Random Question 41 - 60 Flashcards
CompTIA SY0-701
Question 51:
An organization’s incident response team receives an alert about unauthorized access attempts. Upon investigation, they find the attack started with a legitimate-looking email containing a link to a document about bonus payments, followed by unusual PowerShell activity. Which attack technique was MOST likely used?
Options:
A. Pass-the-hash attack
B. SQL injection
C. Spear phishing with social engineering
D. Man-in-the-middle attack
Correct Answer: C
Explanation: The scenario describes a targeted spear phishing attack using social engineering techniques (bonus payments as bait) followed by malicious PowerShell execution, which is a common post-exploitation activity after successful
Question 52:
A security administrator is reviewing the following risk management configuration:
```json
{
  "risk_threshold": "medium",
  "auto_mitigation": true,
  "exceptions_require": "senior_approval",
  "compliance_check": "continuous"
}
```
Which security framework component does this BEST align with?
Options:
A. NIST SP 800-53 Physical Controls
B. ISO 27001 Asset Management
C. COBIT Governance Framework
D. Zero Trust Architecture
Correct Answer: C
Explanation: The configuration shows governance-focused controls with risk thresholds, approval processes, and continuous compliance monitoring, which directly aligns with COBIT’s governance framework approach to risk management and oversight.
Question 53:
A security analyst is reviewing the following firewall rule:
```yaml
- action: allow
  source: 10.0.0.0/24
  destination: any
  service: tcp/443
  log: true
```
Which of the following accurately describes the impact of this rule?
A. It allows all HTTPS traffic from the 10.0.0.0/24 subnet to any destination
B. It blocks all traffic except HTTPS from the 10.0.0.0/24 subnet
C. It allows only encrypted traffic from any source to the 10.0.0.0/24 subnet
D. It logs all HTTPS traffic but does not allow or block anything
Correct Answer: A
Explanation: The rule allows TCP traffic on port 443 (HTTPS) from the 10.0.0.0/24 subnet to any destination, and logs the traffic.
Question 54:
An organization is implementing a zero trust architecture. Which TWO of the following actions align most closely with zero trust principles? (Choose two.)
A. Implementing strong perimeter defenses.
B. Assuming all network traffic is potentially malicious.
C. Granting least privilege access to resources.
D. Relying on VPN for remote access security.
E. Continuously verifying and validating every access attempt.
**Correct Answer: B, E**
Explanation: Zero trust assumes all traffic is potentially malicious (B) and requires continuous verification for every access attempt (E), rather than relying on perimeter defenses or VPNs alone.
Question 55:
A security team is investigating a potential data exfiltration attempt. They notice large amounts of data being transferred to an unknown IP address over port 53. What is the most likely explanation for this activity?
A. Normal DNS queries
B. DNS tunneling
C. DNSSEC validation
D. Zone transfer attack
Correct Answer: B
Explanation: Large data transfers over port 53 (typically used for DNS) likely indicate DNS tunneling, a technique often used for data exfiltration that hides data in DNS queries and responses.
Question 56:
A security analyst is investigating a potential data breach. The following log snippet was captured:
```json
{
  "timestamp": "2023-11-15T14:23:17Z",
  "src_ip": "192.168.1.100",
  "dst_ip": "203.0.113.50",
  "protocol": "TCP",
  "dst_port": 4444,
  "payload_size": 1024
}
```
Which of the following best describes the potential threat indicated by this log entry?
A. SQL injection attack
B. DDoS attack
C. Command and control communication
D. DNS tunneling
Correct Answer: C
Explanation: The log entry suggests command and control (C2) communication. The destination port 4444 is often associated with malware C2 servers, and the consistent payload size of 1024 bytes indicates potential encoded communication.
Question 57:
An organization is implementing a Zero Trust architecture. Which TWO of the following actions align best with Zero Trust principles? (Choose two.)
A. Implementing network segmentation based on user roles
B. Granting full access to internal network resources for all employees
C. Enforcing multi-factor authentication for all user access attempts
D. Utilizing a single sign-on solution across all applications
E. Continuously monitoring and logging all network activities
Correct Answer: C, E
Explanation: Zero Trust principles include enforcing strong authentication (MFA) and continuous monitoring. Network segmentation (A) is good but not specific to Zero Trust. Full access (B) contradicts Zero Trust. SSO (D) alone doesn’t ensure Zero Trust.
Question 58:
Which of the following best describes the concept of “security through obscurity” and its role in a comprehensive security strategy?
A. It’s a primary defense mechanism that should be the foundation of all security plans.
B. It’s an outdated concept that has no place in modern cybersecurity.
C. It can provide an additional layer of defense but shouldn’t be relied upon as a sole security measure.
D. It’s the practice of hiding all system information to prevent any potential attacks
Correct Answer: C
Explanation: Security through obscurity can add a layer of defense by making it harder for attackers to gather information, but it shouldn’t be the primary security measure.
A comprehensive strategy should include multiple layers of security controls.
Question 49:
A security analyst is investigating a potential data breach. The analyst discovers the following log entry:
```yaml
- timestamp: "2023-11-15T14:30:22Z"
  source_ip: "192.168.1.100"
  destination_ip: "203.0.113.50"
  protocol: "TCP"
  destination_port: 22
  payload_size: 1024000
```
What type of attack does this log entry most likely indicate?
A. SQL injection
B. Cross-site scripting (XSS)
C. Data exfiltration
D. Denial of Service (DoS)
Correct Answer: C
Explanation: The log shows a large payload (1MB) being sent to an external IP over port 22 (SSH), indicating likely data exfiltration.
Question 50:
An organization is implementing a new cloud-based Identity and Access Management (IAM) solution. Which two of the following should be included in the implementation plan? (Choose two.)
A. Configure multi-factor authentication for all user accounts
B. Implement a single sign-on (SSO) solution for all cloud services
C. Disable all legacy authentication protocols
D. Create separate admin accounts for each cloud service
E. Implement a password rotation policy of 30 days for all accounts
Correct Answer: A, B
Explanation: Multi-factor authentication (A) and single sign-on (B) are crucial for secure and efficient IAM in cloud environments. They enhance security while improving user
Which of the following answers can be used to describe technical security controls? (Select 3 answers)
a. Focused on protecting material assets
b. Sometimes called logical security controls
c. Executed by computer systems (instead of people)
d. Also known as administrative controls
e. Implemented with technology
f. Primarily implemented and executed by people (as opposed to computer systems)
** Answer: b, c, e**
– Sometimes called logical security controls
– Executed by computer systems (instead of people)
– Implemented with technology
Which of the answers listed below refer to examples of technical security controls? (Select 3 answers)
a. Security audits
b. Encryption
c. Organizational security policy
d. IDSs
e. Configuration management
f. Firewalls
** Answer: b, d, f **
Which of the following answers refer to the characteristic features of managerial security controls? (Select 3 answers)
a. Also known as administrative controls
b. Sometimes referred to as logical security controls
c. Focused on reducing the risk of security incidents
d. Executed by computer systems (instead of people)
e. Documented in written policies
f. Focused on protecting material assets
** Answer: a, c, e**
Examples of managerial security controls include: (Select 3 answers)
a. Configuration management
b. Data backups
c. Organizational security policy
d. Risk assessments
e. Security awareness training
** Answer: c, d, e**
Which of the answers listed below can be used to describe operational security controls? (Select 3 answers)
a. Also known as administrative controls
b. Focused on the day-to-day procedures of an organization
c. Executed by computer systems (instead of people)
d. Used to ensure that the equipment continues to work as specified
e. Focused on managing risk
f. Primarily implemented and executed by people (as opposed to computer systems)
** Answer: b, d, f **
Which of the following examples fall into the category of operational security controls? (Select 3 answers)
a. Risk assessments
b. Configuration management
c. System backups
d. Authentication protocols
e. Patch management
** Answer: b, c, f **
Which of the answers listed below refers to security controls designed to deter, detect, and prevent unauthorized access, theft, damage, or destruction of material assets?
a. Managerial security controls
b. Physical security controls
c. Technical security controls
d. Operational security controls
** Answer: b. Physical security controls **
Which of the following examples do not fall into the category of physical security controls? (Select 3 answers)
a. Lighting
b. Access control vestibules
c. Data backups
d. Fencing/Bollards/Barricades
e. Firewalls
f. Security guards
g. Asset management
** Answer: c, e, g**
– Data backups
– Firewalls
– Asset management
What are the examples of preventive security controls? (Select 3 answers)
a. Encryption
b. IDS
c. Sensors
d. Firewalls
e. Warning signs
f. AV software
** Answer: a, d, f **
– Encryption
– Firewalls
– AV software
Examples of deterrent security controls include: (Select 3 answers)
a. Warning signs
b. Sensors
c. Lighting
d. Video surveillance
e. Security audits
f. Fencing/Bollards
** Answer: a, c, f **
– Warning signs
– Lighting
– Fencing/Bollards
Which of the answers listed below refer(s) to detective security control(s)? (Select all that apply)
a. Lighting
b. Log monitoring
c. Sandboxing
d. Security audits
e. CCTV
f. IDS
g. Vulnerability scanning
** Answer: b, d, e, f, g **
Which of the following answers refer(s) to corrective security control(s)? (Select all that apply)
a. Recovering data from backup copies
b. Applying software updates and patches to fix vulnerabilities
c. Developing and implementing IRPs to respond to and recover from security incidents
d. Regularly reviewing logs for anomalies or patterns indicative of attacks
e. Activating and executing DRPs to restore operations after a major incident
** Answer: a, b, c, e **
Which of the answers listed below refer(s) to compensating security control(s)? (Select all that apply)
a. Backup power systems
b. Video surveillance
c. MFA
d. Application sandboxing
e. Network segmentation
** Answer: a, c, d, e **
Which of the following terms fall into the category of directive security controls? (Select 2 answers)
a. IRP
b. AUP
c. IDS
d. MFA
e. IPS
** Answer: A, B**
“IRP” stands for “Incident Response Plan,” which is a documented strategy outlining how an organization will detect, respond to, and recover from cybersecurity incidents like data breaches, malware attacks, or other disruptions, aiming to minimize damage and ensure business continuity.
“AUP” stands for “Acceptable Use Policy,” which is a set of rules and guidelines that define how users can properly access and utilize an organization’s network, systems, and other digital resources, outlining what behaviors are considered acceptable and unacceptable when using company technology.
The term “Directive security controls” refers to the category of security controls that are implemented through policies and procedures.
True
False
** Answer: True **
The configuration and workings of firewalls and access control fall under which category of controls?
A - Operational controls.
B - Technical controls.
C - Managerial controls.
D - Physical controls.
** Answer: B - Technical Controls **
The configuration and workings of firewalls and access control fall under the category of technical controls in cybersecurity.
What is the main purpose of directive controls in an organization’s security system?
A - To provide physical protection against threats.
B - To guide the operation and use of systems within an organization
C - To prevent incidents from happening.
D - To correct problems during an incident.
** Answer: B - To guide the operation and use of systems within an organization **
Directive controls are those designed to establish desired outcomes; preventative controls are designed to prevent errors, irregularities, or undesirable events from occurring; and detective controls are those designed to detect and correct undesirable events that have occurred.
Corrective controls are used at which stage of an incident?
A - Before the event.
B - During the event.
C - After the event.
D - They are not linked to a specific stage of an incident.
** Answer: C - After the event **
Corrective controls are used after an event has occurred. They limit the extent of damage, help the company recover from damage quickly, and provide measures to lessen harmful effects or restore the system being impacted.
Detective controls are designed to do which of the following?
A - Correct a problem during an incident.
B - Monitor and detect any unauthorized behavior or hazard.
C - Detect potential attackers.
D - Prevent incidents from happening.
** Answer: C - Detect potential attackers. **
A “detective control” in security refers to a measure designed to identify and alert about security issues that have already occurred, essentially acting as a second line of defense after preventative controls might have been bypassed, by monitoring for anomalies and providing evidence of a breach through logging and alerts.
Detective controls are designed to do which of the following?
A - Correct a problem during an incident.
B - Monitor and detect any unauthorized behavior or hazard.
C - Detect potential attackers.
D - Prevent incidents from happening.
** Answer: B - Monitor and detect any unauthorized behavior or hazard. **
Detective controls aim at monitoring and detecting unauthorized behavior and hazards.
These controls alert of failures in other controls and can identify unwanted events during or after they have occurred.
What type of controls are meant to deter threat actors from executing offensive assaults on an environment, thereby preventing incidents from occurring?
A - Deterrent controls.
B - Corrective controls.
C - Preventive controls.
D - Detective controls.
** Answer: D - Preventive controls. **
Preventive controls are employed before an event occurs and are designated to prevent incidents. They enforce security policy and are meant to prevent incidents from happening, and they typically include measures such as intrusion prevention systems (IPSs), access lists, and passwords.
Which type of controls are implemented to prevent incidents from happening with examples such as access lists, passwords, and fences?
A - Detective controls.
B - Corrective controls.
C - Deterrent controls.
D - Preventive controls.
** Answer: D - Preventative Control **
Preventative control refers to measures implemented before a threat event to reduce the likelihood and impact of a successful attack. Examples include policies, encryption, firewalls, and physical barriers.
Security awareness training and formal change-management procedures are examples of which category of controls?
A - Technical controls.
B - Operational controls.
C - Managerial controls.
D - Physical controls.
** Answer: C - Managerial controls. **
Managerial controls encompass business and organizational processes and procedures, such as security awareness training and formal change management procedures.
Which category of controls is executed by people and involves user awareness and training?
A - Operational controls.
B - Technical controls.
C - Managerial controls.
D - Physical controls.
** Answer: C - Managerial controls **
Managerial controls encompass business and organizational processes and procedures, which include user awareness training.
Which control category involves securing physical access to an organization’s building and equipment?
A - Technical controls.
B - Managerial controls.
C - Operational controls.
D - Physical controls.
** Answer: D - Physical controls. **
Physical controls involve securing physical access to an organization’s building and equipment and implementing physical access-securing methods.
The configuration and workings of firewalls and access control fall under which category of controls?
A - Operational controls.
B - Technical controls.
C - Managerial controls.
D - Physical controls.
** Answer: B - Technical controls. **
Technical controls are executed by computer systems, including mechanisms such as firewalls, access control, and cryptography.
What is the primary function of a honeytoken in a cybersecurity system?
A - It serves as a backup for the system’s data.
B - It serves as an early warning system for unauthorized access or system breaches.
C - It enables an attacker to gain access to the system.
D - It assists in decrypting encrypted data.
** Answer: C - It enables an attacker to gain access to the system. **
The primary function of a honeytoken in a cybersecurity system is to act as a decoy, designed to detect unauthorized access or malicious activity by attracting attackers to a piece of fake data, which then triggers an alert to the security team when accessed, revealing potential breaches without compromising sensitive information.
Which of the following types of sensors would be most effective for detecting movement due to changes in heat levels?
A - Microwave sensors.
B - Ultrasonic sensors.
C - Pressure sensors.
D - Infrared sensors.
** Answer: D- Infrared sensors.**
Infrared sensors are most effective for detecting movement due to changes in heat levels, as they can identify the thermal energy produced by an object.
Which of the following best describes the function of an access control vestibule in a facility protection plan?
A - It allows free access to anyone entering the facility.
B - It ensures that both sets of entrance doors can be opened simultaneously.
C - It creates a buffer zone at the entrance and provides an additional layer of access control.
D - It prevents visibility into the entrance of the facility.
** Answer: C - It creates a buffer zone at the entrance and provides an additional layer of access control. **
An access control vestibule in a facility protection plan creates a buffer zone at the facility’s entrance and provides an additional layer of access control, ensuring that only authorized individuals gain entry.
In the Zero Trust security framework, the data plane is responsible for:
A - Determining policies and security protocols.
B - Making intelligent decisions based on policies.
C - Enforcing policies determined by the control plane.
D - Allowing all data packets to pass freely without inspection.
** Answer: C - Enforcing policies determined by the control plane. **
In the Zero Trust security framework, the data plane is responsible for enforcing the policies determined by the control plane and executing the security measures it defines.
The network security engineer at a multinational company is preparing to introduce a new network infrastructure model. The company’s objective is to minimize the attack surface by implementing effective port security measures. To accomplish this, the engineer is evaluating the security implications of various architecture models and their compatibility with port security measures. Since the network security engineer plans to deploy port security to minimize the attack surface, which architecture model can BEST assist in supporting and enhancing the effectiveness of port security?
A. Peer-to-peer model
B. Client-server model
C. Hybrid model
D. Three-tier model
** Correct Answer: B **
The client-server model can enhance the effectiveness of port security as it has centralized servers, making it easier to monitor and manage port security.
Although the peer-to-peer model allows direct sharing of resources among peers, it can be challenging to implement comprehensive port security due to the distributed nature of the network.
While the hybrid model combines elements of the client-server and peer-to-peer models, it might complicate port security measures due to its mixed nature, potentially leading to less effective control of the attack surface.
While the three-tier model is excellent for organizing resources and providing scalability, its layered design does not inherently enhance port security or minimize the attack surface.
An organization’s security team performs vulnerability assessments quarterly to identify potential risks in its infrastructure. During a recent vulnerability assessment, the security team identified a critical vulnerability in a server room, which had numerous entryways.
Which factor is MOST likely to reduce the risk of vulnerability exploitation among the provided variables?
A. The server’s operating system version
B. Limited physical access to the server room
C. The type of applications running on the server
D. The temperature of the server room
** Correct Answer: B **
Tightening security measures and directly restricting access to the server room decreases the chances of physical attacks, unauthorized tampering, and unsanctioned connections to the hardware.
The server’s operating system plays a role in its overall security profile, but it is not an environmental variable and stands apart from the physical environment.
A security analyst is reviewing server configurations in an organization during a vulnerability assessment. The analyst finds that someone left the default vendor passwords active on a critical server holding customer data. Additionally, someone is running unnecessary services on the server, and no one has patched it for several months. In this scenario, which vulnerability would adversaries MOST likely exploit first to gain unauthorized access to the critical server?
A. Absence of an intrusion detection system (IDS)
B. Default vendor passwords not changed
C. Use of open-source software
D. Non-encrypted data at rest
** Correct Answer: B **
Default vendor passwords are well known and are one of the first things an attacker will try when attempting to gain unauthorized access. Leaving them unchanged presents an immediate and high risk.
While an IDS is essential for monitoring and alerting potential security threats, its absence does not directly provide an access vector for attackers.
Using open-source software is not inherently a vulnerability. Many open-source projects have robust security due to their wide community scrutiny.
An organization’s security team has begun integrating third-party threat feeds into its vulnerability management strategy. The security manager believes this will enhance the ability to identify and respond to emerging threats more effectively. Within vulnerability management, what primary advantage does incorporating third-party threat feeds offer an organization’s security posture?
A. It increases situational awareness and response capability to threats and vulnerabilities.
B. It replaces the organization’s need for an internal vulnerability assessment team.
C. It ensures the organization has complete protection against all zero-day vulnerabilities.
D. It guarantees the organization is complying with international cybersecurity regulations.
** Correct Answer: A **
Third-party threat feeds provide real-time information on emerging threats, often tailored to specific industries or geographical regions, enhancing an organization’s situational awareness and response capability.
While third-party threat feeds can complement the efforts of an internal team, they do not replace the specialized knowledge and contextual understanding of an organization’s specific environment that an internal team provides.
An organization’s security team has hired a penetration tester to assess the vulnerabilities in its digital infrastructure. The penetration tester has a clear set of guidelines and is about to start the test. When engaging in vulnerability management within an organization, which activities will the penetration tester MOST likely undertake to ensure a comprehensive assessment? (Select the two best options.)
A. Deleting data found in critical servers
B. Running exploitation tools against known vulnerabilities
C. Installing new software without prior permission
D. Assessing the environment for potential weak points
** Correct Answer: B, D **
Penetration testers often use exploitation tools to confirm the existence of known vulnerabilities and understand their potential impact.
A primary aspect of penetration testing involves identifying and evaluating potential weak points in the system or network, helping the organization understand where they might be vulnerable.
Penetration testers aim to assess and report vulnerabilities, not to harm the organization. Deleting data would be against ethical guidelines and could cause severe harm.
Ethical penetration testers always work within the bounds of the agreement with the organization. Unauthorized software installation is invasive and could introduce new vulnerabilities or operational issues.
An information security analyst at a tech company reviews a security report outlining recent attack vectors against the company’s systems. The analyst identifies potential risks related to unpatched software vulnerabilities still unknown to the vendor and risks associated with weak cryptographic algorithms. The analyst wants to prioritize these risks to decide on immediate remedial action. Based on the provided scenario, what BEST describes an unknown vulnerability in software that the vendor has yet to discover or patch, and that attackers are actively exploiting?
A. Zero-day vulnerability
B. On-path attack
C. Rainbow table attack
D. Public key infrastructure flaw
** Correct Answer: A **
The term “zero-day” describes a software vulnerability that the vendor has yet to identify.
Attackers exploit this vulnerability and jeopardize systems.
In an on-path attack, an attacker intercepts and might alter communication between two parties.
However, this threat does not connect to a software vulnerability unpatched and unknown by the vendor.
A medium-sized software development company recently introduced a bug bounty program to identify and mitigate vulnerabilities in their flagship application. The security manager plans to coordinate the program’s rules and engagement policies. When setting up a bug bounty program for vulnerability management, which activities should the security manager prioritize to ensure the program’s effectiveness and ethical participation? (Select the two best options.)
A. Establishing a clear scope of which assets researchers can test
B. Offering substantial rewards regardless of the severity of the bug found
C. Providing a secure platform for researchers to report findings
D. Allowing researchers to disclose findings publicly immediately after discovery
** Correct Answer: A, C **
Security managers must define the scope to guide researchers about which areas they can and cannot test, preventing unintended system breaches outside the bug bounty program’s intention.
A bug bounty program requires a secure and straightforward method for researchers to report vulnerabilities effectively.
An application security analyst at a software company is assessing a new software application before its release to customers. Before deciding on the best approach for the assessment, the analyst recalls that there are different methods of analysis to evaluate the software’s security posture. The analyst wants to assess the software’s running state to identify potential vulnerabilities during its execution. Considering the preference to evaluate the software in its running state and identify vulnerabilities during execution, which type of examination should the analyst primarily rely on?
A. Static code review
B. Manual penetration testing
C. Dynamic Analysis
D. Source code fingerprinting
** Correct Answer: C. Dynamic Analysis **
Dynamic analysis evaluates the software application in its running state and looks for vulnerabilities during its execution, which aligns with the analyst’s requirement in the scenario.
Static code review evaluates the software’s source code, bytecode, or application binaries without executing the software. While it is a valuable method, it does not meet the analyst’s preference to assess the software while running.
Manual penetration testing involves actively probing for vulnerabilities in a running application, but it is broader than just analyzing the software’s execution and can involve various techniques not limited to the software’s runtime behavior.
Source code fingerprinting identifies software components and their versions by analyzing the software’s source code.
A leading fintech company plans to migrate its primary financial application to a public cloud environment. Before the transition, the cloud security specialist reviews the application’s architecture to ensure its resistance against potential cloud-based application attacks. Given the specific vulnerabilities associated with cloud platforms, which attack method would be the MOST effective against a cloud-based application that has API rate limits, but has not completely secured its Application Programming Interface (API)?
A. Distributed denial of service (DDoS) against the cloud infrastructure
B. Brute force attack on application user accounts
C. Injection attack targeting the application’s API
D. Social engineering attack on cloud provider personnel
** Correct Answer: C. Injection attack targeting the application’s API **
APIs often act as gateways for data exchange in cloud-based applications. If not securely configured, they become vulnerable to injection attacks.
Distributed denial of service (DDoS) attacks primarily flood a system with unwanted traffic, causing it to become overwhelmed and unavailable to genuine users. DDoS attacks can disrupt the availability of the application by exhausting its resources or overwhelming its network.
A brute force attack is a trial-and-error method attackers use to obtain information such as a user password or personal identification number (PIN). In this approach, the attacker systematically submits all possible combinations in the hope of guessing correctly.
Social engineering attacks manipulate individuals into revealing confidential information or performing specific actions that may compromise security.
A company hires a team of penetration testers to evaluate the security posture of its newly developed web application. After a comprehensive analysis, the testers submit their findings, detailing potential vulnerabilities. The company’s security officer reviews the report and contemplates the essential differences between how threat actors and penetration testers would exploit the identified vulnerabilities. What distinct motive differentiates a professional penetration tester from a threat actor when it comes to exploiting vulnerabilities in a system?
A. Penetration testers aim to damage or disrupt the system.
B. Threat actors provide a detailed report of their findings.
C. Penetration testers identify vulnerabilities improving security.
D. Threat actors operate with permission to test the system.
** Correct Answer: C **
Penetration testers are professionals who evaluate the security posture of systems and networks. Their main goal is to identify vulnerabilities and recommend solutions to bolster security.
A cybersecurity analyst at a tech firm is integrating Open Source Intelligence (OSINT) methodologies into the company’s vulnerability management program. The analyst seeks to use publicly available information to understand potential threats better and improve the firm’s security posture. When the cybersecurity analyst integrates OSINT into the vulnerability management program, which will the analyst MOST likely prioritize to maximize the effectiveness of the security framework? (Select the two best options.)
A. Monitoring deep web sources for threat indicators.
B. Automating system patch updates based on social media trends.
C. Analyzing publicly available forums for emerging threat patterns.
D. Upgrading the office router every time a new model is released.
** Correct Answer: A, C **
Open Source Intelligence (OSINT) is a method of gathering information from the public or other open sources, which can be used by security experts, national intelligence agencies, or cybercriminals.
A large corporation is evaluating potential hardware suppliers and service providers for its new data center expansion. The IT team aims to select vendors that adhere to security best practices to minimize vulnerabilities. When assessing the security posture of hardware suppliers and service providers, which factors are essential for the corporation to consider to ensure reduced vulnerabilities in its data center operations? (Select the two best options.)
A. Supply chain verification processes in place
B. Number of data centers the supplier operates
C. Hardware components’ origin transparency
D. Annual revenue of the service provider
** Correct Answer: A, C **
Ensuring suppliers have robust supply chain verification helps confirm the integrity of products, reducing the chances of counterfeit or tampered goods introducing vulnerabilities.
Knowing the “where and how” of the hardware components provides insights into their quality and security. A transparent origin can suggest a lesser likelihood of embedded vulnerabilities or malicious alterations.
While a larger operational scale might indicate experience, it does not directly correlate with the supplier’s security posture or potential vulnerabilities in products or services.
A security analyst at a large corporation initiates a vulnerability scan on the company’s web application. Upon completion, the results show several potential vulnerabilities. One of these vulnerabilities, identified as “Potential SQL Injection,” is a concern. However, after further inspection, the analyst realizes this vulnerability does not exist in the application and the scanner has made an error. Given the scenario above, what term BEST describes the vulnerability scanner’s identification of the “Potential SQL Injection” that does not exist in the application?
A. True negative
B. False positive
C. False negative
D. True positive
** Correct Answer: B **
A vulnerability scanner gives a false positive when it flags a vulnerability the system does not have. In this scenario, the scanner flagged a “Potential SQL Injection,” but after manual inspection, the analyst confirmed it as not a genuine vulnerability.
A true negative happens when a vulnerability scanner correctly confirms the absence of a vulnerability. In this scenario, however, the scanner incorrectly flagged a vulnerability.
A scanner produces a false negative when it misses a genuine vulnerability. This result does not apply since the scanner incorrectly flagged a non-existent vulnerability.
A true positive occurs when a vulnerability scanner correctly flags an existing vulnerability. However, in this scenario the scanner incorrectly identified the “Potential SQL Injection.”
An organization’s security analyst joins two information-sharing organizations to enhance the company’s vulnerability management strategy. These organizations promise to share real-time threat intelligence, best practices, and resources. In the context of vulnerability management, which primary advantages do information-sharing organizations offer to improve an organization’s security posture? (Select the two best options.)
A. It provides real-time threat intelligence feeds tailored to industry specifics.
B. It automatically patches vulnerabilities without human intervention.
C. It facilitates collaboration and exchange of best practices among member organizations.
D. It ensures the organization becomes immune to future vulnerabilities.
** Correct Answer: A, C **
Information-sharing organizations often curate and deliver real-time threat intelligence feeds for specific industries, ensuring organizations stay aware and ready for relevant potential threats.
Information-sharing organizations foster a collaborative environment as a core benefit, enabling member entities to share and learn best practices from each other, enhancing integrity.
A software development company has recently integrated new tools for dependency analysis and Software Bill of Materials (SBOM) into its development pipeline. The security team ensures that these tools effectively identify and manage vulnerabilities. When leveraging dependency analysis and SBOM tools in a software development environment, which key factors should the security team prioritize to address potential vulnerabilities more efficiently? (Select the two best options.)
A. Recognizing outdated software dependencies
B. Tracking the frequency of software updates
C. Identifying undisclosed open-source components
D. Calculating the software’s runtime speed
** Correct Answer: A, C **
Outdated dependencies can introduce vulnerabilities if they are not patched or updated. Dependency analysis tools help identify these outdated components.
Many software vulnerabilities arise from undisclosed open-source components, which may not undergo the same rigorous security testing. SBOM tools can identify such components so that the potential risks can be addressed.
While regular updates might indicate active maintenance, the frequency alone does not measure the software’s vulnerability status or the effectiveness of the updates in addressing security concerns.
You’ve hired a third-party to gather information about your company’s servers and data. The third-party will not have direct access to your internal network but can gather information from any other source.
Which of the following would BEST describe this approach?
A. Backdoor testing
B. Passive footprinting
C. OS fingerprinting
D. Partially known environment
** Correct Answer: B. Passive footprinting **
If a third party is gathering information about your company’s servers and data without direct access to your internal network, this approach is best described as “passive reconnaissance,” meaning they are collecting information from publicly available sources like websites, social media, and domain registrations, rather than actively probing your network for vulnerabilities.
Which of these protocols uses TLS to provide secure communication? (Select TWO)
A. HTTPS
B. SSH
C. FTPS
D. SNMPv2
E. DNSSEC
F. SRTP
** Correct Answer: A. HTTPS & C. FTPS **
TLS (Transport Layer Security) is a cryptographic protocol used to encrypt network communication. HTTPS is the Hypertext Transfer Protocol over TLS, and FTPS is the File Transfer Protocol over TLS.
An earlier version of TLS is SSL (Secure Sockets Layer). Although we don’t commonly see SSL in use any longer, you may see TLS communication colloquially referenced as SSL.
Scenario:
Identify and Revert the Security Features
* List security features that the technician might have disabled or loosened, which need reverting to their original settings.
YOUR SHOPPING CART!
We couldn’t process your order at this time.
* If you encounter this message more than once, please contact us, and we will do our best to help you.
After noticing several disabled security features on the company’s web server, what actions should the security analyst take to reestablish the fundamental security protections of the server?
Re-enable Firewall
Re-enable Intrusion Detection System
Update Antivirus Definitions
Revert to HTTPS from HTTP
Rotate Encryption Keys
** Correct Answer:
- Re-enable Firewall
- Re-enable Intrusion Detection System
- Update Antivirus Definitions
- Revert to HTTPS from HTTP
- Rotate Encryption Keys
**
Scenario:
Tighten Access Controls
* Provide examples of how the company should tighten the access controls on the web server.
YOUR SHOPPING CART!
We couldn’t process your order at this time.
* If you encounter this message more than once, please contact us, and we will do our best to help you.
To secure the web server after noticing an oversight symbol indicating improper configurations, which steps should the security analyst implement to tighten access controls?
Enforce Strict Password Policies
Implement Role-Based Access Control (RBAC)
Implement Network Segmentation
Set up a Whitelist of IP Addresses for the Admin Panel
Review and Update Access Permissions Regularly
** Correct Answer:
- Enforce Strict Password Policies
- Implement Role-Based Access Control (RBAC)
- Implement Network Segmentation
- Set up a Whitelist of IP Addresses for the Admin Panel
**
Scenario:
Audit and Documentation
* Describe the steps to audit the system’s current configuration and how to document the reconfiguration process.
YOUR SHOPPING CART!
We couldn’t process your order at this time.
* If you encounter this message more than once, please contact us, and we will do our best to help you.
In reviewing the configurations on a computer, what steps should the security analyst undertake to effectively audit the current configurations and properly document the changes made?
Review Logs to Identify Changes
Document Detailed Change Log and Rationale
Perform a Risk Assessment
Conduct Penetration Testing
Compare Current Configuration with Known-Good Baseline
** Correct Answer:
- Review Logs to Identify Changes
- Document Detailed Change Log and Rationale
- Conduct Penetration Testing
- Compare Current Configuration with Known-Good Baseline
**
Scenario:
Future Prevention
* Recommend measures the company could take to prevent similar situations from happening in the future.
YOUR SHOPPING CART!
We couldn’t process your order at this time.
* If you encounter this message more than once, please contact us, and we will do our best to help you.
What proactive steps should the company establish to prevent similar security oversights in the future?
Implement a Change Management Process
Enforce Regular Training for Support Staff
Conduct Regular Data Backups
Establish Incident Response Plan
Implement Configuration Management
** Correct Answer:
- Implement a Change Management Process
- Enforce Regular Training for Support Staff
- Implement Configuration Management
**
The IT team in a large company has recently completed a comprehensive inventory of all hardware, software, and data assets. The team is also in charge of asset tracking for the company. The team leader, concerned about maintaining effective security, is trying to understand how proper asset management relates to security.
Which practices would directly contribute to enhancing the company’s security posture through effective asset management and tracking? (Select the two best options.)
A. Perform regular audits of asset inventory
B. Store passwords in plain text on a secure server
C. Implement network segmentation
D. Establish a policy for the disposal of outdated software
** Correct Answer: A, D **
Regular audits of the asset inventory play a critical role in enhancing security as they enable the identification of unauthorized assets, assurance of compliance, and detection of vulnerable or at-risk assets.
Implementing a policy for disposing of outdated software bears significance as it prevents the potential exploitation of out-of-date and possibly unpatched software.
Despite the security of a server, storing passwords in plain text is not a secure practice due to the immediate accessibility of the passwords if a server compromise occurs.
While network segmentation is a beneficial security practice, it does not directly relate to managing or tracking hardware, software, and data assets.
In the event of a significant disruption, such as a natural disaster or a major cyberattack, the IT director has highlighted the need for robust Business Continuity Planning (BCP). The director stresses that the key priority is to guarantee that essential operations can continue with minimal downtime. According to the IT director’s emphasis, what is the primary goal of BCP in safeguarding the organization’s vital functions?
A. Critical business processes remain operational during and after disruptions
B. Establish secure connections between all of the office locations
C. Must include detecting and responding to any unauthorized system access
D. For business continuity, encrypt sensitive company data stored in databases
** Correct Answer: A **
BCP maintains the continuity of essential business functions in the face of disruptions, whether due to natural disasters, cybersecurity incidents, or other unforeseen challenges.
Although secure connections are essential for data protection and integrity, they do not represent the primary goal of BCP. This aspect is more related to secure networking and remote access policies.
A large technology company has recently experienced a significant system failure due to a cyberattack. The chief information security officer (CISO) is conducting a post-incident review to identify ways to improve the organization’s resilience and recovery capabilities. The CISO wants to focus on strategies that could have prevented the system downtime or minimized its duration and impact. From a resilience and recovery standpoint in security architecture and continuity of operations planning (COOP), which of the following strategies would the CISO MOST likely recommend implementing to enhance the organization’s ability to prevent or quickly recover from similar incidents in the future? (Select the two best options.)
A. Expanding the IT team with more developers
B. Investing in a stronger firewall system
C. Establishing a redundant data center
D. Implementing a detailed incident response plan
** Correct Answer: B, D **
An organization can notably strengthen its resilience and recovery capabilities by establishing a redundant data center. The redundant site swiftly takes over operations in case of a system failure or cyberattack, reducing downtime.
Formulating a detailed incident response plan is key to guaranteeing an effective, coordinated response to incidents. This plan specifies the procedures for identifying, reacting to, and recovering from security incidents.
While recruiting more developers could amplify an organization’s capacity to manage and improve its systems, it does not directly impact resilience and recovery in the context of a COOP.
Though enhancing firewall systems can fortify an organization’s capacity to fend off certain cyberattacks, it does not directly contribute to resilience and recovery.
A leading financial institution is enhancing its security infrastructure by revising user access controls. The IT department, in collaboration with the security team, deliberates on the essential principles to guide their implementation efforts. A primary focus is on ensuring proper authentication and authorization mechanisms are in place. Which of the following measures should the IT department integrate to ensure users are both authenticated and authorized before gaining access to sensitive resources? (Select the two best options.)
A. Implementing multifactor authentication (MFA)
B. Assigning role-based access controls (RBAC)
C. Using a single shared password for all users
D. Relying on facial recognition for guest users
** Correct Answer: A, B **
MFA requires users to present several identification types before they gain access, enhancing the authentication process. MFA requires at least two of the following factors to verify the identity of a user: something you know, something you have, something you are, somewhere you are, and something you do.
RBAC grants access to resources based on a user’s role within the organization, ensuring users only access what their job function needs.
Shared passwords diminish authentication’s granularity and introduce a significant security risk since they do not differentiate between users, complicating the assurance of proper authorization.
Using facial recognition as the only authentication for guest users is problematic, especially without other authentication measures. Guest users often lack the right authorization mechanisms.
A multinational corporation wants to ensure the security of its digital assets. The IT department focuses on refining its hardware and software asset management practices as part of its initiative. They analyze the potential security implications associated with properly managing these assets to guide their actions. Which actions contribute directly to improved security through effective hardware and software asset management in securing digital assets?
(Select the two best options.)
A. Regularly updating software to the latest versions
B. Ensuring every workstation has a dual-monitor setup
C. Tracking and documenting all hardware assets in a centralized inventory system
D. Installing multiple antivirus tools on each system
** Correct Answer: A, C **
By patching known vulnerabilities, the IT department directly minimizes the attack surface and deters attackers from exploiting weak points in the system. This proactive measure acts as a first line of defense against potential threats.
By actively identifying unapproved or suspicious devices on the network in real time, the IT department enhances the security posture and mitigates risks associated with unauthorized devices.
A healthcare organization stores sensitive patient information. The data protection officer (DPO) wants to implement strategies to manage these data assets effectively, ensuring they remain secure from unauthorized access. Which strategies should the DPO employ to understand and enhance the security posture of the data assets and ensure the organization adheres to best practices in data asset management? (Select the two best options.)
A. Conduct regular data audits
B. Implement data classification based on sensitivity
C. Increase the volume of data storage
D. Purchase new servers for faster data retrieval
** Correct Answer: A, B **
Organizations use regular audits to identify the location of their data storage, determine who has access, and assess if they adequately protect it. This proactive approach allows for early detection of vulnerabilities.
An IT security consultant is reviewing the advanced data protection strategies of a multinational corporation. The corporation recently experienced a significant data breach that affected one of its primary databases, leading to significant downtime and a loss of trust among its stakeholders. The consultant notes that while the company has robust preventive measures, its resilience and recovery procedures need enhancement. Based on the importance of resilience and recovery in security architecture, which of the following strategies would the consultant MOST likely recommend to prevent excessive downtime and loss of stakeholder trust?
A. Implement a redundant data storage solution with automated failover capabilities
B. Increase the frequency of employee cybersecurity training sessions
C. Deploy additional intrusion prevention systems at all network entry points
D. Purchase and install the latest antivirus software for all end-user devices
** Correct Answer: A **
Redundant data storage ensures data availability even if one storage medium fails. Automated failover further ensures uninterrupted service by rerouting traffic or processes to a backup system in the event of a failure.
A data center manager is evaluating the resilience and recovery capabilities of the company’s server room. The manager wants to ensure that in the event of power fluctuations or outages, the company’s servers remain operational and maintain data integrity. The manager focuses on the role of power distribution units (PDUs) and Uninterruptible Power Supplies (UPSs) in this context. In enhancing the resilience and recovery capabilities of the server room concerning power interruptions, which primary function does the UPS provide to the servers that directly support this goal?
A. It distributes the power to multiple servers simultaneously.
B. It filters the power, removing noise and surges.
C. It provides temporary power to prevent data loss.
D. It monitors the power usage, alerting for overconsumption.
** Correct Answer: C **
A UPS provides temporary power during an outage, ensuring that servers can undergo a graceful shutdown without data loss or continue running until backup generators take over. This function is critical for resilience and recovery as it prevents sudden power loss, leading to data corruption.
While PDUs distribute power to multiple devices, their primary function is not to provide resilience during power interruptions.
A global finance company faced a massive cyberattack. The attacker successfully bypassed perimeter defenses and encrypted a significant portion of the company’s stored financial records. The company’s incident response team quickly intervened, neutralizing the threat. Now, the chief information security officer (CISO) focuses on implementing strategies to enhance resilience and ensure a rapid recovery should a similar event occur. Considering the company’s recent incident and its determination to bolster resilience and advanced data protection, which of the following actions should the CISO prioritize to MOST directly ensure the organization can efficiently recover from similar cybersecurity events in the future?
A. Implementing an advanced intrusion detection system (IDS)
B. Regularly testing and updating data backup and recovery solutions
C. Introducing more comprehensive employee cybersecurity training programs
D. Increasing the frequency of penetration testing exercises
** Correct Answer: C **
Teams regularly test and update data backup and recovery solutions to ensure resilience and rapid recovery after a cybersecurity incident. This practice allows efficient data restoration after an attack, reducing downtime and operational impact.
An intrusion detection system plays a critical role in identifying potential security breaches. However, it serves mainly as a detection measure and does not address post-incident recovery directly.
Employee cybersecurity training actively prevents future incidents but does not offer a solution for system restoration or recovery after an incident.
Teams use penetration testing exercises to discover vulnerabilities and strengthen the organization’s defenses. However, these exercises do not focus directly on recovery procedures after a cybersecurity incident.