First 100 Flashcards

Question 1

Q

A user is attempting to navigate to a website from inside the company network using a desktop. When the user types in the URL, https://www.site.com, the user is presented with a certificate mismatch warning from the browser. The user does not receive a warning when visiting http://www.anothersite.com. Which of the following describes this attack?

A. On-path
B. Domain hijacking
C. DNS poisoning
D. Evil twin

Answer

A

C. DNS poisoning

Question 2

Q

Which of the following tools is effective in preventing a user from accessing unauthorized removable media?

A. USB data blocker
B. Faraday cage
C. Proximity reader
D. Cable lock

Answer

A

A. USB data blocker

Question 3

Q

A Chief Security Officer is looking for a solution that can provide increased scalability and flexibility for back-end infrastructure, allowing it to be updated and modified without disruption to services. The security architect would like the solution selected to reduce the back-end server resources and has highlighted that session persistence is not important for the applications running on the back-end servers. Which of the following would BEST meet the requirements?

A. Reverse proxy
B. Automated patch management
C. Snapshots
D. NIC teaming

Answer

A

A. Reverse proxy

Question 4

Q

Which of the following describes a social engineering technique that seeks to exploit a person’s sense of urgency?

A. A phishing email stating a cash settlement has been awarded but will expire soon
B. A smishing message stating a package is scheduled for pickup
C. A vishing call that requests a donation be made to a local charity
D. A SPIM notification claiming to be undercover law enforcement investigating a cybercrime

Answer

A

A. A phishing email stating a cash settlement has been awarded but will expire soon Most Voted

Question 5

Q

A security analyst is reviewing application logs to determine the source of a breach and locates the following log: https://www.comptia.com/login.php?id=’%20or%20’1’1=’1
Which of the following has been observed?

A. DLL Injection
B. API attack
C. SQLi
D. XSS

Question 6

Q

An audit identified PII being utilized in the development environment of a critical application. The Chief Privacy Officer (CPO) is adamant that this data must be removed; however, the developers are concerned that without real data they cannot perform functionality tests and search for specific data. Which of the following should a security professional implement to BEST satisfy both the CPO’s and the development team’s requirements?

A. Data anonymization
B. Data encryption
C. Data masking
D. Data tokenization

Answer

A

A. Data anonymization

Data anonymization is the process of protecting private or sensitive information by erasing or encrypting identifiers that connect an individual to stored data.

Question 7

Q

A company is implementing a DLP solution on the file server. The file server has PII, financial information, and health information stored on it. Depending on what type of data that is hosted on the file server, the company wants different DLP rules assigned to the data. Which of the following should the company do to help accomplish this goal?

A. Classify the data.
B. Mask the data.
C. Assign the application owner.
D. Perform a risk analysis.

Answer

A

A. Classify the data.

DLP = Data Loss Prevention

Question 8

Q

A forensics investigator is examining a number of unauthorized payments that were reported on the company’s website. Some unusual log entries show users received an email for an unwanted mailing list and clicked on a link to attempt to unsubscribe. One of the users reported the email to the phishing team, and the forwarded email revealed the link to be:
<a>Click here to unsubscribe</a>
Which of the following will the forensics investigator MOST likely determine has occurred?

A. SQL injection
B. Broken authentication
C. XSS
D. XSRF

Answer

A

D. XSFR

CSRF== XSFR
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform

Question 9

Q

A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?

A. MFA
B. Lockout
C. Time-based logins
D. Password history

Answer

A

A. MFA Most Voted

Question 10

Q

A company wants to simplify the certificate management process. The company has a single domain with several dozen subdomains, all of which are publicly accessible on the internet. Which of the following BEST describes the type of certificate the company should implement?

A. Subject alternative name
B. Wildcard
C. Self-signed
D. Domain validation

Question 11

Q

Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?

A. DLP
B. NIDS
C. TPM
D. FDE

Answer

A

Data loss prevention (DLP) makes sure that users do not send sensitive or critical information outside the corporate network.

Question 12

Q

Several attempts have been made to pick the door lock of a secure facility. As a result, the security engineer has been assigned to implement a stronger preventative access control. Which of the following would BEST complete the engineer’s assignment?

A. Replacing the traditional key with an RFID key
B. Installing and monitoring a camera facing the door
C. Setting motion-sensing lights to illuminate the door on activity
D. Surrounding the property with fencing and gates

Answer

A

A. Replacing the traditional key with an RFID key

Question 13

Q

Which of the following can be used by a monitoring tool to compare values and detect password leaks without providing the actual credentials?

A. Hashing
B. Tokenization
C. Masking
D. Encryption

Answer

A

A. Hashing

Hashing is a data security technique used to convert data values into alternate, unique identifiers called hashes for quick and secure access. Hashing can be used for data security because the one-way process prevents access to or tampering with the source data

Question 14

Q

A security engineer is building a file transfer solution to send files to a business partner. The users would like to drop off the files in a specific directory and have the server send the file to the business partner. The connection to the business partner is over the internet and needs to be secure. Which of the following can be used?

A. S/MIME
B. LDAPS
C. SSH
D. SRTP

Answer

A

C. SSH

Answer: SSH - SSH or (Secure Shell) is a protocol that enables two computers to communicate securely by encrypting the connection.

Question 15

Q

An administrator needs to protect user passwords and has been advised to hash the passwords. Which of the following BEST describes what the administrator is being advised to do?

A. Perform a mathematical operation on the passwords that will convert them into unique strings.
B. Add extra data to the passwords so their length is increased, making them harder to brute force.
C. Store all passwords in the system in a rainbow table that has a centralized location.
D. Enforce the use of one-time passwords that are changed for every login session.

Answer

A

A. Perform a mathematical operation on the passwords that will convert them into unique strings.

Question 16

Q

Which of the following would be indicative of a hidden audio file found inside of a piece of source code?

A. Steganography
B. Homomorphic encryption
C. Cipher suite
D. Blockchain

Answer

A

A. Steganography

Steganography is the art of punting information inside of information. Is like hiding something in front of everyone eyes.

Question 17

Q

A user enters a username and a password at the login screen for a web portal. A few seconds later the following message appears on the screen:
Please use a combination of numbers, special characters, and letters in the password field.
Which of the following concepts does this message describe?

A. Password complexity
B. Password reuse
C. Password history
D. Password age

Answer

A

A. Password complexity

Question 18

Q

A company recently experienced an inside attack using a corporate machine that resulted in data compromise. Analysis indicated an unauthorized change to the software circumvented technological protection measures. The analyst was tasked with determining the best method to ensure the integrity of the systems remains intact and local and remote boot attestation can take place. Which of the following would provide the BEST solution?

A. HIPS
B. FIM
C. TPM
D. DLP

Answer

A

C. TPM

Trusted Platform Modules (TPM) chips have mechanisms to prevent system tampering and boot attestation can be done with TPM based hardware to verify the state of the firmware, bootloader, etc. TPM is the best option here

Question 19

Q

Which of the following is a reason to publish files’ hashes?

A. To validate the integrity of the files
B. To verify if the software was digitally signed
C. To use the hash as a software activation key
D. To use the hash as a decryption passphrase

Answer

A

A. To validate the integrity of the files

Hashes = Integrity always

Question 20

Q

A security manager has tasked the security operations center with locating all web servers that respond to an unsecure protocol. Which of the following commands could an analyst run to find the requested servers?

A. nslookup 10.10.10.0
B. nmap -p 80 10.10.10.0/24
C. pathping 10.10.10.0 -p 80
D. ne -l -p 80

Answer

A

B. nmap -p 80 10.10.10.0/24

Nmap or network mapper is a network discovery and security auditing tool mainly used to find services, hosts, and open ports on a network. In this case, nmap will check for the HTTP port 80.

Question 21

Q

Which biometric error would allow an unauthorized user to access a system?

A. False acceptance
B. False entrance
C. False rejection
D. False denial

Answer

A

A. False acceptance

Question 22

Q

A company is auditing the manner in which its European customers’ personal information is handled. Which of the following should the company consult?

A. GDPR
B. ISO
C. NIST
D. PCI DSS

Question 23

Q

Which of the following are common VoIP-associated vulnerabilities? (Choose two.)

A. SPIM
B. Vishing
C. Hopping
D. Phishing
E. Credential harvesting
F. Tailgating

Answer

A

B. Vishing
E. Credential harvesting

Credential Harvesting is often done through VoIP features such as voicemail

Question 24

Q

Which of the following describes the exploitation of an interactive process to gain access to restricted areas?

A. Persistence
B. Buffer overflow
C. Privilege escalation
D. Pharming

Answer

A

C. Privilege escalation

Question 25

Q

An organization is planning to open other data centers to sustain operations in the event of a natural disaster. Which of the following considerations would BEST support the organization’s resiliency?

A. Geographic dispersal
B. Generator power
C. Fire suppression
D. Facility automation

Answer

A

A. Geographic dispersal

Question 26

Q

A security engineer is deploying a new wireless network for a company. The company shares office space with multiple tenants. Which of the following should the engineer configure on the wireless network to ensure that confidential data is not exposed to unauthorized users?

A. EAP
B. TLS
C. HTTPS
D. AES

Answer

A

A. EAP

EAP (Extensible Authentication Protocol): EAP is an authentication framework used to secure network access. It provides a mechanism for mutual authentication between the client and the server, which helps prevent unauthorized access to the wireless network.

Question 27

Q

The Chief Compliance Officer from a bank has approved a background check policy for all new hires. Which of the following is the policy MOST likely protecting against?

A. Preventing any current employees’ siblings from working at the bank to prevent nepotism

B. Hiring an employee who has been convicted of theft to adhere to industry compliance

C. Filtering applicants who have added false information to resumes so they appear better qualified

D. Ensuring no new hires have worked at other banks that may be trying to steal customer information

Answer

A

B. Hiring an employee who has been convicted of theft to adhere to industry compliance

Question 28

Q

An engineer recently deployed a group of 100 web servers in a cloud environment. Per the security policy, all web-server ports except 443 should be disabled.
Which of the following can be used to accomplish this task?

A. Application allow list
B. SWG
C. Host-based firewall
D. VPN

Answer

A

C. Host-based firewall

A host-based firewall is a firewall that is installed on a single server or endpoint. It can be configured to block traffic on specific ports or protocols, thereby preventing unauthorized access to the server. In this case, a host-based firewall can be used to block all incoming traffic on ports except 443 on each of the 100 web servers deployed in the cloud environment, which will ensure that only HTTPS traffic is allowed to reach the web servers.

Question 29

Q

A technician was dispatched to complete repairs on a server in a data center. While locating the server, the technician entered a restricted area without authorization. Which of the following security controls would BEST prevent this in the future?

A. Use appropriate signage to mark all areas.
B. Utilize cameras monitored by guards.
C. Implement access control vestibules.
D. Enforce escorts to monitor all visitors.

Answer

A

C. Implement access control vestibules

Access control vestibules are a physical security measure that requires individuals to go through a series of doors or gates to access a restricted area.

Question 30

Q

Which of the following would BEST provide a systems administrator with the ability to more efficiently identify systems and manage permissions and policies based on location, role, and service level?

A. Standard naming conventions
B. Domain services
C. Baseline configurations
D. Diagrams

Answer

A

A. Standard naming conventions

Question 31

Q

Which of the following would detect intrusions at the perimeter of an airport?

A. Signage
B. Fencing
C. Motion sensors
D. Lighting
E. Bollards

Answer

A

C. Motion sensors

Question 32

Q

A security analyst is concerned about critical vulnerabilities that have been detected on some applications running inside containers. Which of the following is the
BEST remediation strategy?

A. Update the base container Image and redeploy the environment.
B. Include the containers in the regular patching schedule for servers.
C. Patch each running container individually and test the application.
D. Update the host in which the containers are running.

Answer

A

A. Update the base container image and redeploy the environment: Containers are typically built from a base image, and any application running inside a container is layered on top of the base image.

Question 33

Q

An organization has decided to purchase an insurance policy because a risk assessment determined that the cost to remediate the risk is greater than the five- year cost of the insurance policy. The organization is enabling risk:

A. avoidance.
B. acceptance.
C. mitigation.
D. transference.

Answer

A

D. transference

Question 34

Q

A security analyst receives an alert from the company’s SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The Chief
Information Security Officer asks the analyst to block the originating source. Several days later, another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert?

A. True negative
B. True positive
C. False positive
D. False negative

Answer

A

C. False positive

Question 35

Q

A security analyst wants to reference a standard to develop a risk management program. Which of the following is the BEST source for the analyst to use?

A. SSAE SOC 2
B. ISO 31000
C. NIST CSF
D. GDPR

Answer

A

B. ISO 31000

ISO 31000 is an internationally recognized standard that provides guidelines for risk management. It provides a comprehensive framework for identifying, assessing, and treating risks in an organization, and it is widely used as a reference for risk management practices. It covers all types of risks, including security risks, and provides a structured approach to developing and implementing a risk management program

Question 36

Q

The Chief Information Security Officer (CISO) requested a report on potential areas of improvement following a security incident. Which of the following incident response processes is the CISO requesting?

A. Lessons learned
B. Preparation
C. Detection
D. Containment
E. Root cause analysis

Answer

A

A. Lessons learned

Question 37

Q

A company is providing security awareness training regarding the importance of not forwarding social media messages from unverified sources. Which of the following risks would this training help to prevent?

A. Hoaxes
B. SPIMs
C. Identity fraud
D. Credential harvesting

Answer

A

A. Hoaxes

Question 38

Q

A security analyst is receiving numerous alerts reporting that the response time of an internet-facing application has been degraded. However, the internal network performance was not degraded. Which of the following MOST likely explains this behavior?

A. DNS poisoning
B. MAC flooding
C. DDoS attack
D. ARP poisoning

Answer

A

C. DDoS attack

A Distributed Denial of Service (DDoS) attack is a type of cyberattack that aims to make an online service or website unavailable by overwhelming it with traffic from multiple sources.

Question 39

Q

Which of the following will increase cryptographic security?

A. High data entropy
B. Algorithms that require less computing power
C. Longer key longevity
D. Hashing

Answer

A

A. High data entropy

Data entropy is a measure of the randomness or unpredictability of data. High data entropy means that the data is more random and therefore harder to predict or guess. Cryptographic algorithms that use high-entropy data are more secure, as they make it more difficult for attackers to crack the encryption.

Question 40

Q

Which of the following statements BEST describes zero-day exploits?

A. When a zero-day exploit is discovered, the system cannot be protected by any means.
B. Zero-day exploits have their own scoring category in CVSS.
C. A zero-day exploit is initially undetectable, and no patch for it exists.
D. Discovering zero-day exploits is always performed via bug bounty programs.

Answer

A

C. A zero-day exploit is initially undetectable, and no patch for it exists.

Question 41

Q

A company wants to restrict emailing of PHI documents. The company is implementing a Data Loss Prevention (DLP) solution. In order to restrict Protected Health Information (PHI) documents, which of the following should be performed FIRST?

A. Retention
B. Governance
C. Classification
D. Change management

Answer

A

C. Classification

Document classification is the process of categorizing documents based on their sensitivity or confidentiality level. In this case, the company wants to restrict emailing of PHI documents, which contain sensitive information. Therefore, the first step should be to classify all documents that contain PHI as sensitive or confidential. This classification should be done using a consistent and standardized process to ensure that all documents are classified consistently.

Question 42

Q

A security analyst is investigating some users who are being redirected to a fake website that resembles www.comptia.org. The following output was found on the naming server of the organization:

Name Type Data
WWW A 192.168.1.10
Server1 A 10.10.10.10
Server2 A 10.10.10.11
File A 10.10.10.12

Which of the following attacks has taken place?
A. Domain reputation
B. Domain hijacking
C. Disassociation
D. DNS poisoning

Answer

A

D. DNS poisoning

Question 43

Q

Which of the following describes the continuous delivery software development methodology?

A. Waterfall
B. Spiral
C. V-shaped
D. Agile

Question 44

Q

Which of the following is the BEST example of a cost-effective physical control to enforce a USB removable media restriction policy?

A. Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports
B. Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced
C. Placing systems into locked, key-controlled containers with no access to the USB ports
D. Installing an endpoint agent to detect connectivity of USB and removable media

Answer

A

A. Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports

This option is a cost-effective physical control that can be used to enforce a USB removable media restriction policy.

Question 45

Q

A company suspects that some corporate accounts were compromised. The number of suspicious logins from locations not recognized by the users is increasing.
Employees who travel need their accounts protected without the risk of blocking legitimate login requests that may be made over new sign-in properties. Which of the following security controls can be implemented?

A. Enforce MFA when an account request reaches a risk threshold.
B. Implement geofencing to only allow access from headquarters.
C. Enforce time-based login requests that align with business hours.
D. Shift the access control scheme to a discretionary access control.

Answer

A

A. Enforce MFA when an account request reaches a risk threshold

Multi-Factor Authentication (MFA) is a security mechanism that requires users to provide two or more forms of authentication to verify their identity when logging into an account

Question 46

Q

An organization wants to participate in threat intelligence information sharing with peer groups. Which of the following would MOST likely meet the organization’s requirement?

A. Perform OSINT investigations.
B. Subscribe to threat intelligence feeds.
C. Submit RFCs.
D. Implement a TAXII server.

Answer

A

D. Implement a TAXII server

The Trusted Automated Exchange of Indicator Information (TAXII) is an open standard that allows organizations to share threat intelligence data in a structured and automated way.

Question 47

Q

Which of the following is the MOST effective control against zero-day vulnerabilities?

A. Network segmentation
B. Patch management
C. Intrusion prevention system
D. Multiple vulnerability scanners

Answer

A

B. Patch management

Zero-day vulnerabilities refer to software vulnerabilities that are unknown to the software vendor or the public, and as a result, there are no available patches or fixes to address them.

Question 48

Q

Which of the following is the GREATEST security concern when outsourcing code development to third-party contractors for an internet-facing application?

A. Intellectual property theft
B. Elevated privileges
C. Unknown backdoor
D. Quality assurance

Answer

A

C. Unknown backdoor

Question 49

Q

An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an Indicator of Compromise (IoC) ?

A. Reimage the impacted workstations.
B. Activate runbooks for incident response.
C. Conduct forensics on the compromised system.
D. Conduct passive reconnaissance to gather information.

Answer

A

B. Activate runbooks for incident response.

Question 50

Q

An amusement park is implementing a biometric system that validates customers’ fingerprints to ensure they are not sharing tickets. The park’s owner values customers above all and would prefer customers’ convenience over security. For this reason, which of the following features should the security team prioritize
FIRST?

A. Low FAR
B. Low efficacy
C. Low FRR
D. Low CER

Answer

A

C. Low FRR

Since the park’s owner values customer convenience over security, the security team should prioritize a low False Rejection Rate (FRR). A low FRR means that the biometric system is less likely to incorrectly reject a valid user, ensuring a smoother experience for customers.

Question 51

Q

Which of the following organizations sets frameworks and controls for optimal security configuration on systems?

A. ISO
B. GDPR
C. PCI DSS
D. NIST

Answer

A

D. NIST (National Institute of Standards and Technology) sets frameworks and controls for optimal security configuration on systems.

Question 52

Q

An organization discovered files with proprietary financial data have been deleted. The files have been recovered from backup, but every time the Chief Financial
Officer logs in to the file server, the same files are deleted again. No other users are experiencing this issue. Which of the following types of malware is MOST likely causing this behavior?

A. Logic bomb
B. Cryptomalware
C. Spyware
D. Remote access Trojan

Answer

A

A. Logic Bomb

Logic bomb: a set of instructions secretly incorporated into a program so that if a particular condition is satisfied they will be carried out, usually with harmful effects.

Question 53

Q

A security analyst has identified malware spreading through the corporate network and has activated the CSIRT. Which of the following should the analyst do
NEXT?

A. Review how the malware was introduced to the network.
B. Attempt to quarantine all infected hosts to limit further spread.
C. Create help desk tickets to get infected systems reimaged.
D. Update all endpoint antivirus solutions with the latest updates.

Answer

A

B. Attempt to quarantine all infected hosts to limit further spread.

Question 54

Q

During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server. Following an investigation, the company realizes it is still vulnerable because outbound traffic is not restricted, and the adversary is able to maintain a presence in the network.
In which of the following stages of the Cyber Kill Chain is the adversary currently operating?

A. Reconnaissance
B. Command and control
C. Actions on objective
D. Exploitation

Answer

A

B. Command and control

The adversary is currently operating in the Command and Control stage of the Cyber Kill Chain. This stage involves the establishment of a connection between the compromised system and the attacker’s server, allowing the attacker to maintain control and send commands to the infected system. The fact that outbound traffic is not restricted allows the adversary to maintain a presence in the network and communicate with the compromised systems.

Question 55

Q

A recent security breach exploited software vulnerabilities in the firewall and within the network management solution. Which of the following will MOST likely be used to identify when the breach occurred through each device?

A. SIEM correlation dashboards
B. Firewall syslog event logs
C. Network management solution login audit logs
D. Bandwidth monitors and interface sensors

Answer

A

A. SIEM correlation dashboards

SIEM (Security Information and Event Management) correlation dashboards are the most likely tool to be used to identify when the breach occurred through each device. SIEM tools collect, analyze, and correlate data from various sources, including firewalls, network management solutions, and other security devices. This allows for a comprehensive view of events and alerts, helping to identify the timeline and sequence of events related to the breach.

Question 56

Q

Which of the following is the FIRST environment in which proper, secure coding should be practiced?

A. Stage
B. Development
C. Production
D. Test

Answer

A

B. Development

Proper, secure coding should be practiced from the very beginning of the software development lifecycle, starting with the development environment. This is the stage where code is initially written, and integrating secure coding practices at this stage helps to minimize vulnerabilities and potential security issues before the software moves into testing, staging, and eventually production environments.

Development, Testing, Staging, Production

Question 57

Q

A cloud service provider has created an environment where customers can connect existing local networks to the cloud for additional computing resources and block internal HR applications from reaching the cloud. Which of the following cloud models is being used?

A. Public
B. Community
C. Hybrid
D. Private

Answer

A

C. Hybrid Cloud

Question 58

Q

An organization has developed an application that needs a patch to fix a critical vulnerability. In which of the following environments should the patch be deployed LAST?

A. Test
B. Staging
C. Development
D. Production

Answer

A

D. Production

Following best practices for the software development lifecycle, patches should first be applied and tested in development, test, and staging environments to ensure proper functionality and compatibility. Once all is good Production.

Question 59

Q

An organization is building backup server rooms in geographically diverse locations. The Chief Information Security Officer implemented a requirement on the project that states the new hardware cannot be susceptible to the same vulnerabilities in the existing server room. Which of the following should the systems engineer consider?

A. Purchasing hardware from different vendors
B. Migrating workloads to public cloud infrastructure
C. Implementing a robust patch management solution
D. Designing new detective security controls

Answer

A

A. Purchasing hardware from different vendors

To ensure that the new hardware is not susceptible to the same vulnerabilities as the existing server room, the systems engineer should consider purchasing hardware from different vendors. This will help reduce the risk of hardware vulnerabilities being present across multiple server rooms, as different vendors often have unique vulnerabilities or security features. It promotes diversity in the technology stack, which can help enhance resilience against potential threats.

Question 60

Q

A security analyst is working on a project to implement a solution that monitors network communications and provides alerts when abnormal behavior is detected.
Which of the following is the security analyst MOST likely implementing?

A. Vulnerability scans
B. User behavior analysis
C. Security orchestration, automation, and response
D. Threat hunting

Answer

A

B. User behavior analysis

The security analyst is most likely implementing User Behavior Analysis (UBA) in this scenario. UBA involves monitoring network communications and user activities to establish a baseline of normal behavior, and then providing alerts when abnormal behavior is detected. This helps identify potential security threats or policy violations by detecting deviations from the established baseline.

Question 61

Q

Data exfiltration analysis indicates that an attacker managed to download system configuration notes from a web server. The web-server logs have been deleted, but analysts have determined that the system configuration notes were stored in the database administrator’s folder on the web server. Which of the following attacks explains what occurred? (Choose two.)

A. Pass-the-hash
B. Directory traversal
C. SQL injection
D. Privilege escalation
E. Cross-site scripting
F. Request forgery

Answer

A

B. Directory Traversal: This attack allows attackers to access directories that they should not be able to access by manipulating a URL or by using malicious scripts. In this case, the attacker might have utilized directory traversal to access the database administrator’s folder.

D. Privilege Escalation: This is a type of network intrusion where an attacker increases their privileges or access level, often with the goal of gaining full control over a system. In this case, the attacker seems to have escalated their privileges to access the database administrator’s folder.

Question 62

Q

A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without users’ interaction. The SIEM have multiple login entries with the following text: suspicious event - user: scheduledtasks successfully authenticate on AD on abnormal time suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\amazing-3rdparty-domain-assessment.py suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\secureyourAD-3rdparty-compliance.sh suspicious event - user: scheduledtasks successfully executed c:\weekly_checkups\amazing-3rdparty-domain-assessment.py

Which of the following is the MOST likely attack conducted on the environment?
A. Malicious script
B. Privilege escalation
C. Domain hijacking
D. DNS poisoning

Answer

A

A. Malicious script

Question 63

Q

A customer service representative reported an unusual text message that was sent to the help desk. The message contained an unrecognized invoice number with a large balance due and a link to click for more details. Which of the following BEST describes this technique?

A. Vishing
B. Whaling
C. Phishing
D. Smishing

Answer

A

D. Smishing is phishing via text

Question 64

Q

Which of the following actions would be recommended to improve an incident response process?

A. Train the team to identify the difference between events and incidents.
B. Modify access so the IT team has full access to the compromised assets.
C. Contact the authorities if a cybercrime is suspected.
D. Restrict communication surrounding the response to the IT team.

Answer

A

A. Train the team to identify the difference between events and incidents.

Answer 61

A

D. WAF (Web Application Firewall): This is a firewall that monitors, filters, or blocks the HTTP traffic to and from a web application. A WAF can protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It operates at Layer 7 of the OSI model and can specifically protect against various application layer attacks such as cross-site scripting (XSS) and SQL injection.

B. NIPS (Network Intrusion Prevention System): While this operates across multiple layers, it also functions at Layer 7 by monitoring the network for malicious activities or policy violations. When it detects potentially dangerous traffic, it takes action to stop the intrusion.

Answer 62

A

B. Perform a physical-to-virtual migration.

Answer 63

A

D. Block port 3389 inbound from untrusted networks: This would prevent external, potentially malicious users from connecting to the server using RDP, making it more difficult for them to manually install malicious code.

The given scenario indicates that the malware outbreak was initiated through manual logins on a server and execution of malicious code, which is typical of a Remote Desktop Protocol (RDP) attack. RDP uses port 3389 by default. Thus, blocking this port from untrusted networks would be the best choice to prevent reinfection via the same method.

Answer 64

A

B. Federation

Federation is a security protocol that allows users to use the same identification data to access the networks of all businesses in the federation. Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider, which is commonly used in federated identity management solutions.

Answer 65

A

C. Implement a SOAR with customizable playbooks.

Answer 66

A

C. VDI

Virtual Desktop Infrastructure

Answer 67

A

C. Proprietary

Answer 68

A

B. A CASB (Cloud Access Security Broker):
A Cloud Access Security Broker (CASB) is a security solution that sits between an organization’s on-premises infrastructure and cloud services to monitor and enforce security policies. It provides visibility and control over cloud usage and helps in preventing advanced threats and malware. CASBs can offer features like data loss prevention (DLP), user activity monitoring, threat detection, and encryption for cloud data. By implementing a CASB, the CSO can gain better control and security for the organization’s cloud-based services.

C. An NG-SWG (Next-Generation Secure Web Gateway):
An NG-SWG is a security gateway that helps protect users from accessing malicious content, websites, and services. It provides URL filtering, content inspection, and threat detection capabilities. Implementing an NG-SWG for cloud-based services can help detect and block advanced threats and malware before they reach the users or the cloud infrastructure. It acts as an additional layer of defense and complements other security measures in place.

Answer 69

A

C. COPE and VDI

The deployment model being utilized in this scenario is COPE (Company-Owned, Personally-Enabled) and VDI (Virtual Desktop Infrastructure).

COPE (Company-Owned, Personally-Enabled):
In the COPE model, the organization issues laptops or mobile devices to its employees. These devices are company-owned, which means the organization has full control over them and can enforce security policies and restrictions. However, they are also personally-enabled, allowing employees to use the devices for personal purposes outside of their job roles. It strikes a balance between providing corporate control and allowing some flexibility for personal use.

VDI (Virtual Desktop Infrastructure):
With VDI, instead of running the operating system and applications directly on the laptops, the users’ corporate operating systems are accessed remotely. Virtual desktops are hosted on servers in the organization’s data center or cloud infrastructure. Employees use their laptops to connect to these virtual desktops, which allows them to access the corporate operating system and applications from any device with an internet connection. VDI enhances security and centralizes management since the data and applications are stored and processed in the data center or cloud, reducing the risk of data loss from the laptops.

Answer 70

A

B. Key Logger

Answer 71

A

A. Snapshot

Answer 72

A

D. Direct access

Answer 73

A

A. CVSS (Common Vulnerability Scoring System)

CVSS stands for the Common Vulnerability Scoring System. It is a framework used to assess and communicate the severity of software vulnerabilities. CVSS provides a calculated value or score for known vulnerabilities based on several metrics, including the potential impact of the vulnerability and its exploitability. The purpose of CVSS is to help organizations prioritize their mitigation efforts by understanding the relative severity of different vulnerabilities and allocating resources accordingly.

Answer 74

A

A. Community

The best cloud deployment strategy that would meet the universities’ need to share compute and storage resources for their collaborative research project is the “Community” cloud deployment.

Answer 75

A

D. Calculate the checksum using a hashing algorithm.

The most likely method that a forensic analyst will use to prove that data has not been tampered with since it was collected is option D, which involves calculating the checksum using a hashing algorithm.

Answer 76

A

B. Password history

Answer 77

A

C. curl –head http://192.168.0.10

By using “curl –head,” the security analyst can obtain important information from the web server’s response headers, such as the web server software and version, as well as other useful details like supported HTTP methods, cookies, and more. This information aids in fingerprinting the web server and understanding its configuration, which can be useful for security assessments and vulnerability identification.

Answer 78

A

C. Memdump

Memdump is a tool used to extract the content of a computer’s memory (RAM) at a specific point in time. In the context of a penetration test, obtaining a memory dump from a compromised internal server is extremely valuable for lateral movement and further assessment.

Answer 79

A

B. Mobile Device Management (MDM)

Mobile Device Management would be the best choice for this organization’s needs. MDM solutions allow for the management and policy enforcement of mobile devices used by the employees. This would allow the organization to ensure that the mobile devices are only used for work purposes by controlling, monitoring, and enforcing the organization’s policy on these devices.

MDM can also provide capabilities like remote wiping (D) if the device is lost or stolen, geofencing (A) to restrict the device’s use to a specific location, and containerization (C) to separate work and personal data. However, given the question, the broader capabilities of MDM make it a more comprehensive solution for this scenario.

Answer 80

A

A. Preventive

Answer 81

A

D. Memory Leak

The information provided suggests that the “timeAttend.exe” program is not properly releasing memory back to the system after it has finished using it. The analysis tool indicates that there are 4608 bytes “definitely lost”, meaning they were allocated (using malloc, a function for memory allocation) but never deallocated (freed), even after the program ended.

Answer 82

A

A. DLP

DLP - Data Loss Prevention uses exact data matching or regex matching - in this case a regex rule for detecting credit card numbers could be in place that is actively blocking the upload of the document -

Regex for detecting and Amex Card: ^3[47][0-9]{13}$

Answer 83

A

A.ACCEPTANCE

Answer 84

A

B. Publish the document in a central repository that is easily accessible to the organization.

Answer 85

A

B. Perform containment on the critical servers and resources.

Answer 86

A

C. Deterrent controls

Deterrent controls are intended to discourage a potential attacker from attempting to breach a system or site. These controls might not prevent all forms of unauthorized access, but they can help reduce the risk. Examples of deterrent controls could be signs indicating surveillance, “no trespassing” signs, or the presence of a security guard. These are typically less expensive than other types of controls, such as installing an advanced biometric system (preventive controls)

Answer 87

A

B. DPO
Data Privacy Officer

Answer 88

A

C. Salting

In the context of password storage, a “salt” is random data that is used as an additional input to the hashing function that hashes a password. The benefit of using a salt is that it makes each hash unique, even if the plaintext passwords are the same. In this case, even though all users have the same password (P@55w0rD), the hashes are different because each hash was created with a unique salt.

Answer 89

A

D. pivoting.

Answer 90

A

C. Dark web

The dark web is a part of the internet that isn’t indexed by standard search engines. It requires specific software, configurations, or authorization to access. It’s a place where a lot of illegal activities occur, including selling of stolen data such as leaked credentials. Hence, threat intelligence researchers would definitely monitor the dark web for leaked credentials.

Answer 91

A

B. SQLi attack

Answer 92

A

A. Transit Gateway

A Transit Gateway acts as a network transit hub, which can be used to consolidate and forward inbound internet traffic to multiple cloud environments through a single firewall. It simplifies the management and reduces the complexity of growing networks by enabling scalability and more efficient networking.

Brainscape's Knowledge GenomeTM

First 100 Flashcards

Brainscape's Knowledge Genome^TM