Sy06 Exam Braindumps 201-250 Flashcards
Which of the following prevents an employee from seeing a colleague who is visiting an inappropriate website?
a. Job rotation policy
b. NDA
c. AUP
d. Separation of duties policy
c. AUP (Acceptable Use Policy)
Explanation:
Acceptable Use Policy (AUP): This policy outlines the acceptable and unacceptable use of an organization's IT resources. It sets clear guidelines for appropriate internet usage, which can include restrictions on accessing inappropriate websites. By enforcing an AUP, the organization can prevent employees from accessing inappropriate websites, thereby reducing the likelihood of others seeing such behavior.
Why not the others?:
Job rotation policy: This policy involves rotating employees through different jobs to reduce the risk of fraud and improve skills and knowledge. It does not directly address internet usage or prevent the visibility of inappropriate website visits. NDA (Non-Disclosure Agreement): An NDA is a legal contract that prevents individuals from disclosing confidential information. It does not govern or prevent internet usage behavior within an organization. Separation of duties policy: This policy ensures that no single individual has control over all aspects of a critical process, reducing the risk of fraud or error. It does not directly prevent inappropriate internet usage or visibility of such behavior.
An Acceptable Use Policy is the most relevant and effective measure to prevent employees from accessing inappropriate websites, thereby reducing the chance of others observing such behavior.
A user reports falling for a phishing email to an analyst. Which of the following system logs would the analyst check FIRST?
a. DNS
b. Message gateway
c. Network
d. Authentication
b. message gateway logs first.
Explanation:
Message Gateway Logs: These logs would provide information about incoming and outgoing emails, including details such as sender, recipient, subject, and attachments. They are crucial for identifying the phishing email itself, tracking its source, and potentially determining if similar emails were sent to other users.
Here’s why the other options are less likely the first choice:
DNS Logs: DNS logs primarily record DNS queries and responses, which are more useful for investigating domain resolution and network traffic patterns. They might not provide direct information about the phishing email content or delivery. Network Logs: Network logs encompass a broad range of activities such as traffic flow, connections, and potentially malicious activities like command and control communications. While useful for broader network security investigations, they might not directly reveal details about the phishing email content. Authentication Logs: Authentication logs track user login attempts and activities, which are important for investigating unauthorized access but are less relevant initially when dealing with a phishing incident where the focus is on the email and its handling.
Therefore, in the context of a user falling for a phishing email, checking the message gateway logs first would provide insights into the email’s characteristics, its delivery, and potentially aid in identifying further actions or communications related to the phishing incident.
An attacker has determined the best way to impact operations is to infiltrate third-party software vendors. Which of the following vectors is being exploited?
a. Social media
b. Cloud
c. Supply chain
d. Social Engineering
c. supply chain.
Explanation:
Supply chain: This refers to the network of suppliers and vendors that provide goods and services to an organization. In the context of cybersecurity, supply chain attacks involve targeting third-party vendors or suppliers to gain unauthorized access to systems or data of the targeted organization. By compromising a vendor or supplier, attackers can infiltrate the organization's network through trusted relationships or software dependencies.
Here’s why the other options are not correct in this context:
Social media: While social media can be used in social engineering attacks to gather information or manipulate users, it's not directly related to infiltrating third-party software vendors unless specific social engineering tactics are used against individuals within those vendors. Cloud: Cloud environments can be targeted in various ways, such as through misconfigurations or vulnerabilities, but this option doesn't directly address the tactic of infiltrating third-party vendors to impact operations. Social engineering: While social engineering involves manipulating individuals to divulge confidential information, in this context, the focus is more on the organizational supply chain and not solely on manipulating individuals.
Therefore, the most appropriate answer in the given scenario where the attacker targets third-party software vendors to impact operations is supply chain.
An organization would like to give remote workers the ability to use applications hosted inside the corporate network. Users will be allowed to use their personal computers, or they will be provided organization assets. Either way, no data or applications will be installed locally on any user systems. Which of the following mobile solutions would accomplish these goals?
a. VDI
b. MDM
c. COPE
d. UTM
a. VDI (Virtual Desktop Infrastructure).
Explanation:
VDI (Virtual Desktop Infrastructure): VDI allows users to access virtualized desktops hosted on servers within the corporate network. Users connect to these desktops remotely from their personal devices or organization-provided assets through a client application or web browser. Applications and data remain centralized within the corporate network, and users interact with them through the virtual desktop interface. This approach ensures that no data or applications are installed locally on user systems, enhancing security and control over corporate data.
Let’s briefly review the other options to understand why they are not the best fit:
MDM (Mobile Device Management): MDM is primarily used for managing and securing mobile devices (smartphones, tablets) that access corporate resources. It involves enforcing policies, configuring settings, and securing data on mobile devices. However, it doesn't provide a mechanism for accessing applications hosted inside the corporate network without installing them locally. COPE (Corporate-Owned, Personally-Enabled): COPE refers to a model where organizations provide employees with devices that are both owned and managed by the organization but can be used for personal purposes to some extent. It doesn't directly address the requirement of accessing applications without local installation on personal devices. UTM (Unified Threat Management): UTM refers to a comprehensive security solution that integrates multiple security features such as firewall, antivirus, intrusion detection/prevention, etc. It is not specifically related to providing remote access to applications without local installation.
Therefore, VDI is the most appropriate choice for allowing remote workers to use applications hosted inside the corporate network without installing data or applications locally on any user systems.
Which of the following is used to ensure that evidence is admissible in legal proceedings when it is collected and provided to the authorities?
a. Chain of custody
b. Legal hold
c. Event log
d. Artifacts
a. Chain of custody
Chain of custody refers to the documentation and processes used to establish the chronological history of evidence, from the moment it is collected to its presentation in legal proceedings. It ensures that the integrity of the evidence is preserved, showing who had custody of the evidence at any given time and what actions were performed with it. This documentation is crucial for proving the authenticity and admissibility of evidence in court or other legal proceedings.
b. Legal hold: While important for preserving potentially relevant data from being altered or destroyed, a legal hold specifically refers to preserving data that may be subject to litigation or investigation, rather than ensuring the admissibility of evidence in legal proceedings.
c. Event log: Event logs record system events and activities, which can be useful for forensic analysis and detecting security incidents. However, event logs themselves are not sufficient to ensure the admissibility of evidence in legal proceedings; they provide a record of events but do not establish the chain of custody required for legal validity.
d. Artifacts: Artifacts in cybersecurity refer to residual data left on a system after an activity has occurred. While artifacts can be valuable in investigations, they do not inherently ensure the admissibility of evidence. They are pieces of information that may corroborate findings but are not documentation of the custody of evidence.
Therefore, chain of custody is the correct answer because it specifically addresses the process of documenting and maintaining the integrity of evidence from collection through to presentation in legal contexts, ensuring its admissibility and reliability in court.
The Chief Information Security Officer (CISO) of a bank recently updated the incident response policy. The CISO is concerned that members of the incident response team do not understand their roles. The bank wants to test the policy but with the least amount of resources or impact. Which of the following BEST meets the requirements?
a. Warm site failover
b. Tabletop walk-through
c. Parallel path testing
d. Full outage simulation
b. Tabletop walk-through
Explanation:
Tabletop walk-through: This involves a simulated discussion of an incident scenario without actually executing any of the actions in the response plan. It allows team members to discuss their roles and responsibilities, evaluate the effectiveness of the policy, and identify any gaps or misunderstandings in a controlled environment. It requires minimal resources and does not disrupt normal operations.
The other options involve more significant resource allocation or potential disruption:
Warm site failover: This involves moving operations to a secondary site to simulate a disaster recovery scenario, which requires infrastructure and resources. Parallel path testing: This tests redundant systems simultaneously to ensure they can handle workload if one path fails, which could impact production systems. Full outage simulation: This simulates a complete outage scenario to test response and recovery procedures, which typically requires significant planning, resources, and disruption to normal operations.
Therefore, the tabletop walk-through is the most appropriate choice for testing the incident response policy in a low-impact manner while still achieving the goal of clarifying roles and responsibilities.
Which of the following control types fixes a previously identified issue and mitigates a risk?
a. Detective
b. Corrective
c. Preventative
d. Finalized
b. Corrective
Explanation:
Corrective controls are designed to fix or remediate identified issues or vulnerabilities after they have been identified through monitoring or assessments. Their primary purpose is to mitigate risks by addressing the root cause of problems that have already been identified.
Let’s briefly differentiate it from the other options:
Detective controls (option a) are used to identify and detect deviations from established security policies, procedures, or controls. They do not directly fix issues but rather alert administrators or analysts to investigate and take corrective action. Preventative controls (option c) are implemented to prevent or deter potential incidents or risks from occurring in the first place. They are proactive measures intended to reduce the likelihood or impact of security threats. Finalized (option d) is not a recognized control type in the context of security controls.
Therefore, among the options provided, the control type that specifically addresses and mitigates identified risks by fixing underlying issues is corrective control (option b).
An analyst is reviewing logs associated with an attack. The logs indicate an attacker downloaded a malicious file that was quarantined by the AV solution. The attacker utilized a local non-administrative account to restore the malicious file to a new location. The file was then used by another process to execute a payload.
Which of the following attacks did the analyst observe?
a. Privilege escalation
b. Request forgeries
c. Injection
d. Replay attack
Braindump : c. Injection
a. Privilege escalation
Explanation:
The attacker initially downloaded a malicious file, which was quarantined by the antivirus (AV) solution. This indicates the file was recognized as malicious, but the attacker managed to restore it. The attacker then used a local non-administrative account to restore the file to a new location. This action suggests the attacker gained permissions or escalated privileges to bypass restrictions on executing the file. Finally, the restored file was used by another process to execute a payload, leveraging the compromised privileges to carry out malicious actions.
In summary, this sequence of events describes an attack where the attacker escalated their privileges from a non-administrative account to restore and execute a malicious file, thereby achieving privilege escalation.
Injection: injection attacks involve inserting malicious code or commands into a system or application. This usually targets vulnerabilities in input fields or parameters. The scenario described does not involve injecting code into the system but rather manipulating and executing a quarantined file with escalated privileges.
Request forgeries (CSRF): Cross-Site Request Forgery (CSRF) involves tricking a user into performing actions they did not intend to do, typically on another website where they are authenticated. This attack is not relevant here as the scenario describes actions within the local system, not across different web applications.
Replay attack: In a replay attack, an attacker intercepts and reuses valid data transmissions between parties. This scenario does not involve replaying intercepted data; instead, it focuses on downloading, restoring, and executing a quarantined malicious file with escalated privileges.
A security engineer must deploy two wireless routers in an office suite. Other tenants in the office building should not be able to connect to this wireless network.
Which of the following protocols should the engineer implement to ensure the STRONGEST encryption?
a. WPS
b. WPA2
c. WAP
d. HTTPS
b. WPA2 (Wi-Fi Protected Access 2).
Explanation
WPA2 (Wi-Fi Protected Access 2): This protocol provides strong encryption using the AES (Advanced Encryption Standard) algorithm, which is widely regarded as secure for protecting wireless networks. It offers better security than its predecessor, WPA, and should be used whenever possible to prevent unauthorized access and eavesdropping on wireless communications. WPS (Wi-Fi Protected Setup): While WPS can simplify the process of connecting devices to a wireless network, it has known vulnerabilities and should generally be avoided or disabled if security is a primary concern. WAP (Wireless Application Protocol): WAP is not an encryption protocol but rather a technical standard for accessing information over a wireless network. It is unrelated to securing wireless networks. HTTPS (Hypertext Transfer Protocol Secure): HTTPS is a protocol used for secure communication over a computer network and is specifically designed for secure transmission of data over the internet, not for securing local wireless networks.
Therefore, WPA2 is the correct choice to ensure the strongest encryption and security for the wireless routers in the office suite, preventing unauthorized access from other tenants in the building.
An attacker browses a company’s online job board attempting to find any relevant information regarding the technologies the company uses. Which of the following BEST describes this social engineering technique?
a. Hoax
b. Reconnaissance
c. Impersonation
d. Pretexting
b. Reconnaissance.
Explanation:
Reconnaissance in the context of social engineering involves gathering information about a target organization or individual. This phase is typically part of the initial stages of an attack where the attacker collects data to understand the target's technology infrastructure, processes, employee details, or any other relevant information that can aid in planning an attack. In this scenario, browsing the company's online job board to gather information about the technologies they use falls under reconnaissance. This information can be valuable for crafting targeted attacks or exploiting vulnerabilities related to specific technologies employed by the company.
a. Hoax: A hoax is a deceptive act intended to trick or deceive individuals or organizations into believing something false. It typically involves spreading false information or rumors with the intention of causing confusion or disruption rather than gathering information.
c. Impersonation: Impersonation involves pretending to be someone else, usually a trusted entity or individual, to deceive others into divulging sensitive information, granting access, or performing actions they wouldn’t otherwise do.
d. Pretexting: Pretexting is a social engineering technique where an attacker creates a fabricated scenario or pretext to manipulate individuals into disclosing information or performing actions they wouldn’t typically do under normal circumstances.
In contrast to reconnaissance, which focuses on gathering information about the target, the other options involve different methods of social engineering that are used at different stages of an attack. Reconnaissance is foundational for understanding the target environment before launching more specific attacks or crafting convincing social engineering scenarios.
During an incident response process involving a laptop, a host was identified as the entry point for malware. The management team would like to have the laptop restored and given back to the user. The cybersecurity analyst would like to continue investigating the intrusion on the host. Which of the following would allow the analyst to continue the investigation and also return the laptop to the user as soon as possible?
a. dd
b. memdump
c. tcpdump
d. head
a. dd
Here’s why:
dd: This command-line utility is used to create a bit-by-bit copy of an entire hard drive or a specific partition. By using dd, the cybersecurity analyst can create a full forensic image of the laptop's hard drive. This image can then be analyzed in detail without needing to keep the physical laptop. This allows the analyst to continue the investigation on the forensic image while the laptop is restored and returned to the user.
Let’s briefly review the other options:
memdump: This tool captures the contents of a computer's RAM. While useful for capturing volatile memory data, it does not provide a complete picture of the system's state and would not allow for a full investigation of the intrusion, especially if the analyst needs to examine files on the disk. tcpdump: This tool captures network traffic. It is useful for network forensics but does not help in creating a copy of the laptop's hard drive for detailed analysis of the malware and its effects on the system. head: This command is used to display the first few lines of a file. It is not relevant for creating forensic images or for detailed investigations.
Therefore, dd is the best option as it allows the analyst to create a complete forensic image of the laptop’s hard drive, enabling a thorough investigation while the laptop is restored and returned to the user.
An analyst is trying to identify insecure services that are running on the internal network. After performing a port scan, the analyst identifies that a server has some insecure services enabled on default ports. Which of the following BEST describes the services that are currently running and the secure alternatives for replacing them? (Choose three.)
a. SFTP, FTPS
b. SNMPv2, SNMPv3
c. HTTP, HTTPS
d. TFTP, FTP
e. SNMPv1, SNMPv2
f. Telnet, SSH
g. TLS, SSL
h. POP, IMAP
i. Login, rlogin
b. SNMPv2, SNMPv3
c. HTTP, HTTPS
f. Telnet, SSH
Telnet, SSH:
Current: Telnet (port 23) Secure Alternative: SSH (port 22) Reason: Telnet sends data in clear text, while SSH encrypts the communication, providing confidentiality and integrity.
HTTP, HTTPS:
Current: HTTP (port 80) Secure Alternative: HTTPS (port 443) Reason: HTTPS uses SSL/TLS to encrypt HTTP traffic, protecting data from interception and tampering.
SNMPv1, SNMPv2, SNMPv3:
Current: SNMPv1 (port 161), SNMPv2 (port 161), SNMPv3 (port 161) Secure Alternative: SNMPv3 (or SNMPv2c with strong community string management) Reason: SNMPv3 provides encryption and authentication, addressing vulnerabilities present in SNMPv1 and SNMPv2.
A security analyst needs to produce a document that details how a security incident occurred, the steps that were taken for recovery, and how future incidents can be avoided. During which of the following stages of the response process will this activity take place?
a. Recovery
b. Identification
c. Lessons learned
d. Preparation
c. Lessons learned
During the Lessons learned stage, the security team and stakeholders analyze the incident response process. They document the incident timeline, actions taken, outcomes, and identify areas for improvement to prevent similar incidents in the future. This documentation helps enhance incident response procedures, update policies, and improve security posture based on the lessons derived from the incident.
An administrator is configuring a firewall rule set for a subnet to only access DHCP, web pages, and SFTP, and to specifically block FTP. Which of the following would BEST accomplish this goal?
a. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 67
Allow: Any Any 68
Allow: Any Any 22
Deny: Any Any 21
Deny: Any Any
b. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 67
Allow: Any Any 68
Deny: Any Any 22
Allow: Any Any 21
Deny: Any Any
c. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 22
Deny: Any Any 67
Deny: Any Any 68
Deny: Any Any 21
Allow: Any Any
d. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Deny: Any Any 67
Allow: Any Any 68
Allow: Any Any 22
Allow: Any Any 21
Allow: Any Any
a.
[Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 67
Allow: Any Any 68
Deny: Any Any 22
Deny: Any Any 21
Deny: Any Any
Explanation:
Allow: Any Any 80: Allows access to web pages (HTTP). Allow: Any Any 443: Allows access to web pages over HTTPS. Allow: Any Any 67: Allows DHCP traffic (both UDP port 67 for server and 68 for client). Allow: Any Any 68: Allows DHCP traffic (both UDP port 67 for server and 68 for client). Deny: Any Any 22: Blocks SSH traffic, which is not listed as a permitted service. Deny: Any Any 21: Specifically denies FTP traffic. Deny: Any Any: Denies all other traffic implicitly that is not explicitly allowed.
This rule set ensures that only DHCP, web pages, and SFTP traffic is allowed, and FTP traffic is specifically blocked. Therefore, option b is the best choice to accomplish the stated goal.
While investigating a recent security incident, a security analyst decides to view all network connections on a particular server. Which of the following would provide the desired information?
a. arp
b. nslookup
c. netstat
d. nmap
c. netstat
Explanation:
netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, interface statistics, masquerade connections, and multicast memberships. By running netstat on a server, a security analyst can view active connections, listening ports, and related network details, which are crucial for investigating network activity during a security incident. arp: The arp command (Address Resolution Protocol) displays and modifies entries in the Address Resolution Protocol (ARP) cache, which maps IP addresses to MAC addresses on a local network. nslookup: The nslookup command is used to query DNS servers to obtain DNS-related information such as IP addresses corresponding to hostnames or vice versa. nmap: The nmap command (Network Mapper) is a powerful network scanning tool used to discover hosts and services on a computer network, thus providing detailed information about the network.
While all these tools are useful in different scenarios for network investigations or troubleshooting, when specifically needing to view all network connections on a server, netstat is typically the tool of choice because it directly shows active connections and related network details on the local machine.
A company recently decided to allow its employees to use their personally owned devices for tasks like checking email and messaging via mobile applications. The company would like to use MDM, but employees are concerned about the loss of personal data. Which of the following should the IT department implement to BEST protect the company against company data loss while still addressing the employees’ concerns?
a. Enable the remote-wiping option in the MDM software in case the phone is stolen.
b. Configure the MDM software to enforce the use of PINs to access the phone.
c. Configure MDM for FDE without enabling the lock screen.
d. Perform a factory reset on the phone before installing the company’s applications.
b. Configure the MDM software to enforce the use of PINs to access the phone.
Here’s why:
Enforcing PINs to access the phone: This measure ensures that the device is secured with a PIN, preventing unauthorized access to both personal and company data if the phone is lost or stolen. It addresses the security requirement without intruding into personal data or creating concerns about personal data loss.
Let’s briefly review the other options:
Enable the remote-wiping option in the MDM software in case the phone is stolen: While this is a strong security measure for protecting company data, it could lead to personal data loss, which is a primary concern for employees. Configure MDM for FDE without enabling the lock screen: Full Disk Encryption (FDE) is a good security practice, but not enabling the lock screen would leave the device vulnerable to unauthorized access. Additionally, FDE by itself doesn’t address the concern of separating personal and corporate data. Perform a factory reset on the phone before installing the company's applications: This would ensure a clean environment for corporate apps, but it would lead to the loss of all personal data on the phone, which is a significant concern for employees.
Therefore, configuring the MDM software to enforce the use of PINs to access the phone strikes a balance between securing company data and respecting employees’ concerns about their personal data.
The concept of connecting a user account across the systems of multiple enterprises is BEST known as:
a. federation.
b. a remote access policy.
c. multifactor authentication.
d. single sign-on.
a. federation.
Federation refers to the process of linking user identities and attributes across multiple identity management systems. It allows users to access multiple applications or services using a single set of credentials, which are often managed by their home organization. Federation enables seamless and secure access to resources across different domains or organizations without the need for users to have separate credentials for each system.
The other options provided are:
b. A remote access policy: Defines guidelines and rules for accessing a network or system remotely, typically focused on security and access control. c. Multifactor authentication: Refers to the use of multiple authentication factors (such as passwords and biometrics) to verify a user's identity. d. Single sign-on: Allows users to authenticate once and gain access to multiple applications or systems without re-entering credentials.
While single sign-on (SSO) is related to federation, federation specifically focuses on linking identities across different enterprises or domains, making a. federation the most appropriate answer in this context.
A user received an SMS on a mobile phone that asked for bank details. Which of the following social-engineering techniques was used in this case?
a. SPIM
b. Vishing
c. Spear phishing
d. Smishing
d. Smishing.
Explanation:
Smishing (SMS phishing) involves sending deceptive text messages to trick individuals into divulging sensitive information, clicking on malicious links, or downloading malicious attachments. In this scenario, the attacker used an SMS to impersonate a legitimate entity (such as a bank) to deceive the user into providing their bank details.
A company is working on mobile device security after a report revealed that users granted non-verified software access to corporate data. Which of the following is the MOST effective security control to mitigate this risk?
a. Block access to application stores
b. Implement OTA updates
c. Update the BYOD policy
d. Deploy a uniform firmware
c. Update the BYOD policy.
Explanation:
BYOD (Bring Your Own Device) policies govern how personal devices are used in the corporate environment, including access to corporate data and applications. Updating the BYOD policy to enforce stricter guidelines on software installation, verification, and access controls can help mitigate the risk of non-verified software accessing corporate data. This update can include requirements for using only approved applications or implementing mechanisms to prevent unauthorized software installation.
Let’s briefly review the other options:
Block access to application stores: This could prevent the installation of new apps, but it might be too restrictive and impractical, especially if users need access to certain legitimate apps for work purposes. It also does not address already installed non-verified software. Implement OTA (Over-The-Air) updates: While important for keeping devices secure with the latest patches and updates, OTA updates do not directly prevent users from installing or granting access to non-verified software. Deploy a uniform firmware: This would standardize the firmware across devices, potentially improving security, but it does not directly address the issue of users installing or granting access to non-verified software.
A security analyst needs to implement security features across smartphones, laptops, and tablets. Which of the following would be the MOST effective across heterogeneous platforms?
a. Enforcing encryption
b. Deploying GPOs
c. Removing administrative permissions
d. Applying MDM software
d. Applying MDM software.
Explanation:
MDM (Mobile Device Management) software provides a centralized solution to manage and secure mobile devices across different platforms, including smartphones, laptops, and tablets. MDM software allows the enforcement of security policies, application management, encryption, remote wipe capabilities, and compliance monitoring, making it the best choice for ensuring consistent security across heterogeneous devices.
Here’s a brief overview of why the other options are less suitable:
a. Enforcing encryption: While encryption is a critical security feature, it is only one aspect of device security. MDM software can enforce encryption policies along with other security settings. b. Deploying GPOs (Group Policy Objects): GPOs are primarily used in Windows environments. While they can manage Windows-based laptops and desktops, they are not effective for managing non-Windows devices like smartphones and tablets. c. Removing administrative permissions: Removing administrative permissions can enhance security, but it doesn't provide a comprehensive solution across different device types. MDM software can enforce this policy along with many other security configurations.