Sample Exam 1 Flashcards

Question

An internal audit has discovered four servers that have not been updated in over a year, and it will take two weeks to test and deploy the latest patches. Which of the following would be the best way to quickly respond to this situation in the meantime? ❍ A. Purchase cybersecurity insurance ❍ B. Implement an exception for all data center services ❍ C. Move the servers to a protected segment ❍ D. Hire a third-party to perform an extensive audit

Answer 1

The Answer: C. Move the servers to a protected segment Segmenting the servers to their own protected network would allow for additional security controls while still maintaining the uptime and availability of the systems. The incorrect answers: A. Purchase cybersecurity insurance Cybersecurity insurance can help plan for financial issues during a significant attack, but it wouldn't provide any assistance for mitigating potential vulnerabilities during this two week period. B. Implement an exception for all data center services Security exceptions should be rare, and they should be very specific to a small number of systems. It would be risky to create a broad security exception for systems which are not in-scope for the identified vulnerability. D. Hire a third-party to perform an extensive audit Audits take time, and hiring a third-party to perform an audit takes even longer. By the time a third-party audit was underway, the problematic systems would have already been tested and patched.

Answer 2

The Answer: B. Continuity of operations It's always useful to have an alternative set of processes to handle any type of outage or issue. Continuity of operations planning ensures that the business will continue to operate when these issues occur. The incorrect answers: A. Platform diversity Using different operating systems and platforms can help mitigate issues associated with a single OS, but it wouldn't provide any mitigation if the primary Internet connection was no longer available. C. Cold site recovery A cold site takes time to build, and the time and expense associated with a disaster recovery switchover would be extensive. By the time a cold site was enabled, the primary Internet connection may already be restored and many alternative recovery options could have potentially been deployed. D. Tabletop exercise A tabletop exercise usually consists of a meeting where members of a recovery team or disaster recovery talk through a disaster scenario.

Answer 3

The Answer: A. Access control vestibule An access control vestibule is a room designed to restrict the flow of individuals through an area. These are commonly used in high security areas where each person needs to be evaluated and approved before access can be provided. The incorrect answers: B. Video surveillance Although video surveillance can assist with monitoring access to a building or room, it doesn't provide a way to validate the credentials of each visitor. C. Pressure sensors Pressure sensors are commonly used on doors or windows to detect movement in those devices. However, pressure sensors would not be used to check visitor credentials. D. Bollards Bollards and barricades are often used on the exterior of a facility to prevent access to motorized vehicles and channel people through a specific access location.

Answer 4

The Answer: B. Record Record-level encryption is commonly used with databases to encrypt individual columns within the database. This would store some information in the database as plaintext and other information as encrypted data. The incorrect answers: A. Full-disk Full-disk encryption ensures that all data on a storage drive is protected. Full-disk encryption protects all data on the drive, and none of the information would remain as the original plaintext. C. Asymmetric Asymmetric encryption uses a public and private key pair to encrypt data. Asymmetric encryption does not store some information as plaintext and other information as encrypted data. D. Key escrow Key escrow describes the storage and management of decryption keys by a third-party. Key escrow does not determine which data is selected for encryption or the method of encryption.

Answer 5

The Answer: C. Journaling Journaling writes data to a temporary journal before writing the information to the database. If power is lost, the system can recover the last transaction from the journal when power is restored. The incorrect answers: A. Encryption Encryption would provide confidentiality of the data, but it would not provide any additional integrity features if power was lost. B. Off-site backups Off-site backups can be used to recover a corrupted database, but this does not minimize or prevent database corruption from occurring. D. Replication Replication is used to create a duplicate copy of data. Although this process does provide a backup, it doesn't add any additional integrity and could still potentially corrupt data if power is lost.

Answer 6

The Answer: D. MDM An MDM (Mobile Device Manager) provides a centralized management system for all mobile devices. From this central console, security administrators can set policies for many different types of mobile devices. The incorrect answers: A. Segmentation Segmentation describes the separation of user data from company data, but the implementation all policies is managed by the MDM. B. Biometrics Biometrics can be used as another layer of device security, but you need more than biometrics to implement the required security policies in this question. C. COPE A device that is COPE (Corporately Owned and Personally Enabled) is commonly purchased by the corporation and allows the use of the mobile device for both business and personal use. The use of a COPE device does not provide any policy management of the device.

Answer 7

The Answer: D. False negative A false negative is a result that fails to detect an issue when one actually exists. The incorrect answers: A. Exploit An exploit is an attack against a vulnerability. Vulnerability scans do not commonly attempt to exploit the vulnerabilities that they identify. B. Compensating controls Compensating controls are used to mitigate a vulnerability when an optimal security response may not be available. For example, if a company can't deploy a patch for a vulnerability, they can revoke or limit application access until a patch is provided. C. Zero-day attack A zero-day attack focuses on previously unknown vulnerabilities. In this example, the vulnerability scan isn’t an attack, and the vulnerabilities are already known and patches are available.

Answer 8

The Answer: A. Escalation Automation can recognize security events and escalate a security-related ticket to the incident response team without any additional human interaction. The incorrect answers: B. Guard rails Guard rails are used by application developers to provide a set of automated validations to user input and behavior. Guard rails are not used by the help desk team. C. Continuous integration Continuous integration and testing provides an automated method of constantly developing, testing, and deploying code. The continuous integration process is not used by the help desk. D. Resource provisioning Resource provisioning can be automated during the on-boarding and off-boarding process to quickly create or remove rights and permissions. Resource provisioning is not commonly part of the automation associated with security event notification.

Answer 9

The Answer: B. 802.1X 802.1X uses a centralized authentication server, and this allows all users to use their corporate credentials during the login process. The incorrect answers: A. WPA3 WPA3 (Wi-Fi Protected Access 3) is an encryption protocol for 802.11 wireless networking. The WPA3 encryption itself does not include the centralized authentication process described in this question. C. PSK PSK (Pre-Shared Key) is a wireless configuration option that allows everyone on the network to use the same access key or password when connecting to the wireless network. This question requires each person to use unique authentication credentials. D. MFA MFA (Multifactor Authentication) describes the use of multiple types of authentication checks. A username and password is a single factor (something you know), and the use of MFA does not itself require unique username and password credentials for each user.

Answer 10

The Answer: D. Configuration enforcement A posture assessment evaluates the configuration of a system to ensure all configurations and applications are up to date and secure as possible. If a configuration does not meet these standards, the user is commonly provided with options for resolving the issue before proceeding. The incorrect answers: A. Encryption Encryption is an important part of a VPN (Virtual Private Network), but the encryption of network data is not related to the posture assessment process. B. Decommissioning It's important to properly manage data during any decommissioning process, but the decommissioning isn't part of the VPN login process. C. Least privilege Least privilege describes the minimum rights and permissions that would allow an individual to perform their job function. Least privilege is not part of a posture assessment.

Answer 11

The Answer: A. Discretionary Discretionary access control is used in many operating systems, and this model allows the owner of the resource to control who has access. The incorrect answers: B. Mandatory Mandatory access control allows access based on the security level assigned to an object. Only users with the object’s assigned security level or higher may access the resource. C. Attribute-based Attribute-based access control combines many different parameters to determine if a user has access to a resource. D. Role-based Role-based access control assigns rights and permissions based on the role of a user. These roles are usually assigned by group.

Answer 12

The Answer: D. Smishing Smishing, or SMS (Short Message Service) phishing, is a social engineering attack that asks for sensitive information using SMS or text messages. The incorrect answers: A. Brute force A brute force attack tries multiple password combinations in an effort to identify the correct authentication details. B. Watering hole A watering hole attack will infect a third-party site visited by the victim. Watering hole attacks are not commonly associated with received text messages. C. Typosquatting Typosquatting uses a misspelling of a domain name to convince victims they are visiting a legitimate website. The information provided in this question does not provide any specific domain names or links.

Answer 13

The Answer: D. Development lifecycle A formal software development lifecycle defines the specific policies associated with the design, development, testing, deployment, and maintenance of the application development process. The incorrect answers: A. Business continuity Business continuity plans define the procedures used when the primary business systems are unavailable. The business continuity process is not commonly associated with the application development process. B. Acceptable use policy An acceptable use policy formally defines the proper use of company assets and technology devices. C. Incident response Incident response policies define the procedures to follow when a security incident is identified. Incident response is not part of the application development process

Answer 14

The Answer: D. Containment The isolation and containment process prevents malware from spreading and allows the administrator to analyze the operation of the malware without putting any other devices at risk. The incorrect answers: A. Eradication The eradication phase is associated with completely removing malware from a system. This process usually involves removing all data from a system and installing or re-imaging with a known-good operating system. B. Preparation The preparation process occurs before a security incident is discovered, and it can include the documentation of communication methods, the compiling of mitigation software, or gathering network and application documentation. C. Recovery The recovery phase is associated with the recovery of a system after a security incident. Running malware in a sandbox is not part of the recovery process.

Answer 15

The Answer: D. DNS poisoning A DNS poisoning can modify a DNS server to modify the IP address provided during the name resolution process. If an attacker modifies the DNS information, they can direct client computers to any destination IP address. The incorrect answers: A. Deauthentication Deauthentication attacks are commonly associated with wireless networks. The deauthentication attack is used to remove devices from the wireless network, and it does not commonly redirect clients to a different website. B. DDoS A DDoS (Distributed Denial of Service) is used by attackers to cause services to be unavailable. In this example, the bank's website is operational but clients are not resolving the correct IP address. C. Buffer overflow Buffer overflows are associated with application attacks and can cause applications to crash or act in unexpected ways. A buffer overflow would not commonly redirect clients to a different website IP address.

Answer 16

The Answer: C. Network protection mismatches A hybrid cloud includes more than one private or public cloud. This adds additional complexity to the overall infrastructure, and it's common to inadvertently apply different authentication options and user permissions across multiple cloud providers. The incorrect answers: A. Microservice outages Microservices are used to create a scalable and resilient application instance. However, the availability of a microservice is not specific to a hybrid cloud model. B. IoT support IoT (Internet of Things) support is available in many cloud infrastructure models, and this would not be specific to a hybrid cloud. D. Containerization backups Containerization provides an efficient method of deploying application instances, but the use and backup of these containers is not specific to a hybrid cloud infrastructure.

Answer 17

The Answer: C. Validate the offboarding processes and procedures The disabling of an employee account is commonly part of the offboarding process. One way to validate an offboarding policy is to perform an audit of all accounts and compare active accounts with active employees. The incorrect answers: A. Confirm that no unauthorized accounts have administrator access It’s always a good idea to periodically audit administrator accounts, but this audit won’t provide any validation that all former employee accounts have been disabled. B. Validate the account lockout policy Account lockouts occur when a number of invalid authentication attempts have been made to a valid account. Disabled accounts would not be locked out because they are not currently valid accounts. D. Create a report that shows all authentications for a 24-hour period A list of all authentications would be quite large, and it would not be obvious to see which authentications were made with valid accounts and which authentications were made with former employee accounts.

Answer 18

The Answer: A. Risk appetite A risk appetite is a broad description of how much risk-taking is deemed acceptable. An organization's risk appetite posture might be conservative, or they might be more expansionary and willing to take additional risks. The incorrect answers: B. Risk register A risk register identifies and documents the risks associated with each step of a project plan. A risk register is not designed to describe an organization's level of caution associated with each risk. C. Risk transfer Some organizations will transfer their risk to a third-party. For example, many organizations will purchase cybersecurity insurance to minimize the financial impact of a cybersecurity event. D. Risk reporting Risk reporting is the formal process of identifying risk and documenting all details associated with the risk. These reports are commonly designed for the decision making process by the senior management of an organization.

Answer 19

The Answer: B. Follow the steps listed in the backout plan The backout plan associated with the change control process provides information on reverting to the previous configuration if an unrecoverable error is found during the change. The incorrect answers: A. Contact the stakeholders regarding the outage The stakeholders don't commonly require a detailed notification of every step during the maintenance window. The final disposition of the change can be communicated to the stakeholders after the maintenance window has concluded. C. Test the upgrade process in the lab The testing phase of the change control process takes place prior to the maintenance window. Once the maintenance window has started, it's too late to perform any additional tests in the lab. D. Evaluate the impact analysis associated with the change An impact analysis determines the risk for making the proposed change. This analysis is created prior to the change control approval, and it would not be very useful when troubleshooting during the maintenance window.

Answer 20

The Answer: D. DDoS A DDoS (Distributed Denial of Service) is an attack that overwhelms or disables a service to prevent the service from operating normally. Packets from multiple devices that disable a server would be an example of a DDoS attack. The incorrect answers: A. Privilege escalation A privilege escalation attack allows a user to exceed their normal rights and permissions. In this example, user permission escalations were not required to perform this attack. B. SQL injection A SQL (Structured Query Language) injection is used to circumvent an application and communicate directly to the application's database. In this question, there was no mention of application vulnerabilities or specific SQL statements. C. Replay attack A replay attack captures information and then replays that information as the method of attack. In this question, no mention was made of a prior data capture.

Answer 21

The Answer: C. Recovery The recovery after a breach can be a phased approach that may take months to complete. The incorrect answers: A. Lessons learned Once the event is over, it’s useful to revisit the process to learn and improve for next time. B. Containment During an incident, it’s useful to separate infected systems from the rest of the network. D. Analysis The analysis phase can include the analysis of log files and alerts. These data source can help warn of a potential attack or evidence an attack is underway.

Answer 22

The Answer: D. Misconfiguration There are many different configuration options when installing an access point, and it's likely one of those options allowed an attacker to gain access to the internal network. The incorrect answers: A. Race condition A race condition occurs when two different application processes are executing simultaneously. If the two processes are not aware of each other, the application may have unexpected results. In this example, there's no evidence the access points were experiencing a race condition. B. Jailbreaking Jailbreaking replaces the firmware on a mobile device to gain access to features not normally available in the operating system. Jailbreaking is not commonly associated with wireless access points. C. Impersonation Impersonation is an attacker pretending to be someone or something they are not. In this example, there's no evidence that impersonation was used to breach the wireless network.

Answer 23

The Answer: A. End-of-life Because the firewall is no longer available for sale, the firewall company has decided to stop supporting and updating the device. A product no longer supported by the manufacturer is consider to be end-of-life. The incorrect answers: B. Improper input handling A best practice for application security is to provide the proper handling of invalid or unnecessary input. A missing patch for the firewall firmware would not be related to input handling. C. Improper key management Cryptographic keys can be used for many security purposes, but managing those keys isn’t part of the patching process from a vendor. D. Incompatible OS The operating system in the firewall would normally be supported by the manufacturer, and the operating systems are not commonly modified on a purpose-built device such as a firewall.

Answer 24

The Answer: D. Tabletop exercise A tabletop exercise allows a disaster recovery team to evaluate and plan disaster recovery processes without performing a full-scale drill. The incorrect answers: A. Capacity planning Capacity planning is used to determine how many resources would be required for a particular task. A formal tabletop exercise would not commonly include a capacity planning analysis. B. Business impact analysis A business impact analysis is usually created during the disaster recovery planning process. Once the disaster has occurred, it becomes much more difficult to complete an accurate impact analysis. C. Continuity of operations If an outage occurs, it's common to have a backup plan to provide continuity of operations. This plan can be used for any significant outage and is not specific to disaster recovery testing.

Answer 25

The Answer: C. DNS filtering DNS filtering uses a database of known malicious websites to resolve an incorrect or null IP address. If a user attempts to visit a known malicious site, the DNS resolution will fail and the user will not be able to visit the website. The incorrect answers: A. Honeynet A honeynet is a non-production network created to attract attackers. A honeynet is not used to block traffic to known malicious Internet sites. B. Data masking Data masking provides a way to hide data by substitution, shuffling, encryption, and other methods. Data masking does not provide a method of blocking communication to malicious websites. D. Data loss prevention Data Loss Prevention (DLP) systems can identify and block private information from being transferred between systems. DLP does not provide any direct method of blocking network traffic to known malware repositories.

Answer 26

The Answer: B. Recovery The recovery phase describes the process of returning the system and data to the state prior to the malware infection. With a malware infection, this often requires deleting all data and reinstalling a known-good operating system. The incorrect answers: A. Lessons learned A post-incident meeting can help the incident response participants discuss the phases of the incident that went well and which processes can be improved for future events. C. Detection The detection of the malware is an early phase in the incident response process. If the administrator is imaging a system, the malware was previously detected and any critical documents were already recovered. D. Containment The containment phase isolates the system from any other devices to prevent the spread of any malicious software. The containment phase generally occurs immediately after

Answer 27

The Answer: D. Hardening The hardening process for an industrial SCADA (Supervisory Control and Data Acquisition) system might include network segmentation, additional firewall controls, and the implementation of access control lists. The incorrect answers: A. Load balancing A load balancer is used to distribute transactions across multiple systems. A single system was the only device referenced in this question, so a load balancing option would not be available. B. Least privilege Least privilege defines the minimum rights and permissions for completing a specific task. In this example, there was no mention of specific tasks or their necessary permissions. C. Data retention Data retention is important for long-term storage of important information. In this example, the mandated storage of data was not a consideration.

Answer 28

The Answer: C. Brute force A brute force attack discovers password by attempting a large combination of letters, numbers, and special characters until a match is found. In this example, the notification of over four hundred attempts would qualify as a brute force attack. The incorrect answers: A. Spraying A spraying attack is similar to a brute force attack, but spraying limits the number of attempts to prevent alerts or an account lockout. A spraying attack often uses accounts passwords stolen from other sites or a short list of the most common passwords. B. Downgrade A downgrade attack is often used to force an insecure encryption algorithm or the disabling of encryption entirely. In this example, no evidence of a downgrade attack is contained in the security log. D. DDoS A DDoS (Distributed Denial of Service) would involve many different devices to cause a system outage. In this example, a single IP address was logged and there was no evidence of a service outage.

Answer 29

The Answer: B. Configuration enforcement Many organizations will perform a posture assessment during the login process to verify the proper security controls are in place. If the device does not pass the assessment, the system can be quarantined and any missing security updates can then be installed. The incorrect answers: A. Account lockout In this example, there were no errors or notifications regarding the account or authentication status. C. Decommissioning The decommissioning process is often used to permanently remove devices from the network. In this example, the laptop mitigation would allow the device to return to the network once the updates were complete. D. Sideloading Sideloading describes the installation of software on a mobile device through the use of third-party operating systems or websites.

Answer 30

The Answer: D. A Windows Domain requires a password and smart card The multiple factors of authentication for this Windows Domain are a password (something you know), and a smart card (something you have). The incorrect answers: A. A printer uses a password and a PIN A password and a PIN (Personal Identification Number) are both something you know, so only one authentication factor is used. B. The door to a building requires a fingerprint scan A biometric scan (something you are) is a single factor of authentication. C. An application requires a pseudo-random code Pseudo-random authentication codes are often provided using a hardware dongle or mobile app. This single factor of authentication is something you have.

Answer 31

The Answer: C. COPE A COPE (Corporate-owned, Personally Enabled) device would solve the issue of device standardization and would allow the device to be used for both corporate access and personal use. The incorrect answers: A. CYOD CYOD (Choose Your Own Device) allows the user to pick the make and model of their device. This would not solve the issue of different kinds of mobile devices used in the field. B. SSO SSO (Single Sign-On) is used to authenticate once when accessing multiple resources. SSO would not resolve any of the listed issues. D. BYOD With BYOD (Bring Your Own Device), the employee uses their personal device at work. This would not address the issue of mobile device management or standardization of mobile devices.

Answer 32

The Answer: A. Compensating A compensating security control doesn’t prevent an attack, but it does restore from an attack using other means. In this example, the UPS (Uninterruptible Power Supply) does not stop a power outage, but it does provide alternative power if an outage occurs. The incorrect answers: B. Directive A directive control provides security controls using instructions and guidance. A UPS is not categorized as a directive control. C. Deterrent A deterrent control discourages an intrusion attempt. A UPS is used after power has been lost, so it would not be categorized as a deterrent. D. Detective A detective control may not prevent access, but it can identify and record intrusion attempts.

Answer 33

The Answer: B. Blockchain The ledger functionality of a blockchain can be used to track or verify components, digital media, votes, and other physical or digital objects. The incorrect answers: A. Secure enclave A secure enclave is a protected area for secret information, and the secure enclave is often implemented as a hardware processor in a device. C. Hashing Cryptographic hashes are commonly used to provide integrity verifications, but they don't necessarily include any method of tracking components on an assembly line. D. Asymmetric encryption Asymmetric encryption uses different keys for encryption and decryption. Asymmetric encryption does not provide any method for tracking objects on an assembly line.

Answer 34

The Answer: D. Hacktivist A hacktivist is motivated by a particular philosophy, and their goal is to spread their message by defacing web sites and releasing private documents. The incorrect answers: A. Insider An insider has access to many company services, but the motivations of an insider threat would not commonly result in the posting of political information. B. Organized crime Organized crime actors are motivated by money. It would be unusual for an organized crime hack to include the posting of political messages. C. Shadow IT A shadow IT group is mostly interested in building their own systems and applications, and they would not commonly deface a website in an attempt to spread a specific political message.

Answer 35

The Answer: A. Verifies that the file was not corrupted during the file transfer Once the file is downloaded, the administrator can calculate the file’s SHA256 hash and confirm that it matches the value on the website. The incorrect answers: B. Provides a key for decrypting the ISO after download ISO files containing public information are usually distributed without any encryption, and a hash value would not commonly be used as a decryption key. C. Authenticates the site as an official ISO distribution site Although it’s important to download files from known good sites, providing a hash value on a site would not provide any information about the site’s authentication. D. Confirms that the file does not contain any malware A hash value doesn’t inherently provide any protection against malware.

Answer 36

The Answer: B. Biometric scanner A biometric scanner would require a person to be physically present to verify the authentication. The incorrect answers: A. USB security key A security key can be used to store a certificate on a USB (Universal Serial Bus) drive. The security key is commonly used as an authentication method for a user or application, and it doesn't provide any information about the location of the security key. C. PIN Although a PIN (Personal Identification Number) can be used as an authentication factor, the use of the PIN does not guarantee that a person is physically present. D. SMS SMS (Short Message Service), or text messages, are commonly used as authentication factors. However, the use of a mobile device to receive the SMS message does not guarantee that the owner of the mobile device is physically present.

Answer 37

The Answer: B. Open permissions Just like local systems, proper permissions and security controls are required when applications are installed to a cloud-based system. If permissions are not properly configured, the application data may be accessible by anyone on the Internet. The incorrect answers: A. Legacy software Legacy software often describes an older application with limited support options. The application and database in this example is a new installation and would not normally be categorized as legacy. C. Race condition If two processes occur simultaneously without coordination between the processes, unexpected results could occur. In this example, a single vulnerability scan has identified the issue and other processes do not appear to be involved. D. Malicious update A malicious update involves the installation of unwanted software during a normal update process. In this example, an update was not performed and the resulting public access would not generally be part of a malicious update.

Answer 38

The Answer: D. Phishing campaign A phishing campaign is an internal process used to test the security habits of the user community. An email with a link from a server not under the control of the company could be an email sent by the IT department as part of a phishing campaign. The incorrect answers: A. Watering hole attack A watering hole attack is used as an alternative to attacking a victim's device directly. With a watering hole attack, an attacker will compromise a site used by the victim and will simply wait for the victim to visit. B. Cross-site scripting Cross-site scripting takes advantage of the trust already existing in a web browser. In this example, there's no evidence of a vulnerable web application or a specific browser-based vulnerability. C. Zero-day A zero-day attack describes a vulnerability where a software patch or similar mitigation is not immediately available. A link in an email by itself does not describe a zero-day attack.

Answer 39

The Answer: B. Mitigate Mitigation is a strategy that decreases the threat level. This is commonly done through the use of additional security systems and monitoring, such as an NGFW (Next-Generation Firewall). The incorrect answers: A. Transfer Transferring risk would move the risk from one entity to another. Adding an NGFW would not transfer any risk to another party. C. Accept The acceptance of risk is a position where the owner understands the risk and has decided to accept the potential results. D. Avoidance With risk avoidance, the owner of the risk decides to stop participating in a high-risk activity. This effectively avoids the risky activity and prevents any future issues.

Answer 40

The Answer: B. Zero trust Zero trust describes a model where nothing is inherently trusted and everything must be verified to gain access. A central policy enforcement point is commonly used to implement a zero trust architecture. The incorrect answers: A. Public key infrastructure A public key infrastructure (PKI) uses public and private keys to provide confidentiality and integrity. Asymmetric encryption and digital signatures are used as foundational technologies in PKI. C. Discretionary access control. Discretionary access control is an authorization method where the owner of the data determines the scope and type of access. A discretionary access control model does not specifically define how the authorization is implemented. D. Federation Federation provides a way to manage authentication to a third-party database. Federation does not describe the use of a policy enforcement point.

Answer 41

The Answer: C. Responsibility matrix A cloud responsibility matrix is usually published by the provider to document the responsibilities for all cloud-based services. For example, the customer responsibilities for an IaaS (Infrastructure as a Service) implementation will be different than SaaS (Software as a Service). The incorrect answers: A. Playbook A playbook provides conditional steps to follow when managing an organization's processes and procedures. For example, the process of recovering from a virus infection would be documented in a playbook. B. Audit committee An audit committee oversees the risk management activities for an organization. For example, the committee would be responsible for verifying the security implementation documented in the responsibility matrix. D. Right-to-audit clause A right-to-audit clause is often included in a third-party contract to define the terms and conditions around periodic audits. This is often part of a larger product or services contract.

Answer 42

The Answer: D. Enumeration Enumeration describes the detailed listing of all parts in a particular device. For a computer, this could include the CPU type, memory, storage drive details, keyboard model, and more. The incorrect answers: A. Destruction Destruction involves physically damaging a device or component to prevent any future use or data access. Although the company may choose to destroy these computers at a later date, this question does not describe the destruction process. B. Sanitization Sanitization deletes data from storage media and allows the storage device to be used in the future. For example, a sector-by-sector format would sanitize a hard drive and allow the drive to be installed into another computer without the concern of a data breach. C. Certification If a third-party is providing destruction services, they often will certify the work and document which device serial numbers were destroyed as part of their service.

Answer 43

The Answer: A. Buffer overflow The results of a buffer overflow can cause random results, but sometimes the actions can be repeatable and controlled. In the best possible case for the hacker, a buffer overflow can be manipulated to execute code on the remote device. The incorrect answers: B. Replay attack A replay attack does not require the sending of more information than expected, and often a replay attack consists of normal traffic and expected application input. C. Cross-site scripting A cross-site scripting attack allows a third party to take advantage of the trust a browser might have with another website. This question involves an API call and does not appear to reference a browser or third-party website. D. DDoS A DDoS (Distributed Denial of Service) renders a service unavailable, and it involves the input of many devices to operate. A DDoS would not require sending more information than expected, and it rarely results in the execution of arbitrary code.

Answer 44

The Answer: A. Private With asymmetric encryption, the private key is used to decrypt information that has been encrypted with the public key. To ensure continued access to the encrypted data, the company must have a copy of each private key. The incorrect answers: B. CA A CA (Certificate Authority) key is commonly used to validate the digital signature from a trusted CA. This is not commonly used for user data encryption. C. Session Session keys are commonly used temporarily to provide confidentiality during a single session. Once the session is complete, the keys are discarded. Session keys are not used to provide long-term data encryption. D. Public In asymmetric encryption, a public key is already available to everyone. It would not be necessary to escrow a public key.

Answer 45

The Answer: C. Instant messaging Instant messaging is commonly used as an attack vector, and one way to help protect against malicious links delivered by instant messaging is a host-based firewall. The incorrect answers: A. Default credentials Users commonly login with unique credentials that are specific to the user. A host-based firewall would not identify the use of a default username and password. B. Vishing Vishing, or voice phishing, occurs over a phone or other voice communication method. A host-based firewall would not be able to protect against a voice-related attack vector. D. On-path A on-path attack describes a third-party in the middle of a communications path. The victims of an on-path attack are usually not aware an attack is taking place, so a host-based firewall would not be able to detect an on-path attack.

Answer 46

The Answer: D. Create separate VLANs for the corporate network and the manufacturing floor Creating VLANs (Virtual Local Area Networks) will segment a network without requiring additional switches. The incorrect answers: A. Connect the corporate network and the manufacturing floor with a VPN A VPN (Virtual Private Network) would encrypt all information between the two networks, but it would not provide any segmentation. This process would also commonly require additional hardware to provide VPN connectivity. B. Build an air gapped manufacturing floor network An air gapped network would require separate physical switches on each side of the gap, and this would require the purchase of an additional switch. C. Use host-based firewalls on each device While personal firewalls provide protection for individual devices, they do not segment networks. It’s also uncommon for personal firewalls to be installed on manufacturing equipment.

Answer 47

The Answer: D. SASE A SASE (Secure Access Service Edge) solution is a next-generation VPN technology designed to optimize the process of secure communication to cloud services. The incorrect answers: A. RTOS An RTOS (Real-time Operating System) is an OS designed for industrial equipment, automobiles, and other time-sensitive applications. B. CRL A CRL (Certificate Revocation List) is used to determine if a certificate has been administratively revoked. A CRL would not provide any remote access functionality. C. Zero-trust Zero-trust is a security strategy where all devices on the network are verified before connecting to another device. Zero-trust does not provide remote access functions.

Answer 48

The Answer: A. Suspicious message reports from users A security awareness campaign often involves automated phishing attempts, and most campaigns will include a process for users to report a suspected phishing attempt to the IT security team. The incorrect answers: B. An itemized statement of work A statement of work (SOW) is commonly used for service engagements. The SOW provides a list of deliverables for the professional services, and this list is often used to determine if the services were completed. C. An IaC configuration file An IaC (Infrastructure as Code) configuration file describes an infrastructure configuration commonly used by cloud-based systems. An IaC configuration file would not be used by a security awareness campaign. D. An acceptable use policy document An acceptable use policy (AUP) is defined by an employer to describe the proper use of technology and systems within an organization. The AUP itself is not part of a security awareness campaign.

Answer 49

The Answer: D. Change management The change management process includes a testing phase that can help identify potential issues relating to an application change or upgrade. The incorrect answers: A. Containerization Containerization is an efficient method of deploying application instances, but it doesn't provide any mitigation for security vulnerabilities. B. Data masking Data masking can be used to limit access to sensitive data, but it does not prevent the implementation of a security vulnerability. C. 802.1X 802.1X is a standard for port-based network access control, and it can help manage the authentication process of network users. 802.1X does not provide any mitigation for security vulnerabilities.

Answer 50

The Answer: A. Salting Adding random data, or salt, to a password when performing the hashing process will create a unique hash, even if other users have chosen the same password. The incorrect answers: B. Obfuscation Obfuscation is the process of making something difficult for humans to read or understand. The obfuscation process isn't commonly associated with adding random information to hashes. C. Key stretching Key stretching uses a cryptographic key multiple times for additional protection against brute force attacks. Key stretching by itself does not commonly add random data to the hashing process. D. Digital signature Digital signatures use a hash and asymmetric encryption to provide integrity of data. Digital signatures aren't commonly used for storing passwords.

Answer 51

The Answer: D. Digital signature A certificate authority will digitally sign a certificate to add trust. If you trust the certificate authority, you can therefore trust the certificate. The incorrect answers: A. Steganography Steganography is a technique for hiding information inside of another media type. Steganography is a method of obfuscating data and does not provide a method of adding trust to a certificate. B. Hash A hash can help verify that the certificate has not been altered, but it does not provide additional third-party trust. C. Symmetric encryption Symmetric encryption provides data confidentiality, but it doesn't add any additional trust to the encryption process.

Answer 52

The Answer: C. Automate the validation and patching of security issues SCAP (Security Content Automation Protocol) focuses on the standardization of vulnerability management across multiple security tools. This allows different tools to identify and act on the same security criteria. The incorrect answers: A. Train the user community to better identify phishing attempts Security awareness training is an important part of an overall security strategy, but the training process does not generally involve SCAP. B. Present the results of an internal audit to the board A presentation of audit results can provide important feedback, but the presentation itself does not generally use SCAP. D. Identify and document authorized data center visitors The identification and documentation process for visitors is an important security policy, but it does not generally require the use of SCAP.

Answer 53

The Answer: D. Data custodian The data custodian manages access rights and sets security controls to the data. The incorrect answers: A. Data processor The data processor manages the operational use of the data, but not the rights and permissions to the information. B. Data owner The data owner is usually a higher-level executive who makes business decisions regarding the data. C. Data subject The data subjects are the individuals who have their personal information contained in this customer information database.

Answer 54

The Answer: C. Expanded privacy compliance The labeling of data as private is often associated with compliance and confidentiality concerns. The incorrect answers: A. Minimized attack surface The categorization of data has little impact on the size of the potential attack surface associated with a system. B. Simplified categorization Adding additional categories would not commonly be considered a simplification. D. Decreased search time Adding additional classifications would not necessarily provide any decreased search times.

Answer 55

The Answer: A. Integrate an HSM An HSM (Hardware Security Module) is a high-end cryptographic hardware appliance that can securely store keys and certificates for all devices. The incorrect answers: B. Implement full disk encryption on the web servers Full-disk encryption would only protect the keys if someone does not have the proper credentials, and it won’t help consolidate all of the web server keys to a central point. C. Use a TPM A TPM (Trusted Platform Module) is used on individual devices to provide cryptographic functions and securely store encryption keys. Individual TPMs would not provide any consolidation of web server private keys. D. Upgrade the web servers to use a UEFI BIOS A UEFI (Unified Extensible Firmware Interface) BIOS (Basic Input/ Output System) does not provide any additional security or consolidation features for web server private keys.

Answer 56

The Answer: B. The alert was generated from an embedded script and C. The attacker’s IP address is 222.43.112.74 The details of the IPS (Intrusion Prevention System) alert show a script value embedded into JSON (JavaScript Object Notation) data. The IPS log also shows the flow of the attack with an arrow in the middle. The attacker was IP address 222.43.112.74 with port 3332, and the victim was 64.235.145.35 over port 80. The incorrect answers: A. The alert was generated from a malformed User Agent header The user agent information is provided as additional supporting data associated with the alert. The agent itself is not the cause of this alert. D. The attacker’s IP address is 64.235.145.35 The attacker’s IP address is listed first, so the victim's IP address is 64.235.145.35. E. The alert was generated due to an invalid client port number The port number associated with the client, 3332, is a valid port number and not associated with the cause of the alert.

Answer 57

The Answer: B. SLE SLE (Single Loss Expectancy) describes the financial impact of a single event. The incorrect answers: A. ALE ALE (Annual Loss Expectancy) is the financial loss over an entire 12-month period. C. RTO RTO (Recovery Time Objectives) define a set of objectives needed to restore a particular service level. D. ARO The ARO (Annualized Rate of Occurrence) is the number of times an event will occur in a 12-month period.

Answer 58

The Answer: C. SQL injection SQL (Structured Query Language) injection takes advantage of poor input validation to circumvent the application and allows the attacker to query the database directly. The incorrect answers: A. Cross-site scripting Cross-site scripting takes advantage of a third-party trust to a web application. The attack demonstrated in this question does not use another user's credentials or access rights to obtain information. B. Buffer overflow A buffer overflow uses an application vulnerability to submit more information than an application can properly manage. The attack syntax in this question is specific to SQL injections, and it does not appear to be manipulating a buffer overflow vulnerability. D. SSL stripping SSL stripping is a downgrade attack that modifies web site addresses to allow access to encrypted information. The attack in this question does not appear to include a third-party.

Answer 59

The Answer: C. Trojan horse Since a Trojan horse is usually disguised as legitimate software, the victim often doesn’t realize they’re installing malware. Once the Trojan is installed, the attacker can install additional software to control the infected system. The incorrect answers: A. On-path An on-path attack commonly occurs without any knowledge to the parties involved, and there’s usually no additional notification that an attack is underway. B. Worm A worm is malware that can replicate itself between systems without any user intervention, so a spreadsheet that requires additional a user to click warning messages would not be categorized as a worm. D. Logic bomb A logic bomb is malware that installs and operates silently until a certain event occurs. Once the logic bomb has been triggered, the results usually involve loss of data or a disabled operating system.

Answer 60

The Answer: C. Compliance reporting The storage of sensitive information such as customer details and payment information may require additional reporting to ensure compliance with the proper security controls. The incorrect answers: A. Chain of custody Chain of custody describes the control and integrity of collected evidence. Chain of custody would not involve the implementation of encryption and authentication factors in this example. B. Password vaulting Password vaults are used as secure storage and retrieval of authentication credentials. The protection of user data is not associated with password vaulting. D. Sandboxing Sandboxing is the process of running a service or system in a protected environment. This sandbox allows for testing and analysis without affecting other systems that may currently be in production.

Answer 61

The Answer: B. Keylogger A keylogger captures keystrokes and occasionally transmits this information to the attacker for analysis. The traffic patterns identified by the security manager could potentially be categorized as malicious keylogger transfers. The incorrect answers: A. On-path attack An on-path attack is an exploit often associated with a device monitoring data in the middle of a conversation. This question did not provide any evidence of third-party monitoring. C. Replay attack A replay attack is often used by an attacker to gain access to a service through the use of credentials gathered from a previous authentication. Internal devices communicating to an external server would not be a common pattern for a replay attack. D. Brute force A brute force attack attempts to find authentication credentials by attempting to guess a password. In this example, the source of the traffic and the traffic patterns don't match those seen with common brute force attempts.

Answer 62

The Answer: B. DLP DLP (Data Loss Prevention) technologies can identify and block the transmission of sensitive data across the network. The incorrect answers: A. IPS IPS (Intrusion Prevention System) signatures are useful for identifying known vulnerabilities, but they don't commonly provide a way to identify and block PII (Personally Identifiable Information) or sensitive data. C. RADIUS RADIUS (Remote Authentication Dial-In User Service) is an authentication protocol commonly used to validate user credentials. RADIUS would not be used to identify sensitive data transfers. D. IPsec IPsec (Internet Protocol Security) is a protocol suite for authenticating and encrypting network communication. IPsec does not include any features for identifying and alerting on sensitive information.

Answer 63

The Answer: A. The server is a honeypot for attracting potential attackers A screened subnet is a good location to configure services that can be accessed from the Internet, and building a system that can be easily compromised is a common tactic for honeypot systems. The incorrect answers: B. The server is a cloud storage service for remote users Although cloud storage is a useful service, configuring storage on a server with an open guest account is not a best practice. C. The server will be used as a VPN concentrator VPN (Virtual Private Networking) concentrators should be installed on secure devices, and configuring an open guest account would not be considered a secure configuration. D. The server is a development sandbox for third-party programming projects It would not be secure to configure a development sandbox on a system with an open guest account.

Answer 64

The Answer: B. List all servers authorized to send emails SPF (Sender Policy Framework) is used to publish a list of all authorized email servers for a specific domain. The incorrect answers: A. Transmit all outgoing email over an encrypted tunnel The option to use encrypted protocols for email transfer is configured in the email server and not in the DNS (Domain Name System) server. C. Digitally sign all outgoing email messages DKIM (Domain Keys Identified Mail) is used to publish the public key used for the digital signature for all outgoing email. D. Obtain disposition instructions for emails marked as spam A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record announces the preferred email disposition if a message is identified as spam. DMARC options include accepting the messages, sending them to a spam folder, or simply rejecting the emails.

Answer 65

The Answer: A. Containerization Application containerization uses a single virtual machine to use as a foundation for separate application "containers." These containers are implemented as isolated instances, and an application in one container is not inherently accessible from other containers on the system. The incorrect answers: B. IoT IoT (Internet of Things) is a broad category of embedded devices often installed in our homes and businesses. IoT devices are not commonly associated with the application deployment process. C. Proxy Proxies can be used as security devices, but they aren't commonly used for deploying application instances. D. RTOS RTOS (Real-Time Operating Systems) are designed for time-sensitive applications and services. Manufacturing equipment and transportation systems often incorporate an RTOS.

Answer 66

The Answer: D. Penetration test A penetration test can be used to actively exploit potential vulnerabilities in a system or application. This could cause a denial of service or loss of data, so the best practice is to perform the penetration test during nonproduction hours or in a test environment. The incorrect answers: A. Tabletop exercise A tabletop exercise is used to talk through a security event with an incident response team around a conference room table. This is commonly performed as a training device instead of performing a full-scale disaster drill. B. Vulnerability scanner Vulnerability scanners may identify a vulnerability, but they do not actively attempt to exploit the vulnerability. C. DDoS A DDoS (Distributed Denial of Service) attack is often used to disable a service or application, but it doesn't provide any particular information regarding an application vulnerability.