Jason Dion - Security+ Udemy Course Practice Exam Flashcards

1
Q

** Which of the following methods is used to replace ALL or part of a Data Field with a randomly generated number used to reference the original value stored in another vault or database?

Anonymization
Data Minimization
Data Masking
Tokenization

A

Tokenization

Explanation:
Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique.

Data masking can mean that all or part of a field’s contents is redacted, by substituting all character strings with x, for example.

Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected.

Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

2
Q

** What tool can be used to scan a Network to perform vulnerability checks and compliance auditing?

BeEF
Metasploit
NMAP
Nessus

A

Nessus

Explanation:
Nessus is a popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans.

The nmap tool is a port scanner.

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

3
Q

** A computer is infected with malware that has infected the Windows kernel to hide. Which type of malware MOST likely infected this computer?

Rootkit
Botnet
Trojan
Ransomware

A

Rootkit

Explanation:
A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enables administrator-level access to a computer or network. Rootkits can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system.

A botnet is many internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.

A trojan is a type of malware that looks legitimate but can take control of your computer. A trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system.

Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received.

4
Q

** Which of the following categories would contain information about a French Citizen’s Race or Ethnic Origin?

DLP
PII
SPI
PHI

A

SPI (Sensitive Personal Information)

Explanation:
According to the GDPR, information about an individual’s race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject’s opinions, beliefs, and nature afforded specially protected status by privacy legislation.

As it cannot be used to uniquely identify somebody or to make any relevant assertions about health, it is neither PII nor PHI.

Data loss prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

5
Q

** Review the following Packet Captured at your NIDS:

23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389 Flags [P.], seq 1834:1245, ack 1, win 511, options [nop,nop,TS val 263451334 ecr 482862734], length 125

After reviewing the packet above, you discovered there is an Unauthorized Service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host?

DENY TCP ANY HOST 71.168.10.45 EQ 3389

DENY TCP ANY HOST 86.18.10.3 EQ 25

DENY IP HOST 86.18.10.3 EQ 3389

DENY IP HOST 71.168.10.45 ANY EQ 25

A

DENY TCP ANY HOST 71.168.10.45 EQ 3389

Explanation:
Since the question asks you to prevent access to the unauthorized service, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this host over the unauthorized Remote Desktop Protocol service (port 3389), while leaving the approved services on the host reachable.

6
Q

** A supplier needs to connect several laptops to an organization’s Network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a Cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the Network’s Security posture. What can Victor do to mitigate the risk to other devices on the Network without having direct administrative access to the supplier’s laptops?

Require 2FA (Two-Factor Authentication) on the laptops.

Scan the laptops for vulnerabilities and patch them.

Increase the Encryption Level of the VPN used by the laptops.

Implement a Jumpbox System

A

Implement a Jumpbox System

Explanation:
A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier’s laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them.

While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an air gap, or using a jumpbox.

7
Q

** Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company’s owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donating them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computer’s hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be used by the community center. What type of data destruction or sanitization method do you recommend?

Degaussing
Shredding
Wiping
Purging

A

Wiping

Explanation:
Data wiping or clearing occurs by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media. Data wiping may be performed with a 1x, 7x, or 35x overwriting, with a higher number of times being more secure. This allows the hard drive to remain functional and allows for hardware reuse.

Degaussing a hard drive involves demagnetizing a hard drive to erase its stored data. You cannot reuse a hard drive once it has been degaussed. Therefore, it is a bad solution for this scenario.

Purging involves removing sensitive data from a hard drive using the device’s internal electronics or an outside source such as a degausser, or by using a cryptographic erase function if the drive supports one.

Shredding involves the physical destruction of the hard drive. This is a secure method of destruction but doesn’t allow for device reuse.

8
Q

** The management at Steven’s work is concerned about rogue devices being attached to the Network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired Network?

Router and Switch-based MAC addressing reporting.

A Physical Survey

Reviewing a central administration tool like an endpoint manager.

A discovery scan using a port scanner.

A

Router and Switch-based MAC addressing reporting.

Explanation:
The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.

9
Q

** Which role validates the user’s identity when using SAML for authentication?

RP
SP
User Agent
IdP

A

IdP (Identity Provider)

Explanation:
The IdP provides the validation of the user’s identity. Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management.

It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP.

The principal’s User Agent (typically a browser) requests a resource from the service provider (SP).

The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal’s credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

10
Q

** Which of the following hashing algorithms results in a 160-bit fixed output?

NTLM
SHA-2
RIPEMD
MD-5

A

RIPEMD

Explanation:
RIPEMD creates a 160-bit fixed output.

SHA-2 creates a 256-bit fixed output.
NTLM creates a 128-bit fixed output.
MD-5 creates a 128-bit fixed output.

11
Q

** Which of the following cryptographic algorithms is classified as asymmetric?

RC4
AES
PGP
3DES

A

PGP (Pretty Good Privacy)

Explanation:
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions and to increase the security of email communications. PGP is a public-key cryptosystem and relies on an asymmetric algorithm.

AES, RC4, and 3DES are all symmetric algorithms.

12
Q

** Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?

CRLF Injection
SQL Injection
Missing Patches
Cross-Site Scripting

A

Missing Patches

Explanation:
Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server’s data can become compromised.

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user’s workstation, not a server.

CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected.

SQL injection is the placement of malicious code in SQL statements via web page input. SQL injection is commonly used against databases, but it is not useful when attacking file servers.

13
Q

** What tool is used to collect Wireless packet data?

Netcat
Nessus
Aircrack-ng
John the Ripper

A

Aircrack-ng

Explanation:
Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file.

John the Ripper is a password cracking software tool.

Nessus is a vulnerability scanner.

Netcat is used to create a reverse shell from a victimized machine back to an attacker.

14
Q

** Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal Network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if any of the Dion Training employees use the same Ethernet port in the conference room, they should access Dion Training’s Secure internal Network. Which of the following technologies would allow you to configure this port and support both requirements?

MAC Filtering
Implement NAC
Create an ACL to allow access
Configure a SIEM

A

Implement NAC (Network Access Control)

Explanation:
Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets and provide them with access to the secure internal network. NAC could also determine unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them on a guest network or VLAN.

While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port.

A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware.

An access control list could define which ports, protocols, or IP addresses may be used from the Ethernet port. Still, it would be unable to distinguish between a Dion Training employee’s laptop and a CompTIA employee’s laptop the way a NAC implementation could.

15
Q

** Which of the following Cryptographic algorithms is classified as Symmetric?

RSA
ECC
Diffie-Hellman
AES

A

AES (Advanced Encryption Standard)

Explanation:
The Advanced Encryption Standard (AES) is a symmetric-key algorithm for encrypting digital data. It was established as an electronic data encryption standard by NIST in 2001. AES can use a 128-bit, 192-bit, or 256-bit key, and uses a 128-bit block size.

ECC, RSA, Diffie-Hellman, and DSA are all asymmetric algorithms.

DES, 3DES, IDEA, AES, Blowfish, Twofish, RC4, RC5, and RC6 are all symmetric.

GPG is considered a hybrid system. It uses AES’s symmetric encryption together with the asymmetric RSA cipher to create digital signatures, and it has cross-platform availability.

16
Q

** Dion Training is currently undergoing an audit of its information systems. The auditor wants to understand better how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview?

Data Protection Officer
Data Steward
Data Owner
Data Controller

A

Data Protection Officer

Explanation:
The primary role of the data protection officer (DPO) is to ensure that her organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. They must understand how any privacy information is used within business operations. Therefore, they are the best person for the auditor to interview to get a complete picture of the data usage.

17
Q

** You have been hired as a Cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank’s Cybersecurity program?

HIPAA
FERPA
GLBA
SOX

A

GLBA (Gramm-Leach-Bliley Act)

Explanation:
The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.

The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers.

Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all US public company boards, management, and public accounting firms.

The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.

18
Q

** Of the options listed, choose the FOUR security features that you should use to BEST protect your servers in the data center. These can include physical, logical, or administrative protections.

Options:
Mantrap
Biometrics
GPS Tracking
Cable Lock
Proximity Badges
FM-200
Remote Wipe
Strong Passwords
Antivirus
ECC

A

Mantrap
Biometrics
FM-200
Antivirus

Explanation:
The best options based on your choices are FM-200, biometric locks, a mantrap, and antivirus. FM-200 is a fire extinguishing system commonly used in data centers and server rooms to protect the servers from fire. Biometric locks are often used in high-security areas as a lock on the access door. Additionally, biometric authentication could be used for a server by using a USB fingerprint reader. Mantraps are often used as part of securing a data center as well. This area creates a boundary between a lower security area (such as the offices) and the higher security area (the server room). Antivirus should be installed on servers since it can use signature-based scans to ensure files are safe before being executed.

19
Q

** An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only the Name Servers?

locate type=ns
set type=ns
transfer type=ns
request type=ns

A

set type=ns

Explanation:
The nslookup command is used to query the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records. The “set type=ns” command tells nslookup to report information only on name servers. If you used “set type=mx” instead, you would receive information only about mail exchange servers.

20
Q

** Which of the following Cryptographic algorithms is classified as Symmetric?

RSA
Twofish
Diffie-Hellman
ECC

A

Twofish

Explanation:
Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.

ECC, RSA, Diffie-Hellman, and DSA are all asymmetric algorithms.

DES, 3DES, IDEA, AES, Blowfish, Twofish, RC4, RC5, and RC6 are all symmetric.

GPG is considered a hybrid system. It uses AES’s symmetric encryption together with the asymmetric RSA cipher to create digital signatures, and it has cross-platform availability.

21
Q

** A Cybersecurity analyst is attempting to classify Network Traffic within an organization. The analyst runs the tcpdump command and receives the following output:

$ tcpdump -n -i eth0
15:01:25.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549
15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113

Which of the following statements is TRUE based on this output?

11.154.12.121 is a client that is accessing an SSH Server over port 52497

10.0.19.121 is a client that is accessing an SSH Server over port 52497.

10.0.19.121 is under attack from a host at 11.154.12.121.

11.154.12.121 is under attack from a host at 10.0.19.121.

A

10.0.19.121 is a client that is accessing an SSH Server over port 52497.

Explanation:
This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) runs an SSH server over port 22. This is based on the first line of the output.

The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497.

There is no evidence of an attack against either the server or the client based on this output since we can only see the headers and not the content being sent between the client and server.

22
Q

** Your company just launched a new invoicing website for use by your five largest vendors. You are the Cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system?

MAC Filtering
Implement an Allow List
VPN
Intrusion Detection System

A

Implement an Allow List

Explanation:
By implementing an allow list of the authorized IP addresses for the five largest vendors, they will be the only ones who can access the web server. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the scenario’s description, it appears that the system is under some form of denial of service attack. Still, by implementing an allow list at the edge of the network and sinkholing any traffic from IP addresses that are not on the allow list, the server will no longer be overwhelmed or respond slowly to legitimate requests.

MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server).

A VPN is a reasonable solution to secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced.

An intrusion detection system may detect the DoS condition, but an IDS cannot resolve it (whereas an IPS could).

23
Q

** Which analysis framework provides a graphical depiction of the attacker’s approach relative to a Kill Chain?

MITRE ATT&CK Framework
Lockheed Martin Cyber Kill Chain
Diamond Model of Intrusion Analysis
OpenIOC

A

Diamond Model of Intrusion Analysis

Explanation:
The Diamond Model provides an excellent methodology for communicating cyber events and allowing analysts to derive mitigation strategies implicitly. The Diamond Model is constructed around a graphical representation of an attacker’s behavior.

The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors.

The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate them.

OpenIOC contains a depth of research on APTs but does not integrate the detection and mitigation strategy.

24
Q

** Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence?

dd
FTK Imager
Memdump
Autopsy

A

FTK Imager

Explanation:
FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including copying the slack, unallocated, and free space on a given drive.

The dd tool can also create forensic images, but it is not a proprietary tool since it is open-source.

Memdump is used to collect the content within RAM on a given host.

Autopsy is a cross-platform, open-source forensic tool suite.

25
Q

** What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes?

Destroy
Degauss
Clear
Purge

A

Clear

Explanation:
Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings.

Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment.

Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration.

Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.

26
Q

** Which of the following types of access control provides the strongest level of protection?

ABAC
RBAC
MAC
DAC

A

MAC (Mandatory Access Control)

Explanation:
Mandatory Access Control (MAC) requires all access to be predefined based on system classification, configuration, and authentication. MAC is commonly used in highly centralized environments and usually relies on a series of labels, such as classification levels of the data.

ABAC = Attribute-based Access Control
RBAC = Role-based Access Control
DAC = Discretionary Access Control

27
Q

You suspect that your server has been the victim of a Web-based Attack. Which of the following ports would most likely be seen in the logs to indicate the attack’s target?

389
3389
443
21

A

443

Explanation:
Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS).

An attack against Active Directory is likely to be observed on port 389 (LDAP).

An attack on an FTP server is likely to be observed on port 21 (FTP).

An attack using the remote desktop protocol would be observed on port 3389 (RDP).

28
Q

Which protocol relies on mutual authentication of the client and the server for its Security?

LDAPS
CHAP
Two-Factor Authentication
RADIUS

A

LDAPS (Lightweight Directory Access Protocol SECURE)

Explanation:
The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable access to a directory of resources (workstations, users, information, etc.). TLS provides mutual authentication between clients and servers. Since Secure LDAP (LDAPS) uses TLS, it provides mutual authentication.

29
Q

What information should be recorded on a Chain of Custody form during a forensic investigation?

The list of individuals who made contact with files leading to the investigation.

Any individual who worked with evidence during the investigation.

The law enforcement agent who was first on the scene.

The list of former owners/operators of the workstation involved in the investigation.

A

Any individual who worked with evidence during the investigation.

Explanation:
Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization’s procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken.

While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn’t collect the evidence).

The other options presented by the question are all good pieces of information to record in your notes, but they are not required to be on the chain of custody form.

30
Q

Your company is making a significant investment in Infrastructure-as-a-Service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud?

Span multiple virtual disks to fragment data.

Use data masking.

Use Full-Disk Encryption

Zero-Wipe drives before moving systems.

A

Use Full-Disk Encryption (FDE)

Explanation:
To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider.

Using a zero wipe is typically impossible because VM systems may move without user intervention during scaling and elasticity operations.

Data masking can mean that all or part of a field’s contents is redacted, by substituting all character strings with “x,” for example. Data masking will not prevent your corporate data from being exposed by data remanence.

Spanning multiple disks will leave the data accessible, even though it would be fragmented, and would make the data remanence problem worse overall.

31
Q

Which of the following Cryptographic algorithms is classified as Symmetric?

ECC
GPG
DSA
DES

A

DES (Data Encryption Standard)

Explanation:
The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it was the standard used from 1977 until the early 2000s.

ECC, RSA, Diffie-Hellman, and DSA are all asymmetric algorithms.

DES, 3DES, IDEA, AES, Blowfish, Twofish, RC4, RC5, and RC6 are all symmetric.

GPG is considered a hybrid system: it uses AES symmetric encryption together with the asymmetric RSA cipher, supports digital signatures, and is available cross-platform.

32
Q

You are installing Windows 2019 on a Rack-Mounted Server and hosting multiple Virtual Machines within the physical Server. You just finished the installation and now want to begin creating and provisioning the Virtual Machines. Which of the following should you utilize to allow you to create and provision Virtual Machines?

Terminal Services
Disk Management
Device Manager
Hypervisor

A

Hypervisor

Explanation:
A hypervisor, also known as a virtual machine monitor, is a process that creates and runs virtual machines (VMs). A hypervisor allows one host computer to support multiple guest VMs by virtually sharing its resources, like memory and processing. To create and provision virtual machines within the Windows 2019 operating system, you can use a Type II hypervisor like VMware or VirtualBox.

Disk Management is a system utility in Windows that enables you to perform advanced storage tasks.

Device Manager is a component of the Microsoft Windows operating system that allows users to view and control the hardware attached to the computer.

Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to take control of a remote computer or virtual machine over a network connection.

33
Q

After analyzing and correlating activity from the Firewall logs, Server logs, and the Intrusion Detection System logs, a Cybersecurity analyst has determined that a sophisticated breach of the company’s Network Security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company Network had gone unnoticed by the company’s information Security team. How would you BEST classify this threat?

Insider Threat
Privilege Escalation
Advanced Persistent Threat (APT)
Spear Phishing

A

Advanced Persistent Threat (APT)

Explanation:
An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. An APT attack intends to steal data rather than to cause damage to the network or organization. An APT refers to an adversary’s ongoing ability to compromise network security, obtain and maintain access, and use various tools and techniques. They are often supported and funded by nation-states or work directly for a nation-state’s government.

Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information.

An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems.

Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. While an APT may use spear phishing, privilege escalation, or an insider threat to gain access to the system, the scenario presented in this question doesn’t specify what method was used. Therefore, APT is the best answer to select.

34
Q

Your organization has recently suffered a data breach due to a Server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the Network is changed. What is the easiest way to perform the password change requirement?

Create a New Security Group
Revoke the Digital Certificate
Deploy a new Group Policy
Utilize the Key Escrow process

A

Deploy a new Group Policy

Explanation:
A group policy is used to manage Windows systems in a Windows network domain environment utilizing a Group Policy Object (GPO). GPOs can include many settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings. You can force a reset of the default administrator account password by using a group policy update.

35
Q

A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the Internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?

Trojan
Rootkit
Ransomware
Keylogger

A

Trojan

Explanation:
A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system.

Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received.

A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enables administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system.

A keylogger actively attempts to steal confidential information by capturing the data when entered into the computer by the user. This is done by recording keystrokes entered into a web browser or other application. A software keylogger can be run in the background on a victim’s computer. A hardware keylogger may be placed between the USB port and the wired keyboard.

36
Q

You are trying to select the best device to install to proactively stop outside attackers from reaching your internal Network. Which of the following devices would be the BEST for you to select?

Syslog Server
IPS
IDS
Proxy Server

A

IPS (Intrusion Prevention System)

Explanation:
An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents, and capturing information about them. An IPS can block malicious network traffic, unlike an IDS, which can only log and alert on it.

A proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.

System Logging Protocol (Syslog) uses port 514 and is a way network devices can use a standard message format to communicate with a logging server. It was designed specifically to make it easy to monitor network devices. Devices can use a Syslog agent to send out notification messages under a wide range of specific conditions.

Protection Systems = Protect, Detect & Alert.

Detection Systems = Detect & Alert, DO NOT Protect.

37
Q

A Firewall administrator has configured a new screened subnet to allow public systems to be segmented from the organization’s internal Network. The Firewall now has three security zones set:

Untrusted (Internet) [143.27.43.0/24]; DMZ (Screened Subnet) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24].

The Firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote Network to a remote desktop Server in the screened subnet for the Chief Security Officer to work from his home office after hours. The CSO’s home internet uses a static IP of 143.27.43.32. The remote desktop Server is assigned a public-facing IP of 161.212.71.14.

What rule should the administrator add to the Firewall?

Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389

Permit 143.27.43.32 161.212.71.14 RDP 3389

Permit 143.27.43.32 161.212.71.0/24 RDP 3389

Permit 143.27.43.0/24 161.212.71.14 RDP 3389

A

Permit 143.27.43.32 161.212.71.14 RDP 3389

Explanation:
Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ (screened subnet), so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only “permit 143.27.43.32 161.212.71.14 RDP 3389” could be correct.

38
Q

A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?

Service Level Agreement (SLA)
Memorandum of Understanding (MOU)
Rules of Engagement
Acceptable Use Policy (AUP)

A

Rules of Engagement

Explanation:
While the contract documents’ network scope will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc.

A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange.

A service level agreement contains the operating procedures and standards for a service contract.

An acceptable use policy is a policy that governs employees’ use of company equipment and internet services.

39
Q

Which of the following is NOT normally part of an endpoint security suite?

Software Firewall
Antivirus
VPN
IPS

A

VPN (Virtual Private Network)

Explanation:
Endpoint security includes software host-based firewalls, host-based intrusion prevention systems (HIPS), and anti-virus software.

A VPN is not typically considered an endpoint security tool because it is a network security tool.

40
Q

Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation?

Digitally sign the image file to provide non-repudiation of the collection.

Encrypt the image file to ensure it maintains data integrity.

Encrypt the source drive to ensure an attacker cannot modify its contents.

Create a Hash Digest of the source drive and the image file to ensure they match.

A

Create a Hash Digest of the source drive and the image file to ensure they match.

Explanation:
The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match. A critical step in the presentation of evidence will be to prove that analysis has been performed on an identical image to the data present on the physical media and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and any derivative images made from it. When comparing hash values, you need to use the same algorithm used to create the reference value.

While encrypting the image files is a good security practice to maintain the data’s confidentiality, it does not provide data integrity like a hash digest does. Once imaged, the source drive should not be altered or encrypted.

Digitally signing the image file could serve the function of non-repudiation, but it is an uncommon practice and not required to be performed.

41
Q

Your organization has been receiving many phishing emails recently, and you are trying to determine why they are effective in getting your users to click on their links. The latest email consists of what looks like an advertisement that is offering an exclusive early access opportunity to buy a new iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social engineering principle is being exploited here?

Intimidation
Familiarity
Trust
Scarcity

A

Scarcity

Explanation:
Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as “supplies are limited,” “only available for the next 4 hours”, and other such artificial limitations being used.

Familiarity is a social engineering technique that relies on assuming a widely known organization’s persona. For example, in the United States, nearly 25% of Americans have a Bank of America account. For this reason, phishing campaigns often include emails pretending to be from Bank of America since 1 in 4 people who receive the email in the United States are likely to have an account. The bank name is familiar to them, so they are more likely to click on the email link.

42
Q

You are attempting to login to a Service. You use your Username and Password and then are prompted to check your Mobile App for a Code before you are granted access. How would you appropriately categorize the Authentication method described?

Biometric Authentication
PAP Authentication
Multifactor Authentication
One-time Password Authentication

A

Multifactor Authentication

Explanation:
For the exam, you need to know the different authentication categories and what type of authentication methods belong to each category. This is an example of multifactor authentication because you are using both a username/password combination with an SMS code. This provides a knowledge factor (username/password) and a possession factor (your smartphone) to provide two factors of authentication, making this the best option.

43
Q

Which type of threat will patches NOT effectively combat as a Security control?

Discovered Software Bugs
Known Vulnerabilities
Zero-Day Attacks
Malware with defined indicators of compromise.

A

Zero-Day Attacks

Explanation:
Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software).

If a discovered software bug or known vulnerability is found, a patch or mitigation is normally available.

If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it, as well.

44
Q

What control provides the BEST protection against both SQL Injection and Cross-Site Scripting (XSS) attacks?

Network Layer Firewalls
Hypervisors
Input Validation
CSRF

A

Input Validation

Explanation:
Input validation prevents the attacker from sending invalid data to an application and is a strong control against both SQL injection and cross-site scripting attacks.

A network layer firewall is a device that is designed to prevent unauthorized access, thereby protecting the computer network. It blocks unauthorized communications into the network and only permits authorized access based on the IP address, ports, and protocols in use.

Cross-site request forgery (CSRF) is another attack type.

A hypervisor controls access between virtual machines.

45
Q

Which of the following is the LEAST secure Wireless Security and Encryption Protocol?

WPA
WPA2
WEP
WPA3

A

WEP (Wired Equivalent Privacy)

Explanation:
Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption. WEP relies on the use of a 24-bit initialization vector to secure its preshared key.

Wi-Fi protected access (WPA) is an improved encryption scheme for protecting Wi-Fi communications that was designed to replace WEP.

WPA uses the RC4 cipher and a temporal key integrity protocol (TKIP) to overcome the vulnerabilities in the older WEP protection scheme.

Wi-Fi protected access version 2 (WPA2) replaced the original version of WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the improved AES cipher with counter mode with cipher-block chaining message authentication protocol (CCMP) for encryption.

Wi-Fi protected access version 3 (WPA3) has replaced WPA2 as the most secure wireless encryption method. WPA3 uses the simultaneous authentication of equals (SAE) to increase the security of preshared keys. WPA3 provides the enhanced open mode that encrypts transmissions from a client to the access point when using an open network. WPA3 Enterprise mode supports the use of AES with the Galois/counter mode protocol (GCMP-256) for the highest levels of encryption.

46
Q

Julie was just hired to conduct a Security assessment of Dion Training’s Security policies. During her assessment, she noticed that many users were sharing group accounts to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company?

More routine auditing.
More efficient baseline management.
Increase individual accountability.
Increase password security.

A

Increase individual accountability.

Explanation:
To adequately provide accountability, the use of shared or group accounts should be disabled. This allows you to log and track individual user actions based on individual user accounts. This enables the organization to hold users accountable for their actions, too.

47
Q

Which of the following types of threats did the Stuxnet Attack rely on to cross an air gap between a business and an Industrial Control System (ICS) Network?

Cross-Site Scripting
Removable Media
Directory Traversal
Session Hijacking

A

Removable Media

Explanation:
Air gaps are designed to remove connections between two networks to create physical segmentation between them. The only way to cross an air gap is to have a physical device between these systems, such as using a removable media device to transfer files between them.

A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside the web server’s root directory.

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.

A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.

A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an air gap.

48
Q

A Cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a Social Security Number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized?

Statistical Matching
Exact Data Match
Document Matching
Classification

A

Exact Data Match

Explanation:
DLP = Data Loss Prevention
An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers. But, since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match the numbers’ fingerprints instead based on their format or sequence.

Document matching attempts to match a whole document or a partial document against a signature in the DLP.

Statistical matching is a further refinement of partial document matching that uses artificial intelligence or machine learning to analyze various data sources.

Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification-based DLP to search for any files labeled as secret or top secret.

49
Q

Dion Training’s offices utilize an open concept floor plan. They are concerned that a visitor might attempt to steal an external hard drive and carry it out of the building. To mitigate the risk, the Security department has recommended installing Security cameras clearly visible to both employees and visitors. What type of Security control do these cameras represent?

Administrative
Deterrent
Corrective
Compensating

A

Deterrent

Explanation:
A deterrent control is designed to discourage the violation of a security policy. Since the cameras are clearly visible, they are acting as a deterrent control.

Corrective control is one that is used to fix or eliminate a vulnerability.

A compensating control is used to minimize a vulnerability when it is deemed too difficult or impractical to correct the vulnerability fully.

Administrative control is used to create a policy or procedure to minimize or eliminate a vulnerability.

50
Q

Which of the following is the leading cause for Cross-Site Scripting (XSS), SQL Injection, and XML Injection attacks?

Faulty input validation.
Output encoding.
Directory Traversals
File Inclusions

A

Faulty input validation.

Explanation:
A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks.

Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory.

In a file inclusion attack, the attacker adds a file to a web app or website’s running process. The file is either constructed to be malicious or manipulated to serve the attacker’s malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker’s site.

51
Q

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer’s phone. A Hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reads the number of lives purchased from the file. Which of the following types of vulnerabilities did the hacker exploit?

Sensitive data exposure
Dereferencing
Broken Authentication
Race condition

A

Race condition

Explanation:
Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker’s exploit is racing to modify the configuration file before the application reads the number of lives from it.

Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls.

Broken authentication refers to an app that fails to deny access to malicious actors.

Dereferencing attempts to access a pointer that references an object at a particular memory location.

52
Q

Karen lives in an area that is prone to hurricanes and other extreme weather conditions. She asks you to recommend an electrical conditioning device that will prevent her files from being corrupted if the building’s power is unstable or lost. Additionally, she would like the computer to maintain power for up to an hour of uptime to allow for a graceful shutdown of her programs and computer. Which of the following should you recommend?

Surge Protector
Power Distribution Unit
Uninterruptible Power Supply
Line Conditioner

A

Uninterruptible Power Supply (UPS)

Explanation:
An uninterruptible power supply or uninterruptible power source (UPS) is an electrical apparatus that provides emergency power to a load when the input power source becomes too low or the main power fails. A UPS provides near-instantaneous protection from input power interruptions by using a battery backup. The on-battery run-time of most uninterruptible power sources is usually short (less than 60 minutes) but sufficient to properly shut down a computer system.

A line conditioner is a device that adjusts voltages in under-voltage and overvoltage conditions to maintain a 120 V output. Line conditioners raise a sag or under-voltage event back to normal levels, but they cannot protect the line from a complete power failure or power outage.

A surge protector defends against possible voltage spikes that could damage your electronics, appliances, or equipment. A power strip will not protect against voltage spikes.

A UPS or line conditioner could protect against voltage spikes, but they cost much more than a surge protector.

A power distribution unit (PDU) is a device designed to provide power to devices that require power, and may or may not support remote monitoring and access.

53
Q

You are attempting to prioritize your vulnerability scans based on the data’s criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization?

The type of data processed by the system.

The cost of acquisition of the system.

The cost of hardware replacement of the system.

The depreciated hardware cost of the system.

A

The type of data processed by the system.

Explanation:
The data’s asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value.

The cost of acquisition, cost of hardware replacement, and depreciated costs refer to the financial value of the hardware or system itself. This can be significantly different from the value of the information and data that the system stores and processes.

54
Q

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices’ data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives?

Use a Secure Erase (SE) utility on the storage devices.

Conduct Zero-Fill on the storage devices.

Incinerate and replace the storage devices.

Perform a Cryptographic Erase (CE) on the storage devices.

A

Perform a Cryptographic Erase (CE) on the storage devices.

Explanation:
Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case, the hard drives are self-encrypting, so their data at rest is already encrypted. Therefore, the most efficient method would be to choose CE. The cryptographic erase (CE) method sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive.

A secure erase (SE) is used to perform the sanitization of flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available.

The zero-fill method relies on overwriting a storage device by setting all bits to the value of zero (0), but this is not effective on SSDs or hybrid drives, and it takes much longer than the CE method.

The final option is to conduct physical destruction, but since the scenario states that the storage device will be reused, this is not a valid technique. Physical destruction occurs by mechanical shredding, incineration, or degaussing magnetic hard drives.

55
Q

You are working as part of a Cyber incident response team. An ongoing attack has been identified on your Webserver. Your company wants to take legal action against the criminals who have hacked your Server, so they have brought in a forensic analyst from the FBI to collect the evidence from the Server. Using the options below, place them in the proper order in which the digital evidence should be collected based on the Order of Volatility.

Swap File
Processor Cache
Random Access Memory
Hard Drive or USB Drive

A

Processor Cache
Random Access Memory
Swap File
Hard Drive or USB Drive

Explanation:
The correct order for evidence collection based on the order of volatility is the Processor Cache, Random Access Memory, Swap File, and then the Hard Drive or USB Drive.

Since the Processor Cache is the most volatile and changes the most frequently, it should be captured first.

Random Access Memory (RAM) is temporary storage on a computer. It can quickly change or be overwritten, and the information stored in RAM is lost when power is removed from the computer, so it should be collected second.

Swap files are temporary files on a hard disk used as virtual memory, and therefore, they should be collected third.

The files on a hard disk or USB drive are the least volatile of the four options presented since they are used for long-term storage of data and are not lost when the computer loses power.

56
Q

Which of the following techniques would be the most appropriate solution to implementing a Multifactor Authentication system?

Fingerprint and Retinal Scan
Username and Password
Password and Security Question
Smartcard and PIN

A

Smartcard and PIN

Explanation:
Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication.

These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inheritance factor), something you do (action factor), or somewhere you are (location factor).

By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication.

Choosing a fingerprint and retinal scan would instead use only one factor (inherence).

Choosing a username and password, or a password and security question, would also use only one factor (knowledge).

For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inherence, location, or action.

57
Q

Your organization requires the use of TLS or IPsec for all communications with an organization’s Network. Which of the following is this an example of?

DLP
Data in Transit
Data at Rest
Data in Use

A

Data in Transit

Explanation:
Data in transit (or data in motion) occurs whenever data is transmitted over a network. Examples of types of data in transit include website traffic, remote access traffic, data being synchronized between cloud repositories, and more. In this state, data can be protected by a transport encryption protocol, such as TLS or IPsec.

Data at rest means that the data is in persistent storage media, where it can be protected using whole disk encryption, database encryption, and file- or folder-level encryption.

Data in use is when data is present in volatile memory, such as system RAM or CPU registers and cache. Secure processing mechanisms such as Intel Software Guard Extensions can encrypt data as it exists in memory so that an untrusted process cannot decode the information. This uses a secure enclave and requires a hardware root of trust.

Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without proper authorization. DLP is a generic term for products that may cover data at rest, data in transit, or data in use.

58
Q

A cybersecurity analyst is reviewing the logs of an authentication server and sees a log filled with port 443 traffic that appears to be attempting access to a single user account. What type of attack was MOST likely being attempted by the attacker?

Impersonation
Password Spraying
Credential Stuffing
Brute Force

A

Brute Force

Explanation:
This is an example of a brute force attack. Unlike password spraying that focuses on attempting only one or two passwords per user, a brute force attack focuses on trying multiple passwords for a single user. The goal of this attack is to crack the user’s password and gain access to their account.

Password spraying, instead, refers to the attack method that takes a large number of usernames and loops them with a single password. We can use multiple iterations using several different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users.

Impersonation is the act of pretending to be another person for fraudulent purposes.

Credential stuffing is the automated injection of breached username/password pairs to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack the account for their purposes.

59
Q

When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training?

Data Masking
Data Minimization
Tokenization
Anonymization

A

Data Minimization

Explanation:
Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Since we only need your name and email to deliver the voucher and your credit card to receive payment for the voucher, we do not collect any additional information, such as your home address or phone number.

Data masking can mean that all or part of a field’s contents are redacted, by substituting all character strings with x, for example.

Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique.

Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

60
Q

What should administrators perform to reduce a system’s attack surface and remove unnecessary software, services, and insecure configuration settings?

Harvesting
Stealthing
Hardening
Windowing

A

Hardening

Explanation:
Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, removing unnecessary software, unnecessary usernames or logins, and disabling or removing unnecessary services.

Windowing is the use of windows for the simultaneous display of more than one item on a screen.

Harvesting is the process of gathering data, normally user credentials.

Stealthing is a made-up term in this question.

61
Q

You are troubleshooting a Network connectivity issue and need to determine the packet’s flow path from your system to the remote Server. Which of the following tools would best help you identify the path between the two systems?

nbtstat
netstat
tracert
ipconfig

A

tracert

Explanation:
The tracert (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, tracert uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP “Time Exceeded” message back to the source computer. The ICMP “Time Exceeded” messages that intermediate routers send back show the route.

The ipconfig tool displays all current TCP/IP network configuration values on a given system.

The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system.

The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.

62
Q

During a penetration test, you find a Hash Value related to malware associated with an APT. What best describes what you have found?

Botnet
SQL Injection
XSRF
Indicator of Compromise

A

Indicator of Compromise

Explanation:
An indicator of compromise is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers’ domain names.

SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.

Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. Specially crafted image tags, hidden forms, and JavaScript XMLHttpRequests are some of the many ways a malicious website can transmit such commands, and all of them can work without the user’s interaction or even knowledge.

A botnet consists of many Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.

63
Q

Which mobile device strategy is most likely to introduce vulnerable devices to a corporate Network?

COPE
MDM
BYOD
CYOD

A

BYOD (Bring Your Own Device)

Explanation:
The BYOD (bring your own device) strategy opens a network to many vulnerabilities. People can bring their personal devices to the corporate network, and their devices may contain vulnerabilities that could be allowed to roam free on a corporate network.

COPE (company-owned/personally enabled) means that the company provides the users with a smartphone primarily for work use, but basic functions such as voice calls, messaging, and personal applications are allowed, with some controls on usage and flexibility.

With CYOD, the user can choose which device they wish to use from a small selection of devices approved by the company. The company then buys, procures, and secures the device for the user.

Mobile device management (MDM) is a system that gives centralized control over COPE (company-owned, personally enabled) devices.

64
Q

Dion Training has set up a lab consisting of 12 laptops for students to use outside of normal classroom hours. The instructor is worried that a student may try to steal one of the laptops. Which of the following physical security measures should be used to ensure the laptops are not stolen or moved out of the lab environment?

Key Fob
Cable Locks
USB Lock
Biometric Locks

A

Cable Locks

Explanation:
The Kensington lock slot is a small hole found on almost every portable computer or laptop made after 2000. It allows a cable lock to be attached to a portable computer or laptop to lock it to a desk and prevent theft. These locks often use a combination lock or padlock type of locking system. They do not affect the user’s ability to use the laptop or device; they only prevent the laptop from being moved out of the area.

A biometric lock is any lock that can be activated by biometric features, such as a fingerprint, voiceprint, or retina scan. Biometric locks make it more difficult for someone to counterfeit the key used to open the lock or a user’s account.

A smart card is a form of hardware token. A key fob generates a random number code synchronized to a code on the server. The code changes every 60 seconds or so. This is an example of a one-time password. The SecurID token produced by RSA is an example of a key fob.

A USB lock prevents unauthorized data transfer through USB ports, reducing the risk of data leakage, data theft, computer viruses, and malware by physically locking and blocking the USB ports.

65
Q

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices that a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft’s regular patch. Which of the following options would be best to ensure the systems remain protected and compliant with the rules outlined by the PCI DSS?

Remove the POS terminals from the Network until the vendor releases a patch.

Replace the Windows POS terminals with standard Windows Systems.

Identify, Implement, and Document Compensating Controls.

Build a custom OS Image that includes the patch.

A

Identify, Implement, and Document Compensating Controls.

Explanation:
Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS.

The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option.

The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities.

Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.

66
Q

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders?

Separation of Duties
Mandatory Vacation
Dual Control
Background Checks

A

Separation of Duties

Explanation:
This organization uses separation of duties to ensure that neither Kirsten nor Bob can exploit the organization’s ordering processes for their gain. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error.

Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur.

Mandatory vacation policies require employees to take time away from their job, which helps detect fraud or malicious activities while they are absent.

A background check is a process a person or company uses to verify that a person is who they claim to be and provides an opportunity for someone to check a person’s criminal record, education, employment history, and other past activities to confirm their validity.

67
Q

Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach?

Credit Card Information
Personally Identifiable Information
Protected Health Information
Trade Secret Information

A

Protected Health Information

Explanation:
Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPAA). It requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media (if more than 500 individuals are affected) in the case of a data breach.

Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual.

Credit card information is protected under the PCI DSS information security standard.

Trade secret information is protected by the organization that owns those secrets.

Under the GDPR, information about an individual’s race or ethnic origin is classified as sensitive personal information (SPI). Sensitive personal information is information about a subject’s opinions, beliefs, and nature that is afforded specially protected status by privacy legislation.

68
Q

Dion Training wants to get an external attacker’s perspective on its Security status. Which of the following services should they purchase?

Vulnerability Scan
Patch Management
Penetration Test
Asset Management

A

Penetration Test

Explanation:
Penetration tests provide an organization with an external attacker’s perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network.

A vulnerability scan provides an assessment of your security posture from an internal perspective.

Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles. It may apply both to tangible assets and intangible assets.

Patch management is the process of acquiring, testing, and installing multiple patches (code changes) on existing applications and software tools on a computer, keeping systems up to date with available patches and determining which patches are the appropriate ones.

69
Q

A Cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this?

Use DevSecOps to build the application that processes the PHI.

Utilize formal methods of verification against the application processing the PHI.

Utilize a SaaS model to process the PHI data instead of an on-premise solution.

Conduct Tokenization on the PHI data before ingesting it into the big data application.

A

Conduct Tokenization on the PHI data before ingesting it into the big data application.

Explanation:
The university should utilize a tokenization approach to prevent an inadvertent release of the PHI data. In a tokenization approach, all or part of the data in a field is replaced with a randomly generated token. That token is then stored with the original value on a token server or token vault, separate from the production database. This is an example of a deidentification control and should be used since the personally identifiable medical data does not need to be retained after ingestion for the research project; only the medical data itself is needed.

While using DevSecOps can improve the overall security posture of the applications being developed in this project, it does not explicitly define a solution to prevent this specific issue, making it a less ideal answer choice for the exam.

Formal verification methods can be used to prove that none of the AI/ML techniques that process the PHI data could inadvertently leak it. Still, the cost and time associated with using these methods make them inappropriate for a system used to conduct research. A formal method uses a mathematical model of a system’s inputs and outputs to prove that the system works as specified in all cases. It is difficult for manual analysis and testing to capture every possible use case scenario in a sufficiently complex system. Formal methods are mostly used with critical systems such as aircraft flight control systems, self-driving car software, and nuclear reactors, not big data research projects.

The option provided that recommends utilizing a SaaS model is not realistic. There is unlikely to be a SaaS provider with a product suited to the big data research being done. SaaS products tend to be commoditized software products that are hosted in the cloud. The idea of migrating to a SaaS is a distractor on this exam, which is trying to get you to think about shifting the responsibility for the PHI to the service provider and away from the university, but due to the research nature of the project, this is unlikely to be a valid option in the real world and may not be legally allowed due to the PHI being processed.

70
Q

Which attack is MOST likely to be used by a malicious employee or insider trying to obtain another user’s passwords?

On-Path Attack
Tailgating
Phishing
Shoulder Surfing

A

Shoulder Surfing

Explanation:
Shoulder surfing is performed by someone who is already inside and able to observe another employee’s screen or keyboard in order to gain additional access, credentials, or information from that person’s computer.

A malicious employee or insider is already inside the company and already has some access. The options of phishing and tailgating suggest an outside strategy to attack the company. Tailgating is when someone who is not authorized follows (piggybacks on) someone who is in order to gain entry, while phishing uses email campaigns to gain an advantage.

An on-path attack is a man-in-the-middle attack, which again suggests that this threat is on the outside trying to get in.

71
Q

Which of the following describes the Security method used when users enter their Username and Password only once and can access multiple applications?

Inheritance
Permission Propagation
Multifactor Authentication
SSO

A

SSO (Single Sign-On)

Explanation:
Single sign-on (SSO) is an authentication process that allows users to access multiple applications with one set of login credentials. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN).

Permission propagation occurs when a technician sets permissions on a folder or a drive, and the folder properties apply those permissions to all of the folders under that folder in the tree. Permissions propagation secures your data by limiting access to the users specified in the top folder.

Multifactor authentication is an authentication scheme that works based on something you know, something you have, something you are, something you do, or somewhere you are. These schemes can be made stronger by combining them (for example, protecting the use of a smart card certificate [something you have] with a PIN [something you know]).

Inheritance or inherited permissions are permissions that are given to an object because it is a child of a parent object. Inheritance occurs due to permissions propagation.

72
Q

Dion Consulting Group has recently been awarded a contract to provide Cybersecurity Services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected?

COSO
GLBA
HIPAA
SOX

A

HIPAA (Health Insurance Portability and Accountability Act)

Explanation:
The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be followed in the United States.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance.

The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidance on governance-related topics, including fraud, controls, finance, and ethics. COSO’s ERM integrated framework defines risk and related common terminology, lists key components of risk management strategies, and supplies direction and criteria for enhancing risk management practices.

73
Q

Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application?

Public Key of the file.
Private Key of the file.
File size and file creation date.
MD5 or SHA1 Hash Digest of the file.

A

MD5 or SHA1 Hash Digest of the file.

Explanation:
Keith should compute a hash of the downloaded file and compare it against the MD5 hash digest listed on the server for this file. The server needs to publish a verifiable MD5 hash so that Keith can validate that the file’s integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit.

The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on comparing hash digests.

A public or private key would not be assigned solely to a single file, nor do they provide integrity on their own. Public and private keys are used to ensure data confidentiality, whereas a hash digest ensures integrity.

The file size and file creation date are additional forms of metadata that could help validate a file’s integrity. Still, they are of a much lower quality and trust factor than a hash digest. Therefore, MD5 or SHA1 is a better choice.

74
Q

Following a root cause analysis of an edge Router’s unexpected failure, a Cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the Router may be a counterfeit device. Which of the following controls would have been MOST effective in preventing this issue?

Conduct secure supply chain management training.

Ensure all antivirus signatures are up to date.

Increase Network vulnerability scan frequency.

Verify that all Routers are patched to the latest release.

A

Conduct secure supply chain management training.

Explanation:
Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization.

All other options may produce security gains in the network, but they are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization’s supply chain. Training on detection methodologies (e.g., simple visual inspections) and training for acquisition personnel will better prevent recurrences.

75
Q

You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux System? (Select the MOST efficient command.)

journalctl _UID=1003 | grep -e 1003 | grep sudo

journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo

journalctl _UID=1003 | grep -e [Tt]erri | grep sudo

journalctl _UID=1003 | grep sudo

A

journalctl _UID=1003 | grep sudo

Explanation:
journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd’s log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter _UID=1003, you will only receive entries made under the authority of the user with ID (UID) 1003. In this case, that is Terri. Using a pipe, we can send that list of entries into the grep command as input and filter the results before returning them to the screen. This command will be sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could further filter the results using regular expressions with grep’s -e flag.

Since the UID of 1003 is only used by Terri, it is unnecessary to add [Tt]erri to your grep filter as the only results for UID 1003 (terri) will already be shown.

So, while all four of these would produce the same results, the most efficient option to accomplish this is to enter “journalctl _UID=1003 | grep sudo” in the terminal. Don’t be afraid when you see questions like this; walk through each part of the command step by step and determine the differences.

In this question, you may not have known what journalctl is, but you didn’t need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one.

76
Q

1.) An attacker has been collecting Credit Card details by calling victims and using false pretexts to trick them.

2.) An attacker sends an email to 100,000 random email addresses claiming that “Your Bank of America account is locked out. Please click here to reset your password.”

What types of attacks have occurred in (1) and (2)?

(1) Hoax and (2) Spear Phishing
(1) Pharming and (2) Phishing
(1) Vishing and (2) Phishing
(1) Spear Phishing and (2) Pharming

A

(1) Vishing and (2) Phishing

Explanation:
Vishing uses a phone call to conduct information gathering and phishing type of actions.

Spear phishing involves targeting specific individuals using well-crafted emails to gather information from a victim.

Phishing relies on sending out a large volume of email to a broad set of recipients in the hope of eliciting the desired action or collecting the desired information.

A hoax involves tricking a user into performing an action (such as virus remediation actions) when no infection has occurred.

Pharming involves domain spoofing in an attempt to gather the desired information from a victim.

77
Q

A security analyst conducts an Nmap scan of a server and finds that port 25 is open. What risk might this server be exposed to?

Open Mail Relay
Clear Text Authentication
Open File/Print Sharing
Web Portal Data Leak

A

Open Mail Relay

Explanation:
Port 25 is the default port for SMTP (Simple Mail Transfer Protocol), which is used for sending email.

An open mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send email through it, not just mail originating from your known and trusted users. Spammers can exploit this type of vulnerability to use your email server for their benefit.

File/print sharing usually operates over ports 135, 139, and 445 on a Windows server.

Web portals run on ports 80 and 443.

Clear text authentication could occur using an unencrypted service, such as telnet (23), FTP (20/21), or the web (80).

78
Q

What should be done NEXT if the final set of Security Controls does not eliminate all of the risks in a given system?

You should ignore any remaining risk.

You should accept the risk if the residual risk is low enough.

You should continue to apply additional controls until there is Zero risk.

You should remove the current controls since they are not completely effective.

A

You should accept the risk if the residual risk is low enough.

Explanation:
In most cases, you will be unable to remove all risks. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk.

Removing the controls would add to the risk, which is a bad course of action to select.

Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough.

If it is not low enough, you should continue to mitigate the risk by adding additional control measures.

It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.

79
Q

Dion Training has an open wireless network called “InstructorDemos” for its instructors to use during class, but they do not want any students connecting to this wireless network. The instructors need the “InstructorDemos” network to remain open since some of their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the following configuration settings should you use to satisfy the instructors’ requirements and prevent students from using the “InstructorDemos” network?

MAC Filtering
Signal Strength
QoS
NAT

A

MAC Filtering

Explanation:
Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same devices to connect to the network, it would be relatively easy to implement MAC filtering based on a list of the devices that are allowed to use the open network and reject any other devices not listed by the instructors (like the students’ laptops or phones).

Reducing the signal strength would not solve this issue since students and instructors are in the same classrooms.

Using Network Address Translation and Quality of Service will not prevent the students from accessing or using the open network.

80
Q

Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure Encryption?

DES with a 56-bit Key
AES with a 256-bit Key
Randomized One-Time use pad
ECC with a 256-bit Key

A

Randomized One-Time use pad

Explanation:
The only truly unbreakable encryption is the one-time pad. Every message is encrypted with fresh, truly random key material that is as long as the message and is known only to the two holders of the pad. Because the key is random and never reused, there is no pattern for an attacker to find; even if the key for one message were somehow recovered, all of the other messages would remain secure since each used different key material. Unfortunately, one-time pads require that two identical copies of the pad be generated from a truly random source and distributed securely before they can be used, and that no portion of the pad ever be used twice.

DES and AES both rely on a single, reusable shared secret key that is far shorter than the data it protects, so they are only computationally secure, not unbreakable.

DES, with its 56-bit key, has already been broken by brute force, while AES remains unbroken (today).

With enough time and computing power, though, an AES key could be discovered.

ECC (like RSA) is also only computationally secure and is vulnerable to attack with enough time and computing power.
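The one-time pad in working code, as an added example that is not part of the original flashcards: encryption is XOR with fresh random pad bytes, decryption is the same XOR, and the last two functions show why the pad must never be reused. The sample messages and pad length are assumptions.

```python
"""One-time pad demonstration.

Added example, not from the original flashcards. Only the Python standard
library is used; `secrets` supplies the CSPRNG that generates the pad.
"""
import secrets


def generate_pad(length: int) -> bytes:
    """Return `length` cryptographically random bytes of pad material.

    A real pad is generated once, copied to both parties over a secure
    channel, and every byte is destroyed after a single use.
    """
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings (truncated to the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Encrypt by XORing the message with an equal-length slice of the pad."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(ciphertext, pad)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper learns when one pad encrypts two messages.

    c1 XOR c2 == (m1 XOR k) XOR (m2 XOR k) == m1 XOR m2: the key cancels out.
    """
    return xor_bytes(c1, c2)


def recover_with_crib(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Given the leaked m1 XOR m2 and a guess (crib) of m1, recover m2."""
    return xor_bytes(pad_reuse_leak(c1, c2), known_m1)


if __name__ == "__main__":
    # Constructed sample messages (not from the original page).
    m1 = b"ATTACK AT DAWN"
    m2 = b"RETREAT NOW!!!"
    pad = generate_pad(64)

    c1 = otp_encrypt(m1, pad)
    print("ciphertext:", c1.hex())
    print("decrypts to:", otp_decrypt(c1, pad))

    # The "one-time" in the name is load-bearing: reuse the pad and an attacker
    # who knows (or guesses) one message reads the other without the key.
    c2 = otp_encrypt(m2, pad)
    print("recovered from pad reuse:", recover_with_crib(c1, c2, m1))
```

The distribution problem the explanation mentions is visible here too: `generate_pad` must run once, and both copies of its output must reach the two parties intact and secret, which is exactly what AES and ECC exist to avoid.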

81
Q

The local electric power plant contains both business Networks and ICS/SCADA Networks to control their equipment. Which technology should the power plant’s Security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems?

Antivirus Software
Intrusion Prevention System
Log Consolidation
Automated Patch Deployment

A

Intrusion Prevention System (IPS)

Explanation:
Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA devices use a narrow, well-defined set of commands to control the equipment, so you can set up strict IPS rules that allow only the expected commands from the expected hosts and block any unknown type of action before it reaches the controllers.

Log consolidation is a good idea, but it won’t prevent an issue and therefore isn’t the most critical thing to add first.

Automated patch deployment should not be the first choice, since patches for ICS/SCADA systems must be tested before they are applied; patches often break ICS/SCADA functionality.

Antivirus software may not even be able to run on the equipment, since many ICS/SCADA systems do not use standard operating systems like Windows.
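What a “strict IPS rule” for an ICS protocol looks like in practice, as an added example that is not from the original flashcards: the block parses Modbus/TCP requests (the real MBAP header and standard function codes) and enforces a constructed allow list of which client may issue which function codes and which registers may be written. The IP addresses, policy, register range and sample frames are all assumptions built for illustration.

```python
"""Allow-list inspection of Modbus/TCP requests, in the spirit of the strict
IPS rules described above. Added example, not from the original flashcards.
Frames, addresses and policy are constructed; only the Modbus/TCP framing
(MBAP header + PDU) and the standard function codes are real.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Set, Tuple

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}

# Hypothetical policy: which client may issue which function codes.
POLICY: Dict[str, Set[int]] = {
    "10.0.10.5": {3, 4, 6, 16},   # HMI: may read and write
    "10.0.10.20": {3, 4},         # historian: read-only
}
# Hypothetical: the only holding registers the HMI is permitted to change.
WRITABLE_RANGE = range(0, 100)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int    # first coil/register the request touches
    quantity: int   # how many coils/registers it touches


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the addressing fields of the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:   # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    function, data = frame[7], frame[8:]
    if function in (1, 2, 3, 4, 15, 16):
        if len(data) < 4:
            raise ValueError("missing start address / quantity")
        address, quantity = struct.unpack(">HH", data[:4])
    elif function in (5, 6):
        if len(data) < 2:
            raise ValueError("missing output address")
        address, quantity = struct.unpack(">H", data[:2])[0], 1
    else:
        address, quantity = 0, 0
    return ModbusRequest(tid, unit, function, address, quantity)


def inspect_request(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Return ('allow' | 'drop', reason) for one request from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "drop", f"malformed frame: {exc}"
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return "drop", f"{src_ip} is not an authorised Modbus client"
    name = FUNCTION_NAMES.get(req.function, "unknown/vendor-specific")
    if req.function not in allowed:
        return "drop", f"{src_ip} may not use function {req.function} ({name})"
    if req.function in WRITE_FUNCTIONS:
        last = req.address + req.quantity - 1
        if req.address not in WRITABLE_RANGE or last not in WRITABLE_RANGE:
            return "drop", f"write to {req.address}-{last} is outside the permitted range"
    return "allow", name


def build_request(transaction_id: int, unit_id: int, function: int, *fields: int) -> bytes:
    """Build a constructed Modbus/TCP request whose PDU holds 16-bit fields."""
    pdu = bytes([function]) + b"".join(struct.pack(">H", f) for f in fields)
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    samples = [
        ("10.0.10.5", build_request(1, 1, 3, 0, 10)),       # HMI reads 10 registers
        ("10.0.10.5", build_request(2, 1, 6, 10, 0x1234)),  # HMI writes register 10
        ("10.0.10.5", build_request(3, 1, 6, 500, 1)),      # HMI writes outside range
        ("10.0.10.20", build_request(4, 1, 6, 10, 1)),      # historian tries to write
        ("10.0.10.99", build_request(5, 1, 3, 0, 10)),      # unknown host reads
        ("10.0.10.5", b"\x00\x06\x00\x00"),                 # truncated frame
    ]
    for src, frame in samples:
        verdict, reason = inspect_request(src, frame)
        print(f"{src:<12} {verdict:<5} {reason}")
```

The default-drop shape is the point: an IPS in front of a PLC can afford to reject anything not on the list precisely because the legitimate traffic is so predictable, which is rarely true on a business network.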

82
Q

A Cybersecurity analyst has determined that an attack has occurred against your company’s Network. Fortunately, your company uses a good logging system with a centralized Syslog Server, so all the logs are available, collected, and stored properly. According to the Cybersecurity analyst, the logs indicate that the database Server was the only company Server on the Network that appears to have been attacked. The Network is a critical production Network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the Network while performing the appropriate Incident Response actions. Which actions do you recommend as part of the response efforts?

Isolate the affected Server from the Network immediately, format the database Server, reinstall from a Known Good Backup.

Conduct a System Restore of the database Server, image the Hard Drive, and maintain the Chain of Custody.

Immediately remove the database Server from the Network, create an image of its hard disk, and maintain the Chain of Custody.

Capture Network traffic using a Sniffer, schedule a period of downtime to image and remediate the affected Server, and maintain the Chain of Custody.

A

Capture Network traffic using a Sniffer, schedule a period of downtime to image and remediate the affected Server, and maintain the Chain of Custody.

Explanation:
Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic, since a sniffer on a tap or SPAN port does not affect the database server or the network (least intrusive), while scheduling a period of downtime in which to take a forensic image of the database server’s hard drive. All network captures and the hard drive image must be maintained under the chain of custody in case they are needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created and verified.
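What “maintain the chain of custody” means operationally for the captures and the disk image, as an added example that is not from the original flashcards: hash the evidence at acquisition, log every hand-off, and re-verify the hash before anyone accepts it, so that an altered image is detected rather than silently passed along. The evidence bytes, names and timestamps are constructed.

```python
"""Chain-of-custody record for a forensic image or packet capture.

Added example, not from the original flashcards. Evidence bytes, names and
timestamps are constructed; the technique (hash at acquisition, log every
hand-off, re-verify before accepting) is the real one.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def now_utc() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(evidence_id: str, description: str, data: bytes,
            collector: str, when: str = "") -> Dict[str, Any]:
    """Open a custody record; the acquisition hash is the reference from now on."""
    return {
        "evidence_id": evidence_id,
        "description": description,
        "sha256": sha256_hex(data),
        "size": len(data),
        "log": [{"time": when or now_utc(), "action": "acquired", "by": collector}],
    }


def verify(record: Dict[str, Any], data: bytes) -> bool:
    """True only if the evidence still matches its acquisition hash and size."""
    return len(data) == record["size"] and sha256_hex(data) == record["sha256"]


def transfer(record: Dict[str, Any], data: bytes, from_person: str,
             to_person: str, when: str = "") -> Dict[str, Any]:
    """Record a hand-off. The receiver re-hashes; a mismatch stops the transfer."""
    when = when or now_utc()
    if not verify(record, data):
        record["log"].append({"time": when, "action": "INTEGRITY FAILURE",
                              "by": from_person})
        raise ValueError(f"{record['evidence_id']}: hash mismatch, "
                         "evidence altered since acquisition")
    record["log"].append({"time": when, "action": "transferred",
                          "from": from_person, "to": to_person})
    return record


if __name__ == "__main__":
    # Constructed stand-in for a disk image (not real evidence).
    image = b"constructed sample disk image bytes " * 1000
    rec = acquire("DB-SRV-01-HDD", "database server disk image", image, "analyst A")
    rec = transfer(rec, image, "analyst A", "evidence custodian")
    print(json.dumps(rec, indent=2))

    # Flip one byte and the next hand-off fails instead of passing bad evidence on.
    tampered = image[:5] + b"X" + image[6:]
    try:
        transfer(rec, tampered, "evidence custodian", "analyst B")
    except ValueError as exc:
        print("refused:", exc)
```

The size check alongside the hash is cheap insurance against a truncated copy, and recording the failure in the log (rather than just raising) is what lets the custodian explain the gap later.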

83
Q

You have just received an email that claims to be from the Federal Bureau of Investigation (FBI). The email claims that your computer was identified as part of a Botnet being used to distribute pirated copies of a new movie. The email states that you must click the link below and pay a fine of $1000 within 24 hours, or Federal Agents will be sent to your home to arrest you for Copyright infringement. What social engineering principle is this email relying on using?

Trust
Intimidation
Familiarity
Consensus

A

Intimidation

Explanation:
Intimidation is a commonly used technique during a social engineering campaign. It relies on scaring or frightening a person into acting (here, clicking the link and paying) before they stop to verify the claim. Often, these emails will claim to be from the FBI, IRS, or other government agencies, and they typically add a short deadline to increase the pressure.

84
Q

Which type of method is used to collect information during passive reconnaissance?

Reviewing Public Repositories
Network Traffic Sniffing
Social Engineering
API Requests and Responses

A

Reviewing Public Repositories

Explanation:
Passive reconnaissance collects information from publicly available sources without sending any traffic to the target, so the target has no opportunity to detect the activity.

While network traffic sniffing is considered passive, gaining access to the network to place a sniffer in a good network tap location would not be considered passive.

Of the choices provided, publicly accessible sources are the best answer to choose.

Collecting API requests and responses would involve a penetration tester sending data to a given server and analyzing the responses received, which is considered an active reconnaissance method.

Social engineering is also an active reconnaissance technique that uses deception to trick a user into providing information to an attacker or penetration tester.

85
Q

Why would a company want to utilize a Wildcard Certificate for their Servers?

To increase the Certificate’s Encryption Key length.

To Secure the Certificate’s Private Key

To reduce the Certificate Management burdens.

To extend the Renewal Date of the Certificate

A

To reduce the Certificate Management burden.

Explanation:
A wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain. This saves money and reduces the burden of managing multiple certificates, one for each subdomain. A single wildcard certificate for *.diontraining.com will secure all of these hosts (www.diontraining.com, mail.diontraining.com, ftp.diontraining.com, etc.). Two caveats a practitioner should keep in mind: the wildcard matches exactly one label, so it does not cover the bare domain diontraining.com or a deeper name such as dev.api.diontraining.com unless those are listed separately, and the same private key must be installed on every host that uses the certificate, so compromising one of those hosts exposes them all.

None of the other options is achieved by using a wildcard certificate: it does not change the key length, protect the private key, or extend the renewal date.
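The one-label rule in working code, as an added example that is not from the original flashcards: it implements the hostname matching that browsers apply to certificate names (RFC 6125 section 6.4.3, with the stricter browser reading that rejects partial wildcards such as w*.example.com) and reports which hosts a given Subject Alternative Name list actually covers. The host names are the flashcard’s; the SAN lists are constructed.

```python
"""Which hostnames does a wildcard certificate actually cover?

Added example, not from the original flashcards. '*' may only be the entire
left-most label and matches exactly one label; everything else is literal.
"""
from typing import Iterable, List, Tuple


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate name `pattern` covers `hostname`."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    # Reject partial wildcards (w*.example.com) and '*' anywhere but the first label.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # '*.com' or a bare '*' would cover a whole TLD; public CAs will not issue these.
    if len(p) < 3:
        return False
    # Exactly one label: *.example.com covers www.example.com, but neither
    # example.com itself nor a.b.example.com.
    return len(h) == len(p) and h[1:] == p[1:]


def covered_by(san_names: Iterable[str], hostname: str) -> bool:
    """True if any Subject Alternative Name in the certificate covers hostname."""
    return any(wildcard_matches(san, hostname) for san in san_names)


def coverage_report(san_names: List[str], hostnames: List[str]) -> List[Tuple[str, bool]]:
    return [(host, covered_by(san_names, host)) for host in hostnames]


if __name__ == "__main__":
    cert_sans = ["*.diontraining.com"]           # constructed SAN list
    hosts = [
        "www.diontraining.com", "mail.diontraining.com", "ftp.diontraining.com",
        "diontraining.com", "dev.api.diontraining.com", "www.diontraining.com.evil.net",
    ]
    for host, ok in coverage_report(cert_sans, hosts):
        print(f"{'covered' if ok else 'NOT covered':<12} {host}")
    # The usual fix for the apex is a second SAN entry, not a broader wildcard.
    print(coverage_report(["diontraining.com", "*.diontraining.com"], ["diontraining.com"]))
```

Running the report before ordering the certificate is the cheapest way to discover that an apex host or a second-level name needs its own SAN entry.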

86
Q

Look at the provided Protocols. Match each Protocol with its correct corresponding Port #.

Options:
TFTP
SMTP
HTTP
DNS

Answers:
53
69
80
25
443
110

A

TFTP = 69 (Trivial File Transfer Protocol)

SMTP = 25 (Simple Mail Transfer Protocol)

HTTP = 80 (Hyper Text Transfer Protocol)

DNS = 53 (Domain Name System)

The remaining answers are distractors: 443 is HTTPS and 110 is POP3.

87
Q

Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate Network. As part of the contract, the company has specified that it will not provide any Network details to the penetration testing firm. Instead, the company wants to see how much information about the Network can be found by the penetration testers using Open-Source research and scanning the corporate Network. What type of assessment is this considered?

Known Environment Testing
Semi-Trusted Environment Testing
Unknown Environment Testing
Partially Known Environment Testing

A

Unknown Environment Testing

Explanation:
An unknown environment penetration test requires no previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior information about the target system or network in an unknown environment penetration test. These tests provide a realistic scenario for testing the defenses, but they can be costlier and more time-consuming to conduct as the tester is examining a system from an outsider’s perspective.

A partially known environment tester has the user’s access and knowledge levels, potentially with elevated privileges on a system. These partially known environment penetration testers typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network.

A known environment test is known by several different names, including clear-box, open-box, auxiliary, or logic-driven testing. It falls on the opposite end of the spectrum from an unknown environment test because the penetration testers have full access to source code, architecture documentation, and so forth.

A known environment penetration tester can also perform static code analysis, so familiarity with source code analyzers, debuggers, and similar tools are necessary for this type of testing.

A semi-trusted environment test is a made-up term and is used as a distractor in this question.