Security + Measure Up #3

Question 1

A company’s systems engineer is devising an incident management plan. What should be the primary goal of the incident management plan for a DoS attack on the company’s ecommerce servers?
A. Implement DPI on the firewall
B. Discover the identity of the attacker
C. Identify the vulnerabilities that the attacker exploited
D. Restore normal operations as quickly as possible

Answer 1

D. Restore normal operations as quickly as possible. Ensuring the ecommerce servers are back up and running minimizes disruption to the business and customer experience.

Question 2

A security administrator learns that sensitive information has been exfiltrated using DNS tunneling. What should the administrator do FIRST to investigate the incident?
A. Check the NetFlow traffic metrics for a sudden spike in UDP traffic
B. Check the firewall for evidence of outbound C&C communications
C. Investigate web logs for logons from untrusted IP addresses
D. Investigate DNS server logs for the registration of unauthorized domains

Answer 2

A. Check the NetFlow traffic metrics for a sudden spike in UDP traffic. This can help identify abnormal DNS traffic patterns that could indicate DNS tunneling activity.

Question 3

Which of the following tasks is MOST likely performed by a third-party as part of compliance monitoring for an organization?
A. Continuous monitoring
B. Cyber attestation
C. Due care
D. Data inventory

Answer 3

B. Cyber attestation. This task is often performed by third-party organizations to provide an independent verification of compliance with security standards and regulations.

Question 4

A company wants to introduce a new enterprise mobility strategy for all users. Which deployment model will the enterprise use if it wants to allow an employee to choose a mobile phone from a company-approved list of devices?
A. BYOD
B. VDI
C. COPE
D. CYOD

Answer 4

D. CYOD (Choose Your Own Device). This model allows employees to select a mobile phone from a company-approved list, balancing flexibility and control.

Question 5

In the context of General Data Protection Regulation (GDPR), which statement regarding data controllers and data processors is correct?
A. Controllers are based in the European Union (EU), while processors are not
B. Controllers store and process data, while processors only store data
C. Controllers determine how data will be processed, while processors process data
D. Controllers only collect data, while processors only process data

Answer 5

C. Controllers determine how data will be processed, while processors process data. This means controllers set the purpose and means of processing personal data, while processors handle the data according to the controller’s instructions.

Question 6

Management has requested that an internal compliance audit be completed. Who should approve the audit plan?
A. A third-party auditor
B. A senior IT executive
C. The audit committee
D. A penetration tester

Answer 6

C. The audit committee. They are responsible for overseeing the audit process, ensuring its independence and objectivity.

Question 7

Which of the following is the BEST option for automating a response to an on-path attack?
A. Network-based Intrusion Prevention System (NIPS)
B. Identity and Access Management (IAM)
C. Network Access Control (NAC)
D. Host-Based Intrusion Detection System (HIDS)

Answer 7

A. Network-based Intrusion Prevention System (NIPS). This system can detect and respond to on-path attacks in real-time, making it a solid choice for automation.

Question 8

Following a breach, an organization implements awareness training to help users identify the risks associated with removable media. Which of the following attacks will this training help mitigate?
A. Injection
B. Side loading
C. Baiting
D. Steganography

Answer 8

C. Baiting. Awareness training helps users recognize the risks of removable media and avoid falling for baiting attacks, where attackers leave infected media around to tempt people into using it and introducing malware.

Question 9

A server has failed four times in the past year. Which measurement is used to determine the amount of time the server was operational?
A. MTTF
B. MTBF
C. ARO
D. ALE

Answer 9

B. MTBF (Mean Time Between Failures). This metric measures the average time between failures of a system, indicating the system’s reliability and operational time.

Question 10

What is the PRIMARY purpose of red teaming?
A. To detect malicious insiders
B. To complete an independent audit
C. To validate security controls
D. To determine risk scores

Answer 10

C. To validate security controls. By simulating sophisticated attack scenarios, red teams assess the effectiveness of an organization’s defenses, identifying weaknesses that need to be addressed.

Question 11

What should be used to outline penalties when a cloud provider suffers an extensive outage?
A. Memorandum of agreement (MOA)
B. Memorandum of understanding (MOU)
C. Service-level agreement (SLA)
D. Master service agreement (MSA)

Answer 11

C. Service-level agreement (SLA). SLAs specifically outline performance standards and penalties for non-compliance, including what happens during extensive outages.

Question 12

Which of the following tasks occurs as part of Open Security Content Automation Protocol (SCAP) deployment in an organization?
A. Penetration testing will be performed
B. System configurations will be audited
C. Web traffic will be scanned for vulnerabilities
D. Data loss prevention will be configured

Answer 12

B. System configurations will be audited. SCAP deployment involves auditing and verifying that system configurations comply with security policies and standards.

Question 13

A remote collection server is managed through command-line commands. Until recently, a company has been using Telnet to connect to the server, but now they suspect that one or more passwords have been compromised. The company’s security analyst is going to disable Telnet connectivity on the server. They need to use a more secure method for logging in and executing commands. What should the analyst use?
A. SSL
B. SSH
C. SNMP
D. HTTPS

Answer 13

B. SSH (Secure Shell). Unlike Telnet, SSH provides encrypted communication, ensuring that passwords and commands are securely transmitted, reducing the risk of interception by malicious actors.

Question 14

An office manager receives a notification from a freight operator indicating that they must place a critical delivery in the organization’s data center. What should the office manager do NEXT?
A. Require the driver to use the access control vestibule.
B. Consult the risk register for instructions on next steps.
C. Escalate the request to the manager of the red team.
D. Report anomalous behavior to the security manager.

Answer 14

D. Report anomalous behavior to the security manager might be the answer because it’s emphasizing the importance of alerting security personnel to any unusual or unexpected activities, which is a key step in maintaining security protocols. Escalating such issues ensures they are handled by those equipped to assess and respond to potential threats.

Question 15

An organization establishes a formal incident response (IR) process and trains users on how the process should be used. Later, a user discovers evidence that their workstation is infected with malware. What should the user do NEXT?
A. Power off the workstation
B. Delete suspicious files
C. Report the finding
D. Run a virus scanner

Answer 15

C. Report the finding. Following the established IR process, the user should immediately report the potential malware infection to ensure it is handled by the appropriate personnel.

Question 16

Why would an organization use Security Content Automation Protocol (SCAP)?
A. To determine if system configurations are consistent and secure
B. To determine if data is being exfiltrated accidentally or intentionally
C. To aggregate and correlate system logs from organizational servers
D. To facilitate single sign-on (SSO) for on-premises and cloud resources

Answer 16

A. To determine if system configurations are consistent and secure. SCAP is primarily used for automating vulnerability management, measurement, and policy compliance evaluation.

Question 17

An organization suffers a breach due to successful impersonation. What should the organization do to reduce the effectiveness of this type of activity?
A. Implement social engineering awareness training
B. Create or update an incident response playbook
C. Perform a tabletop exercise with vulnerable users
D. Train users on how to recognize watering hole attacks

Answer 17

A. Implement social engineering awareness training. This helps employees recognize and respond to impersonation attempts, reducing the likelihood of such breaches.

Question 18

In business impact analysis (BIA), what does recovery point objective (RPO) define?
A. The time it takes to initiate a response to an incident
B. The maximum acceptable data loss following an incident
C. The maximum acceptable downtime following an incident
D. The time it takes to recover from an incident

Answer 18

B. The maximum acceptable data loss following an incident. RPO defines the amount of data an organization can afford to lose during a disruption.

Question 19

Which statement describes a primary benefit provided by MFA?
A. Federated authentication
B. Protection of data in motion
C. Mitigation of phishing attacks
D. Required use of biometrics

Answer 19

C. Mitigation of phishing attacks. MFA adds an extra layer of security by requiring additional verification methods, making it much harder for attackers to gain unauthorized access even if they have compromised passwords.

Question 20

Network access control is designed so that remote users are limited to accessing the network during normal business hours only. Policies regarding user access apply to all users. This is an example of which type of access control?
A. DAC
B. Rule-based access control
C. MAC
D. Role-based access control

Answer 20

B. Rule-based access control. This approach uses predefined rules to determine when users can access the network, applying those rules consistently to all users.

Question 21

Which of the following statements correctly describes data sanitization?
A. All unnecessary permissions assigned to the data must be removed
B. Data must be permanently deleted from storage devices
C. Storage devices holding data must be physically destroyed
D. Data located on storage media or devices must be obfuscated

Answer 21

B. Data must be permanently deleted from storage devices. Data sanitization ensures that data cannot be recovered or reconstructed, making it the most stringent method of data destruction.

Question 22

A penetration tester’s tools cause an out-of-scope web server to crash leading to a prolonged outage. Which of the following documents, if followed by the tester, would have prevented this situation?
A. Master service agreement
B. Statement of work
C. Non-disclosure agreement
D. Rules of engagement

Answer 22

D. Rules of engagement. This document outlines the boundaries and scope of the testing activities, ensuring that out-of-scope systems are not affected.

Question 23

A company is implementing BYOD. The company will take advantage of cloud-based apps to synchronize data between the user’s computer and tablet. Which two tasks should the company’s BYOD policy address as part of its offboarding policy? (Choose two).
A. Removing the device from the asset tracking system
B. Deleting accounts for cloud-based apps
C. Removing the device from the inventory tracking system
D. Removing company data from the personal device
E. Uninstalling the cloud-based apps from the personal device

Answer 23

B. Deleting accounts for cloud-based apps and D. Removing company data from the personal device makes sense as critical steps. They both ensure that company data and access are thoroughly managed during the offboarding process. Keeps the organization’s information secure while the ex-employee transitions out.

Question 24

Following a breach, a security administrator is instructed to run a vulnerability scan against the affected servers. There is evidence that the attack was network-based, but the administrator is unsure which vulnerability was exploited. What should the administrator do to pinpoint the vulnerability?
A. Evaluate all vulnerabilities with a CVSS score of 8 or higher
B. Investigate all services that use TCP ports between 1 and 1023
C. investigate the attack vector metric for all server vulnerabilities
D. Evaluate any vulnerabilities with a scope of unchanged

Answer 24

C. Investigate the attack vector metric for all server vulnerabilities. This metric provides insights into how vulnerabilities can be exploited, helping pinpoint the specific vulnerability used in the network-based attack.

Question 25

The company CSO has ordered that all emails sent or received by senior management personnel be preserved. Managers should not be able to delete emails. If changes are made to an email, both the original and modified versions should be preserved. Managers should still have access to their email accounts. Security personnel are tasked with ensuring this. What should the security personnel use?
A. Forensic hashing
B. Principle of least privilege
C. Legal hold
D. Chain of custody

Answer 25

C: Legal hold. Legal hold is a method used to preserve all forms of relevant information when litigation is reasonably anticipated. This ensures that emails cannot be deleted or altered, and both original and modified versions are preserved. The principle of least privilege would not guarantee preservation of emails, forensic hashing and chain of custody aren’t as comprehensive as a legal hold for your needs.

Question 26

In a large organization, which role is responsible for managing daily data backups?
A. Data steward
B. Data owner
C. Data custodian
D. Data subject

Answer 26

C: Data custodian. The data custodian is usually responsible for the technical aspects of managing data, which includes tasks like performing regular backups to ensure data integrity and availability.
Backups might not sound glamorous, but they are the backbone of any robust data management system.

Question 27

What is the MOST likely consequence of non-compliance with GDPR?
A. Fines
B. SLA breach
C. Reputational damage
D. BPA violation

Answer 27

A: Fines. Non-compliance with GDPR can result in significant financial penalties, which can be quite hefty depending on the severity of the violation. However, it’s worth noting that non-compliance can also lead to reputational damage (Option C), making both consequences highly likely. Fines are just the most immediate and tangible consequence.

Question 28

A company is concerned about users sending sensitive information to recipients outside of the network. This is a concern due to potential insider threats and the need to meet stringent data privacy requirements. What should the company implement to help prevent this?
A. SSL/TLS
B. Hashing
C. DNS sinkhole
D. DLP

Answer 28

D: DLP (Data Loss Prevention). DLP solutions are designed to detect and prevent unauthorized sharing of sensitive data, whether intentional or accidental, thus addressing insider threats and helping with data privacy compliance.

Question 29

A small IT department has started to implement separation of duties to enhance security. However, staffing levels prevent a full implementation, so the organization plans to conduct quarterly management audits for all privileged work that deals with sensitive information. This is an example of which of the following methods or technologies?
A. Quantitative risk analysis
B. Segmentation
C. Compensating controls
D. Risk transference

Answer 29

C: Compensating controls. When full implementation of security measures isn’t feasible, compensating controls like quarterly management audits can help mitigate the risks. This ensures that even with limited staff, sensitive information remains protected.

Question 30

A company is contracting with a third-party security company to perform penetration testing. Which two considerations are NOT defined in the rules of engagement? Select two.
A. Physical location of testers
B. Evidence handling procedures
C. Targeted IP ranges and domains
D. Permission to test
E. Testing goals

Answer 30

C. Targeted IP ranges and domains, and E. Testing goals. Those are indeed critical to outline in the rules of engagement to set clear parameters for the test.

Question 31

An organization’s IT department deploys operating system (OS) updates to all employee workstations. Multiple users report that their email application no longer works, leading to lost revenue and client complaints. Management is concerned that this may happen again and has asked IT leadership to devise a mitigation plan. What is the BEST solution the IT leadership team should recommend?
A. Business continuity
B. Risk analysis
C. Change management
D. Playbooks

Answer 31

C: Change management. Implementing a change management process ensures that updates are thoroughly tested and documented before deployment, reducing the risk of issues like the one you described. This process includes planning, testing, and communication, which can help prevent disruptions to critical applications.

Question 32

What is the PRIMARY purpose of attestation?
A. To simulate a cyber-attack against an organization
B. To identify, document, and quantify risks
C. To demonstrate compliance with regulations
D. To identify vulnerabilities or other weaknesses

Answer 32

C: To demonstrate compliance with regulations. Attestation is primarily about verifying and confirming that an organization meets regulatory requirements and standards. This process provides assurance to stakeholders that the organization is adhering to necessary regulations and guidelines.

Question 33

While at work, an unsuspecting user clicks on a link in a phishing email. The user is directed to a logon page crafted to mimic the organization’s intranet site. The organization’s incident response team is attempting to determine where the cloned page is hosted. What should the team do FIRST?
A. Search the firewall logs for outbound connections
B. Search syslog for events related to TCP port 25
C. Search the System log on the affected user’s workstation
D. Search the SMTP logs on the email server

Answer 33

A: Search the firewall logs for outbound connections. The first step should be to identify any unusual outbound connections that could indicate communication with the malicious site. This can help pinpoint where the cloned page is hosted.

Question 34

Which formula is used to calculate annualized loss expectancy (ALE) in cybersecurity risk analysis?
A. ALE = likelihood x impact
B. ALE = damage + reproducibility + exploitability + affected users + discoverability
C. ALE = SLE x ARO
D. ALE = AV x EF

Answer 34

C: ALE = SLE x ARO. The formula to calculate annualized loss expectancy (ALE) is the Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO).

Question 35

An organization enters a contract with a third-party. Which of the following should occur NEXT as part of third-party risk management (TPRM)?
A. Risk assessment
B. Data inventory and retention
C. Continuous monitoring
D. Due diligence

Answer 35

C. Continuous monitoring
Continuous monitoring (Option C) is often a crucial aspect of third-party risk management (TPRM). It ensures that the third-party remains compliant with security and risk standards throughout the duration of the contract, detecting any deviations or issues in real time. While due diligence is essential, continuous monitoring provides an ongoing assessment that keeps everyone on their toes.

Question 36

An employee brings a gaming server from home and plugs it into corporate network. Which governance tool should be used to control this behavior?
A. Service-level agreement (SLA)
B. Memorandum of understanding (MOU)
C. Master service agreement (MSA)
D. Acceptable use policy (AUP)

Answer 36

D: Acceptable Use Policy (AUP). This policy outlines the do’s and don’ts regarding the use of an organization’s IT resources, including the prohibition of unauthorized devices like a personal gaming server.

Question 37

A company is looking to develop an Internet-level, browser-based SSO solution. What should they use to accomplish this?
A. LDAPS
B. RADIUS
C. TACACS+
D. SAML

Answer 37

D: SAML (Security Assertion Markup Language). SAML is a standard for single sign-on (SSO) that allows users to authenticate once and gain access to multiple applications through a web browser. It’s widely used for Internet-level, browser-based SSO solutions.

Question 38

Field sales personnel have product and price lists loaded on their smartphones. This is critical data for the business and must not be accidentally disclosed or compromised while salespeople are traveling or are at customer sites. What two steps should be taken? (Choose two).
A. Install and enable remote wipe
B. Implement full device encryption
C. Disable unused device features
D. Require Passwords on mobile devices
E. Keep product and price information on removable storage

Answer 38

A. Install and enable remote wipe
D. Require Passwords on mobile devices
Option D, requiring passwords on mobile devices, is also crucial. It adds an additional layer of security to prevent unauthorized access. Combining remote wipe with strong password protection ensures that even if devices are lost or stolen, the chances of data breach are minimized.

Question 39

What is a key requirement of General Data Protection Regulation (GDPR)?
A. The right to be forgotten
B. Evidence of internal audits
C. Supply chain analysis
D. Acceptable use policies

Answer 39

Option A: The right to be forgotten. GDPR grants individuals the right to request that their personal data be erased, particularly if it’s no longer necessary for the purposes for which it was collected or if the individual withdraws consent.

Question 40

Following a breach investigation, a company is found negligent and in violation of due care requirements by a cybersecurity insurer. What BEST explains this finding?
A. Missing attestation documentation from third-party auditors
B. Failure to honor customer requests to have their data deleted
C. A lack of reasonable cybersecurity policies and procedures
D. Failure to perform comprehensive vendor risk assessments

Answer 40

C: A lack of reasonable cybersecurity policies and procedures. Due care involves taking necessary precautions to protect data and systems. If a company lacks proper cybersecurity policies and procedures, it can be found negligent for not fulfilling its duty to safeguard information adequately.

Question 41

A security administrator discovers that an employee is exfiltrating proprietary company information. The administrator is concerned that the user may try to cover their tracks. What should the administrator do first?
A. Implement a legal hold on the user’s mailbox
B. Enable data loss prevention on email servers
C. Create a bit-stream image of the employee’s workstation
D. Install a keylogger on the employee’s workstation

Answer 41

A. Implement a legal hold on the user’s mailbox
Implementing a legal hold (Option A) on the user’s mailbox ensures all email data is preserved, preventing any deletions or alterations. This can be crucial in an investigation to maintain the integrity of the evidence.

Question 42

A company has an Ethernet network with four switches, as well as two wireless APs. All devices that connect to either network must be authenticated using EAP. What should the company use?
A. XTACACS
B. SAML
C. WPA
D. 802.1X

Answer 42

D: 802.1X. It provides an authentication mechanism to devices wishing to connect to a LAN or WLAN, ensuring that only authenticated devices can access the network.

Question 43

An organization plans to onboard a new vendor that will supply components used in manufacturing. Which of the following activities should the organization perform to ensure the new vendor meets the organization’s cybersecurity standards?
A. Attestation
B. Due care
C. Due diligence
D. Active reconnaissance

Answer 43

C: Due diligence. This involves thoroughly evaluating the new vendor’s cybersecurity measures and ensuring they meet your organization’s standards before entering into a formal agreement.

Question 44

During which phase of a penetration test is the tester most likely to use OSINT?
A. Maintaining access
B. Gaining access
C. Analysis
D. Reconnaissance

Answer 44

D: Reconnaissance. During the reconnaissance phase, testers gather information about the target using Open Source Intelligence (OSINT) methods. This includes researching publicly available data to understand potential vulnerabilities and plan their approach.