Random Questions 1 - 10 Flashcards

1
Q

A business has received a small grant to transition its infrastructure to an external solution. Which of the following considerations should be prioritized first?

A. Security of cloud providers
B. Cost of implementation
C. Ability of engineers
D. Security of architecture

A

D. Security of architecture

2
Q

The marketing department independently implemented project management software without notifying the relevant departments (IT). What term best describes this action?

A. Shadow IT
B. Insider threat
C. Data exfiltration
D. Service disruption

A

A. Shadow IT

3
Q

A user attempts to apply a critical patch, but the patch transfer fails. Which access control is most likely blocking the transfer?

A. Attribute-based
B. Time of day
C. Role-based
D. Least privilege

A

D. Least privilege

4
Q

What tool can help detect if an employee has mistakenly sent an email with a file containing a customer’s personally identifiable information (PII)?

A. SCAP
B. NetFlow
C. Antivirus
D. DLP

A

D. DLP

DLP stands for Data Loss Prevention, which is a tool that can assist with detecting and preventing the unauthorized transmission or leakage of sensitive data, such as a customer’s PII (Personally Identifiable Information). DLP can monitor, filter, and block data in motion (such as emails), data at rest (such as files), and data in use (such as applications). DLP can also alert the sender, the recipient, or the administrator of the data breach, and apply remediation actions, such as encryption, quarantine, or deletion. DLP can help an organization comply with data protection regulations, such as GDPR, HIPAA, or PCI DSS, and protect its reputation and assets.

5
Q

A security analyst has been informed by the cyber operations team about a new method attackers are using to breach networks. SIEM alerts have not been configured yet. What should the analyst do to detect this activity?

A. Digital forensics
B. E-discovery
C. Incident response
D. Threat hunting

A

D. Threat hunting

6
Q

Which of the following threat actors is the most likely to be hired by a foreign government to attack critical systems located in other countries?

A. Hacktivist
B. Whistleblower
C. Organized crime
D. Unskilled attacker

A

C. Organized crime.

Organized crime groups are often well-funded, highly skilled, and capable of carrying out sophisticated cyberattacks, including those targeting critical infrastructure. Governments might collaborate with or hire these groups for cyber espionage, sabotage, or other malicious activities aimed at destabilizing or compromising another nation’s critical systems.

7
Q

Which of the following is used to add extra complexity before using a one-way data transformation algorithm?

A. Key stretching
B. Data masking
C. Steganography
D. Salting

A

D. Salting

Salting involves adding random data to the input of a one-way hash function to ensure that the same input will produce different hash values, thus making it more difficult for attackers to use precomputed hash tables (rainbow tables) to reverse engineer the original input.

8
Q

An employee clicked a link in an email from a payment website that asked the employee to update contact information. The employee entered the log-in information but received a “page not found” error message. Which of the following types of social engineering attacks occurred?

A. Brand impersonation
B. Pretexting
C. Typosquatting
D. Phishing

A

D. Phishing.

Phishing is a type of social engineering attack that involves sending fraudulent emails that appear to be from legitimate sources, such as payment websites, banks, or other trusted entities. The goal of phishing is to trick the recipients into clicking on malicious links, opening malicious attachments, or providing sensitive information, such as log-in credentials, personal data, or financial details. In this scenario, the employee received an email from a payment website that asked the employee to update contact information. The email contained a link that directed the employee to a fake website that mimicked the appearance of the real one. The employee entered the log-in information but received a “page not found” error message. This indicates that the employee fell victim to a phishing attack, and the attacker may have captured the employee’s credentials for the payment website.

9
Q

An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal?

A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53

B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53

D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53

A

Selected Answer: D
Permit 10.50.10.25/32 0.0.0.0/0 port 53: This rule allows outbound DNS requests from the device with the IP address 10.50.10.25.

Deny 0.0.0.0/0 0.0.0.0/0 port 53: This rule denies all other outbound DNS requests from any other devices on any IP address.

10
Q

A data administrator is configuring authentication for a SaaS application and would like to reduce the number of credentials employees need to maintain. The company prefers to use domain credentials to access new SaaS applications. Which of the following methods would allow this functionality?

A. SSO
B. LEAP
C. MFA
D. PEAP

A

Selected Answer: A. SSO (Single Sign-On)

Single Sign-On (SSO) enables users to authenticate once with their domain credentials and then access multiple applications without needing to re-enter their credentials each time. This aligns with the company’s preference to use domain credentials and reduces the burden of managing multiple sets of credentials for different applications.

Protected Extensible Authentication Protocol (PEAP) is a security protocol that protects wireless and wired networks. It’s used to authenticate clients, such as laptops and mobile devices, to a network server or access point.

11
Q

Which of the following scenarios describes a possible business email compromise attack?

A. An employee receives a gift card request in an email that has an executive’s name in the display field of the email.

B. Employees who open an email attachment receive messages demanding payment to access files.

C. A service desk employee receives an email from the HR director asking for log-in credentials to a cloud administrator account.

D. An employee receives an email with a link to a phishing site that is designed to look like the company’s email portal.

A

**Answer: A**

A. This scenario describes a Business Email Compromise (BEC) attack, which is a type of phishing attack that relies on social engineering. In a BEC attack, attackers impersonate a trusted individual (often an executive) and use their name or email address to request sensitive information, payments, or, as in this case, gift cards. These attacks often rely on urgency and authority to trick employees into acting without verifying the request.

C. A service desk employee receives an email from the HR director asking for log-in credentials to a cloud administrator account. –> Credential Harvesting

12
Q

What is the objective of conducting a network security assessment?

A: To monitor network activity
B: To prevent data breaches
C: To identify vulnerabilities and weaknesses in the network
D: To improve network speed

A

**Answer: C: To identify vulnerabilities and weaknesses in the network**

13
Q

Bob calculated a unique identifier for three separate log files on his computer. Each file contains entries from distinct days. What function did Bob likely use?

A: Use of a secure hash function
B: Collision
C: Syntax error
D: Decryption

A

**Answer: A: Use of a secure hash function**

14
Q

What are the benefits of DomainKeys Identified Mail (DKIM) in improving email security?

A: By storing emails on a gateway
B: By filtering DNS requests
C: By blocking or allowing access to specific websites
D: By providing a digital signature to authenticate email content and its sender

A

**Answer: D: By providing a digital signature to authenticate email content and its sender**

15
Q

What term describes the new technique recently implemented by Steve’s company to secure remote access for BYOD mobile device users, where users connect to corporate systems through a dedicated application with no corporate data accessible outside of it?

A: Full device encryption
B: Storage segmentation
C: Sideloading
D: Containerization

A

**Answer: D: Containerization**

Sideloading is the process of installing software from an unapproved source, which can be risky. Sideloaded apps can contain malware, adware, spyware, and other threats.

Containerization security is the practice of protecting containers and their applications from threats and risks. It involves implementing security policies and tools throughout the container’s lifecycle.

16
Q

Bob is investigating an incident and wants the records of attempted connections to an RDP server. Which logs are unlikely to have this information?

A: Database logs
B: System logs
C: Netflow logs
D: Security logs

A

**Answer: A: Database logs**

17
Q

If a company replaces a user’s Social Security Number with a random string of characters for processing, but retains a secure mapping to the original number, which method are they using?

A: Tokenization
B: Hashing
C: Masking
D: Encryption

A

**Answer: A: Tokenization**

18
Q

What aspect of security does the Metasploit Framework primarily concentrate on?

A: Network mapping
B: Exploiting discovered vulnerabilities
C: Vulnerability scanning
D: Post-compromise analysis

A

**Answer: B: Exploiting discovered vulnerabilities**

The Metasploit framework is a very powerful tool that can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. Because it’s an open-source framework, it can be easily customized and used with most operating systems.

19
Q

When an administrator adjusts hashed passwords to include randomization, ensuring that identical inputs lead to varied outputs, what term applies to this modification?

A: Key stretching
B: Salting
C: IPSec
D: Hashing

A

**Answer: B: Salting**

Salting: Adds random data to passwords before hashing, making them harder to crack using methods like rainbow tables. Unique Functions: Encryption secures data, hashing ensures integrity, and salting makes password protection stronger.

20
Q

Bob has observed irregular spikes in network activity, including an elevated number of outbound DNS query responses with notably larger sizes than the queries. What type of attack should Bob suspect?

A: Pass-the-hash
B: Cross-site scripting
C: Amplification
D: DNS poisoning

A

**Answer: C: Amplification**

Amplification in security refers to a cyberattack where an attacker sends a large request and receives an oversized response. This can be used to launch a Distributed Denial of Service (DDoS) attack.

21
Q

Which aspect of risk management is highlighted when a company harmonizes its security policies with industry standards, laws, and regulations?

A: Risk Mitigation
B: Security Controls
C: Risk Transference
D: Compliance Enactment

A

**Answer: D: Compliance Enactment**

“Compliance enactment” in security refers to the process of actively implementing and following security measures that adhere to established regulations, industry standards, and internal policies, ensuring an organization takes concrete steps to protect sensitive data and systems by meeting all necessary compliance requirements; essentially, it means putting security rules into practice to avoid violations and maintain a secure environment.

22
Q

Among the choices provided, which one illustrates a reactive measure in incident response?

A: Implementing intrusion detection systems
B: Regularly patching software and systems
C: Conducting security awareness training for employees
D: Investigating and containing a security incident

A

**Answer: D: Investigating and containing a security incident**

23
Q

What is the recommended approach for resolving the problem when employees within the network segment covered by a new firewall experience connectivity problems because the firewall has not been configured?

A: The firewall should be configured with access lists to allow inbound and outbound traffic.
B: The firewall should be configured to include an explicit deny rule.
C: The firewall should be configured with port security to allow traffic.
D: The firewall should be configured to prevent user traffic from matching the implicit deny rule

A

**Answer: D: The firewall should be configured to prevent user traffic from matching the implicit deny rule.**

24
Q

When an attacker gains access to the victim’s local network, which technique is typically employed to facilitate a man-in-the-middle attack?

A: Buffer overflow
B: ARP spoofing
C: Cross-site scripting
D: Directory traversal

A

**Answer: B: ARP spoofing**

A man-in-the-middle (MITM) attack is a cyberattack where a hacker inserts themselves between two parties to intercept their communications. The attacker can then steal data or manipulate the conversation.

ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network.

25
Q

When developing a cloud-based web architecture, Bob aims to achieve the highest level of fault tolerance within the constraints of a single IaaS vendor. Which solution would be most suitable for him?

A: Creating redundant web servers in different availability zones
B: Creating redundant web servers in different regions
C: Creating redundant web servers across multiple vendors
D: Creating redundant web servers in the same availability zone

A

**Answer: B: Creating redundant web servers in different regions**

26
Q

When educating a team about Advanced Persistent Threats (APTs), what distinguishes them from typical pirates or hackers?

A: Lack of organizational backing
B: External forces with low resources
C: Reliance on basic tools
D: Prolonged, sophisticated, and stealthy attacks

A

**Answer: D: Prolonged, sophisticated, and stealthy attacks**

An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged period of time.

27
Q

Which activity is typically not part of the post-change routine in change management practices?

A: Updating diagrams
B: Updating policies
C: Updating procedures
D: Updating contracts

A

**Answer: D: Updating contracts**

28
Q

When considering mobile solutions, what is a frequent utilization scenario for cellular connection methods?

A: Providing internet access in areas without Wi-Fi
B: Short-range device pairing
C: Connecting to local area networks (LANs)
D: Connecting to wired networks

A

**Answer: A: Providing internet access in areas without Wi-Fi**

29
Q

What are the security benefits of implementing the Trusted Platform Module (TPM) within an organization?

A: TPM ensures continuous monitoring
B: TPM controls access to network resources
C: TPM is a type of antivirus software
D: TPM helps in data encryption and key storage

A

**Answer: A**

A Trusted Platform Module (TPM) is a specialized chip on your computer’s motherboard designed to enhance security by securely storing cryptographic keys used for encryption and decryption.

30
Q

Which standard must be adhered to for the retention of payment information used for monthly charges in the customer profiles of a web-based manufacturing company?

A: GDPR
B: PCI DSS
C: CSA CCM
D: ISO 27001

A

**Answer: B: PCI DSS**

31
Q

Malware that restricts access to a computer system by encrypting files or locking the entire system down until the user performs the requested action is called:

Grayware
Adware
Ransomware
Spyware

A

**Answer: Ransomware**

32
Q

A Trojan horse is a type of software that performs harmful actions under the guise of a legitimate and useful program. The most characteristic feature of a Trojan horse is that while it may function as a legitimate program and possess all the expected functionalities, it also contains a concealed portion of malicious code that the user is unaware of.

True
False

A

**Answer: True**

33
Q

Which type of Trojan enables unauthorized remote access to a compromised system?

APT
RAT
MaaS
PUP

A

**Answer: A**

34
Q

A standalone malicious computer program that typically propagates itself over a computer network to adversely affect system resources and network bandwidth is referred to as:

Worm
Fileless virus
Bot
Logic bomb

A

**Answer: Worm**

A worm is a type of malware that spreads across networks by replicating itself. Worms can be harmful because they use up system resources, corrupt files, and steal information.

35
Q

Malicious software collecting information about users without their knowledge/consent is known as:

Cryptomalware
Adware
Ransomware
Spyware

A

**Answer: Spyware**

Spyware is a type of malware that secretly collects information from a device to harm the user. It can compromise a user’s privacy, security, and finances.

36
Q

Which of the answers listed below refer to the characteristic features of bloatware? (Select 3 answers)

a. Pre-installed on a device by the device manufacturer or retailer
b. Generally considered undesirable due to negative impact on system performance
c. Installed without user consent
d. Can be pre-installed, downloaded, or bundled with other software
e. Generally considered undesirable due to negative impact on system performance, privacy, and security

A

**Answer: a, b, c**

Bloatware can expose users to cybersecurity risks by introducing vulnerabilities that hackers or malware can exploit. Bloatware is unwanted software that comes pre-installed on devices or is downloaded from websites.

Examples of bloatware include trial versions of antivirus programs, unnecessary system utilities, promotional software, adware, and browser extensions.

37
Q

Which of the following answers refer to the characteristics of a PUP? (Select 3 answers)

a. Often installed without clear user consent
b. Can be pre-installed, downloaded, or bundled with other software
c. Generally considered undesirable due to negative impact on system performance, privacy, and security
d. Pre-installed on a device by the device manufacturer or retailer
e. Generally considered undesirable due to negative impact on system performance

A

**Answer: a, b, c**

PUP stands for a potentially unwanted program, which is software that a user might not want. PUPs are often bundled with other software downloads and can include adware and spyware.

38
Q

Which of the statements listed below apply to the definition of a computer virus? (Select 3 answers)

a. A self-replicating computer program containing a malicious segment.
b. Malware that typically requires its host application to be run to make the virus active.
c. A standalone malicious computer program that replicates itself over a computer network
d. Malware that can run by itself without any interaction
e. Malicious code that typically attaches itself to an application program or other executable component
f. A self-contained malicious program or code that does need a host to propagate itself

A

**Answer: a, b, e**

39
Q

Which of the following is an example of spyware?

Keylogger
Vulnerability scanner
Computer worm
Packet sniffer

A

**Answer: Keylogger**

A keylogger is a form of malware or hardware that keeps track of and records your keystrokes as you type. It takes the information and sends it to a hacker using a command-and-control (C&C) server.
It is a program that logs the keystrokes that a user makes on a computer. They can be used for both legitimate and malicious purposes. However, in most cases, keyloggers are malware deployed by cybercriminals on an infected computer.

40
Q

Malicious code activated by a specific event is called:

Cryptomalware
Backdoor
Rootkit
Logic bomb

A

**Answer: Logic bomb**

A logic bomb is a malicious program that’s hidden in software or systems to cause damage when a trigger condition is met. Logic bombs are a type of cyber attack that can be used by malicious insiders or external attackers.

A logic bomb is a type of malicious code embedded in software that remains dormant until specific conditions are met. When triggered, a logic bomb virus executes a destructive action, such as deleting files or disrupting critical systems.

41
Q

Which of the following answers refers to a collection of software tools used by a hacker to mask intrusion and obtain administrator-level access to a computer or computer network?

Rootkit
Spyware
Backdoor
Trojan

A

**Answer: Rootkit**

A rootkit is a type of malware that allows cybercriminals to gain access to a computer without being detected. Rootkits are difficult to detect and remove.

A common rootkit definition is a type of malware program that enables cyber criminals to gain access to and infiltrate data from machines without being detected. It covers software toolboxes designed to infect computers, give the attacker a remote control, and remain hidden for a long time.

42
Q

During a security audit, an analyst discovers that despite having standard security controls, sensitive data was exfiltrated. Upon investigation, it was found that an attacker used a file that appeared legitimate but contained a beacon to track access. Which deception technology was likely deployed by the attacker, and what’s the MOST appropriate countermeasure?
Options:

A. Honeytoken; Implement file integrity monitoring
B. Honeypot; Deploy network segmentation
C. Honeyfile; Enable enhanced logging
D. Honeynet; Increase IDS sensitivity

A

**Correct Answer: A**

Explanation: A honeytoken is a tracked digital entity (like a file) that detects unauthorized access. The scenario describes a honeytoken being used maliciously. File integrity monitoring would detect modifications and access to such files, making it the most effective countermeasure.

**Honeytoken Scenarios**
File Integrity Monitoring
– Monitors and alerts on file changes

Malicious Modification
– Identifies unauthorized changes to digital files

Unauthorized Access
– Detects unauthorized access to digital entities

43
Q

Your organization is implementing a new cloud-based security information and event management (SIEM) system. Which two of the following configurations would best align with both zero trust principles and effective security monitoring? (Choose two)

```yaml
siem_config:
  data_ingestion:
    sources: ["network_logs", "application_logs", "auth_logs"]
  authentication:
    method: "multi_factor"
  access_control:
    model: "least_privilege"
  encryption:
    data_at_rest: "AES-256"
    data_in_transit: "TLS 1.3"
  alert_mechanism:
    type: "real-time"
```
Options:

A. data_ingestion sources and real_time alert mechanism
B. multi_factor authentication and least_privilege access control
C. AES-256 encryption for data at rest and TLS 1.3 for data in transit
D. network_logs as the sole data source and periodic alert mechanism
E. single_factor authentication and role-based access control

44
Q

A security analyst is investigating a potential data breach. The analyst discovers the following log entry:

```yaml
- timestamp: "2023-11-15T14:30:22Z"
  source_ip: "192.168.1.100"
  destination_ip: "203.0.113.50"
  protocol: "TCP"
  destination_port: 22
  payload_size: 1024000
```

What type of attack does this log entry most likely indicate?
A. SQL injection
B. Cross-site scripting (XSS)
C. Data exfiltration
D. Denial of Service (DoS)

A

**Correct Answer: C**

Explanation: The log shows a large payload (1MB) being sent to an external IP over port 22 (SSH), indicating likely data exfiltration.

Data Exfiltration

Methods
- Malware
- Phishing
- Insider Threats

Prevention
- Encryption
- Access Controls
- Employee Training

Risks
- Data Breaches
- Financial Loss
- Reputation Damage

45
Q

An organization is implementing a new cloud-based Identity and Access Management (IAM) solution. Which two of the following should be included in the implementation plan? (Choose two.)

A. Configure multi-factor authentication for all user accounts
B. Implement a single sign-on (SSO) solution for all cloud services
C. Disable all legacy authentication protocols
D. Create separate admin accounts for each cloud service
E. Implement a password rotation policy of 30 days for all accounts

A

**Correct Answer: A, B**

Explanation: Multi-factor authentication (A) and single sign-on (B) are crucial for secure and efficient IAM in cloud environments. They enhance security while improving user experience.

**Enhancing IAM Security and Efficiency**

Single Sign-On
- Streamlines access by allowing users to log in once for multiple services

Multi-Factor Authentication
- Adds an extra layer of security by requiring multiple forms of verification

46
Q

A company wants to implement a secure file transfer protocol between its internal servers and remote offices while ensuring data confidentiality and integrity. Which of the following protocols should be used?

```json
{
  "protocol": [
    {
      "name": "SFP",
      "description": "Secure File Transfer Protocol"
    },
    {
      "name": "FTP",
      "description": "File Transfer Protocol"
    }
  ]
}
```
Options:

A. SFTP.
B. FTP.
C. SCP.
D. HTTPS.
E. SMTP.

A

Correct Answer: A

Explanation: SFTP uses SSH for secure file transfers, ensuring both confidentiality and integrity of data.

SFTP and SSH: Ensuring Data Security

SFTP

SSH
- Encryption
- Authentication

Data Security
- Confidentiality
- Integrity

47
Q

Your organization is transitioning to a Zero Trust Architecture. You need to configure access control policies to ensure that only authorized users can access sensitive resources.

```json
{
  "access_control": {
    "application_id": "app1",
    "permissions": [
      {"user_role": "admin", "allowed_actions": ["read", "write"]},
      {"user_role": "viewer", "allowed_actions": ["read"]}
    ]
  }
}
```
Options:

A. Assign admin role to all users.
B. Restrict access based on user roles and necessary permissions.
C. Allow read/write actions for everyone.
D. Grant write-only permissions to users who need them.
E. Remove all permissions and re-evaluate every request.

A

**Correct Answer: B, D**

Explanation: Least privilege requires granting only the minimum necessary permissions; the admin role should have both read and write access while viewers should have only read access. Write-only permissions can be granted as needed but must align with the principle of least privilege.

**Implementing Least Privilege Access**

Role-Based Access
– Assign permissions based on roles

Admin Permissions
– Grant necessary admin access

Viewer Restrictions
– Limit access to read-only

Write-Only Permissions
– Provide specific write access

48
Q

You are tasked with configuring a network to ensure that sensitive data is protected from unauthorized access using IPsec tunnels. Which of the following steps should you take?

```yaml
tunnel_config:
  - protocol: ESP
    encryption: AES-256-CBC
    authentication: SHA384
```

Options:

A. Use TCP as the transport protocol.
B. Configure ESP with AES-128-CBC for encryption.
C. Use UDP as the transport protocol.
D. Configure ESP with AES-256-CBC and SHA384 for authentication.
E. Disable IPsec to allow free communication.

A

Correct Answer: D

Explanation: Using ESP (Encapsulating Security Payload) with AES-256-CBC encryption and SHA384 for authentication ensures secure data transfer over the IPsec tunnel.

Securing IPsec Tunnels with AES-256-CBC and SHA384

AES-256-CBC Encryption
Provides robust encryption to protect data confidentiality.

SHA384 Authentication
Ensures data integrity and authenticity through secure hashing.

49
Q

You are configuring a network security policy for a hybrid cloud environment that requires strict data governance and compliance adherence. You need to ensure that all communications between on-premises resources and cloud services use secure channels.

```json
{
  "security_policy": {
    "cloud_provider": "AWS",
    "encryption_method": "TLS1.2",
    "communication_type": ["data_transfer", "API_calls"]
  }
}
```
Options:

A. Use TLS1.0 for on-premises to cloud communications.
B. Enable data transfer and API calls encryption.
C. Configure no specific security measures.
D. Limit cloud provider to a single vendor only.
E. Disable all network traffic between on-premises and cloud.

A

**Correct Answer: B**

Explanation: Using TLS1.2 ensures secure communication, and enabling both data transfer and API calls encryption is necessary for compliance.

Ensuring Compliance with Secure Data Transfer and API Encryption

TLS 1.2 Protocol
– Provides a robust framework for secure communications through its encryption standards.

API Calls Encryption
– Secures individual API calls to maintain confidentiality and integrity of data exchanges.

Data Transfer Encryption
– Ensures that all data moving between systems is securely encrypted to prevent unauthorized access.

50
Q

Your organization wants to implement a password policy that aligns with industry best practices to enhance account security. Which of the following steps should be included in your policy?

```json
{
  "password_policy": {
    "min_length": 12,
    "require_special_characters": true,
    "expire_after_days": 90
  }
}
```

Options:
A. Set minimum password length to 8 characters.
B. Require special characters in passwords.
C. Disable password expiration for all users.
D. Allow passwords to contain common words only.
E. Enforce a 12-character minimum length.

A

**Correct Answer: B, E**

Explanation: Requiring special characters and setting a minimum password length of 12 characters are key components of strong password policies.

Components of Strong Password Policies

Minimum Length
- Ensuring passwords are long enough to resist attacks

Special Characters
- The inclusion of symbols to enhance password complexity

51
Q

You need to configure network security settings for an organization’s remote access solution to ensure that all user sessions are encrypted and secure. Which of the following actions should you take?

{
"remote_access": {
"encryption_protocol": "TLS1.3",
"authentication_method": ["two_factor_auth", "certificates"]
}
}

Options:
A. Use TLS1.2 for encryption.
B. Enable two-factor authentication and certificate-based login.
C. Disable all remote access sessions.
D. Allow clear-text password transmission.
E. Configure a single-factor authentication method.

A

** Correct Answer: B **
Explanation: Using TLS1.3 for encryption and enabling both two-factor authentication and certificates provide robust security for remote access sessions.

** Remote Access Security Hierarchy **

Certificate-Based Login
– Uses digital certificates for secure access

Two-Factor Authentication
– Adds an extra layer of identity verification

Encryption Protocol
– TLS1.3 ensures secure data transmission

52
Q

You are tasked with securing a hybrid cloud environment that involves both on-premises infrastructure and AWS services. You need to ensure secure data transfer between these environments while adhering to compliance requirements.

{
"security_policy": {
"cloud_provider": "AWS",
"data_transfer_encryption": true,
"compliance_standards": ["PCI-DSS", "GDPR"]
}
}

Options:
A. Disable data transfer encryption.
B. Enable data transfer encryption using TLS1.2.
C. Exclude compliance standards for simplicity.
D. Use only AWS services without on-premises integration.
E. Implement no security measures.

A

** Correct Answer: B **

Explanation: Enabling data transfer encryption with TLS 1.2 or newer secures the channel between the on-premises systems and AWS and satisfies the encryption-in-transit requirements of PCI DSS and the "appropriate technical measures" expected under GDPR Article 32. The other options weaken the design: A and E remove protection outright, C drops the compliance requirements the scenario is built around, and D avoids the hybrid architecture instead of securing it.

Choose the best data security strategy for compliance and security.

Enable TLS 1.2
– Ensures secure communication in transit

No Security Measures
– Not advisable; fails both compliance standards
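The three hybrid-cloud and remote-access cards above all come down to the same configuration decision: refuse the deprecated protocol versions and let the handshake fail rather than downgrade. The block below is an added example (not part of the original cards) showing how that is expressed on a Python client with the standard ssl module. Assumptions, mine: the on-premises side initiates the connection, the system trust store is acceptable for server authentication, and the remote-access profile wants TLS 1.3 only as the card's snippet specifies.

```python
import ssl


def hardened_client_context(minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Return a client context that negotiates only `minimum` or newer.

    TLS 1.0 and 1.1 are deprecated (RFC 8996). Setting minimum_version makes a
    peer that offers only those versions fail the handshake instead of being
    silently accepted.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = minimum
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # create_default_context already turns these on; restating them means a
    # later edit cannot quietly remove server authentication.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def remote_access_context() -> ssl.SSLContext:
    """Stricter profile for the remote-access card: TLS 1.3 only."""
    return hardened_client_context(ssl.TLSVersion.TLSv1_3)


def accepted_versions(ctx: ssl.SSLContext) -> list:
    """Protocol versions this context would agree to, oldest first (for review/audit)."""
    order = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
             ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    return [v.name for v in order if ctx.minimum_version <= v <= ctx.maximum_version]


if __name__ == "__main__":
    print("hybrid-cloud profile:", accepted_versions(hardened_client_context()))
    print("remote-access profile:", accepted_versions(remote_access_context()))
```

The `accepted_versions` helper is what you would run in a configuration review: it turns the context into a list you can compare against the policy document instead of trusting that the right flag was set.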

53
Q

Your organization needs to implement a strong password policy that aligns with industry best practices. Which of the following steps should be included in your policy?

{
"password_policy": {
"min_length": 12,
"require_special_characters": true,
"expire_after_days": 90
}
}

Options:
A. Set minimum password length to 8 characters.
B. Require special characters in passwords.
C. Disable password expiration for all users.
D. Allow common words and easily guessable phrases.
E. Enforce a 12-character minimum length.

A

** Correct Answer: B, E **

Explanation: Requiring special characters and setting a minimum password length of 12 characters are key components of strong password policies.

Strengthening Password Security

Minimum Length Enforcement
– Passwords of at least 12 characters

Special Character Requirement
– Symbols included to increase complexity
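The two password-policy cards (this one and the earlier one with the same snippet) list the rules but not how they interact with option D, the common-word problem. The block below is an added example, not from the cards, of a validator that enforces the snippet's length and special-character rules and also screens the normalised password against a blocklist, so that "Welcome2024!" does not pass just because it is 12 characters with a symbol. The blocklist here is a constructed stand-in; a real deployment would use a breached-password corpus.

```python
import string

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "welcome", "qwerty", "letmein", "summer"}


def normalise(candidate: str) -> str:
    """Strip the trailing digits and symbols people bolt onto dictionary words."""
    return candidate.lower().rstrip(string.digits + string.punctuation)


def check_password(candidate: str, min_length: int = 12, require_special: bool = True) -> list:
    """Return the policy violations for a candidate (an empty list means accepted)."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if require_special and not any(ch in string.punctuation for ch in candidate):
        problems.append("no special character")
    # Option D's failure mode: length plus a symbol do not help when the core
    # of the password is a common word, so screen the normalised form as well.
    if candidate.lower() in COMMON_PASSWORDS or normalise(candidate) in COMMON_PASSWORDS:
        problems.append("based on a common or breached password")
    return problems


if __name__ == "__main__":
    for pw in ("c0rrect-horse-battery!", "Tr0ub4dor&3", "Welcome2024!", "Password"):
        print(repr(pw), check_password(pw) or "OK")
```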
54
Q

You are setting up a firewall rule to protect sensitive data from unauthorized access in a multi-tenant environment.

Which of the following rules should you implement?
{
"firewall_rules": {
"protocol": "TCP",
"source_ip_range": ["192.168.0.0/24"],
"destination_ip_range": ["172.31.0.0/16"],
"port_range": [80, 443]
}
}
Options:

A. Allow all IP ranges and protocols.
B. Block all traffic to the destination range.
C. Permit TCP protocol from a specific source IP range to a specific destination range on certain ports.
D. Disable firewall rules for simplicity.
E. Apply random port ranges.

A

** Correct Answer: C **

Explanation: Permitting TCP traffic from a specific source IP range to a specific destination range on specific ports is the correct approach for securing sensitive data.

TCP Traffic Security Strategy
TCP Protocol
– Establishes communication standards

Source IP Range
– Identifies the origin of data traffic

Destination IP Range
– Defines endpoint for data traffic

Specific Ports
– Designates particular channels for communication

Secure Data Transmission
– Ensures the protection of sensitive information

55
Q

A company is migrating its critical applications to a cloud environment and needs to ensure high availability and disaster recovery. Which two strategies should be implemented?

Options:

A. Implementing cold storage for backups.
B. Utilizing multi-region deployments.
C. Configuring load balancers with health checks.
D. Enforcing strict access controls using IAM policies.
E. Deploying a single cloud instance for

A

** Correct Answer: B, C **

Explanation: Multi-region deployments ensure high availability and disaster recovery by distributing resources across multiple geographic locations. Load balancers with health checks help maintain service continuity and monitor application health.

** Enhancing System Resilience **
Multi-Region Deployments
– Distributes resources across locations for redundancy

Load Balancers with Health Checks
– Ensures service continuity and application monitoring

56
Q

An organization is facing frequent security incidents due to misconfigured network devices. Which two configuration steps should be prioritized to enhance network security?

Options:
A. Disabling unnecessary services on servers.
B. Regularly updating firmware and software on devices.
C. Configuring default deny firewall rules.
D. Implementing strong password policies for end-users.
E. Conducting bi-weekly security audits.

A

** Correct Answer: B, C **

Explanation: Regularly updating firmware and software ensures that network devices are protected against known vulnerabilities. Default deny firewall rules help prevent unauthorized access by blocking all traffic not explicitly allowed.

Update Firmware/Software
– Protects against known vulnerabilities

Configure Firewall Rules
– Prevents unauthorized access

57
Q

A security analyst is investigating multiple failed authentication attempts across different systems. The following pattern is observed in the logs:

```json
{
"auth_type": "basic",
"attempts": ["admin", "root", "system"],
"timing": "0.5s_interval",
"source_ips": ["rotating"]
}
```

Which TWO of the following controls would be MOST effective in mitigating this attack? (Choose TWO)

Options:
A. Implement account lockout after three failed attempts
B. Enable password complexity requirements
C. Deploy adaptive multi-factor authentication
D. Configure SSL certificate validation
E. Enable verbose logging on all systems

A

** Correct Answer: A, C **

Explanation: The pattern shows automated password guessing against well-known privileged accounts (admin, root, system) at a fixed 0.5-second cadence from rotating source addresses, which means per-IP blocking will not catch it. Account lockout (A) caps attempts against each account regardless of where they come from, and adaptive MFA (C) demands a factor that an automated credential-guessing tool cannot supply. Lockout does create a denial-of-service risk against those same administrative accounts, so pair it with progressive delays or a short automatic unlock. Complexity rules (B) do not stop the attempts, certificate validation (D) is unrelated, and verbose logging (E) improves visibility but mitigates nothing.

Cybersecurity Defense Mechanisms

Deploy Adaptive MFA
– Add adaptive multi-factor authentication layer

Implement Account Lockout
– Activate lockout after three failed attempts

Identify Automated Password Attacks
– Detect rapid login attempts from rotating IPs
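The explanation above says per-IP blocking fails against rotating sources while per-account lockout does not. The block below is an added example, not part of the original card, that shows that difference on a constructed log and detects the campaign from its timing and source churn rather than from any single address. The log format and field names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: privileged-account failures about 0.5 s apart, each
# from a different source, followed by one ordinary user who mistypes a
# password once and then succeeds.
AUTH_LOG = """\
2024-03-01T09:00:00.0Z auth=basic user=admin src=203.0.113.10 result=fail
2024-03-01T09:00:00.5Z auth=basic user=root src=203.0.113.11 result=fail
2024-03-01T09:00:01.0Z auth=basic user=system src=203.0.113.12 result=fail
2024-03-01T09:00:01.5Z auth=basic user=admin src=203.0.113.13 result=fail
2024-03-01T09:00:02.0Z auth=basic user=root src=203.0.113.14 result=fail
2024-03-01T09:00:02.5Z auth=basic user=admin src=203.0.113.15 result=fail
2024-03-01T09:00:03.0Z auth=basic user=system src=203.0.113.16 result=fail
2024-03-01T09:05:00.0Z auth=basic user=jsmith src=198.51.100.7 result=fail
2024-03-01T09:05:20.0Z auth=basic user=jsmith src=198.51.100.7 result=ok
"""


def parse_log(text: str) -> list:
    """One dict per line, with the timestamp parsed so gaps can be measured."""
    events = []
    for line in text.splitlines():
        stamp, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(event)
    return events


def failures_by(events, key: str) -> dict:
    groups = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            groups[e[key]].append(e)
    return groups


def per_source_lockout(events, threshold: int = 3) -> set:
    """Sources a per-IP lockout would block; rotating sources never reach the threshold."""
    return {ip for ip, evs in failures_by(events, "src").items() if len(evs) >= threshold}


def per_account_lockout(events, threshold: int = 3) -> set:
    """Accounts a per-account lockout (option A) would lock, whatever the source."""
    return {u for u, evs in failures_by(events, "user").items() if len(evs) >= threshold}


def detect_automated_guessing(events, window_s=60, min_failures=3, max_mean_gap_s=2.0) -> list:
    """Find bursts of failures whose cadence is too fast and regular for a human."""
    fails = sorted((e for e in events if e["result"] == "fail"), key=lambda e: e["ts"])
    findings, i = [], 0
    while i < len(fails):
        j = i
        while j + 1 < len(fails) and (fails[j + 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_s:
            j += 1
        burst = fails[i:j + 1]
        if len(burst) >= min_failures:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(burst, burst[1:])]
            mean_gap = sum(gaps) / len(gaps)
            sources = {e["src"] for e in burst}
            if mean_gap <= max_mean_gap_s:
                findings.append({
                    "start": burst[0]["ts"].isoformat(),
                    "attempts": len(burst),
                    "accounts": sorted({e["user"] for e in burst}),
                    "distinct_sources": len(sources),
                    "rotating_sources": len(sources) == len(burst),
                    "mean_gap_s": round(mean_gap, 2),
                })
        i = j + 1
    return findings


if __name__ == "__main__":
    evs = parse_log(AUTH_LOG)
    print("per-source lockout would block:", per_source_lockout(evs) or "nothing")
    print("per-account lockout would lock:", per_account_lockout(evs))
    print("campaigns:", detect_automated_guessing(evs))
```

On this sample the per-source view blocks nothing, the per-account view locks admin after its third failure, and the timing detector reports one seven-attempt burst with seven distinct sources, which is the evidence that justifies adaptive MFA rather than another IP blocklist.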

58
Q

A security team discovers unusual network traffic with the following characteristics:

```yaml
traffic:
  destination: internal_servers
  protocol: ICMP
  size: oversized
  frequency: periodic
  content: encrypted
```

What type of attack is MOST likely occurring?

Options:
A. DNS Cache Poisoning
B. ICMP Tunneling
C. ARP Spoofing
D. TCP SYN Flood

A

** Correct Answer: B **

Explanation: Oversized ICMP packets carrying encrypted content at regular intervals are the classic indicators of ICMP tunneling, in which echo requests and replies are misused as a covert channel for data exfiltration or command and control. A normal echo request carries a small, predictable payload (56 bytes from Linux ping, 32 from Windows), so large or high-entropy payloads stand out. None of the other options involve ICMP: DNS cache poisoning and ARP spoofing are redirection attacks, and a SYN flood is TCP.

Understanding ICMP Tunneling
Periodic Frequency
– Regular intervals of packet transmission

Encrypted Content
– Data encrypted for secrecy

Oversized ICMP Packets
– Packets larger than standard size
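The three indicators above are easy to check mechanically once you can get at the ICMP payload. The block below is an added example (not from the card) that parses a raw IPv4/ICMP frame, measures the payload length and its Shannon entropy, and reports the tunneling indicators. The sample frames are constructed in the block itself: a Linux-style ping pattern and 1 KiB of SHA-256 output standing in for an encrypted tunnel chunk; the size and entropy thresholds are my choices, not values from the card.

```python
import hashlib
import math
import struct
from collections import Counter

# Typical echo-request payloads: 56 bytes (Linux ping), 32 bytes (Windows).
MAX_NORMAL_PAYLOAD = 64
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data approaches 8.0


def build_icmp_echo(payload: bytes, src: str = "10.0.0.5", dst: str = "10.0.0.20") -> bytes:
    """Constructed IPv4 + ICMP echo-request frame for the demo (checksums left at zero)."""
    def addr(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload),
                            0, 0, 64, 1, 0, addr(src), addr(dst))
    icmp_header = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)  # type 8 = echo request
    return ip_header + icmp_header + payload


def parse_icmp(frame: bytes) -> dict:
    """Pull the fields a tunnel detector needs out of a raw IPv4/ICMP frame."""
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[9] != 1:                    # protocol field: 1 = ICMP
        raise ValueError("not an ICMP packet")
    return {
        "src": ".".join(str(b) for b in frame[12:16]),
        "dst": ".".join(str(b) for b in frame[16:20]),
        "type": frame[ihl],
        "code": frame[ihl + 1],
        "payload": frame[ihl + 8:],      # ICMP header is 8 bytes
    }


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; the 56-byte ping pattern sits around 5.8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def tunnel_indicators(frame: bytes) -> list:
    """Reasons a frame looks like ICMP tunneling (an empty list means it looks normal)."""
    pkt = parse_icmp(frame)
    reasons = []
    if pkt["type"] not in (0, 8):        # echo reply / echo request
        reasons.append("unexpected ICMP type")
    if len(pkt["payload"]) > MAX_NORMAL_PAYLOAD:
        reasons.append("oversized payload")
    if shannon_entropy(pkt["payload"]) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy payload")
    return reasons


# Constructed samples.
NORMAL_PING = build_icmp_echo(bytes(range(0x10, 0x10 + 56)))
TUNNEL_CHUNK = build_icmp_echo(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32)))

if __name__ == "__main__":
    for name, frame in (("normal ping", NORMAL_PING), ("tunnel chunk", TUNNEL_CHUNK)):
        print(name, tunnel_indicators(frame) or "no indicators")
```

The periodic-frequency indicator is a property of the stream, not of one packet; in practice you would feed the timing logic from the brute-force example earlier on this page the timestamps of the flagged frames.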

59
Q

An organization’s incident response team receives an alert about unauthorized access attempts. Upon investigation, they found the attack started with a legitimate-looking email containing a link to a document about bonus payments, followed by unusual PowerShell activity. Which attack technique was MOST likely used?

Options:
A. Pass-the-hash attack
B. SQL injection
C. Spear phishing with social engineering
D. Man-in-the-middle attack

A

** Correct Answer: C **

Explanation: The scenario describes a targeted spear phishing attack using social engineering techniques (bonus payments as bait) followed by malicious PowerShell execution, a common post-exploitation activity after successful phishing.

Anatomy of a Spear Phishing Attack

PowerShell Execution
– Malicious script execution

Bonus Payments
– Incentives used as bait

Social Engineering
– Techniques to manipulate targets

60
Q

An organization implements the following IoC detection rule:

```json
{
"alert_type": "high",
"match": {
"process_name": "svchost.exe",
"network_conn": "*.onion",
"parent_process": "!"
}
}
```

Which of the following attacks is this rule MOST likely designed to detect?
Options:
A. DNS tunneling attack
B. Tor-based malware communication
C. SQL injection attempt
D. Pass-the-hash attack

A

** Correct Answer: B **

Explanation: The rule monitors svchost.exe making connections to .onion domains (Tor hidden services) from an unexpected parent process. Legitimate svchost.exe instances are started by services.exe and have no reason to reach Tor, so this pattern typically indicates malware using the Tor network for command and control, making option B correct. DNS tunneling (A) would key on query shapes rather than .onion destinations, and SQL injection (C) and pass-the-hash (D) leave no process-to-network signature of this kind.

Is the svchost.exe connection to .onion domains indicative of malware?

Confirm Malware Activity
– The connection pattern suggests Tor-based command and control communication, indicating potential malware.

False Positive
– The connection might be legitimate or misinterpreted, not indicating malware.
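The rule is only useful if you can say precisely what each field matches, and the "!" on parent_process is the ambiguous part. The block below is an added example, not from the card, that evaluates the rule against constructed endpoint telemetry. It assumes "!" means "any parent other than the one this process normally has" (svchost.exe is normally started by services.exe); the event fields, pids and hostnames are made up for the example.

```python
import fnmatch

# The card's rule as data.
RULE = {"process_name": "svchost.exe", "network_conn": "*.onion", "parent_process": "!"}

# Assumption for this example: "!" means "parent differs from the expected one".
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

# Constructed endpoint telemetry.
EVENTS = [
    {"pid": 812, "process_name": "svchost.exe", "parent_process": "services.exe",
     "network_conn": "update.example.com"},
    {"pid": 4410, "process_name": "svchost.exe", "parent_process": "winword.exe",
     "network_conn": "examplehiddenservice.onion"},
    {"pid": 920, "process_name": "svchost.exe", "parent_process": "services.exe",
     "network_conn": "examplehiddenservice.onion"},
    {"pid": 5120, "process_name": "chrome.exe", "parent_process": "explorer.exe",
     "network_conn": "examplehiddenservice.onion"},
]


def field_matches(field: str, pattern: str, event: dict) -> bool:
    """Glob match on the field, except the '!' parent check which is a baseline test."""
    value = event.get(field, "").lower()
    if field == "parent_process" and pattern == "!":
        expected = EXPECTED_PARENT.get(event["process_name"].lower())
        return expected is not None and value != expected
    return fnmatch.fnmatchcase(value, pattern.lower())


def rule_matches(rule: dict, event: dict) -> bool:
    return all(field_matches(field, pattern, event) for field, pattern in rule.items())


def alerts(rule: dict, events: list) -> list:
    """Pids of events that satisfy every condition of the rule."""
    return [e["pid"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print("high-severity alerts:", alerts(RULE, EVENTS))
    loose = {k: v for k, v in RULE.items() if k != "parent_process"}
    print("any svchost.exe to .onion:", alerts(loose, EVENTS))
```

Only pid 4410 fires the full rule. Pid 920 also talks to a .onion address but has the expected parent, so it is exactly the false-negative the summary above worries about; running the looser rule without the parent condition at a lower severity covers it.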

61
Q

During a security incident, the following deception technology configuration was active:
```yaml
deception:
  type: honeynet
  services:
    - ssh_emulation
    - web_admin
  logging: enhanced
  alert_threshold: low
```

Which TWO of the following accurately describe the purpose and effectiveness of this configuration? (Choose TWO)

Options:
A. It primarily prevents lateral movement within the network
B. It provides early warning of attacker techniques and tactics
C. It automatically blocks all suspicious connections
D. It ensures data integrity of production systems
E. It captures detailed information about attack patterns

A

** Correct Answer: B, E **

Explanation: The honeynet configuration with enhanced logging and multiple emulated services is designed for early attack detection (B) and detailed attack pattern analysis (E).
The low alert threshold and service emulation focus on intelligence gathering rather than prevention or blocking.

Honeynet Configuration for Attack Analysis

Early Attack Detection
– Identifying attacks as they occur

Detailed Pattern Analysis
– Analyzing attack methods and techniques

62
Q

During a physical security assessment of a data center, an auditor notices that the facility has implemented bollards, security guards, and microwave sensors, but employees frequently hold doors open for others. Which security control principle is being violated, and what type of control is MOST needed?

Options:
A. Defense in depth; Corrective control
B. Separation of duties; Detective control
C. Principle of least privilege; Preventive control
D. Zero trust; Directive control

A

** Correct Answer: D **

Explanation: The scenario shows a breakdown of zero trust principles where physical access is granted based on courtesy rather than verification. A Directive Control (security policies and training) is needed to address the human behavior undermining existing security measures.

Zero Trust Implementation

Human Behavior
– Factors undermining security measures

Directive Control
– Policies and training to enforce security

Zero Trust Principles
– Core Security framework ensuring verification

63
Q

A security administrator is reviewing the following risk management configuration:
```json
{
"risk_threshold": "medium",
"auto_mitigation": true,
"exceptions_require": "senior_approval",
"compliance_check": "continuous"
}
```
Which security framework component does this BEST align with?

Options:
A. NIST SP 800-53 Physical Controls
B. ISO 27001 Asset Management
C. COBIT Governance Framework
D. Zero Trust Architecture

A

** Correct Answer: C **

Explanation: The configuration shows governance-focused controls with risk thresholds, approval processes, and continuous compliance monitoring, which directly aligns with COBIT’s governance framework approach to risk management and oversight.

COBIT Governance Framework

Governance-focused Controls
– Control Implementation
– Control Evaluation

Continuous Compliance Monitoring
– Compliance Audits
– Regulatory Updates

Risk Thresholds
– Risk Assessment
– Risk Mitigation

Approval Processes
– Decision Making
– Policy Development

64
Q

A security analyst is reviewing the following firewall rule:

```yaml
- action: allow
  source: 10.0.0.0/24
  destination: any
  service: tcp/443
  log: true
```

Which of the following accurately describes the impact of this rule?
A. It allows all HTTPS traffic from the 10.0.0.0/24 subnet to any destination
B. It blocks all traffic except HTTPS from the 10.0.0.0/24 subnet
C. It allows only encrypted traffic from any source to the 10.0.0.0/24 subnet
D. It logs all HTTPS traffic but does not allow or block anything

A

** Correct Answer: A **

Explanation: The rule allows TCP traffic on port 443 (HTTPS) from the 10.0.0.0/24 subnet to any destination, and logs the traffic.

Ensuring Secure and Monitored Web Access

Allowed and Logged HTTPS Traffic
– Subnet 10.0.0.0/24
– HTTPS Protocol
– Firewall Rule
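The two firewall cards on this page (the multi-tenant TCP rule earlier and this HTTPS rule) and the default-deny card in between describe one evaluation model: rules are tried in order, the first match decides, and anything unmatched is dropped. The block below is an added example, not from the cards, that implements that model over both rules so the impact of each can be checked with concrete packets. The packet dictionary shape and the decision to log default-deny drops are my assumptions.

```python
import ipaddress

# Constructed rule base built from the two rules the cards show, evaluated
# top-down with an implicit default deny at the end.
RULES = [
    {"action": "allow", "protocol": "tcp", "source": "192.168.0.0/24",
     "destination": "172.31.0.0/16", "ports": [80, 443], "log": False},
    {"action": "allow", "protocol": "tcp", "source": "10.0.0.0/24",
     "destination": "any", "ports": [443], "log": True},
]


def in_range(ip: str, spec: str) -> bool:
    """'any' matches everything; otherwise the address must sit inside the CIDR block."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: list, packet: dict) -> tuple:
    """First matching rule wins; anything unmatched is dropped and logged (default deny)."""
    for rule in rules:
        if (rule["protocol"] == packet["protocol"]
                and in_range(packet["src"], rule["source"])
                and in_range(packet["dst"], rule["destination"])
                and packet["dport"] in rule["ports"]):
            return rule["action"], rule["log"]
    return "deny", True


def pkt(src: str, dst: str, dport: int, protocol: str = "tcp") -> dict:
    return {"src": src, "dst": dst, "dport": dport, "protocol": protocol}


if __name__ == "__main__":
    samples = [
        pkt("192.168.0.10", "172.31.5.5", 443),   # tenant subnet to allowed range
        pkt("192.168.0.10", "172.31.5.5", 22),    # same hosts, SSH: not listed
        pkt("192.168.1.10", "172.31.5.5", 80),    # neighbouring /24: not listed
        pkt("10.0.0.7", "203.0.113.1", 443),      # HTTPS to anywhere, logged
        pkt("10.0.0.7", "203.0.113.1", 443, "udp"),  # QUIC is not tcp/443
    ]
    for p in samples:
        print(p, "->", evaluate(RULES, p))
```

The last sample is the caveat worth remembering for the HTTPS card: a rule written as tcp/443 says nothing about udp/443, so browsers that try QUIC first will be dropped by the default deny and fall back to TCP, which shows up in the logs as a steady stream of denied UDP.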

65
Q

An organization is implementing a zero trust architecture. Which TWO of the following actions align most closely with zero trust principles? (Choose two.)

A. Implementing strong perimeter defenses.
B. Assuming all network traffic is potentially malicious.
C. Granting least privilege access to resources.
D. Relying on VPN for remote access security.
E. Continuously verifying and validating every access attempt.

A

** Correct Answer: B, E **

Explanation: Zero trust assumes all traffic is potentially malicious (B) and requires continuous verification for every access attempt (E), rather than relying on perimeter defenses or VPNs alone.

66
Q

A security team is investigating a potential data exfiltration attempt. They notice large amounts of data being transferred to an unknown IP address over port 53. What is the most likely explanation for this activity?

A. Normal DNS queries
B. DNS tunneling
C. DNSSEC validation
D. Zone transfer attack

A

** Correct Answer: B **

Explanation: Large data transfers over port 53 (typically used for DNS) likely indicate DNS tunneling, a technique often used for data exfiltration that hides data in DNS queries and responses.

Unveiling DNS Tunneling for Data Exfiltration

DNS Tunneling
– Data Exfiltration Method
– Use of Port 53
– DNS Queries and Responses
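Volume on port 53 is the trigger, but confirming DNS tunneling means looking at the shape of the queries. The block below is an added example, not from the card, that groups a constructed query log by registered domain and flags the shapes tunneling produces: many never-repeated subdomains, long labels that carry encoded data, and record types (TXT, NULL, CNAME) that can carry bulk data back. The log fields, thresholds and the two-label notion of "registered domain" are my simplifications.

```python
from collections import defaultdict

# Constructed query log: six TXT lookups with 52-character labels under
# example.net, mixed with ordinary lookups of example.com.
DNS_QUERIES = [
    {"src": "192.168.1.50", "qname": f"{i:02d}{'ab' * 25}.example.net", "qtype": "TXT", "size": 96}
    for i in range(6)
] + [
    {"src": "192.168.1.51", "qname": "www.example.com", "qtype": "A", "size": 33},
    {"src": "192.168.1.52", "qname": "mail.example.com", "qtype": "MX", "size": 34},
    {"src": "192.168.1.50", "qname": "www.example.com", "qtype": "A", "size": 33},
]

BULK_QTYPES = {"TXT", "NULL", "CNAME"}


def registered_domain(qname: str) -> str:
    """Last two labels; a real deployment would consult the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def dns_tunnel_candidates(queries: list, min_unique_names: int = 5,
                          min_avg_subdomain_len: int = 30) -> dict:
    """Per registered domain, flag high subdomain churn combined with long labels."""
    per_domain = defaultdict(lambda: {"names": set(), "bytes": 0, "qtypes": set(), "sources": set()})
    for q in queries:
        stats = per_domain[registered_domain(q["qname"])]
        stats["names"].add(q["qname"])
        stats["bytes"] += q["size"]
        stats["qtypes"].add(q["qtype"])
        stats["sources"].add(q["src"])

    findings = {}
    for domain, stats in per_domain.items():
        names = stats["names"]
        # Length of the part of the name that sits below the registered domain.
        avg_sub_len = sum(len(n) - len(domain) - 1 for n in names) / len(names)
        if len(names) >= min_unique_names and avg_sub_len >= min_avg_subdomain_len:
            findings[domain] = {
                "unique_names": len(names),
                "avg_subdomain_len": round(avg_sub_len, 1),
                "bytes": stats["bytes"],
                "bulk_qtypes": sorted(stats["qtypes"] & BULK_QTYPES),
                "sources": sorted(stats["sources"]),
            }
    return findings


if __name__ == "__main__":
    for domain, f in dns_tunnel_candidates(DNS_QUERIES).items():
        print(domain, f)
```

Before running this, check that the port-53 traffic in the card is actually DNS: a large raw TCP transfer to an unknown host on port 53 that never forms a valid DNS message is the cruder (and equally telling) variant, and a protocol parser, not this heuristic, is what catches it.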

67
Q

A security analyst is investigating a potential data breach. The following log snippet was captured:
```json
{
"timestamp": "2023-11-15T14:23:17Z",
"src_ip": "192.168.1.100",
"dst_ip": "203.0.113.50",
"protocol": "TCP",
"dst_port": 4444,
"payload_size": 1024
}
```

Which of the following best describes the potential threat indicated by this log entry?
A. SQL injection attack
B. DDoS attack
C. Command and control communication
D. DNS tunneling

A

** Correct Answer: C **

Explanation: The log entry is consistent with command and control (C2) communication: an internal host (192.168.1.100) initiating an outbound TCP connection to an external address on port 4444, the default listener port of the Metasploit reverse handler and a common choice for other C2 tooling. A single entry cannot show a "consistent" payload size, so corroborate it with beaconing at regular intervals, repeated identical payload sizes across many entries and reputation data for 203.0.113.50 before escalating. SQL injection (A) would appear on a database or web port, a DDoS (B) would be inbound and high-volume, and DNS tunneling (D) would use port 53.

68
Q

An organization is implementing a Zero Trust architecture. Which TWO of the following actions align best with Zero Trust principles? (Choose two.)

A. Implementing network segmentation based on user roles
B. Granting full access to internal network resources for all employees
C. Enforcing multi-factor authentication for all user access attempts
D. Utilizing a single sign-on solution across all applications
E. Continuously monitoring and logging all network activities

A

** Correct Answer: C, E **

Explanation: Zero Trust principles include enforcing strong authentication (MFA) and continuous monitoring. Network segmentation (A) is good but not specific to Zero Trust. Full access (B) contradicts Zero Trust. SSO (D) alone doesn’t ensure Zero Trust.

Zero Trust Security Model

Multi-Factor Authentication
– Enforces strong user verification through multiple authentication methods.

Continuous Monitoring
– Involves constant oversight and logging of network activities.

69
Q

Which of the following best describes the concept of “security through obscurity (STO)” and its role in a comprehensive security strategy?

A. It’s a primary defense mechanism that should be the foundation of all security plans.
B. It’s an outdated concept that has no place in modern cybersecurity.
C. It can provide an additional layer of defense but shouldn’t be relied upon as a sole security measure.
D. It’s the practice of hiding all system information to prevent any potential attacks.

A

** Correct Answer: B **

Security through obscurity (STO) is a security strategy that relies on secrecy to protect systems from unauthorized access. The idea is that if attackers can’t see a system’s weaknesses, they can’t exploit them.

Security Through Obscurity (STO) is the practice of concealing the details or mechanisms of a system to enhance its security. This approach relies on the principle of hiding something in plain sight, akin to a magician’s sleight of hand or the use of camouflage.

Dependence on STO as the only line of defense equates to risking your system’s security. It’s an outdated and discouraged practice as it’s impossible to keep all details of a network secret indefinitely, and it contradicts the Zero Trust model best practices.

70
Q

A company wants to implement a Zero Trust Architecture for its cloud services. Which two measures are essential in ZTA?

Options:
A. Multi-factor authentication (MFA)
B. Network segmentation
C. Regular security audits
D. Intrusion detection systems (IDS)
E. Strong password policies

A

** Correct Answer: A, B **

Explanation: Multi-factor authentication and network segmentation are fundamental to Zero Trust Architecture, ensuring that only authorized entities can access resources while maintaining strict controls on internal traffic.

Security Measures in Zero Trust Architecture

Network segmentation (Low Access Control)
– Network segmentation controls internal traffic effectively despite lower access control.

Multi-factor authentication (High Access Control)
– Multi-factor authentication ensures high access control with stringent verification.