Sy06 Exam Braindumps 101-150 Flashcards

1
Q

A DBA reports that several production server hard drives were wiped over the weekend. The DBA also reports that several Linux servers were unavailable due to system files being deleted unexpectedly. A security analyst verified that software was configured to delete data deliberately from those servers. No backdoors to any servers were found. Which of the following attacks was MOST likely used to cause the data loss?

a. Logic bomb
b. Ransomware
c. Fileless virus
d. Remote access Trojans
e. Rootkit

A

a. Logic bomb

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. In this case, it appears that the logic bomb was programmed to delete system files and data at a specific time (over the weekend). This explains the deliberate nature of the deletions and the unavailability of the servers without any backdoor being present.

The other options are less likely to be the cause for the following reasons:

Ransomware typically encrypts data and demands a ransom for decryption rather than simply deleting files.
A fileless virus operates in memory and typically does not result in deliberate deletion of files; it aims to exploit systems without leaving a trace on the disk.
Remote access Trojans (RATs) are used for remote control of a system and typically involve data theft or surveillance rather than destruction of data without any further purpose.
A rootkit hides the presence of other malicious software, such as keyloggers or viruses, but doesn't typically engage in the outright deletion of files as described.
2
Q

Digital signatures use asymmetric encryption. This means the message is encrypted with:

a. the sender’s private key and decrypted with the sender’s public key.
b. the sender’s public key and decrypted with the sender’s private key.
c. the sender’s private key and decrypted with the recipient’s public key.
d. the sender’s public key and decrypted with the recipient’s private key.

A

a. the sender’s private key and decrypted with the sender’s public key.

Digital signatures indeed use asymmetric encryption, and the process involves the sender’s private and public keys: the sender signs with the private key, and anyone holding the matching public key can verify.

Here’s how it works:

Creating the Signature:
    The sender creates a hash of the message.
    The sender encrypts this hash using their private key. This encrypted hash is the digital signature.

Verifying the Signature:
    The recipient decrypts the digital signature using the sender's public key to retrieve the hash.
    The recipient also creates a hash of the received message.
    The recipient compares the decrypted hash with the newly created hash. If they match, the message is verified as authentic and untampered.
3
Q

A security engineer was assigned to implement a solution to prevent attackers from gaining access by pretending to be authorized users. Which of the following technologies meets the requirement?

a. SSO
b. IDS
c. MFA
d. TPM

A

c. MFA (Multi-Factor Authentication)

Explanation:

Multi-Factor Authentication (MFA) adds an additional layer of security beyond just username and password. It requires users to provide two or more verification factors to gain access to a system or application.
MFA typically combines something the user knows (a password) with something the user has (such as a smartphone app generating a code or a hardware token) or something the user is (biometric data).
This approach significantly reduces the risk of unauthorized access because even if attackers manage to steal or guess a user's password, they would still need the additional factor to authenticate successfully.
Single Sign-On (SSO) simplifies the user login process by allowing users to authenticate once to gain access to multiple systems or applications. While it improves user experience and can indirectly enhance security by reducing password fatigue, it does not inherently prevent attackers from pretending to be authorized users.
Intrusion Detection System (IDS) monitors network or system activities for malicious activities or policy violations. While it detects suspicious behavior, it doesn't directly prevent attackers from impersonating authorized users.
Trusted Platform Module (TPM) is a hardware-based security solution that provides cryptographic functionality to secure hardware and authenticate devices. It does not directly prevent attackers from pretending to be authorized users.
4
Q

The Chief Information Security Officer (CISO) has requested that a third-party vendor provide supporting documents that show proper controls are in place to protect customer data. Which of the following would be BEST for the third-party vendor to provide to the CISO?

a. GDPR compliance attestation
b. Cloud Security Alliance materials
c. SOC 2 Type 2 report
d. NIST RMF workbooks

A

c. SOC 2 Type 2 report

Explanation:

SOC 2 (Service Organization Control 2) is a widely recognized auditing standard developed by the American Institute of CPAs (AICPA). It focuses on controls relevant to the security, availability, processing integrity, confidentiality, and privacy of data processed by service providers.
A SOC 2 Type 2 report provides detailed information about how a service organization (the third-party vendor in this case) achieves key security objectives based on the Trust Services Criteria (TSC). It includes detailed testing of the effectiveness of controls over a period of time (usually a minimum of six months).
This report is particularly relevant when a vendor needs to demonstrate that they have adequate controls in place to protect customer data, aligning with regulatory requirements and industry best practices.
GDPR compliance attestation is specific to compliance with the European Union's General Data Protection Regulation (GDPR). While important for handling personal data of EU residents, it may not cover all aspects of data protection and security beyond GDPR requirements.
Cloud Security Alliance (CSA) materials are valuable for understanding cloud security best practices and frameworks, but they do not provide specific independent assurance of controls implemented by the vendor.
NIST RMF (Risk Management Framework) workbooks are used for managing and documenting security and privacy controls within federal information systems. However, they are less commonly used in vendor assessments compared to SOC 2 reports.
5
Q

Which of the following is assured when a user signs an email using a private key?

a. Non-repudiation
b. Confidentiality
c. Availability
d. Authentication

A

a. Non-repudiation

Explanation:

Non-repudiation is assured when a user signs an email using a private key. This means the sender cannot deny having sent the email because the digital signature, created using the sender's private key, uniquely associates the sender with the message. Anyone with the corresponding public key can verify that the message was indeed signed by the holder of the private key.
Confidentiality ensures that the content of the email is accessible only to the intended recipients. However, signing an email does not encrypt its contents; encryption for confidentiality requires using the recipient's public key.
Availability refers to ensuring that the email is accessible to authorized users when needed. Signing an email does not directly impact its availability.
Authentication is the process of verifying the identity of the sender. While signing an email does provide some level of authentication by verifying the sender, the primary assurance provided by signing an email is non-repudiation.
6
Q

A systems administrator is troubleshooting a server’s connection to an internal web server. The administrator needs to determine the correct ports to use. Which of the following tools BEST shows which ports on the web server are in a listening state?

a. ipconfig
b. ssh
c. ping
d. netstat

A

d. netstat

Explanation:

netstat (network statistics) is a command-line tool that provides various network-related information, including the status of network connections, routing tables, and interface statistics. It is particularly useful for showing which ports are in a listening state on a server, which can help the systems administrator determine the correct ports to use.
ipconfig is a command-line tool used to display and manage the IP configuration of network interfaces on a Windows computer. It does not provide information about listening ports.
ssh (Secure Shell) is a protocol used for secure remote login and other secure network services over an insecure network. It is not used to show listening ports.
ping is a command-line tool used to test the reachability of a host on an IP network. It does not provide information about listening ports.
7
Q

Which of the following BEST reduces the security risks introduced when running systems that have expired vendor support and lack an immediate replacement?

a. Implement proper network access restrictions.
b. Initiate a bug bounty program.
c. Classify the system as shadow IT.
d. Increase the frequency of vulnerability scans.

A

a. Implement proper network access restrictions.

Explanation:

Implementing proper network access restrictions is the most effective way to reduce security risks for systems with expired vendor support. This approach limits exposure to potential threats by restricting access to the vulnerable system to only those who absolutely need it. It can include measures such as segmentation, firewalls, and access control lists (ACLs).
Initiating a bug bounty program is useful for identifying vulnerabilities, but it is not as immediately effective in reducing risks for unsupported systems as network access restrictions.
Classifying the system as shadow IT might help in acknowledging the risk, but it does not directly mitigate the risk.
Increasing the frequency of vulnerability scans can help in identifying issues more quickly, but without the ability to patch or update the system, the effectiveness of this measure is limited compared to implementing network access restrictions.
8
Q

Due to unexpected circumstances, an IT company must vacate its main office, forcing all operations to alternate, off-site locations. Which of the following will the company MOST likely reference for guidance during this change?

a. The business continuity plan
b. The retention policy
c. The disaster recovery plan
d. The incident response plan

A

a. The business continuity plan

Explanation:

The business continuity plan (BCP) is designed to ensure that a company can continue to operate during and after a major disruption, such as having to vacate its main office. The BCP includes strategies for maintaining business operations and addressing logistical challenges, such as relocating to alternate, off-site locations.
The disaster recovery plan (DRP) focuses on restoring IT systems and data after a disaster, but it is more specific to IT infrastructure rather than overall business operations.
The retention policy deals with how long records and data are kept and does not address operational relocations.
The incident response plan (IRP) deals with responding to specific incidents, such as security breaches, but does not typically cover broad operational changes like relocating an entire office.
9
Q

While reviewing an alert that shows a malicious request on one web application, a cybersecurity analyst is alerted to a subsequent token reuse moments later on a different service using the same single sign-on method. Which of the following would BEST detect a malicious actor?

a. Utilizing SIEM correlation engines
b. Deploying Netflow at the network border
c. Disabling session tokens for all sites
d. Deploying a WAF for the web server

A

a. Utilizing SIEM correlation engines

Explanation:

SIEM (Security Information and Event Management) correlation engines are designed to analyze and correlate events from multiple sources across the network, including different applications and services. They can identify patterns and link related incidents, such as the reuse of a token on a different service, indicating potential malicious activity.
Deploying Netflow at the network border would help monitor network traffic patterns but might not effectively correlate the specific use of tokens across different services.
Disabling session tokens for all sites could disrupt user sessions and might not specifically target the detection of malicious activity.
Deploying a WAF (Web Application Firewall) can protect a web server from specific web-based attacks but might not have the capability to correlate token reuse across different services using SSO.
10
Q

The Chief Information Security Officer wants to prevent exfiltration of sensitive information from employee cell phones when using public USB power charging stations. Which of the following would be the BEST solution to implement?

a. DLP
b. USB data blocker
c. USB OTG
d. Disabling USB ports

A

b. USB data blocker

Explanation:

A USB data blocker is designed to allow power to pass through to a device while blocking any data transfer through the USB port. This would prevent any exfiltration of sensitive information when employees use public USB power charging stations.
DLP (Data Loss Prevention) solutions are typically software-based and are more suited for monitoring and controlling data within the organization's network rather than on individual cell phones in public scenarios.
USB OTG (On-The-Go) is a standard that enables devices to act as a host, allowing other USB devices like keyboards or external storage to be attached, which does not address the issue of blocking data transfer in public charging stations.
Disabling USB ports would prevent the use of public charging stations altogether, which is impractical for employees who need to charge their phones on the go.
11
Q

Two organizations plan to collaborate on the evaluation of new SIEM solutions for their respective companies. A combined effort from both organizations’ SOC teams would speed up the effort. Which of the following can be written to document this agreement?

a. MOU
b. ISA
c. SLA
d. NDA

A

a. MOU (Memorandum of Understanding)

Explanation:

An MOU (Memorandum of Understanding) is a document that outlines the terms and details of an agreement between parties, including each party's requirements and responsibilities. It is often used to document an agreement to collaborate on projects or initiatives without the formal binding commitments of a contract.
An ISA (Interconnection Security Agreement) is used to define the technical and security requirements for establishing, operating, and maintaining the interconnection of IT systems and networks.
An SLA (Service Level Agreement) is a contract between a service provider and a customer that defines the level of service expected from the service provider.
An NDA (Non-Disclosure Agreement) is a contract that establishes confidentiality between parties to protect sensitive information from being disclosed.
12
Q

The board of directors at a company contracted with an insurance firm to limit the organization’s liability. Which of the following risk management practices does this BEST describe?

a. Transference
b. Avoidance
c. Mitigation
d. Acknowledgement

A

a. Transference

Explanation:

Transference in risk management involves shifting the risk to a third party. By contracting with an insurance firm, the organization is transferring the financial risk associated with potential liabilities to the insurance company, thus limiting its own liability.
Avoidance involves eliminating the risk entirely by not engaging in the activity that presents the risk.
Mitigation involves taking steps to reduce the impact or likelihood of the risk.
Acknowledgement involves recognizing the risk but choosing to accept it without transferring or mitigating it.
13
Q

Which of the following is a risk that is specifically associated with hosting applications in the public cloud?

a. Unsecured root accounts
b. Zero-day
c. Shared tenancy
d. Insider threat

A

c. Shared tenancy

Explanation:

Shared tenancy is a risk specific to public cloud environments where multiple customers share the same physical hardware and infrastructure. This can lead to potential vulnerabilities where one tenant's security issues could potentially affect others.
Unsecured root accounts and insider threats are risks that can occur in both cloud and on-premises environments.
Zero-day vulnerabilities are a general security risk that can impact any environment, whether cloud-based or not.
14
Q

DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching alternatives to make the cloud environment respond to load fluctuation in a cost-effective way. Which of the following options BEST fulfills the architect’s requirements?

a. An orchestration solution that can adjust scalability of cloud assets
b. Use of multipath by adding more connections to cloud storage
c. Cloud assets replicated on geographically distributed regions
d. An on-site backup that is displayed and only used when the load increases

A

a. An orchestration solution that can adjust scalability of cloud assets

Explanation:

Orchestration solutions are designed to automatically manage, scale, and optimize resources in response to real-time demand. This allows the cloud environment to dynamically adjust its capacity, adding or removing resources as needed to handle load fluctuations efficiently.
Multipath connections to cloud storage can enhance redundancy and performance but may not directly address the need for scalable compute resources to handle DDoS attacks.
Replicating cloud assets across geographically distributed regions can provide redundancy and disaster recovery benefits but may not be as cost-effective for dynamic scalability in response to fluctuating loads.
An on-site backup that is deployed only when load increases can be costly and less efficient compared to automated orchestration solutions that leverage cloud scalability features.
15
Q

Which of the following documents provides expectations at a technical level for quality, availability, and responsibilities?

a. EOL
b. SLA
c. MOU
d. EOSL

A

b. SLA (Service Level Agreement)

Explanation:

SLA (Service Level Agreement) is a document that outlines the expectations between a service provider and a customer regarding the quality and availability of services. It defines metrics, responsibilities, and guarantees related to service performance, uptime, response times, and other key aspects.
EOL (End of Life) and EOSL (End of Service Life) refer to the lifecycle stages of products or services, indicating when support or maintenance will end, rather than specifying operational expectations.
MOU (Memorandum of Understanding) outlines broader agreements between parties but may not detail technical expectations at the level of an SLA.
16
Q

Which of the following is an example of transference of risk?

a. Purchasing insurance
b. Patching vulnerable servers
c. Retiring outdated applications
d. Application owner risk sign-off

A

a. Purchasing insurance

17
Q

An employee received a word processing file that was delivered as an email attachment. The subject line and email content enticed the employee to open the attachment. Which of the following attack vectors BEST matches this malware?

a. Embedded Python code
b. Macro-enabled file
c. Bash scripting
d. Credential-harvesting website

A

b. Macro-enabled file

18
Q

A security proposal was set up to track requests for remote access by creating a baseline of the users’ common sign-in properties. When a baseline deviation is detected, an MFA challenge will be triggered. Which of the following should be configured in order to deploy the proposal?

a. Context-aware authentication
b. Simultaneous authentication of equals
c. Extensive authentication protocol
d. Agentless network access control

A

a. Context-aware authentication

Explanation:

Context-aware authentication involves using various contextual factors, such as user location, time of access, device type, and typical behavior patterns, to establish a baseline of normal activity for users.
When there is a deviation from this baseline (such as unusual sign-in properties), it can trigger additional security measures like Multi-Factor Authentication (MFA).
In this scenario, configuring context-aware authentication allows for the detection of baseline deviations and the subsequent triggering of MFA challenges, aligning with the security proposal described.
19
Q

Which of the following secure coding techniques makes compromised code more difficult for hackers to use?

a. Obfuscation
b. Normalization
c. Execution
d. Reuse

A

a. Obfuscation

Explanation:

Obfuscation is a technique used to make code more difficult to understand or reverse-engineer.
It involves transforming code in a way that preserves its functionality but makes it harder for attackers to analyze.
If obfuscated code is compromised, it is harder for attackers to understand or exploit its logic quickly, which increases the complexity and effort required to use the compromised code effectively.
20
Q

As part of a security compliance assessment, an auditor performs automated vulnerability scans. In addition, which of the following should the auditor do to complete the assessment?

a. User behavior analysis
b. Packet captures
c. Configuration reviews
d. Log analysis

A

c. Configuration reviews

Explanation:

While automated vulnerability scans are essential for identifying technical vulnerabilities, configuration reviews are necessary to assess whether systems, networks, and applications are configured securely according to best practices and compliance requirements.
Configuration reviews involve examining settings, policies, access controls, and configurations against established benchmarks or standards to ensure they align with security policies and industry best practices.
Together with vulnerability scans, configuration reviews provide a comprehensive view of the security posture of the organization's IT infrastructure, ensuring that both technical vulnerabilities and misconfigurations are identified and remediated.
21
Q

A database administrator wants to grant access to an application that will be reading and writing data to a database. The database is shared by other applications also used by the finance department. Which of the following account types is MOST appropriate for this purpose?

a. Service
b. Shared
c. Generic
d. Admin

A

a. Service

Explanation:

A service account is designed for applications and services that need to access resources such as databases without human intervention.
It provides controlled access to specific resources and can be configured with minimal privileges necessary for the application's functions.
Unlike admin accounts, which typically have broader permissions, service accounts are restricted to specific tasks, reducing the risk of accidental or unauthorized access to sensitive data.
22
Q

A security analyst generated a file named host1.pcap and shared it with a team member who is going to use it for further incident analysis. Which of the following tools will the other team member MOST likely use to open this file?

a. Autopsy
b. Memdump
c. FTK imager
d. Wireshark

A

d. Wireshark

Wireshark is a widely used network protocol analyzer that allows users to capture and interactively browse the traffic running on a computer network. It supports the opening and analysis of .pcap files, making it ideal for examining network traffic for incident analysis.

Autopsy and FTK Imager are forensic analysis tools primarily used for examining disk images and file systems, which are not typically used for analyzing network packet captures.

Memdump refers to memory dump analysis, which is used for examining the contents of computer memory, rather than network packet captures.
23
Q

An application developer accidentally uploaded a company’s code-signing certificate private key to a public web server. The company is concerned about malicious use of its certificate. Which of the following should the company do FIRST?

a. Delete the private key from the repository.
b. Verify the public key is not exposed as well.
c. Update the DLP solution to check for private keys.
d. Revoke the code-signing certificate.

A

d. Revoke the code-signing certificate.

Explanation:

When a company's code-signing certificate private key is compromised or exposed, the first step should be to revoke the certificate. Revocation ensures that any signatures made with the compromised key are no longer trusted.
After revoking the certificate, the company should also delete the private key from any public repositories to prevent further misuse.
Verifying the exposure of the public key and updating DLP solutions are important steps, but revocation should be prioritized to mitigate immediate risks.
24
Q

An organization implemented a process that compares the settings currently configured on systems against secure configuration guidelines in order to identify any gaps. Which of the following control types has the organization implemented?

a. Compensating
b. Corrective
c. Preventive
d. Detective

A

d. Detective

Explanation:
The organization has implemented a detective control. Detective controls are designed to detect and alert on deviations from established security policies, procedures, or standards. In this case, comparing the current system settings against secure configuration guidelines helps to detect any gaps or deviations that may exist, allowing the organization to take corrective actions.

25
Q

The Chief Information Security Officer directed a risk reduction in shadow IT and created a policy requiring all unsanctioned high-risk SaaS applications to be blocked from user access. Which of the following is the BEST security solution to reduce this risk?

a. CASB
b. VPN concentrator
c. MFA
d. VPC endpoint

A

a. CASB

Explanation:
CASB (Cloud Access Security Broker) is the best security solution to reduce the risk of shadow IT and unsanctioned high-risk SaaS applications. CASBs provide visibility into cloud application usage, enforce security policies, and control access to cloud services. By using CASB, organizations can monitor and block access to unsanctioned SaaS applications based on security policies, thereby reducing the risk associated with shadow IT.

VPN concentrator:
VPN concentrators are used to provide secure remote access to corporate networks. They do not specifically address the visibility and control needed over SaaS applications or shadow IT. While they can secure communications between users and the corporate network, they do not provide detailed visibility into cloud application usage or the ability to enforce policies on specific SaaS applications.

MFA (Multi-Factor Authentication):
MFA enhances security by requiring additional factors beyond just a password for authentication. While important for access security, MFA does not provide visibility or control over the use of SaaS applications. It addresses user authentication rather than the management of cloud application usage or the identification of unauthorized SaaS applications.

VPC endpoint (Virtual Private Cloud endpoint):
VPC endpoints enable private connections between a VPC and supported AWS services or other services hosted by AWS. They facilitate secure communication without exposing traffic to the public internet. However, they do not address the visibility into SaaS applications or the enforcement of policies related to shadow IT. VPC endpoints are specific to AWS services and do not provide comprehensive control over external SaaS applications used by employees.

In contrast, CASB (Cloud Access Security Broker) solutions are specifically designed to monitor, manage, and secure the use of cloud applications and services, including SaaS applications. They provide visibility into which applications are being used, enforce security policies based on risk assessments, and can block access to unsanctioned applications. Therefore, CASB is the most appropriate choice for addressing the risk of shadow IT and unsanctioned SaaS applications.

26
Q

A technician enables full disk encryption on a laptop that will be taken on a business trip. Which of the following does this process BEST protect?

a. Data in transit
b. Data in processing
c. Data at rest
d. Data tokenization

A

c. Data at rest

Explanation:

Data at rest refers to data that is stored physically in any digital form (e.g., databases, files, etc.). When full disk encryption is enabled, all data stored on the laptop's disk is encrypted. This means that if the laptop is lost or stolen, unauthorized users cannot access the data without the encryption key, thus protecting the data at rest.

Data in transit refers to data actively moving from one location to another over a network. Full disk encryption does not directly protect data while it is being transmitted over a network; other encryption methods (such as SSL/TLS for web traffic) are used to protect data in transit.

Data in processing refers to data being accessed and manipulated by applications or processes. Full disk encryption does not inherently protect data that is actively being used by the operating system or applications; it focuses on protecting data when it is stored on the disk.

Data tokenization is a method used to protect sensitive data by replacing it with unique identification symbols (tokens) that retain essential information about the data without compromising its security. It is different from encryption, which secures data by transforming it into a ciphertext that can be reversed only with a decryption key.
27
Q

A security analyst was called to investigate a file received directly from a hardware manufacturer. The analyst is trying to determine whether the file was modified in transit before installation on the user’s computer. Which of the following can be used to safely assess the file?

a. Check the hash of the installation file.
b. Match the file names.
c. Verify the URL download location.
d. Verify the code signing certificate.

A

a. Check the hash of the installation file.

Explanation:

Hash Verification: This involves calculating and comparing the hash value (like MD5, SHA-256, etc.) of the downloaded file with the hash value provided by the hardware manufacturer. If the hash values match, it indicates that the file has not been altered during transit.

Why this is the best option:
    Checking the hash ensures the integrity of the file. Even if the file is intercepted and modified during transit, the hash value would change, alerting the analyst to potential tampering.
    Matching file names and verifying the URL download location do not provide the same level of assurance against tampering as hash verification.
    Verifying the code signing certificate is useful for ensuring the authenticity of the software publisher, but it does not directly confirm whether the file was modified during transit.

28
Q

A help desk technician receives a phone call from someone claiming to be a part of the organization’s cybersecurity incident response team. The caller asks the technician to verify the network’s internal firewall IP Address. Which of the following is the technician’s BEST course of action?

a. Direct the caller to stop by the help desk in person and hang up declining any further requests from the caller.
b. Ask for the caller’s name, verify the person’s identity in the email directory, and provide the requested information over the phone.
c. Write down the phone number of the caller if possible, the name of the person requesting the information, hang up, and notify the organization’s cybersecurity officer.
d. Request the caller send an email for identity verification and provide the requested information via email to the caller.

A

c. Write down the phone number of the caller if possible, the name of the person requesting the information, hang up, and notify the organization’s cybersecurity officer.

Explanation:

Verify Identity: Asking for the caller's name and verifying it against the email directory is a good first step, but it's not foolproof. Attackers can sometimes spoof identities or use social engineering to gain information.
Notification: Writing down the caller's phone number and name and then notifying the organization's cybersecurity officer ensures that a higher authority can verify the legitimacy of the request. This is crucial in cases where sensitive information like firewall IP addresses is involved.
Declining Further Requests: Hanging up and declining further requests from the caller is important to prevent potential manipulation or unauthorized disclosure of sensitive information.

Options a, b, and d either involve potentially providing information to an unverified caller or do not prioritize verification and escalation to a higher authority, which could lead to security risks.

Therefore, option c is the most appropriate response to ensure security protocols are followed and the organization’s information remains protected.

(Braindump : d. Request the caller send an email for identity verification and provide the requested information via email to the caller)

29
Q

Which of the following would BEST provide detective and corrective controls for thermal regulation?

a. A smoke detector
b. A fire alarm
c. An HVAC system
d. A fire suppression system
e. Guards

A

c. An HVAC system

Explanation:

An HVAC (Heating, Ventilation, and Air Conditioning) system is designed not only to regulate temperature but also to monitor and control environmental conditions such as humidity and air quality.
HVAC systems typically have sensors that can detect anomalies in temperature and automatically adjust heating or cooling to maintain optimal conditions.
In the context of providing detective controls, HVAC systems can generate alerts or notifications when temperature thresholds are exceeded, indicating potential issues.
For corrective controls, HVAC systems can autonomously adjust settings or activate alarms to alert personnel to take action, such as maintenance or repairs, to prevent overheating or other thermal-related problems.

While options like smoke detectors (a), fire alarms (b), and fire suppression systems (d) are important for fire detection and prevention, they do not directly address thermal regulation concerns as comprehensively as an HVAC system. Guards (e) are physical security measures and do not provide environmental monitoring or regulation capabilities like an HVAC system does.

30
Q

Which of the following is a benefit of including a risk management framework into an organization’s security approach?

a. It defines expected service levels from participating supply chain partners to ensure system outages are remediated in a timely manner.
b. It identifies specific vendor products that have been tested and approved for use in a secure environment.
c. It provides legal assurances and remedies in the event a data breach occurs.
d. It incorporates control, development, policy, and management activities into IT operations.

A

d. It incorporates control, development, policy, and management activities into IT operations.

Explanation:
A risk management framework (RMF) provides several benefits to an organization’s security approach:

Incorporates control, development, policy, and management activities: RMF integrates various aspects of IT operations, including identifying risks, implementing controls, developing policies, and managing security across the organization. This integration helps ensure that security considerations are embedded throughout the organization's processes and activities.

Option a: This describes more about service level agreements (SLAs) and supply chain management, not directly related to the core benefits of a risk management framework.

Option b: This pertains to product testing and approval, which is part of security assessments but not the primary benefit of an RMF.

Option c: Legal assurances and remedies typically come from compliance frameworks and regulations rather than directly from an RMF.

Therefore, option d is the best answer as it highlights how an RMF helps organizations structure and integrate their security efforts comprehensively.

31
Q

An organization maintains several environments in which patches are developed and tested before being deployed to an operational status. Which of the following is the environment in which patches will be deployed just prior to being put into an operational status?

a. Development
b. Test
c. Production
d. Staging

A

d. Staging

The environment in which patches will be deployed just prior to being put into an operational status is typically referred to as the Staging environment.

Explanation:

Development: This environment is where patches and new software are initially developed and coded.
Test: After development, patches are tested in this environment to ensure they function correctly and do not introduce new issues.
Staging: The staging environment is used for final testing before deployment to production. It mimics the production environment closely, allowing for realistic testing of patches and updates.
Production: This is the live environment where applications and systems are used by end-users.

32
Q

During a trial, a judge determined evidence gathered from a hard drive was not admissible. Which of the following BEST explains this reasoning?

a. The forensic investigator forgot to run a checksum on the disk image after creation.
b. The chain of custody form did not note time zone offsets between transportation regions.
c. The computer was turned off, and a RAM image could not be taken at the same time.
d. The hard drive was not properly kept in an antistatic bag when it was moved.

A

b. The chain of custody form did not note time zone offsets between transportation regions.

Explanation:

Chain of Custody: This refers to the documented trail showing the seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence. It ensures that evidence is handled properly and maintains its integrity.
Time Zone Offsets: When evidence is moved across different time zones, it is crucial to document any changes in time to establish a clear timeline of events and ensure the integrity of the evidence.

If the chain of custody form did not accurately note the time zone offsets during transportation of the hard drive, it could raise doubts about the continuity and integrity of the evidence. This lack of documentation could lead to the judge ruling the evidence as inadmissible due to concerns over its handling and authenticity.

33
Q

An organization wants to implement a biometric system with the highest likelihood that an unauthorized user will be denied access. Which of the following should the organization use to compare biometric solutions?

a. FRR
b. Difficulty of use
c. Cost
d. FAR
e. CER

A

d. FAR (False Acceptance Rate)

Explanation:

False Acceptance Rate (FAR): FAR represents the probability that the system incorrectly identifies an unauthorized user as an authorized user. A lower FAR indicates a lower likelihood of unauthorized access, as it means the system is less likely to incorrectly accept someone who should not have access.

In contrast:

False Rejection Rate (FRR): FRR represents the probability that the system incorrectly rejects an authorized user. While minimizing FRR is also important for user convenience, minimizing FAR is critical for security to ensure that unauthorized users are not granted access.

Therefore, by comparing biometric solutions based on their FAR values, the organization can select a system that provides the highest likelihood of denying access to unauthorized users.

(Braindump : e. CER)

34
Q

A company recently experienced a significant data loss when proprietary information was leaked to a competitor. The company took special precautions by using proper labels; however, email filter logs do not have any record of the incident. An investigation confirmed the corporate network was not breached, but documents were downloaded from an employee’s COPE tablet and passed to the competitor via cloud storage. Which of the following is the BEST remediation for this data leak?

a. User training
b. CASB
c. MDM
d. DLP

A

d. DLP (Data Loss Prevention)

Explanation:

DLP (Data Loss Prevention): DLP solutions are designed to monitor and control the movement of sensitive data within and outside the organization's network. They can detect and prevent unauthorized transfers of sensitive information, such as documents being uploaded to unauthorized cloud storage services.

CASB (Cloud Access Security Broker): While CASB solutions can monitor and control the use of cloud services and applications, they typically work in conjunction with DLP solutions rather than being a direct replacement. CASB focuses more on securing cloud applications and data rather than detecting data leaks from devices.

MDM (Mobile Device Management): MDM solutions manage and secure mobile devices like tablets, including enforcing policies and managing access controls. However, in this case, the issue is not with device management but with preventing unauthorized data transfers.

User Training: While user training is crucial for security awareness, it alone may not prevent sophisticated data leaks involving intentional data exfiltration via personal cloud storage.

(Braindump : b. CASB)
Explanation: While data loss prevention is the goal, in order to implement DLP in cloud applications you need to deploy a CASB.

35
Q

An attacker was eavesdropping on a user who was shopping online. The attacker was able to spoof the IP address associated with the shopping site. Later, the user received an email regarding the credit card statement with unusual purchases. Which of the following attacks took place?

a. On-path attack
b. Protocol poisoning
c. Domain hijacking
d. Bluejacking

A

a. On-path attack

Explanation:

On-path attack: In this type of attack, the attacker intercepts communication between two parties (in this case, the user and the shopping site) and can alter or eavesdrop on the data being transmitted. By spoofing the IP address of the shopping site, the attacker can misdirect the user’s communication, leading to potential interception of sensitive information like credit card details. This aligns with the scenario where the user later receives an email about unusual purchases, indicating that their credit card information may have been compromised during the transaction.

36
Q

A company is considering transitioning to the cloud. The company employs individuals from various locations around the world. The company does not want to increase its on premises infrastructure blueprint and only wants to pay for additional compute power required. Which of the following solutions would BEST meet the needs of the company?

a. Private cloud
b. Hybrid environment
c. Managed security service provider
d. Hot backup site

A

b. Hybrid environment

Here’s why:

Hybrid environment combines aspects of both public and private clouds, allowing the company to leverage the benefits of both models. In this scenario:
    The company can keep critical or sensitive data and applications on-premises or in a private cloud for security and compliance reasons.
    It can use public cloud resources to scale compute power as needed without investing in additional on-premises infrastructure.
    Employees from various locations around the world can access cloud resources easily, promoting flexibility and scalability.

Private clouds are hosted on-premises or by a third-party provider and offer dedicated resources for a single organization.
While private clouds provide more control and security, they typically require initial infrastructure investment and may not scale as flexibly as needed without additional hardware.

MSSPs offer outsourced monitoring and management of security devices and systems.
While MSSPs can enhance security posture, they do not directly address the company's need for scalable compute resources without increasing on-premises infrastructure.

A hot backup site is a replicated data center that mirrors the primary data center, ready to take over operations if the primary site fails.
While important for disaster recovery and business continuity, it doesn't directly address the requirement for additional compute power on demand without increasing infrastructure.

37
Q

After multiple on premises security solutions were migrated to the cloud, the incident response time increased. The analysts are spending a long time trying to trace information on different cloud consoles and correlating data in different formats. Which of the following can be used to optimize the incident response time?

a. CASB
b. VPC
c. SWG
d. CMS

A

a. CASB (Cloud Access Security Broker)

Here’s why CASB is the most appropriate choice:

Centralized Visibility and Control: CASB solutions provide centralized visibility into cloud services being used across the organization, including shadow IT, and enforce security policies consistently across all cloud services.

Data Correlation and Analysis: CASBs enable security teams to correlate data from various cloud services into a single console. This helps in quickly identifying and responding to security incidents without having to switch between multiple cloud consoles.

Incident Response Automation: Some CASB solutions offer incident response automation capabilities, which can further streamline response times by automating routine tasks and responses to security incidents.

Compliance Monitoring: CASBs assist in monitoring compliance with security policies and regulatory requirements across all cloud services, which is crucial after migrating security solutions to the cloud.

Why the Other Options are Less Suitable:

VPC (Virtual Private Cloud): VPCs provide isolated network environments within the cloud, focusing on network segmentation rather than incident response optimization.

SWG (Secure Web Gateway): SWGs are typically used for web traffic security, not for optimizing incident response across various cloud services.

CMS (Content Management System): CMS platforms are used for managing digital content and do not address incident response or security management in cloud environments.

38
Q

Which of the following control types would be BEST to use in an accounting department to reduce losses from fraudulent transactions?

a. Recovery
b. Deterrent
c. Corrective
d. Detective

A

b. Deterrent

Reasoning:

Deterrent controls are designed to discourage potential perpetrators from committing fraudulent activities by emphasizing the potential consequences or highlighting the difficulty of successfully carrying out such activities.

In an accounting department, deterrent controls can include policies and procedures that clearly outline the consequences of fraud, regular audits and reviews, segregation of duties to prevent collusion, and strong authentication and authorization mechanisms for financial transactions.

Unlike corrective controls, which are implemented after an incident has occurred, deterrent controls aim to prevent fraudulent activities from happening in the first place by creating a strong deterrent effect.

Recovery controls:
Purpose: Recovery controls are focused on recovering from incidents after they have occurred, such as through insurance policies or backup systems. They do not directly prevent fraudulent transactions but rather aim to mitigate the impact after the fact.

Corrective controls:
Purpose: Corrective controls are implemented to correct issues that led to fraudulent transactions once they have been identified. Examples include improving internal controls or conducting forensic investigations post-incident. They do not prevent fraud proactively but rather respond to it after detection.

Detective controls:
Purpose: Detective controls are used to detect fraudulent transactions after they have occurred. Examples include monitoring and analytics tools that identify unusual or suspicious activities. While detective controls are important for detecting fraud early, they do not prevent fraud from happening in the first place.

39
Q

A company is receiving emails with links to phishing sites that look very similar to the company’s own website address and content. Which of the following is the BEST way for the company to mitigate this attack?

a. Create a honeynet to trap attackers who access the VPN with credentials obtained by phishing.
b. Generate a list of domains similar to the company’s own and implement a DNS sinkhole for each.
c. Disable POP and IMAP on all Internet-facing email servers and implement SMTPS.
d. Use an automated tool to flood the phishing websites with fake usernames and passwords.

A

b. Generate a list of domains similar to the company’s own and implement a DNS sinkhole for each.

Explanation:

DNS Sinkholing: This approach involves redirecting traffic from known malicious domains (or domains that resemble the company's legitimate domain) to a non-existent or controlled server. By implementing DNS sinkholing for domains similar to the company's own, the company can prevent users from accessing phishing sites that mimic its domain. This method is effective because it doesn't rely on users recognizing phishing emails but rather blocks access to malicious sites at the network level.

Let’s briefly assess why the other options are less effective or inappropriate:

a. Create a honeynet to trap attackers who access the VPN with credentials obtained by phishing: While honeynets can be useful for detecting and monitoring attackers, they are not directly mitigating the phishing attack itself. They focus more on detecting post-compromise activities rather than preventing initial phishing attempts.

c. Disable POP and IMAP on all Internet-facing email servers and implement SMTPS: This would enhance email server security but does not directly address the issue of users being lured to phishing sites that resemble the company's domain.

d. Use an automated tool to flood the phishing websites with fake usernames and passwords: This approach is not recommended as it can lead to legal and ethical issues (e.g., creating potential harm to innocent parties or violating laws against unauthorized access). It also does not prevent users from falling victim to phishing attacks.

40
Q

A SOC operator is receiving continuous alerts from multiple Linux systems indicating that unsuccessful SSH attempts to a functional user ID have been attempted on each one of them in a short period of time. Which of the following BEST explains this behavior?

a. Rainbow table attack
b. Password spraying
c. Logic bomb
d. Malware bot

A

b. Password spraying

Explanation:

Password Spraying: This attack involves attempting a small number of commonly used passwords or passwords based on known information (such as the company name or season) against multiple accounts or systems. Unlike brute force attacks that target one user with many passwords, password spraying targets many users with a few common passwords. This method is effective because it can evade traditional brute force detection mechanisms and still potentially gain access if weak passwords are in use.

Let’s briefly assess why the other options are less likely:

a. Rainbow table attack: Rainbow table attacks are used to crack passwords that have been hashed and stored insecurely. They involve precomputed hashes, not repeated attempts with the same password across different accounts or systems.

c. Logic bomb: A logic bomb is malicious code intentionally inserted into a system to execute a harmful action when certain conditions are met, such as a specific date or time. It is not related to repeated login attempts.

d. Malware bot: While bots can be involved in many types of attacks, such as distributed denial-of-service (DDoS) attacks or spreading malware, they typically do not engage in repeated unsuccessful login attempts unless specifically designed for that purpose.

41
Q

A tax organization is working on a solution to validate the online submission of documents. The solution should be carried on a portable USB device that should be inserted on any computer that is transmitting a transaction securely. Which of the following is the BEST certificate for these requirements?

a. User certificate
b. Self-signed certificate
c. Computer certificate
d. Root certificate

A

(Braindump : a. User certificate)
(Community : A 68%, C 24%)

User Certificate: User certificates specify which resources a given user can have access to. They are sometimes used on devices that several users share. When different users log in, their profile and certificate are automatically loaded, granting them access to their required information.

Self-signed certificate: A self-signed certificate is one that is not signed by a CA at all – neither private nor public. In this case, the certificate is signed with its own private key, instead of requesting it from a public or a private CA (Certificate Authority).

Root Certificate: Root certificates are the cornerstone of authentication and security in software and on the Internet. They’re issued by a certified authority (CA) and, essentially, verify that the software/website owner is who they say they are.

So for this verification I’m completely 100% sure it is A: User certificate

ChatGPT:
a. User certificate
Explanation:

A user certificate is best suited for validating the online submission of documents in this scenario. Here’s why:

User certificate: This type of certificate is typically issued to individual users and can be used for authentication, email encryption, and digital signatures. It ensures that the user submitting the document is authenticated and that the submission is secure. This fits well with the requirement to validate online submissions securely.

Self-signed certificate: These are certificates that are not issued by a trusted certificate authority (CA). They are generally not suitable for secure transactions over the internet because they cannot be independently verified by a third-party CA.

Computer certificate: This type of certificate is issued to devices to authenticate them on a network. While useful for ensuring that a device is trusted, it is not the best fit for validating user-submitted documents.

Root certificate: This is a top-level certificate in a certificate hierarchy, used to sign other certificates. While crucial for the overall PKI infrastructure, a root certificate itself is not used directly for end-user authentication or document submission.

Thus, a user certificate is the best option for securely validating the online submission of documents using a portable USB device.

42
Q

A routine audit of medical billing claims revealed that several claims were submitted without the subscriber’s knowledge. A review of the audit logs for the medical billing company’s system indicated a company employee downloaded customer records and adjusted the direct deposit information to a personal bank account.
Which of the following does this action describe?

a. Insider threat
b. Social engineering
c. Third-party risk
d. Data breach

A

a. Insider threat.

Explanation:

Insider threat: This refers to a threat posed to an organization's security and data by individuals within the organization, such as employees, contractors, or partners, who have authorized access. In this scenario, the employee has misused their authorized access to download customer records and manipulate direct deposit information for personal gain.

Social engineering: Involves manipulating individuals to divulge confidential information or perform actions that compromise security. While social engineering can be involved in some aspects of an insider threat (such as convincing someone to provide access), the primary issue here is the misuse of authorized access rather than external manipulation.

Third-party risk: Refers to risks associated with vendors, suppliers, or partners who have access to an organization's systems or data. There's no indication in the scenario that a third-party entity was directly involved in this incident.

Data breach: Involves unauthorized access to sensitive data. While the employee's actions could lead to data breaches, the core issue here is the misuse of access rather than an external breach.

43
Q

A recent audit cited a risk involving numerous low-criticality vulnerabilities created by a web application using a third-party library. The development staff state there are still customers using the application even though it is end of life and it would be a substantial burden to update the application for compatibility with more secure libraries. Which of the following would be the MOST prudent course of action?

a. Accept the risk if there is a clear road map for timely decommission.
b. Deny the risk due to the end-of-life status of the application.
c. Use containerization to segment the application from other applications to eliminate the risk.
d. Outsource the application to a third-party developer group.

A

a. Accept the risk if there is a clear road map for timely decommission.

Explanation:

Accept the risk if there is a clear road map for timely decommission: This option acknowledges the existence of low-criticality vulnerabilities in the web application due to the end-of-life status of the application and the burden associated with updating it. However, it proposes accepting the risk temporarily, under the condition that there is a clear plan and timeline for decommissioning the application. This approach allows the organization to continue serving existing customers while working towards a planned retirement or replacement of the application.

Deny the risk due to the end-of-life status of the application: Denying the risk might not be feasible as the vulnerabilities still exist regardless of the application's end-of-life status.

Use containerization to segment the application: While containerization can help isolate and mitigate risks, it doesn't directly address the underlying vulnerabilities in the third-party library.

Outsource the application to a third-party developer group: Outsourcing might introduce additional risks and complexities, especially if the application is already nearing its end-of-life phase.

(Braindump : c. Use containerization to segment the application from other applications to eliminate the risk.)

44
Q

A security analyst is evaluating solutions to deploy an additional layer of protection for a web application. The goal is to allow only encrypted communications without relying on network devices. Which of the following can be implemented?

a. HTTP security header
b. DNSSEC implementation
c. SRTP
d. S/MIME

A

a. HTTP security header

Explanation:

HTTP security header: Specifically, implementing the HTTP Strict Transport Security (HSTS) header ensures that all communication between the client and server occurs over HTTPS, thereby enforcing encrypted communications for the web application. This header instructs web browsers to only interact with the server using HTTPS, even if the user attempts to access the site over HTTP initially.

DNSSEC implementation: DNSSEC (Domain Name System Security Extensions) is used to authenticate DNS responses, ensuring that the domain name lookup results are not tampered with, but it does not directly enforce encrypted communications between the client and server.

SRTP (Secure Real-time Transport Protocol): SRTP is used for securing voice and video communications over IP networks, not typically used for securing web applications.

S/MIME (Secure/Multipurpose Internet Mail Extensions): S/MIME is used for securing email communications, not web applications.

45
Q

A company labeled some documents with the public sensitivity classification. This means the documents can be accessed by:

a. employees of other companies and the press.
b. all members of the department that created the documents.
c. only the company’s employees and those listed in the document.
d. only the individuals listed in the documents.

A

a. employees of other companies and the press.

Here’s why:

Public Sensitivity Classification: Typically, documents classified as "public" are intended to be accessible to anyone, including the general public, employees of other companies, and the press. This classification indicates that the information within these documents is not confidential and does not pose any risk to the company if widely distributed.

The other options are more restrictive and do not align with the “public” classification:

All members of the department that created the documents: This would imply a more restricted classification, such as "internal" or "departmental."
Only the company's employees and those listed in the document: This would be a more restricted classification, like "confidential" or "internal use only."
Only the individuals listed in the documents: This suggests a highly restricted classification, like "confidential" or "restricted."

46
Q

Which of the following is the MOST relevant security check to be performed before embedding third-party libraries in developed code?

a. Check to see if the third party has resources to create dedicated development and staging environments.
b. Verify the number of companies that downloaded the third-party code and the number of contributions on the code repository.
c. Assess existing vulnerabilities affecting the third-party code and the remediation efficiency of the libraries’ developers.
d. Read multiple penetration-testing reports for environments running software that reused the library.

A

c. Assess existing vulnerabilities affecting the third-party code and the remediation efficiency of the libraries’ developers.

Explanation:

Option a (Check to see if the third party has resources to create dedicated development and staging environments): While having dedicated environments is beneficial, it is not the most relevant security check when embedding third-party libraries. The primary concern should be the security of the code itself.

Option b (Verify the number of companies that downloaded the third-party code and the number of contributions on the code repository): The popularity and activity on a code repository can provide some insight into the library's reliability and community support, but they do not directly address the security aspects of the code.

Option d (Read multiple penetration-testing reports for environments running software that reused the library): Penetration-testing reports can be useful, but they are specific to particular environments and configurations. They might not cover all potential vulnerabilities of the library.

Option c is the most relevant security check because it directly addresses the security concerns related to the third-party library by assessing known vulnerabilities and the effectiveness of the developers in addressing those vulnerabilities. This check ensures that the library does not introduce security risks into the developed code.

47
Q

A help desk technician receives an email from the Chief Information Officer (CIO) asking for documents. The technician knows the CIO is on vacation for a few weeks. Which of the following should the technician do to validate the authenticity of the email?

a. Check the metadata in the email header of the received path in reverse order to follow the email’s path.
b. Hover the mouse over the CIO’s email address to verify the email address.
c. Look at the metadata in the email header and verify the “From:” line matches the CIO’s email address.
d. Forward the email to the CIO and ask if the CIO sent the email requesting the documents.

A

(Community: A 47%, D 40%)
ChatGPT & Brain Dump:
a. Check the metadata in the email header of the received path in reverse order to follow the email’s path.

Explanation:

Option a (Check the metadata in the email header of the received path in reverse order to follow the email's path): This method involves examining the email headers to trace the actual path the email took to reach the technician. It can help identify if the email originated from a legitimate source or if it was spoofed.

Option b (Hover the mouse over the CIO's email address to verify the email address): While this can reveal if the displayed email address matches the actual address, it does not provide complete information about the legitimacy of the email. Spoofed emails can still display the correct address.

Option c (Look at the metadata in the email header and verify the "From:" line matches the CIO's email address): Checking the "From:" line alone is not sufficient because it can be easily spoofed. Comprehensive analysis of the full header metadata is required.

Option d (Forward the email to the CIO and ask if the CIO sent the email requesting the documents): This is not practical if the CIO is on vacation and may not respond promptly. Additionally, forwarding a potentially malicious email can introduce risks.

48
Q

A company needs to validate its updated incident response plan using a real-world scenario that will test decision points and relevant incident response actions without interrupting daily operations. Which of the following would BEST meet the company’s requirements?

a. Red-team exercise
b. Capture-the-flag exercise
c. Tabletop exercise
d. Phishing exercise

A

c. Tabletop exercise

Explanation:

Option a (Red-team exercise): A red-team exercise involves simulating an attack to test the company's defenses. While effective, it can be disruptive to daily operations and is more about testing security defenses rather than decision-making processes in incident response.

Option b (Capture-the-flag exercise): This type of exercise is typically a competitive event that focuses on problem-solving and technical skills in a controlled environment. It is not designed to test an organization's incident response plan or decision-making processes.

Option c (Tabletop exercise): A tabletop exercise is a discussion-based session where team members walk through a simulated incident scenario and discuss their responses. It is an effective way to test decision points and incident response actions without interrupting daily operations, making it the best fit for the company's requirements.

Option d (Phishing exercise): A phishing exercise tests the organization's susceptibility to phishing attacks and typically focuses on the security awareness of employees. It does not validate an incident response plan or decision-making processes in the same comprehensive way as a tabletop exercise.

Option c (Tabletop exercise) is the best choice because it allows the company to validate its incident response plan by walking through a real-world scenario, testing decision points, and discussing relevant actions in a controlled, non-disruptive manner.

49
Q

Security analysts are conducting an investigation of an attack that occurred inside the organization’s network. An attacker was able to collect network traffic between workstations throughout the network. The analysts review the following logs:

VLAN Address
1 0007.1r5d.3213
1 002a.7d.44.8801
1 0011.aab4.344d

The Layer 2 address table has hundreds of entries similar to the ones above. Which of the following attacks has MOST likely occurred?

a. SQL injection
b. DNS spoofing
c. MAC flooding
d. ARP poisoning

A

c. MAC flooding

Explanation:

Option a (SQL injection): This is a type of attack that targets databases through web applications by injecting malicious SQL queries. It is unrelated to Layer 2 (data link layer) attacks and would not involve the Layer 2 address table.

Option b (DNS spoofing): This attack involves corrupting the DNS cache or responses to redirect traffic to a malicious site. It affects DNS resolution rather than the Layer 2 address table.

Option c (MAC flooding): This attack involves overwhelming a network switch's MAC address table with a large number of entries. Once the table is full, the switch can start broadcasting traffic to all ports, allowing an attacker to capture network traffic between other devices on the network. The provided logs with hundreds of similar entries suggest that the switch’s MAC address table has been flooded.

Option d (ARP poisoning): This attack involves sending falsified ARP messages over the network to associate the attacker's MAC address with the IP address of another device. This allows the attacker to intercept, modify, or stop data intended for the target IP address. While this could lead to interception of traffic, the scenario described fits more closely with MAC flooding due to the nature of the Layer 2 address table entries provided.

Option c (MAC flooding) is the most likely scenario because the large number of similar entries in the Layer 2 address table suggests the switch has been overwhelmed, causing it to operate in a way that exposes network traffic to the attacker.

50
Q

A security policy states that common words should not be used as passwords. A security auditor was able to perform a dictionary attack against corporate credentials. Which of the following controls was being violated?

a. Password complexity
b. Password history
c. Password reuse
d. Password length

A

a. Password complexity