Sy06 Exam Braindumps 201-250 Flashcards

1
Q

Which of the following prevents an employee from seeing a colleague who is visiting an inappropriate website?

a. Job rotation policy
b. NDA
c. AUP
d. Separation of duties policy

A

c. AUP (Acceptable Use Policy)

Explanation:

Acceptable Use Policy (AUP): This policy outlines the acceptable and unacceptable use of an organization's IT resources. It sets clear guidelines for appropriate internet usage, which can include restrictions on accessing inappropriate websites. By enforcing an AUP, the organization can prevent employees from accessing inappropriate websites, thereby reducing the likelihood of others seeing such behavior.

Why not the others?

Job rotation policy: This policy involves rotating employees through different jobs to reduce the risk of fraud and improve skills and knowledge. It does not directly address internet usage or prevent the visibility of inappropriate website visits.
NDA (Non-Disclosure Agreement): An NDA is a legal contract that prevents individuals from disclosing confidential information. It does not govern or prevent internet usage behavior within an organization.
Separation of duties policy: This policy ensures that no single individual has control over all aspects of a critical process, reducing the risk of fraud or error. It does not directly prevent inappropriate internet usage or visibility of such behavior.

An Acceptable Use Policy is the most relevant and effective measure to prevent employees from accessing inappropriate websites, thereby reducing the chance of others observing such behavior.

2
Q

A user reports falling for a phishing email to an analyst. Which of the following system logs would the analyst check FIRST?

a. DNS
b. Message gateway
c. Network
d. Authentication

A

b. message gateway logs first.

Explanation:

Message Gateway Logs: These logs would provide information about incoming and outgoing emails, including details such as sender, recipient, subject, and attachments. They are crucial for identifying the phishing email itself, tracking its source, and potentially determining if similar emails were sent to other users.

Here’s why the other options are less likely the first choice:

DNS Logs: DNS logs primarily record DNS queries and responses, which are more useful for investigating domain resolution and network traffic patterns. They might not provide direct information about the phishing email content or delivery.

Network Logs: Network logs encompass a broad range of activities such as traffic flow, connections, and potentially malicious activities like command and control communications. While useful for broader network security investigations, they might not directly reveal details about the phishing email content.

Authentication Logs: Authentication logs track user login attempts and activities, which are important for investigating unauthorized access but are less relevant initially when dealing with a phishing incident where the focus is on the email and its handling.

Therefore, in the context of a user falling for a phishing email, checking the message gateway logs first would provide insights into the email’s characteristics, its delivery, and potentially aid in identifying further actions or communications related to the phishing incident.

3
Q

An attacker has determined the best way to impact operations is to infiltrate third-party software vendors. Which of the following vectors is being exploited?

a. Social media
b. Cloud
c. Supply chain
d. Social Engineering

A

c. supply chain.

Explanation:

Supply chain: This refers to the network of suppliers and vendors that provide goods and services to an organization. In the context of cybersecurity, supply chain attacks involve targeting third-party vendors or suppliers to gain unauthorized access to systems or data of the targeted organization. By compromising a vendor or supplier, attackers can infiltrate the organization's network through trusted relationships or software dependencies.

Here’s why the other options are not correct in this context:

Social media: While social media can be used in social engineering attacks to gather information or manipulate users, it's not directly related to infiltrating third-party software vendors unless specific social engineering tactics are used against individuals within those vendors.

Cloud: Cloud environments can be targeted in various ways, such as through misconfigurations or vulnerabilities, but this option doesn't directly address the tactic of infiltrating third-party vendors to impact operations.

Social engineering: While social engineering involves manipulating individuals to divulge confidential information, in this context, the focus is more on the organizational supply chain and not solely on manipulating individuals.

Therefore, the most appropriate answer in the given scenario where the attacker targets third-party software vendors to impact operations is supply chain.

4
Q

An organization would like to give remote workers the ability to use applications hosted inside the corporate network. Users will be allowed to use their personal computers, or they will be provided organization assets. Either way, no data or applications will be installed locally on any user systems. Which of the following mobile solutions would accomplish these goals?

a. VDI
b. MDM
c. COPE
d. UTM

A

a. VDI (Virtual Desktop Infrastructure).

Explanation:

VDI (Virtual Desktop Infrastructure): VDI allows users to access virtualized desktops hosted on servers within the corporate network. Users connect to these desktops remotely from their personal devices or organization-provided assets through a client application or web browser. Applications and data remain centralized within the corporate network, and users interact with them through the virtual desktop interface. This approach ensures that no data or applications are installed locally on user systems, enhancing security and control over corporate data.

Let’s briefly review the other options to understand why they are not the best fit:

MDM (Mobile Device Management): MDM is primarily used for managing and securing mobile devices (smartphones, tablets) that access corporate resources. It involves enforcing policies, configuring settings, and securing data on mobile devices. However, it doesn't provide a mechanism for accessing applications hosted inside the corporate network without installing them locally.

COPE (Corporate-Owned, Personally-Enabled): COPE refers to a model where organizations provide employees with devices that are both owned and managed by the organization but can be used for personal purposes to some extent. It doesn't directly address the requirement of accessing applications without local installation on personal devices.

UTM (Unified Threat Management): UTM refers to a comprehensive security solution that integrates multiple security features such as firewall, antivirus, intrusion detection/prevention, etc. It is not specifically related to providing remote access to applications without local installation.

Therefore, VDI is the most appropriate choice for allowing remote workers to use applications hosted inside the corporate network without installing data or applications locally on any user systems.

5
Q

Which of the following is used to ensure that evidence is admissible in legal proceedings when it is collected and provided to the authorities?

a. Chain of custody
b. Legal hold
c. Event log
d. Artifacts

A

a. Chain of custody

Chain of custody refers to the documentation and processes used to establish the chronological history of evidence, from the moment it is collected to its presentation in legal proceedings. It ensures that the integrity of the evidence is preserved, showing who had custody of the evidence at any given time and what actions were performed with it. This documentation is crucial for proving the authenticity and admissibility of evidence in court or other legal proceedings.

b. Legal hold: While important for preserving potentially relevant data from being altered or destroyed, a legal hold specifically refers to preserving data that may be subject to litigation or investigation, rather than ensuring the admissibility of evidence in legal proceedings.

c. Event log: Event logs record system events and activities, which can be useful for forensic analysis and detecting security incidents. However, event logs themselves are not sufficient to ensure the admissibility of evidence in legal proceedings; they provide a record of events but do not establish the chain of custody required for legal validity.

d. Artifacts: Artifacts in cybersecurity refer to residual data left on a system after an activity has occurred. While artifacts can be valuable in investigations, they do not inherently ensure the admissibility of evidence. They are pieces of information that may corroborate findings but are not documentation of the custody of evidence.

Therefore, chain of custody is the correct answer because it specifically addresses the process of documenting and maintaining the integrity of evidence from collection through to presentation in legal contexts, ensuring its admissibility and reliability in court.

6
Q

The Chief Information Security Officer (CISO) of a bank recently updated the incident response policy. The CISO is concerned that members of the incident response team do not understand their roles. The bank wants to test the policy but with the least amount of resources or impact. Which of the following BEST meets the requirements?

a. Warm site failover
b. Tabletop walk-through
c. Parallel path testing
d. Full outage simulation

A

b. Tabletop walk-through

Explanation:

Tabletop walk-through: This involves a simulated discussion of an incident scenario without actually executing any of the actions in the response plan. It allows team members to discuss their roles and responsibilities, evaluate the effectiveness of the policy, and identify any gaps or misunderstandings in a controlled environment. It requires minimal resources and does not disrupt normal operations.

The other options involve more significant resource allocation or potential disruption:

Warm site failover: This involves moving operations to a secondary site to simulate a disaster recovery scenario, which requires infrastructure and resources.

Parallel path testing: This tests redundant systems simultaneously to ensure they can handle workload if one path fails, which could impact production systems.

Full outage simulation: This simulates a complete outage scenario to test response and recovery procedures, which typically requires significant planning, resources, and disruption to normal operations.

Therefore, the tabletop walk-through is the most appropriate choice for testing the incident response policy in a low-impact manner while still achieving the goal of clarifying roles and responsibilities.

7
Q

Which of the following control types fixes a previously identified issue and mitigates a risk?

a. Detective
b. Corrective
c. Preventative
d. Finalized

A

b. Corrective

Explanation:

Corrective controls are designed to fix or remediate identified issues or vulnerabilities after they have been identified through monitoring or assessments. Their primary purpose is to mitigate risks by addressing the root cause of problems that have already been identified.

Let’s briefly differentiate it from the other options:

Detective controls (option a) are used to identify and detect deviations from established security policies, procedures, or controls. They do not directly fix issues but rather alert administrators or analysts to investigate and take corrective action.

Preventative controls (option c) are implemented to prevent or deter potential incidents or risks from occurring in the first place. They are proactive measures intended to reduce the likelihood or impact of security threats.

Finalized (option d) is not a recognized control type in the context of security controls.

Therefore, among the options provided, the control type that specifically addresses and mitigates identified risks by fixing underlying issues is corrective control (option b).

8
Q

An analyst is reviewing logs associated with an attack. The logs indicate an attacker downloaded a malicious file that was quarantined by the AV solution. The attacker utilized a local non-administrative account to restore the malicious file to a new location. The file was then used by another process to execute a payload.
Which of the following attacks did the analyst observe?

a. Privilege escalation
b. Request forgeries
c. Injection
d. Replay attack

A

Braindump: c. Injection

a. Privilege escalation

Explanation:

The attacker initially downloaded a malicious file, which was quarantined by the antivirus (AV) solution. This indicates the file was recognized as malicious, but the attacker managed to restore it.
The attacker then used a local non-administrative account to restore the file to a new location. This action suggests the attacker gained permissions or escalated privileges to bypass restrictions on executing the file.
Finally, the restored file was used by another process to execute a payload, leveraging the compromised privileges to carry out malicious actions.

In summary, this sequence of events describes an attack where the attacker escalated their privileges from a non-administrative account to restore and execute a malicious file, thereby achieving privilege escalation.

Injection: Injection attacks involve inserting malicious code or commands into a system or application. This usually targets vulnerabilities in input fields or parameters. The scenario described does not involve injecting code into the system but rather manipulating and executing a quarantined file with escalated privileges.

Request forgeries (CSRF): Cross-Site Request Forgery (CSRF) involves tricking a user into performing actions they did not intend to do, typically on another website where they are authenticated. This attack is not relevant here as the scenario describes actions within the local system, not across different web applications.

Replay attack: In a replay attack, an attacker intercepts and reuses valid data transmissions between parties. This scenario does not involve replaying intercepted data; instead, it focuses on downloading, restoring, and executing a quarantined malicious file with escalated privileges.

9
Q

A security engineer must deploy two wireless routers in an office suite. Other tenants in the office building should not be able to connect to this wireless network.
Which of the following protocols should the engineer implement to ensure the STRONGEST encryption?

a. WPS
b. WPA2
c. WAP
d. HTTPS

A

b. WPA2 (Wi-Fi Protected Access 2).

Explanation:

WPA2 (Wi-Fi Protected Access 2): This protocol provides strong encryption using the AES (Advanced Encryption Standard) algorithm, which is widely regarded as secure for protecting wireless networks. It offers better security than its predecessor, WPA, and should be used whenever possible to prevent unauthorized access and eavesdropping on wireless communications.

WPS (Wi-Fi Protected Setup): While WPS can simplify the process of connecting devices to a wireless network, it has known vulnerabilities and should generally be avoided or disabled if security is a primary concern.

WAP (Wireless Application Protocol): WAP is not an encryption protocol but rather a technical standard for accessing information over a wireless network. It is unrelated to securing wireless networks.

HTTPS (Hypertext Transfer Protocol Secure): HTTPS is a protocol used for secure communication over a computer network and is specifically designed for secure transmission of data over the internet, not for securing local wireless networks.

Therefore, WPA2 is the correct choice to ensure the strongest encryption and security for the wireless routers in the office suite, preventing unauthorized access from other tenants in the building.

10
Q

An attacker browses a company’s online job board attempting to find any relevant information regarding the technologies the company uses. Which of the following BEST describes this social engineering technique?

a. Hoax
b. Reconnaissance
c. Impersonation
d. Pretexting

A

b. Reconnaissance.

Explanation:

Reconnaissance in the context of social engineering involves gathering information about a target organization or individual. This phase is typically part of the initial stages of an attack where the attacker collects data to understand the target's technology infrastructure, processes, employee details, or any other relevant information that can aid in planning an attack.

In this scenario, browsing the company's online job board to gather information about the technologies they use falls under reconnaissance. This information can be valuable for crafting targeted attacks or exploiting vulnerabilities related to specific technologies employed by the company.

a. Hoax: A hoax is a deceptive act intended to trick or deceive individuals or organizations into believing something false. It typically involves spreading false information or rumors with the intention of causing confusion or disruption rather than gathering information.

c. Impersonation: Impersonation involves pretending to be someone else, usually a trusted entity or individual, to deceive others into divulging sensitive information, granting access, or performing actions they wouldn’t otherwise do.

d. Pretexting: Pretexting is a social engineering technique where an attacker creates a fabricated scenario or pretext to manipulate individuals into disclosing information or performing actions they wouldn’t typically do under normal circumstances.

In contrast to reconnaissance, which focuses on gathering information about the target, the other options involve different methods of social engineering that are used at different stages of an attack. Reconnaissance is foundational for understanding the target environment before launching more specific attacks or crafting convincing social engineering scenarios.

11
Q

During an incident response process involving a laptop, a host was identified as the entry point for malware. The management team would like to have the laptop restored and given back to the user. The cybersecurity analyst would like to continue investigating the intrusion on the host. Which of the following would allow the analyst to continue the investigation and also return the laptop to the user as soon as possible?

a. dd
b. memdump
c. tcpdump
d. head

A

a. dd

Here’s why:

dd: This command-line utility is used to create a bit-by-bit copy of an entire hard drive or a specific partition. By using dd, the cybersecurity analyst can create a full forensic image of the laptop's hard drive. This image can then be analyzed in detail without needing to keep the physical laptop. This allows the analyst to continue the investigation on the forensic image while the laptop is restored and returned to the user.

Let’s briefly review the other options:

memdump: This tool captures the contents of a computer's RAM. While useful for capturing volatile memory data, it does not provide a complete picture of the system's state and would not allow for a full investigation of the intrusion, especially if the analyst needs to examine files on the disk.

tcpdump: This tool captures network traffic. It is useful for network forensics but does not help in creating a copy of the laptop's hard drive for detailed analysis of the malware and its effects on the system.

head: This command is used to display the first few lines of a file. It is not relevant for creating forensic images or for detailed investigations.

Therefore, dd is the best option as it allows the analyst to create a complete forensic image of the laptop’s hard drive, enabling a thorough investigation while the laptop is restored and returned to the user.

12
Q

An analyst is trying to identify insecure services that are running on the internal network. After performing a port scan, the analyst identifies that a server has some insecure services enabled on default ports. Which of the following BEST describes the services that are currently running and the secure alternatives for replacing them? (Choose three.)

a. SFTP, FTPS
b. SNMPv2, SNMPv3
c. HTTP, HTTPS
d. TFTP, FTP
e. SNMPv1, SNMPv2
f. Telnet, SSH
g. TLS, SSL
h. POP, IMAP
i. Login, rlogin

A

b. SNMPv2, SNMPv3
c. HTTP, HTTPS
f. Telnet, SSH

Telnet, SSH:

Current: Telnet (port 23)
Secure Alternative: SSH (port 22)
Reason: Telnet sends data in clear text, while SSH encrypts the communication, providing confidentiality and integrity.

HTTP, HTTPS:

Current: HTTP (port 80)
Secure Alternative: HTTPS (port 443)
Reason: HTTPS uses SSL/TLS to encrypt HTTP traffic, protecting data from interception and tampering.

SNMPv1, SNMPv2, SNMPv3:

Current: SNMPv1 (port 161), SNMPv2 (port 161), SNMPv3 (port 161)
Secure Alternative: SNMPv3 (or SNMPv2c with strong community string management)
Reason: SNMPv3 provides encryption and authentication, addressing vulnerabilities present in SNMPv1 and SNMPv2.
13
Q

A security analyst needs to produce a document that details how a security incident occurred, the steps that were taken for recovery, and how future incidents can be avoided. During which of the following stages of the response process will this activity take place?

a. Recovery
b. Identification
c. Lessons learned
d. Preparation

A

c. Lessons learned

During the Lessons learned stage, the security team and stakeholders analyze the incident response process. They document the incident timeline, actions taken, outcomes, and identify areas for improvement to prevent similar incidents in the future. This documentation helps enhance incident response procedures, update policies, and improve security posture based on the lessons derived from the incident.

14
Q

An administrator is configuring a firewall rule set for a subnet to only access DHCP, web pages, and SFTP, and to specifically block FTP. Which of the following would BEST accomplish this goal?

a. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 67
Allow: Any Any 68
Allow: Any Any 22
Deny: Any Any 21
Deny: Any Any

b. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 67
Allow: Any Any 68
Deny: Any Any 22
Allow: Any Any 21
Deny: Any Any

c. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 22
Deny: Any Any 67
Deny: Any Any 68
Deny: Any Any 21
Allow: Any Any

d. [Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Deny: Any Any 67
Allow: Any Any 68
Allow: Any Any 22
Allow: Any Any 21
Allow: Any Any

A

a.

[Permission Source Destination Port]
Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 67
Allow: Any Any 68
Deny: Any Any 22
Deny: Any Any 21
Deny: Any Any

Explanation:

Allow: Any Any 80: Allows access to web pages (HTTP).
Allow: Any Any 443: Allows access to web pages over HTTPS.
Allow: Any Any 67: Allows DHCP traffic (both UDP port 67 for server and 68 for client).
Allow: Any Any 68: Allows DHCP traffic (both UDP port 67 for server and 68 for client).
Deny: Any Any 22: Blocks SSH traffic, which is not listed as a permitted service.
Deny: Any Any 21: Specifically denies FTP traffic.
Deny: Any Any: Denies all other traffic implicitly that is not explicitly allowed.

This rule set ensures that only DHCP, web pages, and SFTP traffic is allowed, and FTP traffic is specifically blocked. Therefore, option b is the best choice to accomplish the stated goal.

15
Q

While investigating a recent security incident, a security analyst decides to view all network connections on a particular server. Which of the following would provide the desired information?

a. arp
b. nslookup
c. netstat
d. nmap

A

c. netstat

Explanation:

netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, interface statistics, masquerade connections, and multicast memberships.
By running netstat on a server, a security analyst can view active connections, listening ports, and related network details, which are crucial for investigating network activity during a security incident.

arp: The arp command (Address Resolution Protocol) displays and modifies entries in the Address Resolution Protocol (ARP) cache, which maps IP addresses to MAC addresses on a local network.

nslookup: The nslookup command is used to query DNS servers to obtain DNS-related information such as IP addresses corresponding to hostnames or vice versa.

nmap: The nmap command (Network Mapper) is a powerful network scanning tool used to discover hosts and services on a computer network, thus providing detailed information about the network.

While all these tools are useful in different scenarios for network investigations or troubleshooting, when specifically needing to view all network connections on a server, netstat is typically the tool of choice because it directly shows active connections and related network details on the local machine.

16
Q

A company recently decided to allow its employees to use their personally owned devices for tasks like checking email and messaging via mobile applications. The company would like to use MDM, but employees are concerned about the loss of personal data. Which of the following should the IT department implement to BEST protect the company against company data loss while still addressing the employees’ concerns?

a. Enable the remote-wiping option in the MDM software in case the phone is stolen.
b. Configure the MDM software to enforce the use of PINs to access the phone.
c. Configure MDM for FDE without enabling the lock screen.
d. Perform a factory reset on the phone before installing the company’s applications.

A

b. Configure the MDM software to enforce the use of PINs to access the phone.

Here’s why:

Enforcing PINs to access the phone: This measure ensures that the device is secured with a PIN, preventing unauthorized access to both personal and company data if the phone is lost or stolen. It addresses the security requirement without intruding into personal data or creating concerns about personal data loss.

Let’s briefly review the other options:

Enable the remote-wiping option in the MDM software in case the phone is stolen: While this is a strong security measure for protecting company data, it could lead to personal data loss, which is a primary concern for employees.

Configure MDM for FDE without enabling the lock screen: Full Disk Encryption (FDE) is a good security practice, but not enabling the lock screen would leave the device vulnerable to unauthorized access. Additionally, FDE by itself doesn’t address the concern of separating personal and corporate data.

Perform a factory reset on the phone before installing the company's applications: This would ensure a clean environment for corporate apps, but it would lead to the loss of all personal data on the phone, which is a significant concern for employees.

Therefore, configuring the MDM software to enforce the use of PINs to access the phone strikes a balance between securing company data and respecting employees’ concerns about their personal data.

17
Q

The concept of connecting a user account across the systems of multiple enterprises is BEST known as:

a. federation.
b. a remote access policy.
c. multifactor authentication.
d. single sign-on.

A

a. federation.

Federation refers to the process of linking user identities and attributes across multiple identity management systems. It allows users to access multiple applications or services using a single set of credentials, which are often managed by their home organization. Federation enables seamless and secure access to resources across different domains or organizations without the need for users to have separate credentials for each system.

The other options provided are:

b. A remote access policy: Defines guidelines and rules for accessing a network or system remotely, typically focused on security and access control.

c. Multifactor authentication: Refers to the use of multiple authentication factors (such as passwords and biometrics) to verify a user's identity.

d. Single sign-on: Allows users to authenticate once and gain access to multiple applications or systems without re-entering credentials.

While single sign-on (SSO) is related to federation, federation specifically focuses on linking identities across different enterprises or domains, making a. federation the most appropriate answer in this context.

18
Q

A user received an SMS on a mobile phone that asked for bank details. Which of the following social-engineering techniques was used in this case?

a. SPIM
b. Vishing
c. Spear phishing
d. Smishing

A

d. Smishing.

Explanation:

Smishing (SMS phishing) involves sending deceptive text messages to trick individuals into divulging sensitive information, clicking on malicious links, or downloading malicious attachments. In this scenario, the attacker used an SMS to impersonate a legitimate entity (such as a bank) to deceive the user into providing their bank details.
19
Q

A company is working on mobile device security after a report revealed that users granted non-verified software access to corporate data. Which of the following is the MOST effective security control to mitigate this risk?

a. Block access to application stores
b. Implement OTA updates
c. Update the BYOD policy
d. Deploy a uniform firmware

A

c. Update the BYOD policy.

Explanation:

BYOD (Bring Your Own Device) policies govern how personal devices are used in the corporate environment, including access to corporate data and applications. Updating the BYOD policy to enforce stricter guidelines on software installation, verification, and access controls can help mitigate the risk of non-verified software accessing corporate data. This update can include requirements for using only approved applications or implementing mechanisms to prevent unauthorized software installation.

Let’s briefly review the other options:

Block access to application stores: This could prevent the installation of new apps, but it might be too restrictive and impractical, especially if users need access to certain legitimate apps for work purposes. It also does not address already installed non-verified software.

Implement OTA (Over-The-Air) updates: While important for keeping devices secure with the latest patches and updates, OTA updates do not directly prevent users from installing or granting access to non-verified software.

Deploy a uniform firmware: This would standardize the firmware across devices, potentially improving security, but it does not directly address the issue of users installing or granting access to non-verified software.
20
Q

A security analyst needs to implement security features across smartphones, laptops, and tablets. Which of the following would be the MOST effective across heterogeneous platforms?

a. Enforcing encryption
b. Deploying GPOs
c. Removing administrative permissions
d. Applying MDM software

A

d. Applying MDM software.

Explanation:

MDM (Mobile Device Management) software provides a centralized solution to manage and secure mobile devices across different platforms, including smartphones, laptops, and tablets. MDM software allows the enforcement of security policies, application management, encryption, remote wipe capabilities, and compliance monitoring, making it the best choice for ensuring consistent security across heterogeneous devices.

Here’s a brief overview of why the other options are less suitable:

a. Enforcing encryption: While encryption is a critical security feature, it is only one aspect of device security. MDM software can enforce encryption policies along with other security settings.

b. Deploying GPOs (Group Policy Objects): GPOs are primarily used in Windows environments. While they can manage Windows-based laptops and desktops, they are not effective for managing non-Windows devices like smartphones and tablets.

c. Removing administrative permissions: Removing administrative permissions can enhance security, but it doesn't provide a comprehensive solution across different device types. MDM software can enforce this policy along with many other security configurations.
21
Q

The new Chief Information Security Officer at a company has asked the security team to implement stronger user account policies. The new policies require:

-Users to choose a password unique to their last ten passwords
-Users to not log in from certain high-risk countries

Which of the following should the security team implement? (Choose two.)

a. Password complexity
b. Password history
c. Geolocation
d. Geofencing
e. Geotagging
f. Password reuse

A

b. Password history
d. Geofencing

(Braindump: b. Password history c. Geolocation)

Here’s why:

Password history: This policy ensures that users cannot reuse their last ten passwords, thereby enforcing the requirement for a unique password.

Geofencing: This security control restricts or allows access based on the user's geographic location. By implementing geofencing, the company can prevent logins from high-risk countries, as required by the new policies.

Let’s briefly review the other options:

Password complexity: While important for ensuring strong passwords, this does not address the specific requirement of preventing the reuse of the last ten passwords.

Geolocation: This involves determining the physical location of a user or device, which is useful but does not actively prevent logins from high-risk countries on its own.

Geotagging: This is the process of adding location data to digital content. It is not relevant to restricting logins based on location.

Password reuse: This term is related to the concept of password history but is not the actual policy or control used to enforce it.

Therefore, implementing password history and geofencing will effectively meet the new policies set by the Chief Information Security Officer.

22
Q

Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors?

a. SSAE SOC 2
b. PCI DSS
c. GDPR
d. ISO 31000

A

(Community : C 59%, A 41%)
Taken from Mike Meyers Security + 601 Cert Guide (pg 51):
“The GDPR in the European Union outlines in great detail how organizations should deal with private information… Many countries have subsequently adopted similar regulations, so naturally, many multinational corporations comply with those regulations throughout their organization. The DATA CONTROLLER controls the data, which sounds silly, but means the person must ensure that data complies with the protections of PII thoroughly, according to the regulations in the GDPR.”

c. GDPR (General Data Protection Regulation)

The GDPR (General Data Protection Regulation) is a comprehensive data protection law in the European Union that outlines the roles and responsibilities of data controllers and data processors. It specifies requirements for how personal data should be processed, including the obligations and responsibilities of these entities in handling personal data. Therefore, GDPR is the regulation that is most likely to detail the roles and responsibilities of data controllers and data processors.

a. SSAE SOC 2 (Statement on Standards for Attestation Engagements No. 2): This is an auditing standard that focuses on controls relevant to the security, availability, processing integrity, confidentiality, and privacy of data processed by service providers.

b. PCI DSS (Payment Card Industry Data Security Standard): This standard applies to organizations that handle cardholder information for major debit, credit, prepaid, ATM, and POS cards. It focuses specifically on securing cardholder data to prevent fraud.

d. ISO 31000: This is an international standard for risk management that provides guidelines and principles for managing risks effectively in any organization.

Among these options, only GDPR specifically addresses the roles and responsibilities of data controllers and data processors within the context of personal data protection. Therefore, while the other standards and regulations focus on different aspects of security and risk management, GDPR is the most relevant to outline the roles and responsibilities of data controllers and processors.

23
Q

Which of the following is MOST likely to contain ranked and ordered information on the likelihood and potential impact of catastrophic events that may affect business processes and systems, while also highlighting the residual risks that need to be managed after mitigating controls have been implemented?

a. An RTO report
b. A risk register
c. A business impact analysis
d. An asset value register
e. A disaster recovery plan

A

(Community : B 93%)
b. A risk register

Here’s why:

Risk Register: A risk register typically contains ranked and ordered information on various risks that may affect business processes and systems. It includes details on the likelihood and potential impact of these risks. After mitigating controls have been implemented, the risk register also highlights residual risks that need to be managed.

Let’s briefly review the other options for clarity:

RTO Report (Recovery Time Objective): This report focuses on the maximum acceptable downtime for recovering specific IT systems, applications, or business processes after a disruption.

Business Impact Analysis (BIA): A BIA assesses the potential impact of disruptions to critical business operations and identifies recovery priorities.

Asset Value Register: This typically lists the financial value and other attributes of organizational assets.

Disaster Recovery Plan: This plan outlines procedures for recovering and restoring IT systems and data in the event of a disaster.
24
Q

A worldwide manufacturing company has been experiencing email account compromises. In one incident, a user logged in from the corporate office in France, but then seconds later, the same user account attempted a login from Brazil. Which of the following account policies would BEST prevent this type of attack?

a. Network location
b. Impossible travel time
c. Geolocation
d. Geofencing

A

b. Impossible travel time

Here’s why:

Impossible travel time: This policy detects and blocks login attempts that occur within an implausibly short time frame between two geographically distant locations. It assumes that the user cannot physically travel between these locations in such a short period. This policy helps prevent unauthorized access attempts that indicate account compromise or fraudulent activity, such as in the described scenario where a user logs in from France and then attempts a login from Brazil within seconds.

Let’s briefly review the other options for clarity:

Network location: This policy restricts access based on the network or IP address from which the login attempt originates. It may not be effective in preventing simultaneous logins from geographically distant locations if the IP addresses are within the allowed network range.

Geolocation: This policy allows or denies access based on the geographic location of the login attempt. While related, it may not detect or prevent rapid login attempts from different global locations within a short time.

Geofencing: This policy sets geographical boundaries within which a user is allowed to access certain resources or services. It doesn't directly prevent rapid and implausible travel between geographically distant locations in a short time frame.

Therefore, impossible travel time is the most suitable account policy to address and prevent the type of attack where a user account is compromised and login attempts are made from widely separated locations within an unreasonably short period.

25
Q

A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no patches are currently available to resolve the issue. The security administrator is concerned that servers in the company’s DMZ will be vulnerable to external attack; however, the administrator cannot disable the service on the servers, as SMB is used by a number of internal systems and applications on the LAN. Which of the following TCP ports should be blocked for all external inbound connections to the DMZ as a workaround to protect the servers? (Choose two.)

a. 135
b. 139
c. 143
d. 161
e. 443
f. 445

A

b. 139
f. 445

Port 139: This port is used for NetBIOS Session Service, which includes SMB over NetBIOS. Blocking this port helps mitigate external SMB-related attacks.

Port 445: This port is used for SMB over TCP. Blocking this port helps prevent external access to SMB services, which mitigates the risk of exploitation through the SMB vulnerability.

26
Q

A recent phishing campaign resulted in several compromised user accounts. The security incident response team has been tasked with reducing the manual labor of filtering through all the phishing emails as they arrive and blocking the sender’s email address, along with other time-consuming mitigation actions. Which of the following can be configured to streamline those tasks?

a. SOAR playbook
b. MDM policy
c. Firewall rules
d. URL filter
e. SIEM data collection

A

a. SOAR playbook (Security Orchestration, Automation, and Response)

SOAR platforms are designed to automate and orchestrate security operations tasks, including incident response actions like filtering and blocking emails based on predefined rules and playbooks. Here’s how a SOAR playbook can help:

Automated Response Actions: SOAR playbooks can be configured to automatically detect phishing indicators, such as suspicious email patterns or URLs, and then take predefined actions like blocking sender addresses, quarantining emails, or alerting the security team.

Integration with Email Systems: They can integrate with email security solutions or mail servers to perform these actions swiftly and effectively.

Reduction in Manual Effort: By automating these tasks, SOAR reduces the need for manual intervention, thereby saving time and improving response efficiency.
27
Q

A user reports constant lag and performance issues with the wireless network when working at a local coffee shop. A security analyst walks the user through an installation of Wireshark and gets a five-minute pcap to analyze. The analyst observes the following output:

No.   Time       Source             Destination  Protocol  Length  Info
1234  9.1195665  Sagemcom_87:9f:a3  Broadcast    802.11    38      Deauthentication, SN=655, FN=0
1235  9.1265649  Sagemcom_87:9f:a3  Broadcast    802.11    39      Deauthentication, SN=655, FN=0
1236  9.2223212  Sagemcom_87:9f:a3  Broadcast    802.11    38      Deauthentication, SN=655, FN=0

Which of the following attacks does the analyst MOST likely see in this packet capture?

a. Session replay
b. Evil twin
c. Bluejacking
d. ARP poisoning

A

b. Evil twin

The activity observed in the Wireshark capture, specifically deauthentication frames causing performance issues, aligns most closely with an evil twin attack.

a. Session replay: Involves capturing and replaying legitimate session data to impersonate a user.
b. Evil twin: Involves setting up a rogue wireless access point with the same SSID as a legitimate one to trick users into connecting to it.
c. Bluejacking: Involves sending unsolicited messages to Bluetooth-enabled devices.
d. ARP poisoning: Involves manipulating ARP (Address Resolution Protocol) cache to associate a different MAC address with an IP address.

28
Q

A security analyst is reviewing the following output from a system:

TCP 192.168.10.10.80 192.168.1.2:60101 TIME_WAIT
TCP 192.168.10.10.80 192.168.1.2:60102 TIME_WAIT
TCP 192.168.10.10.80 192.168.1.2:60103 TIME_WAIT
TCP 192.168.10.10.80 192.168.1.2:60104 TIME_WAIT
TCP 192.168.10.10.80 192.168.1.2:60105 TIME_WAIT
TCP 192.168.10.10.80 192.168.1.2:60106 TIME_WAIT
TCP 192.168.10.10.80 192.168.1.2:60107 TIME_WAIT
TCP 192.168.10.10.80 192.168.1.2:60108 TIME_WAIT
TCP 192.168.10.10.80 192.168.1.2:60109 TIME_WAIT
TCP 192.168.10.10.80 192.168.1.2:60110 TIME_WAIT

Which of the following is MOST likely being observed?

a. ARP poisoning
b. Man in the middle
c. Denial of service
d. DNS poisoning

A

c. Denial of service

The output provided shows multiple TCP connections in the TIME_WAIT state between the IP address 192.168.10.10 on port 80 and the IP address 192.168.1.2 on sequentially increasing ports (60101 to 60110). This pattern is characteristic of a denial of service (DoS) attack where an attacker floods the target system with numerous connection requests, exhausting resources and causing legitimate clients to be unable to connect.

Let’s break down the options:

a. ARP poisoning: This involves manipulating ARP tables to redirect traffic, typically not related to the TCP TIME_WAIT state observed here.

b. Man in the middle: Involves intercepting communications between two parties, which would not typically result in numerous connections in TIME_WAIT state.

c. Denial of service: This matches the observed behavior, where multiple connections are initiated but not fully established due to the overwhelming number of requests.

d. DNS poisoning: Involves corrupting the DNS resolution process to redirect traffic, not directly related to the TCP connections in TIME_WAIT state.

Given the description of numerous TCP connections in TIME_WAIT state from the same source IP on incrementing ports, the most likely scenario being observed is a denial of service (DoS) attack.

29
Q

Which of the following concepts BEST describes tracking and documenting changes to software and managing access to files and systems?

a. Version control
b. Continuous monitoring
c. Stored procedures
d. Automation

A

a. Version control

Version control systems (VCS) are designed to track changes to files over time, allowing developers (and administrators) to manage and collaborate on projects effectively. It provides mechanisms to:

Track modifications made to files, including who made the changes and when.
Restore previous versions of files if necessary.
Manage access control to ensure that only authorized individuals can make changes.

Continuous monitoring (option b) focuses more on real-time monitoring of systems and applications for security and performance issues rather than managing changes and access control.

Stored procedures (option c) are database-specific and refer to predefined sets of SQL statements stored in the database catalog. They are not directly related to managing changes to software or access to files and systems.

Automation (option d) involves using scripts or tools to perform tasks automatically, which can include version control operations but is broader in scope than just tracking changes and managing access.

30
Q

A penetration tester is brought on site to conduct a full attack simulation at a hospital. The penetration tester notices a WAP that is hanging from the drop ceiling by its cabling and is reachable. Which of the following recommendations would the penetration tester MOST likely make given this observation?

a. Employ a general contractor to replace the drop-ceiling tiles.
b. Place the network cabling inside a secure conduit.
c. Secure the access point and cabling inside the drop ceiling.
d. Utilize only access points that have internal antennas.

A

c. Secure the access point and cabling inside the drop ceiling.

Explanation:

Securing the access point and cabling inside the drop ceiling would involve properly mounting and securing the WAP and its associated cabling within the drop ceiling to prevent physical access by unauthorized individuals.
Hanging WAPs can be easily tampered with or accessed, potentially allowing an attacker to gain physical access to the device, compromise it, or tamper with network traffic.
This recommendation ensures that the WAP is not only functioning securely but also physically protected from tampering or unauthorized access.

The other options do not directly address the immediate security concern of the WAP being physically vulnerable:

Option a (Employ a general contractor to replace the drop-ceiling tiles) is unrelated to securing the WAP.
Option b (Place the network cabling inside a secure conduit) addresses cable management but not the physical security of the WAP itself.
Option d (Utilize only access points that have internal antennas) focuses on antenna types rather than physical security.
31
Q

Which of the following techniques eliminates the use of rainbow tables for password cracking?

a. Hashing
b. Tokenization
c. Asymmetric encryption
d. Salting

A

d. Salting

Explanation:

Salting involves adding a unique, random string of characters (the salt) to each password before hashing it. This ensures that even if two users have the same password, their hashed passwords will be different due to the unique salts.
Rainbow tables are precomputed tables used to crack hashed passwords efficiently. They map hashed passwords to their plaintext equivalents. However, if salts are used, each password hash will be unique, even if the passwords are the same, thereby thwarting the use of rainbow tables.
Hashing (option a) itself does not prevent the use of rainbow tables unless combined with salting.
Tokenization (option b) and asymmetric encryption (option c) are not directly related to preventing rainbow table attacks on password hashes.
32
Q

During a security assessment, a security analyst finds a file with overly permissive permissions. Which of the following tools will allow the analyst to reduce the permissions for the existing users and groups and remove the set-user-ID bit from the file?

a. ls
b. chflags
c. chmod
d. lsof
e. setuid

A

c. chmod

Explanation:

chmod (change mode) is a command-line utility in Unix and Unix-like operating systems that allows users to change the permissions (read, write, execute) of files and directories.
It can be used to modify permissions for existing users and groups on a file.
Additionally, chmod can remove the set-user-ID (setuid) bit from a file if necessary, which is a security measure to prevent potential privilege escalation attacks.
The other options:
    ls (option a) is used to list directory contents.
    chflags (option b) is used to change file flags on BSD and macOS systems, not directly related to standard Unix file permissions.
    lsof (option d) lists open files and is used for displaying information about files opened by processes.
    setuid (option e) refers to the set-user-ID bit, which can be set or removed using chmod.
33
Q

A network administrator is concerned about users being exposed to malicious content when accessing company cloud applications. The administrator wants to be able to block access to sites based on the AUP. The users must also be protected because many of them work from home or at remote locations, providing on-site customer support. Which of the following should the administrator employ to meet these criteria?

a. Implement NAC.
b. Implement an SWG.
c. Implement a URL filter.
d. Implement an MDM.

A

(Community : B 93%)

b. Implement an SWG (Secure Web Gateway).

Here’s why:

SWG (Secure Web Gateway): This solution provides comprehensive web security through functionalities such as URL filtering, content inspection, malware detection, and application controls. It allows administrators to enforce policies that block access to websites based on categories (including malicious sites and those violating the AUP). SWGs can also offer protection regardless of the user's location, whether they are working from home or remotely accessing company resources.

NAC (Network Access Control): NAC is primarily used to control access to the network based on the endpoint's compliance with security policies. While it can restrict network access, it does not typically provide the granular web filtering and content inspection capabilities needed to block specific websites based on AUP or protect against malicious content directly.

URL filter: A URL filter is part of an SWG and can be a component of other security solutions, but alone it does not provide the comprehensive security features of an SWG, such as deep content inspection and malware protection.

MDM (Mobile Device Management): MDM focuses on managing and securing mobile devices, ensuring compliance with security policies, and enabling remote management of device configurations and applications. It does not directly address web security or enforce web access policies.
34
Q

A website developer is working on a new e-commerce website and has asked an information security expert for the most appropriate way to store credit card numbers to create an easy reordering process. Which of the following methods would BEST accomplish this goal?

a. Salting the magnetic strip information
b. Encrypting the credit card information in transit
c. Hashing the credit card numbers upon entry
d. Tokenizing the credit cards in the database

A

d. Tokenizing the credit cards in the database.

Here’s why tokenization is the preferred approach:

Tokenization: This method replaces sensitive credit card information with a unique identifier (token) that has no exploitable value. The actual credit card data is securely stored in a separate, PCI-compliant vault maintained by a payment processor or gateway. This way, even if the database is compromised, the tokens cannot be reverse-engineered to obtain credit card details.

Salting the magnetic strip information: Salting is a technique used in hashing to add randomness to data before hashing, primarily to prevent dictionary and rainbow table attacks. It's not typically used for credit card information storage because hashing alone doesn't provide the flexibility needed for reordering processes.

Encrypting the credit card information in transit: Encrypting data in transit (using protocols like TLS/SSL) is crucial for securing data while it moves between the user’s browser and the web server. However, it doesn’t directly address the storage of credit card information in the database for reordering purposes.

Hashing the credit card numbers upon entry: Hashing transforms data into a fixed-size string of characters, making it impractical to reverse the process to obtain the original data. However, hashing alone is irreversible, making it unsuitable for storing data that needs to be retrieved or reused (such as for reordering).
35
Q

Which of the following supplies non-repudiation during a forensics investigation?

a. Dumping volatile memory contents first
b. Duplicating a drive with dd
c. Using a SHA-2 signature of a drive image
d. Logging everyone in contact with evidence
e. Encrypting sensitive data

A

c. Using a SHA-2 signature of a drive image

Here’s why:

Using a SHA-2 signature of a drive image: Non-repudiation ensures that the authenticity of a digital artifact can be proven and that it has not been altered since it was captured. By generating a SHA-2 hash (or any cryptographic hash) of a drive image, you create a unique digital fingerprint of the data at a specific point in time. If the hash of the image matches the hash taken later, it proves that the drive image has not been altered, providing non-repudiation.

Let’s briefly review the other options:

Dumping volatile memory contents first: This is a good practice for capturing ephemeral data that would be lost if the system were powered down, but it does not provide non-repudiation.

Duplicating a drive with dd: While this is a method of creating a forensic copy of a drive, it does not, by itself, provide non-repudiation. Non-repudiation is about proving that the data has not been altered after duplication.

Logging everyone in contact with evidence: This is part of maintaining the chain of custody, which helps ensure the integrity and accountability of the handling of evidence, but it does not provide non-repudiation by itself.

Encrypting sensitive data: Encryption protects the confidentiality and integrity of data but does not provide non-repudiation unless combined with a method to verify that the data has not been altered, such as hashing.

Therefore, using a SHA-2 signature of a drive image is the best method for providing non-repudiation during a forensics investigation.

36
Q

A security analyst is tasked with classifying data to be stored on company servers. Which of the following should be classified as proprietary?

a. Customers’ dates of birth
b. Customers’ email addresses
c. Marketing strategies
d. Employee salaries

A

c. Marketing strategies would be classified as proprietary because they involve confidential plans and tactics that provide a competitive edge to the company.

While the other options involve sensitive information, they are generally classified differently based on their sensitivity and potential impact, but not necessarily as proprietary unless specified otherwise by the company’s policies and practices.

a. Customers’ dates of birth: This information is sensitive and could potentially be used for identity theft or other malicious activities. While it’s sensitive, it’s not typically classified as proprietary unless the company explicitly treats it as such for business reasons.

b. Customers’ email addresses: Email addresses are usually considered personal information and are not typically classified as proprietary unless there are specific business reasons to do so.

c. Marketing strategies: Marketing strategies often involve confidential plans and tactics that provide a competitive advantage. Such information is usually classified as proprietary because it directly affects the company’s competitive position.

d. Employee salaries: Employee salaries are sensitive information and are generally classified as confidential rather than proprietary. However, in some cases where salary structures or compensation strategies are proprietary to the company, this information might be classified as proprietary.

37
Q

Which of the following holds staff accountable while escorting unauthorized personnel?

a. Locks
b. Badges
c. Cameras
d. Visitor logs

A

d. Visitor logs

Here’s why:

Visitor logs: These logs record the details of visitors, including the time of entry, time of exit, the purpose of the visit, and the name of the escorting staff member. By maintaining accurate visitor logs, the organization can track who is responsible for escorting each visitor and hold staff accountable if there are any issues or security breaches involving unauthorized personnel.

Let’s briefly review the other options:

Locks: Locks are physical security controls that restrict access to certain areas. While they are important for securing spaces, they do not hold staff accountable for escorting visitors.

Badges: Badges can identify authorized personnel and visitors, but they do not directly track or hold staff accountable for escorting unauthorized personnel.

Cameras: Cameras can provide visual surveillance and record the movements of people within a facility. While they can be used to review incidents and identify who was involved, they do not inherently hold staff accountable without additional processes in place to review and act on the footage.

Therefore, visitor logs are the most effective means of holding staff accountable for escorting unauthorized personnel.

38
Q

An organization’s Chief Security Officer (CSO) wants to validate the business’s involvement in the incident response plan to ensure its validity and thoroughness. Which of the following will the CSO MOST likely use?

a. An external security assessment
b. A bug bounty program
c. A tabletop exercise
d. A red-team engagement

A

(Community : C 68%, A 27%)
The reason why option A (an external security assessment) is not the most likely choice for the CSO to validate the business’s involvement in the incident response plan is because an external security assessment focuses on evaluating the overall security posture of an organization, rather than specifically validating the incident response plan.

A tabletop exercise (C) is specifically designed to test and validate the incident response plan. It allows participants to simulate and discuss their responses to various emergency scenarios, ensuring that the plan is comprehensive and that all stakeholders understand their roles and responsibilities.

It’s important to note that while an external security assessment can provide valuable insights into an organization’s security posture, it may not be the most suitable method for validating the incident response plan in this specific scenario.

c. A tabletop exercise

a. An external security assessment: This involves hiring an outside firm to evaluate the organization’s security posture, which can include policies, procedures, and technical controls. While valuable, it does not specifically focus on validating business involvement in the incident response plan.

b. A bug bounty program: This program incentivizes external researchers to find and report vulnerabilities in the organization’s systems. Although it can improve overall security, it does not directly address the business’s involvement in incident response.

c. A tabletop exercise: This is a discussion-based exercise where key stakeholders from the business, including IT and security teams, simulate a security incident scenario. Participants discuss their roles, responsibilities, and actions in response to the scenario, which helps validate and refine the incident response plan. This option directly involves business stakeholders and assesses the thoroughness of their engagement.

d. A red-team engagement: This involves a team of ethical hackers simulating real-world attacks to test the organization’s security defenses. While it provides valuable insights into security weaknesses, it focuses more on technical defenses and less on validating the business’s involvement in incident response.

Conclusion:

c. A tabletop exercise is the most appropriate choice for the CSO to validate the business’s involvement in the incident response plan. It provides a controlled environment where all relevant parties can actively participate, ensuring the plan’s validity and thoroughness are assessed comprehensively.

39
Q

Which of the following documents provides guidance regarding the recommended deployment of network security systems from the manufacturer?

a. Cloud control matrix
b. Reference architecture
c. NIST RMF
d. CIS Top 20

A

b. Reference architecture

a. Cloud control matrix: This is a framework provided by the Cloud Security Alliance (CSA) that helps organizations assess the risk associated with cloud computing providers. It focuses on cloud security controls rather than specific deployment guidance for network security systems from manufacturers.

b. Reference architecture: This document provides a standardized blueprint or template for the deployment of technology solutions, including network security systems. It often includes best practices and recommendations from the manufacturer on how to deploy and integrate their products within an organization’s infrastructure.

c. NIST RMF (Risk Management Framework): This framework, provided by the National Institute of Standards and Technology (NIST), focuses on managing and mitigating risks in information systems. While it provides guidelines for risk management and security controls, it does not specifically offer deployment guidance for network security systems from manufacturers.

d. CIS Top 20: The Center for Internet Security (CIS) Top 20 Controls are a set of best practices and guidelines for securing an organization’s IT systems and data. They focus on various aspects of cybersecurity but do not provide specific deployment guidance for network security systems from manufacturers.

Conclusion:

b. Reference architecture is the document that provides guidance regarding the recommended deployment of network security systems from the manufacturer. It includes best practices, templates, and recommendations for implementing these systems effectively within an organization’s infrastructure.

40
Q

During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release a patch within the next quarter. Which of the following BEST describes this type of vulnerability?

a. Legacy operating system
b. Weak configuration
c. Zero day
d. Supply chain

A

c. Zero day

A zero-day vulnerability is a security flaw that is unknown to the software vendor and, consequently, has no available patch or fix at the time of discovery. It is called “zero day” because the developers have had zero days to address and mitigate the issue.

41
Q

Which of the following is a targeted attack aimed at compromising users within a specific industry or group?

a. Watering hole
b. Typosquatting
c. Hoax
d. Impersonation

A

a. Watering hole

A watering hole attack is a targeted attack aimed at compromising users within a specific industry or group. In this type of attack, the attacker identifies websites that are frequently visited by members of the targeted group and then compromises those sites with malware. When the target users visit the compromised site, their systems become infected, allowing the attacker to gain access to their networks and information.

b. Typosquatting: This attack involves registering domain names that are similar to legitimate websites, relying on users making typographical errors when entering URLs. While it can target specific groups, it is not inherently designed to compromise users within a specific industry or group.

c. Hoax: This is a form of deception that convinces people to believe something that is not true. Hoaxes are generally used to spread misinformation or to trick people into taking actions based on false information. They are not specifically targeted at compromising users within a specific industry or group.

d. Impersonation: This involves pretending to be someone else, often to gain unauthorized access to information or systems. While impersonation can be part of a targeted attack, it doesn’t specifically describe an attack aimed at compromising users within a specific industry or group as a watering hole attack does.

42
Q

To reduce and limit software and infrastructure costs, the Chief Information Officer has requested to move email services to the cloud. The cloud provider and the organization must have security controls to protect sensitive data. Which of the following cloud services would BEST accommodate the request?

a. IaaS
b. PaaS
c. DaaS
d. SaaS

A

d. SaaS (Software as a Service)

Explanation:

SaaS (Software as a Service): SaaS is a cloud computing service model that delivers software applications over the internet, which are managed by a third-party provider. For email services, SaaS solutions like Microsoft 365 or Google Workspace offer robust email hosting with built-in security features, such as encryption, spam filtering, and data loss prevention. These providers also handle infrastructure and maintenance, reducing costs and complexity for the organization.

Why not the other choices?

IaaS (Infrastructure as a Service): IaaS provides virtualized computing resources over the internet. While IaaS offers flexibility and control over the infrastructure, it requires the organization to manage and maintain the email software and its security. This does not reduce software and infrastructure costs as effectively as SaaS.

PaaS (Platform as a Service): PaaS provides a platform allowing customers to develop, run, and manage applications without dealing with the underlying infrastructure. While PaaS can be used for email services, it typically targets application development and deployment rather than ready-to-use email solutions, making it less suitable for the described need.

DaaS (Desktop as a Service): DaaS provides virtual desktops that users can access from anywhere. It is more focused on delivering a complete desktop environment rather than specific services like email. Thus, it is not the best fit for the requirement to move email services to the cloud specifically.

43
Q

A security engineer is concerned that the strategy for detection on endpoints is too heavily dependent on previously defined attacks. The engineer would like a tool to monitor for changes to key files and network traffic on the device. Which of the following tools BEST addresses both detection and prevention?

a. NIDS
b. HIPS
c. AV
d. NGFW

A

b. HIPS (Host-based Intrusion Prevention System)

Explanation:

HIPS (Host-based Intrusion Prevention System): HIPS is designed to detect and prevent threats on individual endpoints by monitoring system behavior, including file changes, and analyzing network traffic to and from the host. HIPS can detect and block suspicious activities based on predefined rules and behavior patterns, making it effective for both detection and prevention.

Why not the other choices?

NIDS (Network-based Intrusion Detection System): NIDS monitors network traffic for suspicious activity and anomalies but does not directly monitor or prevent changes to key files on endpoints. It is primarily a detection tool rather than a prevention tool.

AV (Antivirus): Antivirus software is primarily designed to detect and remove known malware based on signature-based detection. While modern AV solutions may include some heuristic and behavioral detection capabilities, they are not as comprehensive in monitoring network traffic and file changes as HIPS.

NGFW (Next-Generation Firewall): NGFWs provide advanced network security features, including intrusion prevention, application awareness, and deep packet inspection. While NGFWs can monitor and block network traffic, they are not focused on endpoint-specific activities like file changes.

44
Q

During a recent incident, an external attacker was able to exploit an SMB vulnerability over the internet. Which of the following action items should a security analyst perform FIRST to prevent this from occurring again?

a. Check for any recent SMB CVEs.
b. Install AV on the affected server.
c. Block unneeded TCP 445 connections.
d. Deploy a NIDS in the affected subnet.

A

c. Block unneeded TCP 445 connections.

Explanation:

Block unneeded TCP 445 connections: SMB (Server Message Block) uses TCP port 445. Blocking unnecessary inbound connections on this port will immediately mitigate the risk of external attacks exploiting SMB vulnerabilities. This step is crucial because it directly addresses the vector used by the attacker and prevents similar attacks in the future.

Why not the other choices?

Check for any recent SMB CVEs: While it's important to stay updated on recent vulnerabilities (CVEs), this action alone does not prevent exploitation. Blocking the relevant port is a more immediate and effective preventive measure.

Install AV on the affected server: Antivirus software helps detect and remove malware but does not prevent exploitation of SMB vulnerabilities. It is more of a reactive measure rather than a preventive one.

Deploy a NIDS in the affected subnet: A Network Intrusion Detection System (NIDS) can help detect malicious activities and potential exploit attempts, but it does not prevent them. Blocking the port is a more direct and immediate step to prevent exploitation.

45
Q

A penetration tester is fuzzing an application to identify where the EIP of the stack is located on memory. Which of the following attacks is the penetration tester planning to execute?

a. Race-condition
b. Pass-the-hash
c. Buffer overflow
d. XSS

A

c. Buffer overflow attack.

Explanation:

Buffer overflow: In this type of attack, the penetration tester aims to inject more data than a buffer was designed to handle. This overflow can overwrite adjacent memory locations, including critical program control data on the stack such as the saved return address that is later loaded into EIP (Extended Instruction Pointer). By fuzzing the application with crafted input, the tester attempts to determine the exact location in that input that ends up in EIP, which can then be manipulated to execute arbitrary code or gain control of the application.

Race-condition: This type of attack involves exploiting a flaw in the timing or sequence of events within a system to gain unintended access or privileges, typically by manipulating the order of operations or events.

Pass-the-hash: This is a method used to authenticate to a remote system by using the hash of the user's password instead of the plaintext password.

XSS (Cross-Site Scripting): This attack injects malicious scripts into web applications that are executed in the browsers of other users who visit the affected site.

46
Q

Server administrators want to configure a cloud solution so that computing memory and processor usage is maximized most efficiently across a number of virtual servers. They also need to avoid potential denial-of-service situations caused by availability. Which of the following should administrators configure to maximize system availability while efficiently utilizing available computing power?

a. Dynamic resource allocation
b. High availability
c. Segmentation
d. Container security

A

a. Dynamic resource allocation

Here’s why:

Dynamic resource allocation: This approach involves automatically distributing computing resources (such as memory and CPU) among virtual servers based on current demand. It ensures that resources are used efficiently, preventing any one server from being overwhelmed while others remain underutilized. This helps to maximize system performance and availability, reducing the risk of denial-of-service situations caused by resource shortages.

Let’s briefly review the other options:

High availability: High availability focuses on ensuring that systems and services are available with minimal downtime, often through redundancy and failover mechanisms. While important for maintaining service availability, it does not directly address the efficient use of computing resources.

Segmentation: Segmentation involves dividing a network into smaller, isolated segments to improve security and manageability. It does not directly impact the efficient use of computing resources or prevent denial-of-service situations related to resource allocation.

Container security: Container security focuses on securing containerized applications and their environments. While important for protecting applications, it does not address the efficient use of memory and processor resources across virtual servers.

Therefore, dynamic resource allocation is the best solution for maximizing system availability and efficiently utilizing available computing power.

47
Q

While reviewing the wireless router, a systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Given the table below:

Hostname   IP address     MAC                 MAC filter
PC1        192.168.1.20   00:1E:1B:43:21:B2   On
PC2        192.168.1.23   31:1C:3C:13:25:C4   Off
PC3        192.168.1.25   20:A2:22:45:11:D2   On
Unknown    192.168.1.21   12:44:B2:FF:A1:22   Off

Which of the following should be the administrator’s NEXT step to detect if there is a rogue system without impacting availability?

a. Conduct a ping sweep.
b. Physically check each system.
c. Deny internet access to the “UNKNOWN” hostname.
d. Apply MAC filtering.

A

(Community : B 47%, A 45%)
B. Physically check each system

Running a ping sweep isn’t actually going to help you resolve the problem. But if you verify the MAC address of each authorized device, you can then apply MAC filtering to allow only the authorized devices. But in order to identify the MAC address for each device, you need to physically check each device.

(Brain dump : a. Conduct a ping sweep.)
a: Conducting a ping sweep would be the most practical next step to identify active devices on the network. However, to specifically detect the rogue system with potentially spoofed MAC addresses, the administrator should also consider:

Implementing ARP inspection: This helps to detect and block ARP spoofing, which is often associated with MAC address spoofing.
Using network monitoring tools: Tools that can monitor and analyze network traffic and device behavior for anomalies.

Conduct a ping sweep (option a): This could help identify active devices on the network, but it won’t specifically detect MAC address spoofing unless coupled with ARP inspection or other network monitoring tools.

Physically check each system (option b): While effective, physically checking each system can be time-consuming and may not be feasible if the network is large or remote. It’s not the most efficient immediate step.

Deny internet access to the “UNKNOWN” hostname (option c): This could prevent the potential rogue system from accessing the internet, but it doesn’t address the core issue of identifying and verifying the rogue system.

Apply MAC filtering (option d): This is a viable option because enabling MAC filtering on the router can enforce restrictions based on MAC addresses. However, it’s important to ensure that MAC addresses are correctly identified and updated, as MAC filtering alone won’t detect spoofed MAC addresses.

48
Q

A security analyst in a SOC has been tasked with onboarding a new network into the SIEM. Which of the following BEST describes the information that should feed into a SIEM solution in order to adequately support an investigation?

a. Logs from each device type and security layer to provide correlation of events
b. Only firewall logs since that is where attackers will most likely try to breach the network
c. Email and web-browsing logs because user behavior is often the cause of security breaches
d. NetFlow because it is much more reliable to analyze than syslog and will be exportable from every device

A

a. Logs from each device type and security layer to provide correlation of events

Here’s why option a is correct:

Logs from each device type: This includes logs from firewalls, routers, switches, servers, endpoints, and other network infrastructure. Each device type generates logs that capture different aspects of network and system activity.

Security layers: Logs should encompass various security layers such as intrusion detection/prevention systems (IDS/IPS), antivirus solutions, authentication systems, and more. This provides a comprehensive view of security events across different layers of the network.

Correlation of events: SIEM systems excel at correlating events from different sources to detect patterns and anomalies indicative of security incidents. By ingesting logs from diverse device types and security layers, the SIEM can perform effective correlation and alerting, enhancing the SOC's ability to detect and respond to threats.

Options b, c, and d are not as comprehensive or accurate:

Option b: Only focusing on firewall logs would miss potential threats and incidents that occur elsewhere in the network or on endpoints.

Option c: While email and web-browsing logs are important for detecting user-related threats, they do not cover the full spectrum of network activity and security incidents.

Option d: NetFlow is useful for network traffic analysis but is not a replacement for syslog logs, which provide detailed event information crucial for security monitoring and incident response.

49
Q

An organization just implemented a new security system. Local laws state that citizens must be notified prior to encountering the detection mechanism to deter malicious activities. Which of the following is being implemented?

a. Proximity cards with guards
b. Fence with electricity
c. Drones with alarms
d. Motion sensors with signage

A

d. Motion sensors with signage

Explanation:

The implementation of motion sensors with signage aligns with the requirement to notify citizens prior to encountering the detection mechanism. Motion sensors are commonly used in security systems to detect movement and trigger alarms or alerts. By placing signage indicating the presence of motion sensors, individuals are made aware of their presence before potentially triggering them. This practice not only complies with legal requirements but also serves as a deterrent to malicious activities by notifying individuals of surveillance or monitoring in the area.

50
Q

An IT security manager requests a report on company information that is publicly available. The manager’s concern is that malicious actors will be able to access the data without engaging in active reconnaissance. Which of the following is the MOST efficient approach to perform the analysis?

a. Provide a domain parameter to theHarvester tool.
b. Check public DNS entries using dnsenum.
c. Perform a Nessus vulnerability scan targeting a public company’s IP.
d. Execute nmap using the options: scan all ports and sneaky mode.

A

a. Provide a domain parameter to theHarvester tool.

Explanation:

theHarvester is a popular tool used for gathering information from public sources like search engines, PGP key servers, and the SHODAN computer database. By providing a domain parameter to theHarvester, the tool can be directed to search for and gather various types of information associated with the company’s domain name. This could include email addresses, subdomains, hostnames, and open ports, all of which could potentially expose information that malicious actors might use for reconnaissance purposes.

Options b, c, and d involve specific activities like checking DNS entries, performing vulnerability scans on IP addresses, and conducting comprehensive port scans. While these activities are valuable for security assessments, they are not as directly focused on gathering publicly available company information as providing a domain parameter to theHarvester tool would be.