test

Question 1

Analyze the following scenarios and determine which attacker used piggy backing.

A)On the way to a meeting in a restricted area of a government facility, a contractor holds open a gate for a person in a military uniform, who approaches the entry point at a jog, flashing a badge just outside of the readable range.

B)A government employee is late for a meeting in a restricted area of a military installation. Preoccupied with making the meeting on time, the employee does not notice when the gate has not closed and someone enters the restricted area.

C)An employee leaves the workstation to use the restroom. A coworker notices that the employee has forgotten to lock the workstation, and takes advantage of the user’s permissions.

D)Several prospective interns are touring the operations floor of a large tech firm. One of them seems to be paying especially close attention to the employees.

Answer 1

A

Question 2

What type of phishing attack targets upper-level management?

Pharming
Credential harvesting
Whaling
Typosquatting

Answer 2

Whaling

Question 3

A dissatisfied employee has discreetly begun exfiltrating company secrets to sell to a competitor. The employee sets up a malware script that will run in the event of the employee’s firing and account deletion. Analyze the attack and determine what type of attack the employee has emplaced.

1. Rootkit
2. Logic bomb
3. Remote Access Trojan (RAT)
4. Backdoor

Answer 3

Logic Bomb

Question 4

Question

A hacker gains access to a database of usernames for a target company and then begins combining common, weak passwords with each username to attempt authentication. The hacker conducts what type of attack?

1. Password spraying
2. Brute force attack
3. Dictionary attack
4. Rainbow table attack

Answer 4

Password spraying - Password spraying is a horizontal brute-force online attack. An attacker chooses common passwords and tries them with multiple usernames.

Question 5

A retail establishment experiences an attack where whole number values have been exploited. As a result, some credit values are manipulated from positive values to negative values. Which type of attack is the establishment dealing with?

1. Integer overflow
2. Buffer overflow
3. Stack overflow
4. Race condition

Answer 5

Integer overflow - An integer overflow attack causes the target software to calculate a value that exceeds these bounds. This may cause a positive number to become negative.

Question 6

A user at a realtor’s office contacts their IT department to report that they are not able to copy contract files to a USB flash drive to take home. Which explanation does the IT representative share with the user?

1. Data loss prevention prevents file copying.
2. Mobile device management restricts the use of a portable USB device.
3. A compromised private key has created a trust issue.
4. The file copy process has been allow-listed.

Answer 6

Data loss prevention (DLP) performs a copy protection function based on policies. It does not govern file access, but it mediates the copying of certain tagged data to restrict it to authorized media and services.

Question 7

Question

An unauthorized person gains access to a restricted area by blending in with a crowd of employee’s as they approach the security desk and show their badges to the guard. While walking down a long hallway, the group is stopped at a turnstile and the unauthorized person is discovered. What type of policy prevented this type of social engineering attack?

1. CCTV policy
2. Mantrap policy
3. ID badge policy
4. Skimming policy

Answer 7

Mantrap Policy

Question 8

Question

Users at a company report that web browsing to their own website is not working. Upon further investigation, it is found that HTTP sessions are being hijacked. Any requests to replace a resource during a TCP connection are being altered. Which HTTP method is not working properly?

1. GET
2. PUT
3. DELETE
4. POST

Answer 8

PUT The PUT method creates a new resource or replaces a current resource (at a target URL) on a web server.

Question 9

Question

An attack at a company renders a network useless after a switch is impacted. Engineers review network traffic and determine that the switch is behaving like a hub. What do the engineers conclude is happening? (Select all that apply.)

1. The switch’s memory is exhausted.
2. The switch is flooding unicast traffic.
3. The switch MAC table has invalid entries.
4. The switch is using MAC-based forwarding.

Answer 9

A/B/

MAC flooding is used to attack a switch. The intention of the attack is to exhaust the memory used to store the switch’s MAC address table.

Overwhelming the switch’s MAC table can cause the switch to stop trying to apply MAC-based forwarding and flood unicast traffic out of all ports

Question 10

Question

After several users call to report dropped network connections on a local wireless network, a security analyst scans network logs and discovers that multiple unauthorized devices were connecting to the network and overwhelming it via a smartphone tethered to the network, which provided a backdoor for unauthorized access. How would this device be classified?

1. A switched port analyzer (SPAN)/mirror port
2. A spectrum analyzer
3. A rogue access point (AP)
4. A thin wireless access point (WAP)

Answer 10

Rouge accès point -A malicious user can set up an unauthorized (rogue) access point with something as basic as a smartphone with tethering capabilities, and non-malicious users could do so by accident.

Question 11

A hacker places a false name:IP address mapping in an operating system’s HOSTS file, redirecting traffic from a legitimate IP address to a malicious IP address. What type of attack did the hacker perform?

1. Domain hijacking
2. Domain name system client cache (DNS) poisoning
3. Rogue dynamic host configuration protocol (DHCP)
4. Address Resolution Protocol (ARP) poisoning

Answer 11

DNS Poisoning

Question 12

IT staff reviews security alerts received for a monitoring system and discovers that uncommon firewall ports on several Windows workstations and a server have been opened and are being accessed by a malicious process. What does the staff determine the issue to be?

1. Shellcode
2. Persistence
3. Credential dumping
4. Lateral movement

Answer 12

With lateral movement, the attacker might be seeking data assets or may try to widen access through systems by changing the system security configuration.

Question 13

A security analytics team is threat hunting on a Windows network. What type of activity is most likely to alert the team to an insider attack?

1. A user without privileged access executes PowerShell Invoke-Command cmdlet.
2. A privileged user account executes PowerShell Invoke-Command cmdlet.
3. A user without privileged access uses a Bash command whoami to locate users on the local network.
4. A privileged user account uses Constrained Language Mode (CLM) and signed scripts.

Answer 13

Lateral movement or an insider attack uses access to execute a process remotely, using a tool such as psexec or PowerShell. These commands can blend in with ordinary network operations, though they could be anomalous behavior for a non-privileged account. Cmdlets, such as Invoke-Expression, can indicate an attempt to run some type of binary shellcode.

Question 14

Which statement describes a key distinction between an intentional and unintentional threat actor?

1. An intentional threat actor attacks a target from inside its network; whereas, an unintentional threat actor conducts opportunistic attacks.
2. An intentional threat actor has intent and motivation to attack; whereas, an unintentional threat actor acts out of negligence.
3. An intentional threat actor actively undermines a target system; whereas an unintentional threat actor passively undermines the target system.
4. An intentional threat actor has permissions on the target system; whereas, an unintentional threat actor does not have permissions.

Answer 14

2:

Question 15

Analyze the following scenarios and determine which constitutes an external threat.

1. Naomi practices poor password management, and through her negligence, an outsider gains access to her company’s server.
2. Raul, a security contractor, installs antivirus software for a small company. He uses his temporary access to gain the company’s banking information.
3. Abram uses a quiz on a popular social media platform to solicit answers to online banking consumers’ login security questions.
4. Chelsea uses her coworker’s unattended workstation to exploit her coworker’s elevated account permissions.

Answer 15

C /

An external actor may perpetuate an attack remotely or on-premises. The threat actor, rather than the attack method, is defined as external.

An unintentional or inadvertent insider threat is a vector for an external actor or a separate—malicious—internal actor to exploit, rather than a threat actor in its own right.

An external actor has to break into the system without having any legitimate permission. An insider threat actor has some sort of access.

A malicious insider is a current or former employee, contractor, or business partner with authorized access who exceeds permissions or misuses an organization’s network, system, or data to negatively affect the organization’s information or information systems.

Question 16

An engineer routinely provides data to a source that compiles threat intelligence information. The engineer focuses on behavioral threat research. Which information does the engineer provide?

1. IP addresses associated with malicious behavior
2. Descriptions of example attacks
3. Correlation of events observed with known actor indicators
4. Data available as a paid subscription

Answer 16

B.

Behavioral threat research is narrative commentary describing examples of attacks and TTPs gathered through primary research sources.

Question 17

Question

Sal, an IT specialist for a large tech firm, pays for a subscription to a threat data feed to stay updated on the latest blogs, white papers, and webinars in his field. What term(s) best describes this type of feed? (Select all that apply.)

1. Closed
2. Proprietary
3. Open source
4. Vendor-specific

Answer 17

A/B

Closed or proprietary research and cyber threat intelligence (CTI) data are available through a paid subscription to a commercial threat intelligence platform.

Closed/proprietary security solution providers also publish blogs, white papers, and webinars, making the most valuable research available early to platform subscribers.

Question 18

Question

Evaluate which of the following solutions would most effectively mitigate vulnerabilities that might arise when outsourcing code development.

1. Have one vendor develop the code, and a different vendor perform vulnerability and penetration testing.
2. Outsource coding to multiple vendors at once, compare the results each vendor produces, and select the most secure implementations.
3. Outsource all coding to a single vendor, limiting the number of vendors in the workflow.
4. Trust system integration to the third-party contractor and their contacts.

Answer 18

A)

A solution to outsourced code development is to use one vendor for development and a different vendor for vulnerability and penetration testing.

Question 19

Question

A security team uses passive scanning to gather information and data related to a suspected rogue system on a network. By using passive scanning, what type of information does the team gather?

1. Credentialed
2. Indirect evidence
3. Embedded
4. Report

Answer 19

B) Non-intrusive (or passive) scanning means analyzing indirect evidence, such as the types of traffic generated by a device.

Question 20

An organization hires a pen tester. The tester achieves a connection to a perimeter server. Which technique allows the tester to bypass a network boundary from this advantage?

1. Persistence
2. Privilege escalation
3. Pivoting
4. Lateral movement

Answer 20

C) Pivoting

If the pen tester achieves a foothold on a perimeter server, a pivot allows them to bypass a network boundary and compromise servers on an inside network.

Question 21

A server administrator configures digital signatures for secure communications. By doing so, the administrator accomplishes which secure method of communication? (Select all that apply.)

1. Configuring encryption so no two hashes are the same
2. Combining public key cryptography with hashing algorithms
3. Using the same secret key to perform both encryption and decryption
4. Providing authentication, integrity, and non-repudiation

Answer 21

B/D

Question 22

A banking institution is considering the use of cloud computing across multiple locations. Comparing the various cloud deployment models, which model will likely allow optimal control over privacy and security?

1. Public
2. Hosted private
3. Private
4. Community

Answer 22

C)

Private cloud infrastructure is completely private to and owned by the organization, allowing greater control over privacy and security. This method suits banking and governmental services that require strict access control in their operations.

Question 23

Question

Consider an abstract model of network functions for an infrastructure as code (IaC) implementation and determine which plane describes how traffic is prioritized.

1. Data
2. Management
3. Control
4. Application

Answer 23

C) Control

The control plane makes decisions about how traffic should be prioritized, secured, and switched. A software-defined networking (SDN) application can be used to define policy decisions.

Question 24

Simulate the installation of a bare metal virtual platform.

1. A type 1 hypervisor is installed directly onto a host machine and manages access to the host hardware directly.
2. An office has all desktop computers replaced with low specification and low power thin client computers that boot a minimal operating system.
3. The client accesses an application hosted on a server or streams the application from the server to the client for local processing.
4. A client enforces resource separation at the operating system level without a hypervisor.

Answer 24

A)

A bare metal virtual platform means that a type 1 hypervisor is installed directly onto a host machine and manages access to the host hardware directly without going through a host Operating System (OS) like Windows Server.

Question 25

Question Which of the following statements best contrasts between a service-oriented architecture (SOA) model and a microservices-based model? 1. SOA can build services from other services, while an implementation of microservices develops, tests, and deploys microservices independently. 2. Microservices are loosely decoupled, while SOA services are considered highly decoupled. 3. SOA focuses on making a single, discrete task easily repeatable, while microservices perform a sequence of automated tasks. 4. Microservices help to make a network’s design architecture fit a business’s requirements, rather than accommodating the business workflow to the platform requirements, as in SOA.

Answer 25

A) ## Footnote SOA allows a service to build from other services. By contrast, each microservice should be capable of being developed, tested, and deployed independently. The microservices can be described as highly decoupled rather than just loosely decoupled.

Question 26

A web server receives data from an application. It appears that passing this data causes an issue that evolves into an overflow at the destination. What process on the receiving server should be investigated? 1. Normalization 2. Output encoding 3. Error handling 4. Input validation

Answer 26

D) Input Validation Input could include user data entered into a form or a URL passed by another application as a URL or HTTP header. Malicious input could be crafted to perform an overflow attack. Input validation checks for proper input.

Question 27

Examine the differences between authentication factors and authentication attributes and select the statement that most effectively summarizes the differences between authentication factors and authentication attributes. 1. Authentication attributes are characteristics used to verify an account holder’s credentials, while authentication factors use secondary or continuous authentication and access control. 2. Authentication factors verify an account holder’s credentials, while authentication attributes are either non-unique or cannot independently authenticate a user’s credentials. 3. Authentication factors are most secure when used alone, while authentication attributes should be used in combination with one another to authenticate a user’s credentials. 4. Authentication attributes describe physical characteristics and behavioral traits of an individual user, while authentication factors primarily authenticate users based on items they carry or information they know.

Answer 27

B) Attributes can be distinguished from factors as information that is not unique or that is not reliable/fast enough to use as a primary authentication mechanism. Attributes are for secondary or continuous authentication/access control mechanisms. Authentication verifies that only the account holder can use the account. Technologies for defining credentials are categorized as factors. Single-factor authentication may easily be compromised. A strong authentication technology combines the use of more than one type of knowledge, ownership, and biometric factor, and is called multifactor authentication (MFA). Authentication factors include something the user knows, has, does, or is. Authentication technologies should meet confidentiality, integrity, and availability requirements for effective authentication design.

Question 28

Question Which of the following authentication procedures effectively employs multifactor authentication? 1. A password reset prompt requires the user to supply the answer to several recovery questions. 2. A system login requires a user to insert a smart card and enter a PIN. 3. An entry control point employs a security guard and requires entrants to submit to a retinal scan. 4. A system login requires a user to enter a password, pin, and passphrase.

Answer 28

B) A login prompt that requires both a physical object the user holds and a PIN the user knows, employs multifactor authentication.

Question 29

An organization considers installing fingerprint scanners at a busy entry control point to a secure area. What concerns might arise with the use of this technology? **(Select all that apply.)**. 1. Fingerprint scanning is relatively easy to spoof. 2. Installing equipment is cost-prohibitive. 3. Surfaces must be clean and dry. 4. The scan is highly intrusive.

Answer 29

A/ C The main problem with fingerprint scanners is that it is possible to obtain a copy of a user's fingerprint and create a mold of it that will fool the scanner. Moisture or dirt can prevent good readings, so facilities using fingerprint scanners must keep readers clean and dry, which can prove challenging in high throughput areas.

Question 30

An administrator plans a backup and recovery implementation for a server. The goal is to have a full backup every Sunday followed by backups that only include changes every other day of the week. In the event of a catastrophe, the restore time needs to be as quick as possible. Which scheme does the administrator use? 1. Full followed by incrementals 2. Image followed by incrementals 3. Full followed by differentials 4. Snapshot followed by differentials

Answer 30

C) A full backup includes data regardless of its last backup time. A differential backup includes new and modified files since the last full backup. A differential restore is quicker than an incremental.

Question 31

Two companies enter into an agreement that if one data center suffers a disaster-level event, it can failover to the other company’s data center with minimal disruption in service. Which statement most accurately describes the companies’ site resiliency postures? 1. The companies have a reciprocal arrangement for mutual hot site support. 2. The companies have a contractual agreement to provide mutual cold site support. 3. The companies each have a reserved warm site for failover operations. 4. The companies have a mutual contract for warm site failover support.

Answer 31

A) Businesses may enter into reciprocal arrangements to provide mutual support, which is cost effective but complex to plan and set up. Each data center represents a hot site, which can failover almost immediately.

Question 32

A company deploys an active defense strategy designed to detect insider malpractice. To record the malicious insider’s actions, the security team creates a convincing, yet fake, data file with a tracker that records any data exfiltration attempts. Analyze the security tool and determine what method the security team employed. 1. Honeypot 2. Honeynet 3. Subnet 4. Honeyfile

Answer 32

D) HoneyFIle ## Footnote A honeyfile is convincingly useful but fake data. A security team can make a honeyfile trackable, so if a threat actor successfully exfiltrates it, the security team can trace any attempts to reuse or exploit it.

Question 33

A company is researching data redundancy solutions for local systems. An executive manager has heard to never use redundant array of independent disks (RAID) level 0. Which configuration use case justifies the use of a RAID level 0 configuration? 1. A system should use RAID level 0 alone to improve system performance. 2. RAID level 0 uses striping with parity, so a system can use it alone to improve performance and redundancy. 3. RAID level 0 uses mirroring to provide redundancy, but at a reduced rate of efficiency. 4. In a nested configuration, the use of RAID level 0 can improve system performance.

Answer 33

D) Nesting RAID sets generally improves performance or redundancy. Nested (0+1, 1+0, or 5+0) RAID sets can support the failure of more than one disk. RAID level 0 refers to striping without parity, which is typically only implemented to improve performance in a nested RAID solution.

Question 34

A defense contractor must configure a new server in a site where several other companies maintain server equipment. The contractor’s security requirements specify that other companies’ personnel cannot gain access to the contractor’s servers, and the area must be impervious to eavesdropping from electromagnetic leaks. What site security configuration will best meet the contractor’s requirements? 1. Locked Faraday cage 2. Locked equipment cage 3. Locked server racks 4. Vault

Answer 34

A) Friday cage The contractor’s assets are collocated with other equipment, so they should be secured in a separate, locking cage. A Faraday cage is a charged conductive mesh that blocks signals from entering or leaving the area, to mitigate the risk of eavesdropping from leakage of electromagnetic signals.

Question 35

Question In a protocol, such as Transport Layer Security (TLS), the server and client negotiate mutually compatible cipher suites as part of the TLS handshake. Which of the following components is NOT part of the encryption cipher suite? 1. Signature algorithm 2. A key exchange/agreement algorithm 3. Bulk encryption cipher 4. Stream cipher

Answer 35

D) Stream Cipher The Advanced Encryption Standard (AES) is the default symmetric (block) encryption cipher for most products. A block cipher divides plaintext into equal-size blocks, adding padding if there is not enough data in the plaintext to fill out the block. TLS protocol uses a signature algorithm to assert the identity of the server's public key and facilitate authentication. In TLS, the server and client derive the same bulk encryption symmetric key through the use of a key exchange/agreement algorithm. The final part of a cipher suite determines the bulk encryption cipher. When advanced encryption standard (AES) is the symmetric cipher, it has to be in a mode of operation that supports a stream of network data.

Question 36

Question Which of the following statements most accurately describes the function of key stretching? 1. Key stretching makes the password key stronger. 2. Key stretching prevents brute force attacks. 3. Key stretching adds a random value when creating the password hash. 4. Key stretching adds entropy to a user-generated password.

Answer 36

D) Users tend to select low entropy passwords. Key stretching helps compensate for this by running the initial key through thousands of rounds of hashing. This creates ever-longer, more random keys.

Question 37

Question An engineer implements a security solution to protect a domain. The engineer decides on DNS Security Extensions (DNSSEC) to prevent spoofing. Which features does the engineer rely on for protection? **(Select all that apply.)** 1. Zone Signing Key 2. RRset package 3. Access Control List 4. Key Signing Key

Answer 37

A/B/D With DNS Security Extensions (DNSSEC) enabled, the authoritative server for the zone creates a "package" of resource records (RRset). An RRset is signed with a private key (the Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package and its public key. With DNSSEC, the public Zone Signing Key is signed with a separate Key Signing Key. Separate keys are used so that if there is a compromise, the domain can continue to operate securely by revoking the compromised key and issuing a new one

Question 38

Which statement correctly differentiates between file transfer protocol (FTP), secure shell file transfer protocol (SFTP), and file transfer protocol over secure socket layer (FTPS)? 1. FTP has no encryption. FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell). 2. FTP uses only basic encryption, while SFTP adds a layer of security with secure shell (SSH). FTPS uses an entirely different protocol, using secure port 990. 3. FTP has no encryption. SFTP adds a layer of security with secure shell (SSH), and FTPS uses an entirely different protocol, using secure port 990. 4. FTP uses only basic encryption, while FTPS adds transport layer security (TLS), and SFTP is an entirely different protocol based on the network protocol SSH (secure shell).

Answer 38

A) ## Footnote Unlike both FTP and FTPS, SFTP uses only one connection and encrypts both authentication information and data files being transferred. SFTP addresses FTP’s privacy and integrity issues by encrypting the authentication and data transfer between client and server. SFTP establishes a secure link using Secure Shell (SSH) over transmission control protocol (TCP) port 22.

Question 39

After news of a breach at a competitor, IT at a manufacturer looks to harden server systems. Which system properties should IT disable if they are not in use? **(Select all that apply.)** 1. Network interfaces 2. System services 3. Service ports 4. Persistent storage

Answer 39

A/B/C Interfaces provide a connection to the network. Some machines may have more than one interface. If any of these interfaces are not required, they should be explicitly disabled rather than simply left unused. Services provide a library of functions for different types of applications. Some services support local features of the OS and installed applications. Unused services should be disabled. Application service ports allow client software to connect to applications over a network. These should either be disabled or blocked at a firewall if remote access is not required.

Question 40

A software engineer develops an application that includes routines to check whether user input meets conformity standards to reduce the application’s potential attack surface. The engineer conducts which secure coding technique? 1. Normalization 2. Output encoding 3. Error handling 4. Input validation

Answer 40

D) input Validation An attacker can craft malicious input to exploit faulty input validation. Installing routines to check user input and reject any input that does not conform to requirements helps reduce the potential attack surface.

Question 41

A small company needs to secure the perimeter of their network, but they do not have the overhead or infrastructure to construct a demilitarized zone. Examine the following recommendations and select the best solution for this small company. 1. The company should configure a screened subnet. 2. The company should install a triple-homed firewall. 3. The company should implement microsegmentation across their network. 4. The company should configure a screened host.

Answer 41

D) A dual-homed proxy/gateway server can act as a screened host to protect internet access in smaller networks.

Question 42

A network administrator needs to implement a firewall between nodes on the same subnet, without reconfiguring subnets and reassigning IP addresses across the network. Considering firewall configurations, which implementation is the best choice? 1. Routed firewall 2. Router firewall 3. Transparent firewall 4. Virtual firewall

Answer 42

C) transparent Firewall A bridged or transparent firewall inspects traffic passing between two nodes, such as a router and a switch. It typically deploys without having to reconfigure subnets and reassign IP addresses on other devices.

Question 43

Question An intrusion prevention system (IPS) generates an incident report for some suspicious user activity, which prompts a system administrator to investigate a possible insider attack. Analyze the scenario and determine what type of IPS profile led to this discovery. 1. Signature-based detection 2. Behavioral-based detection 3. Host-based intrusion detection 4. Web application firewall (WAF) detection

Answer 43

B) Behavioral Based Detection In behavioral-based detection, the engine recognizes deviations from a baseline of "normal" traffic or events, which can help identify zero-day attacks, insider threats, and other malicious activity.

Question 44

Analyze the following security information and event management (SIEM) functions and determine which event is NOT conducted during data aggregation. 1. Normalize time zones to a single timeframe. 2. Use plug-ins to parse data from different vendors and sensors. 3. Identify attributes and content that can be mapped to standard fields. 4. Link observables into a meaningful indicator of risk, or Indicator of Compromise (IOC).

Answer 44

D) Where collection and aggregation produce inputs, a SIEM is for reporting, a critical function of which is correlation. SIEM software can link individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IOC). SIEM can use correlation to drive an alerting system.

Question 45

Compare and evaluate the main components in an Extensible Authentication Protocol (EAP). Which scenarios accurately differentiate between these components? **(Select all that apply.)** 1. An authenticator performs the authentication and the authentication server establishes a channel. 2. An authenticator establishes a channel for the supplicant and the authentication server to exchange credentials using EAP. 3. A supplicant requests authentication and the authentication server performs the authentication. 4. A supplicant requests authentication and the authenticator performs the authentication.

Answer 45

B/C ## Footnote The authenticator provides the channel while the authentication server provides the authentication. An authenticator is the device that receives the authentication request such as a remote access server or wireless point. The authenticator establishes a channel for the supplicant and the authentication server to exchange credentials using the EAP over LAN protocol. A supplicant is the client requesting the authentication. The authentication server is the server that performs the authentication and is typically an AAA server. The supplicant is the client that requests authentication but the authentication server actually provides the authentication while the authenticator provides the channel for the exchange of credentials.

Question 46

Identify the true statements about supervisory control and data acquisition (SCADA) systems. **(Select all that apply.)** 1. SCADA systems typically communicate with one another through LAN connections. 2. SCADA systems typically run as software on ordinary computers, gathering data from and managing field devices. 3. SCADA systems are purpose-built devices that prioritize IT security features. 4. SCADA systems serve primarily industrial, manufacturing, utility, and logistics sectors.

Answer 46

B/D SCADA typically runs as software on ordinary computers, gathering data from and managing plant devices and equipment, with embedded PLCs, referred to as field devices. Many sectors of industry, including utilities, industrial processing, fabrication and manufacturing, logistics, and facilities management use these types of systems.

Question 47

An engineering firm provisions microwave technology for a wide area communications project. When using point-to-multipoint (P2M) mode, which technologies does the firm put in place? **(Select all that apply.)** 1. Directional antennas 2. Sectoral antennas 3. Multiple sites connected to a single hub 4. High gain link between two sites

Answer 47

**B/C** Point-to-multipoint (P2M) microwave links multiple sites and uses smaller sectoral antennas than P2P, each covering a separate quadrant. P2M links multiple sites or subscriber nodes to a single hub. This can be more cost-efficient in high density urban areas and requires less radio spectrum.

Question 48

An engineering firm provisions microwave technology for a wide area communications project. When using point-to-multipoint (P2M) mode, which technologies does the firm put in place? **(Select all that apply.)** 1. Directional antennas 2. Sectoral antennas 3. Multiple sites connected to a single hub 4. High gain link between two sites

Answer 48

**B/C** Point-to-multipoint (P2M) microwave links multiple sites and uses smaller sectoral antennas than P2P, each covering a separate quadrant. P2M links multiple sites or subscriber nodes to a single hub. This can be more cost-efficient in high density urban areas and requires less radio spectrum.

Question 49

Question What exploitation method targets near field communication (NFC) devices? 1. Juice jacking 2. Bluesnarfing 3. Remote wipe 4. Skimming

Answer 49

D) skimming An attacker with an NFC reader can skim information from an NFC device in a crowded area, such as a busy train.

Question 50

A cloud engineer configures a virtual private cloud. While trying to create a public subnet, the engineer experiences difficulties. The issue is that the subnet remains private, while the goal is to have a public subnet. What does the engineer conclude the problem might be? 1. The Internet gateway is configured as the default route. 2. The Internet gateway is not configured as the default route. 3. The Internet gateway uses 1:1 network address translation. 4. The Internet gateway does not use 1:1 network address translation.

Answer 50

B) To configure a public subnet, first an Internet gateway (virtual router) must be attached to the VPC configuration. Secondly, the Internet gateway must be configured as the default route for each public subnet. After a VPC has a virtual router attached, a gateway is set as a default route. If an Internet gateway is not assigned as a default route, the subnet is private. Each instance in a public subnet is configured with a public IP in its cloud profile. The Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance. Typically, the virtual Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance. One-to-many is another NAT approach

Question 51

Question A business is setting up new network devices. The network devices are critical and the manager wants to ensure that they have access despite the high turnover of personnel in the IT industry. They set up accounts through a RADIUS server that are normally used to log in. What should they configure as a backup? 1. Administrator/Root account 2. Administrator's user account 3. Network service account 4. Local service account

Answer 51

A) Administrator /ROot account The local system account creates the host processes that start Windows before the user logs on. Administrative or privileged accounts can install and remove apps and device drivers. Admin should prohibit superuser accounts from logging on in normal circumstances.

Question 52

A systems administrator deletes a user account after an employee left the company. The employee returns a few weeks later and the account is recreated with the same username and password. The user no longer has immediate access to previously used assets such as files and folders. Which account property does the administrator realize is the cause? 1. The username is different 2. The user's security identifier is different 3. The user's password is different 4. The user's descriptive name is different

Answer 52

B) Behind a user account is a security identifier (SID). Even though a user may have the same name and password as previously used, the account is a different account (based on the SID) and will need to have access and permissions configured.

Question 53

A user enters a card equipped with a secure processing chip into a reader and then enters a PIN for Kerberos authentication. What authentication method is described here? **(Select all that apply.)** 1. Trusted Platform Module (TPM) authentication 2. Smart-card authentication 3. Multifactor authentication 4. One-time password (OTP) token authentication

Answer 53

B/C ## Footnote Smart-card authentication means programming cryptographic information onto a card equipped with a secure processing chip. The chip stores the user's digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card. Strong, multifactor authentication (MFA) technology combines the use of more than one type of knowledge, ownership, and biometric factor.

Question 54

Question Consider the Public Key Infrastructure (PKI) Trust Model. Which of the following best protects against compromise? 1. Single CA 2. Intermediate CA 3. Self-signed CA 4. Offline CA

Answer 54

D) An offline Certificate Authority (CA) is where the root CA has been disconnected from the network to protect it from compromise. Therefore, it is not a single point of failure.

Question 55

Which term best describes a root certificate authority (CA) in a secure configuration? 1. Online 2. Single 3. Hierarchical 4. Offline

Answer 55

D) Because of the high risk posed by compromising the root CA, a secure configuration involves making the root an offline CA, disconnected from any network, and usually kept in a powered-down state.

Question 56

A user enters the web address of a favorite site and the browser returns the following: "There is a problem with this website's security certificate." The user visits this website frequently and has never had a problem before. Applying knowledge of server certificates, select the circumstances that could cause this error message. **(Select all that apply.)** 1. The system's time setting is incorrect. 2. The certificate is pinned. 3. The web address was mistyped. 4. The certificate expired.

Answer 56

A/D If the date and time settings on the system are not synchronized with the server’s setting, the server’s certificate will be rejected. An expired server certificate would cause the browser to return an error message.

Question 57

Compare the advantages and disadvantages of certificate revocation versus suspension and select the scenario that presents the best argument for certificate revocation. 1. An online business changed its domain name. 2. An administrative user left his/her company. 3. A banking website’s private key may have been compromised. 4. A key used for encryption is accidentally destroyed.

Answer 57

C) ## Footnote If a private key is compromised, the admin can revoke the key pair to prevent users from trusting the public key. CAs maintain a certificate revocation list (CRL) of all revoked and suspended certificates.

Question 58

Question A junior engineer investigates a systems breach. While documenting network information, the engineer uses the arp command. What useful information will this command provide? 1. The configuration assigned to network interface(s) in Windows, including the media access control (MAC) address. 2. The address of the DHCP server that provides the IP address lease. 3. Probing of a host on a particular IP address. 4. The MAC address of systems the host has communicated with.

Answer 58

D) The ARP cache shows the MAC address of the interface associated with each IP address the local host has communicated with recently.

Question 59

A banking firm's IT team discovers a possible man-in-the-middle attack. Which of the following statements describes an assessment tool, built into the operating system, that would result in this discovery? **(Select all that apply.)** 1. This tool is an open-source graphical packet capture and analysis utility, with installer packages for most operating systems. 2. This tool sends probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. 3. This tool will repair the boot sector. 4. This tool displays the local machine's Address Resolution Protocol (ARP) cache.

Answer 59

B/D tracert (Windows) and traceroute (Linux) allow the user to view and configure the host's local routing table using probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. The ARP cache shows the MAC address of the interface associated with each IP address the local host has communicated with recently. A discrepancy in the MAC address may indicate a man-in-the-middle attack.

Question 60

Question Compare and contrast methods used by Kerberos and Public Key Infrastructure (PKI) to authenticate users and identify the true statement. 1. Kerberos uses asymmetric cryptography while PKI uses symmetric cryptography. 2. Kerberos and PKI both use passwords to authenticate users. 3. Kerberos uses timestamps and PKI does not. 4. Kerberos and PKI both provide Single Sign-On (SSO).

Answer 60

C) Kerberos uses timestamps and a validity period when issuing tickets to defeat replay attacks. PKI issues certificates and does not use timestamps.

Question 61

An engineer configures hosts on a network to use IPSEC for secure communications. The engineer decides between Encapsulation Security Payload (ESP) or Authentication Header (AH). If the engineer chooses transport mode over tunnel mode, which specifics of operation should be expected? **(Select all that apply.)** 1. With ESP the whole IP packet (header and payload) is encrypted 2. With ESP the IP header for each packet is not encrypted 3. AH has no real use in this mode 4. AH can provide integrity for the IP header

Answer 61

B/D Transport mode is used to secure communications between hosts on a private network. When ESP is applied, the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it can provide integrity for the IP header as it performs a cryptographic hash on the whole packet.

Question 62

During weekly scans, a system administrator identifies a system that has software installed that goes against security policy. The system administrator removes the system from the network in an attempt to limit the effect of the incident on the remainder of the network. After the system administrator removes the unauthorized software and completes additional scans, the system administrator places the system back on the network. Applying information from the Computer Security Incident Handling Guide, determine the next step the system administrator should take to mitigate the effects of the incident and restore the network to optimal functionality. 1. The system administrator should put controls in place to prevent the software from being installed. 2. The system administrator should complete an initial scan to determine if unauthorized software is installed, then fully document the incident. 3. The system administrator should remove the system from the network, remove the unauthorized software, and then place the system back into operation. 4. The system administrator should determine how the unauthorized software was installed and identify what security to modify to prevent future incidents, then fully document the incident.

Answer 62

D) The containment, eradication, and recovery stage was completed by removing the system from the network, removing the software, and placing the system back into operation.

Question 63

What phases of the Incident Response Process involves determining if an attack happened and mitigating its effects? **(Select all that apply.)** 1. Eradication 2. Identification 3. Containment 4. Preparation

Answer 63

B/C Identification is the step where information from an alert or report is used determine whether an incident has taken place, assess how severe it might be (triage), and notify stakeholders. Containment is the step to limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact.

Question 64

Management at a financial firm is assembling an incident response team that will be responsible for handling certain aspects of recovery and remediation following a security incident. What internal offices should provide a representative to serve as a member of this team? **(Select all that apply.)** 1. Sales 2. Legal 3. HR 4. PR

Answer 64

B/C/D

Question 65

Question A company hires a security consultant to train the IT team in incident response procedures. The consultant facilitates a question and answer session, and the IT team practices running scans. Determine which type of incident response exercise the consultant facilitates in this scenario. 1. Tabletop exercise 2. Walkthrough 3. Simulation 4. Forensics

Answer 65

In a walkthrough, a facilitator presents a scenario and the incident responders demonstrate what actions they would take. Responders may run scans and analyze sample files, typically on sandboxed versions of the company's actual response and recovery tools.

Question 66

During a cyber incident response exercise, a blue team takes steps to ensure the company and its affiliates can still use network systems while managing a simulated threat in real-time. Based on knowledge of incident response procedures, what stage of the incident response process is the blue team practicing? 1. Containment 2. Identification 3. Eradication 4. Recovery

Answer 66

A) Containment

Question 67

A security information and event management (SIEM) manager analyzes logs from a network RADIUS server. When the SIEM manager analyzes this data, what is the manager looking for as an indicator of possible malicious activity? 1. Unauthorized network traffic 2. Suspicious metadata entries 3. Communication with suspect IP addresses 4. Authentication attempt errors

Answer 67

D) ecurity logs may record authentication attempts for hosts, as well as authentication servers, such as Remote Authentication Dial-in User Service (RADIUS) servers. Authentication errors may indicate suspicious activity.

Question 68

Question A security investigator compiles a report for an organization that lost data in a breach. Which ethical approach does the investigator apply while collecting data for the report? 1. Search for relevant information 2. Apply standard tags to files 3. Disclosing of evidence 4. Using repeatable methods

Answer 68

D) Repeatable methods Analysis methods should follow strong ethical principles and must be repeatable by third parties with access to the same evidence. This can indicate that any evidence has not been changed or manipulated.

Question 69

A suspected malicious insider at a company conducted a network attack. A security manager, who personally knew the insider, conducts forensic analysis looks for evidence of misconduct on the employee’s workstation and in system logs. The manager packages the data for further review but modifies it by removing certain fields of data to make it easier to review. Examine the scenario and determine what argument a defense attorney might bring up concerning the forensic investigative process. **(Select all that apply.)** 1. The examiner conducted analysis with bias. 2. The examiner tampered with evidence by accessing system logs. 3. The examination did not follow ethical procedures. 4. E-discovery tools applied biased filters to the evidence for research.

Answer 69

A/C Investigators must perform analysis without bias. Investigators should form conclusions and opinions only from the direct evidence under analysis. Defense counsel may try to use any deviation of good ethical and professional behavior to have the forensics investigator's findings dismissed

Question 70

Question An employee suspected of storing illicit content on a company computer discovers a plan to investigate, so the employee tries to hide evidence of wrongdoing. The employee deletes the illicit files and attempts to overwrite them. If a forensics investigation can discover the lost files, which statement best describes how? 1. The forensics investigation will not be able to locate the lost files. 2. The forensics investigator can retrieve fragments of deleted or overwritten files. 3. The forensics investigator must use a live acquisition tool to retrieve files in recent memory. 4. The forensics investigation can uncover the lost data using a cache acquisition tool.

Answer 70

B) Data recovery refers to analyzing a disk (or image of a disk) for file fragments stored in slack space, which might represent deleted or overwritten files. Carving is the process of recovering them.

Question 71

Company policy prohibits employees from taking any type of portable computing or storage device other than managed laptops identified by RFID tags into an equipment room. Video surveillance has been implemented within the equipment room. As part of a compliance audit, you must categorize the surveillance control. Which single classification is BEST suited to categorizing the surveillance system? 1. Operational 2. Corrective 3. Physical 4. Managerial

Answer 71

C) Physical ## Footnote Operational is a way of classifying controls by characteristic and refers to things that bind the way people should behave, such as procedural and policy-based controls. Corrective is a way of classifying controls by function and refers to the set of controls that operate to mitigate an event that has already happened, such as using backup software to recover from destruction of data files. Physical is a way of classifying controls by characteristic and refers to things that operate in the built environment, such as locks, badge readers, security guards, video surveillance, and lighting. Managerial is a way of classifying controls by characteristic and refers to controls that give insight and reporting into the whole security system, such as risk assessment and compliance monitoring.

Question 72

Question An engineering firm wants to bolster the security measures implemented on their servers. Evaluate the proposed solutions for the best type of security control to fit the firm's needs. 1. Security guards should secure all entry control points. 2. Advanced firewalls and access control lists should be configured. 3. The company's security policy needs to be updated. 4. Employees should attend annual security training.

Answer 72

B) The company is interested in server-level control systems, so they need to implement stricter technical controls. Technical controls are system-level implementations, such as access control lists, firewalls, and anti-virus software.

Question 73

After a break-in at a government laboratory, some proprietary information was stolen and leaked. Which statement best summarizes how the laboratory can implement security controls to prevent future breaches? 1. The laboratory needs to take detective action and should implement physical and deterrent controls in the future. 2. The laboratory needs to take detective action and should implement corrective controls in the future. 3. The laboratory needs to take compensatory action and should implement physical controls in the future. 4. The laboratory needs to take corrective action and should implement both physical and preventative controls in the future.

Answer 73

D) ## Footnote Following a break-in that included both physical intrusion and data compromise, the lab should take _corrective action_ to reduce the impact of the intrusion event. Implementing preventative measures can help secure data from future attacks, and physical controls can mitigate the probability of future physical break-ins.

Question 74

Question Which of the following policies support separation of duties? **(Select all that apply.)** 1. Employees must take at least one, five-consecutive-day vacation each year. 2. Employees must stay in the same role for a minimum of two years prior to promotion. 3. A principle of least privilege is utilized and critical tasks are distributed between two employees. 4. Standard Operating Procedures (SOPs) are in effect in each office.

Answer 74

A/C/D Mandatory vacations force employees to take earned vacation time. During this time, someone else fulfills their duties while they are away so audits can occur and potential discrepancies can be identified. The principle of least privilege solely grants a user sufficient rights to perform a specific job. For critical tasks, duties should be divided between several people. SOPs are the policies that set the technical expectation to enforce least privilege. It can be high level or detailed, but should at least be broad enough to ensure coverage across all types of systems. It is advisable that employees do not stay in the same role for an extended period of time. For example, managers may be moved to different departments periodically.

Question 75

A network administrator is preparing a strategy for backing up company data. Which of the following is NOT a main backup type? 1. Full 2. Incremental 3. Discretionary 4. Differential

Answer 75

C) DIscretionary A discretionary backup is NOT a main backup type. Discretionary is a common type of access control. A full backup includes all selected data regardless of when it was previously backed up. Performing a full backup takes a longer period of time than other backup methods. However, the time it takes to restore data is relatively low. When performing an incremental backup, new files, as well as files that have been modified since the last backup are backed up. Another main type of backing up data is known as a differential backup. With a differential backup, it only takes a moderate amount of time to both backup and restore data.

Question 76

Analyze the factors associated with performing a Business Process Analysis (BPA) and select the statement that aligns with the output factors. 1. The data or resources a function produces 2. The source of information for performing a function 3. The resources supporting a function 4. A description of how a function is performed

Answer 76

A) The output factors are data or resources produced by a function. This is one of five factors that should be identified when performing a Business Process Analysis (BPA). A BPA is performed to identify dependencies, which should be reduced as much as possible between critical components. The input factors are the sources of information for performing a function, including the resulting impact if these are delayed or out of sequence. This can include data entered into a system, or data flowing from other systems or sites. The staff support the function and may also include other resources. BPAs are all encompassing, including the staff that monitor, maintain, and repair the systems that process data. Process flow is a step by step description of how a function is performed. For example, a flow chart showing the process from start to end. This chart can show dependencies and the results of failures within the process.

Question 77

While preparing a disaster recovery plan, management at a company considers how far back it can allow for the loss of data. Which metric does management use to describe this business essential data in terms of recovery? 1. Recovery point objective 2. Work recovery time 3. Maximum tolerable downtime 4. Mean time to repair

Answer 77

A) RPO Recovery Point Objective (RPO) is the amount of data loss that a system can sustain, measured in time. If data is not recoverable (such as the last five working days of data), there is significant impact to operations of the business. Work Recovery Time (WRT) follows systems recovery. During this time there may be additional work to reintegrate different systems and test overall functionality. Maximum tolerable downtime (MTD) is the longest period of time that a business function outage may occur for without causing irrecoverable business failure. Mean time to repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation.

Question 78

A new IT administrator accidently causes a fire in the IT closet at a small company. Consider the disaster types and conclude which types this event might classify as. **(Select all that apply.)** 1. External 2. Man-made 3. Internal 4. Environmental

Answer 78

B/C ## Footnote A man-made disaster event is one where human agency is the primary cause. Typical examples include terrorism, war, vandalism, pollution, and arson. There can also be accidental man-made disasters. An internal disaster is one that is caused by malicious activity or by accident by an employee or contractor. In this case, the fire was accidental.

Question 79

Question A company performing a risk assessment calculates how much return the company has saved by implementing a security measure. Which formula will they use to calculate this metric? 1. Asset value x EF 2. [(ALE-ALEm)-Cost of Solution]/Cost of Solution 3. SLE x ARO 4. (ALE-SLE)/Cost of Solution

Answer 79

B) Return on Security Investment (ROSI) calculates a new ALE, based on reduction in loss by new security controls. ROSI is: [(ALE – ALEm) – Cost of Solution] / Cost of Solution, where ALE is before controls and ALEm is after controls.

Question 80

A company hires a security consultant to help them perform a business process analysis (BPA) and reduce dependencies. The consultant asks a manager at the company to walk through the typical process each salesperson makes when processing order requests. Examine the consultant’s methods and determine which factor in the BPA the consultant is evaluating. 1. Identify process inputs 2. Identify process outputs 3. Examine the process flow 4. Identify staff and other resources performing the function

Answer 80

C) Identify staff and other resources performing the function For mission essential functions, it is important to reduce the number of dependencies between components. Performing a business process analysis (BPA) for each mission critical function identifies dependencies for each function. The _BPA should identify the process flow, a step-by-step description of how the function is performed._

Question 81

a national intelligence agency maintains data on threat actors. If someone intercepted this data, it would cause exceptionally grave damage to national security. Analyze the risk of exposure and determine which classification this data most likely holds. 1. Confidential 2. Secret 3. Top secret 4. Proprietary

Answer 81

C) Top Secret Critical or top secret information is too valuable to allow any risk of its capture. Viewing is severely restricted, and if captured would cause exceptionally grave damage to national security. Secret information is a level of classification below top secret for government agencies. If this data were captured it would cause serious damage to national security. The term confidential and secret may be used interchangeably because both require information to be shared to only those that need to know.

Question 82

The U.S. Department of Defense (DoD) awards an IT contract to a tech company to perform server maintenance. The servers are colocated at a third-party storage facility. The DoD and the tech company enter into what type of agreement which commits the tech company to implement the agreed upon security controls? 1. Interconnection security agreement (ISA) 2. Non-disclosure agreement (NDA) 3. Data sharing and use agreement 4. Service level agreement (SLA)

Answer 82

A) ISA ## Footnote Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.