SecurityX Practice Exam #4 (Dion) Flashcards

Question

An IDS is being implemented in an organization that handles sensitive financial data. The security team has the following goals: Monitor traffic for unauthorized access attempts without disrupting legitimate business processes Identify threats by analyzing patterns of network traffic Generate alerts for detected anomalies and potential attacks Given these requirements, which IDS deployment strategy is most appropriate? Configuring the IDS as a default gateway for all network traffic Out-of-band deployment to passively monitor and alert on suspicious activity Provide inline deployment to block malicious traffic in real-time Your answer is incorrect Combining IDS with endpoint detection tools for proactive blocking

Answer 1

Out-of-band deployment to passively monitor and alert on suspicious activity Explanation: OBJ 2.1: An out-of-band deployment enables the IDS to monitor traffic passively, analyzing patterns and generating alerts without affecting the flow of legitimate business traffic. This setup aligns with the goal of non-intrusive monitoring. Inline deployment is characteristic of an IPS, which actively blocks traffic and does not align with IDS functionality. Configuring the IDS as a gateway is impractical, as it may introduce latency and is more suited to firewalls or proxies. Combining IDS with endpoint tools focuses on active blocking, which goes beyond the traditional scope of IDS. For support or reporting issues, include Question ID: 6750f114ec280b7d2c7fa1d8 in your ticket. Thank you.

Answer 2

TACACS+ Explanation: OBJ 2.4: TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services. For support or reporting issues, include Question ID: 63fe06ee3b7322449ddbc78e in your ticket. Thank you.

Answer 3

Identify Explanation: OBJ 1.2: This is the identify phase. The identify phase is used to inventory assets and for the identification of all risk items in an organization. The assess phase is used to analyze identified risks to determine their associated level of risk before any mitigations or controls are implemented. The control phase is used to identify effective methods for risk reduction for identified risks in an organization. The review phase is used to periodically re-evaluate the risks in an organization by determining if the risk level has changed and identified controls are still effective. For support or reporting issues, include Question ID: 63fe07f03b7322449ddbd432 in your ticket. Thank you.

Answer 4

Timestomp a malware file to make it appear as if it is part of the operating system Create a point of presence by adding services, scheduled tasks, or AutoRun keys Install a backdoor/implant on a client victim Install a webshell on a server Explanation: OBJ 1.4: During the installation phase, the adversary is taking actions to establish a footprint on the target system and is attempting to make it difficult for a defender to detect their presence. The attack may also attempt to confuse any attempts to remove the adversary from the system if the detection of their presence occurs. Due to this, an attacker will attempt to install multiple backdoors, implants, web shells, scheduled tasks, services, or AutoRun keys to maintain their access to the target. Timestomping is also conducted to hide the presence of malware on the system. Opening up two-way communication with an established C2 infrastructure occurs in the command and control phase. Collecting user credentials occurs in the actions on objectives phase. For support or reporting issues, include Question ID: 63fe07943b7322449ddbcfa0 in your ticket. Thank you.

Answer 5

Separation of duties Explanation: OBJ 1.2: This organization uses separation of duties to ensure that neither Kirsten nor Bob can exploit the organization’s ordering processes for their gain. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Mandatory vacation policies require employees to take time away from their job and detect fraud or malicious activities. A background check is a process a person or company uses to verify that a person is who they claim to be and provides an opportunity for someone to check a person's criminal record, education, employment history, and other past activities to confirm their validity. For support or reporting issues, include Question ID: 63fe07e83b7322449ddbd3d1 in your ticket. Thank you.

Answer 6

Private Function Evaluation Explanation: OBJ 3.7: Private Function Evaluation (PFE) allows two parties to jointly evaluate a private function without revealing their respective inputs. Secure Function Evaluation (SFE) allows two parties to jointly evaluate a publicly known function without revealing their respective inputs. Private Information Retrieval (PIR) retrieves an item from a service in possession of a database without revealing which item is retrieved. Secure Multi-Party Computation creates methods for parties to jointly compute a function over their inputs while keeping those inputs private. For support or reporting issues, include Question ID: 63fe06ff3b7322449ddbc86a in your ticket. Thank you.

Answer 7

They allow attackers to exploit trust relationships within an application’s architecture Explanation: OBJ 3.2 - Injection vulnerabilities are dangerous because they exploit the inherent trust applications place in user input, manipulating this trust to execute unauthorized actions or access sensitive data. This strategic exploitation undermines the fundamental security assumptions of an application. These attacks are pervasive across various programming languages and systems, targeting software logic and often requiring minimal resources to execute. For support or reporting issues, include Question ID: 675064363af44d9e9e56c75d in your ticket. Thank you.

Answer 8

Secure Function Evaluation Explanation: OBJ 3.7: Secure Function Evaluation (SFE) allows two parties to jointly evaluate a publicly known function without revealing their respective inputs. Private Information Retrieval (PIR) retrieves an item from a service in possession of a database without revealing which item is retrieved. Private Function Evaluation (PFE) allows two parties to jointly evaluate a private function without revealing their respective inputs. Secure Multi-Party Computation creates methods for parties to jointly compute a function over their inputs while keeping those inputs private. For support or reporting issues, include Question ID: 63fe06e63b7322449ddbc734 in your ticket. Thank you.

Answer 9

Social engineering leveraging AI-based customization Explanation: OBJ 1.5 - This attack demonstrates social engineering augmented by AI, where artificial intelligence is used to analyze publicly available information and create highly personalized phishing messages. While deep fakes involve fabricated media and automated exploit crafting focuses on technical vulnerabilities, AI-driven pipeline manipulation pertains to internal AI workflow disruptions, none of which apply in this context. For support or reporting issues, include Question ID: 674ea9b1f0442e03b476b702 in your ticket. Thank you.

Answer 10

\b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b Explanation: OBJ 4.1: The correct option is \b(192\.168\.66\.6)|(10\.66\.6\.10)|(172\.16\.66\.1)\b, which uses parenthesis and "OR" operators (|) to delineate the possible whole-word variations of the three IP addresses. Using square braces indicates that any of the letters contained in the square braces are matching criteria. Using the + operator indicates an allowance for one more instance of the preceding element. In all cases, the period must have an escape (\) sequence preceding it as the period is a reserved operator internal to REGEX. For support or reporting issues, include Question ID: 63fe07423b7322449ddbcba1 in your ticket. Thank you.

Answer 11

It provides runtime protection for workloads by detecting and blocking malicious activity Explanation: OBJ 4.4 - A Cloud Workload Protection Platform (CWPP) secures cloud workloads by providing visibility, runtime protection, and threat detection across containers, virtual machines, and serverless environments. While compliance monitoring and key management are important cloud security practices, they are not primary CWPP functions. Automating backups ensures availability but is unrelated to runtime protection and threat detection. For support or reporting issues, include Question ID: 67508d0a00440144bc05ee3a in your ticket. Thank you.

Answer 12

$20,000 Explanation: OBJ 4.1: The single loss expectancy (SLE) is the amount that would be lost in a single occurrence of a particular risk factor. To calculate the single loss expectancy (SLE), you will multiple the asset value (AV) times the exposure factor (EF). Since you are asked to calculate the single loss expectancy, you do not need to calculate the annual rate of occurrence nor the annualized loss expectancy. SLE = AV x EF. Here, the SLE would be $50,000 (asset value) × 40% (exposure factor), which equals $20,000. The loss of business revenue serves as a distractor to add complexity as it is used in finding other factors not required in this question. For support or reporting issues, include Question ID: 6709aa6d12632274bc4072cd in your ticket. Thank you.

Answer 13

Deploy backup power supplies to ensure continuous operation Explanation: OBJ 3.4 - Backup power ensures that the tamper detection system remains operational even if the primary power source is cut, addressing the root cause of the vulnerability. Increasing surveillance or requiring dual-factor authentication enhances security but does not directly resolve the power issue. Tamper-evident stickers provide visual cues but do not prevent or detect tampering in real-time. For support or reporting issues, include Question ID: 675082f5dfd365846f56357a in your ticket. Thank you.

Answer 14

Context-based authentication Explanation: OBJ 4.1: Context-based authentication can consider several factors before permitting access to a user, including their location (e.g., country, GPS location, etc.), the time of day, and other key factors to minimize the threat of compromised credentials from being utilized by an attacker. A self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor and repair their problem without calling the help desk. While helpful, this alone would not help prevent an attacker from using the compromised credentials. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems. Again, this is helpful since it will minimize the number of usernames and passwords that a user must remember. Still, if their credentials are stolen, then the attacker can now access every system the user had access to, extending the problem. Password complexity is also a good thing to use, but it won't address the challenge presented in how to prevent the use of compromised credentials. If the password complexity is increased, this will prevent a brute force credential compromise. However, if the credentials are compromised any other way, the attacker could still log in to our systems and cause trouble. For support or reporting issues, include Question ID: 63fe06ea3b7322449ddbc75c in your ticket. Thank you.

Answer 15

802.1x using EAP with MSCHAPv2 Explanation: OBJ 2.4: Since the backend uses a RADIUS server for back-end authentication, the network administrator can install 802.1x using EAP with MSCHAPv2 for authentication. The Extensible Authentication Protocol (EAP) is a framework in a series of protocols that allows for numerous different mechanisms of authentication, including things like simple passwords, digital certificates, and public key infrastructure. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based authentication protocol that is widely used as an authentication method in PPTP-based (Point to Point Tunneling Protocol) VPNs and can be used with EAP. For support or reporting issues, include Question ID: 63fe06dc3b7322449ddbc6b2 in your ticket. Thank you.

Answer 16

The user is assigned a role that lacks the necessary permissions for the application Explanation: OBJ 3.1: Successful authentication indicates that the user’s identity was verified, but authorization failure means the user lacks the required permissions to access the application. This typically results from misconfigured roles or permissions. Account locks or offline servers would prevent authentication, not cause authorization failure, while misconfigured authentication mechanisms would prevent successful login altogether. For support or reporting issues, include Question ID: 67513dc26a9dc9d16f2d02fe in your ticket. Thank you.

Answer 17

Software development lifecycle model Explanation: OBJ 4.2: The software development lifecycle model used by a company is purely an internal function relevant only to the development of custom software within the organization. Regardless of whether a waterfall or agile methodology is chosen, it does not directly affect the organization's attack surface. The attack surface represents the set of things that could be attacked by an adversary. External and internal users, websites, cloud entities, and software applications used by an organization are all possible entry points that an adversary could attempt an attack upon. For support or reporting issues, include Question ID: 63fe07063b7322449ddbc8bf in your ticket. Thank you.

Answer 18

Secure enclave Explanation: OBJ 3.4: Secure enclaves isolate sensitive data and computations from the main system, enhancing security by reducing exposure to threats. Trusted Platform Modules (TPMs) are used for secure key storage and cryptographic operations but are not specifically designed for isolated computations. Virtual Trusted Platform Modules (vTPMs) are virtualized versions of TPMs, lacking the dedicated hardware isolation of secure enclaves. Hardware Security Modules (HSMs) focus on high-security cryptographic key management rather than computation isolation. For support or reporting issues, include Question ID: 6751ac6597eb9dce4020fc0e in your ticket. Thank you.

Answer 19

Cryptographic obfuscation Explanation: OBJ 3.8: Cryptographic obfuscation is used to transform protected data into an unreadable format. For example, the Linux user passwords stored in the /etc/shadow file are obfuscated to protect them. Crypto shredding is used to destroy a decryption key to effectively destroy the data that key was used to protect. This technique ensures that the data will remain encrypted if the key is fully destroyed and the encryption algorithm itself remains secure. Key rotation is the process of purposely changing keys periodically to mitigate against brute force attacks and key disclosure compromises. During key rotation, the previous key is also revoked and invalidated. Rekeying is the process of changing an individual key during a communication session. Most communication protocols use session key rekeying to protect the data being transmitted. A rekeying is normally triggered based on the volume of data communicated or the amount of time since the last rekeying. For support or reporting issues, include Question ID: 63fe07d23b7322449ddbd2b9 in your ticket. Thank you.

Answer 20

PII Explanation: OBJ 1.3: Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. Proprietary information or intellectual property (IP) is information created and owned by the company, typically about the products or services that they make or perform. Controlled Unclassified Information (CUI) is federal non-classified information that must be safeguarded by implementing a uniform set of requirements and information security controls to secure sensitive government information. For support or reporting issues, include Question ID: 63fe08053b7322449ddbd53b in your ticket. Thank you.

Answer 21

Only allow administrators to access routers using port 22 Explanation: OBJ 3.2: Port 22 uses SSH to authenticate a remote computer or user, or in this case, an administrator. Even if the router has been compromised, the new full rights user will not access their new account without the SSH key, which could only be provided by a true administrator. Telnet uses port 23 and passes all information as unencrypted traffic on the network. Telnet should always be disabled for security reasons, and SSH (which uses encryption) should be used instead. For support or reporting issues, include Question ID: 63fe070e3b7322449ddbc91e in your ticket. Thank you.

Answer 22

Continuous monitoring Explanation: OBJ 3.5: Continuous monitoring uses tools like IDS and traffic analysis to detect anomalies and potential threats in operational technology systems. Environmental hardening involves physical protections, not network activity monitoring. Firmware updates are not frequent in Supervisory Control and Data Acquisition (SCADA) systems due to operational constraints. Secure boot ensures trusted software at startup but does not monitor ongoing activity. For support or reporting issues, include Question ID: 6751b1368e62d8320cd6bbbc in your ticket. Thank you.

Answer 23

Implement device attestation to verify integrity before access is granted Explanation: OBJ 2.6: Device attestation ensures that hardware and software are validated for integrity and compliance with security policies before granting access to sensitive resources. This aligns with Zero Trust principles of continuous verification. Assigning static IP addresses does not confirm device integrity or compliance. Allowing unmanaged devices based solely on user credentials introduces significant security risks and violates Zero Trust principles. Basic network monitoring provides visibility but does not actively enforce access controls or verify device integrity. For support or reporting issues, include Question ID: 6751037123df37e1b5ec6041 in your ticket. Thank you.

Answer 24

CI/CD Explanation: OBJ 2.2: Continuous integration/continuous delivery (CI/CD) is a software development methodology in which code updates are tested and committed to a development or build server/code repository rapidly. Waterfall is a software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete. Spiral development allows the modification of the development repeatedly in response to stakeholder feedback and input but still follows an overall beginning-to-end structure. Both waterfall and spiral development are too slow to support code deployments multiple times per day, so agile development must be utilized. Middleware generally describes more comprehensive software applications designed to integrate two systems. Middleware can perform more sophisticated mechanisms and include multiple APIs to connect to various sources, enabling more feature-rich operations or to detach features from individual systems so they can be separately managed and controlled. Middleware is not a development technique. For support or reporting issues, include Question ID: 63fe07123b7322449ddbc950 in your ticket. Thank you.

Answer 25

Data masking Explanation: OBJ 3.8: Data masking can mean that all or part of a field's contents is redacted, by substituting all character strings with x, for example. Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. An authorized query or app can retrieve the original value from the vault, if necessary, so tokenization is a reversible technique. Data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Reducing what information is collected reduces the amount and type of information that must be protected. Data anonymization is the process of removing personally identifiable information from a data set so that the people whom the data describe remain anonymous. For support or reporting issues, include Question ID: 63fe06c43b7322449ddbc58e in your ticket. Thank you.

Answer 26

Add the legitimate applications to an allowlist based on a thorough review Explanation: OBJ 3.2: Application allowlisting improves security by permitting only approved applications to run. When legitimate applications are blocked, adding them to the allowlist after careful verification ensures they can function without weakening the overall security posture. Disabling application control or switching to monitoring mode compromises security, while a denylist alone does not provide the proactive protection of an allowlist. For support or reporting issues, include Question ID: 67513f8113c8d9f38d27de06 in your ticket. Thank you.

Answer 27

Configuring secure VPN profiles for all managed devices Explanation: OBJ 3.2: Secure VPN profiles allow devices to access corporate resources securely from any network by creating an encrypted connection to the corporate environment. Application allowlisting and MFA enhance device security but do not address the issue of accessing resources off the corporate network. Geofencing is not suitable for enabling secure access in this scenario. For support or reporting issues, include Question ID: 6751470fee759eace74d72dc in your ticket. Thank you.

Answer 28

User and entity behavior analytics (UEBA) Explanation: OBJ 3.4: User and entity behavior analytics (UEBA) is a type of cybersecurity application or appliance that identifies anomalous or malicious behavior by using machine learning and statistical analysis to identify deviations from normally established baselines and patterns of activity. Endpoint detection and response (EDR) is a software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats. A host-based intrusion detection system (HIDS) is a type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system's state. A host-based firewall is a firewall implemented as application software running on the host that provides sophisticated filtering of network traffic as well as block processes at the application level. For support or reporting issues, include Question ID: 63fe07da3b7322449ddbd318 in your ticket. Thank you.

Answer 29

LDAPS Explanation: OBJ 2.4: The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable access to a directory of resources (workstations, users, information, etc.). TLS provides mutual authentication between clients and servers. Since Secure LDAP (LDAPS) uses TLS, it provides mutual authentication. For support or reporting issues, include Question ID: 63fe06f43b7322449ddbc7de in your ticket. Thank you.

Answer 30

An attacker exploits a misconfigured application to gain administrative rights from a standard user account Explanation: OBJ 3.2 - Privilege escalation occurs when an attacker exploits a vulnerability, misconfiguration, or flaw to gain higher-level permissions than initially granted. For example, moving from a standard user account to administrative access enables the attacker to execute more harmful actions. Credential theft, denial-of-service (DoS) attacks, and interception of network traffic represent other tactics but do not specifically demonstrate privilege escalation. For support or reporting issues, include Question ID: 675064833af44d9e9e56c762 in your ticket. Thank you.

Answer 31

Data exfiltration Explanation: OBJ 4.2: If attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request. For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB. Therefore, this scenario is an example of a data exfiltration indicator of compromise. Based on the scenario, there is no evidence that a user is conducting a privilege escalation or using unauthorized privileges. There is also no evidence of a new account having been created or beaconing occurring over the network. For support or reporting issues, include Question ID: 63fe07463b7322449ddbcbce in your ticket. Thank you.

Answer 32

Review the asset inventory and BCP Explanation: OBJ 4.1: To best understand a system's criticality, you should review the asset inventory and the BCP. Most organizations classify each asset in its inventory based on its criticality to the organization's operations. This helps to determine how many spare parts to have, the warranty requirements, service agreements, and other key factors to help keep these assets online and running at all times. Additionally, you can review the business continuity plan (BCP) since this will provide the organization's plan for continuing business operations in the event of a disaster or other outage. Generally, the systems or operations listed in a BCP are the most critical ones to support business operations. While the CEO may be able to provide a list of the most critical systems in a large organization, it isn't easy to get them to take the time to do it, even if they did know the answer. Worse, in most large organizations, the CEO isn't going to know what systems he relies on, but instead just the business functions they serve, again making this a bad choice. While conducting a nmap scan may help you determine what OS is being run on each system, this information doesn't help you determine criticality to operations. The same is true of using IP subnets since a list of subnets by itself doesn't provide criticality or prioritization of the assets. For support or reporting issues, include Question ID: 63fe07803b7322449ddbcead in your ticket. Thank you.

Answer 33

Routing errors Explanation: OBJ 3.3: Routing errors cause improper packet forwarding, leading to connectivity issues. Faulty NICs are hardware-related, not configuration issues. Switch misconfigurations impact local network data switching, not routing. DNS misalignment is unrelated to internal routing paths. For support or reporting issues, include Question ID: 6751a8edccca116cc0eb3b85 in your ticket. Thank you.

Answer 34

Separation of duties Explanation: OBJ 1.2: Separation of duties is the concept of having more than one person required to complete a task. In business, the separation by sharing more than one individual in a single task is an internal control intended to prevent fraud and error. In this case, one person can transfer money in, while another must transfer money out. Dual control authentication is used when performing a sensitive action and requires two different users to log in. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities. Security through obscurity is the reliance on security engineering in design or implementation by using secrecy as the main method of providing security to a system or component. For support or reporting issues, include Question ID: 63fe07ff3b7322449ddbd4f0 in your ticket. Thank you.

Answer 35

SNMP Explanation: OBJ 4.1: Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, and many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission. For support or reporting issues, include Question ID: 63fe07033b7322449ddbc892 in your ticket. Thank you.

Answer 36

Recovery point objective (RPO) Explanation: OBJ 1.1: The COO has defined the recovery point objective as 2 hours. The recovery point objective defines the maximum amount of data that can be lost without irreparable harm to the operation of the business. The recovery time objective defines the maximum amount of time that performing a recovery can take and the service can be offline. The recovery service level is the minimum acceptable amount of services that must be restored for a given system to consider it recovered. For example, your organization may need to restore its databases and websites to meet its recovery service level objectives while leaving its print servers offline since they may not be considered a mission-essential function in your organization. The mean time to recovery is the average amount of downtime calculated based on when a service or device fails and when its functionality is restored. For support or reporting issues, include Question ID: 63fe07ef3b7322449ddbd41e in your ticket. Thank you.

Answer 37

It executes browser sessions in a secure environment to prevent threats from interacting with endpoints directly Explanation: OBJ 3.2: Browser isolation enhances security by running browser sessions in a secure, isolated environment, such as a virtual container or cloud-based sandbox. This approach prevents malicious web content, including exploits and drive-by downloads, from directly impacting the endpoint. Blocking traffic with URL filtering reduces risk but does not isolate threats. Disabling browser features like scripting and plugins is limited to specific types of vulnerabilities, and while a web application firewalls (WAF) inspect web traffic, they do not directly isolate browser activity. For support or reporting issues, include Question ID: 67514432b702e8776b8d552a in your ticket. Thank you.

Answer 38

Implement a unified global data protection policy that meets the strictest regional regulation Explanation: https://ibm-learning.udemy.com/course/comptia-securityx-cas-005-6-practice-exams/learn/quiz/6689173/test#overview:~:text=OBJ%203.8%20%2D%20Implementing,ticket.%20Thank%20you.

Answer 39

Use MFA only for risky actions Explanation: OBJ 2.2: Adaptive MFA balances security and usability by triggering authentication only for high-risk situations, improving the user experience without compromising protection. Disabling MFA sacrifices security entirely. SSO alone is user-friendly but insufficient for sensitive data. Password changes alone weaken security and do not address usability complaints. For support or reporting issues, include Question ID: 6750fbdd23df37e1b5ec5f7d in your ticket. Thank you.

Answer 40

Define RBAC and use hashed passwords for credential storage Explanation: OBJ 2.2: Functional security requirements focus on specific features and functionalities within a system that address security needs: Role-based access control (RBAC) ensures only authorized users can access specific application features, Hashed passwords provide secure storage for credentials, meeting the requirement to secure user credentials. Multifactor authentication (MFA) integration can be seamlessly incorporated into these functional requirements for additional security. Encrypting traffic and vulnerability scans are essential but pertain to operational or non-functional requirements. User training addresses awareness, not system functionality. Intrusion detection and endpoint protection are external measures not directly tied to application design. For support or reporting issues, include Question ID: 6750fa3323df37e1b5ec5f6c in your ticket. Thank you.

Answer 41

Application hardening Explanation: OBJ 2.3: Application hardening involves taking actions to best secure the application from attack. This involves removing any default or sample configurations, properly configuring settings, and updating the application to the latest and more secure version. Patch management is incorrect because only updating the software falls under patch management, not the configuration portions of her actions. Vulnerability scanning involves scanning a device for known vulnerabilities to update the device and prevent a future attack. Input validation is a technique to verify user-provided data meets the expected length and type before allowing a program to utilize it. For support or reporting issues, include Question ID: 63fe07c63b7322449ddbd219 in your ticket. Thank you.

Answer 42

These systems are difficult to retrofit with modern security Explanation: OBJ 3.5: Industrial control system (ICS) and supervisory control and data acquisition (SCADA) systems were developed many years before security standards were established and integrated into their design. Many of these older systems date back to the 1970s and are still in use today. Over time, these systems were incorporated into the organization's TCP/IP data networks, which provides a huge exploitation area by penetration testers and attackers alike. Many ICS and SCADA vendors are slow to implement security measures since they cannot be easily retrofitted with the newer security required. Therefore, ICS and SCADA systems should ALWAYS be isolated from production networks and segmented into their logical network. For example, some ICS/SCADA systems use a proprietary operating system. More modern ICS/SCADA operates using a version of Windows. However, many still use Windows XP, making them much more vulnerable since they cannot be upgraded to Windows 10 without hardware replacement. For support or reporting issues, include Question ID: 63fe07b33b7322449ddbd12e in your ticket. Thank you.

Answer 43

Secure Multi-Party Computation Explanation: OBJ 3.8: Secure Multi-Party Computation creates methods for parties to jointly compute a function over their inputs while keeping those inputs private. Private Function Evaluation (PFE) allows two parties to jointly evaluate a private function without revealing their respective inputs. Secure Function Evaluation (SFE) allows two parties to jointly evaluate a publicly known function without revealing their respective inputs. Private Information Retrieval (PIR) retrieves an item from a service in possession of a database without revealing which item is retrieved. For support or reporting issues, include Question ID: 63fe07113b7322449ddbc941 in your ticket. Thank you.

Answer 44

$7,500 Explanation: OBJ 1.2: To calculate the ALE, you need to multiple the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). The SLE is calculated by multiplying the Exposure Factor (EF) by the Asset Value (AV). Therefore, SLE = EF x AV, and ALE = SLE x ARO. For this scenario, the asset value is $15,000, the annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To calculate the SLE, SLE = 0.05 x $15,000 = $750. Therefore, the ALE = SLE x ARO = $750 x 10 = $7,500. For support or reporting issues, include Question ID: 63fe08053b7322449ddbd531 in your ticket. Thank you.

Answer 45

Forward secrecy Explanation: OBJ 3.7: Forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets that were used in the session key exchange are compromised. Key stretching is a technique that strengthens potentially weak input for cryptographic key generation, such as passwords or passphrases created by people, against brute force attacks. Authenticated encryption with associated data (AEAD) is a form of encryption that provides confidentiality of the plaintext, a way to check its integrity, and a method of verifying its authenticity. Cipher block chaining (CBC) is a simple mode of enabling symmetric block ciphers to work with large sets of data. CBC is an older method that is vulnerable to the padding-oracle attack and should therefore not be used. For support or reporting issues, include Question ID: 63fe07ba3b7322449ddbd18d in your ticket. Thank you.

Answer 46

Using micro-segmentation to isolate workloads and enforce strict access policies between network segments Explanation: OBJ 2.6 - Micro-segmentation divides the network into smaller, isolated segments, allowing strict access controls and policies to be applied at the workload level. This strategy effectively prevents lateral movement by attackers while maintaining flexibility for operational needs. Implementing a single VLAN oversimplifies management and leaves the network vulnerable to unrestricted movement. A flat network structure with IDS monitoring does not stop lateral movement, it only detects it. Grouping all critical systems into a single secure zone provides some protection but does not address the broader risks associated with unrestricted access across other parts of the network. For support or reporting issues, include Question ID: 674f6f1170de25277ff862a8 in your ticket. Thank you.

Answer 47

Use credentialed scans during maintenance windows to gather in-depth information Explanation: OBJ 2.1: Credentialed scans allow the scanner to authenticate with target systems and provide more accurate and detailed results without causing significant disruptions. Scheduling scans during maintenance windows minimizes the impact on critical systems. Intrusive scans during peak hours risk disrupting production systems, violating the requirement to minimize disruption. Uncredentialed scans may reduce overhead but provide less comprehensive results. Continuous scanning increases system load and is not suitable for minimizing disruption in critical environments. For support or reporting issues, include Question ID: 6750f262ec280b7d2c7fa23e in your ticket. Thank you.

Answer 48

Add the malicious domain name to your content filter and web proxy's block list Explanation: OBJ 4.2: To prevent a user from accessing the malicious website when the link is clicked, the malicious domain name should be added to the blocklist of the company's content filter and web proxy. This will ensure that no devices on the network can reach the malicious domain name. While blocking the IP address associated with the domain name might help for a short period of time, the malicious domain's owner could quickly redirect the DNS to point to a different IP. Then the users would still be able to access the malicious domain and its contents. Enabling TLS on the mail server will only encrypt the connection between the email server and its clients. Still, it will not prevent the users from clicking on the malicious link and accessing the malicious content. While informing the users that there is an active attempt at phishing being conducted against the organization is a good idea, forwarding the phishing email with the malicious link will generally cause more users to accidentally click on the malicious link, which further exacerbates the issue. For support or reporting issues, include Question ID: 63fe06d73b7322449ddbc676 in your ticket. Thank you.

Answer 49

Generating digital signatures for each purchase order made by customers Explanation: OBJ 3.8 - Non-repudiation ensures that a transaction cannot be denied by the involved parties. Digital signatures provide proof of the origin and integrity of the purchase order, binding the customer to the transaction. Storing IP addresses and timestamps aids in auditing but does not ensure non-repudiation. Encrypting payment information ensures confidentiality but does not prevent denial of the transaction. Requiring authentication verifies the user's identity but does not tie the user to a specific transaction in a non-repudiable way. For support or reporting issues, include Question ID: 675085c8f86f3d695e9ad0e1 in your ticket. Thank you.

Answer 50

Annually Explanation: OBJ 1.2: Annual reviews are an industry standard and are typically sufficient unless circumstances happen that might require an update or revision sooner. Waiting five years between policy reviews is too long and would leave the organization with constantly outdated policies. Similarly, conducting quarterly or monthly reviews is too frequent, and there will not be enough time for substantial changes to have occurred. Additionally, most formal audits and assessments are undertaken annually. Therefore, this is a reasonable frequency to use without overburdening your staff. For support or reporting issues, include Question ID: 63fe08013b7322449ddbd509 in your ticket. Thank you.

Answer 51

Staging Explanation: OBJ 3.2: Deploying changes in a staging or sandbox environment provides the organization with a safe, isolated place for testing changes without interfering with production systems. Staging environments can mimic the actual production environment, leading to a realistic test environment that minimizes the risk of failure during a push to the production environment. Honeypots/Honeynets are not considered a testing environment. Instead, they are designed to attract attackers. The organization should not use the development environment to test the patches since a development environment does not mimic the real production environment. For support or reporting issues, include Question ID: 63fe06bd3b7322449ddbc53a in your ticket. Thank you.

Answer 52

Enable anomaly-based detection with threshold adjustments for high traffic Explanation: OBJ 2.1: Anomaly-based detection is effective for identifying unusual patterns in traffic, which is crucial for dynamic environments like e-commerce. Adjusting thresholds reduces the risk of false positives while maintaining security. Signature-based detection for all traffic can lead to delays due to the need for extensive rule matching, impacting performance. Blocking all traffic by default is too restrictive for a customer-facing platform and may disrupt legitimate traffic. Passive mode eliminates performance concerns but does not actively prevent malicious traffic. For support or reporting issues, include Question ID: 6750f0b8ec280b7d2c7fa1d3 in your ticket. Thank you.

Answer 53

It identifies unique coding styles and patterns within the malware’s code to link it to a specific developer or group Explanation: OBJ 4.4 - It identifies unique coding styles and patterns within the malware’s code to link it to a specific developer or group. Code stylometry analyzes distinct coding habits, styles, and patterns in the malware’s code, helping to attribute it to a specific threat actor or group. Analyzing network communication patterns helps trace the malware’s origin or track its actions, but it doesn’t directly identify the developer or group behind it. Matching the malware’s hash can identify known malware but doesn’t provide insight into the specific author. Executing the malware in a sandbox reveals its behavior but doesn’t directly connect the code to its creator. Therefore, code stylometry focuses on identifying unique patterns in the code itself for attribution. For support or reporting issues, include Question ID: 67508ed3f94527ffaf8d225d in your ticket. Thank you.

Answer 54

Measured services Explanation: OBJ 2.5: Measured service is a term that IT professionals apply to cloud computing that references services where the cloud provider measures or monitors the provision of services for various reasons, including billing, effective use of resources, or overall predictive planning. Rapid elasticity is used to describe scalable provisioning or the capability to provide scalable cloud computing services. Rapid elasticity is very critical to meet the fluctuating demands of cloud users. The downside of rapid elasticity implementations is that they can cause significant loading of the system due to the high resource number of allocation and deallocation requests. On-demand refers to the fact that a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider. Resource pooling refers to the concept that allows a virtual environment to allocate memory and processing capacity for a VMs use. For support or reporting issues, include Question ID: 63fe070c3b7322449ddbc900 in your ticket. Thank you.

Answer 55

John does not have permission to perform the scan Explanation: OBJ 1.1: All options listed are an issue, but the most significant issue is that John does not have the client’s permission to perform the scan. A vulnerability scan may be construed as a form of reconnaissance, penetration testing, or even an attack on the organization’s systems. A cybersecurity analyst should never conduct a vulnerability scan on another organization’s network without explicit written permission. In some countries, a vulnerability scan against an organization’s network without their permission is considered a cybercrime and could result in jail time for the consultant. For support or reporting issues, include Question ID: 63fe07303b7322449ddbcaca in your ticket. Thank you.

Answer 56

Contact the service desk or incident response team to determine what to do next Explanation: OBJ 1.2: This is an example of either a data leak or a data breach. James is not sure how the website got the details of the product's specifications. Therefore, he should follow his organizational procedures for notification that internal company information has been leaked to the internet. In most organizations, the service desk acts as the single point of contact for all IT issues (even possible data breaches), and they can refer James to the incident response team (if one is currently stood up). Since James works as a programmer, it is unlikely that his team lead is responsible for handling a data leak or data breach, so it is better to contact the service desk first. James should not contact the website directly nor reply to the blog post. Instead, he should leave the response actions to the security team and the incident response team. For support or reporting issues, include Question ID: 63fe06f53b7322449ddbc7ed in your ticket. Thank you.

Answer 57

Model denial of service Explanation OBJ 1.5: A model denial of service (DoS) attack overwhelms the AI system with excessive requests or computational tasks, rendering it unable to process legitimate inputs effectively. This impacts availability and performance. Prompt injection involves feeding malicious input to manipulate the model's output, not its availability. Training data poisoning corrupts the training data but does not directly overload the model. Model inversion focuses on extracting sensitive data, not on denial of service. For support or reporting issues, include Question ID: 674fef8fdb3fddf57c662ca3 in your ticket. Thank you.

Answer 58

Using a software-defined architecture to manage network traffic centrally Explanation: OBJ 2.6 - SDN separates the control plane from the data plane, enabling centralized management and programmability of network traffic. This makes it ideal for scalable and automated environments. VPNs and manual configurations are less efficient, and dedicated hardware routes do not provide the flexibility needed for dynamic cloud environments. For support or reporting issues, include Question ID: 674f73f425e0bdcbe9af8fb7 in your ticket. Thank you.

Answer 59

Measured boot Explanation: OBJ 3.4: Measured boot is a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server. Master boot record analysis is used to capture the hard disk's required information to support a forensic investigation. It would not detect malware during the system's boot-up process. Startup control would be used to determine which programs will be loaded when the operating system is initially booted, but this would be too late to detect malware loaded during the pre-startup and boot process. Advanced anti-malware solutions are programs that are loaded within the operating system. Therefore, they are loaded too late in the startup process to be effective against malicious boot sector viruses and other BIOS/UEFI malware variants. For support or reporting issues, include Question ID: 63fe07c33b7322449ddbd1fb in your ticket. Thank you.

Answer 60

Hacktivist Explanation: OBJ 1.4: It appears this hack was motivated by a pro-environmentalist agenda based on the message of the website defacement. This is an example of hacktivism. In 2012, five top multi-national oil companies were targeted by members of Anonymous as a form of digital protest against drilling in the Arctic, a practice that these hacktivists believe has contributed to the melting of the ice caps in that region. For support or reporting issues, include Question ID: 63fe078a3b7322449ddbcf2a in your ticket. Thank you.

Answer 61

Implement always-on VPN with user and device identity verification for every session Explanation: OBJ 2.6 - An always-on VPN ensures that all traffic is encrypted and connected to the enterprise network, while user and device identity verification adds an additional layer of security, aligning with Zero Trust principles. This approach addresses the excessive trust issue by validating users and devices continuously, ensuring only authorized access. Pre-shared keys lack scalability and do not provide dynamic user verification. Replacing the VPN with a flat network undermines security by removing encrypted remote access. IP-based rules are static and do not adapt to dynamic user behavior or device compliance, leaving the network vulnerable. For support or reporting issues, include Question ID: 674f6fae8a43941b3453845e in your ticket. Thank you.

Answer 62

Directory traversal Explanation: OBJ 4.2: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input. For support or reporting issues, include Question ID: 63fe07603b7322449ddbcd13 in your ticket. Thank you.

Answer 63

PHI being transmitted over HTTP Data at rest improperly configured on the database Explanation: OBJ 1.1: While all of these may pose valid threats, this scenario is conducting a compliance-based assessment. Since this organization is a hospital, it falls under the health care industry. Health care is regulated in terms of patient privacy and the protection of their records under HIPAA. Therefore, your assessment should prioritize the PHI (personal health information) data being insecurely transmitted over HTTP and the database not properly using data at rest to protect patient data. For support or reporting issues, include Question ID: 63fe081b3b7322449ddbd651 in your ticket. Thank you.

Answer 64

Agent-based scanning Explanation: OBJ 2.3: Using agent-based scanning, you typically get the most reliable results for systems that are not connected to the network, as well as the ones that are connected. This is ideal for traveling salespeople since their laptops are not constantly connected to the organization’s network. These agent-based scans can be conducted when the laptop is offline and then sent to a centralized server the next time it is connected to the network. Server-based scanning, non-credentialed scanning, and passive network monitoring require a continuous network connection to collect the devices' configurations accurately. For support or reporting issues, include Question ID: 63fe07153b7322449ddbc96f in your ticket. Thank you.

Answer 65

IPsec Explanation: OBJ 4.1: IPsec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated. For support or reporting issues, include Question ID: 63fe071a3b7322449ddbc9b9 in your ticket. Thank you.