(Udemy CASP+ (CAS-004): Practice Exam #1 - Results) Flashcards

Question

A company-wide audit revealed employees are using company laptops and desktops for personal use. To prevent this from occurring, in which document should the company incorporate the phrase “Company-owned IT assets are to be used to perform authorized company business only"? A. AUP B. MOU C. SLA D. NOA

Answer 1

A. AUP Explanation: OBJ-4.1: Acceptable Use Policy dictates what types of actions an employee can or cannot do with company-issued IT equipment. An acceptable use policy (AUP) is a set of rules applied by the owner, creator, or administrator of a network, website, or service, that restrict how the network, website, or system may be used and sets guidelines as to how it should be used. A memorandum of understanding (MOU) is important because it defines the responsibilities of each party in an agreement, provides the scope and authority of the agreement, clarifies terms, and outlines compliance issues. A non-disclosure agreement (NDA) is a legal contract or part of a contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share for certain purposes, but wish to restrict access to. A service level agreement (SLA) is a commitment between a service provider and a client for particular aspects of the service, such as quality, availability, or responsibilities.

Answer 2

D. Layer 7 firewall Explanation: OBJ-1.1: Layer 7 firewalls operate at the application layer. These devices allow you to implement security at a more granular level. A layer 7 firewall can be configured to log all of the details for data entering and leaving the DMZ or screened subnet. A network access control (NAC) server is used to unify your endpoint security technology and user/system authentication. A NAC server is used for authentication, and would not provide additional visibility into the DMZ or screened subnet. A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. A honeypot will detect attacks against itself, but not the other servers in the DMZ or screened subnet. A VPN headend establishes multiple encrypted VPN tunnels at the same time and provides a secure and encrypted connection between different VPN nodes. A VPN headend would not provide any additional visibility into the DMZ or screened subnet.

Answer 3

D. Service provider Explanation: OBJ-1.5: Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

Answer 4

C. PII of company employees and customers was exfiltrated Explanation: OBJ-2.7: If the PII (Personally Identifiable Information) of the company’s employees or customers were exfiltrated or stolen during the compromise, this would increase the incident's impact assessment. Loss of PII is a big issue for corporations and one that might garner media attention. While all of the options presented here are bad things that could increase the impact of the assessment, loss of PII is considered the MOST likely to increase the impact dramatically. Depending on the company's size or organization, there may also be mandatory reporting requirements, fines, or restitution that must be paid.

Answer 5

D. Contanerization Explanation: OBJ-3.1: Containerization is the logical isolation of enterprise data from personal data while co-existing in the same device. The major benefit of containerization is that administrators can only control work profiles that are kept separate from the user’s personal accounts, apps, and data. This technology creates a secure vault for your corporate information. Highly targeted remote wiping is supported with most container-based solutions.

Answer 6

D. Proactively sanitizie and reimage all of your routers and switchers Explanation: OBJ-3.2: Since your team could not determine the root cause of the compromise, you would most likely conduct system and network hardening actions as part of the recovery and remediation. The only option that is not considered a hardening action is proactively sanitizing and reimaging your routers and switches. If you performed this action, you could have unwanted disruptive effects on the company. Instead, it would be more beneficial to increase monitoring of the devices to ensure they are not compromised. Proactively sanitizing and reimaging all of the routers and switches would be a large undertaking. Without evidence suggesting that such an approach is warranted, you would be wasting a lot of time and money. The other options presented are the best security practices to prevent future compromises. Reimaging the network devices without knowing the root cause will likely be ineffective in securing the network.

Answer 7

A. Tailgating Explanation: OBJ-2.6: Based on the description, the ethical hacker conducted a very specialized type of social engineering attack known as tailgating. Sometimes on a certification exam, there are two correct answers, but one is more correct. This question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area. Social engineering uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source.

Answer 8

D. Aircrack-ng Explanation: OBJ-2.9: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file. John the Ripper is a password cracking software tool. Nessus is a vulnerability scanner. Netcat is used to create a reverse shell from a victimized machine back to an attacker.

Answer 9

A. Mismtached key error Explanation: OBJ-3.7: The reason Jonathan can no longer read those encrypted emails is that his previous public/private key pair has expired and is no longer valid for use. His email client is trying to decrypt those emails using his new public/private key pair causing a mismatched key error. A mismatched key error occurs is the wrong public/private key pair is used to decrypt data. The most common forms of this error are displayed as “key mismatch” or “X509_check_private_key”. Rekeying is the process of changing an individual key during a communication session. Most communication protocols use session key rekeying to protect the data being transmitted. A rekeying is normally triggered based on the volume of data communicated or the amount of time since the last rekeying. A compromised or exposed key occurs when unauthorized access to a symmetric or private key is gained. When a key is compromised or exposed, it must be revoked and replaced. An incorrect name error is generated when the certificate’s CN name does not match the FQDN of the system that is using the certificate. For example, if the certificate is issued to diontraining.com but is being presented for www.diontraining.com or yourcyberpath.com, it will generate an incorrect name error.

Answer 10

A. An implicit deny statement Explanation: According to the best practices of firewall configurations, you should include an implicit deny at the end of your ACL rules. This will ensure that anything not specifically allowed in the rules above is blocked. Using an implicit allow is a bad security practice since it will allow anything into the network that is not specifically denied. While the time of day restrictions can be useful, they are not required for all network implementations.

Answer 11

A. $67,500 Epxplanation: The single loss expectancy (SLE) is the amount that would be lost in a single occurrence of a particular risk factor. To calculate the single loss expectancy (SLE), you will multiple the asset value (AV) times the exposure factor (EF). Since you are asked to calculate the single loss expectancy, you do not need to calculate the annual rate of occurrence (2/3 or 66%) nor the annualized loss expectancy ($45,000). SLE = AV x EF = $75,000 x 0.90 = $67,500

Answer 12

C. Submit a prioritized list with all of the recommendations for review, procurement and installation Explanation: Since an incident has just occurred, it is important to act swiftly to prevent a reoccurrence. The organization should still take a defined and deliberate approach to choosing the proper controls and risk mitigations. Therefore, execution through a rational business management process is the best approach, including creating a prioritized list of recommendations. Once this list has been created, the organization can conduct a cost/benefit analysis of each recommendation and determine which controls and items will be implemented in the network based upon resource availability in terms of time, person-hours, and money. This process does not need to be a long-term study or filled with complexity. Instead, it should be rapidly conducted due to the probability that an attacker may compromise the network again.

Answer 13

B. Python Explanation: OBJ-2.6: Python is a commonly used scripting language used in cybersecurity. Python is a general-purpose programming language that can develop many different kinds of applications. It is designed to be easy to read, and the programs use fewer lines of code compared to other programming languages. The code runs in an interpreter. Python is preinstalled on many Linux distributions and can be installed on Windows. Python scripts are saved using the .py extension. PHP is used as a scripting language for web applications. C# and ASP.NET are both compiled languages, not scripting languages.

Answer 14

C. NFC Explanation: OBJ-3.1: Near-Field Communication (NFC) is a set of communication protocols for communication between two electronic devices over a distance of 4 cm or less. NFC offers a low-speed connection with a simple setup that can be used to bootstrap more capable wireless connections. NFC is used with payment systems like Apple Pay, Samsung Pay, and Google Pay since it supports two-way communication, unlike RFID which only supports one-way data transfers. Radio-frequency identification (RFID) uses electromagnetic fields to automatically identify and track tags attached to objects. Bluetooth is a short-range wireless technology standard that is used for exchanging data between fixed and mobile devices over short distances using UHF radio waves in the ISM band from 2.402 GHz to 2.48 GHz and building personal area networks. Bluetooth is often used to create peer-to-peer connections between two devices for a distance of up to 10 meters. Wi-Fi is a family of wireless network protocols, based on the IEEE 802.11 family of standards, which are commonly used for local area networking of devices and Internet access, allowing nearby digital devices to exchange data by radio waves. Wi-Fi can provide high speeds and cover a maximum distance of up to 150 meters.

Answer 15

C. Total impact includes a loss of customers D. Organization impact is anticipated F. Notification of external authorities is optional Explanation: OBJ-4.1: Since online sales are critical to business operations, the impact would be categorized as organizational and not localized. While the immediate impact is a loss of sales due to the slow servers causing customer frustration and abandoned carts, the longer-term impact could include losing customers who will never return. It is unlikely to include damages to the company’s reputation over this event, though it isn't a major trust and security issue like a data breach. In terms of notification requirements, it is optional to inform external authorities since there is no evidence of a crime.

Answer 16

B. Isolating affected systems Explanation: OBJ-2.7: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term used but would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.

Answer 17

B. Host based intrusion detection systems (HIDS) Explanation: OBJ-3.2: A host-based intrusion detection system (HIDS) is a type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system's state. Host-based intrusion detection systems normally rely on signature rules to identify potentially malicious activity on the endpoint and then create alerts based on the rule that was matched. A host-based firewall is a firewall implemented as application software running on the host that provides sophisticated filtering of network traffic as well as block processes at the application level. Endpoint detection and response (EDR) is a software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats. User and entity behavior analytics (UEBA) is a type of cybersecurity application or appliance that identifies anomalous or malicious behavior by using machine learning and statistical analysis to identify deviations from normally established baselines and patterns of activity.

Answer 18

A. DLP Explanation: OBJ-1.1: Data loss prevention (DLP) software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. This can be configured to detect and alert on future occurrences of this issue. Secure Socket Layer (SSL) is a distraction in this question since the questions asked about information being sent unencrypted. The connection between the client and the email server could be encrypted using SSL. However, the information is still be sent to an employee's personal email account, which equates to a loss of control over the company's confidential data. Mobile Device Management (MDM) software is used for the configuration and securing of mobile devices like smartphones and tablets. Unified Threat Management (UTM) is a device that combines the functions of a firewall, anti-malware solution, and IDS into a single piece of hardware. Some UTM's may provide a DLP functionality, but the answer of a DLP is a better answer to this question.

Answer 19

C. OCSP Explanation: OBJ-3.5: The online certificate status protocol (OCSP) allows clients to request the status of a digital certificate and to check whether it is revoked. A certificate revocation list (CRL) is a list of every digital certificate that has been revoked before its expiration date. HTTP Public Key Pinning (HPKP) is a certificate pinning method that embeds the certificate data in the HTTP header sent from a web server to a web browser. HTTP Strict Transport Security (HSTS) is configured as a response header on a web server and notifies a browser to connect to the requested website using HTTPS only. HSTS helps prevent on-path and downgrade attacks.

Answer 20

B. Require biometric identification for user logins Explanation: OBJ-1.5: The BEST choice is to implement biometric identification for user logins, such as a fingerprint reader or a retina scanner. This would ensure that even if an employee could discover another employee's username and password, they would be prevented from logging into the workstation without the employee's finger or eye to scan. Enforcing short password retention can limit the possible damage when a password is disclosed, but it won't prevent a login during the valid period. Security cameras may act as a deterrent or detective control, but they cannot prevent an employee from logging into the workstation as another employee. Security cameras could be used to determine who logged in after the fact, though.

Answer 21

A. User authentication Explanation: OBJ-3.2: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.

Answer 22

C. Directory traversal Explanation: OBJ-2.5: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. SQL injection is the placement of malicious code in SQL statements via web page input.

Answer 23

C. Quantum computing Explanation: OBJ-1.8: Quantum computing combines physics, mathematics, and quantum mechanics to exploit the collective properties of quantum states. Quantum computing will render cryptography that relies on the difficulty of solving difficult math problems rapidly obsolete. Distributed consensus is used in a distributed or decentralized system to solve a particular computation to maintain the overall integrity of the distributed system or blockchain. Artificial Intelligence is the science of creating machines to develop problem-solving and analysis strategies without significant human direction or intervention. Homomorphic encryption is a method of encryption that allows the computation of certain fields in a dataset without first decrypting the dataset.

Answer 24

B. XSS Explanation: OBJ-2.2: This is an example of a URL-based XSS (cross-site scripting) attack. A cross-site scripting attack uses a specially crafted URL that includes attack code that will cause information that users enter into their web browser to be sent to the attacker. In this example, everything from ?param onward is part of the attack. You can see the base64 encoded string of PHNjcmlwdD5hbGVydCgnSSBsb3ZlIERpb24gVHJhaW5pbmcnKTwvc2NyaXB0Pg== being used. While you could not convert it during the exam without a base64 decoder, you should be able to tell that it is not a SQL injection nor an XML injection based on your studies. It is also not an attempt to conduct password spraying by logging into different usernames with the same password. So, by process of elimination, you can determine this is an XSS attack. If you did have a base64 decoder, you would have found that the parameter being passed would translate to , which is a simple method to cause your web browser to create a popup that displays the text "I love Dion Training." If you attempt to load this URL in your browser, it may or may not function depending on your browser's security.

Answer 25

A. Load Balancer Explanation: OBJ-1.1: A load balancer allows for high availability and the ability to serve increased demand by splitting the workload across multiple servers. RAID is a high availability technology that allows for multiple hard disks to act logically act as one to handle more throughput, but this will not solve the higher demand on the server’s limited processing power as a load balancer would. A VPN concentrator is a networking device that provides the secure creation of VPN connections and the delivery of messages between VPN nodes. A data loss prevention (DLP) system is focused on ensuring that intellectual property theft does not occur. Therefore, a DLP will not help meet the increased demand from new students.

Answer 26

C. nmap -sT Explanation: OBJ-2.4: The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you d not have raw packet privileges on your workstation or if you are scanning an IPv6 network. This flag tells nmap to establish a connection with the target machine by issuing the connect system call instead of directly using an SYN scan. Normally, a fast scan using the -sS (SYN scan) flag is more often conducted, but it requires raw socket access on the scanning workstation. The -sX flag would conduct a Xmas scan where the FIN, PSH, and URG flags are used in the scan. The -O flag would conduct an operating system detection scan of the target system.

Answer 27

A. DAC Explanation: OBJ-1.5: Discretionary access control (DAC) stresses the importance of the owner. The original creator of the resource is considered the owner and can then assign permissions and ownership to others. The owner has full control over the resource and can modify its ACL to grant rights to others. This is the most flexible model and is currently implemented widely in Windows, Unix, Linux, and macOS systems.

Answer 28

A. Improper input validation Explanation: OBJ-1.3: Based on this code snippet, the application is not utilizing input validation. This would allow a malicious user to conduct an XSS (cross-site scripting) attack. For example, an attacker could input the following for a value of “ID”: '>'. This could cause the victim ID to be sent to “malicious-website.com” where additional code could be run, or the session can then be hijacked. Based on the code snippet provided, we have no indications of the level of logging and monitoring being performed, nor if proper error handling is being conducted. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer.

Answer 29

A. Tabletop exercise Explanation: OBJ-4.4: A tabletop exercise involves gathering the key staff of an organization and discussing their actions during a potential unwanted event. The staff could further be divided into a blue team and a red team, with half playing the role of defenders and the other half playing the adversary's role. Tabletop exercises are less expensive to conduct than a full-scale red team event or penetration test. Tabletop exercises are a great way to exercise existing procedures and response plans to identify any weaknesses within them.

Answer 30

C. Traffic shaping Explanation: OBJ-1.2: Traffic shaping, also known as packet shaping, is the manipulation and prioritization of network traffic to reduce the impact of heavy users or machines from affecting other users. Traffic shaping is used to optimize or guarantee performance, improve latency, or increase usable bandwidth for some kinds of packets by delaying other kinds. High availability (HA) is a component of a technology system that eliminates single points of failure to ensure continuous operations or uptime for an extended period. Fault tolerance refers to the ability of a system (computer, network, cloud cluster, etc.) to continue operating without interruption when one or more of its components fail. Load balancing refers to the process of distributing a set of tasks over a set of resources, intending to make their overall processing more efficient. Load balancing can optimize the response time and avoid unevenly overloading some compute nodes while other compute nodes are left idle.

Answer 31

B. Conduct a data criticality and prioritization analysis Explanation: OBJ-2.7: While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and DION, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn’t contain their credit card processing systems that would be a more lucrative target for APT 38 than the PAYROLL_DB. The suggestions of hardening, logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don’t know which data they should focus on protecting or where the attacker is currently.

Answer 32

A. SNMP Explanation: OBJ-1.1: Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device's status, including CPU and memory utilization, and many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.

Answer 33

D. Community Cloud Explanation: OBJ-1.6: A community cloud in computing is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns, whether managed internally or by a third party and hosted internally or externally. Community Cloud is a hybrid form of private cloud. They are multi-tenant platforms that enable different organizations to work on a shared platform. Community Cloud may be hosted in a data center, owned by one of the tenants, or by a third-party cloud services provider and can be either on-site or off-site. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.

Answer 34

C. NAT Gateway Explanation: OBJ-1.1: A NAT Gateway within a cloud platform allows private subnets in a Virtual Private Cloud (VPC) access to the Internet. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances. A VPN gateway is a type of networking device that connects two or more devices or networks in a VPN infrastructure. It is designed to bridge the connection or communication between two or more remote sites, networks, or devices and/or to connect multiple VPNs. An extensible markup language (XML) gateway acts as an application layer firewall specifically to monitor XML formatted messages as they enter or leave a network or system. An XML gateway is used for inbound pattern detection and the prevention of outbound data leaks. XML is a document structure that is both human and machine-readable. Information within an XML document is placed within tags that describe how the information within the document is structured. Application programming interface (API) gateway is a special cloud-based service that is used to centralize the functions provided by APIs. An API is a type of software interface that offers a service to other pieces of software to build or connect to specific functions or features.

Answer 35

D. External Explanation: OBJ-2.4: An external target type best describes these targets since the question doesn’t clearly describe if the servers are first-party or third-party hosted. An external target type is an asset that can be accessed from outside of the organization. For example, if the webserver is visible on the Internet, it is considered an external target. An internal target type means that assets can be accessed from within the organization. This can either be physically or logically from within the network, and it best simulates an insider threat. This target type can also be used to simulate an external hacker who has gained credentials on the network, such as using a spear phishing attack. First-party hosted targets are assets hosted by the client organization themselves. Third-party hosted targets are assets hosted by a vendor, partner, or cloud service provider.

Answer 36

D. Require data at rest encryption on all endpoints Explanation: OBJ-3.1: The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen. While requiring a VPN for all telework employees is a good idea, it would not have prevented this data breach since the laptop's loss caused it. Even if a VPN had been used, the same data breach would have still occurred if the employee copied the database to the machine. Remember on exam day that many options are good security practices, but you must select the option that solves the issue or problem in the question being asked. Similarly, data masking and NDAs are useful techniques, but they would not have solved this particular data breach.

Answer 37

B. Immediately revoke and reissue new public/private key pairs to all users Explanation: OBJ-3.7: A compromised or exposed key occurs when unauthorized access to a symmetric or private key is gained. When a key is compromised or exposed, it must be revoked and replaced. Key rotation is the process of purposely changing keys periodically to mitigate against brute force attacks and key disclosure compromises. During key rotation, the previous key is also revoked and invalidated. Crypto shredding is used to destroy a decryption key to effectively destroy the data that key was used to protect. This technique ensures that the data will remain encrypted if the key is fully destroyed and the encryption algorithm itself remains secure. A self-signed certificate is a certificate generated independently of a certificate authority and is considered not trustworthy.

Answer 38

D. IdP Explanation: OBJ-1.5: The IdP provides the validation of the user's identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

Answer 39

A. Install a backdoor/implant on a client victim B. Create a point of presence by adding services, scheduled tasks, or AutoRun keys E. Install a webshell on a server F. Timestomp a malware file to make it appears as if it is part of the OS Explanation: OBJ-2.1: During the installation phase, the adversary is taking actions to establish a footprint on the target system and is attempting to make it difficult for a defender to detect their presence. The attack may also attempt to confuse any attempts to remove the adversary from the system if the detection of their presence occurs. Due to this, an attacker will attempt to install multiple backdoors, implants, web shells, scheduled tasks, services, or AutoRun keys to maintain their access to the target. Timestomping is also conducted to hide the presence of malware on the system. Opening up two-way communication with an established C2 infrastructure occurs in the command and control phase. Collecting user credentials occurs in the actions on objectives phase.

Answer 40

D. Schedule an emergency maintenance for an off peak time later in the day to remediate the vulnerability Explanation: OBJ-4.2: Jorge should recommend that emergency maintenance windows be scheduled for an off-peak time later in the day. Since the vulnerability is critical, it needs to be remediated or mitigated as quickly as possible. But, this also needs to be balanced against the business and operational needs. Therefore, we cannot simply remediate it immediately, as this would cause downtime for this public-facing server. It is also unreasonable to accept the risk until the next scheduled maintenance window since it is a critical vulnerability. Therefore, the best way to balance the risk of the vulnerability and the outage's risk is to schedule an emergency maintenance window and patch the server during that time.

Answer 41

D. Conduct a brute force attack against the FileVault2 encryption Explanation: OBJ-2.8: FileVault 2 is a full-disk encryption system used on macOS devices. A drive can be decrypted if you have the encryption key. This key can be recovered from memory while the volume is mounted. The Recovery key can also be obtained either from the user's notes or from their storage area of iCloud. You cannot unlock the volume by conducting a brute force attack against the drive. It uses the AES 256-bit encryption system, which is currently unbreakable without access to a supercomputer. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Answer 42

Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed: Based on the output, what type of password cracking method does Jason’s new tool utilize? Explanation: OBJ-2.4: Based on the passwords found in the example, Jason’s new password cracker is most likely using a hybrid approach. All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason’s password of rover123 is made up of the dictionary word “rover” and the number 123. The cracker likely attempted to use a dictionary word (like rover) and the attempted variations on it using brute force (such as adding 000, 001, 002, …122, 123) to the end of the password until found. Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.

Answer 43

C. AES Explanation: OBJ-3.6: The advanced encryption standard (AES) is a cryptographic algorithm used to perform symmetric data encryption using a 128-bit, 192-bit, or 256-bit key. It is approved by NIST as FIPS 197 for all U.S. Government data encryption. Even if you didn't know that AES was defined in FIPS 197, only the AES and 3DES options are symmetric-key algorithms in this question. Elliptic curve cryptography is a public-key cryptographic algorithm based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller key sizes compared to non-elliptic curve cryptography methods while still providing the equivalent level of security. ECC is heavily used in mobile devices and low-powered device encryption. Triple DES (3DES) is a symmetric-key block cipher that uses a series of encrypt, decrypt, and encrypt functions with three different 56-bit keys to increase the security of the data encryption standard (DES). The digital signature algorithm (DSA) is a cryptographic algorithm that uses logarithmic and modulus math to generate and verify digital signatures. The DSA is faster than RSA at generating digital signatures, but it is slower than RSA when verifying them.

Answer 44

A. Rekeying Explanation: OBJ-3.7: Rekeying is the process of changing an individual key during a communication session. Most communication protocols use session key rekeying to protect the data being transmitted. A rekeying is normally triggered based on the volume of data communicated or the amount of time since the last rekeying. Key rotation is the process of purposely changing keys periodically to mitigate against brute force attacks and key disclosure compromises. During key rotation, the previous key is also revoked and invalidated. Crypto shredding is used to destroy a decryption key to effectively destroy the data that key was used to protect. This technique ensures that the data will remain encrypted if the key is fully destroyed and the encryption algorithm itself remains secure. Cryptographic obfuscation is used to transform protected data into an unreadable format. For example, the Linux user passwords stored in the /etc/shadow file are obfuscated to protect them.

Answer 45

A. Integration testing Explanation: Integration testing is used to test individual components of a system together to ensure that they interact as expected. Unit testing is used to test a particular block of code performs the exact action intended and provides the exact output expected. Normally, unit testing is coded into the software using simply pass/no pass tests for each block of code. Regression testing is the process of testing an application after changes are made to see if these changes have triggered problems in older areas of code. Continuous integration/continuous delivery (CI/CD) is a software development methodology in which code updates are tested and committed to a development or build server/code repository rapidly.

Answer 46

A. FPGA Explanation: OBJ-3.3: A field programmable gate array (FPGA) is a type of processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture. A FPGA can be configured by the end customer to run programming logic on the device for their specific use case or application. An application-specific integrated circuit (ASIC) is a type of processor designed to perform a specific function. ASICs are expensive to design and only work for a single application or function, such as the ASICs used to conduct switching in an Ethernet switch. A System on a Chip (SoC) integrates practically all the components of a traditional chipset (which is comprised of as many as four chips that control communication between the CPU, RAM, storage, and peripherals) into a single chip. SoC includes the processor as well as a GPU (graphics processor), memory, USB controller, power management circuits, and wireless radios. Internet of Things (IoT) is a term used to describe a global network of appliances and personal devices that have been equipped with sensors, software, and network connectivity. The Internet of Things includes hub/control systems, smart devices, wearables, and sensors.

Answer 47

B. http.request.method=="POST" && ip.dst==10.1.2.3 Explanation: OBJ-2.9: Filtering the available PCAP with just the http "post" methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both of these can minimize the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto==tcp filter would display all TCP traffic on a network, regardless of the port, IP address, or protocol being used. It would simply produce too much information to analyze.

Answer 48

C. Improper error handling Explanation: OBJ-2.5: This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail and allow the attacker to execute code or perform an injection attack. One famous example of an improper error handling vulnerability is Apple's GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266. Insecure object reference refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. Insufficient logging and monitoring allow attackers to achieve their goals without being detected due to the lack of monitoring and timely response by defenders. The use of insecure functions occurs in the C language when legacy functions like strcpy() are used. These insecure functions can lead to buffer overflow and other exploits being successful against a program.

Answer 49

D. Business continuity plan Explanation: OBJ-4.4: A business continuity plan (BCP) is a plan to help ensure that business processes can continue during a time of emergency or disaster. Such emergencies or disasters might include a fire or any other case where business cannot occur under normal conditions. A disaster recovery plan is useful (and usually a piece of the large business continuity plan), but it is insufficient for the long-term strategy which is needed to support business operations during an extended outage. The key difference between a DRP and BCP is that a DRP is focused on recovering from a disaster while a BCP is focused on maintaining operations before, during, and after the disaster. Usually, a DRP is a part of an overall BCP.

Answer 50

D. MOU Explanation: OBJ-4.3: MOU is a memorandum of understanding. This is the most accurate description based on the choices given. A memorandum of understanding is a document that describes the broad outlines of an agreement that two or more parties have reached. MOUs communicate the mutually accepted expectations of all of the parties involved in a negotiation. While not legally binding, the MOU signals that a binding contract is imminent. A service level agreement (SLA) is a commitment between a service provider and a client for particular aspects of the service, such as quality, availability, or responsibilities. An acceptable use policy (AUP) is a set of rules applied by the owner, creator, or administrator of a network, website, or service, that restrict how the network, website, or system may be used and sets guidelines as to how it should be used. A master service agreement (MSA) is a contract reached between parties, in which the parties agree to most of the terms that will govern future transactions or future agreements.

Answer 51

A. MTTR Explanation: OBJ-4.1: The mean time to repair (MTTR) measures the average time it takes to repair a network device when it breaks. The mean time between failures (MTBF) measures the average time between when failures occur on a device. The recovery time objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster to avoid unacceptable consequences associated with a break in continuity. The recovery point objective (RPO) is the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan’s maximum allowable threshold or tolerance.

Answer 52

D. Private information retrieval Explanation: OBJ-1.8: Private Information Retrieval (PIR) retrieves an item from a service in possession of a database without revealing which item is retrieved. Secure Function Evaluation (SFE) allows two parties to jointly evaluate a publicly known function without revealing their respective inputs. Private Function Evaluation (PFE) allows two parties to jointly evaluate a private function without revealing their respective inputs. Secure Multi-Party Computation creates methods for parties to jointly compute a function over their inputs while keeping those inputs private.

Answer 53

A. Zero day malware Explanation: OBJ-2.7: Based on the scenario provided, it appears that the laptop has become the victim of a zero-day attack. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. This means that there will not be a signature available in the IDS or anti-virus definition file. Therefore, it cannot be combatted with traditional signature-based detection methods. PII (personally identifiable information) exfiltration is the unauthorized copying, transfer, or retrieval of PII data from a computer or server. A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. Based on the scenario's information, we do not have any indications that a ping packet was sent, that PII has been exfiltrated, or that the attack now has remote control of the laptop. Since neither the IDS nor anti-virus alerted on the PDF, it is most likely a form of a zero-day attack.

Answer 54

A. Identify, implement and document compensating controls Explanation: OBJ-4.2: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.

Answer 55

C. Missing patches Explanation: OBJ-3.2: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server's data can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user’s workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL is commonly used against databases, but they are not useful when attacking file servers.

Answer 56

D. To enable persistence on the server Explanation: OBJ-2.4: This scenario is using a command to add persistence to a Windows server using PowerShell. The command entered adds a new service named Dion Training App with the binary listed in the command. This will add persistence to the system by running the Dion Training App, which is just a fictional service name used in this example to hide the penetration tester's persistence tools. This service could be named anything the penetration tester deems appropriate during the service's installation.

Answer 57

A. Brute force attack Explanation: OBJ-1.5: Since the policy will lock out the student for 15 minutes between attempts, it is a valid mitigation technique against a brute force attack. By extending the waiting period, the attacker's brute force attempts are less effective. A brute force attack is a type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords. An on-path attack is an attack where the threat actor makes an independent connection between two victims and can read, and possibly modify traffic. A privilege escalation is a practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application. Spoofing is a type of attack that disguises a communication from an unknown source as being from a known, trusted source. Spoofing can occur using different methods, such as MAC spoofing, IP spoofing, call spoofing, and others.

Answer 58

D. Someone used a SQL injection to assign straight As to the student with ID #1235235 Explanation: OBJ-2.5: Based on this transaction log entry, it appears that the ID# field was not properly validated before being passed to the SQL server. This would allow someone to conduct an SQL injection and retrieve the student's grades and set all of this student's grades to an 'A' at the same time. It is common to look for a '1==1' type condition to identify an SQL injection. There are other methods to conduct an SQL injection attack that could be utilized by an attacker. If input validation is not being performed on user-entered data, an attacker can exploit any SQL language aspect and inject SQL-specific commands. This entry is suspicious and indicates that either the application or the SQL database is not functioning properly. Still, there appears to be adequate logging and monitoring based on what we can see and whether the question never indicates logging was an issue. An SQL database would not be designed to set ALL of a particular student's grades to A's, thus making this single entry suspicious. Most SQL statements in an SQL log will be fairly uniform and repetitive by nature when you review them. This leaves us with the question as to who person this SQL injection. Per the question choices, it could be the student with ID# 1235235 or "someone." While it seems as if student #1235235 had the most to gain from this, without further investigation, we cannot prove that it actually was student #1235235 that performed the SQL injection. Undoubtedly, student #125235 should be a person of interest in any ensuing investigations, but additional information (i.e., whose credentials were being used, etc.) should be used before making any accusations. Therefore, the answer is that "someone" performed this SQL injection.

Answer 59

D. MD5 Explanation: OBJ-3.6: Message Digest Algorithm (MD5) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 128-bit hash digest value to be used for authenticating the original message. MD5 can be easily brute-forced and has a high chance of collision. Secure Hashing Algorithm (SHA-1) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 160-bit hash digest value to be used for authenticating the original message. SHA-1 is considered weak and no longer used for digital signatures, time stamps, or any application that requires collision resistance as of 2015. RACE Integrity Primitives Evaluation Message Digest (RIPEMD-160) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 160-bit hash digest value to be used for authenticating the original message. RIPEMD is used in PGP and the Bitcoin standard. Poly1305 is a cryptographic message authentication code that creates a 128-bit authenticator for any variable-length message to verify the data integrity and authenticity of a message.

Answer 60

C. DevSecOps Explanation: OBJ-1.3: DevSecOps is a combination of software development, security operations, and systems operations and refers to the practice of integrating each discipline with the others. DevSecOps approaches are generally better postured to prevent problems like this because security is built-in during the development instead of retrofitting the program afterward. The DevOps development model incorporates IT staff but does not include security personnel. The agile software development model focuses on iterative and incremental development to account for evolving requirements and expectations. The waterfall software development model cascades the phases of the SDLC so that each phase will start only when all of the tasks identified in the previous phase are complete. A team of developers can make secure software using either the waterfall or agile model. Therefore, they are not the right answers to solve this issue.

Answer 61

C. Implement a bio metric reader at the datacenter entrance and require passage through an access control vestibule Explanation: OBJ-2.6: A biometric reader would read the employee's fingerprints, retina, or facial features. An access control vestibule (formerly called a mantrap) is most often used in physical security to separate non-secure areas from secure areas and prevent unauthorized access. Combining these two would ensure the identity of the individual and that only one person could enter at a time.

Answer 62

D. Extended validation Explanation: OBJ-3.5: Extended Validation (EV) digital certificates are subject to a process that requires more rigorous checks on the subject's legal identity and control over the domain or software being signed. A major drawback to EV certificates is that they cannot be issued for a wildcard domain. General Purpose or Domain Validation (DV) digital certificates prove the ownership of a particular domain by responding to an email to the authorized domain contact or by publishing a text record to the domain’s DNS records. A wildcard certificate contains the wildcard character (*) in its domain name field and allows the digital certificate to be used for any number of subdomains. For example, the wildcard certificate of *.diontraining.com can be used for members.diontraining.com, cart.diontraining.com, and support.diontraining.com. A multidomain certificate is a single SSL/TLS digital certificate that can be used to secure multiple, different domain names. For example, if you want to install the same certificate on diontraining.com and yourcyberpath.com, you will need to register a multidomain certificate.

Answer 63

B. support@diontraining.com Explanation: OBJ-2.2: In the above REGEX, the \b parameter identifies that we are looking for whole words. The strategic use of the + operator indicates the three places where the word is broken into parts. The first part ([A-Za-z0-9_%+-]" is composed of upper or lower case alphanumeric symbols "_%+-." After the first part of the word and the at sign (@) is specified, follows by another word ([A-Za-z0-9.-]), a period (\.), and another purely alphabetic (non-numeric) string that is 2-6 characters in length. This finds a standard email format of something@something.com (but could be @something.co, @something.org, @something.money, or other options as long as the top-level domain is between 2 and 6 characters). The option of www.diontraining.com is wrong because it does not have an @ sign in the string. The option of jason.dion@diontraining.com is wrong because you cannot use a period before the @ symbol, only letters, numbers, and some specified symbols ( _ % + - ). The option of jason_dion@dion.training is wrong because the last word (training) is longer than 6 characters in length. As a cybersecurity analyst, you must get comfortable creating regular expressions and understanding what type of output they generate.

Answer 64

A. Vulnerability scanning Explanation: OBJ-2.3: The best option here is vulnerability scanning as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could normally be possible solutions, but these are not viable options without gaining administrative access to the appliance. Therefore, the analyst should continue to conduct vulnerability scanning of the device to understand the risks associated with it and then make recommendations to add additional compensating controls like firewall configurations, adding a WAF, providing segmentation, and other configurations outside the appliance that could minimize the vulnerabilities it presents.

Answer 65

D. Returns all web pages containing an email address affiliated with diontraining.com Explanation: OBJ-2.2: Google interprets this statement as @diontraining.com and understands that the user is searching for email addresses since %40 is the hex code for the @ symbol. The * is a wild card character meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear phishing campaign. To return all web pages hosted at diontraining.com, you should use the "site:" modifier in the query. To return all web pages with the text diontraining.com, enter "diontraining.com" into the Google search bar with no modifiers to return those results.

Answer 66

B. Request a new digital cert from the cert authority Explanation: OBJ-3.7: This error indicates a validity date error. A validity date error occurs when a certificate is presented for use on a date that is already past the expiration date. To fix this issue, the owner of the website must request a new digital certificate to renew their identity and create a new digital certificate with an expiration date further in the future. There is no need to request a revocation in this case, since the digital certificate is already expired. Revoking a certificate can only be done on a non-expired digital certificate.

Brainscape's Knowledge GenomeTM

(Udemy CASP+ (CAS-004): Practice Exam #1 - Results) Flashcards

Brainscape's Knowledge Genome^TM