SEC+ Practice Test Questions (Jason Dion) Flashcards
Domain: General Security Concepts
What type of encryption only affects a section of a storage device?
File-Level Encryption
Full-Disk Encryption
Database Encryption
Partition Encryption
Partition Encryption
OBJ: 1.4 - Partition encryption encrypts only a section (a partition) of a storage device, which matches the description. Full-disk encryption encrypts all data on a physical or logical disk, not just a specific section of a storage device. **File-level encryption** encrypts individual files or folders on a storage device, not a specific partition. Database encryption encrypts data at the database level, not a specific partition.
Domain: Security Operations
Enrique, the head of IT at Dion Training, is tasked with ensuring all deployed company systems adhere to a set of standardized configurations. He wants to reduce the attack surface as much as possible. Which of the following techniques would BEST reduce the organization’s attack surface?
A. Implementing a VPN for any remote access to company devices.
B. Deploying antivirus software on all company workstations and other devices.
C. Turning off all unused services and closing unnecessary ports.
D. Requiring frequent password resets for all employees.
C. Turning off all unused services and closing unnecessary ports.
OBJ: 4.1 - Deactivating unused services and closing ports minimizes potential entry points for attackers, thus effectively reducing the attack surface by limiting exposed system components. VPNs secure remote connections by encrypting data in transit. However, while they enhance the security of data communication, they don’t necessarily reduce the attack surface of the underlying systems. While antivirus software provides protection against malware and certain threats, it doesn’t directly reduce the attack surface. It’s an essential layer of defense but doesn’t minimize system exposure by itself. Regularly changing passwords enhances security against potential unauthorized access but doesn’t directly affect the attack surface related to system configurations or open services.
Domain: General Security Concepts
Which asymmetric encryption technique provides a comparable level of security with shorter key lengths, making it efficient for cryptographic operations?
DSA
RSA
Diffie-Hellman
ECC
ECC
OBJ: 1.4 - ECC (Elliptic curve cryptography) is a type of trapdoor function that is efficient with shorter key lengths. For instance, ECC with a 256-bit key provides roughly the same security as RSA with a 2048-bit key. The primary advantage is that ECC has no known shortcuts to cracking it, making it particularly robust. Diffie-Hellman is an algorithm primarily for secure key exchange, not directly comparable to the encryption efficiency offered by ECC’s shorter key lengths. Digital Signature Algorithm (DSA) is an algorithm used for digital signatures, but it doesn’t inherently offer the same efficiency in terms of key length as ECC. While a foundational asymmetric algorithm, RSA generally requires longer key lengths than ECC to achieve comparable security levels.
Domain: General Security Concepts
When considering the RSA algorithm, which description BEST captures its underlying mathematical property used for public key cryptography?
Symmetric encryption
Trapdoor function
Digital signature
Hash function
Trapdoor function
OBJ: 1.4 - The RSA algorithm uses a trapdoor function, where encryption is easy to perform using the public key, but reversing the process (decryption) without the private key is challenging. RSA’s principle is that certain mathematical operations are easy to perform, but their inverse operations are difficult without specific knowledge. Symmetric encryption is a type of encryption where the same key is used for both encryption and decryption, unlike RSA which uses a pair of public and private keys. A hash function is a process that converts an input (often a long string) into a fixed-size value, commonly used for verifying data integrity but not specifically tied to RSA’s public key cryptography. A digital signature is a means to verify the authenticity of a digital message or document, using a combination of hashing and encryption, but it isn’t the mathematical property of RSA.
Domain: Security Program Management and Oversight
Dion Training is considering a collaboration with a new IT service vendor. To ensure compliance and adherence to industry standards, Dion Training wishes to see verifiable evaluations of the vendor’s security controls and practices. Which of the following would provide Dion Training with insights into the vendor’s own internal evaluations of their security measures?
Customer testimonials
Evidence of internal audits
External penetration test reports
Regulatory compliance certificates
Evidence of internal audits
OBJ: 5.3 - Evidence of internal audits showcases a vendor’s proactive approach to maintaining and enhancing their security measures. Such audits are conducted internally and reflect a rigorous self-assessment of security practices, vulnerabilities, and control mechanisms. By reviewing these, a company can gain insights into the vendor’s commitment to security, how they address potential weaknesses, and their overall cybersecurity health. This evidence can be instrumental in gauging the reliability and trustworthiness of the vendor’s internal security framework. Regulatory compliance certificates indicate compliance with specific regulations but don’t provide detailed insights into internal evaluations. While **customer testimonials** may provide feedback on the vendor’s performance, they don’t offer insights into the vendor’s internal evaluations of their security measures. External penetration test reports show the results of external entities testing the vendor’s defenses, not the vendor’s own evaluations.
Domain: Threats, Vulnerabilities, and Mitigations
Which of the following BEST describes a threat actor who primarily depends on commonly found tools, often easily accessible from the web or dark web?
Bug bounty hunter
Ethical hacker
APT
Script kiddie
Script kiddie
OBJ: 2.1 - Typically a novice in cyber-attacks, a script kiddie heavily relies on off-the-shelf tools without much understanding of how they work. A bug bounty hunter is an individual who seeks software vulnerabilities in exchange for rewards or compensation but doesn’t rely solely on basic, common tools. Advanced persistent threats (APTs) are often state-sponsored groups with significant resources, known for long-term, targeted attacks using a variety of sophisticated tools and techniques. An ethical hacker is a cybersecurity professional who systematically attempts to penetrate systems on behalf of their owners to find vulnerabilities.
Domain: Threats, Vulnerabilities, and Mitigations
Which of the following vulnerabilities is unique to cloud computing environments, posing risks related to unauthorized access and data manipulation?
Side loading
Cross-site scripting (XSS)
Insecure Interfaces and APIs
Buffer overflow
Insecure Interfaces and APIs
OBJ: 2.3 - Insecure Interfaces and APIs are a type of vulnerability that arises when the interaction between users and cloud services through interfaces and APIs is not secure, exposing systems to potential unauthorized access and manipulation of data. Cross-site scripting (XSS) is a security vulnerability typically found in web applications, enabling attackers to inject malicious scripts into websites viewed by other users, potentially leading to a variety of malicious activities. Buffer overflows occur when a program writes more data to a block of memory, or buffer, than it was allocated for, which can lead to various issues, including the potential execution of arbitrary code. Side loading refers to the practice of installing applications on a device without using the official app store, which can lead to various security concerns, including the installation of malicious software.
Domain: Security Program Management and Oversight
Florence is the CEO of a company. She has the final say over all decisions made regarding the business, IT, accounting, and other departments. What type of governance does Florence’s company have?
Centralized governance
Committee governance
Decentralized governance
Board governance
Centralized governance
OBJ: 5.1 - Centralized governance involves decision-making authority concentrated in a single authority or department within an organization. In this structure, key decisions are made at the top level and are then disseminated throughout the organization. Decentralized governance involves distributing decision-making power among different departments or units within the organization, rather than being concentrated in a single authority. Board governance typically refers to the governing body of an organization, composed of members who represent various stakeholders. The board’s role is to oversee the organization’s activities, but it may not always involve centralized decision-making power. Committee governance involves decision-making authority vested in committees, which are groups of individuals formed to address specific tasks or issues within the organization. It does not necessarily involve a single authority or department with centralized decision-making power.
Domain: General Security Concepts
What is the name of a cryptographic key that can be freely distributed and used by others to encrypt messages?
Hash key
Public key
Symmetric key
Digital signature
Public key
OBJ: 1.4 - A public key is used in asymmetric encryption. It can be freely distributed and used by others to encrypt messages, which can then only be decrypted by the corresponding private key. A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. It is not a key used for encryption or decryption. A hash key is used in hash functions to map data of arbitrary size to fixed-size values. It is not used for encryption or decryption. A symmetric key is used in symmetric encryption where the same key is used for both encryption and decryption. It does not involve a pair of keys for encryption and decryption.
Domain: General Security Concepts
When sending an encrypted message to Dion Training, a client would use which of the following to ensure only Dion Training can decrypt and read the message?
Wildcard certificate
Public key
Key escrow
Private key
Public key
OBJ: 1.4 - The client would use the company’s public key to encrypt the message. Only Dion Training, with the corresponding private key, can decrypt and read the message, ensuring confidentiality and demonstrating the importance of public-key cryptography. Key escrow refers to the secure storage of cryptographic keys, ensuring they can be accessed under specific conditions, but it’s not directly used to encrypt or decrypt messages. A private key is kept secret by its holder and is used to decrypt messages that are encrypted with its corresponding public key. It’s not used by external entities to encrypt messages to the key holder. A wildcard certificate secures multiple subdomains under a main domain but doesn’t directly involve message encryption or decryption.
Domain: Security Architecture
When a legal organization routinely communicates with clients via email containing sensitive case details, which strategy would be the MOST effective to secure the communications?
Utilization of VPNs for email transmission
Conducting regular user cybersecurity training
Deployment of regular data backups to secure cloud storage
Implementation of end-to-end encrypted email
Implementation of end-to-end encrypted email
OBJ: 3.3 - Implementation of end-to-end encrypted email ensures emails are decipherable only by the intended recipient, safeguarding sensitive content. Conducting regular user cybersecurity training educates users about best practices but doesn’t directly protect email content. Utilization of VPNs for email transmission secures transmission of data over networks but isn’t specialized for email content encryption. **Deployment of regular data backups to secure cloud storage** provides email storage solutions but doesn’t inherently secure email transmissions.
Domain: Threats, Vulnerabilities, and Mitigations
Dion Training has recently implemented a new web portal for their customers. During a routine security review, the IT team notices that some suspicious activities have been logged. An unknown user attempted to access the system with a strange pattern: when requesting a particular user file, instead of the usual URL structure ( /users/[username]/profile ) the system registered requests like ( /users/../admin/config ). Within a short span of time, several such patterns were identified, each trying to reach different sensitive files and directories. Given this information, which of the following types of attack is the user MOST likely attempting?
Attempting to inject malicious scripts into the system.
Attempting to access files outside of intended directories.
Attempting to exploit a buffer overflow vulnerability.
Attempting to escalate their privileges on the system.
Attempting to access files outside of intended directories.
OBJ: 2.4 - This scenario is a classic example of directory traversal. The described activities are consistent with an attacker trying to move up the directory structure and access files or directories they shouldn’t. This often involves navigating directories in ways the system didn’t intend. Buffer overflow attacks involve overloading a system’s memory buffer to cause it to crash or to insert malicious code. The activities described in the scenario are more about navigating the file system than overwhelming it. Injection attacks usually involve inputting malicious data into a system with the intent that it will be executed. The scenario described does not suggest data is being executed or run; rather, it’s an attempt to navigate to unintended areas. Privilege escalation attacks aim to gain elevated access to resources that are normally protected from an application or user. While this might be an outcome or a motive, the method described here doesn’t necessarily represent this type of attack.
Domain: Security Architecture
What element of backup strategy involves making data copies regularly at set intervals?
Load balancing
Journaling
Replication
Frequency
Frequency
OBJ: 3.4 - Frequency refers to how often data backups are carried out. Regular backups at set intervals are crucial to minimize the potential loss of data. Replication is the copying of data from one system to another; the regularity with which this is done isn’t an important part of replication. Journaling entails verifying and logging data, not the regularity of backups. While load balancing is a technique for distributing workloads across multiple computers or networks, it doesn’t relate to how frequently backups are created.
Domain: Threats, Vulnerabilities, and Mitigations
Which of the following hardening techniques can help protect systems or devices from attacks by installing software like a firewall or antivirus directly on user devices to report and block potential attacks?
Least Privilege
Patching
Installation of endpoint protection
Changing Default Passwords
Installation of endpoint protection
OBJ: 2.5 - Installation of endpoint protection includes installing antivirus, anti-malware, and firewall software on systems or devices. This software helps protect systems and devices from known vulnerabilities. Patching is a mitigation technique that can help prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements. Patching involves applying patches or updates to all software and systems, not just those that provide host security like firewalls. Least privilege is a mitigation technique that limits users to the level of access and privilege they need to do their work. This can limit the extent of an attack by limiting the attacker’s access and privilege to those of the compromised user. Least privilege involves applying predefined rules and permissions, such as roles, groups, and functions, and enforcing the rules and permissions through mechanisms such as passwords, tokens, and biometrics. Changing default passwords is a hardening technique that can help prevent some password attacks on systems and devices. This is done by changing the default or factory-set passwords that may be easily cracked by automated tools or dictionaries because they are often reused or drawn from a small pool of passwords. Password managers, password generators, and security policies can be used to create and enforce the use of strong and unique passwords for each system and device. It doesn’t involve installing antivirus software.
Domain: Security Program Management and Oversight
Which of the following BEST describes the Software Development Life Cycle (SDLC) in application security?
It replaces the need for regular software updates and patches.
It emphasizes the integration of security in software creation and maintenance.
It only considers security during the testing and creation phases of software development.
It primarily focuses on the speed of software delivery over security.
It emphasizes the integration of security in software creation and maintenance.
OBJ: 5.1 - An SDLC ensures that security is a focal point in all stages of software development, from design to maintenance. While certain SDLC models, like Agile, prioritize quick deliveries, they don’t overlook security. SDLC integrates security throughout its phases, not just during testing. Even with a robust SDLC, software may still require updates and patches post-deployment.
Domain: Threats, Vulnerabilities, and Mitigations
Travid is evaluating an attack that has occurred on his organization’s system. He sees that the attacker entered a lot of data into the area of memory in the API that temporarily stores user input. What type of attack did Travid discover?
Memory fragmentation
Memory leak
Buffer overflow
Buffer underflow
Buffer overflow
OBJ: 2.3 - Buffer overflow is a type of memory corruption that occurs when a program writes more data than the allocated buffer, the area of memory set aside to temporarily hold user input, can hold. This causes the application to overwrite adjacent memory locations. It can lead to crashes, code execution, or privilege escalation. Buffer underflow is a type of memory corruption that occurs when a program reads more data than the allocated buffer can provide, causing it to read from invalid memory locations. It can lead to crashes, data leakage, or undefined behavior. Memory fragmentation is a type of memory issue that occurs when a program allocates and frees memory in an irregular or inefficient manner, causing the available memory to be divided into small and non-contiguous blocks. It can lead to memory wastage, allocation failure, or reduced performance. Memory leak is a type of memory issue that occurs when a program fails to release or free the memory that it has allocated, causing it to consume more and more memory over time. It can lead to performance degradation, resource exhaustion, or out-of-memory errors.
Domain: Security Program Management and Oversight
Which of the following terms refers to a critical predictive metric that organizations monitor to foresee potential risks and their impact on operations?
Key risk indicators
Risk metrics
Risk parameters
Risk threshold
Key risk indicators
OBJ: 5.2 - KRIs are metrics that provide early warnings of increasing risk exposures, enabling organizations’ leadership to manage these risks proactively. A risk threshold is the defined level of risk an organization is willing to accept, not a predictive indicator. Risk metrics are quantitative measures of risk but do not specifically refer to the predictive indicators used for monitoring potential risks. Risk parameters are specific variables used within risk assessment processes, not predictive indicators.
Domain: Security Operations
Reed, a cybersecurity specialist at Dion Training Solutions, is optimizing the company’s IPS. He notes that while signature-based detection is highly effective against known threats, it has some limitations. Which of the following BEST describes a limitation of signature-based detection in an IPS?
It encrypts network traffic to hide malicious signatures.
It automatically updates with behavioral patterns of users.
It might not detect zero-day exploits.
It requires substantial network bandwidth to operate.
It might not detect zero-day exploits.
OBJ: 4.5 - Signature-based detection relies on a database of known threat patterns. Therefore, it might not recognize or stop new threats or zero-day exploits because their signatures aren’t in the database yet. Automatically updating with behavioral patterns of users describes behavior-based or heuristic detection, not signature-based detection. Signature-based detection relies on predefined patterns of known threats. Signature-based detection doesn’t encrypt traffic. Instead, it matches traffic patterns against known threat signatures. While an IPS does process traffic, the bandwidth consumption is not a direct limitation of signature-based detection. The bandwidth concern is more about the throughput of the IPS device itself.
Domain: Threats, Vulnerabilities, and Mitigations
Which of the following vulnerabilities BEST describes a situation where a threat actor can manipulate data after it has been verified by an application, but before the application uses it for a specific operation?
Resource exhaustion
Memory leaks
Race conditions
Time-of-check (TOC)
Time-of-check (TOC)
OBJ: 2.3 - A TOC vulnerability occurs when an attacker exploits the time gap between the verification of data and its use, potentially leading to unauthorized or malicious activities. **Memory leaks** are when a program doesn’t release memory that it no longer needs, leading to potential system slowdowns or crashes. This does not involve data manipulation after verification. Race conditions relate to the unexpected order and timing of events in software execution but are not specifically about the gap between data verification and use. Resource exhaustion refers to the overuse of system resources, be it CPU time, memory, or others, which can lead to denial of service. It’s not specific to data manipulation after its verification.
Domain: Threats, Vulnerabilities, and Mitigations
Which of the following mitigation techniques can help enforce compliance with security standards and policies on a system or network by designating programs that are allowed to run and blocking all other programs from being run?
Configuration Enforcement
Application allow list
Patching
Least Privilege
Application allow list
OBJ: 2.5 - An application allow list is a technique that can help enforce compliance with security standards and policies on a system or network by using a list of approved applications that are allowed to run and blocking all other applications that may violate the standards or policies. An application allow list involves using a list of applications that have been verified and authorized by the system or network administrator, and blocking all other applications that may not meet the security requirements or expectations of the system or network. Patching is a technique that can help prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements. Patching involves applying patches or updates to software and systems, but it does not use a list of approved applications that are allowed to run and block all other applications that may violate the standards or policies. Configuration enforcement is a mitigation technique that can help prevent unauthorized or improper changes that increase a system or device’s vulnerability to attack. By creating predefined security standards and policies, and enforcing them, configuration enforcement helps prevent the inadvertent or purposeful creation of vulnerabilities and security risks. This focuses on the configuration settings rather than the applications used within a system. Least privilege is a mitigation technique that limits users to the level of access and privilege they need to do their work. This can limit the extent of an attack by limiting the attacker’s access and privilege to those of the compromised user. Least privilege involves applying predefined rules and permissions, such as roles, groups, and functions, and enforcing the rules and permissions through mechanisms such as passwords, tokens, and biometrics. This focuses on limiting the user policies rather than the application itself.
Domain: Security Operations
Which of the following statements is NOT true about the importance of log aggregation?
Log aggregation increases the complexity of managing and interpreting security logs.
Log aggregation helps to detect unusual activity or behavior that may indicate a security breach.
Log aggregation aids in maintaining regulatory compliance by keeping a record of events that happened in the system.
Log aggregation can enhance security by consolidating logs from different sources for easier analysis.
Log aggregation increases the complexity of managing and interpreting security logs.
OBJ: 4.4 - The primary purpose of log aggregation is to simplify the management and interpretation of security logs. It doesn’t increase the complexity; rather, it reduces it by consolidating logs from various sources, making them easier to analyze and interpret. Hence, this statement is NOT TRUE about the importance of log aggregation. Log aggregation can help in maintaining regulatory compliance by keeping a record of all system events, which might be a requirement for some regulations or standards. Log aggregation enhances security by bringing together logs from different sources into a centralized location for easier analysis and monitoring. Detecting unusual activity that could indicate a security breach is one of the primary purposes of log aggregation. It helps in identifying patterns that could be missed if logs are analyzed separately.
Domain: Security Operations
A software development company regularly releases software updates to its global customer base. Recently, some customers reported receiving unauthorized and potentially malicious software updates. The company wants to implement a security technique to ensure the authenticity and integrity of its software updates when delivered to customers. Which of the following would BEST assist in achieving this goal?
Intrusion Detection System
Code Signing
Antivirus Scanning
Multi-factor Authentication
Code Signing
OBJ: 4.1 - Code signing is a security technique that allows software developers to digitally sign their software updates before distribution. By using cryptographic signatures, code signing ensures the authenticity and integrity of the software updates. When customers receive the updates, their systems can verify the signature to confirm that the update came from a trusted source and that it has not been altered during transmission. This is an effective way for the company to guarantee the legitimacy of its software updates and protect customers from potentially malicious or unauthorized modifications. An Intrusion Detection System (IDS) is a security solution that monitors network traffic and system activities to detect suspicious or malicious behavior. While an IDS is valuable for identifying potential security incidents, it primarily focuses on network-level security and does not directly address the authenticity and integrity of software updates, so it is not the most appropriate technique for ensuring the legitimacy of software updates. Multi-factor authentication (MFA) is a security method that requires users to provide two or more forms of identification before accessing a system. MFA is commonly used to enhance user authentication and access control. However, it is not directly related to verifying the authenticity and integrity of software updates when delivered to customers. MFA does not address the process of ensuring that the software updates are coming from a trusted source and have not been tampered with during distribution. Therefore, while MFA is a valuable security measure, it is not the most suitable technique for the company’s current objective. Antivirus scanning is a security measure that involves using antivirus software to detect and remove malware from a system. While antivirus scanning is crucial for protecting computers from known malware, it does not directly address the authenticity and integrity of software updates. It focuses on identifying and removing existing malware but does not ensure that the software updates are legitimate and have not been tampered with during distribution.
Domain: General Security Concepts
At Kelly Innovations Corp., Sarah noticed that their core business application, which tracks customer orders, was not updating inventory levels accurately. A recent update seemed to have introduced a bug. Which of the following would offer the BEST solution?
Application rollback
Dependency check
Application restart
Patch management
Application rollback
OBJ: 1.3 - Application rollback is reverting an application to a previous state or version from a backup to correct issues caused by updates or changes. In this scenario, restoring the application from a backup taken two days earlier is an example of an application rollback and would be the most effective solution. **Patch management** is the process of managing updates for software applications. While the issue arose from an update, Jason is not suggesting another patch but is recommending reverting to a previous state. Application restart involves stopping and then starting an application, often to apply changes or ensure updates have taken effect. While it may be a part of many troubleshooting processes, it wouldn’t address the bug introduced by the update. Dependency check refers to ensuring that all required components, libraries, or modules needed by an application are present. The scenario doesn’t suggest any missing dependencies; rather, it’s a problem with the application’s function.
Domain: Security Operations
Jamario, a security analyst at Dion Training, has just completed a vulnerability assessment on a company’s internal web application. One of the vulnerabilities detected has a high likelihood of being exploited and, if successful, could expose sensitive customer data. Based on severity and potential impact, how should this vulnerability be classified?
Medium
Critical
Low
Informational
Critical
OBJ: 4.3 - A critical classification is assigned to vulnerabilities that, if exploited, would cause significant damage, have a high likelihood of being exploited, or expose sensitive data. These should be addressed immediately. Medium vulnerabilities pose a moderate risk and usually have some mitigating factors that lessen their potential impact or likelihood of exploitation. Informational vulnerabilities are typically findings that don’t pose any immediate risk but are documented to provide a complete view of the assessment. **Low** vulnerabilities have minimal potential damage and are less likely to be exploited. They are of lesser priority compared to other classifications.
Domain: Threats, Vulnerabilities, and Mitigations
During a network investigation, Aiden, a cybersecurity analyst, identifies two key irregularities: The CEO, who tends to work late, logged in from both Paris and Tokyo within five minutes, and there’s an unexpected surge in emails from the HR department outside of recruitment season. Which of the following should the analyst be MOST concerned about based on these observations?
A recent software update on the CEO’s computer.
Simultaneous CEO logins from distant locations.
The sudden increase in emails from the HR department.
The absence of the CEO’s usual late-night login.
Simultaneous CEO logins from distant locations.
OBJ: 2.4 - Simultaneous CEO logins from distant locations suggest that the CEO’s credentials may have been compromised. It’s unlikely for one person to log in from two vastly different geographical locations in such a short time frame. This could mean that an unauthorized entity has gained access to a potentially high-privilege account. It’s common for employees to have specific patterns of logging in, but missing a usual login doesn’t necessarily indicate a compromise. It could be due to various benign reasons, such as a change in the CEO’s schedule or activities. While unusual email patterns can be an indicator of a compromised email account or a potential phishing campaign originating from a trusted source, it’s not as direct an indicator as the simultaneous logins, especially without knowing the content and recipients of those emails. While software updates are essential for fixing vulnerabilities, merely updating software is not typically an immediate indicator of a security compromise. Unless there’s evidence that the update itself was malicious or introduced vulnerabilities, it shouldn’t be Aiden’s primary concern in this context.
Domain: Security Operations
For ensuring the security of an HTTP application like WordPress or Magento against threats like SQL injection or cross-site scripting, which monitoring tool or method would be MOST appropriate?
Web application firewall (WAF)
Host-based intrusion detection system (HIDS)
Antivirus software
NetFlow
Web application firewall (WAF)
OBJ: 4.4 - A WAF specifically protects web applications by filtering and monitoring HTTP traffic, providing defenses against web-specific attacks such as SQL injection. While HIDS monitors the internals of a computing system, it isn’t explicitly designed to combat web application-specific threats. While antivirus software can detect malware and malicious files, it isn’t particularly tailored to protect against web application-specific threats like SQL injection. NetFlow collects IP traffic information and monitors network flow data but doesn’t specifically target web application vulnerabilities.
Domain: Security Program Management and Oversight
Which of the following terms BEST describes the affirmation of the validation of the accuracy and thoroughness of compliance-related reports?
Attestation
Internal assessment
Regulatory examination
Independent third-party audit
Attestation
OBJ: 5.5 - Attestation is the term that refers to the process of affirming the accuracy and completeness of compliance reports. It involves providing formal statements or declarations about the organization’s compliance with specific regulations or standards. Attestation can be done internally by the organization’s management or externally by a third-party auditor. An **independent third-party audit** involves an external and unbiased assessment conducted by an independent auditor or a third-party organization. The purpose of this audit is to provide an objective evaluation of the organization’s compliance status. Independent third-party audits are often used to validate and verify compliance claims made by the organization and can offer more credibility to compliance reports. Internal assessment involves the organization’s internal evaluation of its adherence to established compliance requirements. This process may include self-assessments, internal audits, and reviews conducted by the organization’s compliance team to ensure that it meets the necessary regulatory and security standards. A regulatory examination is an external evaluation conducted by a government agency or a regulatory body to ensure that an organization is complying with specific regulations or industry standards. During a regulatory examination, the organization’s compliance practices, controls, and processes are thoroughly reviewed to assess their alignment with the applicable rules and requirements.
Domain: Security Program Management and Oversight
Horizon Security, a cybersecurity training company, experienced a data breach due to a vendor’s negligence. This breach led to a significant loss of sensitive customer information. What type of consequence is Horizon MOST likely to face?
Fines
Loss of license
Reputational damage
Sanctions
Reputational damage
OBJ: 5.4 - Reputational damage refers to the potential harm or negative impact on Horizon’s reputation due to its failure to comply with data protection regulations. As a result of the data breach, customers may come to believe that Horizon doesn’t know enough about cybersecurity to prevent the breach and/or properly protect its customer data. Its reputation in the cybersecurity training industry may be tarnished. Fines are penalties imposed by regulatory authorities for non-compliance with data protection regulations. However, in this scenario, Horizon did not commit the negligence, so they are not likely to face fines unless they are located in a country that has laws regarding fines for any data breach regardless of responsibility. Sanctions are also potential penalties for non-compliance, but they are typically more severe and may include restrictions or limitations on the company’s operations. However, in this scenario, Horizon did not commit the negligence, so they are not likely to face sanctions unless they are located in a country that has laws regarding sanctions for any data breach regardless of responsibility. Loss of license could be a consequence of non-compliance in certain industries. However, in this scenario, Horizon did not commit the negligence, so they are not likely to lose any licenses they may have.
Domain: Security Operations
As a security analyst, you are reviewing application logs while investigating a suspected breach. Which of the following pieces of information is NOT typically documented in the application log data?
The physical location of the user accessing the application.
User IDs related to specific application transactions.
Server IP address where the application is hosted.
Timestamps of application activity.
The physical location of the user accessing the application.
OBJ: 4.9 - Application logs do NOT typically capture the physical location of the user accessing the application. While IP addresses can give a rough estimate of geographic location, accurate physical location (e.g., GPS coordinates or exact address) is not recorded in standard application logs. Timestamps of application activity are crucial for investigations. They enable the analysis of event occurrence sequence, making it possible to identify patterns and reconstruct the timeline of events. **User IDs related to specific transactions** do appear in application logs. This piece of information can help to identify the user who performed a specific action in the application, useful for incident response. The IP address of the server hosting the application frequently shows up in application logs. This information can be useful for understanding network-level behaviors associated with the application.
Domain: Threats, Vulnerabilities, and Mitigations
Which group is MOST likely to possess the funding and resources to recruit top talent, including skilled strategists, designers, coders, and hackers?
An independent black hat hacker
A criminal syndicate
A security researcher
An open-source developer community
A criminal syndicate
OBJ: 2.1 - Large organized crime rings have the financial means to hire and maintain a team of skilled individuals for sophisticated cyber operations. While skilled, independent black hat hackers operate on their own and may not have the substantial resources a larger organization might. Though they have deep knowledge in cybersecurity, security researchers typically operate independently or within institutions, focusing on studying and mitigating threats. The main focus of an open-source development community is collaborative software development, not cyber-attacks.
Domain: Security Architecture
As part of a new building initiative, Dion Training Solutions plans to connect two office buildings via a direct physical link. Which measure will BEST protect the physical infrastructure connectivity?
Placing the cable on the ground between buildings.
Using wireless bridges without encryption.
Installing the cable in a conduit buried underground.
Running the connection on overhead poles.
Installing the cable in a conduit buried underground.
OBJ: 3.2 - Burying the connection underground within a protective conduit offers protection from environmental factors and unauthorized tampering. Laying cables on the ground without protection can expose them to damage and unauthorized access. Unencrypted wireless bridges can be susceptible to eavesdropping and interception. Overhead poles expose the connection to environmental factors and potential tampering, making it less secure.
Domain: Threats, Vulnerabilities, and Mitigations
A tech company discovers that the firmware in some of their devices contains a hidden backdoor. Upon investigation, it’s determined that the compromised firmware came from an overseas supplier they contracted with. The backdoor gave attackers remote access to devices without user knowledge. What type of attack vector has the company fallen victim to?
Supply chain
Bluesnarfing
Drive-by download
On-path attack
Supply chain
OBJ: 2.2 - This scenario depicts a supply chain compromise where the threat originated from a supplier. By introducing the backdoor at the production level, attackers ensured widespread distribution of the vulnerability, making it a potent and stealthy attack. In an on-path attack, an unauthorized intermediary intercepts communication between two parties, potentially altering it. While deceptive, it doesn’t stem from supply chain vulnerabilities. Drive-by download involves automatically downloading malicious software onto a user’s system without their knowledge, typically when visiting a compromised website. It doesn’t relate to supply chain threats. Bluesnarfing refers to exploiting vulnerabilities in Bluetooth connections to steal data from another device. It doesn’t involve compromising products at the supply level.
Domain: Security Operations
Which of the following BEST describes how automation and orchestration in cybersecurity operations influence employee satisfaction and retention?
Decreases the demand for cybersecurity professionals.
Directly increases salary packages.
Reduces repetitive and mundane tasks.
Facilitates frequent role rotation among teams.
Reduces repetitive and mundane tasks.
By automating routine tasks, employees can focus on more challenging and fulfilling aspects of their roles, enhancing satisfaction and retention. While automation can handle specific tasks, it doesn’t reduce the overall demand for skilled professionals in cybersecurity. While automation might indirectly lead to operational savings, it doesn’t directly influence individual employee salaries. Automation standardizes operations, but it doesn’t directly promote or facilitate role rotation within cybersecurity teams.
Domain: General Security Concepts
Lexicon, an AI company, wants to implement a security measure to identify and evaluate potential threats to their systems and networks. Which of the following is an example of a managerial security control that the company could implement?
Risk assessments
Firewall
Intrusion detection system
Security guards
Risk assessments
OBJ: 1.1 - Periodic evaluations, like risk assessments, are a managerial security control that involves regularly evaluating the threats to systems and networks. This can help the company identify potential threats and take steps to mitigate them. Security guards are considered operational controls, not managerial controls. A firewall is a technical security control that monitors and controls incoming and outgoing network traffic based on predetermined security rules. An intrusion detection system is a technical security control that monitors network traffic for signs of security threats.
Domain: Security Architecture
Given the need for resilience and the ability to recover in a security architecture, which of the following devices ensures uninterrupted operation during a power outage?
Uninterruptible power supply (UPS)
Power Strip
Voltage Regulator
Onsite/offsite backups
Uninterruptible power supply (UPS)
OBJ: 3.4 - A **UPS** is a device that provides emergency power to a load when the input power source fails, thus ensuring continuous operation. A voltage regulator ensures that the voltage supplied to a device remains constant, even if there are fluctuations in the power source. However, it does not provide backup power during an outage. While onsite and offsite backups ensure data preservation, they don’t guarantee power supply during a power loss. While a power strip allows for multiple devices to be plugged in simultaneously, it does not provide any form of power backup or protection against outages.
Domain: Security Program Management and Oversight
What is the purpose of a security analyst doing due diligence in the vendor selection process?
To compare multiple vendors’ suppliers to ensure they are all diligent in analyzing their own supply chains.
To ensure that the chosen vendor is the best choice among the list of possible vendors
To ensure that the vendor’s practices align with the organization’s requirements
To assess the vendor’s ability to provide the goods or services when they have promised
To ensure that the vendor’s practices align with the organization’s requirements
OBJ: 5.3 - Due diligence includes assessing the vendor’s security practices and confirming that they meet the organization’s security requirements and standards. Due diligence in the vendor selection process involves evaluating the financial stability and reliability of the vendor to ensure they are capable of fulfilling their obligations. Due diligence involves examining the vendors’ security practices and ensuring that they comply with a company’s own practices. It doesn’t normally extend to evaluating a vendor’s suppliers’ supply chains. It is important to make the best choice of vendors; however, that isn’t what due diligence means. Due diligence may include checking their performance history and reputation with previous clients to gauge their track record.
Domain: Security Operations
What is the primary difference between sanitization and destruction in the disposal process?
Sanitization involves erasing data so it cannot be recovered; destruction is total physical demolition of the asset.
Sanitization and destruction are synonyms and refer to the same process.
Sanitization concerns the reuse of assets in an organization, and destruction involves transferring those assets to a different department.
Sanitization refers to physically damaging the asset to render it unusable, while destruction involves completely eliminating all residual data.
Sanitization involves erasing data so it cannot be recovered; destruction is total physical demolition of the asset.
OBJ: 4.6 - Sanitization involves the process of permanently erasing or de-identifying data on a device so it cannot be recovered, while destruction is about physically demolishing the asset, ensuring no data can be extracted from it. Sanitization does not refer to physically damaging the asset; instead, it has to do with removing or de-identifying data so it cannot be recovered. Destruction involves physical destruction of the asset itself. Sanitization and destruction refer to two different types of procedures in the disposal process and are not synonyms. Sanitization and destruction involve methods of removing or totally destroying data or assets rather than internal asset redistribution in an organization.
Domain: Security Architecture
Dion Training Solutions is aiming to optimize their wide-area network (WAN) while ensuring advanced network management and performance optimization. They are considering a solution that can be deployed both on-premises and in the cloud. Which of the following technologies would BEST match their requirements?
SD-WAN
AH
TLS
SASE
SD-WAN
OBJ: 3.2 - **SD-WAN (Software-defined wide area network)** provides centralized network management, flexible routing, and traffic management capabilities. It can be hosted both on-premises and in the cloud, giving it an edge for comprehensive WAN optimization. TLS (Transport Layer Security) operates at the application layer and is primarily used for securing application-level communication. It doesn’t offer WAN optimization or centralized network management. While **SASE** offers both network security and WAN capabilities, its primary selling point is as a cloud-based solution that integrates both. It doesn’t focus solely on WAN performance optimization. AH (Authentication header) is a protocol component of IPSec which offers packet integrity but does not specifically cater to WAN optimization or management.
Domain: Security Architecture
Reed & Jamario Security Services has recommended your company use a port-based system to prevent unauthorized users and devices. Which of the following are they recommending?
802.1X
IDS
Fail-closed
Fail-open
802.1X
OBJ: 3.2 - 802.1X is a standard developed by the IEEE to govern port-based network access. When used with a RADIUS-based authentication server, it provides authentication services, checking user credentials to ensure that the user is a legitimate part of the organization and granting access to only those areas of the system that the user is allowed to access. Fail-open refers to what happens when a network encounters errors and exceptions. Fail-open means that when errors occur or exceptions are encountered, the system continues allowing access rather than denying access. Fail-open allows a website to continue offering services even after an error has occurred. The emphasis is, therefore, keeping the website up while the error is addressed, hoping that the error is a minor issue. An intrusion detection system (IDS) monitors network traffic for malicious activities. It alerts to the potential activity but does not prevent it from passing through the network. In this way, it provides a layer of protection without slowing down network performance. Fail-closed refers to what happens when a network encounters errors and exceptions. Fail-closed means that when errors occur or exceptions are encountered, the system denies further access. This prevents any further network traffic until the error or exception is dealt with. While this provides greater security, it means that a website can’t be accessed even if the error encountered is minor or doesn’t pose a security threat.
Domain: Security Program Management and Oversight
An investment firm allows a fluctuation of up to 10% in the value of its high-risk investment portfolio compared to the expected return on investment, but immediate action is required if this threshold is exceeded. This 10% fluctuation represents an example of:
Risk matrix
Risk appetite
Risk tolerance
Risk management
Risk tolerance
OBJ: 5.2 - The 10% fluctuation is an example of the firm’s risk tolerance, which is the acceptable variance in the high-risk portfolio’s performance before triggering action. Risk management is the overarching process of identifying, assessing, and responding to risks, which includes setting risk tolerance but is not represented by the 10% fluctuation itself. A risk matrix is a visual tool used to determine the severity and likelihood of risks, not the acceptable variance in investment performance. While the firm’s decision to have a high-risk investment portfolio at all does reflect its risk appetite, the question specifically refers to the acceptable variance, which is the risk tolerance.