Security+ (SY0-601) Flashcards

1
Q

You are at the doctor’s office and waiting for the physician to enter the room to examine you. You look across the room and see a pile of patient records on the physician’s desk. There is no one in the room and your curiosity has gotten the better of you, so you walk across the room and start reading through the other patient records on the desk. Which tenet of security have you just violated?

A

Confidentiality

Confidentiality ensures that data or information has not been disclosed to unauthorized people. In this case, you are not the doctor or the patient whose records you looked at, therefore, confidentiality has been breached.

2
Q

You have just walked up to the bank teller and requested to withdraw $100 from checking account #7654123 (your account). The teller asks for your name and driver’s license before conducting this transaction. After she looks at your driver’s license, she thanks you for your business, pulls out $100 from the cash drawer, and hands you back the license and the $100 bill. What category best describes what the bank teller just did?

A

Authentication

Authentication occurs when a person’s identity is established with proof and confirmed by a system. In this case, the bank teller verified you were the account holder by verifying your name and looking over your photo identification (driver’s license) prior to giving you the cash being withdrawn.

3
Q

You are in the kitchen cooking dinner while your spouse is in the other room watching the news on the television. The top story is about how hackers have been able to gain access to one of the state’s election systems and tamper with the results. Unfortunately, you only heard a fraction of the story, but your spouse knows that you have been learning about hackers in your Security+ course and asks you, “Which type of hacker do you think would be able to do this?”

A

An advanced persistent threat (APT), typically a nation-state actor. APTs are highly organized, well-funded, and often part of a nation state’s larger foreign policy and influence campaigns. Hacktivists are usually politically motivated, but they tend to be loosely organized and rarely have the sophistication needed to break into a well-defended government network such as an election system. Organized crime groups may have the sophistication to conduct the hack, but they are usually motivated by money rather than politics. Script kiddies are low-skilled attackers who can only use other people’s tools.

4
Q

A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?

A

A trojan is a type of malware that looks like a legitimate application but, once installed, can take control of your computer. Trojans are designed to damage, disrupt, steal, or otherwise harm your data or network. The most common form is a Remote Access Trojan (RAT), which lets an attacker remotely control a workstation or steal information from it. Trojans typically spawn additional background processes to do their work, which matches the many unknown processes the technician observed after the user installed software downloaded from the internet.

5
Q

On your lunch break, you walked down to the coffee shop on the corner. You open your laptop and connect to their wireless network. After a few minutes of surfing the Internet, a pop-up is displayed on your screen. You close the pop-up, finish your lunch break, shut down the laptop, and put it back into your backpack. When you get back to the office, you take out the laptop and turn it on, but instead of your normal desktop background, you are greeted by a full screen image with a padlock and a message stating you have to pay 1 BTC to regain access to your personal files. What type of malware has infected your laptop?

A

This scenario describes a ransomware attack. Your personal files are being held hostage and will not be released unless you pay a ransom (in this case, 1 BTC). You should rebuild the machine from a known good image and restore your personal files from backup. Paying the ransom is not recommended: it funds the attackers, and there is no guarantee that they will actually decrypt your files.

6
Q

A computer is infected with a piece of malware that has infected the Windows kernel in an effort to hide. Which type of malware MOST likely infected this computer?

A

A rootkit is a clandestine program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enables administrator-level access to a computer or network. A kernel-mode rootkit runs with the same privileges as the operating system itself, so it can hide its files, processes, and network connections from the operating system’s own tools and from anti-malware software running on that system. If a rootkit is suspected on a machine, it is best to reformat and reimage the system rather than attempt to clean it in place.

7
Q

Your company’s Security Operations Center (SOC) is currently detecting an ongoing DDoS attack against your network’s file server. One of the cybersecurity analysts has identified forty internal workstations on the network that are conducting the attack against your network’s file server. The cybersecurity analyst believes these internal workstations are infected with malware and places them into a quarantined area of the network. The analyst then submits a service desk ticket to have the workstations scanned and cleaned of the infection. What type of malware was the workstation likely a victim of based on the scenario provided?

A

A botnet is a group of internet-connected devices, each running one or more bots under the control of a remote attacker. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and give the attacker access to each device and its network connection. A zombie (also known as a bot) is a computer or workstation that a remote attacker has compromised and set up to forward transmissions (including spam, malware, and attack traffic) to other computers. In this scenario, the forty internal workstations flooding the file server are zombies in a botnet.

8
Q

The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, “You will regret firing me; just wait until Christmas!” He suspects the message came from a disgruntled former employee that may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could create a negative effect on Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for?

A

A logic bomb is a piece of code intentionally inserted into a software system that sets off a malicious function when specified conditions are met, such as a particular date or the absence of a particular account. For example, a programmer may hide a piece of code that starts deleting files should they ever be removed from the payroll. The director is concerned that a logic bomb may have been created and installed on his system or across the network before the employee was terminated, set to trigger at Christmas.

9
Q

In which type of attack does the attacker begin with a normal user account and then seeks to gain additional access rights?

A

Privilege escalation attacks seek to increase the level of access that an attacker has to a target system. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

10
Q

You have been investigating how a malicious actor was able to exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that the web server’s BIOS had been modified by the installation of a rootkit. After you remove the rootkit and reflash the BIOS to a known good image, what should you do in order to prevent the malicious actor from affecting the BIOS again?

A

Since you are trying to protect the boot process, enabling Secure Boot is the best choice among the options. Secure Boot is a feature of UEFI firmware designed to prevent a computer from being hijacked by a malicious operating system or boot loader. Under Secure Boot, the UEFI firmware is configured with digital certificates from valid OS vendors, and at each boot it checks the operating system boot loader against the stored certificates to ensure it has been digitally signed by the OS vendor. This prevents a boot loader that has been altered by malware (or an OS installed without authorization) from being loaded. Note that Secure Boot validates the boot loader and the components loaded after it, not the firmware image itself; keeping the firmware from being re-flashed again also relies on the vendor’s signed firmware updates, a firmware (BIOS/UEFI) administrator password, and write protection of the firmware flash.

11
Q

Your company recently suffered a small data breach that was caused by an employee emailing themselves a copy of the current customers’ names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data?

A

Data loss prevention software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in transit (network traffic), and at rest (data storage). Since the user was an authorized user (employee), changing your password policy, reconfiguring the firewall, or setting up a MDM solution would not solve this problem. Instead, a DLP solution must be implemented.

12
Q

You are trying to select the best device to install in order to detect an outside attacker who is trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select?

A

An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management system. Unlike an IPS, which can take action to stop malicious activity or policy violations, an IDS can only log these issues and not stop them.

13
Q

Which mobile device strategy is most likely to result in the introduction of vulnerable devices to a corporate network?

A

A bring your own device (BYOD) strategy is the most likely to introduce vulnerable devices. Employees connect their personal devices to the corporate network, and because the organization does not control how those devices are patched, configured, or protected, any vulnerabilities they carry are brought onto the corporate network with them.

14
Q

Your smartphone begins to receive unsolicited messages while you are eating lunch at the restaurant across the street from your office. What might cause this to occur?

A

Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. Bluesnarfing, on the other hand, involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a very limited range, so the attacker is likely within about 10 meters of the victimized device, that is, somewhere in or near the restaurant. Geotagging involves embedding geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for later analysis.

15
Q

Tim, a help desk technician, receives a call from a frantic executive who states that their company-issued smartphone was stolen during their lunch meeting with a rival company’s executive. Tim quickly checks the MDM administration tool and identifies that the user’s smartphone is still communicating with the MDM and displays the location of the device on a map. What should Tim do next to ensure the data on the stolen device remains confidential and inaccessible to the thief?

A

To ensure the data remains confidential and is not accessed by the thief, Tim should perform a remote wipe of the device from the MDM. This will ensure all corporate data is erased before anyone can access it. Tim could also reset the device’s password, but if the thief is able to guess or crack the password, they would still have access to the data. Identifying the IP address of the smartphone is not a useful step in protecting the data on the device. Additionally, devices should be encrypted BEFORE they are lost or stolen, not after.

16
Q

Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica that is sold in the general marketplace?

A

While the unauthorized third-party may assemble a component that was legitimately made from OEM parts, the fact remains that those parts were never intended for distribution under the manufacturer’s legitimate label. Therefore, this is considered counterfeiting. As a cybersecurity analyst, you need to be concerned with your organization’s supply chain management. There have been documented cases of counterfeit hardware (like switches and routers) being sold with malware or lower mean time between failures, both of which affect the security of your network.

17
Q

Which of the following programs was designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military?

A

The Trusted Foundry program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. Trusted Foundry was created to provide a chain of custody for classified/unclassified integrated circuits, ensure there is no reasonable threat related to supply disruption, prevent intentional/unintentional modification of integrated circuits, and protect integrated circuits from reverse engineering and vulnerability testing.

18
Q

Following a root cause analysis of the unexpected failure of an edge router, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?

A

Anti-counterfeit training is part of the NIST SP 800-53 Rev. 4 control set (SA-19(1), Anti-counterfeit Training) and should be a mandatory part of your supply chain management training within your organization. The other options may produce security gains in the network, but they are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization’s supply chain. Training acquisition personnel to buy only from authorized resellers, and training staff in detection methods (e.g., simple visual inspection of packaging, labels, and serial numbers), will better prevent recurrences.

19
Q

What is the lowest layer (bottom layer) of a bare-metal virtualization environment?

A

The bottom layer is the physical hardware. In a bare-metal (Type 1) environment the hypervisor is installed directly on that hardware and controls the guest operating systems’ access to it; there is no host operating system in between.

20
Q

You need to determine the best way to test operating system patches in a lab environment prior to deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches prior to deployment?

A

When you have limited hardware but are required to test patches against multiple operating systems, you should set up a virtualized environment on the one available machine, with a virtual machine for each operating system in use, and test the patch in each before deployment. You should never deploy patches directly into production without testing them first in the lab.

21
Q

Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor?

A

Virtual machine escape vulnerabilities are the most severe issue that can exist in a virtualized environment. In this attack, the attacker has access to a single virtual machine (guest) and leverages that access to break out to the hypervisor and intrude on the resources assigned to other virtual machines.

22
Q

(where email=support@diontraining.com and password=‘ or 7==7’)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of attack is being performed?

A

SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common technique in SQL injection is to append a condition that is always true, such as 1=1 or, in this example, 7==7, so that the WHERE clause matches regardless of the password. (Standard SQL uses a single = for comparison, as in the classic payload ' OR '1'='1; some engines, such as SQLite, also accept ==.)
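
The login check described above, as an added example that is not part of the original flashcards: the users table, the stored credentials, the function names and the payload (' OR 7=7 --, written with a single = so that it is portable SQL) are all constructed for this demonstration. It runs against an in-memory SQLite database and shows the string-concatenated query beside the parameterized one.

```python
import sqlite3

# Added example, not code from the original flashcards. The users table, the
# stored credentials and the login functions are all constructed for this demo.


def make_db():
    """Create an in-memory SQLite database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("support@diontraining.com", "CorrectHorseBatteryStaple"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """VULNERABLE: user input is spliced straight into the SQL text.

    With password = "' OR 7=7 --" the statement becomes
        ... WHERE email='support@diontraining.com' AND password='' OR 7=7 --'
    AND binds tighter than OR, so the row matches because 7=7 is always true,
    and the -- comment discards the dangling quote.
    """
    sql = f"SELECT COUNT(*) FROM users WHERE email='{email}' AND password='{password}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, email, password):
    """SAFE: placeholders keep the input as data; quotes and OR never become SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE email=? AND password=?"
    return conn.execute(sql, (email, password)).fetchone()[0] > 0


INJECTION = "' OR 7=7 --"   # constructed payload in the spirit of the card's 7==7

if __name__ == "__main__":
    db = make_db()
    user = "support@diontraining.com"
    print("vulnerable, real password  :", login_vulnerable(db, user, "CorrectHorseBatteryStaple"))
    print("vulnerable, injected input :", login_vulnerable(db, user, INJECTION))
    print("parameterized, injected    :", login_parameterized(db, user, INJECTION))
```

The parameterized version is the fix: the database driver sends the password as a bound value, so the same payload is compared literally against the stored password and the login fails.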

23
Q
<script>
alert("This site is vulnerable to an attack!")
</script>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Then, you clicked the search button, and a pop-up box appears on your screen showing the following text, “This site is vulnerable to an attack!” Based on this response, what vulnerability have you uncovered in the web application?

A

This is a form of cross-site scripting (XSS), specifically reflected XSS, because the script you typed into the search field was echoed back into the results page and executed by your browser. Cross-site scripting is a type of security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy, since the injected script runs with the origin of the vulnerable site.
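
The reflected search page described above, as an added example that is not part of the original flashcards: the results template and the render functions are constructed for this demonstration, while the payload is the one from the card. It shows the vulnerable rendering beside the output-encoded one.

```python
import html

# Added example, not code from the original flashcards. The page template and
# the render functions are constructed for this demo.

RESULTS_TEMPLATE = "<h1>Search results</h1>\n<p>You searched for: {term}</p>"

# The exact payload from the flashcard.
PAYLOAD = '<script>alert("This site is vulnerable to an attack!")</script>'


def render_vulnerable(term):
    """VULNERABLE (reflected XSS): the search term is copied into the HTML as-is,
    so a <script> element in it becomes real markup that the browser executes."""
    return RESULTS_TEMPLATE.format(term=term)


def render_escaped(term):
    """SAFE for an HTML body context: < > & " ' become entities, so the browser
    shows the payload as text instead of running it. Other contexts (attribute
    values, JavaScript, URLs) need their own encoding; body escaping alone is
    not enough there."""
    return RESULTS_TEMPLATE.format(term=html.escape(term, quote=True))


def contains_executable_script(page):
    """Crude check for a live <script> element in the rendered HTML."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print()
    print(render_escaped(PAYLOAD))
```

For a plain search term both functions produce identical HTML; only when the term carries markup does the encoded version differ, which is why output encoding is applied unconditionally rather than only to input that "looks" malicious.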

24
Q

https://www.diontraining.com/add_to_cart.php?itemId=5”+perItemPrice=”0.00”+quantity=”100”+/><item+id=”5&quantity=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this line, what type of attack do you expect has been attempted?

A

This is an example of XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structure into an XML message can alter the intended logic of an application, and can insert malicious content into the resulting messages or documents. In this case, the URL is attempting to modify the server’s XML structure, setting a per-item price of 0.00 and a quantity of 100. The key to answering this question is recognizing the XML-structured code entered as part of the URL, which is shown by the angle-bracketed element and the quoted attribute data.

25
Q

A supplier needs to connect several laptops to an organization’s network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could potentially contain some vulnerabilities that could weaken the security posture of the network. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier’s laptops?

A

A jumpbox is a hardened and monitored system that spans two dissimilar security zones and provides a controlled means of access between them. Placing the supplier’s laptops in their own network segment that can reach the rest of the network only through the jumpbox minimizes the risk they pose. While the other options listed are all good security practices, they do not fully mitigate the risk, since Victor cannot enforce those configurations on a supplier-provided laptop.

26
Q

An analyst is reviewing the configuration of a triple-homed firewall that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall?

A

A triple-homed firewall connects to three networks: the internal (private) network, the external (internet/public) network, and the demilitarized zone (DMZ), which the SY0-601 objectives also call a screened subnet. The DMZ hosts the systems that must be reachable from external hosts, such as public web and mail servers, so that a compromise of one of them does not give direct access to the internal network.

27
Q

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should be able to obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should be able to access Dion Training’s secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?

A

Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. NAC is commonly enforced with IEEE 802.1X port-based authentication: when a device connects to the conference room port, the switch authenticates it and assigns it to a VLAN according to policy, so a CompTIA laptop lands on an internet-only VLAN from which it can build its VPN, while a Dion Training employee’s authenticated device is placed on the internal network.

28
Q

You have just received some unusual alerts on your SIEM dashboard and want to collect the payload associated with it. Which of the following should you implement to effectively collect these malicious payloads that the attackers are sending towards your systems without impacting your organization’s normal business operations?

A

A honeypot is a host set up with the purpose of luring attackers away from the actual network components and/or discovering attack strategies and weaknesses in the security configuration. A jumpbox is a hardened server that provides access to other hosts. A sandbox is a computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Containerization is a type of virtualization applied by a host operating system to provision an isolated execution environment for an application.

30
Q

During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team?

A

Data loss prevention (DLP) software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in-use, in-motion, and at-rest. This can be configured to detect and alert on future occurrences of this issue.
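
The detection rule that this card and card 11 describe, as an added example that is not part of the original flashcards: it scans outbound mail for payment card numbers and raises an alert when one is sent to an address outside the corporate domain. The corporate domain, the sample messages, the sender and recipient addresses and the card numbers are all constructed for this demonstration.

```python
import re

# Added example, not code from the original flashcards. The corporate domain,
# the sample messages and the card numbers are constructed for this demo.

CORPORATE_DOMAIN = "diontraining.com"

# Runs of 13-19 digits, optionally separated by spaces or dashes (how card
# numbers are usually typed). Candidates are confirmed with the Luhn check so
# that phone numbers and order references are not reported.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the card numbers (digits only) found in a message body."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(digits):
    """Keep only the last four digits so the alert itself does not leak the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def is_external(address, domain=CORPORATE_DOMAIN):
    return not address.lower().endswith("@" + domain)


def scan_outbound(messages, domain=CORPORATE_DOMAIN):
    """DLP rule: alert when a message to an external recipient carries card data."""
    alerts = []
    for msg in messages:
        if not is_external(msg["to"], domain):
            continue                      # internal mail is out of scope for this rule
        cards = find_card_numbers(msg["body"])
        if cards:
            alerts.append({
                "from": msg["from"],
                "to": msg["to"],
                "cards": [mask(c) for c in cards],
            })
    return alerts


# Constructed sample traffic. 4111 1111 1111 1111 is a well-known test card
# number that passes Luhn; 1234-5678-9012-3456 looks like a card but fails it.
SAMPLE_MESSAGES = [
    {"from": "csr1@diontraining.com", "to": "csr1.home@gmail.com",
     "body": "Customer: Jane Doe, card 4111 1111 1111 1111, limit 5000"},
    {"from": "csr1@diontraining.com", "to": "billing@diontraining.com",
     "body": "Customer: Jane Doe, card 4111 1111 1111 1111, limit 5000"},
    {"from": "csr2@diontraining.com", "to": "friend@example.org",
     "body": "Call me at 555-0100, order ref 1234-5678-9012-3456"},
]


if __name__ == "__main__":
    for alert in scan_outbound(SAMPLE_MESSAGES):
        print("ALERT:", alert)
```

Only the first message is reported: the second is internal and the third contains a digit string that fails the Luhn check. A production DLP policy would add further content identifiers (account numbers in the company’s own format, document fingerprints) and would block or quarantine the message rather than only alert, but the detect-and-alert logic is the same.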

31
Q

The Pass Certs Fast corporation has recently been embarrassed by a number of high profile data breaches. The CIO proposes improving the cybersecurity posture of the company by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach?

A

A poorly implemented security model at a physical location will still be a poorly implemented security model in a virtual location. Unless the fundamental causes of the security issues that caused the previous data breaches have been understood, mitigated, and remediated, then migrating the current images into the cloud will simply change the location of where the processing occurs without improving the security of the network. While the statement concerning unrealized ROI may be accurate, it simply demonstrates the fallacy of the sunk cost argument.

32
Q

Which of the following would a virtual private cloud infrastructure be classified as?

A

Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. In a VPC environment, an organization may provision virtual servers in a cloud-hosted network. The service consumer is still responsible for maintaining the IP address space and routing internally to the cloud.

33
Q

Dave’s company utilizes Google’s G-Suite environment for file sharing and office productivity, Slack for internal messaging, and AWS for hosting their web servers. Which type of cloud deployment model is being used?

A

Multi-cloud is a cloud deployment model where the cloud consumer uses services from multiple public cloud providers. In this example, Dave’s company is using Google’s G-Suite (SaaS), Slack’s cloud-based SaaS product, and Amazon’s AWS (IaaS) simultaneously. A private cloud is deployed for use by a single entity. A public cloud is deployed for shared use by multiple independent tenants. A community cloud is deployed for shared use by cooperating tenants.

34
Q

Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly?

A

Continuous deployment is a software development method in which app and platform updates are committed to production rapidly. Continuous delivery is a software development method in which app and platform requirements are frequently tested and validated for immediate availability. Continuous integration is a software development method in which code updates are tested and committed to a development or build server/code repository rapidly. Continuous monitoring is the technique of constantly evaluating an environment for changes so that new risks may be more quickly detected.

35
Q

Which of the following utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise?

A

Infrastructure as Code (IaC) is designed around the idea that a well-coded, version-controlled description of the server and network operating environment will produce consistent results across an enterprise and significantly reduce IT overhead through automation, while reducing configuration drift and the misconfigurations that introduce security vulnerabilities. Software-defined networking (SDN) uses software to define networking boundaries, but does not handle server builds in the way IaC does. Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs.

36
Q

Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic?

A

A machine learning (ML) system uses a computer to accomplish a task without being explicitly programmed to do it. In cybersecurity, ML generally works by analyzing example data sets to build its own ability to classify future items presented to it. Training on explicitly labeled examples, as described here, is supervised learning: if the system is given large labeled datasets of malicious and benign traffic, it learns which features distinguish them and uses that model to categorize future traffic. Its accuracy depends on the quality and coverage of the training data, and attackers may craft traffic specifically to evade a trained model.

37
Q

Which of the following types of attacks are usually used as part of a man-in-the-middle attack?

A

A man-in-the-middle attack (MITM), called an on-path attack in the SY0-601 objectives, is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are communicating directly with each other. One example of a MITM attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them so they believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between them; on a local network this position is commonly obtained through ARP poisoning, DNS poisoning, or a rogue access point.

38
Q

TCP: 80

TCP: 110

TCP: 443

TCP: 1433

TCP: 3306

Based on these scan results, which of the following services are NOT currently operating?

A

Based on the port numbers shown as open in the scan results, SSH is not currently operating. SSH listens on TCP port 22, which is not in the list. Web servers use port 80 for HTTP and 443 for HTTPS. Port 110 is POP3, a mail retrieval service. Database servers run on port 1433 (Microsoft SQL Server) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389, which is also not listed. A scan only shows what is listening; a database port such as 1433 or 3306 being reachable from the scanning host is itself worth investigating.

39
Q

Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred?

A

DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites.

40
Q

You are installing a new wireless network in your office building and want to ensure it is secure. Which of the following configurations would create the MOST secure wireless network?

A

WPA2 with AES (CCMP) encryption creates the most secure network among WEP, WPA, and WPA2 configurations. WPA2 replaced both WPA and WEP, and AES is a strong encryption algorithm that WPA2 uses by default, whereas WPA’s TKIP is built on the weak RC4 cipher. Where the access points and clients support it, WPA3 is newer still and should be preferred.

41
Q

Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of “connected clients” and see that “Bob’s Laptop” is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the WPA2 password?

A

WPS was created to ease the setup and configuration of new wireless devices by allowing the router to configure them automatically after a short eight-digit PIN was entered or a button on the router was pressed. Unfortunately, WPS is vulnerable to a brute-force attack (the PIN is validated in two halves, so only about 11,000 guesses are needed) and is easily compromised. Therefore, WPS should be disabled on all wireless networks. If Bob was able to enter your apartment and press the WPS button, or brute-force the PIN from downstairs, he could have connected his laptop to your wireless network without your WPA2 password.

42
Q

Which of the following is the LEAST secure wireless security and encryption protocol?

A

Wired Equivalent Privacy (WEP) is the security protocol specified in the original IEEE 802.11 wireless LAN standard, designed to give a wireless local area network (WLAN) a level of security and privacy comparable to what is usually expected of a wired LAN. It is the oldest and the weakest form of wireless security. Because WEP uses the RC4 stream cipher with a 24-bit initialization vector that is quickly reused, an attacker who captures enough traffic can recover the key in a few minutes on an ordinary end-user computer; this is a statistical attack on the keystream rather than a brute-force search of the key.

43
Q

Which of the following physical security controls would be the most effective in preventing an attacker from driving a vehicle through the glass doors at the front of the organization’s headquarters?

A

Bollards are a physical security control designed to stop a vehicle-ramming attack. A bollard is typically a sturdy, short, vertical post. Some organizations install more decorative bollards made of concrete that are large enough to plant flowers or trees inside. Mantraps are designed to prevent individuals from tailgating into the building. Security guards and intrusion alarms could detect this occurring, but not truly prevent it.

44
Q

You work for Dion Training as a physical security manager. You are concerned that the physical security at the entrance to the company is not sufficient. To increase your security, you are determined to prevent piggybacking. What technique should you implement first?

A

A mantrap is a device that only allows a single person to enter per authentication. This authentication can be done by RFID, a PIN, or other methods. Once verified, the mantrap lets a single person enter through a system such as a turnstile or rotating door. CCTV will not stop piggybacking, but it could be used as a detective control after an occurrence. Wearing security badges is useful, but it won't stop piggybacking by a skilled social engineer. RFID badges may be used as part of your entry requirements, but they won't stop a determined piggybacker who follows an employee in.

45
Q

The public library has had a recent issue with their laptops being stolen from their computer lab. Since this is a public library, it is not a high security area and is fully accessible by patrons during the day. What is the best way to prevent the theft of the laptops?

A

Cable locks are the best solution, as they allow the laptops to be physically attached to the desks in the computer lab and prevent theft. CCTV is a deterrent or detective control, but it requires someone monitoring it to detect the theft. Mobile device management is focused on tablets or phones, not laptops. Motion sensors are not useful during the library's open hours, since authorized patrons are allowed into the lab during the day; if a laptop is being stolen during the day, motion sensors will do nothing to stop the thief.

46
Q

What is NOT considered part of the Internet of Things?

A

Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other devices are all examples of the Internet of Things (IoT). A laptop would be better classified as a computer or host than as part of the Internet of Things. The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

47
Q

Syed is developing a vulnerability scanner program for a large network of sensors that are used to monitor his company’s transcontinental oil pipeline. What type of network is this?

A

SCADA (supervisory control and data acquisition) is a type of industrial control system (ICS) used to monitor sensors and operate control equipment spread over large geographic areas, such as pipelines, power grids, and water systems. A building automation system (BAS) for offices and data centers ("smart buildings") can include physical access control systems, but also heating, ventilation, and air conditioning (HVAC), fire control, power and lighting, and elevators and escalators.

48
Q

An analyst is reviewing the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors are able to access the internet. How can this type of attack be prevented from occurring in the future?

A

A VLAN is used to segment network traffic into separate parts of the network. Placing the open wireless network and the HVAC control system on different VLANs, with no routing between them (or a firewall rule or ACL that denies guest-to-HVAC traffic), stops someone on the open wireless network from even reaching the HVAC login page. A VLAN on its own is not enough if inter-VLAN routing is left unrestricted.

49
Q

David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?

A

Port 3389 is used by the Remote Desktop Protocol (RDP). If this port isn't supposed to be open on a POS terminal, the incident response plan should be the next step, since RDP can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL/TLS runs on port 993.

50
Q

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?

A

TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco; it runs over TCP port 49 and encrypts the entire packet body. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on UDP ports 1812 (authentication and authorization) and 1813 (accounting) and provides centralized Authentication, Authorization, and Accounting management for users who connect to and use a network service, but it was not developed by Cisco.

51
Q

What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+?

A

If you are using RADIUS/TACACS+ with the switch, you will need to use 802.1X, the port-based network access control standard. The switch acts as the authenticator, the connecting device is the supplicant, and the RADIUS/TACACS+ server is the authentication server; the switch port stays blocked until the server approves the supplicant.

52
Q

Which of the following access control methods utilizes a set of organizational roles in which users are assigned to gain permissions and access rights?

A

Role-based access control (RBAC) is a modification of DAC that provides a set of organizational roles that users may be assigned in order to gain access rights. The system is non-discretionary since the individual users cannot modify the ACL of a resource. Users gain their access rights implicitly based on the groups to which they are assigned as members.

53
Q

Julie was just hired to conduct a security assessment of Dion Training’s security policies. During her assessment, she noticed that there were many group accounts being shared by users to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company?

A

To adequately provide accountability, the use of shared or group accounts should be disabled. This allows you to log and track individual user actions based on their individual user accounts. This enables the organization to hold users accountable for their actions, too.

54
Q

Marta's organization is concerned that a user's account could remain exposed for an extended period of time if their password were compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability?

A

A password expiration control in the policy forces users to change their password at set intervals, so a compromised password is only usable until the next mandatory change. This limits the window of exposure described in the scenario. While the other options are good components of password security, they are not effective against the vulnerability described here, since the scenario states that the issue is based on time.

55
Q

After completing an assessment, you create a chart listing the associated risks based on the vulnerabilities identified with your organization’s privacy policy. The chart contains listings such as high, medium, and low. It also utilizes red, yellow, and green colors based on the likelihood and impact of a given incident. Which of the following types of assessments did you just complete?

A

This describes a qualitative risk assessment since it categorizes things based on the likelihood and impact of a given incident using non-numerical terms, such as high, medium, and low. If the risk assessment provided exact numbers or percentages of risk, then it would be a quantitative risk assessment.

56
Q

Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of the data is $120,000. Based on her analysis, she believes that a data breach will occur once every four years with a risk factor of 30%. What is the ALE for a data breach within Jamie's organization?

A

$9,000
The single loss expectancy (SLE) is the asset value (AV) multiplied by the exposure factor (EF, called the risk factor in this question): $120,000 x 0.30 = $36,000. The annual loss expectancy (ALE) is the total cost of a risk to an organization on an annual basis, found by multiplying the SLE by the annualized rate of occurrence (ARO). One breach every four years is an ARO of 0.25, so ALE = $36,000 x 0.25 = $9,000.

57
Q

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company in the event of an incident. Which of the following best describes the company’s risk response?

A

Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing the activity that is risk-bearing. Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as by patching a vulnerable system. Acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

58
Q

Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them?

A

Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. In addition, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command-line tool for use on Linux, Windows, and macOS systems.

59
Q

A cybersecurity analyst in your company notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002, and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker?

A

A brute-force attack is one in which an attacker tries a set of predefined values against a target and analyzes each response until one succeeds. Success depends on the set of predefined values: a larger set takes more time but has a better probability of success. In a traditional brute-force attack, the passcode or password is incremented by one letter or number each time until the right passcode or password is found, which is exactly the 00000000, 00000001, 00000002 pattern in the device logs.
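The next block is an added example, not part of the original flashcards. It ties together card 41 (why WPS PINs are cheap to brute-force) and card 59 (the sequential attacker above). The checksum rule is the one defined for WPS PINs (weights 3 and 1 alternating over the first seven digits); the PIN 13252342 is the one from the question, and the function and variable names are this example's own.

```python
"""WPS PIN structure and why brute-forcing it is cheap.

Added example, not part of the original flashcards. The checksum rule is the
one defined for WPS PINs; 13252342 is the PIN from the question above.
"""


def wps_checksum(first_seven: int) -> int:
    """Return the eighth (checksum) digit for a 7-digit WPS PIN prefix."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)   # digits at odd positions (from the right) weigh 3
        pin //= 10
        accum += pin % 10         # digits at even positions weigh 1
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if the 8-digit string carries a correct WPS checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def naive_attempts(pin: str) -> int:
    """Guesses needed by the attacker in the question, who counted up from
    00000000 one value at a time through the whole 8-digit space."""
    return int(pin) + 1


def split_attempts(pin: str) -> int:
    """Guesses needed when the attacker exploits the WPS design flaw: the
    access point confirms the first half (4 digits) and the second half
    (3 digits plus a derivable checksum) independently."""
    first_half = int(pin[:4])     # 0000..9999 -> at most 10,000 guesses
    second_half = int(pin[4:7])   # 000..999   -> at most 1,000 guesses
    return (first_half + 1) + (second_half + 1)


def max_split_attempts() -> int:
    """Worst case for the split attack: 10^4 + 10^3 guesses."""
    return 10_000 + 1_000


if __name__ == "__main__":
    target = "13252342"
    print("valid WPS PIN:", is_valid_pin(target))
    print("sequential guesses:", naive_attempts(target))
    print("split-attack guesses:", split_attempts(target),
          "of at most", max_split_attempts())
```

The sequential counter in the log would reach 13252342 only after more than thirteen million tries and wastes nine tenths of them on PINs with a bad checksum; an attacker who uses the half-by-half confirmation finds the same PIN in fewer than 1,600. Either way, the fix is the same: disable WPS.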

60
Q

Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?

A

Blue Team
Penetration testing can form the basis of functional exercises. One of the best-established means of testing a security system for weaknesses is to play “war game” exercises in which the security personnel split into teams: red, blue, and white. The red team acts as the adversary. The blue team acts as the defenders. The white team acts as the referees and sets the parameters for the exercise. The yellow team is responsible for building tools and architectures in which the exercise will be performed.

61
Q

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices?

A

Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device’s status, including CPU and memory utilization, as well as many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.

62
Q

Which security tool is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment?

A

A security orchestration, automation, and response (SOAR) platform is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment. A SOAR may be implemented as a standalone technology or integrated within a SIEM as a next-generation SIEM. A SOAR can scan the organization's store of security and threat intelligence, analyze it using machine/deep learning techniques, and then use that data to automate and enrich the workflows that drive incident response and threat hunting.

63
Q

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and causes an impact on the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?

A

The syslog server is a centralized log management solution. By looking through the logs on the syslog server, the technician could determine which service failed on which server, since all the logs are retained on the syslog server from all of the network devices and servers.

64
Q

Which of the following cryptographic algorithms is classified as asymmetric?

A

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. As a public-key cryptosystem, it relies on an asymmetric algorithm. Twofish, RC4, and DES are all symmetric algorithms.

65
Q

Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption?

A

The only truly unbreakable encryption is a one-time pad. Every message is encrypted with a different key that only the two holders of the pad know, so there is no pattern in the key for an attacker to guess or find. Even if one message were somehow recovered, all of the other messages would remain secure since they use different keys. Three conditions must hold for this guarantee: the pad must be truly random, it must be at least as long as the message, and it must never be reused. Unfortunately, one-time pads also require that two identical copies of the pad be produced and distributed securely before they can be used, which is why they are impractical for most communications.
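The block below is an added example, not code from the original flashcards. It implements a one-time pad with XOR and then shows the failure mode the caveat above warns about: encrypting two messages under the same pad lets an attacker cancel the pad out and, given one plaintext, read the other. The messages and pad are constructed for the demonstration.

```python
"""One-time pad: XOR with a random, message-length, single-use key, and
what leaks the moment a pad is reused.

Added example, not from the original flashcards; messages are constructed.
"""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("a one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """A fresh pad from the OS CSPRNG; each pad may be used for one message only."""
    return os.urandom(length)


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    return xor_bytes(message, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)   # XOR is its own inverse


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted under the same pad, the pad cancels:
    c1 XOR c2 == m1 XOR m2. The attacker learns the relationship between the
    plaintexts without ever seeing the pad."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Combine the leak with one known (or guessed) plaintext to get the other."""
    return xor_bytes(reuse_leak(c1, c2), known_m1)


if __name__ == "__main__":
    m1, m2 = b"attack at dawn", b"retreat at ten"
    pad = generate_pad(len(m1))
    c1 = otp_encrypt(m1, pad)
    print(otp_decrypt(c1, pad) == m1)            # correct use: round-trips
    c2 = otp_encrypt(m2, pad)                     # mistake: pad reused
    print(recover_other_plaintext(c1, c2, m1))    # b'retreat at ten'
```

Note that the code refuses a pad of the wrong length rather than cycling it: repeating a short key turns the scheme into a Vigenere-style cipher and the perfect-secrecy argument no longer holds.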

66
Q

A company has recently experienced a data breach and has lost nearly 1 GB of personally identifiable information about its customers. You have been assigned as part of the incident response team to identify how the data was leaked from the network. Your team has conducted an extensive investigation, and so far, the only evidence of a large amount of data leaving the network is from the email server. There is one user that has sent numerous large attachments out of the network to their personal email address. Upon closer inspection, those emails only contain pictures of that user’s recent trip to Australia. What is the most likely explanation for how the data left the network?

A

The most likely explanation is that the user utilized steganography to hide the leaked data inside the photos from their trip. Steganography is the process of hiding one message inside another. By hiding the customer’s information within the digital photos, the incident response team would not be able to see the data being hidden without knowing to look for it inside the seemingly benign pictures from the trip.
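The block below is an added example, not code from the original flashcards. It shows the least-significant-bit technique that the answer describes. Instead of a real photo (which would need an image library), the cover is a constructed byte string standing in for 8-bit pixel samples; the method is identical: only the lowest bit of each sample is overwritten, so the picture looks unchanged while carrying the hidden data.

```python
"""Least-significant-bit (LSB) steganography over raw sample data.

Added example, not from the original flashcards. The cover bytes below are
constructed stand-ins for image pixel samples.
"""
import struct

HEADER = struct.Struct(">I")   # 4-byte big-endian payload length, hidden first


def capacity(cover: bytes) -> int:
    """Payload bytes that fit: one bit per sample, minus the length header."""
    return len(cover) // 8 - HEADER.size


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide `payload` in the LSBs of `cover`; returns the stego bytes."""
    if len(payload) > capacity(cover):
        raise ValueError("payload too large for this cover")
    data = HEADER.pack(len(payload)) + payload
    out = bytearray(cover)
    for i, byte in enumerate(data):
        for bit in range(8):                       # MSB of each byte first
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the LSBs back: first the length header, then that many bytes."""
    def read_bytes(offset_samples: int, count: int) -> bytes:
        result = bytearray()
        for i in range(count):
            value = 0
            for bit in range(8):
                value = (value << 1) | (stego[offset_samples + i * 8 + bit] & 1)
            result.append(value)
        return bytes(result)

    (length,) = HEADER.unpack(read_bytes(0, HEADER.size))
    return read_bytes(HEADER.size * 8, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding never changes a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = bytes((i * 37) % 256 for i in range(4096))     # constructed "pixels"
    secret = b"customer PII: 4111-xxxx, jane@example.test"
    stego = embed(cover, secret)
    print(capacity(cover), "bytes fit;", max_sample_change(cover, stego), "max change")
    print(extract(stego))
```

Because each sample moves by at most one level, neither a viewer nor a file-size check will notice the change; this is why the response team above needs data-loss-prevention inspection or statistical analysis of the images rather than a visual review of the attachments.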

67
Q

Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application?

A

Keith should compute a hash of the downloaded file and compare it against the hash digest the vendor publishes for that file. If the two digests match, the file was not modified or corrupted in transit during the download; integrity checking relies on this comparison of the two digests, so the other options are insufficient. Two practical caveats: MD5 is no longer collision-resistant, so a SHA-256 digest should be preferred where the vendor offers one, and a digest served from the same server as the file only proves the download matches what that server holds. A detached signature (for example, a GPG signature over the checksum file) is needed to prove the file actually came from the vendor.

68
Q

Which of the following hashing algorithms results in a 160-bit fixed output?

A

SHA-1 creates a 160-bit fixed output. SHA-256, the most common member of the SHA-2 family, creates a 256-bit fixed output (SHA-2 also includes 224-, 384-, and 512-bit variants). An NTLM hash is a 128-bit MD4 digest. MD5 creates a 128-bit fixed output.
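The block below is an added example, not code from the original flashcards; it serves both card 67 (verifying a download against a published digest) and card 68 (digest sizes). The `installer.bin` bytes and the SHA256SUMS text are constructed for the example, but the `<hex digest>  <filename>` line format is the real one produced by sha256sum/md5sum and used by most vendors.

```python
"""Verify a download against a published digest, and compare digest sizes.

Added example, not code from the original flashcards. The file contents and
the SHA256SUMS text are constructed; the line format is the sha256sum one.
"""
import hashlib
import hmac

# Constructed stand-in for a downloaded file.
DOWNLOADED = {
    "installer.bin": b"\x7fELF not really, just constructed bytes\n" * 64,
}


def digest_bits(algorithm: str) -> int:
    """Output size in bits of a hashlib algorithm name (sha1 -> 160)."""
    return hashlib.new(algorithm).digest_size * 8


def publish_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest as a vendor would list it beside the file."""
    return hashlib.new(algorithm, data).hexdigest()


def parse_sums(text: str) -> dict:
    """Parse '<hex>  <name>' lines (sha256sum format) into {name: hex}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        table[name.lstrip("*")] = digest.lower()   # a leading '*' marks binary mode
    return table


def verify_download(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest locally and compare it in constant time."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_against_sums(files: dict, sums_text: str, algorithm: str = "sha256") -> dict:
    """Check every listed file; returns {name: True, False, or None if not downloaded}."""
    expected = parse_sums(sums_text)
    return {
        name: (verify_download(files[name], hexd, algorithm) if name in files else None)
        for name, hexd in expected.items()
    }


if __name__ == "__main__":
    sums = f"{publish_digest(DOWNLOADED['installer.bin'])}  installer.bin\n"
    print(verify_against_sums(DOWNLOADED, sums))
    for algo in ("md5", "sha1", "sha256", "sha512"):
        print(algo, digest_bits(algo))
```

`hmac.compare_digest` is used for the comparison so that the check takes the same time whether the digests differ in the first character or the last; for an offline integrity check this is belt-and-braces, but it is the habit to keep for any comparison of secrets or MACs.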

69
Q

In an effort to increase the security of their passwords, Dion Training has added a salt and cryptographic hash to their passwords prior to storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called?

A

In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible guess. Running a salted hash through many iterations, as the question describes, is one such technique; PBKDF2, bcrypt, scrypt, and Argon2 are the standard implementations, and the iteration count (or memory cost) should be raised over time as hardware gets faster.
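The block below is an added example, not code from the original flashcards. It implements the salted, iterated hashing the card describes using PBKDF2-HMAC-SHA256 from the standard library. The storage format `pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>` is this example's own convention; what matters is that the salt and iteration count are stored alongside the hash so verification can repeat the exact same stretch.

```python
"""Salted, iterated password hashing (key stretching) with PBKDF2-HMAC.

Added example, not from the original flashcards. The record format is an
assumption made here for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # policy value; raise it as hardware gets faster


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; a fresh 16-byte random salt per password."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Repeat the stretch with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(stored: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was created with fewer iterations than current policy,
    so it should be re-stretched the next time the user logs in successfully."""
    return int(stored.split("$")[1]) < min_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Tr0ub4dor&3", record))                    # False
```

Because the salt is random per user, two users with the same password get different records, which defeats precomputed rainbow tables; the iteration count is what makes each guess expensive for an attacker who has stolen the table.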

70
Q

A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$ tcpdump -n -i eth0

15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549

15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113

Which of the following statements is true based on this output?

A

This output from the tcpdump command shows two packets from a larger sequence of events. Based solely on the packets shown, we can only be certain that the host at 11.154.12.121 is running an SSH server on port 22 (tcpdump prints the service name "ssh" in place of the port number because the -nn flag was not used). The first line is the client (10.0.19.121, ephemeral port 52497) pushing 52 bytes to the server, and the second line is the server responding with 148 bytes back to the client on port 52497. There is no evidence of an attack against either the server or the client in this output, since we can only see the headers and not the content being sent between the client and server.
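The block below is an added example, not code from the original question. It parses tcpdump's one-line-per-packet text format (the two lines above are the ones from the question) and draws the same conclusion programmatically: which endpoint is the server, on which port, and how many payload bytes flowed in each direction. The inline service-name table is a small subset of /etc/services kept in the file so the example runs offline.

```python
"""Parse tcpdump one-line output and infer which side is the server.

Added example, not from the original question. The sample lines are the two
shown in the question; the service table is a small inline subset of
/etc/services.
"""
import re

SAMPLE_LINES = [
    "15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549",
    "15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113",
]

# tcpdump prints service names for well-known ports unless run with -nn.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "domain": 53,
                 "smtp": 25, "ms-wbt-server": 3389}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>[\w-]+) > (?P<dst>[\d.]+)\.(?P<dport>[\w-]+): "
    r"(?P<flags>\S+)"
    r"(?: (?P<seq>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)


def resolve_port(token: str) -> int:
    """'ssh' -> 22, '52497' -> 52497."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_line(line: str):
    """Return a dict of header fields, or None if the line is not a TCP record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    return {
        "time": f["ts"],
        "src": f["src"], "sport": resolve_port(f["sport"]),
        "dst": f["dst"], "dport": resolve_port(f["dport"]),
        "flags": f["flags"],
        "payload": int(f["length"] or 0),         # bytes in the TCP segment body
        "ack": int(f["ack"]) if f["ack"] else None,
        "win": int(f["win"]) if f["win"] else None,
    }


def infer_server(packets):
    """The endpoint seen on a well-known (<1024) port is taken to be the server."""
    for p in packets:
        if p["dport"] < 1024:
            return p["dst"], p["dport"]
        if p["sport"] < 1024:
            return p["src"], p["sport"]
    return None


def bytes_per_direction(packets) -> dict:
    """Payload bytes carried in each direction, keyed 'src:sport>dst:dport'."""
    totals = {}
    for p in packets:
        key = f"{p['src']}:{p['sport']}>{p['dst']}:{p['dport']}"
        totals[key] = totals.get(key, 0) + p["payload"]
    return totals


if __name__ == "__main__":
    pkts = [parse_line(line) for line in SAMPLE_LINES]
    print("server:", infer_server(pkts))
    print("bytes:", bytes_per_direction(pkts))
```

Nothing here inspects payload, which is exactly the limit the answer states: headers tell you who talked to whom, on which port, and how much, but not whether the SSH session was benign.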

71
Q

Which of the protocols listed is NOT likely to be a trigger for a vulnerability scan alert when it is used to support a virtual private network (VPN)?

A

IPSec is the most secure of the listed protocols for a VPN. The use of PPTP (whose MS-CHAPv2 authentication and RC4-based MPPE encryption are both broken) and of legacy SSL rather than current TLS is discouraged for VPN security. Because of this, a VPN built on PPTP or SSL will likely be flagged by a vulnerability scan as an issue to be remediated.

72
Q

Your company just installed a new webserver within your DMZ. You have been asked to open up the port for secure web browsing on the firewall. Which port should you set as open to allow users to access this new server?

A

Port 443 is used for HTTPS traffic, so this is the port that must be opened. HTTPS is web browsing secured with SSL or, today, TLS. Port 21 is used for the File Transfer Protocol (FTP). Port 80 is used for unsecured web browsing (HTTP). Port 143 is used for the Internet Message Access Protocol (IMAP).

73
Q

You are configuring a RAID drive for a Media Streaming Server. Your primary concern is speed of delivery of the data. This server has two hard disks installed.

What type of RAID should you install, and what type of data will be stored on Disk 1 and Disk 2?

A

RAID 0 (striping): Disk 1 holds one stripe of each block of data and Disk 2 holds the next, so reads and writes are spread across both disks for maximum throughput. RAID 0 provides no redundancy; if either disk fails, all of the data is lost, so it suits a streaming server only when the media can be restored from elsewhere.

74
Q

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization’s RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period?

A

Mean time to repair (MTTR) is a basic measure of the maintainability of repairable items. It represents the average time required to repair a failed component or device.

75
Q

Karen lives in an area that is prone to hurricanes and other extreme weather conditions. She asks you to recommend an electrical conditioning device that will prevent her files from being corrupted if the power to the building is unstable or lost. Additionally, she would like the computer to maintain power for up to an hour of uptime to allow for a graceful shutdown of her programs and computer. Which of the following should you recommend?

A

An uninterruptible power supply or uninterruptible power source (UPS) is an electrical apparatus that provides emergency power to a load when the input power source becomes too low, or the main power fails. A UPS provides near-instantaneous protection from input power interruptions by using a battery backup. The on-battery run-time of most uninterruptible power sources is usually short (less than 60 minutes) but sufficient to properly shut down a computer system.

76
Q

Which attack method is MOST likely to be used by a malicious employee or insider who is trying to obtain another user’s passwords?

A

While all of the methods listed could be used by a malicious employee or insider to obtain another user’s passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder. Since a malicious employee or insider can work in close proximity to their victims (other users), they could easily use this technique to collect the passwords of the victimized users.

77
Q

Which type of threat actor can accidentally or inadvertently cause a security incident in your organization?

A

An insider threat is a threat actor who holds assigned privileges on the system and causes an intentional or unintentional incident. Insiders can be used as unwitting pawns of external organizations or may make crucial mistakes that open up exploitable security vulnerabilities.

78
Q

Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to “click here” to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following best describes this type of attack?

A

This is an example of a phishing attack. Phishing is the fraudulent practice of sending emails and pretending to be from a reputable company in order to trick users into revealing personal information, such as passwords and credit card numbers. This email appears to be untargeted since it was sent to both customers and non-customers of this particular bank; it is best classified as phishing. Spear phishing requires the attack to be more targeted and less widespread.

80
Q

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system?

A

A data owner is a person responsible for the confidentiality, integrity, availability, and privacy of information assets. They are usually senior executives and somebody with authority and responsibility. A data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls. The data owner typically selects the data steward and data custodian and has the authority to direct their actions, budgets, and resource allocations.

81
Q

Your company is setting up a system to accept credit cards in their retail and online locations. Which of the following compliance types should you be MOST concerned with when dealing with credit cards?

A

The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to host your data securely and follow PCI compliance requirements.

82
Q

Your company is expanding its operations in the European Union and is concerned about additional governmental regulations that may apply. Which of the following regulations applies when processing personal data within the European Union?

A

GDPR (General Data Protection Regulation) is the European Union regulation that applies to any company processing the personal data of people in the EU, whether or not the company is based there. Other categories of regulated data worth knowing alongside it are PII (Personally Identifiable Information), PCI (payment card data, governed by PCI DSS), and PHI (Protected Health Information).

83
Q

During which incident response phase is the preservation of evidence performed?

A

A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, to prevent future attacks, or to bring up an attacker on criminal charges. Restoration and recovery are often prioritized over analysis by business operations personnel, but taking time to create a forensic image is crucial to preserve the evidence for further analysis and investigation.

84
Q

You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?

A

When collecting evidence, you should always follow the order of volatility: collect the most volatile evidence (most likely to change) first and the least volatile (least likely to change) last. Begin with the CPU registers and cache memory (L1/L2/L3/GPU). Next comes the contents of system memory (RAM), including the routing table, ARP cache, process table, kernel statistics, and temporary file systems, swap space, and virtual memory. Only then move on to persistent storage devices such as hard drives, SSDs, and flash memory, followed by remote logging and monitoring data, physical configuration and network topology, and finally archival media.

85
Q

Which of the following is required for evidence to be admissible in a court of law?

A

The chain of custody is used to document the collection and preservation of evidence from its initial acquisition, throughout the handling leading up to a trial, and during its preservation in case of an appeal or retrial.