Practice Exam 00 Flashcards

1
Q

An attacker uses the nslookup interactive mode to locate information on a Domain Name System (DNS) server. What command should they type to request the appropriate records for only the name servers?

a. transfer type=ns
b. set type=ns
c. request type =ns
d. locate type = ns

A

b. set type=ns

OBJ-4.1: The nslookup command queries the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records. In interactive mode, “set type=ns” tells nslookup to return only name server (NS) records for the names you then enter. If you used “set type=mx” instead, you would receive information only about mail exchange (MX) servers.

2
Q

Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database?

a. Anonymization
b. Tokenization
c. Data minimization
d. Data masking

A

b. Tokenization

OBJ-5.5: Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique.

Data masking can mean that all or part of a field’s contents is redacted, by substituting all character strings with x, for example.

Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected.

Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.
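
The difference between a reversible token and an irreversible mask is easier to see in code. The following is an added example, not part of the original flashcard set: a minimal in-memory token vault (an assumed design, not any particular product) plus a masking helper. The card number and e-mail address are constructed sample inputs.

```python
import secrets
import threading


class TokenVault:
    """Minimal in-memory token vault (an assumed design for this example, not a
    specific product). It maps each random token to the original value; the
    production database keeps only the token, so a dump of that database
    reveals nothing unless the attacker also reaches the vault."""

    def __init__(self):
        self._token_to_value = {}
        self._lock = threading.Lock()

    def _store(self, token, value):
        # Tokens are random and checked for collision, so they never leak the
        # original value and two values never share a token.
        with self._lock:
            if token in self._token_to_value:
                return False
            self._token_to_value[token] = value
            return True

    def tokenize(self, value: str) -> str:
        """Replace a whole field with an opaque random token."""
        while True:
            token = secrets.token_hex(16)
            if self._store(token, value):
                return token

    def tokenize_pan(self, pan: str) -> str:
        """Format-preserving token for a card number: random digits replace all
        but the last four, so field length and the last-four display still work."""
        if not pan.isdigit() or len(pan) < 8:
            raise ValueError("expected a numeric PAN of at least 8 digits")
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and self._store(token, pan):
                return token

    def detokenize(self, token: str) -> str:
        """Reversible, but only for callers allowed to query the vault."""
        with self._lock:
            return self._token_to_value[token]  # KeyError for unknown tokens


def mask(value: str, keep_last: int = 4) -> str:
    """Irreversible redaction: every character except the last few becomes x."""
    visible = value[-keep_last:] if 0 < keep_last < len(value) else ""
    return "x" * (len(value) - len(visible)) + visible
```

The token carries no information about the original value, so its protection rests entirely on who can reach the vault; the mask can be shown to anyone, but nothing recovers the original from it.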

3
Q

Which of the following hashing algorithms results in a 160-bit fixed output?

a. SHA-2
b. NTLM
c. MD5
d. RIPEMD

A

d. RIPEMD

OBJ-2.8: RIPEMD-160, the most widely used member of the RIPEMD family, produces a 160-bit digest (the family also includes 128-, 256- and 320-bit variants). SHA-1 would also produce 160 bits, but it is not among the options.

SHA-2 is a family, not a single digest size: SHA-224, SHA-256, SHA-384 and SHA-512 produce 224-, 256-, 384- and 512-bit outputs respectively, none of them 160 bits.
NTLM produces a 128-bit output (the NT hash is MD4 over the UTF-16LE encoding of the password).
MD5 produces a 128-bit output.

4
Q

Why would a company want to utilize a wildcard certificate for their servers?

a. To increase the certificate’s encryption key length
b. To extend the renewal date of the certificate
c. To secure the certificate’s private key
d. To reduce the certificate management burden

A

d. To reduce the certificate management burden

OBJ-3.9: A wildcard certificate is a public key certificate whose subject name contains a wildcard label (*.diontraining.com) and can therefore be used with multiple subdomains of a domain. This saves money and removes the burden of managing a separate certificate for each subdomain. A single wildcard certificate for *.diontraining.com secures www.diontraining.com, mail.diontraining.com, ftp.diontraining.com, and so on. Two caveats matter in practice: the wildcard matches exactly one label, so it covers neither diontraining.com itself nor a.b.diontraining.com, and because every host presents the same private key, compromise of any one of those servers exposes all of them. The other options are not addressed by using a wildcard certificate.
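
The one-label rule is the part most often misread, so here is an added example (not from the original flashcards) that implements the name-matching rule public CAs and browsers apply and reports which hostnames a wildcard certificate would actually cover. The hostnames are taken from the explanation above; the function names are my own.

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name, possibly of the form *.example.com, against a
    hostname using the rules public CAs and browsers enforce: the wildcard must
    be the entire left-most label and it matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    h_labels = hostname.split(".")
    if not all(h_labels):
        return False  # empty label, e.g. "a..example.com"
    if "*" not in pattern:
        return pattern == hostname  # plain name: exact match only
    p_labels = pattern.split(".")
    # Only a whole left-most label may be a wildcard, and there must be at least
    # two labels after it, so "w*.example.com" and "*.com" are both rejected.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # "*" covers one label, so "*.example.com" covers www.example.com but
    # neither example.com itself nor a.b.example.com.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hosts_covered(pattern: str, hostnames):
    """Which of the given hostnames a certificate for `pattern` would secure."""
    return [h for h in hostnames if wildcard_matches(pattern, h)]
```

A deployment that also needs the bare domain typically adds it as an extra subject alternative name alongside the wildcard entry rather than relying on the wildcard to match it.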

5
Q

Which protocol relies on mutual authentication of the client and the server for its security?

a. RADIUS
b. Two-factor authentication
c. CHAP
d. LDAPS

A

d. LDAPS

OBJ-3.1: The Lightweight Directory Access Protocol (LDAP) provides access to a directory of resources (workstations, users, information, etc.) using a client-server model. Secure LDAP (LDAPS) wraps LDAP in TLS. TLS always authenticates the server to the client through the server’s certificate, and it authenticates the client as well when the server is configured to require a client certificate (mutual TLS); that configuration is the mutual authentication this question refers to. In a real deployment, check that the directory server actually demands client certificates (for example, TLSVerifyClient demand in OpenLDAP) and that clients validate the server certificate rather than accepting any certificate, otherwise you get encryption without authentication. RADIUS protects its exchanges with a shared secret between the network access server and the RADIUS server rather than authenticating both ends with certificates, CHAP is a one-way challenge-response authentication of the client, and two-factor authentication is a property of an authentication scheme, not a protocol.

6
Q

A firewall administrator has configured a new screened subnet to allow public systems to be segmented from the organization’s internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (Screened Subnet) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the screened subnet for the Chief Security Officer to work from his home office after hours. The CSO’s home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall?

a. Permit 143.27.43.32 161.212.71.14 RDP 3389
b. Permit 143.27.43.32/24 161.212.71.14/24 RDP 3389
c. Permit 143.27.43.32/24 161.212.71.14 RDP 3389
d. Permit 143.27.43.32 161.212.71.14/24 RDP 3389

A

a. Permit 143.27.43.32 161.212.71.14 RDP 3389

OBJ-4.4: Due to the requirement to allow a single remote IP to enter the firewall, the permit statement must start with a single IP in the Untrusted (Internet) zone. Based on the options provided, only 143.27.43.32 could be correct. Next, the destination is a single server in the DMZ (screened subnet), so only 161.212.71.14 could be correct. The destination port should be 3389, which is the port for the Remote Desktop Protocol. Combining these three facts, only “permit 143.27.43.32 161.212.71.14 RDP 3389” could be correct. A /24 on either side turns the single-host permit into a permit for the whole block: option (c) would let every customer in the CSO’s ISP range reach the RDP server, and options (b) and (d) would expose every host in the screened subnet. Even with the correct rule, RDP reachable from the Internet is a frequent target, so a VPN or remote-access gateway with MFA in front of it is the usual practice.
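
To make the difference between the four candidate rules concrete, here is an added example (not part of the original page) that evaluates each rule with first-match semantics and an implicit deny, as most firewalls do, against a few constructed probe flows. The addresses are the ones from the question; the `Rule` class and probe list are mine.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # host address or CIDR prefix
    dst: str
    proto: str    # "tcp" / "udp"
    port: int     # destination port

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        # strict=False lets a host address with a prefix such as 143.27.43.32/24
        # be read the way the firewall would: as the whole 143.27.43.0/24 block.
        src_net = ipaddress.ip_network(self.src, strict=False)
        dst_net = ipaddress.ip_network(self.dst, strict=False)
        return (ipaddress.ip_address(src_ip) in src_net
                and ipaddress.ip_address(dst_ip) in dst_net
                and proto == self.proto and port == self.port)


def decide(rules, src_ip, dst_ip, proto, port, default="deny"):
    """First-match evaluation with an implicit deny at the end."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action
    return default


# The four candidate rules from the question ("RDP 3389" read as TCP/3389).
CANDIDATES = {
    "a": Rule("permit", "143.27.43.32", "161.212.71.14", "tcp", 3389),
    "b": Rule("permit", "143.27.43.32/24", "161.212.71.14/24", "tcp", 3389),
    "c": Rule("permit", "143.27.43.32/24", "161.212.71.14", "tcp", 3389),
    "d": Rule("permit", "143.27.43.32", "161.212.71.14/24", "tcp", 3389),
}

# Constructed probes: the intended CSO session plus flows that must stay denied.
PROBES = [
    ("143.27.43.32", "161.212.71.14"),  # CSO -> RDP server (intended)
    ("143.27.43.33", "161.212.71.14"),  # another host in the CSO's ISP block
    ("143.27.43.32", "161.212.71.99"),  # CSO -> some other screened-subnet host
]


def over_permissive(rule: Rule):
    """Return the probes a rule admits beyond the single intended pair."""
    return [p for p in PROBES[1:] if decide([rule], p[0], p[1], "tcp", 3389) == "permit"]
```

Only option (a) admits the intended flow and nothing else; the same harness is a cheap way to regression-test a rule set before pushing it to a firewall.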

7
Q

After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company’s network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company’s information security team. How would you best classify this threat?

a. Insider Threat
b. Spear phishing
c. Privilege escalation
d. Advanced persistent threat (APT)

A

d. Advanced persistent threat (APT)

OBJ-1.5: An advanced persistent threat (APT) is a network attack in which an unauthorized party gains access to a network and stays there undetected for a long period of time. An APT campaign typically aims to steal data or keep long-term access rather than to cause visible damage to the network or organization. The term refers to an adversary’s ongoing ability to compromise network security, obtain and maintain access, and use a variety of tools and techniques. Such groups are often supported and funded by nation-states or work directly for a nation-state’s government. Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. While an APT may use spear phishing, privilege escalation, or an insider to gain access, the scenario does not specify what method was used; the long dwell time, sophistication and foreign origin are what make APT the best answer.

8
Q

You are trying to select the best device to install to proactively stop outside attackers from reaching your internal network. Which of the following devices would be the BEST for you to select?

a. IPS
b. Proxy server
c. Syslog server
d. IDS

A

a. IPS

OBJ-3.3: An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. An IPS sits inline, continuously monitors your network for possible malicious activity, captures information about it, and can drop or reset malicious traffic. An IDS, by contrast, usually sits out of band (on a tap or SPAN port) and can only detect, log and alert; it cannot stop the traffic itself. A proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. The System Logging Protocol (Syslog), which traditionally uses UDP port 514 (TCP 514 and TLS on 6514 are also common), is a way for network devices to send messages in a standard format to a logging server. It was designed specifically to make it easy to monitor network devices, and devices can use a Syslog agent to send out notification messages under a wide range of specific conditions, but it is a logging mechanism, not a blocking control.

9
Q

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft’s regular patch. Which of the following options would be best to ensure the systems remain protected and compliant with the rules outlined by the PCI DSS?

a. Remove the POS terminals from the network until the vendor releases a patch
b. Replace the Windows POS terminal with standard Windows systems
c. Build a custom OS image that includes the patch
d. Identify, implement, and document compensating controls.

A

d. Identify, implement, and document compensating controls.

OBJ-5.1: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.

10
Q

A security analyst conducts an Nmap scan of a server and finds that port 25 is open. What risk might this server be exposed to?

a. Web portal data leak
b. Open mail relay
c. Open file/print sharing
d. Clear text authentication

A

b. Open mail relay

OBJ-1.5: Port 25 is the default port for SMTP (Simple Mail Transfer Protocol), which is used for sending email between mail servers. An open mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send email through it to any destination, not just mail from your known and trusted users or mail addressed to your own domains. Spammers exploit this to use your email server for their benefit, and the server’s IP quickly ends up on block lists. An open port 25 by itself only indicates the exposure; confirming the relay requires an unauthenticated test that tries to send from an outside address to another outside address and checks whether the server accepts the recipient. File/print sharing usually operates over ports 135, 139, and 445 on a Windows server. Web portals run on ports 80 and 443. Clear text authentication could occur using an unencrypted service, such as telnet (23), FTP (21, with 20 for data), or plain HTTP (80).
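
The relay decision is the whole difference between a mail server and an open relay, so here is an added example (not from the original page) of the RCPT TO policy a correctly configured server applies, the classic open-relay probe, and the misconfiguration that most often causes the problem. The domain, trusted network and probe addresses are constructed.

```python
import ipaddress

# Constructed policy data for a server that hosts mail for one domain.
LOCAL_DOMAINS = {"diontraining.com"}
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def relay_decision(client_ip, authenticated, mail_from, rcpt_to,
                   local_domains=LOCAL_DOMAINS, trusted_nets=TRUSTED_NETS):
    """Reply an SMTP server should give to RCPT TO, as (code, enhanced-status text).

    Delivering to a local domain is accepting inbound mail, not relaying, so it
    is always fine. Relaying to a foreign domain is acceptable only for a client
    that has authenticated (SMTP AUTH) or sits on a trusted network. Any other
    relay request is what an open relay would accept.
    """
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if rcpt_domain in local_domains:
        return 250, "2.1.5 Ok"
    client = ipaddress.ip_address(client_ip)
    if authenticated or any(client in net for net in trusted_nets):
        return 250, "2.1.5 Ok"
    # mail_from plays no part in the decision: a forged local sender must not
    # unlock relaying, which is exactly the mistake sender-based checks make.
    return 554, "5.7.1 Relay access denied"


def is_open_relay(policy) -> bool:
    """The classic probe: unauthenticated Internet client, foreign sender,
    foreign recipient. A 250 here means anyone can use the server for spam."""
    code, _ = policy("203.0.113.5", False,
                     "probe@external-test.invalid", "victim@another-domain.invalid")
    return code == 250


def misconfigured_policy(client_ip, authenticated, mail_from, rcpt_to):
    """Trusting the whole Internet (a too-broad trusted-network list, the usual
    cause of open relays) turns the same code into an open relay."""
    return relay_decision(client_ip, authenticated, mail_from, rcpt_to,
                          trusted_nets=[ipaddress.ip_network("0.0.0.0/0")])
```

Against a live server the same probe is a telnet or netcat session to port 25 (EHLO, MAIL FROM with an outside address, RCPT TO with another outside address); a hardened server answers the RCPT TO with a 5xx relay-denied reply.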

11
Q

Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?

a. SQL injection
b. CRLF injection
c. Cross-site scripting
d. Missing patches

A

d. Missing patches

OBJ-1.6: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers reverse engineer the patch to understand and exploit the vulnerability it fixes. If your servers are not patched against the vulnerability, they can fall to the resulting exploit, and the server’s data can be compromised. Cross-site scripting (XSS) is a type of injection in which malicious scripts are injected into otherwise benign and trusted websites; it executes in the victim’s browser and targets the user, not the server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a carriage-return/line-feed sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input; it targets the database behind a web application and is not useful against a file server, which exposes no SQL interface.

12
Q

Which of the following is the LEAST secure wireless security and encryption protocol?

a. WPA
b. WEP
c. WPA3
d. WPA2

A

b. WEP

OBJ-3.4: Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection, and its encryption can be broken with freely available tools. WEP uses the RC4 stream cipher with a per-packet key formed from a 24-bit initialization vector (IV), sent in the clear, concatenated with the shared key. The IV space is so small that keystreams repeat after a few thousand packets, and statistical attacks on the resulting weak keys (FMS, later PTW) recover the shared key from captured traffic. Wi-Fi protected access (WPA) is an improved scheme for protecting Wi-Fi communications that was designed to replace WEP on existing hardware; it keeps the RC4 cipher but adds the Temporal Key Integrity Protocol (TKIP) to overcome the vulnerabilities in WEP. Wi-Fi protected access version 2 (WPA2) replaced the original WPA after the completion of the 802.11i security standard. WPA2 features an improved method of key distribution and authentication for enterprise networks, though the pre-shared key method is still available for home and small office networks. WPA2 uses the AES cipher in Counter Mode with CBC-MAC Protocol (CCMP) for encryption. Wi-Fi protected access version 3 (WPA3) has replaced WPA2 as the most secure wireless encryption method. WPA3 uses Simultaneous Authentication of Equals (SAE) to increase the security of pre-shared keys against offline dictionary attacks. WPA3 provides an enhanced open mode that encrypts transmissions between a client and the access point even on an open network. WPA3 Enterprise mode supports AES with the Galois/Counter Mode Protocol (GCMP-256) for the highest levels of encryption.
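
The 24-bit IV problem is easy to reproduce. This is an added example (not from the original page) with a textbook RC4 and a simplified WEP encryption that omits the CRC-32 integrity value; the key, IV and frame payloads are constructed. It shows that two frames sharing an IV under the same key leak the XOR of their plaintexts, and how few frames it takes before an IV repeats.

```python
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling, then XOR the keystream over the data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 3-byte IV in the clear, then RC4(IV || key) over the
    payload. The CRC-32 ICV that real WEP appends is omitted here."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + root_key, plaintext)


def xor_of_plaintexts(frame1: bytes, frame2: bytes):
    """If two captured frames reuse an IV under the same key, they were
    encrypted with the same keystream, so c1 XOR c2 == p1 XOR p2. Knowing (or
    guessing) one plaintext then yields the other. Returns None if the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame1[3:], frame2[3:]))


def frames_until_iv_collision(probability=0.5, iv_bits=24) -> float:
    """Birthday bound: number of randomly chosen IVs before a repeat is likely."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - probability)))
```

Roughly 4,800 frames give an even chance of an IV repeat, and a busy access point sends that many in seconds; the key-recovery attacks mentioned above need more frames but go further, yielding the shared key itself.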

13
Q

Dion Training has an open wireless network called “InstructorDemos” for its instructors to use during class, but they do not want any students connecting to this wireless network. The instructors need the “InstructorDemos” network to remain open since some of their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the following configuration settings should you use to satisfy the instructors’ requirements and prevent students from using the “InstructorDemos” network?

a. NAT
b. MAC filtering
c. QoS
d. Signal strength

A

b. MAC filtering

OBJ-3.4: Since the instructors need to keep the wireless network open, the BEST option among those given is MAC filtering, which keeps the network open while rejecting devices that are not on an allow list. Since the instructors would most likely use the same devices to connect to the network, it is relatively easy to build the list of permitted devices and reject any other device (such as the students’ laptops or phones). Bear in mind that MAC filtering is a weak control: MAC addresses travel in the clear on every frame, so a student with a wireless sniffer can read an instructor’s address and spoof it, and the open network itself carries demo traffic unencrypted. It satisfies the stated requirements, but not a determined attacker. Reducing the signal strength would not solve this issue since students and instructors are in the same classrooms. Network Address Translation and Quality of Service do not prevent the students from accessing or using the open network.

14
Q

A computer is infected with malware that has infected the Windows kernel to hide. Which type of malware MOST likely infected this computer?

a. Trojan
b. Botnet
c. Ransomware
d. Rootkit

A

d. Rootkit

OBJ-1.2: A rootkit is a clandestine program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enables administrator-level access to a computer or network, and a kernel-mode rootkit hooks or patches the operating system itself so that the OS and anti-malware tools no longer report its files, processes or network connections. If a rootkit is suspected on a machine, it is best to reformat and reimage the system. A botnet is many internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely; a trojan runs as an ordinary user-mode process and relies on disguise rather than kernel-level concealment. Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and the decryption key is withheld from the victim unless payment is received.

15
Q

What information should be recorded on a chain of custody form during a forensic investigation?

a. Any individual who worked with evidence during the investigation
b. The list of former owners/operators of the workstation involved in the investigation
c. The list of individuals who made contact with files leading to the investigation
d. The law enforcement agent who was first on the scene

A

a. Any individual who worked with evidence during the investigation

OBJ-4.5: Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation. These forms record every action taken by each individual in possession of the evidence. Depending on the organization’s procedures, manipulation of evidence may require an additional person to act as a witness to verify whatever action is being taken. While the chain of custody would record who initially collected the evidence, it does not have to record who was the first person on the scene (if that person didn’t collect the evidence). The other options presented by the question are all good pieces of information to record in your notes, but it is not required to be on the chain of custody form.

16
Q

You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank’s cybersecurity program?

a. FERPA
b. GLBA
c. SOX
d. HIPAA

A

b. GLBA

OBJ-5.2: The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Sarbanes-Oxley (SOX) is a United States federal law that sets new or expanded requirements for all US public company boards, management, and public accounting firms. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a United States federal law that governs the access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.

17
Q

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected?

a. COSO
b. GLBA
c. SOX
d. HIPAA

A

d. HIPAA

OBJ-5.2: The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how protected health information (PHI) maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. This is a federal law that must be followed in the United States. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data. This includes companies that offer consumers financial products or services like loans, financial or investment advice, or insurance. The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidance on governance-related topics, including fraud, controls, finance, and ethics. COSO’s ERM integrated framework defines risk and related common terminology, lists key components of risk management strategies, and supplies direction and criteria for enhancing risk management practices.

18
Q

You are troubleshooting a network connectivity issue and need to determine the packet’s flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems?

a. netstat
b. nbtstat
c. ipconfig
d. tracert

A

d. tracert

OBJ-4.1: The tracert (trace route) diagnostic utility determines the route to a destination by sending probe packets with increasing IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router that decremented it sends an ICMP “Time Exceeded” message back to the source computer, and the sequence of routers that send these messages reveals the path. Windows tracert sends ICMP echo requests as probes; Linux and BSD traceroute send UDP datagrams to high ports by default (with options for ICMP or TCP), which matters when a firewall on the path filters one probe type but not another. The ipconfig tool displays the current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.

19
Q

Your organization requires the use of TLS or IPsec for all communications with an organization’s network. Which of the following is this an example of?

a. Data at rest
b. DLP
c. Data in use
d. Data in transit

A

d. Data in transit

OBJ-2.1: Data in transit (or data in motion) is data being transmitted over a network. Examples include website traffic, remote access traffic, data being synchronized between cloud repositories, and more. In this state, data can be protected by a transport encryption protocol, such as TLS or IPsec. Data at rest is data held on persistent storage media; it is protected with whole disk encryption, database encryption, or file- or folder-level encryption. Data in use is data present in volatile memory, such as system RAM or CPU registers and cache. Secure processing mechanisms such as Intel Software Guard Extensions can keep data encrypted as it exists in memory so that an untrusted process, including the OS, cannot read it. This uses a secure enclave and requires a hardware root of trust. Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without proper authorization. DLP is a generic term that may cover data at rest, data in transit, or data in use.

20
Q

The management at Steven’s work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steven could use to identify rogue devices on a wired network?

a. Reviewing a central administration tool like an endpoint manager
b. A physical survey
c. A discovery scan using a port scanner
d. Router and switch-based MAC address reporting

A

d. Router and switch-based MAC address reporting

OBJ-1.4: The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture the MAC addresses of authorized assets, then the switch’s learned-address table will show what is actually connected, including devices that are not in the inventory. Each entry is tied to the physical switch port that learned it, so a rogue device can be traced to a wall jack and a room. A discovery scan only finds hosts that answer probes, an endpoint manager only knows about the agents it manages, and a physical survey is slow and easy to defeat with a device hidden under a desk. Because MAC addresses can be cloned, this reporting is a detection measure; preventing rogue devices outright calls for 802.1X port authentication or, at minimum, switch port security that limits the MACs allowed per port.
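
The comparison the explanation describes is a diff between the switch’s learned-address table and the asset inventory. This is an added example (not from the original page) that parses a constructed, Cisco IOS-style “show mac address-table” listing, normalises MAC notation so entries from different sources compare cleanly, and reports rogue addresses with their port, plus ports that have learned several addresses, which often means an unmanaged switch or hub has been plugged in. The table text and inventory are constructed.

```python
import re
from dataclasses import dataclass

# Constructed "show mac address-table" output in Cisco IOS style.
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  20    aabb.ccdd.eeff    DYNAMIC     Gi1/0/7
  20    0011.2233.4477    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 5
"""

# Constructed asset inventory; notation varies, as it does in real exports.
INVENTORY = {"00:11:22:33:44:55", "00-11-22-33-44-66", "0011.2233.4477"}

_ROW = re.compile(r"^\s*(\d+|All)\s+([0-9a-fA-F.]{14})\s+(\w+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class Entry:
    vlan: str
    mac: str
    kind: str
    port: str


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str):
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append(Entry(vlan, normalize_mac(mac), kind.upper(), port))
    return entries


def find_rogues(text: str, inventory):
    """Learned (DYNAMIC) MACs not in inventory, with the port they hang off."""
    known = {normalize_mac(m) for m in inventory}
    return [e for e in parse_mac_table(text)
            if e.kind == "DYNAMIC" and e.mac not in known]


def ports_with_multiple_macs(text: str):
    """Access ports learning several MACs may hide an unmanaged switch or hub."""
    by_port = {}
    for e in parse_mac_table(text):
        if e.kind == "DYNAMIC":
            by_port.setdefault(e.port, set()).add(e.mac)
    return {port: sorted(macs) for port, macs in by_port.items() if len(macs) > 1}
```

Run against a real export, the two reports give the switch, port and VLAN to walk to; a cloned MAC would pass the inventory check, which is why the port-count heuristic and 802.1X remain worthwhile.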

21
Q

Following a root cause analysis of an edge router’s unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?

a. Increase network vulnerability scan frequency
b. Ensure all anti-virus signatures are up to date
c. Conduct secure supply chain management training
d. Verify that all routers are patched to the latest release

A

c. Conduct secure supply chain management training

OBJ-1.5: Anti-counterfeit training is part of the NIST SP 800-53 control set (SA-19(1) in revision 4, SR-11(1) in revision 5) and should be a mandatory part of the supply chain management training within your organization. All other options may produce security gains in the network, but they are unlikely to detect a counterfeit item reliably or to prevent its introduction into the organization’s supply chain: a counterfeit router may patch and scan cleanly and still contain tampered hardware or firmware. Training acquisition personnel to buy only from authorized resellers and to apply detection methods (serial-number verification with the vendor, simple visual inspection) is what prevents recurrences.

22
Q

What tool is used to collect wireless packet data?

a. John the Ripper
b. Nessus
c. Netcat
d. Aircrack-ng

A

d. Aircrack-ng

OBJ-3.4: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that covers monitoring, attacking, testing, and cracking of wireless networks. Its airodump-ng component captures 802.11 frames from a wireless interface in monitor mode and exports the data as text or pcap files, which the rest of the suite (or Wireshark) can then analyze.

John the Ripper is a password cracking tool.
Nessus is a vulnerability scanner.
Netcat is a general-purpose tool for reading and writing TCP and UDP connections; it is often used to create a reverse shell from a compromised machine back to an attacker, but it does not capture wireless frames.

23
Q

Which type of method is used to collect information during the passive reconnaissance?

a. Reviewing public repositories
b. Network traffic sniffing
c. API requests and responses
d. Social engineering

A

a. Reviewing public repositories

OBJ-1.8: Passive reconnaissance focuses on collecting information that is widely and openly available from publicly available sources. While network traffic sniffing is considered passive, gaining access to the network to place a sniffer in a good network tap location would not be considered passive. Of the choices provided, publicly accessible sources are the best answer to choose. Collecting API requests and responses would involve a penetration tester sending data to a given server and analyzing the responses received, which is considered an active reconnaissance method. Social engineering is also an active reconnaissance technique that uses deception to trick a user into providing information to an attacker or penetration tester.

24
Q

Dion Training has set up a lab consisting of 12 laptops for students to use outside of normal classroom hours. The instructor is worried that a student may try to steal one of the laptops. Which of the following physical security measures should be used to ensure the laptop is not stolen or moved out of the lab environment?

a. USB lock
b. Biometric locks
c. Cable locks
d. Key fob

A

c. Cable locks

OBJ-2.7: The Kensington security slot is a small reinforced hole found on many laptops and other portable devices (less commonly on very thin recent models). It allows a cable lock to be attached to the laptop so it can be locked to a desk and not carried off. These locks usually use a combination lock or a keyed padlock. They do not affect the user’s ability to use the laptop; they only prevent moving it out of the area. A biometric lock is any lock that can be activated by biometric features, such as a fingerprint, voiceprint, or retina scan, which makes it harder to counterfeit the key used to open the lock or a user’s account. A key fob is a hardware token that generates a one-time code synchronized with the authentication server; the code changes every 60 seconds or so. RSA’s SecurID token is a well-known example. A USB lock physically blocks a USB port to prevent unauthorized data transfer, reducing the risk of data leakage, data theft, and malware introduction via removable media. Neither a key fob nor a USB lock stops someone walking away with the laptop.

25
Q

You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses self-encrypting drives as part of its default configuration. As you begin the eradication and recovery phase, you must sanitize the storage devices’ data before restoring the data from known-good backups. Which of the following methods would be the most efficient to use to sanitize the affected hard drives?

a. Perform a cryptographic erase (CE) on the storage devices
b. Conduct zero-fill on the storage devices
c. Use a secure erase (SE) utility on the storage devices
d. Incinerate and replace the storage devices

A

a. Perform a cryptographic erase (CE) on the storage devices

OBJ-2.7: Sanitizing a hard drive can be done using cryptographic erase (CE), secure erase (SE), zero-fill, or physical destruction. In this case the drives are self-encrypting, so every sector is already stored encrypted under a media encryption key (MEK) held by the drive. Cryptographic erase sanitizes such a drive by destroying the MEK, which renders the existing contents unrecoverable in seconds; the drive is then ready to be reimaged and have data restored from the known-good backups. Before relying on CE, confirm that the drive really is an SED with encryption active and that the erase command completed, since a drive that was never actually encrypting gets no protection from destroying a key it never used. A secure erase (SE) is used to sanitize flash-based devices (such as SSDs or USB devices) when cryptographic erase is not available. The zero-fill method overwrites a storage device by setting every bit to zero (0); it is not reliable on SSDs or hybrid drives, where wear levelling leaves blocks the host cannot address, and it takes far longer than CE. The final option is physical destruction by shredding, incineration, or degaussing of magnetic drives, but since the scenario restores data to the same devices, destroying them is not a valid technique.

26
Q

(Sample Simulation – On the real exam for this type of question, you might receive a list of attack vectors and targets. Based on these, you would select the type of attack that occurred.) (1) An attacker has been collecting credit card details by calling victims and using false pretexts to trick them. (2) An attacker sends an email to 100,000 random email addresses claiming that “Your Bank of America account is locked out. Please click here to reset your password.” What types of attacks have occurred in (1) and (2)?

a. (1) Vishing and (2) phishing
b. (1) Hoax and (2) Spearphishing
c. (1) Pharming and (2) Phishing
d. (1) Spearphishing and (2) Pharming

A

a. (1) Vishing and (2) phishing

OBJ-1.1: Vishing uses a phone call to conduct information gathering and phishing-type actions. Spearphishing targets specific individuals using well-crafted emails to gather information from a victim. Phishing relies on sending a large volume of email to a broad set of recipients in the hope that some of them take the desired action or disclose the desired information. A hoax tricks a user into performing an action (such as virus remediation steps) when no infection has occurred. Pharming involves domain spoofing (for example, poisoning DNS so a legitimate hostname resolves to an attacker's server) in an attempt to gather the desired information from a victim.

27
Q

Which role validates the user’s identity when using SAML for authentication?

a. User agent
b. SP
c. RP
d. IdP

A

d. IdP

OBJ-3.8: The IdP provides the validation of the user’s identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP.

The principal’s User Agent (typically a browser) requests a resource from the service provider (SP).

The resource host can also be referred to as the relying party (RP).

If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal’s credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

28
Q

Karen lives in an area that is prone to hurricanes and other extreme weather conditions. She asks you to recommend an electrical conditioning device that will prevent her files from being corrupted if the building’s power is unstable or lost. Additionally, she would like the computer to maintain power for up to an hour of uptime to allow for a graceful shutdown of her programs and computer. Which of the following should you recommend?

a. Surge protector
b. Uninterruptible power supply
c. Line conditioner
d. Power distribution unit

A

b. Uninterruptible power supply

OBJ-2.5: An uninterruptible power supply or uninterruptible power source (UPS) is an electrical apparatus that provides emergency power to a load when the input power source becomes too low or the main power fails. A UPS provides near-instantaneous protection from input power interruptions by using a battery backup. The on-battery run-time of most uninterruptible power sources is usually short (less than 60 minutes) but sufficient to properly shut down a computer system. A line conditioner is a device that adjusts voltages in under-voltage and overvoltage conditions to maintain a 120 V output. Line conditioners raise a sag or under-voltage event back to normal levels, but they cannot protect the line from a complete power failure or power outage. A surge protector defends against possible voltage spikes that could damage your electronics, appliances, or equipment. A power strip will not protect against voltage spikes. A UPS or line conditioner could protect against voltage spikes, but they cost much more than a surge protector. A power distribution unit (PDU) is a device designed to provide power to devices that require power, and may or may not support remote monitoring and access.

29
Q

What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system?

a. You should continue to apply additional controls until there is zero risk
b. You should remove the current controls since they are not completely effective
c. You should accept the risk if the residual risk is low enough
d. You should ignore any remaining risk

A

c. You should accept the risk if the residual risk is low enough

OBJ-5.4: In most cases, you will be unable to remove all risks. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.

30
Q

Which mobile device strategy is most likely to introduce vulnerable devices to a corporate network?

a. BYOD
b. CYOD
c. MDM
d. COPE

A

a. BYOD

OBJ-3.5: The BYOD (bring your own device) strategy opens a network to many vulnerabilities. People can bring their personal devices onto the corporate network, and those devices may carry unpatched software or malware that is then free to roam the corporate network. COPE (company-owned/personally enabled) means that the company provides the user with a smartphone primarily for work use, but basic functions such as voice calls, messaging, and personal applications are allowed, with some controls on usage and flexibility. With CYOD (choose your own device), the user picks a device from a small selection approved by the company; the company then buys, provisions, and secures the device for the user. MDM (mobile device management) is not a deployment strategy at all but a management system that gives centralized control (configuration, policy enforcement, remote wipe) over enrolled devices, whether they are company-owned or personal.

31
Q

Dion Training’s offices utilize an open concept floor plan. They are concerned that a visitor might attempt to steal an external hard drive and carry it out of the building. To mitigate this risk, the security department has recommended installing security cameras clearly visible to both employees and visitors. What type of security control do these cameras represent?

a. Administrative
b. Corrective
c. Deterrent
d. Compensating

A

c. Deterrent

OBJ-5.1: A deterrent control is designed to discourage the violation of a security policy. Since the cameras are clearly visible, they are acting as a deterrent control. Corrective control is one that is used to fix or eliminate a vulnerability. A compensating control is used to minimize a vulnerability when it is deemed too difficult or impractical to correct the vulnerability fully. Administrative control is used to create a policy or procedure to minimize or eliminate a vulnerability.

32
Q

A security analyst is conducting a log review of the company’s web server and found two suspicious entries:

[12Nov2020 10:07:23] “GET /logon.php?user=test’_oR+7>1%20-HTTP/1.1” 200 5825
[12Nov2020 10:10:03] “GET /logon.php?user=admin’;%20-HTTP/1.1” 200 5845
——————————-
END LOG

The analyst contacts the web developer and asks for a copy of the source code to the logon.php script. The script is as follows:

<?php
include('../../config/db_connect.php');
$user = $_GET['user'];   // untrusted input, used without validation
$pass = $_GET['pass'];   // untrusted input, used without validation
$sql = "SELECT * FROM USERS WHERE username = '$user' AND password = '$pass'";
$result = mysql_query($sql) or die("couldn't execute query");

if (mysql_num_rows($result) != 0) echo 'Authentication granted!';
else echo 'Authentication failed!';
?>

Based on source code analysis, which type of vulnerability is this web server vulnerable to?

a. Command injection
b. SQL injection
c. Directory traversal
d. LDAP injection

A

b. SQL injection

OBJ-1.3: Based on the log entries, it appears the attack was a successful SQL injection. Notice the single-quote character (’) in the user parameter of both requests: it closes the string literal in the query, so whatever follows it is parsed as SQL (an OR condition that is always true in the first request, a statement terminator in the second). The script builds its MySQL query by concatenating the user and pass parameters directly into the SQL string with no input validation or parameterization, which is exactly what makes this exploitable. Command injection is an attack whose goal is to execute arbitrary commands on the host operating system via a vulnerable application; SQL injection is a specific type of injection attack in which the injected commands are SQL. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or path traversal is an HTTP attack that allows attackers to access restricted directories and files outside of the web server’s root directory.
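The following is an added example, not code from the original page: it reproduces the logon.php flaw in Python against an in-memory SQLite table (a constructed stand-in for the USERS table, with fake credentials), runs the first logged payload through it, and shows the parameterized form that defeats it. The decoded payload "test' OR 7>1 --" is an assumption about what the garbled log line encodes, and the small log-review heuristic at the end simply flags any decoded parameter that contains a single quote.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the page's USERS table (fake credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO USERS VALUES (?, ?)",
        [("admin", "S3cret!"), ("test", "hunter2")],
    )
    return conn


def params_from_query(query_string: str) -> dict:
    """Mimic PHP's $_GET: URL-decode and keep the first value for each key."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Same flaw as logon.php: the untrusted strings are spliced into the SQL
    # text, so a quote in the input ends the literal and the rest of the
    # input is parsed as SQL. A trailing "--" comments out the password check.
    sql = (
        f"SELECT * FROM USERS WHERE username = '{user}' "
        f"AND password = '{password}'"
    )
    return len(conn.execute(sql).fetchall()) != 0


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Parameterized query: the driver passes the values separately from the
    # SQL text, so quotes in the input are data, never syntax.
    sql = "SELECT * FROM USERS WHERE username = ? AND password = ?"
    return len(conn.execute(sql, (user, password)).fetchall()) != 0


def suspicious_request(query_string: str) -> bool:
    """Log-review heuristic: flag a request whose decoded parameters contain a quote."""
    return any("'" in value for value in params_from_query(query_string).values())


def demo() -> dict:
    conn = make_db()
    # Constructed requests. The first is modelled on the page's first log line,
    # with the payload written out in full ("test' OR 7>1 --" before encoding).
    injected_qs = "user=test'+OR+7>1+--&pass=wrong"
    injected = params_from_query(injected_qs)
    honest = params_from_query("user=test&pass=wrong")
    return {
        "vulnerable_injected": login_vulnerable(conn, injected["user"], injected["pass"]),
        "vulnerable_honest": login_vulnerable(conn, honest["user"], honest["pass"]),
        "safe_injected": login_safe(conn, injected["user"], injected["pass"]),
        "safe_correct": login_safe(conn, "test", "hunter2"),
        "flagged": suspicious_request(injected_qs),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the wrong password, the vulnerable login still returns true for the injected request because `7>1` is always true and `--` discards the password clause; the parameterized version returns false for the same input and only succeeds with the real credentials.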

33
Q

Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence?

a. Memdump
b. Autopsy
c. FTK Imager
d. dd

A

c. FTK Imager

OBJ-4.1: FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including the slack, unallocated, and free space on a given drive, and the tool computes hashes of the image so its integrity can be verified later. The dd tool can also create forensic images, but it is not a proprietary tool since it is open-source. Memdump is used to collect the contents of RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite.

34
Q

Which analysis framework provides a graphical depiction of the attacker’s approach relative to a kill chain?

a. OpenIOC
b. MITRE ATT&CK framework
c. Diamond Model of Intrusion Analysis
d. Lockheed Martin cyber kill chain

A

c. Diamond Model of Intrusion Analysis

OBJ-4.2: The Diamond Model provides a methodology for communicating cyber events and lets analysts derive mitigation strategies from them. It is built around a graphical representation of an attacker’s behavior: the four vertices of the diamond (adversary, infrastructure, capability, and victim) describe each event, and events are chained together to show the intrusion relative to a kill chain. The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques, with detection and mitigation guidance for each technique, that ties specific behaviors back to individual threat groups. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate them. OpenIOC is a format for sharing indicators of compromise; it captures artifacts of APT activity but does not integrate a detection and mitigation strategy.

35
Q

Which of the following is not normally part of an endpoint security suite?

a. Anti-virus
b. Software firewall
c. VPN
d. IPS

A

c. VPN

OBJ-3.2: Endpoint security suites include software host-based firewalls, host-based intrusion prevention systems (HIPS), and anti-virus software. A VPN client is not typically considered an endpoint security tool because it is a network security tool: it protects traffic in transit, not the host itself.

36
Q

Which of the following types of access control provides the strongest level of protection?

a. MAC
b. ABAC
c. RBAC
d. DAC

A

a. MAC

OBJ-3.8: Mandatory Access Control (MAC) requires all access to be predefined based on system classification, configuration, and authentication. MAC is commonly used in highly centralized environments and usually relies on a series of labels, such as classification levels of the data. Because the labels and the rules comparing them are enforced by the system rather than set by the resource owner (as in DAC), a user or process cannot grant access that the policy forbids, which is why MAC is considered the strongest of the four models.

37
Q

Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud?

a. Use full-disk encryption
b. Use data masking
c. Span multiple virtual disks to fragment data
d. Zero-wipe drives before moving systems

A

a. Use full-disk encryption

OBJ-1.5: To mitigate the risk of data remanence, you should implement full-disk encryption. This ensures that all data written to the virtual disk is encrypted, so any blocks left behind on a physical host after a migration cannot be read by other tenants or by the underlying IaaS provider, as long as the encryption key is managed by the tenant. Using a zero wipe is typically impossible because VM systems may move without user intervention during scaling and elasticity operations. Data masking can mean that all or part of a field’s contents is redacted, by substituting all character strings with “x,” for example. Data masking will not prevent your corporate data from being exposed by data remanence. Spanning multiple disks will leave the data accessible, even though it would be fragmented, and would make the data remanence problem worse overall.

38
Q

(Sample Simulation – On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.)

Match each protocol to the port it uses (53, 69, 25, 80):
TFTP
SMTP
HTTP
DNS

a. 53, 69, 25, 80
b. 80, 53, 69, 25
c. 69, 25, 80, 53
d. 25, 80, 53, 69

A

c. 69, 25, 80, 53

OBJ-3.1: For the exam, you need to know your ports and protocols. The Trivial File Transfer Protocol (TFTP) uses port 69. The Simple Mail Transfer Protocol (SMTP) uses port 25. The Hypertext Transfer Protocol (HTTP) uses port 80. The Domain Name Service (DNS) protocol uses port 53.

39
Q

Dion Training is currently undergoing an audit of its information systems. The auditor wants to understand better how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview?

a. Data Controller
b. Data owner
c. Data steward
d. Data protection officer

A

d. Data protection officer

OBJ-5.5: The primary role of the data protection officer (DPO) is to ensure that her organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. They must understand how any privacy information is used within business operations. Therefore, they are the best person for the auditor to interview to get a complete picture of the data usage.

40
Q

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized?

a. Statistical matching
b. Exact data match
c. Document matching
d. Classification

A

b. Exact data match

OBJ-3.2: An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of its customers’ actual social security numbers. Since it is not appropriate to load those numbers into a DLP filter in the clear, the filter instead holds fingerprints (one-way hashes) of the values and compares candidate strings, found by their format or sequence, against those fingerprints. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses machine learning to analyze various data sources. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification-based DLP to search for any files labeled as secret or top secret.
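As an added example (not part of the original page), the block below shows both halves of what the explanation describes: a format match for SSN-shaped strings, and an exact data match index that holds keyed hashes of the customer values rather than the values themselves. The customer SSNs, the HMAC key and the sample document are all constructed for the example; in a real deployment the key would stay with the DLP engine, not in source.

```python
import hashlib
import hmac
import re

# Format match: SSN-shaped strings, excluding ranges the SSA never issues
# (area 000, 666, 900-999; group 00; serial 0000).
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_ssn_candidates(text: str) -> list:
    """Every substring that looks like a validly formed SSN, in order of appearance."""
    return SSN_PATTERN.findall(text)


class ExactDataMatchIndex:
    """Fingerprint index: the DLP engine holds keyed hashes, never the SSNs themselves."""

    def __init__(self, secret: bytes, values) -> None:
        self._secret = secret
        self._fingerprints = {self._fingerprint(v) for v in values}

    def _fingerprint(self, value: str) -> str:
        # Normalize so "123-45-6789" and "123456789" fingerprint identically.
        digits = re.sub(r"\D", "", value)
        return hmac.new(self._secret, digits.encode(), hashlib.sha256).hexdigest()

    def contains(self, value: str) -> bool:
        return self._fingerprint(value) in self._fingerprints


def scan(text: str, index: ExactDataMatchIndex) -> dict:
    """Run both DLP checks over a document and report what each one flags."""
    candidates = find_ssn_candidates(text)
    return {
        "pattern_hits": candidates,
        "edm_hits": [c for c in candidates if index.contains(c)],
    }


# Constructed data: fake customer SSNs, an example key, and a fake document.
CUSTOMER_SSNS = ["234-56-7890", "345-67-8901"]
INDEX = ExactDataMatchIndex(b"example-dlp-key", CUSTOMER_SSNS)
SAMPLE_DOCUMENT = (
    "Customer record 234-56-7890 exported for billing. "
    "Test fixture 123-45-6789 is not a customer. "
    "Malformed value 000-12-3456 should not match. "
    "Order id 9876543 is not an SSN."
)


def demo() -> dict:
    return scan(SAMPLE_DOCUMENT, INDEX)


if __name__ == "__main__":
    print(demo())
```

The format match alone fires on both well-formed numbers in the sample, while the EDM index fires only on the one that belongs to a customer; the malformed value with area number 000 is rejected before either check runs. A keyed hash (HMAC) is used rather than a bare hash because the SSN space is small enough that unkeyed fingerprints could be brute-forced by anyone who obtained the index.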

41
Q

Julie was just hired to conduct a security assessment of Dion Training’s security policies. During her assessment, she noticed that many users were sharing group accounts to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company?

a. More efficient baseline management
b. Increase individual accountability
c. Increase password security
d. More routine auditing

A

b. Increase individual accountability

OBJ-5.3: To adequately provide accountability, the use of shared or group accounts should be disabled. This allows you to log and track individual user actions based on individual user accounts. This enables the organization to hold users accountable for their actions, too.

42
Q

Which of the following cryptographic algorithms is classified as symmetric?

a. Diffie Hellman
b. RSA
c. AES
d. ECC

A

c. AES

OBJ-2.8: The Advanced Encryption Standard (AES) is a symmetric-key algorithm for encrypting digital data. It was established as an electronic data encryption standard by NIST in 2001. AES can use a 128-bit, 192-bit, or 256-bit key, and uses a 128-bit block size.

43
Q

Dion Training wants to get an external attacker’s perspective on its security status. Which of the following services should they purchase?

a. Patch management
b. Asset management
c. Penetration test
d. Vulnerability scan

A

c. Penetration test

OBJ-1.8: Penetration tests provide an organization with an external attacker’s perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan provides an assessment of your security posture from an internal perspective. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles. It may apply both to tangible assets and intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.

44
Q

What should administrators perform to reduce a system’s attack surface and remove unnecessary software, services, and insecure configuration settings?

a. Harvesting
b. Stealthing
c. Hardening
d. Windowing

A

c. Hardening

OBJ-3.2: Hardening is the process of securing a system by reducing its attack surface, which grows with every additional function a system performs; in principle, a single-function system is more secure than a multipurpose one. Reducing the available ways of attack typically includes changing default passwords, removing unnecessary software, removing unnecessary usernames or logins, and disabling or removing unnecessary services. Windowing is the use of windows for the simultaneous display of more than one item on a screen. Harvesting is the process of gathering data, normally user credentials. Stealthing is a made-up term in this question.

45
Q

Which of the following cryptographic algorithms is classified as symmetric?

a. ECC
b. RSA
c. Diffie-Hellman
d. Twofish

A

d. Twofish

OBJ-2.8: Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. ECC, RSA, and Diffie-Hellman are all asymmetric algorithms.

46
Q

Which of the following cryptographic algorithms is classified as asymmetric?

a. 3DES
b. PGP
c. RC4
d. AES

A

b. PGP

OBJ-2.8: Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting text, email, files, directories, and whole disk partitions, and to increase the security of email communications. PGP is a public-key cryptosystem: it relies on an asymmetric algorithm such as RSA to encrypt a one-time session key and to sign messages, while the message body itself is encrypted with a symmetric cipher under that session key (a hybrid design). Because its trust and key model is asymmetric, it is classified as asymmetric for the exam. AES, RC4, and 3DES are all symmetric algorithms.

47
Q

A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation?

a. Memorandum of understanding
b. Rules of engagement
c. Service level agreement
d. Acceptable use policy

A

b. Rules of engagement

OBJ-1.8: While the contract documents’ network scope will define what will be tested, the rules of engagement define how that testing is to occur. Rules of engagement can state things like no social engineering is allowed, no external website scanning, etc. A memorandum of understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve monetary exchange. A service level agreement contains the operating procedures and standards for a service contract. An acceptable use policy is a policy that governs employees’ use of company equipment and internet services.

48
Q

You are attempting to prioritize your vulnerability scans based on the data’s criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization?

a. The depreciated hardware cost of the system
b. The cost of acquisition of the system
c. The cost of hardware replacement of the system
d. The type of data processed by the system

A

d. The type of data processed by the system

OBJ-5.4: The data’s asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value. The cost of acquisition, cost of hardware replacement, and depreciated costs refer to the financial value of the hardware or system itself. This can be significantly different from the value of the information and data that the system stores and processes.

49
Q

You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command)

a. journalctl _UID=1003 | grep -e [Tt]erri | grep sudo
b. journalctl _UID=1003 | grep -e 1003 | grep sudo
c. journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo
d. journalctl _UID=1003 | grep sudo

A

d. journalctl _UID=1003 | grep sudo

OBJ-4.3: journalctl is the command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd’s log collection; it retrieves messages from the kernel, systemd services, and other sources and gathers them in a central location, which makes them easy to review. If you specify the match _UID=1003, you will only receive entries logged by processes running as the user with ID (UID) 1003. In this case, that is Terri. Using a pipe, we send that list of entries into grep as input and filter the results before they are returned to the screen. This command is sufficient to see all the times that Terri has executed something as the superuser through sudo. If there are too many results, we could filter further with regular expressions using grep’s -e flag. Since UID 1003 is used only by Terri, it is unnecessary to add [Tt]erri or 1003 to the grep filter, because every entry returned for _UID=1003 already belongs to terri. So, while all four of these commands would produce the same results, the most efficient option is “journalctl _UID=1003 | grep sudo”. Don’t be intimidated by questions like this; walk through each part of the command step by step and determine the differences. You may not have known what journalctl is, but you didn’t need to: you needed to identify which pipeline was the shortest that would still get the job done. By comparing the differences between the options presented, you could identify the right one.

50
Q

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output:

login: json password: password
login: json password: CompTIACySA+
login: json password: 1234
login: json password: qwerty
login: json password: abc123
————————
END LOG

What type of attack was most likely being attempted by the attacker?

a. Password spraying
b. Impersonation
c. Brute force
d. Credential stuffing

A

c. Brute force

OBJ-1.2: This is an example of a brute force attack. Unlike password spraying, which tries only one or two passwords against each of many users, a brute force attack tries many passwords against a single user. The goal of this attack is to crack the user’s password and gain access to their account. Password spraying, by contrast, takes a large number of usernames and loops through them with a single password. The attacker may run several iterations with different passwords, but the number of passwords attempted is low compared to the number of users attempted. This method avoids account lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, five different passwords are being attempted against the single username “json”. This is indicative of a brute force attempt against that user rather than a password spraying attack. Impersonation is the act of pretending to be another person for fraudulent purposes. Credential stuffing is the automated injection of breached username/password pairs to gain access to user accounts fraudulently. It is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are matched to an existing account, which the attacker can then hijack for their own purposes.
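The explanation distinguishes the three attacks by the shape of the attempt set: many passwords per user, many users per password, or many unique pairs. The block below is an added example, not part of the original page, that parses log lines in the layout shown above and applies exactly that distinction. The page's five lines are used as constructed sample input, the spraying and stuffing excerpts are likewise constructed, and the threshold of three attempts is an assumption chosen for the example, not a standard value.

```python
import re
from collections import defaultdict

# Constructed log excerpts in the same layout as the page's listing.
BRUTE_FORCE_LOG = """\
login: json password: password
login: json password: CompTIACySA+
login: json password: 1234
login: json password: qwerty
login: json password: abc123
"""

SPRAYING_LOG = """\
login: alice password: Winter2020!
login: bob password: Winter2020!
login: carol password: Winter2020!
login: dave password: Winter2020!
"""

STUFFING_LOG = """\
login: alice password: a1b2c3d4
login: bob password: hunter2
login: carol password: letmein99
"""

LINE_RE = re.compile(r"^login:\s+(\S+)\s+password:\s+(\S+)\s*$")


def parse_attempts(log_text: str) -> list:
    """Return (username, password) pairs; lines that do not match the layout are skipped."""
    attempts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            attempts.append((match.group(1), match.group(2)))
    return attempts


def classify(attempts: list, threshold: int = 3) -> str:
    """Heuristic classification by the shape of the attempt set.

    brute force        : many different passwords tried against one user
    password spraying  : one password tried against many users
    credential stuffing: many unique user/password pairs, nothing reused (heuristic)
    """
    if not attempts:
        return "inconclusive"
    passwords_per_user = defaultdict(set)
    users_per_password = defaultdict(set)
    for user, password in attempts:
        passwords_per_user[user].add(password)
        users_per_password[password].add(user)

    if max(len(s) for s in passwords_per_user.values()) >= threshold:
        return "brute force"
    if max(len(s) for s in users_per_password.values()) >= threshold:
        return "password spraying"
    if (len(attempts) >= threshold
            and len(passwords_per_user) == len(attempts)
            and len(users_per_password) == len(attempts)):
        return "credential stuffing (heuristic)"
    return "inconclusive"


if __name__ == "__main__":
    for name, log in [("page log", BRUTE_FORCE_LOG), ("spray", SPRAYING_LOG), ("stuffing", STUFFING_LOG)]:
        print(f"{name}: {classify(parse_attempts(log))}")
```

On the page's log the classifier returns brute force because one user accumulates five distinct passwords; the spraying sample returns password spraying because one password is reused across four users. The stuffing branch is only a heuristic: a real detector would also correlate against known breach corpora and source IPs.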

51
Q

Your company has just finished replacing all of its computers with brand new workstations. Colleen, one of your coworkers, has asked the company’s owner if she can have the old computers that are about to be thrown away. Colleen would like to refurbish the old computers by reinstalling a new operating system and donating them to a local community center for disadvantaged children in the neighborhood. The owner thinks this is a great idea but is concerned that the private and sensitive corporate data on the old computer’s hard drives might be placed at risk of exposure. You have been asked to choose the best solution to sanitize or destroy the data while ensuring the computers will still be usable by the community center. What type of data destruction or sanitization method do you recommend?

a. Purging
b. Degaussing
c. Wiping
d. Shredding

A

c. Wiping

OBJ-2.7: Data wiping or clearing uses a software tool to overwrite the data on a hard drive, destroying all electronic data on the disk or other media while leaving the drive functional, which allows for hardware reuse. Wiping tools offer 1x, 7x, or 35x overwriting passes; exam material treats a higher pass count as more secure, although NIST SP 800-88 considers a single pass adequate for modern magnetic drives. Overwriting is only reliable on magnetic media; for SSDs, the drive’s secure erase command or a cryptographic erase should be used instead. Degaussing a hard drive involves demagnetizing it to erase its stored data. You cannot reuse a hard drive once it has been degaussed, so it is a bad solution for this scenario. Purging involves removing sensitive data from a hard drive using the device’s internal electronics or an outside source such as a degausser, or by using a cryptographic erase function if the drive supports one. Shredding involves the physical destruction of the hard drive. This is a secure method of destruction but doesn’t allow for device reuse.

52
Q

You are installing Windows Server 2019 on a rack-mounted server and hosting multiple virtual machines within the physical server. You just finished the installation and now want to begin creating and provisioning the virtual machines. Which of the following should you utilize to allow you to create and provision virtual machines?

a. Disk management
b. Hypervisor
c. Device manager
d. Terminal services

A

b. Hypervisor

OBJ-2.2: A hypervisor, also known as a virtual machine monitor, is software that creates and runs virtual machines (VMs). A hypervisor allows one host computer to support multiple guest VMs by sharing its resources, such as memory and processing, among them. On Windows Server 2019 you can enable the built-in Hyper-V role, a Type I hypervisor, or install a Type II hypervisor such as VMware Workstation or VirtualBox on top of the operating system. Disk Management is a system utility in Windows that enables you to perform advanced storage tasks. Device Manager is a component of the Microsoft Windows operating system that allows users to view and control the hardware attached to the computer. Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is the component of Microsoft Windows that allows a user to take control of a remote computer or virtual machine over a network connection.

53
Q

(Sample Simulation – On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.)

Order of Evidence Collection (drag each item into slots 1–4): Swap File, Processor Cache, Hard Drive or USB Drive, Random Access Memory

You are working as part of a cyber incident response team. An ongoing attack has been identified on your webserver. Your company wants to take legal action against the criminals who have hacked your server, so they have brought a forensic analyst from the FBI to collect the evidence from the server. In what order should the digital evidence be collected based on the order of volatility?

a. Hard Drive or USB Drive, Swap File, Random Access Memory, Processor Cache
b. Processor Cache, Swap Files, Random Access Memory, Hard Drive or USB Drive
c. Swap File, Processor Cache, Random Access Memory, Hard Drive or USB Drive
d. Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive

A

d. Processor Cache, Random Access Memory, Swap File, Hard Drive or USB Drive

OBJ-4.5: The correct order for evidence collection based on the order of volatility is the Processor Cache, Random Access Memory, Swap File, and then the Hard Drive or USB Drive. Since the Processor Cache is the most volatile and changes the most frequently, it should be captured first. Random Access Memory (RAM) is temporary storage on a computer. It can quickly change or be overwritten, and the information stored in RAM is lost when power is removed from the computer, so it should be collected second. Swap files are temporary files on a hard disk used as virtual memory, and therefore, they should be collected third. The files on a hard disk or USB drive are the least volatile of the four options presented since they are used for long-term storage of data and are not lost when the computer loses power.

54
Q

You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack’s target?

a. 443
b. 3389
c. 21
d. 389

A

a. 443

OBJ-3.1: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).

55
Q

A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output:

tcpdump -n -i eth0
IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157 (52) ack 18060 win 16549
IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136 (148) ack 157 win 113
IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380 (224) ack 157 win 113

Which of the following statements is true based on this output?

a. 10.0.19.121 is a client that is accessing an SSH server over port 52497
b. 10.0.19.121 is under attack from a host at 11.154.12.121
c. 11.154.12.121 is under attack from a host at 10.0.19.121
d. 11.154.12.121 is a client that is accessing an SSH server over port 52497

A

a. 10.0.19.121 is a client that is accessing an SSH server over port 52497

OBJ-4.1: This output from the tcpdump command is displaying three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.154.12.121) runs an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.0.19.121) over port 52497. There is no evidence of an attack against either the server or the client based on this output since we can only see the headers and not the content being sent between the client and server.

56
Q

Which of the following categories would contain information about a French citizen’s race or ethnic origin?

a. SPI
b. DLP
c. PII
d. PHI

A

a. SPI

OBJ-5.5: According to the GDPR, information about an individual’s race or ethnic origin is classified as Sensitive Personal Information (SPI). Sensitive personal information (SPI) is information about a subject’s opinions, beliefs, and nature that is afforded specially protected status by privacy legislation. Since it cannot by itself uniquely identify a person or support any assertion about their health, it is neither PII nor PHI. Data loss prevention (DLP) is a software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

57
Q

(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)

Picture of a computer screen with lock and keys to enter. Front of it is a mobile phone with the access code

How would you appropriately categorize the authentication method being displayed here?

a. One-time password authentication
b. PAP authentication
c. Biometric authentication
d. Multifactor authentication

A

d. Multifactor authentication

OBJ-2.4: For the exam, you need to know the different authentication categories and what type of authentication methods belong to each category. This is an example of multifactor authentication because you are using both a username/password combination with an SMS code. This provides a knowledge factor (username/password) and a possession factor (your smartphone) to provide two factors of authentication, making this the best option.

58
Q

(Sample Simulation – On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company’s network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts?

a. Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody
b. Conduct a system restore of the database server, image the hard drive, and maintain the chain of custody
c. Isolate the affected server from the network immediately, format the database server, reinstall from a known good backup
d. Immediately remove the database server from the network, create an image of its hard disk, and maintain the chain of custody.

A

a. Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain the chain of custody

OBJ-1.7: Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won’t affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server’s hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.

59
Q

You have just received an email that claims to be from the Federal Bureau of Investigation (FBI). The email claims that your computer was identified as part of a botnet being used to distribute pirated copies of a new movie. The email states that you must click the link below and pay a fine of $1000 within 24 hours, or federal agents will be sent to your home to arrest you for copyright infringement. What social engineering principle is this email relying on using?

a. Familiarity
b. Intimidation
c. Consensus
d. Trust

A

b. Intimidation

OBJ-1.1: Intimidation is a commonly used technique during a social engineering campaign. It relies on trying to scare or frighten a person into clicking a link. Often, these emails will claim to be from the FBI, IRS, or other government agencies.

60
Q

Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks?

a. Directory traversals
b. Faulty input validation
c. Output encoding
d. File inclusions

A

b. Faulty input validation

OBJ-3.2: A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, or data passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory. In a file inclusion attack, the attacker adds a file to a web app or website’s running process. The file is either constructed to be malicious or manipulated to serve the attacker’s malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker’s site.

61
Q

Which of the following describes the security method used when users enter their username and password only once and can access multiple applications?

a. Permission propagation
b. Multifactor authentication
c. SSO
d. Inheritance

A

c. SSO

OBJ-3.8: Single sign-on (SSO) is an authentication process that allows users to access multiple applications with one set of login credentials. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN). Permission propagation occurs when a technician sets permissions on a folder or a drive, and the folder properties apply those permissions to all of the folders under that folder in the tree. Permissions propagation secures your data by limiting access to the users specified in the top folder. Multifactor authentication is an authentication scheme that works based on something you know, something you have, something you are, something you do, or somewhere you are. These schemes can be made stronger by combining them (for example, protecting the use of a smart card certification [something you have] with a PIN [something you know]). Inheritance or inherited permissions are permissions that are given to an object because it is a child of a parent object. Inheritance occurs due to permissions propagation.

62
Q

Which of the following type of threats did the Stuxnet attack rely on to cross an air gap between a business and an industrial control system network?

a. Directory traversal
b. Removable media
c. Session hijacking
d. Cross-site scripting

A

b. Removable media

OBJ-2.7: Air gaps are designed to remove connections between two networks to create physical segmentation between them. The only way to cross an air gap is to have a physical device between these systems, such as using a removable media device to transfer files between them.

A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside the web server’s root directory.

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.

A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.

A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an air gap.

63
Q

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if any of the Dion Training employees use the same Ethernet port in the conference room, they should access Dion Training’s secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?

a. MAC filtering
b. Create an ACL to allow access
c. Configure a SIEM
d. Implement NAC

A

d. Implement NAC

OBJ-3.3: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets and provide them with access to the secure internal network. NAC could also identify unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them on a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single Ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define which ports, protocols, or IP addresses could be reached from the Ethernet port. Still, it would be unable to distinguish between a Dion Training employee’s laptop and a CompTIA employee’s laptop like a NAC implementation could.

64
Q

Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption?

a. Randomized one-time use pad
b. ECC with a 256-bit key
c. AES with a 256-bit key
d. DES with a 56-bit key

A

a. Randomized one-time use pad

OBJ-2.8: The only truly unbreakable encryption is one that uses a one-time use pad. This ensures that every message is encrypted with a different shared key that only the two owners of the one-time use pad would know. This technique ensures that there is no pattern in the key for an attacker to guess or find. Even if one of the messages could be broken, all of the other messages would remain secure since they use different keys to encrypt them. Unfortunately, one-time use pads require that two identical copies of the pad are produced and distributed securely before they can be used. DES and AES both rely on a single shared secret key, making them vulnerable to attack. DES has already been broken, while AES remains unbroken (today). With enough time and computing power, though, an AES key could be discovered. RSA is also vulnerable to attack with enough time and computing power.

65
Q

Review the following packet captured at your NIDS:

23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389
Flags [P.], Seq 1834:1245, ackl win 511, options
[nop, nop, TS val 253451334 erc 482862734, length 125

After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host?

a. DENY TCP ANY HOST 71.168.10.45 EQ 3389
b. DENY IP HOST 86.18.10.3 EQ 3389
c. DENY IP HOST 71.168.10.45 ANY EQ 25
d. DENY TCP ANY HOST 86.18.10.3 EQ 25

A

a. DENY TCP ANY HOST 71.168.10.45 EQ 3389

OBJ-4.4: Since the question asks you to prevent unauthorized service access, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the Remote Desktop Protocol service that is unauthorized (port 3389).

66
Q

(This is a simulated performance-based question.)

Review the network diagram provided. Which of the following ACL entries should be added to the firewall to allow only the Human Resources (HR) computer to have SMB access to the file server (Files)?

DMZ: FTP 192.168.0.5, Web 192.168.0.6, Email 192.168.0.7

Internet

Workstations: Backup 172.16.1.2, HR 172.16.1.3, IT 172.16.1.4

Data Center: Sales 192.168.1.10, Confidential 192.168.1.11, Files 192.168.1.12

(Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.)

a. 172.16.1.3, 192.168.1.12, ANY, TCP, ALLOW
b. 172.16.1.12, 192.168.1.3/24, 445, TCP, ALLOW
c. 192.168.1.12, 172.16.1.3, 445, UDP, DENY
d. 172.16.1.3, 192.168.1.12, 445, TCP, ALLOW

A

d. 172.16.1.3, 192.168.1.12, 445, TCP, ALLOW

OBJ-3.3: The ACL should be created with 172.16.1.3 as the Source IP, 192.168.1.12 as the Destination IP, 445 as the port number operating over TCP, and the ALLOW condition set. This is the most restrictive option presented (only the HR and Files server are used), and the minimal number of ports are opened to accomplish our goal (only port 445 for the SMB service).

67
Q

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders?

a. Dual control
b. Background checks
c. Separation of duties
d. Mandatory vacation

A

c. Separation of duties

OBJ-5.3: This organization uses separation of duties to ensure that neither Kirsten nor Bob can exploit the organization’s ordering processes for their own gain. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Mandatory vacation policies require employees to take time away from their job, which helps detect fraud or malicious activities. A background check is a process a person or company uses to verify that a person is who they claim to be and provides an opportunity for someone to check a person’s criminal record, education, employment history, and other past activities to confirm their validity.

68
Q

Your organization has been receiving many phishing emails recently, and you are trying to determine why they are effective in getting your users to click on their links. The latest email consists of what looks like an advertisement that is offering an exclusive early access opportunity to buy a new iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social engineering principle is being exploited here?

a. Scarcity
b. Trust
c. Intimidation
d. Familiarity

A

a. Scarcity

OBJ-1.1: Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as “supplies are limited,” “only available for the next 4 hours,” and other such artificial limitations. Familiarity is a social engineering technique that relies on assuming a widely known organization’s persona. For example, in the United States, nearly 25% of Americans have a Bank of America account. For this reason, phishing campaigns often include emails pretending to be from Bank of America since 1 in 4 people who receive the email in the United States are likely to have an account. Because recipients are familiar with the bank’s name, they are more likely to click on the email link.

69
Q

Which of the following cryptographic algorithms is classified as symmetric?

a. GPG
b. DSA
c. DES
d. ECC

A

c. DES

OBJ-2.8: The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for applications, it was the standard used from 1977 until the early 2000s. GPG, ECC, and DSA are all asymmetric algorithms.

70
Q

When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training?

a. Data minimization
b. Anonymization
c. Tokenization
d. Data masking

A

a. Data minimization

OBJ-5.5: Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Since we only need your name and email to deliver the voucher and your credit card to receive payment for the voucher, we do not collect any additional information, such as your home address or phone number. Data masking can mean that all or part of a field’s contents are redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data anonymization is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous.

71
Q

Which attack method is MOST likely to be used by a malicious employee or insider trying to obtain another user’s passwords?

a. Shoulder surfing
b. On-path attack
c. Tailgating
d. Phishing

A

a. Shoulder surfing

OBJ-1.1: While a malicious employee or insider could use all of the methods listed to obtain another user’s passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder. Since a malicious employee or insider can work close to their victims (other users), they could easily use this technique to collect the victimized users’ passwords. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. The attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection. The attacker will intercept all relevant messages passing between the two victims and inject new ones. Tailgating is a social engineering technique to gain access to a building by following someone who is unaware of the attacker’s presence. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people.

72
Q

During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found?

a. XSRF
b. Botnet
c. SQL injection
d. Indicator of compromise

A

d. Indicator of compromise

OBJ-1.2: An indicator of compromise is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers’ domain names. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A malicious website can transmit such commands in many ways, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, all of which can work without the user’s interaction or even knowledge. A botnet consists of many Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.

73
Q

Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered?

a. Unknown environment testing
b. Known environment testing
c. Partially known environment testing
d. Semi-trusted environment testing

A

a. Unknown environment testing

OBJ-1.8: An unknown environment penetration test requires no previous information and usually takes the approach of an uninformed attacker. The penetration tester has no prior information about the target system or network in an unknown environment penetration test. These tests provide a realistic scenario for testing the defenses, but they can be costlier and more time-consuming to conduct as the tester is examining a system from an outsider’s perspective. A partially known environment tester has the user’s access and knowledge levels, potentially with elevated privileges on a system. These partially known environment penetration testers typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network. A known environment test is known by several different names, including clear-box, open-box, auxiliary, or logic-driven testing. It falls on the opposite end of the spectrum from an unknown environment test because the penetration testers have full access to source code, architecture documentation, and so forth. A known environment penetration tester can also perform static code analysis, so familiarity with source code analyzers, debuggers, and similar tools is necessary for this type of testing. A semi-trusted environment test is a made-up term and is used as a distractor in this question.

74
Q

A supplier needs to connect several laptops to an organization’s network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network’s security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier’s laptops?

a. Scan the laptops for vulnerabilities and patch them
b. Increase the encryption level of VPN used by the laptops
c. Implement a jumpbox system
d. Require 2FA (two-factor authentication) on the laptop

A

c. Implement a jumpbox system

OBJ-3.3: A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier’s laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an air gap, or using a jumpbox.

75
Q

Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system?

a. Smartcard and PIN
b. Password and security questions
c. Fingerprint and retinal scan
d. Username and password

A

a. Smartcard and PIN

OBJ-2.4: Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inheritance factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inheritance). Choosing a username, password, and security question would also be only using one factor (knowledge). For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inheritance, location, or action.

76
Q

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer’s phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reads the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit?

a. Broken authentication
b. Sensitive data exposure
c. Race condition
d. Dereferencing

A

c. Race condition

OBJ-1.6: Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. In this scenario, the hacker’s exploit is racing to modify the configuration file before the application reads the number of lives from it. Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls. Broken authentication refers to an app that fails to deny access to malicious actors. Dereferencing attempts to access a pointer that references an object at a particular memory location.

77
Q

What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes?

a. Clear
b. Degauss
c. Purge
d. Destroy

A

a. Clear

OBJ-2.7: Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory settings. Purging data is meant to eliminate information from being feasibly recovered even in a laboratory environment. Destroy requires physical destruction of the media, such as pulverization, melting, incineration, and disintegration. Degaussing is the process of decreasing or eliminating a remnant magnetic field. Degaussing is an effective method of sanitization for magnetic media, such as hard drives and floppy disks.

78
Q

Which type of threat will patches NOT effectively combat as a security control?

a. Malware with defined indicators of compromise
b. Discovered software bugs
c. Zero-day attacks
d. Known vulnerabilities

A

c. Zero-day attacks

OBJ-3.2: Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, a patch or mitigation is normally available. If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it, as well.

79
Q

Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application?

a. Private key of the file
b. Public key of the file
c. File size and file creation date
d. MD5 or SHA1 hash digest of the file

A

d. MD5 or SHA1 hash digest of the file

OBJ-2.8: Keith should compute a hash of the downloaded file and compare it against the MD5 hash digest listed on the server for this file. The published hash must itself be verifiable so that comparing it against the download confirms that the file’s integrity has not been compromised. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on comparing hash digests. A public or private key would not be assigned solely to a single file, nor do they provide integrity on their own. Public and private keys are used to ensure data confidentiality, whereas a hash digest ensures integrity. The file size and file creation date are additional forms of metadata that could help validate a file’s integrity. Still, they are of a much lower quality and trust factor than using a hash digest. Therefore, MD5 or SHA1 is a better choice.

80
Q

(Sample Simulation – On the real exam for this type of question, you would have to fill in the blanks by dragging and dropping them into place.)

Server in the Data Center with 4 blank spaces to fill

Choices: mantrap, Cable lock, Biometrics, GPS tracking, Proximity badges, FM-200, Remote wipe, Strong password, Antivirus, ECC

Using the image provided, select four security features that you should use to best protect your servers in the data center. This can include physical, logical, or administrative protections.

a. Antivirus, Mantrap, Cable lock, GPS tracking
b. Strong passwords, Biometrics, Mantrap, Cable lock
c. GPS tracking, Biometrics, Proximity badges, Remote wipe
d. FM-200, Biometric locks, Mantrap, Antivirus

A

d. FM-200, Biometric locks, Mantrap, Antivirus

OBJ-2.7: The best option among the choices is FM-200, biometric locks, a mantrap, and antivirus. FM-200 is a clean-agent fire suppression system commonly used in data centers and server rooms because it extinguishes a fire without the water damage a sprinkler system would cause. Biometric locks are often used on the access door to high-security areas, and biometric authentication can also be applied to a server itself through a USB fingerprint reader. A mantrap is often part of a data center's physical security: it creates a controlled boundary between a lower-security area (such as the offices) and the higher-security area (the server room) and admits one person at a time. Antivirus should be installed on servers, since signature-based scanning can check files before they are executed. The other answers mix in controls meant for portable devices (cable locks, GPS tracking, remote wipe), which add little to a rack-mounted server in a controlled room.

81
Q

A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this?

a. utilize formal methods of verification against the application processing the PHI
b. Use DevSecOps to build the application that process the PHI
c. Utilize a SaaS model to process the PHI data instead of an on-premise solution
d. Conduct tokenization of the PHI data before ingesting it into the big data application

A

d. Conduct tokenization of the PHI data before ingesting it into the big data application

OBJ-3.2: The university should tokenize the PHI before ingesting it. In a tokenization approach, all or part of the data in a field is replaced with a randomly generated token, and the token is stored with the original value on a token server or token vault, separate from the production database. This is a deidentification control and is the right fit here because the identifying fields do not need to be retained in the research data set; only the medical data itself is needed, and an authorized query against the vault can still recover an identity if that is ever required.

While DevSecOps can improve the overall security posture of the applications developed for this project, it does not define a specific solution to this problem, making it a less ideal answer choice for the exam.

Formal verification methods could in principle be used to prove that none of the AI/ML techniques that process the PHI could inadvertently leak it. Still, the cost and time associated with these methods make them inappropriate for a research system.

A formal method uses a mathematical model of a system's inputs and outputs to prove that the system works as specified in all cases; manual analysis and testing cannot capture every possible use case in a sufficiently complex system.

Formal methods are mostly used with safety-critical systems such as aircraft flight control software, self-driving car software, and nuclear reactor controls, not big data research projects. The option that recommends a SaaS model is not realistic.

There is unlikely to be a SaaS provider with a product suited to this research; SaaS products tend to be commoditized, cloud-hosted software. The SaaS option is a distractor that invites you to shift responsibility for the PHI from the university to a service provider, but given the research nature of the project this is unlikely to be a valid option in the real world and may not be legally permitted for PHI.
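The tokenization step described above, as an added example (not code from the original page): a small token vault that replaces the identifying fields of a patient record with random tokens before the record is handed to the research pipeline, and can reverse a token for an authorized caller. The field names, the token format and the sample record are assumptions made for illustration.

```python
# Added example (not from the original page): a minimal token vault that
# de-identifies PHI fields before a record is ingested by a research pipeline.
# Field names, the sample record and the token format are assumptions.
import secrets
from typing import Dict, Tuple

# Fields that identify the patient and must not reach the big-data store.
PHI_FIELDS = ("name", "ssn", "mrn")


class TokenVault:
    """Maps random tokens to original values. In a real deployment this store
    runs on a separate, access-controlled server, never beside the research data."""

    def __init__(self) -> None:
        self._forward: Dict[Tuple[str, str], str] = {}   # (field, value) -> token
        self._reverse: Dict[str, str] = {}               # token -> original value

    def tokenize(self, field: str, value: str) -> str:
        # Reuse the token for a repeated value so several records for one
        # patient can still be joined inside the research set.
        key = (field, value)
        if key in self._forward:
            return self._forward[key]
        # The token is random, not derived from the value, so it reveals nothing.
        token = f"tok_{field}_{secrets.token_hex(8)}"
        self._forward[key] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Only a caller with vault access can reverse a token.
        return self._reverse[token]


def deidentify(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the record with every PHI field replaced by a token;
    the medical fields are passed through unchanged."""
    out = dict(record)
    for field in PHI_FIELDS:
        if field in out:
            out[field] = vault.tokenize(field, out[field])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record.
    patient = {"name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
               "hba1c": 7.2, "diagnosis": "E11.9"}
    safe = deidentify(patient, vault)
    print("to research store:", safe)
    print("authorized reversal:", vault.detokenize(safe["ssn"]))
```

Because the vault holds the only link between token and identity, the research store can be shared or breached without exposing PHI; the vault then becomes the asset that needs the strongest access control.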

82
Q

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system?

a. Intrusion Detection System
b. VPN
c. Implement an allow list
d. MAC filtering

A

c. Implement an allow list

OBJ-3.2: By implementing an allow list of the authorized IP addresses for the five vendors, they become the only sources able to reach the web server. This is done with rules in an Access Control List (ACL) that permit the five vendors and deny ALL other sources, so the large volume of requests from other addresses, such as an attacker's, is dropped. Based on the scenario, the system appears to be under some form of denial of service attack. By enforcing the allow list at the network edge and sinkholing traffic from any address not on it, the server is no longer overwhelmed and can respond to legitimate requests. The filter has to sit upstream of the server (an edge router, firewall, or a provider's scrubbing service); an allow list applied only on the web server itself still leaves it absorbing every packet. MAC filtering operates only at layer 2 of the OSI model and cannot be applied to traffic arriving over the internet from your vendors. A VPN is a reasonable way to secure the connection between the vendors and your systems, but it does not address the DoS condition. An intrusion detection system may detect the DoS condition, but an IDS cannot stop it (whereas an IPS could).
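The allow-list logic from this card, as an added example (not code from the original page): inbound requests are matched against the vendors' source networks and everything else is dropped, which is exactly the permit-then-deny-all structure of the edge ACL. The vendor ranges (RFC 5737 and RFC 3849 documentation prefixes) and the access log lines are constructed for illustration.

```python
# Added example (not from the original page): an allow list of vendor source
# networks applied to inbound requests with an implicit deny, the same logic
# an edge ACL enforces. Vendor CIDRs and the request log are constructed.
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed: each of the five vendors supplied its egress range out of band.
VENDOR_ALLOW_LIST: List[Network] = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",      # vendor A
    "198.51.100.16/28",    # vendor B (.16 to .31)
    "192.0.2.200/32",      # vendor C, single NAT address
    "2001:db8:10::/48",    # vendor D, IPv6
    "192.0.2.0/27",        # vendor E (.0 to .31)
)]


def is_allowed(src_ip: str, allow_list: Iterable[Network] = VENDOR_ALLOW_LIST) -> bool:
    """Return True only if the source address falls inside a listed network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False              # unparseable source: treat as denied
    return any(addr in net for net in allow_list)


def filter_requests(log_lines: Iterable[str],
                    allow_list: Iterable[Network] = VENDOR_ALLOW_LIST) -> Tuple[List[str], int]:
    """Split a request log into accepted lines and a count of dropped requests.
    Each line is assumed to start with the client address."""
    allow_list = list(allow_list)
    accepted: List[str] = []
    dropped = 0
    for line in log_lines:
        if not line.strip():
            continue
        src = line.split(maxsplit=1)[0]
        if is_allowed(src, allow_list):
            accepted.append(line)
        else:
            dropped += 1          # implicit deny: unlisted sources are sinkholed
    return accepted, dropped


# Constructed sample of the invoicing server's access log.
SAMPLE_LOG = [
    "203.0.113.10 GET /invoices/1042",
    "192.0.2.77 GET /",
    "198.51.100.20 POST /invoices",
    "198.51.100.40 GET /",
    "2001:db8:10:1::5 GET /invoices",
    "192.0.2.200 GET /invoices/2001",
    "192.0.2.99 GET /wp-login.php",
]

if __name__ == "__main__":
    kept, dropped = filter_requests(SAMPLE_LOG)
    print(f"accepted {len(kept)}, dropped {dropped}")
    for line in kept:
        print("  ", line)
```

The same permit entries translate directly into router or firewall ACL lines with a final deny-any; the point of modelling it is to see that a source one address outside a vendor's block (198.51.100.40 here) is dropped just like the attacker's traffic, so the vendor ranges must be accurate before the rule goes live.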

83
Q

The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant’s security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems?

a. Automated patch deployment
b. Anti-virus software
c. Log consolidation
d. Intrusion prevention system

A

d. Intrusion prevention system

OBJ-2.6: Since this question focuses on the ICS/SCADA network, the best first step is an Intrusion Prevention System. ICS/SCADA devices use a small, well-defined set of commands to control equipment, so strict IPS rules can be written that allow only those known actions and block anything else. Log consolidation is a good idea, but it does not prevent an incident and therefore is not the most critical control to add first. Automated patch deployment should not be used, because ICS/SCADA systems must be tested before any patch is applied; patches often break ICS/SCADA functionality. Antivirus software may not even run on the equipment, since many ICS/SCADA systems do not use standard operating systems such as Windows.
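The "strict IPS rules that allow only known actions" idea, as an added example (not code from the original page). The card names no protocol, so Modbus/TCP is used here as a representative ICS protocol: the inspector parses the 7-byte MBAP header and the function code, then passes only read-only functions addressed to an expected unit and drops everything else, which is the allow-list posture a protocol-aware IPS applies. The frames, the permitted unit id and the read-only function set are constructed assumptions.

```python
# Added example (not from the original page): a protocol-aware allow list of
# the kind a strict ICS IPS rule set enforces, modelled for Modbus/TCP.
# Frames are constructed; the allowed unit id and function set are assumptions.
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Modbus public function codes that only read state:
# 1 Read Coils, 2 Read Discrete Inputs, 3 Read Holding Registers, 4 Read Input Registers.
READ_ONLY_FUNCTIONS: FrozenSet[int] = frozenset({1, 2, 3, 4})
# Unit (slave) ids the HMI is expected to address (assumed).
ALLOWED_UNIT_IDS: FrozenSet[int] = frozenset({1})


@dataclass
class Verdict:
    action: str                  # "pass" or "drop"
    reason: str
    function_code: Optional[int] = None


def inspect_modbus_tcp(frame: bytes,
                       allowed_functions: FrozenSet[int] = READ_ONLY_FUNCTIONS,
                       allowed_units: FrozenSet[int] = ALLOWED_UNIT_IDS) -> Verdict:
    """Parse the MBAP header (transaction id, protocol id, length, unit id)
    and the PDU function code, then allow-list: anything that is not an
    expected read to an expected unit is dropped."""
    if len(frame) < 8:
        return Verdict("drop", "truncated frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return Verdict("drop", f"protocol id {proto} is not Modbus")
    # The MBAP length counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        return Verdict("drop", "length field does not match frame size")
    if unit not in allowed_units:
        return Verdict("drop", f"unit id {unit} not permitted")
    fc = frame[7]
    if fc not in allowed_functions:
        return Verdict("drop", f"function code {fc} not in allow list", fc)
    return Verdict("pass", "read-only function", fc)


# Constructed frames: MBAP header followed by the PDU.
FRAMES: Dict[str, bytes] = {
    "read_holding_regs": bytes.fromhex("00010000000601030000000a"),            # FC 3
    "write_single_reg":  bytes.fromhex("000200000006010600101234"),            # FC 6
    "write_multi_regs":  bytes.fromhex("00030000000b0110001000020400010002"),  # FC 16
    "wrong_unit":        bytes.fromhex("000400000006020300000001"),            # unit 2
    "bad_length":        bytes.fromhex("000600000009010300000001"),            # length lies
    "truncated":         bytes.fromhex("00050000"),
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        v = inspect_modbus_tcp(frame)
        print(f"{name:18} {v.action:4} {v.reason}")
```

An engineering workstation that legitimately writes set points would get its own rule with the write functions (5, 6, 15, 16) permitted from its address only; the default for every other source stays read-only, which is what stops an unexpected host from changing plant state.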

84
Q

Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach?

a. Personally identifiable information
b. Credit card information
c. Trade secret information
d. Protected health information

A

d. Protected health information

OBJ-4.5: Protected health information (PHI) is any information that identifies someone as the subject of medical or insurance records, together with the associated hospital and laboratory test results. This type of data is protected by the Health Insurance Portability and Accountability Act (HIPAA). Its Breach Notification Rule requires notification of the affected individuals and the Secretary of the US Department of Health and Human Services (HHS), and also of the media if more than 500 individuals are affected by a breach. Personally identifiable information (PII) is any data that can be used to identify, contact, or impersonate an individual. Credit card information is protected under the PCI DSS information security standard. Trade secret information is protected by the organization that owns those secrets.

85
Q

What tool can be used to scan a network to perform vulnerability checks and compliance auditing?

a. Metasploit
b. Nmap
c. BeEF
d. Nessus

A

d. Nessus

OBJ-4.1: Nessus is a popular vulnerability scanner. It uses a library of plugins to test hosts on your network for known vulnerabilities and misconfigurations, and it can also perform compliance auditing, such as internal and external PCI DSS audit scans. Nmap is primarily a port and service scanner. The Metasploit Project provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF, the Browser Exploitation Framework, is a penetration testing tool that focuses on the web browser.

86
Q

Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation?

a. Encrypt the source drive to ensure an attacker cannot modify its contents
b. Digitally sign the image file to provide non-repudiation of the collection
c. Create a hash digest of the source drive and the image file to ensure they match
d. Encrypt the image file to ensure it maintains data integrity

A

c. Create a hash digest of the source drive and the image file to ensure they match

OBJ-4.5: The first thing to do after acquiring a forensic disk image is to create a hash digest of the source drive and of the destination image file and confirm that they match. A critical step in presenting evidence is proving that analysis was performed on an image identical to the data on the physical media and that neither data set has been tampered with. The standard way to prove this is a cryptographic hash (fingerprint) of the disk contents and of every derivative image made from it, recorded in the chain-of-custody documentation. When comparing hash values, use the same algorithm that produced the reference value. Encrypting the image file is good practice for confidentiality, but it does not provide integrity the way a hash digest does. Once imaged, the source drive should not be altered or encrypted; any write to it would invalidate the comparison. Digitally signing the image file could serve the function of non-repudiation, but it is an uncommon practice and is not required.
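Both hash checks on this page, the download verification in card 79 and the post-imaging source/image comparison in this card, come down to the same routine, so one added example (not code from the original page) covers both: hash in chunks so a large image is never read into memory at once, compare digests in constant time, and flag MD5 and SHA-1 as collision-weak. The sample bytes and the "published" digests are constructed for illustration.

```python
# Added example (not from the original page): hashing a downloaded file
# against a published digest (card 79) and confirming that a forensic image
# matches its source (card 86). Sample bytes and digests are constructed.
import hashlib
import hmac
import io
from typing import BinaryIO

# MD5 and SHA-1 still catch accidental corruption, but both have practical
# collision attacks, so they should not be the only check on an untrusted file.
COLLISION_WEAK = {"md5", "sha1"}


def hash_stream(stream: BinaryIO, algorithm: str = "sha256",
                chunk_size: int = 1 << 20) -> str:
    """Hash a file or device in chunks so a multi-gigabyte image is not
    loaded into memory at once."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(data: bytes, published_digest: str, algorithm: str) -> bool:
    """Compare the digest of downloaded bytes with the vendor's published value.
    compare_digest avoids leaking how many leading characters matched."""
    actual = hash_stream(io.BytesIO(data), algorithm)
    return hmac.compare_digest(actual, published_digest.strip().lower())


def image_matches_source(source: bytes, image: bytes,
                         algorithm: str = "sha256") -> bool:
    """The post-imaging check: source media and image must hash identically
    under the same algorithm; both values go into the chain-of-custody log."""
    return hmac.compare_digest(hash_stream(io.BytesIO(source), algorithm),
                               hash_stream(io.BytesIO(image), algorithm))


if __name__ == "__main__":
    # Constructed download: the vendor "published" these digests of b"hello".
    blob = b"hello"
    published = {
        "md5": "5d41402abc4b2a76b9719d911017c592",
        "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
    }
    for algo, digest in published.items():
        ok = verify_download(blob, digest, algo)
        warn = " (collision-weak algorithm)" if algo in COLLISION_WEAK else ""
        print(f"{algo}: {'OK' if ok else 'MISMATCH'}{warn}")

    # Constructed "disk": a 3 MiB byte pattern stands in for the source media,
    # so hash_stream has to loop over several chunks.
    disk = bytes(range(256)) * (3 * 4096)
    image = bytes(disk)
    print("image matches source:", image_matches_source(disk, image))
    tampered = image[:-1] + b"\x00"   # one altered byte at the end of the image
    print("tampered image matches:", image_matches_source(disk, tampered))
```

In a real acquisition the two streams are the write-blocked device and the image file rather than byte strings, and the digests are written into the evidence log at the time they are taken; the code path is otherwise the same.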

87
Q

You are reviewing a rule within your organization’s IDS. You see the following output:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt";
flow:to_client,established;
file_data;
content:"recordset"; offset:14; depth:9;
content:".CacheSize"; distance:0; within:100;
pcre:"/CacheSize\s*=\s/";
byte_test:10,>,0x3ffffffe,0,relative,string;
metadata:policy max-detect-ips drop, service http;
reference:cve,2016-8077;
classtype:attempted-user;
sid:65535; rev:1;
)

Based on this rule, which of the following malicious packets would this IDS alert on?

a. Any malicious outbound packets
b. A malicious outbound TCP packet
c. A malicious inbound TCP packet
d. Any malicious inbound packets

A

c. A malicious inbound TCP packet

OBJ-4.3: The rule header, the first line of the rule, alerts only on TCP traffic from $EXTERNAL_NET on $HTTP_PORTS to any port on $HOME_NET, i.e. web server responses arriving at internal clients. The flow option “to_client, established” confirms this: only traffic heading toward the client, on an already established connection, is examined. Therefore this rule alerts on an inbound malicious TCP packet, and only when the packet matches every condition in the rule (both content matches, the PCRE and the byte_test). This is a Snort rule. For the exam you do not need to write your own IDS rules, but you should be able to read one and pick out generic content such as the protocol covered by the signature, the ports analyzed, and the direction of flow.
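Reading the header fields the card says you should be able to pick out, as an added example (not code from the original page): a small parser that extracts action, protocol, addresses, ports and direction from a Snort rule, plus the flow option, and classifies the rule as inbound or outbound relative to $HOME_NET. PAGE_RULE is the rule shown above; OUTBOUND_RULE is a constructed counter-example.

```python
# Added example (not from the original page): parse a Snort rule header and
# its flow option, then decide which direction of traffic the rule watches.
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)

# The rule from the card above.
PAGE_RULE = r"""
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt";
flow:to_client,established;
file_data;
content:"recordset"; offset:14; depth:9;
content:".CacheSize"; distance:0; within:100;
pcre:"/CacheSize\s*=\s/";
byte_test:10,>,0x3ffffffe,0,relative,string;
metadata:policy max-detect-ips drop, service http;
reference:cve,2016-8077;
classtype:attempted-user;
sid:65535; rev:1;
)
"""

# Constructed outbound rule for contrast: internal client to external web server.
OUTBOUND_RULE = r"""
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
msg:"EXAMPLE outbound request"; flow:to_server,established;
content:"GET"; sid:1000001; rev:1;
)
"""


@dataclass
class RuleSummary:
    action: str
    protocol: str
    src: str
    src_port: str
    dst: str
    dst_port: str
    flow: str        # the flow option, e.g. "to_client,established"
    direction: str   # "inbound", "outbound", "bidirectional" or "unknown"


def summarize_rule(rule_text: str) -> RuleSummary:
    """Collapse the rule onto one line, match the header, pull out flow, and
    classify direction by where $HOME_NET sits in the header."""
    text = " ".join(rule_text.split())
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a recognisable Snort rule")
    flow_m = re.search(r"flow:\s*([^;]+);", m["options"])
    flow = flow_m.group(1).replace(" ", "") if flow_m else ""
    if m["dir"] == "<>":
        direction = "bidirectional"
    elif m["dst"] == "$HOME_NET":
        direction = "inbound"       # traffic arriving at the protected network
    elif m["src"] == "$HOME_NET":
        direction = "outbound"
    else:
        direction = "unknown"
    return RuleSummary(m["action"], m["proto"], m["src"], m["sport"],
                       m["dst"], m["dport"], flow, direction)


if __name__ == "__main__":
    for rule in (PAGE_RULE, OUTBOUND_RULE):
        print(summarize_rule(rule))
```

The header alone gives the direction; the flow option is the cross-check. A header written $EXTERNAL_NET -> $HOME_NET with flow:to_server would be a sign the rule author mixed them up, and this parser makes such a mismatch visible at a glance.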

88
Q

Your organization has recently suffered a data breach due to a server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement?

a. Create a new security group
b. Deploy a new group policy
c. Revoke the digital certificate
d. Utilize the key escrow process

A

b. Deploy a new group policy

OBJ-3.7: Group Policy manages Windows systems in a domain environment through Group Policy Objects (GPOs), and pushing a new GPO to 1250 domain-joined workstations is far easier than touching each machine. GPOs carry many credential-related settings, such as password complexity, password history, minimum length, and account lockout thresholds, and a policy update can be used to force a reset of the default administrator account password. One practical note: setting a single shared local administrator password through Group Policy Preferences is no longer supported, because the stored value (cpassword) could be decrypted by any domain user (MS14-025). The current approach is Microsoft LAPS, which is itself deployed through Group Policy and rotates a unique local administrator password on each machine.

89
Q

A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?

a. Ransomware
b. Keylogger
c. Trojan
d. Rootkit

A

c. Trojan

OBJ-1.2: A trojan is malware that looks legitimate but can take control of your computer; it is designed to damage, disrupt, steal, or otherwise harm your data or network. The most common form is a Remote Access Trojan (RAT), which lets an attacker control a workstation or steal information remotely. A trojan commonly spawns additional processes that run in the background, which matches the symptoms here: a slow workstation with many unknown processes right after a download from the internet. Ransomware is malware that denies access to a system or its data until a ransom is paid; it typically spreads through phishing emails or by visiting an infected website, after which the files are encrypted and the decryption key is withheld until payment is received. A rootkit is a clandestine program designed to provide continued privileged access to a computer while actively hiding its presence; it is generally a collection of tools that enables administrator-level access and disguises itself from the operating system and anti-malware tools, so a rootkit would not usually announce itself with visible processes. If a rootkit is suspected, it is best to reformat and reimage the system. A keylogger steals confidential information by recording keystrokes entered into a web browser or other application; a software keylogger runs in the background on the victim's computer, while a hardware keylogger sits between the USB port and a wired keyboard.

90
Q

What control provides the best protection against both SQL injection and cross-site scripting attacks?

a. Hypervisor
b. Input validation
c. Network layer firewall
d. CSRF

A

b. Input validation

OBJ-1.3: Input validation rejects data that does not match the format the application expects before the application uses it, and it is a strong control against both SQL injection and cross-site scripting. In practice it is combined with parameterized queries (against SQL injection) and output encoding (against XSS), which neutralize whatever does get through. A network layer firewall prevents unauthorized access to the network by permitting or blocking traffic based on IP address, port, and protocol; it does not inspect the contents of an HTTP request, so it cannot tell a malicious query parameter from a legitimate one. Cross-site request forgery (CSRF) is another attack type, not a control. A hypervisor isolates virtual machines from one another and has nothing to do with web input handling.
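The two attacks from this card side by side with the control, as an added example (not code from the original page): the same user lookup and the same page fragment written without and with protection. Allow-list input validation is paired with a parameterized query against SQL injection and with HTML output encoding against XSS. The table, the rows and the payloads are constructed for illustration.

```python
# Added example (not from the original page): vulnerable and hardened versions
# of a user lookup (SQL injection) and a greeting fragment (XSS).
# Table, rows and attack payloads are constructed.
import html
import re
import sqlite3
from typing import List, Tuple

# Allow list for usernames: letters, digits, dot, underscore, hyphen; 1 to 32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def validate_username(value: str) -> str:
    """Reject anything outside the expected character set before it is used."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError(f"invalid username: {value!r}")
    return value


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str]]:
    # Vulnerable: user input is spliced into the SQL text, so a quote in the
    # input changes the structure of the query.
    query = f"SELECT email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> List[Tuple[str]]:
    # Hardened: validate first, then bind the value as a parameter so the
    # database never interprets it as SQL.
    validate_username(username)
    return conn.execute("SELECT email FROM users WHERE username = ?",
                        (username,)).fetchall()


def greeting_vulnerable(display_name: str) -> str:
    # Vulnerable: untrusted text is placed into HTML unchanged.
    return f"<p>Hello, {display_name}</p>"


def greeting_hardened(display_name: str) -> str:
    # Hardened: encode for the HTML context so tags and quotes are inert.
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(db, payload))   # every user's email
    try:
        lookup_hardened(db, payload)
    except ValueError as exc:
        print("hardened lookup rejected:", exc)
    print("hardened lookup:", lookup_hardened(db, "alice"))
    xss = "<script>alert(1)</script>"
    print(greeting_vulnerable(xss))
    print(greeting_hardened(xss))
```

Validation is the first gate, but it is the parameter binding and the encoding that hold if a field legitimately has to accept quotes or angle brackets, which is why all three are usually deployed together.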