Sy06 Exam Braindumps 301-350

Question 1

A security analyst is investigating an incident to determine what an attacker was able to do on a compromised laptop. The analyst reviews the following SIEM log:

Host Event ID Event Source Description
PC1 865 Microsoft-windows- C:\adsf234\adsf234.exe was blocked by
SoftwareRestricitonPolicies Group Policy
PC1 4688 Microsoft-windows-Security- A new process has been created. New
Auditing Process Name: powershell.exe
Creator Process Name : outlook.exe
PC1 4688 Microsoft-windows-Security- A new process has been created. New
Auditing Process Name: lat.ps1
Name : powershell.exe
PC1 4625 Microsoft-windows-Security- An account failed to log on.
Auditing LogonType: 3
SecurityID:Null SID
Workstation Name: PC1
Authentication Package Name : NTLM

Which of the following describes the method that was used to compromise the laptop?

a. An attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack.
b. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.
c. An attacker was able to install malware to the C:\asdf234 folder and use it to gain administrator rights and launch Outlook.
d. An attacker was able to phish user credentials successfully from an Outlook user profile

Answer 1

b. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.

The SIEM log provides clues about the method used to compromise the laptop. Let’s break down the log events:

Event ID 865 (Software Restriction Policies): Indicates that C:\adsf234\adsf234.exe was blocked by Group Policy. This shows that there was an attempt to run an executable that was blocked.

Event ID 4688 (Security Auditing):
    The first 4688 event shows that a new process, powershell.exe, was created, initiated by outlook.exe.
    The second 4688 event shows that another new process, lat.ps1, was created, with powershell.exe as the parent process.

Event ID 4625 (Security Auditing): Indicates a failed login attempt using NTLM with LogonType 3 (network logon), which shows an unauthorized access attempt.

Given these events, let’s analyze the options:

a. An attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack.

There is no evidence in the logs of lateral movement or pass-the-hash activity.

b. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.

This option aligns with the logs showing powershell.exe being started by outlook.exe, indicating that a malicious email could have initiated a PowerShell script.

c. An attacker was able to install malware to the C:\asdf234 folder and use it to gain administrator rights and launch Outlook.

The logs show that adsf234.exe was blocked, not executed. There is no indication that this executable was successfully run to gain administrator rights.

d. An attacker was able to phish user credentials successfully from an Outlook user profile.

The logs do not indicate successful credential phishing. Instead, they show failed login attempts.

Based on the log analysis, the most accurate description of the method used to compromise the laptop is:

b. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.

This aligns with the evidence of powershell.exe being initiated by outlook.exe, which suggests a potential malicious email attachment.

Question 2

A security analyst discovers that a company’s username and password database was posted on an Internet forum. The usernames and passwords are stored in plain text. Which of the following would mitigate the damage done by this type of data exfiltration in the future?

a. Create DLP controls that prevent documents from leaving the network.
b. Implement salting and hashing.
c. Configure the web content filter to block access to the forum.
d. Increase password complexity requirements.

Answer 2

b. Implement salting and hashing.

Here’s why:

Salting and Hashing: Storing passwords in plain text is a major security vulnerability. By implementing salting and hashing, passwords are transformed into a fixed-length string of characters, which does not directly reveal the original password. Salting adds an additional layer of security by adding a unique value to each password before hashing, making it more difficult for attackers to use precomputed tables (rainbow tables) to reverse the hash back to the original password. This makes it significantly harder for attackers to exploit the stolen password data.

The other options, while potentially useful in certain contexts, do not address the core issue of protecting passwords in storage:

DLP Controls: While Data Loss Prevention (DLP) controls can help prevent sensitive documents from leaving the network, they do not specifically address the secure storage of passwords.

Web Content Filter: Configuring a web content filter to block access to the forum where the data was posted does not prevent the initial exposure of the passwords or secure them in storage.

Password Complexity Requirements: Increasing password complexity can make passwords harder to guess but does not protect them if they are stored in plain text and subsequently stolen.

Therefore, implementing salting and hashing is the most effective way to mitigate the damage of future data exfiltration incidents involving passwords.

Question 3

Joe, an employee, receives an email stating he won the lottery. The email includes a link that requests a name, mobile phone number, address, and date of birth be provided to confirm Joe’s identity before sending him the prize. Which of the following BEST describes this type of email?

a. Spear phishing
b. Whaling
c. Phishing
d. Vishing

Answer 3

c. Phishing

Here’s an explanation:

Phishing: This is a broad term for fraudulent attempts to obtain sensitive information such as personal details, usernames, passwords, and credit card numbers by disguising as a trustworthy entity in electronic communications. In this case, the email pretending that Joe has won a lottery and asking for his personal information is a classic example of phishing.

The other options describe more specific types of phishing or related attacks:

Spear Phishing: This is a targeted form of phishing where the attacker customizes the email to a specific individual or organization, often using personal information to make the attack more convincing. There is no indication that Joe was specifically targeted; it seems more like a general phishing attempt.

Whaling: This type of phishing targets high-profile individuals such as executives or senior officials. There is no indication that Joe is a high-profile individual, so this does not fit the description.

Vishing: This is a form of phishing that uses voice communication (phone calls) instead of emails. Since the attack described involves an email, it does not qualify as vishing.

Therefore, the best description for the email Joe received is phishing.

Question 4

A company deployed a WiFi access point in a public area and wants to harden the configuration to make it more secure. After performing an assessment, an analyst identifies that the access point is configured to use WPA3, AES, WPS, and RADIUS. Which of the following should the analyst disable to enhance the access point security?

a. WPA3
b. AES
c. RADIUS
d. WPS

Answer 4

d. WPS

Here’s an explanation:

WPA3: This is the latest and most secure WiFi encryption protocol currently available. Disabling WPA3 would reduce security.

AES: Advanced Encryption Standard (AES) is a strong encryption algorithm used to protect WiFi communications. Disabling AES would weaken security.

RADIUS: Remote Authentication Dial-In User Service (RADIUS) is used for authentication and authorization in a secure manner, especially in enterprise environments. Disabling RADIUS would decrease security.

WPS: Wi-Fi Protected Setup (WPS) is a network security standard that attempts to allow users to easily secure a wireless home network. However, WPS has known vulnerabilities that can be exploited by attackers to gain unauthorized access to the network. Disabling WPS improves security by removing these vulnerabilities.

Therefore, disabling WPS is the best option to enhance the security of the WiFi access point.

Question 5

Which of the following would be used to find the MOST common web-application vulnerabilities?

a. OWASP
b. MITRE ATT&CK
c. Cyber Kill Chain
d. SDLC

Answer 5

a. OWASP (Open Web Application Security Project)

Here’s an explanation:

OWASP: The Open Web Application Security Project provides a list of the top ten most critical web application security risks. It is widely used and recognized in the industry as a primary source for identifying common web-application vulnerabilities and understanding how to address them.

MITRE ATT&CK: This framework provides a comprehensive matrix of tactics, techniques, and procedures used by attackers. While it is an excellent resource for understanding how attacks are carried out, it is not specifically focused on web-application vulnerabilities.

Cyber Kill Chain: This model describes the stages of a cyber attack but does not specifically focus on web-application vulnerabilities.

SDLC (Software Development Life Cycle): This is a process for planning, creating, testing, and deploying an information system. While secure SDLC practices help in mitigating vulnerabilities, it is not a resource for identifying the most common web-application vulnerabilities.

Therefore, OWASP is the most appropriate choice for finding the most common web-application vulnerabilities.

Question 6

A network engineer is troubleshooting wireless network connectivity issues that were reported by users. The issues are occurring only in the section of the building that is closest to the parking lot. Users are intermittently experiencing slow speeds when accessing websites and are unable to connect to network drives. The issues appear to increase when laptop users return to their desks after using their devices in other areas of the building. There have also been reports of users being required to enter their credentials on web pages in order to gain access to them. Which of the following is the MOST likely cause of this issue?

a. An external access point is engaging in an evil-twin attack.
b. The signal on the WAP needs to be increased in that section of the building.
c. The certificates have expired on the devices and need to be reinstalled.
d. The users in that section of the building are on a VLAN that is being blocked by the firewall

Answer 6

a. An external access point is engaging in an evil-twin attack.

Here’s why this is the most likely cause:

Evil-twin attack: An evil-twin attack involves an attacker setting up a rogue access point that mimics the legitimate access point's SSID and settings. This can cause users' devices to connect to the rogue access point, leading to connectivity issues, slow speeds, and credential harvesting (users being required to enter their credentials on web pages).

Signal on the WAP needs to be increased: If the signal strength was the issue, users would not experience credential prompts or intermittent connectivity specifically when returning from other areas of the building.

Expired certificates: While expired certificates can cause connectivity issues, they are unlikely to lead to intermittent issues only in a specific section of the building and would not explain the need for users to re-enter credentials in this context.

VLAN being blocked by the firewall: If a VLAN was being blocked, users would consistently face connectivity issues, not intermittent ones, and it would not specifically affect users moving from other areas.

Given the symptoms of credential prompts and intermittent connectivity near the parking lot, an evil-twin attack is the most plausible explanation.

Question 7

A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions?

a. Nmap
b. Wireshark
c. Autopsy
d. DNSEnum

Answer 7

a. Nmap

Here’s why:

Nmap: Nmap is a powerful network scanning tool that can be used to discover hosts and services on a computer network. It is commonly used to identify open ports and the services running on those ports, making it ideal for checking which services are running on a server.

Wireshark: Wireshark is a network protocol analyzer used for network troubleshooting, analysis, and protocol development. While it is useful for capturing and analyzing network traffic, it is not typically used to identify running services directly.

Autopsy: Autopsy is a digital forensics tool used for analyzing hard drives and other media for evidence. It is not designed to identify running services on a server.

DNSEnum: DNSEnum is a DNS enumeration tool used to gather information about DNS records and perform DNS reconnaissance. It is not used to identify running services on a server.

Therefore, Nmap is the best choice for confirming whether unnecessary services are running on a server.

Question 8

A vulnerability has been discovered and a known patch to address the vulnerability does not exist. Which of the following controls works BEST until a proper fix is released?

a. Detective
b. Compensating
c. Deterrent
d. Corrective

Answer 8

b. Compensating

Here’s why:

Compensating: Compensating controls are alternative measures implemented to mitigate the risk when the primary control (such as a patch) is not available or feasible. In this context, a compensating control might involve implementing additional security measures, such as restricting access, using firewalls, or monitoring for suspicious activity, to reduce the risk posed by the vulnerability until a proper fix can be released.

Detective: Detective controls are designed to identify and detect unwanted events or incidents. While useful for monitoring and alerting, they do not mitigate or reduce the risk of the vulnerability directly.

Deterrent: Deterrent controls are intended to discourage or prevent an attacker from attempting to exploit a vulnerability. While they can reduce the likelihood of an attack, they do not address the underlying vulnerability.

Corrective: Corrective controls are designed to fix or correct an issue after it has been identified. However, in this case, a corrective control (such as a patch) does not exist yet, so it is not applicable.

Therefore, compensating controls are the best option to mitigate the risk posed by the vulnerability until a proper fix is released.

Question 9

While reviewing pcap data, a network security analyst is able to locate plaintext usernames and passwords being sent from workstations to network switches. Which of the following is the security analyst MOST likely observing?

a. SNMP traps
b. A Telnet session
c. An SSH connection
d. SFTP traffic

Answer 9

b. A Telnet session

Here’s why:

Telnet: Telnet is an older network protocol used for remote management that transmits data, including usernames and passwords, in plaintext. This makes it easy for anyone capturing network traffic to read the credentials.

SNMP traps: SNMP (Simple Network Management Protocol) traps are messages sent from a device to a management system, typically containing status information or alerts. While SNMP v1 and v2c do not encrypt their data, SNMP v3 can be configured to do so. However, SNMP traps usually do not contain usernames and passwords in the way described.

SSH connection: SSH (Secure Shell) is a protocol used for secure remote management and file transfers. SSH encrypts all data transmitted between the client and server, making it highly unlikely that a network security analyst would observe plaintext usernames and passwords.

SFTP traffic: SFTP (SSH File Transfer Protocol) is a secure version of FTP that operates over an SSH connection. Like SSH, SFTP encrypts all data transmitted, so plaintext usernames and passwords would not be observable.

Therefore, the presence of plaintext usernames and passwords in network traffic strongly suggests the use of Telnet.

Question 10

An attacker replaces a digitally signed document with another version that goes unnoticed. Upon reviewing the document’s contents, the author notices some additional verbiage that was not originally in the document but cannot validate an integrity issue. Which of the following attacks was used?

a. Cryptomalware
b. Hash substitution
c. Collision
d. Phishing

Answer 10

(Community : C 71%, B 29%)

c. Collision

Here’s why:

Cryptomalware: Cryptomalware typically refers to malware that encrypts files on a victim's system, often for the purpose of extortion (ransomware). This attack does not involve modifying a document while maintaining a valid digital signature.

Hash substitution: Hash substitution involves replacing a legitimate hash with a fraudulent one. However, if the original hash value is known or retrievable, the attack can be detected because the substituted hash will not match the recalculated hash of the document.

Collision: A collision attack occurs when two different inputs produce the same hash value. In the context of digital signatures, if an attacker can create a modified document that hashes to the same value as the original document, they can replace the original document with the modified one without invalidating the digital signature. This allows the attacker to change the document's contents without being detected through normal integrity checks, as the hash (and therefore the digital signature) appears to be correct.

Phishing: Phishing is a social engineering attack where an attacker attempts to trick individuals into providing sensitive information or performing certain actions by pretending to be a trustworthy entity. This does not involve modifying digital documents directly.

In this case, the attack method that best explains how the document was modified without invalidating the digital signature is a collision attack.

(Braindump : b. Hash substitution)

Question 11

A security analyst notices that specific files are being deleted each time a systems administrator is on vacation. Which of the following BEST describes the type of malware that is running?

a. Fileless virus
b. Logic bomb
c. Keylogger
d. Ransomware

Answer 11

b. Logic bomb

Here’s why:

Fileless virus: A fileless virus operates in memory and does not typically delete files as described in the scenario. It focuses on executing malicious code without leaving traditional traces like files on disk.

Logic bomb: A logic bomb is a type of malicious code that is triggered by a specific event or condition. In this case, the condition triggering the deletion of files is the absence of the systems administrator (when they are on vacation). This fits the scenario where files are systematically deleted only during the administrator's absence.

Keylogger: A keylogger is a type of malware that records keystrokes, usually to capture passwords or other sensitive information typed by users. It does not typically involve file deletion based on specific conditions related to an administrator's absence.

Ransomware: Ransomware encrypts files and demands payment for decryption. It does not selectively delete files based on the presence or absence of specific individuals like a systems administrator on vacation.

Therefore, based on the behavior described in the scenario, the type of malware that is likely running is a logic bomb.

Question 12

Which of the following involves the inclusion of code in the main codebase as soon as it is written?

a. Continuous monitoring
b. Continuous deployment
c. Continuous validation
d. Continuous integration

Answer 12

(Braindump : d. Continuous integration)

b. Continuous deployment

a. Continuous monitoring:
Definition: Continuous monitoring involves the ongoing surveillance, assessment, and analysis of systems and networks to ensure that security controls and processes remain effective over time.
Use: It is primarily used in cybersecurity contexts to detect and respond to security threats and vulnerabilities in real-time.

b. Continuous deployment:
Definition: Continuous deployment is a software engineering approach in which every code change that passes automated testing is automatically deployed to production without manual intervention.
Use: It allows teams to release software updates frequently, ensuring that new features and bug fixes reach users quickly. This practice requires a robust automated testing and deployment pipeline.

c. Continuous validation:
Definition: Continuous validation is the process of continuously testing and validating software applications throughout the development lifecycle to ensure they meet requirements and quality standards.
Use: It ensures that each stage of development, from planning to deployment, includes rigorous testing and validation procedures to identify and address issues early.

d. Continuous integration:
Definition: Continuous integration (CI) is a software development practice where team members frequently integrate their code changes into a shared repository. Each integration triggers an automated build and automated tests to detect integration errors quickly.
Use: CI aims to improve collaboration among team members and increase the speed of software delivery. It helps maintain code quality by catching bugs early in the development process.

Question 13

Which of the following can reduce vulnerabilities by avoiding code reuse?

a. Memory management
b. Stored procedures
c. Normalization
d. Code obfuscation

Answer 13

d. Code obfuscation

Explanation:

Code obfuscation is a technique used to modify code to make it more difficult to understand, reverse-engineer, or reuse without authorization. By obfuscating code, developers can reduce vulnerabilities associated with exposing sensitive logic or algorithms that could be exploited by attackers. It doesn’t prevent code reuse entirely but makes it harder for malicious actors to understand and exploit vulnerabilities in reused code.

Let’s briefly explain the other options for clarity:

a. Memory management: While important for preventing vulnerabilities like memory leaks or buffer overflows, it primarily concerns efficient use of memory resources and doesn’t directly relate to avoiding code reuse.

b. Stored procedures: These are precompiled SQL statements stored in a database, used to improve performance and security by reducing the risk of SQL injection attacks. They are not directly related to avoiding code reuse in the context of software development.

c. Normalization: This refers to organizing data in a database to reduce redundancy and improve data integrity. It is crucial for database design but doesn’t address avoiding code reuse in software development.

In contrast, code obfuscation specifically aims to make code more resistant to reverse engineering and reuse, thus indirectly reducing vulnerabilities associated with exposed code logic.

Question 14

The technology department at a large global company is expanding its Wi-Fi network infrastructure at the headquarters building. Which of the following should be closely coordinated between the technology, cybersecurity, and physical security departments? Select 1

a. Authentication protocol
b. Encryption type
c. WAP placement
d. VPN configuration

Answer 14

c. WAP placement

Explanation:

WAP (Wireless Access Point) placement involves determining where access points will be installed throughout the building. This decision impacts both network coverage and security.
Technology department: Responsible for implementing the network infrastructure and ensuring adequate coverage.
Cybersecurity department: Ensures that WAP placement doesn't compromise network security by considering factors like signal reach, interference, and segregation of network segments.
Physical security department: Ensures that access points are placed in physically secure locations to prevent tampering or unauthorized access.

While authentication protocols, encryption types, and VPN configurations are crucial aspects of network security and operations, WAP placement directly impacts network coverage, reliability, and security, making it essential for coordination among these departments during the expansion of the Wi-Fi network infrastructure.

Question 15

Which of the following is an example of risk avoidance?

a. Installing security updates directly in production to expedite vulnerability fixes
b. Buying insurance to prepare for financial loss associated with exploits
c. Not installing new software to prevent compatibility errors
d. Not taking preventive measures to stop the theft of equipment

Answer 15

Risk avoidance refers to taking actions to eliminate or withdraw from the risk altogether. Among the given options:

c. Not installing new software to prevent compatibility errors

This option best exemplifies risk avoidance because by choosing not to install new software, the organization avoids the potential risk of encountering compatibility issues that could lead to operational disruptions or vulnerabilities. This approach eliminates the risk rather than managing or mitigating it, which aligns with the principle of risk avoidance in risk management strategies.

Question 16

A security administrator needs to block a TCP connection using the corporate firewall. Because this connection is potentially a threat, the administrator does not want to send back an RST. Which of the following actions in the firewall rule would work BEST?

a. Drop
b. Reject
c. Log alert
d. Permit

Answer 16

an RST (Reset) packet, the best action to use in the firewall rule is:

a. Drop

Explanation:

Drop: This action silently drops the packets of the blocked connection without sending any response back to the source. This means the connection is terminated without notifying the sender, which can help avoid revealing information about the firewall's configuration or the existence of the protected network.

Reject: This action sends back an ICMP "port unreachable" message (RST packet for TCP) to the sender, indicating that the connection attempt was actively refused. Since the administrator wants to avoid sending an RST, this option is not suitable.

Log alert: This action logs the event but still sends an ICMP message indicating the port is unreachable, similar to "reject".

Permit: This action allows the connection through, which is the opposite of what the administrator wants to achieve in this case.

Therefore, a. Drop is the most appropriate action to block the TCP connection while minimizing response to the sender.

Question 17

Which of the following BEST describes data streams that are compiled through artificial intelligence that provides insight on current cyberintrusions, phishing, and other malicious cyberactivity?

a. Intelligence fusion
b. Review reports
c. Log reviews
d. Threat feeds

Answer 17

d. Threat feeds

Explanation:

Threat feeds refer to data streams compiled through artificial intelligence and other methods to provide real-time or near-real-time information about current cyber threats, intrusions, phishing campaigns, malware, and other malicious activities. These feeds aggregate data from various sources such as security researchers, threat intelligence platforms, cybersecurity vendors, and global cybersecurity communities. They are used by security teams to enhance their threat detection and response capabilities by staying informed about the latest threats and trends in the cybersecurity landscape.

Intelligence fusion involves integrating multiple sources of intelligence to produce enhanced insights, which can include threat feeds but encompasses broader intelligence sources beyond just cyber threats.

Review reports and log reviews are more specific activities related to examining historical data or logs to identify security incidents or trends, rather than ongoing streams of real-time threat information.

Therefore, d. Threat feeds specifically describes the ongoing data streams compiled through AI to provide insight into current cyberintrusions, phishing, and other malicious cyberactivity.

Question 18

A security team discovered a large number of company-issued devices with non-work-related software installed. Which of the following policies would MOST likely contain language that would prohibit this activity?

a. NDA
b. BPA
c. AUP
d. SLA

Answer 18

c. AUP (Acceptable Use Policy)

Explanation:

Acceptable Use Policy (AUP): This policy defines the acceptable ways in which company resources, including devices like computers and mobile phones, can be used. It typically includes guidelines on software installation, specifying that only approved or necessary software for work purposes should be installed. AUPs often prohibit the installation of unauthorized or non-work-related software to maintain security, compliance, and operational efficiency.

NDA (Non-Disclosure Agreement): This document outlines confidentiality obligations related to sensitive company information and does not typically address device usage or software installation.

BPA (Business Partnership Agreement): This agreement governs the relationship between business partners and may not directly address device usage or software installation.

SLA (Service Level Agreement): This agreement defines the level of service expected from a vendor and does not typically address device usage or software installation.

Therefore, c. AUP is the correct choice as it directly pertains to defining appropriate use of company resources, including devices, which would encompass the prohibition of non-work-related software installations.

Question 19

Which of the following would be the BEST resource for a software developer who is looking to improve secure coding practices for web applications?

a. OWASP
b. Vulnerability scan results
c. NIST CSF
d. Third-party libraries

Answer 19

a. OWASP

Explanation:

OWASP (Open Web Application Security Project) is a nonprofit organization focused on improving the security of software. It provides resources, tools, and best practices for secure coding, particularly for web applications. OWASP offers guidelines, cheat sheets, and extensive documentation on common vulnerabilities and how to mitigate them through secure coding practices.

Vulnerability scan results provide information about existing vulnerabilities in applications but do not necessarily focus on educating developers on secure coding practices.

NIST CSF (Cybersecurity Framework) is a framework developed by the National Institute of Standards and Technology (NIST) to help organizations manage and improve their cybersecurity posture. It provides a framework for risk management but is not specifically focused on secure coding practices for developers.

Third-party libraries are external code components that developers integrate into their applications. While important for security, they do not directly educate developers on secure coding practices for web applications.

Therefore, a. OWASP is the best resource for a software developer looking to improve secure coding practices specifically for web applications.

Question 20

Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations. Which of the following documents did Ann receive?

a. An annual privacy notice
b. A non-disclosure agreement
c. A privileged-user agreement
d. A memorandum of understanding

Answer 20

a. An annual privacy notice

Explanation:

Annual privacy notice: Financial institutions are required to send out annual privacy notices to their customers explaining how their personal information (PII) is shared and with whom. These notices inform customers about their rights regarding their personal data and the company's practices related to data sharing and privacy.

Non-disclosure agreement (NDA): This is a legal contract between two parties to keep certain information confidential. It is typically used in business partnerships or employment contexts to protect sensitive information but does not apply to customer notifications about data sharing.

Privileged-user agreement: This is an agreement that specifies the responsibilities and acceptable use policies for users with elevated access privileges within an organization. It is not related to customer notifications about data sharing.

Memorandum of understanding (MOU): An MOU is a document that outlines the terms and details of an agreement between parties before the final agreement is signed. It is used to formalize a relationship between parties but is not related to notifying customers about data sharing practices.

Therefore, a. An annual privacy notice is the document Ann received, as it is the one that explains how her PII may be shared with partners, affiliates, and associates for business operations.

Question 21

A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system?

a. The Diamond Model of Intrusion Analysis
b. CIS Critical Security Controls
c. NIST Risk Management Framework
d. ISO 27002

Answer 21

c. NIST Risk Management Framework

Explanation:

NIST Risk Management Framework (RMF): The NIST RMF provides a structured process for integrating security, privacy, and risk management activities into the system development life cycle. The steps described in the question (categorizing the system, selecting controls, implementing controls, assessing controls, and authorizing the system) closely align with the steps outlined in the NIST RMF.

The Diamond Model of Intrusion Analysis: This model is used for understanding and analyzing cyber intrusions. It focuses on understanding the relationships between adversaries, capabilities, infrastructure, and victims but is not directly related to deploying and securing new systems.

CIS Critical Security Controls: These are a set of best practices for securing IT systems and data. While they are valuable for improving security, they do not provide the structured, comprehensive process described in the question.

ISO 27002: This is a standard that provides guidelines for organizational information security standards and practices. It offers recommendations for security controls but does not specifically describe the structured process of evaluating and authorizing a new system as outlined in the question.

Therefore, c. NIST Risk Management Framework is the most appropriate choice for the process the CISO is following.

Question 22

A manufacturing company has several one-off legacy information systems that cannot be migrated to a newer OS due to software compatibility issues. The OSs are still supported by the vendor, but the industrial software is no longer supported. The Chief Information Security Officer has created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment, while also creating backups of the systems for recovery. Which of the following resiliency techniques will provide these capabilities?

a. Redundancy
b. RAID 1+5
c. Virtual machines
d. Full backups

Answer 22

c. Virtual machines

Explanation:

Virtual machines (VMs): Using VMs can provide significant flexibility and resiliency for legacy systems. VMs allow the creation of snapshots, which can be used for quick recovery if something goes wrong after applying OS patches. Moreover, VMs can be easily backed up and restored, providing a robust recovery mechanism. Running legacy software in a VM also helps isolate it from the primary system, reducing potential security risks.

Redundancy: While redundancy is a critical part of resilience, it typically involves having duplicate systems or components to ensure availability in case of failure. It does not directly address the need for patch testing or backups as described in the scenario.

RAID 1+5: This refers to a combination of RAID 1 (mirroring) and RAID 5 (striping with parity). RAID configurations are used to improve data availability and fault tolerance for storage devices but do not provide the flexibility or isolation needed for patch testing and recovery of legacy systems.

Full backups: While full backups are essential for recovery, they do not offer the flexibility to test OS patches in a non-production environment. Full backups alone do not provide the same level of isolation and ease of recovery that VMs can offer.

Therefore, c. Virtual machines is the best choice to provide the capabilities described in the scenario

Question 23

A retail store has a business requirement to deploy a kiosk computer in an open area. The kiosk computer’s operating system has been hardened and tested. A security engineer is concerned that someone could use removable media to install a rootkit. Which of the following should the security engineer configure to BEST protect the kiosk computer?

a. Measured boot
b. Boot attestation
c. UEFI
d. EDR

Answer 23

(Braindump : a. Measured boot)
(Community : A 57%, C 23%)
Measured Boot is a new feature of Windows 8 that was created to help better protect your machine from rootkits and other malware. Measured Boot will check each start up component including the firmware all the way to the boot drivers and it will store this information in what is called a Trusted Platform Module (TPM)

Measured Boot is intended to prevent boot-level malware.

unlike secure boot, measured boot does’t validate against a known good list of signatures before booting. instead it relies on the UEFI firmware to hash the firmware, bootloader, drivers, and anything else that is part of the boot process. then the data gathered is stored in the TPM.

This boot attestation process allows comparison against known good states and admins can take action if the measured boot shows a difference from the accepted or secure known state.

ChatGPT :
c. UEFI (Unified Extensible Firmware Interface)
Explanation:
UEFI (Unified Extensible Firmware Interface): UEFI provides a modern firmware interface for PCs that includes secure boot capabilities. Secure Boot, a feature of UEFI, ensures that only trusted software that has been digitally signed can run during the boot process. This helps prevent unauthorized software, such as rootkits, from being installed and executed. Configuring UEFI with Secure Boot can protect the kiosk computer from malicious software that might be introduced through removable media.

Other options:

Measured boot: This is a feature that helps ensure the integrity of the boot process by measuring each component from firmware up through the bootloader and OS. While measured boot can provide valuable information about the boot integrity, it doesn't actively prevent the installation of rootkits via removable media.

Boot attestation: This involves verifying the integrity of the boot process, often using remote attestation to ensure that the device's boot sequence has not been tampered with. While important for validating boot integrity, it is more of a monitoring tool and does not directly prevent rootkit installation.

EDR (Endpoint Detection and Response): EDR solutions provide monitoring and response capabilities for detecting and responding to threats on endpoints. While EDR is useful for detecting and mitigating various threats, it operates at the OS level and may not prevent the initial installation of a rootkit through removable media.

Question 24

A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA?

a. One-time passwords
b. Email tokens
c. Push notifications
d. Hardware authentication

Answer 24

c. Push notifications

Explanation:

Push notifications: This method is highly user-friendly and non-disruptive. Users receive a notification on their registered mobile device and can simply approve or deny the authentication request with a single tap. This approach is quick, seamless, and minimizes the need for users to input additional information, making it a convenient choice for enhancing security without causing significant disruptions.

Other options:

One-time passwords (OTPs): These typically require users to enter a code received via SMS, email, or an authenticator app. While secure, they can be more disruptive than push notifications since users must manually enter the code each time they log in.

Email tokens: Sending a token to a user's email for each login attempt can be secure but is often slower and more disruptive than push notifications. It also relies on users having immediate access to their email, which may not always be the case.

Hardware authentication: While very secure, using hardware tokens (e.g., YubiKeys) can be disruptive, especially if users forget or lose their tokens. It also involves additional costs and logistical challenges in distributing and managing the hardware.

Therefore, push notifications provide the best balance of security, convenience, and minimal disruption, making them the optimal choice for implementing MFA in a user-friendly manner.

Question 25

A security engineer is reviewing the logs from a SAML application that is configured to use MFA. During this review, the engineer notices a high volume of successful logins that did not require MFA from users who were traveling internationally. The application, which can be accessed without a VPN, has a policy that allows time-based tokens to be generated. Users who change locations should be required to reauthenticate but have been able to log in without doing so. Which of the following statements BEST explains the issue?

a. OpenID is mandatory to make the MFA requirements work.
b. An incorrect browser has been detected by the SAML application.
c. The access device has a trusted certificate installed that is overwriting the session token.
d. The user’s IP address is changing between logins, but the application is not invalidating the token.

Answer 25

d. The user’s IP address is changing between logins, but the application is not invalidating the token.

Explanation:

In the described scenario, the issue seems to be that users who are traveling internationally are able to log in without being prompted for MFA, even though they are accessing the application from different locations. The application’s policy requires reauthentication when the user changes locations. The likely cause is that the application’s session token is not being invalidated when the user’s IP address changes, allowing users to bypass the reauthentication requirement.

Detailed reasoning:

SAML and session tokens: SAML (Security Assertion Markup Language) is used for single sign-on (SSO) and relies on tokens for authentication. When a user logs in, a token is generated and used for subsequent access without requiring reauthentication until the token expires.

MFA requirement upon location change: The policy requires reauthentication (including MFA) when a user changes location, which would typically be detected by a change in the user's IP address.

Token invalidation: If the application does not invalidate the session token when the IP address changes, the user can continue to access the application without reauthenticating, even from a new location.

Therefore, the best explanation for the observed behavior is that the application is not invalidating the token when the user’s IP address changes, allowing users to bypass the reauthentication process required by the MFA policy.

Question 26

An organization wants to enable built-in FDE on all laptops. Which of the following should the organization ensure is installed on all laptops?

a. TPM
b. CA
c. SAML
d. CRL

Answer 26

a. TPM (Trusted Platform Module)

Explanation:

TPM (Trusted Platform Module): TPM is a specialized hardware component designed to secure hardware by integrating cryptographic keys into devices. It is crucial for enabling Full Disk Encryption (FDE) because it securely stores the encryption keys used to encrypt and decrypt the disk. TPM enhances the security of the encryption process, ensuring that only authorized users can access the encrypted data.

Detailed reasoning for other options:

CA (Certificate Authority): A CA issues digital certificates that validate the ownership of encryption keys used in secure communications. While important for overall network security and authentication, a CA is not directly related to enabling built-in FDE on laptops.

SAML (Security Assertion Markup Language): SAML is a standard for Single Sign-On (SSO) and federated identity management. It allows secure transmission of authentication and authorization data. However, it is not related to enabling FDE on laptops.

CRL (Certificate Revocation List): A CRL is a list of digital certificates that have been revoked by the CA before their expiration dates. While it plays a role in managing digital certificates, it is not directly related to FDE on laptops.

Conclusion:

To enable built-in Full Disk Encryption (FDE) on all laptops, the organization should ensure that a TPM (Trusted Platform Module) is installed on all laptops.

Question 27

A security analyst needs to centrally manage credentials and permissions to the company’s network devices. The following security requirements must be met:

*All actions performed by the network staff must be logged.
*Per-command permissions must be possible.
*The authentication server and the devices must communicate through TCP.

Which of the following authentication protocols should the analyst choose?

a. Kerberos
b. CHAP
c. TACACS+
d. RADIUS

Answer 27

c. TACACS+

Explanation:

TACACS+ (Terminal Access Controller Access-Control System Plus): TACACS+ is specifically designed for managing credentials and permissions for network devices. It provides centralized authentication, authorization, and accounting (AAA) services. TACACS+ supports per-command authorization, allowing granular control over what commands users can execute on network devices. It also logs all actions performed by network staff, ensuring comprehensive auditing. Importantly, TACACS+ uses TCP for communication between the authentication server and the network devices.

Detailed reasoning for other options:

Kerberos: Kerberos is primarily used for authentication in client-server applications, particularly within Active Directory environments. It does not provide per-command permissions or the same level of detailed logging specific to network device management as TACACS+.

CHAP (Challenge Handshake Authentication Protocol): CHAP is an authentication mechanism that uses a challenge-response system. It is typically used for PPP connections and does not provide centralized management, per-command permissions, or extensive logging capabilities.

RADIUS (Remote Authentication Dial-In User Service): RADIUS is widely used for centralized authentication, authorization, and accounting. While RADIUS can log actions and use TCP (in addition to UDP), it does not natively support per-command authorization as effectively as TACACS+ does. TACACS+ is more suited for network device management with granular control over user actions.

Conclusion:

TACACS+ is the most appropriate choice for centrally managing credentials and permissions to the company’s network devices, meeting the requirements of logging all actions, supporting per-command permissions, and using TCP for communication.

Question 28

An organization recently released a software assurance policy that requires developers to run code scans each night on the repository. After the first night, the security team alerted the developers that more than 2,000 findings were reported and need to be addressed. Which of the following is the MOST likely cause for the high number of findings?

a. The vulnerability scanner was not properly configured and generated a high number of false positives.
b. Third-party libraries have been loaded into the repository and should be removed from the codebase.
c. The vulnerability scanner found several memory leaks during runtime, causing duplicate reports for the same issue.
d. The vulnerability scanner was not loaded with the correct benchmarks and needs to be updated.

Answer 28

a. The vulnerability scanner was not properly configured and generated a high number of false positives.

Explanation:

When a new vulnerability scanner is used for the first time, especially if it's not properly configured, it can produce a significant number of false positives. This means the scanner reports issues that aren't actually vulnerabilities, leading to an overwhelming number of findings that need to be addressed.

Detailed reasoning for other options:

Third-party libraries have been loaded into the repository and should be removed from the codebase: While third-party libraries can introduce vulnerabilities, it's less likely that they alone would account for such a high number of findings overnight, especially if these libraries were already being used without previous issues.

The vulnerability scanner found several memory leaks during runtime, causing duplicate reports for the same issue: Memory leaks and similar runtime issues are typically identified during dynamic analysis (runtime analysis), not static code scans. Static code analysis, which is usually what's run on repositories nightly, would not report memory leaks in this manner.

The vulnerability scanner was not loaded with the correct benchmarks and needs to be updated: While this could lead to inaccurate findings, it wouldn't necessarily result in a high number of findings. Incorrect benchmarks might lead to missed vulnerabilities rather than an excessive number of findings.

Conclusion:

The most likely cause for the high number of findings is that the vulnerability scanner was not properly configured and thus generated a high number of false positives. This is a common issue when a vulnerability scanner is used for the first time or not tuned to the specific codebase and its environment. Proper configuration and tuning are essential to reduce false positives and make the scan results manageable and actionable.

Question 29

An organization is concerned about intellectual property theft by employees who leave the organization. Which of the following should the organization MOST likely implement?

a. CBT
b. NDA
c. MOU
d. AUP

Answer 29

b. NDA (Non-Disclosure Agreement)

Explanation:

An NDA (Non-Disclosure Agreement) is a legal contract that protects confidential and proprietary information from being disclosed to unauthorized parties. It is commonly used to prevent intellectual property theft by employees, contractors, or other parties who have access to sensitive information during their tenure with the organization.

Reasoning for other options:

CBT (Computer-Based Training): While CBT can educate employees about policies and security practices, it does not directly prevent intellectual property theft after an employee leaves the organization.

MOU (Memorandum of Understanding): MOUs are typically used to establish mutual understanding between parties in less formal agreements, often related to collaborations or partnerships. They are not typically used to prevent intellectual property theft.

AUP (Acceptable Use Policy): AUPs outline acceptable behavior and usage of IT resources within an organization. While they may include clauses related to data protection and intellectual property, an NDA specifically addresses confidentiality and is more directly related to preventing intellectual property theft.

Conclusion:

To address concerns about intellectual property theft by departing employees, implementing an NDA is the most appropriate measure. It legally binds individuals to keep sensitive information confidential even after they are no longer employed by the organization.

Question 30

A security analyst reviews web server logs and notices the following lines:

104.35.45.53 - - [22/May/2020:06:57:31 +0100] “GET /profile.php?id=%3cscript%3ealert%28%271%27%29%3script%3e HTTP/1.1” 200 11705 “http://www.example.com/downloadreport.php”
104.35.45.53 - - [22/May/2020:07:00:58 +0100] “GET /profile.php?id=%3cscript%3ealert%28%27 http%3a%2f%2fwww.evilsite.com%2fupdater.php%27%29%3script%3e HTTP/1.1” 200 23713 “http://www.example.com/downloadreport.php”

Which of the following vulnerabilities is the attacker trying to exploit?

a. Token reuse
b. SQLi
c. CSRF
d. XSS

Answer 30

d. XSS (Cross-Site Scripting)

Explanation:

The logs provided indicate attempts to exploit Cross-Site Scripting (XSS) vulnerabilities. XSS occurs when an attacker injects malicious scripts into web pages viewed by other users. In the logs:

First request: GET /profile.php?id=%3cscript%3ealert%28%271%27%29%3script%3e
    This request includes a script (<script>alert('1')</script>) as part of the id parameter in the URL. If this script is executed in another user's browser, it could perform actions unintended by the application.

Second request: GET /profile.php?id=%3cscript%3ealert%28%27http%3a%2f%2fwww.evilsite.com%2fupdater.php%27%29%3script%3e
    This request attempts to inject a script that redirects users to http://www.evilsite.com/updater.php when the vulnerable page (profile.php) is accessed.

Reasoning for other options:

Token reuse: This involves reusing authentication tokens, which is not evident from the provided logs.

SQLi (SQL Injection): There is no evidence of SQL queries being manipulated in the URL parameters provided.

CSRF (Cross-Site Request Forgery): CSRF involves unauthorized commands being transmitted from a user that the web application trusts. The logs do not indicate CSRF attempts.

Conclusion:

The attacker is attempting to exploit XSS vulnerabilities in the profile.php page of the web server. This type of vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially compromising their session or performing actions on their behalf.

Question 31

A network manager is concerned that business may be negatively impacted if the firewall in its data center goes offline. The manager would like to implement a high availability pair to:

a. decrease the mean time between failures.
b. remove the single point of failure.
c. cut down the mean time to repair.
d. reduce the recovery time objective.

Answer 31

b. remove the single point of failure.

Explanation:

Implementing a high availability pair for the firewall helps to remove the single point of failure in the data center. This means that if one firewall fails or needs maintenance, the other firewall in the pair can seamlessly take over its responsibilities, ensuring continuous operation and reducing the risk of downtime. This setup increases reliability and availability of the network services provided by the firewall, thereby mitigating the impact on business operations if one firewall goes offline.

Question 32

A major manufacturing company updated its internal infrastructure and just recently started to allow OAuth applications to access corporate data. Data leakage is now being reported. Which of the following MOST likely caused the issue?

a. Privilege creep
b. Unmodified default settings
c. TLS protocol vulnerabilities
d. Improper patch management

Answer 32

b. Unmodified default settings

OAuth applications accessing corporate data may have caused data leakage due to unmodified default settings. This could mean that the OAuth applications were granted excessive permissions or were not properly configured to restrict access to only necessary data. Often, default settings in OAuth applications might allow broader access than intended if not adjusted during the setup or configuration phase. This oversight can lead to unintended data exposure and leakage, which seems to be the issue reported after the infrastructure update.

Question 33

While preparing a software inventory report, a security analyst discovers an unauthorized program installed on most of the company’s servers. The program utilizes the same code signing certificate as an application deployed to only the accounting team. After removing the unauthorized program, which of the following mitigations should the analyst implement to BEST secure the server environment?

a. Revoke the code signing certificate used by both programs.
b. Block all unapproved file hashes from installation
c. Add the accounting application file hash to the allowed list.
d. Update the code signing certificate for the approved application.

Answer 33

a. Revoke the code signing certificate used by both programs.

The unauthorized program utilizing the same code signing certificate as an approved application indicates a significant security risk. Code signing certificates are used to verify the authenticity and integrity of software. If an unauthorized program is using the same certificate, it could potentially impersonate the legitimate application, compromising the security and trustworthiness of the entire environment.

By revoking the compromised code signing certificate, the security analyst can prevent further misuse of the certificate by unauthorized programs. This action ensures that only legitimate software signed with valid certificates can be trusted and executed on company servers, thereby mitigating the risk of unauthorized software installations and potential security breaches.

Question 34

A security analyst is reviewing the latest vulnerability scan report for a web server following an incident. The vulnerability report showed no concerning findings. The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available for the vulnerability. Which of the following is the MOST likely cause?

a. Security patches failed to install due to a version incompatibility.
b. An adversary altered the vulnerability scan reports.
c. A zero-day vulnerability was used to exploit the web server.
d. The scan reported a false negative for the vulnerability.

Answer 34

d. The scan reported a false negative for the vulnerability.

In this scenario, the security analyst reviewed the latest vulnerability scan report, which showed no concerning findings. However, historical vulnerability scan reports indicate that the vulnerability used to exploit the server has been present before and that a patch is available for it. Despite this history, the current scan did not identify the vulnerability.

A false negative occurs in vulnerability scanning when the scan fails to detect an actual vulnerability that exists in the system. This could happen due to various reasons, such as misconfiguration of the scanning tool, incomplete scan coverage, insufficient scanning credentials, or even limitations in the scanning methodology itself. In this case, the vulnerability that led to the exploit was not identified in the latest scan, resulting in the false impression that the server was secure.

Therefore, the most likely cause in this situation is that the vulnerability scan reported a false negative for the vulnerability that was exploited.

Question 35

The help desk has received calls from users in multiple locations who are unable to access core network services. The network team has identified and turned off the network switches using remote commands. Which of the following actions should the network team take NEXT?

a. Disconnect all external network connections from the firewall.
b. Send response teams to the network switch locations to perform updates.
c. Turn on all the network switches by using the centralized management software.
d. Initiate the organization’s incident response plan.

Answer 35

d. Initiate the organization’s incident response plan.

The situation described involves multiple locations where users are unable to access core network services, prompting the network team to turn off the network switches remotely to address the issue. This action indicates a potential network-wide problem affecting multiple sites, which could be indicative of a broader incident.

Given the severity and scope of the issue, the next step should be to initiate the organization’s incident response plan (IRP). An incident response plan outlines the procedures and protocols to follow when responding to and mitigating security incidents or disruptions to normal operations. By following the IRP, the network team can systematically address the issue, coordinate responses across different locations, involve necessary stakeholders, and work towards restoring normal operations while ensuring the security and integrity of the network.

Therefore, option d, initiating the organization’s incident response plan, is the most appropriate next action in this scenario.

Question 36

An attacker is trying to gain access by installing malware on a website that is known to be visited by the target victims. Which of the following is the attacker MOST likely attempting?

a. A spear-phishing attack
b. A watering-hole attack
c. Typo squatting
d. A phishing attack

Answer 36

b. A watering-hole attack

In a watering-hole attack, the attacker targets websites that are frequently visited by the intended victims. By compromising these websites with malware, the attacker aims to infect the visitors’ systems when they access these legitimate sites. This type of attack leverages the trust victims have in the targeted websites, making it easier to distribute malware and gain unauthorized access to their systems.

Therefore, given the scenario described where the attacker installs malware on a website visited by the target victims, the attack is most likely a watering-hole attack (option b).

Question 37

An organization is moving away from the use of client-side and server-side certificates for EAP. The company would like for the new EAP solution to have the ability to detect rogue access points. Which of the following would accomplish these requirements?

a. PEAP
b. EAP-FAST
c. EAP-TLS
d. EAP-TTLS

Answer 37

b. EAP-FAST

EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling) is designed to provide a secure authentication method that does not rely on client-side or server-side certificates. Instead, it uses a Protected Access Credential (PAC) to establish a secure tunnel for authentication.

Additionally, EAP-FAST supports mechanisms for detecting rogue access points through the use of mutual authentication, where both the client and the server verify each other’s credentials and identities. This helps prevent unauthorized access points from intercepting communications or posing as legitimate network infrastructure.

a. PEAP (Protected Extensible Authentication Protocol): PEAP is an EAP type that encapsulates EAP methods within a TLS tunnel. It typically requires server-side certificates for TLS authentication, making it certificate-based. It does not inherently provide rogue access point detection.

c. EAP-TLS (Extensible Authentication Protocol-Transport Layer Security): EAP-TLS requires both client-side and server-side certificates for mutual authentication. It’s highly secure but relies on certificates, which the organization wants to move away from. It also does not include built-in mechanisms for detecting rogue access points.

d. EAP-TTLS (Extensible Authentication Protocol-Tunneled Transport Layer Security): EAP-TTLS is similar to PEAP in that it uses a TLS tunnel for secure authentication. It supports a variety of authentication methods within the tunnel but still requires server-side certificates for TLS authentication. It does not specifically provide rogue access point detection.

Among these options, EAP-FAST (option b) stands out because it provides a secure authentication method without the heavy reliance on certificates, using a PAC instead. It also includes mechanisms for detecting rogue access points, which aligns with the organization’s requirements. Therefore, EAP-FAST remains the best fit for the organization’s needs based on the information provided.

Question 38

A security analyst receives a SIEM alert that someone logged in to the appadmin test account, which is only used for the early detection of attacks. The security analyst then reviews the following application log:

[03/06/20xx:17:20:18] system 127.0.0.1 FindXPath=//User[Username/text()=’foo’ or 7=7 or ‘o’=’o’ AND Password/text=’bar’]
[03/06/20xx:17:21:18] appadmin 194.28.114.102 action:login result:success
[03/06/20xx:17:21:18] appadmin 194.28.114.102 action:open.account(12345) result:fail
[03/06/20xx:17:21:18] appadmin 194.28.114.102 action:open.account(23456) result:fail
[03/06/20xx:17:21:18] appadmin 194.28.114.102 action:open.account(34567) result:fail
[03/06/20xx:17:21:18] appadmin 194.28.114.102 action:open.account(45678) result:fail

Which of the following can the security analyst conclude?

a. A replay attack is being conducted against the application.
b. An injection attack is being conducted against a user authentication system.
c. A service account password may have been changed, resulting in continuous failed logins within the application.
d. A credentialed vulnerability scanner attack is testing several CVEs against the application.

Answer 38

(Community : B 90%)
b. An injection attack is being conducted against a user authentication system

b. Injection attack against user authentication: The log entry [03/06/20xx:17:20:18] system 127.0.0.1 FindXPath=//User[Username/text()=’foo’ or 7=7 or ‘o’=’o’ AND Password/text=’bar’] suggests an attempt to inject XPath to query the user and password fields. This could indicate an injection attempt aimed at bypassing authentication logic by manipulating the query structure.

a. Replay attack: There is no indication of repeated or retransmitted requests in the log. The log shows distinct actions and their results, not repeated actions with identical or similar characteristics. Therefore, a replay attack is not likely based on the given information.

c. Service account password change: There is no direct evidence in the log indicating a password change for a service account. The log entries primarily show the appadmin account performing actions with varying success and failure results.

d. Credentialed vulnerability scanner attack: The pattern of actions (open.account with different IDs) and their results (mostly fail) suggests automated testing of specific actions within the application. This is more indicative of a controlled test or scanning activity rather than a vulnerability scanner attack, which typically doesn’t manifest as distinct actions like open.account.

Given the provided log, option b. An injection attack is being conducted against a user authentication system seems the most likely conclusion because of the suspicious XPath query attempting to manipulate the authentication process (Username/text()=’foo’ or 7=7 or ‘o’=’o’ AND Password/text=’bar’). This indicates an attempt to bypass authentication controls using injection techniques.

Question 39

A security team is engaging a third-party vendor to do a penetration test of a new proprietary application prior to its release. Which of the following documents would the third-party vendor MOST likely be required to review and sign?

a. SLA
b. NDA
c. MOU
d. AUP

Answer 39

b. Non-Disclosure Agreement (NDA).

Here’s why:

NDA (Non-Disclosure Agreement): This document ensures that the third-party vendor agrees to keep confidential any sensitive information they access or learn about during the penetration testing process. It prevents them from disclosing or using this information for any purpose other than what is agreed upon in the testing scope.

SLA (Service Level Agreement): This document typically outlines the level of service the vendor will provide, including uptime guarantees and performance metrics. It is more relevant in contractual agreements for ongoing services rather than a one-time penetration test.

MOU (Memorandum of Understanding): This document establishes a mutual understanding between parties regarding their roles, responsibilities, and expectations. It may be used in various contexts, but it does not specifically address confidentiality concerns as directly as an NDA.

AUP (Acceptable Use Policy): This outlines acceptable use of the organization’s IT resources by employees or third parties. It is not directly related to the specific activities and confidentiality requirements of a penetration test.

Therefore, to protect the proprietary information of the application and ensure confidentiality during the penetration testing process, the third-party vendor would typically be required to review and sign an NDA (Non-Disclosure Agreement).

Question 40

Which of the following is an administrative control that would be MOST effective to reduce the occurrence of malware execution?

a. Security awareness training
b. Frequency of NIDS updates
c. Change control procedures
d. EDR reporting cycle

Answer 40

a. Security awareness training

Here’s why:

Security awareness training educates employees about safe computing practices, such as recognizing phishing emails, avoiding suspicious websites, and understanding the risks associated with downloading files or clicking on unknown links. By improving employee awareness of cybersecurity threats, organizations can significantly reduce the likelihood of malware being executed through human error or lack of awareness.

Frequency of NIDS (Network Intrusion Detection System) updates (option b) is important for detecting and preventing network-based attacks but does not directly address the human factor that often leads to malware execution.

Change control procedures (option c) are crucial for managing changes in the IT environment to prevent unintended consequences, but they focus more on system integrity and stability rather than directly reducing malware execution.

EDR (Endpoint Detection and Response) reporting cycle (option d) refers to the frequency at which endpoint security events are reported and managed, which is important for incident response but does not prevent the initial execution of malware.

Therefore, security awareness training is the administrative control that would best empower employees to recognize and mitigate the risks associated with malware execution, making it the most effective choice among the options provided.

Question 41

Employees at a company are receiving unsolicited text messages on their corporate cell phones. The unsolicited text messages contain a password reset link. Which of the following attacks is being used to target the company?

a. Phishing
b. Vishing
c. Smishing
d. Spam

Answer 41

c. smishing.

Smishing is a form of phishing attack that uses SMS (Short Message Service) or text messages to deceive individuals into divulging sensitive information or clicking on malicious links. In this scenario:

Phishing typically refers to similar attacks conducted via email.
Vishing involves voice communication, such as phone calls, often impersonating legitimate entities to gather information.
Spam refers to unsolicited bulk messages sent through various mediums, including email and SMS, but does not necessarily imply malicious intent.

Therefore, smishing (option c) is the specific type of attack being used in this situation, where text messages with a password reset link are sent to employees in an attempt to deceive them.

Question 42

During a Chief Information Security Officer (CISO) convention to discuss security awareness, the attendees are provided with a network connection to use as a resource. As the convention progresses, one of the attendees starts to notice delays in the connection, and the HTTPS site requests are reverting to HTTP. Which of the following BEST describes what is happening?

a. Birthday collision on the certificate key
b. DNS hijacking to reroute traffic
c. Brute force to the access point
d. A SSL/TLS downgrade

Answer 42

d. SSL/TLS downgrade attack

Explanation :

SSL/TLS downgrade attack: In this type of attack, a malicious actor intercepts communication between a client (in this case, the attendee's device) and a server (the resource provided at the convention). The attacker then manipulates the traffic to force the use of less secure communication protocols, such as downgrading HTTPS (secure) connections to HTTP (unencrypted). This allows the attacker to potentially eavesdrop on or modify the data being transmitted.

Here’s why the other options are not correct:

Birthday collision on the certificate key (option a): This is a theoretical issue related to cryptographic keys, not directly related to the symptoms described.

DNS hijacking to reroute traffic (option b): While DNS hijacking can redirect traffic, it does not typically cause HTTPS to revert to HTTP. It might redirect users to malicious sites or intercept their traffic but doesn't directly cause protocol downgrades.

Brute force to the access point (option c): Brute forcing an access point typically refers to attempting to crack the Wi-Fi password or authentication credentials. While this could lead to unauthorized access, it doesn't cause HTTPS to HTTP downgrade.

Therefore, based on the symptoms described—delays in connection and HTTPS reverting to HTTP—the most likely scenario is a SSL/TLS downgrade attack where the attacker manipulates the traffic to undermine its security.

Question 43

A user enters a password to log in to a workstation and is then prompted to enter an authentication code. Which of the following MFA factors or attributes are being utilized in the authentication process? (Choose two.)

a. Something you know
b. Something you have
c. Somewhere you are
d. Someone you know
e. Something you are
f. Something you can do

Answer 43

a. Something you know: This refers to the password that the user enters initially.
b. Something you have: This refers to the authentication code, which is typically generated by a token, app, or sent to a device that the user possesses.

Question 44

A company uses specially configured workstations for any work that requires administrator privileges to its Tier 0 and Tier 1 systems. The company follows a strict process to harden systems immediately upon delivery. Even with these strict security measures in place, an incident occurred from one of the workstations. The root cause appears to be that the SoC was tampered with or replaced. Which of the following MOST likely occurred?

a. Fileless malware
b. A downgrade attack
c. A supply-chain attack
d. A logic bomb
e. Misconfigured BIOS

Answer 44

c. A supply-chain attack

Here’s why:

The company follows strict security measures, including hardening systems upon delivery, indicating a strong focus on initial security setup.
Despite these measures, an incident occurred due to tampering or replacement of the SoC (System on Chip).
Tampering or replacing the SoC typically involves unauthorized modification or substitution of hardware components.
Supply-chain attacks involve compromising hardware or software during the manufacturing or distribution process, which can lead to security breaches after the product is deployed.

Therefore, given the description, a supply-chain attack aligns most closely with the situation where tampering or replacement of the SoC has compromised the security of the company’s systems.

Question 45

Audit logs indicate an administrative account that belongs to a security engineer has been locked out multiple times during the day. The security engineer has been on vacation for a few days. Which of the following attacks can the account lockout be attributed to?

a. Backdoor
b. Brute-force
c. Rootkit
d. Trojan

Answer 45

b. Brute-force attack

Here’s why:

Multiple failed login attempts: Audit logs show that the administrative account has been locked out multiple times during the day. This suggests that someone or something is attempting to log in repeatedly with incorrect credentials.
Engineer on vacation: Since the security engineer has been on vacation and is not actively using their account, legitimate login attempts from the engineer can be ruled out.
Brute-force attack: This type of attack involves an automated process that attempts many combinations of usernames and passwords in order to gain unauthorized access to an account. The repeated failed login attempts trigger the account lockout mechanism as a security measure.

Therefore, given the situation where the account lockout occurs while the account owner is away and there are multiple failed attempts, the most plausible cause is a brute-force attack targeting the administrative account.

Question 46

A security analyst is reviewing the output of a web server log and notices a particular account is attempting to transfer large amounts of money:

GET http://yourbank.com/transfer.do?acctnum=087646958&amount=500000 HTTP/1.1
GET http://yourbank.com/transfer.do?acctnum=087646958&amount=5000000 HTTP/1.1
GET http://yourbank.com/transfer.do?acctnum=087646958&amount=1000000 HTTP/1.1
GET http://yourbank.com/transfer.do?acctnum=087646958&amount=500 HTTP/1.1

Which of the following types of attacks is MOST likely being conducted?

a. SQLi
b. CSRF
c. Spear phishing
d. API

Answer 46

b. CSRF (Cross-Site Request Forgery)

Here’s the reasoning:

Pattern of requests: The requests are structured as HTTP GET requests to transfer funds (transfer.do) with different amounts specified in the amount parameter.
Consistent target account: The acctnum parameter (087646958) remains the same across all requests.
HTTP GET method: CSRF attacks typically use GET requests to initiate actions on behalf of the user without their explicit consent, often using their authenticated session.

In CSRF attacks, an attacker tricks a logged-in user into unknowingly executing actions on a web application by leveraging the user’s authenticated session. The requests observed in the log appear to be attempting to transfer various amounts of money from a specific account (087646958) without the user’s knowledge or consent.

Therefore, based on the nature of the requests and the target account, CSRF is the most likely type of attack being conducted in this scenario.

Question 47

After installing a patch on a security appliance, an organization realized a massive data exfiltration had occurred. Which of the following BEST describes the incident?

a. Supply chain attack
b. Ransomware attack
c. Cryptographic attack
d. Password attack

Answer 47

a. Supply chain attack

Here’s the reasoning:

Patch installation: After installing a patch on a security appliance, which typically involves updating software or firmware, the organization experienced unexpected consequences.
Massive data exfiltration: This suggests that the patch installation might have introduced a vulnerability or backdoor into the system, which was exploited by an attacker.
Supply chain attack: In a supply chain attack, malicious actors exploit vulnerabilities or weaknesses in a third-party supplier or service provider to compromise the target organization's systems. Installing a compromised patch from a supplier or vendor can lead to unintended consequences such as unauthorized access or data exfiltration.

Given the context of the incident—installation of a patch leading to data exfiltration—the scenario aligns closely with characteristics of a supply chain attack, where the security of the organization’s systems was compromised through a third-party software or component. Therefore, supply chain attack is the most appropriate description of the incident.

Question 48

A security analyst reviews web server logs and notices the following lines:

104.35.45.53 - - [22/May/2020:06:57:31 +0100] “GET /show_file.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1” 200 11705 “https://www.example.com/downloaderport.php”
104.35.45.53 - - [22/May/2020:07:00:58 +0100] “GET /show_file.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1” 200 23713 “https://www.example.com/downloaderport.php”

Which of the following vulnerabilities has the attacker exploited? (Choose two.)

a. Race condition
b. LFI
c. Pass the hash
d. XSS
e. RFI
f. Directory traversal

Answer 48

a. LFI (Local File Inclusion) , b. Directory traversal

a. LFI (Local File Inclusion) - The requests GET /show_file.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd indicate attempts to include files from directories above the web root (../../etc/passwd). This is a classic example of a directory traversal attack, specifically targeting local files.

b. Directory traversal - This is closely related to LFI but specifically refers to attempts to access files and directories that are outside the intended directory structure. The presence of %2e%2e%2f%2e%2e%2fetc%2fpasswd in the URL parameters (file) confirms that the attacker is trying to navigate up the directory structure to access sensitive files.

Therefore, the correct answers are LFI and Directory traversal. These vulnerabilities involve manipulating file path references to access unauthorized files on the server.

c. Pass the hash - This attack involves stealing hashed credentials and using them to authenticate without needing to decrypt the hashes. The logs do not show evidence of credential hashing or authentication attempts.

d. XSS (Cross-Site Scripting) - XSS involves injecting malicious scripts into web pages viewed by other users. The logs provided do not show any evidence of script injection or manipulation of client-side scripts.

e. RFI (Remote File Inclusion) - RFI involves including remote files hosted on another server. The logs provided do not indicate requests to include files from a remote server.

f. Race condition - A race condition occurs when two or more operations must be executed in the correct sequence, but the logs do not suggest any timing or sequencing issues.

Based on the web server logs provided, the attacker exploited vulnerabilities related to LFI (Local File Inclusion) and Directory traversal by attempting to access sensitive files on the server using crafted file path parameters.

Question 49

An information security manager for an organization is completing a PCI DSS self-assessment for the first time. Which of the following is the MOST likely reason for this type of assessment?

a. An international expansion project is currently underway.
b. Outside consultants utilize this tool to measure security maturity.
c. The organization is expecting to process credit card information.
d. A government regulator has requested this audit to be completed.

Answer 49

c. The organization is expecting to process credit card information.

PCI DSS compliance is required for any organization that handles credit card information, regardless of size or number of transactions. It ensures that companies securely process, store, and transmit credit card information to prevent data breaches and theft. Completing a PCI DSS self-assessment helps organizations evaluate their adherence to these standards before they start processing credit card payments.

Question 50

Physical access to the organization’s servers in the data center requires entry and exit through multiple access points: a lobby, an access control vestibule, three doors leading to the server floor, a door to the server floor itself, and eventually to a caged area solely for the organization’s hardware. Which of the following controls is described in this scenario?

a. Compensating
b. Deterrent
c. Preventive
d. Detective

Answer 50

In the scenario described, the multiple layers of access points and controls are primarily aimed at preventing unauthorized physical access to the organization’s servers in the data center. Each access point, from the lobby to the caged area, adds a layer of security that must be passed through to reach the servers. This setup aligns with preventive controls.

Therefore, the correct answer is:

c. Preventive

Preventive controls are designed to deter incidents from occurring by implementing barriers and safeguards to prevent unauthorized access, such as physical barriers, access control systems, and authentication mechanisms. These controls aim to reduce the likelihood of unauthorized access by making it difficult for unauthorized individuals to physically reach sensitive areas or assets.