Exam C Flashcards
A finance company is legally required to maintain seven years of tax records for all of their customers. Which would be the BEST way to implement this requirement?
Create a separate daily backup archive for all applicable tax records
An important consideration for a data retention mandate is to always have access to the information over the proposed time frame. In this example, a daily backup would ensure tax information is constantly archived over a seven-year period and could always be retrieved if needed. If data was inadvertently deleted from the primary storage, the backup would still maintain a copy.
A system administrator is designing a data center for an insurance company’s new public cloud and would like to automatically rotate encryption keys on a regular basis. Which of the following would provide this functionality?
Key management system
A key management system is used to manage large security key implementations from a central console. This includes creating keys, associating keys with individuals, rotating keys on regular intervals, and logging all key use.
A newly installed IPS is flagging a legitimate corporate application as malicious network traffic. Which would be the BEST way to resolve this issue?
Tune the IPS alerts
Each signature of an IPS can commonly be tuned to properly alert on a legitimate issue. Tuning the IPS can properly identify and block attacks and allow all legitimate traffic.
A security administrator has identified an internally developed application which allows modification of SQL queries through the web-based front-end. Which of the following changes would resolve this vulnerability?
Validate all application input
Input validation would examine the input from the client and make sure that the input is expected and not malicious. In this example, validating the input would prevent any SQL (Structured Query Language) injection through the web front-end.
A system administrator is implementing a fingerprint scanner to provide access to the data center. Which authentication technology would be associated with this access?
Something you are
An authentication factor of “something you are” often refers to a physical characteristic. This factor commonly uses fingerprints, facial recognition, or some other biometric characteristic to match a user to an authentication attempt.
The IT department of a transportation company maintains an on-site inventory of chassis-based network switch interface cards. If a failure occurs, the on-site technician can replace the interface card and have the system running again in sixty minutes. Which BEST describes this recovery metric?
MTTR
MTTR (Mean Time To Restore) is the amount of time required to get back up and running. This is sometimes called Mean Time To Repair.
A company maintains a server farm in a large data center. These servers are used internally and are not accessible from outside of the data center. The security team has discovered a group of servers was breached before the latest security patches were applied. Breach attempts were not logged on any other servers. Which threat actor would be MOST likely involved in this breach?
Insider
None of these servers are accessible from the outside, and the only servers with any logged connections were also susceptible to the latest vulnerabilities. To complete this attack, there would need to be very specific knowledge of the vulnerable systems and a way to communicate with those servers.
An organization has received a vulnerability scan report of their Internet-facing web servers. The report shows the servers have multiple Sun Java Runtime Environment (JRE) vulnerabilities, but the server administrator has verified that JRE is not installed. Which would be the BEST way to handle this report?
Ignore the JRE vulnerability alert
It’s relatively common for vulnerability scans to show vulnerabilities that don’t actually exist, especially if the scans are not credentialed. An issue that is identified but does not actually exist is a false positive, and it can be dismissed once the alert has been properly researched.
A user downloaded and installed a utility for compressing and decompressing files. Immediately after installing the utility, the user’s overall workstation performance degraded and it now takes twice as much time to perform any tasks on the computer. Which is the BEST description of this malware infection?
Trojan
A Trojan horse is malicious software that pretends to be something benign. The user will install the software with the expectation that it will perform a particular function, but in reality it is installing malware on the computer.
Which of the following is the process for replacing sensitive data with a non-sensitive and functional placeholder?
Tokenization
Tokenization replaces sensitive data with a token, and this token can be used as a functional placeholder for the original data. Tokenization is commonly used with credit card processing and mobile devices.
A security administrator has installed a new firewall to protect a web server VLAN. The application owner requires all web server sessions communicate over an encrypted channel. Which rule should the security administrator add to the firewall rulebase?
Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow
Most web servers use tcp/443 for HTTPS (Hypertext Transfer Protocol Secure) for encrypted web server communication. This rule allows HTTPS encrypted traffic to be forwarded to the web server over tcp/443.
Which of these would be used to provide multi-factor authentication?
Smart card with picture ID
A smart card commonly includes a certificate that can be used as a multifactor authentication of something you have. These smart cards are commonly combined with an employee identification card, and often require a separate PIN (Personal Identification Number) as an additional authentication factor.
A company’s human resources team maintains a list of all employees participating in the corporate savings plan. A third-party financial company uses this information to manage stock investments for the employees. Which of the following would describe this financial company?
Processor
A data processor performs some type of action to the data, and this is often a different group within the organization or a third-party company. In this example, the third-party financial organization is the data processor of the employee’s financial data.
A company’s network team has been asked to build an IPsec tunnel to a new business partner. Which security risk would be the MOST important to consider?
Supply chain attack
A direct connection to a third-party creates potential access for an attacker. Most organizations will include a firewall to help monitor and protect against any supply chain attacks.
A technology company is manufacturing a military-grade radar tracking system designed to identify any nearby unmanned aerial vehicles (UAVs). The UAV detector must be able to instantly identify and react to a vehicle without delay. Which would BEST describe this tracking system?
RTOS
This tracking system requires an RTOS (Real-Time Operating System) to instantly react to input without any significant delays or queuing in the operating system. Operating systems used by the military, automobile manufacturers, and industrial equipment companies often use RTOS to process certain transactions without any significant delays.
An administrator is writing a script to convert an email message to a help desk ticket and assign the ticket to the correct department. Which should the administrator use to complete this script?
Orchestration
Orchestration describes the process of automation, and is commonly associated with large scale automation or automating processes between different systems.
A security administrator would like a report showing how many attackers are attempting to use a known vulnerability to gain access to a corporate web server. Which should be used to gather this information?
IPS log
An IPS (Intrusion Prevention System) commonly uses a database of known vulnerabilities to identify and block malicious network traffic. This log of attempted exploits would provide the required report information.
During a ransomware outbreak, an organization was forced to rebuild database servers from known good backup systems. In which of the following incident response phases were these database servers brought back online?
Recovery
The recovery phase focuses on getting things back to normal after an attack. This is the phase that removes malware, fixes vulnerabilities, and recovers the damaged systems.
A security administrator is installing a web server with a newly built operating system. Which of the following would be the best way to harden this OS?
Remove unnecessary software
The process of hardening an operating system makes it more difficult to attack. In this example, the only step that would limit the attack surface is to remove any unnecessary or unused software.
An incident response team would like to validate their disaster recovery plans without making any changes to the infrastructure. Which of the following would be the best course of action?
Tabletop exercise
A tabletop exercise is a walk-through exercise where the disaster recovery process can be discussed in a conference room without making any changes to the existing systems.
A network IPS has created this log entry:
-Frame 4: 937 bytes on wire (7496 bits), 937 bytes captured
-Ethernet II, Src: HewlettP_82:d8:31, Dst: Cisco_a1:b0:d1
-Internet Protocol Version 4, Src: 172.16.22.7, Dst: 10.8.122.244
-Transmission Control Protocol, Src Port: 3863, Dst Port: 1433
-Application Data: SELECT * FROM users WHERE username='x' or 'x'='x' AND password='x' or 'x'='x'
Which would describe this log entry?
SQL injection
The SQL injection is contained in the application data. The attacker was attempting to circumvent the authentication through the use of equivalent SQL statements ('x'='x').
A system administrator has installed a new firewall between the corporate user network and the data center network. When the firewall is turned on with the default settings, users complain the application in the data center is no longer working. Which would be the BEST way to correct this application issue?
Create firewall rules that match the application traffic flow
By default, most firewalls implicitly deny all traffic. Firewall rules must be built to match the traffic flows, and only then will traffic pass through the firewall.
Which of these would be used to provide HA for a web-based database application?
UPS
HA (High Availability) means the service should always be on and available. The only device on this list providing HA is the UPS (Uninterruptible Power Supply). If power is lost, the UPS will provide electricity using battery power or a gas-powered generator.
Each year, a certain number of laptops are lost or stolen and must be replaced by the company. Which of the following would describe the total cost the company spends each year on laptop replacements?
ALE
The ALE (Annual Loss Expectancy) is the total amount of the financial loss over an entire year.
A network administrator is viewing a log file from a web server:
https://www.example.com/?s=/Index/think/app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][0]=__HelloThinkPHP
Which would be the BEST way to prevent this attack?
Input validation
In this example, the attacker is attempting to use a remote code execution exploit. Input validation can be used to create a very specific filter of allowed input, and a strict validation process would have prevented the web server from processing this attack information.
Sam would like to send an email to Jack and have Jack verify that Sam was the sender of the email. Which should Sam use to provide this verification?
Digitally sign with Sam’s private key
The sender of a message digitally signs with their own private key to ensure integrity, authentication, and non-repudiation of the signed contents. The digital signature is validated with the sender’s public key.
The contract of a long-term temporary employee is ending. Which would be the MOST important part of the off-boarding process?
Archive the decryption keys associated with the user account
Without the decryption keys, it will be impossible to access any of the user’s protected files once they leave the company. Given the other possible answers, this one is the only one that would result in unrecoverable data loss if not properly followed.
A cybersecurity analyst has been asked to respond to a denial of service attack against a web server, and the analyst has collected the log files and data from the server. Which would allow a future analyst to verify the data as original and unaltered?
Data hashing
Data hashing creates a unique message digest based on stored data. If the data is tampered with, a hash taken after the change will differ from the original value. This allows the forensic engineer to identify if information has been changed.
A security administrator is reviewing authentication logs. The logs show a large number of accounts with at least three failed authentication attempts during the previous week. Which would BEST explain this report data?
Spraying
A spraying attack attempts to discover login credentials using a small number of authentication attempts. If the password isn’t discovered in those few attempts, the brute force process stops before any account lockouts occur. An attacker could potentially perform a spraying attack across many accounts without any noticeable alerts or alarms.
A security administrator has been asked to block all browsing to casino gaming websites. Which of the following would be the BEST way to implement this requirement?
Add a content filter rule
Web filters contain a large database of categorized website addresses, and this allows an administrator to create rules to block browsing attempts to specific content. For example, a content filter may allow browsing to news and business sites, but block browsing attempts to gaming and shopping sites.
A company is experiencing downtime and outages when application patches and updates are deployed during the week. Which of the following would help to resolve these issues?
Change management procedures
Change management defines a series of best practices for implementing changes in a complex technical environment. The goals of change management are to implement updates and changes while also maintaining the uptime and availability of critical business systems.
A company is implementing a series of steps to follow when responding to a security event. Which of the following would provide this set of processes and procedures?
Playbook
A playbook provides a conditional set of steps to follow when addressing a specific event. An organization might have separate playbooks for investigating a data breach, responding to a virus infection, or recovering from a ransomware attack.
A transportation company maintains a scheduling application and a database in a virtualized cloud-based environment. Which would be the BEST way to back up these services?
Snapshot
Virtual machines (VMs) have a snapshot feature to capture both a full backup of the virtual system and incremental changes that occur over time. It’s common to take a snapshot of a VM for backup purposes or before making any significant changes to the VM. If the changes need to be rolled back, a previous snapshot can be selected and instantly applied to the VM.
In an environment using discretionary access controls, which of these would control the rights and permissions associated with a file or directory?
Owner
The owner of an object controls access in a discretionary access control model. The object and type of access is at the discretion of the owner, and they can determine who can access the file and the type of access they would have.