Udemy CASP Practice Exam 2 Flashcards
Dion Training wants to get an external attacker’s perspective on its security status. Which of the following services should they purchase?
A. Patch management
B. Vulnerability Scan
C. Penetration test
D. Asset management
C. Penetration test
Explanation:
OBJ-2.4: Penetration tests provide an organization with an external attacker’s perspective on their security status. The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting. The penetration test results are valuable security planning tools, as they describe the actual vulnerabilities that an attacker might exploit to gain access to a network. A vulnerability scan provides an assessment of your security posture from an internal perspective. Asset management refers to a systematic approach to the governance and realization of value from the things that a group or entity is responsible for over their whole life cycles. It may apply both to tangible assets and intangible assets. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.
What is a common vulnerability in SOAP (Simple Object Access Protocol) web services?
A. SQL Injection
B. Cross site scripting
C. XPath Injection
D. XML Denial of Service
D. XML Denial of Service
Explanation:
OBJ-2.5: An XML denial of service (or XML bomb, such as the "billion laughs" document) declares nested entities in the document's DTD so that a single entity reference expands exponentially, exhausting the parser's memory until a denial of service condition occurs. Service-Oriented Architecture (SOA) is an architectural paradigm that aims to achieve loose coupling among interacting distributed systems. SOA is used by enterprises to efficiently and cost-effectively integrate heterogeneous systems. However, SOA is affected by several security vulnerabilities, which slows its deployment in organizations. SOA is most commonly vulnerable to an XML denial of service. While the other options could be used as part of an attack on SOAP, the SOAP message itself is formatted as an XML document, making an XML denial of service the most common vulnerability. SOAP requests can also carry SQL injection, but that attack works by submitting a parameter crafted as a SQL fragment that authenticates the attacker or reveals sensitive information from the underlying database. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XPath Injections operate on websites that use user-supplied information to construct an XPath query for XML data.
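Added example (not part of the original flashcards): the check below reads only the DTD of an incoming XML document with the standard library's expat parser, computes how large each declared entity would become if expanded, and refuses the document before the real parser ever touches the body. The billion-laughs sample is constructed in code; entity names and the 1 MB limit are assumptions for illustration.

```python
import re
import xml.parsers.expat

_REF = re.compile(r"&(#?[^;&\s]+);")
_PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}


class _DtdDone(Exception):
    """Raised from a handler to stop expat right after the DTD, before any entity is expanded."""


def build_bomb(levels=9, fanout=10):
    """Constructed sample: a billion-laughs DTD. With the defaults, &lol9; expands to 3 * 10**9 bytes."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, levels + 1):
        name = f"lol{i}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY {name} "{refs}">')
        prev = name
    return ("<?xml version='1.0'?>\n<!DOCTYPE lolz [\n" + "\n".join(decls)
            + "\n]>\n<lolz>&" + prev + ";</lolz>").encode()


def collect_internal_entities(xml_bytes):
    """Read only the internal DTD subset; return {entity name: literal replacement text}."""
    entities = {}

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:   # internal general entities only
            entities[name] = value

    def on_doctype_end():
        raise _DtdDone                            # DTD finished: do not parse the body

    p = xml.parsers.expat.ParserCreate()
    p.EntityDeclHandler = on_entity
    p.EndDoctypeDeclHandler = on_doctype_end
    try:
        p.Parse(xml_bytes, True)
    except _DtdDone:
        pass
    return entities


def expanded_size(name, entities, memo, stack=()):
    """Bytes that &name; would produce, computed from the declarations without expanding anything."""
    if name.startswith("#") or name in _PREDEFINED:
        return 1
    if name in stack:
        raise ValueError(f"recursive entity {name!r}")
    if name in memo:
        return memo[name]
    value = entities.get(name)
    if value is None:
        return len(name) + 2                      # undeclared reference: expat rejects it anyway
    total, last = 0, 0
    for m in _REF.finditer(value):
        total += m.start() - last
        total += expanded_size(m.group(1), entities, memo, stack + (name,))
        last = m.end()
    total += len(value) - last
    memo[name] = total
    return total


def max_entity_expansion(xml_bytes):
    """Largest expansion any single declared entity could reach."""
    entities = collect_internal_entities(xml_bytes)
    memo = {}
    return max((expanded_size(n, entities, memo) for n in entities), default=0)


def is_safe_to_parse(xml_bytes, limit=1_000_000):
    """Gate to run before handing a SOAP envelope to the application's XML parser (limit is an assumed policy)."""
    return max_entity_expansion(xml_bytes) <= limit


if __name__ == "__main__":
    bomb = build_bomb()
    print(len(bomb), "bytes on the wire ->", max_entity_expansion(bomb), "bytes if expanded")
    print("safe:", is_safe_to_parse(bomb))
```

The input is under a kilobyte but would expand to three gigabytes, which is the whole point of the attack; rejecting any DOCTYPE outright is the simpler policy for SOAP endpoints that never need one.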
Dion Training is worried about the security of the data on their corporate smartphones if lost or stolen. The Chief Security Officer has instructed that the devices be configured so that unauthorized users cannot access the data. Which TWO of the following settings would provide the BEST security and protection for the corporate smartphones’ data?
A. Enable device lockouts after 3 failed attempts
B. Enable full device encryption
C. Require complex passwords
D. Configure the ability to perform a remote wipe
E. Enable a pattern lock
F. Disable the installation of applications from untrusted sources
B. Enable full device encryption
D. Configure the ability to perform a remote wipe
Explanation:
OBJ-3.1: The BEST protections for the data would involve enabling full disk encryption and configuring the ability to perform a remote wipe. Even if the device is lost or stolen, its data would be unreadable if it was using full disk encryption. Additionally, by configuring the ability to wipe the device’s storage remotely, the data would be erased before a thief can access it. The other options are all valid options to increase security, but they do not directly address the issues presented in the scenario.
Which term refers to the consistent and tamper-resistant operation of every element within an enterprise?
A. Trusted computing environment
B. Accredited network
C. Trusted foundry
D. Trust certified enterprise
A. Trusted computing environment
Explanation:
OBJ-3.2: A trusted computing environment refers to every element’s consistent and tamper-resistant operation within an enterprise. The Trusted Foundry Program, also called the trusted supplier program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. An accredited network means that a relevant system has been approved for use, and an authorizing official has accepted the risk involved. The term trust certified enterprise is not an industry-standard term and was created as a distractor from the correct answer.
You have been asked to help conduct a known environment penetration test. As part of your preparations, you have been given the source code for the organization’s custom web application.
Which type of vulnerability might be able to exploit the code shown in this image?
A. Remote Code Execution
B. Buffer overflow
C. JavaScript injection
D. SQL Injection
B. Buffer overflow
Explanation:
OBJ-2.5: The function DionCode may be subject to a buffer overflow if the user enters more than the expected number of characters as their input. In defining the char (character) type array, the programmer only allocated 20 bytes of storage, but strcpy (string copy) keeps copying until it reaches the terminating NUL of the source, regardless of the destination's size. To solve this problem, the programmer should validate the input length before passing the user_input variable to strcpy, ensuring it is fewer than 20 characters so that the terminating NUL also fits, or use a bounded copy that cannot write past the array.
A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized?
A. Exact data match
B. Document matching
C. Classification
D. Statistical matching
A. Exact data match
Explanation:
OBJ-1.4: An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of its customers' actual social security numbers. Since it is not appropriate to load those raw numbers into a DLP filter, EDM instead matches fingerprints (hashes) of the values, with a format pattern such as xxx-xx-xxxx used to pick out candidates in the content. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses machine learning to analyze various data sources. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification-based DLP to search for any files labeled as secret or top secret.
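Added example (not part of the original flashcards): the first function is the format signature from the question, tightened with the structural rules a real SSN must satisfy (area not 000, 666 or 900-999; group not 00; serial not 0000) to cut false positives. The second stage is the fingerprint comparison the explanation describes: the known values are stored only as keyed hashes, and a candidate is reported only if its fingerprint is in the index. The sample text, the SSN values and the HMAC key are constructed for illustration.

```python
import hashlib
import hmac
import re

# Format signature plus the SSA structural rules; \b keeps longer digit runs from matching.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def pattern_matches(text):
    """Every token that looks like an SSN (format match only, no knowledge of real values)."""
    return [m.group(0) for m in SSN_PATTERN.finditer(text)]


def fingerprint(value, key):
    """Keyed hash of a value; the DLP engine stores these, never the plaintext SSNs."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def build_edm_index(known_values, key):
    """Index of fingerprints built once from the authoritative customer data."""
    return {fingerprint(v, key) for v in known_values}


def edm_matches(text, index, key):
    """Candidates from the format signature whose fingerprint is in the index."""
    return [c for c in pattern_matches(text) if fingerprint(c, key) in index]


# Constructed sample data (not real customer records).
KEY = b"dlp-edm-demo-key"
KNOWN_SSNS = {"123-45-6789", "078-05-1120"}
SAMPLE = (
    "Ticket 4411: customer 123-45-6789 asked about invoice 000-12-3456, "
    "the wallet insert shows 219-09-9999 and the test id 987-65-4320."
)

if __name__ == "__main__":
    index = build_edm_index(KNOWN_SSNS, KEY)
    print("format hits:", pattern_matches(SAMPLE))
    print("EDM hits:   ", edm_matches(SAMPLE, index, KEY))
```

A format-only rule alerts on every well-formed number, including the printer's sample 219-09-9999; the fingerprint stage reports only the value that actually belongs to a customer.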
Which of the following features of homomorphic encryption allows two parties to jointly evaluate a publicly known function without revealing their respective inputs?
A. Secure multiparty computation
B. Secure function evaluation
C. Private function evaluation
D. Private information retrieval
B. Secure function evaluation
Explanation:
OBJ-1.8: Secure Function Evaluation (SFE) allows two parties to jointly evaluate a publicly known function without revealing their respective inputs. Private Information Retrieval (PIR) retrieves an item from a service in possession of a database without revealing which item is retrieved. Private Function Evaluation (PFE) allows two parties to jointly evaluate a private function without revealing their respective inputs. Secure Multi-Party Computation creates methods for parties to jointly compute a function over their inputs while keeping those inputs private.
Dion Training Solutions is currently calculating the risk associated with building a new data center in a hurricane-prone location. The data center would cost $3,125,000 to build and equip. Based on their assessment of the history of the location, a major hurricane occurs every 20 years and their data center would risk losing 60% of its value due to downtime and possible structural damages. If the data center is built in this location, what is the annual loss expectancy for this data center?
A. 1,875,000
B. 93,750
C. 625,000
D. 156,250
B. 93,750
Explanation:
OBJ-4.1: The annual loss expectancy (ALE) of the data center would be $93,750. The annual loss expectancy (ALE) is the average amount that would be lost over a year for a given asset. The annual loss expectancy is calculated by multiplying the single loss expectancy and the annual rate of occurrence together. The single loss expectancy is the amount of value lost in a single occurrence of a risk factor being realized. The single loss expectancy is calculated by multiplying the asset value and the exposure factor together. The annual rate of occurrence is the number of times a risk might be realized in a given year. Therefore, the annual loss expectancy equals the ARO (1 occurrence divided by 20 years, or 0.05) multiplied by the SLE (exposure factor of 60% times the asset value of $3,125,000, which equals $1,875,000), giving $93,750 (0.05 x $1,875,000).
You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark:
Based on your review, what does this scan indicate?
A. 173.12.15.23 might be infected with malware
B. 192.168.3.145 might be infected with malware
C. 173.12.15.23 might be infected and beaconing to a C2 server
D. This appears to be normal network traffic
E. 192.168.3.145 might be infected and beaconing to a C2 server
D. This appears to be normal network traffic
Explanation:
OBJ-2.9: This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host’s firewall since it is not running those services on the host. None of this network traffic appears to be suspicious.
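Added example (not part of the original flashcards): the capture in the question is not reproduced here, so the summary lines below are constructed to match the traffic the explanation describes, followed by what the explanation says would be suspicious, an internal host opening a connection to the same external host and port on a fixed timer. The code parses Wireshark-style summary lines, keeps only outbound SYNs, and flags any (source, destination, port) tuple whose inter-connection gaps are nearly constant. Addresses, ports, the 192.168. internal prefix and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
TCP_INFO = re.compile(r"(\d+)\s*>\s*(\d+)\s*\[([^\]]+)\]")

# Constructed summary lines (No. Time Source Destination Protocol Info), mirroring the explanation.
NORMAL = """\
1 0.000 192.168.3.145 192.168.3.1 DNS Standard query A test.diontraining.com
2 0.021 192.168.3.1 192.168.3.145 DNS Standard query response A 173.12.15.23
3 0.025 192.168.3.145 173.12.15.23 TCP 51234 > 443 [SYN]
4 0.061 173.12.15.23 192.168.3.145 TCP 443 > 51234 [SYN, ACK]
5 0.070 192.168.3.145 192.168.3.255 NBNS Name query NB FILESERVER<20>
6 1.200 203.0.113.9 192.168.3.145 TCP 40001 > 443 [SYN]
7 1.201 192.168.3.145 203.0.113.9 TCP 443 > 40001 [RST, ACK]
"""

# Constructed beacon: one new connection to the same host and port roughly every 60 seconds.
BEACON = """\
8 5.000 192.168.3.145 198.51.100.7 TCP 52001 > 8080 [SYN]
9 65.100 192.168.3.145 198.51.100.7 TCP 52002 > 8080 [SYN]
10 124.900 192.168.3.145 198.51.100.7 TCP 52003 > 8080 [SYN]
11 185.000 192.168.3.145 198.51.100.7 TCP 52004 > 8080 [SYN]
12 245.200 192.168.3.145 198.51.100.7 TCP 52005 > 8080 [SYN]
13 305.000 192.168.3.145 198.51.100.7 TCP 52006 > 8080 [SYN]
"""


def parse(capture_text):
    """Turn summary lines into dicts; lines that do not fit the column layout are skipped."""
    rows = []
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if m:
            no, t, src, dst, proto, info = m.groups()
            rows.append({"no": int(no), "time": float(t), "src": src,
                         "dst": dst, "proto": proto, "info": info})
    return rows


def outbound_syns(rows, is_internal):
    """(src, dst, dport, time) for each new connection an internal host opens to the outside."""
    out = []
    for r in rows:
        if r["proto"] != "TCP" or not is_internal(r["src"]) or is_internal(r["dst"]):
            continue
        m = TCP_INFO.search(r["info"])
        if m and {f.strip() for f in m.group(3).split(",")} == {"SYN"}:
            out.append((r["src"], r["dst"], int(m.group(2)), r["time"]))
    return out


def find_beacons(rows, is_internal, min_hits=4, max_cv=0.1):
    """Flag tuples whose connection gaps have a low coefficient of variation (a timer, not a user)."""
    buckets = defaultdict(list)
    for src, dst, dport, t in outbound_syns(rows, is_internal):
        buckets[(src, dst, dport)].append(t)
    beacons = []
    for (src, dst, dport), times in buckets.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "hits": len(times), "interval_s": round(avg, 1)})
    return beacons


def triage(capture_text, internal_prefix="192.168."):
    """Verdict for a capture: 'normal' unless a beaconing pattern is present."""
    rows = parse(capture_text)
    beacons = find_beacons(rows, lambda ip: ip.startswith(internal_prefix))
    return {"verdict": "beaconing" if beacons else "normal", "beacons": beacons}


if __name__ == "__main__":
    print(triage(NORMAL))
    print(triage(NORMAL + BEACON))
```

The single SYN to 173.12.15.23 in the normal capture never reaches the hit threshold, and the inbound SYNs that the host answered with RST are not outbound at all, so only the timed 8080 connections are reported. Real implants add jitter, so raise max_cv or bucket intervals before relying on this in production.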
Which of the following emergent technologies would be most useful in creating a synthetic customer service agent to respond to initial support requests from users within your enterprise network when they call your help desk?
A. Deep fake
B. Natural language processing
C. Big data
D. Distributed consensus
B. Natural language processing
Explanation:
OBJ-1.8: Natural language processing (NLP) is a field of artificial intelligence and machine learning focused on understanding and responding to human language; modern NLP systems are usually built with deep learning. A deep fake is a realistic video or audio that impersonates a real person. Deep fakes are created using deep learning technology. Distributed consensus is used in a distributed or decentralized system to agree on the result of a particular computation and maintain the overall integrity of the distributed system or blockchain. Big data refers to data collections that are too large and complex for a traditional database to manage.
You are deploying OpenSSL in your organization and must select a cipher suite. Which of the following ciphers should NOT be used with OpenSSL?
A. ECC
B. DES
C. RSA
D. AES
B. DES
Explanation:
OBJ-3.6: DES is outdated and should not be used for any modern applications. The AES, RSA, and ECC are all current secure alternatives that could be used with OpenSSL. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!
Dion Training wants to implement a new wireless network in their offices. Which of the following types would support encryption for traffic being sent and received over the network while still allowing users to connect to the open network without a password, passphrase, or digital certificate?
A. WPA2
B. WPA3
C. WPA
D. WEP
B. WPA3
Explanation:
OBJ-3.1: Wi-Fi Enhanced Open, based on Opportunistic Wireless Encryption (OWE), was introduced by the Wi-Fi Alliance alongside WPA3 and is the feature this question targets. Enhanced Open enables encryption for traffic sent and received over a wireless network while still using open authentication, so each client gets an individually encrypted session without a password, passphrase, or certificate (note that WPA3 is a security certification and is not the same thing as Wi-Fi 6, which is a performance generation). WEP, WPA, and WPA2 do not provide encryption of traffic sent over the network unless the network is protected by a password, passphrase, or digital certificate.
Fail to Pass Solutions has requested that its employees have a mobile device so that they can respond to questions when they are out of the office. Each employee is responsible for buying their Android smartphone and cellular plan service. To access the corporate network and its data, the employees need to install a company-provided APK on their device. This app contains access to their company-provided email, cloud storage, and customer relationship management (CRM) database. Which of the following policies BEST describes Fail to Pass’s mobile device deployment model?
A. BYOD
B. COBO
C. CYOD
D. COPE
A. BYOD
Explanation:
OBJ-3.1: Bring Your Own Device (BYOD) is a mobile device deployment model that facilitates the use of personally owned devices to access corporate networks and data. Corporate Owned Business Only (COBO) is a mobile device deployment model that provides the employee with a corporate-owned device that may only be used for official work functions and purposes. Corporate Owned Personally Enabled (COPE) is a mobile device deployment model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is also permitted. Choose Your Own Device (CYOD) is a mobile device deployment model where employees are offered a selection of corporate devices for work and, optionally, private use.
You have decided to have DNA genetic testing and analysis performed to determine your exact ancestry composition and possibly find some lost relatives through their database. Which of the following types of data should this be classified?
A. PHI
B. CUI
C. IP
D. PII
A. PHI
Explanation:
OBJ-4.3: Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results. Data collected by genetic mapping and heredity companies include the subject’s DNA, making it PHI. Personally identifiable information (PII) is data that can be used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Proprietary information or intellectual property (IP) is information created and owned by the company, typically about the products or services that they make or perform. Controlled Unclassified Information (CUI) is federal non-classified information that must be safeguarded by implementing a uniform set of requirements and information security controls to secure sensitive government information.
A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS. What should the network administrator implement?
A. PKI with user authentication
B. WPA2 with a complex shared key
C. 802.1x using EAP with MSCHAPv2
D. MAC address filtering with IP filtering
C. 802.1x using EAP with MSCHAPv2
Explanation:
OBJ-1.5: Since the backend authentication system supports EAP and TTLS (typically fronted by a RADIUS server), the network administrator can implement 802.1X using EAP with MSCHAPv2 for authentication, adding a per-user credential as a factor on top of the wireless layer. The Extensible Authentication Protocol (EAP) is a framework in a series of protocols that allows for numerous different mechanisms of authentication, including things like simple passwords, digital certificates, and public key infrastructure. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based authentication protocol that was widely used in PPTP-based (Point to Point Tunneling Protocol) VPNs and can be used with EAP. On its own MS-CHAPv2 is cryptographically weak, so it should only be run inside a TLS tunnel such as EAP-TTLS or PEAP, which is exactly what the TTLS-capable backend in this scenario provides.
What is a reverse proxy commonly used for?
A. To prevent the unauthorized use of cloud services from the local network
B. Allowing access to a virtual private cloud
C. To obfuscate the origin of a user within a network
D. Directing traffic to internal services if the contents of the traffic comply with the policy
D. Directing traffic to internal services if the contents of the traffic comply with the policy
Explanation:
OBJ-1.1: A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users’ devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server’s response back to the external client. They are not generally intended to obfuscate the source of communication, nor are they necessarily specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.
An organization utilizes a BYOD policy with its employees. This allows the employees to store sensitive corporate data on their personally owned devices. Which of the following occurred if an employee accidentally left their device in the back of a taxi?
A. A data breach
B. Failed deperimeterization management
C. Failed data loss prevention
D. An advanced persistent threat
B. Failed deperimeterization management
Explanation:
OBJ-1.1: Deperimeterization is a strategy for protecting a company’s data on multiple levels using encryption and dynamic data-level authentication. Since the employee lost the device, which contained sensitive corporate data outside of the network, this would be classified as failed deperimeterization management. Data loss prevention (DLP) detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest. DLP does not apply to this scenario since the employee was authorized to have the corporate data on the device under the BYOD policy. A data breach is an incident that exposes confidential or protected information. Based on the scenario provided, we are not told whether anyone has tried to access the device’s data. If an attacker accesses the device’s data, it may be considered a data breach or inadvertent data disclosure, depending on your organization’s policies. An advanced persistent threat is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.
Dion Training is designing a new practice exam application that will be hosted in the cloud. The company knows there will be periods of higher and lower demands based on an analysis of historical usage patterns. The programmers have created the code using distributed programming techniques so that the jobs can be distributed over numerous machines across the virtual private cloud (VPC) containing each of the servers. To help control costs, any new servers added to the pool must be added by a system administrator after verifying the current demand. Which of the following BEST describes the type of action used to meet the increasing demands on the server?
A. Autoscaling
B. Content delivery network
C. Horizontal scaling
D. Vertical scaling
C. Horizontal scaling
Explanation:
OBJ-1.2: Horizontal scaling allows additional capacity to be achieved by adding servers to help process the same workload, such as adding nodes to a distributed system or adding web servers to an existing server farm. Vertical scaling allows additional resources to be added to an individual system, such as adding processors, memory, and storage to an existing server. Autoscaling is the ability to expand and contract the performance of workloads based on policies with specific maximum and minimum capacity specifications. Autoscaling can be used with either horizontal or vertical scaling depending on your cloud service provider. A content delivery network (CDN) distributes and replicates the components of any service (such as web apps, media, and storage) across all the key service areas needing access to the content.
The Dion Development Group is a young startup that is creating a new Software as a Service (SaaS) tool. To aid in their risk management, the company has decided to create risk tiers to assign to potential vulnerabilities based on their potential ALE cost. For risks with an ALE under $10,000, the company will classify them as low risk. For risks with an ALE between $10,000 and $50,000, the company will classify them as medium risk. For risks with an ALE over $50,000, the company will classify them as high risk. What best describes these potential risk classifications based on the stated monetary thresholds?
A. Inherent risk
B. Risk tolerance
C. Risk appetite
D. Residual risk
B. Risk tolerance
Explanation:
OBJ-4.1: Risk tolerance is defined as the threshold that separates the different levels of risk within an organization. Risk appetite is a strategic assessment of what level of residual risk is acceptable to an organization. Inherent risk is the level of risk that exists before any compensating controls have been implemented. Residual risk is the risk that remains after compensating controls have been implemented.
You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal?
A. VLAN
B. VPN
C. MAC Filtering
D. WPA2
A. VLAN
Explanation:
OBJ-1.1: A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevents communication between different VLANs without using a router. This allows two virtually separated networks to exist on one physical network and keeps the two virtual networks' data apart. A virtual private network (VPN) is a remote access capability to connect a trusted device over an untrusted network back to the corporate network. A VPN would not create the desired effect. WPA2 is a type of wireless encryption, but it will not create two different segmented networks on the same physical hardware. MAC filtering is used to allow or deny a device from connecting to a network, but it will not create two network segments, as desired.
Dion Training wants to implement DNS protection on their mobile devices. Which of the following implementations would allow the device’s DNS requests to be tunneled within TLS traffic to aid in the privacy protection of the user?
A. Custom DNS
B. Profiles
C. Token based access
D. DOH
D. DOH
Explanation:
OBJ-3.1: DNS over HTTPS (DoH) allows the DNS requests to be tunneled within the TLS traffic over port 443. This allows most of the DNS protocol traffic over port 53 to be eliminated after the first DNS request to the DoH provider is made. DoH is used mainly to provide privacy protection for the user and their web browsing activities. Custom DNS is often used to block dangerous sites by purposefully refusing to resolve to a previously identified malicious host. Device configuration profiles are XML files that contain configuration details defined at either the user or device level. These profiles can be manually installed or automatically deployed through an MDM solution. Token-based access requires an enrolled device to provide a token issued by an IAM solution to gain access to network resources. Mobile devices with an installed token are granted access to the network resources after being verified by a network access control (NAC) appliance.
Dion Training is building a new learning management system that will require its students to access the system through a webpage. To create a secure communication channel between the student’s system and the learning management system, the programmers have decided to use ephemeral session keys without the use of the server’s digital certificate and instead relying on a Diffie-Hellman key agreement. The programmer states that in his implementation, even if the server’s private key is exposed, the ephemeral session keys would remain secure. Which cryptographic concept is the programmer referring to in his implementation?
A. Key stretching
B. AEAD
C. Forward secrecy
D. Cipher block chaining
C. Forward secrecy
Explanation:
OBJ-3.6: Forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets that were used in the session key exchange are compromised. Key stretching is a technique that strengthens potentially weak input for cryptographic key generation, such as passwords or passphrases created by people, against brute force attacks. Authenticated encryption with associated data (AEAD) is a form of encryption that provides confidentiality of the plaintext, a way to check its integrity, and a method of verifying its authenticity. Cipher block chaining (CBC) is a simple mode that lets a symmetric block cipher process data longer than one block. CBC provides no integrity protection on its own, and implementations that leak whether decrypted padding was valid are vulnerable to padding-oracle attacks, so an AEAD mode such as AES-GCM should be preferred.
An analyst just completed a port scan and received the following results of open ports:
Based on these scan results, which of the following services are NOT currently operating?
A. RDP
B. SSH
C. Web
D. Database
B. SSH
Explanation:
OBJ-2.9: Based on the port numbers shown as open in the nmap scan results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389.
You want to provide controlled remote access to the remote administration interfaces of multiple servers hosted on a private cloud. What type of segmentation security solution is the best choice for this scenario?
A. Airgap
B. Jumpbox
C. Bastion hosts
D. Physical
B. Jumpbox
Explanation:
OBJ-1.1: Installing a jumpbox as a single point of entry for the administration of servers within the cloud is the best choice for this requirement. The jumpbox only runs the necessary administrative port and protocol (typically SSH). Administrators connect to the jumpbox then use the jumpbox to connect to the admin interface on the application server. The application server’s admin interface has a single entry in its ACL (the jumpbox) and denies any other hosts’ connection attempts. A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application. For example, a proxy server and all other services are removed or limited to reduce the threat to the computer. An airgap system is a network or single host computer with unique security requirements that may physically be separated from any other network. Physical separation would prevent a system from accessing the remote administration interface directly and require an airgap system to reach the private cloud.
You are working as part of a penetration testing team during an engagement. A coworker just entered “sudo systemctl start DionTrainingApp” in the shell of a Linux server the team exploited. What action is your coworker performing with this command?
A. To enumerate the running services on the server
B. To enable persistence of the server
C. To remove persistence on the server
D. To shut down the running service on the server
B. To enable persistence of the server
Explanation:
OBJ-2.4: This scenario uses the systemctl command to establish persistence on a Linux server from within its shell. The systemd tool is an init system and system manager that has widely become the new standard for Linux distributions. The systemctl command is part of systemd. It is used to manage services, check their status, change their status, and work with their unit configuration files. By entering “sudo systemctl start DionTrainingApp” in the shell, the system will start the service known as DionTrainingApp. This creates persistence by running the DionTrainingApp service, which is just a fictional service name used in this example to hide the penetration tester’s persistence tools (a service that is also enabled will be started again on every boot). This service could be named anything the penetration tester deems appropriate during the service’s installation.
You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company’s databases, routing all externally sourced network traffic to it, and gradually updating with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network and restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize?
A. Isolation based containment by removing the affected database from production
B. Segmentation based containment that deceives the attacker into believing their attack was successful
C. Segmentation based containment disrupts the APT by using a hack back approach
D. Isolation based containment by disconnecting the APT from the affected network
B. Segmentation based containment that deceives the attacker into believing their attack was successful
Explanation:
OBJ-2.6: There are two types of containment: segmentation and isolation. This is an example of a segmentation-based containment strategy that utilizes deception. Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. As opposed to completely isolating the hosts, you might configure the protected segment to deceive the attacker into thinking the attack is progressing successfully, such as in the database modification example. The scenario is not a hack-back approach since the APT is not directly attacked, only deceived. Isolation-based containment involves removing an affected component from whatever larger environment it is a part of. In this scenario, the original database was never isolated from the network, nor were any other affected assets during the deception.
Dion Training has contracted a cloud service provider to host their webservers. Dion Training wants to ensure their webservers are highly available and fault-tolerant, but they want to ensure all their data remains located in the same geographic area. Which of the following would allow Dion Training to host their webservers in two different data centers located in the same geographic area?
A. VPC/VNet
B. Data zone
C. Availability Zone
D. Region
C. Availability Zone
Explanation:
OBJ-1.1: An availability zone is a physical or logical data center within a single region. A region describes a collection of data centers located within a geographic area and they are distributed across the globe. A Virtual Private Cloud (VPC) or a Virtual Network (VNet) allows for the creation of cloud resources within a private network that parallels the functionality of the same resources in a traditional, privately operated data center. Data zones describe the state and location of data to help isolate and protect it from unauthorized/inappropriate use within a data lake.
An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future?
A. Implement a VLAN to separate the HVAC control system from the open wireless network
B. Enable WPA2 Security on the open wireless network
C. Enable NAC on the open wireless network
D. Install an IDS to protect the HVAC system
A. Implement a VLAN to separate the HVAC control system from the open wireless network
Explanation:
OBJ-3.3: A VLAN is used to segment network traffic between different parts of the network, so placing the HVAC control system in its own VLAN (with no route or an explicit deny from the guest VLAN) stops someone on the open wireless network from reaching the HVAC login at all. With NAC, each machine connecting to the open wireless network could be checked for compliance and identified as a 'known' machine, but a machine that passed the check would still be given access to the entire network; and since this is a publicly usable guest network, NAC would block visitors from the internet access the network exists to provide. An IDS would be a good solution to detect the attempted logins, but it would not prevent them; an IPS would be required to block them, and even then the guest network would still be able to reach the HVAC system's network interface.
Jay is replacing his organization’s current vulnerability scanner with a new tool. As he begins to create the scanner’s configurations and scanning policy, he notices a conflict in the settings recommended between different documents. Which of the following sources must Jay follow when trying to resolve these conflicts?
A. Corporate policy
B. NIST Guideline documents
C. Configuration settings from the prior system
D. Vendor best practices
A. Corporate policy
Explanation:
OBJ-4.1: Policies are formalized statements that apply to a specific area or task. Policies are mandatory, and employees who violate a policy may be disciplined. Guidelines are general, non-mandatory recommendations. Best practices are considered procedures that are accepted as being correct or most effective but are not mandatory to be followed. Configuration settings from the prior system could be helpful, but this is not a mandatory compliance area like a policy. Therefore, Jay should first follow the policy before the other three options if there is a conflict.
The Dion Development Group is a young startup that is about to release a minimum viable product (MVP) of their new Software as a Service (SaaS) tool to the marketplace. The company has conducted a strategic assessment and determined that they can accept no more than a $1,000,000 ALE for their SaaS solution after implementing compensating controls. What best describes this acceptable risk level?
A. Risk tolerance
B. Inherent risk
C. Risk appetite
D. Residual risk
C. Risk appetite
Explanation:
OBJ-4.1: This is risk appetite. Risk appetite is a strategic assessment of what level of residual risk is acceptable to an organization, which is exactly what the $1,000,000 ALE ceiling after compensating controls expresses. Inherent risk is the level of risk that exists before any compensating controls have been implemented. Risk tolerance is the threshold that separates the different levels of risk within an organization, that is, how far actual risk may vary from the appetite before action is required. Residual risk is the risk that remains after compensating controls have been implemented.
Dion Training is drafting a new business continuity plan and is trying to determine the appropriate metric to utilize in defining the recovery requirements for their practice exam web application. This application is used by all of Dion Training’s students to prepare for their upcoming certification exams. The web application currently lets students take practice exams, review the results of the exam when completed, and review the complete history of all of their previous exam attempts. The organization has determined that after an incident, they will prioritize the ability for students to take a new exam and review those results first, then work to fully recover the students’ historical exam attempts after the initial recovery is complete. Which of the following metrics best defines this two-tiered approach to recovery?
A. Recovery service level (RSL)
B. Recovery point objective (RPO)
C. Recovery time objective (RTO)
D. Mean time to recovery (MTTR)
A. Recovery service level (RSL)
Explanation:
OBJ-4.4: The recovery service level is the minimum acceptable amount of services that must be restored for a given system to consider it recovered. For example, your organization may need to restore its databases and websites to meet its recovery service level objectives while leaving its print servers offline since they may not be considered a mission-essential function in your organization. The recovery point objective defines the maximum amount of data that can be lost without irreparable harm to the operation of the business. The recovery time objective defines the maximum amount of time that performing a recovery can take and the service can be offline. The mean time to recovery is the average amount of downtime calculated based on when a service or device fails and when its functionality is restored.
Which of the following exploitation frameworks contain plugins that can trigger buffer overflows in SCADA systems, such as /exploit/windows/scada/daq_factory_bof that can trigger a stack overflow by sending excessive requests to a service port on the system?
A. Metasploit
B. Nikto
C. Androzer
D. Nessus
A. Metasploit
Explanation:
OBJ-2.4: Metasploit is an open-source exploitation framework that uses modules (plugins) to add different exploits and functionalities. Modules are referenced by a path-like name such as /exploit/windows/scada/daq_factory_bof, which reads as the module type (exploit), the target platform (windows), the service or application category (scada), and the specific module (daq_factory_bof). If you see this format in a question, the answer is most likely related to Metasploit. Nikto is a web server scanner and Nessus is a vulnerability scanner; neither launches exploits against a target.
Jason is sending an email to Tamera’s Dion Training account with the latest student enrollment numbers. To ensure integrity and non-repudiation of the enrollment numbers, Jason’s email client hashes the email and then encrypts the hash with Jason’s private key before sending the email and the encrypted hash to Tamera’s account. Which of the following certificate use cases is described by this scenario?
A. Digital signature
B. Code signing
C. Server authentication
D. Client authentication
A. Digital signature
Explanation:
OBJ-3.5: A digital signature is created by encrypting the hash digest with the sender's private key (strictly, signing is its own operation in most schemes, but "encrypt the hash with the private key" is the textbook description of RSA signing and the one this exam uses). For example, when digitally signing an email, the email is first hashed and then the hash is encrypted with the sender's private key; anyone holding the sender's public key can recover the hash, recompute it over the received message, and compare the two, which proves integrity and non-repudiation. Code signing is a method of using a digital signature to ensure the source and integrity of programming code. If a valid code signature exists, this indicates that the code has not been changed or modified since being released by the code's author or publisher. Client authentication describes the mechanism by which a server can verify that a connection request is originating from a preauthorized endpoint; it is commonly used by SSH servers, which store a local copy of a client's public SSH key and use it to authenticate the client during a connection. Server authentication is utilized by a client device when the client establishes that the server is genuine. For example, when visiting a new website, a client will use the web server's digital certificate and public key to authenticate that the server it connected to is legitimate.
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?
A. Anomaly
B. Behavior
C. Heuristic
D. Trend
B. Behavior
Explanation:
OBJ-1.1: This is an example of behavior-based detection. Behavior-based detection (also called statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device; anything that deviates from this baseline beyond a defined tolerance generates an alert. Heuristic analysis determines whether several observed data points together constitute an indicator, and whether related indicators make up an incident, based on an understanding of the relationship between the observed indicators. Human analysts are good at interpreting that kind of context but work slowly in computer terms and cannot cope with the volume of data and traffic a typical network generates, which is why this analysis is automated. Anomaly analysis is the process of defining an expected outcome or pattern for events and then identifying any events that do not follow those patterns; it is useful in tools and environments that let you set rules. Trend analysis is not used for detection but to better understand capacity and a system's normal baseline over time. Behavior-based detection differs from anomaly-based detection in where the baseline comes from: behavior-based detection records expected patterns for the entity being monitored (here, which office each user normally logs in from), while anomaly-based detection derives the baseline of expected patterns from its own observation of what normal looks like.
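Alexa's rule, run over sample log lines, as an added example for this page (not code from the page or from any SIEM product). The log format, the subnet-to-office map and the per-user home-office profile are all constructed for the example; in a real deployment the profile would come from HR or directory data and the subnet map from IPAM. The profile is what makes this behavior-based detection: the analyst supplies the expected pattern per user rather than having the engine learn it.

```python
"""Alert when a user logs on at a workstation in an office other than their
home office. Added example for this page; all data below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed: which office each workstation subnet belongs to.
OFFICE_BY_SUBNET = {
    ipaddress.ip_network("10.10.0.0/16"): "Austin-TX",
    ipaddress.ip_network("10.20.0.0/16"): "Denver-CO",
    ipaddress.ip_network("10.30.0.0/16"): "Miami-FL",
}

# Constructed baseline profile: the office each user is expected to log on from.
HOME_OFFICE = {
    "jsmith": "Austin-TX",
    "agarcia": "Denver-CO",
    "tchen": "Miami-FL",
}

# Constructed log format: "<ts> LOGON user=<u> workstation=<host> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) workstation=(?P<ws>\S+) src=(?P<ip>\S+)$"
)

# Constructed sample events, including one that should fire and some that should not.
SAMPLE_LOGS = [
    "2024-03-04T08:01:12Z LOGON user=jsmith workstation=AUS-WS-014 src=10.10.4.22",
    "2024-03-04T08:03:40Z LOGON user=agarcia workstation=DEN-WS-201 src=10.20.7.9",
    "2024-03-04T08:05:05Z LOGON user=tchen workstation=AUS-WS-033 src=10.10.4.90",
    "2024-03-04T08:06:00Z LOGON user=svc_backup workstation=DEN-SRV-01 src=10.20.1.5",
    "2024-03-04T08:07:30Z LOGON user=jsmith workstation=VPN-POOL src=172.16.9.4",
    "this line is not a logon event",
]


@dataclass
class Alert:
    ts: str
    user: str
    workstation: str
    expected_office: str
    observed_office: str


def office_for_ip(ip: str) -> Optional[str]:
    """Map a source address to an office, or None if it is outside every office subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, office in OFFICE_BY_SUBNET.items():
        if addr in net:
            return office
    return None


def detect_cross_office_logons(lines: List[str]) -> List[Alert]:
    """Compare each logon's observed office with the user's baseline office."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # unparseable: skip, never crash the pipeline
        expected = HOME_OFFICE.get(m["user"])
        observed = office_for_ip(m["ip"])
        if expected is None or observed is None:
            continue                      # no baseline for this user, or not an office subnet
        if observed != expected:
            alerts.append(Alert(m["ts"], m["user"], m["ws"], expected, observed))
    return alerts


if __name__ == "__main__":
    for a in detect_cross_office_logons(SAMPLE_LOGS):
        print(f"{a.ts} {a.user} logged on at {a.workstation} in {a.observed_office}; "
              f"baseline office is {a.expected_office}")
```

Note the two deliberate silences: a user with no profile (the service account) and a source outside any office subnet (the VPN pool) are skipped rather than alerted, because the rule can only judge deviation where a baseline exists. Those gaps are exactly where an anomaly-based engine, which builds its own baseline from observed traffic, would complement this rule.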
Which of the following layers within software-defined networking consists of the physical networking devices, such as switches and routers?
A. Application layer
B. Control layer
C. Infrastructure layer
D. Management plane
C. Infrastructure layer
Explanation:
OBJ-1.1: The infrastructure layer contains the physical networking devices that receive information from the control layer about where to move the data and then perform those movements. The application layer focuses on the communication resource requests or information about the network. The control layer uses the information from applications to decide how to route a data packet on the network and to make decisions about how traffic should be prioritized, how it should be secured, and where it should be forwarded to. The management plane is used to monitor traffic conditions, the status of the network, and allows network administrators to oversee the network and gain insight into its operations.
Which type of monitoring would utilize a network tap?
A. Passive
B. SNMP
C. Router based
D. Active
A. Passive
Explanation:
OBJ-1.1: Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. Active monitoring relies on scanning targeted systems, not a network tap. Router-based monitoring would involve looking over the router’s logs and configuration files. SNMP is used to monitor network devices but is considered active monitoring and doesn’t rely on network taps.