Exam A Flashcards
A company has hired a third-party to gather information about the company’s servers and data. This third-party will not have direct access to the company’s internal network, but they can gather information from any other source. Which of the following would BEST describe this approach?
Passive reconnaissance
Passive reconnaissance focuses on gathering as much information as possible from open sources such as social media, corporate websites, and business organizations.
Which of these threat actors would be MOST likely to attack systems for direct financial gain?
Organized crime
An organized crime actor is motivated by money, and their hacking objectives are usually ones that can be easily exchanged for financial capital.
A security administrator has examined a server recently compromised by an attacker, and has determined the system was exploited due to a known operating system vulnerability. Which of the following would BEST describe this finding?
Root cause analysis
The goal of a root cause analysis is to explain the ultimate cause of an incident. Once the cause is known, it becomes easier to protect against similar attacks in the future.
A city is building an ambulance service network for emergency medical dispatching. Which of the following should have the highest priority?
System availability
Requests to emergency services are often critical in nature, and it’s important for a dispatching system to always be available when a call is made.
A system administrator receives a text alert when access rights are changed on a database containing private customer information. Which of the following would describe this alert?
Automation
Automation ensures that compliance checks can be performed on a regular basis without the need for human intervention. This can be especially useful to provide alerts when a configuration change causes an organization to be out of compliance.
A security administrator is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration?
Create an operating system security policy to prevent the use of removable media
Removable media uses hot-pluggable interfaces such as USB to connect storage drives. A security policy in the operating system can prevent any files from being written to a removable drive.
A company creates a standard set of government reports each calendar quarter. Which of the following would describe this type of data?
Regulated
Reports and information created for governmental use are regulated by laws regarding the disclosure of certain types of data.
An insurance company has created a set of policies to handle data breaches. The security team has been given this set of requirements based on these policies:
* Access records from all devices must be saved and archived
* Any data access outside of normal working hours must be immediately reported
* Data access must only occur inside of the country
* Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server
A. Restrict login access by IP address and GPS location,
E. Consolidate all logs on a SIEM, and
G. Enable time-of-day restrictions on the authentication server
Adding location-based policies will prevent direct data access from outside of the country. Saving log information from all devices and creating audit reports from a single database can be implemented through the use of a SIEM (Security Information and Event Manager). Adding a check for the time-of-day will report any access that occurs during non-working hours.
A security engineer is viewing this record from the firewall logs:
UTC 04/05/2023 03:09:15809 AV Gateway Alert 136.127.92.171 80 -> 10.16.10.14 60818 Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked.
Which can be observed from this log information?
A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818) indicates that this traffic flow originated on port 80 of the web server. A file download is one of the most common ways to deliver a Trojan, and this log entry shows that the file containing the XPACK.A_7854 Trojan was blocked.
A user connects to a third-party website and receives this message:
Your connection is not private.
NET::ERR_CERT_INVALID
Which attack would be the MOST likely reason for this message?
On-path
An on-path attack is often associated with a third-party who is actively
intercepting network traffic. This entity in the middle would not be able
to provide a valid SSL certificate for a third-party website, and this error
would appear in the browser as a warning.
Which would be the BEST way to provide a website
login using existing credentials from a third-party site?
Federation
Federation would allow members of one organization to authenticate
using the credentials of another organization.
A system administrator is working on a contract that will specify a
minimum required uptime for a set of Internet-facing firewalls. The
administrator needs to know how often the firewall hardware is expected
to fail between repairs. Which of the following would BEST describe this
information?
MTBF
The MTBF (Mean Time Between Failures) is a prediction of how often a
repairable system will fail.
An attacker calls into a company’s help desk and pretends to be the
director of the company’s manufacturing department. The attacker
states that they have forgotten their password and they need to have the
password reset quickly for an important meeting. What kind of attack
would BEST describe this phone call?
Social engineering
This social engineering attack uses impersonation to take advantage of
authority and urgency principles in an effort to convince someone else to
circumvent normal security controls.
Two companies have been working together for a number of months,
and they would now like to qualify their partnership with a broad formal
agreement between both organizations. Which would
describe this agreement?
MOA
An MOA (Memorandum of Agreement) is a formal document where
both sides agree to a broad set of goals and objectives associated with the
partnership.
Which would explain why a company would
automatically add a digital signature to each outgoing email message?
Integrity
Integrity refers to the trustworthiness of data. A digital signature allows
the recipient to confirm that none of the data has been changed since the
digital signature was created.
The embedded OS in a company’s time clock appliance is configured to
reset the file system and reboot when a file system error occurs. On one
of the time clocks, this file system error occurs during the startup process
and causes the system to constantly reboot. Which BEST describes this issue?
Race condition
A race condition occurs when two processes occur at similar times, and
usually with unexpected results. The file system problem can often be fixed
before a reboot, but the reboot is occurring before the fix can be applied.
This has created a race condition that results in constant reboots.
A recent audit has found that existing password policies do not include
any restrictions on password attempts, and users are not required to
periodically change their passwords. Which would
correct these policy issues? (Select TWO)
❍ A. Password complexity
❍ B. Password expiration
❍ C. Password reuse
❍ D. Account lockout
❍ E. Password managers
B. Password expiration and D. Account lockout
Password expiration would require a password change after the expiration
date. An account lockout would disable an account after a predefined
number of unsuccessful login attempts.
What kind of security control is associated with a login banner?
Deterrent
A deterrent control does not directly stop an attack, but it may discourage
an action.
An internal audit has discovered four servers that have not been updated
in over a year, and it will take two weeks to test and deploy the latest
patches. Which of the following would be the best way to quickly
respond to this situation in the meantime?
Move the servers to a protected segment
Segmenting the servers to their own protected network would allow
for additional security controls while still maintaining the uptime and
availability of the systems.
A business manager is documenting a set of steps for processing orders
if the primary Internet connection fails. Which would BEST
describe these steps?
Continuity of operations
It’s always useful to have an alternative set of processes to handle any type
of outage or issue. Continuity of operations planning ensures that the
business will continue to operate when these issues occur.
A company would like to examine the credentials of each individual
entering the data center building. Which would BEST
facilitate this requirement?
Access control vestibule
An access control vestibule is a room designed to restrict the flow of
individuals through an area. These are commonly used in high-security
areas where each person needs to be evaluated and approved before access
can be provided.
A company stores some employee information in encrypted form, but
other public details are stored as plaintext. Which of the following would
BEST describe this encryption strategy?
Record
Record-level encryption is commonly used with databases to encrypt
individual columns within the database. This would store some
information in the database as plaintext and other information as
encrypted data.
A company would like to minimize database corruption if power is lost to
a server. Which would be the BEST strategy to follow?
Journaling
Journaling writes data to a temporary journal before writing the
information to the database. If power is lost, the system can recover the
last transaction from the journal when power is restored.
A company is creating a security policy for corporate mobile devices:
* All mobile devices must be automatically locked after a predefined
time period.
* The location of each device needs to be traceable.
* All of the user’s information should be completely separate from
company data.
Which would be the BEST way to establish these
security policy rules?
MDM
An MDM (Mobile Device Manager) provides a centralized management
system for all mobile devices. From this central console, security
administrators can set policies for many different types of mobile devices.
A security engineer runs a monthly vulnerability scan. The scan doesn’t
list any vulnerabilities for Windows servers, but a significant vulnerability
was announced last week and none of the servers are patched yet. Which
best describes this result?
False negative
A false negative is a result that fails to detect an issue when one
actually exists.
An IT help desk is using automation to improve the response time for
security events. Which use case would apply to this
process?
Escalation
Automation can recognize security events and escalate a security-related
ticket to the incident response team without any additional human
interaction.
A network administrator would like each user to authenticate with
their corporate username and password when connecting to the
company’s wireless network. Which should the network administrator configure on the wireless access points?
802.1X
802.1X uses a centralized authentication server, and this allows all users to
use their corporate credentials during the login process.
A company’s VPN service performs a posture assessment during the
login process. Which of the following mitigation techniques would this
describe?
Configuration enforcement
A posture assessment evaluates the configuration of a system to ensure
all configurations and applications are as up to date and secure as possible.
If a configuration does not meet these standards, the user is commonly
provided with options for resolving the issue before proceeding.
A user has assigned individual rights and permissions to a file on their
network drive. The user adds three additional individuals to have read-only access to the file. Which would describe this access control model?
Discretionary
Discretionary access control is used in many operating systems, and this
model allows the owner of the resource to control who has access.
A remote user has received a text message with a link to login and
confirm their upcoming work schedule. Which would
BEST describe this attack?
Smishing
Smishing, or SMS (Short Message Service) phishing, is a social
engineering attack that asks for sensitive information using SMS or
text messages.
A company is formalizing the design and deployment process used by
their application programmers. Which of the following policies would
apply?
Development lifecycle
A formal software development lifecycle defines the specific policies
associated with the design, development, testing, deployment, and
maintenance of the application development process.
A security administrator has copied a suspected malware executable from
a user’s computer and is running the program in a sandbox. Which would describe this part of the incident response process?
Containment
The isolation and containment process prevents malware from spreading
and allows the administrator to analyze the operation of the malware
without putting any other devices at risk.
A server administrator at a bank has noticed a decrease in the number
of visitors to the bank’s website. Additional research shows that users are
being directed to a different IP address than the bank’s web server. Which
of the following would MOST likely describe this attack?
DNS poisoning
DNS poisoning modifies the records on a DNS server to change the IP
address provided during the name resolution process. If an attacker
modifies the DNS information, they can direct client computers to any
destination IP address.
Which consideration is MOST commonly associated
with a hybrid cloud model?
Network protection mismatches
A hybrid cloud includes more than one private or public cloud. This adds
additional complexity to the overall infrastructure, and it’s common to
inadvertently apply different authentication options and user permissions
across multiple cloud providers.