Udemy CASP Practice Exam 3 Flashcards
Dion Training is creating a new website and needs to register a new digital certificate to support SSL/TLS connections to the server. When creating the digital certificate, Jason was required to publish a TXT record to the domain’s DNS records to validate that he owned the new domain name. Which of the following digital certificate types did he utilize in this scenario?
A. Wildcard
B. General purpose
C. Extended validation
D. Multidomain
B. General purpose
Explanation:
OBJ-3.5: General Purpose or Domain Validation (DV) digital certificates prove the ownership of a particular domain by responding to an email to the authorized domain contact or by publishing a text record to the domain’s DNS records. Extended Validation (EV) digital certificates are subject to a process that requires more rigorous checks on the subject’s legal identity and control over the domain or software being signed. A major drawback to EV certificates is that they cannot be issued for a wildcard domain. A wildcard certificate contains the wildcard character (*) in its domain name field and allows the digital certificate to be used for any number of subdomains. For example, the wildcard certificate of *.diontraining.com can be used for members.diontraining.com, cart.diontraining.com, and support.diontraining.com. A multidomain certificate is a single SSL/TLS digital certificate that can be used to secure multiple, different domain names. For example, if you want to install the same certificate on diontraining.com and yourcyberpath.com, you will need to register a multidomain certificate.
Dion Training is joining a group of five other training organizations to work on a joint venture. Each organization has its own PKI implementations built around a single certificate authority at each organization. During the joint venture, the training organizations want to establish a trust relationship between all six of the certificate authorities so that users and devices from each organization can use resources from the other organizations during the project. This is a temporary project and the organizations involved do not want to have to issue new digital certificates to all of their users. Which of the following trust models would BEST meet these requirements?
A. Cross certification model
B. Bridge Model
C. Hierarchical model
D. Single CA model
B. Bridge Model
Explanation:
OBJ-3.5: A bridge model is most appropriate when connecting multiple organizations that each have a single CA architecture already configured. A bridge model is a trust model that allows a local CA to connect to a centralized bridge CA which maintains bilateral arrangements with the local CAs from other organizations. This model forms a star topology of trust, where all trust and verification occur through the central bridge node. A cross certification model is a trust model that allows a trust relationship to be established between two certification authorities. Cross certification allows users and devices of two organizations to be recognized by the other, regardless of which organization’s root CA signed their certificate. A hierarchical model allows a root certificate authority to trust multiple intermediate or subordinate certificate authorities in a parent/child relationship. Through this trust model, all members trust the root server and, therefore, they can also trust each other. A single CA is used to issue certificates to users and users only trust certificates issued by that CA.
A company is implementing enhanced user authentication for system administrators accessing the company’s confidential servers. They intend to use two-factor authentication to accomplish this. Which of these BEST represents two-factor authentication?
A. ID Badge and Keys
B. Username and password
C. Fingerprint scanner and retina scan
D. Password and key fob
D. Password and key fob
Explanation:
OBJ-1.5: Two-factor authentication (also known as 2FA) is a method of confirming a user’s claimed identity by using a combination of two different factors: (1) something you know, (2) something you have, or (3) something you are. Out of the options provided, only a key fob (something you have) and a password (something you know) meet the requirements of 2FA. If you have two factors from the same type/category, like something you know (username and password), this is only considered a single factor of authentication.
Your team is developing an update to a piece of code that allows customers to update their billing and shipping addresses in the web application. The shipping address field used in the database was designed with a limit of 75 characters. Your team’s web programmer has brought you some algorithms that may help prevent an attacker from trying to conduct a buffer overflow attack by submitting invalid input to the shipping address field. Which pseudo-code represents the best solution to prevent this issue?
A. if (shippingAddress != 75) {update field} else exit
B. if (shippingAddress = 75) {update field} else exit
C. if (shippingAddress <=75) {update field} else exit
D. if (shippingAddress >=75) {update field} else exit
C. if (shippingAddress <=75) {update field} else exit
Explanation:
OBJ-1.3: To ensure that the field is not overrun by an input that is too long, input validation must occur. Checking if the shipping address is less than or equal to 75 characters before updating the field will prevent a buffer overflow from occurring in this program. If the input is 76 characters or more, then the field will not be updated, and the algorithm will exit the function.
The Dion Development Group is about to release a new Software as a Service (SaaS) tool to the marketplace. The company has utilized some third-party libraries in the development of their web application and has added compensating controls during the testing process to account for any insecurities in the third-party library. Which of the following terms best describes the type of risk this third-party library represents to the company?
A. Qualitative Risk
B. Quantitative Risk
C. Inherent Risk
D. Residual Risk
D. Residual Risk
Explanation:
OBJ-4.1: Residual risk is the risk that remains after compensating controls have been implemented. Inherent risk is the level of risk that exists before any compensating controls have been implemented. Qualitative risk describes the evaluation of risk using words instead of numbers and is much more subjective than quantitative risk analysis. Quantitative risk describes the evaluated risk using numbers, generally monetary values, to evaluate its potential impact. Risk tolerance is defined as the threshold that separates the different levels of risk within an organization.
Dion Training is working on an internal development server while developing a new web application. The development server has been issued a self-signed digital certificate to use during testing. When Tim, a developer, connects to the web application over HTTPS, he receives an error that states “Your connection is not private”. Which of the following actions should Tim take to securely use the web application on the development server for testing on the company’s internal test and development network?
A. Connect to the web application on the development server using HTTP
B. Accept the self-signed certificate as trusted in the client's browser
C. Extend the validity of the self-signed certificate from 1 year to 3 years
D. Uninstall the self-signed certificate and request an EV certificate
B. Accept the self-signed certificate as trusted in the client's browser
Explanation:
OBJ-3.7: A self-signed certificate is a certificate generated independently of a certificate authority and is considered not trustworthy. If this was a publicly available server or one used in a production network, you should uninstall the self-signed certificate and instead request a new digital certificate from a trusted third-party CA. An EV certificate should not be requested or used in this case due to the excessive costs involved. Extended Validation (EV) digital certificates are subject to a process that requires more rigorous checks on the subject’s legal identity and control over the domain or software being signed. The web application should not be used over HTTP since this would allow data sent to/from the server to be possibly intercepted by an on-path attack. The validity of the self-signed certificate does not need to be changed as it is already valid for use once accepted by the client’s web browser.
Dion Training is trying to define key performance indicators for their recently released voucher management system. The CIO has stated that the voucher management system must be built on serverless architecture to support up to 1 million students per hour while maintaining a 3-second latency or less when issuing vouchers. To monitor this requirement, the analysts have created a metric to measure the number of students per hour using the system and another metric to measure the latency when issuing vouchers to those students. Which of the following types of key performance indicators would these metrics be classified as?
A. Availability
B. Usability
C. Reliability
D. Scalability
D. Scalability
Explanation:
OBJ-4.1: Scalability metrics measure the ability of a system to handle an increase in workload while maintaining a consistent level of performance. Reliability metrics measure the ability of a system to perform without error or to avoid, detect, and/or repair component or integrity failures. Availability metrics measure the probability that a system will be operating as expected at any given point in time. The most common availability metric used is known as uptime. Usability metrics measure the effectiveness, efficiency, and satisfaction of users working with a given system.
Your company is setting up a system to accept credit cards in their retail and online locations. Which of the following compliance types should you be MOST concerned with dealing with credit cards?
A. GDPR
B. PII
C. PHI
D. PCI-DSS
D. PCI-DSS
Explanation:
OBJ-4.3: The Payment Card Industry Data Security Standard (PCI-DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to securely host your data and follow PCI compliance requirements. The General Data Protection Regulation (GDPR) is a regulation created in the European Union that creates provisions and requirements to protect the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US’s Privacy Shield requirements. Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII. Protected health information (PHI) refers to medical and insurance records, plus associated hospital and laboratory test results.
You are reviewing a rule within your organization’s IDS. You see the following output:
Based on this rule, which of the following malicious packets would this IDS alert on?
A. Any malicious inbound packets
B. A malicious outbound TCP packet
C. A malicious inbound TCP packet
D. Any malicious outbound packets
C. A malicious inbound TCP packet
Explanation:
OBJ-3.2: The rule header is set to alert only on TCP packets based on this IDS rule’s first line. The flow condition is set as “to_client,established,” which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port to be analyzed, and the direction of flow.
Which of the following types of digital forensic investigations is most challenging due to the on-demand nature of the analyzed assets?
A. Cloud services
B. Employee workstations
C. On-premise servers
D. Mobile Devices
A. Cloud services
Explanation:
OBJ-3.4: The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Cloud providers can mitigate this to some extent by using extensive logging and monitoring options. A CSP might also provide an option to generate a file system and memory snapshots from containers and VMs in response to an alert condition generated by a SIEM. Employee workstations are often the easiest to conduct forensics on since they are a single-user environment for the most part. Mobile devices have some unique challenges due to their operating systems, but good forensic tool suites are available to ease the forensic acquisition and analysis of mobile devices. On-premise servers are more challenging than a workstation to analyze, but they do not suffer from the same issues as cloud-based services and servers.
John is a cybersecurity consultant that wants to sell his services to an organization. In preparation for his first meeting with the client, John wants to conduct a vulnerability scan of their network to show the client how much they need his services. What is the most significant issue with John conducting this scan of the organization’s network?
A. The IP range of the client systems is unknown by John
B. John does not have permissions to perform the scan
C. The client's infrastructure design is unknown to John
D. John does not know what operating system and applications are in use
B. John does not have permissions to perform the scan
Explanation:
OBJ-2.4: All options listed are an issue, but the most significant issue is that John does not have the client’s permission to perform the scan. A vulnerability scan may be construed as a form of reconnaissance, penetration testing, or even an attack on the organization’s systems. A cybersecurity analyst should never conduct a vulnerability scan on another organization’s network without explicit written permission. In some countries, a vulnerability scan against an organization’s network without their permission is considered a cybercrime and could result in jail time for the consultant.
In which phase of the security intelligence cycle do system administrators capture data to identify anomalies of interest?
A. Dissemination
B. Analysis
C. Feedback
D. Collection
D. Collection
Explanation:
OBJ-2.1: The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers’ and intelligence consumers’ input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle develops.
Which of the following has occurred if a device fails to activate because it has detected an unknown modification?
A. Self-checking
B. Obfuscation
C. Improper authentication
D. Failed trusted foundry
A. Self-checking
Explanation:
OBJ-3.3: NIST defines self-checking behavior as a control used to prohibit illicit modification to hardware components. This can be done using anti-tamper technology like a field-programmable gate array (FPGA), a physically unclonable function (PUF), or other techniques. Obfuscation is the act of making something obscure, unclear, or unintelligible. Usually, this is done by encoding strings or binary information to make it less detectable by signature-based detection mechanisms. Improper authentication occurs when an attacker claims to have a given identity, and the software does not prove or insufficiently proves that the claim is correct. The Trusted Foundry Program, also called the trusted supplier program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military.
Trevor is responsible for conducting vulnerability scans for his organization. His supervisor must produce a monthly report for the CIO that includes the number of open vulnerabilities. What process should Trevor use to ensure the supervisor gets the information needed for their monthly report?
A. Run a report each month and then email it to his supervisor
B. Create an account for the supervisor's assistant so they can create the reports
C. Create an account for the supervisor to the vulnerability scanner so they can run the reports themselves
D. Create a custom report that is automatically emailed each month to the supervisor with the needed information
D. Create a custom report that is automatically emailed each month to the supervisor with the needed information
Explanation:
OBJ-2.3: The best solution is to design a report that provides all necessary information and configure it to send this report to the supervisor each month automatically. It is not a good practice to create additional accounts on the vulnerability scanner beyond what is necessary per the concept of least privilege. It is also inefficient for Trevor to run the reports each month and then email them to his supervisor. When possible, the use of automation should be encouraged.
If an attacker can compromise an Active Directory domain by utilizing an attack to grant administrative access to the domain controllers for all domain members, which type of attack is being used?
A. Lateral movement
B. Pass the hash
C. Golden ticket
D. Pivoting
C. Golden ticket
Explanation:
OBJ-2.5: A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment. Attackers who can create a golden ticket can use it to grant administrative access to other domain members, even to domain controllers. Pass the Hash (PtH) is the process of harvesting an account’s cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems, as well. Lateral movement is an umbrella term for a variety of attack types. Attackers can extend their lateral movement by a great deal if they can compromise host credentials. Pivoting is a process similar to lateral movement. When attackers pivot, they compromise one central host (the pivot) that allows them to spread out to other hosts that would otherwise be inaccessible.
Sarah has reason to believe that systems on her network have been compromised by an APT. She has noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. Which of the following techniques would most likely detect the APT?
A. Endpoint forensics
B. Network traffic analysis
C. Network forensics
D. Endpoint behavior analysis
A. Endpoint forensics
Explanation:
OBJ-2.7: An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. APTs usually send encrypted traffic so that they are harder to detect through network traffic analysis or network forensics. This means that you need to focus on the endpoints to detect an APT. Unfortunately, APTs are very sophisticated, so endpoint behavioral analysis is unlikely to detect them easily, so Sarah will need to conduct endpoint forensics as her most likely method to detect an APT and their associated infections on her systems.
Your Security Operations Center is experiencing a backlog of threat intelligence to analyze. The SOC Director has recommended that you investigate using emerging technologies to perform accurate correlations between various threat intelligence sources and traffic being observed on the production network. Which of the following emerging technologies should you select?
A. Natural Language Processing
B. Deep Fakes
C. Machine Learning
D. Artificial Intelligence
D. Artificial Intelligence
Explanation:
OBJ-1.8: Artificial Intelligence is the science of creating machines to develop problem-solving and analysis strategies without significant human direction or intervention. A machine learning (ML) system uses a computer to accomplish a task without being explicitly programmed. In the context of cybersecurity, ML generally works by analyzing example data sets to create its own ability to classify future items presented. If the system was presented with large datasets of malicious and benign traffic, it will learn which is malicious and categorize future traffic presented to it. Machine Learning is useful for categorizations and classifications, but it is not as sophisticated as artificial intelligence in terms of data correlation. A deep fake is a realistic video or audio that impersonates a real person. Deep fakes are created using deep learning technology. Natural language processing (NLP) is a type of deep learning focused on understanding and responding to human language.
What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software?
A. CPE
B. CCE
C. CVE
D. XCCDF
C. CVE
Explanation:
OBJ-2.3: The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.
Which of the following services should you install to connect multiple remote branch offices to your cloud service provider’s virtual private cloud (VPC) using an IPSec site-to-site connection?
A. API Gateway
B. VPN Gateway
C. NAT Gateway
D. XML Gateway
B. VPN Gateway
Explanation:
OBJ-1.1: A VPN gateway is a type of networking device that connects two or more devices or networks in a VPN infrastructure. It is designed to bridge the connection or communication between two or more remote sites, networks, or devices and/or to connect multiple VPNs. An extensible markup language (XML) gateway acts as an application layer firewall specifically to monitor XML formatted messages as they enter or leave a network or system. An XML gateway is used for inbound pattern detection and the prevention of outbound data leaks. XML is a document structure that is both human and machine-readable. Information within an XML document is placed within tags that describe how the information within the document is structured. An application programming interface (API) gateway is a special cloud-based service that is used to centralize the functions provided by APIs. An API is a type of software interface that offers a service to other pieces of software to build or connect to specific functions or features. A NAT Gateway within a cloud platform allows private subnets in a Virtual Private Cloud (VPC) access to the Internet.
Dion Training Solutions has received proposals from four suppliers to install a new data loss prevention (DLP) system and contractors to operate it. The cost of each full-time equivalent (FTE) position to operate the system costs $75,000 per year. Supplier Alpha’s system will require 3 FTE positions to operate and costs $100,000 for licensing and maintenance fees per year. Supplier Bravo’s system will require 2 FTE positions to operate and costs $150,000 for licensing and maintenance fees per year. Supplier Charlie’s system will require 4 FTE positions to operate and costs $50,000 for licensing and maintenance fees per year. Supplier Delta’s system will require 1 FTE position to operate and costs $250,000 for licensing and maintenance fees per year. If all of the data loss prevention systems would provide equivalent security, which supplier’s system would provide the lowest TCO?
A. Supplier Delta
B. Supplier Alpha
C. Supplier Charlie
D. Supplier Bravo
D. Supplier Bravo
Explanation:
OBJ-4.1: Supplier Bravo would have the lowest TCO with a value of $300,000 per year. The total cost of ownership (TCO) is the associated costs of an asset, including acquisition costs and the costs to maintain and safely operate the asset over its entire lifespan. Since the DLP system in this scenario will be charged under a SaaS model using yearly contract labor, licensing, and maintenance fees, you can calculate the TCO simply by comparing one year of each supplier's fees against the others. Supplier Alpha's TCO would equal 3 FTEs ($225,000) plus $100,000 (licensing/maintenance fee), which equals $325,000. Supplier Bravo's TCO would equal 2 FTEs ($150,000) plus $150,000 (licensing/maintenance fee), which equals $300,000. Supplier Charlie's TCO would equal 4 FTEs ($300,000) plus $50,000 (licensing/maintenance fee), which equals $350,000. Supplier Delta's TCO would equal 1 FTE ($75,000) plus $250,000 (licensing/maintenance fee), which equals $325,000.
Which of the following Nmap commands would scan DionTraining.com and probe any open ports to determine the versions of the running services on those ports?
A. nmap -sV DionTraining.com
B. nmap -sS DionTraining.com
C. nmap -sT DionTraining.com
D. nmap -sL DionTraining.com
A. nmap -sV DionTraining.com
Explanation:
OBJ-2.9: The -sV option will scan the target by probing all the open ports to determine the service version they are running. The -sS option will scan the target using a TCP SYN packet and conduct a half-open scan. The -sT option will scan the target by conducting a full TCP 3-way handshake. The -sL option performs a list scan, which only enumerates the target hosts without sending any packets to them. The -sU option will scan the target by conducting a UDP scan.
Your company has decided to move all of its data into the cloud. Your company is small and has decided to purchase some on-demand cloud storage resources from a commercial provider (such as Google Drive) as its primary cloud storage solution. Which of the following types of clouds is your company using?
A. Private
B. Public
C. Hybrid
D. Community
B. Public
Explanation:
OBJ-1.6: The public cloud is defined as computing services offered by third-party providers over the public internet, making them available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. Amazon Web Services, Microsoft Azure, and Google Cloud are three popular public cloud platforms. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.
Fail to Pass is concerned about the possibility of an on-path attack being conducted against their students when trying to connect to the company’s web server. Several years ago, their web developer implemented a technique that embedded the certificate data in the HTTP header and presented it to the student’s web browser when they connected to the webserver. Unfortunately, this technique is now considered vulnerable and deprecated, but Fail to Pass has not bothered to upgrade its code. Which of the following techniques is Fail to Pass most likely using?
A. HSTS
B. Secure cookies
C. Certificate pinning
D. Wildcard certificate
C. Certificate pinning
Explanation:
OBJ-3.5: Certificate pinning is a deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize on-path (formerly man-in-the-middle) attacks. Certificate pinning with HTTP Public Key Pinning (HPKP) embeds the server’s certificate data into the HTTP header when sending the data to the web browser. Certificate pinning should be replaced with HSTS to provide resistance to an on-path attack. HTTP Strict Transport Security (HSTS) is configured as a response header on a web server and notifies a browser to connect to the requested website using HTTPS only. HSTS helps prevent on-path and downgrade attacks. Secure cookies are a type of HTTP cookie that has the Secure attribute set, which limits the scope of the cookie to secure channels. When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel. A wildcard certificate contains the wildcard character (*) in its domain name field and allows the digital certificate to be used for any number of subdomains. For example, the wildcard certificate of *.diontraining.com can be used for members.diontraining.com, cart.diontraining.com, and support.diontraining.com.
A hospital’s file server has become infected with malware. The files on the server all appear to be encrypted and cannot be opened. The network administrator receives an email from the attacker asking for 20 bitcoin in exchange for the decryption key. Which type of malware MOST likely infected these computers?
A. Spyware
B. Rootkit
C. Keylogger
D. Ransomware
D. Ransomware
Explanation:
OBJ-2.7: Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Once infected, a system or its files are encrypted, and then the decryption key is withheld from the victim unless payment is received. Spyware is a program that monitors user activity and sends the information to someone else. It may be installed with or without the user's knowledge. It invades the device, steals sensitive information and internet usage data, and relays it to advertisers, data firms, or external users. A keylogger actively attempts to steal confidential information by capturing the data when entered into the computer by the user. This is done by recording keystrokes entered into a web browser or other application. A software keylogger can be run in the background on a victim's computer. A hardware keylogger may be placed between the USB port and the wired keyboard. A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. A rootkit is generally a collection of tools that enables administrator-level access to a computer or network. They can often disguise themselves from detection by the operating system and anti-malware solutions. If a rootkit is suspected on a machine, it is best to reformat and reimage the system.
Which of the following features of homomorphic encryption allows two parties to jointly evaluate a private function without revealing their respective inputs?
A. Private Information Retrieval
B. Secure Multi-Party Computation
C. Private Function Evaluation
D. Secure Function Evaluation
C. Private Function Evaluation
Explanation:
OBJ-1.8: Private Function Evaluation (PFE) allows two parties to jointly evaluate a private function without revealing their respective inputs. Secure Function Evaluation (SFE) allows two parties to jointly evaluate a publicly known function without revealing their respective inputs. Private Information Retrieval (PIR) retrieves an item from a service in possession of a database without revealing which item is retrieved. Secure Multi-Party Computation creates methods for parties to jointly compute a function over their inputs while keeping those inputs private.
(Sample Simulation – On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company’s network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts?
A. Immediately remove the database server from the network, create an image of its hard disk, and maintain the chain of custody
B. Isolate the affected server from the network immediately, format the database server, reinstall from a known good backup
C. Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server and maintain the chain of custody
D. Conduct a system restore of the database server, image the hard drive and maintain the chain of custody
C. Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server and maintain the chain of custody
Explanation:
OBJ-2.7: Since the database server is part of a critical production network, it is important to work with the business to time the remediation period to minimize productivity losses. You can immediately begin to capture network traffic since this won’t affect the database server or the network (least intrusive) while scheduling a period of downtime in which to take a forensic image of the database server’s hard drive. All network captures and the hard drive should be maintained under the chain of custody if needed for criminal prosecution or civil action after remediation. The server should be remediated and brought back online once the hard drive image has been created.
Which of the following is the most difficult to confirm with an external vulnerability scan?
A. Cross site scripting (XSS)
B. Blind SQL injection
C. Unpatched web server
D. Cross site request forgery (XSRF/CSRF)
B. Blind SQL injection
Explanation:
OBJ-2.3: Vulnerability scanners typically cannot confirm that a blind SQL injection with the execution of code has previously occurred. XSS and CSRF/XSRF are typically easier to detect because the scanner can pick up information that proves a successful attack. The banner information can usually identify unpatched servers.
Which of the following layers is NOT used in a three-tiered data center network architecture?
A. Access/edge layer
B. Distribution/aggregation layer
C. Control layer
D. Core layer
C. Control layer
Explanation:
OBJ-1.1: The control layer is used in software-defined networking (SDN), not the three-tiered data center network architecture. The Core Layer is considered the backbone of our network and is used to merge geographically separated networks back into one logical and cohesive unit. In general, you will have at least two routers at the core level, operating in a redundant configuration. The distribution or aggregation layer is located under the core layer and it provides boundary definition by implementing access lists and filters to define the policies for the network at large. The access or edge layer is located beneath the distribution or aggregation layer and is used to connect all the endpoint devices like computers, laptops, servers, printers, wireless access points, and others.
Which of the following options places the correct phases of the Software Development Lifecycle’s waterfall method in the correct order?
A. Planning, requirements analysis, design, implementation, testing, deployment, and maintenance
B. Requirements analysis, planning, design, implementation, testing, deployment and maintenance
C. Requirements analysis, planning, design, implementation, deployment, testing, maintenance
D. Planning, requirements analysis, design, implementation, deployment, testing, maintenance
A. Planning, requirements analysis, design, implementation, testing, deployment, and maintenance
Explanation:
OBJ-1.3: The software development lifecycle (SDLC) can be conducted using waterfall or agile methods. The waterfall method moves through seven phases: planning, requirements, design, implementation, testing, deployment, and maintenance. Planning involves training the developers and testers in security issues, acquiring security analysis tools, and ensuring the development environment’s security. Requirements analysis is used to determine security and privacy needs in terms of data processing and access controls. Design identifies threats and controls or secure coding practices to meet the requirements. Implementation performs known environment source code analysis and code reviews to identify and resolve vulnerabilities. Testing performs known or unknown environment testing to test for vulnerabilities in the published application and its publication environment. Deployment installs and operates the software packages and best practice configuration guides. Maintenance involves ongoing security monitoring and incident response procedures, patch development and management, and other security controls. For a question like this on the real certification exam, you may be asked to drag and drop the seven steps into the proper order instead of receiving this as a multiple-choice question.
Dion Training is creating a new security policy that states all access to system resources will be controlled based on the user’s job functions and tasks within the organization. For example, only people working in Human Resources can access employee records, and only the people working in finance can access customer payment histories. Which of the following policies or security practices is BEST described by this new policy?
A. Job rotation
B. Mandatory vacation
C. Least privilege
D. Separation of duties
C. Least privilege
Explanation:
OBJ-4.1: Least privilege is a security policy that states someone or something should be allocated the minimum necessary rights, privileges, or information to perform the specific role. Separation of duties is a security policy that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers. Job rotation is a security policy that prevents any one individual from performing the same role or tasks for too long. Job rotation is useful in deterring fraud and providing better oversight of the person’s duties. Mandatory vacation is a security policy that states when and how long an employee must take time off from work so that their activities may be subjected to a security review by having another employee conduct their job functions.
Which of the following utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise?
A. Software Defined Networking (SDN)
B. Infrastructure as a Service (IaaS)
C. Infrastructure as Code (IaC)
D. Software as a Service (SaaS)
C. Infrastructure as Code (IaC)
Explanation:
OBJ-3.4: Infrastructure as Code (IaC) is designed with the idea that a well-coded description of the server/network operating environment will produce consistent results across an enterprise and significantly reduce IT overhead costs through automation while precluding the existence of security vulnerabilities. SDN uses software to define networking boundaries but does not necessarily handle server architecture in the same way that IaC can. Infrastructure as a Service (IaaS) is a computing method that uses the cloud to provide any or all infrastructure needs. Software as a Service (SaaS) is a computing method that uses the cloud to provide users with application services.
Dion Training has noticed an increase in trouble tickets from students stating they are receiving a “Your connection is not private” error when connecting to the company’s homepage. Vikas is investigating the issue and believes it is a problem between the webserver and the student’s web browsers. Vikas determined that the issue only occurs when students attempt to connect using the older Internet Explorer web browser on a Windows 7 client machine. If those same students attempt to log in using their newer smartphones, though, they can connect securely. Which of the following is MOST likely causing this error?
A. Incorrect permissions
B. Cipher mismatch error
C. Chain issues
D. Wrong certificate type
B. Cipher mismatch error
Explanation:
OBJ-3.7: The most likely cause of the issue is a cipher mismatch caused by using an older web browser and operating system. A cipher mismatch error is generated by a modern web browser if an old or deprecated cipher suite is being requested for use by the webserver. Alternatively, this error can also occur if the client is using an older operating system that doesn’t support a more modern cipher suite. An incorrect permissions error is generated when a template is used for certificate enrollment but the template’s permissions are misconfigured. This can result in a “cannot enroll for this type of certificate” or an “operation failed” error. Chain issues occur when the root, subordinate, or leaf certificate fails to pass a validity check. Since the certificate authorities must all pass the validity checks for the certification issued to be considered valid, if any of these are invalid then the entire chain is considered invalid, too. A wrong certificate type error is generated when a certificate designed for a specific use case is used for a different reason. For example, if a user attempts to log in to a website using an email certificate instead of an identification certificate, a wrong certificate type error will be generated.
You are reverse engineering a piece of malware recovered from a retailer’s network for analysis. They found that the malicious code was extracting track data from their customer’s credit cards during processing. Which of the following types of threats would you classify this malware as?
A. POS malware
B. Keylogger
C. Rootkit
D. Ransomware
A. POS malware
Explanation:
OBJ-2.7: Point-of-sale malware (POS malware) is a type of malicious software used by cybercriminals to target point of sale (POS) and payment terminals with the intent of obtaining credit card and debit card information, such as a card’s track 1 or track 2 data and even the CVV code. It does this through various man-in-the-middle attacks, that is, by intercepting the card data while it is being processed at the retail checkout point of sale system. Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send it back to an attacker. A rootkit is a malware class that modifies system files, often at the kernel level, to conceal its presence.
Due to numerous network misconfiguration issues in the past, Dion Training adopted a policy that requires a second technician to verify any configuration changes before they are applied to a network device. When the technician inspects a newly proposed configuration change from a coworker, she determines that it would improperly configure the AS number on the device. Which of the following issues could have resulted from this configuration change if it was applied?
A. Spanning tree ports would have entered flooding mode
B. BGP routing issues would have occurred
C. Wireless coverage area would be decreased
D. A frequency mismatch would have occurred
B. BGP routing issues would have occurred
Explanation:
OBJ-1.1: BGP (Border Gateway Protocol) is used to route data between autonomous systems (AS). A collection of networks within the same administrative domain is called an autonomous system (AS). The routers within an AS use an interior gateway protocol, such as the Routing Information Protocol (RIP) or the Open Shortest Path First (OSPF) protocol, to exchange routing information among themselves. Autonomous systems operate at layer 3 and are focused on wired networks. Therefore, a frequency mismatch, decreased wireless coverage area, and spanning tree ports would not be affected by the improper configuration of an AS number on a device.
Dion Training issues two different digital certificates for each team member and embeds them onto a smart card. One of the digital certificates is used for identity verification while the second is used for the digital signing of the team member’s emails. Jason is trying to log in to the SharePoint server on the company’s intranet using his smart card. When he clicks the login button, a window pops up asking for him to select a certificate from his smart card. Jason selects a certificate and then receives an error stating “Your session could not be established. Access was denied by the access policy.” Which of the following is MOST likely causing this error?
A. A chain issue occurred with intermediate CA
B. The incorrect name is on the certificate
C. The wrong certificate type was presented
D. There is a validity date error on the certificate
C. The wrong certificate type was presented
Explanation:
OBJ-3.7: The most likely cause of this error is that Jason selected the email certificate instead of his identity certificate from his smart card during the login process. A wrong certificate type error is generated when a certificate designed for a specific use case is used for a different reason. For example, if a user attempts to log in to a website using an email certificate instead of an identification certificate, a wrong certificate type error will be generated. A validity date error occurs when a certificate is presented for use on a date that is already past the expiration date. An incorrect name error is generated when the certificate’s CN name does not match the FQDN of the system that is using the certificate. For example, if the certificate is issued to diontraining.com but is being presented for www.diontraining.com or yourcyberpath.com, it will generate an incorrect name error. Chain issues occur when the root, subordinate, or leaf certificate fails to pass a validity check. Since the certificate authorities must all pass the validity checks for the certification issued to be considered valid, if any of these are invalid then the entire chain is considered invalid, too.
Kevin is conducting a penetration test against Dion Training’s network. He is in the post-exploitation phase and needs to cover his tracks. He runs the following script:
Which technique to cover his tracks is being used?
A. Changing timestamp values
B. Clearing specific event log entries
C. Erasing data securely
D. Erasing shell history
A. Changing timestamp values
Explanation:
OBJ-2.4: If you can modify the time that certain events are recorded, you can deceive investigators into believing a false narrative. Altering a file’s MACE (modified, accessed, created, entry modified) metadata can confuse and misdirect investigators into thinking that your attack happened at a different time, or has lasted for a longer or shorter amount of time than it has. You can use the timestomp command in Meterpreter to change MACE values.