Dion Udemy video course Flashcards

1
Q

Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customers’ data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario?

A. Data Limitation
B. Data Minimization
C. Data Sovereignty
D. Data enrichment

A

C. Data Sovereignty

Explanation:
While the fictitious Westeros may have no privacy laws or regulations, the laws of the countries where the company’s customers reside may still retain sovereignty over the data obtained from those regions during the course of the company’s business there. This is called Data Sovereignty. Data sovereignty refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction.

2
Q

You are applying for a job at a cybersecurity firm. The application requests you enter your social security number, date of birth, and email address to conduct a background check as part of the hiring process. Which of the following types of information have you been asked to provide?

A. PHI
B. IP
C. PII
D. CUI

A

C. PII

Explanation:
Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII.

3
Q

Which of the following elements is LEAST likely to be included in an organization’s data retention policy?

A. Minimum retention period
B. Maximum retention period
C. Description of information that needs to be retained
D. Classification of information

A

D. Classification of information

Explanation:
Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization’s data classification policy.

4
Q

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company in an incident. Which of the following best describes the company’s risk response?

A. Avoidance
B. Transference
C. Acceptance
D. Mitigation

A

B. Transference

Explanation:
Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing the activity that is risk-bearing. Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Acceptance means that no countermeasures are put in place either because the risk level does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

5
Q

Jamie’s organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of a database server is $120,000. Based on her analysis, she believes that a data breach to this server will occur once every four years and has a risk factor of 30%. What is the ALE for a data breach within Jamie’s organization?

A. $9,000
B. $36,000
C. $90,000
D. $360,000

A

A. $9,000

Explanation:
The single loss expectancy (SLE) is the amount that would be lost in a single occurrence: the asset value (AV) times the exposure factor (EF), which the question calls the risk factor. The annual loss expectancy (ALE) is the total cost of a risk to an organization annually. This is determined by multiplying the SLE by the annual rate of occurrence (ARO). SLE = AV x EF = $120,000 x 30% = $36,000 and ALE = SLE x ARO = $36,000 x 0.25 = $9,000.

6
Q

Which of the following terms is used to describe the period of time taken to correct a fault so that the system is restored to full operations after a failure or incident?

A. RPO
B. MTTR
C. RTO
D. MTBF

A

B. MTTR

Explanation:
Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation. MTTR is often used to describe the average time to replace or recover a system or product.

7
Q

Which of the following agreements is used between companies and employees, between companies and contractors, and between two companies to protect information assets?

A. ISA
B. NDA
C. SLA
D. DSUA

A

B. NDA

Explanation:
A non-disclosure agreement (NDA) is the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and shares such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employer places in them.

8
Q

You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank’s cybersecurity program?

A. HIPAA
B. GLBA
C. FERPA
D. SOX

A

B. GLBA

Explanation:
The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.

9
Q

Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works in the marketing department at the company’s German headquarters, just emailed all their customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any?

A. There was no privacy violation because only corporate employees had access to their email addresses
B. There was a privacy violation since the customers explicitly gave permission to use the address as an identifier and did not consent to receiving marketing emails
C. There was no privacy violation since the customers were emailed securely through the customer relationship management tool
D. There was a privacy violation since data minimization policies were not followed properly

A

B. There was a privacy violation since the customers explicitly gave permission to use the address as an identifier and did not consent to receiving marketing emails

Explanation:
According to the European Union’s General Data Protection Regulation (GDPR), personal data collected can only be used for the exact purpose for which explicit consent was obtained. To use email addresses for marketing purposes, separate explicit consent should have been obtained. Since the company operates in Germany, it must follow the GDPR privacy standard. Even if a company doesn’t operate within the European Union, its customers might be European Union citizens, and therefore the company should still follow the GDPR guidelines.

10
Q

Dion Training is considering moving its headquarters and data center to Florida, but they are worried about hurricanes disrupting their business operations. To mitigate this risk, Dion Training has signed a contract with a vendor located in a different state to provide hardware, software, and the procedures necessary for the company to recover quickly in the case of a catastrophic event, like a hurricane causing a power loss for up to 10 days. As the owner, Jason is a little concerned that this contract isn’t sufficient to mitigate enough of the risk since it only provides a solution for the first 10 days. Jason wonders, “what will we do if a major outage occurs, and our offices are not able to be used for 6-12 months?” Jason has hired you to help develop Dion Training’s long-term strategy for recovering from such an event. What type of plan should you create?

A. Incident Response Plan
B. Disaster Recovery Plan
C. Business Continuity Plan
D. Risk Management Plan

A

C. Business Continuity Plan

Explanation:
A business continuity plan (BCP) is a plan to help ensure that business processes can continue during a time of emergency or disaster. Such emergencies or disasters might include a fire or any other case where business cannot occur under normal conditions. A disaster recovery plan is useful (and usually a piece of the larger business continuity plan), but it is insufficient for the long-term strategy which is needed to support business operations during an extended outage.

11
Q

Dion Training has just acquired Small Time Tutors and ordered an analysis to determine the sensitivity level of the data contained in their databases. In addition to determining the sensitivity of the data, the company also wants to determine exactly how they have collected, used, and maintained the data throughout its data lifecycle. Once this is fully identified, Dion Training intends to update the terms and conditions on their website to inform their customers and prevent any possible legal issues from any possible mishandling of the data. Based on the information provided, which of the following types of analysis is the team at Dion Training going to perform?

A. Gap Analysis
B. Tradeoff analysis
C. Business impact analysis
D. Privacy impact analysis

A

D. Privacy impact analysis

Explanation:
A privacy impact assessment is conducted by an organization in order for it to determine where privacy data is stored and how that privacy data moves throughout an information system. It evaluates the impacts that may be realized by a compromise to the confidentiality, integrity, and/or availability of the data.

12
Q

Dion Training wants to update their business continuity and disaster recovery plans since they recently moved their headquarters to a hurricane prone area. To begin the process, Jason has asked all of the department heads to create a collaborative list of all of the company’s essential functions and tasks. These will then be used to determine which systems, dependencies, and interactions must be prioritized in the business continuity and disaster recovery plans. Based on the information provided, which of the following types of analysis is the team at Dion Training going to perform?

A. Gap analysis
B. Tradeoff analysis
C. Business impact analysis
D. Privacy impact analysis

A

C. Business impact analysis

Explanation:
A business impact analysis describes the collaborative effort to identify those systems and software that perform essential functions, meaning the organization cannot run without them. A tradeoff analysis compares potential benefits to potential risks and determines a course of action based on adjusting the factors that contribute to each area.

13
Q

Dion Training’s new COO is reviewing the organization’s current information security policy. She notices that it was first created three years ago. Since that time, the organization has undergone multiple audits and assessments that required revisions to the policy. Which of the following is the most reasonable frequency to conduct a formal review of the organization’s policies to ensure they remain up to date?

A. Monthly
B. Quarterly
C. Annually
D. Every five years

A

C. Annually

Explanation:
Annual reviews are an industry standard and are typically sufficient unless circumstances arise that require an update or revision sooner. Waiting five years between policy reviews is too long and would leave the organization with constantly outdated policies. Similarly, conducting quarterly or monthly reviews is too frequent, as there will not be enough time for substantial changes to have occurred. Additionally, most formal audits and assessments are undertaken annually. Therefore, this is a reasonable frequency to use without overburdening your staff.

14
Q

Dion Training is conducting an analysis of their student practice exam experience. During the analysis, the staff measured the current resiliency of the system by calculating the MTTR and MTBF for the system. The MTTR was measured at 9.1 hours and the MTBF was measured at 3.2 years. Susan, the Chief Operations Officer, stated that the MTTR should be at most 4 hours and the MTBF should be at least 4 years. The team at Dion Training will use all of these measurements and goals to create a technical implementation plan to reach Susan’s requirements. Based on the measurements and goals provided, which of the following types of analysis has the team at Dion Training just performed?

A. Gap Analysis
B. Tradeoff analysis
C. Business impact analysis
D. Privacy impact analysis

A

A. Gap Analysis

Explanation:
A gap analysis measures the difference between the current state and desired state in order to assess the scope of work included in a project. By measuring ALE, MTTR, MTBF, TCO, and other factors, the organization can identify how closely it is performing in relation to the desired outcomes or requirements.

15
Q

Dion Training is trying to define key performance indicators for their recently released voucher management system. The CIO has stated that the voucher management system must be able to provide at least a 99.999% uptime as one of the KPIs. To monitor this requirement, the analysts have created a metric to measure the uptime for the system and will generate a report weekly with the average uptime maintained. Which of the following types of key performance indicators would this metric be classified as?

A. Scalability
B. Reliability
C. Availability
D. Usability

A

C. Availability

Explanation:
Availability metrics measure the probability that a system will be operating as expected at any given point in time. The most common availability metric used is known as uptime. Scalability metrics measure the ability of a system to handle an increase in workload while maintaining a consistent level of performance. Reliability metrics measure the ability of a system to perform without error or to avoid, detect, and/or repair component or integrity failures. Usability metrics measure the effectiveness, efficiency, and satisfaction of users working with a given system.

16
Q

Dion Training is accepting requests for proposals from three cloud hosting providers to outsource the hosting of their learning management systems. In reviewing the proposals, Jason identified that one of the cloud providers offers free data transfer into the cloud but charges high rates for data transfer out of their cloud. Which of the following vendor risks does this data transfer pricing policy represent?

A. Vendor Lock In
B. Vendor Visibility
C. Vendor Lockout
D. Vendor visibility

A

A. Vendor Lock In

Explanation:
This pricing policy represents a vendor lock-in risk since it could become cost-prohibitive to migrate to another cloud provider in the future due to the large outbound data transfer costs. Vendor Lock-in occurs when a customer is dependent on a vendor for products or services because switching is either impossible or would result in substantial complexity and costs.

17
Q

Following a root cause analysis of an edge router’s unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?

A. Increase network vulnerability scan frequency
B. Ensure all anti-virus signatures are up to date
C. Conduct secure supply chain management training
D. Verify that all routers are patched to the latest release

A

C. Conduct secure supply chain management training

Explanation:
Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network. They are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization’s supply chain. Training on detection methodologies (i.e., simple visual inspections) and training for acquisition personnel will better prevent recurrences.

18
Q

Dion Training is using a cloud service provider under an Infrastructure as a Service (IaaS) model. Assuming there is a shared responsibility model between the two organizations, which of the following is MOST likely the security responsibility of Dion Training under this IaaS model?

A. Physical security of the infrastructure
B. Data and application security configuration
C. Managing the data centers across regions
D. Tenant resource identity and access control

A

B. Data and application security configuration

Explanation:
The shared responsibility model identifies how responsibility for the implementation of security is shared between the customer and the cloud service provider (CSP) as applications, data, and workloads are moved to a cloud platform. Using an IaaS model provides hardware hosted at a provider facility using the provider’s physical security controls and utilities. The cloud customer is responsible for the data and application security configurations, while the cloud service provider will be responsible for the physical data centers, equipment, and the access control to the tenant resources.

19
Q

What is a reverse proxy commonly used for?

A. Allowing access to a virtual private cloud
B. To prevent the unauthorized use of cloud services from local network
C. Directing traffic to internal services if the contents of the traffic comply with the policy
D. To obfuscate the origin of a user within a network

A

C. Directing traffic to internal services if the contents of the traffic comply with the policy

Explanation:
A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users’ devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server’s response back to the external client.

20
Q

You received an incident response report indicating a piece of malware was introduced into the company’s network through a remote workstation connected to the company’s servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again?

A. ACL
B. NAC
C. SPF
D. MAC Filtering

A

B. NAC

Explanation:
Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined network portion.

21
Q

A new piece of malware attempts to exfiltrate user data by hiding the traffic and sending it as TLS-encrypted outbound traffic over random ports. What technology would be able to detect and block this type of traffic?

A. Intrusion Detection System
B. Application Aware Firewall
C. Stateful Packet Inspection
D. Stateless Packet Inspection

A

B. Application Aware Firewall

Explanation:
A web application firewall (WAF) or application-aware firewall would detect both the accessing of random ports and TLS encryption and identify it as suspicious. An application-aware firewall can make decisions about what applications are allowed or blocked by a firewall, and TLS connections are created and maintained by applications.

22
Q

Your network has been the victim of a data breach. Your company has hired an incident response team to help control the breach’s damage and restore the network to its full functionality. The incident response team wants to connect a packet capture device to the switch that connects your servers to the DMZ. Which of the following should be configured to ensure the packet capture device can receive all the network traffic going to and from the servers?

A. 802.1q
B. 802.1x
C. Port mirroring
D. Port security

A

C. Port mirroring

Explanation:
Port mirroring, also known as SPAN (Switched Port Analyzer), is a method of monitoring network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packet can be analyzed. In this case, you can connect the packet capture device to the SPAN port (mirrored port) to collect all the network traffic for later analysis.

23
Q

Dion Training wants to implement a software-defined network when installing a new enterprise network. The company prefers to use open-source software to reduce the risk of vendor lock-in. Which of the following approaches to implementing a software-defined network should Dion Training utilize?

A. SDN Overlay
B. Hybrid SDN
C. Open SDN
D. Peering SDN

A

C. Open SDN

Explanation:
Open SDN uses open standards and open-source software as a strategy to reduce the risks of vendor lock-in.

24
Q

During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team?

A. SSL
B. UTM
C. DLP
D. MDM

A

C. DLP

Explanation:
Data loss prevention software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest.

25
Q

During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true?

A. The server assumes you are conducting a DDoS attack
B. You are scanning a CDN hosted copy of the site
C. The scan will not produce any useful information
D. Nothing can be determined about this site with the information provided

A

B. You are scanning a CDN hosted copy of the site

Explanation:
This result is due to the company using a distributed server model that hosts content on Edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. The requested content may be served from the Edge server’s cache or pulled from the main diontraining.com servers.

26
Q

You are working as part of the server team for an online retail store. Due to the upcoming holidays, your boss is worried that the current servers may not be able to handle the increased demand during a big sale. Which of the following cloud computing concepts can quickly allow services to scale upward during busy periods and scale down during slower periods based on the changing user demand?

A. Resource pooling
B. On Demand
C. Rapid Elasticity
D. Metered service

A

C. Rapid Elasticity

Explanation:
In cloud computing, the term rapid elasticity is used to describe the scalable provisioning or the capability to provide scalable cloud computing services. Rapid elasticity is very critical to meet the fluctuating demands of cloud users. The downside of rapid elasticity implementations is that they can cause significant loading of the system due to the high number of resource allocation and deallocation requests.

27
Q

Which of the following refers to using virtual machines as a method of provisioning workstations for corporate users?

A. SaaS
B. IaaS
C. VDI
D. PaaS

A

C. VDI

Explanation:
Virtual Desktop Infrastructure (VDI) refers to using a VM as a means of provisioning corporate desktops. In a typical VDI, desktop computers are replaced by low-spec, low-power thin client computers. When the thin client starts, it boots a minimal OS, allowing the user to log on to a VM stored on the company server or cloud infrastructure. The user connects to the VM using some remote desktop protocol (Microsoft Remote Desktop or Citrix ICA, for instance). The thin client has to find the correct image and use an appropriate authentication mechanism.

28
Q

Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. Which of the following is an issue with using this approach?

A. Legal and regulatory issues may prevent data migration to the cloud
B. A VM escape exploit could allow an attacker to gain access to the SIEM
C. The company will be dependent on the cloud provider’s backup capabilities
D. The company will have less control over the SIEM

A

A. Legal and regulatory issues may prevent data migration to the cloud

Explanation:
If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud. The other options presented are all low risk and can be overcome with proper planning and mitigations.

29
Q

Which of the following would a virtual private cloud (VPC) infrastructure be classified as?

A. IaaS
B. PaaS
C. SaaS
D. FaaS

A

A. IaaS

Explanation:
Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization may provision virtual servers in a cloud-hosted network. The service consumer is still responsible for maintaining the IP address space and routing internally to the cloud.

30
Q

Your company has decided to begin moving some of its data into the cloud. Currently, your company’s network consists of both on-premises storage and some cloud-based storage. Which of the following types of clouds is your company currently using?

A. Hybrid
B. Private
C. Public
D. Community

A

A. Hybrid

Explanation:
A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.

31
Q

A software assurance test analyst performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing?

A. Fuzzing
B. Sequential data sets
C. Static Code Analysis
D. Known bad data injection

A

A. Fuzzing

Explanation:
Fuzzing is an automated software assessment technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions (crashes), failing built-in code assertions, or finding potential memory leaks.

32
Q

Which software development model emphasizes individuals and interactions over processes and tools, customer collaboration over contract negotiation, and working software over comprehensive documentation?

A. Waterfall
B. Spiral
C. Agile
D. RAD

A

C. Agile

Explanation:
The principles of the Agile Manifesto characterize agile software development. The Agile Manifesto emphasizes individuals and interactions over the processes and tools that Spiral and Waterfall rely on. It also focuses on working software, customer collaboration, and responding to change as key elements of the Agile process.

33
Q

After 9 months of C++ programming, the team at Whammiedyne systems has released their new software application. Within just 2 weeks of release, though, the security team discovered multiple serious vulnerabilities in the application that must be corrected. To retrofit the source code to include the required security controls will take 2 months of labor and will cost $100,000. Which development framework should Whammiedyne use in the future to prevent this situation from occurring in other projects?

A. Agile Model
B. DevSecOps
C. DevOps
D. Waterfall Model

A

B. DevSecOps

Explanation:
DevSecOps is a combination of software development, security operations, and systems operations and refers to the practice of integrating each discipline with the others. DevSecOps approaches are generally better postured to prevent problems like this because security is built-in during the development instead of retrofitting the program afterward. The DevOps development model incorporates IT staff but does not include security personnel.

34
Q

Which type of RAID should be used for a virtualization server that must have the fastest speed and highest redundancy level?

A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 10

A

D. RAID 10

Explanation:
RAID 10 offers the fastest speed, best reliability, and highest redundancy but is more costly as the overall disk storage will be greatly reduced. A RAID 10 uses at least four disks to create a mirror of striped arrays.

35
Q

Marta’s organization is concerned that a user’s account could remain vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability?

A. Minimum password length
B. Password history
C. Password expiration
D. Password complexity

A

C. Password expiration

Explanation:
A password expiration control in the policy would force users to change their password at specific time intervals. This will then lock out a user who types in the incorrect password or create an alert that the user’s account has been potentially compromised. While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario.

36
Q

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?

A. RADIUS
B. CHAP
C. TACACS+
D. Kerberos

A

C. TACACS+

Explanation:
TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it.

37
Q

Which of the following types of access control provides the strongest level of protection?
A. RBAC
B. MAC
C. DAC
D. ABAC

A

B. MAC

Explanation:
Mandatory Access Control (MAC) requires all access to be predefined based on system classification, configuration, and authentication. MAC is commonly used in highly centralized environments and usually relies on a series of labels, such as classification levels of the data.

38
Q

Which of the following identity and access management controls relies upon using a certificate-based authentication mechanism?

A. HOTP
B. Smart card
C. TOTP
D. Proximity Card

A

B. Smart card

Explanation:
Smart cards, PIV, and CAC devices are used as an identity and access management control. These devices contain a digital certificate embedded within the smart card (PIV/CAC) presented to the system when it is inserted into the smart card reader. When combined with a PIN, the smart card can be used as a multi-factor authentication mechanism. The PIN unlocks the card and allows the digital certificate to be presented to the system.

39
Q

Your organization requires the use of TLS or IPsec for all communications with an organization’s network. Which of the following is this an example of?

A. Data at rest
B. Data in transit
C. Data in use
D. DLP

A

B. Data in transit

Explanation:
Data in transit (or data in motion) occurs whenever data is transmitted over a network. Examples of types of data in transit include website traffic, remote access traffic, data being synchronized between cloud repositories, and more. In this state, data can be protected by a transport encryption protocol, such as TLS or IPsec.

40
Q

You just received an email from Bob, your investment banker, stating that he completed the wire transfer of $10,000 to your bank account in Vietnam. The problem is, you do not have a bank account in Vietnam, so you immediately call Bob to ask what happened. Bob explains that he received an email from you requesting the transfer. You insist you never sent that email to Bob initiating this wire transfer. What aspect of PKI could be used to BEST ensure that a sender actually sent a particular email message and avoid this type of situation?

A. CRL
B. Trust models
C. Recovery agents
D. Non repudiation

A

D. Non repudiation

Explanation:
Non-repudiation occurs when a sender cannot claim they didn’t send an email when they did. A digital signature should be attached to each email sent to achieve non-repudiation. This digital signature is comprised of a digital hash of the email’s contents, and then encrypting that digital hash using the sender’s private key. The receiver can then unencrypt the digital hash using the sender’s public key to verify the message’s integrity.

41
Q

Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic?

A. Artificial intelligence
B. Machine learning
C. Deep learning
D. Generative adversarial network

A

B. Machine learning

Explanation:
A machine learning (ML) system uses a computer to accomplish a task without being explicitly programmed. In the context of cybersecurity, ML generally works by analyzing example data sets to create its own ability to classify future items presented. If the system was presented with large datasets of malicious and benign traffic, it will learn which is malicious and categorize future traffic presented to it.

42
Q

Your Security Operations Center is experiencing a backlog of threat intelligence to analyze. The SOC Director has recommended that you investigate using emerging technologies to perform accurate correlations between various threat intelligence sources and traffic being observed on the production network. Which of the following emerging technologies should you select?

A. Machine Learning
B. Natural Language Processing
C. Artificial Intelligence
D. Deep fakes

A

C. Artificial Intelligence

Explanation:
Artificial Intelligence is the science of creating machines to develop problem-solving and analysis strategies without significant human direction or intervention.

43
Q

You are working for a large internet search engine provider that needs to collect and process the search history of your users. You have found that the volume and type of data exceeds the capability of a traditional SQL database. Which of the following emergent technologies should you implement to work with the data collected?

A. Blockchain
B. Natural language processing
C. Distributed consensus
D. Big data

A

D. Big data

Explanation:
Big data refers to data collections that are too large and complex for a traditional database to manage. Distributed consensus is used in a distributed or decentralized system to solve a particular computation to maintain the overall integrity of the distributed system or blockchain. The blockchain is an expanding list of transactional records listed in a public ledger that is secured using cryptography. Natural language processing (NLP) is a type of deep learning focused on understanding and responding to human language.

44
Q

Dion Training wants to implement a new wireless network using WPA3 in their offices. Which of the following features of WPA3 is used to provide a password-based authentication using the dragonfly handshake instead of the older WPA 4-way handshake?

A. AES GCMP
B. Management protection frames
C. Enhanced open
D. SAE

A

D. SAE

Explanation:
Simultaneous Authentication of Equals (SAE) is a password-based authentication and password-authenticated key agreement method used in WPA3 that replaced the 4-way handshake used in WPA-based wireless networks. The SAE handshake is also known as the dragonfly handshake.

45
Q

Dion Training wants to implement DNS protection on their mobile devices. Which of the following implementations would allow the device’s DNS requests to be tunneled within TLS traffic to aid in the privacy protection of the user?

A. Custom DNS
B. Token based access
C. DoH
D. Profiles

A

C. DoH

Explanation:
DNS over HTTPS (DoH) allows the DNS requests to be tunneled within the TLS traffic over port 443. This allows most of the DNS protocol traffic over port 53 to be eliminated after the first DNS request to the DoH provider is made. DoH is used mainly to provide privacy protection for the user and their web browsing activities.

46
Q

Which mobile device strategy is most likely to introduce vulnerable devices to a corporate network?

A. COPE
B. BYOD
C. MDM
D. CYOD

A

B. BYOD

Explanation:
The BYOD (bring your own device) strategy opens a network to many vulnerabilities. People can bring their personal devices to the corporate network, and their devices may contain vulnerabilities that could be allowed to roam free on a corporate network.

46
Q

Michelle has just finished installing a new database application on her server. She then proceeds to uninstall the sample configuration files, properly configure the application settings, and update the software to the latest version according to her company’s policy. What best describes the actions Michelle just took?

A. Patch management
B. Application hardening
C. Input validation
D. Vulnerability scanning

A

B. Application hardening

Explanation:
Application hardening involves taking actions to best secure the application from attack. This involves removing any default or sample configurations, properly configuring settings, and updating the application to the latest and more secure version.

47
Q

You have been investigating how a malicious actor could exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that a rootkit’s installation had modified the web server’s BIOS. After removing the rootkit and reflashing the BIOS to a known good image, what should you do to prevent the malicious actor from affecting the BIOS again?

A. Install an anti malware application
B. Install a host based IDS
C. Utilize a secure boot
D. Utilize file integrity monitoring

A

C. Utilize a secure boot

Explanation:
Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that the OS vendor has digitally signed it. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used.

48
Q

William would like to use full-disk encryption on his laptop. He is worried about slow performance, though, so he has requested that the laptop have an onboard hardware-based cryptographic processor. Based on this requirement, what should William ensure the laptop contains?

A. AES
B. FDE
C. PAM
D. TPM

A

D. TPM

Explanation:
This question is asking if you know what each acronym means. Trusted Platform Module (TPM) is a hardware-based cryptographic processing component that is a part of the motherboard. A Pluggable Authentication Module (PAM) is a device that looks like a USB thumb drive and is used as a software key in cryptography. Full Disk Encryption (FDE) can be hardware or software-based. Therefore, it isn’t the right answer. The Advanced Encryption System (AES) is a cryptographic algorithm. Therefore, it isn’t a hardware solution.

49
Q

Dion Training wants to implement a software-defined network when installing a new enterprise network. The company prefers to use open-source software to reduce the risk of vendor lock-in. Which of the following approaches to implementing a software-defined network should Dion Training utilize?

A. SDN Overlay
B. Hybrid SDN
C. Open SDN
D. Peering SDN

A

C. Open SDN

Explanation:
Open SDN uses open standards and open-source software as a strategy to reduce the risks of vendor lock-in. Hybrid SDN uses a combination of traditional and software-defined networks in the same environment to achieve its objectives.

50
Q

Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud?

A. Zero wipe drives before moving systems
B. Use full disk encryption
C. Use data masking
D. Span multiple virtual disks to fragment data

A

B. Use full disk encryption

Explanation:
To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider.

51
Q

Jeff has been contacted by an external security company and told that they had found a copy of his company’s proprietary source code on GitHub. Upon further investigation, Jeff has determined that his organization owns the repository where the source code is located. Which of the following mitigations should Jeff apply immediately?

A. Change the repository from public to private
B. Delete the repository
C. Reevaluate the organization’s information management policies
D. Investigate if the source code was downloaded

A

A. Change the repository from public to private

Explanation:
Jeff should immediately change the repository from public to private to prevent further exposure of the source code. Deleting the repository would also fix the issue but could compromise the company’s ongoing business operations. Reevaluation of the company’s information management policies should be done, but this is not as time-critical as changing the repository’s public/private setting. Once the repository is configured to be private, then Jeff should investigate any possible compromises that may have occurred and reevaluate their policies.

52
Q

Syed is developing a vulnerability scanner program for a large network of sensors to monitor his company’s transcontinental oil pipeline. What type of network is this?

A. SoC
B. CAN
C. BAS
D. SCADA

A

D. SCADA

Explanation:
SCADA (supervisory control and data acquisition) networks work off an ICS (industrial control system) and maintain sensors and control systems over large geographic areas.

53
Q

Which of the following types of operational technologies is designed to be used for a single purpose or function and cannot be patched when a flaw or defect is identified?

A. ASIC
B. FPGA
C. SoC
D. IoT

A

A. ASIC

Explanation:
An application-specific integrated circuit (ASIC) is a type of processor designed to perform a specific function. ASICs are expensive to design and only work for a single application or function, such as the ASICs used to conduct switching in an Ethernet switch. ASICs cannot be rewritten, flashed, or updated once they are created and installed. If a flaw or defect is discovered in the ASIC, it must be replaced to patch the vulnerability.

54
Q

Dion Automation Group specializes in installing ICS and SCADA systems. You have been asked to program a PLC to open the fill valve when the level of liquid in a tank reaches a sensor located at 1 foot above the bottom of the tank. Also, the valve should shut again once the level reaches another sensor at 9 feet above the bottom of the tank. Which of the following would you use to create the control sequence used by the PLC?

A. Human machine interface
B. Safety instrumented system
C. Ladder logic
D. Data historian

A

C. Ladder logic

Explanation:
Ladder Logic is a graphical, flowchart-like programming language used to program the special sequential control sequences used by a programmable logic controller (PLC).

55
Q

Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application?

A. File size and file creation date
B. MD5 or SHA1 hash digest of the file
C. Private key of the file
D. Public key of the file

A

B. MD5 or SHA1 hash digest of the file

Explanation:
Keith should conduct a hash of the downloaded file and compare it against the MD5 hash digest listed on the server of this file. This file needs to be a verifiable MD5 hash file to validate the file integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on comparing hash digests.

56
Q

Dion Training has contracted a software development firm to create a bulk file upload utility for its website. During a requirements planning meeting, the developers asked what type of encryption is required for the project. After some discussion, Jason decides that the file upload tool should use a cipher capable of encrypting 64 bits of data at a time before transmitting the files from the web developer’s workstation to the webserver. What of the following should be selected to meet this security requirement?

A. Stream cipher
B. Block cipher
C. CRC
D. Hashing algorithm

A

B. Block cipher

Explanation:
A block cipher is used to encrypt multiple bits at a time before moving to the next set of data. Block ciphers generally have a fixed-length block (8-bit, 16-bit, 32-bit, 64-bit, etc.). Stream ciphers encrypt a single bit (or byte) at a time during their encryption process. Hashing algorithms would not meet the requirement because the data would be encrypted using a one-way hash algorithm and be unusable once on the webserver. A cyclic redundancy check (CRC) is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to raw data.

57
Q

Which of the following hash algorithms is most vulnerable to a birthday attack or collision?

A. RIPEMD-160
B. Poly1305
C. MD-5
D. SHA-1

A

C. MD-5

Explanation:
Message Digest Algorithm 5 (MD5) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 128-bit hash digest value to be used for authenticating the original message. MD5 can be easily brute-forced and has a high chance of collision.

58
Q

Which of the following cipher suites does not support the more secure ephemeral key agreement mode?

A. TLS_CHACHA20_POLY1305_SHA256
B. TLS_AES_256_GCM_SHA384
C. TLS_RSA_WITH_AES_256_CBC_SHA256
D. ECDHE_RSA_AES128_GCM_SHA256

A

C. TLS_RSA_WITH_AES_256_CBC_SHA256

Explanation:
In TLS 1.2, the cipher suite lists the session key agreement mode as either Diffie-Hellman or Elliptic Curve Diffie-Hellman Ephemeral mode (DHE or ECDHE), then the digital signature type, symmetric bulk encryption type, and the HMAC algorithm. Therefore, the cipher suite that does not support ephemeral key agreement mode is TLS_RSA_WITH_AES_256_CBC_SHA256 since it uses regular Diffie-Hellman for the session key agreement, RSA for digital signatures, AES-256 for symmetric bulk encryption using Cipher Block Chaining (CBC), and SHA256 for HMAC functions.

59
Q

Dion Training has added a salt and cryptographic hash to their passwords to increase the security before storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called?

A. Key stretching
B. Rainbow table
C. Salting
D. Collision resistance

A

A. Key stretching

Explanation:
In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. The question describes one such key stretching technique.

60
Q

Dion Training is choosing an encryption algorithm to use in providing confidentiality of the data stored on its mobile devices. Which of the following cryptographic algorithms should the company choose to provide the equivalent level of security with a smaller key size?

A. MD5
B. AES
C. SHA-256
D. ECC

A

D. ECC

Explanation:

61
Q

Why would a company want to utilize a wildcard certificate for their servers?

A. To secure the certificate’s private key
B. To increase the certificate’s encryption key length
C. To reduce the certificate management burden
D. To extend the renewal date of the certificate

A

C. To reduce the certificate management burden

Explanation:
A wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain. This saves money and reduces the management burden of managing multiple certificates, one for each subdomain. A single wildcard certificate for *.diontraining.com will secure all these domains (www.diontraining.com, mail.diontraining.com, ftp.diontraining.com, etc.). The other options provided are not solved by using a wildcard certificate.

62
Q

Dion Training has implemented its own root CA to issue digital certificates to its users. Each digital certificate is valid for 3 years by default, but if a user’s account is disabled then their digital certificate must also be revoked. Which of the following would allow a client to request the status of a digital certification to determine if it was revoked without downloading the full list of certificate statuses?

A. HPKP
B. CRL
C. HSTS
D. OCSP

A

D. OCSP

Explanation:
The Online Certificate Status Protocol (OCSP) allows clients to request the status of a digital certificate and to check whether it is revoked. A certificate revocation list (CRL) is a list of every digital certificate that has been revoked before its expiration date. HTTP Public Key Pinning (HPKP) is a certificate pinning method that embeds the certificate data in the HTTP header sent from a web server to a web browser. HTTP Strict Transport Security (HSTS) is configured as a response header on a web server and notifies a browser to connect to the requested website using HTTPS only.

63
Q

Dion Training is acquiring Cyber Learning. Both organizations currently have their own PKI implementations built around a single certificate authority at each organization. During the acquisition, Dion Training wants to establish a trust relationship between the Dion Training and Cyber Learning certificate authorities so that users and devices from each organization can use resources from the other organization during the acquisition. Which of the following trust models would BEST meet these requirements?

A. Single CA model
B. Hierarchical model
C. Cross certification model
D. Bridge model

A

C. Cross certification model

Explanation:
A cross certification model is most appropriate when connecting two organizations during an acquisition or merger. A cross certification model is a trust model that allows a trust relationship to be established between two certification authorities. Cross certification allows users and devices of two organizations to be recognized by the other, regardless of which organization’s root CA signed their certificate.

64
Q

After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company’s network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company’s information security team. How would you best classify this threat?

A. Advanced persistent threat (APT)
B. Spear phishing
C. Insider threat
D. Privilege escalation

A

A. Advanced persistent threat (APT)

Explanation:
An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. An APT attack intends to steal data rather than to cause damage to the network or organization. An APT refers to an adversary’s ongoing ability to compromise network security, obtain and maintain access, and use various tools and techniques. They are often supported and funded by nation-states or work directly for a nation-state’s government.

65
Q

Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat?

A. MITRE ATT&CK framework
B. Diamond Model of Intrusion Analysis
C. Lockheed Martin cyber kill chain
D. OpenIOC

A

A. MITRE ATT&CK framework

Explanation:
The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors.

66
Q

In which phase of the security intelligence cycle is input collected from intelligence producers and consumers to improve the implementation of intelligence requirements?

A. Dissemination
B. Analysis
C. Feedback
D. Collection

A

C. Feedback

Explanation:
The final phase of the security intelligence cycle is feedback and review, which utilizes intelligence producers’ and intelligence consumers’ input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.

67
Q

Dion Training wants to get an external attacker’s perspective on its security status. Which of the following services should they purchase?

A. Vulnerability Scan
B. Asset management
C. Penetration test
D. Patch management

A

C. Penetration test

Explanation:
Penetration tests provide an organization with an external attacker’s perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network.

68
Q

Which of the following information is traditionally found in the Scope of Work (SOW) for a penetration test?

A. Timing of the scan
B. Format of the executive summary report
C. Excluded hosts
D. Maintenance windows

A

C. Excluded hosts

Explanation:
A Scope of Work (SOW) for a penetration test normally contains the list of excluded hosts. This ensures that the penetration tester does not affect hosts, workstations, or servers outside the assessment scope. The timing of the scan and the maintenance windows are usually found in the rules of engagement (ROE). The executive summary report contents are usually not identified in any of the scoping documents, only the requirement of whether such a report is to be delivered at the end of the assessment.

69
Q

Which of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization’s headquarters?

A. Access control vestibule
B. Security guards
C. Bollards
D. Intrusion alarms

A
70
Q

An analyst’s vulnerability scanner did not have the latest set of signatures installed. Due to this, several unpatched servers may have vulnerabilities that were undetected by their scanner. You have directed the analyst to update their vulnerability scanner with the latest signatures at least 24 hours before conducting any scans. However, the results of their scans still appear to be the same. Which of the following logical controls should you use to address this situation?

A. Create a script to automatically update the signatures every 24 hours
B. Ensure the analyst manually validates that the updates are being performed as directed
C. Test the vulnerability remediations in a sandbox before deploying them into production
D. Configure the vulnerability scanners to run a credentialed scan

A

A. Create a script to automatically update the signatures every 24 hours

Explanation:
Since the analyst appears not to be installing the latest vulnerability signatures according to your instructions, it would be best to create a script and automate the process to eliminate human error. The script will always ensure that the latest signatures are downloaded and installed in the scanner every 24 hours without any human intervention. While you may want the analyst to manually validate the updates were performed as part of their procedures, this is still error-prone and likely not to be conducted properly.

71
Q

You work for Dion Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first?

A. Install CCTV to monitor the entrance
B. Install an access control vestibule at the entrance
C. Require all employees to wear security badges when entering the building
D. Install an RFID badge reader at the entrance

A

B. Install an access control vestibule at the entrance

Explanation:
An access control vestibule, or mantrap, is a device that only allows a single person to enter per authentication. This authentication can be done by RFID, a PIN, or other methods. Once verified, the mantrap lets a single person enter through a system, such as a turnstile or rotating door.

72
Q

You are conducting a code review of a program and observe that the calculation 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program?

A. SQL injection
B. Impersonation
C. Integer Overflow Attack
D. Password spraying

A

C. Integer Overflow Attack

Explanation:
Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation results in a number too large to be stored in the space allocated for it. Integers are stored in 32 bits on the x86 architecture; therefore, if an integer operation results in a number greater than 0xffffffff, an integer overflow occurs, as was the case in this example.

73
Q

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer’s phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reads the number of lives purchased from the file. Which of the following types of vulnerabilities did the hacker exploit?

A. Sensitive data exposure
B. Dereferencing
C. Broken authentication
D. Race condition

A

D. Race condition

Explanation:
Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker’s exploit is racing to modify the configuration file before the application reads the number of lives from it.

74
Q

Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, your security team has noticed a large increase in the number of compromised user accounts on the system. What type of attack is most likely the cause of both of these events?

A. SQL injection
B. XSS
C. Cross site request forgery
D. Rootkit

A

B. XSS

Explanation:
This scenario is an example of the effects of a cross-site scripting (XSS) attack. If your website’s HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a popup window that collects passwords and uses that information to compromise other accounts further. An XSS will allow an attacker to execute arbitrary JavaScript within the victim’s browser (such as creating pop-ups).

75
Q

You are analyzing the SIEM for your company’s e-commerce server when you notice the following URL in the logs of your SIEM:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

https://www.diontraining.com/add_to_cart.php?itemId=5”+perItemPrice=”0.00”+quantity=”100”+/><item+id=”5&quantity=0

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this line, what type of attack do you expect has been attempted?

A. SQL injection
B. Buffer overflow
C. XML injection
D. Session hijacking

A

C. XML injection

Explanation:
XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application’s intended logic. XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server’s XML structure. The original XML structure would be: .

76
Q

Review the following packet captured at your NIDS:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.], Seq 1834:1245, ack 1, win 511, options [nop,nop,TS val 263451334 ecr 482862734], length 125

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host?

A. DENY TCP ANY HOST 71.168.10.45 EQ 3389
B. DENY IP HOST 71.168.10.45 ANY EQ 25
C. DENY IP HOST 86.18.10.3 EQ 3389
D. DENY TCP ANY HOST 86.18.10.3 EQ 25

A

A. DENY TCP ANY HOST 71.168.10.45 EQ 3389

Explanation:
The question asks you to block access to the unauthorized service while leaving the approved services reachable, so the entry has to be specific to the destination host 71.168.10.45 and the destination TCP port 3389 (Remote Desktop Protocol). Option A denies TCP from any source to that host on port 3389 only. Options B and D name port 25, and option C names the remote client with no destination, so none of them stops the RDP connections. Because an ACL ends with an implicit deny, this entry must be paired with permit statements for the approved services, and it must come before any broader permit that would otherwise match the RDP traffic first.
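The following added example (not from the course) parses the captured packet line and the four candidate ACL entries, checks which entry actually matches the RDP packet, and then evaluates a short ACL, first match wins with an implicit deny at the end, against the RDP packet and against a constructed packet for an approved service. The HTTPS service on port 443 and the simplified ACL syntax are assumptions made for the illustration.

```javascript
// Added example, not from the course: a small evaluator for the ACL entries
// in the question, applied to the captured packet and to a constructed packet
// for an approved service. Syntax handling is simplified (first match wins,
// implicit deny at the end); the 443 "approved service" is an assumption.

// Parse the tcpdump-style line into the fields an ACL cares about.
function parsePacketLine(line) {
  const m = line.match(/IP (\d+\.\d+\.\d+\.\d+)[.:](\d+) > (\d+\.\d+\.\d+\.\d+)[.:](\d+)/);
  if (!m) throw new Error('unrecognised packet line');
  return { proto: 'TCP', src: m[1], sport: Number(m[2]), dst: m[3], dport: Number(m[4]) };
}

// Parse "ACTION PROTO <src-spec> [EQ port] <dst-spec> [EQ port]" where a spec
// is ANY or HOST a.b.c.d. A missing destination spec is treated as ANY.
function parseAclEntry(text) {
  const tok = text.trim().toUpperCase().split(/\s+/);
  const entry = { action: tok[0], proto: tok[1], src: null, sport: null, dst: null, dport: null };
  let i = 2;
  const readSpec = () => {
    let addr = null;
    if (tok[i] === 'ANY') { addr = 'ANY'; i += 1; }
    else if (tok[i] === 'HOST') { addr = tok[i + 1]; i += 2; }
    else return null;
    let port = null;
    if (tok[i] === 'EQ') { port = Number(tok[i + 1]); i += 2; }
    return { addr, port };
  };
  const s = readSpec();
  if (!s) throw new Error('bad ACL entry: ' + text);
  entry.src = s.addr; entry.sport = s.port;
  const d = readSpec() || { addr: 'ANY', port: null };
  entry.dst = d.addr; entry.dport = d.port;
  return entry;
}

function entryMatches(e, pkt) {
  const protoOk = e.proto === 'IP' || e.proto === pkt.proto;
  const addrOk = (a, x) => a === 'ANY' || a === x;
  const portOk = (p, x) => p === null || p === x;
  return protoOk && addrOk(e.src, pkt.src) && portOk(e.sport, pkt.sport) &&
         addrOk(e.dst, pkt.dst) && portOk(e.dport, pkt.dport);
}

// First matching entry decides; no match means the implicit deny applies.
function evaluateAcl(entries, pkt) {
  for (const text of entries) {
    const e = parseAclEntry(text);
    if (entryMatches(e, pkt)) return e.action;
  }
  return 'DENY';
}

const rdpPkt = parsePacketLine('23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.]');
// Constructed: the same client reaching an assumed approved HTTPS service on the host.
const httpsPkt = { proto: 'TCP', src: '86.18.10.3', sport: 54327, dst: '71.168.10.45', dport: 443 };

const candidates = {
  A: 'DENY TCP ANY HOST 71.168.10.45 EQ 3389',
  B: 'DENY IP HOST 71.168.10.45 ANY EQ 25',
  C: 'DENY IP HOST 86.18.10.3 EQ 3389',
  D: 'DENY TCP ANY HOST 86.18.10.3 EQ 25',
};

// Which candidate entries actually match the RDP packet?
function candidatesDenyingRdp() {
  return Object.keys(candidates).filter((k) => entryMatches(parseAclEntry(candidates[k]), rdpPkt));
}

// The chosen entry placed before an explicit permit for the approved service.
const acl = [candidates.A, 'PERMIT TCP ANY HOST 71.168.10.45 EQ 443'];
console.log(candidatesDenyingRdp());      // [ 'A' ]
console.log(evaluateAcl(acl, rdpPkt));    // DENY
console.log(evaluateAcl(acl, httpsPkt));  // PERMIT
```

On real equipment the port operator (eq) is only meaningful on TCP or UDP entries, which is another reason options B and C are not usable as written; the toy parser above accepts them only so that the mismatch can be shown.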

77
Q

You have been asked to review the SIEM event logs for suspected APT activity. You have been given several indicators of compromise, such as a list of domain names and IP addresses. What is the BEST action to take to analyze the suspected APT activity?

A. Use the IP Addresses to search through the event logs
B. Analyze the trends of the events while manually reviewing them to see if any indicators match
C. Create an advanced query that includes all of the indicators and review any matches
D. Scan for vulnerabilities with exploits known to previously have been used by an APT

A

B. Analyze the trends of the events while manually reviewing them to see if any indicators match

Explanation:
You should begin by analyzing the trends in the events while manually reviewing them to determine whether any of the indicators match. Searching only on the IP addresses is not sufficient: many APTs hide their activity behind compromised legitimate networks and addresses, and an IP-only search misses any event that correlates only with one of the domain names. A single advanced query that requires all of the indicators to be present (an AND condition) finds nothing, because no single event contains every indicator; the indicators are spread across many events over time, which is why trend analysis is needed.
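As an added example, not from the course, the block below runs a constructed indicator list against constructed SIEM events three ways: any-indicator (OR) matching, all-indicators (AND) matching, and an IP-only search, then groups the OR hits by source host so the pattern behind the individual matches is visible. Every address, domain and event is made up for the illustration.

```javascript
// Added example, not from the course: matching a list of indicators against
// SIEM events with OR semantics (any indicator) versus AND semantics (all
// indicators), plus a plain IP-only search. Indicators and events are
// constructed for the illustration; none of them are real.

const indicators = {
  ips: ['198.51.100.23', '203.0.113.77'],
  domains: ['update-cdn.example', 'mail-relay.example'],
};

// Constructed events, roughly as a SIEM would normalise them.
const events = [
  { ts: '2024-03-01T08:02:11Z', src_ip: '10.0.4.15', dst_ip: '198.51.100.23', msg: 'outbound TLS 443' },
  { ts: '2024-03-01T08:02:40Z', src_ip: '10.0.4.15', query: 'update-cdn.example', msg: 'DNS A lookup' },
  { ts: '2024-03-01T09:15:02Z', src_ip: '10.0.7.3', dst_ip: '93.184.216.34', msg: 'outbound TLS 443' },
  { ts: '2024-03-01T11:48:19Z', src_ip: '10.0.4.15', query: 'mail-relay.example', msg: 'DNS A lookup' },
  { ts: '2024-03-02T08:03:05Z', src_ip: '10.0.4.15', dst_ip: '203.0.113.77', msg: 'outbound TLS 443' },
];

// Which indicators appear anywhere in an event's string fields?
function indicatorsIn(event, iocs) {
  const all = [...iocs.ips, ...iocs.domains];
  const values = Object.values(event).filter((v) => typeof v === 'string');
  return all.filter((ioc) => values.some((v) => v.includes(ioc)));
}

// OR query: events matching at least one indicator.
function matchAny(evts, iocs) {
  return evts.filter((e) => indicatorsIn(e, iocs).length > 0);
}

// AND query: events that contain every indicator at once.
function matchAll(evts, iocs) {
  const n = iocs.ips.length + iocs.domains.length;
  return evts.filter((e) => indicatorsIn(e, iocs).length === n);
}

// Plain IP search, as in option A: domain-only events are never seen.
function matchIpsOnly(evts, iocs) {
  return evts.filter((e) => indicatorsIn(e, { ips: iocs.ips, domains: [] }).length > 0);
}

// Group the OR hits by source host so the analyst sees the pattern (one host,
// several indicators, activity across two days) instead of isolated matches.
function hitsBySource(evts, iocs) {
  const out = {};
  for (const e of matchAny(evts, iocs)) {
    (out[e.src_ip] = out[e.src_ip] || []).push(...indicatorsIn(e, iocs));
  }
  return out;
}

console.log(matchAny(events, indicators).length);     // 4
console.log(matchIpsOnly(events, indicators).length); // 2
console.log(matchAll(events, indicators).length);     // 0
console.log(hitsBySource(events, indicators));
// { '10.0.4.15': [ '198.51.100.23', 'update-cdn.example', 'mail-relay.example', '203.0.113.77' ] }
```

The OR query is the right starting point in a real SIEM as well, but the grouping step is what turns four unrelated hits into the finding that one workstation touched every indicator over two days.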

78
Q

A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization’s proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent?

A. An attacker is performing reconnaissance of the organization's workstations
B. An infected workstation is attempting to reach a command and control server
C. A malicious insider is trying to exfiltrate information to a remote network
D. Malware is running on a company workstation or server

A

B. An infected workstation is attempting to reach a command and control server

Explanation:
A call home message is an indicator of compromise known as beaconing: an implanted stage 1 malware program periodically tries to contact the attacker's command and control (C2) server for instructions. Option D (malware is running on a company workstation or server) is also true, but it is less specific; the repeated, outbound, well-known call home messages point to an infected host trying to reach its C2 server. The beaconing continues until the infected system is found and cleaned of the malware, or until the attacker's infrastructure answers with further instructions. Here the proxy is dropping the messages, so the host has received no instructions yet, but each blocked attempt is still evidence of the infection and of which host to investigate.
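The following added example (not from the course) shows one way a sensor or analyst picks beaconing out of proxy logs: group connections by internal host and destination, measure the gaps between them, and flag pairs whose interval is nearly constant. The hosts, destinations, timestamps and thresholds are all constructed for the illustration.

```javascript
// Added example, not from the course: flagging beaconing in proxy logs by
// looking for near-constant intervals between connections from one internal
// host to one destination. Hosts, destinations and timestamps are constructed.

// Constructed proxy log: ws-17 calls home every 300 s (small jitter) and is
// blocked each time; ws-22 browses normally at irregular intervals.
const proxyLog = [];
const base = Date.parse('2024-03-01T08:00:00Z');
const beaconOffsets = [0, 299, 601, 900, 1202, 1499, 1801, 2100, 2398, 2701];
for (const s of beaconOffsets) {
  proxyLog.push({ ts: base + s * 1000, src: 'ws-17', dst: 'cdn-sync.example', action: 'BLOCK' });
}
const browseOffsets = [12, 35, 40, 410, 415, 420, 1300, 2000, 2010, 2600];
for (const s of browseOffsets) {
  proxyLog.push({ ts: base + s * 1000, src: 'ws-22', dst: 'news.example', action: 'ALLOW' });
}

// Interval statistics for one (src, dst) pair: mean gap in seconds and the
// coefficient of variation (standard deviation divided by the mean).
function intervalStats(timestamps) {
  const t = [...timestamps].sort((a, b) => a - b);
  const gaps = [];
  for (let i = 1; i < t.length; i += 1) gaps.push((t[i] - t[i - 1]) / 1000);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return { count: t.length, meanGap: mean, cv: Math.sqrt(variance) / mean };
}

// Flag pairs with enough connections whose interval jitter is below a
// threshold. Both thresholds are tuning assumptions for this example.
function findBeacons(log, { minCount = 6, maxCv = 0.1 } = {}) {
  const byPair = new Map();
  for (const e of log) {
    const key = `${e.src} -> ${e.dst}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(e.ts);
  }
  const flagged = [];
  for (const [key, ts] of byPair) {
    if (ts.length < minCount) continue;
    const s = intervalStats(ts);
    if (s.cv <= maxCv) flagged.push({ pair: key, ...s });
  }
  return flagged;
}

console.log(findBeacons(proxyLog));
// [ { pair: 'ws-17 -> cdn-sync.example', count: 10, meanGap: 300.1..., cv: 0.00... } ]
```

Real implants add deliberate jitter and longer sleeps, so production detections look at the distribution of gaps over a longer window and at the consistency of request size as well; the point here is that the blocked attempts themselves, lined up in time, are what identify the infected host.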

79
Q

Which of the following is NOT considered a phase in the incident response cycle?

A. Containment, eradication and recovery
B. Notification and communication
C. Detection and analysis
D. Preparation

A

B. Notification and communication

Explanation:
There are four phases in the incident response cycle as defined in NIST SP 800-61: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. Notifications and communication take place throughout an incident, but they are not one of the four defined phases.

80
Q

A SOC analyst has detected the repeated usage of a compromised user credential on the company’s email server. The analyst sends you an email asking you to check the server for any indicators of compromise since the email server is critical to continued business operations. Which of the following was likely overlooked by your organization during the incident response preparation phase?

A. Prepare a jump bag or kit for use in the investigation
B. Conduct training on how to search for indicators of compromise
C. Develop a communications plan that includes provisions for how to operate in a compromised environment
D. Perform a data criticality and prioritization analysis

A

C. Develop a communications plan that includes provisions for how to operate in a compromised environment

Explanation:
As part of your preparation phase, your organization should develop a communications plan that details which communication methods will be used during a compromise of various systems. If the analyst suspected the email server was compromised, then communications about the incident response efforts (including detection and analysis) should be shifted to a different communications path, such as encrypted chat, voice, or other secure means.

81
Q

You are working as a security administrator and need to respond to an ongoing spearphishing campaign against your organization. Which of the following should be used as a checklist of actions to perform to detect and respond to this particular incident?

A. Runbook
B. Incident response plan
C. Disaster recovery plan
D. Playbook

A

D. Playbook

Explanation:
A playbook is a checklist of actions to perform to detect and respond to a specific type of incident. Your organization will have playbooks for phishing attempts, privilege escalation, and other specific types of incidents. A runbook is an automated version of a playbook used by a SOAR to have the system conduct as many steps as possible.

82
Q

What information should be recorded on a chain of custody form during a forensic investigation?

A. The list of individuals who made contact with files leading to the investigation
B. The list of former owners/operators of the workstation involved in the investigation
C. Any individual who worked with evidence during the investigation
D. The law enforcement agent who was first on the scene

A

C. Any individual who worked with evidence during the investigation

Explanation:
Chain of custody forms list every person who has handled or worked with the evidence in an investigation, recording each transfer and every action taken while that person had possession of it, with dates, times, and signatures. Depending on the organization's procedures, handling the evidence may require a second person to witness the action. Hash values of the evidence are normally recorded at collection and verified at each hand-off so that any change can be detected. While the chain of custody records who initially collected the evidence, it does not have to record who was first on the scene if that person did not collect the evidence.

83
Q

A company has recently experienced a data breach and has lost nearly 1 GB of personally identifiable information about its customers. You have been assigned as part of the incident response team to identify how the data was leaked from the network. Your team has conducted an extensive investigation, and so far, the only evidence of a large amount of data leaving the network is from the email server. One user has sent numerous large attachments out of the network to their personal email address. Upon closer inspection, those emails only contain pictures of that user’s recent trip to Australia. What is the most likely explanation for how the data left the network?

A. Steganography was used to hide the leaked data inside the user's photos
B. The files were downloaded from home while connected to the corporate VPN
C. The data was hashed and then emailed to their personal email account
D. The data was encrypted and emailed to their spouse's email account

A

A. Steganography was used to hide the leaked data inside the users photos

Explanation:
The most likely explanation is that the user used steganography to hide the leaked data inside their trip photos. Steganography is the process of hiding one message inside another; a modified photo still opens and displays normally, so the incident response team would not notice the embedded data without knowing to look for it. Detecting it means comparing the sent files against known originals (size, hash) or running statistical steganalysis on them, rather than relying on content inspection of what the picture shows.
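As an added example, not from the course, the block below implements the simplest form of image steganography, least-significant-bit (LSB) embedding, on a constructed grayscale pixel buffer that stands in for a photo, then recovers the hidden bytes and shows that no pixel changed by more than one step. The embedding layout (a 4-byte length header, one message bit per pixel) and the sample record are this example's own assumptions, not any particular tool's format.

```javascript
// Added example, not from the course: least-significant-bit (LSB) image
// steganography, the simplest form of what the explanation describes. A
// constructed grayscale pixel buffer stands in for the photo; the embedding
// layout (4-byte length header, one message bit per pixel LSB) is this
// example's own convention, not any particular stego tool's format.

// Constructed "photo": 4096 8-bit pixels forming a smooth gradient.
function makeCoverImage(size = 4096) {
  const px = Buffer.alloc(size);
  for (let i = 0; i < size; i += 1) px[i] = (i * 7) % 256;
  return px;
}

// Hide `message` in the LSBs of `cover`; returns a new buffer, cover unchanged.
function embedLsb(cover, message) {
  const payload = Buffer.concat([Buffer.alloc(4), message]);
  payload.writeUInt32BE(message.length, 0);
  if (payload.length * 8 > cover.length) throw new Error('message too large for cover');
  const stego = Buffer.from(cover);
  for (let bit = 0; bit < payload.length * 8; bit += 1) {
    const b = (payload[bit >> 3] >> (7 - (bit & 7))) & 1;
    stego[bit] = (stego[bit] & 0xfe) | b; // replace only the lowest bit
  }
  return stego;
}

// Recover the message from a stego buffer produced by embedLsb.
function extractLsb(stego) {
  const readByte = (i) => {
    let v = 0;
    for (let k = 0; k < 8; k += 1) v = (v << 1) | (stego[i * 8 + k] & 1);
    return v;
  };
  const header = Buffer.from([0, 1, 2, 3].map(readByte));
  const len = header.readUInt32BE(0);
  const out = Buffer.alloc(len);
  for (let i = 0; i < len; i += 1) out[i] = readByte(4 + i);
  return out;
}

// Largest per-pixel change. LSB embedding never moves a pixel by more than 1,
// which is why the picture looks identical to the eye.
function maxPixelDelta(a, b) {
  let max = 0;
  for (let i = 0; i < a.length; i += 1) max = Math.max(max, Math.abs(a[i] - b[i]));
  return max;
}

// Constructed "leaked record" the insider hides in a trip photo (fake data).
const secret = Buffer.from('customer,ssn,dob\nJ. Doe,000-11-2222,1980-01-01\n', 'utf8');
const cover = makeCoverImage();
const stego = embedLsb(cover, secret);
console.log(extractLsb(stego).toString('utf8') === secret.toString('utf8')); // true
console.log(maxPixelDelta(cover, stego)); // 1
```

A real photo has three colour channels and is usually JPEG-compressed, which destroys plain LSB changes, so tools either work on lossless formats or embed in the JPEG coefficients instead; the recovery and the tiny per-pixel change are the same in both cases. For the investigators, the file size being unchanged and the image looking normal are exactly why only a hash comparison against the originals or statistical tests on the LSB plane would have revealed it.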

84
Q

You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?

A. Image of the server's SSD
B. L3 cache
C. Backup tapes
D. ARP cache

A

B. L3 cache

Explanation:
When collecting evidence, you should always follow the order of volatility: collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. The order begins with CPU registers and cache memory (L1/L2/L3/GPU), followed by the contents of system memory (RAM), which includes the routing table, ARP cache, process table, kernel statistics, and temporary file systems, swap space, and virtual memory. Next come data storage devices such as hard drives, SSDs, and flash memory, and finally archival media such as backup tapes. In practice responders rarely capture registers or cache directly and a full memory image is usually the first artifact actually acquired, but in the order of volatility the cache ranks above the ARP cache, the SSD image, and the backup tapes.

85
Q
A