Security + Measure Up #3 Flashcards

1
Q

A company’s systems engineer is devising an incident management plan. What should be the primary goal of the incident management plan for a DoS attack on the company’s ecommerce servers?
A. Implement DPI on the firewall
B. Discover the identity of the attacker
C. Identify the vulnerabilities that the attacker exploited
D. Restore normal operations as quickly as possible

A

D. Restore normal operations as quickly as possible. Ensuring the ecommerce servers are back up and running minimizes disruption to the business and customer experience.

2
Q

A security administrator learns that sensitive information has been exfiltrated using DNS tunneling. What should the administrator do FIRST to investigate the incident?
A. Check the NetFlow traffic metrics for a sudden spike in UDP traffic
B. Check the firewall for evidence of outbound C&C communications
C. Investigate web logs for logons from untrusted IP addresses
D. Investigate DNS server logs for the registration of unauthorized domains

A

A. Check the NetFlow traffic metrics for a sudden spike in UDP traffic. This can help identify abnormal DNS traffic patterns that could indicate DNS tunneling activity.

3
Q

Which of the following tasks is MOST likely performed by a third-party as part of compliance monitoring for an organization?
A. Continuous monitoring
B. Cyber attestation
C. Due care
D. Data inventory

A

B. Cyber attestation. This task is often performed by third-party organizations to provide an independent verification of compliance with security standards and regulations.

4
Q

A company wants to introduce a new enterprise mobility strategy for all users. Which deployment model will the enterprise use if it wants to allow an employee to choose a mobile phone from a company-approved list of devices?
A. BYOD
B. VDI
C. COPE
D. CYOD

A

D. CYOD (Choose Your Own Device). This model allows employees to select a mobile phone from a company-approved list, balancing flexibility and control.

5
Q

In the context of General Data Protection Regulation (GDPR), which statement regarding data controllers and data processors is correct?
A. Controllers are based in the European Union (EU), while processors are not
B. Controllers store and process data, while processors only store data
C. Controllers determine how data will be processed, while processors process data
D. Controllers only collect data, while processors only process data

A

C. Controllers determine how data will be processed, while processors process data. This means controllers set the purpose and means of processing personal data, while processors handle the data according to the controller’s instructions.

6
Q

Management has requested that an internal compliance audit be completed. Who should approve the audit plan?
A. A third-party auditor
B. A senior IT executive
C. The audit committee
D. A penetration tester

A

C. The audit committee. They are responsible for overseeing the audit process, ensuring its independence and objectivity.

7
Q

Which of the following is the BEST option for automating a response to an on-path attack?
A. Network-based Intrusion Prevention System (NIPS)
B. Identity and Access Management (IAM)
C. Network Access Control (NAC)
D. Host-Based Intrusion Detection System (HIDS)

A

A. Network-based Intrusion Prevention System (NIPS). This system can detect and respond to on-path attacks in real-time, making it a solid choice for automation.

8
Q

Following a breach, an organization implements awareness training to help users identify the risks associated with removable media. Which of the following attacks will this training help mitigate?
A. Injection
B. Side loading
C. Baiting
D. Steganography

A

C. Baiting. Awareness training helps users recognize the risks of removable media and avoid falling for baiting attacks, where attackers leave infected media around to tempt people into using it and introducing malware.

9
Q

A server has failed four times in the past year. Which measurement is used to determine the amount of time the server was operational?
A. MTTF
B. MTBF
C. ARO
D. ALE

A

B. MTBF (Mean Time Between Failures). This metric measures the average time between failures of a system, indicating the system’s reliability and operational time.

10
Q

What is the PRIMARY purpose of red teaming?
A. To detect malicious insiders
B. To complete an independent audit
C. To validate security controls
D. To determine risk scores

A

C. To validate security controls. By simulating sophisticated attack scenarios, red teams assess the effectiveness of an organization’s defenses, identifying weaknesses that need to be addressed.

11
Q

What should be used to outline penalties when a cloud provider suffers an extensive outage?
A. Memorandum of agreement (MOA)
B. Memorandum of understanding (MOU)
C. Service-level agreement (SLA)
D. Master service agreement (MSA)

A

C. Service-level agreement (SLA). SLAs specifically outline performance standards and penalties for non-compliance, including what happens during extensive outages.

12
Q

Which of the following tasks occurs as part of Open Security Content Automation Protocol (SCAP) deployment in an organization?
A. Penetration testing will be performed
B. System configurations will be audited
C. Web traffic will be scanned for vulnerabilities
D. Data loss prevention will be configured

A

B. System configurations will be audited. SCAP deployment involves auditing and verifying that system configurations comply with security policies and standards.

13
Q

A remote collection server is managed through command-line commands. Until recently, a company has been using Telnet to connect to the server, but now they suspect that one or more passwords have been compromised. The company’s security analyst is going to disable Telnet connectivity on the server. They need to use a more secure method for logging in and executing commands. What should the analyst use?
A. SSL
B. SSH
C. SNMP
D. HTTPS

A

B. SSH (Secure Shell). Unlike Telnet, SSH provides encrypted communication, ensuring that passwords and commands are securely transmitted, reducing the risk of interception by malicious actors.

14
Q

An office manager receives a notification from a freight operator indicating that they must place a critical delivery in the organization’s data center. What should the office manager do NEXT?
A. Require the driver to use the access control vestibule.
B. Consult the risk register for instructions on next steps.
C. Escalate the request to the manager of the red team.
D. Report anomalous behavior to the security manager.

A

D. Report anomalous behavior to the security manager is the most likely answer, because it emphasizes the importance of alerting security personnel to any unusual or unexpected activity, which is a key step in maintaining security protocols. Escalating such issues ensures they are handled by those equipped to assess and respond to potential threats.

15
Q

An organization establishes a formal incident response (IR) process and trains users on how the process should be used. Later, a user discovers evidence that their workstation is infected with malware. What should the user do NEXT?
A. Power off the workstation
B. Delete suspicious files
C. Report the finding
D. Run a virus scanner

A

C. Report the finding. Following the established IR process, the user should immediately report the potential malware infection to ensure it is handled by the appropriate personnel.

16
Q

Why would an organization use Security Content Automation Protocol (SCAP)?
A. To determine if system configurations are consistent and secure
B. To determine if data is being exfiltrated accidentally or intentionally
C. To aggregate and correlate system logs from organizational servers
D. To facilitate single sign-on (SSO) for on-premises and cloud resources

A

A. To determine if system configurations are consistent and secure. SCAP is primarily used for automating vulnerability management, measurement, and policy compliance evaluation.

17
Q

An organization suffers a breach due to successful impersonation. What should the organization do to reduce the effectiveness of this type of activity?
A. Implement social engineering awareness training
B. Create or update an incident response playbook
C. Perform a tabletop exercise with vulnerable users
D. Train users on how to recognize watering hole attacks

A

A. Implement social engineering awareness training. This helps employees recognize and respond to impersonation attempts, reducing the likelihood of such breaches.

18
Q

In business impact analysis (BIA), what does recovery point objective (RPO) define?
A. The time it takes to initiate a response to an incident
B. The maximum acceptable data loss following an incident
C. The maximum acceptable downtime following an incident
D. The time it takes to recover from an incident

A

B. The maximum acceptable data loss following an incident. RPO defines the amount of data an organization can afford to lose during a disruption.

19
Q

Which statement describes a primary benefit provided by MFA?
A. Federated authentication
B. Protection of data in motion
C. Mitigation of phishing attacks
D. Required use of biometrics

A

C. Mitigation of phishing attacks. MFA adds an extra layer of security by requiring additional verification methods, making it much harder for attackers to gain unauthorized access even if they have compromised passwords.

20
Q

Network access control is designed so that remote users are limited to accessing the network during normal business hours only. Policies regarding user access apply to all users. This is an example of which type of access control?
A. DAC
B. Rule-based access control
C. MAC
D. Role-based access control

A

B. Rule-based access control. This approach uses predefined rules to determine when users can access the network, applying those rules consistently to all users.

21
Q

Which of the following statements correctly describes data sanitization?
A. All unnecessary permissions assigned to the data must be removed
B. Data must be permanently deleted from storage devices
C. Storage devices holding data must be physically destroyed
D. Data located on storage media or devices must be obfuscated

A

B. Data must be permanently deleted from storage devices. Data sanitization ensures that data cannot be recovered or reconstructed, making it the most stringent method of data destruction.

22
Q

A penetration tester’s tools cause an out-of-scope web server to crash leading to a prolonged outage. Which of the following documents, if followed by the tester, would have prevented this situation?
A. Master service agreement
B. Statement of work
C. Non-disclosure agreement
D. Rules of engagement

A

D. Rules of engagement. This document outlines the boundaries and scope of the testing activities, ensuring that out-of-scope systems are not affected.

23
Q

A company is implementing BYOD. The company will take advantage of cloud-based apps to synchronize data between the user’s computer and tablet. Which two tasks should the company’s BYOD policy address as part of its offboarding policy? (Choose two).
A. Removing the device from the asset tracking system
B. Deleting accounts for cloud-based apps
C. Removing the device from the inventory tracking system
D. Removing company data from the personal device
E. Uninstalling the cloud-based apps from the personal device

A

B. Deleting accounts for cloud-based apps, and D. Removing company data from the personal device. Both are critical steps: they ensure that company data and access are thoroughly managed during the offboarding process, keeping the organization’s information secure as the former employee transitions out.

24
Q

Following a breach, a security administrator is instructed to run a vulnerability scan against the affected servers. There is evidence that the attack was network-based, but the administrator is unsure which vulnerability was exploited. What should the administrator do to pinpoint the vulnerability?
A. Evaluate all vulnerabilities with a CVSS score of 8 or higher
B. Investigate all services that use TCP ports between 1 and 1023
C. Investigate the attack vector metric for all server vulnerabilities
D. Evaluate any vulnerabilities with a scope of unchanged

A

C. Investigate the attack vector metric for all server vulnerabilities. This metric provides insights into how vulnerabilities can be exploited, helping pinpoint the specific vulnerability used in the network-based attack.

25
Q

The company CSO has ordered that all emails sent or received by senior management personnel be preserved. Managers should not be able to delete emails. If changes are made to an email, both the original and modified versions should be preserved. Managers should still have access to their email accounts. Security personnel are tasked with ensuring this. What should the security personnel use?
A. Forensic hashing
B. Principle of least privilege
C. Legal hold
D. Chain of custody

A

C. Legal hold. Legal hold is a method used to preserve all forms of relevant information when litigation is reasonably anticipated. This ensures that emails cannot be deleted or altered, and that both original and modified versions are preserved. The principle of least privilege would not guarantee preservation of emails, and forensic hashing and chain of custody are not as comprehensive as a legal hold for this requirement.

26
Q

In a large organization, which role is responsible for managing daily data backups?
A. Data steward
B. Data owner
C. Data custodian
D. Data subject

A

C. Data custodian. The data custodian is usually responsible for the technical aspects of managing data, which includes tasks like performing regular backups to ensure data integrity and availability.
Backups might not sound glamorous, but they are the backbone of any robust data management system.

27
Q

What is the MOST likely consequence of non-compliance with GDPR?
A. Fines
B. SLA breach
C. Reputational damage
D. BPA violation

A

A. Fines. Non-compliance with GDPR can result in significant financial penalties, which can be quite hefty depending on the severity of the violation. However, it’s worth noting that non-compliance can also lead to reputational damage (Option C), making both consequences highly likely. Fines are just the most immediate and tangible consequence.

28
Q

A company is concerned about users sending sensitive information to recipients outside of the network. This is a concern due to potential insider threats and the need to meet stringent data privacy requirements. What should the company implement to help prevent this?
A. SSL/TLS
B. Hashing
C. DNS sinkhole
D. DLP

A

D. DLP (Data Loss Prevention). DLP solutions are designed to detect and prevent unauthorized sharing of sensitive data, whether intentional or accidental, thus addressing insider threats and helping with data privacy compliance.

29
Q

A small IT department has started to implement separation of duties to enhance security. However, staffing levels prevent a full implementation, so the organization plans to conduct quarterly management audits for all privileged work that deals with sensitive information. This is an example of which of the following methods or technologies?
A. Quantitative risk analysis
B. Segmentation
C. Compensating controls
D. Risk transference

A

C. Compensating controls. When full implementation of security measures isn’t feasible, compensating controls like quarterly management audits can help mitigate the risks. This ensures that even with limited staff, sensitive information remains protected.

30
Q

A company is contracting with a third-party security company to perform penetration testing. Which two considerations are NOT defined in the rules of engagement? Select two.
A. Physical location of testers
B. Evidence handling procedures
C. Targeted IP ranges and domains
D. Permission to test
E. Testing goals

A

C. Targeted IP ranges and domains, and E. Testing goals. Those are indeed critical to outline in the rules of engagement to set clear parameters for the test.

31
Q

An organization’s IT department deploys operating system (OS) updates to all employee workstations. Multiple users report that their email application no longer works, leading to lost revenue and client complaints. Management is concerned that this may happen again and has asked IT leadership to devise a mitigation plan. What is the BEST solution the IT leadership team should recommend?
A. Business continuity
B. Risk analysis
C. Change management
D. Playbooks

A

C. Change management. Implementing a change management process ensures that updates are thoroughly tested and documented before deployment, reducing the risk of issues like the one described. This process includes planning, testing, and communication, which can help prevent disruptions to critical applications.

32
Q

What is the PRIMARY purpose of attestation?
A. To simulate a cyber-attack against an organization
B. To identify, document, and quantify risks
C. To demonstrate compliance with regulations
D. To identify vulnerabilities or other weaknesses

A

C. To demonstrate compliance with regulations. Attestation is primarily about verifying and confirming that an organization meets regulatory requirements and standards. This process provides assurance to stakeholders that the organization is adhering to necessary regulations and guidelines.

33
Q

While at work, an unsuspecting user clicks on a link in a phishing email. The user is directed to a logon page crafted to mimic the organization’s intranet site. The organization’s incident response team is attempting to determine where the cloned page is hosted. What should the team do FIRST?
A. Search the firewall logs for outbound connections
B. Search syslog for events related to TCP port 25
C. Search the System log on the affected user’s workstation
D. Search the SMTP logs on the email server

A

A. Search the firewall logs for outbound connections. The first step should be to identify any unusual outbound connections that could indicate communication with the malicious site. This can help pinpoint where the cloned page is hosted.

34
Q

Which formula is used to calculate annualized loss expectancy (ALE) in cybersecurity risk analysis?
A. ALE = likelihood x impact
B. ALE = damage + reproducibility + exploitability + affected users + discoverability
C. ALE = SLE x ARO
D. ALE = AV x EF

A

C. ALE = SLE x ARO. The formula to calculate annualized loss expectancy (ALE) is the Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO).

35
Q

An organization enters a contract with a third-party. Which of the following should occur NEXT as part of third-party risk management (TPRM)?
A. Risk assessment
B. Data inventory and retention
C. Continuous monitoring
D. Due diligence

A

C. Continuous monitoring
Continuous monitoring (Option C) is often a crucial aspect of third-party risk management (TPRM). It ensures that the third-party remains compliant with security and risk standards throughout the duration of the contract, detecting any deviations or issues in real time. While due diligence is essential, continuous monitoring provides an ongoing assessment that keeps everyone on their toes.

36
Q

An employee brings a gaming server from home and plugs it into the corporate network. Which governance tool should be used to control this behavior?
A. Service-level agreement (SLA)
B. Memorandum of understanding (MOU)
C. Master service agreement (MSA)
D. Acceptable use policy (AUP)

A

D. Acceptable use policy (AUP). This policy outlines the do’s and don’ts regarding the use of an organization’s IT resources, including the prohibition of unauthorized devices like a personal gaming server.

37
Q

A company is looking to develop an Internet-level, browser-based SSO solution. What should they use to accomplish this?
A. LDAPS
B. RADIUS
C. TACACS+
D. SAML

A

D. SAML (Security Assertion Markup Language). SAML is a standard for single sign-on (SSO) that allows users to authenticate once and gain access to multiple applications through a web browser. It’s widely used for Internet-level, browser-based SSO solutions.

38
Q

Field sales personnel have product and price lists loaded on their smartphones. This is critical data for the business and must not be accidentally disclosed or compromised while salespeople are traveling or are at customer sites. What two steps should be taken? (Choose two).
A. Install and enable remote wipe
B. Implement full device encryption
C. Disable unused device features
D. Require passwords on mobile devices
E. Keep product and price information on removable storage

A

A. Install and enable remote wipe
D. Require passwords on mobile devices
Option D, requiring passwords on mobile devices, is also crucial. It adds an additional layer of security to prevent unauthorized access. Combining remote wipe with strong password protection ensures that even if devices are lost or stolen, the chances of a data breach are minimized.

39
Q

What is a key requirement of General Data Protection Regulation (GDPR)?
A. The right to be forgotten
B. Evidence of internal audits
C. Supply chain analysis
D. Acceptable use policies

A

A. The right to be forgotten. GDPR grants individuals the right to request that their personal data be erased, particularly if it’s no longer necessary for the purposes for which it was collected or if the individual withdraws consent.

40
Q

Following a breach investigation, a company is found negligent and in violation of due care requirements by a cybersecurity insurer. What BEST explains this finding?
A. Missing attestation documentation from third-party auditors
B. Failure to honor customer requests to have their data deleted
C. A lack of reasonable cybersecurity policies and procedures
D. Failure to perform comprehensive vendor risk assessments

A

C. A lack of reasonable cybersecurity policies and procedures. Due care involves taking necessary precautions to protect data and systems. If a company lacks proper cybersecurity policies and procedures, it can be found negligent for not fulfilling its duty to safeguard information adequately.

41
Q

A security administrator discovers that an employee is exfiltrating proprietary company information. The administrator is concerned that the user may try to cover their tracks. What should the administrator do first?
A. Implement a legal hold on the user’s mailbox
B. Enable data loss prevention on email servers
C. Create a bit-stream image of the employee’s workstation
D. Install a keylogger on the employee’s workstation

A

A. Implement a legal hold on the user’s mailbox
Implementing a legal hold (Option A) on the user’s mailbox ensures all email data is preserved, preventing any deletions or alterations. This can be crucial in an investigation to maintain the integrity of the evidence.

42
Q

A company has an Ethernet network with four switches, as well as two wireless APs. All devices that connect to either network must be authenticated using EAP. What should the company use?
A. XTACACS
B. SAML
C. WPA
D. 802.1X

A

D. 802.1X. It provides an authentication mechanism for devices wishing to connect to a LAN or WLAN, ensuring that only authenticated devices can access the network.

43
Q

An organization plans to onboard a new vendor that will supply components used in manufacturing. Which of the following activities should the organization perform to ensure the new vendor meets the organization’s cybersecurity standards?
A. Attestation
B. Due care
C. Due diligence
D. Active reconnaissance

A

C. Due diligence. This involves thoroughly evaluating the new vendor’s cybersecurity measures and ensuring they meet the organization’s standards before entering into a formal agreement.

44
Q

During which phase of a penetration test is the tester most likely to use OSINT?
A. Maintaining access
B. Gaining access
C. Analysis
D. Reconnaissance

A

D. Reconnaissance. During the reconnaissance phase, testers gather information about the target using Open Source Intelligence (OSINT) methods. This includes researching publicly available data to understand potential vulnerabilities and plan their approach.

45
Q
A