SEC+ Practice Test Questions (Jason Dion) Flashcards

Question

# Domain: Threats, Vulnerabilities, and Mitigations During a network investigation, Aiden, a cybersecurity analyst, identifies two key irregularities: The CEO, who tends to work late, logged in from both Paris and Tokyo within five minutes, and there's an unexpected surge in emails from the HR department outside of recruitment season. Which of the following should the analyst be MOST concerned about based on these observations? ## Footnote A recent software update on the CEO's computer. Simultaneous CEO logins from distant locations. The sudden increase in emails from the HR department. The absence of the CEO's usual late-night login.

Answer 1

Simultaneous CEO logins from distant locations. ## Footnote OBJ: 2.4 - **Simultaneous CEO logins from distant locations** suggests that the CEO's credentials may have been compromised. It's unlikely for one person to log in from two vastly different geographical locations in such a short time frame. This could mean that an unauthorized entity has gained access to a potentially high-privilege account. It's common for employees to have specific patterns of logging in, but **missing a usual login** doesn't necessarily indicate a compromise. It could be due to various benign reasons, such as a change in the CEO's schedule or activities. While **unusual email patterns** can be an indicator of a compromised email account or a potential phishing campaign originating from a trusted source, it's not as direct an indicator as the simultaneous logins, especially without knowing the content and recipients of those emails. While **software updates** are essential for fixing vulnerabilities, merely updating software is not typically an immediate indicator of a security compromise. Unless there's evidence that the update itself was malicious or introduced vulnerabilities, it shouldn't be Aiden's primary concern in this context.

Answer 2

Web application firewall (WAF) ## Footnote OBJ: 4.4 - A **WAF** specifically protects web applications by filtering and monitoring HTTP traffic, providing defenses against web-specific attacks such as SQL injection. While **HIDS** monitors the internals of a computing system, it isn't explicitly designed to combat web application-specific threats. While **antivirus software** can detect malware and malicious files, it isn't particularly tailored to protect against web application-specific threats like SQL injection. **NetFlow** collects IP traffic information and monitors network flow data but doesn't specifically target web application vulnerabilities.

Answer 3

Attestation ## Footnote OBJ: 5.5 - **Attestation** is the term that refers to the process of affirming the accuracy and completeness of compliance reports. It involves providing formal statements or declarations about the organization's compliance with specific regulations or standards. Attestation can be done internally by the organization's management or externally by a third-party auditor. An **independent third-party audit **involves an external and unbiased assessment conducted by an independent auditor or a third-party organization. The purpose of this audit is to provide an objective evaluation of the organization's compliance status. Independent third-party audits are often used to validate and verify compliance claims made by the organization and can offer more credibility to compliance reports. **Internal assessment** involves the organization's internal evaluation of its adherence to established compliance requirements. This process may include self-assessments, internal audits, and reviews conducted by the organization's compliance team to ensure that it meets the necessary regulatory and security standards. A **regulatory examination** is an external evaluation conducted by a government agency or a regulatory body to ensure that an organization is complying with specific regulations or industry standards. During a regulatory examination, the organization's compliance practices, controls, and processes are thoroughly reviewed to assess their alignment with the applicable rules and requirements.

Answer 4

Reputational damage ## Footnote OBJ: 5.4 - **Reputational damage** refers to the potential harm or negative impact on Horizon's reputation due to its failure to comply with data protection regulations. As a result of the data breach, customers may come to believe that Horizon doesn't know enough about cybersecurity to prevent the breach and/or properly protect its customer data. Its reputation in the cybersecurity training industry may be tarnished. **Fines** are penalties imposed by regulatory authorities for non-compliance with data protection regulations. However, in this scenario, Horizon did not commit the negligence, so they are not likely to face fines unless they are located in a country that has laws regarding fines for any data breach regardless of responsibility. **Sanctions** are also potential penalties for non-compliance, but they are typically more severe and may include restrictions or limitations on the company's operations. However, in this scenario, Horizon did not commit the negligence, so they are not likely to face sanctions unless they are located in a country that has laws regarding sanctions for any data breach regardless of responsibility. **Loss of license** could be a consequence of non-compliance in certain industries. However, in this scenario, Horizon did not commit the negligence, so they are not likely to lose any licenses they may have.

Answer 5

The physical location of the user accessing the application. ## Footnote OBJ: 4.9 - Application logs do NOT typically capture the physical location of the user accessing the application. While IP addresses can give a rough estimate of geographic location, accurate physical location (e.g., GPS coordinates or exact address) is not recorded in standard application logs. **Timestamps of application activity** are crucial for investigations. They enable the analysis of event occurrence sequence, making it possible to identify patterns and reconstruct the timeline of events. **User IDs related to specific transactions **do appear in application logs. This piece of information can help to identify the user who performed a specific action in the application, useful for incident response. The **IP address of the server hosting the application** frequently shows up in application logs. This information can be useful for understanding network-level behaviors associated with the application.

Answer 6

A criminal syndicate ## Footnote OBJ: 2.1 - **Large organized crime rings** have the financial means to hire and maintain a team of skilled individuals for sophisticated cyber operations. While skilled, **independent black hat hackers** operate on their own and may not have the substantial resources a larger organization might. Though they have deep knowledge in cybersecurity, **security researchers** typically operate independently or within institutions, focusing on studying and mitigating threats. The main intent of an **open-source development community** is on collaborative software development and not cyber-attacks.

Answer 7

Installing the cable in a conduit buried underground. ## Footnote OBJ: 3.2 - Burying the connection underground within a protective conduit offers protection from environmental factors and unauthorized tampering. Laying cables on the ground without protection can expose them to damage and unauthorized access. Unencrypted wireless bridges can be susceptible to eavesdropping and interception. Overhead poles expose the connection to environmental factors and potential tampering, making it less secure.

Answer 8

Supply chain ## Footnote OBJ: 2.2 - This scenario depicts a **supply chain** compromise where the threat originated from a supplier. By introducing the backdoor at the production level, attackers ensured widespread distribution of the vulnerability, making it a potent and stealthy attack. In an **on-path attack**, an unauthorized intermediary intercepts communication between two parties, potentially altering it. While deceptive, it doesn't stem from supply chain vulnerabilities. **Drive-by download** involves automatically downloading malicious software onto a user's system without their knowledge, typically when visiting a compromised website. It doesn't relate to supply chain threats. **Bluesnarfing** refers to exploiting vulnerabilities in Bluetooth connections to steal data from another device. It doesn't involve compromising products at the supply level.

Answer 9

Reduces repetitive and mundane tasks. ## Footnote By automating routine tasks, employees can focus on more challenging and fulfilling aspects of their roles, enhancing satisfaction and retention. While automation can handle specific tasks, it doesn't reduce the overall demand for skilled professionals in cybersecurity. While automation might indirectly lead to operational savings, it doesn't directly influence individual employee salaries. Automation standardizes operations, but it doesn't directly promote or facilitate role rotation within cybersecurity teams.

Answer 10

Risk assessments ## Footnote OBJ: 1.1 - Periodic evaluations, like **risk assessments**, are a managerial security control that involves regularly evaluating the threats to systems and networks. This can help the company identify potential threats and take steps to mitigate them. **Security guards** are considered operational controls, not managerial controls. **Firewall** is a technical security control that monitors and controls incoming and outgoing network traffic based on predetermined security rules. **Intrusion detection system** is a technical security control that monitors network traffic for signs of security threats.

Answer 11

Uninterruptible power supply (UPS) ## Footnote OBJ: 3.4 - A **UPS **is a device that provides emergency power to a load when the input power source fails, thus ensuring continuous operation. A **voltage regulator** ensures that the voltage supplied to a device remains constant, even if there are fluctuations in the power source. However, it does not provide backup power during an outage. While **onsite and offsite backups** ensure data preservation, they don't guarantee power supply during a power loss. While a **power strip** allows for multiple devices to be plugged in simultaneously, it does not provide any form of power backup or protection against outages.

Answer 12

To ensure that the vendor's practices align with the organization's requirements ## Footnote OBJ: 5.3 - Due diligence includes assessing the vendor's security practices and confirming that they meet the organization's security requirements and standards. Due diligence in the vendor selection process involves evaluating the financial stability and reliability of the vendor to ensure they are capable of fulfilling their obligations. Due diligence involves examining the vendors' security practices and ensuring that they comply with a company's own practices. It doesn't normally extend to evaluating a vendors' suppliers' supply chains. It is important to make the best choice of vendors, however that isn't what due diligence means. Due diligence may include checking their performance history and reputation with previous clients to gauge their track record.

Answer 13

Sanitization involves erasing data so it cannot be recovered; destruction is total physical demolition of the asset. ## Footnote OBJ: 4.6 - Sanitization involves the process of permanently erasing or de-identifying data on a device so it cannot be recovered, while destruction is about physically demolishing the asset, ensuring no data can be extracted from it. Sanitization does not refer to physically damaging the asset; instead, it has to do with removing or de-identifying data so it cannot be recovered. Destruction involves physical destruction of the asset itself. Sanitization and destruction refer to two different types of procedures in the disposal process and are not synonyms. Sanitization and destruction involve methods of removing or totally destroying data or assets rather than internal asset redistribution in an organization.

Answer 14

SD-WAN ## Footnote OBJ: 3.2 - **SD-WAN (Software-defined wide area network) **provides centralized network management, flexible routing, and traffic management capabilities. It can be hosted both on-premises and in the cloud, giving it an edge for comprehensive WAN optimization. **TLS (Transport Layer Security)** operates at the application layer and is primarily used for securing application-level communication. It doesn't offer WAN optimization or centralized network management. While **SASE **offers both network security and WAN capabilities, its primary selling point is as a cloud-based solution that integrates both. It doesn't focus solely on WAN performance optimization. **AH (Authentication header)** is a protocol component of IPSec which offers packet integrity but does not specifically cater to WAN optimization or management.

Answer 15

802.1X ## Footnote OBJ: 3.2 - **802.1x** is a standard developed by the IEEE to govern port-based network access. When used with a RADIUS based authentication server it provides authentication services, checking user credentials to ensure that the user is a legitimate part of the organization and granting access to only those areas of the system that the user is allowed to access. **Fail-open** refers to what happens when a network encounters errors and exceptions. Fail-open means that when errors occur or exceptions are encountered, the system continues allowing access rather than denying access. Fail-open allows a website to continue offering services even after an error has occurred. The emphasis is, therefore, keeping the website up while the error is addressed, hoping that the error is a minor issue. An **intrusion detection system (IDS)** monitors network traffic for malicious activities. It alerts to the potential activity but does not prevent it from passing through the network. In this way, it provides a layer of protection without slowing down network performance. **Fail-close** refers to what happens when a network encounters errors and exceptions. Fail-close means that when errors occur or exceptions are encountered, the system denies further access. This prevents any further network traffic until the error or exception are dealt with. While this provides greater security, it means that a website can’t be accessed even if the error encountered is minor or doesn’t pose a security threat.

Answer 16

Risk tolerance ## Footnote OBJ 5.2 - The 10% fluctuation is an example of the firm's **risk tolerance**, which specifies the risk tolerance, which is the acceptable variance in the high-risk portfolio's performance before triggering action. **Risk management** is the overarching process of identifying, assessing, and responding to risks, which includes setting risk tolerance but is not represented by the 10% fluctuation itself. A **risk matrix** is a visual tool used to determine the severity and likelihood of risks, not the acceptable variance in investment performance. While the firm's decision to have a high-risk investment portfolio at all does reflect its **risk appetite**, the question specifically refers to the acceptable variance, which is the risk tolerance.

Answer 17

Shadow IT ## Footnote OBJ: 2.1 - **Shadow IT** is a type of threat actor that is the result of unauthorized or unapproved IT systems or devices within an organization. Shadow IT can introduce security risks and compliance issues for an organization, but the damage is usually unintentional. It results from employees or insiders who bring in equipment or alter systems for their own convenience and without getting permission. **Nation-state actors** are a type of threat actor that is sponsored by a government or a country's military. They normally have high resources/funding and high level of sophistication/capability. Nation-state actors can launch advanced and persistent attacks against other countries, organizations, or individuals. They create harm on purpose. A **hacktivist** is a threat actor that is motivated by philosophical or political beliefs and often targets organizations or governments that they disagree with. Hacktivists may use unauthorized or unapproved IT systems or devices but the harm they cause is done on purpose An unskilled attacker is a type of threat actor that has little or no technical skills and has low resources/funding and low level of sophistication/capability. **Unskilled attackers** often launch simple and opportunistic attacks using tools or scripts developed by others. The damage they do might be minor, but they do intend to do damage.

Answer 18

Automating the provisioning of account credentials. ## Footnote OBJ: 4.7 - Using scripting, IT can automatically create user accounts, set default passwords, and assign appropriate access rights based on the role of the new employee. While scripting can perform many tasks, producing physical manuals typically isn't within its domain of automation. Scripting aids in automation, but it doesn't replace or facilitate human-to-human interactions such as interviews. While scripting can automate various processes, it doesn't directly enhance the quality or content of training materials.

Answer 19

Key exchange ## Footnote OBJ: 1.4 - **Key exchange** is a process in which two communicating parties establish a shared secret key, typically used for symmetric encryption. This key is established in a manner so that eavesdroppers, even if they intercept the key exchange messages, cannot determine the shared key. The most common method for key exchange is the Diffie-Hellman protocol. **Asymmetric encryption** uses different keys for encryption and decryption, but it doesn't involve the exchange of cryptographic keys. **Symmetric encryption** the same key for both encryption and decryption, but it doesn't involve the exchange of cryptographic keys. **Hashing** involves converting input data (often called a message) into a fixed-length string of bytes. It's primarily used for data integrity checks and is not reversible, meaning you cannot retrieve the original input from its hash. Therefore, it isn't suitable for the purpose of exchanging cryptographic keys or establishing shared secrets for communication.

Answer 20

Compromised availability leading to operational disruptions. ## Footnote OBJ: 4.7 - A single point of failure can jeopardize the entire system's uptime, introducing potential security risks and halting processes. Upholding data confidentiality is a primary security concern, but it isn't directly related to the risks of single points of failure. Data integrity ensures data remains accurate and consistent over its lifecycle, but it doesn't directly link to concerns of single points of failure. Scalability ensures systems can handle growth, but it isn't focused on the immediate availability risks associated with single points of failure.

Answer 21

Reviewing event logs ## Footnote OBJ: 4.3 - **Event logs** can provide insight into system and process behaviors. By examining these logs, an organization can validate whether a vulnerability has been adequately addressed or if it's still causing issues. **Rescanning** is about running the vulnerability scan again to identify remaining vulnerabilities but doesn't provide insights from system and network logs. While it's about keeping systems updated, **patch management** itself doesn't involve examining logs to validate vulnerability remediation. **Threat modeling** is a process of understanding and mapping potential threats but doesn't validate vulnerability remediation through logs.

Answer 22

Data Controller ## Footnote OBJ: 5.4 - A **Data Controller** is an individual or entity that determines the purposes and means of processing personal data. They have primary responsibility for ensuring the data's protection and compliance with privacy regulations. An identifiable person whose personal data is being processed by a data controller or processor. A **Data Processor** is an individual or entity that processes personal data on behalf of the data controller, without deciding the purposes or means of the processing. The **Data Custodian** typically responsible for ensuring the safety and maintenance of data assets through its various stages of storage, but doesn't decide on processing methods.

Answer 23

Disabling ports ## Footnote OBJ: 2.5 - **Disabling ports** is the act of turning off specific communication points in a system to reduce potential vulnerabilities or halt unauthorized access. **Encryption** is the process of converting data into a code to prevent unauthorized access. It doesn't deal with turning off specific entry or exit points in a system. **Monitoring** is the continuous observation and checking of a system or network to ensure its functionality and security. It is not directly related to shutting off communication points. **Segmentation** is the dividing a network into different parts or segments for security and performance enhancement, but not specifically about shutting off communication points.

Answer 24

Layer 7 Firewall ## Footnote OBJ: 3.2 - A **Layer 7 firewall** operates at the application layer and can make more granular decisions about the traffic based on the application-payload, which makes it the most effective choice in this scenario. **802.1x** is a standard developed by the IEEE to govern port-based network access. When used with a RADIUS based authentication server it provides authentication services, checking user credentials to ensure that the user is a legitimate part of the organization and granting access to only those areas of the system that the user is allowed to access. A** Layer 4 Firewall** operates at the transport layer which provides less granularity for blocking or allowing traffic based on the application-payload. A **VPN** provides a secure method for remote operations by creating an encrypted connection over the internet. It establishes a secure tunnel so that data can be securely transferred even over insecure networks.

Answer 25

Inline ## Footnote OBJ: 3.2 - **Inline** devices are designed to interact with network traffic actively and can take actions such as accepting, rejecting, or modifying packets, making them the optimal choice for this scenario. Secure Access **Service Edge (SASE)** is a form of cloud architecture that combines a number of services as a single service. By providing services like Software-defined wide are network (SD-WAN), firewalls as a service, secure web gateways, and zero-trust network access, SASE will reduce cost and simplify management while improving security. The integrated nature of the architecture means the technologies used will work together efficiently. It may include a packet analyzer, but that isn't the focus of the architecture. Fail-close refers to what happens when a network encounters errors and exceptions. **Fail-close** means that when errors occur or exceptions are encountered, the system denies further access. This prevents any further network traffic until the error or exception are dealt with. While this provides greater security, it means that a website can’t be accessed even if the error encountered is minor or doesn’t pose a security threat. This is a response to errors and exceptions, it doesn't read and interact with packets. **Remote access** allows users to connect to a network or a device from a distant location, but it does not pertain to actively interacting with network traffic to reject or modify packets.

Answer 26

The signatures require tuning. ## Footnote OBJ: 4.5 - When signatures are overly broad or not precisely defined, they might incorrectly match legitimate network traffic, leading to false positives. Signature-based detection works by inspecting traffic patterns, whether encrypted or not. However, the encrypted nature of traffic isn't the primary reason for false positives in signature-based detection. While outdated signatures might miss newer threats, they aren't typically the cause of false positives. Instead, they might lead to false negatives. Where the signature database is stored does not influence the accuracy of the detection. It's the quality and precision of the signatures that matter most.

Answer 27

Monitoring ## Footnote OBJ: 2.5 - **Monitoring**, the continuous observation and checking of system or network operations, often involves tools like Nagios or Splunk to ensure its functionality and security. Implementing **hardening techniques** to secure a system, which might include many methods, doesn't inherently imply the use of Nagios or Splunk. **Patching** is the act of updating or fixing software to address vulnerabilities, but it is not particularly about continuous observation using specific tools. Dividing a network into different parts or **segments** for security and performance enhancement, but not specifically using observation tools like Nagios or Splunk.

Answer 28

DAC ## Footnote OBJ: 1.2 - **Discretionary Access Control (DAC)** is an authorization model where the owner of the resource decides who is allowed to access it. **Mandatory Access Control (MAC)** is an authorization model where access to resources is determined by a set of rules defined by a central authority. **Role-Based Access Control (RBAC)** is an authorization model that assigns permissions to roles, rather than individual users. Attribute Based **Access Control (ABAC)** determines access through a combination of contexts and system wide attributes.

Answer 29

Digital signatures ## Footnote OBJ: 1.2 - **Digital signatures** are a method used to provide non-repudiation by using cryptographic techniques to verify the authenticity of a message or document. **Encryption** is used to protect the confidentiality of information by making it unreadable to unauthorized users, but it does not provide non-repudiation. A **Cryptographic primitive** is a single occurrence of encryption, like one hash or one symmetric key. It is used for encryption. Non-repudiation requires multiple cryptographic primitives. **Firewalls** are used to protect networks by controlling incoming and outgoing traffic, but they do not provide non-repudiation.

Answer 30

$1,500 ## Footnote OBJ: 5.2 - The ALE is calculated by multiplying the SLE by the ARO. With an SLE of $15,000 and an ARO of 0.1, the ALE equals $1,500 ($15,000 * 0.1 = $1,500). This represents the expected yearly financial loss due to operational failures. $150 isn't correct. $15,000 isn't correct. $150,000 isn't correct.

Answer 31

Reduced response time to security incidents. ## Footnote Automated systems can instantly detect and respond to threats, ensuring faster mitigation compared to manual responses. Automation can speed up patching, but it doesn't necessarily extend the time patching takes. The focus is on efficiency, not prolonging processes. While automation can free up time, it doesn't specifically allocate more time for meetings or administrative tasks. Automation doesn't directly increase the working hours for staff. Instead, it often aims to decrease the need for overtime and off-hours interventions.

Answer 32

To provide historical insights into security incidents for future investigations. ## Footnote OBJ: 4.4 - Archiving in the context of security is essential for maintaining a record of all system logs. This not only ensures that historical data is available for audits or investigations but also provides valuable insights into past incidents, aiding in enhancing security measures. While real-time threat analysis is crucial in security, archiving is more focused on preserving past data for future reference and not immediate threat mitigation. Compliance with regulations often requires long-term data storage, so this statement is contradictory. While backups are essential for system recovery, archiving in the security context goes beyond this and is centered around preserving logs and alerts for investigative and compliance purposes.

Answer 33

Enforcing baselines helps to standardize configurations across systems, enabling efficient automation and reducing the risk of security incidents. ## Footnote OBJ: 4.7 - Enforcing baselines is about maintaining a standard, secure configuration across all systems. This standardization is crucial for efficient automation, as it ensures all systems are at a known, secure state. This reduces the risk of security incidents as it minimizes configuration drift and variance, which can create security vulnerabilities. While automation can certainly assist in incident response, enforcing baselines does not mean you can completely automate this process. Human intervention is still necessary to determine the appropriate response to an incident, even when automation is used to aid in detection and initial response. Enforcing baselines does not eliminate the need for continuous monitoring. While it provides a standard configuration that can help in identifying anomalies, continuous monitoring is still necessary to ensure that systems remain at their baseline state and to detect any potential security incidents. While automation can certainly aid in threat hunting, this is not the primary purpose of enforcing baselines. Baselines are more about maintaining a standard level of security across the system, rather than actively seeking out threats.

Answer 34

Risk tolerance ## Footnote OBJ: 5.2 - **Risk tolerance** refers to an organization's predetermined level of acceptable risk exposure. It represents the extent to which an organization is willing to tolerate potential risks before taking action to mitigate or avoid them. The **exposure factor** is a calculation that determines the amount of value that is lost if an event takes place. It doesn't measure an organization's level of acceptable risk exposure. The term "**conservative**" is not directly related to risk management. In financial contexts, it may refer to a risk-averse approach or cautious decision-making. While similar to risk tolerance, **risk appetite** refers to the amount of risk an organization is willing to take on to achieve its strategic objectives. It represents the organization's overall attitude toward risk-taking.

Answer 35

National legal implications ## Footnote OBJ: 5.4 - **National legal implications **are laws and regulations set at the country level that outline the requirements and boundaries for data protection and privacy. **Consent management** is a process that ensures organizations obtain and manage the consent of individuals before collecting or processing their personal data. **Data encryption** is a method used to protect data from unauthorized access by converting it into a code. The **GDPR** is a regulation enacted by the European Union to ensure data protection and privacy for all its citizens.

Answer 36

Agent based NACs use additional software to authenticate users, while Agentless NACs use network level protocols to authenticate users. ## Footnote OBJ: 4.4 - Both forms of NAC authenticate users and grant access. Agent-based NACs use a software component installed on a central server to monitor network traffic, while Agentless involves monitoring network devices directly through the use of network level protocols without the need for additional software. Agent-based NACs require additional software. There isn't a difference in the amount of data they collect. Both forms of NAC authenticate users and grant access. Agent-based NACs use a software component installed on a central server to monitor network traffic, while Agentless involves monitoring network devices directly through the use of network level protocols without the need for additional software. Agentless NACs don't require additional software. There isn't a difference in the amount of data they collect.

Answer 37

End-of-life vulnerability ## Footnote OBJ: 2.3 - **End-of-life vulnerability** can allow a hardware attack that involves exploiting vulnerabilities in devices that are no longer supported or updated by the manufacturer. It can allow an attacker to compromise the security or functionality of the device, or use it as a gateway to access other systems or networks. A **legacy vulnerability** may allow an attack that involves exploiting vulnerabilities in devices that are outdated or obsolete, but still in use. It can allow an attacker to compromise the security or functionality of the device, or use it as a gateway to access other systems or networks. **Hardware tampering** is a hardware attack that involves physically altering or damaging hardware devices to compromise their functionality, performance, or security. It can allow an attacker to install malware, backdoors, spyware, or vulnerabilities on the device. **Hardware cloning** is a hardware attack that involves creating unauthorized copies of hardware devices to counterfeit their functionality, performance, or security. It can allow an attacker to sell fake products, steal intellectual property, or bypass authentication mechanisms.

Answer 38

Host-based Firewall ## Footnote OBJ: 2.5 - Using a **Host-based firewall** is a hardening technique that can help protect a system or device from unauthorized or malicious network traffic. Host-based firewalls by use software to filter and control incoming and outgoing network traffic by using predefined rules and policies. The policies and rules are based on criteria such as source and destination IP address, port number, protocol. Host-based firewall involves installing software on a system or device. **Encryption** is a mitigation technique that involves using mathematical algorithms to transform data into an unreadable format. Encryption can protect data from unauthorized access or modification, as only those who have the secret key or algorithm can decrypt the data. Encryption will not stop data from entering a host machine. Using a **Host-based Intrusion Prevention System (HIPS)** is a hardening technique that can help prevent attacks from occurring. It is software that is installed on a system or device to detect and prevent unauthorized actions like file modifications and registry changes. A HIPS may include a firewall, but will contain other features as well. **Patching** is a mitigation technique that can help prevent exploitation of known vulnerabilities on systems and devices by updating them with the latest security fixes and enhancements. Patching involves applying patches or updates to any software and systems.

Answer 39

Encryption algorithm ## Footnote OBJ: 1.4 - An **encryption algorithm** provides a structured method for converting plaintext into ciphertext. A good algorithm ensures data remains confidential and secure from unauthorized access. **Digital signatures** validate the authenticity and integrity of a message or document, ensuring it hasn't been tampered with since being signed. A **cipher block** refers to a fixed-size portion of data that an encryption algorithm processes. It doesn't define the mathematical method itself. A **hash function** takes input and returns a fixed-size string, typically used for verifying data integrity, but it does not encrypt data for the purpose of confidentiality.

Answer 40

It maintains the integrity of digital evidence over time. ## Footnote OBJ: 4.8 - Preserving evidence ensures that it remains unchanged and is kept in a state where its authenticity is intact for the duration of the investigation and any subsequent legal proceedings. While resources are necessary, preservation focuses on keeping evidence secure and unaltered. While prioritization is a part of investigation processes, preservation itself is about safeguarding evidence once collected. Preservation is about ensuring evidence remains unchanged, not about strategizing for a legal case.

Answer 41

Session management ## Footnote OBJ: 5.1 - These refer to the protocols that maintain the security of user interactions on the web, including the secure creation and transfer of unique identifiers or "cookies," and setting inactivity limits to automatically terminate the session if the user is inactive for a certain period. **Timeout policies** contribute to these practices by defining when an inactive session should end, but they do not include the secure transmission and generation of identifiers. **Token handling** involves managing security tokens within a system, but on its own, it doesn't cover all aspects of what is required to maintain the security of user interactions, including setting inactivity limits. While **session cookies** are a part of what is managed, this term alone does not encompass the full scope of practices like setting inactivity limits.

Answer 42

Disabling unnecessary services and protocols. ## Footnote OBJ: 3.2 - Reducing active services and protocols minimizes potential entry points for attackers, thereby reducing the attack surface. Relying on a single layer of security can leave the network vulnerable if that layer is compromised. Allowing most inbound and outbound traffic would significantly expand the attack surface by allowing potentially malicious traffic. Uniform passwords increase the risk of a widespread breach if the common password is compromised.

Answer 43

An attacker gained access, created the unauthorized account, and removed logs. ## Footnote OBJ: 2.4 - The combination of missing logs and an unauthorized account creation suggests malicious activity. Attackers remove evidence of their presence and actions by deleting or altering logs. Pausing a backup for maintenance is plausible, but it wouldn't result in the creation of an unauthorized account, nor would it typically remove logs. While low storage could prevent backups, it wouldn't delete logs or create unauthorized accounts. While the IT team creating a new account for a new employee and forgetting to inform him might explain the creation of a new account, it doesn't account for the missing logs. It's also a best practice for IT to notify of such changes.

Answer 44

Decentralized governance ## Footnote OBJ: 5.1 -In **decentralized governance**, decision-making is distributed among various departments or sectors, promoting responsiveness and specialization. **Hierarchical management** implies a top-down approach to decision-making and does not necessarily allow for autonomy in separate departments. **Flat organization **refers to an organization with few or no levels of middle management between staff and executives, which affects management layers but not necessarily decision-making distribution. While **matrix structure** involves multiple reporting lines, it does not solely define the decision-making autonomy of departments.

Answer 45

Layer 4 ## Footnote OBJ: 3.2 - **Layer 4**, or the transport layer, deals with protocols like TCP and UDP and is concerned with port numbers and connection-oriented communication. Network appliances operating at this layer filter and manage traffic based on source and destination IP addresses, as well as port numbers. **Layer 3**, the network layer, is primarily focused on routing data and IP addressing. Devices at this layer, like routers, aren't primarily concerned with port numbers. **Layer 5**, the session layer, establishes, maintains, and terminates connections between applications on different devices. It doesn't handle filtering based on IP addresses and port numbers. **Layer 2**, the data link layer, deals with frames and MAC addresses. Switches typically operate at this layer.

Answer 46

Complexity ## Footnote OBJ: 4.7 - **Complexity** refers to the degree of intricacy in a system or process. In automation and orchestration, high complexity can lead to challenges in maintenance, understanding, and implementation. **Ongoing supportability** relates to the ease with which a system can be maintained and supported over time, but it doesn't specifically address the intricacy or convolution of a system. While high complexity can lead to increased costs, the term '**cost**' encompasses a broader range of financial considerations, not just those associated with intricate systems. While **technical debt** can be a consequence of complexity, it more specifically refers to the implied cost of additional rework caused by choosing a quicker yet less optimal solution.

Answer 47

Resilience ## Footnote OBJ: 3.1 - **Resilience** in cloud architecture refers to the ability of the system to quickly recover from failures and maintain operational performance, crucial for ensuring availability during adverse conditions. **Availability** refers to guaranteeing a system will continue to operate so that the system can be used regardless of conditions. Resilience, like availability, refers to keeping a system functioning, but also directly addresses how quickly a system can recover after adverse conditions have led to a failure. **Scalability** means that the system can expand when more resources are needed without creating lags or problems for users. This expansion isn't considered an adverse condition. Increased business is seen as a positive attribute. Resilience is the ability of a system to quickly recover after failures due to adverse conditions. **Ease of Deployment** means that new instances and the entire cloud environment can be easily created. Resilience is the ability to maintain operational performance and recover quickly from failures.

Answer 48

Risk threshold ## Footnote OBJ: 5.2 - The $500,000 financial impact figure is an example of a **risk threshold**, as it is the specific point at which the company must act to mitigate risk. While **risk limit** is not a standard term, it could colloquially be used to describe a risk threshold, but in this context, the correct term is "risk threshold." **Risk level** pertains to the severity of risk and does not describe the actionable limit set by the company. **Risk tolerance** refers to the general level of risk the firm is willing to accept, not the precise financial impact threshold for action.

Answer 49

Shadow IT ## Footnote OBJ: 2.1 - **Shadow IT** is a type of threat actor that is the result of unauthorized or unapproved IT systems or devices within an organization. In this case, the device may introduce security risks and compliance issues for an organization, but the employee wasn't intending any harm to the company. An unskilled threat actor is one that lacks technical expertise or sophistication. **Unskilled attackers** often launch simple and opportunistic attacks using tools or scripts developed by others. The employee in this case may be unskilled but the employee didn't attach the device to cause problems for the company. **Nation-state actors** are a type of threat actor that is sponsored by a government or a country's military. They normally have high resources/funding and high level of sophistication/capability, but they are not a part of the organization they attack. An **insider threat** is a type of threat actor that has authorized access to an organization’s network, systems, or data and has variable resources/funding and level of sophistication/capability depending on their role and position. Insider threats can abuse their authorized access, leak information, sabotage operations, or collaborate with external actors. They intend to harm the company by their actions. 

Answer 50

Risk owner ## Footnote OBJ: 5.2 - Sarah exemplifies a **risk owner**, as she is tasked with the ongoing management and mitigation of risks pertaining to the data management platform. A **risk register** would be the tool Sarah uses to track and assess the risks, not her role. A **risk indicator** would be a metric Sarah might monitor to assess risk levels, not her position. A **risk assessor** might be a role that Sarah takes on when evaluating risks, but it does not encapsulate her comprehensive management responsibilities.

Answer 51

Data exfiltration ## Footnote OBJ: 2.1 - **Data exfiltration** refers to the act of stealing sensitive or confidential data from a system or network. Data exfiltration can be done for financial gain, espionage, blackmail, or other purposes. **Service disruption** refers to the act of impairing or interrupting the availability or functionality of a system or network. Service disruption can be done as a form of protest, sabotage, or diversion of resources or it can be used to gain money through ransom. Attackers with **ethical motivations** will attack an organization that acts unjustly or improperly. There are many ways in which the attackers can publicize the unjust or improper actions, but data exfiltration is not as likely as defacement or other actions. If an attacker is motivated by wanting to cause disruption or chaos, she will want to create fear or panic. She might also want to slow down or stop interactions between an organization and its clients. Stealing information is less likely to cause these problems than attacks such as denial of services or ransomware.

Answer 52

Inadequate buffer overflow protections. ## Footnote OBJ: 3.1 - RTOSs prioritize performance, sometimes at the expense of security features like buffer overflow protections, potentially leaving the system susceptible to certain attacks. RTOSs aren't primarily concerned with supporting legacy protocols, and this isn't a direct security risk associated with them. RTOSs are designed for efficiency and generally don't involve the overheads from virtualization layers. While cloud access can pose risks, it's not an inherent security implication of using an RTOS.

Answer 53

Layer 7 ## Footnote OBJ: 3.2 - **Layer 7**, or the application layer, deals with end-user services, and appliances at this layer can make filtering decisions based on specifics like URLs, HTTP headers, and specific application functions. **Layer 6**, the presentation layer, is responsible for translating data between the application and transport layers. **Layer 5**, the session layer, manages connections between applications. It isn't focused on the content-specific criteria like URLs and HTTP headers. **Layer 3** devices are concerned with IP addressing and routing.

Answer 54

Verify the legitimacy of the software vendor. ## Footnote OBJ: 4.1 - Before making any purchases, it's essential to ensure the vendor is reputable to avoid acquiring counterfeit or malicious software. Financial considerations, while valid, come after ensuring security. Compatibility is important, but first, you need to ensure you're buying from a reputable source. While collaboration is crucial, the first step should be to ensure the vendor's legitimacy.

Answer 55

Using a passphrase to generate a pairwise master key (PMK). ## Footnote OBJ: 2.2 - WPA2-PSK leverages a passphrase to create a key, called the PMK, to encrypt communications. This is a distinguishing feature of WPA2's personal authentication. The Dragonfly handshake is a key feature of the WPA3's Simultaneous Authentication of Equals (SAE) method. This does not pertain to the WPA2 authentication mechanism. PAKE is specifically a method associated with WPA3's SAE protocol. It's not the method employed by WPA2 for authentication. QR codes for configuration relate to the newer Easy Connect method. It is not a characteristic of WPA2 Personal authentication.

Answer 56

Patching is the process of identifying and fixing security vulnerabilities in software, firmware, and operating systems to prevent potential exploits. ## Footnote OBJ: 4.3 - Patching is the process of identifying and fixing security vulnerabilities in software, firmware, and operating systems. Regularly applying patches helps prevent potential exploits and ensures the system remains secure against known vulnerabilities. Patching is not related to securing physical entry points; instead, it focuses on software and firmware updates to address security vulnerabilities. Patching focuses on software updates to address security issues. It will update software that is used by hardware, but it doesn't update hardware components. Patching is not about installing special, custom made features software interfaces but rather updating software to address security vulnerabilities.

Answer 57

Ownership ## Footnote OBJ: 4.2 - **Ownership **helps in determining who is responsible for the asset, ensuring clear lines of accountability and often helping in deciding the access rights. **Monitoring** involves keeping an eye on the performance and status of assets, rather than establishing responsibility. **Decommissioning** pertains to the process of retiring assets and doesn't directly associate assets with specific entities. **Acquisition **refers to the process of obtaining assets, not the association of assets with individuals or departments.

Answer 58

Environmental variables refer to the unique characteristics of an organization's infrastructure that can affect vulnerability assessments and risk analysis ## Footnote OBJ: 4.3 - Environmental variables refer to the unique characteristics of an organization's infrastructure, business environment, and operational context that can impact vulnerability assessments and risk analysis. Understanding these variables is crucial to conducting effective vulnerability management and developing appropriate risk mitigation strategies. These variables are not specific conditions triggering automated responses; rather, they are factors related to an organization's infrastructure and business environment that impact vulnerability management processes. While vulnerability scanning tools may use various parameters, environmental variables refer to different aspects related to an organization's infrastructure and business environment. While physical security factors are important, environmental variables in this context have a different focus.

Answer 59

Implementing a central OAuth authorization server to handle user authentication and issue access tokens to third-party applications. ## Footnote OBJ: 4.6 - Implementing a central OAuth authorization server is the best approach for secure and standardized access to user account data. The authorization server acts as an intermediary between the user and the third-party application, handling user authentication and issuing access tokens to authorized applications. By using OAuth, the user can grant limited access to their account data without sharing credentials directly. Providing unrestricted access to user account data without authentication or authorization is highly insecure and violates the principles of access management. OAuth's purpose is to provide controlled access to specific data, ensuring that third-party applications are authorized only for the data they require and nothing more. While generating random access tokens is a step in the right direction, sharing them directly with third-party applications is not recommended. OAuth operates on the principle of "authorization delegation," where the user grants access to specific data to third-party applications. Access tokens should be issued by an authorization server and presented by the third-party application to access limited data on behalf of the user. Asking users to share their account credentials directly with third-party applications violates the core principle of OAuth, which is to avoid sharing credentials with third parties. Sharing credentials increases the risk of unauthorized access to user accounts and sensitive data, which undermines the security objectives of OAuth.

Answer 60

To test employees' ability to recognize and report phishing attempts. ## Footnote OBJ: 5.6 - The main objective of phishing campaigns conducted during security awareness training is to test employees' ability to identify and report phishing attempts. These campaigns are designed to simulate real-world phishing attacks to gauge how well employees can recognize suspicious emails and report them to the appropriate authorities. The primary objective of phishing campaigns is not to promote a competitive environment among employees. While phishing may involve malware, it doesn't always. In addition, preventing phishing won't prevent any form of malware from spreading on a network. The primary objective of phishing campaigns is not to trick employees into revealing sensitive information.

Answer 61

Increased responsibility for physical security. ## Footnote OBJ: 3.1 - With on-premise infrastructure, organizations must ensure the physical safety of servers and other equipment against theft, tampering, and disasters. On-premise infrastructure typically allows for more control over when and how patches are applied, rather than being dependent on third-party vendors. Multi-tenancy is a concern in shared cloud environments where resources are shared among different clients, not in on-premise setups. Risk transference to third-party vendors is more relevant to cloud-based services where responsibilities are often shared between the provider and the customer.

Answer 62

Port 1433 ## Footnote OBJ: 2.5 - **Port 1433** is the default for Microsoft SQL Server. Organizations typically restrict or monitor access to this port to prevent unauthorized database operations. Domain Name System (DNS) uses **port 53** for resolving domain names into IP addresses. It isn't associated with database operations. **Port 443** is used for secure web traffic through SSL/TLS. It's not directly related to database queries. File Transfer Protocol (FTP) uses **port 21** for unencrypted data transfers, not for database operations.

Answer 63

IaC ## Footnote OBJ: 3.1 - **Infrastructure as code (IaC)** allows infrastructure to be provisioned and managed using code, making it easier to manage, replicate, and scale. While **serverless architecture** reduces the complexity of deploying code into production, it doesn't involve defining the underlying infrastructure as code. An **air-gapped network** is a security measure that involves physically isolating a computer or network and ensuring it doesn't connect to unsecured networks, especially the public internet. It doesn't deal with infrastructure management methodologies. **Microservices architecture** is about designing software applications as suites of independently deployable services, but it doesn't directly address infrastructure provisioning through code.

Answer 64

Certificate of Sanitization ## Footnote OBJ: 2.4 - A **Certificate of Sanitization** serves as a formal assurance that a device has undergone a thorough data cleansing process, ensuring all information has been securely and permanently erased. It is essential for maintaining data privacy, especially when disposing of or repurposing equipment. A **service agreement** is a formal contract that sets out terms and conditions between a service provider and a client. While it might specify various services, including data-related ones, it isn't a confirmation of data removal from a device. A **Data Retention Policy** defines the duration for which data should be stored and when it should be disposed of. While it addresses data management, it doesn't certify the secure erasure of data from a device. Typically used to authorize the purchase of goods or services. While it's an essential record in procurement processes, it doesn't have any relevance to the secure erasure of data from devices.

Answer 65

They need to set boundaries and limitations during the penetration test. ## Footnote OBJ: 5.3 - Rules of engagement are essential to ensure that the security assessment is conducted within specified parameters and doesn't inadvertently harm the vendor's operations or reputation. While the cost might be a consideration in the overall agreement, the rules of engagement are more about the technical and operational constraints of the assessment. While listing the personnel who will be involved in the security assessment might be part of the overall planning, it's not the primary purpose of the rules of engagement. Rules of engagement are focused on the current assessments, not future ones.

Answer 66

Limited security update capabilities. ## Footnote OBJ: 3.1 - SCADA systems are often engineered for specific tasks and might not receive regular security updates, making them susceptible to vulnerabilities over time. While important for real-time systems, runtime efficiency is not a primary security concern for SCADA systems. Memory constraints are more pertinent to embedded or real-time systems, not inherently a SCADA security concern. SCADA systems are not typically deployed in containers; thus, this isn't a relevant security implication.

Answer 67

Committee ## Footnote A **committee** governance structure involves forming a group with representatives from different departments or units within the organization. This approach allows for a collective decision-making process, leveraging expertise and perspectives from various parts of the company. By pooling insights from diverse sectors, the committee can ensure that decisions are holistic, considerate of multiple facets of the business, and are thus more likely to contribute to effective and efficient operations. It promotes collaboration, shared responsibility, and balanced power distribution in organizational governance. A **hierarchical** structure relies on a strict top-down approach, where decisions are made at the higher levels and passed down to the lower levels for execution. This can sometimes lead to a disconnect between the decision-makers and those affected by the decisions on the ground. **Centralized** governance concentrates decision-making power in a single authority or department, where all major decisions are made by a central entity, often top-level management. **Board** governance is typically associated with the oversight and decision-making of an organization's board of directors, which is responsible for high-level strategic decisions and governance oversight but may not involve decision-making power distribution across different departments or units.

Answer 68

Certificate Authority ## Footnote **Certificate Authorities** (CAs) are trusted entities that issue and manage security credentials and public keys for message encryption. CAs issue a digital signature wrapper to secure public keys. **Root of Trust** (RoT) is a source that can always be trusted. It is the foundation of a cryptographic system and is the central point of the chain of trust within that system. It can be a piece of hardware (a Hardware Root of Trust) or software based. It is important in PKI, but it doesn't provide digital certificates. Blockchain is a system that allows for transparent and public verification of transactions. It uses a peer to peer network that maintains a public ledger. This provides both integrity and permanency of records. It relies on peer-to-peer networks, not on digital signatures for authentication. A **Registration Authority** processes requests for digital certificates. They check credentials and authenticate the users' identity. A **Certificate Authority** may have Registration Authorities check credentials, but the Registration Authority doesn't issue certificates.

Answer 69

Risk from malicious peripheral devices ## Footnote Peripherals with malicious firmware can pose significant risks when connected. They have the potential to launch highly effective attacks. The crafting of such malicious peripherals requires extensive resources, making the risk less frequent but impactful. **Bluejacking** involves sending unsolicited messages to Bluetooth devices. It's a form of spam and doesn't refer to the risk of connecting to malicious devices. **Device discovery** makes a Bluetooth device visible to others nearby. While it can increase the risk of unwanted connections, it doesn't involve the specific threat of malicious firmware in peripherals. **Bluesnarfing** is the act of exploiting Bluetooth vulnerabilities to gain unauthorized access to data on another person's device. It doesn't specifically refer to the risk of connecting to malicious peripherals.

Answer 70

RPO (Recovery Point Objective) ## Footnote **RPO (Recovery point objective)** defines the maximum acceptable amount of data loss measured in time, determining how old backup data can be to resume normal operations after a failure. **RTO (Recovery time objective)** indicates the target amount of time to restore IT and business activities post-disaster, focusing on downtime rather than data loss. **MTBF (Mean time between failures) **measures the average operational period between failures, relating to system reliability, not data recovery metrics. **SLA (Service level agreement)** details the agreed-upon level of service between a provider and client, without specific focus on data loss time frames.

Answer 71

Vulnerabilities in redundancy mechanisms. ## Footnote While high availability systems prioritize uptime, they can sometimes introduce risks such as vulnerabilities in their failover and redundancy systems. Vulnerabilities of all cloud native environments refers to cloud-native applications, which are tailored for cloud platforms and don't inherently carry risks associated with constant uptime. Embedded systems' primary concerns revolve around their inability to quickly update or patch, which doesn't relate to uptime concerns. Limits on permissions for role based access refers to Role-Based Access Control (RBAC), which manages system access based on user roles within an organization and isn't directly tied to uptime issues. High availability wouldn't produce limits on permissions for role based access.

Answer 72

OSINT involves the use of open-source software to manage and monitor vulnerabilities in an organization's network infrastructure ## Footnote **OSINT** stands for **Open-Source Intelligence**, which involves gathering information from publicly available sources to gain insights and assess potential risks, but it does not relate to the use of open-source software for vulnerability management. OSINT is open-source, not proprietary software. While tracking and monitoring hardware assets is essential, OSINT primarily focuses on gathering intelligence from publicly available sources to assess security risks. While assessing vulnerabilities in operating systems is essential, OSINT is not limited to this specific activity.

Answer 73

Technical ## Footnote **Technical** security controls are measures that are put in place to protect the confidentiality, integrity, and availability of a system or network. These controls can include firewalls, intrusion detection/prevention systems, encryption, and access controls. **Managerial** security controls are measures that involve managing and directing the overall security of an organization. These controls can include risk assessments, security awareness training, and incident response planning. **Operational** security controls are measures that involve the day-to-day operations of an organization’s security. These controls can include backup and recovery procedures, configuration management, and media protection. **Physical ** security controls are measures that involve protecting an organization’s physical assets. These controls can include security cameras, locks, and security badges.

Answer 74

Risk Transference ## Footnote Understanding **risk transference** is essential when considering hybrid cloud architectures, as it helps determine how certain responsibilities and risks can be shifted to cloud providers, mitigating potential liabilities. While the **Responsibility Matrix** outlines the roles of a company and the cloud provider, it is not a measure of how risk is specifically transferred between entities. Although **air-gapped systems** provide a level of security, they do not directly address the shifting of risk to other entities **Logical segmentation** is crucial for network security in hybrid cloud considerations, but it does not directly assess how risk is transferred between entities.

Answer 75

PCI DSS ## Footnote **PCI DSS (Payment Card Industry Data Security Standard)** is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. **FISMA (Federal Information Security Management Act)** is focused on the security of federal data but doesn't specifically address the handling of credit card information. **HIPAA (Health Insurance Portability and Accountability Act)** is specific to the health industry and focuses on the protection of sensitive patient health information, not credit card transactions. While the **CCPA (California Consumer Privacy Act)** is focused on consumer privacy rights and data protection, it doesn't specifically cater to credit card transactions or define standards for financial information storage.

Answer 76

Likelihood ## Footnote **Likelihood** is used in qualitative risk analysis to subjectively describe how probable a risk event is, often expressed in terms such as "low," "medium," or "high." The **exposure factor (EF)** is the fraction of the asset value that is at risk in the event of a security incident. While a **confidence level** might inform the use of "high" in different contexts, it doesn't specifically refer to the qualitative measure of risk probability. A **risk rating** incorporates both likelihood and impact to give an overall score to a risk but is not the term used to express the chance of occurrence alone.

Answer 77

A data-driven standard operating procedure (SOP) for responding to cyberthreats. ## Footnote A **playbook**, also known as a runbook, guides junior analysts through steps to detect and handle cyberthreats such as phishing, SQL injection, and others, starting with a SIEM report. A playbook is not a personnel roster; it's a guideline to address specific cyberthreat scenarios effectively. While SIEM systems are essential in cybersecurity, a playbook specifically details the response process to certain cyberthreats and not the setup of the SIEM system. While historical records are crucial, a playbook is a proactive tool designed to guide the response to specific types of cyber threats.