Security + Measure Up #4 Flashcards

Pass the First Time

1
Q

A security administrator discovers that an employee is exfiltrating proprietary company information. The administrator is concerned that the user may try to cover their tracks. What should the administrator do first?
A. Install a keylogger on the employee’s workstation
B. Implement a legal hold on the user’s mailbox
C. Enable data loss prevention on email servers
D. Create a bit-stream image of the employee’s workstation

A

B: Implement a legal hold on the user’s mailbox. A legal hold preserves the mailbox contents, including items the user later deletes or edits, so the evidence stays intact while the investigation runs. It can be applied immediately and without the user’s involvement, which is the point when the concern is that the user will cover their tracks. A keylogger (A) and DLP (C) are monitoring and prevention controls rather than preservation steps, and imaging the workstation (D) is also preservation but needs access to the machine and is harder to do unnoticed.

2
Q

A security analyst has completed forensics on a compromised server. The analyst suspects the server was breached using a buffer overflow attack. What is the BEST indicator of this attack?
A. User logon errors
B. System crashes
C. Directory traversal events
D. Corrupted system files

A

B: System crashes. A buffer overflow writes past the end of a buffer and corrupts adjacent memory (return addresses, pointers, neighbouring variables); unless the attacker’s payload is perfectly reliable, the result is unpredictable behaviour and crashes of the affected process or the whole system. Logon errors (A) and directory traversal events (C) point to other attack types, and corrupted system files (D) are a possible after-effect of the compromise rather than an indicator of the overflow itself.

3
Q

An organization plans to contract with a provider for a disaster recovery site that will host server hardware. When the primary data center fails, data will be restored, and the secondary site will be activated. Costs must be minimized. Which type of disaster recovery site should the organization deploy?
A. Hot site
B. Cold site
C. Warm site
D. Mobile site

A

C: Warm site
The provider hosts the server hardware and connectivity, but data is restored only when the site is activated, which is the definition of a warm site. It is quicker to bring up than a cold site (an empty facility with no equipment) and far cheaper than a hot site (a running replica with current data), so it fits the requirement to minimize cost.

4
Q

A server is the victim of a data breach. Customer password information is exposed to the attacker. Which step in the incident response process is necessary to mitigate the risk of a reoccurrence of the attack?
A. Notify the customers that their passwords should be changed
B. Conduct a post-mortem review to identify lessons learned
C. Escalate the incident to the CEO
D. Quarantine the server

A

B: Conduct a post-mortem review to identify lessons learned. The lessons-learned step closes the incident response cycle: it establishes how the attacker got in and why the passwords were exposed, and turns that into corrective actions so the same attack does not succeed again. Notifying customers (A) and quarantining the server (D) are notification and containment steps for this incident; on their own they do not prevent a recurrence.

5
Q

An organization discovers that some of its proprietary data is for sale on a dark web hacker site. As part of the incident response, a security administrator analyzes application and system logs on all Internet-facing servers. On one web server, the administrator observes the following text listed repeatedly in POST requests: “ or “”=”
Which type of application attack is MOST likely indicated by this finding?
A. Directory
B. XSS
C. SQL injection
D. CSRF

A

C: SQL injection. The string is a classic tautology: the leading quote closes the string literal the application opened, `or ""=""` appends a condition that is always true, and the application’s own closing quote completes the statement, so a WHERE clause that should match one row matches every row. Seen repeatedly in POST requests, it indicates an attacker probing form fields to bypass authentication or to pull data out of the database.
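
What the logged payload does to a query, as an added example (not part of the original flashcards): a constructed SQLite database with a login check built by string concatenation, the same check as a parameterized query, and a small pattern match of the kind an administrator could run over POST bodies. The demo uses single-quote string delimiters (`' or ''='`) because SQLite treats double quotes as identifier quotes; the page’s `" or ""="` is the same tautology aimed at code that delimits strings with double quotes.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo database with one account (not from the original page).
    The password is stored in plaintext only to keep the demo short."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Attacker-controlled text is spliced into the SQL, so a quote in the
    # password ends the literal and the rest of the input is parsed as SQL.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return con.execute(query).fetchone() is not None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized: the driver passes values separately from the SQL text,
    # so the same payload is compared as a password string and simply fails.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone() is not None


# A quote, OR, an empty literal, '=' and a dangling opening quote that the
# application's own closing quote finishes: matches  ' or ''='  and  " or ""="
TAUTOLOGY_RE = re.compile(r"""(['"])\s*or\s*\1\1\s*=\s*\1""", re.IGNORECASE)


def looks_like_sqli(post_body: str) -> bool:
    """Crude triage for request logs; parameterized queries, not this filter, are the fix."""
    return TAUTOLOGY_RE.search(post_body) is not None


if __name__ == "__main__":
    con = make_db()
    payload = "' or ''='"
    print("vulnerable login bypassed:", login_vulnerable(con, "admin", payload))
    print("parameterized login bypassed:", login_safe(con, "admin", payload))
    print("payload flagged:", looks_like_sqli('user=x&password=" or ""='))
```

With the concatenated query, `username = 'admin' AND password = '' or ''=''` is true for every row, so a non-existent account logs in; the parameterized version compares the payload as a literal password and rejects it.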

6
Q

What is the MOST likely consequence of non-compliance with GDPR?
A. SLA breach
B. Reputational damage
C. BPA violation
D. Fines

A

D: Fines. Non-compliance with GDPR can result in significant financial penalties, scaled to the severity of the violation. Non-compliance can also lead to reputational damage (B), so both consequences are likely, but fines are the most immediate and tangible consequence and the one the regulation itself defines.

7
Q

Field sales personnel have product and price lists loaded on their smartphones. This is critical data for the business and must not be accidentally disclosed or compromised while salespeople are traveling or are at customer sites. What two steps should be taken? (Choose Two).
A. Disable unused device features
B. Keep product and price information on removable storage
C. Require Passwords on mobile devices
D. Install and enable remote wipe
E. Implement full device encryption

A

C: Require passwords on mobile devices, and D: Install and enable remote wipe. Ensuring that devices are protected by passwords helps prevent unauthorized access, while remote wipe allows data to be erased if a device is lost or stolen. Both are essential for protecting sensitive data in the field.

8
Q

An organization wants to use source code inspections to identify vulnerabilities in custom-built applications. Which method should the organization choose?
A. Static Application Security Testing (SAST)
B. Extended detection and response (XDR)
C. Vulnerability scanning
D. Dynamic Application Security Testing (DAST)

A

A: Static Application Security Testing (SAST). SAST analyzes the source code (or bytecode) itself without running the program, so it is the method that fits a source code inspection and catches flaws early in development. DAST (D) and vulnerability scanning (C) test the running application and deployed systems from the outside, and XDR (B) is a detection and response platform, not a code review technique.

9
Q

Following a breach investigation, a company is found negligent and in violation of due care requirements by a cybersecurity insurer. What BEST explains this finding?
A. A lack of reasonable cybersecurity policies and procedures
B. Failure to perform comprehensive vendor risk assessments
C. Missing attestation documentation from third-party auditors
D. Failure to honor customer requests to have their data deleted

A

A: A lack of reasonable cybersecurity policies and procedures. Due care requires that a company take necessary and reasonable precautions to protect its data and systems. If a company fails to establish and follow such policies, it can be deemed negligent in the eyes of a cybersecurity insurer.

10
Q

A company stores sensitive identification numbers for its clients. Rather than store the numbers in an internet-accessible database, a security engineer has suggested that the sensitive IDs should be moved to an encrypted database and fake numbers used in their place. The original data will be retrievable, as needed. Which of the following methods is the engineer recommending?
A. Segmentation
B. Tokenization
C. Masking
D. Hashing

A

B: Tokenization. By replacing sensitive data with a token that stands in for the original data, tokenization ensures that the real data is stored securely in an encrypted database, while only the tokens are used in its place.

11
Q

Following a breach, an organization implements awareness training to help users identify the risks associated with removable media. Which of the following attacks will this training help mitigate?
A. Injection
B. Steganography
C. Side loading
D. Baiting

A

D: Baiting. Awareness training about the risks associated with removable media can help users recognize and avoid baiting attacks, where malicious actors leave infected USB drives or other media in public places, hoping someone will pick them up and plug them into their system.

12
Q

An organization plans to deploy a centrally managed wireless network that will require a PKI. The organization needs to ensure that user onboarding is as seamless and error free as possible. What should the organization do first?
A. Obtain a certificate from a public CA
B. Generate a CSR
C. Obtain a self-signed certificate
D. Install and configure a CA

A

A: Obtain a certificate from a public CA. Wireless clients validate the authentication (RADIUS) server’s certificate during 802.1X/EAP onboarding, and a certificate that chains to a public CA is already trusted by the devices’ built-in trust stores, so users see no warnings and do not have to install a root certificate by hand. Generating a CSR (B) is a step inside that process: the organization generates the key pair and the CSR and submits the CSR to the CA; a CSR is not something obtained from a CA. A self-signed certificate (C) or a newly built private CA (D) would require distributing a trusted root to every device before onboarding, which is exactly the friction the organization wants to avoid.

13
Q

An nmap scan of open ports includes TCP ports 21, 22, 23, 80, 443, and 990. Which three ports indicate that unsecure protocols are in use on the computer? Select three.
A. 21
B. 23
C. 22
D. 80
E. 443
F. 990

A

A: 21, B: 23, and D: 80.
Port 21 is FTP, which sends credentials and file contents in cleartext.
Port 23 is Telnet, which sends the whole session, logon included, in cleartext.
Port 80 is HTTP, which is unencrypted.
The remaining ports are encrypted counterparts: 22 is SSH (which also carries SFTP and SCP), 443 is HTTPS, and 990 is FTPS (FTP over implicit TLS).

14
Q

A security administrator discovers an attack that uses PowerShell to make unauthorized registry changes. What should the administrator do to prevent this attack on sensitive systems?
A. Configure each system’s firewall
B. Disable access to the CLI
C. Whitelist allowed applications
D. Install a HIDS on sensitive systems

A

C: Whitelist allowed applications. Application allowlisting permits only approved executables and scripts to run, so PowerShell (or any other interpreter the attacker turns to) is blocked on the sensitive systems unless it is explicitly approved, and approved use can be limited to signed scripts. A host firewall (A) does not govern local script execution, disabling the CLI (B) is not a control most platforms offer and would break administration, and a HIDS (D) detects the registry changes after the fact rather than preventing them.

15
Q

An employee brings a gaming server from home and plugs it into the corporate network. Which governance tool should be used to control this behavior?
A. Memorandum of understanding (MOU)
B. Service-level agreement (SLA)
C. Master service agreement (MSA)
D. Acceptable use policy (AUP)

A

D: Acceptable Use Policy (AUP). This policy outlines the do’s and don’ts regarding the use of an organization’s IT resources, including the prohibition of unauthorized devices like a personal gaming server.

16
Q

Following a breach, a security administrator is instructed to run a vulnerability scan against the affected servers. There is evidence that the attack was network-based, but the administrator is unsure which vulnerability was exploited. What should the administrator do to pinpoint the vulnerability?
A. Evaluate any vulnerabilities with a scope of unchanged.
B. Investigate the attack vector metric for all server vulnerabilities
C. Evaluate all vulnerabilities with a CVSS score of 8 or higher
D. Investigate all services that use TCP ports between 1 and 1023

A

B: Investigate the attack vector metric for all server vulnerabilities. The CVSS Attack Vector (AV) metric records the context from which each vulnerability can be exploited: Network, Adjacent, Local or Physical. Since the evidence points to a network-based attack, filtering the scan results to vulnerabilities with AV:N (and, depending on where the attacker sat, AV:A) narrows the candidates to those that could actually have been exploited this way. The severity score (C), the Scope metric (A) and the use of privileged ports (D) say nothing about how a vulnerability is reached.

17
Q

An organization enters a contract with a third-party. Which of the following should occur NEXT as part of third-party risk management (TPRM)?
A. Continuous monitoring
B. Due diligence
C. Data inventory and retention
D. Risk assessment

A

A: Continuous monitoring. Once the contract is signed, the remaining TPRM activity is ongoing: monitoring the provider’s security posture and compliance for the life of the contract so that lapses are detected while they can still be acted on. Due diligence (B) and the risk assessment (D) belong before the contract is signed; they inform the decision to sign it.

18
Q

An administrator sets up a VM for testing different versions of an application. The administrator wants to be able to return to the baseline state as quickly as possible between each test. What should the administrator do?
A. Configure a sandbox environment
B. Create a snapshot of the VM
C. Run a full backup of the host
D. Implement automatic change management

A

B: Create a snapshot of the VM. Snapshots allow the administrator to quickly revert the VM to its previous state, making it easy to return to a baseline after each test without having to set up everything again.

19
Q

In the context of General Data Protection Regulation (GDPR), which statement regarding data controllers and data processors is correct?
A. Controllers store and process data, while processors only store data.
B. Controllers are based in the European Union (EU), while processors are not.
C. Controllers only collect data, while processors only process data.
D. Controllers determine how data will be processed, while processors process data.

A

D: Controllers determine how data will be processed, while processors process data. Under GDPR, data controllers make decisions regarding the collection and use of personal data, whereas data processors handle the actual processing of data on behalf of the controller.

20
Q

Refer to the messages below:
LOG 1: Aug 17:36:34.303: Sig: 3051 Subsig:1 Sev: 4 TCP Connection Window Size DoS [1.1.100.11:19223 -> 172.16.1.10:80]
LOG 2: Aug 12 11:13:44 Inbound TCP connection denied from 1.1.1.1/21 to 10.10.10.1/51172 flags SYN ACK on interface outside
A consultant is asked to analyze logs from a couple of network devices. Which MOST likely generated these messages?
A. LOG 1- Firewall, LOG 2 - IPS
B. LOG 1 - Firewall, LOG 2 - DLP
C. LOG 1 IPS, LOG 2 - Firewall
D. LOG 1 - AP, LOG 2 - DLP
E. LOG 1 - DLP, LOG 2 - AP
F. LOG 1 - DLP, LOG 2 - Firewall

A

C: LOG 1 - IPS, LOG 2 - Firewall

LOG 1 names a signature (Sig: 3051, Subsig: 1) with a severity and a rule description (TCP Connection Window Size DoS) for a source/destination pair. Numbered signatures and severity ratings are how an IPS reports traffic it has matched against its rule set.

LOG 2 records a verdict on a single connection attempt: inbound TCP, denied, source and destination with ports, the TCP flags seen (SYN ACK) and the interface (outside). That is a stateful firewall’s connection log; a SYN ACK arriving from the outside with no matching connection state is exactly the kind of packet a firewall drops.
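
Pulling the fields out of the two messages, as an added example (not part of the original card): regular expressions for the two formats shown, applied to copies of the page’s log lines with the spacing normalized, and a classifier that labels each line by the fields it carries. Signature number, sub-signature and severity are per-alert fields of an IPS; direction, action, flags and interface are per-connection fields of a stateful firewall.

```python
import re

# Copies of the two messages from the card with spacing normalized (constructed input).
LOG_1 = ("Aug 17:36:34.303: Sig: 3051 Subsig:1 Sev: 4 TCP Connection Window Size DoS "
         "[1.1.100.11:19223 -> 172.16.1.10:80]")
LOG_2 = ("Aug 12 11:13:44 Inbound TCP connection denied from 1.1.1.1/21 "
         "to 10.10.10.1/51172 flags SYN ACK on interface outside")

# IPS alert: signature id, sub-signature, severity, rule name, src:port -> dst:port.
IPS_RE = re.compile(
    r"Sig:\s*(?P<sig>\d+)\s+Subsig:\s*(?P<subsig>\d+)\s+Sev:\s*(?P<sev>\d+)\s+"
    r"(?P<name>.+?)\s+\[(?P<src>\d+(?:\.\d+){3}):\s*(?P<sport>\d+)\s*-\s*>\s*"
    r"(?P<dst>\d+(?:\.\d+){3}):\s*(?P<dport>\d+)\]"
)

# Stateful firewall verdict: direction, protocol, action, endpoints, TCP flags, interface.
FW_RE = re.compile(
    r"(?P<direction>Inbound|Outbound)\s+(?P<proto>TCP|UDP)\s+connection\s+"
    r"(?P<action>denied|permitted)\s+from\s+(?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+)\s+"
    r"to\s+(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+)"
    r"(?:\s+flags\s+(?P<flags>[A-Z]+(?:\s[A-Z]+)*))?\s+on\s+interface\s+(?P<iface>\S+)"
)


def parse_line(line: str) -> dict:
    """Return the extracted fields plus a 'device' label; unknown lines are kept raw."""
    m = IPS_RE.search(line)
    if m:
        return {"device": "IPS", **m.groupdict()}
    m = FW_RE.search(line)
    if m:
        return {"device": "Firewall", **m.groupdict()}
    return {"device": "unknown", "raw": line}


def unsolicited_replies(parsed_lines) -> list:
    """Denied inbound SYN ACKs: replies to connections the firewall never saw leave,
    typical of backscatter from spoofed traffic or of asymmetric routing."""
    return [p for p in parsed_lines
            if p["device"] == "Firewall" and p.get("action") == "denied"
            and p.get("direction") == "Inbound" and p.get("flags") == "SYN ACK"]


if __name__ == "__main__":
    for line in (LOG_1, LOG_2, "kernel: eth0 link up"):
        print(parse_line(line))
```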

21
Q

A company hosts a customer feedback forum on its website. Visitors are redirected to a different website after opening a recently posted comment. What kind of attack does this MOST likely indicate?
A. Code injection
B. Cross-site scripting (XSS)
C. Directory traversal
D. SQL injection

A

B: Cross-site scripting (XSS). The attacker stored a script in the comment; because the forum renders comments into the page without output encoding, every visitor’s browser executes it, here by rewriting the page location. Stored XSS is the classic case of user-supplied content becoming active markup.
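
The comment that redirects visitors, and the fix, as an added example (not from the original card): a constructed payload rendered into a page fragment both without and with HTML output encoding, plus a crude check that could be run over stored comments during triage.

```python
import html
import re

# Constructed forum comment carrying a redirect script (not from the original page).
POSTED_COMMENT = 'Great product! <script>window.location="https://attacker.example/"</script>'


def render_unsafe(comment: str) -> str:
    # Raw interpolation: the browser parses the comment as markup, so the script
    # runs for every visitor who opens the page.
    return f'<li class="comment">{comment}</li>'


def render_safe(comment: str) -> str:
    # HTML output encoding turns < > & " ' into entities, so the text is displayed
    # literally and never becomes markup.
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


# Script tags, inline event handlers (onerror=, onload=, ...) and javascript: URLs.
ACTIVE_MARKUP_RE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def contains_active_markup(fragment: str) -> bool:
    """Triage helper for stored comments; output encoding, not this filter, is the fix."""
    return ACTIVE_MARKUP_RE.search(fragment) is not None


if __name__ == "__main__":
    print(render_unsafe(POSTED_COMMENT))
    print(render_safe(POSTED_COMMENT))
```

Encoding at output time is the control that stops the redirect; a Content-Security-Policy that disallows inline scripts is a useful second layer, since it makes a missed encoding point non-exploitable.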

22
Q

A security administrator learns that sensitive information has been exfiltrated using DNS tunneling. What should the administrator do FIRST to investigate the incident?
A. Investigate web logs for logons from untrusted IP addresses
B. Check the firewall for evidence of outbound C&C communications
C. Check the NetFlow traffic metrics for a sudden spike in UDP traffic
D. Investigate DNS server logs for the registration of unauthorized domains

A

C: Check the NetFlow traffic metrics for a sudden spike in UDP traffic

DNS tunneling encodes the exfiltrated data into DNS queries and responses, which normally travel over UDP port 53, so the flow records show an abnormal volume of UDP traffic (and unusually large DNS packets) between the victim host and the resolver or the attacker’s authoritative server. NetFlow is the quickest place to confirm the scale of the transfer and the endpoints involved; DNS server logs (D) then show the domains and query patterns, but "registration of unauthorized domains" is not something a DNS server logs. Web logons (A) and C&C traffic on the firewall (B) are unrelated to a DNS-based channel.
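
Once the flow data points at DNS, the DNS query log is where the tunnel shows itself. As an added example (not from the original card), a small profiler over constructed query-log lines of the form `client qname qtype`: tunneled data appears as long, high-entropy, never-repeating leading labels under one domain, often with TXT or NULL record types. The registered-domain extraction keeps only the last two labels, an assumption that breaks for suffixes such as `co.uk`.

```python
import hashlib
import math
from collections import defaultdict


def constructed_query_log() -> list:
    """Constructed DNS query log (client qname qtype), not from the original page:
    ordinary lookups under example.com and a tunnel under example.org whose
    leftmost label carries a chunk of encoded data on every query."""
    lines = []
    for i in range(12):
        host = ("www", "mail", "api")[i % 3]
        lines.append(f"10.0.0.5 {host}.example.com {'MX' if host == 'mail' else 'A'}")
    for i in range(12):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]  # stands in for encoded data
        lines.append(f"10.0.0.7 {chunk}.t.example.org TXT")
    return lines


def shannon_entropy(text: str) -> float:
    """Bits per character; random hex approaches 4.0, hostnames sit well below 3.5."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: the registrable domain is the last two labels (wrong for co.uk etc.).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def profile(lines):
    """Per-domain counters over the query log."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "label_len": 0,
                                 "entropy": 0.0, "txt_null": 0})
    for line in lines:
        _client, qname, qtype = line.split()
        s = stats[registered_domain(qname)]
        first_label = qname.split(".")[0]
        s["queries"] += 1
        s["names"].add(qname)
        s["label_len"] += len(first_label)
        s["entropy"] += shannon_entropy(first_label)
        s["txt_null"] += qtype in ("TXT", "NULL")
    return stats


def suspicious_domains(lines, min_queries: int = 10) -> list:
    """Domains whose names almost never repeat and whose leading labels are long and random."""
    flagged = []
    for domain, s in profile(lines).items():
        n = s["queries"]
        if n < min_queries:
            continue
        unique_ratio = len(s["names"]) / n
        if unique_ratio > 0.9 and s["label_len"] / n >= 30 and s["entropy"] / n >= 3.5:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_domains(constructed_query_log()))
```

The thresholds are starting points, not rules: CDN and anti-virus lookups also produce long unique labels, so flagged domains are leads to confirm against the NetFlow volumes and the client involved.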

23
Q

A security consultant is brought in to test recent changes made to a company’s network by its in-house security personnel. The consultant discovers a file named passwd.csv located at the disk root on a web server deployed in the company’s perimeter network. The web server runs Linux. What is the MOST likely reason for this file?
A. The file was left there by an external attacker to help configure persistence
B. The file was placed there as a honeyfile by in-house security
C. The file is evidence that the web server is a staging point for an active data exfiltration effort
D. The file is an optional Linux configuration file

A

B: The file was placed there as a honeyfile by in-house security. Honeyfiles are decoy files intentionally placed where an attacker would look for them; any access to the file is an alarm, since no legitimate process reads it. A conspicuously named credential file sitting at the root of a perimeter web server, right after the in-house team has been making changes, fits a deliberate trap far better than an attacker’s persistence mechanism (A) or a staging file (C), and passwd.csv is not a Linux configuration file (D).

24
Q

Which key is used to encrypt data in an asymmetric encryption system?
A. The recipient’s public key
B. The sender’s private key
C. The recipient’s private key
D. The sender’s public key

A

A: The recipient’s public key. In asymmetric encryption, the sender encrypts with the recipient’s public key, so only the holder of the matching private key, the recipient, can decrypt. The sender’s private key (B) is used for signing, which provides authenticity rather than confidentiality.

25
Q

A development team manages a complex e-commerce platform and is responsible for scaling up the platform when demand increases and scaling down as demand wanes. Which tool or technology should the team use to ensure this scaling is done in a secure manner?
A. Security Orchestration, Automation and Response (SOAR)
B. Infrastructure as code (IaC)
C. Trusted Automated eXchange of Indicator Information (TAXII)
D. Simple Object Access Protocol (SOAP)

A

B: Infrastructure as Code (IaC). IaC helps automate the deployment and management of infrastructure in a secure and consistent manner. It allows the development team to manage scaling dynamically while ensuring security best practices are embedded in the code.

26
Q

An organization wants to minimize the risk of vulnerability created by accidental misconfiguration on servers and other networking nodes. Which of the following technologies should the organization use to automate configuration of newly deployed devices?
A. Supervisory Control and Data Acquisition (SCADA)
B. Secure Access Service Edge (SASE)
C. Unified threat management (UTM)
D. Infrastructure as code (IaC)

A

D: Infrastructure as Code (IaC). By using IaC, the organization can automate the configuration of newly deployed devices, ensuring consistent and secure configurations. This minimizes the risk of vulnerabilities due to misconfigurations.

27
Q

A company is designing a data processing application that will support various context- and location-sensitive levels of access. Sensitive data is replaced in the database with a non-sensitive equivalent that has no exploitable meaning or value. The database value is securely mapped to the actual data, which is stored in a separate location. What is this an example of?
A. Data masking
B. Tokenization
C. Encryption
D. De-identification

A

B: Tokenization. This method replaces sensitive data with non-sensitive equivalents, known as tokens. These tokens map back to the original data stored securely elsewhere, ensuring that the replacement data holds no exploitable meaning or value.
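
How a token vault behaves, as an added example covering both tokenization cards above (not code from the original page): tokens are random digits of the same length as the original, carry no mathematical relation to it, and can only be reversed through the vault. Masking and hashing are shown alongside for contrast, including why hashing a short identifier space is reversible by enumeration. Encrypting the vault’s stored values at rest is assumed to be handled by the database and is not shown.

```python
import hashlib
import secrets


class TokenVault:
    """Constructed token vault (not from the original page): random tokens on one side,
    the real identifiers on the other. In a deployment the value side lives in the
    encrypted database the card describes; that encryption is assumed, not shown."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        if not value.isdigit():
            raise ValueError("this toy vault handles numeric identifiers only")
        if value in self._value_to_token:          # same value, same token
            return self._value_to_token[value]
        while True:
            # Same length and alphabet as the original, drawn from a CSPRNG: the token
            # passes format checks downstream but carries no information about the value.
            token = "".join(secrets.choice("0123456789") for _ in value)
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only a caller with access to the vault can get the original back.
        return self._token_to_value[token]


def mask(value: str, keep_last: int = 4) -> str:
    """Masking: irreversible, keeps a few trailing characters for display."""
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def hash_id(value: str) -> str:
    """Hashing: irreversible but deterministic, with no secret involved."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_from_hash(digest: str, length: int):
    """Why a bare hash of a short identifier is not protection: the whole
    identifier space can be hashed and compared against the stored digest."""
    for candidate in range(10 ** length):
        value = f"{candidate:0{length}d}"
        if hash_id(value) == digest:
            return value
    return None


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("123456789")
    print("token:", token, "->", vault.detokenize(token))
    print("masked:", mask("123456789"))
    print("recovered from hash:", recover_from_hash(hash_id("0420"), 4))
```

The same identifier produces different tokens in different vaults because nothing but the vault links them; a hash of the identifier is identical everywhere, which is what makes it linkable and, for small identifier spaces, reversible.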

28
Q

An organization institutes an encryption standard for all data in transit. What is the organization attempting to prevent?
A. Keylogger attack
B. Eavesdropping
C. Injection attacks
D. Brute force attack

A

B: Eavesdropping. Encryption for data in transit ensures that any data sent over networks is protected from being intercepted and read by unauthorized parties, effectively preventing eavesdropping attacks.

29
Q

After organizing an incident response team, the team leader wants to guide the team through a mock incident. What should the team leader do?
A. Schedule a parallel test and include IT Services
B. Request members to review the incident response plan checklist
C. Perform a group-based threat modeling exercise
D. Schedule a tabletop exercise for all team members

A

D: Schedule a tabletop exercise for all team members. A tabletop exercise is an effective way to walk through the incident response plan in a controlled, low-stress environment. It allows the team to discuss their roles, responsibilities, and responses to a simulated incident without the pressure of a real event.

30
Q

Your organization has developed a fault-tolerant design to help ensure business continuity in case of a disaster. The disaster recovery site has mission-critical hardware already installed and connectivity already established. Data backups of critical data are on hand, but they may be up to a week old. This is an example of which of the following?
A. Hot site
B. Warm site
C. Off-site storage site
D. Cold site

A

B: Warm site. A warm site has the necessary hardware and connectivity in place but not current data; here the backups on hand may be up to a week old and must be restored before the site can take over. It is the middle ground between a hot site, which is kept synchronized and ready, and a cold site, which is little more than space and power.

31
Q

After migrating systems to the cloud, a security administrator implements jump servers. What is the administrator hoping to accomplish?
A. The segmentation of the network into security zones
B. The restriction of direct access to critical servers
C. The caching of content closer to remote users
D. The load balancing of requests to production servers

A

B: The restriction of direct access to critical servers. Jump servers act as a secure gateway, allowing administrators to manage and access critical servers without exposing them directly to the network. This adds an extra layer of security by limiting direct access and reducing potential attack vectors.

32
Q

An attacker breaches an organization’s virtualization system and exfiltrates VMs containing sensitive data. Which of the following is the BEST method to address this risk?
A. Requiring a VPN for all connections
B. Implementing HIPS on all VMs
C. Using full disk encryption
D. Deploying DLP

A

C: Using full disk encryption. If the virtual disk images are encrypted, copies taken out of the virtualization platform are ciphertext without the keys, so the data inside them stays protected. The keys must be held outside the images (for example in a key management service) for this to hold; a VPN (A), HIPS (B) and DLP (D) do not protect the contents of an image that has already been stolen.

33
Q

A security company is contracted for black-box penetration testing at a large corporation. The security company relies only on publicly available information for its initial reconnaissance, and it does not attempt to contact the corporation or access the corporation’s network or resources. What is this BEST described as?
A. CVE
B. Footprinting
C. OSINT
D. War flying

A

C: OSINT (Open Source Intelligence). This involves gathering information from publicly available sources to gain insights about a target without directly interacting with or accessing its network and resources.

OSINT is fascinating because it shows just how much can be uncovered from seemingly benign sources.

34
Q

A company is designing its disaster recovery plan. The company wants potential down time after a disaster kept to a minimum. Data loss and reporting requirements should also be kept to a minimum. The ability to physically secure the site and prevent any outside entry is a primary concern. What is the BEST disaster recovery site option?
A. Colocation site
B. Warm site
C. Hot site
D. Cold site

A

C: Hot site. A hot site is a fully equipped facility with continuously synchronized data that can take over almost immediately, which meets the requirements for minimal downtime and minimal data loss. It is also dedicated to the company, so physical access can be controlled, unlike a colocation site (A) shared with other tenants.

35
Q

Which of the following data elements, on their own, are MOST likely to be classified as sensitive data? Choose Two.
A. Home address
B. Full name
C. Driver’s license number
D. Passport number
E. Phone number

A

C: Driver’s license number and D: Passport number. These are highly sensitive identifiers that, on their own, can be used for identity theft or other malicious purposes.

36
Q

An organization plans to move some application functionality to SaaS. Which of the following implications should the organization consider prior to this migration?
A. The organization will remain responsible for managing mobile devices
B. The organization will no longer be responsible for managing data
C. The organization will no longer be responsible for managing user accounts
D. The organization will remain responsible for managing operating systems

A

A: The organization will remain responsible for managing mobile devices. Under the SaaS shared responsibility model the provider runs the application, the operating systems and the infrastructure, but the customer keeps responsibility for its data, its user accounts and access, and the endpoints (including mobile devices) that reach the service. Options B and C are wrong for that reason, and D describes IaaS rather than SaaS.

37
Q

Which of the following is the BEST option for automating a response to an on-path attack?
A. Identity and Access Management (IAM)
B. Network-based Intrusion Prevention System (NIPS)
C. Network Access Control (NAC)
D. Host-Based Intrusion Detection System (HIDS)

A

B: Network-Based Intrusion Prevention System (NIPS). This system can automatically detect and block on-path (or man-in-the-middle) attacks in real-time, ensuring immediate response and protection.

38
Q

An organization plans to deploy remote IoT devices that will monitor environmental conditions. Due to processing constraints, the devices do not support PKI, but the organization is concerned that stored secrets might be easily compromised if a device is stolen. Which of the following can be used to mitigate this risk?
A. IPsec
B. 802.1x
C. TPM
D. VPN

A

C: TPM (Trusted Platform Module). A TPM is a hardware security chip that generates and stores keys so they never leave the chip in the clear, and it can seal stored secrets to the device’s measured boot state, so pulling the storage from a stolen device does not yield usable keys. It also offloads the key operations from the constrained main processor. IPsec (A), 802.1X (B) and a VPN (D) protect traffic in transit, not secrets at rest on the device.

39
Q

A company deploys virtual desktop infrastructure (VDI) to replace expensive desktop computers. However, many of the VDI instances are quickly breached through well-known vulnerabilities. Which technology or process should the company use to avoid this issue in the future?
A. Robust Access Control (ACLs)
B. Network segmentation
C. Active threat monitoring
D. Hardened VM templates

A

D: Hardened VM templates. By using hardened VM templates, the company can ensure that all virtual desktops are built with security best practices in mind from the outset. This includes pre-configured settings to mitigate known vulnerabilities, reducing the risk of breaches.

40
Q

Why would an organization use Security Content Automation Protocol (SCAP)?
A. To aggregate and correlate system logs from organizational servers
B. To determine if data is being exfiltrated accidentally or intentionally
C. To determine if system configurations are consistent and secure
D. To facilitate single sign-on (SSO) for on-premises and cloud resources

A

C: To determine if system configurations are consistent and secure. SCAP is used for automated vulnerability management, measurement, and policy compliance evaluation. It helps ensure that systems adhere to security policies and configurations.

41
Q

An attacker posing as a janitor is able to access a storage area where sensitive printed documents are kept. Which method should the organization use to implement a preventive physical control?
A. Define a policy that forbids unauthorized access to the storage area
B. Install a locked fence that limits access to the storage area
C. Install alarms on all doors leading to the storage area
D. Install surveillance cameras throughout the storage area

A

B: Install a locked fence that limits access to the storage area. A physical barrier such as a locked fence is an effective preventive control to restrict unauthorized access. Policies and alarms are important, but a physical lock can actually stop someone in their tracks.

42
Q

A user reports they receive a certificate warning when attempting to visit their banking website. Upon investigation, a security administrator discovers the site is presenting an untrusted SSL certificate. Which of the following attacks has the administrator MOST likely uncovered?
A. Birthday
B. Zero-day
C. Downgrade
D. On-path

A

D: On-path. The warning means the certificate presented to the browser does not chain to a trusted CA for the bank’s name: an attacker positioned between the user and the bank is terminating the TLS connection with a certificate of their own in order to read or alter the traffic. This is also called a man-in-the-middle attack. The warning is the control working as intended, and the user should not click through it.

43
Q

What should be used to ensure non-repudiation on outgoing emails?
A. Steganography
B. Digital Signature
C. Ephemeral key
D. Cryptographic hash

A

B: Digital Signature. The sender signs a hash of the message with their private key; any recipient can verify it with the sender’s public key, which proves both that the message is unaltered and that it came from the holder of that private key, so the sender cannot later deny sending it. A cryptographic hash alone (D) gives integrity but no binding to a sender, since anyone can compute it.
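
Both uses of an asymmetric key pair, confidentiality (card 24) and non-repudiation (this card), in one added example that is not from the original flashcards: textbook RSA with small fixed primes and no padding, chosen so it runs with the standard library alone. Encryption uses the recipient’s public key and only the recipient’s private key decrypts; a signature is the SHA-256 digest of the message raised to the sender’s private exponent, and anyone holding the sender’s public key can verify it. Real deployments use 2048-bit or larger keys with OAEP and PSS padding; the digest is reduced modulo n here only so the toy modulus can hold it.

```python
import hashlib
import math


def generate_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two fixed primes. Returns (public, private) as (n, exponent)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(recipient_public, plaintext: bytes) -> int:
    """Anyone may encrypt with the recipient's PUBLIC key."""
    n, e = recipient_public
    m = int.from_bytes(plaintext, "big")
    if not 0 < m < n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(recipient_private, ciphertext: int) -> bytes:
    """Only the matching PRIVATE key recovers the plaintext."""
    n, d = recipient_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_mod_n(message: bytes, n: int) -> int:
    # Toy: the digest is reduced mod n so that it fits the small modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(sender_private, message: bytes) -> int:
    """Non-repudiation: only the holder of the sender's private key can produce this."""
    n, d = sender_private
    return pow(_digest_mod_n(message, n), d, n)


def verify(sender_public, message: bytes, signature: int) -> bool:
    """Anyone with the sender's public key checks the signature against a fresh digest."""
    n, e = sender_public
    return pow(signature, e, n) == _digest_mod_n(message, n)


# Fixed well-known primes so the example is deterministic (toy sizes, not for real use).
BOB_PUBLIC, BOB_PRIVATE = generate_keypair(1_000_000_007, 998_244_353)
ALICE_PUBLIC, ALICE_PRIVATE = generate_keypair(999_999_937, 1_000_000_009)

if __name__ == "__main__":
    c = encrypt(BOB_PUBLIC, b"hello")               # Alice encrypts for Bob
    print(decrypt(BOB_PRIVATE, c))                   # b'hello'
    s = sign(ALICE_PRIVATE, b"invoice 42")           # Alice signs with her private key
    print(verify(ALICE_PUBLIC, b"invoice 42", s))    # True
    print(verify(ALICE_PUBLIC, b"invoice 43", s))    # False: message changed
```

The two operations are mirror images: encryption goes public-in, private-out for the recipient; signing goes private-in, public-out for the sender. A signature computed with Alice’s private key fails to verify under Bob’s public key, which is what ties the message to Alice.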