Udemy CASP Practice Exam 4 Flashcards

Question

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company from an incident. Which of the following best describes the company's risk response? A. Trasnference B. Mitigation C. Avoidance D. Acceptance

Answer 1

A. Trasnference Explanation: OBJ-4.1: Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing an activity that is risk-bearing. Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Acceptance means that no countermeasures are put in place either because the risk level does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

Answer 2

A. DNS Poisoning Explanation: OBJ-1.3: DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites. MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network using layer 2 address information. DNS brute-forcing is used to check for wildcard entries using a dictionary or wordlist. This technique is used when a DNS zone transfer is not allowed by a system.

Answer 3

B. Create a script to automatically update the signatures every 24 hours Explanation: OBJ-2.6: Since the analyst appears not to be installing the latest vulnerability signatures according to your instructions, it would be best to create a script and automate the process to eliminate human error. The script will always ensure that the latest signatures are downloaded and installed in the scanner every 24 hours without any human intervention. While you may want the analyst to manually validate the updates were performed as part of their procedures, this is still error-prone and likely not to be conducted properly. Regardless of whether the scanners are being run in uncredentialed or credentialed mode, they will still miss vulnerabilities if using out-of-date signatures. Finally, the option to test the vulnerability remediations in a sandbox is a good suggestion. Still, it won't solve this scenario since we are concerned with the scanning portion or vulnerability management and not remediation.

Answer 4

B. Data historian Explanation: OBJ-3.3: The data historian is a type of software that aggregates and catalogs data from multiple sources within an industrial control system’s control loop. Essentially, the data historian acts like a SIEM for ICS/SCADA systems and, therefore, the incident responders should review the data historian first. The human-machine interface (HMI) provides the input and output controls on a PLC to allow a user to configure and monitor the system. A Safety Instrumented System (SIS) is composed of sensors, logic solvers, and final control elements (devices like horns, flashing lights, and/or sirens) used to return an industrial process to a safe state after predetermined conditions are detected. Ladder Logic is a graphical, flowchart-like programming language used to program the special sequential control sequences used by a programmable logic controller (PLC).

Answer 5

D. pa55word Explanation: OBJ-1.5: Password policies often enforce a mixture of standard character types, including uppercase letters, lowercase letters, numbers, and symbols. The option ‘pa55word’ is the weakest choice since it only includes lowercase letters and numbers. The option ‘Pa55w0rd’ is slightly more complex since it includes uppercase letters, lowercase letters, and numbers. The option ‘P@$$W0RD is also similar in complexity since it includes uppercase letters, numbers, and special characters. The most secure option is ‘P@5$w0rd’ since it includes a mixture of uppercase letters, lowercase letters, numbers, and special characters.

Answer 6

B. Information Disclosure Explanation: OBJ-2.4: Information disclosure is any condition that allows the attacker to gain access to protected information. In this case, the server is vulnerable to disclosing information about the version of PHP being used. The phpinfo.php file should not be accessible to remote users over the internet, as it can be used to provide them with valuable information to help plan an attack.

Answer 7

A. Management network Explanation: OBJ-1.2: The management interface should only be exposed to an isolated or dedicated network used for the management and configuration of the network device and platforms only. This would also help reduce the likelihood of an attack against the virtualization platform or the hypervisor itself. The external zone (internet), internal zone (LAN), or screened subnet (formerly called a DMZ) should not have the management interface exposed to them.

Answer 8

A. Implement a jumpbox system Explanation: OBJ-1.1: A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier's laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an air gap, or using a jumpbox.

Answer 9

B. ChaCha Explanation: OBJ-3.6: ChaCha is a variant of Salsa20 that is a modern and efficient symmetric stream cipher that uses a 128-bit or 256-bit encryption key. ChaCha is widely used in combination with the Poly1305 hashing algorithm in the TLS implementation of the Google Chrome browser and the Android operating system. ChaCha is also used by OpenSSH and the random number generator in BSD operating systems as a replacement to the older RC4 algorithm. RC4 is a stream cipher that was used in the wireless encryption protocol (WEP) and many SSL/TLS implementations. RC4 is considered extremely vulnerable to attack and should not be used in modern applications. The Advanced Encryption Standard (AES) is the current standard for the U.S. federal government’s symmetric block encryption cipher. AES can use a key size of 128-bits, 192-bits, or 256-bits with a 128-bit block size. Triple Digital Encryption Standard (3DES) was built as a temporary replacement for the older DES algorithm. 3DES utilizes 3 different 56-bit encryption keys in an encrypt-decrypt-encrypt workflow to effectively increase the security of the weaker DES algorithm. 3DES is a symmetric block encryption cipher and utilizes a 64-bit block size.

Answer 10

D. Output encoding Explanation: OBJ-1.3: Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the < string when writing to an HTML page. Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering the malfunction of various downstream components. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID.

Answer 11

D. Utilizing an operating system SCAP Explanation: OBJ-2.4: Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications supporting automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry standard and supports testing for compliance. The other options will not allow for a truly repeatable process since individual scans would occur each time instead of comparing against a known good baseline.

Answer 12

C. ChaCha Explanation: OBJ-3.6: ChaCha is a variant of Salsa20 that is a modern and efficient symmetric stream cipher that uses a 128-bit or 256-bit encryption key. ChaCha is widely used in combination with the Poly1305 hashing algorithm in the TLS implementation of the Google Chrome browser and the Android operating system. ChaCha is also used by OpenSSH and the random number generator in BSD operating systems as a replacement to the older RC4 algorithm. RC4 is a stream cipher that was used in the wireless encryption protocol (WEP) and many SSL/TLS implementations. RC4 is considered extremely vulnerable to attack and should not be used in modern applications. The Advanced Encryption Standard (AES) is the current standard for the U.S. federal government’s symmetric block encryption cipher. AES can use a key size of 128-bits, 192-bits, or 256-bits with a 128-bit block size. Triple Digital Encryption Standard (3DES) was built as a temporary replacement for the older DES algorithm. 3DES utilizes 3 different 56-bit encryption keys in an encrypt-decrypt-encrypt workflow to effectively increase the security of the weaker DES algorithm. 3DES is a symmetric block encryption cipher and utilizes a 64-bit block size.

Answer 13

D. SQL Injection Explanation: OBJ-2.5: This is an example of a Boolean-based SQL injection. This occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. In this example, notice that the statement being parsed as part of the URL after the equal sign is equivalent to 1 or 17-7=10. This means the portion of the statement that is 17-7=10 would return a value of 1 (since it is true). Then, we are left to compute if 1 = 1, and since it does, the SQL database will treat this as a positive authentication. This is simply an obfuscation technique of a 1=1 SQL injection technique. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic.

Answer 14

C. MTTR Explanation: OBJ-4.1: Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation. MTTR is often used to describe the average time to replace or recover a system or product. Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired.

Answer 15

D. PBKDF2 Explanation: OBJ-3.6: Password-Based Key Derivation Function 2 (PBKDF2) is a form of key stretching that utilizes a hash-based message authentication code (HMAC), the input password, and a salt value to create a more secure derived key. Message Digest Algorithm (MD5) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 128-bit hash digest value to be used for authenticating the original message. MD5 can be easily brute-forced and has a high chance of collision. Secure Hashing Algorithm (SHA-1) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 160-bit hash digest value to be used for authenticating the original message. SHA-1 is considered weak and no longer used for digital signatures, time stamps, or any application that requires collision resistance as of 2015. RACE Integrity Primitives Evaluation Message Digest (RIPEMD-160) is a one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length 160-bit hash digest value to be used for authenticating the original message. RIPEMD is used in PGP and the Bitcoin standard.

Answer 16

D. XML Explanation: OBJ-1.5: Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). SAML transactions use Extensible Markup Language (XML) for standardized communication between the identity and service providers. SAML is the link between the authentication of a user’s identity and the authorization to use a service.

Answer 17

D. IP Theft Explanation: -OBJ-4.3: This is an example of intellectual property (IP) theft and it happened in 2019 to our company. The competitor wasn't even smart enough to change the examples we used throughout our course from our website (diontraining.com) to their website and re-recorded our entire 8-hour course word-for-word to sell as an audiobook. This is not identity theft because they didn't pretend to be Jason Dion or Dion Training. This is not a data breach because they did not compromise our systems to steal the course. Instead, they went to our website and purchased it. The risk is not a mission-essential function. A mission essential function is something that your organization must do to maintain its operations. For example, at Dion Training, our mission essential functions are (1) recording and editing training videos and (2) writing and publishing practice exams.

Answer 18

C. Clearing the syslog file Explanation: OBJ-2.2: The attacker issued attempted to overwrite the /var/log/syslog file. If this command were successful, they would have overwritten all of the log's contents with a single space character. If the server writes its logs to a centralized Syslog server, the original logs would still be available for review. Additionally, this method does not securely erase the file, and it could be restored from a backup or even from the hard drive using forensic techniques. If the attacker wanted to erase the file securely, they should have used the "shred -zu /var/log/syslog" command. This would overwrite the area of the hard drive that contained the file with zeros for increased security.

Answer 19

C. Application allow list Explanation: OBJ-3.2: Application allow list will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus. An intrusion detection system might detect the anomalous activity created by a piece of malware, but it will only log or alert based on the activity, not prevent it. A host-based firewall may prevent a piece of malware from establishing a network connection with a remote server. Still, again, it wouldn't prevent infection or prevent it from executing. An anti-malware solution is a good investment towards improving your security. Since the threat is a zero-day virus, an anti-malware solution will not detect it using its signature database.

Answer 20

D. HFS+ Explanation: OBJ-2.8: The default macOS file system for the drive is HFS+ (Hierarchical File System Plus). While macOS does provide support for FAT32 and exFAT, they are not the default file system format used by the macOS system. NTFS is not supported by macOS without additional drivers and software tools. This question may seem beyond the scope. Still, the exam objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Answer 21

B. Scan the network for additional instances of this vulnerability and patch the affected assets Explanation: OBJ-2.7: All of the options listed are the best security practices to implement before and after a detected intrusion, but scanning for additional instances of this vulnerability should be performed first. Often, an enterprise network uses the same baseline configuration for all servers and workstations. Therefore, if a vulnerability is exploited on one device (such as an insecure configuration), that same vulnerability could exist on many other assets across the network. During your recovery, you must identify if any other network systems share the same vulnerability and mitigate them. If you don't, the attacker could quickly reinfect your network by simply attacking another machine using the same techniques used during this intrusion. The other options listed are all examples of additional device hardening that should be conducted during recovery after you have identified the exploited vulnerability across the rest of the network.

Answer 22

C. XML Gateway Explanation: OBJ-1.1: An extensible markup language (XML) gateway acts as an application layer firewall specifically to monitor XML formatted messages as they enter or leave a network or system. An XML gateway is used for inbound pattern detection and the prevention of outbound data leaks. XML is a document structure that is both human and machine-readable. Information within an XML document is placed within tags that describe how the information within the document is structured. Application programming interface (API) gateway is a special cloud-based service that is used to centralize the functions provided by APIs. An API is a type of software interface that offers a service to other pieces of software to build or connect to specific functions or features. A NAT Gateway within a cloud platform allows private subnets in a Virtual Private Cloud (VPC) access to the Internet. A VPN gateway is a type of networking device that connects two or more devices or networks in a VPN infrastructure. It is designed to bridge the connection or communication between two or more remote sites, networks, or devices and/or to connect multiple VPNs.

Answer 23

C. Conducting a brute force login attempt of a remote service on 192.168.1.142 Explanation: OBJ-2.4: The penetration tester is attempting to conduct a brute force login attempt of a remote service on 192.168.1.142, as shown by the multiple login attempts with common usernames and passwords. A brute force attack attempts to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. Port Scanning is the name for the technique used to identify open ports and services available on a network host. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions. A ping sweep is a basic network scanning technique used to determine which range of IP addresses map to live hosts.

Answer 24

A. Search the registry for a complete list Explanation: OBJ-2.8: The Windows registry keeps a list of the wireless networks that a system has previously connected to. The registry keys can be found in the directory of HKLM\Software\Microsoft\WindowsNT\CurrentVersion\NetworkList\Profiles. This is stored in Local Machine because it logs a copy of every access point connected to all users of the machine, not just the currently logged in user.

Answer 25

A. VDI Explanation: OBJ-1.6: Virtual Desktop Infrastructure (VDI) refers to using a VM as a means of provisioning corporate desktops. In a typical VDI, desktop computers are replaced by low-spec, low-power thin client computers. When the thin client starts, it boots a minimal OS, allowing the user to log on to a VM stored on the company server or cloud infrastructure. The user connects to the VM using some remote desktop protocol (Microsoft Remote Desktop or Citrix ICA, for instance). The thin client has to find the correct image and use an appropriate authentication mechanism. Software as a Service (SaaS) is a cloud computing service that enables a service provider to make applications available over the Internet to end-users. This can be a calendar, scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and Office 365 are both word processing SaaS solutions. Platform as a Service (PaaS) is a cloud computing service that enables consumers to rent fully configured systems that are set up for specific purposes. Infrastructure as a Service (IaaS) is a cloud computing service that enables a consumer to outsource computing equipment purchases and running their own data center.

Answer 26

A. RIsk exception Explanation: OBJ-4.1: A risk exception occurs when a particular policy, standard, security program requirement, or security best practice cannot be fully implemented. In this scenario, the development team cannot create a security patch to eliminate the vulnerability in time for the launch, so they have requested a risk exception to be made. This exception must be documented and signed by the executives who are approving this exception. Risk transfer occurs when risk is moved to or shared with another entity. Most often, risk transfer occurs by purchasing an insurance policy. Residual risk is the risk that remains after compensating controls have been implemented. Since temporary compensating controls were being used in this scenario, a risk exception is a better classification than residual risk since residual risk relies on permanent compensating controls being implemented. Inherent risk is the level of risk that exists before any compensating controls have been implemented.

Answer 27

C. Galois/counter mode Explanation: OBJ-3.6: Galois/counter mode (GCM) provides a method of authenticated encryption with associated data (AEAD) that enables symmetric block ciphers to work with large sets of data. GCM is a specialized variant of the older counter mode that adds the authenticated data feature for the integrity and authenticity of the data. Counter (CTR) mode enables symmetric block ciphers to work with large sets of data by using an initialization vector and adding an incrementing counter value to the key to generate a keystream. Counter mode does not use padding in its operations and simply discards any unused space in the final block. Output feedback (OFB) enables symmetric block ciphers to work with large sets of data by using an initial chaining vector (ICV) during the first round of encryption and then combining the output of the previous rounds into the subsequent rounds. Electronic codebook (ECB) is a simple mode of enabling symmetric block ciphers to work with large sets of data and is an older method that is vulnerable to the padding-oracle attack.

Answer 28

A. Control layer Explanation: OBJ-1.1: The control layer uses the information from applications to decide how to route a data packet on the network and to make decisions about how traffic should be prioritized, how it should be secured, and where it should be forwarded to. The application layer focuses on the communication resource requests or information about the network. The infrastructure layer contains the physical networking devices that receive information from the control layer about where to move the data and then perform those movements. The management plane is used to monitor traffic conditions, the status of the network, and allows network administrators to oversee the network and gain insight into its operations.

Answer 29

C. DKIM Explanation: OBJ-1.7: DomainKeys Identified Mail (DKIM) provides a cryptographic authentication mechanism. This can replace or supplement SPF. To configure DKIM, the organization uploads a public key as a TXT record in the DNS server. Sender Policy Framework (SPF) uses a DNS record published by an organization hosting an email service. The SPF record identifies the hosts authorized to send emails from that domain, and there must be only one per domain. SPF does not provide a cryptographic authentication mechanism like DKIM does, though. The Domain-Based Message Authentication, Reporting, and Conformance (DMARC) framework can ensure that SPF and DKIM are being utilized effectively. DMARC relies on DKMI for the cryptographic authentication mechanism, making it the incorrect option for this question. The simple mail transfer protocol (SMTP) is a communication protocol for electronic mail transmission, which does not utilize cryptographic authentication mechanisms by default.

Answer 30

C. SOAR Explanation: OBJ-1.2: A security orchestration, automation, and response (SOAR) is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment. A SOAR may be implemented as a standalone technology or integrated within a SIEM as a next-gen SIEM. A SOAR can scan the organization's store of security and threat intelligence, analyze it using machine/deep learning techniques, and then use that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting.

Answer 31

D. RTO Explanation: OBJ-4.4: Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster. This represents the amount of time it takes to identify a problem and then perform recovery (restore from backup or switch in an alternative system, for instance). Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a virus destroys a database, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. Mean time between failure (MTBF) represents the expected lifetime of a product before it fails and must be replaced or repaired. Mean time to repair (MTTR) is a measure of the time taken to correct a fault to restore the system to full operation.

Answer 32

B. Community cloud Explanation: OBJ-1.6: Community Cloud is another type of cloud computing in which the cloud setup is shared manually among different organizations that belong to the same community or area. A multi-tenant setup is developed using the cloud among different organizations belonging to a particular community or group with similar computing concerns. For joint business organizations, ventures, research organizations, and tenders, a community cloud is an appropriate solution. Based on the description of 15 member banks coming together to create the CloudBank organization and its cloud computing environment, a community cloud model is most likely described. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A private cloud contains services offered either over the Internet or a private internal network and only to select users instead of the general public. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and third-party public cloud services with orchestration between these platforms. This typically involves a connection from an on-premises data center to a public cloud.

Answer 33

C. APT Explanation: OBJ-2.1: An advanced persistent threat (APT) is a type of attacker that keeps a low profile while infiltrating a remote network. Once inside the network, they maintain their patience while gathering intelligence and slowly exfiltrating data out of the network. Many APTs work for a nation-state and focus on intelligence operations. Some APTs also perform corporate espionage to steal highly guarded trade secrets from competitors. APTs commonly use several attack vectors to ensure their success in gaining unauthorized access to information.

Answer 34

D. Buffer overflow Explanation: OBJ-2.5: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can cause an overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Programs should use the variable size validation before writing the data to memory to ensure that the variable can fit into the buffer to prevent this type of attack.

Answer 35

B. $9,000 Explanation: OBJ-4.1: The single loss expectancy (SLE) is the amount that would be lost in a single occurrence (AV) times the exposure factor (EF). The annual loss expectancy (ALE) is the total cost of a risk to an organization annually. This is determined by multiplying the SLE by the annual rate of occurrence (ARO). SLE = AV x RF = $120,000 x 30% = $36,000 ALE = SLE x ARO = $36,000 x 0.25 = $9,000

Answer 36

C. File integrity monitoring (FIM) Explanation: OBJ-1.1: File integrity monitoring (FIM) is a type of software that reviews system files to ensure that they have not been tampered with. Security information and event management system (SIEM) is a solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications. Data Loss Prevention (DLP) is a software solution designed to detect and prevent sensitive information from being used, transmitted, or stored inappropriately. Simple network management protocol (SNMP) traps are used to send monitoring and management information from networked devices back to a centralized monitoring station.

Answer 37

B. CI/CD Explanation: OBJ-1.3: Continuous integration/continuous delivery (CI/CD) is a software development methodology in which code updates are tested and committed to a development or build server/code repository rapidly. Waterfall is a software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete. Spiral development allows the modification of the development repeatedly in response to stakeholder feedback and input but still follows an overall beginning-to-end structure. Both waterfall and spiral development are too slow to support code deployments multiple times per day, so agile development must be utilized. Middleware generally describes more comprehensive software applications designed to integrate two systems. Middleware can perform more sophisticated mechanisms and include multiple APIs to connect to various sources, enabling more feature-rich operations or to detach features from individual systems so they can be separately managed and controlled. Middleware is not a development technique.

Answer 38

C. BYOD E. MDM Explanation: OBJ-3.1: The Bring Your Own Device (BYOD) policy is a security framework used to facilitate the use of personally-owned devices to access corporate networks and data. Mobile Device Management (MDM) is a class of management software designed to apply security policies to the use of mobile devices in the enterprise. Since the employees will be using their laptops and smartphones, the company will need a good BYOD policy to provide security guidance. The company may also implement and install MDM across the employee's devices to better secure the BYOD devices if they give the company permission.

Answer 39

A. Cross site scripting Explanation: OBJ-2.5: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

Answer 40

D. Hardware write blocker Explanation: OBJ-2.8: Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it. But, since the question indicates that you need to choose the BEST solution to protect the drive's contents from being changed during analysis, you should pick the hardware write blocker. A hardware write blocker's primary purpose is to intercept and prevent (or 'block') any modifying command operation from ever reaching the storage device. A forensic drive duplicator copies a drive and validates that it matches the original drive but cannot be used by itself during analysis. A degausser is used to wipe magnetic media. Therefore, it should not be used on the drive since it would erase the hard drive contents.

Answer 41

B. Filter the scan results to include only those items listed as creitical in the asset inventory and remediate those vulnerabilities first Explanation: OBJ-2.3: PHI is an abbreviation for Personal Health Information. When attempting to remediate numerous vulnerabilities, it is crucial to prioritize the vulnerabilities to determine which ones should be remediated first. In this case, there is a regulatory requirement to ensure the security of the PHI data. Therefore, those critical assets to the secure handling or storage of PHI are of the highest risk should be prioritized for remediation first. It is impractical to resolve all 2,592 vulnerabilities at once. Therefore, you should not identify all the false positives and exceptions and then resolve any remaining items since they won't be prioritized for remediation. You should also not wait to perform additional scanning because a scan is only a snapshot of your current status. If it takes 30 days to remediate all the vulnerabilities and do not scan, new vulnerabilities may have been introduced. Placing all the PHI assets into a sandbox will not work either because you have removed them from the production environment and can no longer serve their critical business functions.

Answer 42

D. VPN Explanation: OBJ-3.1: While WiFi is available almost everywhere these days, it is not safe to use it without first configuring and using a VPN. A Virtual Private Network (VPN) connects the components and resources of two (private) networks over another (public) network. This utilizes an encryption tunnel to protect data being transferred to and from her laptop to the Dion Training servers and other websites. The other options are all focused on connecting her cellphone but would still not be considered safe without a VPN being utilized. A local mobile hotspot should be used to provide internet connectivity to the laptop (if she uses this instead of the hotel and coffee shop WiFi). Still, for best security, it should also use a VPN when using this connection.

Answer 43

D. schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM Explanation: OBJ-2.6: A scheduled task or scheduled job is an instance of execution, like initiating a process or running a script, that the system performs on a set schedule. Once the task executes, it can prompt the user for interaction or run silently in the background; it all depends on what the task is set up to do. Scheduled tasks in Windows use the schtasks command. The correct answer for this persistence is to enter the command "schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM" that will create a task called "beacon" that runs the script at "C:\temp\beacon.bat every 20 minutes as the SYSTEM level user. The other variant of schtasks is incorrect because it used a Linux-based file directory structure to reference the script location and would fail to run in Windows. The crontab options are used in Linux, not in Windows.

Answer 44

D. Warm site Explanation: OBJ-4.4: A warm site is an alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site when needed. A warm site typically includes a data center that is typically scaled down from the primary site to include the capacity and throughput needed to run critical systems and software. A cold site is a predetermined alternative location where a network can be rebuilt after a disaster. A cold site does not have a pre-established information systems capability, but it is open and available for building out an alternate site after the disaster occurs. A hot site is a fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster. A hot site requires specialized knowledge, sophisticated automation capabilities, and platforms that are designed to operate as a fully redundant and ready alternate site. A mobile site is essentially a data center in a container or trailer that can be rapidly deployed to a given location. A mobile site is best categorized as a mixture of a cold site and a warm site which can also be relocated when needed.

Answer 45

A. Security, Pre-EFI initilization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime Explanation: OBJ-3.2: The security must first prevent any potential contamination from advanced malware from affecting the system as it proceeds into its startup process. The security consists of initializing the code that the system executes after powering on the EFI system. Pre-EFI initialization initializes the CPU, temporary memory, and boot firmware volume (BFV). Driver Execution Environment initializes the entire system's physical memory, I/O, and MIMO (Memory Mapped Input Output) resources. Finally, it begins dispatching DXE Drivers present in the system Firmware Volumes (given in the HOBL). Boot Device Select interprets the boot configuration data and selects the Boot Policy for later implementation. Runtime focuses on clearing the UEFI program from memory and transferring control to the operating system.

Answer 46

D. Supplier Charlie Explanation: OBJ-4.1: Supplier Charlie would have the higher TCO with a value of $350,000 per year. The total cost of ownership (TCO) is the associated costs of an asset including acquisition costs and costs to maintain and safely operate the asset over its entire lifespan. Since the DLP system in this scenario will be charged under a SaaS model using yearly contract labor, licensing, and maintenance fees, you can calculate the TCO simply by comparing one year of each supplier’s fees against the others. Supplier Alpha’s TCO would equal 3 FTEs ($225,000) plus $100,000 (licensing/maintenance fee) which equals $325,000. Supplier Bravo’s TCO would equal 2 FTEs ($150,000) plus $150,000 (licensing/maintenance fee) which equals $300,000. Supplier Charlie’s TCO would equal 4 FTEs ($300,000) plus $50,000 (licensing/maintenance fee) which equals $350,000. Supplier Delta’s TCO would equal 1 FTEs ($75,000) plus $250,000 (licensing/maintenance fee) which equals $325,000.

Answer 47

C. RADIUS Explanation: OBJ-1.5: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol operating on port 1812 that provides centralized Authentication, Authorization, and Accounting (AAA or Triple-A) management for users who connect and use a network service. The RADIUS protocol utilizes an obfuscated password created from the shared secret and creates an MD5 hash of the authentication request to protect the communications.

Answer 48

B. Code signing Explanation: OBJ-3.5: Code signing is a method of using a digital signature to ensure the source and integrity of programming code. If a valid code signature exists, this indicates that the code has not been changed or modified since being released by the code’s author or publisher. A digital signature is created by encrypting the hash digest with the sender’s private key. For example, when digitally signing an email, the email is first hashed and then the hash is encrypted with the private key of the sender to prove its integrity and non-repudiation when sent. Client authentication describes the mechanism by which a server can verify that a connection request is originating from a preauthorized endpoint. Client authorization is commonly used by SSH servers by storing a local copy of a client’s public SSH key on the SSH server and using this to authorize the client during a connection. Server authentication is utilized by a client device when the client establishes that the server is genuine. For example, when visiting a new website, a client will use the web server’s digital certificate and public key to authenticate that the server they connected to is legitimate.

Answer 49

A. nslookup -type=any_ldap._tcp.inteanet.diontraining.com E. nslookup -type=any_kerberos._tcp.intranet.diontraining.com Explanation: OBJ-1.5: There are several methods for locating Domain Controllers, depending on what you know about the environment you are using. If you are using a Windows client, you can use the nslookup command. You need to specify which protocol you are searching for in the name. Since we are trying to identify domain controllers, we need to look for Kerberos and LDAP-based protocols on the intranet.diontraining.com domain. If you were using a Linux client, you could run a similar command syntax using dig.

Answer 50

A. Multi-Cloud Key Management System Explanation: OBJ-3.4: A Multi-Cloud Key Management System (MCKMS) is a key management system that can be used by multiple clouds. A MCKMS incorporates the features of a Cloud Native Key Management System, an External Key Origination, and a Cloud Service Using External Key Management Systems. A Cloud Native Key Management System uses a KMS that is configured and operated by the same provider being used to run the organization’s cloud services. An External Key Origination uses keys generated by a KMS not managed by the same cloud provider that will use the keys. An External Key Origination model is commonly used to meet legal or regulatory compliance requirements when the cloud customer must wholly own the keys. A Cloud Service Using External Key Management Systems allows the customer to leverage a cloud service offering to provide KMS-hosted external services on-premises or through an alternate cloud service provider. The KMS hardware can be acquired by the customer or the KMS may be a service offering of the cloud provider. Either way, the HSM is exclusively used by the customer who owns the keys.

Answer 51

A. Full packet capture Explanation: OBJ-2.2: Full packet capture records the complete payload of every packet crossing the network. The other methods will not provide sufficient information to detect a cleartext password being sent. A net flow analysis will determine where communications occurred, by what protocol, to which devices, and how much content was sent. Still, it will not reveal anything about the content itself since it only analyzes the metadata for each packet crossing the network. A SIEM event log being monitored might detect that an authentication event has occurred. Still, it will not necessarily reveal if the password was sent in cleartext, as a hash value, or in the ciphertext. A software design documentation may also reveal the designer's intentions for authentication when they created the application, but this only provides an ‘as designed’ approach for a given software and does not provide whether the ‘as-built’ configuration was implemented securely.

Answer 52

C. Tabletop Explanation: OBJ-4.4: A tabletop exercise will identify a specific objective or goal, provide injects or additional details, and then observe the actions that the participants would have taken to respond to a given incident or disaster scenario. Checklist test uses a copy of the business continuity/disaster recovery plan to review and provide comments, updates, or changes to the plan during a periodic update. A parallel test occurs when the alternative site is brought online as if a real disaster occurred, but the primary site is not taken offline or affected, thereby keeping both the primary and alternate sites operating in parallel. A full interruption test is used to take the primary site offline and shift operations to the alternate site.

Answer 53

D. CYOD Explanation: OBJ-3.1: Choose Your Own Device (CYOD) is a mobile device deployment model where employees are offered a selection of corporate devices for work and, optionally, private use. Corporate Owned Business Only (COBO) is a mobile device deployment model that provides the employee with a corporate-owned device that may only be used for official work functions and purposes. Corporate Owned Personally Enabled (COPE) is a mobile device deployment model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is also permitted. Bring Your Own Device (BYOD) is a mobile device deployment model that facilitates the use of personally owned devices to access corporate networks and data.

Answer 54

B. Secure Multi Party COmputation Explanation: OBJ-1.8: Secure Multi-Party Computation creates methods for parties to jointly compute a function over their inputs while keeping those inputs private. Private Function Evaluation (PFE) allows two parties to jointly evaluate a private function without revealing their respective inputs. Secure Function Evaluation (SFE) allows two parties to jointly evaluate a publicly known function without revealing their respective inputs. Private Information Retrieval (PIR) retrieves an item from a service in possession of a database without revealing which item is retrieved.

Answer 55

A. Business continuity plan Explanation: OBJ-4.4: A business continuity plan is a document that outlines how a business will continue operating during an unplanned service disruption. A business continuity plan is more comprehensive than a disaster recovery plan and contains contingencies for business processes, assets, human capital and business partners, and essentially every other aspect of the business that might be affected. A disaster recovery plan is a documented, structured approach that documents how an organization can quickly resume work after an unplanned incident. These unplanned incidents include things like natural disasters, power outages, cyber attacks, and other disruptive events. An incident response plan contains a set of instructions to help our network and system administrators detect, respond to, and recover from network security incidents. These types of plans address issues like cybercrime, data loss, and service outages that threaten daily work. System life cycle plans, also known as life cycle planning, describe the approach to maintaining an asset from creation to disposal. In the information technology world, we normally have a 5-phase lifecycle that is used for all of our systems and networks: Planning, Design, Transition, Operations, and Retirement.

Answer 56

A. Private Cloud Explanation: OBJ-1.6: A private cloud service would be the best recommendation to protect and secure the services from those outside the company from accessing its contents. The private cloud is defined as computing services offered either over the Internet or a private internal network and only to select users instead of the general public. Private cloud computing gives businesses many of the benefits of a public cloud including self-service, scalability, and elasticity with the additional control and customization available from dedicated resources over a computing infrastructure hosted on-premises. Private clouds also deliver a higher level of security and privacy through both company firewalls and internal hosting to ensure operations and sensitive data are not accessible to third-party providers. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A public cloud contains services offered by third-party providers over the public Internet and is available to anyone who wants to use or purchase them. They may be free or sold on-demand, allowing customers to pay only per usage for the CPU cycles, storage, or bandwidth they consume. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally.

Answer 57

B. Client authentication Explanation: OBJ-3.5: Client authentication describes the mechanism by which a server can verify that a connection request is originating from a preauthorized endpoint. Client authorization is commonly used by SSH servers by storing a local copy of a client’s public SSH key on the SSH server and using this to authorize the client during a connection. Server authentication is utilized by a client device when the client establishes that the server is genuine. For example, when visiting a new website, a client will use the web server’s digital certificate and public key to authenticate that the server they connected to is legitimate. A digital signature is created by encrypting the hash digest with the sender’s private key. For example, when digitally signing an email, the email is first hashed and then the hash is encrypted with the private key of the sender to prove its integrity and non-repudiation when sent. Code signing is a method of using a digital signature to ensure the source and integrity of programming code. If a valid code signature exists, this indicates that the code has not been changed or modified since being released by the code’s author or publisher.

Answer 58

A. Application layer Explanation: OBJ-1.1: The application layer focuses on the communication resource requests or information about the network. The control layer uses the information from applications to decide how to route a data packet on the network and to make decisions about how traffic should be prioritized, how it should be secured, and where it should be forwarded to. The infrastructure layer contains the physical networking devices that receive information from the control layer about where to move the data and then perform those movements. The management plane is used to monitor traffic conditions, the status of the network, and allows network administrators to oversee the network and gain insight into its operations.

Answer 59

C. Tradeoff analysis Explanation: OBJ-4.1: A tradeoff analysis compares potential benefits to potential risks and determines a course of action based on adjusting factors that contribute to each area. A business impact analysis describes the collaborative effort to identify those systems and software that perform essential functions, meaning the organization cannot run without them. A privacy impact assessment is conducted by an organization for it to determine where its privacy data is stored and how that privacy data moves throughout an information system. It evaluates the impacts that may be realized by a compromise to the confidentiality, integrity, and/or availability of the data. A gap analysis measures the difference between the current state and desired state to assess the scope of work included in a project. By measuring ALE, MTTR, MTBF, TCO, and other factors, the organization can identify how closely it is performing to the desired outcomes or requirements.

Answer 60

B. All guests must provide valid identification when registering their wireless devices for use on the network Explanation: OBJ-4.1: Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless device for use on the network. This requires that an employee validates the guest's need for access, known as sponsoring the guest. While setting a strong password or using 802.1x are good security practices, these alone do not meet the question's sponsorship requirement. An open authentication standard only requires that the guest know the Service-Set Identifier (SSID) to gain access to the network. Therefore, this does not meet the sponsorship requirement.

Answer 61

D. Implement an allow list Explanation: OBJ-1.1: By implementing an allow list of the authorized IP addresses for the five largest vendors, they will be the only ones who can access the webserver. This can be done by creating rules in the Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests from any other IP addresses, such as those from an attacker. Based on the scenario's description, it appears like the system is under some form of denial of service attack. Still, by implementing an allow list at the edge of the network and sinkholing any traffic from IP addresses that are not allow listed, the server will no longer be overwhelmed or perform slowly to respond to legitimate requests. MAC filtering is only applicable at layer 2 of the OSI model (which would not work for traffic being sent over the internet from your vendors to your server). A VPN is a reasonable solution to secure the connection between the vendors and your systems, but it will not deal with the DoS condition being experienced. An intrusion detection system may detect the DoS condition, but an IDS cannot resolve it (whereas an IPS could).

Answer 62

D. Deploy the patch in a sandbox environment to test it before platching the production system Explanation: OBJ-3.2: While patching a system is necessary to remediate a vulnerability, you should always test the patch before implementation. It is considered a best practice to create a staging or sandbox environment to test the patches' installation before installing them into the production environment. This reduces the risks of the patch breaking something in the production system. Unless you are dealing with a very critical vulnerability and the risk of not patching is worse than the risk of patching the production system directly, you should not immediately patch the production systems without testing the patch first. You should not wait 60 days to deploy the patch. Waiting this long provides attackers an opportunity to reverse engineer the patch and create a working exploit against the vulnerability. Finally, asking the vendor for a safe time frame is not helpful since the vendor does not know the specifics of your environment or your business operations.

Answer 63

D. Steganography was used to hide the leaked data inside the users photos Explanation: OBJ-2.8: The most likely explanation is that the user utilized steganography to hide the leaked data inside their trip photos. Steganography is the process of hiding one message inside another. By hiding the customer’s information within the digital photos, the incident response team would not see the data being hidden without knowing to look for it inside the seemingly benign pictures from the trip. The scenario did not mention whether or not the user connected to the corporate VPN from their home, and the company should log all VPN connections, so this is not the correct answer. Additionally, the user could not hash the data and email it to themselves without losing the information since hashes are a one-way algorithm. Therefore, even if the user had the hash value, they still would not have the customers' personal information. Finally, according to the scenario, the user’s email showed no evidence of encrypted files being sent.

Answer 64

B. Human machine interface Explanation: OBJ-3.3: The human-machine interface (HMI) provides the input and output controls on a PLC to allow a user to configure and monitor the system. In this scenario, Jason is sitting at a control panel with buttons and switches that are used to manually control the PLCs located throughout the reactor plant. A Safety Instrumented System (SIS) is composed of sensors, logic solvers, and final control elements (devices like horns, flashing lights, and/or sirens) used to return an industrial process to a safe state after predetermined conditions are detected. The data historian is a type of software that aggregates and catalogs data from multiple sources within an industrial control system’s control loop. Ladder Logic is a graphical, flowchart-like programming language used to program the special sequential control sequences used by a programmable logic controller (PLC).

Answer 65

A. Netcat will listen on port 8080 and output anything received to a remote connection on 192.168.1.76 Explanation: OBJ-2.2: The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port. Then, the | character allows multiple commands to execute during a single command’s execution. Next, netcat sends the data to the given IP (192.168.1.76) over port 443. This is a common technique to bypass the firewall by sending traffic over port 443 (a secure SSL/TLS tunnel).

Answer 66

A. ECC Explanation: OBJ-3.6: Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits of ECC over non-ECC cryptography is an application that can achieve the same level of security provided by non-ECC cryptography while using a shorter key length. For example, an ECC algorithm using a 256-bit key length is just as strong as an RSA or Diffie-Hellman algorithm using a 3072-bit key length.