Security Operations - Quiz Revision Flashcards

Question 1

Q

Which of the following data sources would provide you with information about potential weaknesses and security flaws within a network or system?

A) IDS/IPS logs
B) Automated reports
C) Vulnerability scans
D) Network logs

Answer

A

Vulnerability scans provide information about potential weaknesses and security flaws within a network or system. Vulnerability scans involve automated assessments of network devices, servers, and applications to identify potential weaknesses and security vulnerabilities. These scans analyze system configurations, software versions, and patch levels to detect known vulnerabilities and misconfigurations that could be exploited by attackers. Reports generated from/by these vulnerability scans provide detailed information about identified vulnerabilities, including severity ratings, affected systems, and recommended remediation steps. By conducting vulnerability scans regularly, organizations can proactively identify and address security risks, thereby enhancing the overall security posture of their network and systems.

Question 2

Q

What are Automated reports?

Answer

A

Automated reports may include various types of information generated by security tools and systems, such as IDS/IPS alerts, network activity summaries, and system status reports. While automated reports can provide valuable insights into security events and operational metrics, they do not specifically focus on identifying potential vulnerabilities or weaknesses within the network or system. Automated reports may complement other data sources in a cybersecurity investigation but are not primarily used for assessing security vulnerabilities.

Question 3

Q

IPS/IDS logs?

Answer

A

Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) logs record alerts and events related to security threats detected within the network. These logs contain information about suspicious network traffic, attempted intrusions, and malicious activities identified by the IPS/IDS sensors. While they can help identify suspicious network activity, they do not find unexploited weaknesses or vulnerabilities, such as unpatched software, open unnecessary ports, or affected systems. They identify and record information about issues as they are discovered. They record what is “happening now”, as opposed to alerting that you may have a potential problem in the future.

Question 4

Q

What does network logs capture?

Answer

A

Network logs capture information about network traffic, including source and destination IP addresses, port numbers, protocols, and packet details. These logs are generated by network devices such as routers, switches, and firewalls, and they provide insights into network activity and communication patterns. Like IPS and IDS logs, they do not analyze endpoints or the overall security posture of the network.

Question 5

Q

Management at your company has requested that you implement DLP. What is the purpose of this technology?

A) It monitors data on computers to ensure the data is not deleted or removed.

B) It protects against malware.

C) It allows organizations to use the Internet to host services and data remotely instead of locally.

D) It implements hardware-based encryption.

Answer

A

Data Loss Prevention (DLP) is a network system that monitors data on computers to ensure the data is not deleted or removed. If your organization implements a DLP system, you can prevent users from transmitting confidential data to individuals outside the company.

Question 6

Q

What is cloud computing?

Answer

A

Cloud computing is a technology that allows organizations to use the Internet to host services and data remotely instead of locally.

Question 7

Q

What is TPM?

Answer

A

Trusted Platform Module (TPM) and Hardware Security Module (HSM) are both chips that implement hardware-based encryption. The main difference between the two is that a TPM chip is usually mounted on the motherboard and HSM chips are PCI adapter cards.

Question 8

Q

What are the different solutions are provided with DLP?

Answer

A

DLP provides different solutions based on data location:

Network-based – deals with data in motion and is usually located on the network perimeter.
Storage-based – operates on long-term storage (archive)
Endpoint-based – operates on a local device and focuses on data-in-use.

Cloud-based – operates in “the cloud” data in use, motion, and at rest

Question 9

Q

What services does DLP provide?

Answer

A

DLP identifies and controls end-point ports as well as block access to removable media by providing the following services:

Identify removable devices connected to your network by type (USB thumb drive, DVD burner, mobile device), manufacturer, model number, and MAC address.

Control and manage removable devices through endpoint ports, including USB, Wi-Fi, and Bluetooth.

Require encryption, limit file types, and limit file size.

Provide detailed forensics on device usage and data transfer by person, time, file type, and amount.

DLP includes USB blocking, cloud-based, and email services.

Question 10

Q

Management has decided to install a network-based intrusion detection system (NIDS). What is the primary advantage of using this device?

A) It is low maintenance.

B) It launches no counterattack on the intruder.

C) It has a high throughput of the individual workstations on the network.

D) It has the ability to analyze encrypted information.

Answer

A

The primary advantage of an NIDS is the low maintenance involved in analyzing traffic in the network. An NIDS is easy and economical to manage because the Signatures are not configured on all the hosts in a network segment. Configuration usually occurs at a single system, rather than on multiple systems. By contrast, host-based intrusion detection systems (HIDSs) are difficult to configure and monitor because the intrusion detection agent should be installed on each individual workstation of a given network segment. HIDSs are configured to use the operating system audit logs and system logs, while NIDSs actually examine the network packets.

Question 11

Q

Does the packet that goes through the VPN be readable with NIDS?

Answer

A

Individual hosts do not need real-time monitoring because intrusion is monitored on the network segment on which the NIDS is placed, and not on individual workstations. An NIDS is not capable of analyzing encrypted information. For example, the packets that travel through a Virtual Private Network tunnel (VPN) cannot be analyzed by the NIDS. The lack of this capability is a primary disadvantage of an NIDS.

Question 12

Q

Does NIDS effect the throughput of a workstation?

Answer

A

The high throughput of the workstations in a network does not depend on the NIDS installed in the network. Factors such as the processor speed, memory, and bandwidth allocated affect the throughput of workstations.

Question 13

Q

Does Network Switches affect Switched Network if NIDS is used?

Answer

A

The performance of an NIDS can be affected in a switched network environment because the NIDS will not be able to properly analyze all the traffic that occurs on the network on which it does not reside. An HIDS is not adversely affected by a switched network because it is primarily concerned with monitoring traffic on individual computers.

Question 14

Q

You need to restrict access to resources on your company’s Windows Active Directory domain. Which criteria can be used to restrict access to resources?

A)location
B)all of these choices
C)transaction type
D)time of day
E)roles
F)groups

Answer

A

Roles, groups, location, time of day, and transaction type can all be used to restrict access to resources. Regardless of the criteria used, access administration can be simplified by grouping objects and subjects. Access control lists (ACLs) can be used to assign users, groups, or roles access to a particular resource. If you implement time of day restrictions with ACLs, security is improved.

Question 15

Q

Examine the following exhibit. Based on the output, what is displayed?

A) A firewall log
B) A packet capture
C) Metadata
D) An endpoint log

Answer

A

The exhibit is a Windows Firewall log. Firewall logs record every attempt to access the network. They record information such as source and destination IP addresses, ports, protocols, and connection status. Analyzing firewall logs can help security analysts identify unauthorized access attempts, suspicious network behavior, and potential threats such as port scanning or denial-of-service (DoS) attacks. Firewall logs are valuable for monitoring and enforcing network security policies and detecting anomalous activities at the network perimeter.

Firewall logs are a type of network log. Network logs capture information about network traffic, including source and destination IP addresses, port numbers, protocols, and packet details. These logs are generated by network devices such as routers, switches, and firewalls, and they provide insights into network activity and communication patterns. The following exhibit shows output from the netstat command:

Question 16

Q

What is an example of an endpoint log?

Answer

A

Endpoint logs record events and activities generated by endpoints such as desktops, laptops, and mobile devices. These logs contain information about user logins, file access, system processes, and network connections initiated by endpoint devices. Analyzing endpoint logs can help detect security threats such as malware infections, insider attacks, and unauthorized access attempts. Endpoint logs are crucial for monitoring endpoint security, investigating security incidents, and identifying potential security risks or vulnerabilities within the organization’s endpoint infrastructure.

Eventviewer

Question 17

Q

What is packet capture?

Answer

A

Packet captures, also known as packet sniffing or network traffic analysis, capture and record data about individual network packets exchanged between devices on a network. Packet captures provide a more detailed record of network traffic than does a network log, including source and destination IP addresses, port numbers, protocols, packet payloads, and communication patterns. By analyzing packet captures, cybersecurity investigators can identify potential security threats, such as malicious activities, network intrusions, and data exfiltration attempts. The following example shows a packet capture made using Wireshark, with a detail pane expanding on packets captured from source IP address 10.2.2.101

Question 18

Q

What is metadata?

Answer

A

Metadata refers to descriptive information about data, such as the time stamps, file sizes, sender/recipient details, and other attributes associated with files or communication sessions. As an example, metadata associated with an email communication may include the sender’s email address, recipient’s email address, subject line, time and date of transmission, and file attachments. Analyzing this metadata can help investigators trace the source of suspicious emails, identify potential data exfiltration attempts, and reconstruct the timeline of cyber incidents. Metadata is valuable for understanding the characteristics and context of data exchanges, enabling investigators to gain a deeper understanding of security events and formulate effective response strategies.

Question 19

Q

You need to remove data from a storage media that is used to store confidential information. Which method is NOT recommended?

A) zeroization
B) degaussing
C) destruction
D) formatting

Answer

A

Formatting is not a recommended method. Formatting or deleting the data from a storage media, such as a hard drive, does not ensure the actual removal of the data, but instead removes the pointers to the location where the data resides on the storage media. The residual data on the storage media is referred to as data remanence. The main issue with media reuse is remanence. The residual data can be recovered by using data recovery procedures. This can pose a serious security threat if the erased information is confidential in nature. Sanitization is the process of wiping the storage media to ensure that its data cannot be recovered or reused. Sanitization includes several methods, such as zeroization, degaussing, and media destruction. All of these methods can be used to remove data from storage media, depending on the type of media used. Most storage media with a magnetic base can be sanitized. However, CDs and DVDs often cannot be degaussed. If this is the case, the only option is physical destruction of the CD or DVD.

Question 20

Q

How can you implement proper controls when ensuring data security?

Answer

A

When implementing appropriate controls to ensure data security, you need to design the appropriate data policies, including the following:

Data wiping – ensures that the contents of the media are no longer accessible.

Data disposing – destroys the media to ensure that media is unusable.

Data retention – ensures that data is retained for a certain period. The data retention policies should also define the different data types and data labeling techniques to be used.

Data storage – ensures that data is stored in appropriate locations. In most cases, two copies of data should be retained and placed in different geographic locations.

No matter which type of media you must dispose of or reuse, you need to ensure that your organization understands the legal and compliance issues that will affect the disposal. Certain types of protected data, such as personally identifiable information (PII) or personal health information (PHI), may require special handling when stored on media.

Question 21

Q

You want to configure password policies that ensure password strength. Which password setting most affects a password’s strength?

A) password history
B) password age
C) password complexity
D) password lockout

Answer

A

Password complexity is the most important setting to ensure password strength. Password complexity allows you to configure which characters should be required in a password to reduce the possibility of dictionary or brute force attacks. A typical password complexity policy would force the user to incorporate numbers, letters, and special characters. Both uppercase and lowercase letters can be required. A password that uses a good mix, such as Ba1e$23q, is more secure than a password that only implements parts of these requirements, such as My32birthday, NewYears06, and John$59. Note that password complexity rules are less effective when users make common character substitutions in dictionary words, such as zero for O, @ for a, and 3 for E.

Question 22

Q

A large financial institution needs to securely manage and grant temporary access to privileged accounts for third-party contractors performing system maintenance. Of the choices given, which solution would be most appropriate for privileged access management?

A) Just-in-time permissions
B) Password vaulting
C) Time-limited authorization
D) Ephemeral credentials

Answer

A

Ephemeral credentials would be the most appropriate solution for privileged access management. Ephemeral credentials refer to temporary, short-lived credentials generated dynamically for accessing privileged accounts or resources. Ephemeral credentials can be generated on-demand and automatically revoked after a predefined period, reducing the risk of credential theft, misuse, or exposure. This ensures that third-party contractors have access only for the duration required to perform system maintenance tasks, enhancing security and compliance.

Question 23

Q

What is the temporary solution for Just-in-time permissions?

Answer

A

Just-in-time permissions involve granting temporary access to resources or privileged accounts for a specific period, typically based on user requests or predefined policies. While just-in-time permissions provide a means to limit exposure and reduce the risk of unauthorized access, they may not be the most appropriate solution for the scenario described. Just-in-time permissions are typically used for user accounts within an organization’s internal network, rather than third-party contractors requiring temporary privileged access for system maintenance.

Question 24

Q

What is password Vaulting?

Answer

A

Password vaulting involves securely storing and managing passwords, encryption keys, and other sensitive credentials used to access privileged accounts. While password vaulting helps centralize and secure access to privileged accounts, it may not be the most appropriate solution for the scenario described. Password vaulting solutions are designed to manage static credentials and do not provide temporary access or time-limited authorization capabilities required for third-party contractors performing system maintenance.

Question 25

Q

How can you grant access where once a task is completed or when the time is expired and access is no longer granted?

Answer

A

Time-limited authorization involves granting access permissions for a specific period or until a certain event occurs, such as the completion of a task or the expiration of a predefined timeframe. While time-limited authorization shares similarities with just-in-time permissions and ephemeral credentials, it may not specifically address the need for managing and securing privileged access for third-party contractors in the scenario described. Time-limited authorization can be part of a broader privileged access management strategy but may require additional capabilities, such as credential rotation and monitoring, to effectively manage temporary access for contractors performing system maintenance.

Question 26

Q

You have asked your assistant to configure a firewall with the following access control list (ACL).

access list outbound deny ip 0.0.0.0 0.0.0.0/0 port 23
access list outbound permit ip 192.168.5.6/32 0.0.0.0/0 port 23
access list outbound permit ip 0.0.0.0 0.0.0.0/0

What will be the effect of these commands?

A) No devices will be able to send outbound Telnet requests.

B) Only the device at 192.168.5.6 will be able to send outbound DNS requests.

C) Only the device at 192.168.5.6 will be able to send outbound Telnet requests.

D) No devices will be able to send outbound DNS requests.

Answer

A

As a result of the first rule, no device will be able to send outbound Telnet requests from inside the network:

access list outbound deny ip 0.0.0.0 0.0.0.0/0 port 23

The list specifies Telnet traffic (port 23). DNS traffic operates on port 53.

Setting the source and destination address to 0.0.0.0 affects all traffic. Telnet operates on port 23. The order of the statements is important because the system processes them from top to bottom. Once traffic matches a rule, the rule is applied in the specified direction, and the traffic is not evaluated further. Because ALL traffic matches the first line, all traffic is blocked on port 23 and the second statement is never processed.

Question 27

Q

You need to install a network device or component that ensures the computers on the network meet an organization’s security policies. Which device or component should you install?

A) NAT
B) DMZ
C) IPSec
D) NAC

Answer

A

Network Access Control (NAC) ensures that the computers on the network meet an organization’s security policies. NAC user policies can be enforced based on the location of the network user, group membership, or some other criteria. Media access control (MAC) filtering is a form of NAC. NAC provides host health checks for any devices connecting to the network. Hosts may be allowed or denied access or placed into a quarantined state based on this health check.

When connecting to a NAC, the user should be prompted for credentials. If the user is not prompted for credentials, the user’s computer is missing the authentication agent.

NAC can be permanent or dissolvable. Permanent or persistent NAC is installed on a device and runs continuously, while dissolvable NAC, also referred to as portal-based, downloads and runs when required and then disappears.

NAC can also be Agent-based or agentless. With Agent-based, a piece of code is installed on the host that performs the NAC functions on behalf of the NAC server. Agentless NAC integrates with a directory service.

Question 28

Q

Which type of test relies heavily on automated scanning tools and reporting?

A)penetration test
B)unknown environment test
C)vulnerability test
D)known environment test

Answer

A

Automated scanning tools and reporting are used to perform a vulnerability test. A vulnerability test identifies the vulnerabilities in a network. After the vulnerabilities are identified, a penetration test exploits the identified vulnerabilities to prove that the vulnerability actually exists.

A vulnerability test and a penetration test are NOT the same thing. A vulnerability test leads to the penetration test. You must first identify the vulnerabilities in the vulnerability test and then attempt to exploit the vulnerabilities using a penetration test.

Question 29

Q

Your organization has recently undergone a hacker attack. You have been tasked with preserving the data evidence. You must follow the appropriate eDiscovery process. You are currently engaged in the Preservation and Collection process. Which of the following guidelines should you follow? (Choose all that apply.)

A)The data acquisition should include both bit-stream imaging and logical backups.

B)The data acquisition should be from a live system to include volatile data when possible.

C)The chain of custody should be preserved from the data acquisition phase to the presentation phase.

D)Hashing of acquired data should occur only when the data is acquired and when the data is modified.

Answer

A

When following the eDiscovery process guidelines, you should keep the following points in mind regarding the Preservation and Collection process:

The data acquisition phase should be from a live system to include volatile data when possible.

The data acquisition should include both bit-stream imaging and logical backups.

The chain of custody should be preserved from the data acquisition phase to the presentation phase.

While it is true that the hashing of acquired data should occur when the data is acquired and when the data is modified, these are not the only situations that require hashing. Hashing should also be performed when a custody transfer of the data occurs.

Other points to keep in mind during the Preservation and Collection process include the following:

A consistent process and policy should be documented and followed at all times.

Forensic toolkits should be used.

The data should not be altered in any manner, within reason.

Logs, both paper and electronic, must be maintained.

At least two copies of collected data should be maintained.

Question 30

Q

List The stages of Forensic Discovery?

Answer

A

The stages of Forensic Discovery include the following:

Verification – Confirm that an incident has occurred.

System Description – Collect detailed descriptions of the systems in scope.

Evidence Acquisition – Acquire the relevant data in scope, minimizing data loss, in a manner that is legally defensible. This is primarily concerned with the minimization of data loss, the recording of detailed notes, the analysis of collected data, and reporting findings.

Data Analysis – This includes media analysis, string/byte search, timeline analysis, and data recovery.

Results Reporting – Provide evidence to prove or disprove statements of facts.

Question 31

Q

List The stages of eDiscovery?

Answer

A

The stages of eDiscovery include the following:

Identification – Verify the triggering event that has occurred. Find and assign potential sources of data, subject matter experts, and other required resources.

Preservation and Collection – Acquire the relevant data in scope, minimizing data loss, in a manner that is legally defensible. This is primarily concerned with the minimization of data loss, the recording of detailed notes, the analysis of collected data, and reporting findings.

Processing, Review, and Analysis – Process and analyze the data while ensuring that data loss is minimized.

Production – Prepare and produce electronically stored information
(ESI) in a format that has already been agreed to by the parties.

Presentation – Provide evidence to prove or disprove statements of facts.

Question 32

Q

When preparing an eDiscovery policy for your organization, you need to consider?

Answer

A

When preparing an eDiscovery policy for your organization, you need to consider the following facets:

Electronic inventory and asset control – You must ensure that all assets involved in the eDiscovery process are inventoried and controlled. Unauthorized users must not have access to any assets needed in eDiscovery.

Data retention policies – Data must be retained as long as required. Organizations should categorize data and then decide the amount of time that each type of data is to be retained. Data retention policies are the most important policies in the eDiscovery process. They also include systematic review, retention, and destruction of business documents.

Data recovery and storage – Data must be securely stored to ensure maximum protection. In addition, data recovery policies must be established to ensure that data is not altered in any way during the recovery. Data recovery and storage is the process of salvaging data from damaged, failed, corrupted, or inaccessible storage when it cannot be accessed normally.

Data ownership – Data owners are responsible for classifying data. These data classifications are then assigned data retention policies and data recovery and storage policies.

Data handling – A data handling policy should be established to ensure that the chain of custody protects the integrity of the data.

Question 33

Q

What is the process of identifying IoT and other devices that are not part of the core infrastructure so that hackers cannot use them to compromise an organization’s core network?

A) Penetration testing and adversary emulation
B) Passive discovery
C) Edge discovery
D) Security controls testing

Answer

A

Edge discovery is the process of identifying Internet of Things (IoT) and other devices that are not part of the core infrastructure. Once identified, they can be configured so that hackers cannot use them to compromise an organization’s core network.

Edge discovery is a key component of edge security for attack surface management. Edge security is the process of securing nodes that are outside a company’s network core. The edge of the network needs the same level of security as the core network. Nodes at the edge are not fully covered by the security perimeter of the organization and so are the most vulnerable to cybersecurity risks. Computing on the edge involves computing occurring closer to edge devices rather than the infrastructure of the network. Self-driving cars, sensors, fitness bands, and IoT devices are examples of edge devices. These devices often handle sensitive data, and their compromise can compromise the full network. For this reason, it is essential that these devices are not discoverable by hackers on the Internet. Physical controls involve securing the devices and only allowing authorized personnel to use them. Logical controls involve encryption of device data both in transit and at rest and implementing authorization and authentication.

Question 34

Q

How to secure edge devices?

Answer

A

The growth in the use of edge devices has increased the attack surface for an organization. To secure edge devices, you use routers and firewalls as well as wide area network (WAN) devices which are built for security. Some best practices for edge security include:

Keep a zero-trust model throughout the company

Ensure internal configuration and control of edge devices and reject compromised devices

Use AI and ML tools to monitor edge device activity

Ensure edge devices are isolated in a public cloud to avoid discovery

Question 35

Q

What is passive discovery?

Answer

A

Passive discovery helps to protect the network through the use of security appliances, including firewalls, intrusion detection systems (IDSes), intrusion prevention systems (IPSes), malware protection systems, and others. It is the role of these systems to monitor events and, when an event occurs, create an alert for humans to intervene.

Question 36

Q

How do can you verify all security controls have been implemented properly?

Answer

A

Security controls testing determines whether controls have been properly implemented and are performing as expected and producing the appropriate results. For example, a test of a physical security control could be checking to see if an access control card denies entry into a specific area. This would be an example of a preventative type of control.

Question 37

Q

What is critical for attack surface management?

Answer

A

Penetration testing and adversary emulation are critical for attack surface management. The goal of penetration testing is to determine as many vulnerabilities as possible within defined time and scope parameters. Adversary emulation (also known as threat emulation) adopts current threat intelligence methodologies and tactics to identify, expose, and correct vulnerabilities. Adversary emulation is particularly suited to measure the organization’s ability to withstand an attack from advanced persistent threats.

Question 38

Q

What preserves the existence and integrity of relevant electronic records (and paper records) when litigation is imminent?

A) Incident response plan
B) Chain of custody
C) Data sovereignty
D) Legal hold

Answer

A

Legal hold is the term for the preservation of information relevant to an impending lawsuit. Personnel will be instructed not to destroy or alter information relating to the topic of the lawsuit. Chain of custody deals with how the evidence is handled once it has been collected and guarantees the identity and integrity of the evidence from the collection stage to its presentation in the court of law. There should be a log of who has had custody of the evidence, where it has been, and who has seen it. Active logging should also be used to document access to the evidence, including photographic or video records, showing the manner in which the evidence is secured. Preserving data for a legal hold just ensures that data is retained for the appropriate period and has nothing to do with chain of custody, although chain of custody is vital to preserving evidence.

An incident response plan describes how to respond to various types of security incidents. Incident response plans provide details on how to preserve data and logs related to an incident. Data sovereignty means that the data is subject to the laws of the location where it is stored. Different countries may differ in their laws for preserving the existence and integrity of records prior to litigation.

Question 39

Q

In a security investigation, which of the following would provide you with the best data source for detailed information about network transmissions?

A) Application logs
B) Packet captures
C) Dashboards
D) IPS/IDS logs

Answer

A

Packet captures would provide you with the best data source for detailed information about network transmission. Packet captures, also known as packet sniffing or network traffic analysis, involve capturing and recording individual network packets exchanged between devices on a network. Packet captures provide a detailed record of network traffic, including source and destination IP addresses, port numbers, protocols, packet payloads, and communication patterns. By analyzing packet captures, cybersecurity investigators can identify potential security threats, such as malicious activities, network intrusions, and data exfiltration attempts. Packet captures are essential for conducting in-depth network traffic analysis, identifying anomalous behavior, and supporting incident response efforts in cybersecurity investigations.

Question 40

Q

What are dashboard used for?

Answer

A

Dashboards provide an overall view of combined datasets without a lot of detail. Dashboards provide visual representations of key performance indicators (KPIs), metrics, and data insights related to various aspects of an organization’s IT environment. While dashboards can aggregate and display data from multiple sources, including logs and security alerts, they do not capture the detailed content of network packets exchanged between devices.

Question 41

Q

How are application logs captured?

Answer

A

Application logs capture events and activities generated by software applications running on servers or client devices. These logs contain valuable information about user interactions, application errors, and system events within the application environment. Analyzing application logs can help identify security incidents such as unauthorized access attempts, application vulnerabilities, and abnormal user behavior. Application logs are essential for troubleshooting application issues, detecting malicious activities, and ensuring the security and reliability of business-critical applications.

Question 42

Q

What are the benefits of IPS and IDS in terms of reporting logs?

Answer

A

Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) logs record alerts and events related to security threats detected within the network. These logs contain information about suspicious network traffic, attempted intrusions, and malicious activities identified by the IPS/IDS sensors. IPS/IDS examine active network traffic based on a profile, or heuristic signatures. Their primary purpose is not to capture every packet coming across the network for later analysis, but rather provide automated detection and response to security threats in real time. By contrast, packet capture tools like Wireshark are often used selectively for targeted analysis or troubleshooting tasks rather than continuous monitoring of all network traffic. IDS/IPS focus on “what is happening,” while packet capture focuses on “what happened.”

Question 43

Q

In which of the following scenarios would the ability to interpret suspicious commands be helpful?

A) when an email-based attack uses embedded and malicious links
B) when an attacker alters an email header to obscure the sender
C) when an attacker compromises the DNS system
D) when an attacker accesses a shell

Answer

A

When an attacker is able to install a shell (also called dropping a shell), they will be able to access a command line interface to the system. In this scenario, one’s ability to interpret any strange commands they may have entered and executed may help to identify exactly what the attacker did or was attempting to do.

Question 44

Q

What is an email-based attack?

Answer

A

An email-based attack uses embedded and malicious links in an email. While training users not to click any hyperlinks in incoming emails is one solution, you can go a step further and disable hyperlinks in emails.

Question 45

Q

Why is it critical to know DKIM function?

Answer

A

When an attacker alters an email header to obscure the sender and perform impersonation, a solution would be to implement DomainKeys Identified Mail (DKIM), an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.

Question 46

Q

What is DMARC good for when the attacker compromises the DNS system?

Answer

A

When an attacker compromises the DNS system, a solution would be to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC). When a DMARC DNS entry is published, any receiving email server can authenticate the incoming email, preventing a delivery based on an altered header. DMARC extends two email authentication mechanisms: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify how to check the From: field presented to end users.

Question 47

Q

You are investigating a security incident, and need more information about what a log entry contains. Which of the following data sources would you consult to find information about the characteristics of other data?

A) IPS/IDS logs
B) Network logs
C) Firewall logs
D) Metadata

Answer

A

Metadata literally means data about the data. Metadata refers to descriptive information about data, such as the time stamps, file sizes, sender/recipient details, and other attributes associated with files or communication sessions. As an example, metadata associated with an email communication may include the sender’s email address, recipient’s email address, subject line, time and date of transmission, and file attachments. Analyzing this metadata can help investigators trace the source of suspicious emails, identify potential data exfiltration attempts, and reconstruct the timeline of cyber incidents. Metadata is valuable for understanding the characteristics and context of data exchanges, enabling investigators to gain a deeper understanding of security events and formulate effective response strategies.

Question 48

Q

Which asset management activity typically involves scanning to locate assets?

A)Ownership
B)Inventory
C)Enumeration
D)Classification

Answer

A

Enumeration is the asset management activity that typically involves scanning to locate assets. Unlike inventory management, which relies on existing records or information, enumeration actively scans systems and networks to identify and list all of the technology resources and devices within the organization. This process helps ensure that all assets are discovered and accounted for, even if they were not previously documented in the inventory.

Question 49

Q

The IT department has been tasked with implementing a new identity and access management (IAM) solution to streamline user authentication across various systems and applications. They want to ensure that the IAM solution seamlessly integrates with existing infrastructure components, such as Active Directory, cloud services, and custom applications. Which aspect of IAM implementation is most critical in this scenario?

A)Permission assignments and implications
B)Attestation
C)Interoperability
D)Provisioning/de-provisioning user accounts

Answer

A

Interoperability would be the most critical in this scenario. Interoperability refers to the ability of different systems or applications to seamlessly work together and exchange information. In the context of IAM implementation, interoperability ensures that the IAM solution can integrate with various systems, directories, and applications across the organization’s infrastructure. This enables centralized management of user identities and access controls, simplifies administration, and enhances security by enforcing consistent policies across multiple systems.

Question 50

Q

What is Attestation?

Answer

A

Attestation refers to the process of verifying the accuracy and validity of user access rights and permissions through periodic reviews and audits. While attestation helps ensure that access rights remain aligned with business needs and regulatory requirements over time,

Question 51

Q

What is provisioning and deprovisioning?

Answer

A

Provisioning involves creating and granting access to user accounts, while deprovisioning entails removing access privileges and disabling user accounts when they are no longer needed. In the context of IAM implementation, efficient provisioning and deprovisioning processes ensure that users have appropriate access rights to resources based on their roles and responsibilities. However, in this scenario, where integration with existing infrastructure is the primary concern, provisioning/deprovisioning user accounts may not directly address the interoperability requirements of the IAM solution.

Question 52

Q

What is IAM solutions?

Answer

A

Identity and Access Management (IAM) solutions are systems and processes designed to manage and control users’ access to resources within an organization. These solutions ensure that the right individuals have the appropriate access to technology resources, safeguarding sensitive information and maintaining compliance with regulatory requirements.

Question 53

Q

Your vulnerability analysis scan has identified several vulnerabilities and assigned them a CVSS score. Issue A has a score of 4.3, Issue B has a score of 9.1, Issue C has a score of 1.6, and Issue D has a score of 7.7. Which issue should take priority?

A)Issue D
B)Issue B
C)Issue A
D)Issue C

Answer

A

Issue B should take priority because it has the highest CVSS value of 9.1, which is considered a critical issue.

The Common Vulnerability Scoring System (CVSS) is a system of ranking vulnerabilities that are discovered based on pre-defined metrics. This system ensures that the most critical vulnerabilities can be easily identified and addressed after a vulnerability test is met. Scores are awarded on a scale of 0 to 10, with the values having the following ranks:

0 – No issues
0.1 to 3.9 – Low
4.0 to 6.9 – Medium
7.0 to 8.9 – High
9.0 to 10.0 – Critical

In most cases, companies will attempt to resolve the vulnerabilities with the highest score. However, in some cases, you may find that a less critically scored vulnerability can be resolved relatively quickly. In that case, you may decide to handle that vulnerability.

Keep in mind that tool updates and plug-ins for vulnerability scanners are just as important as updates are to anti-malware and antivirus products. Tool updates and plug-ins allow the scanner to recognize the latest vulnerabilities that have been discovered. It is important to keep the vulnerability scanning tool you use up to date.

Question 54

Q

As part of the incident response team, you have been called in to help with an attack on your company’s web server. You are currently working to identify the root cause of the attack. During which step of incident response does root cause analysis occur?

A) Containment
B) Identification
C) Lessons Learned
D) Preparation
E) Eradication
F) Recovery

Answer

A

There are six steps in incident response:

Preparation – Ensure that the organization is ready for an incident by documenting and adopting formal incident response procedures.

Identification – Analyze events to identify an incident or data breach. If the first responder is not the person responsible for detecting the incident, the person who detects the incident should notify the first responder. This step is also often referred to as detection.

Containment – Stop the incident as it occurs and preserve all evidence. Notify personnel of the incident. Escalate the incident if necessary. Containing the incident involves isolating the system or device by either quarantine or device removal. This step also involves ensuring that data loss is minimized by using the appropriate data and loss control procedures.

Eradication – Fix the system or device that is affected by the incident. Formal recovery/reconstitution procedures should be documented and followed during this step of incident response. This step is also referred to as remediation

Recovery – Ensure that the system or device is repaired. Return the system or device to production. This step is also referred to as resolution.

Lessons Learned – Perform a root cause analysis, and document any lessons learned. Report the incident resolution to the appropriate personnel. This step may also be referred to as review and close.
During the preparation step of incident response, you may identify incidents that you can prevent or mitigate. Taking the appropriate prevention or mitigation steps is vital to ensure that your organization will not waste valuable time and resources on the incident later.

Question 55

Q

Match the following types of log data and/or log data with their characteristics. Choose the BEST answer.

The log terms should be matched to their characteristics as follows:

Firewall logs – Log data that includes information about network traffic passing through the firewall, such as source and destination IP addresses, ports, protocols, and connection status.

Application logs – Record events and activities generated by software applications running on servers or client devices.

Endpoint logs – Capture information about events and activities generated by devices, such as user logins, file access, and network connections.

OS-specific security logs – Provide information about security-related events and activities recorded by the operating system, such as authentication events and system configuration changes

Answer

A

Firewall logs – Log data that includes information about network traffic passing through the firewall, such as source and destination IP addresses, ports, protocols, and connection status.

Application logs – Record events and activities generated by software applications running on servers or client devices.

Endpoint logs – Capture information about events and activities generated by devices, such as user logins, file access, and network connections.

OS-specific security logs – Provide information about security-related events and activities recorded by the operating system, such as authentication events and system configuration changes

Question 56

Q

Which vulnerability management activity would you perform to confirm that remediation actions have been successfully implemented and have addressed the identified vulnerabilities?

A) Auditing
B) Rescanning
C) Verification
D) Endpoint management
E) Reporting

Answer

A

Rescanning involves conducting additional vulnerability scans after remediation actions have been implemented to reassess the security posture of the environment and verify whether the identified vulnerabilities were effectively addressed. Rescanning confirms that the actions taken to address vulnerabilities were successful and that no new vulnerabilities were generated as a result.

Question 57

Q

What activity involves in vulnerability management?

Answer

A

Rescanning involves conducting additional vulnerability scans after remediation actions have been implemented to reassess the security posture of the environment and verify whether the identified vulnerabilities were effectively addressed. Rescanning confirms that the actions taken to address vulnerabilities were successful and that no new vulnerabilities were generated as a result.

Verification is the ongoing process of confirming or validating that remediation actions were successfully implemented and that they effectively resolved the identified vulnerabilities over time. Verification is part of the validation of remediation. During verification, security teams may conduct manual or automated checks to ensure that the remediation steps were applied correctly and that the associated vulnerabilities have been mitigated as intended. Verification is a critical step in the vulnerability management lifecycle, as it provides assurance that the organization’s security controls are functioning as expected and that potential risks have been mitigated in the long term.

Auditing involves examining and evaluating various aspects of an organization’s operations, processes, or systems to ensure compliance with established policies, standards, or regulations. While auditing may include reviewing the effectiveness of vulnerability management practices, it typically encompasses a broader scope of activities beyond validating a specific remediation action.

Reporting involves documenting and communicating information about vulnerabilities, remediation efforts, and security incidents to relevant stakeholders within the organization. Reporting plays a crucial role in vulnerability management by providing visibility into the status of vulnerabilities, tracking remediation progress, and facilitating decision-making processes related to risk management and resource allocation. Effective reporting enables security teams to prioritize remediation efforts, demonstrate compliance with regulatory requirements, and improve overall security posture.

Endpoint management, or installing endpoint management software, is a method of hardening workstations, servers, and other clients by centralizing their configuration and management. It allows administrators to monitor their health and configuration from a single console. It is a hardening technique and not part of active vulnerability management. However, the report generated from a vulnerability audit may recommend endpoint management be installed.

Question 58

Q

Your organization needs to implement a system that logs changes to files. What category of solution should you research?

A)File integrity checks
B)Host-based firewall
C)HIDS/HIPS
D)Antivirus

Answer

A

File integrity checks examine selected files to see if there have been any changes and logs changes to files. Some file integrity checks just notify you of a change, while others can actually return a file to its previous state if the change is unauthorized.

Question 59

Q

How can you use application log list used to monitor a cyber attack?

Answer

A

Application allow listing (previously referred to as whitelisting) is the practice of denying all applications from running on a device except for those that are approved, which are designated as whitelisted. Several products are available that check for applications that are not on the allowed list, including attempts to install those applications. For example, the logs generated by the security product would tell you if someone had attempted to install a keylogger.

Question 60

Q

Why is RMC important in every environment?

Answer

A

Removable media control (RMC) is important in many environments. USB drives, SD cards, CDs, DVDs, and BluRay devices can all present dangers to the system. As an example, someone can use a USB drive to copy sensitive information and deliver it to someone outside the organization. Another example could be a CD that appears to be a music CD but is actually installation media for unauthorized software. Examine the RMC logs to determine attempts to violate removable media policies.

Question 61

Q

What is an advantage of advanced malware tool check?

Answer

A

Advanced malware tools check for malicious code that would otherwise slip by standard antivirus and antimalware tools. Patch management tools assist with the installation of patches, which can present a significant challenge to an enterprise environment. Best practices dictate that you install a patch on a test machine and verify that the patch performs as expected prior to deploying it throughout the network. It is important to examine the logs to check for failed updates, incompatible patches, and unsuccessful patch installations.

Question 62

Q

What is UTM?

Answer

A

Unified Threat Management (UTM) incorporates several threat management devices and systems into one appliance. The biggest advantage to a UTM, from an analysis standpoint, is that all the logs are in one place, as opposed to checking multiple systems.

Question 63

Q

What is DEP?

Answer

A

Data execution prevention (DEP) forces the user to approve an application before it executes or launches. Logs will record execution attempts, including failed attempts. Notification of failed attempts is important, as it could tell you that your antimalware application successfully blocked an attempt to install malware.

Question 64

Q

What is WAF?

Answer

A

A web application firewall (WAF) uses a set of defined rules to manage incoming and outgoing web server traffic, as well as attack prevention. Organizations can define their own rules based on their vulnerabilities.

Answer 65

A

Wi-Fi Protected Access 3 (WPA3) would be the BEST way to enhance wireless security. The most secure wireless security configuration is WPA3 plus AES-CCMP/AES-GCMP.

WPA3 is the latest standard in wireless security protocols, offering enhanced protection against various cyber threats. It provides stronger encryption through the use of the Simultaneous Authentication of Equals (SAE) protocol, which protects against offline dictionary attacks and brute-force attacks. Additionally, WPA3 introduces individualized data encryption, ensuring that each wireless connection is encrypted separately. This feature significantly enhances security by preventing attackers from intercepting and decrypting wireless traffic.

Answer 66

A

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol used for centralized authentication, authorization, and accounting (AAA). While RADIUS is an essential component of network security, its primary focus is on user authentication rather than specifically enhancing wireless security. Although RADIUS can strengthen authentication processes for accessing wireless networks, it does not directly provide encryption or protection against wireless-specific threats.

Answer 67

A

Cryptographic protocols such as Secure Sockets Layer/Transport Layer Security (SSL/TLS), Internet Protocol Security (IPSec), and Secure Shell (SSH) are fundamental to securing network communications, including wireless transmissions. These protocols utilize encryption algorithms to ensure data confidentiality, integrity, and authenticity. While cryptographic protocols are crucial components of overall network security, they are not specific to wireless security. However, they can be employed in conjunction with other wireless security measures, such as WPA3, to further enhance protection.

Answer 68

A

Authentication protocols, including Extensible Authentication Protocol (EAP), Protected Extensible Authentication Protocol (PEAP), and EAP-Transport Layer Security (EAP-TLS), verify the identity of users or devices attempting to access a network resource. While authentication protocols play a vital role in securing wireless networks by preventing unauthorized access, they primarily focus on user authentication rather than providing encryption or protection against wireless-specific threats.

Answer 69

A

The tool displayed is Nessus, a widely used vulnerability scanner. It shows the vulnerabilities found by the tool and color-codes them by severity, as shown on the graphic.

Answer 70

A

The Metasploit tool is used to mount various types of attacks. Its interface is shown below.

Answer 71

A

The tool is not OpenVAS. OpenVAS is an open-source vulnerability scanner.

Answer 72

A

Does Packet Analysis?

Answer 73

A

You should first verify or validate the False positives to ensure that you can eliminate them from the report. While validation of False positives can be very time consuming, it is a necessary step to ensure that they are not true positives. Once they are verified, you can then configure exceptions for them.

Answer 74

A

Firewall logs would be the most beneficial in analyzing network traffic and identification of security incidents. Firewall logs record every attempt to access the network. They record information such as source and destination IP addresses, ports, protocols, and connection status. Analyzing firewall logs can help security analysts identify unauthorized access attempts, suspicious network behavior, and potential threats such as port scanning or denial-of-service (DoS) attacks. Firewall logs are valuable for monitoring and enforcing network security policies and detecting anomalous activities at the network perimeter.

Answer 75

A

Dynamic analysis and package monitoring are associated with application security in vulnerability management.

Dynamic analysis involves assessing software or systems while they are running to identify vulnerabilities, weaknesses, or security flaws. In the context of application security, dynamic analysis refers to techniques such as penetration testing, runtime code analysis, and web application scanning, which are used to identify security vulnerabilities and risks in software applications. Dynamic analysis helps detect vulnerabilities that may not be apparent during static code analysis or design reviews.

Package monitoring involves tracking and monitoring software packages, libraries, and dependencies used within the organization. In application security, package monitoring is crucial for identifying vulnerabilities and security flaws in third-party software components, frameworks, and libraries integrated into applications. By monitoring for security advisories, updates, and patches released by software vendors or open-source communities, organizations can identify and address vulnerabilities in their applications’ dependencies to reduce the risk of exploitation.

Answer 76

A

Wireshark and Nmap are tools used during the reconnaissance phase of the Cyber Kill Chain process. Wireshark is a highly accurate sniffer tool used for network analysis, and Nmap is a free tool used for network discovery and auditing.

Answer 77

A

The Cyber Kill Chain model is a cybersecurity framework used to model the typical steps taken in a cyber attack. Cybersecurity professionals use the model for penetration testing and to understand how attackers frame their attacks. It also helps security professionals prevent attacks and improves their ability to respond and analyze incidents.

Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control
Actions on Objectives

Answer 78

A

Reconnaissance – The attacker or penetration tester gathers information about the target system or network, particularly vulnerabilities that can be exploited. There are several tools that are used during this phase, which could involve open-source intelligence (OSINT) research, passive and active port scanning of potential hosts, and footprinting resources found on those hosts. The attacker looks for information such as email addresses, user IDs, physical locations, operating systems, and applications used within the target network.

Answer 79

A

Weaponization – As the name suggests, the attacker develops weapons against the target network. The attacker or pen tester selects an attack vector, such as ransomware, viruses, or social engineering, to exploit the known vulnerability.

Answer 80

A

Delivery – The attacker uses the weapons and the chosen vector to launch the attack, such as delivering phishing emails with malicious links to targeted people. This phase is the first opportunity for defenders and cyber security professionals to identify the attack and block the attacker’s activities.

Answer 81

A

Exploitation – If successful, the weapon exploits the identified vulnerability on the target system. A successful exploit gives the attacker access to move laterally through the system to find a new weakness or execute malicious code.

Answer 82

A

Installation – The attacker enters the target system or network and installs the malicious payload. The attacker might use a command-line interface, a Trojan horse, or a backdoor to install malicious code or malware during this phase.

Answer 83

A

Command and Control – The attacker establishes a two-way connection between the target and the attacker’s machine. The target system is compromised and under the control of the attacker. After gaining this access, the attacker may try to pivot to other resources in the network in an attempt to locate other vulnerable resources.

Answer 84

A

Actions on Objectives – The attacker has full access to the target machine or system and carries out their intended actions (such as stealing confidential information, deleting data, destroying or altering systems, encrypting the system with ransomware, or installing malware).The final phase of the Cyber Kill Chain has the greatest impact and is the hardest to remediate .

Answer 85

A

Complexity – The level of intricacy or sophistication involved in a system, process, or solution, which can impact its manageability and maintenance.

Cost – The monetary expenses associated with implementing and maintaining automation and orchestration solutions for secure operations

Single point of failure – Occurs when a system, component, or process becomes the sole point of failure in a network or infrastructure, posing a risk to the entire system if it malfunctions.

Technical debt – Refers to the accumulation of additional work required in the future due to choosing an expedient but limited solution instead of a more comprehensive one.

Ongoing supportability – The ability of automation and orchestration solutions to be effectively maintained and supported over time, ensuring their continued functionality and alignment with evolving security needs.

Answer 86

A

Access control lists have implicit deny all at the end of each rule set. If the traffic is compared to all of the configured rules, and none match the traffic type, the packet will be blocked by the implied deny all. For that reason, every ACL should have at least one permit rule to allow some type of traffic through.

Once traffic matches a rule, the rule is applied in the specified direction, and the traffic is not evaluated further. The syntax of a firewall ACL rule is:

Access list <direction> <action> <source></source> <destination> <protocol> <port></port></protocol></destination></action></direction>

Answer 87

A

Password vault is a password management computer program that encrypts and stores individuals’ passwords so that they are both secure from outside threats and easy for employees and the organization to keep track of. A password vault or password manager makes it possible to have different, complex passwords for each resource or system within an organization. They are also quite popular for personal use, allowing you to store login information for all your personal online accounts. Think of it as a safe for all your different passwords to be securely protected from unauthorized users and prying eyes.

Answer 88

A

Technical debt refers to the additional work or maintenance required in the future as a result of choosing a quick but limited solution in the short term. Technical debt accumulates when shortcuts are taken during systems development or systems deployment, leading to increased complexity, higher maintenance costs, and potential security risks over time. In layman’s terms, technical debt can be considered “penny wise but pound foolish.” Technical debt increases as more and more systems or applications take advantage of the automation. Once multiple secure systems rely on the workaround solution, it can become near-impossible to halt their operation in order to fix or replace the inefficient component.

Complexity refers to the level of intricacy or sophistication involved in a system, process, or solution. This is particularly evident when trying to automate security operations. Complexity can arise from the integration of multiple tools, platforms, and processes, potentially making it more challenging to manage and maintain secure operations effectively.

Costs are important among other considerations. There may be significant expenses associated with implementing and maintaining automation and orchestration solutions for secure operations. While there may be upfront costs involved in deploying automation and orchestration tools, the long-term benefits, such as increased efficiency and reduced incident response times, often outweigh the initial investment

Ongoing supportability refers to the ability of automation and orchestration solutions to be effectively maintained and supported over time. While automation and orchestration can improve operational efficiency and streamline security processes, ongoing supportability ensures that these solutions remain functional, secure, and aligned with evolving business requirements and security needs. Proper documentation, training, and regular maintenance are essential for ensuring the ongoing supportability of automation and orchestration solutions in secure operations.

Answer 89

A

The result of multiplying the asset values by the exposure factor (EF) is the single loss expectancy (SLE) value. SLE refers to the quantitative amount of loss incurred by a single event when a threat takes place. The formula for calculating SLE is:

SLE = asset value x EF

EF is defined as the percentage of the expected loss when an event occurs. For example, a virus hits five computer systems out of 100 before it is prevented by the safeguard from further infecting the other 95 computers, resulting in a loss of five percent of the computers. If the asset value of 100 computers is $10,000, then the exposure factor will be $500, which is five percent of the total asset value. Annualized loss expectancy (ALE) refers to the loss potential of an asset for a single year. ALE is calculated by multiplying the SLE value with the annualized rate of occurrence (ARO) of an event.

ARO refers to the frequency of a threat occurring in a single year. SLE is the amount, in dollars, which an organization will lose if even a single threat event.

ALE = SLE x ARO

Suppose your organization has a server that is worth $10,000. When an outage occurs, you approximate that 10% of the data will be lost. The administrator has determined that the server will fail approximately 5 times each year. To calculate SLE, you would multiply the asset value ($10,000) times the exposure factor (10%) and get an SLE value of $1,000. This is the value of a single loss incident. Then to determine the ALE, you would multiply the SLE ($1,000) times the approximate number of times this incident will occur annually (5) and get an ALE value of $5,000.Total risk can be calculated by multiplying the threats, the vulnerabilities, and the asset value.

Total risk = threats x vulnerabilities x asset value

A risk cannot be eliminated completely. It can be accepted, reduced, or transferred, but some amount of risk will always be present, referred to as residual risk. You can also take steps to deter risk. Risk deterrence is any action that you take to prevent a risk from occurring. Identifying residual risk is the most important aspect of the risk acceptance strategy.

Answer 90

A

Static code analysis is performed without the code executing. Code review and testing must occur throughout the entire application development life cycle. Code review and testing must identify bad programming patterns, security misconfigurations, functional bugs, and logic flaws.

Web vulnerability scanners can operate in two ways, using synthetic transaction monitoring and real user monitoring. In synthetic transaction monitoring, preformed (synthetic) transactions are executed against the application in an automated fashion, and the behavior of the application is recorded. In real user monitoring, the real user transactions are monitored while the web application is live.

Fuzz testing, or fuzzing, involves injecting invalid or unexpected input (sometimes called faults) into an application to test how the application reacts. It is usually done with a software tool that automates the process.

An interception proxy is an application that stands between the web server and the client and passes all requests and responses back and forth. While it does so, it analyzes the information to test the security of the web application. A web application proxy can also “crawl” the site and its application to discover the links and content contained.

Answer 91

A

Content categorization would be the most appropriate capability of agent-based web filters. Content categorization involves classifying web content into predefined categories based on its content and context. Content categorization allows organizations to define policies to block access to specific categories of content, such as adult content, gambling sites, or social media platforms, helping enforce acceptable use policies and maintain a secure and productive work environment.

Answer 92

A

URL scanning involves inspecting web addresses (URLs) accessed by users to identify and block access to malicious or suspicious websites. While URL scanning is an essential capability of agent-based web filters, it may not be the most appropriate solution for the scenario described. URL scanning alone may not provide sufficient protection against evolving threats and may not offer granular control over content categories or specific web pages.

Answer 93

A

Block rules involve creating rules or policies to block access to specific websites, URLs, or content categories based on predefined criteria. While block rules are an essential component of agent-based web filters, they may not be the most appropriate solution for the scenario described. Block rules require manual configuration and may not provide real-time protection against emerging threats or dynamic web content.

Answer 94

A

Reputation refers to assessing the trustworthiness and reputation of websites based on their history, behavior, and associations with known malicious activity. While reputation is an important consideration for assessing the security of websites, it may not be the most appropriate solution for the scenario described. Reputation-based filtering relies on external databases or services to determine the reputation of websites and may not provide granular control over content categories or specific web pages.

Answer 95

A

You should check for patches. Patching is the activity primarily focused on addressing identified vulnerabilities and mitigating associated risks within an organization by applying updates, fixes, or patches to software applications, operating systems, and firmware. Patch management is a critical aspect of vulnerability response and remediation, as it helps eliminate or mitigate the risks posed by identified vulnerabilities by ensuring that critical elements such as software applications, operating systems and firmware are up to date and protected against known exploits.

You would only select a compensating control if you first checked for patches and did not find any available. Compensating controls are alternative security measures or safeguards implemented to address or mitigate risks when primary security controls are insufficient or cannot be implemented. Compensating controls may include additional security mechanisms, procedures, or safeguards that help reduce the risk of exploitation in the absence of adequate primary controls. Using an automobile as an analogy, if you get a flat tire, you can use the smaller donut spare to drive until you can install a replacement tire. Because the donut does the job as a workaround, it is the compensating control.

Answer 96

A

Privileged access management (PAM) is a process that provides extra protection for roles above the level of regular users, such as an administrator or a service account. If an account that is assigned special access is compromised, that breach can have a more significant impact than a breach of a regular user’s account.

Answer 97

A

Passwordless authentication provides alternative mechanisms to authenticate users, using items that do not have to be remembered by the user. Examples of passwordless authentication include hardware tokens, smart cards, biometrics, and one-time passcodes sent to an authenticating user’s phone.

Answer 98

A

A cloud access security broker (CASB) is a checkpoint where security policies are enforced, located between an organization’s users and its cloud providers. A CASB can ensure cloud security by comparing users, applications, and devices against multiple security policies.

Answer 99

A

Single sign-on (SSO) allows users to freely access all systems to which their account has been granted access after the initial authentication. The SSO process addresses the issue of multiple usernames and passwords. It is based on granting users’ access to all the systems, applications, and resources they need when they start a computer session. This is considered both an advantage and a disadvantage. It is an advantage because the user only has to log in once and does not have to constantly re-authenticate when accessing other systems. Multiple directories can be browsed using single sign-on. It is a disadvantage because the maximum authorized access is possible if a user account and its password are compromised. All the systems that are enrolled in the SSO system are referred to as a federation. In most cases, transitive trusts are configured between the systems for authentication. Systems that can be integrated into an SSO solution include Kerberos, LDAP, smart cards, Active Directory, and SAML. A federated identity management system provides access to multiple systems across different enterprises.

Single sign-on was created to dispose of the need to maintain multiple user accounts and passwords to access multiple systems. With single sign-on, a user is given an account and password that logs on to the system and grants the user access to all systems to which the user’s account has been granted. User accounts and passwords are stored on each individual server in a decentralized privilege management environment.

Answer 100

A

Webhooks would not be suitable for deleting or updating data on other systems or databases. An APIis the interface of the application that permits other programs or applications to request, input, delete, or update data in the application. A webhook uses an HTTP POST message to communicate from one application’s APIto another application’s API. The communication is triggered in response to a user-defined event that occurs in the webhook’s application.

APIs and webhooks are used to accomplish similar goals, but in different ways. While APIs programmatically direct an entity to create an order, webhooks inform an APIthat an event has occurred. The message is used to trigger an action in response, such as sending an email or creating a calendar event.

Answer 101

A

Webhooks are suitable in number of scenarios, which include but are not limited to:

Notifying the customer support team when customers raise a payment dispute.
Automatically sending invoices to the accounting department after customers pay via an e-commerce platform.
Sending an email to a developer to request a fix for a non-urgent issue.
Webhooks are used to automate workflows. Other real-world scenarios where webhooks can be used would include:

Notifying an agent in a chat application when a query is sent in the chatbot engine.
Automatically sending an email to a marketing team via customer relationship management (CRM) software when a customer makes a purchase or exits a shopping cart without buying.
Receiving automatic email reminder notifications from your calendar application on your phone.
Automatically uploading photos from one social media platform to another, such as from Instagram to Twitter.

Answer 102

A

The log terms should be matched to their characteristics as follows:

IPS/IDS logs – Record alerts and events related to potential security threats detected within the network, such as suspicious network traffic and attempted intrusions.

Network logs – Capture information about network traffic, including source and destination IP addresses, port numbers, protocols, and packet details.

Metadata – Record descriptive information about data, such as time stamps, file sizes, sender/recipient details, and other attributes associated with files or communication sessions.

OS-specific security logs – Help security analysts identify security incidents such as failed login attempts, privilege escalation, and suspicious system modification

Answer 103

A

Resource provisioning involves the automated allocation and management of technology assets, such as virtual machines, storage, and network resources, to meet the demands of applications and workloads. Automation and scripting enable organizations to dynamically provision resources based on predefined policies, workload requirements, and resource utilization metrics. This ensures that these assets are efficiently utilized, scaled up or down as needed, and properly configured to support secure operations in dynamic environments.

Answer 104

A

Configuring the transport method to use secure protocols such as HTTPS or TLS is the most appropriate solution for ensuring secure communication between client devices and servers. The transport method refers to the technique used to transfer data between client devices and servers securely. By encrypting data in transit and providing secure communication channels, these protocols help mitigate the risk of data interception and unauthorized access, thereby enhancing network security.

Answer 105

A

Enforcing baselines involves the consistent application of predefined security standards and configurations across an organization’s infrastructure. Automation and scripting enable organizations to automate the deployment and configuration of security controls, ensuring that systems, applications, and devices adhere to established security baselines. By enforcing baselines, organizations can reduce the risk of misconfigurations, vulnerabilities, and security incidents, thereby enhancing the overall security posture of the environment.

Answer 106

A

Efficiency and time saving is a benefit. Automation and scripting help streamline repetitive tasks and processes, reducing the time and effort required for manual execution. While efficiency and time-saving are important benefits of automation, this option does not specifically address the consistent application of predefined security standards and configurations.

Another benefit from automation and scripting establishment and maintenance of standardized configurations and structures across the infrastructure. This promotes consistency and uniformity in system configurations, application deployments, and network architectures. While standard structure and configurations contribute to improved security by reducing complexity and enhancing manageability, this option does not specifically address the automated enforcement of security baselines.

Scaling in a secure manner refers to the capability of automation and scripting to dynamically adjust resources and processes to accommodate changing workload demands while ensuring security and compliance.

Automation and scripting enable security teams to scale their efforts effectively without sacrificing security controls or risking data breaches. By automating repetitive tasks and orchestrating complex workflows, organizations can scale their operations in a secure and efficient manner to address a larger volume of security incidents and threats.

Answer 107

A

Security Content Automation Protocol (SCAP) is a collection of tools to automate security compliance checks, vulnerability assessments, and configuration monitoring across systems. a collection of open standards and specifications designed to. SCAP enables organizations to streamline the process of evaluating and enforcing security policies, configurations, and controls across diverse environments. By leveraging SCAP-compliant tools, organizations can automate routine security tasks, enhance visibility into their security posture, and ensure compliance with industry regulations and best practices.

Answer 108

A

Alert tuning involves configuring and fine-tuning security alerting systems to reduce false positives and improve the accuracy of threat detection. While alert tuning plays a crucial role in enhancing the effectiveness of security monitoring and incident response, it is not specifically focused on automating security compliance checks or vulnerability assessments.

Answer 109

A

Benchmarks refer to industry-standard guidelines, configurations, or best practices that organizations can use to assess and improve the security posture of their systems and infrastructure. While benchmarks provide valuable guidance for evaluating security controls and configurations, they typically require manual assessment and interpretation. Unlike SCAP, benchmarks are not inherently designed for automating security compliance checks or vulnerability assessments.

Answer 110

A

A workforce multiplier, also known as a “force multiplier,” is something that created efficiencies and allows a group to achieve more with the same or fewer resources. In essence, a workforce multiplier the effectiveness of a workforce. In the context of secure operations, automation and scripting serve as a workforce multiplier by enabling security teams to automate repetitive tasks, orchestrate complex processes, and scale their efforts to address a larger volume of security incidents and threats. By leveraging automation and scripting, organizations can effectively maximize the productivity and impact of their security teams, thereby enhancing overall security posture and resilience.

Answer 111

A

Reaction time refers to the speed at which an organization responds to security incidents or emerging threats. While automation and scripting can help improve reaction time by automating incident detection, response, and remediation processes, this term specifically addresses the timeliness of incident response rather than the broader benefits of automation in enhancing overall operational efficiency.

Answer 112

A

Scaling in a secure manner refers to the capability of automation and scripting to dynamically adjust resources and processes to accommodate changing workload demands while ensuring security and compliance. Automation and scripting enable security teams to scale their efforts effectively without sacrificing security controls or risking data breaches. By automating repetitive tasks and orchestrating complex workflows, organizations can scale their operations in a secure and efficient manner to address a larger volume of security incidents and threats.

Answer 113

A

Shibboleth uses Security Assertion Markup Language (SAML), which defines security authorizations on web pages as opposed to web page elements in HTML. Shibboleth is a single sign-on (SSO) system that uses an identity provider and a hardwareAuth is Open Authorization. The current standard, OAuth 2.0, grants an application limited access to a user’s account on a Third-party site, such as Facebook or Twitter. OAuth could grant the application access to a friend’s list or give the application the ability to post on the user’s behalf.

OpenID Connect provides the authentication necessary in OAuth. It authenticates the user and stores the user information in a token. OAuth does not work with SAML.

A secure token contains the user information and authentication information used by OpenID.

Answer 114

A

Security keys would be the most appropriate solution to enhance the security of the EHR system. Security keys are physical devices that users insert into their computers or mobile devices to authenticate their identities. These devices contain cryptographic keys that are used to generate unique authentication codes for each login attempt. Security keys provide a strong level of security and are easy for users to use, making them suitable for protecting sensitive patient health information. Additionally, security keys can help prevent unauthorized access to EHR systems, reducing the risk of data breaches and ensuring compliance with healthcare privacy regulations such as HIPAA.

Answer 115

A

User behavior analytics (UBA) is the most appropriate solution for improving the ability to detect insider threats and identify anomalous behavior patterns among employees. By monitoring and analyzing user activities, UBA solutions can help organizations proactively identify and mitigate security risks, safeguard sensitive data, and protect against insider threats. User behavior analytics (UBA) involves monitoring and analyzing user activities to detect abnormal or suspicious behavior that may indicate a security threat. UBA solutions use machine learning algorithms and statistical analysis to identify patterns and deviations from normal behavior, allowing organizations to detect insider threats, compromised accounts, and other security incidents more effectively. By analyzing user actions, access patterns, and interactions with systems and data, UBA solutions can provide valuable insights into potential security risks and help organizations proactively mitigate threats.

Answer 116

A

SELinux is an operating systems security feature available in various Linux distributions. SELinux provides mandatory access controls (MAC) to restrict the actions that users and processes can perform on the system. While SELinux enhances security by enforcing fine-grained access controls, it does not directly address the need for detecting insider threats or identifying anomalous behavior patterns among users.

Answer 117

A

Extended detection and response (XDR) is a security solution that integrates and correlates data from multiple security tools and sources to detect and respond to threats more effectively. While XDR solutions enhance overall security posture by providing comprehensive threat detection and response capabilities, they may not specifically focus on detecting insider threats or analyzing user behavior patterns within the organization.

Answer 118

A

Guard rails involve implementing predefined policies, rules, and controls to enforce security standards and best practices. These guard rails act as automated safeguards that prevent unauthorized actions, configurations, or access attempts that violate security policies. By automating the enforcement of security guard rails, organizations can reduce the risk of security breaches, ensure compliance with regulatory requirements, and maintain a consistent security posture across the infrastructure.

Answer 119

A

The containment stage of incident response focuses on preventing further spread or damage of a security incident within the organization’s network environment. This involves isolating affected systems, blocking malicious network traffic, and implementing temporary mitigations to prevent the incident from escalating. Containment actions aim to limit the impact of the incident while investigators proceed with further analysis and response activities.

The detection stage of incident response focuses on identifying and recognizing security incidents through the monitoring of security controls, network traffic, system logs, and security alerts. Once a security incident is detected, organizations proceed to the subsequent stages of incident response, including analysis, containment, eradication, and recovery.

The analysis stage of incident response involves investigating and analyzing the nature, scope, and impact of a security incident to understand how it occurred, what systems or data were affected, and what actions were taken by the attacker. While analysis is crucial for gathering evidence and understanding the incident’s implications, it does not directly involve actions to contain or mitigate the incident.

Additional processes include eradication, recovery and lessons learned.

The eradication stage of incident response involves identifying and removing the root cause of the security incident from the organization’s systems and network environment. This may include patching vulnerabilities, removing malware or unauthorized access, and implementing corrective measures to prevent similar incidents in the future.

The recovery stage of incident response focuses on restoring affected systems, data, and services to normal operation after a security incident. This involves restoring backups, reconfiguring systems, and validating the integrity of restored data to ensure that the organization can resume normal business operations with minimal disruption.

The lessons learned stage of incident response involves conducting a post-incident review and analysis to identify strengths, weaknesses, and areas for improvement in the organization’s incident response processes, procedures, and security controls. This feedback is used to refine incident response plans, update security measures, and enhance the organization’s overall security posture.

Training and e-discovery are also important activities.

Organizations should provide regular training and awareness programs to educate employees about cybersecurity best practices, incident response procedures, and their roles and responsibilities in responding to security incidents.

E-discovery is an aspect of digital forensics. E-discovery refers to the process of identifying, preserving, and collecting electronically stored information (ESI) for legal or regulatory purposes, such as in response to litigation, investigations, or compliance requirements. Effective incident response includes procedures for managing e-discovery requests and ensuring the integrity and admissibility of digital evidence.

Answer 120

A

On a rooted mobile device, apps can escape the isolated virtual sandbox, which could allow malware access to the company storage that is normally protected. Unfortunately, users can still compromise their device without rooting. They can download malicious apps from unauthorized sources, remotely wipe their device, and upgrade to a new Android OS version.

MDM helps by moderating and managing corporate owned devices and can report on things such as the device’s software version, any backtracking of a smartphone to an earlier version should stand out and cause the MDM to log a security event. Upon the detection of possible rooting, the administrator can choose to have the MDM automatically lock the user out of the device, wipe all corporate data or restrict access on the device. Some more advanced phones can also report back to the MDM on real-time occasional assessments on the integrity of the device’s operating system.

Answer 121

A

A dual-homed firewall has two network interfaces. One interface connects to the public network, usually the Internet. The other interface connects to the private network. The forwarding and routing function should be disabled on the firewall to ensure that network segregation occurs.

Answer 122

A

A bastion host, also known as a jump server, is a computer that resides on a network that is locked down to provide maximum security. Users can connect securely to the bastion host and then use it to connect to an external target, rather than connecting directly to a target from an internal client. These types of hosts reside on the front line in a company’s network security systems. The security configuration for this entity is important because it is exposed to un-trusted entities. Any server that resides in a screened subnet should be configured as a bastion host. A bastion host has firewall software installed, but can also provide other services.

Answer 123

A

Role-based access control (RBAC) has a low security cost because security is configured based on roles. For this reason, it is also easier to implement than the other access control models. During the information gathering stage of a deploying RBAC model, you will most likely need a matrix of job titles with their required access privileges.

With RBAC, it is easy to enforce minimum privilege for general users. You would create the appropriate role, configure its permissions, and then add the users to the role. A role is defined based on the operations and tasks that the role should be granted. Roles are based on the structure of the organization and are usually hierarchical.

RBAC is a popular access control model used in commercial applications, especially large networked applications.

Rule-based access control is often confused with RBAC because their names are similar. With rule-based access control, access to resources is based on a set of rules. The user is given the permissions of the first rule that he matches.

Answer 124

A

Security controls testing determines if safeguards that have been installed were properly implemented, performing as expected and producing the appropriate results. Security controls are grouped into three main categories: technical, administrative, and physical. For example, a test of a physical security control could be checking to see if an access control card denies entry into a specific area.

Answer 125

A

A bug bounty is a reward for finding security flaws (bugs) in an application. Organizations will attract ethical hackers to find vulnerabilities. Once found, the ethical hackers are rewarded, often with some prestige or notoriety like being mentioned on a leaderboard. Finding and correcting vulnerabilities helps reduce the attack surface.

Answer 126

A

Common Vulnerability Scoring System (CVSS) – A standardized method for assessing and scoring the severity of vulnerabilities based on various factors such as exploitability, impact, and remediation difficulty. It provides a common framework for organizations to evaluate and prioritize vulnerabilities, facilitating more informed decision-making and resource allocation in vulnerability management efforts.

Common Vulnerability
Enumeration (CVE) – A system for uniquely identifying and cataloguing software vulnerabilities and exposures for the purpose of vulnerability management and mitigation. Each CVE entry includes a unique identifier, description, and reference links to additional information, enabling organizations to track and manage vulnerabilities more effectively across the organization.

Vulnerability classification – The process of categorizing vulnerabilities based on their characteristics, such as their origin, nature, and potential impact on systems and networks. By classifying vulnerabilities, organizations can better understand their properties and prioritize remediation efforts based on their severity and potential risk to the organization.
Environmental variables – Factors within an organization’s operational environment that may influence the likelihood or impact of exploiting vulnerabilities. These variables can include network configuration, user behavior, system architecture, and other contextual factors that affect the security posture of systems and infrastructure.

Industry/organizational impact – Assessing how vulnerabilities may affect specific industries or organizations based on their unique operational requirements, regulatory obligations, and business objectives. Understanding the industry or organizational impact of vulnerabilities helps organizations prioritize remediation efforts and allocate resources more effectively to mitigate potential risks.

Risk tolerance – An organization’s willingness to accept a certain level of risk in exchange for achieving its business goals, objectives, and operational needs. It reflects the organization’s overall attitude toward risk and guides decision-making processes related to vulnerability management, risk mitigation, and resource allocation. Organizations with higher risk tolerance may be more willing to accept certain vulnerabilities or invest in compensating controls, while those with lower risk tolerance may prioritize more aggressive remediation efforts to minimize risk exposure.

Answer 127

A

US CERT Bulletin is a major threat feed used in the security world. Created and maintained by CISA, they use weekly bulletins to provide summaries of new vulnerabilities and possible patch options if and when they become available.

The Department of Homeland Security (DHS) maintains the free Automated Indicator Sharing (AIS) program that allows organizations to share and obtain machine-comprehensible defensive measures and cyber threat indicators, allowing monitoring and defense of their networks against known threats.

The FBI InfraGard is a partnership between the FBI and members of the private sector in the shared concern for the protection of U.S. Critical Infrastructure. Through unified collaboration, InfraGard unites owners and operators within critical infrastructure to the FBI, to provide education, information sharing, networking, and workshops on emerging technologies and threats that are developing within the US, and round the world.

The Microsoft Security Response Center Blog is created and maintained by Microsoft to help keep up with the ever-evolving threats and better safeguard customers against malicious attacks through timely security updates and authoritative assistance.

Answer 128

A

COPE (Corporate Owned, Personally Enabled) is a deployment model in which employees are provided a phone chosen by and paid for by the company, but they may use the device for personal tasks in addition to work. COPE is the most expensive yet most secure option for most companies. The main difference between this model and CYOD (choose your own device) is tighter legal control (searching the device for intellectual property theft is easier), and corporate discounts on the devices and usage plans.

Bring your own device (BYOD) is by far the most lax model, where users have complete control and ownership of the device, and the company is required to provide adequate security to corporate use.

Virtual device integration (VDI) describes a desktop deployment model where a central server provides access to virtual desktop machines that employees can use instead of a dedicated corporate-owned desktop machine.

Answer 129

A

Attribute-based access control (ABAC) goes beyond authentication based on username and password. It evaluates other factors, such as time of day and location of logons. It would also control behavior based on location, such as if a user has read access to files but is attempting to edit or delete files remotely.

Answer 130

A

Other considerations include CER, tokens, HOTP, TOTP, CAC, PIV, and file system security.

Crossover error rate (CER) is the point where FAR and FRR are equal. Generally, a lower CER value would indicate a more accurate system. CER is primarily used to compare biometric authentication systems. Hardware tokens (or physical tokens) include such physical devices as wireless key cards, key fobs, and smart cards. Software tokens are a component of two-factor authentication systems. They are usually embedded on a device and used to authenticate the user. HOTP and TOTP are two types of one-time passwords, i.e., they can only be used once. Hashed One Time Passwords (HOTP) are secure passwords used with hardware tokens. Time-based One Time Passwords (TOTP) are issued for a specific period of time. Once it is used or its time expires, the TOTP is no longer valid. As an example of a TOTP, a user forgets a password to a website. When the user clicks the “Forgot Password” link, the website would send a new temporary password to the user but would limit how long the temporary password would be valid. A Common Access Card (CAC) is a smart card issued by the Department of Defense (DoD) to military personnel and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login.

A Personal Identity Verification (PIV) smart card is issued to non-military federal employees and contractors. They incorporate a picture, integrated chip, two bar codes, and a magnetic strip. They can be used for visual identification and for login.

File system security should always be set to only allow what is absolutely essential for the user to do their job. This is also known as the principle of least privilege.

Answer 131

A

Industrial Control Systems/Supervisory Control and Data Acquisition (ICS/SCADA) systems and embedded systems would benefit the most.

Industrial Control Systems/Supervisory Control and Data Acquisition (ICS/SCADA) systems are often used in critical infrastructure sectors, such as energy, water, and manufacturing. These systems often consist of specialized hardware and software designed for specific industrial environments. They are not usually designed with security considerations in mind. Network segmentation is essential for securing ICS/SCADA systems to prevent unauthorized access and protect critical infrastructure. Network segmentation helps isolate these systems from other parts of the network, reducing the risk of unauthorized access and protecting against cyber threats that could disrupt essential operations.

Embedded systems are specialized computing devices with dedicated functions, often found in consumer electronics, medical devices, and automotive systems. Examples include smart appliances, medical monitors, and automotive control units. Embedded systems have a closed-loop architecture that consists of three main components:

Microprocessor or programmable microcontroller, also called system-on-chip or “system on a chip” (SoC)
Real-time operating system (RTOs)
Device-specific applications or software that run in the RTOs

Answer 132

A

To reduce the attack surface and limiting the potential impact of security breaches on critical functions, you should harden embedded systems in the following ways:

Disable unnecessary ports, services, and protocols
Apply firmware updates and patches
Use secure communication protocols like TLS
Use strong authentication and change default credentials
Audit system activities
Use physical controls to secure the devices, like locks, sensors, and alarms
Use logical controls to limit access to the devices, like firewalls and network segmentation

Answer 133

A

A real-time operating system (RTOS) is an operating system designed for embedded systems and applications that require precise timing and responsiveness. Examples of RTOS include VxWorks and FreeRTOS, commonly used in automotive systems, industrial control systems, and medical devices. While network segmentation can enhance the security of RTOS-based systems by isolating critical components, it may not be as commonly implemented compared to other security measures such as access controls and secure communication protocols.

Answer 134

A

RADIUS Federation is a group of RADIUS servers that assist with network roaming. The servers will validate the login credentials of a user belonging to another RADIUS server’s network.

Answer 135

A

They are simply authentication protocols that could be implemented. In Extensible Authentication protocol-Transport Layer Security (EAP-TLS) EAP manages key transmissions, and TLS uses X.509 digital certificates for authentication

Answer 136

A

In Extensible Authentication protocol-Tunneled Transport Layer Security (EAP-TTLS) EAP manages key transmissions, and TTLS is an extension of TLS (which authenticates the server). TTLS encapsulates the TLS session, allowing for authentication of the client.

Answer 137

A

Extensible Authentication protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) is used in wireless and point-to-point networks. EAP manages key transmissions, and FAST creates a TLS tunnel to be used in authentication through a protected access credential.

Answer 138

A

A Security Information and Event Management (SIEM) system collects data from the different security devices in the system, such as firewalls and IPSs, and then aggregates the log files for analysis. It provides predictive trend analysis, behavior analytics, alerts, and even helps you comply with regulations like SOX and HIPAA.

Automated alerting and triggers are a SIEM feature that allow the system to react based on predetermined criteria.

Answer 139

A

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is the correct solution to prevent email spoofing and enhance email security. DMARC is an email authentication protocol that helps prevent email spoofing and phishing attacks by allowing senders to specify policies for email authentication and enforcement. DMARC enables organizations to specify how they want email servers to handle messages that fail authentication checks, thereby providing an additional layer of protection against fraudulent emails.

Answer 140

A

Sender Policy Framework (SPF) is an email authentication mechanism that allows domain owners to specify which mail servers are authorized to send emails on behalf of their domain. By publishing SPF records in DNS, organizations can prevent email spoofing and unauthorized use of their domain in phishing attacks, thereby enhancing email security.

Answer 141

A

DomainKeys Identified Mail (DKIM) is an email authentication technique that allows senders to digitally sign outgoing messages using cryptographic keys, enabling recipients to verify the message’s authenticity and integrity. By signing outgoing emails with DKIM signatures, organizations can ensure that messages have not been tampered with during transit and protect against email spoofing and phishing attacks.

Answer 142

A

Gateway filters inspect inbound and outbound email traffic at the network gateway to detect and block malicious content, including phishing emails. While gateway filters are a crucial component of email security, it may not specifically address the issue of phishing attacks via email.

Answer 143

A

NetFlow is a network program originally developed by Cisco for collecting IP traffic information and monitoring of network data. IPFIX stands for IP Flow Information Export and was designed as an open standard, more universal solution to collecting and analyzing vital network data. IPFIX is extremely similar to NetFlow, the main difference is that IPFIX is open standard and can work with many other networking vendors apart from Cisco.

The source and destination IP addresses and the source and destination ports are the fields that define a unique network flow in the flow records generated by collecting data packets that flow through a device on the metered network.

Answer 144

A

Chain of custody refers to strict and organized formal procedures in accordance with the law and the legal regulations governing the collection, analysis, and preservation of the evidence before the evidence is produced in a court of law. In computer crimes, most of the evidence is electronic in nature and is referred to as hearsay evidence. Therefore, it is important that a clearly defined chain of custody be established to ensure the reliability and the integrity of the evidence and to make the evidence admissible in court. Chain of custody assists in identifying whether a system was properly handled during transport.

Chain of custody guarantees the identity and integrity of the evidence from the collection stage to its presentation in the court of law. The following procedure is used to establish a chain of custody for evidence submission in a court:

The evidence should be collected in the predefined manner by following strict and formal procedures and stating the names of people who secured the evidence and validated it.

The evidence should be marked by the investigating officer by mentioning the date, the time, and the respective case number.

The evidence is sealed in a container, and the container is again marked with the same information. Writing the information on the seal is preferred because it is easier to detect any change to the evidence by examining either the broken or the tampered seal.

The location of the evidence is also documented.

The evidence is processed and analyzed by technical experts.

Logs are maintained mentioning people who accessed the information, the time at which the information was accessed, and the reasons for accessing the information.

The prosecuting lawyer presents the evidence in the court of law to implicate the suspect.
Chain of custody applies to forensic image retention in that the chain of custody provides documentation as to who handled the evidence.

Answer 145

A

When performing a forensic investigation, you should ensure that the following procedures are followed:

Follow order of volatility rules. – All data is volatile. More rapidly changing information should be preserved first, in this order: 1.) CPU, cache and register content; 2).Routing table, ARP cache, process table, kernel statistic; 3.) Memory; 4.)Temporary file system / swap space; 5.)Data on hard disk; 6.) Remotely logged data; 7.)Data contained on archival media.

Capture a system image. – Ensure that appropriate forensic hashes are taken of the disk both before and after the image is taken and of the image itself.

Get copies of both a network traffic capture and logs.

Ensure that the correct record time offset is obtained to ensure that any recordings can be calibrated together.

Takes hashes of all files and images.

Record the appropriate screenshots.
Record any witnesses, including contact information.
Keep track of man hours and expense involved in the forensic process.

Obtain and preserve any video capture that exists, including computer video and CCTV.

Perform big data analysis. – It is vital that your organization’s data is not corrupted. For this purpose, you need software in place to help you analyze the data. Remember, your organization is responsible for protecting the data.

Answer 146

A

Secure cookies would be the most effective way to block these vulnerabilities. Secure cookies only travel over secure channels like HTTPS. In addition, secure cookies can contain additional attributes, including flags like “Secure” and “HttpOnly”. The “Secure” flag is the mechanism that forces the cookie to only transmit over secure, encrypted connections like HTTPS. Preventing cross-site scripting (XSS) attacks can be done by preventing JavaScript from tampering with the cookie. This prevention is accomplished using the “HttpOnly” flag, blocking JavaScript.

Answer 147

A

Input validation deals more with ensuring that the user enters data that is appropriate for the field or the form. The primary purpose of input validation is to prevent SQL injection or cross-site scripting (XSS) attacks. However, input validation does not really address session management.

Answer 148

A

Infrastructure as code (IaC) is the process of using definition and configuration files to provision and manage data centers. Automating this process through scripts can ensure that there is more control and less opportunity for error when deploying servers, as compared with manual configuration. IaC is the foundation for Secure DevOps. Secure Development Operations (Secure DevOps) means that security is built into all your development operations.

Answer 149

A

Baselining allows you to know how software (or hardware, for that matter) performs under normal load situations. That behavior is known as metrics. When you add new services, you are able to determine what effect those services have on system performance. Because baselining is passive, it would not allow you to configure or manage data centers.

Answer 150

A

Every rule is NOT necessarily examined. An access list is a list of rules defined in a specific order. The rules are examined from the top of the list to the bottom. When one of the rules that matches the traffic type of the packet being examined is encountered, the action specified in that rule is taken, and no more rules are examined.

The order of the rules is important. For example, examine this set of conceptual rules:

Allow traffic from subnet 192.168.5.0/24
Deny traffic from 192.168.5.5/24

The second rule would never be invoked because the first rule would always match the traffic of 192.168.5.5.

There is an implicit deny all at the end of each rule set. If all of the rules in a set are examined and none match the traffic type, the packet will be disallowed by an implied deny all.

Answer 151

A

Provisioning and deprovisioning allocates resources based on demand for those resources. Stored procedures are a series of SQL statements that are executed as a group and are similar to scripts. Using properly written stored procedures protects the database from damage caused by poorly written SQL statements and SQL injection attacks.

Answer 152

A

Code reuse and dead code are closely related. Attackers can reuse code that was developed for another purpose. In some cases, the code reused is no longer valid or outdated. If the code is outdated, it is called dead code.

Answer 153

A

When comparing server-side versus client-side execution and validation, server-side execution and validation happens on the server when the data returns to the server. Client-side validation occurs on the browser on the client machine. The good thing about client-side validation is that it provides a quicker response and does not generate a lot of overhead on the server. With that said, however, the browser needs to monitor for malicious code.

Answer 154

A

Memory management watches for things like memory leaks. Memory leaks can be caused by a programmer failing to free up memory once the process using that memory has been completed. C and C++ are particularly prone to memory leaks.

Answer 155

A

Third-party libraries and software development kits (SDKs), while commonly used, can present security vulnerabilities. A flaw in an SDK can result in issues in every application that the SDK was used to develop. Data exposure occurs when there are not sufficient safeguards on a database. Failure to protect your database can result in data hijacking and injection attacks.

Answer 156

A

You should deploy Simple Network Management Protocol (SNMP) to monitor network devices and the devices’ parameters. It uses port 161 to communicate. SNMP allows an administrator to set device traps.

Answer 157

A

You are engaged in the Monitor and Evaluate phase of the security management life cycle. This phase includes the following components:

Review logs, audit results, metrics, and service level agreements.
Assess accomplishments.
Complete quarterly steering committee meetings.
Develop improvement steps for integration into Plan and Organize phase.
Reviewing audits is not part of any of the other phases.
In secure staging deployment, you need to understand security baselines and integrity measurement. You determine a security baseline by documenting the minimum specifications for an application, system, or service that is considered secure. By establishing a security baseline, any change can be compared to the baseline to determine whether minimum security levels are maintained.

Once the baseline is defined, you should monitor the application, system, or service to ensure that it complies with the security baseline. This monitoring process is called integrity measurement.

Answer 158

A

You should consider all of these requirements when choosing a mail gateway: spam filters, data loss prevention (DLP), and encryption.

Spam filters trap undesirable email before it reaches the user’s inbox. Such filters could include country of origin, key words in the subject line, specific IP addresses, or blacklisted mail domains.

If your organization implements a DLP system, you can prevent users from transmitting confidential data to individuals outside the company. DLP systems incorporate a number of data protection processes. These processes can include prevention from unauthorized access, protecting data from modification or destruction, or keeping data from leaving the network. Encryption can be a critical component and feature of a mail gateway. Encryption on a mail gateway would scramble the outgoing message, making it unreadable to someone who intercepts the message. For the Security+ exam, you should also understand the installation and configuration of media gateways, SSL/TLS accelerators, and SSL decryptors.

Media gateways perform the same function as mail gateways but work with multimedia communication.

SSL/TLS accelerators alleviate the load on the processor during encryption. They transfer the encryption process to a separate device, typically a PCI card, for encryption.

SSL decryptors decrypt incoming traffic, examine that traffic, and re-encrypt it before it goes back out on the network. While this does put extra load on the processor, it prevents the instance where a problem was not intercepted due to an encrypted packet.

Answer 159

A

You should use the Common Vulnerabilities and Exposures (CVE), which provides standardized names for security-related software flaws.

Common Platform Enumeration (CPE) provides standard names for product names and versions. Common Configuration Enumeration (CCE) provides standard names for system configuration issues. Common Vulnerability Scoring System (CVSS) provides a standardized metric that measures and describes the severity of security-related software flaws.

Keep in mind that you may need to provide reports on identified vulnerabilities to different audiences. While technical staff may be able to read and comprehend the automatic reports generated by a vulnerability scanner, you may need to create an executive report for other non-technical staff that contains information that is more easily understood.

While having the vulnerability scanner deliver reports automatically may be preferred, it is not the best solution. Understanding automated versus manual distribution issues will ensure that you, as the security analyst, can provide your audience with information they need and understand. Automatic distribution distributes the reports automatically through internal mechanisms, often via email. Manual distribution would require more effort on the security analyst to ensure that the appropriate individuals receive the correct report.

Answer 160

A

The dark web encompasses sites, content, and services accessible only over a dark net, which is a network established as an overlay for internet infrastructure by certain types of software such as TOR or Freenet. The dark net is utilized by both privacy advocates and criminals alike due to its anonymity.

Open-source intelligence(OSINT) is freely contributed by various non-profit groups and for-profit sources, including large corporations, and is available in a variety of formats, including comma-delimited files (.csv), HTML, and text files (.txt).

Automated Indicator Sharing (AIS) is a feed of threat indicators and defensive measures provided to the public by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Users can access it directly through CISA or indirectly through a Third-party service.

Academic journals are periodical publications of academic or scholarly journals in which scholarship relating to a particular academic discipline is published. Academic journals serve as permanent and transparent forums for the presentation, scrutiny, and discussion of research.

Answer 161

A

A heat map is not a target for hardening. A heat map is used to determine wireless coverage areas and placement of wireless access points. It provides a visual representation of signal strength or coverage areas within a space. It uses color gradients to represent varying levels of signal intensity, typically generated through surveys or monitoring tools. Areas with stronger signals appear in warmer colors like red or orange, while weaker areas show cooler colors like blue or green. Heat maps aid in optimizing network design, identifying dead zones, and enhancing overall performance by allowing administrators to adjust antenna placement or power settings.

Answer 162

A

Monitoring infrastructure refers to overseeing the performance of the components that support the organization, including network devices, servers, storage systems, and databases. Monitoring infrastructure involves observing the performance, availability, and security of these components to ensure the overall health and functionality of the infrastructure. By monitoring infrastructure, organizations can detect anomalies, identify security incidents, and proactively address potential issues before they escalate.

Answer 163

A

Keyboard cadence is an example of something you do. When the user enters a new password, the keystroke timing (cadence) is recorded as a signature pattern. Subsequent logons are compared against the recorded signature. Even if an attacker was able to obtain a user’s password, there is only a remote likelihood that the attacker’s cadence would match the recorded cadence.

Biometrics is an example of something you are. Fingerprints, voiceprints, retina scans, and iris scans are all biometrics. Something you have is based on the user possessing some type of security device. These can include things such as smart cards, tokens, and key fobs. Something you know would be a password, a PIN, the name of a childhood friend, the color of your first car, or the answer to a similar question.

For the Security+ exam, you must understand the following authentication factors: something you are, something you have, and something you know. Somewhere you are authenticates based on the device you use to log in from or the GPS location where you are logging in. Something you do is a biometric factor that is based on user actions, such as signature dynamics.

You also need to understand the following attributes: somewhere you are, something you exhibit, someone you know, and something you do.

Answer 164

A

Other authentication topics include federation and federated identity and transitive trust.

Federation and federated identity is a user’s ability to authenticate with a single identity across multiple businesses or networks. It differs from single sign-on, where a user has one password that grants access to all the permitted network resources. Federation relies on trust relationships that are established between the different businesses or networks. Transitive trust involves creating relationships between domains to grant authenticated users access to other domains. In Active Directory, for example, if the Sales domain trusts the Marketing domain, and the Marketing domain trusts the HR domain, then Sales trusts the HR domain through a transitive relationship.

Brainscape's Knowledge GenomeTM

Security Operations - Quiz Revision Flashcards

Brainscape's Knowledge Genome^TM