Section 19-20 Flashcards

1
Q

A security analyst discovers that a large number of employee credentials had been stolen and were being sold on the dark web. The analyst investigates and discovers that some hourly employee credentials were compromised, but salaried employee credentials were not affected. Most employees clocked in and out while they were inside the building using one of the kiosks connected to the network. However, some clocked out and recorded their time after leaving to go home. Only those who clocked in and out while inside the building had credentials stolen. Each of the kiosks is on a different floor, and there are multiple routers, since the business segments environments for certain business functions. Hourly employees are required to use a website called acmetimekeeping.com to clock in and out. This website is accessible from the internet. Which of the following is the most likely reason for this compromise?

a.
A brute-force attack was used against the time-keeping website to scan for common passwords.
b.
A malicious actor compromised the time-keeping website with malicious code using an unpatched vulnerability on the site, stealing the credentials.
c.
The internal DNS servers were poisoned and were redirecting acmetimekeeping.com to a malicious domain that intercepted the credentials and then passed them through to the real site.
d.
ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine.

A

d.
ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine.
ARP poisoning involves intercepting network traffic by associating the attacker’s MAC address with the IP address of a legitimate system on the network. In this scenario, the kiosks inside the building were likely affected by ARP poisoning, causing them to send a copy of the credentials to a malicious machine. This explains why only those who clocked in and out while inside the building had their credentials stolen.

2
Q

A security analyst notices an unusual amount of traffic hitting the edge of the network. Upon examining the logs, the analyst identifies a source IP address and blocks that address from communicating with the network. Even though the analyst is blocking this address, the attack is still ongoing and coming from a large number of different source IP addresses. Which of the following describes this type of attack?

a.
Privilege escalation.
b.
DNS poisoning.
c.
Buffer overflow.
d.
DDoS.

A

d.
DDoS.
A Distributed Denial of Service (DDoS) attack involves multiple systems attacking a single target, causing a denial of service. The attack coming from a large number of different source IP addresses is indicative of a DDoS attack.

3
Q

A company’s public-facing website, ‘https://www.organization.com’, has an IP address of ‘166.18.75.6’. However, over the past hour the SOC has received reports of the site’s homepage displaying incorrect information. A quick nslookup search shows ‘https://www.organization.com’ is pointing to ‘151.191.122.115’. Which of the following is occurring?

a.
DoS attack.
b.
ARP poisoning.
c.
NXDOMAIN attack.
d.
DNS spoofing.

A

d.
DNS spoofing.
DNS spoofing involves altering DNS records to redirect traffic from the intended IP address to a malicious one. In this case, the incorrect IP address pointing to the website indicates that DNS spoofing is occurring.

4
Q

A company tested and validated the effectiveness of network security appliances within the corporate network. The IDS detected a high rate of SQL injection attacks against the company’s servers, and the company’s perimeter firewall is at capacity. Which of the following would be the best action to maintain security and reduce the traffic to the perimeter firewall?

a.
Convert the firewall to a WAF and use IPSec tunnels to increase throughput.
b.
Set the firewall to fail open if it is overloaded with traffic and send alerts to the SIEM.
c.
Configure the firewall to perform deep packet inspection and monitor TLS traffic.
d.
Set the appliance to IPS mode and place it in front of the company firewall.

A

d.
Set the appliance to IPS mode and place it in front of the company firewall.
Setting the appliance to IPS (Intrusion Prevention System) mode and placing it in front of the company firewall allows for real-time traffic analysis and automatic blocking of malicious traffic, reducing the load on the perimeter firewall and maintaining security.

5
Q

A Chief Information Security Officer wants to monitor the company’s servers for SQLi attacks and allow for comprehensive investigations if an attack occurs. The company uses SSL decryption to allow traffic monitoring. Which of the following strategies would best accomplish this goal?

a.
Logging all NetFlow traffic into a SIEM.
b.
Deploying network traffic sensors on the same subnet as the servers.
c.
Logging endpoint and OS-specific security logs.
d.
Enabling full packet capture for traffic entering and exiting the servers.

A

d.
Enabling full packet capture for traffic entering and exiting the servers.
Enabling full packet capture for traffic entering and exiting the servers allows for detailed analysis of the traffic, including the payload, which is necessary for detecting SQLi attacks and conducting comprehensive investigations.

6
Q

A systems administrator set up a perimeter firewall but continues to notice suspicious connections between internal endpoints. Which of the following should be set up in order to mitigate the threat posed by the suspicious activity?

a.
Web application firewall.
b.
Access control list.
c.
Application allow list.
d.
Host-based firewall.

A

d.
Host-based firewall.
A host-based firewall provides an additional layer of security by filtering incoming and outgoing traffic on individual devices, helping to mitigate threats posed by suspicious internal activity.

7
Q

Which of the following risks can be mitigated by HTTP headers?

a.
SQLi.
b.
DoS.
c.
SSL.
d.
XSS.

A

d.
XSS.
HTTP headers like Content-Security-Policy (CSP), X-XSS-Protection, and X-Content-Type-Options help prevent XSS attacks by controlling what resources can be loaded and how content is handled.

8
Q

The CIRT is reviewing an incident that involved a human resources recruiter exfiltrating sensitive company data. The CIRT found that the recruiter was able to use HTTP over port 53 to upload documents to a web server. Which of the following security infrastructure devices could have identified and blocked this activity?

a.
WAF utilizing SSL decryption.
b.
NGFW utilizing application inspection.
c.
UTM utilizing a threat feed.
d.
SD-WAN utilizing IPSec.

A

b.
NGFW utilizing application inspection.
NGFW (Next-Generation Firewall) utilizing application inspection can inspect traffic at the application layer and block unauthorized use of protocols like HTTP over port 53.

9
Q

A security analyst receives alerts about an internal system sending a large amount of unusual DNS queries to systems on the internet over short periods of time during non-business hours. Which of the following is most likely occurring?

a.
A worm is propagating across the network.
b.
Data is being exfiltrated.
c.
A logic bomb is deleting data.
d.
Ransomware is encrypting files.

A

b.
Data is being exfiltrated.
Unusual DNS queries, especially during non-business hours, often indicate data exfiltration. Attackers may use DNS tunneling to stealthily transfer data out of the network.

10
Q

A company’s end users are reporting that they are unable to reach external websites. After reviewing the performance data for the DNS servers, the analyst discovers that the CPU, disk, and memory usage are minimal, but the network interface is flooded with inbound traffic. Network logs show only a small number of DNS queries sent to this server. Which of the following best describes what the security analyst is seeing?

a.
Concurrent session usage.
b.
Secure DNS cryptographic downgrade.
c.
On-path resource consumption.
d.
Reflected denial of service.

A

d.
Reflected denial of service.
A reflected denial of service (DoS) attack involves sending forged requests to multiple servers, which then send responses to the target server, overwhelming it with traffic.

11
Q

A financial analyst is expecting an email containing sensitive information from a client. When the email arrives, the analyst receives an error and is unable to open the encrypted message. Which of the following is the most likely cause of the issue?

a.
The S/MIME plug-in is not enabled.
b.
The SSL certificate has expired.
c.
Secure IMAP was not implemented.
d.
POP3S is not supported.

A

a.
The S/MIME plug-in is not enabled.
The most likely cause of the issue is that the S/MIME plug-in is not enabled. S/MIME is required to decrypt and view encrypted emails, so if it is not enabled or properly configured, the analyst would be unable to open the encrypted message.

12
Q

A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would best prevent email contents from being released should another breach occur?

a.
Implement S/MIME to encrypt the emails at rest.
b.
Enable full disk encryption on the mail servers.
c.
Use digital certificates when accessing email via the web.
d.
Configure web traffic to only use TLS-enabled channels.

A

a.
Implement S/MIME to encrypt the emails at rest.
Implementing S/MIME to encrypt the emails at rest ensures that the email contents are encrypted and protected even if the attacker gains access to the mail servers, preventing unauthorized access to the email contents.

13
Q

A company recently experienced an attack during which the main website was redirected to the attacker’s web server, allowing the attacker to harvest credentials from unsuspecting customers. Which of the following should the company implement to prevent this type of attack from occurring in the future?

a.
IPSec.
b.
SSL/TLS.
c.
DNSSEC.
d.
S/MIME.

A

c.
DNSSEC.
DNSSEC (Domain Name System Security Extensions) helps prevent attacks where DNS queries are redirected to malicious sites by ensuring that the responses to DNS queries are authenticated and have not been tampered with. This would prevent attackers from redirecting the company’s website to their own malicious server.

14
Q

Which of the following best describes a use case for a DNS sinkhole?

a.
Attackers can see a DNS sinkhole as a highly valuable resource to identify a company’s domain structure.
b.
A DNS sinkhole can be used to draw employees away from known-good websites to malicious ones owned by the attacker.
c.
A DNS sinkhole can be used to capture traffic to known-malicious domains used by attackers.
d.
A DNS sinkhole can be set up to attract potential attackers away from a company’s network resources.

A

c.
A DNS sinkhole can be used to capture traffic to known-malicious domains used by attackers.
A DNS sinkhole captures traffic to known-malicious domains used by attackers. It redirects malicious traffic to a controlled environment, allowing the organization to monitor and analyze the traffic without harm.

15
Q

A security team has been alerted to a flood of incoming emails that have various subject lines and are addressed to multiple email inboxes. Each email contains a URL shortener link that is redirecting to a dead domain. Which of the following is the best step for the security team to take?

a.
Create a blocklist for all subject lines.
b.
Send the dead domain to a DNS sinkhole.
c.
Quarantine all emails received and notify all employees.
d.
Block the URL shortener domain in the email gateway.

A

b.
Send the dead domain to a DNS sinkhole.
Sending the dead domain to a DNS sinkhole will prevent the emails from successfully redirecting to the malicious domain, effectively neutralizing the threat regardless of the various subject lines or email recipients.

16
Q

Which of the following would be most effective to contain a rapidly spreading attack that is affecting a large number of organizations?

a.
Machine learning.
b.
DNS sinkhole.
c.
Blocklist.
d.
Honey pot.

A

b.
DNS sinkhole.
A DNS sinkhole is effective at containing rapidly spreading attacks by redirecting malicious traffic to a controlled environment, preventing the malware from communicating with its command-and-control servers.

17
Q

Users at a company are reporting they are unable to access the URL for a new retail website because it is flagged as gambling and is being blocked. Which of the following changes would allow users to access the site?

a.
Creating a firewall rule to allow HTTPS traffic.
b.
Tuning the DLP rule that detects credit card data.
c.
Configuring the IPS to allow shopping.
d.
Updating the categorization in the content filter.

A

d.
Updating the categorization in the content filter.
Updating the categorization in the content filter will allow users to access the new retail website by reclassifying it from gambling to the correct category, thus removing the block.

18
Q

A cybersecurity administrator needs to allow mobile BYOD devices to access network resources. As the devices are not enrolled to the domain and do not have policies applied to them, which of the following are best practices for authentication and infrastructure security? (Select two).

a. Create a new network for the mobile devices and block the communication to the internal network and servers.
b. Use a captive portal for user authentication.
c. Authenticate users using OAuth for more resiliency.
d. Implement SSO and allow communication to the internal network.
e. Use the existing network and allow communication to the internal network and servers.
f. Use a new and updated RADIUS server to maintain the best solution.

A

a. Create a new network for the mobile devices and block the communication to the internal network and servers.
Creating a new network for mobile devices and blocking communication to the internal network and servers ensures segregation of potentially insecure devices from critical resources.

b. Use a captive portal for user authentication.
Using a captive portal for user authentication provides a way to manage and authenticate users accessing the network without domain enrollment.

19
Q

A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows: it must be able to differentiate between users connected to WiFi; the encryption keys need to change routinely without interrupting the users or forcing reauthentication; it must be able to integrate with RADIUS; and it must not have any open SSIDs. Which of the following options BEST accommodates these requirements?

a.
WPA2-Enterprise.
b.
WPA3-PSK.
c.
802.11n.
d.
WPS.

A

a.
WPA2-Enterprise.
WPA2-Enterprise supports user differentiation through individual credentials, integrates with RADIUS for authentication, and allows for key changes without user interruption through the use of session keys. It also ensures that there are no open SSIDs by requiring authentication for network access.

20
Q

A security team received the following requirements for a new BYOD program that will allow employees to use personal smartphones to access business email: sensitive customer data must be safeguarded; documents from managed sources should not be opened in unmanaged destinations; sharing of managed documents must be disabled; employees should not be able to download emailed images to their devices; personal photos and contact lists must be kept private; and IT must be able to remove data from lost/stolen devices or when an employee no longer works for the company. Which of the following are the best features to enable to meet these requirements? (Select two).

a. Remote wipe.
b. VPN connection.
c. Biometric authentication.
d. Device location tracking.
e. Geofencing.
f. Application approve list.
g. Containerization.

A

a. Remote wipe.
Remote wipe allows IT to remove data from lost or stolen devices, or when an employee no longer works for the company, ensuring sensitive customer data is safeguarded.

g. Containerization.

21
Q

A security analyst needs to harden access to a network. One of the requirements is to authenticate users with smart cards. Which of the following should the analyst enable to best meet this requirement?

a.
CHAP.
b.
PEAP.
c.
MS-CHAPv2.
d.
EAP-TLS.

A

d.
EAP-TLS.
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is a widely used authentication protocol that supports the use of smart cards for secure network access. EAP-TLS uses client and server certificates to perform mutual authentication, providing a strong level of security.

22
Q

A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing?

a.
Cross-site scripting.
b.
Buffer overflow.
c.
Jailbreaking.
d.
Side loading.

A

c.
Jailbreaking.
Prohibiting OS modifications addresses the risk of jailbreaking, which can bypass security controls and expose the device to vulnerabilities.

23
Q

Which of the following is a primary security concern for a company setting up a BYOD program?

a.
End of life.
b.
Buffer overflow.
c.
VM escape.
d.
Jailbreaking.

A

d.
Jailbreaking.
Jailbreaking bypasses security controls on devices, making them more vulnerable to malware and unauthorized access.

24
Q

A company has begun labeling all laptops with asset inventory stickers and associating them with employee IDs. Which of the following security benefits do these actions provide? (Choose two.)

a. If a security incident occurs on the device, the correct employee can be notified.
b. The security team will be able to send user awareness training to the appropriate device.
c. Users can be mapped to their devices when configuring software MFA tokens.
d. User-based firewall policies can be correctly targeted to the appropriate laptops.
e. Company data can be accounted for when the employee leaves the organization.

A

a. If a security incident occurs on the device, the correct employee can be notified.

e. Company data can be accounted for when the employee leaves the organization.
By associating laptops with employee IDs, the organization can better track which devices are assigned to which employees. This makes it easier to ensure that company data is properly accounted for and secured when an employee leaves the organization, as the device can be collected and data wiped or transferred as needed.

25
Q

Which of the following vulnerabilities is associated with installing software outside of a manufacturer’s approved software repository?

a.
Jailbreaking.
b.
Memory injection.
c.
Resource reuse.
d.
Side loading.

A

d.
Side loading.
Side loading involves installing applications from unofficial sources, which can bypass security controls and increase the risk of malware and other vulnerabilities.