SecurityX Practice Exam #5 (Dion) Flashcards

Question

During your review of the firewall logs, you notice that an IP address from within your company’s server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident? PII of company employees and customers was exfiltrated Forensic review of the server required fallback to a less efficient service IP addresses and other network-related configurations were exfiltrated Raw financial information about the company was accessed

Answer 1

PII of company employees and customers was exfiltrated Explanation: OBJ 1.2: If the PII (Personally Identifiable Information) of the company’s employees or customers were exfiltrated or stolen during the compromise, this would increase the incident's impact assessment. Loss of PII is a big issue for corporations and one that might garner media attention. While all of the options presented here are bad things that could increase the impact of the assessment, loss of PII is considered the MOST likely to increase the impact dramatically. Depending on the company's size or organization, there may also be mandatory reporting requirements, fines, or restitution that must be paid. For support or reporting issues, include Question ID: 63fe071b3b7322449ddbc9c4 in your ticket. Thank you.

Answer 2

Symmetric encryption Explanation: OBJ 3.8: Symmetric encryption is efficient and effective for securing data at rest by encrypting it with a single key that can be securely managed. Transport Layer Security (TLS) secures data in transit, not storage. Digital signatures provide data authenticity and integrity checks but do not encrypt the data. Tokenization replaces sensitive data with tokens but does not encrypt the underlying data. For support or reporting issues, include Question ID: 6751b350fd8b34c81216adbc in your ticket. Thank you.

Answer 3

Static code analysis Explanation: OBJ 2.2: Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. DevSecOps methodology would also improve the likelihood of detecting such an error but still rely on human-to-human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively. For support or reporting issues, include Question ID: 63fe07073b7322449ddbc8c4 in your ticket. Thank you.

Answer 4

Password expiration Explanation: OBJ 3.1: A password expiration control in the policy would force users to change their passwords at specific time intervals. This will then lock out a user who types in the incorrect password or create an alter that the user's account has been potentially compromised. While the other options are good components of password security to prevent an overall compromise, they are not effective against the vulnerability described in this particular scenario. It states the issue is based on time. Password history is used to determine the number of unique passwords a user must use before using an old password again. Passwords must meet complexity requirements. The policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Maximum password length creates a limit to how long the password can be, but a longer password is considered stronger against a brute force attack. For support or reporting issues, include Question ID: 63fe06ec3b7322449ddbc77f in your ticket. Thank you.

Answer 5

USB-based attack Explanation: OBJ 3.4: USB-based attacks involve using malicious USB devices to exploit systems, such as injecting keystrokes or executing malware. Credential dumping targets stored credentials, not hardware interfaces. Shimming manipulates the communication between software and hardware, while lateral movement refers to spreading within a network after initial compromise. For support or reporting issues, include Question ID: 6751aef62f8fe131b6ff6d0e in your ticket. Thank you.

Answer 6

There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receive marketing emails Explanation: OBJ 1.3: According to the European Union's General Data Protection Regulation (GDPR), personal data collected can only be used for the exact purpose in which explicit consent was obtained. To use email addresses for marketing purposes, separate explicit consent should have been obtained. Since the company operates in Germany, it must follow the GDPR privacy standard. Even if a company doesn't operate within the European Union, its customers might be European Union citizens, and therefore the company should still optional follow the GDPR guidelines. While data minimization is a good internal policy to utilize, not following it doesn't equate to a privacy violation or breach. Data minimization is the principle that data should only be processed and stored, if necessary, to perform the purpose for which it is collected. The option concerning the customer relationship management (CRM) tool is a distractor since the issue is using the data in ways that were not consented to by the customer, not which system the email was sent through. A privacy violation can occur when corporate employees view data if those employees do not have a need to know, a valid business requirement to use the data, or consent from the customer to use the data for a specific purpose (as was the case in this scenario). For support or reporting issues, include Question ID: 63fe07f43b7322449ddbd45f in your ticket. Thank you.

Answer 7

Segment legacy devices into a separate network with restricted access Explanation: OBJ 2.1: Segmenting legacy devices into a restricted network ensures they do not pose a security risk to the main network while still allowing limited functionality. This approach balances security with the operational need to accommodate legacy systems. Excluding legacy devices from NAC policies exposes the network to potential risks. Replacing all legacy devices may be cost-prohibitive and impractical for many organizations. Role-based NAC does not address the security concerns posed by legacy devices' lack of posture validation. For support or reporting issues, include Question ID: 6750f4c6ec280b7d2c7fa257 in your ticket. Thank you.

Answer 8

Isolating components based on their function and sensitivity, with strict access controls between zones Explanation: OBJ 2.6 - Creating security boundaries by isolating components based on their function and sensitivity ensures that access is limited to authorized users and systems. Consolidating components into a single VPN or allowing unrestricted communication increases the attack surface. Static IP addresses provide visibility but do not contribute to establishing security boundaries. For support or reporting issues, include Question ID: 674f721cbe598e99e87d620a in your ticket. Thank you.

Answer 9

Distribute the traffic across additional servers in a cluster (horizontal scaling) Explanation: OBJ 2.1 - Horizontal scaling, which involves adding more servers to distribute the traffic, is ideal for handling sudden spikes in demand. This approach enhances both availability and integrity by preventing overload on individual servers and providing redundancy. Vertical scaling (adding more powerful servers) has limitations due to hardware constraints and single points of failure. Redirecting traffic to a centralized data center does not address the scaling issue, and caching mechanisms can reduce load but do not ensure sustained availability under high traffic. For support or reporting issues, include Question ID: 674f681aaccd77bad2095011 in your ticket. Thank you.

Answer 10

Automated alert suppression for low-priority events Explanation: OBJ 4.1: Automated alert suppression filters out low-priority events, reducing alert fatigue and helping security teams focus on critical issues. Continuous logging is important for analysis but does not prioritize alerts. Extended retention of alert data is useful for historical analysis but does not address immediate prioritization. System audits help maintain security but do not directly resolve issues with alert management. For support or reporting issues, include Question ID: 6751b7ae9192dec49e1159c9 in your ticket. Thank you.

Answer 11

Exact data match Explanation: OBJ 4.1: An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers. But, since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match the numbers' fingerprints instead based on their format or sequence. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses machine learning to analyze various data sources using artificial intelligence or machine learning. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification-based DLP to search for any files labeled as secret or top secret. For support or reporting issues, include Question ID: 63fe06c23b7322449ddbc56f in your ticket. Thank you.

Answer 12

Incorrect permissions Explanation: OBJ 3.1: An incorrect permissions error is generated when a template is used for certificate enrollment but the template’s permissions are misconfigured. This can result in a “cannot enroll for this type of certificate” or an “operation failed” error. A cipher mismatch error is generated by a modern web browser if an old or deprecated cipher suite is being requested for use by the webserver. Alternatively, this error can also occur if the client is using an older operating system that doesn’t support a more modern cipher suite. Chain issues occur when the root, subordinate, or leaf certificate fails to pass a validity check. Since the certificate authorities must all pass the validity checks for the certification issued to be considered valid, if any of these are invalid then the entire chain is considered invalid, too. A wrong certificate type error is generated when a certificate designed for a specific use case is used for a different reason. For example, if a user attempts to log in to a website using an email certificate instead of an identification certificate, a wrong certificate type error will be generated. For support or reporting issues, include Question ID: 63fe07a83b7322449ddbd0ac in your ticket. Thank you.

Answer 13

MITRE ATT&CK framework Explanation: OBJ 1.4: The MITRE ATT&CK framework provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors. The Diamond Model provides an excellent methodology for communicating cyber events and allowing an analyst to implicitly derive mitigation strategies. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate them. OpenIOC contains a depth of research on APTs but does not integrate the detection and mitigation strategy. For support or reporting issues, include Question ID: 63fe07233b7322449ddbca25 in your ticket. Thank you.

Answer 14

DoS Explanation: OBJ 4.2: A DoS attack or denial-of-service attack works by overloading a server with multiple requests (more than it can handle), thus eventually knocking the server offline. When a denial-of-service attack occurs, there will be an increase in the amount of web traffic on the server, but since that traffic is not being sent by legitimate customers there will be no financial transactions occurring. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network. Phishing is a type of social engineering where an attacker sends a fraudulent email designed to trick a human victim into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure like ransomware. Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, or laptop computers, sending a vCard which typically contains a message in the name field to another Bluetooth-enabled device via the OBEX protocol. For support or reporting issues, include Question ID: 63fe078d3b7322449ddbcf48 in your ticket. Thank you.

Answer 15

Recovery time objective (RTO) Explanation: OBJ 1.1: The COO has defined the recovery time objective as 8 hours. The recovery time objective defines the maximum amount of time that performing a recovery can take and the service can be offline. The recovery point objective defines the maximum amount of data that can be lost without irreparable harm to the operation of the business. The recovery service level is the minimum acceptable amount of services that must be restored for a given system to consider it recovered. For example, your organization may need to restore its databases and websites to meet its recovery service level objectives while leaving its print servers offline since they may not be considered a mission-essential function in your organization. The mean time to recovery is the average amount of downtime calculated based on when a service or device fails and when its functionality is restored. For support or reporting issues, include Question ID: 63fe07fc3b7322449ddbd4c8 in your ticket. Thank you.

Answer 16

Improper error handling Explanation: OBJ 4.2: This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail and allow the attacker to execute code or perform an injection attack. One famous example of an improper error handling vulnerability is Apple's GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266. Insecure object reference refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. Insufficient logging and monitoring allow attackers to achieve their goals without being detected due to the lack of monitoring and timely response by defenders. The use of insecure functions occurs in the C language when legacy functions like strcpy() are used. These insecure functions can lead to buffer overflow and other exploits being successful against a program. For support or reporting issues, include Question ID: 63fe075c3b7322449ddbcce6 in your ticket. Thank you.

Answer 17

RP Explanation: OBJ 2.4: Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties between an identity provider and a service provider (SP) or a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question. For support or reporting issues, include Question ID: 63fe06ed3b7322449ddbc789 in your ticket. Thank you.

Answer 18

Overwriting the drives with random data multiple times using a secure erasure tool Explanation: OBJ 3.8 - Overwriting data with random patterns multiple times using a secure erasure tool ensures that the original data cannot be reconstructed, aligning with industry standards for data sanitization. While physically destroying drives is effective, it is typically used when sanitization tools are unavailable. Deleting files and reformatting drives does not securely remove data, as it can still be recovered with specialized tools. Encrypting drives adds security but does not meet the requirements for complete sanitization prior to disposal. For support or reporting issues, include Question ID: 675084aff86f3d695e9ad0d2 in your ticket. Thank you.

Answer 19

TLS Explanation: OBJ 3.8: Transport Layer Security (TLS) is a widely used protocol that encrypts data in transit, protecting it from interception during transmission between clients and servers. Asymmetric encryption is used within TLS for key exchange but cannot secure entire sessions independently. Homomorphic encryption allows operations on encrypted data but is not designed for securing transmitted data. Forward secrecy is a feature of TLS to protect session keys but is not a standalone protocol. For support or reporting issues, include Question ID: 6751b41bfd8b34c81216adc4 in your ticket. Thank you.

Answer 20

ECC Explanation: OBJ 3.7: Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits of ECC over non-ECC cryptography is an application that can achieve the same level of security provided by non-ECC cryptography while using a shorter key length. For example, an ECC algorithm using a 256-bit key length is just as strong as an RSA or Diffie-Hellman algorithm using a 3072-bit key length. For support or reporting issues, include Question ID: 63fe07c63b7322449ddbd21e in your ticket. Thank you.

Answer 21

Supplier Alpha Explanation: OBJ 1.2: Supplier Alpha will have the lowest return on investment. The return on investment (ROI) is the amount of money generated and/or saved after investing in an asset. To calculate the ROI for each supplier’s quote, you need to first calculate the labors costs of the FTEs (full-time equivalent positions) being replaced by the ML/AI system. Then, you will subtract the labor costs from the system cost to calculate the total ROI over the five-year timeframe. Supplier Alpha’s ROI would equal the cost of labor for 5 years (3 FTEs x $75,000/FTE x 5 years) minus the cost of the system ($1,000,000) which equals a labor savings of $125,000 ($1,125,000 – $1,000,000 = $125,000). Supplier Bravo’s ROI would equal the cost of labor for 5 years (4 FTEs x $75,000/FTE x 5 years) minus the cost of the system ($1,300,000) which equals a labor savings of $200,000 ($1,500,000 – $1,300,000 = $200,000). Supplier Charlie’s ROI would equal the cost of labor for 5 years (5 FTEs x $75,000/FTE x 5 years) minus the cost of the system ($1,700,000) which equals a labor savings of $175,000 ($1,875,000 – $1,700,000 = $175,000). Supplier Delta’s ROI would equal the cost of labor for 5 years (6 FTEs x $75,000/FTE x 5 years) minus the cost of the system ($2,000,000) which equals a labor savings of $250,000 ($2,250,000 – $2,000,000 = $250,000). For support or reporting issues, include Question ID: 63fe07ee3b7322449ddbd414 in your ticket. Thank you.

Answer 22

Passive mode to monitor and alert on potential threats Explanation: OBJ 2.1: Deploying the WAF in passive mode allows the security team to observe and refine detection rules by monitoring traffic and generating alerts without impacting legitimate users. This is critical during the initial deployment phase to fine-tune configurations. Inline mode with default blocking rules enabled may disrupt legitimate traffic due to misconfigured rules. Transparent proxy mode with automated enforcement could lead to false positives, impacting users. Active mode configured to log and block all traffic risks blocking legitimate traffic, especially during the initial phase. For support or reporting issues, include Question ID: 6750f6a9ec280b7d2c7fa261 in your ticket. Thank you.

Answer 23

Encrypting the database with AES-256 and storing encryption keys in a secure hardware module Explanation: OBJ 3.8 - Encrypting data at rest with a robust encryption standard like AES-256 ensures the confidentiality of sensitive data, even if physical storage is compromised. Storing encryption keys in a secure hardware module, such as a Hardware Security Module (HSM), adds another layer of protection by preventing key exposure. HTTPS protects data in transit, not at rest. Strong passwords and regular backups are important but do not directly address the security of data at rest. For support or reporting issues, include Question ID: 67508653f86f3d695e9ad0eb in your ticket. Thank you.

Answer 24

Data historian Explanation: OBJ 3.5: The data historian is a type of software that aggregates and catalogs data from multiple sources within an industrial control system’s control loop. Essentially, the data historian acts like a SIEM for ICS/SCADA systems and, therefore, the incident responders should review the data historian first. The human-machine interface (HMI) provides the input and output controls on a PLC to allow a user to configure and monitor the system. A Safety Instrumented System (SIS) is composed of sensors, logic solvers, and final control elements (devices like horns, flashing lights, and/or sirens) used to return an industrial process to a safe state after predetermined conditions are detected. Ladder Logic is a graphical, flowchart-like programming language used to program the special sequential control sequences used by a programmable logic controller (PLC). For support or reporting issues, include Question ID: 63fe07dc3b7322449ddbd336 in your ticket. Thank you.

Answer 25

Key stretching Explanation: OBJ 3.7: Key stretching is a technique that strengthens potentially weak input for cryptographic key generation, such as passwords or passphrases created by people, against brute force attacks. Key stretching will not stop a brute force attack, but it will slow it down since each password must still be put through thousands of rounds of hashing before being checked against the stored password in the database. Authenticated encryption with associated data (AEAD) is a form of encryption that provides confidentiality of the plaintext, a way to check its integrity, and a method of verifying its authenticity. Forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised. Cipher block chaining (CBC) is a simple mode of enabling symmetric block ciphers to work with large sets of data. CBC is an older method that is vulnerable to the padding-oracle attack and should therefore not be used. For support or reporting issues, include Question ID: 63fe07d03b7322449ddbd29b in your ticket. Thank you.

Answer 26

Requiring pull requests to be approved before merging into the main branch Explanation: OBJ 2.2: Requiring pull request approval ensures that all changes are reviewed and tested before being merged into the main branch. This helps maintain code integrity, reduce security vulnerabilities, and enforce best practices. Allowing direct merges bypasses the review process, increasing the risk of introducing vulnerabilities. Disabling version control is impractical and undermines the CI/CD process. Allowing unrestricted pushes risks unauthorized changes, making the codebase vulnerable. For support or reporting issues, include Question ID: 6750fd2f23df37e1b5ec5f87 in your ticket. Thank you.

Answer 27

IoT devices focus on convenience more than security Explanation: OBJ 3.5: IoT device manufacturers are more focused on making the devices convenient to use instead of ensuring they have strong security. The other options are incorrect and not true. IoT devices can receive patches and updates through an over-the-air firmware update if a manufacturer creates the patches. IoT devices are powerful these days, and they can support encryption and other security features if manufacturers would add them to their code. IoT devices are not just used in low-security use cases, either. For example, IoT devices are often used as life-saving devices in hospitals or security systems in our homes. Unfortunately, IoT devices are notoriously lax when it comes to security. Some IoT systems may even allow a user full remote control of a device. For support or reporting issues, include Question ID: 63fe07b33b7322449ddbd133 in your ticket. Thank you.

Answer 28

The API key in the secrets management tool has expired or been revoked Explanation: OBJ 3.1: Secrets management tools securely store sensitive credentials such as API keys, but these keys may expire or be revoked by the service provider, causing authorization errors. This scenario likely requires updating or revalidating the API key. While encryption and resource issues are important, they would not directly cause unauthorized errors. Additionally, secrets management tools commonly support storing API keys, making that option less likely. For support or reporting issues, include Question ID: 67513c8e59799a92e0afe5b1 in your ticket. Thank you.

Answer 29

False positive Explanation: OBJ 3.3: A false positive occurs when a scanner detects a vulnerability, but the vulnerability does not exist on the scanned system. A true positive occurs when a scanner detects a vulnerability, and the vulnerability exists on the scanned system. A true negative occurs when a scanner does not detect a vulnerability because the vulnerability does not exist on the scanned system. A false negative occurs when a scanner does not detect a vulnerability, but the vulnerability exists on the scanned system. For support or reporting issues, include Question ID: 63fe07163b7322449ddbc97f in your ticket. Thank you.

Answer 30

Dual control authentication Explanation: OBJ 2.4: This approach is an example of dual control authentication. Dual control authentication is used when performing a sensitive action. It requires the participation of two different users to log in (in this case, one with the password and one with the token). Transitive trust is a technique via which a user/entity has already undergone authentication by one communication network to access resources in another communication network without having to undergo authentication a second time. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities. Security through obscurity is the reliance on security engineering in the design or implementation of secrecy as the main method of providing security to a system or component. For support or reporting issues, include Question ID: 63fe07e73b7322449ddbd3bc in your ticket. Thank you.

Answer 31

Active scanning engine installed on the enterprise console Explanation: OBJ 3.6: Since the college wants to ensure a centrally-managed enterprise console, an active scanning engine installed on the enterprise console would best meet these requirements. The college’s cybersecurity analysts could then perform scans on any devices connected to the network using the active scanning engine at the desired intervals. Agent-based scanning would be ineffective since the college cannot force the agents' installation onto each of the personally owned devices brought in by the students or faculty. A cloud-based or server-based engine may be useful, but it won't address the centrally-managed requirement. Passive scanning is less intrusive but is subject to a high number of false positives. For support or reporting issues, include Question ID: 63fe077f3b7322449ddbce99 in your ticket. Thank you.

Answer 32

Centralized logging system Explanation: OBJ 3.3: Centralized logging systems ensure consistent log collection and synchronization, improving observability across distributed environments. Enhanced encryption protocols focus on data security, not log consistency. Network segmentation improves security but does not address observability. DNSSEC secures DNS queries but is unrelated to logging. For support or reporting issues, include Question ID: 6751aaa197eb9dce4020fbff in your ticket. Thank you.

Answer 33

VDI Explanation: OBJ 2.5: Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from a user's physical computer. Virtual private cloud (VPC) is a private network segment made available to a single cloud consumer on a public cloud. A virtual private network (VPN) is a secure tunnel created between two endpoints connected via an insecure network, typically the internet. User and entity behavior analytics (UEBA) is a system that can provide automated identification of suspicious activity by user accounts and computer hosts. For support or reporting issues, include Question ID: 63fe06d03b7322449ddbc620 in your ticket. Thank you.

Answer 34

Full interruption test Explanation: OBJ 1.1: The organization is using a full interruption test to validate its BCP in this scenario. A full interruption test is used to take the primary site offline and shift operations to the alternate site. A parallel test occurs when the alternative site is brought online as if a real disaster occurred, but the primary site is not taken offline or affected, thereby keeping both the primary and alternate sites operating in parallel. A tabletop exercise will identify a specific objective or goal, provide injects or additional details, and then observe the actions that the participants would have taken to respond to a given incident or disaster scenario. A walk-through test typically occurs as a group conference where a representative from each business unit discusses the actions taken by their teams, reviews the plan, analyzes the plan’s effectiveness, and provides feedback or changes. For support or reporting issues, include Question ID: 63fe08193b7322449ddbd630 in your ticket. Thank you.

Answer 35

Revoke access immediately and log the non-compliant activity Explanation: OBJ 2.6: Continuous authorization requires dynamic evaluation of user and device status. If a device becomes non-compliant mid-session, access should be revoked immediately to prevent unauthorized activity, with logging to provide a record for investigation. Allowing the session to continue violates Zero Trust principles by prioritizing convenience over security. Blocking future access but maintaining the current session fails to mitigate immediate risks. Triggering an alert without revoking access compromises security in favor of user convenience. For support or reporting issues, include Question ID: 6750ffb623df37e1b5ec5ff2 in your ticket. Thank you.

Answer 36

Incorrect VPN tunnel configuration Explanation: OBJ 3.3: VPN tunnel misconfiguration often causes routing issues in encrypted traffic. Unpatched endpoint software is endpoint-specific, insufficient bandwidth allocation impacts traffic handling, and expired certificates prevent connection establishment, not routing problems. For support or reporting issues, include Question ID: 6751aa1997eb9dce4020fbfa in your ticket. Thank you.

Answer 37

Secure encrypted enclaves Explanation: OBJ 3.4: Secure encrypted enclaves protect CPU instructions, dedicated secure subsystems in a system on a chip (SoC), or a protected region of memory in a database engine by only allowing data to be decrypted on the fly within the CPU, SoC, or protected region. A self-encrypting drive (SED) is a type of solid state device (SSD) or hard disk drive (HDD) that conducts transparent encryption of all data as it is written to the device using an embedded hardware cryptographic processor. Local drive encryption protects the contents of a solid state device (SSD) or hard disk drive (HDD) when the operating system is not running through the use of software-based encryption such as BitLocker, FileVault, or TrueCrypt. Attestation services are used to ensure the integrity of the computer’s startup and runtime operations. Hardware-based attestation is designed to protect against threats and malicious code that could be loaded before the operating system is loaded. For support or reporting issues, include Question ID: 63fe07a33b7322449ddbd06f in your ticket. Thank you.

Answer 38

Integration testing Explanation: OBJ 2.2: Integration testing evaluates how different components of an application work together. It ensures that new changes do not introduce issues when modules interact, making it crucial for validating interconnected functionality. Unit testing focuses on isolated components rather than their integration. Canary testing involves testing in a production-like environment, not component integration. Regression testing ensures existing functionality is preserved but does not focus on component interactions. For support or reporting issues, include Question ID: 6750fede52107569898127cf in your ticket. Thank you.

Answer 39

Digital signatures Explanation: OBJ 3.8: Digital signatures provide a way to verify the sender's authenticity and ensure the document has not been tampered with, meeting both integrity and non-repudiation requirements. Symmetric encryption protects confidentiality but does not verify origin or integrity. Hashing ensures integrity but does not authenticate the sender. Key stretching is used to strengthen weak passwords and is irrelevant to this scenario. For support or reporting issues, include Question ID: 6751b44bfd8b34c81216adc9 in your ticket. Thank you.

Answer 40

NDA Explanation: OBJ 1.1: Non-disclosure agreement (NDA) is the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and shares such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employee places in them. An interconnection security agreement (ISA) is defined by NIST's SP800-4 and is used by any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. A service level agreement (SLA) is a contractual agreement that sets out the detailed terms under which a service is provided. A data sharing and use agreement (DSUA) states that personal data can only be collected for a specific purpose. A DSUA can specify how a dataset can be analyzed and proscribe the use of reidentification techniques. For support or reporting issues, include Question ID: 63fe07f13b7322449ddbd441 in your ticket. Thank you.

Answer 41

MTTR Explanation: OBJ 1.2: Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation. MTTR is often used to describe the average time to replace or recover a system or product. Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired. For support or reporting issues, include Question ID: 63fe07f63b7322449ddbd47d in your ticket. Thank you.

Answer 42

Availability Explanation: OBJ 1.2: Availability metrics measure the probability that a system will be operating as expected at any given point in time. The most common availability metric used is known as uptime. Scalability metrics measure the ability of a system to handle an increase in workload while maintaining a consistent level of performance. Reliability metrics measure the ability of a system to perform without error or to avoid, detect, and/or repair component or integrity failures. Usability metrics measure the effectiveness, efficiency, and satisfaction of users working with a given system. For support or reporting issues, include Question ID: 63fe080e3b7322449ddbd5a9 in your ticket. Thank you.

Answer 43

Advanced persistent threat (APT) Explanation: OBJ 1.4: An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. An APT attack intends to steal data rather than to cause damage to the network or organization. An APT refers to an adversary's ongoing ability to compromise network security, obtain and maintain access, and use various tools and techniques. They are often supported and funded by nation-states or work directly for a nation-states' government. Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information. An insider threat is a malicious threat to an organization from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization's security practices, data, and computer systems. Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. While an APT may use spear phishing, privilege escalation, or an insider threat to gain access to the system, the scenario presented in this question doesn't specify what method was used. Therefore, APT is the best answer to select. For support or reporting issues, include Question ID: 63fe071c3b7322449ddbc9ca in your ticket. Thank you.

Answer 44

Agile Explanation: OBJ 2.2: The principles of the Agile Manifesto characterize agile software development. The Agile Manifesto emphasizes individuals and interactions over the processes and tools that Spiral and Waterfall rely on. It also focuses on working software, customer collaboration, and responding to change as key elements of the Agile process. The waterfall model is a breakdown of project activities into linear sequential phases. Each phase depends on the deliverables of the previous one and corresponds to a specialization of tasks. Rapid Application Development (RAD) is a form of agile software development methodology that prioritizes rapid prototype releases and iterations. Unlike the Waterfall method, RAD emphasizes software and user feedback over strict planning and requirements recording. Spiral development is a risk-driven software development model that guides a team to adopt elements of one or more process models, such as incremental, waterfall, or evolutionary prototyping. For support or reporting issues, include Question ID: 63fe06ed3b7322449ddbc784 in your ticket. Thank you.

Answer 45

ECDSA Explanation: OBJ 3.7: Elliptic-Curve Digital Signature Algorithm (ECDSA) is an asymmetric algorithm that utilizes the properties of elliptic curves to provide comparable levels of protection as RSA with a much smaller key size. The digital signature algorithm (DSA) is a cryptographic algorithm that uses logarithmic and modulus math to generate and verify digital signatures. The DSA is faster than RSA at generating digital signatures, but it is slower than RSA when verifying them. Salsa20 is a modern and efficient symmetric stream cipher that uses a 128-bit or 256-bit encryption key. Salsa20 is not used in many cryptographic implementations, but a variant of Salsa20 known as ChaCha is widely adopted by Google for use in Android devices and the Google Chrome browser. ChaCha is a variant of Salsa20 that is a modern and efficient symmetric stream cipher that uses a 128-bit or 256-bit encryption key. ChaCha is widely used in combination with the Poly1305 hashing algorithm in the TLS implementation of the Google Chrome browser and the Android operating system. ChaCha is also used by OpenSSH and the random number generator in BSD operating systems as a replacement to the older RC4 algorithm. For support or reporting issues, include Question ID: 63fe07d33b7322449ddbd2c3 in your ticket. Thank you.

Answer 46

Injecting parameters into a connection string using semicolons as a separator Explanation: OBJ 4.2: Connection String Parameter Pollution (CSPP) exploits specifically the semicolon-delimited database connection strings that are constructed dynamically based on the user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high-risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact). Exploit chaining involves multiple commands and exploits being conducted in a series to fully attack or exploit a given target. For support or reporting issues, include Question ID: 63fe07283b7322449ddbca61 in your ticket. Thank you.

Answer 47

DNS poisoning Explanation: OBJ 4.2: DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites. MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network using layer 2 address information. DNS brute-forcing is used to check for wildcard entries using a dictionary or wordlist. This technique is used when a DNS zone transfer is not allowed by a system. For support or reporting issues, include Question ID: 63fe06eb3b7322449ddbc76b in your ticket. Thank you.

Answer 48

DAC Explanation: https://ibm-learning.udemy.com/course/comptia-securityx-cas-005-6-practice-exams/learn/quiz/6689175/test#overview:~:text=OBJ%202.4%3A%C2%A0Discretionary,ticket.%20Thank%20you.

Answer 49

ECC Explanation: OBJ 3.7: Elliptic curve cryptography is a public-key cryptographic algorithm based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller key sizes compared to non-elliptic curve cryptography methods while still providing the equivalent level of security. ECC is heavily used in mobile devices and low-powered device encryption. For example, the P384 curve uses a 384-bit key and is approved for the encryption of data up to the Top Secret level by the National Security Agency. Rivest, Shamir, and Adleman (RSA) is an asymmetric algorithm that uses the complexity of factoring large prime numbers to provide security. RSA requires a larger key size of 7680-bit to have the equivalent protection of ECC encrypted data using a 384-bit key. The Advanced Encryption Standard (AES) is the current standard for the U.S. federal government’s symmetric block encryption cipher. AES can use a key size of 128-bits, 192-bits, or 256-bits with a 128-bit block size. ChaCha is a variant of Salsa20 that is a modern and efficient symmetric stream cipher that uses a 128-bit or 256-bit encryption key. ChaCha is widely used in combination with the Poly1305 hashing algorithm in the TLS implementation of the Google Chrome browser and the Android operating system. ChaCha is also used by OpenSSH and the random number generator in BSD operating systems as a replacement to the older RC4 algorithm. For support or reporting issues, include Question ID: 63fe07d43b7322449ddbd2d2 in your ticket. Thank you.

Answer 50

Security and information event management (SIEM) Explanation: https://ibm-learning.udemy.com/course/comptia-securityx-cas-005-6-practice-exams/learn/quiz/6689175/test#overview:~:text=OBJ%204.1%3A%C2%A0While,ticket.%20Thank%20you.

Answer 51

Implement NAC Explanation: OBJ 2.4: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets and provide them with access to the secure internal network. NAC could also determine unknown machines (assumed to be those of CompTIA employees) and provide them with direct internet access only by placing them on a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources could be utilized from a single ethernet port. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware. An access control list could define what ports, protocols, or IP addresses the ethernet port could be utilized. Still, it would be unable to distinguish between a Dion Training employee's laptop and a CompTIA employee's laptop like a NAC implementation could. For support or reporting issues, include Question ID: 63fe07053b7322449ddbc8b0 in your ticket. Thank you.

Answer 52

Setting the secure attribute on the cookie Explanation: OBJ 2.4: When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie’s confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still need to set the cookie's Secure attribute. Hashing the cookie provides the cookie's integrity, not confidentiality; therefore, it will not solve the issue presented by this question. For support or reporting issues, include Question ID: 63fe06ec3b7322449ddbc77a in your ticket. Thank you.

Answer 53

Hardening Explanation: OBJ 3.5: Hardening involves disabling unnecessary services, applying strict access controls, and enabling logging to reduce the attack surface of legacy systems. Endpoint detection and response (EDR) focuses on detection and response but does not directly reduce vulnerabilities. Network segmentation isolates systems but is not the same as hardening. Patching is often not feasible for unsupported legacy systems. For support or reporting issues, include Question ID: 6751b0b28e62d8320cd6bbb7 in your ticket. Thank you.

Answer 54

The type of data processed by the system Explanation: OBJ 1.2: The data's asset value is a metric or classification that an organization places on data stored, processed, and transmitted by an asset. Different data types, such as regulated data, intellectual property, and personally identifiable information, can determine its value. The cost of acquisition, cost of hardware replacement, and depreciated costs refer to the financial value of the hardware or system itself. This can be significantly different from the value of the information and data that the system stores and processes. For support or reporting issues, include Question ID: 63fe08023b7322449ddbd513 in your ticket. Thank you.

Answer 55

The REGEX expression to filter using "[Ss]cript" is insufficient since an attacker could use SCRIPT or SCRipt or %53CrIPT to evade it Explanation: OBJ 4.2: The most likely explanation is that the REGEX filter was insufficient to eliminate every single possible cross-site scripting attack that could occur. Since cross-site scripting relies on the HTML tags to launch, the system administrators had a good idea of creating input validation using a REGEX for those keywords. Unfortunately, they forgot to include a more inclusive version of this REGEX to catch all variants. For example, simply using [Ss][Cc][Rr][Ii][Pp][Tt] would have been much more secure, but even this would miss %53CrIPT would evade this filter. To catch all the letter S variants, you would need to use [%53%%73Ss], which includes the capital S in hex code, the lower case s in hex code, the capital S, and the lowercase s. While using a SQL injection is possible, their REGEX input validation would still have allowed a cross-site scripting attack to occur, so this option must be eliminated. As for the logging options, both are possible in the real world, but they do not adequately answer this scenario. The obvious flaw in their input validation is their REGEX filter. For support or reporting issues, include Question ID: 63fe07683b7322449ddbcd81 in your ticket. Thank you.

Answer 56

Poison or overflow the MAC table of the switch Explanation: OBJ 4.2: VLAN hopping is the act of illegally moving from one VLAN to another. A VLAN (virtual LAN) is a logical grouping of switch ports extending across any number of switches on an Ethernet network. One of the most common VLAN hopping methods is to overflow the MAC table on a vulnerable switch. When this occurs, the switch defaults to operating as a hub and repeats all frames being received through all of its ports. This "fail open" method ensures the network can continue to operate, but it is a security risk that can be exploited by the penetration tester. For support or reporting issues, include Question ID: 63fe07523b7322449ddbcc64 in your ticket. Thank you.

Answer 57

IaaS Explanation: OBJ 2.5: Infrastructure as a service (IaaS) is an instant computing infrastructure, provisioned, and managed over the internet. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center. IaaS quickly scales up and down with demand, letting you pay only for what you use. It helps you avoid the expense and complexity of buying and managing your physical servers and other data center infrastructure. Each resource is offered as a separate service component, and you only need to rent a particular one for as long as you need it. A cloud computing service provider manages the infrastructure while you purchase, install, configure, and manage your software. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtualized Desktop Infrastructure) and is coming in large enterprise businesses focused on increasing their security and minimizing their operational expenses. For support or reporting issues, include Question ID: 63fe06dd3b7322449ddbc6c1 in your ticket. Thank you.

Answer 58

Cold site Explanation: OBJ 1.1: A cold site is a predetermined alternative location where a network can be rebuilt after a disaster. A cold site does not have a pre-established information systems capability, but it is open and available for building out an alternate site after the disaster occurs. A warm site is an alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site when needed. A warm site typically includes a data center that is typically scaled down from the primary site to include the capacity and throughput needed to run critical systems and software. A hot site is a fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster. A hot site requires specialized knowledge, sophisticated automation capabilities, and platforms that are designed to operate as a fully redundant and ready alternate site. A mobile site is essentially a data center in a container or trailer that can be rapidly deployed to a given location. A mobile site is best categorized as a mixture of a cold site and a warm site which can also be relocated when needed. For support or reporting issues, include Question ID: 63fe07ef3b7322449ddbd423 in your ticket. Thank you.

Answer 59

Review Explanation: OBJ 1.2: This is the review phase. The identify phase is used to inventory assets and for the identification of all risk items in an organization. The assess phase is used to analyze identified risks to determine their associated level of risk before any mitigations or controls are implemented. The control phase is used to identify effective methods for risk reduction for identified risks in an organization. The review phase is used to periodically re-evaluate the risks in an organization by determining if the risk level has changed and identified controls are still effective. For support or reporting issues, include Question ID: 63fe08193b7322449ddbd635 in your ticket. Thank you.

Answer 60

Unauthorized execution to gain control over system processes and execute malicious commands Explanation: OBJ 3.2 - Unauthorized execution occurs when an attacker or malware gains the ability to run unauthorized code or commands on a system, often leading to actions such as bypassing security mechanisms, exfiltrating data, or compromising system integrity. While privilege escalation and lateral movement may occur in tandem, they describe different tactics. Credential dumping involves extracting stored authentication information and is unrelated to the execution of malicious scripts. For support or reporting issues, include Question ID: 67506557b4d0b28795afb914 in your ticket. Thank you.

Answer 61

Defensive evasion to avoid detection and maintain stealth Explanation: OBJ 3.2 - Defensive evasion is a tactic where attackers actively work to avoid detection by security tools or forensic investigations. This can involve disabling antivirus software, modifying or deleting logs, or using encryption and obfuscation techniques to hide their activity. While privilege escalation and persistence may be parts of an attack chain, defensive evasion specifically focuses on hiding the attacker’s presence. Lateral movement describes spreading across systems, not avoiding detection. For support or reporting issues, include Question ID: 67506657b4d0b28795afb948 in your ticket. Thank you.

Answer 62

API gateway Explanation: OBJ 2.5: Application programming interface (API) gateway is a special cloud-based service that is used to centralize the functions provided by APIs. An API is a type of software interface that offers a service to other pieces of software to build or connect to specific functions or features. A NAT Gateway within a cloud platform allows private subnets in a Virtual Private Cloud (VPC) access to the Internet. A VPN gateway is a type of networking device that connects two or more devices or networks in a VPN infrastructure. It is designed to bridge the connection or communication between two or more remote sites, networks, or devices and/or to connect multiple VPNs. An extensible markup language (XML) gateway acts as an application layer firewall specifically to monitor XML formatted messages as they enter or leave a network or system. An XML gateway is used for inbound pattern detection and the prevention of outbound data leaks. XML is a document structure that is both human and machine-readable. Information within an XML document is placed within tags that describe how the information within the document is structured. For support or reporting issues, include Question ID: 63fe06cc3b7322449ddbc5ee in your ticket. Thank you.

Answer 63

Perform DAST in a staging environment with production-like conditions and scheduled testing windows Explanation: OBJ 2.2: DAST is designed to test an application for vulnerabilities during runtime, making it critical for identifying issues like SQL injection and XSS that occur during execution. Conducting DAST in a staging environment with production-like conditions allows the team to simulate real-world usage without impacting live user traffic, and scheduled testing windows help manage resource allocation to address performance concerns. Limiting DAST to critical functions risks missing vulnerabilities in non-critical areas, while conducting tests in a live production environment could disrupt users and compromise sensitive data. Replacing DAST with SAST is inappropriate because SAST cannot identify runtime vulnerabilities. For support or reporting issues, include Question ID: 674f6cac7a4b195c66838b37 in your ticket. Thank you.

Answer 64

Nessus Explanation: OBJ 1.4: Nessus is a popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. For support or reporting issues, include Question ID: 63fe076f3b7322449ddbcdd6 in your ticket. Thank you.