Objective 2 Flashcards
Which of the following are hardware issues that result from products that are no longer being made or supported, but are still usable?
Hardware cloning
Hardware tampering
Legacy vulnerability
End-of-life vulnerability
End-of-life vulnerability is the correct answer. This occurs when hardware products are no longer supported by the manufacturer, meaning they no longer receive updates, patches, or support. While the hardware may still function, its lack of updates makes it vulnerable to security issues and failures.
Hardware cloning is incorrect because it refers to unauthorized duplication of hardware, not the result of products being out of support. Hardware tampering is incorrect because it involves intentional modifications to hardware, often for malicious purposes, which is unrelated to the lifecycle of the product. Legacy vulnerability is incorrect in this context because it refers more broadly to risks associated with outdated systems, while end-of-life vulnerability specifically addresses unsupported hardware.
Which of the following hardening techniques can help protect systems or devices from attacks by installing software like a firewall or antivirus directly on user devices to report and block potential attacks?
Changing Default Passwords
Installation of endpoint protection
Least Privilege
Patching
Installation of endpoint protection is the correct answer. This hardening technique involves deploying software like firewalls, antivirus, and other security tools directly on user devices to monitor, report, and block potential attacks. Endpoint protection enhances the security of individual devices and safeguards them against various threats.
Changing default passwords is incorrect because, while it is an essential hardening step, it does not involve installing software for active threat protection. Least privilege is incorrect because it focuses on limiting user access rights and permissions, not on directly blocking attacks through software. Patching is incorrect because it refers to updating software to fix vulnerabilities, which is distinct from installing security tools like endpoint protection.
Which of the following vulnerabilities BEST describes a situation where a threat actor can manipulate data after it has been verified by an application, but before the application uses it for a specific operation?
Memory leaks
Resource exhaustion
Race conditions
Time-of-check (TOC)
Time-of-check (TOC) is the correct answer. The full name is time-of-check to time-of-use (TOCTOU): the application validates a value or resource at one moment (the check) and acts on it at a later moment (the use). Anything an attacker can change in between inherits the result of the validation without satisfying it, which is why the fix is to make the check and the use a single atomic operation, for example validating and then using one open file descriptor rather than validating a path name and reopening that name.
Memory leaks are incorrect because they describe an application failing to release memory it no longer needs, which wastes resources but does not involve tampering with checked data. Resource exhaustion is incorrect because it describes memory, CPU, or other resources being depleted, which leads to denial of service rather than data manipulation. Race conditions is incorrect only because the option is too broad: a TOCTOU flaw is itself a race between the application and the attacker, and when the scenario specifically describes data altered after verification but before use, the exam expects the more specific term.
Which of the following motivations refers to any act of stealing information from a system or network?
Data exfiltration
Ethical motivations
Disruption/chaos
Service disruption
Data exfiltration is the correct answer. This refers to the act of stealing or transferring data from a system or network, often with malicious intent, such as stealing sensitive information for unauthorized use.
Ethical motivations are incorrect because they relate to actions taken with good intentions, typically by security professionals, to help protect or improve systems, not to steal data. Disruption/chaos is incorrect because it refers to actions aimed at causing confusion or disarray, rather than stealing data. Service disruption is incorrect because it involves actions that intentionally disrupt the availability of services, but it doesn’t necessarily involve stealing information.
Dion Training has recently implemented a new web portal for their customers. During a routine security review, the IT team notices that some suspicious activities have been logged. An unknown user attempted to access the system with a strange pattern: when requesting a particular user file, instead of the usual URL structure ( /users/[username]/profile ) the system registered requests like ( /users/../admin/config ). Within a short span of time, several such patterns were identified, each trying to reach different sensitive files and directories. Given this information, which of the following types of attack is the user MOST likely attempting?
Attempting to escalate their privileges on the system.
Attempting to access files outside of intended directories.
Attempting to exploit a buffer overflow vulnerability.
Attempting to inject malicious scripts into the system.
The user is most likely attempting to access files outside of intended directories. This behavior suggests a directory traversal attack, where the attacker manipulates the URL path to reach files or directories the user was never meant to see, such as sensitive configuration files. The “/../” sequence walks up the directory tree, and attackers commonly vary its encoding (%2e%2e/, ..\, double encoding) to slip past naive filters, so a server should decode each path once, normalize it, and confirm it still lies inside the intended directory before serving it.
Attempting to escalate privileges is incorrect because the observed technique is reading files; a stolen admin configuration might later support privilege escalation, but that is not what the logs show. Attempting to exploit a buffer overflow is incorrect because overflow attacks involve feeding oversized input to overwrite memory, which is not evident here. Attempting to inject malicious scripts is incorrect because script injection aims to execute attacker-supplied code in the application or a victim’s browser, not to read files from the server’s filesystem.
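The containment check described above, as an added example that is not part of the original flashcard. It decodes a request path once, normalizes it, and proves with os.path.commonpath that the result still sits under a document root; the root /srv/portal/users and the sample request paths are assumptions chosen to match the scenario.

```python
import os
from urllib.parse import unquote

# Hypothetical document root for the portal; the original question names no path.
DOCROOT = "/srv/portal/users"


def resolve_user_path(requested: str, docroot: str = DOCROOT) -> str:
    """Map a request path onto the filesystem, or raise if it escapes docroot.

    Decode percent-encoding exactly once (the web server must not decode
    again), collapse '.' and '..' with normpath, join onto the document root,
    and prove containment with commonpath.  A plain string-prefix test is not
    enough: '/srv/portal/users_old/x' starts with '/srv/portal/users'.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    relative = os.path.normpath(decoded)
    candidate = os.path.normpath(os.path.join(docroot, relative))
    # os.path.join discards docroot when `relative` is absolute ('/etc/passwd'),
    # and normpath folds '..', so both cases are caught by the containment test.
    if os.path.commonpath([docroot, candidate]) != docroot:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return candidate


def audit_requests(paths, docroot: str = DOCROOT):
    """Return the request paths from an access log that try to leave docroot."""
    escaping = []
    for p in paths:
        try:
            resolve_user_path(p, docroot)
        except (PermissionError, ValueError):
            escaping.append(p)
    return escaping


# Constructed request paths modelled on the flashcard scenario.
SAMPLE_REQUESTS = [
    "alice/profile",
    "../admin/config",
    "%2e%2e/%2e%2e/etc/passwd",
    "bob/../../admin/config",
]

if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        try:
            print(f"allow  {p!r:32} -> {resolve_user_path(p)}")
        except (PermissionError, ValueError) as e:
            print(f"BLOCK  {p!r:32} ({e})")
```

The check is lexical; on a server whose document root contains symbolic links, also run os.path.realpath on the final path and repeat the commonpath test, otherwise a link inside the root can still point outside it. A double-encoded sequence such as %252e%252e is deliberately not decoded a second time, so it resolves to a literal directory name inside the root rather than to a traversal.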
Which of the following vulnerabilities is unique to cloud computing environments, posing risks related to unauthorized access and data manipulation?
Side loading
Buffer overflow
Cross-site scripting (XSS)
Insecure Interfaces and APIs
Insecure Interfaces and APIs is the correct answer. Of the four options it is the one tied to cloud computing: cloud resources are provisioned, configured, and accessed almost entirely through provider APIs and management interfaces, so an API that is unauthenticated, weakly authenticated, or over-privileged exposes the whole tenant to unauthorized access and data manipulation. Insecure APIs exist on premises as well; the point is that in the cloud the API is the control plane.
Side loading is incorrect because it refers to installing software from unofficial sources, typically on mobile devices, and is not a cloud-specific vulnerability. Buffer overflow is incorrect because it is a general memory-safety vulnerability that can occur in any environment, not just cloud computing. Cross-site scripting (XSS) is incorrect because it affects web applications and browsers; it can occur in cloud-hosted applications, but it is not specific to them.
Travid is evaluating an attack that has occurred on his organization’s system. He sees that the attacker entered a lot of data into the area of memory in the API that temporarily stores user input. What type of attack did Travid discover?
Memory leak
Buffer overflow
Buffer underflow
Memory fragmentation
Buffer overflow is the correct answer. In this scenario, the attacker has entered a large amount of data into a memory area that temporarily stores user input, which is characteristic of a buffer overflow attack. The attacker likely overflowed the buffer, causing the excess data to overwrite adjacent memory, potentially allowing the attacker to execute malicious code or alter the behavior of the system.
Memory leak is incorrect because it refers to a situation where memory is not properly released after use, leading to resource exhaustion over time. Buffer underflow is incorrect because it describes access before the start of a buffer, or a buffer being read faster than it is filled, rather than oversized input written past the end. Memory fragmentation is incorrect because it involves inefficient use of memory, where free memory is split into small blocks, but it doesn’t specifically involve an attack or data overflow.
Which of the following BEST describes a threat actor who primarily depends on commonly found tools, often easily accessible from the web or dark web?
Bug bounty hunter
Script kiddie
APT
Ethical hacker
Script kiddie is the correct answer. A script kiddie is a threat actor who relies on pre-written tools or scripts, often easily accessible from the web or dark web, to carry out attacks. These attackers typically lack the advanced technical skills to develop their own exploits and depend on readily available resources.
Bug bounty hunters are incorrect because they find vulnerabilities and report them responsibly through a bug bounty program in exchange for rewards; they are not carrying out malicious attacks. APT (Advanced Persistent Threat) is incorrect because it refers to highly skilled, well-funded threat actors who employ sophisticated, targeted attacks over an extended period, typically involving custom tools. Ethical hackers are incorrect because they use their skills to help organizations identify and fix security vulnerabilities, not to exploit them.
Which method accurately demonstrates the authentication process used in WPA2 Personal mode?
Dragonfly handshake with a MAC address hash.
QR codes for client device configuration.
Using a passphrase to generate a pairwise master key (PMK).
Password Authenticated Key Exchange (PAKE).
Using a passphrase to generate a pairwise master key (PMK) is the correct answer. In WPA2 Personal mode the pre-shared key (PSK) is a passphrase that both the client and the access point run through PBKDF2-HMAC-SHA1, with the SSID as the salt and 4096 iterations, to produce a 256-bit PMK. The 4-way handshake then derives the pairwise transient key (PTK) from the PMK, the two MAC addresses, and two nonces, and the PTK supplies the keys that protect traffic between the client and the access point. Because the PMK depends only on the passphrase and the SSID, a captured handshake can be attacked offline with a dictionary, which is the main weakness of WPA2 Personal.
Dragonfly handshake with a MAC address hash is incorrect because the Dragonfly handshake (Simultaneous Authentication of Equals, SAE) belongs to WPA3, not WPA2. QR codes for client device configuration are incorrect because QR codes only simplify device onboarding; they are not the authentication method. Password Authenticated Key Exchange (PAKE) is incorrect because, although WPA3’s SAE is a PAKE, WPA2 Personal uses a static PSK-derived PMK rather than a PAKE.
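The derivation described above, as an added example rather than code from the original flashcard: PBKDF2 for the PMK, the 802.11 PRF for the PTK, and a small offline dictionary check that shows why the PMK’s dependence on only passphrase and SSID matters. The MAC addresses, nonces, and wordlist are constructed; the PMK test vector (passphrase "password", SSID "IEEE") is the published IEEE 802.11 one.

```python
import hashlib
import hmac
from typing import Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal key derivation:
    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the 4-way handshake inputs.  For CCMP the
    PTK is 48 bytes: KCK (16) || KEK (16) || TK (16).  aa/spa are the AP and
    station MAC addresses; min/max ordering makes both sides agree."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def offline_guess(ssid: str, target_pmk: bytes, wordlist) -> Optional[str]:
    """Why weak passphrases fail: the PMK depends only on passphrase and SSID,
    so anyone holding a captured handshake can test candidates offline.  A real
    attacker checks each candidate against the handshake MIC; comparing the
    PMK directly keeps this example self-contained."""
    for candidate in wordlist:
        if hmac.compare_digest(wpa2_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


# IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
KNOWN_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    pmk = wpa2_pmk("password", "IEEE")
    print("PMK matches 802.11 vector:", pmk.hex() == KNOWN_PMK_HEX)
    # Constructed handshake inputs (not a captured exchange).
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = b"\x11" * 32, b"\x22" * 32
    print("PTK:", wpa2_ptk(pmk, aa, spa, anonce, snonce).hex())
    print("guessed:", offline_guess("IEEE", pmk, ["letmein", "password", "hunter2"]))
```

Note that nothing in the handshake changes the cost of a guess: 4096 PBKDF2 iterations per candidate is the entire work factor, and the SSID is the only salt, so common SSIDs can be precomputed. WPA3’s SAE removes this offline attack by making each guess require a live exchange with the access point.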
Which of the following ports, if left open and unmonitored, might allow database queries from unauthorized external sources?
Port 53
Port 443
Port 21
Port 1433
Port 1433 is the correct answer. Port 1433 is the default port used by Microsoft SQL Server for database communication. If left open and unmonitored, it can allow unauthorized external sources to send database queries, potentially leading to unauthorized access to the database.
Port 53 is incorrect because it is used for DNS (Domain Name System) queries, not for database connections. Port 443 is incorrect because it is used for HTTPS traffic, which secures web communications, not for database queries. Port 21 is incorrect because it is used for FTP (File Transfer Protocol), which is related to file transfers, not database queries.
You are a security analyst at Dion Training and you discover that an unauthorized device has been connected to the company’s network. As you investigate, you discover that the device was added so the employee could play video games during her breaks. What type of threat actor are you dealing with?
Insider Threat
Nation-state Actor
Shadow IT
Unskilled Actor
Shadow IT is the correct answer. Shadow IT refers to devices, applications, or services that are used within an organization without the knowledge or approval of the IT department. In this case, the employee added an unauthorized device to the network for personal use (playing video games), which is a typical example of shadow IT.
Insider threat is incorrect because, although the employee is an insider, the term describes someone who harms the organization intentionally or through negligence; here the device was added for personal convenience, so the more specific answer is shadow IT. Nation-state actor is incorrect because it refers to a government or state-sponsored group conducting cyberattacks or espionage, which doesn’t apply to an employee’s personal use. Unskilled actor is incorrect because it describes an attacker who lacks the skill to perform sophisticated attacks; the employee is circumventing policy, not attacking the network.
Which of the following motivations is common among Hacktivists?
Espionage
Data exfiltration
Political beliefs
Service disruption
Political beliefs is the correct answer. Hacktivists are motivated by a desire to promote or protest political, social, or ideological causes. They often use cyberattacks as a form of activism to draw attention to their causes or disrupt organizations they oppose.
Espionage is typically associated with nation-state actors or spies seeking sensitive information. Data exfiltration involves stealing data and is more common with cybercriminals or insider threats. Service disruption may be a tactic used by hacktivists but is not their primary motivation; it is a means to achieve their politically driven goals.
Recently, Antatack, a martial arts company, has had a data breach. Barzan, a security analyst, was hired to investigate. He found a rogue WAP near the building. The attacker used the WAP to gain information about Antatack’s clients. Which of the following network attacks is BEST demonstrated by this finding?
Reflected
Amplified
On-path
Wireless
On-path is the correct answer. The rogue wireless access point (WAP) enabled the attacker to intercept and possibly manipulate the communication between Antatack’s clients and the company’s network. This type of attack, previously referred to as a man-in-the-middle (MITM) attack, is now commonly called an on-path attack. It allows the attacker to eavesdrop or collect sensitive information by placing themselves in the communication path.
Reflected attacks typically involve redirecting traffic back to the victim, often seen in DDoS attacks. Amplified attacks are another form of DDoS, leveraging small queries to produce large responses, overwhelming the target. Wireless is a broader category that includes various attacks targeting wireless networks, but it does not specifically describe the on-path nature of this incident.
An application creates a temporary file to save a value for later use. A malicious actor deletes this file after its creation but before its subsequent use by the application. What type of vulnerability is being exploited in this situation?
Time-of-use (TOU)
Race conditions
Memory leaks
Memory injection
Time-of-use (TOU) is the correct answer. A time-of-use vulnerability arises when an attacker can alter or remove a resource after the application has created or validated it but before the application uses it. A temporary file referenced by name is the classic case: the name can be deleted or replaced in that window, whereas a file descriptor the application kept open could not be. Race conditions is incorrect only because it is the broader term: a TOU flaw is a race between the application and the attacker, and the exam expects the specific name. Memory injection is incorrect because it deals with injecting malicious code into a process’s memory, not with manipulating files between creation and use. Memory leaks are incorrect because they involve software not releasing memory it no longer uses, which degrades performance but does not concern data manipulation between creation and use.
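One block serves both the time-of-check question earlier on this page and the temporary-file question above; it is an added example, not code from the original flashcards. It runs a simulated race (the attacker acts in the window between check and use) against a reader that validates a name and reopens it, and against a reader that opens once and uses the descriptor, then shows why a temporary file held open survives deletion. File names and contents are constructed; it assumes a POSIX system with O_NOFOLLOW.

```python
import os
import stat
import tempfile


def naive_read(path: str, attacker=None) -> bytes:
    """Vulnerable pattern: validate the NAME, then reopen the NAME."""
    # Time of check: refuse symlinks, devices, directories ...
    if not stat.S_ISREG(os.lstat(path).st_mode):
        raise PermissionError("not a regular file")
    if attacker:
        attacker()            # the window in which the directory entry can be swapped
    # Time of use: the name is resolved again and may point somewhere else now.
    with open(path, "rb") as f:
        return f.read()


def safe_read(path: str, attacker=None) -> bytes:
    """Fixed pattern: open once, validate the descriptor, use the descriptor."""
    # O_NOFOLLOW makes open() itself fail on a symlink at the final component,
    # so the check and the use are the same system call.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
        if attacker:
            attacker()        # swapping the name no longer matters: fd is bound to the inode
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def _populate(directory: str):
    """Constructed fixture: a harmless file the app may read, a secret it may not."""
    public = os.path.join(directory, "report.txt")
    secret = os.path.join(directory, "secret.txt")
    with open(public, "wb") as f:
        f.write(b"harmless")
    with open(secret, "wb") as f:
        f.write(b"SECRET")

    def swap():
        # Attacker replaces report.txt with a symlink to the secret, atomically.
        link = os.path.join(directory, "link.tmp")
        os.symlink(secret, link)
        os.replace(link, public)

    return public, swap


def race_demo() -> dict:
    """Run the same race against both readers and report what each returned."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, reader in (("naive", naive_read), ("safe", safe_read)):
            sub = os.path.join(d, name)
            os.mkdir(sub)
            public, swap = _populate(sub)
            results[name] = reader(public, swap)
        # After the swap, report.txt in the "safe" directory is a symlink;
        # a fresh safe_read() refuses it outright (ELOOP) instead of following it.
        try:
            safe_read(os.path.join(d, "safe", "report.txt"))
            results["safe_after_swap"] = "followed"
        except OSError:
            results["safe_after_swap"] = "rejected"
    return results


def tempfile_survives_deletion() -> bytes:
    """The temp-file variant of the question: mkstemp() hands back an open
    descriptor; keep using it and never reopen by name.  Deleting the path
    between creation and use then has no effect on the application."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"state")
        os.unlink(path)                # attacker (or cleanup) removes the name
        os.lseek(fd, 0, os.SEEK_SET)
        return os.read(fd, 64)         # the open descriptor still reaches the data
    finally:
        os.close(fd)


if __name__ == "__main__":
    print(race_demo())                 # naive leaks b'SECRET'; safe returns b'harmless'
    print(tempfile_survives_deletion())
```

The naive reader’s lstat() check is correct at the moment it runs; the flaw is that open() resolves the name a second time. The safe reader never trusts the name twice, which is the general rule: check and use the same object (descriptor, handle, already-copied value), not the same identifier.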
Enrique was validating the integrity of files in the company’s database when he came across two distinct files that, surprisingly, had the same cryptographic hash value. Understanding the implications, Enrique immediately escalated the situation, realizing this could be a potential vulnerability in the hashing algorithm in use. Which of the following BEST describes the anomaly Enrique found in Kelly Innovations LLC’s file signatures?
Time memory trade-off
Hash extension attack
Cryptographic collision
Brute force attack
Cryptographic collision is the correct answer. A collision occurs when two distinct inputs (in this case, files) produce the same cryptographic hash value. This undermines the integrity guarantee of the hashing algorithm because different data can appear identical, potentially allowing a malicious actor to substitute one file for another without detection. Because of the birthday paradox, a hash with an n-bit output offers only about n/2 bits of collision resistance, which is why MD5 (128-bit) and SHA-1 (160-bit), both with practical collision attacks, are no longer acceptable for integrity or signature use.
Time memory trade-off is a technique for speeding up attacks (precomputed tables such as rainbow tables) at the cost of storage; it does not describe two files sharing a hash. A hash (length) extension attack lets an attacker who knows H(m) and the length of m compute a valid H(m || padding || m') for Merkle–Damgård hashes such as MD5 and SHA-1 without knowing m; it forges a related hash rather than producing a collision. Brute force attack involves trying inputs until one matches a target hash and is an attack method, not the anomaly Enrique observed.
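An added example, not part of the original flashcard, that makes the anomaly concrete: a birthday search finds a collision in a deliberately truncated hash after roughly 2^(bits/2) inputs, and the integrity check Enrique ran (group files by digest, flag groups whose contents differ) reports it. The truncated hash and file names are constructed for the demonstration; no collision for full SHA-256 is known.

```python
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def truncated_hex(data: bytes, bits: int) -> str:
    """Toy hash for the demonstration: SHA-256 cut to `bits` bits (bits % 4 == 0).
    Collisions in a real 256-bit hash are infeasible; in a 32-bit output they are not."""
    return sha256_hex(data)[: bits // 4]


def find_collision(bits: int):
    """Birthday search: hash distinct inputs until two share a digest.
    Expect success after about 2**(bits/2) inputs, not 2**bits."""
    seen = {}
    n = 0
    while True:
        msg = f"file-{n}".encode()
        h = truncated_hex(msg, bits)
        if h in seen:                       # inputs are all distinct by construction
            return seen[h], msg, n + 1
        seen[h] = msg
        n += 1


def collisions_in(files: dict, digest=sha256_hex):
    """Enrique's integrity check: group files by digest and report the groups
    whose contents differ.  Identical files sharing a digest are just duplicates;
    different bytes sharing a digest is a collision."""
    by_hash = defaultdict(list)
    for name, content in files.items():
        by_hash[digest(content)].append(name)
    findings = []
    for h, names in sorted(by_hash.items()):
        if len({files[n] for n in names}) > 1:
            findings.append((h, sorted(names)))
    return findings


if __name__ == "__main__":
    a, b, tries = find_collision(32)
    print(f"collision after {tries} inputs: {a!r} vs {b!r} -> {truncated_hex(a, 32)}")
    # Constructed file set: two genuine duplicates plus the colliding pair.
    files = {"q1.pdf": b"same", "q1-copy.pdf": b"same", "x.bin": a, "y.bin": b}
    print("with 32-bit hash:", collisions_in(files, lambda d: truncated_hex(d, 32)))
    print("with SHA-256:    ", collisions_in(files))
```

The 32-bit search finishes after tens of thousands of hashes rather than billions, which is the birthday bound in action; the same logic at 128 bits (MD5) is why researchers could produce colliding files with only specialised, not astronomical, effort.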
Dion Training Solutions, a software-as-a-service company, began facing latency issues and, in some cases, outages. The IT team found that a massive amount of traffic was flooding in, but the peculiarity was that the incoming data appeared to be responses to requests that the company never made. These responses came from a wide range of IP addresses scattered globally. Which of the following types of malicious activities is BEST described in this scenario?
Phishing campaign
Amplified DDoS attack
SQL injection
Reflected DDoS attack
Reflected DDoS attack is the correct answer. In a reflected DDoS attack, the attacker sends requests to many third-party servers with the victim’s IP address forged as the source address; the servers send their responses to the victim, flooding it with traffic it never asked for. Connectionless UDP services (DNS, NTP, SSDP, memcached) are the usual reflectors because they answer without a completed handshake. Responses to requests the company never made, arriving from a wide range of globally scattered IP addresses, are the signature of a reflected attack.
Amplified DDoS attack is similar, and in practice the two are usually combined, but its defining feature is that the reflectors answer small requests with much larger responses, multiplying the attacker’s bandwidth; the scenario describes unsolicited responses from many sources, not their size. Phishing campaign involves tricking users into divulging sensitive information, which does not match the traffic flooding described here. SQL injection is a method of manipulating a database through malicious queries, unrelated to the flooding of traffic in this scenario.
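Detection logic for the scenario, as an added example that is not part of the original flashcard: it replays constructed flow records (RFC 5737 test addresses, with 203.0.113.10 standing in for the company’s server) and flags inbound UDP packets from reflector ports that match no outbound request, then estimates amplification from the response sizes. The list of reflector ports and the assumed 64-byte request size are the example’s own assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "ts src_ip src_port dst_ip dst_port proto nbytes")

# UDP services commonly abused as reflectors (responses larger than requests).
REFLECTOR_PORTS = {53, 123, 161, 1900, 11211}

# Constructed flow records: ts src_ip src_port dst_ip dst_port proto bytes.
# 203.0.113.10 is the victim; the first pair is a legitimate DNS exchange.
SAMPLE_FLOWS = """
100 203.0.113.10 51000 198.51.100.5 53 udp 64
100 198.51.100.5 53 203.0.113.10 51000 udp 120
101 192.0.2.7 53 203.0.113.10 80 udp 3072
101 192.0.2.8 53 203.0.113.10 80 udp 3110
101 192.0.2.9 123 203.0.113.10 80 udp 482
102 192.0.2.20 11211 203.0.113.10 80 udp 1400
102 198.51.100.77 443 203.0.113.10 44120 tcp 1500
"""


def parse_flows(text: str):
    flows = []
    for line in text.strip().splitlines():
        ts, s_ip, s_port, d_ip, d_port, proto, nbytes = line.split()
        flows.append(Flow(int(ts), s_ip, int(s_port), d_ip, int(d_port), proto, int(nbytes)))
    return flows


def unsolicited_responses(flows, local_ip: str):
    """Inbound packets from a reflector port with no matching outbound request.
    Requests we actually sent are remembered by (remote ip, remote port, our port)
    and consumed by the first reply, so legitimate answers are not flagged."""
    outstanding = set()
    hits = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.src_ip == local_ip:
            outstanding.add((f.dst_ip, f.dst_port, f.src_port))
        elif f.dst_ip == local_ip:
            key = (f.src_ip, f.src_port, f.dst_port)
            if key in outstanding:
                outstanding.discard(key)
            elif f.proto == "udp" and f.src_port in REFLECTOR_PORTS:
                hits.append(f)
    return hits


def classify(flows, local_ip: str, typical_request_bytes: int = 64) -> dict:
    """Summarize the unsolicited traffic.  Many distinct sources answering
    requests we never sent means reflection (our address was spoofed); replies
    far larger than a request means the reflectors also amplified it."""
    hits = unsolicited_responses(flows, local_ip)
    total = sum(f.nbytes for f in hits)
    avg = total / len(hits) if hits else 0.0
    return {
        "packets": len(hits),
        "distinct_sources": len({f.src_ip for f in hits}),
        "bytes": total,
        "amplification_estimate": round(avg / typical_request_bytes, 1),
        "reflected": len(hits) > 0,
        "amplified": avg > typical_request_bytes,
    }


if __name__ == "__main__":
    print(classify(parse_flows(SAMPLE_FLOWS), "203.0.113.10"))
```

The inbound TCP 443 packet is ignored on purpose: a spoofed source cannot complete a TCP handshake, so reflection attacks ride on UDP. In production the same matching would run over NetFlow or firewall logs with a time window on outstanding requests rather than an unbounded set.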
Which of the following mitigation techniques inspects and controls incoming and outgoing network traffic on a per-application basis?
Network Segmentation
Data Loss Prevention
Host-based Firewall
Intrusion Detection System
Host-based Firewall is the correct answer. A host-based firewall monitors and controls incoming and outgoing traffic on a per-application basis, allowing you to set rules that control which applications can send or receive data. It operates at the host level, filtering traffic specific to the applications running on that machine.
Network Segmentation involves dividing a network into smaller, isolated subnets to control traffic flow and limit the scope of security breaches, but it doesn’t control traffic on a per-application basis. Data Loss Prevention (DLP) focuses on detecting and preventing the loss or unauthorized transmission of sensitive data, not specifically controlling network traffic per application. Intrusion Detection System (IDS) monitors network or system activities for malicious activities but does not directly control traffic based on applications.
While browsing the company portal of Dion Training Solutions, Tina, an employee, attempted to access a link to a third-party site she frequently uses for market research. Instead of reaching the site, she received a message stating that access to this URL was denied due to policy violations. Which of the following terms BEST describes the action experienced by Tina?
Blocked content
Firewall rejection
Malicious URL
Content filtering
Blocked content is the correct answer. Blocked content describes the outcome Tina experienced: access to a specific website or link is denied because of company policy or security concerns, and the denial message cites a policy violation. Firewall rejection occurs when traffic is dropped by a firewall rule; the scenario does not say a firewall produced the denial. Malicious URL would require some indication that the site itself is harmful, and the scenario only says the URL violates policy. Content filtering is the mechanism that evaluates requests against criteria and blocks or allows them; it is the broader practice, whereas the scenario asks for the action Tina experienced, which is blocked content.
Which of the following mitigation techniques can help prevent users from making changes to the security features of devices by applying predefined security standards?
Configuration enforcement
Encryption
Patching
Least Privilege
Configuration enforcement is the correct answer. This technique ensures that devices are configured according to predefined security standards, making it difficult or impossible for users to alter critical security settings. By enforcing specific configurations, organizations can maintain consistency and prevent users from making unauthorized changes to security features.
Encryption protects data by converting it into an unreadable format without the correct key but does not address the issue of users modifying security features. Patching involves updating software to fix vulnerabilities, which is crucial for security but does not directly prevent changes to security settings. Least Privilege limits user access to only the resources necessary for their job functions, which can reduce the risk of changes to security features but doesn’t specifically enforce configurations.
Which of the following threat vectors primarily involves malicious software or data being transferred or executed from documents, executables, or other common file types?
Business email compromise
Voice call
File-based
Email
The correct answer is File-based. File-based threats involve malicious software or data embedded in documents, executables, or other common file types. These threats are often delivered through email attachments, downloads, or removable media and can exploit vulnerabilities in applications used to open them.
The other options are incorrect. Business email compromise (BEC) refers to phishing or social engineering attacks targeting executives or employees to trick them into transferring money or sensitive data. Voice call attacks, such as vishing, rely on deception over the phone rather than files. Email as a category includes various attacks but does not specifically focus on threats embedded within files.
You are working remotely and you need to access your company’s network resources. You connect to a public Wi-Fi hotspot at a nearby coffee shop and use a VPN client to establish a secure connection. However, you notice that the VPN client is outdated. What type of vulnerability are you exposing yourself to?
Vulnerable software
Open service ports
Unsecure networks
Default credentials
The correct answer is Vulnerable software. Since the VPN client is outdated, it may contain unpatched security flaws that attackers can exploit to compromise your connection or gain unauthorized access to your system. Using outdated software increases the risk of vulnerabilities being leveraged against you.
The other options are incorrect. Open service ports refer to network services that are left exposed, which is not directly related to using an outdated VPN client. Unsecure networks would apply if you were connecting without a VPN, but in this case, the risk is due to the outdated VPN software rather than the network itself. Default credentials refer to using factory-set usernames and passwords, which is unrelated to the scenario described.
What is the name of the web-based attack that involves entering malicious code into user input fields that are executed by a database server?
Cross-site scripting (XSS)
Structured Query Language injection
Directory traversal
Cross-site request forgery (CSRF)
The correct answer is Structured Query Language (SQL) injection. This type of attack occurs when an attacker inputs malicious SQL fragments into a user input field that the application splices into a query string, so the database server executes them as part of the statement. This can lead to unauthorized data access, data modification, or even complete database compromise. The standard defense is parameterized (prepared) queries, in which the statement text is fixed and user input is bound as data that can never be parsed as SQL.
The other options are incorrect. Cross-site scripting (XSS) involves injecting malicious scripts into web pages viewed by other users, but it does not target the database. Directory traversal allows attackers to access restricted directories on a server, but it does not involve database execution. Cross-site request forgery (CSRF) tricks a user into executing unwanted actions on a website where they are authenticated, but it does not involve injecting code into a database.
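An added example, not code from the original flashcard, showing the vulnerable login query beside its parameterized fix against an in-memory SQLite table. The table, the single user row, and the two payloads are constructed; the password is stored in plaintext only to keep the example short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the portal's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext password for brevity only; a real store holds a salted hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Input is spliced into the statement text, so quotes and comment markers
    in the input change the query's structure."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterized query: the statement is fixed; the driver binds the values,
    which are never parsed as SQL no matter what characters they contain."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Classic payloads entered into input fields (constructed, as the question describes).
TAUTOLOGY = "' OR '1'='1"     # password = '' OR '1'='1'  -> WHERE clause always true
COMMENT_OUT = "alice' --"      # closes the string and comments out the password test


if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable :", login_vulnerable(db, "alice", "correct horse battery"))
    print("tautology, vuln   :", login_vulnerable(db, "alice", TAUTOLOGY))
    print("comment, vuln     :", login_vulnerable(db, COMMENT_OUT, "anything"))
    print("tautology, safe   :", login_safe(db, "alice", TAUTOLOGY))
    print("comment, safe     :", login_safe(db, COMMENT_OUT, "anything"))
```

With the tautology payload the vulnerable statement becomes WHERE username = 'alice' AND password = '' OR '1'='1', and because AND binds tighter than OR the row matches regardless of the password. The parameterized version compares the literal string ' OR '1'='1 against the stored password and fails, which is the whole defense: input is data, never syntax.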
Hani, a security analyst, is investigating a malware incident and discovers that the malware had been placed on the computers weeks ago. At midnight, it triggered a virus that spread across four servers and throughout the organization. The CEO found a message from a former employee stating that he had left a “surprise” for the company. Which type of malware is MOST likely responsible for this incident?
Trojan
Worm
Ransomware
Logic bomb
The correct answer is Logic bomb. A logic bomb is a type of malware that remains dormant until specific conditions are met, such as a date, time, or particular event. In this case, the malware was placed weeks ago and was triggered at midnight, indicating a planned activation, which is characteristic of a logic bomb.
The other options are incorrect. A Trojan disguises itself as a legitimate program but does not necessarily have a timed trigger. A worm spreads across networks without needing a trigger and does not require a former employee to plant it deliberately. Ransomware encrypts files and demands payment but is not typically triggered by a specific event like a logic bomb.
Which of the following is the BEST type of backup that allows for the rapid redeployment of an OS without requiring reinstallation of third-party software, patches, and configurations?
Differential backup
Image backup
File-level backup
Incremental backup
The correct answer is Image backup. An image backup creates a complete copy of the entire operating system, including system files, applications, patches, and configurations. This allows for rapid redeployment without requiring a fresh installation of third-party software or reconfiguration.
The other options are incorrect. A differential backup only captures changes made since the last full backup, not the entire OS. A file-level backup only backs up individual files and does not include system settings or installed software. An incremental backup saves only the changes since the last backup but does not provide a full system restore like an image backup.
Which of the following techniques allows an attacker to eavesdrop on a wired network by connecting their device directly to the network cables?
Packet Sniffing
Port Mirroring
Wiretapping
On-path attack
The correct answer is Wiretapping. Wiretapping allows an attacker to physically or electronically intercept data traveling over a wired network by directly connecting to the network cables. This can be done through passive or active means to capture sensitive information.
The other options are incorrect. Packet sniffing is a broader technique that involves capturing network traffic but typically applies to wireless and wired networks without requiring a direct physical connection to cables. Port mirroring is a legitimate network feature used by administrators to monitor traffic but is not a malicious eavesdropping technique. An on-path attack involves intercepting and modifying communication between two parties but is often associated with wireless or internet-based attacks rather than direct physical access to network cables.
Which of the following ports should be disabled or carefully monitored to prevent unauthorized Voice over IP (VoIP) signaling, which can be an avenue for toll fraud or unauthorized call control?
Port 110
Port 161
Port 139
Port 5060
The correct answer is Port 5060. Port 5060 (UDP or TCP) is the default port for the Session Initiation Protocol (SIP), the signaling protocol that sets up, modifies, and tears down Voice over IP (VoIP) calls; SIP over TLS uses port 5061, and the call audio itself travels over separate RTP ports. If SIP signaling is reachable from the Internet without authentication and rate limiting, attackers can register rogue extensions or place calls through the PBX (toll fraud) and manipulate call control, making it crucial to disable or closely monitor this port.
The other ports are incorrect for this context. Port 110 is used for the Post Office Protocol version 3 (POP3), a protocol for email retrieval. Port 161 is used for the Simple Network Management Protocol (SNMP), which is used for network management tasks, not related to VoIP. Port 139 is used for NetBIOS Session Service, commonly associated with file and printer sharing in Windows networks, not for VoIP.
Which of the following motivations is MOST likely to drive a nation-state threat actor to launch an attack?
Espionage
Financial Gain
Service disruption
Political beliefs
The correct answer is Espionage. Nation-state threat actors are often driven by the need to gather intelligence, both military and economic, to benefit their country’s strategic interests. Espionage involves the acquisition of sensitive or classified information, often through cyberattacks, which aligns with the objectives of a nation-state actor.
The other motivations are less likely for nation-state actors. Financial gain is typically associated with cybercriminals who seek to profit from their attacks, rather than political or strategic goals. Service disruption is more common among hacktivists or cyberterrorists who want to disrupt systems or draw public attention to their cause. Political beliefs may drive some attackers, such as hacktivists, but nation-state actors are generally more focused on espionage for national security purposes.
What is the term for a type of open service port that is commonly used for remote access servers and can be used to perform on-path attacks on a Windows computer, but not on computers using other operating systems?
RDP
SSH
Telnet
VNC
The correct answer is “RDP.” Remote Desktop Protocol (RDP) is a Microsoft proprietary protocol, listening on TCP port 3389 by default, that is commonly used for remote access to Windows computers. If it is exposed without Network Level Authentication and without clients validating the server certificate, an on-path attacker can impersonate the server to intercept credentials or hijack the session.
“SSH” is a secure remote access protocol mainly associated with Linux and Unix systems, although Windows now ships an OpenSSH server as well. “Telnet” is an outdated and insecure remote access protocol that sends everything in cleartext, but it is not specific to Windows. “VNC” is a cross-platform remote desktop-sharing protocol that lacks the deep system integration of RDP on Windows.
A company’s systems were compromised, and sensitive data was stolen. After investigating, it was found that the breach occurred through a Trojan installed on an employee’s mobile phone. The employee had bypassed the Mobile Device Management (MDM) security controls to install an unauthorized game, which either introduced the Trojan or allowed attackers to exploit the phone’s weakened security. Which of the following is the MOST probable cause of this vulnerability?
SQL injection in the mobile app
Misconfiguration of security settings
Buffer overflow on the mobile device
Insecure network configuration
The correct answer is “Misconfiguration of security settings.” The employee bypassed the Mobile Device Management (MDM) controls, which indicates that security settings were either improperly configured or intentionally circumvented. This allowed unauthorized applications to be installed, leading to the Trojan infection.
“SQL injection in the mobile app” typically affects databases rather than enabling malware installation. “Buffer overflow on the mobile device” is a vulnerability that could be exploited but is not the primary cause here. “Insecure network configuration” might expose the device to threats but does not directly relate to the unauthorized app installation.
Which attribute of a threat actor refers to their ability to develop unique exploit techniques and tools?
Funding
Resources
Sophistication
Capability
The correct answer is capability because it refers to a threat actor’s ability to create, adapt, and deploy unique exploit techniques and tools.
Sophistication is incorrect because it generally describes the complexity or advancement of an attack rather than the actor’s ability to develop new techniques. Resources are incorrect because they refer to the tools, funding, and personnel available to the threat actor but do not specifically indicate their ability to develop unique exploits. Funding is incorrect because while financial backing can enhance a threat actor’s capability, it does not directly reflect their technical expertise in crafting new attack methods.
Which of the following ports, if left open and unmonitored, might allow database queries from unauthorized external sources?
Port 21
Port 1433
Port 443
Port 53
The correct answer is Port 1433 because it is the default port for Microsoft SQL Server, which, if left open and unmonitored, could allow unauthorized database queries from external sources.
Port 21 is incorrect because it is used for FTP, which handles file transfers rather than database queries. Port 443 is incorrect because it is used for HTTPS traffic, securing web communications rather than facilitating database access. Port 53 is incorrect because it is used for DNS queries, which help resolve domain names to IP addresses but do not involve database queries.
Maria, a cybersecurity analyst, is examining logs from a server with crucial financial data. She spots a few anomalies: a two-hour log gap without planned maintenance, a spike in outbound traffic to an unknown IP just before this gap, multiple failed logins from a foreign IP using valid usernames, and a higher CPU usage during the log gap despite no recorded actions. Which of these observations should Maria be MOST concerned with?
The increase in CPU usage during the missing log period.
The sudden two-hour gap in the logs.
Multiple failed login attempts from a foreign IP.
The spike in outbound traffic to the unfamiliar IP address.
The correct answer is the sudden two-hour gap in the logs because missing logs can indicate log tampering or deletion, which is often a sign that an attacker is covering their tracks after gaining unauthorized access.
The spike in outbound traffic to an unknown IP is concerning but could be explained by other network activity. Multiple failed logins from a foreign IP suggest a brute-force attempt, but on their own, they don’t confirm a successful breach. The increase in CPU usage during the missing log period is suspicious but not as critical as the absence of logs, which could hide malicious activity.
Jason is working on a legacy application that processes user inputs. He notices that unchecked user inputs can be used to manipulate memory locations directly, leading to potential memory injection attacks. To counter this vulnerability, what should Jason prioritize?
Enable firewalls and intrusion detection systems.
Use a different programming language.
Implement stringent input validation and sanitation.
Upgrade to the latest version of the application.
The correct answer is to implement stringent input validation and sanitation because unchecked user input can lead to memory injection attacks, such as buffer overflows or code injection. Proper validation ensures that input does not exceed expected parameters or include malicious payloads.
Enabling firewalls and intrusion detection systems can help detect attacks but does not directly prevent memory manipulation. Using a different programming language might reduce risks in some cases, but it is not always feasible for a legacy application. Upgrading to the latest version of the application is good practice but does not guarantee the elimination of input validation vulnerabilities.
Morris has organized an exercise for his security team to test their new defense plans. He has divided the team into two groups: one defending the system and the other attempting to breach it. The groups, set up with similar experience and size, will compete, and the winning team will have lunch catered. What type of exercise has Morris created?
Tabletop exercise
Functional exercise
Simulation
Failover
The correct answer is Simulation, because it involves teams actively engaging in a scenario where one side defends while the other attempts to breach the system, mimicking real-world conditions.
The other answers are incorrect because a Tabletop exercise is typically a discussion-based scenario, not involving direct competition or active participation in a real-time attack and defense. A Functional exercise focuses on testing specific functions within the organization, rather than simulating a full-scale attack and defense. Failover refers to the backup process in case of system failure, not a team-based security exercise.
An organization has recently decided to utilize multiple operating systems and applications on a single physical server to optimize resource usage and reduce costs. Which of the following BEST represents this approach?
SDN
Serverless computing
Virtualization
Microservices
The correct answer is Virtualization, because it allows multiple operating systems and applications to run on a single physical server by creating virtual machines, optimizing resource usage, and reducing costs.
The other answers are incorrect because SDN (Software-Defined Networking) is a network architecture that manages network resources programmatically, not focused on resource optimization of physical servers. Serverless computing refers to a cloud computing model where the infrastructure is abstracted away from the developer, and they don’t manage servers directly. Microservices is an architectural style where applications are built as a collection of loosely coupled services, not focused on optimizing server resources.
Which of the following provides short-term emergency power to a device when the input power source fails, allowing for either a proper system shutdown or switching to a long-term power source?
UPS
Voltage regulators
Power strips
Generators
The correct answer is UPS (Uninterruptible Power Supply), because it provides short-term emergency power during a power failure, allowing for a proper system shutdown or switching to a long-term power source, ensuring that devices do not experience sudden outages.
The other answers are incorrect because voltage regulators stabilize voltage to protect devices from fluctuations, but they do not provide emergency power during a failure. Power strips distribute power to multiple devices but don’t offer any backup during a power outage. Generators provide long-term power but are not designed for short-term emergency power to devices during an outage.
Which of the following technologies allows running code without managing any underlying infrastructure?
Serverless
IaC
SDN
Virtualization
The correct answer is Serverless, because it allows running code without managing the underlying infrastructure. In a serverless model, the cloud provider manages the infrastructure, and you only focus on writing and deploying the code, making it a more efficient and cost-effective option for many use cases.
The other answers are incorrect because IaC (Infrastructure as Code) involves managing infrastructure through code, SDN (Software-Defined Networking) is focused on network management, and Virtualization enables running multiple operating systems on a single physical machine, but none of these remove the need for managing the underlying infrastructure like serverless computing does.
Dion Training needs to regulate the devices connecting to its network. To make things more secure, the devices should be regulated based on their unique physical addresses. Which of the following features would BEST address their needs?
TLS
Fail-open
Jump server
Port security
The correct answer is Port security, because it allows network administrators to control access to a network by regulating the devices based on their unique physical addresses (MAC addresses). This ensures that only authorized devices can connect to the network by limiting which MAC addresses are allowed on specific ports.
The other answers are incorrect because TLS (Transport Layer Security) is a protocol for securing communications, fail-open refers to a system’s behavior when a failure occurs, and a jump server is used for secure administrative access to other systems, none of which directly manage device access based on physical addresses like port security does.
Which of the following is a type of race condition that occurs when a process verifies the state or value of a resource before using it, but another process changes it in between?
Time-of-check (TOC)
Time-of-use (TOU)
Buffer overflow
Virtual machine (VM) escape
The correct answer is Time-of-check (TOC), because this type of race condition happens when a system checks a resource’s state, but before it is used, another process alters it, leading to potential security vulnerabilities.
The other answers are incorrect because Time-of-use (TOU) is a related concept but does not specifically describe the verification issue before use. Buffer overflow is a separate vulnerability caused by excessive data overwriting memory. Virtual machine (VM) escape refers to an attacker breaking out of a virtual machine to access the host system, which is unrelated to race conditions.
Kelsi is browsing an online shopping website that sells various products. She adds some items to her shopping cart and proceeds to checkout. She enters her credit card information, double-checks that the credit card information is correct, then clicks on the confirm button. She then receives an email from her bank informing her that her credit card has been charged, but the amount she is charged is more than she expected. She checks her online banking account and sees that there are several transactions that she did not authorize. What type of web-based vulnerability has she likely encountered?
Buffer overflow
Cross-site scripting (XSS)
Structured Query Language injection (SQLi)
Malicious update
The correct answer is Cross-site scripting (XSS), because this attack allows an attacker to inject malicious scripts into a trusted website, which can then execute in a user’s browser, potentially stealing sensitive data like credit card information.
The other answers are incorrect because a buffer overflow exploits memory vulnerabilities rather than injecting scripts into a webpage. Structured Query Language injection (SQLi) manipulates database queries but does not typically cause unauthorized charges directly. A malicious update refers to a compromised software update rather than a web-based attack affecting user transactions.
Which of the following is a hardware vulnerability that relates to using devices or components that are no longer supported by the manufacturer, possibly leading to unpatched security risks?
Legacy vulnerability
Firmware vulnerability
End-of-life vulnerability
Supply Chain vulnerability
The correct answer is End-of-life vulnerability, because this occurs when a device or component is no longer supported by the manufacturer, meaning it will not receive security updates or patches, leaving it exposed to potential threats.
The other answers are incorrect because a legacy vulnerability refers to outdated systems but does not specifically indicate the lack of vendor support. A firmware vulnerability relates to security flaws in firmware that may or may not be patched by the manufacturer. A supply chain vulnerability involves risks in the procurement and distribution process rather than the use of unsupported hardware.
Elvi downloads an app from a website not associated with Apple on his new iPhone. The app offered free games and wallpapers. He installs the app on his mobile device and grants it all the permissions it requests. He notices that the app does not work as advertised, and instead displays ads and pop-ups on his device. He also notices that his device performance and battery life have degraded significantly. What is the most likely cause of Elvi’s problems?
Jailbreaking
Malicious update
Side loading
End of Life vulnerability
The correct answer is Side loading, because this refers to the practice of installing apps from third-party sources that are not verified by the official app store, like Apple’s App Store. These apps often contain malware or unwanted software that can negatively affect the device, as seen with ads, pop-ups, and degraded performance.
The other answers are incorrect because jailbreaking involves removing Apple’s restrictions to install unauthorized apps, which isn’t mentioned here. A malicious update would imply a legitimate app being compromised, but this app was downloaded from an unofficial source. An End of Life vulnerability refers to unsupported devices or software, which doesn’t apply to this situation.
Which of the following email security techniques specifically utilizes email certificates to authenticate and safeguard email content?
S/MIME
SPF
DMARC
TLS
The correct answer is S/MIME, because Secure/Multipurpose Internet Mail Extensions (S/MIME) uses digital certificates to encrypt and sign email content, providing both confidentiality and authentication for email communication.
The other answers are incorrect because SPF (Sender Policy Framework) is used to verify the sender’s IP address and prevent email spoofing, DMARC (Domain-based Message Authentication, Reporting & Conformance) helps prevent fraudulent emails by aligning SPF and DKIM policies, and TLS (Transport Layer Security) encrypts email traffic in transit but does not specifically focus on authenticating email content using certificates.
Kelly Innovations LLC, an e-commerce website, experienced a sudden spike in its incoming traffic. The website’s logs showed that thousands of requests were being sent per second, originating from just a handful of IP addresses. However, upon further analysis, it was revealed that the request packets contained IP addresses that were not part of the originating addresses. The server quickly became overloaded, preventing access to legitimate users. Which of the following types of malicious activities is BEST described in this scenario?
Reflected DDoS attack
Brute force attack
Amplified DDoS attack
Malware infection
The correct answer is Amplified DDoS attack, because this type of attack involves a small request that causes a much larger response, often using a vulnerable third-party server to reflect the traffic back to the target. The logs show that the traffic was coming from a small number of IP addresses, but the request packets contained spoofed IP addresses, indicating an amplification technique was used.
The other answers are incorrect because a Reflected DDoS attack also involves a third-party server reflecting traffic, but it’s typically a smaller scale than an amplified attack. A Brute force attack involves systematically attempting different passwords to break into an account, and Malware infection typically causes systems to behave maliciously but doesn’t directly relate to this specific type of traffic overload.
Langa, a security analyst, is investigating a malware incident and finds that the malware has installed a deeply hidden program that allows an attacker to remotely execute commands on the system without detection. Further investigation reveals that the attacker has gained local administrator privileges, and the program is designed to remain concealed within the operating system. Which of the following types of malware is MOST likely involved in this incident?
Ransomware
Trojan
Rootkit
Worm
The correct answer is Rootkit, because rootkits are specifically designed to hide their presence on a system and allow an attacker to maintain privileged access, often with the ability to execute commands remotely without detection. In this case, the malware is deeply hidden and grants local administrator privileges, which aligns with the characteristics of a rootkit.
The other answers are incorrect because Ransomware typically locks or encrypts data for ransom, Trojan refers to malware disguised as legitimate software but does not necessarily remain hidden or maintain privileged access in the same way, and a Worm is a self-replicating malware that spreads across systems, often without the hidden, persistent nature of a rootkit.