating system. Containers often use storage segmentation to separate sensitive and personal data. Incorrect Answers: Virtual machines are not virtualized. Traditional virtualization, not containerization, virtualizes hardware; and while it can be argued that both traditional virtualizations as well as containerization virtualize a system's interface, that is not the best answer of the choices given.

Answer 278

Black box test Blind test Correct Answers: In a black box test, the testers have no knowledge of details about the network configuration, but system defenders are aware of their presence. This type of test is also referred to as a blind test. Incorrect Answers: In a double-blind test, testers have no prior knowledge of the network they are testing, and network defenders also have no knowledge of the test and aren't aware of any attacks unless they can detect and defend against them. This test is designed to test the defenders' abilities to detect and respond to attacks, as much is it is to test and exploit vulnerabilities on the network. In a gray box test, the penetration tester may have some limited knowledge of the network or systems, gained from the organization that wants the test. Unlimited test is not a real test in the Security+ arena.

Answer 279

Password complexity Correct Answer: Password complexity enforces the use of longer password lengths and character spaces to increase password strength. Incorrect Answers: Password history records previous passwords so they cannot be reused in the system. The maximum password age is used to expire a password after a certain time period. The minimum password age setting is used to force users to use a password for a minimum amount of time before they are allowed to change it. This prevents them from rapidly cycling through the password history in order to reuse an older password.

Answer 280

Plaintext Correct Answer: Plaintext is unencrypted text. Incorrect Answers: Ciphertext is a result of the encryption process and is encrypted text. A hash, or message digest, is a cryptographic representation of variable length text, but it is not the text itself.

Answer 281

TACACS+ is completely encrypted. Correct Answer: TACACS+ encrypts everything between all connection points. Incorrect Answers: Kerberos is an open standard as is TACACS+. Open standards are considered more safe than proprietary. T ACACS+ doesn't define what encryption to use, but RC4 is dated and insecure.

Answer 282

Mean time between failures Correct Answer: Mean time between failures (MTBF) represents the manufacturer's best guess (based on historical data) regarding how much time will pass between major failures of that component. This is assuming that more than one failure will occur, which means that the component will be repaired, rather than replaced. Incorrect Answers: Mean time to recovery (MTTR) is the amount of time it takes for a hardware component to recover from a failure. The mean time to failure (MTTF) is the length of time a device is expected to last in operation. In MTTF, only a single, definitive failure will occur and will require that the device be replaced rather than repaired. Mean time to replace is not a valid term.

Answer 283

Responsibility Accountability Correct Answer: Accountability and responsibility can be established through effective security controls and well-written service-level agreements. Incorrect Answers: Lack of control over data and the infrastructure is probably the greatest risk to cloud computing and cannot be completely managed through agreements. Cloud computing usually increases the availability of data for users, since it is typically built on highly available, redundant infrastructures.

Answer 284

Twofish Correct Answer: Twofish, a symmetric algorithm, was one of the five finalists for the competition, but it did not win. Incorrect Answer: Rijindael was selected as the winner of the NIST competition and became the U.S. government's Advanced Encryption Standard (AES). Blowfish is also a symmetric algorithm, but it was not considered in the competition to be the AES. RC4 is a symmetric streaming cipher commonly seen in WEP and SSL implementations. It was not one of the finalists involved in the AES competition.

Answer 285

Full-scale test Correct Answer: In a full-scale test, all personnel are usually involved and may actually conduct activities as they would during a real incident. This type of test is more complex and normally requires extensive resources, such as people and equipment, so it is typically conducted infrequently. Incorrect Answers: A tabletop exercise is a type of group review. The documentation review is the simplest form of test, in which the business continuity plan, disaster recovery plan, and associated documents are reviewed by relevant personnel including managers, recovery team members, and anyone else who may have responsibilities directly affecting plans. In a walkthrough test, team members go through the motions of fulfilling the responsibilities and conducting the activities required during an actual incident or disaster.

Answer 286

deny source all destination 192.168.21.0 tcp port 23 Correct Answer: The ACL should deny all traffic using TCP port 23. Ports 80, 21, and 123 are not related to telnet. Incorrect Answers: You should also note that we want to "deny source all," not permit traffic or deny source 0.0.0.0.

Answer 287

Key exchange Correct Answer: Key exchange involves generating and exchanging asymmetric keys used for a particular communication session, exchanging public keys in order to use them for public key cryptography. Incorrect Answers: Key stretching is a technique used to change weak keys to stronger ones by feeding them into an algorithm to produce an enhanced key. Key streaming involves sending individual characters of the key through an algorithm and using mathematical XOR function to change the output. Key repetition is not a valid answer or term.

Answer 288

Data disposal Correct Answer: Data disposal guidelines explain how different classifications of data should be properly disposed of to ensure that data is not later pieced together or recovered and exploited. Incorrect Answers: Clean desk policies often dictate how sensitive information should be stored after hours and while uncleared visitors are near the area. Protection of personally identifiable information on social media would be part of an organization's social media policy. An organization's information classification policy not only outlines what level of security protections certain data receives, but it also serves to instruct employees on how to treat sensitive data.

Answer 289

ICMP Correct Answers: ICMP is the protocol used by the ping and traceroute utilities for network diagnostics, and it should be disabled unless it's being used for important purposes. Incorrect Answers: NTP is used by time services, DNS is used for IP/host name resolution, and SNMP enables network monitoring.

Answer 290

White hat hacker Correct Answers: White hat hackers use their skills to assist in securing systems. They are usually penetration testing professionals or ethical hackers. Incorrect Answers: A gray hat hacker uses his or her skills for both good and evil purposes. A black box tester tests a system without any prior knowledge of the network or infrastructure. A black hat hacker uses his or her skills for malicious purposes.

Answer 291

Spear phishing Correct Answer: Spear phishing involves sending e-mail to a particular type of user, regardless of rank in the organization, and basing the attack on more detailed, in-depth information to convince the target that the phishing e-mail is actually valid. Incorrect Answers: Whaling is a social engineering attack that targets people in high-value positions, such as senior executives. It is a form of a phishing attack. Vishing is a form of phishing attack that takes place over Voice-over-IP (VoIP) telephone systems. Pharming is a form of DNS attack.

Answer 292

RSA Correct Answer: RSA (Rivest-Shamir-Adleman) is the most common public-private key generation algorithm used in public key cryptography. It is used to generate a public and private key pair. Incorrect Answers: Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in public key cryptography. It is used to negotiate, agree upon, and establish a secure session between two parties. AES is the Advanced Encryption Standard, which is not used in public key cryptography; it is a symmetric key cryptography algorithm. SHA-2 is the second iteration of the Secure Hashing Algorithm and is used to generate message digests for plaintext. It is not used in public key cryptography to exchange keys or establish secure sessions.

Answer 293

POP3 Correct Answer: POP3 is a non-secure client-side e-mail protocol that uses TCP port 110. Incorrect Answers: SMTP is a server-side e-mail protocol and is not used over SSL or TLS. SMTP uses TCP port 25. IMAPS is a secure version of the IMAP4 protocol and is used over SSL or TLS connections on TCP port 993. IMAP4 is a non-secure client-side e-mail protocol that uses TCP port 143.

Answer 294

Proxy Correct Answer: A proxy is typically not used as a traffic-filtering device based upon port or protocol, but it makes requests on behalf of internal clients. Incorrect Answers: A firewall is a more complex device, most often seen placed behind the border router. A switch does not filter traffic based upon port or protocol, since it works at a lower level in the OSI model. A router should be used as a first-level filtering device, because it has the ability to filter on basic characteristics of traffic such as port and protocol.

Answer 295

Compensating control Correct Answer: A compensating control assists and mitigates the risk an existing control is unable to mitigate. Incorrect Answers: The difference between a deterrent control and a preventive control is that it is necessary to have knowledge of the deterrent control for it to work. Users do not need to have knowledge of a preventative control for it to function. A corrective control is used to correct a condition when there is either no control at all, or the existing control is ineffective. Normally, a corrective control is temporary until a more permanent solution is put into place. A deterrent control keeps someone from performing a malicious act, provided that they know the control is there and are aware of the consequences for violating it.

Answer 296

Key escrow Correct Answer: Key escrow involves a third party that holds a special third key in addition to your private and public key pair. Incorrect Answers: A CRL (certificate revocation list) is not valid in this scenario, as certificate authorities and registrars are used during the certificate life cycle to publish digital certificates.

Answer 297

ARP poisoning attack Correct Answer: ARP poisoning is an attempt to send unsolicited ARP messages to a client to add false entries to its ARP cache. Incorrect Answers: A session hijacking attack is an attempt to hijack a user's Web browsing session by stealing cookies or using other network attack methods. A SYN flood uses TCP SYN segments in its attack, not ICMP. A smurf attack uses ICMP.

Answer 298

Preventative control Correct Answer: A preventative control keeps someone from performing a malicious act, provided that she doesn?t know the control is there and is not aware of the consequences for violating it. incorrect Answers: A corrective control is used to correct a condition when there is either no control at all of the existing control is ineffective. Normally, a corrective control is temporary until a more permanent solution is put into place. The difference between a deterrent control and a preventive control is that a deterrent control requires the person to have knowledge of the control in order for it to work. Users do not have to have knowledge of a preventative control for it to function. A compensating control assists and mitigates the risk an existing control is unable to mitigate.

Answer 299

Key streaming Correct Answer: Key streaming involves sending individual characters of the key through an algorithm and using a mathematical XOR function to change the output. Incorrect Answers: Key repetition is not a valid answer or term. Key exchange involves generating and exchanging an asymmetric key used for a particular communications session, or exchanging public keys in order to use them for public key cryptography. Key stretching is a technique used to change a weak key to a stronger key by feeding it into an algorithm to produce an enhanced key.

Answer 300

Layer 3 switch Correct Answer: A layer 3 switch supports inter VLAN routing to interconnect disparate VLANs. Incorrect Answers: A layer 2 switch could interconnect VLAN via trunk ports, but only to interconnect to other layer 2 switches. A router could interconnect two VLANs, but this would take substantial configuration. A firewall is not capable of interconnecting VLANs.

Answer 301

Mandatory access control model Correct Answers: Mandatory access control models use labels and security clearances to grant access to objects. Incorrect Answers: Rule-based access control models use a specific set of rules that control the interaction between users and objects. Role-based access control models use defined roles with specific rights and permissions assigned to those roles to control access to objects. Discretionary access control allows a user who has created or owns an object, such as a file or folder, the discretion to assign permissions for that object to anyone they choose.

Answer 302

Mean time to recovery Correct Answer: Mean time to recovery (MTTR) is the amount of time it takes for a hardware component to recover from failure. Incorrect Answers: Mean time between failures (MTBF) represents the manufacturer's best guess (based on historical data) regarding how much time will pass between major failures of that component. This is assuming that more than one failure will occur, which means that the component will be repaired, rather than replaced. The mean time to failure (MTTF) is the length of time a device is expected to last in operation. In MTTF, only a single, definitive failure will occur and will require that the device be replaced rather than repaired. Mean time to replace is not a valid term.

Answer 303

CHAP Correct Answer: Challenge-Handshake Authentication Protocol (CHAP) uses password hashes and challenge methods to authenticate to the system. Incorrect Answers: The Password Authentication Protocol (PAP) is an older authentication method that passes usernames and passwords in clear text. For this reason, it is no longer used. Passwords are not passed in clear text with this protocol. MS-CHAP (Microsoft CHAP) is a Microsoft proprietary version of CHAP, native to Windows systems. The Extensible Authentication Protocol (EAP) is a modern authentication framework that can use various authentication methods. It also does not pass user name and password information in clear text.

Answer 304

Geofencing Correct Answer: Geofencing is the use of geolocation features to ensure that a mobile device does not leave specific areas of corporate property. Incorrect Answers: Remote management is the overall process of remotely managing and monitoring mobile devices that are used to connect to the corporate infrastructure. Geolocation is the use of a device's GPS features to determine device location, locate points of interest, and find other useful information. Geotagging is the practice of marking media files, such as pictures and video, with relevant information such as geographic location (using the GPS features of the mobile device) and time. This information can be used by security professionals to track where and how a mobile device has been used.

Answer 305

Federated trust Correct Answer: A federated system involves the use of a common authentication system and credentials database that multiple entities use and share. Incorrect Answers: A web of trust isn't a trust relationship, it is a method to handle trust for certificates. A one-way trust shows one party trusts another but not the reverse. A transitive trust is where if entity B trusts entity A and entity C trusts entity B than entity C trusts entity A.

Answer 306

Allows physical segmentation of hosts by IP subnet Correct Answer: VLANS do not physically segment hosts; they logically segment them. Incorrect Answers: VLANs break up broadcast domains from a single large one into smaller, logically separated ones. VLANS allow different segments to receive different security policies.

Answer 307

DHE Correct Answers: Diffie-Hellman Exchange (DHE) is a key negotiation and agreement protocol used in public key cryptography. Incorrect Answers: RSA is the de facto standard used to generate public and private key pairs in a PKI. The Online Certificate Status Protocol (OCSP) is used to obtain the revocation status of digital certificates. It is used as an alternative to certificate revocation lists, enabling clients to request and receive the electronic status of digital certificates automatically in real-time. Elliptic curve cryptography (ECC) is a public key cryptography protocol used on small mobile devices because of its low power and computing requirements.

Answer 308

Adware Correct Answers: Adware is usually annoying advertisements that come in the form of pop-up messages in a user's browser. Incorrect Answers: A virus is a piece of malicious software that must be propagated through a definite user action. A Trojan is a piece of software that seems to be of value to the user, but in reality is malware. A logic bomb is a script set to execute at a certain time, which is usually created by rogue administrators or disgruntled employees.

Answer 309

An attack that involves sending malicious XML content to a Web application, taking advantage of any lack of input validation and XML parsing. Correct Answer: An XML injection attack involves sending malicious XML content to a Web application, taking advantage of any lack of input validation and XML parsing. Incorrect Answers: A buffer overflow attack exceeds the memory allocated to an application for a particular function, causing it to crash. Although similar to a buffer overflow attack, it describes an integer overflow attack, which uses unexpected numerical results from a mathematical operation to overflow a buffer. A SQL injection attacks a database through vulnerabilities in the Web application, usually in user input fields.

Answer 310

SQL injection attack Correct Answer: A SQL injection attack targets relational databases that reside behind Web applications. Incorrect Answers: An LDAP injection attack targets directory services databases, such as those used in X.500 implementations. A directory traversal attack targets non-secure directory structures on the host, such as folder structures. An integer overflow attack is similar to a buffer overflow attack and results in mathematical operations that the host or application cannot handle, causing them to fail.

Answer 311

TPM Correct Answer: A Trusted Platform Module (TPM) is installed on an individual device, usually as a chip on the system motherboard. Incorrect Answers: A hardware security module (HSM) is usually a hardware appliance or standalone device used to provide hardware encryption services for specific hosts. A SAN is a storage area network and is not typically a security device. A NAS, network attached storage, is not a security device.

Answer 312

Post-incident activity Correct Answer: Post-incident activity is the last step of the incident response life cycle. Incorrect Answers: In order, the steps of the incident response life cycle are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

Answer 313

Install and configure SAMBA on the Linux systems to access the AD. Configure access to the resource on the file server. Correct Answers: Install and configure SAMBA on the Linux systems to access the AD and then set up access to the resources on the sharing sysytem (in this case the file server). Incorrect Answers: Linux user groups are useless for accessing Windows resources. One should rarely create local users on a Windows server.

Answer 314

Disable SSID broadcasting. Correct Answer: Disable Service Set Identifier (SSID) broadcasting if you're not actively broadcasting your network name. When this control is implemented, a user must know the name of the network before he or she can connect to it. Incorrect Answers: None of these options will control access with regard to the SSID.

Answer 315

FTP Correct Answer: FTP is a non-secure protocol used to copy files to and from Internet-based hosts. Incorrect Answers: FTPS is a secure version of the non-secure FTP protocol, which is used over SSL or TLS connections to ensure security when transferring files to or from an Internet-based host. SCP is a secure copy protocol used to copy files securely to and from a networked host, and it uses SSH. SFTP is a secure file transfer protocol used to copy files to and from an Internet-based host, and it uses SSH.

Answer 316

Accountability Correct Answer: Accountability uses auditing to ensure that users are traced to and held responsible for their actions. Incorrect Answers: Authorization is the process of controlling access to resources through methods that include permissions, rights, and privileges. Authentication is the process of validating that a user?s credentials are authentic, after they have presented them through the identification process. Auditing is the process of reviewing logs and other audit trails to determine what actions have been performed on systems and data.

Answer 317

Small text files stored on a browser that contain information about the Web sites you visit. Correct Answer: Small text files stored on a browser that contains information about the Web sites you visit are called cookies. In some cases, they are used to retain user preferences for the site, but they can contain sensitive information, such as user credentials or financial data (credit card information, for example) as well. Incorrect Answers: HTTP request and response messages are sent back and forth between the Web application and the browser so the client can access content in the Web application. These HTTP requests and responses have headers that contain information such as commands, directives, and so on. An HTML file that comes attached to the e-mail is an HTTP attachment. Locally shared objects (also called flash cookies) are objects that are particular to Web sites that use the Adobe Flash player for certain content.

Answer 318

Security identifier (SID) Correct Answer: A security identifier (SID) is a unique number assigned to each individual user account. It's never used, even when an account is deleted and re-created. Incorrect Answers: Both a UID and GID refer to unique numbers in Linux and UNIX-based systems that identify users and groups. An access control entry (ACE) is a unique entry in an access control list (ACL) that describes a user's permissions for accessing objects.

Answer 319

NAT with a firewall Correct Answer: Using network address translation (NAT) in conjunction with a firewall enables you to share one external address with multiple internal hosts that require external addresses for their connectivity. Incorrect Answers: A DMZ can contain servers behind a firewall, allowing public access, but it does not inherently offer NAT services. DHCP is used to allocate internal IP addresses, and a router still requires NAT to perform address translation.

Answer 320

Demonstrative evidence Correct Answer: Demonstrative evidence, which can be in the form of charts, graphs, drawings, and so fort, is used to help non-technical people, such as the members of a jury, understand an event. Incorrect Answers: Exculpatory evidence proves innocence. Inculpatory evidence proves guilt. Documentary evidence directly supports or proves a definitive assertion.

Answer 321

Threat assessment Correct Answer: A threat assessment looks at events that could exploit vulnerabilities. Incorrect Answers: A vulnerability assessment looks for weaknesses in systems. A risk assessment is a combination of assessments and is designed to assess factors, including likelihood and impact that affect an asset. A penetration test attempts to exploit actual vulnerabilities found within the systems.

Answer 322

Incremental backup Differential backup Correct Answers: Differential and incremental backups apply to entire systems and are used to back up files that have changed since the last full backup. Incorrect Answers: A snapshot is a quick backup of critical configuration files, used by the hypervisor to restore the virtual machine back to its point-in-time status should it become unstable or suffer other issues. The system state backup is a Microsoft Windows type of backup that backs up critical files used by the operating system to restore the system in the event of a system crash or other issue.

Answer 323

Notifying and coordinating with senior management and law enforcement officials Correct Answer: Notifying and coordinating with senior management and law enforcement officials is normally the job of a senior leader within the incident response team. Incorrect Answers: The primary job of a first responder is to secure the scene. They are also responsible for notifying the incident response team and initially determining the scope, seriousness, and impact of the incident.

Answer 324

PGP/GPG Correct Answer: Pretty Good Privacy (or GNU Privacy Guard) is a low-cost solution that enables encrypted e-mail messages. Incorrect Answers: HTTPS provides encryption for Web communications, not e-mail. POP/IMAP are unencrypted mail client access protocols. WPA2 provides encryption for wireless networks, not e-mail.

Answer 325

Walkthrough test Correct Answer: In a walkthrough test, team members go through the motions of fulfilling the responsibilities and conducting the activities required during an actual incident or disaster. Incorrect Answers: A tabletop exercise is a type of group review. The documentation review is the simplest form of test, in which the business continuity plan, disaster recovery plan, and associated documents are reviewed by relevant personnel including managers, recovery team members, and anyone else who may have responsibilities directly affecting plans. In a full-scale test, all personnel are usually involved and may actually conduct activities as they would during a real incident. This type of test is more complex and normally requires extensive resources, such as people and equipment, so it is typically conducted infrequently.

Answer 326

Hash Message digest Correct Answers: A hash or message digest is a cryptographic representation of variable length text, but it is not the text itself. Incorrect Answers: Plaintext is unencrypted text. Ciphertext is a result of the encryption process and is encrypted text.

Answer 327

Deauthentication attack Correct Answer: A deauthentication attack involves sending specially crafted traffic to a wireless client and an access point, in the hopes of causing them to deauthenticate with each other and disconnect. Incorrect Answers: A spoofing attack involves impersonating a wireless client or access point through either its IP or its MAC address. A replay attack involves the reuse of intercepted non-secure credentials to gain access to a system or network. Initialization vector (IV) attacks involve attempting to break WEP keys by targeting their weak IVs.

Answer 328

Multifactor authentication Correct Answer: Multifactor authentication refers to the use of several different factors to authenticate to a system, such as something you know, something you are, and something you have. Multifactor authentication can be used in a single sign-on environment, but is not necessarily required. Incorrect Answers: Single-factor authentication uses only one factor, such as something you know, to authenticate to a system. It can also be used in a single sign-on environment but is not required. Single sign-on is a method of authentication that enables a user to provide one set of credentials and use them throughout an interconnected network. Both Kerberos and SESAME protocols allow single sign-on. Pass-through authentication can appear to be similar to single sign-on, but it requires all individual systems to accept credentials passed from another system without a unified approach.

Answer 329

Cookies Correct Answers: Cookies are saved and used by load balancers to maintain a connection between a specific client and a specific server, i.e. session affinity. Incorrect Answers: TLS is an encryption method and session lock is an imaginary term. Client-based code could be used, but is not common.

Answer 330

Private Correct Answer: A private cloud is for use by only one organization and is usually hosted by that organization's infrastructure. Incorrect Answers: An external cloud is not a valid type of cloud and could be a public, private, or community cloud. A community cloud is for use by similar organizations or communities, such as universities or hospitals, that need to share common data. A public cloud is usually operated by a third-party provider that sells or rents "pieces" of the cloud to different entities, such as small businesses or large corporations.

Answer 331

Black hat hacker Correct Answer: A black hat hacker is someone who uses her skills for malicious purposes and often shares that information with others. Incorrect Answers: A gray hat hacker uses her skills for both altruistic and malicious purposes, breaking into and exploiting a system without permission, but without sharing that information with others. A black box tester is someone who tests a system without any prior knowledge of the network or infrastructure; this person tests the system with the owner's permission. A white hat hacker uses her skills to assist in securing systems; this type of hacker is usually a penetration testing professional or ethical hacker.

Answer 332

Blacklisting Correct Answer: Blacklisting allows you to restrict users from installing and executing certain applications on their mobile devices. Incorrect Answers: Whitelisting allows an administrator to determine which applications and other software the user is allowed to install and execute. Containerization is a technique used to separate different sensitivities of data, such as corporate and personal data, on a mobile device. Sandboxing separates applications from each other and does not allow them to share execution, user, or data space.

Answer 333

Integer overflow attack Correct Answer: An integer overflow attack is similar to a buffer overflow attack and results in mathematical operations that the host or application cannot handle, causing them to fail. Incorrect Answers: A SQL injection attack targets relational databases that reside behind Web applications. An LDAP injection attack targets directory services databases, such as those used in X.500 implementations. A directory traversal attack targets non-secure directory structures on the host, such as folder structures.

Answer 334

Change the "public" community name. Correct Answer: Changing the community name for SNMP is the single most important thing you can do to ensure that any user cannot access your SNMP device. Incorrect Answer: A firewall will not help protect the clients. Disabling SNMP on the client will cripple the SNMP functionality, and ICMP is unrelated.

Answer 335

Documentary evidence Correct Answer: Documentary evidence directly supports or proves a definitive assertion. Incorrect Answers: Exculpatory evidence proves innocence. Inculpatory evidence proves guilt. Demonstrative evidence, which can be in the form of charts, graphs, drawings, and so forth, is used to help nontechnical people, such as the members of a jury, understand an event.

Answer 336

COBO Correct Answer: Company Owned, Business Only (COBO) devices are owned and controlled completely by the organization. Incorrect Answers: Bring your own device (BYOD) means the employee owns the device. Choose your own device (CYOD) means the organization retains ownership, but employees may install personal apps on the device. Company-issued, personally-enabled (COPE) is similar to CYOD, but employees are limited to installing only white-listed apps.

Answer 337

WEP Correct Answer: WEP is a legacy wireless encryption protocol that has been determined to be very weak and easily broken. It uses the RC4 streaming protocol and weak initialization vectors (24-bit) to encrypt data on wireless networks. Incorrect Answers: WPA2 is an advanced encryption protocol that uses AES. WPA was an interim protocol used to correct some of WEP?s weaknesses. It uses the TKIP protocol. 802.1X is a port-based authentication method, not a wireless encryption protocol.

Answer 338

SQL injection Correct Answer: SQL injections insert unanticipated SQL commands to try to break the application. Incorrect Answers: MySQL is one of many forms of SQL tools. Relational injection and Hierarchical injection are nonsense terms.

Answer 339

Type II error The error caused when an unauthorized user is validated as authorized Correct Answers: A false acceptance rate (FAR) is the error caused when an unauthorized user is validated as authorized; it is also referred to as a Type II error. Incorrect Answers: A false reject rate (FRR) is the error caused from rejecting an authorized user; it is also called a Type I error.

Answer 340

CAC card Correct Answer: CAC (common access control) card. RSA is a popular asymetric encryption. Incorrect Answers: HOTP (HMAC-based one-time password) is an algorithm used to generate one-time passwords and a physical access control (PAC) describes the mechanisms for admitting and denying user access to your space.

Answer 341

Watering hole attack Correct Answer: A watering hole attack is designed to compromise a site that certain users are likely to use, rewarding them with malware for their visit. incorrect Answers: The other attacks are incorrect because they are not valid attacks in this situation.

Answer 342

TACACS encrypts only passwords between the client and server. Correct Answer: TACACS encrypts all information between the client and server, whereas RADIUS only encrypts the passwords. Incorrect Answers All of these are accurate descriptions of differences between RADIUS and TACACS.

Answer 343

Sue's public key Correct Answer: Sue's public key is used to encrypt a message from Bob to Sue, as only Sue's private key can decrypt it. Incorrect Answers: Sue's private key can only decrypt the message, and Bob does not possess it. Neither of Bob's keys can be used to encrypt a confidential message to Sue.

Answer 344

Smartcard and PIN Correct Answer: The use of a smartcard and PIN involves the use of two factors: something you have and something you know. Incorrect Answers: All of the other answers involve the use of only one factor: something you are or something you know, but not used together.

Answer 345

hosts Correct Answer: The hosts file on a local machine provides for fully qualified domain name (FQDN) resolution in the absence of DNS and can be used to redirect users to the wrong web site. Incorrect Answers: The lmhosts file is a Windows-specific file that maps computer names to IP addresses. The services file lists well-known services, such as HTTP and FTP. The ARP cache contains recently resolved local network IP addresses to MAC addresses.

Answer 346

netstat Correct Answer: netstat is a tool found on both Unix/Linux and Windows hosts that can give network statistics and connection information, including port usage. This would help determine if a host is listening on an unexpected or unwanted port. Incorrect Answers: None of the other choices give information on open ports. nbtstat is a command found only on Windows hosts and gives NetBIOS usage information. Ping is found on both Unix/Linux and Windows hosts but only sends simple ICMP requests to a host. ifconfig is found only on Unix and Linux hosts and only gives network interface configuration information.

Answer 347

SHA-1 Correct Answer: SHA-1 (secure hashing algorithm) generates a 160-bit hash. Incorrect Answers; MD5 is a hashing algorithm that generates a 128-bit hash, which is weaker than SHA-1. 3DES and AES-256 are symmetric encryption algorithms, not hashing algorithms.

Answer 348

Threat Correct Answer: A threat is defined as an entity or event that has the potential to cause harm or damage to an asset. A threat could cause the organization to suffer a financial loss. Incorrect Answers: Risk is the possibility that a threat could harm an asset. A vulnerability is a weakness in the system. A loss is what damage occurs when a vulnerability is exploited by a threat.

Answer 349

Brute force Correct Answer: A brute-force attack is typically a password attack. It may be used separately to break wireless passwords but is not unique to wireless attacks. Incorrect Answers: All of these are attack methods that a rogue access point could attempt to engage in, resulting in a denial-of-service condition on the wireless network (as in the case of intentional interference), or by spoofing valid access points to entice an unsuspecting client to connect to it.

Answer 350

500 Correct Answer: IKE uses UDP port 500. Incorrect Answers: Port 443 is used by SSL, 22 is used by SSH, and 8080 does not fall into the range of well-known ports (0?1023) but is frequently used by proxy servers and other security devices.

Answer 351

Firewalls and other security devices are not required. Correct Answer: Even when using NAT, firewalls and security devices are required on a network boundary. Incorrect Answers: All of these are advantages to using NAT.

Answer 352

HIDS Correct Answer: A host-based intrusion detection system (HIDS) monitors local system activity and logs for indications of an attack. Correct Answers: A NIDS is a network-based intrusion detection system and does not monitor host log files. A NIPS is a network-based intrusion prevention system and works on the network instead of the host. An ACL is an access control list and is used to allow or deny traffic through a router or grant/deny permissions to resources.

Answer 353

Validate the input into a web site for illegal characters in a particular field Correct Answer: Validating the input into a web site form for illegal characters in a field is the best choice for preventing cross-site scripting (XSS) attacks. Incorrect Answers: Blocking ports 443 and 80 will make the site unusable, as these are the typical ports used to access web sites. Requiring certificate-based authentication will not prevent cross-site scripting attacks and is an unnecessary measure. CGI is not a method used for cross-site scripting attacks.

Answer 354

L2TP Correct Answer: IPSec provides encryption services for L2TP when used in a VPN implementation. Incorrect Answers: None of these protocols use IPSec for encryption services.

Answer 355

Smurf attack Correct Answers: A smurf attack is a type of ICMP attack where large amounts of ping packets are sent from a spoofed IP address on the network to the network broadcast address, causing many replies back to the victim and possibly bringing about a denial of service. A smurf attack is an example of a DDoS attack. Incorrect Answers: A remote access Trojan (RAT) is malicious software that the user typically installs without knowing it, such as by installing a game from the Internet or by running a program that was e-mailed to them that is malicious software. The RAT program then opens a back door for the hacker to gain access to the system remotely at a later time. A botnet is a group of compromised systems that the hacker has control over and uses to attack a victim's system. A watering hole attack is when the hacker determines sites you may want to visit and then compromises those sites by planting viruses or malicious code on them. When you visit the site (which you trust), you are then infected with the virus.

Answer 356

Bluebugging Correct Answers: Bluebugging, the most serious of the various Bluetooth attacks, involves an attacker attempting to take control of or use a Bluetooth-enabled cell phone to place calls. Incorrect Answers: Bluejacking is the act of sending unsolicited messages or files to a Bluetooth device. Bluesnarfing is a more serious attack than Bluejacking and involves unauthorized access to information on a Bluetooth-enabled device. Bluesniffing is a false, nonexistent term.

Answer 357

Kerberos Correct Answer: Kerberos uses a key distribution center (KDC), which consists of an authentication server and a ticket-granting service. Incorrect Answers: None of these choices is associated with these terms.

Answer 358

Identification Correct Answer: Identification is the first step in the process and involves the user presenting his or her credentials to the server. Incorrect Answers: Authentication occurs after identification and involves the user?s credentials being authenticated by the server. Authorization refers to granting an authenticated user the correct access to an object. Impersonation is an invalid term in this context.

Answer 359

Switch Correct Answer: Switches natively help reduce collision domains and, when VLANs are implemented on them, help reduce broadcast domains. Incorrect Answers: Routers can help reduce or eliminate broadcast domains, and bridges can help reduce collision domains, but neither of these devices use VLANs. Hubs do not reduce collision or broadcast domains.

Answer 360

Rootkit Correct Answer: A rootkit is very difficult to detect and often replaces key operating system files with compromised versions, allowing an attacker to access administrative-level functions. Incorrect Answers: A worm is a self-propagating piece of malware that can spread without user intervention. A Trojan is a piece of malware that disguises itself as useful software. A logic bomb is a malicious script that typically activates after a certain date or event.

Answer 361

VLAN Correct Answer: VLANs (virtual LANs) provide for local area network segmentation and separation and are implemented on switches. Incorrect Answers: RADIUS is a remote access authentication technology. Virtualization refers to the creation and management of virtual hosts running in a virtualized environment. VPN is a secure remote access technology.

Answer 362

Fuzzing Correct Answer: Fuzzing is an application vulnerability testing technique that sends invalid or unexpected data to the application, with the intent to see if any security vulnerabilities exist. Incorrect Answers: Cracking typically involves passwords, not applications. Scanning usually means network port or service scanning. Spoofing means to masquerade as another entity, usually by spoofing an IP address, MAC address, or user.

Answer 363

Passwords must include the userid. Correct Answer: Passwords should not be created that includes the user's userid. Incorrect Answers: All of these practices contribute to a secure password.

Answer 364

RAM Correct Answer: RAM is the most volatile source of information and is easily lost. It must be collected first during a computer forensics investigation. Incorrect Answers: The order of volatility, and order of evidence collection, is RAM, swap file, hard disk, and CD/DVDs.

Answer 365

SQL injection Correct Answer: SQL injection is a common attack on databases through a web-based form, where the attacker injects SQL commands into the form input. Incorrect Answers: Cross-site scripting allows client-side scripts to be run on a web site. XML injection is an attack that injects faulty or malicious XML code into an XML statement. Directory traversal is the ability to search a web server?s directories and files.

Answer 366

NAC Correct Answer: Network access control (NAC) can be used to enforce logon or connection banners that will require users to agree to terms of use before being allowed to connect to the network. Incorrect Answers; None of these other technologies can be used to enforce logon warning banners requiring users to agree to terms of use before being allowed to access the network.

Answer 367

Fewer systems to physically secure Correct Answer: Virtualization results in fewer physical systems (and less hardware) that must be secured. Incorrect Answers: None of the other choices offer any benefits, security or otherwise, of virtualization.

Answer 368

TLS Correct Answer: Transport Layer Security (TLS) is considered a strong replacement for SSL. Correct Answers: SSH is a secure replacement for Telnet and other nonsecure protocols. AES is a symmetric algorithm that replaces DES. RSA is an asymmetric algorithm used in public key cryptography.

Answer 369

Cross-site scripting Correct Answer: Cross-site scripting (XSS) enables attackers to inject client-side scripts into web pages viewed by others. Incorrect Answers: XML injection occurs when malicious XML code is inserted into an XML statement. SQL injection involves inserting faulty SQL input commands into a site that connects to a database, producing unintended results or returning privileged information. A buffer overflow takes advantage of programming flaws that occur when data overwrites a program?s allocated memory address and enables arbitrary code to be executed in that address.

Answer 370

443 Correct Answer: TCP port 443 must be opened on the firewall to allow SSL traffic to pass. Incorrect Answers: None of these ports are used by SSL.

Answer 371

Wireless network access by persons outside the building Correct Answer: Because of the placement near the outer wall, the wireless access point's signals could be detected outside the building and could allow an unauthorized user to eavesdrop on or use the connection. Incorrect Answers: Damage due to falling is a concern, but not the most immediate security concern. Interference could happen only if other wireless devices are nearby that transmit on frequencies close to the one that the access point uses. This is a performance concern, but not typically a security concern unless it is malicious in nature and seeks to cause a denial-of-service condition. Signal degradation for the rest of the facility would not be caused by the placement of the access point next to the outer wall.

Answer 372

MS-CHAP Correct Answer: Microsoft CHAP (MS-CHAP) uses Microsoft Point-to-Point Encryption (MPPE) protocol to encrypt all traffic from the client to the server. Incorrect Answers: Neither EAP nor Kerberos uses MPPE. CHAP is the nonproprietary version and uses MD5 as its hashing algorithm.

Answer 373

Offline password audit Correct Answer: If the goal is to prevent user account lockout, then offline password auditing is the correct method. Incorrect Answers: Online auditing would definitely lock out user accounts as soon as the account lockout threshold is reached. An account lockout audit is an invalid type of audit, and a white-box penetration test involves full system or network testing and is incorrect in this context.

Answer 374

Private key Correct Answer: The private key, when used for nonrepudiation, is used to encrypt text that anyone who possesses the public key can decrypt. This assures that only the person owning the private key could have encrypted it, ensuring that he or she is the one who performed the action. Incorrect Answers: Used in this scenario, this does not guarantee confidentiality, but it does provide for nonrepudiation. Symmetric keys and hashes do not provide for nonrepudiation, because they cannot be used to guarantee who sent a message or performed an action. Public keys can be in the possession of anyone and are used in this case to verify that the private key was used to encrypt the text for nonrepudiation.

Answer 375

Vishing Correct Answer: Vishing (a combination of the terms voice and phishing) refers to social engineering attacks that make use of VoIP systems to spoof phone numbers, hide caller IDs, and so forth, to obtain personal or account information from unsuspecting users. Incorrect Answers: Phishing involves the use of e-mail targeted to users with a malicious web site link embedded in the e-mail. Whaling involves specifically targeting senior-level executives of an organization for social engineering attacks. VoIP hijacking is a nonexistent term in this context.

Answer 376

Integrity Correct Answer: Integrity is concerned with ensuring that data is not modified. Incorrect Answers: Confidentiality protects information from unauthorized access. Availability provides for information and systems to be online and ready for users at any time. Nonrepudiation means that a user cannot deny that he or she took an action.

Answer 377

Users must wait a certain amount of time before they are allowed to change passwords. Correct Answer: A minimum password age requires that users must wait a certain amount of time before they are allowed to change passwords. Incorrect Answers: A maximum password age setting requires that users must change passwords after a certain amount of time. Passwords are typically good only for a certain amount of time, not through a certain date. Passwords typically cannot be reused until a certain number of password changes have occurred, preventing the use of the last specified number of passwords.

Answer 378

Mutual authentication Correct Answer: Mutual authentication requires both sides of a communications session to authenticate to each other. Incorrect Answers: Single sign-on (SSO) is a concept that provides for one authentication to be used for multiple resources. Nonrepudiation ensures that a party cannot deny that it took an action. Hashing involves a one-way function that produces a message digest from a piece of text.

Answer 379

AES 3DES Correct Answers: AES and 3DES are considered encryption standards and use symmetric algorithms. Incorrect Answers: SHA and MD5 are hashing algorithms, and RSA is an asymmetric algorithm.

Answer 380

Business impact analysis Correct Answer: The business impact analysis (BIA) is a critical first step in developing the business continuity plan (BCP). It involves determining what risks are present and their effects on the business and its assets. Incorrect Answers: The BCP is the overall and final product that the BIA contributes to. The BIA must be completed as one of the first steps, as it essentially is the risk assessment for the BCP. The disaster recovery plan (DRP) concerns itself with recovering the assets and operations of the business immediately following a disaster. A system backup plan is but one element of the DRP and may or may not be one of the first things accomplished for that plan.

Answer 381

Honeypot Correct Answer: A honeypot is a host that has been left with some vulnerabilities open to lure a hacker away from attacking the network and to observe his or her attack methods. Incorrect Answers: A bastion host is a secure host outside the network. An intrusion detection system (IDS) is used to detect network attacks. An intrusion prevention system (IPS) is used to detect attacks and attempt to prevent them by rerouting traffic, blocking ports, etc.

Answer 382

Bypass security controls Correct Answer: Rogue wireless routers could be used by unauthorized individuals to access the network and bypass security controls such as firewalls. Incorrect Answers: These issues may affect performance and can be important to security, but do not have a direct impact on securing the wireless network.

Answer 383

Anything that is not specifically allowed is denied by default. Correct Answer: Anything that is not specified as allowed is typically denied, with no deny rules necessary. Incorrect Answers: It is implicitly denied, versus explicitly denied. These statements would describe an explicit deny, an explicit allow, and an implicit allow, respectively.

Answer 384

Documentary evidence Correct Answer: Documentary evidence is usually a printed form of evidence, a recording, or photograph. Incorrect Answers: Real (or physical) evidence is a tangible object presented in court (such as a weapon). Direct evidence is testimony from someone who actually witnessed the event. Demonstrative evidence is presenting a physical object that displays the results of an event that occurred.

Answer 385

False rejection rate Correct Answer: A false rejection rate (FRR) is a Type I error in biometrics. Incorrect Answers: This also equates to a false negative. A false acceptance rate (FAR) is a Type II error and referred to sometimes as a false positivve. The crossover error rate (CER) is the point where the FRR and FAR are equal.

Answer 386

Risk elimination Correct Answer: Risk can never be completely eliminated, only dealt with. Incorrect Answers: These are all valid 5.0 Risk Management strategies.

Answer 387

SSH Correct Answer: Secure Shell (SSH) is considered a secure replacement for Telnet. Incorrect Answers: TLS and SSL are secure session protocols used in HTTPS traffic. RLOGIN is an older, nonsecure protocol.

Answer 388

VPN concentrator Correct Answer: A VPN concentrator serves as a centralized authentication point for virtual private network connections. Incorrect Answers: None of these devices are used to provide centralized authentication services for secure remote access connections.

Answer 389

Insurance Correct Answer: Insurance is a method of risk transference where the organization pays a premium for the insurance company to assume the risk. If a disaster or event occurs, the organization is paid for its losses. Incorrect Answers: Separation of duties transfers key duties to another individual but does not transfer the risk away from the organization. A service-level agreement between two parties specifies levels of service and support, but the organization still maintains risk. An alternate site is used to transfer operations from a primary site in the event of a disaster, but the risk is still borne by the organization.

Answer 390

Collision Correct Answer: A collision occurs when two pieces of plaintext are hashed and produce identical hashes. Incorrect Answers: A crossover error is a reference to biometric authentication factors. Interference refers to wireless networks, and disruption is an invalid term in this context.

Answer 391

A fail-safe device responds by not doing anything to cause harm when the failure occurs. A fail-secure device responds by making sure the device is using a secure state when a failure occurs. Correct Answers: A fail-safe device responds by not doing anything to cause harm when the failure occurs. A fail-secure device responds by making sure the device is using a secure state when a failure occurs. Incorrect Answers: The fail-secure answer is the definition of fail-safe, and the fail-safe answer is the definition of fail-secure, not the other way around.

Answer 392

Residual risk Correct Answer: Residual risk is what risk remains after all mitigation and reduction strategies have been implemented. Incorrect Answers: Low risk is a level that may be accepted without mitigation or requires little mitigation. Accepted risk is what risk the management authority chooses to accept with or without mitigations in place. Mitigated risk is that risk that has been reduced to a lower level.

Answer 393

Clustering Correct Answer: Although it is part of high availability design, clustering is not typically used in the design and implementation of a secure network architecture. Incorrect Answers: DMZs are used as a security buffer zone to separate internal networks and resources from externally accessible ones. VLANs are used to segregate local networks, providing a secure internal infrastructure. VPNs provide for secure remote access solutions.

Answer 394

At the bottom of the ruleset. Correct Answer: A "deny any-any" rule denies all traffic from all sources, so it should be the last rule in the ruleset. Incorrect Answers: Placement of the "deny-any-any" rule anywhere else in the ruleset would prevent any other rules that follow it from processing.

Answer 395

Protocol analyzer Correct Answer: In order to view network traffic, it must be sniffed or captured using a protocol analyzer (sometimes called a sniffer). Incorrect Answers: These devices cannot be used to capture and view network traffic.

Answer 396

Least privilege Correct Answer: The principle of least privilege allows users to have only the privileges necessary to perform their duties and no more. Incorrect Answers: Separation of duties requires critical roles to be split among personnel so no one user has the privileges to commit fraud or to abuse his or her role. Role-based access control and discretionary access control are access control models.

Answer 397

Logic bomb Correct Answer: A logic bomb is a type of malware, usually very difficult to detect, that is designed to activate only after a specific time has passed or a specific date or event has occurred. Incorrect Answers: These other types of malware are not tied to specific dates or events.

Answer 398

Integrity Correct Answer: Integrity provides for detection of data modification. Incorrect Answers: Confidentiality deals with protecting data from unauthorized access, not modification. Availability ensures data and systems are available to authorized users whenever needed. Nonrepudiation involves preventing a user from denying that he or she performed an action.

Answer 399

System hardening Correct Answer: System hardening involves disabling unnecessary services and protocols on a host, as well as uninstalling software that is not needed. Incorrect Answers: System reduction, network hardening and application restriction are incorrect. These are nonexistent terms used as distractors.

Answer 400

CRL Correct Answer: The certificate revocation list (CRL) is used to identify invalid certificates. Incorrect Answers: A CAL is a client access license. PKS is a cryptographic file standard, and a CA is a certificate authority, which issues certificates.

Answer 401

Faraday cage Correct Answer: A Faraday cage can be used to shield devices from sending or receiving electronic signals. Incorrect Answers: A protocol analyzer is used to capture and view network traffic. A spectrum analyzer is used for site surveys when designing wireless networks. A signal reducer is not a device used in this context.

Answer 402

Obtain permission for the test Correct Answer: Before beginning any type of penetration test or vulnerability assessment, you must first obtain permission from the responsible system owner to avoid legal or liability issues. Incorrect Answers: Although these are all valid steps to take during a penetration test or vulnerability assessment, none of these should be started without obtaining permission from the responsible system owner.

Answer 403

443 Correct Answer: TCP port 443 is used by HTTPS protocol, which uses SSL as its secure session protocol. Both are associated with port 443. Incorrect Answers: Port 80 is used by HTTP, port 22 by SSH, and port 8080 by some proxy server implementations.

Answer 404

Back doors Correct Answer: Back doors are a security risk due to the possibility that an attacker could use them to gain unauthorized access to the program. Incorrect Answers: All of these are considered secure coding and application development practices.

Answer 405

Hot site Correct Answer: A hot site is an alternate processing site that can function almost immediately after a disaster and has equipment and data prepositioned, as well as full utilities. Incorrect Answers: Cold sites have only space and utilities available and take longer to activate. Warm sites have space, utilities, and possibly some equipment and furniture, but still need equipment, personnel, and data transferred, so they cannot be activated instantly. Reciprocal sites are alternate locations provided by and in agreement with another organization and are typically co-located with that organization.

Answer 406

Mantrap Correct Answer: A mantrap, an area between two locked doors from which the second door cannot be opened until the first door is locked, is designed to allow only one person at a time to enter a facility, effectively preventing tailgating. Incorrect Answers: Separation of duties and least privilege are two security principles designed to prevent collusion and elevated privileges, respectively. Multifactor authentication is designed to positively identify and authenticate an individual but does not prevent tailgating.

Answer 407

Host-based firewall Correct Answer: A host-based firewall should be used when connecting to untrusted networks, such as one in a hotel. Incorrect Answers: Having an unencrypted drive and null password are not security recommendations. Although full disk encryption (FDE) can help if the laptop is lost or stolen, it will not help you in situations when you are making connections to an unknown and potentially unsecure network. You could potentially be infected with a virus by connecting to an unknown network without having a firewall enabled, or be vulnerable to an attack.

Answer 408

NAC Correct Answer: Network access control (NAC) can be used to prevent hosts from connecting to the network unless they meet certain security requirements, such as patch level, up-to-date antivirus signatures, and so forth. Incorrect Answers: None of these other technologies are concerned with enforcing host security requirements prior to connecting to the network.

Answer 409

A hardware module that performs cryptographic functions Correct Answer: A Trusted Platform Module (TPM) is a hardware device, usually in the form of an embedded chip, that performs cryptographic functions, such as encrypting an entire hard drive. Incorrect Answers: None of these are valid choices to describe a Trusted Platform Module.

Answer 410

Certificate revocation list Correct Answer: A certificate revocation list (CRL) contains a list of all invalid or revoked certificates. Incorrect Answers: A certificate denial list and certificate invalidation list are false choices and do not exist. A certificate authority is responsible for issuing certificates.

Answer 411

Maximum tolerable downtime (MTD) Correct Answer: The maximum tolerable downtime (MTD) indicates how long an asset may be down or offline without seriously impacting the organization. Incorrect Answers: The mean time between failures is an estimate of how long a piece of equipment will perform before failure. The recovery point objective and recovery time objective refer to how much data may be lost during a failure or disaster and the maximum amount of time it must take to recover the system or data, respectively, before the organization is seriously impacted.

Answer 412

Message digest Correct Answer: A message digest, or hash, can be used to verify the integrity of a message by comparing the original hash to one generated after receipt of the message. If the two match, then integrity is assured. If they do not match, then the message was altered between transmission and receipt. Incorrect Answers: Digital certificates contain public keys that are distributed to users. Digital signatures provide for authentication. Symmetric keys are not used to provide for integrity, but confidentiality.

Answer 413

Malware Correct Answer: Malware is a security issue, but not specific to any applications. Incorrect Answers: All of these are potential application security issues that could affect both web-based and client-server applications.

Answer 414

Opening unused ports Correct Answer: Opening unused ports would increase the attack surface on a host. Closing unused ports is considered a good hardening practice. Incorrect Answers: All of the other choices are considered good security measures to use when hardening a host.

Answer 415

Remote wiping Correct Answer: Remote drive or disk wiping is used to ensure data protection and confidentiality on a mobile device in the event it is lost or stolen. Incorrect Answers: Remote destruction and remote encryption are invalid terms in this context. Remote access enables a remote user to authenticate to and access an organization's private network.

Answer 416

Blue box Correct Answer: Blue box testing is not a type of penetration testing.Black box testing involves a penetration test where the test team has no knowledge of the network. Incorrect Answers: In gray box testing, the tester may have some knowledge given to them, such as an infrastructure diagram or IP address list. I n a white box test, the test team has full and detailed knowledge of the network, its design, functions, and applications.

Answer 417

WEP Correct Answer: WEP (Wired Equivalent Privacy) uses a faulty implementation of the RC4 protocol, in addition to weak initialization vectors, making it an unsecure wireless protocol and as a result should never be used. Incorrect Answers: None of these other protocols use RC4.

Answer 418

Acceptable usage policy Correct Answer: An acceptable use policy (AUP) defines what users may and may not do with regard to information systems, including e-mail. Incorrect Answers: These policies apply to a wide range of security issues but do not define what actions users may perform on information systems.

Answer 419

ARP poisoning Correct Answer: ARP poisoning involves introducing false entries into the host's ARP cache, essentially spoofing MAC addresses. Incorrect Answers: DNS poisoning involves introducing false entries into a DNS server's cache or its zone files. DHCP and VLAN poisoning are invalid answers.

Answer 420

SMTP, port 25 Correct Answer: Simple Mail Transport Protocol (SMTP) uses TCP port 25 and is used to send e-mail and should not be running on an Internet-facing server that only provides a web site. Incorrect Answers: HTTP (port 80) must be allowed to run on the server to provide web content to users. SMTP uses port 25, not port 110. Port 110 is used by POP3 to receive e-mail messages. HTTPS uses port 443, not HTTP.

Answer 421

Public key Correct Answer: Bob's public key is used to encrypt a message for him. Bob would then decrypt the message with his private key. Incorrect Answers: Symmetric keys and hashes are not used to encrypt a message to an individual in a PKI environment. The private key would be used to decrypt, not encrypt, the message in this scenario.

Answer 422

Implement MAC filtering Correct Answer: MAC address filtering, although not an effective security measure by itself, can be used to limit which clients, by hardware address, can connect to the wireless network. Incorrect Answers: WEP is a wireless security protocol. NAC prevents clients from connecting that do not meet specified security requirements, such as patch level or antivirus signature. SSID cloaking merely prevents potential wireless clients from seeing the wireless network name by stopping it from being broadcast.

Answer 423

Iris scan Correct Answer: Out of the choices given, an iris scan is the strongest method of authentication, as these patterns are very unique to individuals. Of all of the biometric authentication methods, including voiceprint and fingerprints, iris scans are most accurate. Incorrect Answers: Username and password combinations are not considered strong methods of authentication, as would be a PIN by itself. These are all considered single-factor forms of authentication. Fingerprints are not considered as strong a method of biometric authentication as iris scans.

Answer 424

Users should have a normal user account for routine tasks, and an administrative account for tasks that require higher privileges. Correct Answer: Users should have a normal user account for routine tasks, and an administrative account for tasks that require higher privileges. Incorrect Answers: None of these choices are considered to be good security practices. User accounts should not be directly granted administrative privileges, and ordinary user-level accounts should not be placed in the Administrators group. Additionally, no one should be given the Domain Administrator's username and password to use on a routine basis.

Answer 425

RAID Correct Answer: Redundant Array of Independent Disks (RAID) is used to provide for fault tolerance and recovery against disk failures. Incorrect Answers: Striping is used to improve performance but offers no fault tolerance unless used with parity bits. Clustering is used to provide server fault tolerance. Network load balancing is used to enhance network performance through balancing network traffic among servers.

Answer 426

Role-based access control Correct Answer: Role-based access control grants access to groups performing specific functions, or roles, but not to individuals. Incorrect Answers: Discretionary access control allows data owners/creators to grant access to individuals or groups. Mandatory access control permits only administrators to grant access, based upon security labels. Rule-based access control grants access to resources based upon specific rules associated with the resource.

Answer 427

DNS poisoning Correct Answer: DNS poisoning involves introducing false entries into a DNS server's zone file, or a server's hostname-to-IP address cache, both with the intent of misdirecting a DNS resolution request to a different server or site. Incorrect Answer: ARP poisoning involves introducing false entries into a host's ARP cache, which maps MAC addresses to IP addresses. DHCP poisoning is a false term, although there are several known DHCP network attacks. Session hijacking involves intercepting and taking over an in-progress communications session between two hosts.

Answer 428

Password sharing Correct Answer: Password sharing typically will be in the acceptable use policy (AUP), as a directive to users about what they can and cannot do. Incorrect Answers: Password history, aging, and complexity will all typically be found in a password policy, as technical elements that describe how passwords should be constructed, implemented, and managed by administrators.

Answer 429

ARP Correct Answer: Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses. Incorrect Answers: RARP, the Reverse Address Resolution Protocol, resolves MAC addresses to IP addresses' the exact opposite of ARP. DNS, the Domain Name System, resolves fully qualified domain names (FQDN) to IP addresses. DHCP, the Dynamic Host Configuration Protocol, dynamically issues IP addressing information to hosts.

Answer 430

Penetration test Correct Answer: A penetration test is considered an active test because you are actually interacting with the target system and trying to bypass the security controls. Incorrect Answers: A vulnerability scan is considered a passive test because it only involves reviewing the configuration of a system to determine if there are any vulnerabilities. A risk assessment helps identify risks for each asset. A code review involves reviewing the code of an application to look for flaws.

Answer 431

Integer overflow attack OBJ-1.3: Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation results in a large number to be stored in the space allocated for it. Integers are stored in 32 bits on the x86 architecture; therefore, if an integer operation results in a number greater than 0xffffffff, an integer overflow occurs, as was the case in this example. SQL injection is an attack that injects a database query into the input data directed at a server by accessing the application's client-side. Password spraying is a type of brute force attack in which multiple user accounts are tested with a dictionary of common passwords. Impersonation is the act of pretending to be another person or system for fraud.

Answer 432

Items classified by the system as Low or as For Informational Purposes Only OBJ-1.7: When conducting a vulnerability scan, it is common for the report to include some findings that are classified as “low” priority or “for informational purposes only.” These are most likely false positives and can be ignored by the analyst when starting their remediation efforts. "An HTTPS entry that indicates the web page is securely encrypted" is not a false positive but a true negative (a non-issue). A scan result showing a different version from the automated asset inventory should be investigated and is likely a true positive. A finding that shows the scanner compliance plug-ins are not up-to-date would likely also be a true positive that should be investigated.

Answer 433

Phishing OBJ-1.1: This is an example of a phishing attack. Phishing is the fraudulent practice of sending emails and pretending to be from a reputable company to trick users into revealing personal information, such as passwords and credit card numbers. This email appears to be untargeted since it was sent to both customers and non-customers of this particular bank; it is best classified as phishing. Spear phishing requires the attack to be more targeted and less widespread.

Answer 434

Submit the files to an open-source intelligence provider like VirusTotal OBJ-1.5: The best option is to submit them to an open-source intelligence provider like VirusTotal. VirusTotal allows you to quickly analyze suspicious files and URLs to detect types of malware. It then automatically shares them with the security community, as well. Disassembly and static analysis would require a higher level of knowledge and more time to complete. Running the Strings tool can help identify text if the code is not encoded in a specific way within the malware, but you have to know what you are looking for, such as a malware signature. You should never scan the files using a local anti-virus or anti-malware engine if you suspect the workstation or server has already been compromised because the scanner may also be compromised.

Answer 435

Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody OBJ-1.7: Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won't affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server's hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.

Answer 436

Smurf attack OBJ-1.4: A smurf attack occurs when an attacker sends a ping to a subnet broadcast address and devices reply to spoofed IP (victim server), using up bandwidth and processing power. This image is a graphical depiction of this type of attack.

Answer 437

Agent-based scanning OBJ-1.7: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization’s network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring all require a continuous network connection to collect the configurations of the devices accurately.

Answer 438

Logic bomb OBJ-1.2: This short log shows a logic bomb on the Linux server. The first two lines show a crontab job is scheduled to run the backup script every 5 minutes. The cat command used in this example (line three) reads data from the file and displays it to the screen. In this case, we can see what actions the backupscript.sh files will take when it is run every five minutes as scheduled in the first two lines of this output. The script is shown as a bash shell script, and it will first determine if the string “jdion.usr” is found in the /etc/passwd file. Based on the context, you can assume jdion.usr is a possible user account on the system. If jdion.usr is NOT found in the passwd file, it will run the command “rm –rf” to recursively remove (rm) all the files and folders.

Answer 439

Blue team OBJ-1.8: Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play "war game" exercises in which the security personnel split into teams: red, blue, and white. The red team acts as the adversary. The blue team acts as the defenders. The white team acts as the referees and sets the parameters for the exercise. The yellow team is responsible for building tools and architectures in which the exercise will be performed.

Answer 440

Banner grabbing OBJ-1.8: The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command “nc test.diontraining.com 80” was used to establish a connection to a target web server using netcat, then send an HTTP request (HEAD / HTTP/1.1). The response contains information about the service running on the webserver. In this example, the server software version (Apache 2.0.46) and the operating system (Red Hat Linux). Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications where malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A query to the WHOIS database would return information on the website owner, not the server's operating system.

Answer 441

Shoulder surfing OBJ-1.1: While a malicious employee or insider could use all of the methods listed to obtain another user's passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Since a malicious employee or insider can work close to their victims (other users), they could easily use this technique to collect the victimized users' passwords.

Answer 442

Privilege escalation OBJ-1.3: The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question's details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.

Answer 443

Missing patches OBJ-1.6: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server's data can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user’s workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL is commonly used against databases, but they are not useful when attacking file servers.

Answer 444

Directory traversal OBJ-1.3: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various user's passwords by attempting a compromised password against multiple user accounts.

Answer 445

Trojan OBJ-1.2: A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system.

Answer 446

Cognitive password attack OBJ-1.2: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this type of password can easily be bypassed. For example, during the 2008 , Vice Presidential candidate Sarah Palin's email account was hacked because a high schooler used the "reset my password" feature on Yahoo's email service to reset her password using the information that was publically available about Sarah Palin (like her birthday, high school, and other such information).

Answer 447

Race condition OBJ-1.6: Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker's exploit is racing to modify the configuration file before the application reads the number of lives from it. Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls. Broken authentication refers to an app that fails to deny access to malicious actors. Dereferencing attempts to access a pointer that references an object at a particular memory location.

Answer 448

The full email header from one of the spam messages OBJ-1.1: You should first request a copy of one of the spam messages, including the full email header. By reading through the full headers of one of the messages, you can determine where the email originated from, whether it was from your email system or external, and if it was a spoofed email or a legitimate email. Once this information has been analyzed, you can then continue your analysis based on those findings, whether that be analyzing your email server, the firewalls, or other areas of concern. If enough information cannot be found by analyzing the email headers, you will need to conduct more research to determine the best method to solve the underlying problem.

Answer 449

Buffer overflow OBJ-1.2: The function DionCode may be subject to a buffer overflow as the user enters something over 20 characters as their input. In defining the char (character) type array, the programmer only allocated 20 characters worth of memory storage. To solve this problem, the programmer should create proper input validation to ensure that the input is less than 20 characters before passing the user_input variable to the strcpy (string copy) function.

Answer 450

Input validation OBJ-1.3: Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks. A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use. Cross-site request forgery (CSRF) is another attack type. A hypervisor controls access between virtual machines.

Answer 451

This approach only changes the location of the network and not the attack surface of it OBJ-1.5: A poorly implemented security model at a physical location will still be a poorly implemented security model in a virtual location. Unless the fundamental causes of the security issues that caused the previous data breaches have been understood, mitigated, and remediated, then migrating the current images into the cloud will change where the processing occurs without improving the security of the network. While the statement concerning unrealized ROI may be accurate, it simply demonstrates the sunk cost argument's fallacy. These servers were already purchased, and the money was spent. Regardless of whether we maintain the physical servers or migrate to the cloud, that money is gone. Those servers could also be repurposed, reused, or possibly resold to recoup some of the capital invested. While the company's physical security will potentially improve in some regards, the physical security of the endpoints on-premises is still a concern that cannot be solved by this cloud migration. Additionally, the scenario never stated that physical security was an issue that required being addressed, so it is more likely that the data breach occurred due to a data exfiltration over the network. As a cybersecurity analyst, you must consider the business case and the technical accuracy of a proposed approach or plan to add the most value to your organization.

Answer 452

AES OBJ-2.8: The Advanced Encryption Standard (AES) is a symmetric block cipher with a fixed block size of 128 bits. It can utilize a 128-bit, 192-bit, or 256-bit symmetric key. RSA, Diffie-Hellman, and ECC are all asymmetric algorithms.

Answer 453

Private OBJ-2.2: Private cloud refers to a cloud computing model where IT services are provisioned over private IT infrastructure for the dedicated use of a single organization. A private cloud is usually managed via internal resources. The terms private cloud and virtual private cloud (VPC) are often used interchangeably.

Answer 454

Smartcard and PIN OBJ-2.4: Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inheritance factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inheritance). Choosing a username, password, and security question would also be only using one factor (knowledge). For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inheritance, location, or action.

Answer 455

Hardware write blocker OBJ-2.7: Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive's contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker's primary purpose is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device. A forensic drive duplicator copies a drive and validates that it matches the original drive but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the hard drive contents.

Answer 456

Hypervisor OBJ-2.2: A hypervisor, also known as a virtual machine monitor, is a process that creates and runs virtual machines (VMs). A hypervisor allows one host computer to support multiple guest VMs by virtually sharing its resources, like memory and processing. To create and provision virtual machines within the Windows 2016 operating system, you can use a Type II hypervisor like VM Ware or VirtualBox.

Answer 457

You tell the developer to review their code and implement a bug/code fix OBJ-2.3: Since your company owns the website, you can require the developer to implement a bug/code fix to prevent the form from allowing the AUTOCOMPLETE function to work on this website. The code change to perform is quite simple, simply adding "autocomplete=off" to the first line of the code. The resulting code would be .

Answer 458

SaaS OBJ-2.2: Software as a Service (SaaS) is used to provide web applications to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Officer 365 are both word processing SaaS solutions. QuickBooks Online is one example of a SaaS solution for accounting.

Answer 459

False acceptance rate OBJ-2.4: False acceptance rate (FAR), or Type II, is the measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user. The false rejection rate is calculated based upon the number of times an authorized user is denied access to the system.

Answer 460

The backup is a differential backup OBJ-2.5: iPhone/iPad backups can be created as full or differential backups. In this scenario, the backup being analyzed is likely a differential backup containing the information that has changed since the last full backup. If the backup were encrypted, you would be unable to read any of the contents. If the backup were interrupted, the backup file would be in an unusable state. If the backup were stored in iCloud, you would need access to their iCloud account to retrieve and access the file. Normally, during an investigation, you will not have access to the user's iCloud account.

Answer 461

MSSP OBJ-2.2: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role.

Answer 462

Infrastructure as a Service OBJ-2.2: Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization may provision virtual servers in a cloud-hosted network. The service consumer is still responsible for maintaining the IP address space and routing internally to the cloud. Platform as a Service (PaaS) is a computing method that uses the cloud to provide any platform-type services. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services. Function as a Service (FaaS) is a cloud service model that supports serverless software architecture by provisioning runtime containers to execute code in a particular programming language.

Answer 463

RSA OBJ-2.8: RSA (Rivest–Shamir–Adleman) was one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm. AES, RC4, and DES are all symmetric algorithms.

Answer 464

Wiping OBJ-2.7: Data wiping or clearing occurs by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media. Data wiping may be performed with a 1x, 7x, or 35x overwriting, with a higher number of times being more secure. This allows the hard drive to remain functional and allows for hardware reuse. Degaussing a hard drive involves demagnetizing a hard drive to erase its stored data. You cannot reuse a hard drive once it has been degaussed. Therefore, it is a bad solution for this scenario. Purging involves removing sensitive data from a hard drive using the device's own electronics or an outside source (like a degausser). A purged device is generally not reusable. Shredding involves the physical destruction of the hard drive. This is a secure method of destruction but doesn’t allow for device reuse.

Answer 465

Infrastructure as Code (IaC) OBJ-2.2: IaC is designed with the idea that a well-coded description of the server/network operating environment will produce consistent results across an enterprise and significantly reduce IT overhead costs through automation while precluding the existence of security vulnerabilities. SDN uses software to define networking boundaries but does not necessarily handle server architecture in the same way that IaC can. Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services.

Answer 466

SHA-2 OBJ-2.8: SHA-2 creates a 256-bit fixed output. SHA-1 creates a 160-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.

Answer 467

Install an anti-virus or anti-malware solution that uses heuristic analysis OBJ-3.3: The only solution that could STOP this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis. The other options might be able to monitor and detect the issue but not stop it from spreading. Heuristic analysis is a method employed by many computer anti-virus programs designed to detect previously unknown computer viruses and new variants of viruses already in the wild. This is behavior-based detection and prevention, so it should detect the issue and stop it from spreading throughout the network.

Answer 468

MAC filtering OBJ-3.4: Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same devices to connect to the network, it would be relatively easy to implement a MAC filtering based whitelist of devices that are allowed to use the open network and reject any other devices not listed by the instructors (like the student's laptops or phones). Reducing the signal strength would not solve this issue since students and instructors are in the same classrooms. Using Network Address Translation and Quality of Service will not prevent the students from accessing or using the open network.

Answer 469

Fuzzing OBJ-3.2: Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security, are therefore of high significance, and the interest in such approaches has steadily increased. Stress testing verifies the system's stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions.

Answer 470

Cryptographic erase OBJ-3.2: In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Cryptographic erase can be used with hard drives, as well. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill-based methods might not be reliable because the device uses wear-leveling routines in the drive controller to communicate which locations are available for use to any software process accessing the device. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device. The most secure option would be a cryptographic erase (CE) for the question's scenario.

Answer 471

VLAN OBJ-3.3: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevent communications between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and separates the two virtual network's data. A virtual private network (VPN) is a remote access capability to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.

Answer 472

RADIUS | OBJ-3.8: Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication.

Answer 473

Jumpbox OBJ-3.3: Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox only runs the necessary administrative port and protocol (typically SSH). Administrators connect to the jumpbox then use the jumpbox to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the jumpbox) and denies any other hosts' connection attempts. A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application. For example, a proxy server and all other services are removed or limited to reduce the threat to the computer. An airgap system is a network or single host computer with unique security requirements that may physically be separated from any other network. Physical separation would prevent a system from accessing the remote administration interface directly and require an airgap system to reach the private cloud.

Answer 474

Input validation OBJ-3.2: Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the < string when writing to an HTML page.

Answer 475

Require authentication on wake-up OBJ-3.8: To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever the computer is woken up. Therefore, if an authorized user walks away from the computer and goes to sleep when another person tries to use the computer, it will ask for a username and password before granting them access to the network.

Answer 476

RDP OBJ-3.1: Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn’t supposed to be opened, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.

Answer 477

Incorrect security settings in the email client OBJ-3.1: This is a security setting in the mail client to prevent malicious malware and viruses from entering your environment. If the images are not downloaded on a received email, they will display as a red X within the reply email. If the email was forwarded, then the images will be displayed as a white box with a black border. This can be seen in the source code as 'Image Removed by Sender' next to where the Images should be. For example, in the Microsoft Outlook email client, the security settings for hosted images can be changed within the mail client's Trust Center (Outlook Options -> Trust Center -> Trust Center Settings).

Answer 478

ABAC OBJ-3.8: Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes. Information such as the group membership, the OS being used by the user, and even the machine's IP address could be considered when granting or denying access.

Answer 479

Cloud services OBJ-3.6: The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Cloud providers can mitigate this to some extent by using extensive logging and monitoring options. A CSP might also provide an option to generate a file system and memory snapshots from containers and VMs in response to an alert condition generated by a SIEM. Employee workstations are often the easiest to conduct forensics on since they are a single-user environment for the most part. Mobile devices have some unique challenges due to their operating systems, but good forensic tool suites are available to ease the forensic acquisition and analysis of mobile devices. On-premise servers are more challenging than a workstation to analyze, but they do not suffer from the same issues as cloud-based services and servers.

Answer 480

NAC OBJ-3.3: Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. MAC Filtering refers to a security access control method whereby the MAC address assigned to each network card is used to determine access to the network. MAC filtering operates at layer 2 and is easy to bypass. Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during the email delivery.

Answer 481

L3 cache OBJ-4.5: When collecting evidence, you should always follow the order of volatility. This will allow you to collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. You should always begin collecting the CPU registers and cache memory (L1/L2/L3/GPU). The contents of system memory (RAM), including a routing table, ARP cache, process tables, kernel statistics, and temporary file systems/swap space/virtual memory. Next, you would move onto the collection of data storage devices like hard drives, SSDs, and flash memory devices. After that, you would move onto less volatile data such as backup tapes, external media devices (hard drives, DVDs, etc.), and even configuration data or network diagrams.

Answer 482

Scan the network for additional instances of this vulnerability and patch the affected assets OBJ-4.2: All of the options listed are the best security practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as an insecure configuration), that same vulnerability could exist on many other assets across the network. During your recovery, you must identify if any other network systems share the same vulnerability and mitigate them. If you don't, the attacker could quickly reinfect your network by simply attacking another machine using the same techniques used during this intrusion. The other options listed are all examples of additional device hardening that should be conducted during recovery after you have identified the exploited vulnerability across the rest of the network.

Answer 483

Permit 143.27.43.32 161.212.71.14 RDP 3389 OBJ-4.4: Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ, so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only "permit 143.27.43.32 161.212.71.14 RDP 3389" could be correct.

Answer 484

Syslog OBJ-4.3: The Syslog server is a centralized log management solution. By looking through the logs on the Syslog server, the technician could determine which service failed on which server since all the logs are retained on the Syslog server from all of the network devices and servers. Network mapping is conducted using active and passive scanning techniques and could help determine which server was offline, but not what caused the interruption. Firewall logs would only help determine why the network connectivity between a host and destination may have been disrupted. A network intrusion detection system (NIDS) is used to detect hacking activities, denial of service attacks, and port scans on a computer network. It is unlikely to provide the details needed to identify why the network service was interrupted.

Answer 485

nmap OBJ-4.1: Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. Also, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems. The netstat (network statistics) tool is a command-line utility that displays network connections for incoming and outgoing TCP packets, routing tables, and some network interface and network protocol statistics. Still, it cannot identify open ports and services on a host with their version numbers. The ping tool is used to query another computer on a network to determine whether there is a valid connection. Wireshark is an open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.

Answer 486

Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive OBJ-4.5: The correct order for evidence collection based on the order of volatility is the Processor Cache, Random Access Memory, Swap File, and then the Hard Drive or USB Drive. Since the Processor Cache is the most volatile and changes the most frequently, it should be captured first. Random Access Memory (RAM) is temporary storage on a computer. It can quickly change or be overwritten, and the information stored in RAM is lost when power is removed from the computer, so it should be collected second. Swap files are temporary files on a hard disk used as virtual memory, and therefore, they should be collected third. The files on a hard disk or USB drive are the least volatile of the four options presented since they are used for long-term storage of data and are not lost when the computer loses power.

Answer 487

.ps1 OBJ-4.1: If you want to save a series of PowerShell commands in a file to rerun them later, you effectively create a PowerShell script. This is simply a text file with a .ps1 extension. The file contains a series of PowerShell commands, with each command appearing on a separate line.

Answer 488

Port scan targeting 10.10.3.6 OBJ-4.1: Port Scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making “Port scan targeting 10.10.3.6” the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overbears a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions.

Answer 489

Isolating affected systems OBJ-4.4: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.

Answer 490

``` Cain and Abel OBJ-4.1: Cain and Abel is a popular password cracking tool. It can recover many password types using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force, and cryptanalysis attacks. It also includes a module to conduct Cisco VPN Client Password Decoding too. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access. ```

Answer 491

Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443 OBJ-4.1: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to execute during a single command execution. Next, netcat sends the data to the given IP (192.168.1.76) over port 443. This is a common technique o bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel).

Answer 492

192.186.1.100 OBJ-4.3: This question tests your ability to determine if an IP address is a publicly routable IP (external connection) or private IP (internal connection). Private IP addresses are either 10.x.x.x, 172.16-31.x.x, or 192.168.x.x. All other IP addresses are considered publicly routable over the internet (except localhost and APIPA addresses). Therefore, the answer must be 192.186.1.100 since it is not a private IP address.

Answer 493

Identify, implement, and document compensating controls OBJ-5.1: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.

Answer 494

Conduct a data criticality and prioritization analysis OBJ-5.4: While the payroll server could be assumed to holds PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and Dion, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn’t contain their credit card processing systems that would be a more lucrative target for APT 38 than the PAYROLL_DB. The suggestions of hardening, logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don’t know which data they should focus on protecting or where the attacker is currently.

Answer 495

NDA OBJ-5.3: This is the definition of a non-disclosure agreement (NDA). There may be two NDAs in use: One from the organization to the pentester and another from the pentester to the organization. The Scope of Work is a formal document stating what will and will not be performed during a penetration test. It should also contain the assessment's size and scope and a list of the assessment's objectives. A master service agreement, or MSA, is a contract reached between parties, in which the parties agree to most of the terms that will govern future transactions or future agreements. The MSA is used when a pentester will be on retainer for a multi-year contract, and an individual SOW will be issued for each assessment to define the individual scopes for each one. Corporate policy is a documented set of broad guidelines, formulated after analyzing all internal and external factors that can affect an organization’s objectives, operations, and plans.

Answer 496

Conducting a brute force login attempt of a remote service on 192.168.1.142 OBJ-1.2: The penetration tester is attempting to conduct a brute force login attempt of a remote service on 192.168.1.142, as shown by the multiple login attempts with common usernames and passwords. A brute force attack attempts to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. Port Scanning is the name for the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions. A ping sweep is a basic network scanning technique used to determine which range of IP addresses map to live hosts.

Answer 497

Explanation OBJ-2.8: The Data Encryption Standard (DES) is a symmetric-key algorithm for encrypting digital data. Although its short key length of 56 bits makes it too insecure for applications, it was the standard used from 1977 until the early 2000s. GPG, ECC, and DSA are all asymmetric algorithms.